[ISN] Crack the hackers

From: InfoSec News (alerts@private)
Date: Mon Apr 14 2008 - 00:40:36 PDT


http://www.itp.net/news/516118-i

By Imthishan Giado  
Arabian Computer News
April 13, 2008

When asked to describe what a typical 'hacker' looks like, most people 
will resort to film clichés such as Keanu Reeves from the Matrix. The 
typical hacker profile is that of a dank unkempt loner who lives in a 
basement lit by the harsh glow of an LCD and gleefully punches away at a 
keyboard, defacing websites and leaving rude messages on desktops.

That's the old reality, says Jeremiah Grossman, CTO and founder of web 
security specialists WhiteHat Security, former information security 
officer for Yahoo! and the keynote speaker at this month's HackInTheBox 
security conference in Dubai.

"It used to be about ideology, the art of the hack and getting a 
reputation. We're now seeing a trend towards financially motivated 
hacks, where a lot of smart people all over the world make their living 
out of doing illicit hacks online. You have rogue marketing types that 
hack websites to improve their global ranking. State sponsored hacking 
happens all the time. You also have things like the Russian Business 
Network hiring hackers to carry out e-commerce type fraud and 
identity theft. So you'll see a wide spectrum of bad guys monetising in 
different types of ways," he explains.

While these attacks are a daily reality for most net citizens and 
corporations, Petko Petkov, founder of ethical hacker think tank 
GNUCitizen says that the trend has not yet reached its peak, and 
suggests which organisations make the most vulnerable targets.

"Banks and corporations that hold personal details will probably be the 
first types of targets. A lot of these new-age Web 2.0 companies and 
websites are also at risk. There is not one specific target - whatever 
is easy to compromise is a good enough target for attackers.

"The hacking business is not as mature as it will get in the future. 
Right now it mostly involves compromising PCs and hooking them to 
botnets and such, but in the future - I'm not talking about the distant 
future but probably a year or two ahead - organised crime will start 
using hacker tricks for all sorts of things - modifying public records or 
black public relations, which is where companies hire a group of hackers 
to break into their competition and steal data, make it public through 
some channel and as such defame the company. This stuff is not uncommon 
- we've seen it happen and it's already been on the news," he warns.

WhiteHat's Grossman says that even though application developers are 
responsible for the vulnerabilities that allow hackers easy access to 
corporate systems, enterprises should not expect them to resolve the 
problem quickly.

"It's way outpacing quality assurance personnel's ability to effectively 
pentest [penetration test] all these vulnerabilities. Beyond that, even 
if we're able to know their exact location, remediation is almost 
impossible at this point due to the volume of work being generated," he 
claims.

The problem, suggests Petkov, is that enterprises have expanded too 
quickly, with infrastructure growth outpacing the ability of IT teams to 
secure it.

"I've tested numerous corporate networks where inside it's fairly 
relaxed because the user is trusted. With no proper segmentation between 
different networks and no security restrictions, it's complete chaos. 
Once an attacker gets into the corporate network it's a matter of time 
to get to the real interesting data. Many corporations try to resolve 
the problem on the upper level by installing firewalls, intrusion 
detection and sometimes prevention systems," he says.

He lists a number of possible means by which attackers can gain access 
to a network - and surprisingly few require sophisticated IT knowledge. 
One of the key problems is, as he mentioned earlier, the low levels of 
security within corporate networks.

While most corporations erect expensive firewalls to prevent hackers 
breaking in, a far easier strategy is to target senior users who travel 
with laptops and have corporate VPN access. Once these users connect to 
their home networks or public Wi-Fi hotspots, they are easy prey for 
hackers who can inject their machines with malicious code and then 
later, steal their credentials when they reconnect to the corporate VPN.

Another method, only slightly more involved, is to erect a complete fake 
network. This fools laptops - which often have a preferred wireless 
connection list - into thinking that they are in their regular office 
environment. If the attacker controls the network, says Petkov, anything 
is possible.

"If that user starts using their e-mail client which probably runs in 
the background and starts performing checks, the credentials sometimes 
travel in the clear. When the attacker controls the network silently, 
they will be able to steal this information. This hack can be performed 
in about five minutes," he states.

Some entry methods are shockingly basic and reflect the scant attention 
which enterprises pay to fundamental physical security.

"One of the most basic ways of compromising a corporate network is to 
walk into one of the offices. The entrances sometimes have access to 
Ethernet sockets so the attackers install a small device and hide it 
away from casual observation and use it to access the corporate network. 
This is very basic stuff," reveals Petkov.

The tools used for these attacks are often not what one expects, says 
MST team chief and senior technical threat analyst MST II for the US 
Army, Thomas Blackard.

"I've seen people do strange things with Asus Eee PCs and a modified 
Sega Dreamcast with a network adapter and a modem setup in a wiring 
closet with access. If you have quantifiably important equipment then 
you need to take equitable measures to secure that from the outside 
world; don't use a glass door, use a metal door. You don't want to 
impede the users but you want to impede processes into areas where 
humans don't necessarily need to be," he says.

