i-data-recovery.com

Archive for the ‘Information Security’ Category

Counter-Economic Espionage

Saturday, July 31st, 2010

Craig A. Schiller, CISSP

Today’s economic competition is global. The conquest of markets and technologies has replaced former territorial and colonial conquests. We are living in a state of world economic war, and this is not just a military metaphor — the companies are training the armies, and the unemployed are the casualties.

— Bernard Esambert,

President of the French Pasteur Institute, at a Paris Conference on Economic Espionage

The Attorney General of the United States de?ned economic espionage as “the unlawful or clandestine targeting or acquisition of sensitive ?nancial, trade, or economic policy information; proprietary economic information; or critical technologies.” Note that this de?nition excludes the collection of open and legally available infor-mation that makes up the majority of economic collection. This means that aggressive intelligence collection that is entirely open and legal may harm U.S. companies but is not considered espionage, economic or otherwise. The FBI has extended this de?nition to include the unlawful or clandestine targeting or in?uencing of sensitive economic policy decisions.

Intelligence consists of two broad categories — open source and espionage. Open-source intelligence collection is the name given to legal intelligence activities. Espionage is divided into the categories of economic and military/political/governmental; the distinction is the targets involved. A common term, industrial espio-nage was used (and is still used to some degree) to indicate espionage between two competitors. As global competitors began to conduct these activities with possible assistance from their governments, the competitor-versus-competitor nature of industrial espionage became less of a discriminator. As the activities expanded to include sabotage and interference with commerce and proposal competitions, the term economic espionage was coined for the broader scope.

While the examples and cases discussed in this chapter focus mainly on the United States, the issues are universal. The recommendations and types of information gathered can and should be translated for any country.

Brief History

The prosperity and success of this country are due in no small measure to economic espionage committed by Francis Cabot Lowell during the Industrial Revolution. Britain replaced costly, skilled hand labor with water-driven looms that were simple and reliable. The looms were so simple that they could be operated by a few unskilled women and children. The British government passed strict patent laws and prohibited the export of technology related to the making of cotton. A law was passed making it illegal to hire skilled textile workers for work abroad. Those workers who went abroad had their property con?scated. It was against the law to make and export drawings of the mills.

So Lowell memorized and stole the plans to a Cartwright loom, a water-driven weaving machine. It is believed that Lowell perfected the art of spying by driving around. Working from Edinburgh, he and his wife traveled daily throughout the countryside, including Lancashire and Derbyshire, the hearts of the Industrial Revolution. Returning home, he built a scale model of the loom. His company built its ?rst loom in Waltham. Soon, his factories were capable of producing up to 30 miles of cloth a day.¹This marked America’s entry into the Industrial Revolution.

By the early 20th century, we had become “civilized” to the point that Henry L. Stimson, our Secretary of State, said for the record that “Gentlemen do not read other gentlemen’s mail” while refusing to endorse a code-breaking operation. For a short time the U.S. Government was the only government that believed this fantasy. At the beginning of World War II, the United States found itself almost completely blind to activities inside Germany and totally dependent on other countries’ intelligence services for information. In 1941 the United States recognized that espionage was necessary to reduce its losses and ef?ciently engage Germany. To meet this need, ?rst the COI and then the OSS were created under the leadership of General “Wild Bill” Donovan.

It would take tremendous forces to broaden this awakening to include economic espionage.

Watershed: End of Cold War, Beginning of Information Age

In the late 1990s, two events occurred that radically changed information security for many companies. The end of the Cold War — marked by the collapse of the former Soviet Union — created a pool of highly trained intelligence of?cers without targets. In Russia, some continued to work for the government, some began to work in the newly created private sector, and some provided their services for the criminal element. Some did all three. The world’s intelligence agencies began to focus their attention on economic targets and information war, just in time for watershed event number-two — the beginning of the information age.

John Lienhard, M.D. Anderson Professor of Mechanical Engineering and History at the University of Houston, is the voice and driving force behind the “Engines of Our Ingenuity,” a syndicated program for public radio. He has said that the change of our world into an information society is not like the Industrial Revolution. No; this change is more like the change from a hunter-gatherer society to an agrarian society. A change of this magnitude happened only once or twice in all of history. Those who were powerful in the previous society may have no power in the new society. In the hunter-gatherer society, the strongest man and best hunter rules. But where is he in an agrarian society? There, the best hunter holds little or no power. During the transition to an information society, those with power in the old ways will not give it up easily. Now couple the turmoil caused by this shift with the timing of the “end” of the Cold War.

The currency of the new age is information. The power struggle in the new age is the struggle to gather, use, and control information. It is at the beginning of this struggle that the Cold War ended, making available a host of highly trained information gatherers to countries and companies trying cope with the new economy. Of?cial U.S. acknowledgment of the threat of economic espionage came in 1996 with the passage of the Economic Espionage Act.

For the information security professional, the world has fundamentally changed. Until 1990, a common practice had been to make the cost of an attack prohibitively expensive. How do you make an attack prohibitively expensive when your adversaries have the resources of governments behind them?

Most information security professionals have not been trained and are not equipped to handle professional intelligence agents with deep pockets. Today, most business managers are incapable of fathoming that such a threat exists.

Role of Information Technology in Economic Espionage

In the 1930s, the German secret police divided the world of espionage into ?ve roles.²Exhibit 14.1 illustrates some of the ways that information technology today performs these ?ve divisions of espionage functionality.

In addition to these roles, information technology may be exploited as a target, used as a tool, used for storage (for good or bad), used as protection for critical assets as a weapon, used as a transport mechanism, or used as an agent to carry out tasks when activated.

• Target. Information and information technology can be the target of interest. The goal of the exploitation may be to discover new information assets (breach of con?dentiality), deprive one of exclusive owner-

EXHIBIT 14.1 Five Divisions of Espionage Functionality

Role	WWII Description	IT Equivalent
Collectors	Located and gathered desired information	People or IT (hardware or software) agents, designer viruses that transmit data to the Internet
Transmitters	Forwarded the data to Germany, by coded mail or shortwave radio	E-mail, browsers with convenient 128-bit encryption, FTP, applications with built-in collection and transmission capabilities (e.g., comet cursors, Real Player, Media Player, or other spyware), covert channel applications
Couriers	Worked on steamship lines and transatlantic clippers, and carried special messages to and from Germany	Visiting country delegations, partners/ suppliers, temporary workers, and employees that rotate in and out of companies with CD-R/CD-RW, Zip disks, tapes, drawings, digital camera images, etc.
Drops	Innocent-seeming addresses of businesses or private individuals, usually in South American or neutral European ports; reports were sent to these addresses for forwarding to Germany	E-mail relays, e-mail anonymizers, Web anonymizers, specially designed software that spreads information to multiple sites (the reverse of distributed DoS) to avoid detection
Specialists	Expert saboteurs	Viruses, worms, DDoS, Trojan horses, chain e-mail, hoaxes, using e-mail to spread dissension, public posting of sensitive information about salaries, logic bombs, insiders sabotaging products, benchmarks, etc.

ship, acquire a form of the asset that would permit or facilitate reverse-engineering, corrupt the integrity of the asset — either to diminish the reputation of the asset or to make the asset become an agent — or to deny the availability of the asset to those who rely on it (denial of service).

Tool. Information technology can be the tool to monitor and detect traces of espionage or to recover information assets. These tools include intrusion detection systems, log analysis programs, content monitoring programs, etc. For the bad guys, these tools would include probes, enumeration programs, viruses that search for PGP keys, etc.
Storage. Information technology can store stolen or illegal information. IT can store sleeper agents for later activation.
Protection. Information technology may have the responsibility to protect the information assets. The protection may be in the form of applications such as ?rewalls, intrusion detection systems, encryption tools, etc., or elements of the operating system such as ?le permissions, network con?gurations, etc.
Transport. Information technology can be the means by which stolen or critical information is moved, whether burned to CDs, e-mailed, FTP’d, hidden in a legitimate http stream, or encoded in images or music ?les.
Agent. Information technology can be used as an agent of the adversary, planted to extract signi?cant sensitive information, to launch an attack when given the appropriate signal, or to receive or initiate a covert channel through a ?rewall.

Implications for Information Security

Implication 1

A major tenet of our profession has been that, because we cannot always afford to prevent information system-related losses, we should make it prohibitively expensive to compromise those systems. How does one do that when the adversary has the resources of a government behind him? Frankly, this tenet only worked on adversaries who were limited by time, money, or patience. Hackers with unlimited time on their hands — and a bevy of unpaid researchers who consider a dif?cult system to be a trophy waiting to be collected — turn this tenet into Swiss cheese.

This reality has placed emphasis on the onion model of information security. In the onion model you assume that all other layers will fail. You build prevention measures but you also include detection measures that will tell you that those measures have failed. You plan for the recovery of critical information, assuming that your prevention and detection measures will miss some events.

Implication 2

Information security professionals must now be able to determine if their industry or their company is a target for economic espionage. If their company/industry is a target, then the information security professionals should adjust their perceptions of their potential adversaries and their limits. One of the best-known quotes from the Art of War by Sun Tsu says, “Know your enemy.” Become familiar with the list of countries actively engaging in economic espionage against your country or within your industry. Determine if any of your vendors, contractors, partners, suppliers, or customers come from these countries. In today’s global economy, it may not be easy to determine the country of origin. Many companies move their global headquarters to the United States and keep only their main R&D of?ces in the country of origin. Research the company and its founders. Learn where and how they gained their expertise. Research any publicized accounts regarding economic espionage/intellectual property theft attributed to the company, the country, or other companies from the country. Pay particular attention to the methods used and the nature of the known targets. Contact the FBI or its equivalent and see if they can provide additional information. Do not forget to check your own organization’s history with each company. With this information you can work with your business leaders to determine what may be a target within your company and what measures (if any) may be prudent.

He who protects everything, protects nothing.

— Napoleon

Applying the wisdom of Napoleon implies that, within the semipermeable external boundary, we should determine which information assets truly need protection, to what degree, and from what threats. Sun Tsu speaks to this need as well. It is not enough to only know your enemy.

Therefore I say, “Know the enemy and know yourself; in a hundred battles you will never be in peril.”

When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal.

If ignorant both of your enemy and yourself, you are certain in every battle to be in peril.

— Sun Tzu, The Art of War (III.31–33)

A company can “know itself ” using a variation from the business continuity concept of a business impact assessment (BIA). The information security professional can use the information valuation data collected during the BIA and extend it to produce information protection guides for sensitive and critical information assets. The information protection guides tell users which information should be protected, from what threats, and what to do if an asset is found unprotected. They should tell the technical staff about threats to each information asset and about any required and recommended safeguards.

A side bene?t gained from gathering the information valuation data is that, in order to gather the value information, the business leaders must internalize questions of how the data is valuable and the degrees of loss that would occur in various scenarios. This is the most effective security awareness that money can buy.

After the information protection guides have been prepared, you should meet with senior management again to discuss the overall posture the company wants to take regarding information security and counter-economic espionage. Note that it is signi?cant that you wait until after the information valuation exercise is complete before addressing the security posture. If management has not accepted the need for security, the question about desired posture will yield damaging results.

Here are some potential postures that you can describe to management:

Prevent all. In this posture, only a few protocols are permitted to cross your external boundary.
City wall. A layered approach, prevention, detection, mitigation, and recovery strategies are all, in effect, similar to the walled city in the Middle Ages. Traf?c is examined, but more is permitted in and out. Because more is permitted, detection, mitigation, and recovery strategies are needed internally because the risk of something bad getting through is greater.
Aggressive. A layered approach, but embracing new technology, is given a higher priority than protecting the company. New technology is selected, and then security is asked how they will deal with it.
Edge racer. Only general protections are provided. The company banks on running faster than the competition. “We’ll be on the next technology before they catch up with our current release.” This is a common position before any awareness has been effective.

Implication 3

Another aspect of knowing your enemy is required. As security professionals we are not taught about spycraft. It is not necessary that we become trained as spies. However, the FBI, in its annual report to congress on economic espionage, gives a summary about techniques observed in cases involving economic espionage.

Much can be learned about modern techniques in three books written about the Mossad — Gideon’s Spies by Gordon Thomas, and By Way of Deception, and The Other Side of Deception, both by Victor Ostrovsky and Claire Hoy. These describe the Mossad as an early adopter of technology as a tool in espionage, including their use of Trojan code in software sold commercially. The books describe software known as Promis that was sold to intelligence agencies to assist in tracking terrorists; and the authors allege that the software had a Trojan that permitted the Mossad to gather information about the terrorists tracked by its customers. By Way of Deception describes the training process as seen by Ostrovsky.

Implication 4 Think Globally, Act Locally

The Chinese government recently announced that the United States had placed numerous bugging devices on a plane for President Jiang Zemin. During the customization by a U.S. company of the interior of the plane for its use as the Chinese equivalent of Air Force One, bugs were allegedly placed in the upholstery of the president’s chair, in his bedroom, and even in the toilet.

When the United States built a new embassy in Moscow, the then-extant Soviet Union insisted it be built using Russian workers. The United States called a halt to its construction in 1985 when it discovered it was too heavily bugged for diplomatic purposes. The building remained unoccupied for a decade following the discovery.

The 1998 Annual Report to Congress on Foreign Economic Collection and Industrial Espionage concluded with the following statement:

…foreign software manufacturers solicited products to cleared U.S. companies that had been embed

ded with spawned processes and multithreaded tasks.

This means that foreign software companies sold products with Trojans and backdoors to targeted U.S. companies.

In response to fears about the Echelon project, in 2001 the European Union announced recommendations that member nations use open-source software to ensure that Echelon software agents are not present.

Security teams would bene?t by using open-source software tools if they could be staffed suf?ciently to maintain and continually improve the products. Failing that, security in companies in targeted industries should consider the origins of the security products they use. If your company knows it is a target for economic espionage, it would be wise to avoid using security products from countries actively engaged in economic espionage against your country. If unable to follow this strategy, the security team should include tools in the architecture (from other countries) that could detect extraneous traf?c or anomalous behavior of the other security tools.

In this strategy you should follow the effort all the way through implementation. In one company, the corporate standard for ?rewall was a product of one of the most active countries engaging in economic espionage. Management was unwilling to depart from the standard. Security proposed the use of an intrusion detection system (IDS) to guard against the possibility of the ?rewall being used to permit undetected, un?ltered, and unreported access. The IDS was approved; but when procurement received the order, they discovered that the ?rewall vendor sold a special, optimized version of the same product and — without informing the security team — ordered the IDS from the vendor that the team was trying to guard against.

Implication 5

The system of rating computers for levels of security protection is incapable of providing useful information regarding products that might have malicious code that is included intentionally. In fact, companies that have intentions of producing code with these Trojans are able to use the system of ratings to gain credibility without merit.

It appears that the ?rst real discovery by one of the ratings systems caused the demise of the ratings system and a cover-up of the ?ndings. I refer to the MISSI ratings system’s discovery of a potential backdoor in Checkpoint Firewall-1 in 1997. After this discovery, the unclassi?ed X31 report³for this product and all previous reports were pulled from availability. The Internet site that provided them was shut down, and requestors were told that the report had been classi?ed. The federal government had begun pulling Checkpoint Firewall-1 from military installations and replacing it with other companies’ products. While publicly denying that these actions were happening, Checkpoint began correspondence with the NSA, owners of the MISSI process, to answer the ?ndings of that study. The NSA provided a list of ?ndings and preferred corrective actions to resolve the issue. In Checkpoint’s response⁴ to the NSA, they denied that the code in question, which involved SNMP and which referenced ?les containing IP addresses in Israel, was a backdoor. According to the NSA, two ?les with IP addresses in Israel “could provide access to the ?rewall via SNMPv2 mechanisms.” Checkpoint’s reply indicated that the code was dead code from Carnegie Mellon University and that the ?les were QA testing data that was left in the ?nal released con?guration ?les.

The X31 report, which I obtained through an FOIA request, contains no mention of the incident and no indication that any censorship had occurred. This fact is particularly disturbing because a report of this nature should publish all issues and their resolutions to ensure that there is no complicity between testers and the test subjects.

However, the letter also reveals two other vulnerabilities that I regard as backdoors, although the report classes them as software errors to be corrected. The Checkpoint response to some of these “errors” is to defend aspects of them as desirable. One speci?c reference claims that most of Checkpoint’s customers prefer maximum connectivity to maximum security, a curious claim that I have not seen in their marketing material. This referred to the lack of an ability to change the implicit rules in light of the vulnerability of stateful inspection’s handling of DNS using UDP, which existed in Version 3 and earlier.

Checkpoint agreed to most of the changes requested by the NSA; however, the exception is notable in that it would have required Checkpoint to use digital signatures to sign the software and data electronically to prevent someone from altering the product in a way that would go undetected. These changes would have provided licensees of the software with the ability to know that, at least initially, the software they were running was indeed the software and data that had been tested during the security review.

It is interesting to note that Checkpoint had released an internal memo nine months prior to the letter responding to the NSA claims in which they claimed nothing had ever happened.⁵

Both the ITSEC and Common Criteria security rating systems are fatally ?awed when it comes to protection against software with intentional malicious code. Security companies are able to submit the software for rating and claim the rating even when the entire system has not been submitted. For example, a company can submit the assurance processes and documentation for a targeted rating. When it achieves the rating on just that

EXHIBIT 14.2 Military Critical Technologies (MCTs)

Information systems Sensors and lasers Electronics Aeronautics systems technology Armaments and energetic materials Marine systems Guidance, navigation, and vehicle signature control Space systems Materials Manufacturing and fabrication Information warfare Nuclear systems technology Power systems Chemical/biological systems Weapons effects and countermeasures Ground systems Directed and kinetic energy systems

portion, it can advertise the rating although the full software functionality has not been tested. For marketing types, they gain the bene?t of claiming the rating without the expense of full testing. Even if the rating has an asterisk, the damage is done because many that authorize the purchase of these products only look for the rating. When security reports back to management that the rating only included a portion of the software functionality, it is portrayed as sour grapes by those who negotiated the “great deal” they were going to get. The fact is that there is no commercial push to require critical software such as operating systems and security software to include exhaustive code reviews, covert channel analysis, and to only award a rating when it is fully earned.

To make matters worse, if it appears that a company is going to get a poor rating from a test facility, the vendor can stop the process and start over at a different facility, perhaps in another country, with no penalty and no carry-over.

What Are the Targets?

The U.S. government publishes a list of military critical technologies (MCTs). A summary of the list is published annually by the FBI (see Exhibit 14.2).

There is no equivalent list for nonmilitary critical technologies. However, the government has added “targeting the national information infrastructure” to the National Security Threat List (NSTL). Targeting the national information infrastructure speaks primarily to the infrastructure as an object of potential disruption, whereas the MCT list contains technologies that foreign governments may want to acquire illegally. The NSTL consists of two tables. One is a list of issues (see Exhibit 14.3); the other is a classi?ed list of countries engaged in collection activities against the United States. This is not the same list captured in Exhibit 14.4. Exhibit 14.4 contains the names of countries engaged in economic espionage and, as such, contains the names of countries that are otherwise friendly trading partners. You will note that the entire subject of economic espionage is listed as one of the threat list issues.

According to the FBI, the collection of information by foreign agencies continues to focus on U.S. trade secrets and science and technology products, particularly dual-use technologies and technologies that provide high pro?tability.

Examining the cases that have been made public, you can ?nd intellectual property theft, theft of proposal information (bid amounts, key concepts), and requiring companies to participate in joint ventures to gain access to new country markets — then either stealing the IP or awarding the contract to an internal company with an identical proposal. Recently, a case involving HP found a planted employee sabotaging key bench

EXHIBIT 14.3 National Security Threat List Issues

Terrorism Espionage Proliferation Economic espionage Targeting the national information infrastructure Targeting the U.S. Government Perception management Foreign intelligence activities

EXHIBIT 14.4 Most Active Collectors of Economic Intelligence

China Japan Israel France Korea Taiwan India

marking tests to HP’s detriment. The message from the HP case is that economic espionage also includes efforts beyond the collection of information, such as sabotage of the production line to cause the company to miss key delivery dates, deliver faulty parts, fail key tests, etc.

You should consider yourself a target if your company works in any of the technology areas on the MCT list, is a part of the national information infrastructure, or works in a highly competitive international business.

Who Are the Players?

Countries

This section is written from the published perspective of the U.S. Government. Readers from other countries should attempt to locate a similar list from their government’s perspective. It is likely that two lists will exist: a “real” list and a “diplomatically correct” edition.

For the ?rst time since its original publication in 1998, the Annual Report to Congress on Foreign Economic Collection and Industrial Espionage 2000 lists the most active collectors of economic intelligence. The delay in providing this list publicly is due to the nature of economic espionage. To have economic espionage you must have trade. Our biggest trading partners are our best friends in the world. Therefore, a list of those engaged in economic espionage will include countries that are otherwise friends and allies. Thus the poignancy of Bernard Esambert’s quote used to open this chapter.

