12 | into IT

You can manage what you know about; it's what you don't know about that creeps up and stabs you.

For the IT manager, computer hacking is one such sword of Damocles for which sensible preventive and detective measures have become essential. And in common with other disasters in waiting, infiltration should feature in contingency planning. For the benefit of those readers unfamiliar with computer hacking, N. Nagarajan of the Office of the Comptroller and Auditor General of India gives an overview and explains some of the terms associated with it.

The basics of protecting against computer hacking

The hacker

Technically, a "hacker" is someone who is enthusiastic about computer programming and all things computer related, and is motivated by curiosity to reverse engineer software and to explore. The term "cracker", on the other hand, describes those who apply hacking skills to gain unauthorised access to a computer facility, often with sinister motives. But "cracking" never really caught on, perhaps due to the grey area that exists between the two activities and to the media's widespread use of "hacking" as a term synonymous with computer crime. I will not therefore try to buck the trend in this article.

Computer hacking

Hacking is in some ways the online equivalent to burglary; in other words breaking into premises against the wishes of the lawful owner - in some jurisdictions a crime in itself - from which other criminal acts such as theft and/or damage generally result. Computer hacking refers to gaining unauthorised access to, and hence some measure of control over, a computer facility, and most countries now have specific legislation in place to deter those who might wish to practise this art and science. In some jurisdictions, unauthorised access alone constitutes a criminal offence, even if the hacker attempts nothing further. However, in practice, hackers generally have a particular target in mind, so their unauthorised access leads to further acts, which national law might also define as criminal activities. These can be summarised under the headings of unauthorised:

- obtaining of confidential information: perhaps the major growth area in computer crime is "identity theft", in other words the obtaining of personal information that can then be used to commit other serious offences, usually in the area of fraud. However, other motives include espionage (both governmental and commercial secrets) and the obtaining of personally sensitive information that might be used for tracing people, deception and blackmail;
- alteration or deletion of data and code: most organisations now depend to some extent on computerised information systems, and any act resulting in significant corruption or deletion of corporate data could have serious implications on their ability to transact business;
- degradation or cessation of service: acts that result in systems being unable to carry their workload or that fail altogether could also have serious business implications;
- use of computer resources: this impact is really inherent in the previous three, but it's worth mentioning separately because an emerging problem is the use by hackers of other people's systems (extending to home PCs) to store illegally obtained data or to mount attacks on other systems. There are documented cases of systems hacked in this way - sometimes referred to as "zombies" because they are no longer in the full control of their unsuspecting owners - being used to store child pornography and material that breaches copyright law (e.g. copyrighted music files), to mount distributed denial of service attacks on other systems, and to distribute spam e-mail.

Finally, it's worth emphasising that the term "hacker" applies both to outsiders and to otherwise authorised personnel who misuse their system privileges, or who impersonate higher privileged users. This sad fact needs to be recognised when formulating corporate security policy.

The Ten Immutable Laws of Security

1 If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2 If a bad guy can alter the operating system on your computer, it's not your computer anymore.
3 If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4 If you allow a bad guy to upload programs to your web site, it's not your web site any more.
5 Weak passwords trump strong security.
6 A machine is only as secure as the administrator is trustworthy.
7 Encrypted data is only as secure as the decryption key.
8 An out of date virus scanner is only marginally better than no virus scanner at all.
9 Absolute anonymity isn't practical, in real life or on the web.
10 Technology is not a panacea.

Source - www.microsoft.com/technet

Approaches to hacking

There are several basic strategies for hacking a computer facility: physical intrusion; password attacks; network access; web server attacks; and e-mail attacks, but there are a multitude of tactics that can be used to implement them. For example, security flaws (or design weaknesses) in infrastructure software and communications protocols offer seemingly endless tactical possibilities, as is evidenced in the never-ending stream of security updates (see example).

Just another security update for Microsoft Internet Explorer

Are You on a Network? If your computer is part of a managed network, contact your organization's system administrator before making changes to your computer.

Why We Are Issuing This Update: A number of security issues have been identified in Microsoft® Internet Explorer that could allow an attacker to compromise a Microsoft Windows®-based system and then take a variety of actions. For example, an attacker could run programs on a computer used to view the attacker's Web site. This vulnerability affects computers that have Internet Explorer installed. (You do not have to be using Internet Explorer as your Web browser to be affected by this issue.) You can help protect your computer by installing this update from Microsoft.

