
this feature on, and if you are using NT, the screen saver will automatically use the same password they use to log in. If they question it, you can just say that it probably went into "timeout" mode, but trust me, most people will not question it. Then you tell them that they just have to type in their password to unlock the screen and you are all set. Also, most people mouth their password silently as they type it, so if you are good at reading lips, you can also watch their mouth while they type.

Unlocked Terminals

Most people come to work in the morning, log on at the start of the day, and log off at the end of the day. Unfortunately, they are not at their desks every second of the day. They go to meetings, lunch and the restroom, and while they are gone their computer sits unattended but logged into the network. Anyone who can reach that computer has whatever the user has access to: they can sit down and read sensitive data, or send email that appears to come from the user. A smarter attacker could install a backdoor program so that they can regain access to the machine remotely, or install a sniffer or packet capture program and come back in a day or two to retrieve the results, which would yield passwords, sensitive data and large quantities of other useful information.

Since we have seen that gaining physical access to a facility is fairly easy, combining that with an unlocked terminal gives an attacker a huge opening into a network. I have performed tests at companies, and on an average day more than 70 percent of the users leave their computers accessible and unlocked for more than an hour at a time. Even in the hands of an unsophisticated attacker, 60 minutes is a long time to have unauthorized and unsupervised access to a network. I should also point out that this is an area that users get very defensive about. When I performed internal security at a large company, we made periodic checks to make sure people were locking their terminals (because it was in the security policy). People who did not adhere to the policy got very arrogant when we let them know or left a warning on their computer. One person even cursed at me and threatened my life, which is always fun. That is another good reason to have bullet-proof vests and stun guns in the security budget. In these cases it is also a good idea to have a relationship with human resources so that they can address the situation.

Written Passwords

With shoulder surfing you have to try to extract the password from the user as they type it in, but in some cases there is an easier way. A large number of people write their password down in case they forget it. They usually do it right after they create a new password. A couple of days later, when they remember the new password and no longer need the reminder, they forget to destroy it. Most people who do this keep it on their phone or monitor on a Post-it note. Yes, nothing is more exciting or more frustrating (depending on which side of the fence you are on) than to sit down at a computer and see the password right there in front of you.

Hackers Beware – New Riders Publishing

60

If a normal user writes down their password, that is bad, but what is even worse is when an administrator does it. I have seen a large number of administrators write down their passwords. The reason is threefold. First, administrators usually have to remember several passwords for the various systems they work on, and the more passwords you have to remember, the harder it is. Second, administrators use some of these passwords only periodically, and the less you use a password, the harder it is to remember. Third, with administrator passwords the stakes are much higher. If you have not used a password in two weeks and the network goes down and you have to bring the system back up, that is not the time to forget a password. Add stress to the equation and most administrators write down their passwords, not only to ensure that they will remember them, but to make sure they keep their jobs. In IT, the quickest way to lose your job is to be locked out of a system because you do not remember your password. Trust me, if this happens, security will be blamed for making people have passwords in the first place.

At one company I worked for, one of the major systems crashed and we needed to log on as the administrator to rebuild it and bring it back up. One problem: the person who built the system no longer worked at the company, and the person responsible for it was on vacation for two weeks and out of contact. It's funny, but most IT people tend to go on vacation to places where cell phones do not work and there are no dial-up connections. It was now 1:00 a.m., and without the password we would have to rebuild the entire system, but with the password it would be up and running in 10 minutes. I went to the administrator's desk and there were no visible passwords written down. So I started feeling under the desk, pulled off several Post-it notes, and bingo, there were the passwords for all of the systems the administrator maintained, including the one we needed. Being the security administrator, I now had a dilemma. On the one hand, I wanted to take action against the individual for not adhering to the security policy and writing down his password; on the other hand, we would have been in a lot of trouble if he had not.

Unplugging Machines

Computers and networking components tend to work best when they are plugged into power and plugged into the network. If someone accidentally or deliberately unplugs a machine, the result is a denial of service against that computer: if a computer is off, nobody can access it. Think of the impact if, on a Friday, someone accidentally unplugs the web server and no one notices until Monday morning, leaving the site inaccessible for the entire weekend.

In most cases I have seen where machines were unplugged, it was done accidentally. In one case, someone was putting in a new machine and all of the outlets were full, so they simply unplugged another machine to make room for the one they were installing, without checking with anyone. Talk about risky. In my opinion, people like that are too risky to work in IT. In another case, the power cable was not long enough, so they lifted the power strip up so that it would reach, which left the power supply suspended in the air. Someone in a rush accidentally tripped over it, unplugged it, did not realize what they had done, and kept going. Accidents happen and are unavoidable in some cases, but they can definitely be minimized with proper planning. Especially in a data center, where uptime is critical, extra planning should be done to minimize the impact that accidents and attacks have on the operation.

Local Logon

The ultimate goal of most attackers is to gain access to a machine. Remote access is good, but local access is even better. Some systems are configured so that certain functions can only be performed locally. Also, with local access an attacker can more easily carry off large amounts of data: if the machine has no removable storage device, an attacker can quickly and easily attach an Iomega Zip or Jazz drive and copy large amounts of data onto it. Restricting local access and watching the system logs for local logons can go a long way toward securing your systems.


Theft of Laptop Computers

Attackers commonly steal laptop computers, which provide high levels of access to sensitive information. Recently, a list was floating around some of the underground web sites that offered large sums of cash to anyone who could steal the laptop of one of the executives named on the list. The list contained names of executives from most of the large Fortune 100 companies in the United States. Think about it: current laptops contain at least 8-gigabyte hard drives, if not larger, which can hold large amounts of information. What once would have taken a thief boxes of documents to steal can now fit in a briefcase. I know executives at one company who, when they travel, copy the contents of the file server to their laptop so that every possible document is at their disposal. To some, the justification for this is strong; from a security standpoint, however, downloading all of your files onto a laptop is a nightmare.

In addition to the data on a laptop, laptops usually hold remote access information and possibly passwords. Most people who have laptops use them to dial in to their company's network, and the dial-up settings, user ID and password are stored on the computer to make it easier for the user to connect. In this case, an attacker just double-clicks the dial-up icon and has full access to the network, because the password was stored on the computer for the sake of convenience.

Offline

Most attacks on a network are detectable if a company is watching, but with certain types of attacks there is no way to know that the actual attack is being performed, because it is done offline with no connection to the network. In these cases, the only way a company can detect the attack is to notice the attacker acquiring the data he needs for it; if the company fails to notice that the data was acquired, it will be compromised. Therefore, it is important that a company detect these attacks while the online portion is being performed. The following are the general types of offline attacks:

Download password files

Download encrypted text

Copying large amounts of data


Download Password File

Because of its importance, an entire section of the book (Chapters 10 through 12) is dedicated to password cracking. So in this section, we will concentrate on acquiring the file and not on what an attacker does once he has it. Ultimately, an attacker wants as many ways in and out of the system as possible, and the best way to get them is to acquire everyone's password. The easiest way to do that is to download or capture a copy of the encrypted password file and crack it offline.

Depending on the operating system and configuration, there are various ways someone can acquire a password file. The trick is that if an attacker is persistent and creative, they will eventually find a way to get it. Most companies have a very liberal policy on changing passwords, and either have passwords that never expire or passwords that expire every six months. This means that even if it takes an attacker one month to acquire the file and one month to crack it, they still have three to four months of access to the network before the user has to change the password. Even if an attacker has only one week of access, that is enough time to install enough back doors to get back in later. The key rule with passwords is that a company's password change interval should be shorter than the time it takes to brute force the password file, and that time depends on how long the passwords are and how slow the hashing algorithm is.

Download Encrypted Text

Since passwords are encrypted when they are downloaded and cracked offline, downloading password files is a subset of downloading encrypted text. What most people do not realize when they use encryption is that all encryption is breakable; it is just a matter of time. What keeps an encrypted message secure is the secrecy of the key used to decrypt it, not the secrecy of the algorithm. In most cases the encryption algorithm is public knowledge; for example, everyone knows the algorithms that UNIX and Microsoft operating systems use to protect passwords. Since an attacker knows the algorithm but not the key, they can cycle through every possible key and eventually find the right one. This is known as a brute force attack, and what is interesting about these attacks is that, given enough time, they always succeed. It could take 400 years, but eventually the key will be found.

Since all encryption can eventually be broken, the goal is to make it so difficult that nobody bothers to attempt it. As you can imagine, the larger the key, the longer it takes. If you only have a 4-character key, you can cycle through all possible combinations in a very short period of time; a key of 2 million characters would take a lot longer. The general rule I like to use is that the key should be long enough that by the time someone can brute force it, the usefulness of the information has expired. You have to remember that as computers get faster, this timeline accelerates. What would have taken over 100 years to crack 10 years ago can now be cracked in less than a month.

For example, if we are encrypting data for an attack we are going to launch tomorrow, we do not care if someone can crack the message in 6 months. On the other hand, if we are developing a new product that will take 10 years to get to market, we want to make sure we use very strong encryption. Once again, the thing to remember is that once an attacker gets an encrypted file, the game is over. They will be cracking it from the comfort of their own home and you will have no way of knowing that this is happening. Using my home computer, it might take 5 years to break some encryption. What if I split the key space into pieces and hand them out to 500 computers on the Internet, each searching its own piece? I have now cut my time tremendously.
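The two offline attacks above (cracking a captured password file, and brute-forcing a key space whose size, not its algorithm, sets the cost) can be seen end to end in a small script. What follows is an added example and not code from Hackers Beware; it does not use the real UNIX crypt(3) or Windows password hashes. The hash scheme (SHA-256 over salt plus password), the three-line "password file", the wordlist and the guess rates are all constructed for this example so that it runs offline.

```python
"""Offline attack on a captured password file, plus key-space arithmetic.

Added example, not code from Hackers Beware. The hash scheme below is a
stand-in (assumption) for crypt(3) or the NT hash; the password file and
wordlist are constructed sample data.
"""
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols


def hash_password(salt, password):
    """Toy salted hash standing in for the real OS password hash (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample file: one "user:salt:hash" line per account.
SAMPLE_PASSWORD_FILE = "\n".join([
    "alice:a1:" + hash_password("a1", "letmein"),        # in the wordlist
    "bob:b2:" + hash_password("b2", "zq7"),              # 3 chars: a 36**3 key space
    "carol:c3:" + hash_password("c3", "Tr0ub4dor&3xyz"), # neither attack below reaches it
])

WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome"]   # constructed


def parse_password_file(text):
    """Return [(user, salt, hash)] from the captured file."""
    return [tuple(line.split(":")) for line in text.splitlines() if line.strip()]


def dictionary_attack(entries, words):
    """Try each word against every account. Cheap, so it always runs first."""
    cracked = {}
    for user, salt, digest in entries:
        for word in words:
            if hash_password(salt, word) == digest:
                cracked[user] = word
                break
    return cracked


def brute_force(entries, alphabet=ALPHABET, max_len=3, skip=()):
    """Exhaust every string up to max_len over the alphabet.

    Always succeeds for a password that fits; only the size of the key
    space (len(alphabet) ** length) decides how long it takes.
    """
    cracked = {}
    pending = {(salt, digest): user for user, salt, digest in entries if user not in skip}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            for (salt, digest), user in list(pending.items()):
                if hash_password(salt, candidate) == digest:
                    cracked[user] = candidate
                    del pending[(salt, digest)]
            if not pending:
                return cracked
    return cracked


def crack_file(text, words=WORDLIST, max_len=3):
    """Dictionary first, then brute force on whatever is left."""
    entries = parse_password_file(text)
    cracked = dictionary_attack(entries, words)
    cracked.update(brute_force(entries, max_len=max_len, skip=set(cracked)))
    return cracked


def exhaust_seconds(alphabet_size, length, guesses_per_second, machines=1):
    """Worst-case seconds to try the whole key space, split across machines."""
    return alphabet_size ** length / (guesses_per_second * machines)


if __name__ == "__main__":
    print(crack_file(SAMPLE_PASSWORD_FILE))
    for n in (3, 8, 12):   # 1e6 guesses/s per machine is an assumed rate
        alone = exhaust_seconds(len(ALPHABET), n, 1e6)
        shared = exhaust_seconds(len(ALPHABET), n, 1e6, machines=500)
        print(f"{n} chars: {alone:.3g} s on one machine, {shared:.3g} s on 500")
```

Run as a script it cracks alice from the wordlist and bob by exhaustion, while carol's 14-character mixed password survives both, and the last loop prints how the 36**n key space grows and how 500 cooperating machines divide the time, which is exactly the trade-off the text describes.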

Copying Large Amounts of Data

With this type of attack, someone copies large amounts of data to removable media in a very short period of time and then goes through it offline looking for the important information. If I know that an administrator goes to lunch from 11:30 to 12:30 every day, I could connect a removable media device (if the machine does not have one already) and copy 2GB of data to a removable Jazz disk that fits in my coat pocket. Then, at home, I can spend 8 hours looking for the exact document I want. Why would an attacker waste time online looking for documents, where their exposure is high and it is easy to get caught? It is easier to copy everything and sort through it later.

Routes Attackers Use to Get In

Now that we have taken a detailed look at the various categories of exploits, we will look at what can be exploited. In addition to the types of exploits, it is important that you understand what can be exploited, because this shows you the weaknesses in your systems and what you need to do to protect against them. If you do not fully understand what can be exploited, you might be missing a huge vulnerability that an attacker can use to compromise your system. The main reason that networks with security and houses with alarms still get broken into is that they protect the wrong things or concentrate their efforts in the wrong area; in other words, they do not fully understand all points of exposure.

The following example illustrates this. There was a house in Beverly Hills that was known to contain a very expensive art collection. To protect the art, the owner installed a very advanced alarm system with motion detectors and sensors on all the windows and doors. There were no alarms on the art itself, because the owners figured a thief would have to get into the house to take the art and the alarms would detect that. It was also known (because the art was featured in a lot of magazines) that most of it hung on one wall between two windows. Well, some low-tech thieves were pretty creative. They went in with a chain saw, cut around the wall section, and pulled it out so that it fell onto the lawn. Then they took the art off the wall and left. If the owners had realized that cutting through the wall was a way thieves could bypass the system, they could have designed the alarm differently and been protected against it; because they did not, they became victims. Not only is this story true, but it is one of the reasons why I like going to Los Angeles and reading the local paper: I get great security stories.

You now have an appreciation for understanding what can be exploited, so let’s take a look at the common things that can be exploited on a network:

Ports

Services

Third-party software

Passwords

Back doors

Trojan horses

Inference channels

Covert channels

What can be exploited? Anything and everything. If an attacker is creative, he can find a way into a system. We will address the more common things an attacker exploits and how he gets into systems.

Ports

If a burglar were going to break into a house, he would usually go in through a window or door because it is an easy point of access. Why break through a brick wall when you can jimmy a window open and climb in? Ports are the windows and doors of a computer system. There are literally thousands of different ports that can be open on a system. Port numbers range from 0 to 65,535 for TCP and again from 0 to 65,535 for UDP; because TCP and UDP have separate port spaces, there are more than 130,000 distinct ports that can be open on a machine. The more ports that are open, the more points of entry into a system. For a list of the well-known ports and the protocols assigned to each, see RFC 1700 (the assignments have since moved to the IANA port number registry, which is the current reference). RFCs can be downloaded from various sites, including http://www.rfc-editor.org/. Some of the more common ports are the following:

21. FTP (File Transfer Protocol)

23. Telnet

25. SMTP (Simple Mail Transfer Protocol)

53. DNS (Domain Name System)

79. Finger

80. HTTP (Hypertext Transfer Protocol)

110. POP (Post Office Protocol)

137–139. NetBIOS

I highly recommend that you run a port scanner against your own systems so that you know which ports are open and where your points of exposure are. I cannot count how many times I have run a port scanner against a system that the client told me had only port 25 open, only to find eight other ports open as well. Figure 2.2 is the output from running a port scanner on a Windows machine.

Figure 2.2. Output from running ScanPort, a port scanner for Windows.

The following is the output from running a port scanner on a UNIX machine, using nmap:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (10.10.68.39):
(The 1507 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
969/tcp    open        unknown
1024/tcp   open        kdm
1025/tcp   open        listen
1031/tcp   open        iad2
6000/tcp   open        X11

As you can see, these machines have several points of vulnerability. One of the best things you can do from a security perspective is know which ports are open on your machine and close any that are not needed.
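The check the text recommends, scanning your own host and comparing the result with what you believe is open, can be scripted in a few lines. What follows is an added example, not code from Hackers Beware or from nmap. The nmap 2.53 listing it parses is the one printed above, embedded here so that the parser runs offline; the "expected" baseline of only port 25 is the hypothetical claim from the client in the text, and the connect scan should only ever be pointed at hosts you are authorized to test.

```python
"""Know your open ports: parse a scan, diff it against the baseline, and
run a minimal TCP connect scan of your own.

Added example, not code from Hackers Beware or nmap. NMAP_OUTPUT is the
listing printed on this page; EXPECTED_TCP is the hypothetical "only port
25 is open" claim from the text.
"""
import re
import socket

NMAP_OUTPUT = """\
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (10.10.68.39):
(The 1507 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
98/tcp     open        linuxconf
111/tcp    open        sunrpc
113/tcp    open        auth
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
969/tcp    open        unknown
1024/tcp   open        kdm
1025/tcp   open        listen
1031/tcp   open        iad2
6000/tcp   open        X11
"""

EXPECTED_TCP = {25}   # what the owner believes is open (hypothetical baseline)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return [(port, proto, state, service)] for every port line in the output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def unexpected_open(rows, expected_tcp):
    """Open TCP ports that are not in the baseline: each one is an unreviewed door."""
    return sorted(port for port, proto, state, _ in rows
                  if proto == "tcp" and state == "open" and port not in expected_tcp)


def connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan: a completed handshake means the port is open.

    Noisy (it shows up in the target's logs) but needs no privileges.
    Only scan hosts you own or are authorized to test.
    """
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def scan_localhost_demo():
    """Open a throwaway listener on 127.0.0.1 and confirm the scanner sees it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        return port, connect_scan("127.0.0.1", [port])
    finally:
        listener.close()


if __name__ == "__main__":
    rows = parse_nmap(NMAP_OUTPUT)
    print("open but not in baseline:", unexpected_open(rows, EXPECTED_TCP))
    print("local demo (port, found):", scan_localhost_demo())
```

The diff is the useful output: against the baseline of {25}, the parser reports 15 other open TCP ports on the scanned host, which is the "only port 25" conversation from the text in code form. The connect scan is deliberately the simplest kind; it completes the handshake and so appears in the target's logs, which is fine when the target is your own machine.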

Services

Services are programs that run on a machine to perform a specific function. For example, an NT server runs the Server service so that it can process client requests, and a DNS server runs a service that answers name resolution requests. Services become dangerous when they run as root: any command a root service executes runs as root. This means that if I am a normal user and I want to execute something as root, I just exploit a service that is running as root and I am all set.

Again, as with ports, the more services that are running, the more points of exposure. Not only should you limit the number of services, but you should limit the privileges they run with.

In NT, to see what services are running, you go to Control Panel and click the Services icon. The Services dialog box appears, as shown in Figure 2.3.

Figure 2.3. Services information for Windows NT.


In UNIX, to see what processes are running on the box, you issue the ps command with the -ef options. The -e option selects all processes, and the -f option produces the full listing. The following is the output of running ps -ef:

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jul18 ?        00:00:09 init [5]
root         2     1  0 Jul18 ?        00:00:00 [kflushd]
root         3     1  0 Jul18 ?        00:00:04 [kupdate]
root         4     1  0 Jul18 ?        00:00:00 [kpiod]
root         5     1  0 Jul18 ?        00:00:01 [kswapd]
root         6     1  0 Jul18 ?        00:00:00 [mdrecoveryd]
bin        341     1  0 Jul18 ?        00:00:00 portmap
root       356     1  0 Jul18 ?        00:00:00 [lockd]
root       357   356  0 Jul18 ?        00:00:00 [rpciod]
root       366     1  0 Jul18 ?        00:00:00 rpc.statd
root       395     1  0 Jul18 ?        00:00:00 /usr/sbin/automount --timeout 60
root       448     1  0 Jul18 ?        00:00:10 syslogd -m 0
root       457     1  0 Jul18 ?        00:00:19 klogd
nobody     471     1  0 Jul18 ?        00:00:00 identd -e -o
nobody     475   471  0 Jul18 ?        00:00:03 identd -e -o
nobody     476   475  0 Jul18 ?        00:00:00 identd -e -o
nobody     477   475  0 Jul18 ?        00:00:00 identd -e -o
nobody     478   475  0 Jul18 ?        00:00:00 identd -e -o
daemon     489     1  0 Jul18 ?        00:00:00 /usr/sbin/atd
root       503     1  0 Jul18 ?        00:00:00 crond
root       521     1  0 Jul18 ?        00:00:00 inetd
root       535     1  0 Jul18 ?        00:00:00 lpd
root       583     1  0 Jul18 ?        00:00:01 sendmail: accepting connections
root       598     1  0 Jul18 ?        00:00:46 gpm -t ps/2
root       612     1  0 Jul18 ?        00:00:07 httpd
xfs         59     1  0 Jul18 ?        00:00:00 xfs -droppriv -daemon -port -1
root       700     1  0 Jul18 tty1     00:00:00 /sbin/mingetty tty1
root       701     1  0 Jul18 tty2     00:00:00 /sbin/mingetty tty2
root       702     1  0 Jul18 tty3     00:00:00 /sbin/mingetty tty3
root       703     1  0 Jul18 tty4     00:00:00 /sbin/mingetty tty4
root       704     1  0 Jul18 tty5     00:00:00 /sbin/mingetty tty5
root       705     1  0 Jul18 tty6     00:00:00 /sbin/mingetty tty6
root       706     1  0 Jul18 ?        00:00:00 /usr/bin/gdm -nodaemon
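The point of the listing is not the raw process count but which daemons run as root, since each of those is a path to a root shell if it has a bug. The following is an added example, not code from Hackers Beware: it parses the ps -ef output above (embedded here so it runs offline) and separates kernel threads, gettys and init from the user-space daemons that run as root without a terminal. The classification rules are this example's own heuristics, and identd (running as nobody) and xfs (started with -droppriv) are the listing's own illustrations of the privilege-limiting advice.

```python
"""Which services run as root? Parse ps -ef and pick out the risky ones.

Added example, not code from Hackers Beware. PS_OUTPUT is the listing
printed on this page; the rules in root_daemons() are this example's
own heuristics (assumption), not a standard classification.
"""
import os
from collections import Counter

PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jul18 ?        00:00:09 init [5]
root         2     1  0 Jul18 ?        00:00:00 [kflushd]
root         3     1  0 Jul18 ?        00:00:04 [kupdate]
root         4     1  0 Jul18 ?        00:00:00 [kpiod]
root         5     1  0 Jul18 ?        00:00:01 [kswapd]
root         6     1  0 Jul18 ?        00:00:00 [mdrecoveryd]
bin        341     1  0 Jul18 ?        00:00:00 portmap
root       356     1  0 Jul18 ?        00:00:00 [lockd]
root       357   356  0 Jul18 ?        00:00:00 [rpciod]
root       366     1  0 Jul18 ?        00:00:00 rpc.statd
root       395     1  0 Jul18 ?        00:00:00 /usr/sbin/automount --timeout 60
root       448     1  0 Jul18 ?        00:00:10 syslogd -m 0
root       457     1  0 Jul18 ?        00:00:19 klogd
nobody     471     1  0 Jul18 ?        00:00:00 identd -e -o
nobody     475   471  0 Jul18 ?        00:00:03 identd -e -o
nobody     476   475  0 Jul18 ?        00:00:00 identd -e -o
nobody     477   475  0 Jul18 ?        00:00:00 identd -e -o
nobody     478   475  0 Jul18 ?        00:00:00 identd -e -o
daemon     489     1  0 Jul18 ?        00:00:00 /usr/sbin/atd
root       503     1  0 Jul18 ?        00:00:00 crond
root       521     1  0 Jul18 ?        00:00:00 inetd
root       535     1  0 Jul18 ?        00:00:00 lpd
root       583     1  0 Jul18 ?        00:00:01 sendmail: accepting connections
root       598     1  0 Jul18 ?        00:00:46 gpm -t ps/2
root       612     1  0 Jul18 ?        00:00:07 httpd
xfs         59     1  0 Jul18 ?        00:00:00 xfs -droppriv -daemon -port -1
root       700     1  0 Jul18 tty1     00:00:00 /sbin/mingetty tty1
root       701     1  0 Jul18 tty2     00:00:00 /sbin/mingetty tty2
root       702     1  0 Jul18 tty3     00:00:00 /sbin/mingetty tty3
root       703     1  0 Jul18 tty4     00:00:00 /sbin/mingetty tty4
root       704     1  0 Jul18 tty5     00:00:00 /sbin/mingetty tty5
root       705     1  0 Jul18 tty6     00:00:00 /sbin/mingetty tty6
root       706     1  0 Jul18 ?        00:00:00 /usr/bin/gdm -nodaemon
"""


def parse_ps(text):
    """ps -ef prints 8 columns; CMD may contain spaces, so split at most 7 times."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        uid, pid, ppid, _c, _stime, tty, _time, cmd = line.split(None, 7)
        procs.append({"uid": uid, "pid": int(pid), "ppid": int(ppid),
                      "tty": tty, "cmd": cmd})
    return procs


def is_kernel_thread(proc):
    """Kernel threads show up with their name in square brackets."""
    return proc["cmd"].startswith("[")


def command_name(proc):
    """'/usr/sbin/automount --timeout 60' -> 'automount'; 'sendmail:' -> 'sendmail'."""
    return os.path.basename(proc["cmd"].split()[0]).rstrip(":")


def root_daemons(procs):
    """User-space daemons running as root with no controlling terminal.

    Excludes init, kernel threads and the gettys on tty1-tty6; what is
    left is the list to shorten or run under a less privileged account.
    """
    names = set()
    for p in procs:
        if p["uid"] != "root" or p["pid"] == 1 or p["tty"] != "?" or is_kernel_thread(p):
            continue
        names.add(command_name(p))
    return sorted(names)


def processes_by_uid(procs):
    """How many processes each account owns; root should not dominate this."""
    return Counter(p["uid"] for p in procs)


if __name__ == "__main__":
    procs = parse_ps(PS_OUTPUT)
    print(processes_by_uid(procs))
    print("root daemons:", root_daemons(procs))
```

On this listing the root daemons are automount, crond, gdm, gpm, httpd, inetd, klogd, lpd, rpc.statd, sendmail and syslogd, eleven programs whose every bug is a root bug, while identd, atd, portmap and xfs already run under dedicated low-privilege accounts. The same parser works on a live box with `ps -ef` output piped into parse_ps(), and the same split-at-most-7 rule handles commands with spaces in their arguments.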