Companies

Stories of companies affected by economic espionage are hard to come by. Public companies fear the effect on stock prices. Invoking the economic espionage law has proven very expensive — a high risk for a favorable outcome — and even the favorable outcomes have been inadequate considering the time, money, and com-mitment of company resources beyond their primary business. The most visible companies are those that have been prosecuted under the Economic Espionage Act, but there have only been 20 of those, including:

Four Pillars Company, Taiwan, stole intellectual property and trade secrets from Avery Dennison.
Laser Devices, Inc., attempted to illegally ship laser gun sights to Taiwan without Department of Commerce authorization.
Gilbert & Jones, Inc., New Britain, Connecticut, exported potassium cyanide to Taiwan without the required licenses.
Yuen Foong Paper Manufacturing Company, Taiwan, attempted to steal the formula for Taxol, a cancer drug patented and licensed by the Bristol-Myers Squibb (BMS) Company.
Steven Louis Davis attempted to disclose trade secrets of the Gillette Company to competitors Warner-Lambert Co., Bic, and American Safety Razor Co. The disclosures were made by fax and e-mail. Davis worked for Wright Industries, a subcontractor of the Gillette Company.
Duplo Manufacturing Corporation, Japan, used a disgruntled former employee of Standard Duplicating Machines Corporation to gain unauthorized access into a voicemail system. The data was used to compete against Standard. Standard learned of the issue through an unsolicited phone call from a customer.
Harold Worden attempted to sell Kodak trade secrets and proprietary information to Kodak rivals, including corporations in the Peoples Republic of China. He had formerly worked for Kodak. He established his own consulting ?rm upon retirement and subsequently hired many former Kodak employees. He was convicted on one felony count of violating the Interstate Transportation of Stolen Property law.
In 1977, Mitsubishi Electric bought one of Fusion Systems Corporation’s microwave lamps, took it apart, then ?led 257 patent actions on its components. Fusion Systems had submitted the lamp for a patent in Japan two years earlier. After 25 years of wrangling with Mitsubishi, the Japanese patent system, Congress, and the press, Fusion’s board ?red the company’s president (who had spearheaded the ?ght) and settled the patent dispute with Mitsubishi a year later.
The French are known to have targeted IBM, Corning Glass, Boeing, Bell Helicopter, Northrup, and Texas Instruments (TI). In 1991, a guard in Houston noticed two well-dressed men taking garbage bags from the home of an executive of a large defense contractor. The guard ran the license number of the van and found it belonged to the French Consul General in Houston, Bernard Guillet. Two years earlier, the FBI had helped TI remove a French sleeper agent. According to Cyber Wars⁶by Jean Guisnel, the French intelligence agency (the DGSE) had begun to plant young French engineers in various French subsidiaries of well-known American ?rms. Over the years they became integral members of the companies they had entered, some achieving positions of power in the corporate hierarchy. Guillet claims that the primary bene?ciary of these efforts was the French giant electronics ?rm, Bull.

What Has Been Done? Real-World Examples

Partnering with a Company and Then Hacking the Systems Internally

In one case, very senior management took a bold step. In the spirit of the global community, they committed the company to use international partners for major aspects of a new product. Unfortunately, in selecting the partners, they chose companies from three countries listed as actively conducting economic espionage against their country. In the course of developing new products, the employees of one company were caught hacking sensitive systems. Security measures were increased but the employees hacked through them as well. The company of the offending partners was confronted. Its senior management claimed that the employees had acted alone and that their actions were not sanctioned. Procurement, now satis?ed that their fragile quilt of partners was okay, awarded the accused partner company a lucrative new product partnership. Additionally, they erased all database entries regarding the issues and chastised internal employees who continued to voice suspicions. No formal investigation was launched. Security had no record of the incident. There was no information security function at the time of the incident.

When the information security function was established, it stumbled upon rumors that these events had occurred. In investigating, they found an internal employee who had witnessed the stolen information in use at the suspect partner’s home site. They also determined that the offending partner had a history of economic espionage, perhaps the most widely known in the world. Despite the corroboration of the partner’s complicity,

line management and procurement did nothing. Procurement knew that the repercussions within their own senior management and line management would be severe because they had pressured the damaged business unit to accept the suspected partner’s earlier explanation. Additionally, it would have underscored the poor choice of partners that had occurred under their care and the fatal ?aw in the partnering concept of very senior management. It was impossible to extricate the company from this relationship without causing the company to collapse. IT line management would not embrace this issue because they had dealt with it before and had been stung, although they were right all along.

Using Language to Hide in Plain Sight

Israeli Air Force of?cers assigned to the Recon/Optical Company passed on technical information beyond the state-of-the-art optics to a competing Israeli company, El Op Electro-Optics Industries Ltd. Information was written in Hebrew and faxed. The of?cers tried to carry 14 boxes out of the plant when the contract was terminated. The of?cers were punished upon return to Israel — for getting caught.⁷

In today’s multinational partnerships, language can be a signi?cant issue for information security and for technical support. Imagine the dif?culty in monitoring and supporting computers for ?ve partners, each in a different language.

The Annual Report to Congress 2000⁸reveals that the techniques used to steal trade secrets and intellectual property are limitless. The insider threat, briefcase and laptop computer thefts, and searching hotel rooms have all been used in recent cases. The information collectors are using a wide range of redundant and complementary approaches to gather their target data. At border crossings, foreign of?cials have conducted excessive attempts at elicitation. Many U.S. citizens unwittingly serve as third-party brokers to arrange visits or circumvent of?cial visitation procedures. Some foreign collectors have invited U.S. experts to present papers overseas to gain access to their expertise in export-controlled technologies. There have been recent solicitations to security professionals asking for research proposals for security ideas as a competition for awarding grants to conduct studies on security topics. The solicitation came from one of the most active countries engaging in economic espionage. Traditional clandestine espionage methods (such as agent recruitment, U.S. volunteers, and co-optees) are still employed. Other techniques include:

Breaking away from tour groups
Attempting access after normal working hours
Swapping out personnel at the last minute
Customs holding laptops for an extended period of time
Requests for technical information
Elicitation attempts at social gatherings, conferences, trade shows, and symposia
Dumpster diving (searching a company’s trash for corporate proprietary data)
Using unencrypted Internet messages

To these I would add holding out the prospect of lucrative sales or contracts, but requiring the surrender or sharing of intellectual property as a condition of partnering or participation.

What Can We, as Information Security Professionals, Do?

We must add new skills and improve our pro?ciency in others to meet the challenge of government funded/ supported espionage. Our investigative and forensic skills need improvement over the level required for nonespionage cases. We need to be aware of the techniques that have been and may be used against us. We need to add the ability to elicit information without raising suspicion. We need to recognize when elicitation is attempted and be able to teach our sales, marketing, contracting, and executive personnel to recognize such attempts. We need sources that tell us where elicitation is likely to occur. For example, at this time, the Paris Air Show is considered the number-one economic espionage event in the world.

We need to be able to raise the awareness of our companies regarding the perceived threat and real examples from industry that support those perceptions. Ensure that you brief the procurement department. Establish preferences for products from countries not active in economic espionage. When you must use a product from a country active in economic espionage, attempt to negotiate an indemni?cation against loss. Have procurement add requirements that partners/suppliers provide proof of background investigations, particularly if individuals will be on site.

Management and procurement should be advised that those partners with intent to commit economic espionage are likely to complain to management that the controls are too restrictive, that they cannot do their jobs, or that their contract requires extraordinary access. You should counter these objectives before they occur by fully informing management and procurement about awareness, concerns, and measures to be taken. The measures should be applied to all suppliers/partners. Ensure that these complaints and issues will be handed over to you for an of?cial response. Treat each one individually and ask for speci?cs rather than generalities.

If procurement has negotiated a contract that commits the company to extraordinary access, your challenge is greater. Procurement may insist that you honor their contract. At this time you will discover where security stands in the company’s pecking order. A stance you can take is, “Your negotiated contract does not and cannot relieve me of my obligation to protect the information assets of this corporation.” It may mean that the company has to pay penalties or go back to the negotiating table. You should not have to sacri?ce the security of the company’s information assets to save procurement some embarrassment.

We need to develop sources to follow developments in economic espionage in industries and businesses similar to ours. Because we are unlikely to have access to de?nitive sources about this kind of information, we need to develop methods to vet the information we ?nd in open sources. The FBI provides advanced warning to security professionals through ANSIR (Awareness of National Security Issues and Responses) systems. Interested security professionals for U.S. corporations should provide their e-mail addresses, positions, com-pany names and addresses, and telephone and fax numbers to ansir@leo.gov. A representative of the nearest ?eld division of?ce will contact you. The FBI has also created InfraGard (http:// www.infragard.net/?eldof-?ce.htm) chapters for law enforcement and corporate security professionals to share experiences and advice.⁹

InfraGard is dedicated to increasing the security of the critical infrastructures of the United States. All InfraGard participants are committed to the proposition that a robust exchange of information about threats to and actual attacks on these infrastructures is an essential element in successful infrastructure protection efforts. The goal of InfraGard is to enable information ?ow so that the owners and operators of infrastructures can better protect themselves and so that the U.S. Government can better discharge its law enforcement and national security responsibilities.

Barriers Encountered in Attempts to Address Economic Espionage

A country is made up of many opposing and cooperating forces. Related to economic espionage, for information security, there are two signi?cant forces. One force champions the businesses of that country. Another force champions the relationships of that country to other countries. Your efforts to protect your company may be hindered by the effect of the opposition of those two forces. This was evident in the ?rst few reports to Congress by the FBI on economic espionage. The FBI was prohibited from listing even the countries that were most active in conducting economic espionage. There is no place in the U.S. Government that you can call to determine if a partner you are considering has a history of economic espionage, or if a software developer has been caught with backdoors, placing Trojans, etc.

You may ?nd that, in many cases, the FBI interprets the phrase information sharing to mean that you share information with them. In one instance, a corporate investigator gave an internal e-mail that was written in Chinese to the FBI, asking that they translate it. This was done to keep the number of individuals involved in the case to a minimum. Unless you know the translator and his background well, you run the risk of asking someone that might have ties to the Chinese to perform the translation. Once the translation was performed, the FBI classi?ed the document as secret and would not give the investigator the translated version until the investigator reasoned with them that he would have to translate the document with an outside source unless the FBI relented.

Part of the problem facing the FBI is that there is no equivalent to a DoD or DoE security clearance for corporate information security personnel. There are signi?cant issues that complicate any attempt to create such a clearance. A typical security clearance background check looks at criminal records. Background inves-tigations may go a step further and check references, interview old neighbors, schoolmates, colleagues, etc. The most rigorous clearance checks include viewing bank records, credit records, and other signs of ?scal responsibility. They may include a psychological evaluation. They are not permitted to include issues of national origin or religion unless the United States is at war with a particular country. In those cases, the DoD has granted the clearance but placed the individuals in positions that would not create a con?ict of interest. In practice, this becomes impossible. Do you share information about all countries and religious groups engaging in economic espionage, except for those to which the security of?cer may have ties? Companies today cannot ask those questions of its employees. Unfortunately, unless a system of clearances is devised, the FBI will always be reluctant to share information, and rightfully so. Another aspect of the problem facing the FBI today is the multinational nature of corporations today. What exactly is a U.S. corporation? Many companies today were conceived in foreign countries but established their corporate headquarters in the United States, ostensibly to improve their competitiveness in the huge U.S. marketplace. What of U.S. corporations that are wholly owned by foreign corporations? Should they be entitled to assistance, to limited assistance, or to no assistance? If limited assistance, how are the limits determined?

Within your corporation there are also opposing and cooperating forces. One of the most obvious is the con?ict between marketing/sales and information security. In many companies, sales and marketing personnel are the most highly paid and in?uential people in the company. They are, in most cases, paid largely by commission. This means that if they do not make the sale, they do not get paid. They are sometimes tempted to give the potential customer anything they want, in-depth tours of the plant, details on the manufacturing process, etc., in order to make the sale. Unless you have a well-established and accepted information protection guide that clearly states what can and cannot be shared with these potential customers, you will have little support when you try to protect the company.

The marketing department may have such in?uence that they cause your procurement personnel to abandon reason and logic in the selection of critical systems and services. A Canadian company went through a lengthy procurement process for a massive wide area network contract. An RFP was released. Companies responded. A selection committee met and identi?ed those companies that did not meet the RFP requirements. Only those companies that met the RFP requirements were carried over into the ?nal phase of the selection process. At this point, marketing intervened and required that procurement re-add two companies to the ?nal selection process — companies that had not met the requirements of the RFP. These two companies purchased high product volumes from this plant. Miracle of miracles, one of the two unquali?ed companies won the contract.

It is one thing for the marketing department to request that existing customers be given some preference from the list of quali?ed ?nalists. It is quite another to require that unquali?ed respondents be given any consideration.

A product was developed in a country that conducts economic espionage operations against U.S. companies in your industry sector. This product was widely used throughout your company, leaving you potentially vulnerable to exploitation or exposed to a major liability. When the issue was raised, management asked if this particular product had a Trojan or evidence of malicious code. The security of?cer responded, “No, but due to the nature of this product, if it did contain a Trojan or other malicious code, it could be devastating to our company. Because there are many companies that make this kind of product in countries that do not conduct economic espionage in our industry sector, we should choose one of those to replace this one and thus avoid the risk.”

Management’s response was surprising. “Thank you very much, but we are going to stay with this product and spread it throughout the corporation — but do let us know if you ?nd evidence of current backdoors and the like.” One day the security team learned that, just as feared, there had indeed been a backdoor; in fact, several. The news was reported to management. Their response was unbelievable. “Well, have they ?xed it?” The vendor claimed to have ?xed it, but that was not the point. The point was that they had placed the code in the software to begin with, and there was no way to tell if they had replaced the backdoor with another. Management responded, “If they have ?xed the problem, we are going to stay with the product, and that is the end of it. Do not bring this subject up again.” In security you must raise every security concern that occurs with a product, even after management has made up its mind. To fail to do so would set the company up for charges of negligence should a loss occur that relates to that product. “Doesn’t matter; do not raise this subject again.”

So why would management make a decision like this? One possible answer has to do with pressure from marketing and potential sales to that country. Another has to do with embarrassment. Some vice president or director somewhere made a decision to use the product to begin with. They may even have had to fall on a sword or two to get the product they wanted. Perhaps it is because a more powerful director had already chosen this product for his site. This director may have forced the product’s selection as the corporate standard so that staff would not be impacted. One rumor has it that the product was selected as a corporate standard because the individual choosing the standard was being paid a kickback by a relative working for a third-party vendor of the product. If your IT department raises the issue, it runs the risk of embarrassing one or more of these senior managers and incurring their wrath. Your director may feel intimidated enough that he will not even raise the issue.

Even closer to home is the fact that the issue was raised to your management in time to prevent the spread of the questionable product throughout the corporation. Now if the ?ag is raised, someone may question why it was not raised earlier. That blame would fall squarely on your director’s shoulders.

Does it matter that both the vice president and the director have ?duciary responsibility for losses related to these decisions should they occur? Does it matter that their decisions would not pass the prudent man test and thus place them one step closer to being found negligent? No, it does not. The director is accepting the risk — not the risk to the corporation, but the risk that damage might occur during his watch. The vice president probably does not know about the issue or the risks involved but could still be implicated via the concept of respondent superior. The director may think he is protecting the vice president by keeping him out of the loop — the concept of plausible deniability — but the courts have already tackled that one. Senior management is responsible for the actions of those below them, regardless of whether they know about the actions.

Neither of these cases exists if the information security of?cer reports to the CEO. There is only a small opportunity for it to exist if the information security of?cer reports to the CIO. As the position sinks in the management structure, the opportunity for this type of situation increases.

The ?rst time you raise the specter of economic espionage, you may encounter resistance from employees and management. “Our company isn’t like that. We don’t do anything important. No one I know has ever heard of anything like that happening here. People in this community trust one another.”

Some of those who have been given evidence that such a threat does exist have preferred to ignore the threat, for to acknowledge it would require them to divert resources (people, equipment, or money) from their own initiatives and goals. They would prefer to “bet the company” that it would not occur while they are there. After they are gone it no longer matters to them.

When you raise these issues as the information security of?cer, you are threatening the careers of many people — from the people who went along with it because they felt powerless to do anything, to the senior management who proposed it, to the people in between who protected the concept and decisions of upper management in good faith to the company. Without a communication path to the CEO and other of?cers representing the stockholders, you do not have a chance of ful?lling your ?duciary liability to them.

The spy of the future is less likely to resemble James Bond, whose chief assets were his ?sts, than the

Line X engineer who lives quietly down the street and never does anything more violent than turn

a page of a manual or ?ick on his computer.

— Alvin Toffler,

Power Shift: Knowledge, Wealth and Violence at the Edge of the 21st Century

References

War by Other Means, John J. Fialka, W.W. Norton Company, 1997.
Sabotage! The Secret War Against America, Michael Sayers and Albert E. Kahn, Harper & Brothers, 1942, p. 25.
NSA X3 Technical Report X3-TR001–97 Checkpoint Firewall-1 Version 3.0a, Analysis and Pene-tration Test Report.
Letter of reply from David Steinberg, Director, Federal Checkpoint Software, Inc. to Louis F. Giles, Deputy Chief Commercial Solutions & Enabling Technology; 9800 Savage Road Suite 6740, Ft. Meade, MD, dated September 10, 1998.
E-mail from Craig Johnson dated June 3, 1998, containing memo dated Jan 19, 1998, to all U.S. Sales of Checkpoint.
Cyber Wars, Jean Guisnel, Perseus Books, 1997.
War by Other Means, John J Fialka, W.W. Norton Company, 1997, pp. 181–184.

Annual Report to Congress on Foreign Economic Collection and Industrial Espionage — 2000, pre-pared by the National Counterintelligence Center.
Infragard National By-Laws, undated, available online at http://www.infragard.net/applic_ require-ments/natl_bylaws.htm.

Tags: Information Security

Posted in Information Security | No Comments »

Breaking News: The Latest Hacker Attacks and Defenses

Saturday, July 31st, 2010

Ed Skoudis, CISSP

Computer attackers continue to hone their techniques, getting ever better at undermining our systems and networks. As the computer technologies we use advance, these attackers ?nd new and nastier ways to achieve their goals — unauthorized system access, theft of sensitive data, and alteration of information. This chapter explores some of the recent trends in computer attacks and presents tips for securing your systems. To create effective defenses, we need to understand the latest tools and techniques our adversaries are throwing at our networks. With that in mind, we will analyze four areas of computer attack that have received signi?cant attention in the past year or so: wireless LAN attacks, active and passive operating system ?ngerprinting, worms, and snif?ng backdoors.

Wireless LAN Attacks (War Driving)

In the past year, a very large number of companies have deployed wireless LANs, using technology based on the IEEE 802.11b protocol, informally known as Wi-Fi. Wireless LANs offer tremendous bene?ts from a usability and productivity perspective: a user can access the network from a conference room, while sitting in an associate’s cubicle, or while wandering the halls. Unfortunately, wireless LANs are often one of the least secure methods of accessing an organization’s network. The technology is becoming very inexpensive, with a decent access point costing less than U.S.$200 and wireless cards for a laptop or PC costing below U.S.$100. In addition to affordability, setting up an access point is remarkably simple (if security is ignored, that is). Most access points can be plugged into the corporate network and con?gured in a minute by a completely inexperienced user. Because of their low cost and ease of (insecure) use, wireless LANs are in rapid deployment in most networks today, whether upper management or even IT personnel realize or admit it. These wireless LANs are usually completely unsecure because the inexperienced employees setting them up have no idea of or interest in activating security features of their wireless LANs.

In our consulting services, we often meet with CIOs or Information Security Of?cers to discuss issues associated with information security. Given the widespread use of wireless LANs, we usually ask these upper-level managers what their organization is doing to secure its wireless infrastructure. We are often given the answer, “We don’t have to worry about it because we haven’t yet deployed a wireless infrastructure.” After hearing that stock answer, we conduct a simple wireless LAN assessment (with the CIO’s permission, of course). We walk down a hall with a wireless card, laptop, and wireless LAN detection software. Almost always we ?nd renegade, completely unsecure wireless networks in use that were set up by employees outside of formal IT roles. The situation is similar to what we saw with Internet technology a decade ago. Back then, we would ask corporate of?cers what their organizations were doing to secure their Internet gateways. They would say that they did not have one, but we would quickly discover that the organization was laced with homegrown Internet connectivity without regard to security.

Network Stumbling, War Driving, and War Walking

Attackers have taken to the streets in their search for convenient ways to gain access to organizations’ wireless networks. By getting within a few hundred yards of a wireless access point, an attacker can detect its presence and, if the access point has not been properly secured, possibly gain access to the target network. The process of searching for wireless access points is known in some circles as network stumbling. Alternatively, using an automobile to drive around town looking for wireless access points is known as war driving. As you might guess, the phrases war walking and even war biking have been coined to describe the search for wireless access points using other modes of transportation. I suppose it is only a matter of time before someone attempts war hanggliding.