Source - Microsoft Security Bulletin MS03-032

Physical intrusion: an attacker's work is made easier by gaining physical access to a machine's keyboard or to network junction boxes. Physical access opens up such possibilities as installing a keystroke logger [1]; installing unauthorised hardware devices (e.g. linking a modem that bypasses the corporate firewalls to the network); tapping junction boxes through which network traffic might be analysed; gaining access to system documentation, printouts and to written notes of their passwords left by reckless users. Even access to confidential waste can prove fruitful. Perhaps the quickest and easiest way to gain physical access to an organisation's computer facilities is to join the contract cleaning force, which often works unsupervised and outside normal office hours.

Password attacks: obtain a valid password to the system and you become just another legitimate user. This is particularly dangerous where the hacked account has special privileges assigned to it that permit wide-ranging system access and use. A successful password attack is both difficult to detect and difficult to prevent because password security depends largely on the user. Keystroke loggers and social engineering (see terminology below) are methods of capturing passwords, while people often share their personal passwords with others, write them on notes that they attach to their terminals, and fail to change them periodically. Password cracking programs perform an elaborate process of guessing 'weak' passwords by trial and error, using combinations of words from different languages, names (places, people, characters in books), jargon, slang, and acronyms. These are tried backwards, in two-word combinations, in combinations with numbers substituted for letters, etc. Vendors often ship infrastructure software with the administrator account passwords set to default values; because these are widely known in the hacking community, they provide an easy route into a computer facility if left unchanged.

Network Access and Web Server Attacks: computers forming part of a local area network that is in turn connected to the Internet are exposed to a range of potential logical access risks. A network's primary purpose is to permit users to access resources and exchange information, but hackers can also use the network for the same purpose. There are different ways to achieve unauthorised access under this heading, many being technically sophisticated. One set of approaches exploits features of networking software that make it accessible from outside the network. Another set exploits browsers; for example, browsers maintain or have access to information about the user and computer that a hacker can exploit. A hacker could also cause a browser to launch an "applet" (a program that runs in conjunction with the browser) to hack the computer or network, or to send back information that is not normally accessible from outside. Once access is gained, "island hopping" through the network is sometimes possible by exploiting trusted relationships between interconnected computers - the fact is that a network of computers that trust each other is only as secure as its weakest link.

The basic solutions to this family of security risks are to keep abreast of vendor security updates - such as the Microsoft example illustrated - and to maintain an effective "firewall" [2].

Email Attacks: e-mail is a major route into networked computers. Typically, a Trojan horse program is buried within an innocuous-looking attachment to an e-mail message (see the Autorooter example). The Trojan is launched when the attachment is opened (or sometimes viewed) and covertly passes control of the computer to the hacker.

Autorooter

...a Trojan horse, potentially spread by e-mail, which exploits a Windows vulnerability to allow a hacker to gain control of infected computers. This DCOM-RPC exploit only affects Windows XP/2000 Pro/NT computers, which can use Remote Procedure Call. As the Trojan is incapable of spreading by itself, the file reaches computers through infected e-mail messages, inside files downloaded from the Internet or even on floppy disks. When run, Autorooter creates files, including RPC.EXE, which exploit the operating system vulnerability by opening communication port 57005 and logging on with the same privileges as the computer's user. It also downloads a file called LOLX.EXE, which opens a backdoor in the computer. After that, the infected computer is at the mercy of the hacker, who can gain remote control through the port created. Because it doesn't show any messages or warnings that may indicate that it has reached the computer, Autorooter is difficult to recognise.

[1] Hardware or software that captures the user's keystrokes, including their passwords.
[2] A combination of hardware and software that limits external access to networked computers and resources.
[3] The least level of privilege consistent with performing a particular role.

