Hackers Beware

•Education is very important. Make sure users pay attention to the URLs displayed on your browser’s location line. Then, if something looks suspicious, they will not ignore it but will take action. For example, if a user thinks he is surfing Microsoft.com’s Web site but the URL listed says www.btmicrosoft.com, the user should notify the help desk or internal security immediately.

•When using any form of ID to track a user, make sure it is as long and random as possible. This makes it much harder to guess.

Because most web spoofing attacks are not that sophisticated, they are very popular. It is paramount that you protect your site and users from these attacks. Unfortunately, a big part of the prevention is awareness of users and education of developers, neither of which is a simple task.

Now that we have looked at several different technical ways of performing spoofing on the Internet, let’s switch gears and look at some nontechnical ways of spoofing users. It is interesting that these types of attacks can be used to gain as much access, if not more, than their technical counterparts.

Non-Technical Spoofing

Because non-technical attacks are in widespread use and often allow an attacker to gain access to systems in a very short time period, they are covered here for completeness.

These non-computer based techniques are commonly referred to as social engineering. With social engineering, an attacker tries to convince someone that he is someone else. This can be as simple as the attacker calling someone on the phone saying that he is a certain person. Because he reveals certain information that supposedly only that person knows, the victim believes him. Social engineering can also be as daring as putting on a mask and pretending to be someone else because you look and act like him. Social engineering techniques have been around for a while and continue to be used because they are extremely effective.

At the heart of social engineering, an attacker tries to spoof his identity and trick the victim into giving away private information. The goal of these types of attacks, at least in the context I am talking about here, is to gather information to gain access to computer systems, usually by spoofing someone into giving out a password or creating a new account on the system. Other goals could be to scout out the environment, find out what hardware or software is installed, find out what patches are loaded on a server, and so on. The information that can be gained via social engineering is limitless.

The following are some basic but effective social engineering examples:

•An attacker calls the help desk to request a new account to be set up. For example, the attacker pretends to be a new employee that has a tight deadline that has to be completed by the end of the day (see the upcoming section “Social Engineering Example”).

•An attacker calls IT acting like a vendor to find out what software a company is running.

•An attacker impersonates a manager to get an employee to send him a proposal.

Let’s look at an example of a social engineering spoofing attack. As you read the example, think not only about how easy it is, but how effective it would be in most companies.

Social Engineering Example

An attacker calls the help desk of a large company and the following dialogue takes place:

Help Desk: Hello, this is Bob. Thank you for calling the help desk. What department do you work in and what can I do to help you?

Attacker: Good morning. Hi, Bob. This is Joe. How is everything? I am not sure if you are the right person to call, but I am a new employee and need some help.

Help Desk: Sure, we are here to help.

Attacker: I just started working for this company and I really want to make a good impression. How long have you worked at the company?

Help Desk: Oh, about six months.

Attacker: That is great. Listen, I just started in the new Denver office and my boss just threw all of this work at me that needed to be done by tomorrow morning, and she just left for the day. She said that I should call you to get an account set up. My boss said something about a form, but she did not have time to fill it out.

Help Desk: We cannot set up any accounts without the proper forms.

Attacker: I know, but we all work for the same company and if I am successful, we all are successful. Can you please help me out? Otherwise, I cannot get my work done.

Help Desk: Can’t you contact your boss and have her fill out the forms?

Attacker: She left and said she will not be back today and since I am new, I have no idea how to contact her. Can you just set up a temporary

account so I can get my work done, and when my boss gets back, I will tell her to fill it out.

Help Desk: We are not supposed to do that.

Attacker: I know, but I just started this job and really want to make a good impression. If my boss comes back tomorrow and I have nothing done, she will be furious. I just relocated to Denver because it is a better area to raise my son. Do you have any children?

Help Desk: Yes, I have a 2-year-old son.

Attacker: My son is only 6 months, but aren’t children great? I love being a dad.

Help Desk: Yes, every time I look at his picture, it puts a big smile on my face.

Attacker: So do you think you can help me out this once? It is my first day on the job and I really want to make a good impression.

Help Desk: I am not supposed to, but I will help you out. Please hold while I set up a new account.

As you can see by this example, as a result of a five-minute conversation, an attacker acquired an account on this system. If you think this is not realistic, trust me; this technique is more effective than I would like to admit. The following are some key points that made this spoofing attack effective:

•The attacker was kind and never got upset.

•The attacker sounded desperate and really needed the victim’s help.

•The attacker befriended the victim by getting personal and asking about his children.

After reviewing this, it might seem that social engineering is fairly straightforward, but it is important to understand. Why? First, this is a huge threat that most companies ignore. If you have not figured out already in this field, ignorance is deadly. Also, technical measures like firewalls and Intrusion Detection Systems are ineffective against this type of attack. Because these attacks can be used to gain root access, it is critical that security professionals understand the threat and properly protect against it.

The scary thing about social engineering is that even though it is not a technical attack, it can still be used to gain root or domain administrator access on a system. Remember, an attacker will always take the path of

least resistance or compromise the weakest link in a chain to gain access. Too many companies overlook the simple attacks, yet that is how their systems get compromised.