When network stumbling, attackers set up a rig consisting of a laptop PC, wireless card, and antenna for discovering wireless access points. Additionally, a global positioning system (GPS) unit can help record the geographic location of discovered access points for later attack. Numerous software tools are available for this task as well. One of the most popular is NetStumbler (available at www.netstumbler.com), an easy-to-use GUI-based tool written by Marius Milner. NetStumbler runs on Windows systems, including Win95, 98, and 2000, and a PocketPC version called Mini-Stumbler has been released. For UNIX, several war-driving scripts have been released, with Wi-scan (available at www.dis.org/wl/) among the most popular.

This wireless LAN discovery process works because most access points respond, indicating their presence and their services set identi?er (SSID) to a broadcast request from a wireless card. The SSID acts like a name for the wireless access point so that users can differentiate between different wireless LANs in close proximity. However, the SSID provides no real security. Some users think that a dif?cult-to-guess SSID will get them extra security. They are wrong. Even if the access point is con?gured not to respond to a broadcast request for an SSID, the SSIDs are sent in cleartext and can be intercepted.

In a recent war-driving trip in a taxi in Manhattan, an attacker discovered 455 access points in one hour. Some of these access points had their SSIDs set to the name of the company using the access point, gaining the attention of attackers focusing on juicy targets.

After discovering target networks, many attackers will attempt to get an IP address on the network, using the Dynamic Host Con?guration Protocol (DHCP). Most wireless LANs freely give out addresses to anyone asking for them. After getting an address via DHCP, the attacker will attempt to access the LAN itself. Some LANs use the Wired Equivalent Privacy (WEP) protocol to provide cryptographic authentication and con?-dentiality. While WEP greatly improves the security of a wireless LAN, it has some signi?cant vulnerabilities that could allow an attacker to determine an access point’s keys. An attacker can crack WEP keys by gathering a signi?cant amount of traf?c (usually over 500 MB) using a tool such as Airsnort (available at airs-nort.shmoo.com/).

Defending against Wireless LAN Attacks

So, how do you defend against wireless LAN attacks in your environment? There are several levels of security that you could implement for your wireless LAN, ranging from totally unsecure to a strong level of protection. Techniques for securing your wireless LAN include:

Set the SSID to an obscure value. As described above, SSIDs are not a security feature and should not be treated as such. Setting the SSID to an obscure value adds very little from a security perspective. However, some access points can be con?gured to prohibit responses to SSID broadcast requests. If your access point offers that capability, you should activate it.
Use MAC address ?ltering. Each wireless card has a unique hardware-level address called the media access control (MAC) address. A wireless access point can be con?gured so that it will allow traf?c only from speci?c MAC addresses. While this MAC ?ltering does improve security a bit, it is important to note that an attacker can spoof wireless card MAC addresses.
Use WEP, with periodic rekeying. While WEP keys can be broken using Airsnort, the technology signif-icantly improves the security of a wireless LAN. Some vendors even support periodic generation of new WEP keys after a given timeout. If an attacker does crack a WEP key, it is likely that they break the old key, while a newer key is in use on the network. If your access points support dynamic rotating of WEP keys, such as Cisco’s Aironet security solution, activate this feature.
Use a virtual private network (VPN). Because SSID, MAC, and even WEP solutions have various vulnerabilities as highlighted above, the best method for securing wireless LANs is to use a VPN.

VPNs provide end-to-end security without regard to the unsecured wireless network used for trans-porting the communication. The VPN client encrypts all data sent from the PC before it gets sent into the air. The wireless access point simply collects encrypted streams of bits and forwards them to a VPN gateway before they can get access to the internal network. In this way, the VPN ensures that all data is strongly encrypted and authenticated before entering the internal network.

Of course, before implementing these technical solutions, you should establish speci?c policies for the use of wireless LANs in your environment. The particular wireless LAN security policies followed by an organi-zation depend heavily on the need for security in that organization. The following list, which I wrote with John Burgess of Predictive Systems, contains recommended security policies that could apply in many orga-nizations. This list can be used as a starting point, and pared down or built up to meet speci?c needs.

All wireless access points/base stations connected to the corporate network must be registered and approved by the organization’s computer security team. These access points/base stations are subject to periodic penetration tests and audits. Unregistered access points/ base stations on the corporate network are strictly forbidden.
All wireless network interface cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered with the corporate security team.
All wireless LAN access must use corporate-approved vendor products and security con?gurations.
All computers with wireless LAN devices must utilize a corporate-approved virtual private network (VPN) for communication across the wireless link. The VPN will authenticate users and encrypt all network traf?c.
Wireless access points/base stations must be deployed so that all wireless traf?c is directed through a VPN device before entering the corporate network. The VPN device should be con?gured to drop all unauthenticated and unencrypted traf?c.

While the policies listed above ?t the majority of organizations, the policies listed below may or may not ?t, depending on the technical level of employees and how detailed an organizations’ security policy and guidelines are:

The wireless SSID provides no security and should not be used as a password. Furthermore, wireless card MAC addresses can be easily gathered and spoofed by an attacker. Therefore, security schemes should not be based solely on ?ltering wireless MAC addresses because they do not provide adequate protection for most uses.
WEP keys can be broken. WEP may be used to identify users, but only together with a VPN solution.
The transmit power for access points/base stations near a building’s perimeter (such as near exterior walls or top ?oors) should be turned down. Alternatively, wireless systems in these areas could use directional antennas to control signal bleed out of the building.

With these types of policies in place and a suitable VPN solution securing all traf?c, the security of an organization’s wireless infrastructure can be vastly increased.

Active and Passive Operating System Fingerprinting

Once access is gained to a network (through network stumbling, a renegade unsecured modem, or a weakness in an application or ?rewall), attackers usually attempt to learn about the target environment so they can hone their attacks. In particular, attackers often focus on discovering the operating system (OS) type of their targets. Armed with the OS type, attackers can search for speci?c vulnerabilities of those operating systems to maximize the effectiveness of their attacks.

To determine OS types across a network, attackers use two techniques: (1) the familiar, time-tested approach called active OS ?ngerprinting, and (2) a technique with new-found popularity, passive OS ?ngerprinting. We will explore each technique in more detail.

Active OS Fingerprinting

The Internet Engineering Task Force (IETF) de?nes how TCP/IP and related protocols should work. In an ever-growing list of Requests for Comment (RFCs), this group speci?es how systems should respond when speci?c types of packets are sent to them. For example, if someone sends a TCP SYN packet to a listening port, the IETF says that a SYN ACK packet should be sent in response. While the IETF has done an amazing job of de?ning how the protocols we use every day should work, it has not thoroughly de?ned every case of how the protocols should fail. In other words, the RFCs de?ning TCP/IP do not handle all of the meaningless or perverse cases of packets that can be sent in TCP/IP. For example, what should a system do if it receives a TCP packet with the code bits SYN-FIN-URG-PUSH all set? I presume such a packet means to SYNchronize a new connection, FINish the connection, do this URGently, and PUSH it quickly through the TCP stack. That is nonsense, and a standard response to such a packet has not been devised.

Because there is no standard response to this and other malformed packets, different vendors have built their OSs to respond differently to such bizarre cases. For example, a Cisco router will likely send a different response than a Windows NT server for some of these unexpected packets. By sending a variety of malformed packets to a target system and carefully analyzing the responses, an attacker can determine which OS it is running.

An active OS ?ngerprinting capability has been built into the Nmap port scanner (available at www.inse-cure.org/nmap). If the OS detection capability is activated, Nmap will send a barrage of unusual packets to the target to see how it responds. Based on this response, Nmap checks a user-customizable database of known signatures to determine the target OS type. Currently, this database houses over 500 known system types.

A more recent addition to the active OS ?ngerprinting realm is the Xprobe tool by Fyodor Yarochkin and O?r Arkin. Rather than manipulating the TCP code bit options like Nmap, Xprobe focuses exclusively on the Internet Control Message Protocol (ICMP). ICMP is used to send information associated with an IP-based network, such as ping requests and responses, port unreachable messages, and instructions to quench the rate of packets sent. Xprobe sends between one and four specially crafted ICMP messages to the target system. Based on a very carefully constructed logic tree on the sending side, Xprobe can determine the OS type. Xprobe is stealthier than the Nmap active OS ?ngerprinting capability because it sends far fewer packets.

Passive OS Fingerprinting

While active OS ?ngerprinting involves sending packets to a target and analyzing the response, passive OS ?ngerprinting does not send any traf?c while determining a target’s OS type. Instead, passive OS ?ngerprinting tools include a sniffer to gather data from a network. Then, by analyzing the particular packet settings captured from the network and consulting a local database, the tool can determine what OS type sent that traf?c. This technique is far stealthier than active OS ?ngerprinting because the attacker sends no data to the target machine. However, the attacker must be in a position to analyze traf?c sent from the target system, such as on the same LAN or on a network where the target frequently sends packets.

One of the best passive OS ?ngerprinting tools is p0f (available at www.stearns.org/p0f/), originally written by Michal Zalewski and now maintained by William Stearns. P0f determines the OS type by analyzing several ?elds sent in TCP and IP traf?c, including the rounded-up initial time-to-live (TTL), window size, maximum segment size, don’t fragment ?ag, window scaling option, and initial packet size. Because different OSs set these initial values to varying levels, p0f can differentiate between 149 different system types.

Defending against Operating System Fingerprinting

To minimize the impact an attacker can have using knowledge of your OS types, you should have a de?ned program for noti?cation, testing, and implementation of system patches. If you keep your systems patched with the latest security ?xes, an attacker will be far less likely to compromise your machines even if they know which OS you are running. One or more people in your organization should have assigned tasks of monitoring vendor bulletins and security lists to determine when new patches are released. Furthermore, once patches are identi?ed, they should be thoroughly but quickly tested in a quality assurance environment. After the full functionality of the tested system is veri?ed, the patches should be rolled into production.

While a solid patching process is a must for defending your systems, you may also want to analyze some of the work in progress to defeat active OS ?ngerprinting. Gaël Roualland and Jean-Marc Saffroy wrote the IP personality patch for Linux systems, available at ippersonality.sourceforge.net/. This tool allows a system administrator to con?gure a Linux system running kernel version 2.4 so that it will have any response of the administrator’s choosing for Nmap OS detection. Using this patch, you could make your Linux machine look like a Solaris system, a Macintosh, or even an old Windows machine during an Nmap scan. Although you may

not want to put such a patch onto your production systems due to potential interference with critical processes, the technique is certainly worth investigating.

To foil passive OS ?ngerprinting, you may want to consider the use of a proxy-style ?rewall. Proxy ?rewalls do not route packets, so all information about the OS type transmitted in the packet headers is destroyed by the proxy. Proxy ?rewalls accept a connection from a client, and then start a new connection to the server on behalf of that client. All packets on the outside of the ?rewall will have the OS ?ngerprints of the ?rewall itself. Therefore, the OS type of all systems inside the ?rewall will be masked. Note that this technique does not work for most packet ?lter ?rewalls because packet ?lters route packets and, therefore, transmit the ?ngerprint information stored in the packet headers.

Recent Worm Advances

A computer worm is a self-replicating computer attack tool that propagates across a network, spreading from vulnerable system to vulnerable system. Because they use one set of victim machines to scan for and exploit new victims, worms spread on an exponential basis. In recent times, we have seen a veritable zoo of computer worms with names like Ramen, L10n, Cheese, Code Red, and Nimda. New worms are being released at a dizzying rate, with a new generation of worm hitting the Internet every two to six months. Worm developers are learning lessons from the successes of each generation of worms and expanding upon them in subsequent attacks. With this evolutionary loop, we are rapidly approaching an era of super-worms. Based on recent advances in worm functions and predictions for the future, we will analyze the characteristics of the coming super-worms we will likely see in the next six months.

Rapidly Spreading Worms

Many of the worms released in the past decade have spread fairly quickly throughout the Internet. In July 2001, Code Red was estimated to have spread to 250,000 systems in about six hours. Fortunately, recent worms have had rather inef?cient targeting mechanisms, a weakness that actually impeded their speeds. By randomly generating addresses and not taking into account the accurate distribution of systems in the Internet address space, these worms often wasted time looking for nonexistent systems or scanning machines that were already conquered.

After Code Red, several articles appeared on the Internet describing more ef?cient techniques for rapid worm distribution. These articles, by Nicholas C. Weaver and the team of Stuart Staniford, Gary Grim, and Roelof Jonkman, described the hypothetical Warhol and Flash worms, which theoretically could take over all vulnerable systems on the Internet in 15 minutes or even less. Warhol and Flash, which are only mathematical models and not actual worms (yet), are based on the idea of fast-forwarding through an exponential spread. Looking at a graph of infected victims over time for a conventional worm, a hockey-stick pattern appears. Things start out slowly as the initial victims succumb to the worm. Only after a critical mass of victims succumbs to the attack does the worm rapidly spread. Warhol and Flash jump past this initial slow spread by prescanning the Internet for vulnerable systems. Through automated scanning techniques from static machines, an attacker can ?nd 100,000 or more vulnerable systems before ever releasing the worm. The attacker then loads these known vulnerable addresses into the worm. As the worm spreads, the addresses of these prescanned vulnerable systems would be split up among the segments of the worm propagating across the network. By using this initial set of vulnerable systems, an attacker could easily infect 99 percent of vulnerable systems on the Internet in less than an hour. Such a worm could conquer the Internet before most people have even heard of the problem.

Multi-Platform Worms

The vast majority of worms we have seen to date focused on a single platform, often Windows or Linux. For example, Nimda simply ripped apart as many Microsoft products as it could, exploiting Internet Explorer, the IIS Web server, Outlook, and Windows ?le sharing. While it certainly was challenging, Nimda’s Windows-centric approach actually limited its spread. The security community implemented defenses by focusing on repairing Windows systems. while single-platform worms can cause trouble, be on the lookout for worms that are far less discriminating from a platform perspective. New worms will contain exploits for Windows, Solaris, Linux, BSD, HP-UX, AIX, and other operating systems, all built into a single worm. Such worms are even more dif?cult to eradicate because security personnel and system administrators will have to apply patches in a coordinated fashion to many types of machines. The defense job will be more complex and require more time, allowing the worm to cause more damage.

Morphing and Disguised Worms

Recent worms have been relatively easy to detect. Once spotted, the computer security community has been able to quickly determine their functionalities. Once a worm has been isolated in the lab, some brilliant folks have been able to rapidly reverse-engineer each worm’s operation to determine how best to defend against it.

In the very near future, we will face new worms that are far stealthier and more dif?cult to analyze. We will see polymorphic worms, which change their patterns every time they run and spread to a new system. Detection becomes more dif?cult because the worm essentially recodes itself each time it runs. Additionally, these new worms will encrypt or otherwise obscure much of their own payloads, hiding their functionalities until a later time. Reverse-engineering to determine the worm’s true functions and purpose will become more dif?cult because investigators will have to extract the crypto keys or overcome the obfuscation mechanisms before they can really ?gure out what the worm can do. This time lag for the analysis will allow the worm to conquer more systems before adequate defenses are devised.

Zero-Day Exploit Worms

The vast majority of worms encountered so far are based on old, off-the-shelf exploits to attack systems. Because they have used old attacks, a patch has been readily available for administrators to ?x their machines quickly after infection or to prevent infection in the ?rst place. Using our familiar example, Code Red exploited systems using a ?aw in Microsoft’s IIS Web server that had been known for over a month and for which a patch had already been published.

In the near future, we are likely going to see a worm that uses brand-new exploits for which no patch exists. Because they are brand new, such attacks are sometimes referred to as zero-day exploits. New vulnerabilities are discovered practically every day. Oftentimes, these problems are communicated to a vendor, who releases a patch. Unfortunately, these vulnerabilities are all — too easy to discover, and it is only a matter of time before a worm writer discovers a major hole and ?rst devises a worm that exploits it. Only after the worm has propagated across the Internet will the computer security community be capable of analyzing how it spreads so that a patch can be developed.

More Damaging Attacks

So far, worms have caused damage by consuming resources and creating nuisances. The worms we have seen to date have not really had a malicious payload. Once they take over hundreds of thousands of systems, they simply continue to spread without actually doing something nasty. Do not get me wrong; ?ghting Code Red and Nimda consumed much time and many resources. However, these attacks did not really do anything beyond simply consuming resources.

Soon, we may see worms that carry out some plan once they have spread. Such a malicious worm may be released in conjunction with a terrorist attack or other plot. Consider a worm that rapidly spreads using a zero-day exploit and then deletes the hard drives of ten million victim machines. Or, perhaps worse, a worm could spread and then transfer the ?nancial records of millions of victims to a country’s adversaries. Such scenarios are not very far-fetched, and even nastier ones could be easily devised.

Worm Defenses

All of the pieces are available for a moderately skilled attacker to create a truly devastating worm. We may soon see rapidly spreading, multi-platform, morphing worms using zero-day exploits to conduct very damaging attacks. So, what can you do to get ready? You need to establish both reactive and proactive defenses.

Incident Response Preparation

From a reactive perspective, your organization must establish a capability for determining when new vulner-abilities are discovered, as well as rapidly testing patches and moving them into production. As described above, your security team should subscribe to various security mailing lists, such as Bugtraq (available at www.secu-rityfocus.com), to help alert you to such vulnerabilities and the release of patches. Furthermore, you must create an incident response team with the skills and resources necessary to discover and contain a worm attack.

Vigorously Patch and Harden Your Systems

From the proactive side, your organization must carefully harden your systems to prevent attacks. For each platform type, your organization should have documentation describing to system administrators how to build the machine to prevent attacks. Furthermore, you should periodically test your systems to ensure they are secure.

Block Unnecessary Outbound Connections

Once a worm takes over a system, it attempts to spread by making outgoing connections to scan for other potential victims. You should help stop worms in their tracks by severely limiting all outgoing connections on your publicly available systems (such as your Web, DNS, e-mail, and FTP servers). You should use a border router or external ?rewall to block all outgoing connections from such servers, unless there is a speci?c business need for outgoing connections. If you do need some outgoing connections, allow them only to those IP addresses that are absolutely critical. For example, your Web server needs to send responses to users requesting Web pages, of course. But does your Web server ever need to initiate connections to the Internet? Likely, the answer is no. So, do yourself and the rest of the Internet a favor by blocking such outgoing connections from your Internet servers.

Nonexecutable System Stack Can Help Stop Some Worms

In addition to overall system hardening, one particular step can help stop many worms. A large number of worms utilize buffer over?ow exploits to compromise their victims. By sending more data than the program developer allocated space for, a buffer over?ow attack allows an attacker to get code entered as user input to run on the target system. Most operating systems can be inoculated against simple stack-based buffer over?ow exploits by being con?gured with nonexecutable system stacks. Keep in mind that nonexecutable stacks can break some programs (so test these ?xes before implementing them), and they do not provide a bulletproof shield against all buffer over?ow attacks. Still, preventing the execution of code from the stack will stop a huge number of both known and as-yet-undiscovered vulnerabilities in their tracks. Up to 90 percent of buffer over?ows can be prevented using this technique. To create a nonexecutable stack on a Linux system, you can use the free kernel patch at www.openwall.com/linux. On a Solaris machine, you can con?gure the system to stop execution of code from the stack by adding the following lines to the/etc/system ?le:

set noexec_user_stack = 1
set noexec_user_stack_log = 1

On a Windows NT/2000 machine, you can achieve the same goal by deploying the commercial program SecureStack, available at www.securewave.com.

Snif?ng Backdoors

Once attackers compromise a system, they usually install a backdoor tool to allow them to access the machine repeatedly. A backdoor is a program that lets attackers access the machine on their own terms. Normal users are required to type in a password or use a cryptographic token; attackers use a backdoor to bypass these normal security controls. Traditionally, backdoors have listened on a TCP or UDP port, silently waiting in the background for a connection from the attacker. The attacker uses a client tool to connect to these backdoor servers on the proper TCP or UDP port to issue commands.

These traditional backdoors can be discovered by looking at the listening ports on a system. From the command prompt of a UNIX or Windows NT/2000/XP machine, a user can type “netstat-na” to see which TCP and UDP ports on the local machine have programs listening on them. Of course, normal usage of a machine will cause some TCP and UDP ports to be listening, such as TCP port 80 for Web servers, TCP port 25 for mail servers, and UDP port 53 for DNS servers. Beyond these expected ports based on speci?c server

Sniffer listens for traffic DNS

destined for the WWW server

World Wide Web

Firewall

EXHIBIT 13.1 A promiscuous snif?ng backdoor.

types, a suspicious port turned up by the netstatcommand could indicate a backdoor listener. Alternatively, a system or security administrator could remotely scan the ports of the system, using a port-scanning tool such as Nmap (available at www.insecure.org/nmap). If Nmap’s output indicates an unexpected listening port, an attacker may have installed a backdoor.

Because attackers know that we are looking for their illicit backdoors listening on ports, a major trend in the attacker community is to avoid listening ports altogether for backdoors. You may ask, “How can they communicate with their backdoors if they aren’t listening on a port?” To accomplish this, attackers are integrating snif?ng technology into their backdoors to create snif?ng backdoors. Rather than con?guring a process to listen on a port, a snif?ng backdoor uses a sniffer to grab traf?c from the network. The sniffer then analyzes the traf?c to determine which packets are supposed to go to the backdoor. Instead of listening on a port, the sniffer employs pattern matching on the network traf?c to determine what to scoop up and pass to the backdoor. The backdoor then executes the commands and sends responses to the attacker. An excellent example of a snif?ng backdoor is the Cd00r program written by FX. Cd00r is available at http://www. phenoelit.de/stuff/ cd00r.c.