Managing common vulnerabilities

A compromised system can be a self-inflicted injury due simply to the basic precautions having been ignored:

- ensure that your computer has good physical security, consistent with both its value in terms of replacement cost and the consequences that could stem from its being disclosed or destroyed. Secure sensitive areas; manage access keys; consider installing intruder alarms. Ensure communications junction boxes are secured and inspect them periodically for signs of tampering - network administration packages can detect unauthorised physical devices connected to the network. Provide a secure waste disposal service for computer printouts and removable media;
- formulate a sensible password policy for authenticating users and enforce it. Consider the need to strengthen password authentication with tokens or biometrics. Disable unnecessary services and accounts promptly;
- systems administrators occupy positions of extreme trust; it follows that they should themselves be trustworthy. Be very careful who you permit to have system administrator-level access to your network, particularly when hiring new staff or appointing people to cover for absences. Consider implementing a policy of "least privilege" [3] and review periodically the privileges that have been allocated, to whom and for what purpose;
- infrastructure software - in particular the operating system and firewalls - generates logs that record who is using (or attempting to use) the system, for what purpose and when. This information can prove vital in detecting unauthorised activity - for example, attempted access to particularly sensitive accounts or files - and system use at unusual times. Logs should be reviewed frequently - it may be necessary to develop or purchase a log monitoring and analysis package to enable key system messages to be detected quickly. An unplanned increase in disc storage, slower than expected network performance and suspicious-looking outbound connections can be other indicators that you have a cuckoo in the nest;
- make sure that your system files (including the Registry) are well protected from unauthorised change. Apply the principle of least privilege to limit what users are able to do. Implement a change control procedure to ensure at least two people are involved in important system changes and that all changes are recorded. Periodically audit your system software for unauthorised executables;
- never run or download software from an untrusted source (the source from which it was obtained might not be the same as the developer). If you run a web site, you should control closely what visitors can do; in particular, you should only permit programs on the site that you obtained from a trusted developer;
- typically, a new virus or Trojan does the greatest amount of damage early in its life when few people are able to detect it. Thus, an out of date virus scanner is only marginally better than no virus scanner. New viruses and Trojans are created virtually every day, so it's vital to keep your scanner's signature file up to date - virtually every vendor provides a means to obtain free updated signature files from their web site.

When you're satisfied that the basics are both in place and operating, why not consider hiring a reputable firm of security specialists to undertake a "penetration testing" programme to assess the extent to which your scheme of control rests on solid foundations rather than on sand?

It's vital to appreciate that:

- security consists of both technology and policy; that is, it's the combination of the technology and how you use it that ultimately determines how secure your systems are;
- security is a journey, not a destination. It's not a problem that can be "solved" once and for all, but a continual series of moves and countermoves between the good guys and the bad guys;
- the key is to ensure that you have good security awareness, appropriate security policies (that you enforce), and that you exercise sound judgment.

Planning for hacking incidents

So, you discover that your system has been hacked. What next? Well, first it's necessary to backtrack and consider planning for this possibility. Sit down with colleagues and write down a strategy to guide your response, exactly as you would for any other aspect of contingency planning. Who will form your incident response team? What are your goals going to be and in what order of priority? In most cases they are likely to be first, to prevent further intrusion, then to identify the vulnerabilities that led to the attack, assess the damage and consider what remedial action needs to be taken (e.g. what would you do were you to suspect identity theft?). Will you assign resources to identifying the intruder? Will you involve the police?

One of the first points to consider is whether to disconnect from your external networks to limit damage and prevent further infiltration to other trusted networks. Assuming the attack is external, remaining connected may leave the hacker able to observe and negate the response team's actions. Organisations that have reliable (i.e. successfully tested) disaster recovery arrangements in place may find it comparatively easy to transfer their key operations to a disaster recovery site while they thoroughly investigate and sanitise their home site.

You should consider the extent to which you back up your firewall and other significant logs. Assuming the vulnerability that gave rise to the attack is not apparent, you may need to look back, perhaps weeks, to identify when and how the intrusion occurred (another plus in favour of frequent log reviews). Furthermore, should events finish up in the hands of the police, the police are likely to need the evidence contained in your logs to support a prosecution.

You will also need to consider who to inform when you discover the problem. This will involve striking a balance between those who need to be involved in the investigation, top management - but only when you have concrete proposals to make to them - and everyone else, at least until the evidence has been preserved.

Investigation needs to be thorough; focusing on a single vulnerability before restoring service might overlook the existence of backdoors that the hacker has inserted to enable easy re-entry later. A thorough investigation will involve advanced networking techniques, adeptness with software tools, system administration, data/system recovery, technical skills that might not be at your immediate disposal. Thus, it might be prudent in your planning to identify reputable security specialists well versed in penetration testing that might be called upon to assist with sanitising and rebuilding your systems.