People look at social engineering and wonder why it is so successful. The main reason is that it exploits attributes of human behavior: trust is good and people love to talk. Most people assume that if someone is nice and pleasant, he must be honest. If an attacker can sound sincere and listen, you would be amazed at what people will tell him.

Reverse Social Engineering

Social engineering is very effective at gaining information because an attacker is spoofing his identity. Reverse social engineering can be just as effective to gain access and information about a company. With this type of attack, the roles are reversed—instead of the attacker calling in for help, as he would for social engineering, the attacker gets the user to call the him for help. As you can imagine, this type of attack is more risky and requires more sophistication, but it can be used to achieve a higher level of access.

To perform reverse social engineering, the attacker has to insert himself into the stream that a user would normally use to ask for help. Attackers do this by making companies aware that they can provide support or help to the user. A common example is to send the user a postcard congratulating her on the purchase of a new computer, which also informs her that she is eligible for five hours of free technical support by calling the number listed. The number listed is actually a number that an attacker controls. The attacker then sits back and waits for the user to call in for help. When the user calls in for help, the attacker helps the user as he is extracting information.

This might seem more cumbersome, which it is, but it puts the attacker in a much better position to gain information. Because the attacker is supposedly the expert, now if he asks for system information or the user ID and password, he does not look as suspicious.

Comparing Social and Reverse Social Engineering

Let’s briefly look at both types of non-technical attacks, so that you can better see the advantages and disadvantages of both.

As you can see, reverse social engineering is more complicated, and therefore not used as much, but in certain situations, it can be used to gain more information than a social engineering attack can. Now that you have a better understanding of non-technical attacks, let’s look at what can be done to protect against them.

Non-Technical Spoofing Protection

The following are some of the key things you can do to protect against these non-technical types of spoofing attacks:

• Educate your users: o Help desk

o Administrators

oReceptionists

•Post messages on each computer.

•Include a section in the employee handbook.

•Have security make presentations at new employee orientations.

•Have proper policies:

oPassword policy

oSecurity policy

•Post appropriate warning banners.

•Require users to authenticate when calling the help desk: Help desk should have caller ID and company directory. Use callback feature for all help desk inquiries.

Do not punish help desk for following procedures.

•Limit information distributed to the public.

•Run periodic tests against help desk and users.

The key to remember is that users must be educated so that they understand the threat to the company and know what to do to protect against it.

Another requirement to protect against these types of attacks is to make sure the company does not punish users for following the procedures. For example, the help desk staff is trained to authenticate all users and to call them back with the information they require. What if one day, the CEO of the company calls for help and the help desk says, “We have to call you back.” The CEO gets upset and says, “No, I am the CEO and you must help me now.” If the help desk person refuses and gets punished for it, the company has just defeated its entire policy. No one wants to get fired,

and if following the procedures might get them fired, your staff will never follow the guidelines. Companies must realize that they are sometimes their worst enemies. If they truly want to have a secure environment, everyone at the company has to back the policy and stand behind the people who are enforcing it.

The preceding bulleted list mentions one of the best ways I have found to defeat social engineering attacks for help desk staff. The technique is to call back the user on the number listed in the corporate directory. If Eric calls up asking for his password to be changed, call Eric back at his desk to give him the temporary password. Yes, someone could be sitting at Eric’s desk, but the goal is to improve security, not find the silver bullet. What if Eric says that he is working from home today and is not at his desk? You tell Eric that you will call back and leave a message on his work voice mail. If he calls in and checks his messages in five minutes, he can retrieve the information.

Also, encrypted email works nicely, if it being used. If the user needs a new password, send him an encrypted email. Because he is the only one who knows his key, this is effective

Summary

This chapter covered various forms of spoofing, including IP spoofing, email spoofing, web spoofing, and non-technical spoofing attacks. All of these types of attacks can have a detrimental effect on a company and cause a lot of damage. Only by understanding how they work can you be in a better position to prevent these types of attacks. One other word of caution: Even though I showed you how to perform various types of spoofing attacks, it was only done so that you can better protect your site. They should never be used against a site where you do not have written permission. They might seem like fun, but you can find yourself in a lot of legal trouble if you perform spoofing without permission.

Chapter 5. Session Hijacking

One of the difficult parts of compromising a system is to find a valid password that can be used to gain access. Especially if strong passwords such as one-time passwords are used, even if an attacker can sniff the

password or capture it another way, it is useless, because it changes the next time the user logs on to the system. Trying to find out a user’s password is one way to gain access, but because it is not always successful, there is a better way. For example, let’s say an attacker waits for users to make a remote connection to a server via telnet. After the user successfully provides her password, the attacker takes over her current session and becomes that user. By doing this, the attacker does not need access to the user’s password, but still has an active, authenticated connection to a server, where he can execute any command on the system.