There are two general ways of running a snif?ng backdoor, based on the mode used by the sniffer program to gather traf?c: the so-called nonpromiscuous and promiscuous modes. A sniffer that puts an Ethernet interface in promiscuous mode gathers all data from the LAN without regard to the actual destination address of the traf?c. If the traf?c passes by the interface, the Ethernet card in promiscuous mode will suck in the traf?c and pass it to the backdoor. Alternatively, a nonpromiscuous sniffer gathers traf?c destined only for the machine on which the sniffer runs. Because these differences in sniffer types have signi?cant implications on how attackers can use snif?ng backdoors, we will explore nonpromiscuous and promiscuous backdoors separately below.

Nonpromiscuous Snif?ng Backdoors

As their name implies, nonpromiscuous snif?ng backdoors do not put the Ethernet interface into promiscuous mode. The sniffer sees only traf?c going to and from the single machine where the snif?ng backdoor is installed. When attackers use a nonpromiscuous snif?ng backdoor, they do not have to worry about a system adminis-trator detecting the interface in promiscuous mode.

In operation, the nonpromiscuous backdoor scours the traf?c going to the victim machine looking for speci?c ports or other ?elds (such as a cryptographically derived value) included in the traf?c. When the special traf?c is detected, the backdoor wakes up and interacts with the attacker.

Promiscuous Snif?ng Backdoors

By putting the Ethernet interface into promiscuous mode to gather all traf?c from the LAN, promiscuous snif?ng backdoors can make an investigation even more dif?cult. To understand why, consider the scenario shown in Exhibit 13.1. This network uses a tri-homed ?rewall to separate the DMZ and internal network from the Internet. Suppose an attacker takes over the Domain Name System (DNS) server on the DMZ and installs a promiscuous snif?ng backdoor. Because this backdoor uses a sniffer in promiscuous mode, it can gather all traf?c from the LAN. The attacker con?gures the snif?ng backdoor to listen in on all traf?c with a destination address of the Web server (not the DNS server) to retrieve commands from the attacker to execute. In our scenario, the attacker does not install a backdoor or any other software on the Web server. Only the DNS server is compromised.

Now the attacker formulates packets with commands for the backdoor. These packets are all sent with a destination address of the Web server (not the DNS server). The Web server does not know what to do with these commands, so it will either discard them or send a RESET or related message to the attacker. However, the DNS server with the snif?ng backdoor will see the commands on the LAN. The sniffer will gather these commands and forward them to the backdoor where they will be executed. To further obfuscate the situation, the attacker can send all responses from the backdoor using the spoofed source address of the Web server.

Given this scenario, consider the dilemma faced by the investigator. The system administrator or an intrusion detection system complains that there is suspicious traf?c going to and from the Web server. The investigator conducts a detailed and thorough analysis of the Web server. After a painstaking process to verify the integrity of the applications, operating system programs, and kernel on the Web server machine, the investigator determines that this system is intact. Yet backdoor commands continue to be sent to this machine. The investigator would only discover what is really going on by analyzing other systems connected to the LAN, such as the DNS server. The investigative process is signi?cantly slowed down by the promiscuous snif?ng backdoor.

Defending against Snif?ng Backdoor Attacks

It is important to note that the use of a switch on the DMZ network between the Web server and DNS server does not eliminate this dilemma. As described in Chapter 11, attackers can use active sniffers to conduct ARP cache poisoning attacks and successfully sniff a switched environment. An active sniffer such as Dsniff (available at http://www.monkey.org/~dugsong/dsniff/) married to a snif?ng backdoor can implement this type of attack in a switched environment.

So if a switch does not eliminate this problem, how can you defend against this kind of attack? First, as with most backdoors, system and security administrators must know what is supposed to be running on their systems, especially processes running with root or system-level privileges. Keeping up with this information is not a trivial task, but it is especially important for all publicly available servers such as systems on a DMZ. If a security or system administrator notices a new process running with escalated privileges, the process should be investigated immediately. Tools such as lsof for UNIX (available at ftp://vic.cc.purdue.edu/pub/tools/ unix/lsof/) or Inzider for Windows NT/2000 (available at http://ntsecurity. nu/toolbox/inzider/) can help to indicate the ?les and ports used by any process. Keep in mind that most attackers will not name their backdoors “cd00r” or “backdoor,” but instead will use less obvious names to camou?age their activities. In my experience, attackers like to name their backdoors “SCSI” or “UPS” to prevent a curious system administrator from questioning or shutting off the attackers’ processes.

Also, while switches do not eliminate attacks with sniffers, a switched environment can help to limit an attacker’s options, especially if it is carefully con?gured. For your DMZs and other critical networks, you should use a switch and hard-code all ARP entries in each host on the LAN. Each system on your LAN has an ARP cache holding information about the IP and MAC addresses of other machines on the LAN. By hard-coding all ARP entries on your sensitive LANs so that they are static, you minimize the possibility of ARP cached poisoning. Additionally, implement port-level security on your switch so that only speci?c Ethernet MAC addresses can communicate with the switch.

Conclusions

The computer underground and information security research ?elds remain highly active in re?ning existing methods and de?ning completely new ways to attack and compromise computer systems. Advances in our networking infrastructures, especially wireless LANs, are not only giving attackers new avenues into our systems, but they are also often riddled with security vulnerabilities. With this dynamic environment, defending against attacks is certainly a challenge. However, these constantly evolving attacks can be frustrating and exciting at the same time, while certainly providing job security to solid information security practitioners. While we need to work diligently in securing our systems, our reward is a signi?cant intellectual challenge and decent employment in a challenging economy.

Tags: Information Security

Posted in Information Security | No Comments »

Social Engineering: The Forgotten Risk

Saturday, July 31st, 2010

John Berti, CISSP and Marcus Rogers, Ph.D., CISSP

Information security practitioners are keenly aware of the major goals of information technology: availability, integrity, and con?dentiality (the AIC triad). However, none of these goals is attainable if there is a weak link in the defense or security “chain.” It has often been said that with information security, one is only as strong as one’s weakest link. When we think of information and information technology security, we tend to focus collective attention on certain technical areas of this security chain. There are numerous reference sources available to information security practitioners that describe the latest operating system, application, or hard-ware vulnerabilities. Many companies have built their business plans and are able to survive based on being the ?rst to discover these vulnerabilities and then provide solutions to the public and to the vendors themselves. It is quite obvious that the focus of the security industry has been primarily on the hardware, software, ?rmware, and the technical aspects of information security.

The security industry seems to have forgotten that computers and technology are merely tools, and that it is the human who is using, con?guring, installing, implementing, and abusing these tools. Information security is more than just implementing a variety of technologically complex controls. It also encompasses dealing with the behavior or, more appropriately, the misbehavior of people. To be effective, information security must also address vulnerabilities within the “wetware,” a term used to describe “people.” One can spend all the money and effort one wants on technical controls and producing better, more secure code, but all of this is moot if our people give away the “keys to the kingdom.” Recent research on network attacks clearly indicates that this is exactly what people are doing — albeit unintentionally. We seem to have done a good job instilling the notions of teamwork and cooperation in our workplace. So much so that in our eagerness to help out, we are falling prey to unscrupulous people who gain unauthorized access into systems through attacks categorized as “social engineering.”

This chapter attempts to shed some light on social engineering by examining how this attack works, what are the common methods used, and how we can mitigate the risk of social engineering by proper education, awareness training, and other controls. This is not intended to be a “how-to” chapter, but rather a discussion of some of the details of this type of attack and how to prevent becoming a victim of social engineering. None of this information is secret; it is already well-known to certain sectors of society. Therefore, it is also important for information security professionals to be aware of social engineering and the security controls to mitigate the risk.

De?ning Social Engineering

To understand what social engineering is, it is ?rst important to clearly de?ne what is being discussed. The term “social engineering” is not a new term. It comes from the ?eld of social control. Social engineering can refer to the process of rede?ning a society — or more correctly, an engineering society — to achieve some desired outcome. The term can also refer to the process of attempting to change people’s behavior in a predictable manner, usually in order to have them comply with some new system. It is the latter social

psychological de?nition of social engineering that is germane to this discussion. For our purposes, social engineering will refer to:

Successful or unsuccessful attempts to in?uence a person(s) into either revealing information or

acting in a manner that would result in unauthorized access, unauthorized use, or unauthorized

disclosure, to an information system, network or data.

From de?nition, social engineering is somewhat synonymous with conning or deceiving someone. Using deception or conning a person is nothing new in the ?eld of criminal activity; and despite its longevity, this kind of behavior is still surprisingly effective.

It would be very interesting at this point to include some information on the apparent size of the social engineering problem. Unfortunately, there is very little data to use for this purpose. Despite the frequent references to social engineering in the information security ?eld, there has not been much direct discussion of this type of attack. The reasons for this vary; some within the ?eld have suggested that social engineering attacks the intelligence of the victim and, as such, there is a reluctance to admit that it has occurred. Despite this reluctance, some of the most infamous computer criminals have relied more on social engineering to perpetrate their crimes than on any real technical ability. Why spend time researching and scanning systems looking for vulnerabilities and risk being detected when one can simply ask someone for a password to gain access? Most computer criminals, or any criminal for that matter, are opportunists. They look for the easy way into a system, and what could be easier than asking someone to let them in.

Why Does Social Engineering Work?

The success of social engineering attacks is primarily due to two factors: basic human nature and the business environment.

Human Nature

Falling victim to a social engineering attack has nothing to do with intelligence, and everything to do with being human, being somewhat naïve, and not having the proper mind set and training to deal with this type of attack. People, for the most part, are trusting and cooperative by nature. The ?eld of social psychology has studied human interactions, both in groups and individually. These studies have concluded that almost anyone who is put in the right situation and who is dealing with a skilled person can be in?uenced to behave in a speci?c manner or divulge information he or she usually would not in other circumstances. These studies have also found that people who are in authority, or have the air of being in authority, easily intimidate other people.

For the most part, social engineering deals with individual dynamics as opposed to group dynamics, as the primary targets are help desks and administrative or technical support people, and the interactions are usually one-on-one but not necessarily face-to-face (i.e., the relationship is usually virtual in nature, either by phone or online). As discussed in this chapter, attackers tend to seek out individuals who display signs of being susceptible to this psychological attack.

Business Environment

Combined with human nature, the current business trend of mergers and acquisitions, rapid advances in technology, and the proliferation of wide area networking has made the business environment conducive to social engineering. In today’s business world it is not uncommon to have never met the people one deals with on a regular basis, including those from one’s own organization, let alone suppliers, vendors, and customers. Face-to-face human interaction is becoming even more rare with the widespread adoption of telecommuting technologies for employees. In today’s marketplace, one can work for an organization and, apart from a few exceptions, rarely set foot in the of?ce. Despite this layer of abstraction we have with people in our working environment, our basic trust in people, including those we have never actually met, has pretty much remained intact.

Businesses and organizations today have also become more service oriented than ever before. Employees are often rated on how well they contribute to a “team” environment, and on the level of service they provide to customers and other departments. It is rare to see a category on an evaluation that measures the degree to which someone used common sense, or whether an employee is conscious of security when performing his

or her duties. This is a paradigm that needs to change in order to deal effectively with the threat of social engineering.

Social Engineering Attacks

Social engineering attacks tend to follow a phased approach and, in most cases, the attacks are very similar to how intelligence agencies in?ltrate their targets.

For the purpose of simplicity, the phases can be categorized as:

Intelligence gathering
Target selection
The attack

Intelligence Gathering

One of the keys to a successful social engineering attack is information. It is surprisingly easy to gather suf?cient information on an organization and its staff in order to sound like an employee of the company, a vendor representative, or in some cases a member of a regulatory or law enforcement body. Organizations tend to put far too much information on their Web sites as part of their marketing strategies. This information often describes or gives clues as to the vendors they may be dealing with, lists phone and e-mail directories, and indicates whether there are branch of?ces and, if so, where they are located. Some organizations even go as far as listing their entire organizational charts on their Web pages. All this information may be nice for potential investors, but it can also be used to lay the foundation for a social engineering attack.

Poorly thought-out Web sites are not the only sources of open intelligence. What organizations throw away can also be a source of important information. Going through an organization’s garbage (also known as dumpster diving) can reveal invoices, correspondence, manuals, etc. that can assist an attacker in gaining important information. Several convicted computer criminals confessed to dumpster diving to gather information on their targets.

The attacker’s goal at this phase is to learn as much information as possible in order to sound like he or she is a legitimate employee, contractor, vendor, strategic partner, or, in some cases, a law enforcement of?cial.

Target Selection

Once the appropriate amount of information is collected, the attacker looks for noticeable weaknesses in the organization’s personnel. The most common target is help desk personnel, as these professionals are trained to give assistance and can usually change passwords, create accounts, re-activate accounts, etc. In some orga-nizations, the help desk function is contracted out to a third party with no real connection to the actual organization. This increases the chances of success, as the contracted third party would usually not know any of the organization’s employees. The goal of most attackers is to either gather sensitive information or to get a foothold into a system. Attackers realize that once they have access, even at a guest level, it is relatively easy to increase their privileges, launch more destructive attacks, and hide their tracks.

Administrative assistants are the next most common victims. This is largely due to the fact that these individuals are privy to a large amount of sensitive information that normally ?ows between members of senior management. Administrative assistants can be used as either an attack point or to gather additional information regarding names of in?uential people in the organization. Knowing the names of the “movers and shakers” in an organization is valuable if there is a need to “name drop.” It is also amazing how many administrative assistants know their executive managers’ passwords. A number of these assistants routinely perform tasks for their managers that require their manager’s account privileges (e.g., updating a spreadsheet, booking appoint-ments in electronic calendars, etc.).

The Attack

The actual attack is usually based on what we would most commonly call a “con.” These are broken down into three categories: (1) attacks that appeal to the vanity or ego of the victim, (2) attacks that take advantage of feelings of sympathy or empathy, and (3) attacks that are based on intimidation.

Ego Attacks

In the ?rst type of attack — ego or vanity attacks — the attacker appeals to some of the most basic human characteristics. We all like to be told how intelligent we are and that we really know what we are doing or how to “?x” the company. Attackers will use this to extract information from their victims, as the attacker is a receptive audience for victims to display how much knowledge they have. The attacker usually picks a victim who feels under-appreciated and is working in a position that is beneath his or her talents. The attacker can usually sense this after only a brief conversation with the individual. Often, attackers using this type of an attack will call several different employees until they ?nd the right one. Unfortunately, in most cases, the victim has no idea that he or she has done anything wrong.

Sympathy Attacks

In the second category of attacks, the attacker usually pretends to be a fellow employee (usually a new hire), a contractor, or a new employee of a vendor or strategic partner who just happens to be in a real jam and needs assistance to get some tasks done immediately. The importance of the intelligence phase becomes obvious here because attackers will have to create some level of trust with the victim that they are who they say they are. This is done by name dropping, using the appropriate jargon, or displaying knowledge of the organization. The attacker pretends that he or she is in a rush and must complete some task that requires access but cannot remember the account name or password, was inadvertently locked out, etc. A sense of urgency is usually part of the scenario because this provides an excuse for circumventing the required procedures that may be in place to regain access if the attacker was truly the individual he or she was pretending to be. It is human nature to sympathize or empathize with who the attacker is pretending to be; thus, in the majority of cases, the requests are granted. If the attacker fails to get the access or the information from one employee, he or she will just keep trying until a sympathetic ear is found, or until he or she realizes that the organization is getting suspicious.

Intimidation Attacks

In the third category, attackers pretend to be authority ?gures, either an in?uential person in the organization or, in some documented cases, law enforcement. Attackers will target a victim several levels within the orga-nization below the level of the individual they are pretending to be. The attacker creates a plausible reason for making some type of request for a password reset, account change, access to systems, or sensitive information (in cases where the attacker is pretending to be a law enforcement of?cial, the scenario usually revolves around some “hush-hush” investigation or national security issue, and the employee is not to discuss the incident). Again, the attackers will have done their homework and pretend to be someone with just enough power to intimidate the victim, but not enough to be either well-known to the victim or implausible for the scenario.¹Attackers use scenarios in which time is of the essence and that they need to circumvent whatever the standard procedure is. If faced with resistance, attackers will try to intimidate their victims into cooperation by threatening sanctions against them.

Mitigating the Risk

Regardless of the type of social engineering attack, the success rate is alarmingly high. Many convicted computer criminals joke about the ease with which they were able to fool their victims into letting them literally “walk” into systems. The risk and impact of social engineering attacks are high. These attacks are often dif?cult to trace and, in some cases, dif?cult to identify. If the attacker has gained access via a legitimate account, in most cases the controls and alarms will never be activated because they have done nothing wrong as far as the system is concerned.

If social engineering is so easy to do, then how do organizations protect themselves against the risks of these attacks? The answer to this question is relatively simple but it entails a change in thinking on behalf of the entire organization. To mitigate the risk of social engineering, organizations need to effectively educate and train their staff on information security threats and how to recognize potential attacks. The control for these attacks can be found in education, awareness, training, and other controls, the discussion of which follows.

Social engineering concentrates on the weakest link in the information security chain — people. The fact that someone could persuade an employee to provide sensitive information means that the most secure systems

become vulnerable. The human part of any information security solution is the most essential. In fact, almost all information security solutions rely on the human element to a large degree. This means that this weakness — the human element — is universal, independent of hardware, software, platform, network, age of equipment, etc.

Many companies spend hundreds of thousands of dollars to ensure effective information security. This security is used to protect what the company regards as its most important assets, including information. Unfortunately, even the best security mechanisms can be bypassed when social engineering techniques are used. Social engineering uses very low-cost and low-technology means to overcome impediments posed by information security measures.

Protection against Social Engineering

To protect ourselves from the threat of social engineering, there must be a basic understanding of information security. In simple terms, information security can be de?ned as the protection of information against unau-thorized disclosure, transfer, modi?cation, or destruction, whether accidental or intentional. In general terms, information security denotes a state that a company reaches when its data and information, systems and services, are adequately protected against any type of threat. Information security protects information from a wide range of threats to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities. Information security is about safeguarding a business money, image, and reputation — and perhaps its very existence.

Protection mechanisms usually fall into three categories, and it is important to note that to adequately protect an organization’s information security assets, regardless of the type of threat, and including social engineering attacks, a combination of all three is required; that is:

Physical security
Logical (technical) security
Administrative security

Information security practitioners have long understood that a balanced approach to information security is required. That “balance” differs from company to company and is based on the system’s vulnerabilities, threats, and information sensitivity, but in most instances will require a combination of all three elements mentioned above. Information security initiatives must be customized to meet the unique needs of the business. That is why it is very important to have an information security program that understands the needs of the corporation and can relate its information security needs to the goals and missions of the organization. Achieving the correct balance means implementing a variety of information security measures that ?t into the three categories above, but implementing the correct balance so as to meet the organization’s security requirements as ef?ciently and cost effectively as possible. Effective information security is the result of a process of identifying an organization’s valued information assets; considering the range of potential risks to those assets; implementing effective policies to those speci?c conditions; and ensuring that those policies are properly developed, implemented, and commu-nicated.

Physical Security

The physical security components are the easiest to understand and, arguably, the easiest to implement. Most people will think of keys, locks, alarms, and guards when they think of physical security. While these are by no means the only security precautions that need to be considered when securing information, they are a logical place to begin. Physical security, along with the other two (logical and administrative), are vital components and fundamental to most information security solutions. Physical security refers to the protection of assets from theft, vandalism, catastrophes, natural disasters, deliberate or accidental damage, and unstable environmental conditions such as electrical, temperature, humidity, and other such related problems. Good physical security requires ef?cient building and facility construction, emergency preparedness, reliable electrical power supplies, reliable and adequate climate control, and effective protection from both internal and external intruders.

Logical (Technical) Security

Logical security measures are those that employ a technical solution to protect the information asset. Examples include ?rewall systems, access control systems, password systems, and intrusion detection systems. These controls can be very effective, but usually rely on human element or interaction to work successfully. As mentioned, it is this human element that can be exploited rather easily.

Administrative Security

Administrative security controls are those that usually involve policies, procedures, guidelines, etc. Adminis-trative security examples include information security policies, awareness programs, and background checks for new employees. These examples are administrative in nature, do not require a logical or technical solution to implement, but they all address the issue of information security.

Coverage

To be effective, information security must include the entire organization — from the top to the bottom, from the managers to the end users. Most importantly, the highest level of management present in any organization must endorse and support the idea and principles of information security. Everyone from top to bottom must understand the security principles involved and act accordingly. This means that high-level management must de?ne, support, and issue the information security policy of the organization, which every person in the organization must then abide by. It also means that upper management must provide appropriate support, in the way of funding and resourcing, for information security. To summarize, a successful information security policy requires the leadership, commitment, and active participation of top-level management.

Critical information security strategies primarily rely on the appropriate and expected conduct on the part of personnel, and secondly on the use of technological solutions. This is why it is critical for all information security programs to address the threat of social engineering.