Even the VOIP telephones widely used in the Middle East represent a 
threat, says the founder of Italy-based security firm Alba ST, Alessio 
Pennasilico.

"The danger is confidentiality. Often by phone, we talk about important 
things, especially managers, but if you don't implement any encryption, 
phone calls can be eavesdropped. This is obviously also a problem of 
traditional telephony but in VOIP, you don't need to be physically near 
the device to eavesdrop - you can do it from a remote location with a 
free internet connection. The problem is that encrypting communications 
needs money and competence and there are very few companies that 
implement encryption," he says.

Pennasilico outlines a common VOIP exploit known as 'vishing.' It works 
in a similar way to its web equivalent and namesake, phishing.

"It's the same as phishing except that you don't receive an e-mail, you 
receive a phone call with a changed number or spoofed caller ID. On the 
display of your phone appears perhaps the number of your bank. You pick 
up the phone and listen to a recorded message saying that you have some 
problem with your account and asking you to enter your credit card 
number or account number on the keypad. This fraud started in the US and 
will be soon known all over the world because it's really cheap and 
technically simple," he warns.

Of course, one of the key factors in dealing with a potential attack is 
detecting it as soon as possible. But this is often hampered by the 
number of false positives, says the US Army's Blackard.

"You really don't know an attack's an attack until after you've gone and 
looked at it again. It may be a junior technician installing a new 
laptop someplace which has a bad network card going up and down 
flapping, generating a lot of noise traffic. Probably eight out of ten 
incidents are an actual failure of the device more than an actual 
attack," he explains.

Most security experts concur that it's better to have an in-house 
security team to deal with threats and update the security measures of 
the organisation, rather than outsourcing security to a third party.

"Short term, outsourcing is better. Here's the downside to a contract 
firm - they have no real vested interest in a company beyond billable 
hours. Long term, what you want is a cadre of your own personnel because 
they will be able to take ownership of the equipment that's there.

"What you need is a guy that's really good at firewalls, a guy that's 
good at databases, a guy that's good at clients and so on. You'll want 
to have one or two generalist guys that are good at just about 
everything so that you have coverage all day long and then you want to 
have a couple of specialists as your heavy hitters," recommends 
Blackard.

Petkov, however, says that enterprises should be mindful of the cost 
factor: "If you have your own in-house security team like a tiger team 
to test your networks on a constant basis, this is a huge plus but it 
may become quite expensive for companies. They then have to outsource 
that service which is a more convenient solution and is also very 
flexible."

Blackard suggests that enterprises can take one of two approaches to 
security: "You can do a defence in depth approach - which is what I 
prefer - where your outer perimeter is just as strong as your inner 
perimeter and you have a whole series of air gaps and breaks in 
networks, you have dissimilar segments, you do a lot of things that 
makes it very difficult for the individual to apply any one exploit to 
get all the way into your network."

"The other school of thought is a company having very soft 
non-protected insides and then these huge, monstrous enormously expensive 
firewalls they hide behind. The question is, how much is your data worth 
to you?" asks Blackard.

In closing, WhiteHat's Grossman has some advice for CIOs for securing 
their online property: "Know what websites you have and rank their 
importance because you can't secure what you don't know you own."

"Secondly, you have to measure your security, good, bad or otherwise. You 
have to constantly assess the security of your web-based property - if 
you don't the bad guys will. Lastly, for defence in-depth, throw up as 
many roadblocks as possible to prevent a compromise. You don't have to 
achieve 100% security but you should at least be more secure than your 
peers," he concludes.


-=-


The IT blacklight

If a company suffers a serious intrusion and experiences a significant 
financial or data loss, it may be time to call in the CSI of the IT 
world - forensics investigators like Mandiant's Jamie Butler.

His job is to treat enterprise IT systems like a virtual crime scene and 
sift through it for evidence of how the attacker gained access and most 
importantly, if they're still there.

"Often the attacker wants to maintain a presence on the systems that 
they've broken into so that whatever value they're taking, they can 
continue to do so in the future. What they leave behind is generally 
classified as malware and we look for those types of indicators," says 
Butler.

Butler notes that attackers usually don't compromise more systems than 
they have to: "They don't want to compromise a lot of boxes because then 
their footprint gets much bigger. If you have a client with 2000 hosts 
on a network, you won't see that 50% of those are compromised, it'll be 
less than 10% or 5%."

And just like CSI, contamination of the crime scene causes problems for 
Butler: "If at the onset they don't realise there's an attack, 
enterprises might run a set of diagnostic tools to give them more 
information. That process makes the hosts dirtier - and what I mean by 
that is that they destroy some of the physical evidence, by erasing the 
memory or running tools that write to the disk. Once you write to the 
disk, recovery becomes impossible for the files that have been deleted 
and you might only get a portion of it back with forensic tools."