Session hijacking is the process of taking over an existing active session. One of the main reasons for hijacking a session is to bypass the authentication process and gain access to a machine. With session hijacking, a user makes a connection with a server by authenticating, which is done by providing his user ID and password. Here’s how it works: After users authenticate, they have access to the server, and as long as they stay connected and active, they do not have to re-authenticate. That original authentication is good for the remainder of the session, whether the session lasts five minutes or five hours. This leaves the door open for an attacker to take over that session, which is usually done by taking the user offline (usually with a denial of service attack) and impersonating that user, which gives the attacker access to the server without ever having to log on to the system.

By hijacking a session, an attacker can steal a session, which involves taking over for the authenticated user. He can also monitor the session, where he just watches everything that is going by. When monitoring the session, he can record everything that is happening, so he can replay it at a later time. This is useful from a forensics standpoint for gathering evidence for prosecution. It can also be useful from an attacker’s standpoint, for gathering information like user IDs and passwords. An attacker can also watch a session but periodically inject commands into the session. The attacker has full control of the session and can do what ever he wants, which ranges from passive attacks to very active attacks or anything in between.

When performing session hijacking, an attacker concentrates on sessionoriented applications. This makes sense, because if an attacker’s goal is to gain access, he wants to take over a session where he can interact with a machine and execute commands. What is the value is taking over an HTTP or DNS session? By concentrating on session-oriented applications like telnet and FTP, the power of session hijacking techniques increases.

In this chapter, we will cover what session hijacking is, how it works, why it is so damaging, and what can be done to protect against it. As you will see throughout this chapter, one of the reasons why session hijacking can

be so damaging is that an attacker can perform these types of attacks across the Internet, which gives him access to a remote server or network

Spoofing versus Hijacking

Spoofing and hijacking are similar, but there are some differences worth pointing out. A spoofing attack (see Chapter 4, “Spoofing”) is different from a hijack in that an attacker is not actively taking another user offline to perform the attack. Instead, he pretends to be another user or machine to gain access. While an attacker is doing this, the party he is spoofing can be at home or away on vacation for that matter—the real user plays no role in the attack. Therefore, the attacker is not actively launching an attack against a user’s session. With hijacking, an attacker is taking over an existing session, which means he is relying on the legitimate user to make a connection and authenticate. Then, he can take over a session. This is done by actively taking the user offline.

One main difference between the two types of attacks is that spoofing only requires two parties to be involved—the attacker and the machine he is attacking. Figure 5.1 illustrates the spoofing process.

Figure 5.1. An attacker spoofing a victim named Bob.

As you can see, Bob plays no role in the spoofing attack at all. It doesn’t matter if Bob’s machine is turned on or even connected to the network.

From a session hijacking standpoint, Bob plays an active role, as shown in Figure 5.2.

Figure 5.2. An example of session hijacking.

With session hijacking, Bob has to make a connection and authenticate for the session to be hijacked. In this case, Bob must be active and make a connection for hijacking to be successful.

Types of Session Hijacking

With hijacking, there are two basic types of attacks: active and passive. With a passive attack, an attacker hijacks a session, but just sits back and watches and records all of the traffic that is being sent back and forth. This is useful for finding out sensitive information, like passwords and source code.

In an active attack, an attacker finds an active session and takes over. This is done by forcing one of the parties offline, where the user can no longer communicate, which is usually done with a Denial of Service attack. (For additional information on Denial of Service attacks, please see Chapter 6, “Denial of Service Attacks.”) At that point, the attacker acts like that user, takes over the session, and executes commands on the system that either give him sensitive information or allow him access at a later time.

There could also be hybrid attacks, where the attacker watches a session for a while and then becomes active by taking it over. Another variant is to watch a session and periodically inject data into the active session without actually taking it over.

Now we will briefly cover some TCP/IP concepts that you need to understand to see how session hijacking works in detail

TCP/IP Concepts

In most cases, when two computers want to communicate, the underlying protocols they use are either TCP or UDP and IP. The following is a list of the seven layers in the OSI model that are used for communication:

7) Application

6) Presentation

5) Session

4) Transport

3) Network

2) Datagram

1) Physical

For our discussion, we are concerned with layers 3 and 4. TCP and UDP are at layer 4, the transport layer. IP resides at layer 3, the network layer. So, whether you use TCP or UDP, you still use IP as your layer 3 protocol. TCP is reliable and UDP is unreliable. With session hijacking, because we are concerned with sessions or connection-oriented applications like telnet and FTP, we are also concerned with TCP.

TCP

Because TCP is a reliable protocol, it is connection oriented. It can guarantee whether or not two parties in a communication have successfully received packets. If one of the parties does not receive a packet, TCP automatically resends it. For TCP to work properly, there has to be a connection established and some way to acknowledge that each packet or a group of packets has been received. This is done through the three-way handshake and sequence numbers.

Three-Way Handshake

For two parties to establish a connection using TCP, they perform what is called a three-way handshake. The three-way handshake initializes the connection and exchanges any of the necessary parameters that are needed for the two parties to communicate. Figure 5.3 illustrates how a three-way handshake works.

Figure 5.3. Illustration of the three-way handshake.