Securing against Social Engineering Attacks

Policies, Awareness, and Education

Social engineering attacks are very dif?cult to counter. The problem with countering social engineering attacks is that most logical security controls are ineffective as protection mechanisms. Because social engineering attacks target the human element, protective measures need to concentrate on the administrative portion of information security. An effective countermeasure is to have very good, established information security policies that are communicated across the entire organization. Policies are instrumental in forming a “rules of behavior” for employees. The second effective countermeasure is an effective user awareness program. When one com-bines these two administrative information security countermeasure controls effectively, the result is an inte-grated security program that everyone understands and believes is part of his or her own required job duties. From a corporate perspective, it is critical to convey this message to all employees, from top to bottom. The result will be an organization that is more vigilant at all levels, and an organization comprised of individuals who believe they are “contributing” to the well-being of the overall corporation. This is an important perception that greatly contributes to the employee satisfaction level. It also protects from the threat of disgruntled employees, another major concern of information security programs. It may be these disgruntled employees who willingly give sensitive information to unauthorized users, regardless of the social engineering methods.

Most people learn best from ?rst-hand experience. Once it has been demonstrated that each individual is susceptible to social engineering attacks, these individuals tend to be more wary and aware. It is possible to make an organization more immune to social engineering attacks by providing a forum for discussions of other organizations’ experiences.

Continued awareness is also very important. Awareness programs need to be repeated on a regular basis in order to re-af?rm policies regarding social engineering. With today’s technology, it is very easy to set up effective ways to communicate with one’s employees on a regular basis. A good way to provide this type of forum is to

use an intranet Web site that will contain not only the organization’s policies, but also safety tips and infor-mation regarding amusing social engineering stories. Amusing stories tend to get the point across better, especially if one takes into account that people love to hear about other people’s misfortunes.

Recognition of “Good Catches”

Sometimes, the positive approach to recognition is the most effective one. If an employee has done the appropriate thing when it comes to an information security incident, acknowledge the good action and reward him or her appropriately. But do not stop there; let everyone else in the organization know. And as a result, the entire organization’s preparedness will be improved.

Preparedness of Incident Response Teams

All companies should have the capability to deal effectively with what they may consider an incident. An incident can be de?ned as any event that threatens the company’s livelihood. From an information security perspective, dealing with any outside threat (including social engineering) would be considered an incident. The goals of a well-prepared incident response team are to detect potential information security breaches and provide an effective and ef?cient means of dealing with the situation in a manner that reduces the potential impact to the corporation. A secondary but also very important goal would be to provide management with suf?cient information to decide on an appropriate course of action. Having a team in place, comprised of knowledgeable individuals from key areas of the corporation who would be educated and prepared to respond to social engineering attacks, is a key aspect of an effective information security program.

Testing Readiness

Penetration testing is a method of examining the security controls of an organization from an outsider’s point of view. To be effective, it involves testing all controls that prevent, track, and warn of internal and external intrusions. Companies that want to test their readiness against social engineering attacks can use this approach to reveal their weaknesses that may not have been previously evident. One must remember, however, that although penetration testing is one of the best ways to evaluate an organization’s controls, it is only as effective as the efforts of the individuals who are performing the test.

Immediate Noti?cation to Targeted Groups

If someone reports or discovers a social engineering attempt, one must notify personnel in similar areas. It is very important at this point to have a standard process and a quick procedure to do this. This is where a well-prepared incident response team can help. Assuming that a procedure is already in place, the incident response team can quickly deal with the problem and effectively remove it before any damage is done.

Apply Technology Where Possible

Other than making employees aware of the threat and providing guidance on how to handle both co-workers and others asking for information, there are no true solid methods for protecting information and employees from social engineering. However, a few options to consider may be the following:

Trace calls if possible. Tracing calls may be an option, but only if one has the capability and is prepared for it. What one does not want in the midst of an attack is to ask oneself, “how do we trace a call?” Again, be prepared. Have some incident response procedures in place that will allow you to react accordingly in a very ef?cient manner.
Ensure good physical security. As mentioned, good physical security is a must in order to provide ef?cient protection. There are many ways to effectively protect one’s resources using the latest technology. This may mean using methods that employ biometrics or smart cards.
Mark sensitive documents according to data classi?cation scheme. If there is a well-established information classi?cation scheme in place, it may protect one from revealing sensitive information in the event of a social engineering attack. For example, if someone is falling for an attack, and he or she pulls out a document that is marked “con?dential,” it may prevent him or her from releasing that information.

Similarly, if a ?le is electronically marked according to one’s classi?cation schemes, the same would apply.

Conclusion

Social engineering methods, when employed by an attacker, pose a serious threat to the security of information in any organization. There are far too many real-life examples of the success of this type of attack. However, following some of the basic principles of information systems security can mitigate the risk of social engineer-ing. Policies need to be created in order to provide guidelines for the correct handling and release of information considered critical and sensitive within an organization. Information security awareness also plays a critical role. People need to be aware of the threats; and more importantly, they need to know exactly how to react in such an event. Explaining to employees the importance of information security and that there are people who are prepared to try and manipulate them to gain access to sensitive information is a wise ?rst step in any defense plan. Simply forewarning people of possible attacks is often enough to make them alert to be able to spot them and react accordingly. The old saying that “knowledge is power” is true; or in this case, it increases security.

It is far easier to hack people than to hack some technically sound security device such as a ?rewall system. However, it is also takes much less effort to educate and prepare employees so that they can prevent and detect attempts at social engineering than it takes to properly secure that same ?rewall system. Organizations can no longer afford to have people as the weakest link in the information security chain.

Notes

1. CEOs are usually relatively well-known to employees, either from the media or from annual general meetings. Also, most CEOs would not be calling after-hours regarding a forgotten password. On the other hand, their assistant might.

Tags: Information Security

Posted in Information Security | No Comments »

A New Breed of Hacker Tools and Defenses

Saturday, July 31st, 2010

Ed Skoudis, CISSP

The state-of-the-art in computer attack tools and techniques is rapidly advancing. Yes, we still face the tried-and-true, decades-old arsenal of traditional computer attack tools, including denial-of-service attacks, password crackers, port scanners, sniffers, and RootKits. However, many of these basic tools and techniques have seen a renaissance in the past couple of years, with new features and underlying architectures that make them more powerful than ever. Attackers are delving deep into widely used protocols and the very hearts of our operating systems. In addition to their growing capabilities, computer attack tools are becoming increasingly easy to use. Just when you think you have seen it all, a new and easy-to-use attack tool is publicly released with a feature that blows your socks off. With this constant increase in the sophistication and ease of use in attack tools, as well as the widespread deployment of weak targets on the Internet, we now live in the golden age of hacking.

The purpose of this chapter is to describe recent events in this evolution of computer attack tools. To create the best defenses for our computers, one must understand the capabilities and tactics of one’s adversaries. To achieve this goal, this chapter describes several areas of advance among attack tools, including distributed attacks, active snif?ng, and kernel-level RootKits, along with defensive techniques for each type of attack.

Distributed Attacks

One of the primary trends in the evolution of computer attack tools is the movement toward distributed attack architectures. Essentially, attackers are harnessing the distributed power of the Internet itself to improve their attack capabilities. The strategy here is pretty straightforward, perhaps deceptively so given the power of some of these distributed attack tools. The attacker takes a conventional computer attack and splits the work among many systems. With more and more systems collaborating in the attack, the attacker’s chances for success increase. These distributed attacks offer several advantages to attackers, including:

They may be more dif?cult to detect.
They usually make things more dif?cult to trace back to the attacker.
They may speed up the attack, lowering the time necessary to achieve a given result.
They allow an attacker to consume more resources on a target.

So, where does an attacker get all of the machines to launch a distributed attack? Unfortunately, enormous numbers of very weak machines are readily available on the Internet. The administrators and owners of such systems do not apply security patches from the vendors, nor do they con?gure their machines securely, often just using the default con?guration right out of the box. Poorly secured computers at universities, companies of all sizes, government institutions, homes with always-on Internet connectivity, and elsewhere are easy prey for an attacker. Even lowly skilled attackers can take over hundreds or thousands of systems around the globe with ease. These attackers use automated vulnerability scanning tools, including homegrown scripts and freeware tools such as the Nessus vulnerability scanner (http://www.nessus.org), among many others, to scan large swaths of the Internet. They scan indiscriminately, day in and day out, looking to take over vulnerable systems. After taking over a suitable number of systems, the attackers will use these victim machines as part of the distributed attack against another target.

Attackers have adapted many classic computer attack tools to a distributed paradigm. This chapter explores many of the most popular distributed attack tools, including distributed denial-of-service attacks, distributed password cracking, distributed port scanning, and relay attacks.

Distributed Denial-of-Service Attacks

One of the most popular and widely used distributed attack techniques is the distributed denial-of-service (DDoS) attack. In a DDoS attack, the attacker takes over a large number of systems and installs a remotely controlled program called a zombie on each system. The zombies silently run in the background awaiting commands. An attacker controls these zombie systems using a specialized client program running on one machine. The attacker uses one client machine to send commands to the multitude of zombies, telling them to simultaneously conduct some action. In a DDoS attack, the most common action is to ?ood a victim with packets. When all the zombies are simultaneously launching packet ?oods, the victim machine will be suddenly awash in bogus traf?c. Once all capacity of the victim’s communication link is exhausted, no legitimate user traf?c will be able to reach the system, resulting in a denial of service.

The DDoS attack methodology was in the spotlight in February 2000 when several high-pro?le Internet sites were hit with the attack. DDoS tools have continued to evolve, with new features that make them even nastier. The latest generation of DDoS attacks includes extensive spoo?ng capabilities, so that all traf?c from the client to the zombies and from the zombies to the target has a decoy source address. Therefore, when a ?ood begins, the investigators must trace the onslaught back, router hop by router hop, from the victim to the zombies. After rounding up some of the zombies, the investigators must still trace from the zombies to the client, across numerous hops and multiple Internet service providers (ISPs). Furthermore, DDoS tools are employing encryption to mask the location of the zombies. In early generations of DDoS tools, most of the client software included a ?le with a list of network addresses for the zombies. By discovering such a client, an investigation team could quickly locate and eradicate the zombies. With the latest generation of DDoS tools, the list of network addresses at the client is strongly encrypted so that the client does not give away the location of the zombies.

Defenses against Distributed Denial-of-Service Attacks

To defend against any packet ?ood, including DDoS attacks, one must ensure that critical network connections have suf?cient bandwidth and redundancy to eliminate simple attacks. If a network connection is mission critical, one should have at least a redundant T1 connection because all lower connection speeds can easily be ?ooded by an attacker.

While this baseline of bandwidth eliminates the lowest levels of attackers, one must face the fact that one will not be able to buy enough bandwidth to keep up with attackers who have installed zombies on a hundred or thousand systems and pointed them at your system as a target. If one’s system’s availability on the Internet is critical to the business, one must employ additional techniques for handling DDoS attacks. From a techno-logical perspective, one may want to consider traf?c shaping tools, which can help manage the number of incoming sessions so that one’s servers are not overwhelmed. Of course, a large enough cadre of zombies ?ooding one’s connection could even overwhelm traf?c shapers. Therefore, one should employ intrusion detection systems (IDSs) to determine when an attack is underway. These IDSs act as network burglar alarms, listening to the network for traf?c that matches common attack signatures stored in the IDS database. From a procedural perspective, one should have an incident response team on stand-by for such alarms from the IDS. For mission-critical Internet connections, one must have the cell phone and pager numbers for one’s ISP’s own incident response team. When a DDoS attack begins, one’s incident response team must be able to quickly and ef?ciently marshal the forces of the ISP’s incident response team. Once alerted, the ISP can deploy ?lters in their network to block an active DDoS attack upstream.

Distributed Password Cracking

Password cracking is another technique that has been around for many years and is now being leveraged in distributed attacks. The technique is based on the fact that most modern computing systems (such as UNIX and Windows NT) have a database containing encrypted passwords used for authentication. In Windows NT, the passwords are stored in the SAM database. On UNIX systems, the passwords are located in the /etc/passwd or /etc/shadow ?les. When a user logs on to the system, the machine asks the user for a password, encrypts the value entered by the user, and compares the encrypted version of what the user typed with the stored encrypted password. If they match, the user is allowed to log in.

The idea behind password cracking is simple: steal an encrypted password ?le, guess a password, encrypt the guess, and compare the result to the value in the stolen encrypted password ?le. If the encrypted guess matches the encrypted password, the attacker has determined the password. If the two values do not match, the attacker makes another guess. Because user passwords are often predictable combinations of user IDs, dictionary words, and other characters, this technique is often very successful in determining passwords.

Traditional password cracking tools automate the guess-encrypt-compare loop to help determine passwords quickly and ef?ciently. These tools use variations of the user ID, dictionary terms, and brute-force guessing of all possible character combinations to create their guesses for passwords. The better password-cracking tools can conduct hybrid attacks, appending and prepending characters in a brute-force fashion to standard dictio-nary words. Because most passwords are simply a dictionary term with a few special characters tacked on at the beginning or end, the hybrid technique is extremely useful. Some of the best traditional password-cracking tools are L0phtCrack for Windows NT passwords (available at http://www.l0pht.com) and John the Ripper for a variety of password types, including UNIX and Windows NT (available at http://www.openwall.com).

When cracking passwords, speed rules. Tools that can create and check more password guesses in less time will result in more passwords recovered by the attacker. Traditional password cracking tools address this speed issue by optimizing the implementation of the encryption algorithm used to encrypt the guesses. Attackers can gain even more speed by distributing the password-cracking load across numerous computers. To more rapidly crack passwords, attackers will simultaneously harness hundreds or thousands of systems located all over the Internet to churn through an encrypted password ?le.

To implement distributed password cracking, an attacker can use a traditional password-cracking tool in a distributed fashion by simply dividing up the work manually. For example, consider a scenario in which an attacker wants to crack a password ?le with ten encrypted passwords. The attacker could break the ?le into ten parts, each part containing one encrypted password, and then distribute each part to one of ten machines. Each machine runs a traditional password-cracking tool to crack the one encrypted password assigned to that system. Alternatively, the attacker could load all ten encrypted passwords on each of the machines and con?gure each traditional password-cracking tool to guess a different set of passwords, focusing on a different part of a dictionary or certain characters in a brute-force attack.

Beyond manually splitting up the work and using a traditional password-cracking tool, several native distributed password-cracking tools have been released. These tools help to automate the spreading of the workload across several machines and coordinate the computing resources as the attack progresses. Two of the most popular distributed password-cracking tools are Mio-Star and Saltine Cracker, both available at http://packet-storm.securify.com/distributed

Defenses against Distributed Password Cracking

The defenses against distributed password cracking are really the same as those employed for traditional password cracking: eliminate weak passwords from your systems. Because distributed password cracking speeds up the cracking process, passwords need to be even more dif?cult to guess than in the days when nondistributed password cracking ruled. One must start with a policy that mandates users to establish passwords that are greater than a minimum length (such as greater than nine characters) and include numbers, letters, and special characters in each password. Users must be aware of the policy; thus, an awareness program emphasizing the importance of dif?cult-to-guess passwords is key. Furthermore, to help enforce a password policy, one may want to deploy password-?ltering tools on one’s authentication servers. When a user establishes a new password, these tools check the password to make sure it conforms to the password policy. If the password is too short, or does not include numbers, letters, and special characters, the user will be asked to select another password. The pass?lt.dll program included in the Windows NT Resource Kit and the passwd+ program on UNIX systems implement this type of feature, as do several third-party add-on authentication products. One also may want to consider the elimination of standard passwords from very sensitive environments, using token-based access technologies.

Finally, security personnel should periodically run a password-cracking tool against one’s own users’ pass-words to identify the weak ones before an attacker does. When weak passwords are found, there should be a de?ned and approved process for informing users that that they should select a better password. Be sure to get appropriate permissions before conducting in-house password-cracking projects to ensure that manage-ment understands and supports this important security program. Not getting management approval could negatively impact one’s career.

Distributed Port Scanning

Another attack technique that lends itself well to a distributed approach is the port scan. A port is an important concept in the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), two protocols used by the vast majority of Internet services. Every server that receives TCP or UDP traf?c from a network listens on one or more ports. These ports are like little virtual doors on a machine, where packets can go in or come out. The port numbers serve as addresses on a system where the packets should be directed. While an administrator can con?gure a network service to listen on any port, the most common services listen on well-known ports, so that client software knows where to send the packets. Web servers usually listen on TCP port 80, while Internet mail servers listen on TCP port 25. Domain Name Servers listen for queries on UDP port 53. Hundreds of other ports are assigned to various services in RFC 1700, a document available at http:/ /www.ietf.org/rfc.html.

Port scanning is the process of sending packets to various ports on a target system to determine which ports have listening services. It is similar to knocking on the doors of the target system to see which ones are open. By knowing which ports are open on the target system, the attacker has a good idea of the services running on the machine. The attacker can then focus an attack on the services associated with these open ports. Furthermore, each open port on a target system indicates a possible entry point for an attacker. The attacker can scan the machine and determine that TCP port 25 and UDP port 53 are open. This result tells the attacker that the machine is likely a mail server and a DNS server. While there are a large number of traditional port-scanning tools available, one of the most powerful (by far) is the Nmap tool, available at http://www.inse-cure.org.

Because a port scan is often the precursor to a more in-depth attack, security personnel often use IDS tools to detect port scans as an early-warning indicator. Most IDSs include speci?c capabilities to recognize port scans. If a packet arrives from a given source going to one port, followed by another packet from the same source going to another port, followed by yet another packet for another port, the IDS can quickly correlate these packets to detect the scan. This traf?c pattern is shown on the left-hand side of Exhibit 11.1, where port numbers are plotted against source network address. IDSs can easily spot such a scan, and ring bells and whistles (or send an e-mail to an administrator).

Now consider what happens when an attacker uses a distributed approach for conducting the scan. Instead of a barrage of packets coming from a single address, the attacker will con?gure many systems to participate in the scan. Each scanning machine will send only one or two packets and receive the results. By working together, the scanning machines can check all of the interesting ports on the target system and send their result to be correlated by the attacker. An IDS looking for the familiar pattern of the traditional port scan will not detect the attack. Instead, the pattern of incoming packets will appear more random, as shown on the right side of Exhibit 11.1. In this way, distributed scanning makes detection of attacks more dif?cult.

Of course, an IDS system can still detect the distributed port scan by focusing on the destination address (i.e., the place where the packets are going) rather than the source address. If a number of systems suddenly sends packets to several ports on a single machine, an IDS can deduce that a port scan is underway. But the attacker has raised the bar for detection by conducting a distributed scan. If the distributed scan is conducted over a longer period of time (e.g., a week or a month), the chances of evading an IDS are quite good for an attacker. Distributed port scans are also much more dif?cult to trace back to an attacker because the scan comes from so many different systems, none of which are owned by the attacker.

Several distributed port-scanning tools are available. An attacker can use the descriptively named Phpdis-tributedportscanner, which is a small script that can be placed on Web servers to conduct a scan. Whenever attackers take over a PHP-enabled Web server, they can place the script on the server and use it to scan other systems. The attacker interacts with the individual scanning scripts running on the various Web servers using HTTP requests. Because everything is Web based, distributed port scans are quite simple to run. This scanning tool is available at http://www.digitaloffense.net:8000/phpDistributedPortScanner/. Other distributed port scanners tend to be based on a client/server architecture, such as Dscan (available at http://packet-storm.securify.com/distributed) and SIDEN (available at http://siden.sourceforge.net).

Defenses against Distributed Scanning

The best defense against distributed port scanning is to shut off all unneeded services on one’s systems. If a machine’s only purpose is to run a Web server that communicates via HTTP and HTTPS, the system should have only TCP port 80 and TCP port 443 open. If one does not need a mail server running on the same machine as the Web server, one should con?gure the system so that the mail server is deactivated. If the X Window system is not needed on the machine, turn it off. All other services should be shut off, which would close all other ports. One should develop a secure con?guration document that provides a step-by-step process for all system administrators in an organization for building secure servers.

Additionally, one must ensure that IDS probes are kept up-to-date. Most IDS vendors distribute new attack signatures on a regular basis — usually once a month. When a new set of attack signatures is available, one should quickly test it and deploy it on the IDS probes so they can detect the latest batch of attacks.

Relay Attacks

A ?nal distributed attack technique involves relaying information from machine to machine across the Internet to obscure the true source of the attack. As one can expect, most attackers do not want to get caught. By setting up extra layers of indirection between an attacker and the target, the attacker can avoid being apprehended. Suppose an attacker takes over half a dozen Internet-accessible machines located all over the world and wants to attack a new system. The attacker can set up packet redirector programs on the six systems. The ?rst machine will forward any packets received on a given port to the second system. The second system would then forward them to the third system, and so on, until the new target is reached. Each system acts as a link in a relay chain for the attacker’s traf?c. If and when the attack is detected, the investigation team will have to trace the attack back through each relay point before ?nding the attacker.