In addition to identifying the system vulnerabilities exploited by the hacker, a critical review and reconciliation of activated accounts (particularly those of guests, supposedly disabled accounts and those whose presence can't be explained) and their associated system privileges, while tedious, could reveal unused entry points the hacker has set up against a rainy day; likewise, you should confirm the status of all interconnected 'trusted' systems.

Scan the system for Trojans. These are typically identified by antivirus packages, but their scan engines have varying degrees of success, particularly if not up-to-date, so scan using (up-to-date versions of) several packages.

Note: there is more information on incident response at http://www.cert.org/security-improvement/modules/m06.html

The hackers' hit parade

Security firm Qualys produces a real-time index of the vulnerabilities that are the current favourites of the Internet's computer hacking community. You can obtain details of each vulnerability by clicking on each entry in the 'ID' column of the vulnerability table. http://www.qualys.com/services/threats/current.html

Responding to intrusions

- understand the extent and source of an intrusion;
- protect sensitive data contained on systems;
- protect the systems, the networks and their ability to continue operating as intended;
- recover systems;
- collect information to better understand what happened. Without such information, you may inadvertently take actions that can further damage your systems;
- support legal investigations.

Source: www.cert.org

Conclusion

In the context of computer hacking, knowing what you do not know is manageable, hence the importance of good preventive and detective measures, such as log review and intrusion detection systems. The less fortunate are those who remain in self-inflicted ignorance - maybe for weeks or months - that their system has been infiltrated and their business is being damaged.

Regardless of the strength of your preventive and detective measures, be prepared for hacking incidents, particularly if your organisation relies heavily on networks (the Internet, WANs and LANs) for its operations and customer services. Should you fall victim, a thorough investigation of a compromised system - while disruptive, time-consuming, expensive, and tedious - is essential. The temptation is to give in to pressure to resume operations quickly by closing the obvious vulnerabilities and trusting to luck that the system is clean. That could easily be a false economy.

Some terminology

Buffer overflows - are due partly to a characteristic of some programming languages, such as C, which poor programming practices then exacerbate. An overflow occurs when a program attempts to store more data in a temporary storage area, or "buffer", than it can hold. Since buffers are of finite size, the extra information overflows into adjacent buffers, thereby corrupting or overwriting the valid data held in them. This would normally cause a program failure or even a system crash, but a skilfully crafted overflow can also be exploited as a form of security attack. The attacker can gain control by creating an overflow containing code designed to send new instructions to the attacked computer, hence the relevance of buffer overflows to hacking.

Example of a buffer overflow vulnerability

The Phone Book Service that runs on Internet Information Services (IIS) 5.0 has an unchecked buffer (a temporary data storage area that has a limited capacity but no specification for the amount of information that can be written into it) in the code that processes requests for phone book updates. A specifically malformed HTTP request from a malicious user can cause a buffer overflow in the Phone Book Service, which might allow the malicious user to run unauthorized code on the server, or cause the service to fail.

Source: extract from a Microsoft security update.

Firewall - the online equivalent of the 'man on the door' who, when a visitor arrives in the foyer, asks for proof of identity, checks the appointments book, contacts the host, issues a temporary pass and perhaps inspects the visitor's baggage before permitting - or denying - entry. A network firewall sits at the junction point or gateway between two networks - usually a private network and a public network such as the Internet - its purpose being to reduce the risk to networked computers of intrusion. It may be a hardware device or software running on a secure host computer. In either case, a firewall has at least two network interfaces, one for the network it is protecting and one for the untrusted network to which it is exposed. Because firewalls cannot decide for themselves whether traffic is hostile or benign, they must be programmed with rules (a "security policy") that govern the types of traffic to allow or deny. In addition to guarding external connections, firewalls are also sometimes used internally to provide additional security by segregating sub-networks that give access to highly sensitive applications.

Honey Pots - decoy servers or other systems designed to gather information about attackers. A honey pot, which is set up to be easier prey for attackers than genuine production systems, incorporates modifications that enable intruders' activities to be logged and traced. The theory is that when an intruder breaks into a system, they will return. During subsequent visits, additional information can be gathered and additional attempts at file, security, and system access on the Honey Pot can be monitored and saved. Most firewalls can be configured to alert system administrators when they detect traffic entering or leaving a honey pot.

