Hackers and their tools: the topic is not limited to teenagers who assemble scripts (script kiddies) or to highly intelligent techies who – at least according to the media stereotype – sit in front of their monitors all night eating pizza and drinking cola. The first, large group does not have enough knowledge of attack techniques, network protocols, and programming to mount a deliberate attack on a company. According to their own self-understanding, “real” hackers are usually top-of-the-class experts who follow the hacker ethic and have no criminal intent. They simply wish to find, analyze, and publish security gaps for their own circle.
In addition to these two noncommercial groups, another set of hackers exists – hackers who can threaten the very existence of a company with their mischief. Of course, the ranks of potential attackers also include traditional insiders along with economic and industrial spies. Although both groups have about the same knowledge as noncommercial hackers, they bring a lot of criminal energy with them. Against this background, they ply their craft of spying on companies and company data.
Attacks with typical hacker tools
Some attacks have no specific target other than wreaking havoc, such as a denial-of-service (DoS) attack that crashes a system or planted code that generates viruses. But other attacks have specific targets:
- Spying out or guessing passwords
- Hiding behind an identity or operating under a false identity (spoofing)
- Breaking into remote systems and spying out information
The Internet makes thousands of programs available for download, some of which are typical of their species. Here are some brief portraits.
Exploits are short programs, usually available only in source code, that take advantage of individual security gaps. An exploit is usually effective only against a single computer. To execute effective attacks, users must modify exploits. Professional hackers often publish exploits in a form that makes it more difficult for the uninitiated to use them.
Exploits smbnuke.c and smbdie.exe
These programs can crash Windows systems over a network. Since their appearance, Microsoft has issued effective patches, but only after a long period of high vulnerability.
Exploit ASN.1
This exploit can crash a number of Windows-based systems (up to Windows Server 2003). The exploit was published on the Internet in 2004; repair patches, of course, appeared only later. An attack with exploit ASN.1 presumes access to the Microsoft Internet Information Server (IIS) and the NetBIOS interface of the target system. The exploit crashes lsass.exe, which then crashes the entire system.
Brutus: A password spy
Brutus is an easy-to-use tool for guessing passwords. The attacker needs a list of user names and a dictionary of password candidates. The tool tries to gain access to a system simply by going through all possible combinations of user names and passwords. It is especially effective when the attacker has one or more of the following pieces of information:
- A list of all valid user names (login IDs)
- Rules for creating IDs
- Knowledge of the languages spoken by a user or of a user’s home country
- A user’s character set
- Knowledge of whether the system is or is not case sensitive
The password lists are enhanced with mutation filters that can use the following commands to guess a password:
- Use the word backwards
- Add a number to the word
- Replace the letter ‘i’ with the number ‘1’
- Change the word to uppercase
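The same four mutation rules can be turned around and used defensively. The following added example (not code from the article or from the Brutus tool) is a password-policy check that undoes each rule in turn, so that a password which is merely a dictionary word reversed, uppercased, with ‘i’ replaced by ‘1’, or with a number appended is rejected before an attacker’s mutation filter ever gets to try it. The dictionary, the minimum length, and the record of sample passwords are constructed for the example.

```python
# Added example (not from the article): reject passwords that a Brutus-style
# mutation filter would recover from a dictionary word in one step.

# Constructed sample dictionary; a real check would load a large multilingual
# wordlist matching the languages of the users being protected.
DICTIONARY = {"password", "welcome", "summer", "berlin", "dragon", "admin"}
DIGITS = "0123456789"


def base_word_candidates(password):
    """Return every base word the password could have been produced from by
    applying the four mutation rules (append number, uppercase, i->1, reverse).
    Each rule is undone in turn; the number is stripped from either end because
    the word may have been reversed before or after the digits were added.
    """
    forms = set()
    for s in {password, password.rstrip(DIGITS), password.lstrip(DIGITS)}:
        if not s:
            continue                                 # password was digits only
        low = s.lower()                              # undo "change the word to uppercase"
        for t in {low, low.replace("1", "i")}:       # undo "replace 'i' with '1'"
            forms.add(t)
            forms.add(t[::-1])                       # undo "use the word backwards"
    return forms


def is_dictionary_derived(password, dictionary=DICTIONARY):
    """True if the password is a dictionary word or a trivial mutation of one."""
    return any(candidate in dictionary for candidate in base_word_candidates(password))


def check_password(password, dictionary=DICTIONARY, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_derived(password, dictionary):
        problems.append("dictionary word or a simple mutation of one")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: four trivial mutations and one random one.
    for pw in ["Summer2004", "drowssap", "Berl1n42", "4002remmus", "x7Gk#pq2-wQ9m"]:
        print(pw, "->", check_password(pw) or "ok")
```

The check deliberately reverses the attacker’s workflow: instead of expanding every dictionary word into all its mutations (which is what the cracking tool does), it shrinks the submitted password back to its possible base words, which keeps the cost of the check independent of the size of the mutation set.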
Sniffers: hunt and webmitm
The hunt sniffer offers effective connection management with easily readable recordings, and supports “spoofing” (concealing or falsifying computer addresses) followed by the hijacking of an Internet connection. Combined with manipulated DNS and MAC addresses, this program enables an attacker to insert himself into an ostensibly secure SSL connection between a bank customer and the bank’s server and route the data through the attacker’s computer as a man-in-the-middle attack.
The webmitm tool can generate and transmit a certificate in place of the original certificate. The ostensibly encrypted connection is then established with the false certificate, and the attacker can read the login ID and password in the clear.
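The address manipulation that such a hijack depends on leaves a visible trace on the local network: a host that was answering from one MAC address suddenly answers from another, and a single MAC address starts claiming several IP addresses. The following added example (not code from the article or from the hunt or webmitm tools) shows that detection logic run over a constructed log of ARP replies. The record format, the sample addresses, and the static table of known hosts are all assumptions made for the example.

```python
# Added example (not from the article): flag the address spoofing that precedes
# a connection hijack by replaying ARP reply records against a learned table.
import re
from collections import defaultdict

# Constructed record format: "<date> <time> arp reply <ip> is-at <mac>".
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+ \S+) arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample: the gateway 192.168.1.1 genuinely lives at 00:11:22:33:44:55;
# then host .21 starts answering for both the gateway and for host .20.
SAMPLE_LOG = """\
2004-03-02 10:15:01 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
2004-03-02 10:15:02 arp reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20
2004-03-02 10:15:03 arp reply 192.168.1.21 is-at 00:aa:bb:cc:dd:21
2004-03-02 10:16:40 arp reply 192.168.1.1 is-at 00:aa:bb:cc:dd:21
2004-03-02 10:16:41 arp reply 192.168.1.20 is-at 00:aa:bb:cc:dd:21
2004-03-02 10:16:42 arp reply 192.168.1.1 is-at 00:aa:bb:cc:dd:21
"""

# Assumed static table of hosts the defender knows (typically the gateway);
# seeding it means the very first forged reply for that host is caught.
KNOWN_HOSTS = {"192.168.1.1": "00:11:22:33:44:55"}


def detect_arp_spoofing(log_text, known_hosts=None, max_ips_per_mac=1):
    """Return a list of alert dicts, one per suspicious record.

    kind "ip-mac-change":          an IP address answered from a new MAC address
    kind "mac-claims-multiple-ips": one MAC address now answers for several IPs
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known_hosts or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue                     # not an ARP reply record; ignore
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "ip-mac-change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:    # only alert when a MAC gains a new IP
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG, KNOWN_HOSTS):
        print(alert)
```

On the sample the detector raises four alerts, two for the gateway and host .20 changing MAC address and two for the impersonating MAC accumulating addresses; the first three records alone produce none. Static ARP entries for the gateway and a fixed certificate check on the client are the usual complements to this kind of monitoring, since a forged certificate, as with webmitm, is only useful once the traffic has been redirected.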
Easy to obtain, easy to use
Traditionally dangerous goods like weapons, explosives, or poisons can be obtained only with professional contacts and at great expense. But hacker tools are easy to find at no expense with search engines like Google. For example, if you look for exploits written in the C programming language, Google returns more than 30,000 hits for the query.
And hacker tools are easy to use. The quality of the available tools is so high that even an untrained, but interested user can attack an external system in a short time. Of course, a true, professional hacker usually must use a series of weaknesses one after the other to attack a company’s network successfully. But the damage caused by script kiddies working in the dark is usually bad enough.
For example, it’s very easy from a technological perspective to carry out a defacement attack on a company’s Web site. The attack simply replaces the official site with a text that thanks customers for their many years of faithfulness to the company and announces that the company has gone bankrupt and has ceased operations.
The damage caused by the rapid, world-wide spread of viruses unleashed by script kiddies can cost millions. Estimates of the damage caused by the Melissa virus lie between $95 million and $395 million. The I-love-you virus is estimated to have caused $700 million in damage. These astronomical sums are the result of exponential dissemination. In the first 24 hours after its appearance, the Nimda virus infected 2.2 million computers. According to a study by Network Associates, each paralyzed computer cost a company some €5,000.
The exact figures on the financial damage suffered by companies are usually not made public. Consider the trial of the author of the Sasser and Netsky worms. After his arrest, only 143 victims registered complaints with the authorities, which meant “minor” damage of “only” €130,000. Midsize and large companies were certainly affected by the worms, but balked at going public to avoid adding a tarnished IT-security image to the damage they had already suffered. Without a complaint, these damages don’t show up in the statistics.
For the highly complex IT landscapes of many companies, it’s hardly possible to mitigate all risks and implement all possible defenses. However, in addition to virus scanners, firewalls, and intrusion detection systems, companies should consider the following realities.
First, software often contains security gaps, especially in products that are sold by the millions. If a software product contains a security bug, it’s usually discovered by accident. In general, a security mailing list or another forum reports the bug, the manufacturer is notified, and the manufacturer creates a repair patch as soon as possible. But you can be sure that someone is working in the background at the same time to create an exploit for the gap. At the very latest, once the exploit courses through the underground, the danger is acute. Companies need to stay on top of software bugs and patches; they must get updates as quickly as they can. According to dshield.org, the survival time of a server without up-to-date patches on the Internet averages about 20 minutes.
Second, configuration is often a weak point of the defense. The standard configuration of a complex system does not guarantee 100% protection. The more complex the system, the more it needs to be isolated. Every small bit of careless configuration creates an opening for those who wish to break in.
Finally, users should not be underestimated as a security factor. A small, thoughtless act can have grave consequences. That’s why usage rights should be granted as restrictively as possible. Employees must be trained in security issues and internalize a significant awareness of the danger. That’s the only way to guarantee anything like IT security in the ongoing cat-and-mouse game between attack and defense.
For more information, see the interview with Sebastian Schreiber on penetration tests – test attacks on corporate networks.