Attackers often set up relay chains consisting of numerous systems around the globe. Additionally, to further foil investigators, attackers often try to make sure there is a great change in human language and geopolitical relations between the countries where the links of the relay chain reside. For example, the ?rst relay may be in the United States, while the second may be in China. The third could be in India, while the fourth is in Pakistan. Finally, the chain ends in Iran for an attack against a machine back in the United States. At each stage of the relay chain, the investigators would have to contend with dramatic shifts in human language, less-than-friendly relations between countries, and huge law enforcement jurisdictional issues.

Relay attacks are often implemented using a very ?exible tool called Netcat, which is available for UNIX at http://www.l0pht.com/users/10pht/ nc110.tgz, and for Windows NT at http://www.l0pht.com/~weld/netcat/. Another popular tool for creating relays is Redir, located at http:// oh.verio.com/~sammy/hacks.

Defenses against Relay Attacks

Because most of the action in a relay attack occurs outside an organization’s own network, there is little one can do to prevent such attacks. One cannot really stop attackers from bouncing their packets through a bunch of machines before being attacked. One’s best bet is to make sure that systems are secure by applying security patches and shutting down all unneeded services. Additionally, it is important to cooperate with law enforce-ment of?cials in their investigations of such attacks.

Active Snif?ng

Snif?ng is another, older technique that is being rapidly expanded with new capabilities. Traditional sniffers are simple tools that gather traf?c from a network. The user installs a sniffer program on a computer that captures all data passing by the computer’s network interface, whether it is destined for that machine or another system. When used by network administrators, sniffers can capture errant packets to help troubleshoot the network. When used by attackers, sniffers can grab sensitive data from the network, such as passwords, ?les, e-mail, or anything else transmitted across the network.

Traditional Snif?ng

Traditional snif?ng tools are passive; they wait patiently for traf?c to pass by on the network and gather the data when it arrives. This passive technique works well for some network types. Traditional Ethernet, a popular tech-nology used to create a large number of local area networks (LANs), is a broadcast medium. Ethernet hubs are devices used to create traditional Ethernet LANs. All traf?c sent to any one system on the LAN is broadcast to all machines on the LAN. A traditional sniffer can therefore snag any data going between other systems on the same LAN. In a traditional snif?ng attack, the attacker takes over one system on the LAN, installs a sniffer, and gathers traf?c destined for other machines on the same LAN. Some of the best traditional sniffers include Snort (available at http://www.snort.org) and Snif?t (available at http://reptile.rug.ac.be/~coder/snif?t/snif?t.html).

One of the commonly used defenses against traditional sniffers is a switched LAN. Contrary to an Ethernet hub, which acts as a broadcast medium, an Ethernet switch only sends data to its intended destination on the LAN. No other system on the LAN is able to see the data because the Ethernet switch sends the data to its appropriate destination and nowhere else. Another commonly employed technique to foil traditional sniffers is to encrypt data in transit. If the attackers do not have the encryption keys, they will not be able to determine the contents of the data sniffed from the network. Two of the most popular encryption protocols are the Secure Socket Layer (SSL), which is most often used to secure Web traf?c, and Secure Shell (SSH), which is most often used to protect command-line shell access to systems.

Raising the Ante with Active Snif?ng

While the defenses against passive sniffers are effective and useful to deploy, attackers have developed a variety of techniques for foiling them. These techniques, collectively known as active snif?ng, involve injecting traf?c into the network to allow an attacker to grab data that should otherwise be unsniffable. One of the most capable active snif?ng programs available is Dsniff, available at http://www.monkey.org/~dugsong/dsniff/. One can explore Dsniff ’s various methods for snif?ng by injecting traf?c into a network, including MAC address ?ooding, spurious ARP traf?c, fake DNS responses, and person-in-the-middle attacks against SSL.

MAC Addresses Flooding

An Ethernet switch determines where to send traf?c on a LAN based on its media access control (MAC) address. The MAC address is a unique 48-bit number assigned to each Ethernet card in the world. The MAC address indicates the unique network interface hardware for each system connected to the LAN. An Ethernet switch monitors the traf?c on a LAN to learn which plugs on the switch are associated with which MAC addresses. For example, the switch will see traf?c arriving from MAC address AA:BB:CC:DD:EE:FF on plug number one. The switch will remember this information and send data destined for this MAC address only to the ?rst plug on the switch. Likewise, the switch will autodetect the MAC addresses associated with the other network interfaces on the LAN and send the appropriate data to them.

One of the simplest, active snif?ng techniques involves ?ooding the LAN with traf?c that has bogus MAC addresses. The attacker uses a program installed on a machine on the LAN to generate packets with random MAC addresses and feed them into the switch. The switch will attempt to remember all of the MAC addresses as they arrive. Eventually, the switch’s memory capacity will be exhausted with bogus MAC addresses. When their memory ?lls up, some switches fail into a mode where traf?c is sent to all machines connected to the LAN. By using MAC ?ooding, therefore, an attacker can bombard a switch so that the switch will send all traf?c to all machines on the LAN. The attacker can then utilize a traditional sniffer to grab the data from the LAN.

Spurious ARP Traf?c

While some switches fail under a MAC ?ood in a mode where they send all traf?c to all systems on the LAN, other switches do not. During a ?ood, these switches remember the initial set of MAC addresses that were autodetected on the LAN, and utilize those addresses throughout the duration of the ?ood. The attacker cannot launch a MAC ?ood to overwhelm the switch. However, an attacker can still undermine such a LAN by injecting another type of traf?c based on the Address Resolution Protocol (ARP).

ARP is used to map Internet Protocol (IP) addresses into MAC addresses on a LAN. When one machine has data to send to another system on the LAN, it formulates a packet for the destination’s IP address; however, the IP address is just a con?guration setting on the destination machine. How does the sending machine with the packet to deliver determine which hardware device on the LAN to send the packet to? ARP is the answer. Suppose a machine on the LAN has a packet that is destined for IP address 10.1.2.3. The machine with the packet will send an ARP request on the LAN, asking which network interface is associated with IP address

10.1.2.3. The machine with this IP address will transmit an ARP response, saying, in essence, “IP Address

10.1.2.3 is associated with MAC address AA:BB:CC:DD:EE:FF.” When a system receives an ARP response, it stores the mapping of IP address to MAC address in a local table, called the ARP table, for future reference. The packet will then be delivered to the network interface with this MAC address. In this way, ARP is used to convert IP addresses into MAC addresses so that packets can be delivered to the appropriate network interface on the LAN. The results are stored in a system’s ARP table to minimize the need for additional ARP traf?c on the LAN.

ARP includes support for a capability called the “gratuitous ARP.” With a gratuitous ARP, a machine can send an ARP response although no machine sent an ARP request. Most systems are thirsty for ARP entries in their ARP tables, to help improve performance on the LAN. In another form of active snif?ng, an attacker utilizes faked gratuitous ARP messages to redirect traf?c for snif?ng a switched LAN, as shown in Exhibit 11.2. For the exhibit, the attacker’s machine on the LAN is indicated by a black hat.

The steps of this attack, shown in Exhibit 11.2, are:

The attacker activates IP forwarding on the attacker’s machine on the LAN. Any packets directed by the switch to the black-hat machine will be redirected to the default router for the LAN.
The attacker sends a gratuitous ARP message to the target machine. The attacker wants to sniff traf?c sent from this machine to the outside world. The gratuitous ARP message will map the IP address of the default router for the LAN to the MAC address of the attacker’s own machine. The target machine accepts this bogus ARP message and enters it into its ARP table. The target’s ARP table is now poisoned with the false entry.
The target machine sends traf?c destined for the outside world. It consults its ARP table to determine the MAC address associated with the default router for the LAN. The MAC address it ?nds in the ARP table is the attacker’s address. All data for the outside world is sent to the attacker’s machine.
The attacker sniffs the traf?c from the line.
The IP forwarding activated in Step 1 redirects all traf?c from the attacker’s machine to the default router for the LAN. The default router forwards the traf?c to the outside world. In this way, the victim will be able to send traf?c to the outside world, but it will pass through the attacker’s machine to be sniffed on its way out.

This sequence of steps allows the attacker to view all traf?c to the outside world from the target system. Note that, for this technique, the attacker does not modify the switch at all. The attacker is able to sniff the switched LAN by manipulating the ARP table of the victim. Because ARP traf?c and the associated MAC address information are only transmitted across a LAN, this technique only works if the attacker controls a machine on the same LAN as the target system.

Fake DNS Responses

A technique for injecting packets into a network to sniff traf?c beyond a LAN involves manipulating the Domain Name System (DNS). While ARP is used on a LAN to map IP addresses to MAC addresses on a LAN, DNS is used across a network to map domain names into IP addresses. When a user types a domain name into some client software, such as entering www.skoudisstuff.com into a Web browser, the user’s system sends out a query to a DNS server. The DNS server is usually located across the network on a different LAN. Upon receiving the query, the DNS server looks up the appropriate information in its con?guration ?les and sends a DNS response to the user’s machine that includes an IP address, such as 10.22.12.41. The DNS server maps the domain name to IP address for the user.

Attackers can redirect traf?c by sending spurious DNS responses to a client. While there is no such thing as a gratuitous DNS response, an attacker that sits on any network between the target system and the DNS server can sniff DNS queries from the line. Upon seeing a DNS query from a client, the attacker can send a fake DNS response to the client, containing an IP address of the attacker’s machine. The client software on the users’ machine will send packets to this IP address, thinking that it is communicating with the desired server. Instead, the information is sent to the attacker’s machine. The attacker can view the information using a traditional sniffer, and relay the traf?c to its intended destination.

Person-in-the-Middle Attacks against SSL

Injecting fake DNS responses into a network is a particularly powerful technique when it is used to set up a person-in-the-middle attack against cryptographic protocols such as SSL, which is commonly used for secure Web access. Essentially, the attacker sends a fake DNS response to the target so that a new SSL session is established through the attacker’s machine. As highlighted in Exhibit 11.3, the attacker uses a specialized relay tool to set up two cryptographic sessions: one between the client and the attacker, and the other between the attacker and the server. While the data moves between these sessions, the attacker can view it in cleartext.

The steps shown in Exhibit 11.3 include:

The attacker activates Dsniff ’s dnsspoof program, a tool that sends fake DNS responses. Additionally, the attacker activates another Dsniff tool called “webmitm,” an abbreviation for Web Monkey-in-the-Middle. This tool implements a specialized SSL relay.
The attacker observes a DNS query from the victim machine and sends a fake DNS response. The fake DNS response contains the IP address of the attacker’s machine.
The victim receives the DNS response and establishes an SSL session with the IP address included in the response.
The webmitm tool running on the attacker’s machine established an SSL session with the victim machine, and another SSL session with the actual Web server that the client wants to access.
The victim sends data across the SSL connection. The webmitm tool decrypts the traf?c from the SSL connection with the victim, displays it for the attacker, and encrypts the traf?c for transit to the external Web server. The external Web server receives the traf?c, not realizing that a person-in-the-middle attack is occurring.

While this technique is quite effective, it does have one limitation from the attacker’s point of view. When establishing the SSL connection between the victim and the attacker’s machine, the attacker must send the victim an SSL digital certi?cate that belongs to the attacker. To decrypt all data sent from the target, the attacker must use his or her own digital certi?cate, and not the certi?cate from the actual destination Web server. When the victim’s Web browser receives the bogus certi?cate from the attacker, it will display a warning message to the user. The browser will indicate that the certi?cate it was presented by the server was signed by a certi?cate authority that is not trusted by the browser. The browser then gives the user the option of establishing the connection by simply clicking on a button labeled “OK” or “Connect.” Most users do not understand the warning messages from their browsers and will continue the connection without a second thought. The browser will be satis?ed that it has established a secure connection because the user told it to accept the attacker’s certi?cate. After continuing the connection, the attacker will be able to gather all traf?c from the SSL session. In essence, the attacker relies on the fact that trust decisions about SSL certi?cates are left in the hands of the user.

The same basic technique works against the Secure Shell (SSH) protocol used for remote command-shell access. Dsniff includes a tool called sshmitm that can be used to set up a person-in-the-middle attack against SSH. Similar to the SSL attack, Dsniff establishes two SSH connections: one between the victim and the attacker, and another between the attacker and the destination server. Also, just as the Web browser complained about the modi?ed SSL certi?cate, the SSH client will complain that it does not recognize the public key used by the SSH server. The SSH client will still allow the user, however, to override the warning and establish the SSH session so the attacker can view all traf?c.

Defenses against Active Snif?ng Techniques

Having seen how an attacker can grab all kinds of useful information from a network using snif?ng tools, how can one defend against these attacks? First, whenever possible, encrypt data that gets transmitted across the network. Use secure protocols such as SSL for Web traf?c, SSH for encrypted log-in sessions and ?le transfer, S/MIME for encrypted e-mail, and IPSec for network-layer encryption. Users must be equipped to apply these tools to protect sensitive information, both from a technology and an awareness perspective.

It is especially important that system administrators, network managers, and security personnel understand and use secure protocols to conduct their job activities. Never telnet to ?rewall, routers, sensitive servers, or public key infrastructure (PKI) systems! It is just too easy for an attacker to intercept one’s password, which telnet transmits in cleartext. Additionally, pay attention to those warning messages from the browser and SSH client. Do not send any sensitive information across the network using an SSL session created with an untrusted certi?cate. If the SSH client warns that the server public key mysteriously changed, there is need to investigate.

Additionally, one really should consider getting rid of hubs because they are just too easy to sniff through. Although the cost may be higher than hubs, switches not only improve security, but also improve performance. If a complete migration to a switched network is impossible, at least consider using switched Ethernet on critical network segments, particularly the DMZ.

Finally, for networks containing very sensitive systems and data, enable port-level security on your switches by con?guring each switch port with the speci?c MAC address of the machine using that port to prevent MAC ?ooding problems and fake ARP messages. Furthermore, for extremely sensitive networks, such as Internet DMZs, use static ARP tables on the end machines, hard coding the MAC addresses for all systems on the LAN. Port security on a switch and hard-coded ARP tables can be very dif?cult to manage because swapping components or even Ethernet cards requires updating the MAC addresses stored in several systems. For very sensitive networks such as Internet DMZs, this level of security is required and should be implemented.

The Proliferation of Kernel-Level RootKits

Just as attackers are targeting key protocols such as ARP and DNS at a very fundamental level, so too are they exploiting the heart of our operating systems. In particular, a great deal of development is underway on kernel-level RootKits. To gain a better understanding of kernel-level RootKits, one should ?rst analyze their evolu-tionary ancestors, traditional RootKits.

Traditional RootKits

A traditional RootKit is a suite of tools that allows an attacker to maintain superuser access on a system. Once an attacker gets root-level control on a machine, the RootKit lets the attacker maintain that access. Traditional RootKits usually include a backdoor so the attacker can access the system, bypassing normal security controls. They also include various programs to let the attacker hide on the system. Some of the most fully functional traditional RootKits include Linux RootKit 5 (lrk5) and T0rnkit, which runs on Solaris and Linux. Both of these RootKits, as well as many others, are located at http://packetstorm.securify.com/UNIX/penetration/ rootkits.

Traditional RootKits implement backdoors and hiding mechanisms by replacing critical executable programs included in the operating system. For example, most traditional RootKits include a replacement for the /bin/ login program, which is used to authenticate users logging into a UNIX system. A RootKit version of /bin/ login usually includes a backdoor password, known by the attacker, that can be used for root-level access of the machine. The attacker will write the new version of /bin/login over the earlier version, and modify the timestamps and ?le size to match the previous version.

Just as the /bin/login program is replaced to implement a backdoor, most RootKits include Trojan horse replacement programs for other UNIX tools used by system administrators to analyze the system. Many traditional RootKits include Trojan horse replacements for the ls command (which normally shows the contents of a directory). Modi?ed versions of ls will hide the attacker’s tools, never displaying their presence. Similarly, the attackers will replace netstat, a tool that shows which TCP and UDP ports are in use, with a modi?ed version that lies about the ports used by an attacker. Likewise, many other system programs will be replaced, including ifcon?g, du, and ps. All of these programs act like the eyes and ears of a system administrator. The attacker utilizes a traditional RootKit to replace these eyes and ears with new versions that lie about the attacker’s presence on the system.

To detect traditional RootKits, many system administrators employ ?le system integrity checking tools, such as the venerable Tripwire program available at http://www.tripwire.com. These tools calculate cryptographically strong hashes of critical system ?les (such as /bin/login, ls, netstat, ifcon?g, du, and ps) and store these digital ?ngerprints on a safe medium such as a write-protected ?oppy disk. Then, on a periodic basis (usually daily or weekly), the integrity-checking tool recalculates the hashes of the executables on the system and compares them with the stored values. If there is a change, the program has been altered, and the system administrator is alerted.

Kernel-Level RootKits

While traditional RootKits replace critical system executables, attackers have gone even further by implementing kernel-level RootKits. The kernel is the heart of most operating systems, controlling access to all resources,

System with Traditional RootKit System with Kernel-Level RootKit

good	good	good		good
login	ps	ifconfig		tripwire

Kernel			Trojan Kernel Module

such as the disk, system processor, and memory. Kernel-level RootKits modify the kernel itself, rather than manipulating application-level programs like traditional RootKits. As shown on the left side of Exhibit 11.4, a traditional RootKit can be detected because a ?le system integrity tool such as Tripwire can rely on the kernel to let it check the integrity of application programs. When the application programs are modi?ed, the good Tripwire program utilizes the good kernel to detect the Trojan horse replacement programs.

A kernel-level RootKit is shown on the right-hand side of Exhibit 11.4. While all of the application programs are intact, the kernel itself is rotten, facilitating backdoor access by the attacker and lying to the administrator about the attacker’s presence on the system. Some of the most powerful kernel-level RootKits include Knark for Linux available at http://packetstorm. securify.com/UNIX/penetration/rootkits, Plasmoid’s Solaris kernel-level RootKit available at http://www.infowar.co.uk/thc/slkm-1.0.html, and a Windows NT kernel-level RootKit available at http://www.rootkit.com.

While a large number of kernel-level RootKits have been released with a variety of features, the most popular capabilities of these tools include:

Execution redirection. This capability intercepts a call to run a certain application and maps that call to run another application of the attacker’s choosing. Consider a scenario involving the UNIX /bin/login routine. The attacker will install a kernel-level RootKit and leave the /bin/login ?le unaltered. All execution requests for /bin/login (which occur when anyone logs in to the system) will be mapped to the hidden ?le /bin/backdoorlog in. When a user tries to login, the /bin/backdoorlogin program will be executed, containing a backdoor password allowing for root-level access. However, when the system administrator runs a ?le integrity checker such as Tripwire, the standard /bin/login routine is analyzed. Only execution is redirected; one can look at the original ?le /bin/login and verify its integrity. This original routine is unaltered, so the Tripwire hash will remain the same.
File hiding. Many kernel-level RootKits let an attacker hide any ?le in the ?le system. If any user or application looks for the ?le, the kernel will lie and say that the ?le is not present on the machine. Of course, the ?le is still on the system, and the attacker can access it when required.
Process hiding. In addition to hiding ?les, the attacker can use the kernel-level RootKit to hide a running process on the machine.

Each of these capabilities is quite powerful by itself. Taken together, they offer an attacker the ability to completely transform the machine at the attacker’s whim. The system administrator will have a view of the system created by the attacker, with everything looking intact. But in actuality, the system will be rotten to the core, quite literally. Furthermore, detection of kernel-level RootKits is often rather dif?cult because all access to the system relies on the attacker-modi?ed kernel.

Kernel-Level RootKit Defenses

To stop attackers from installing kernel-level RootKits (or traditional RootKits, for that matter), one must prevent the attackers from gaining superuser access on one’s systems in the ?rst place. Without superuser access, an attacker cannot install a kernel-level RootKit. One must con?gure systems securely, disabling all unneeded services and applying all relevant security patches. Hardening systems and keeping them patched are the best preventative means for dealing with kernel-level RootKits.

Another defense involves deploying kernels that do not support loadable kernel modules (LKMs), a feature of some operating systems that allows the kernel to be dynamically modi?ed. LKMs are often used to implement kernel-level RootKits. Linux kernels can be built without support for kernel modules. Unfortunately, Solaris systems up through and including Solaris 8 do not have the ability to disable kernel modules. For critical Linux systems, such as Internet-accessible Web, mail, DNS, and FTP servers, one should build the kernels of such systems without the ability to accept LKMs. One will have eliminated the vast majority of these types of attacks by creating nonmodular kernels.

Conclusions

The arms race between computer defenders and computer attackers continues to accelerate. As attackers devise methods for widely distributed attacks and burrow deeper into our protocols and operating systems, we must work even more diligently to secure our systems. Do not lose heart, however. Sure, the defensive techniques covered in this chapter can be a lot of work. However, by carefully designing and maintaining systems, one can maintain a secure infrastructure.

Tags: Information Security

Posted in Information Security | No Comments »

Hacker Tools and Techniques

Saturday, July 31st, 2010

Ed Skoudis, CISSP

Recent headlines demonstrate that the latest crop of hacker tools and techniques can be highly damaging to an organization’s sensitive information and reputation. With the rise of powerful, easy-to-use, and widely distributed hacker tools, many in the security industry have observed that today is the golden age of hacking. The purpose of this chapter is to describe the tools in widespread use today for compromising computer and network security. Additionally, for each tool and technique described, the chapter presents practical advice on defending against each type of attack.

The terminology applied to these tools and their users has caused some controversy, particularly in the computer underground. Traditionally, and particularly in the computer underground, the term “hacker” is a benign word, referring to an individual who is focused on determining how things work and devising innovative approaches to addressing computer problems. To differentiate these noble individuals from a nasty attacker, this school of thought labels malicious attackers as “crackers.” While hackers are out to make the world a better place, crackers want to cause damage and mayhem. To avoid the confusion often associated with these terms, in this chapter, the terms “system and security administrator” and “security practitioner” will be used to indicate an individual who has a legitimate and authorized purpose for running these tools. The term “attacker” will be used for those individuals who seek to cause damage to systems or who are not authorized to run such tools.

Many of the tools described in this chapter have dual personalities; they can be used for good or evil. When used by malicious individuals, the tools allow a motivated attacker to gain access to a network, mask the fact that a compromise occurred, or even bring down service, thereby impacting large masses of users. When used by security practitioners with proper authorization, some tools can be used to measure the security stance of their own organizations, by conducting “ethical hacking” tests to ?nd vulnerabilities before attackers do.

Caveat

The purpose of this chapter is to explain the various computer underground tools in use today, and to discuss defensive techniques for addressing each type of tool. This chapter is not designed to encourage attacks. Furthermore, the tools described below are for illustration purposes only, and mention in this chapter is not an endorsement. If readers feel compelled to experiment with these tools, they should do so at their own risk, realizing that such tools frequently have viruses or other undocumented features that could damage networks and information systems. Curious readers who want to use these tools should conduct a through review of the source code, or at least install the tools on a separate, air-gapped network to protect sensitive production systems.

General Trends in the Computer Underground

The Smart Get Smarter, and the Rise of the Script Kiddie

The best and brightest minds in the computer underground are conducting probing research and ?nding new vulnerabilities and powerful, novel attacks on a daily basis. The ideas and deep research done by super-smart attackers and security practitioners are being implemented in software programs and scripts. Months of research into how a particular operating system implements its password scheme is being rendered in code, so even a clueless attacker (often called a “script kiddie”) can conduct a highly sophisticated attack with just a point-and-click. Although the script kiddie may not understand the tools’ true function and nuances, most of the attack is automated.

In this environment, security practitioners must be careful not to underestimate their adversaries’ capabil-ities. Often, security and system administrators think of their potential attackers as mere teenage kids cruising the Internet looking for easy prey. While this assessment is sometimes accurate, it masks two major concerns. First, some of these teenage kids are amazingly intelligent, and can wreak havoc on a network. Second, attackers may not be just kids; organized crime, terrorists, and even foreign governments have taken to sponsoring cyberattacks.

Wide Distribution of High-Quality Tools

Another trend in the computing underground involves the widespread distribution of tools. In the past (a decade ago), powerful attack tools were limited to a core group of elites in the computer underground. Today, hundreds of Web sites are devoted to the sharing of tools for every attacker (and security practitioner) on the planet. FAQs abound describing how to penetrate any type of operating system. These overall trends converge in a world where smart attackers have detailed knowledge of undermining our systems, while the not-so-smart attackers grow more and more plentiful. To address this increasing threat, system administrators and security practitioners must understand these tools and how to defend against them. The remainder of this chapter describes many of these very powerful tools in widespread use today, together with practical defensive tips for protecting one’s network from each type of attack.

Network Mapping and Port Scanning

When launching an attack across a TCP/IP network (such as the Internet or a corporate intranet), an attacker needs to know what addresses are active, how the network topology is constructed, and which services are available. A network mapper identi?es systems that are connected to the target network. Given a network address range, the network mapper will send packets to each possible address to determine which addresses have machines.

By sending a simple Internet Control Message Protocol (ICMP) packet to a server (a “ping”), the mapping tool can discover if a server is connected to the network. For those networks that block incoming pings, many of the mapping tools available today can send a single SYN packet to attempt to open a connection to a server. If a server is listening, the SYN packet will trigger an ACK if the port is open, and potentially a “Port Unreachable” message if the port is closed. Regardless of whether the port is open or closed, the response indicates that the address has a machine listening. With this list of addresses, an attacker can re?ne the attack and focus on these listening systems.

A port scanner identi?es open ports on a system. There are 65,535 TCP ports and 65,535 UDP ports, some of which are open on a system, but most of which are closed. Common services are associated with certain ports. For example, TCP Port 80 is most often used by Web servers, TCP Port 23 is used by Telnet daemons, and TCP Port 25 is used for server-to-server mail exchange across the Internet. By conducting a port scan, an attacker will send packets to each and every port. Essentially, ports are rather like doors on a machine. At any one of the thousands of doors available, common services will be listening. A port scanning tool allows an attacker to knock on every one of those doors to see who answers.

Some scanning tools include TCP ?ngerprinting capabilities. While the Internet Engineering Task Force (IETF) has carefully speci?ed TCP and IP in various Requests for Comments (RFCs), not all packet options have standards associated with them. Without standards for how systems should respond to illegal packet formats, different vendors’ TCP/IP stacks respond differently to illegal packets. By sending various combina

tions of illegal packet options (such as initiating a connection with an RST packet, or combining other odd and illegal TCP code bits), an attacker can determine what type of operating system is running on the target machine. For example, by conducting a TCP ?ngerprinting scan, an attacker can determine if a machine is running Cisco IOS, Sun Solaris, or Microsoft Windows 2000. In some cases, even the particular version or service pack level can be determined using this technique.

After utilizing network mapping tools and port scanners, an attacker will know which addresses on the target network have listening machines, which ports are open on those machines (and therefore which services are running), and which operating system platforms are in use. This treasure trove of information is useful to the attacker in re?ning the attack. With this data, the attacker can search for vulnerabilities on the particular services and systems to attempt to gain access.

Nmap, written by Fyodor, is one of the most full-featured mapping and scanning tools available today. Nmap, which supports network mapping, port scanning, and TCP ?ngerprinting, can be found at http:// www.insecure. org/nmap.

Network Mapping and Port Scanning Defenses

To defend against network mapping and port scans, the administrator should remove all unnecessary systems and close all unused ports. To accomplish this, the administrator must disable and remove unneeded services from the machine. Only those services that have an absolute, de?ned business need should be running. A security administrator should also periodically scan the systems to determine if any unneeded ports are open. When discovered, these unneeded ports must be disabled.

Vulnerability Scanning

Once the target systems are identi?ed with a port scanner and network mapper, an attacker will search to determine if any vulnerabilities are present on the victim machines. Thousands of vulnerabilities have been discovered, allowing a remote attacker to gain a toehold on a machine or to take complete administrative control. An attacker could try each of these vulnerabilities on each system by entering individual commands to test for every vulnerability, but conducting an exhaustive search could take years. To speed up the process, attackers use automated scanning tools to quickly search for vulnerabilities on the target.

These automated vulnerability scanning tools are essentially databases of well-known vulnerabilities with an engine that can read the database, connect to a machine, and check to see if it is vulnerable to the exploit. The effectiveness of the tool in discovering vulnerabilities depends on the quality and thoroughness of its vulnerability database. For this reason, the best vulnerability scanners support the rapid release and update of the vulnerability database and the ability to create new checks using a scripting language.

High-quality commercial vulnerability scanning tools are widely available, and are often used by security practitioners and attackers to search for vulnerabilities. On the freeware front, SATAN (the Security Admin-istrator Tool for Analyzing Network) was one of the ?rst widely distributed automated vulnerability scanners, introduced in 1995. More recently, Nessus has been introduced as a free, open-source vulnerability scanner available at http://www.nessus.org. The Nessus project, which is led by Renaud Deraison, provides a full-featured scanner for identifying vulnerabilities on remote systems. It includes source code and a scripting language for writing new vulnerability checks, allowing it to be highly customized by security practitioners and attackers alike.

While Nessus is a general-purpose vulnerability scanner, looking for holes in numerous types of systems and platforms, some vulnerability scanners are much more focused on particular types of systems. For example, Whisker is a full-feature vulnerability scanning tool focusing on Web server CGI scripts. Written by Rain Forest Puppy, Whisker can be found at http://www.wiretrip.net/rfp.

Vulnerability Scanning Defenses

As described above, the administrator must close unused ports. Additionally, to eliminate the vast majority of system vulnerabilities, system patches must be applied in a timely fashion. All organizations using computers should have a de?ned change control procedure that speci?es when and how system patches will be kept up-to-date.

Security practitioners should also conduct periodic vulnerability scans of their own networks to ?nd vulnerabilities before attackers do. These scans should be conducted on a regular basis (such as quarterly or even monthly for sensitive networks), or when major network changes are implemented. The discovered vulnerabilities must be addressed in a timely fashion by updating system con?gurations or applying patches.

Wardialing

A cousin of the network mapper and scanner, a wardialing tool is used to discover target systems across a telephone network. Organizations often spend large amounts of money in securing their network from a full, frontal assault over the Internet by implementing a ?rewall, intrusion detection system, and secure DMZ. Unfortunately, many attackers avoid this route and instead look for other ways into the network. Modems left on users’ desktops or old, forgotten machines often provide the simplest way into a target network.

Wardialers, also known as “demon dialers,” dial a series of telephone numbers, attempting to locate modems on the victim network. An attacker will determine the telephone extensions associated with the target organi-zation. This information is often gleaned from a Web site listing telephone contacts, employee newsgroup postings with telephone contact information in the signature line, or even general employee e-mail. Armed with one or a series of telephone numbers, the attacker will enter into the wardialing tool ranges of numbers associated with the original number (for example, if an employee’s telephone number in a newsgroup posting is listed as 555-1212, the attacker will dial 555-XXXX). The wardialer will automatically dial each number, listen for the familiar wail of a modem carrier tone, and make a list of all telephone numbers with modems listening.

With the list of modems generated by the wardialer, the attacker will dial each discovered modem using a terminal program or other client. Upon connecting to the modem, the attacker will attempt to identify the system based on its banner information and see if a password is required. Often, no password is required, because the modem was put in place by a clueless user requiring after-hours access and not wanting to bother using approved methods. If a password is required, the attacker will attempt to guess passwords commonly associated with the platform or company.

Some wardialing tools also support the capability of locating a repeat dial-tone, in addition to the ability to detect modems. The repeat dial-tone is a great ?nd for the attacker, as it could allow for unrestricted dialing from a victim’s PBX system to anywhere in the world. If an attacker ?nds a line on PBX supporting repeat dial-tone in the same local dialing exchange, the attacker can conduct international wardialing, with all phone bills paid for by the victim with the miscon?gured PBX.

The most fully functional wardialing tool available today is distributed by The Hacker’s Choice (THC) group. Known as THC-Scan, the tool was written by Van Hauser and can be found at http://inferno.tuscu-lum.edu/thc. THC-Scan 2.0 supports many advanced features, including sequential or randomized dialing, dialing through a network out-dial, modem carrier and repeat dial-tone detection, and rudimentary detection avoidance capabilities.

Wardialing Defenses

The best defense against wardialing attacks is a strong modem policy that prohibits the use of modems and incoming lines without a de?ned business need. The policy should also require the registration of all modems with a business need in a centralized database only accessible by a security or system administrator.

Additionally, security personnel should conduct periodic wardialing exercises of their own networks to ?nd the modems before the attackers do. When a phone number with an unregistered modem is discovered, the physical device must be located and deactivated. While ?nding such devices can be dif?cult, network defenses depend on ?nding these renegade modems before an attacker does.

Network Exploits: Snif?ng, Spoo?ng, and Session Hijacking

TCP/IP, the underlying protocol suite that makes up the Internet, was not originally designed to provide security services. Likewise, the most common data-link type used with TCP/IP, Ethernet, is fundamentally unsecure. A whole series of attacks are possible given these vulnerabilities of the underlying protocols. The

most widely used and potentially damaging attacks based on these network vulnerabilities are snif?ng, spoo?ng, and session hijacking.

Snif?ng

Sniffers are extremely useful tools for an attacker and are therefore a fundamental element of an attacker’s toolchest. Sniffers allow an attacker to monitor data passing across a network. Given their capability to monitor network traf?c, sniffers are also useful for security practitioners and network administrators in troubleshooting networks and conducting investigations. Sniffers exploit characteristics of several data-link technologies, including Token Ring and especially Ethernet.

Ethernet, the most common LAN technology, is essentially a broadcast technology. When Ethernet LANs are constructed using hubs, all machines connected to the LAN can monitor all data on the LAN segment. If userIDs, passwords, or other sensitive information are sent from one machine (e.g., a client) to another machine (e.g., a server or router) on the same LAN, all other systems connected to the LAN could monitor the data. A sniffer is a hardware or software tool that gathers all data on a LAN segment. When a sniffer is running on a machine gathering all network traf?c that passes by the system, the Ethernet interface and the machine itself are said to be in “promiscuous mode.”

Many commonly used applications, such as Telnet, FTP, POP (the Post Of?ce Protocol used for e-mail), and even some Web applications, transmit their passwords and sensitive data without any encryption. Any attacker on a broadcast Ethernet segment can use a sniffer to gather these passwords and data.

Attackers who take over a system often install a software sniffer on the compromised machine. This sniffer acts as a sentinel for the attacker, gathering sensitive data that moves by the compromised system. The sniffer gathers this data, including passwords, and stores it in a local ?le or transmits it to the attacker. The attacker then uses this information to compromise more and more systems. The attack methodology of installing a sniffer on one compromised machine, gathering data passing that machine, and using the sniffed information to take over other systems is referred to as an island-hopping attack.

Numerous snif?ng tools are available across the Internet. The most fully functional snif?ng tools include snif?t (by Brecht Claerhout, available at http://reptile.rug.ac.be/~coder/snif?t/snif?t.html) and Snort (by Mar-tin Roesch, available at http://www.clark.net/~roesch/security.html). Some operating systems ship with their own sniffers installed by default, notably Solaris (with the snoop tool) and some varieties of Linux (which ship with tcpdump). Other commercial sniffers are also available from a variety of vendors.

Snif?ng Defenses

The best defense against snif?ng attacks is to encrypt the data in transit. Instead of sending passwords or other sensitive data in cleartext, the application or network should encrypt the data (SSH, secure Telnet, etc.).

Another defense against sniffers is to eliminate the broadcast nature of Ethernet. By utilizing a switch instead of a hub to create a LAN, the damage that can be done with a sniffer is limited. A switch can be con?gured so that only the required source and destination ports on the switch carry the traf?c. Although they are on the same LAN, all other ports on the switch (and the machines connected to those ports) do not see this data. Therefore, if one system is compromised on a LAN, a sniffer installed on this machine will not be capable of seeing data exchanged between other machines on the LAN. Switches are therefore useful in improving security by minimizing the data a sniffer can gather, and also help to improve network performance.

IP Spoo?ng

Another network-based attack involves altering the source address of a computer to disguise the attacker and exploit weak authentication methods. IP address spoo?ng allows an attacker to use the IP address of another machine to conduct an attack. If the target machines rely on the IP address to authenticate, IP spoo?ng can give an attacker access to the systems. Additionally, IP spoo?ng can make it very dif?cult to apprehend an attacker, because logs will contain decoy addresses and not the real source of the attack. Many of the tools described in other sections of this chapter rely on IP spoo?ng to hide the true origin of the attack.

Spoo?ng Defenses

Systems should not use IP addresses for authentication. Any functions or applications that rely solely on IP address for authentication should be disabled or replaced. In UNIX, the “r-commands” (rlogin, rsh, rexec,

and rcp) are notoriously subject to IP spoo?ng attacks. UNIX trust relationships allow an administrator to manage systems using the r-commands without providing a password. Instead of a password, the IP address of the system is used for authentication. This major weakness should be avoided by replacing the r-commands with administration tools that utilize strong authentication. One such tool, secure shell (ssh), uses strong cryptography to replace the weak authentication of the r-commands. Similarly, all other applications that rely on IP addresses for critical security and administration functions should be replaced.

Additionally, an organization should deploy anti-spoof ?lters on its perimeter networks that connect the organization to the Internet and business partners. Anti-spoof ?lters drop all traf?c coming from outside the network claiming to come from the inside. With this capability, such ?lters can prevent some types of spoo?ng attacks, and should be implemented on all perimeter network routers.

Session Hijacking

While snif?ng allows an attacker to view data associated with network connections, a session hijack tool allows an attacker to take over network connections, kicking off the legitimate user or sharing a login. Session hijacking tools are used against services with persistent login sessions, such as Telnet, rlogin, or FTP. For any of these services, an attacker can hijack a session and cause a great deal of damage.

A common scenario illustrating session hijacking involves a machine, Alice, with a user logged in to remotely administer another system, Bob, using Telnet. Eve, the attacker, sits on a network segment between Alice and Bob (either Alice’s LAN, Bob’s LAN, or between any of the routers between Alice’s and Bob’s LANs). Exhibit

10.1 illustrates this scenario in more detail. Using a session hijacking tool, Eve can do any of the following:

Monitor Alice’s session. Most session hijacking tools allow attackers to monitor all connections available on the network and select which connections they want to hijack.
Insert commands into the session. An attacker may just need to add one or two commands into the stream to recon?gure Bob. In this type of hijack, the attacker never takes full control of the session. Instead, Alice’s login session to Bob has a small number of commands inserted, which will be executed on Bob as though Alice had typed them.
Steal the session. This feature of most session hijacking tools allows an attacker to grab the session from Alice, and directly control it. Essentially, the Telnet client control is shifted from Alice to Eve, without Bob’s knowing.
Give the session back. Some session hijacking tools allow the attacker to steal a session, interact with the server, and then smoothly give the session back to the user. While the session is stolen, Alice is put on hold while Eve controls the session. With Alice on hold, all commands typed by Alice are displayed on Eve’s screen, but not transmitted to Bob. When Eve is ?nished making modi?cations on Bob, Eve transfers control back to Alice.

For a successful hijack to occur, the attacker must be on a LAN segment between Alice and Bob. A session hijacking tool monitors the connection using an integrate sniffer, observing the TCP sequence numbers of the packets going each direction. Each packet sent from Alice to Bob has a unique TCP sequence number used by Bob to verify that all packets are received and put in proper order. Likewise, all packets going back from Bob to Alice have sequence numbers. A session hijacking tool sniffs the packets to determine these sequence numbers. When a session is hijacked (through command insertion or session stealing), the hijacking tool automatically uses the appropriate sequence numbers and spoofs Alice’s address, taking over the conversation with Bob where Alice left off.

One of the most fully functional session hijacking tool available today is Hunt, written by Kra and available at http://www.cri.cz/kra/index.html. Hunt allows an attacker to monitor and steal sessions, insert single com-mands, and even give a session back to the user.

Session Hijacking Defenses

The best defense against session hijacking is to avoid the use of insecure protocols and applications for sensitive sessions. Instead of using the easy-to-hijack (and easy-to-sniff) Telnet application, a more secure, encrypted session tool should be used. Because the attacker does not have the session encryption keys, an encrypted session cannot be hijacked. The attacker will simply see encrypted gibberish using Hunt, and will only be able to reset the connection, not take it over or insert commands.

Secure shell (ssh) offers strong authentication and encrypted sessions, providing a highly secure alternative to Telnet and rlogin. Furthermore, ssh includes a secure ?le transfer capability (scp) to replace traditional FTP. Other alternatives are available, including secure, encrypted Telnet or a virtual private network (VPN) estab-lished between the source and destination.

Denial-of-Service Attacks

Denial-of-service attacks are among the most common exploits available today. As their name implies, a denial-of-service attack prevents legitimate users from being able to access a system. With E-commerce applications constituting the lifeblood of many organizations and a growing piece of the world economy, a well-timed denial-of-service attack can cause a great deal of damage. By bringing down servers that control sensitive machinery or other functions, these attacks could also present a real physical threat to life and limb. An attacker could cause the service denial by ?ooding a system with bogus traf?c, or even purposely causing the server to crash. Countless denial-of-service attacks are in widespread use today, and can be found at http://packet-storm.securify.com/exploits/DoS. The most often used network-based denial-of-service attacks fall into two categories: malformed packet attacks and packet ?oods.

Malformed Packet Attacks

This type of attack usually involves one or two packets that are formatted in an unexpected way. Many vendor product implementations do not take into account all variations of user entries or packet types. If the software handles such errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set). Some unpatched Windows and Linux systems will crash when they encounter such packets. The teardrop attack is an example of a tool that exploits this IP fragmentation handling vulnerability. Other malformed packet attacks that exploit other weaknesses in TCP/IP implementations include the colorfully named WinNuke, Land, LaTierra, NewTear, Bonk, Boink, etc.

Packet Flood Attacks

Packet ?ood denial-of-service tools send a deluge of traf?c to a system on the network, overwhelming its capability to respond to legitimate users. Attackers have devised numerous techniques for creating such ?oods, with the most popular being SYN ?oods, directed broadcast attacks, and distributed denial-of-service tools.

SYN ?ood tools initiate a large number of half-open connections with a system by sending a series of SYN packets. When any TCP connection is established, a three-way handshake occurs. The initiating system (usually the client) sends a SYN packet to the destination to establish a sequence number for all packets going from source to destination in that session. The destination responds with a SYN-ACK packet, which acknowledges the sequence number for packets going from source to destination, and establishes an initial sequence number for packets going the opposite direction. The source completes the three-way handshake by sending an ACK to the destination. The three-way handshake is completed, and communication (actual data transfer) can occur.

SYN ?oods take advantage of a weakness in TCP’s three-way handshake. By sending only spoofed SYN packets and never responding to the SYN-ACK, an attacker can exhaust a server’s ability to maintain state of all the initiated sessions. With a huge number of so-called half-open connections, a server cannot handle any new, legitimate traf?c. Rather than ?lling up all of the pipe bandwidth to a server, only the server’s capacity to handle session initiations needs to be overwhelmed (in most network con?gurations, a server’s ability to handle SYNs is lower than the total bandwidth to the site). For this reason, SYN ?ooding is the most popular packet ?ood attack. Other tools are also available that ?ood systems with ICMP and UDP packets, but they merely consume bandwidth, so an attacker would require a bigger connection than the victim to cut off all service.

Another type of packet ?ood that allows attackers to amplify their bandwidth is the directed broadcast attack. Often called a smurf attack, named after the ?rst tool to exploit this technique, directed broadcast attacks utilize a third-party’s network as an ampli?er for the packet ?ood. In a smurf attack, the attacker locates a network on the Internet that will respond to a broadcast ICMP message (essentially a ping to the network’s broadcast address). If the network is con?gured to allow broadcast requests and responses, all machines on the network will send a response to the ping. By spoo?ng the ICMP request, the attacker can have all machines on the third-party network send responses to the victim. For example, if an organization has 30 hosts on a single DMZ network connected to the Internet, an attacker can send a spoofed network broadcast ping to the DMZ. All 30 hosts will send a response to the spoofed address, which would be the ultimate victim. By sending repeated messages to the broadcast network, the attacker has ampli?ed bandwidth by a factor of 30. Even an attacker with only a 56-kbps dial-up line could ?ll up a T1 line (1.54 Mbps) with that level of ampli?cation. Other directed broadcast attack tools include Fraggle and Papasmurf.

A ?nal type of denial-of-service that has received considerable press is the distributed denial-of-service attack. Essentially based on standard packet ?ood concepts, distributed denial-of-service attacks were used to cripple many major Internet sites in February 2000. Tools such as Trin00, Tribe Flood Network 2000 (TFN2K), and Stacheldraht all support this type of attack. To conduct a distributed denial-of-service attack, an attacker must ?nd numerous vulnerable systems on the Internet. Usually, a remote buffer over?ow attack (described below) is used to take over a dozen, a hundred, or even thousands of machines. Simple daemon processes, called zombies, are installed on these machines taken over by the attacker. The attacker communicates with this network of zombies using a control program. The control program is used to send commands to the hundreds or thousands of zombies, requesting them to take uniform action simultaneously.

The most common action to be taken is to simultaneously launch a packet ?ood against a target. While a traditional SYN ?ood would deluge a target with packets from one host, a distributed denial-of-service attack would send packets from large numbers of zombies, rapidly exhausting the capacity of even very high-bandwidth, well-designed sites. Many distributed denial-of-service attack tools support SYN, UDP, and ICMP ?ooding, smurf attacks, as well as some malformed packet attacks. Any one or all of these options can be selected by the attacker using the control program.

Denial-of-Service Attack Defenses

To defend against malformed packet attacks, system patches and security ?xes must be regularly applied. Vendors frequently update their systems with patches to handle a new ?avor of denial-of-service attack. An organization must have a program for monitoring vendor and industry security bulletins for security ?xes, and a controlled method for implementing these ?xes soon after they are announced and tested.

For packet ?ood attacks, critical systems should have underlying network architectures with multiple, redundant paths, eliminating a single point of failure. Furthermore, adequate bandwidth is a must. Also, some routers and ?rewalls support traf?c ?ow control to help ease the burden of a SYN ?ood.

Finally, by con?guring an Internet-accessible network appropriately, an organization can minimize the possibility that it will be used as a jumping-off point for smurf and distributed denial-of-service attacks. To prevent the possibility of being used as a smurf ampli?er, the external router or ?rewall should be con?gured to drop all directed broadcast requests from the Internet. To lower the chance of being used in a distributed denial-of-service attack, an organization should implement anti-spoof ?lters on external routers and ?rewalls to make sure that all outgoing traf?c has a source IP address of the site. This egress ?ltering prevents an attacker from sending spoofed packets from a zombie or other denial-of-service tool located on the network. Antispoof ingress ?lters, which drop all packets from the Internet claiming to come from one’s internal network, are also useful in preventing some denial-of-service attacks.

Stack-Based Buffer Over?ows

Stack-based buffer over?ow attacks are commonly used by an attacker to take over a system remotely across a network. Additionally, buffer over?ows can be employed by local malicious users to elevate their privileges and gain superuser access to a system. Stack-based buffer over?ow attacks exploit the way many operating systems handle their stack, an internal data structure used by running programs to store data temporarily. When a function call is made, the current state of the executing program and variables to be passed to the function are pushed on the stack. New local variables used by the function are also allocated space on the stack. Additionally, the stack stores the return address of the code calling the function. This return address will be accessed from the stack once the function call is complete. The system uses this address to resume execution of the calling program at the appropriate place. Exhibit 10.2 shows how a stack is constructed.

Most UNIX and all Windows systems have a stack that can hold data and executable code. Because local variables are stored on the stack when a function is called, poor code can be exploited to overrun the boundaries of these variables on the stack. If user input length is not examined by the code, a particular variable on the stack may exceed the memory allocated to it on the stack, overwriting all variables and even the return address for where execution should resume after the function is complete. This operation, called “smashing” the stack, allows an attacker to over?ow the local variables to insert executable code and another return address on the stack. Exhibit 10.2 also shows a stack that has been smashed with a buffer over?ow.

The attacker will over?ow the buffer on the stack with machine-speci?c bytecodes that consist of executable commands (usually a shell routine), and a return pointer to begin execution of these inserted commands. Therefore, with very carefully constructed binary code, the attacker can actually enter information as a user into a program that consists of executable code and a new return address. The buggy program will not analyze the length of this input, but will place it on the stack, and actually begin to execute the attacker’s code. Such vulnerabilities allow an attacker to break out of the application code, and access any system components with the permissions of the broken program. If the broken program is running with superuser privileges (e.g., SUID root on a UNIX system), the attacker has taken over the machine with a buffer over?ow.

Stack-Based Buffer Over?ow Defenses

The most thorough defenses against buffer over?ow attacks is to properly code software so that it cannot be used to smash the stack. All programs should validate all input from users and other programs, ensuring that it ?ts into allocated memory structures. Each variable should be checked (including user input, variables from other functions, input from other programs, and even environment variables) to ensure that allocated buffers are adequate to hold the data. Unfortunately, this ultimate solution is only available to individuals who write the programs and those with source code.

Additionally, security practitioners and system administrators should carefully control and minimize the number of SUID programs on a system that users can run and have permissions of other users (such as root). Only SUID programs with an explicit business need should be installed on sensitive systems.

Finally, many stack-based buffer over?ow attacks can be avoided by con?guring the systems to not execute code from the stack. Notably, Solaris and Linux offer this option. For example, to secure a Solaris system against stack-based buffer over?ows, the following lines should be added:

/etc/system:

set noexec_user_stack=1
set noexec_user_stack_log=1

The ?rst line will prevent execution on a stack, and the second line will log any attempt to do so. Unfortunately, some programs legitimately try to run code off the stack. Such programs will crash if this option is implemented. Generally, if the system is single purpose and needs to be secure (e.g., a Web server), this option should be used to prevent stack-based buffer over?ow.

The Art and Science of Password Cracking

The vast majority of systems today authenticate users with a static password. When a user logs in, the password is transmitted to the system, which checks the password to make the decision whether to let the user log in. To make this decision, the system must have a mechanism to compare the user’s input with the actual password. Of course, the system could just store all of the passwords locally and compare from this ?le. Such a ?le of cleartext passwords, however, would provide a very juicy target for an attacker. To make the target less useful for attackers, most modern operating systems use a one-way hash or encryption mechanism to protect the stored passswords. When a user types in a password, the system hashes the user’s entry and compares it to the stored hash. If the two hashes match, the password is correct and the user can login.

Password cracking tools are used to attack this method of password protection. An attacker will use some exploit (often a buffer over?ow) to gather the encrypted or hashed password ?le from a system (on a UNIX system without password shadowing, any user can read the hashed password ?le). After downloading the hashed password ?le, the attacker uses a password cracking tool to determine users’ passwords. The cracking tool operates using a loop: it guesses a password, hashes or encrypts the password, and compares it to the hashed password from the stolen ?le. If the hashes match, the attacker has the password. If the hashes do not match, the loop begins again with another password guess.

Password cracking tools base their password guesses on a dictionary or a complete brute-force attack, attempting every possible password. Dozens of dictionaries are available online, in a multitude of languages, including English, French, German, Klingon, etc.

Numerous password-cracking tools are available. The most popular and full-functional password crackers include:

1. • John-the-Ripper, by Solar Designer, focuses on cracking UNIX passwords, and is available at http://
2. www.openwall.com/john/.
L0phtCrack, used to crack Windows NT passwords, is available at http://www.l0pht.com.

Password Cracking Defenses

The ?rst defense against password cracking is to minimize the exposure of the encrypted/hashed password ?le. On UNIX systems, shadow password ?les should be used, which allow only the superuser to read the password ?le. On Windows NT systems, the SYSKEY feature available in NT 4.0 SP 3 and later should be installed and enabled. Furthermore, all backups and system recovery disks should be stored in physically secured locations and possibly even encrypted.

A strong password policy is a crucial element in ensuring a secure network. A password policy should require password lengths greater than eight characters, require the use of alphanumeric and special characters in every password, and force users to have passwords with mixed-case letters. Users must be aware of the issue of weak passwords and be trained in creating memorable, yet dif?cult-to-guess passwords.

To ensure that passwords are secure and to identify weak passwords, security practitioners should check system passwords on a periodic basis using password cracking tools. When weak passwords are discovered, the security group should have a de?ned procedure for interacting with users whose passwords can be easily guessed.

Finally, several software packages are available that prevent users from setting their passwords to easily guessed values. When a user establishes a new password, these ?ltering programs check the password to make sure that it is suf?ciently complex and is not just a variation of the user name or a dictionary word. With this kind of tool, users are simply unable to create passwords that are easily guessed, eliminating a signi?cant security issue. For ?ltering software to be effective, it must be installed on all servers where users establish passwords, including UNIX servers, Windows NT Primary and Back-up Domain Controllers, and Novell servers.

Backdoors

Backdoors are programs that bypass traditional security checks on a system, allowing an attacker to gain access to a machine without providing a system password and getting logged. Attackers install backdoors on a machine (or dupe a user into installing one for them) to ensure they will be able to gain access to the system at a later time. Once installed, most backdoors listen on special ports for incoming connections from the attacker across the network. When the attacker connects to the backdoor listener, the traditional userID and password or other forms of authentication are bypassed. Instead, the attacker can gain access to the system without providing a password, or by using a special password used only to enter the backdoor.

Netcat is an incredibly ?exible tool written for UNIX by Hobbit and for Windows NT by Weld Pond (both versions are available at http://www. l0pht.com/~weld/netcat/). Among its numerous other uses, Netcat can be used to create a backdoor listener with a superuser-level shell on any TCP or UDP port. For Windows systems, an enormous number of backdoor applications are available, including Back Ori?ce 2000 (called BO2K for short, and available at http://www.bo2k.com) and hack-a-tack (available at http://www.hack-a-tack.com).

Backdoor Defenses

The best defense against backdoor programs is for system and security administrators to know what is running on their machines, particularly sensitive systems storing critical information or processing high-value trans-actions. If a process suddenly appears running as the superuser listening on a port, the administrator needs to investigate. Backdoors listening on various ports can be discovered using the netstat –na command on UNIX and Windows NT systems.

Additionally, many backdoor programs (such as BO2K) can be discovered by an anti-virus program, which should be installed on all users’ desktops, as well as on servers throughout an organization.

Trojan Horses and RootKits

Another fundamental element of an attacker’s toolchest is the Trojan horse program. Like the Trojan horse of ancient Greece, these new Trojan horses appear to have some useful function, but in reality are just disguising some malicious activity. For example, a user may receive an executable birthday card program in electronic mail. When the unsuspecting user activates the birthday card program and watches birthday cakes dance across the screen, the program secretly installs a backdoor or perhaps deletes the users’ hard drive. As illustrated in this example, Trojan horses rely on deception — they trick a user or system administrator into running them for their (apparent) usefulness, but their true purpose is to attack the user’s machine.

Traditional Trojan Horses

A traditional Trojan horse is simply an independent program that can be run by a user or administrator. Numerous traditional Trojan horse programs have been devised, including:

The familiar birthday card or holiday greeting e-mail attachment described above.
A software program that claims to be able to turn CD-ROM readers into CD writing devices. Although this feat is impossible to accomplish in software, many users have been duped into downloading this “tool,” which promptly deletes their hard drives upon activation.
A security vulnerability scanner, WinSATAN. This tool claims to provide a convenient security vulner-ability scan for system and security administrators using a Windows NT system. Unfortunately, an unsuspecting user running this program will also have a deleted hard drive.

Countless other examples exist. While conceptually unglamorous, traditional Trojan horses can be a major problem if users are not careful and run untrusted programs on their machines.

RootKits

A RootKit takes the concept of a Trojan horse to a much more powerful level. Although the name implies otherwise, RootKits do not allow an attacker to gain “root” (superuser) access to a system. Instead, RootKits allow an attacker who already has superuser access to keep that access by foiling all attempts of an administrator to detect the invasion. RootKits consist of an entire suite of Trojan horse programs that replace or patch critical system programs. The various tools used by administrators to detect attackers on their machines are routinely undermined with RootKits.

Most RootKits include a Trojan horse backdoor program (in UNIX, the /bin/login routine). The attacker will install a new Trojan horse version of /bin/login, overwriting the previous version. The RootKit /bin/login routine includes a special backdoor userID and password so that the attacker can access the system at later times.

Additionally, RootKits include a sniffer and a program to hide the sniffer. An administrator can detect a sniffer on a system by running the ifcon?g command. If a sniffer is running, the ifcon?g output will contain the PROMISC ?ag, an indication that the Ethernet card is in promiscuous mode and therefore is snif?ng. RootKit contains a Trojan horse version of ifcon?g that does not display the PROMISC ?ag, allowing an attacker to avoid detection.

UNIX-based RootKits also replace other critical system executables, including ps and du. The ps command, emloyed by users and administrators to determine which processes are running, is modi?ed so that an attacker can hide processes. The du command, which shows disk utilization, is altered so that the ?le space taken up by RootKit and the attacker’s other programs can be masked.

By replacing programs like /bin/login, ifcon?g, ps, du, and numerous others, these RootKit tools become part of the operating system itself. Therefore, RootKits are used to cover the eyes and ears of an administrator. They create a virtual world on the computer that appears benign to the system administrator, when in actuality, an attacker can log in and move around the system with impunity. RootKits have been developed for most major UNIX systems and Windows NT. A whole variety of UNIX RootKits can be found at http://packet-storm.securify.com/UNIX/penetration/rootkits, while an NT RootKit is available at http://www.rootkit.com.

A recent development in this arena is the release of kernel-level RootKits. These RootKits act at the most fundamental levels of an operating system. Rather than replacing application programs such as /bin/login and ifcon?g, kernel-level RootKits actually patch the kernel to provide very low-level access to the system. These tools rely on the loadable kernel modules that many new UNIX variants support, including Linux and Solaris. Loadable kernel modules let an administrator add functionality to the kernel on-the-?y, without even rebooting the system. An attacker with superuser access can install a kernel-level RootKit that will allow for the remapping of execution of programs.

When an administrator tries to run a program, the Trojanized kernel will remap the execution request to the attacker’s program, which could be a backdoor offering access or other Trojan horse. Because the kernel does the remapping of execution requests, this type of activity is very dif?cult to detect. If the administrator attempts to look at the remapped ?le or check its integrity, the program will appear unaltered, because the program’s image is unaltered. However, when executed, the unaltered program is skipped, and a malicious program is substituted by the kernel. Knark, written by Creed, is a kernel-level RootKit that can be found at

http://packetstorm.securify.com/UNIX/penetration/rootkits.

Trojan Horses and RootKit Defenses

To protect against traditional Trojan horses, user awareness is key. Users must understand the risks associated with downloading untrusted programs and running them. They must also be made aware of the problems of running executable attachments in e-mail from untrusted sources.

Additionally, some traditional Trojan horses can be detected and eliminated by anti-virus programs. Every end-user computer system (and even servers) should have an effective and up-to-date anti-virus program installed.

To defend against RootKits, system and security administrators must use integrity checking programs for critical system ?les. Numerous tools are available, including the venerable Tripwire, that generate a hash of the executables commonly altered when a RootKit is installed. The administrator should store these hashes on a protected medium (such as a write-protected ?oppy disk) and periodically check the veracity of the programs on the machine with the protected hashes. Commonly, this type of check is done at least weekly, depending on the sensitivity of the machine. The administrator must reconcile any changes discovered in these critical system ?les with recent patches. If system ?les have been altered, and no patches were installed by the administrator, a malicious user or outside attacker may have installed a RootKit. If a RootKit is detected, the safest way to ensure its complete removal is to rebuild the entire operating system and even critical applications.

Unfortunately, kernel-level RootKits cannot be detected with integrity check programs because the integrity checker relies on the underlying kernel to do its work. If the kernel lies to the integrity checker, the results will not show the RootKit installation. The best defense against the kernel-level RootKit is a monolithic kernel that does not support loadable kernel modules. On critical systems (such as ?rewalls, Internet Web servers, DNS servers, mail servers, etc.), administrators should build the systems with complete kernels without support for loadable kernel modules. With this con?guration, the system will prevent an attacker from gaining root-level access and patching the kernel in real-time.

Overall Defenses: Intrusion Detection and Incident Response Procedures

Each of the defensive strategies described in this chapter deals with particular tools and attacks. In addition to employing each of those strategies, organizations must also be capable of detecting and responding to an attack. These capabilities are realized through the deployment of intrusion detection systems (IDSs) and the implementation of incident response procedures.

IDSs act as burglar alarms on the network. With a database of known attack signatures, IDSs can determine when an attack is underway and alert security and system administration personnel. Acting as early warning systems, IDSs allow an organization to detect an attack in its early stages and minimize the damage that may be caused.

Perhaps even more important than IDSs, documented incident response procedures are among the most critical elements of an effective security program. Unfortunately, even with industry-best defenses, a suf?ciently motivated attacker can penetrate the network. To address this possibility, an organization must have procedures de?ned in advance describing how the organization will react to the attack. These incident response procedures should specify the roles of individuals in the organization during an attack. The chain of command and escalation procedures should be spelled out in advance. Creating these items during a crisis will lead to costly mistakes.

Truly effective incident response procedures should also be multidisciplinary, not focusing only on infor-mation technology. Instead, the roles, responsibilities, and communication channels for the Legal, Human Resources, Media Relations, Information Technology, and Security organizations should all be documented and communicated. Speci?c members of these organizations should be identi?ed as the core of a Security Incident Response Team (SIRT), to be called together to address an incident when one occurs. Additionally, the SIRT should conduct periodic exercises of the incident response capability to ensure that team members are effective in their roles.

Additionally, with a large number of organizations outsourcing their information technology infrastructure by utilizing Web hosting, desktop management, e-mail, data storage, and other services, the extension of the incident response procedures to these outside organizations can be critical. The contract established with the outsourcing company should carefully state the obligations of the service provider in intrusion detection, incident noti?cation, and participation in incident response. A speci?c service-level agreement for handling security incidents and the time needed to pull together members of the service company’s staff in a SIRT should also be agreed upon.

Conclusions

While the number and power of these attack tools continues to escalate, system administrators and security personnel should not give up the ?ght. All of the defensive strategies discussed throughout this chapter boil down to doing a thorough and professional job of administering systems: know what is running on the system, keep it patched, ensure appropriate bandwidth is available, utilize IDSs, and prepare a Security Incident Response Team. Although these activities are not easy and can involve a great deal of effort, through diligence, an organization can keep its systems secured and minimize the chance of an attack. By employing intrusion detection systems and sound incident response procedures, even those highly sophisticated attacks that do get through can be discovered and contained, minimizing the impact on the organization. By creating an effective security program with sound defensive strategies, critical systems and information can be protected.

Tags: Information Security

Posted in Information Security | No Comments »

Archive for the ‘Information Security’ Category

Counter-Economic Espionage

Breaking News: The Latest Hacker Attacks and Defenses

Social Engineering: The Forgotten Risk

A New Breed of Hacker Tools and Defenses

Hacker Tools and Techniques

Categories

Blogroll

Recent Comments