Identity theft - involves taking over an individual's identity by stealing critical private information, such as the Social Security number, driver's license number, address, credit card number, or bank account number. The identity thief can then use the stolen information to obtain loans or credit lines to buy goods and services under the stolen name. Identity thieves typically change the consumer's mailing address to hide their activities.

Attempted identity theft

National Australia Bank customers became targets for an e-mail fraud in which they were sent (grammatically incorrect) requests, purportedly from the bank, requesting them to connect to the NAB web site. "Dear valued customer," it read, "Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety." The e-mail encouraged recipients to click a link in the body of the message, which then connected them to a site that mimicked the NAB Web site but that had been set up to capture their login and password details. The scam used a message previously used to target other banks' customers.

Intrusion detection - the art and science of detecting when a computer or network is being used inappropriately or without authority. An ID system monitors system and network resources and activities and, using information gathered from these sources, alerts system administrators on identifying possible intrusion. Firewalls (see above) work only at a network's point of entry, with packets as they enter and leave the network. An attacker that has breached the firewall can roam at will through a network - this is where an ID system becomes important.

Intrusion Prevention - systems monitor for suspicious activity with the aim of proactively blocking potential attacks. Typically, an IP system comprises a software agent that resides near to the host's operating system kernel, which monitors system calls before they reach the kernel, using a rules engine to identify potentially suspicious activity. This can then be halted, or the systems administrator alerted. A drawback is that IP systems can respond to legitimate activities and generate false alarms. Defining exceptions can reduce such false alarms, but there are pros and cons to this.

Keystroke logger (or keylogger) - is a program that runs in the background recording all keystrokes. Once logged, the keystrokes are returned to the hacker, who peruses them carefully to identify passwords and other useful information that could be used to compromise the system, or be used in a social engineering attack. For example, a keylogger will reveal the contents of all e-mail composed by the user. Keylogger programs are commonly included in rootkits and remote administration Trojans. A keystroke logger can also take the form of a hardware device, independent of the operating system, which plugs in between the keyboard and the main system (for PCs). They simply record what is typed at the keyboard; the hacker can later retrieve the device and examine its contents.

Phishing - occurs when a consumer receives a deceptively legitimate-looking e-mail from what appears to be a reputable company (see Spoofing). The e-mail might ask a recipient to, for example, update their credit card information, and/or provide other personal details to avoid their account being terminated. Another approach is for the sender of the message to offer a service, for example to protect their credit cards from possible fraud. Those stung by phishing are victims of "identity theft" (see above).

Rootkit - a collection of tools and utilities that a hacker can use to hide their presence and gather data to help them further infiltrate a network. Typically, a rootkit includes tools to log keystrokes (see keylogger above), to create secret backdoor entrances to the system, monitor packets on the network to gain information, and alter system log files and administrative tools to prevent detection.

Social engineering - in his book, The Art of Deception: Controlling the Human Element of Security [4], arch hacker Kevin Mitnick poses the question: why bother attacking technology when the weakest link lies not in the computer hardware or software, but in humans who can be tricked into giving up their passwords and other secrets? Mitnick goes on to state that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of technology."

Spoofing - in essence a technique that depends on forging the identity of someone or something else ("masquerading"), the aim being to alter the trust relationship between the parties to a transaction. In the online world, there are different flavours of spoofing. A hacker might employ sophisticated e-mail spoofing to make it appear that an e-mail requiring the victim to confirm their account details, including such information as their logon ID and password, has been sent by a reputable person or organisation (see "phishing" and "social engineering" above). IP spoofing is another common form of online camouflage, in which a hacker attempts to gain unauthorised access to a computer or network by making it appear that a packet has come from a trusted machine by spoofing its unique Internet IP address. A countermeasure is to use a Virtual Private Network (VPN) protocol, a method that involves encrypting the data in each packet as well as the source address using encryption keys that a potential attacker doesn't have. The VPN software or firmware decrypts the packet and source address, and performs a checksum. The packet is discarded if either the data or the source address has been tampered with.

Trojan horse - a name derived from the classic Trojan horse in Homer's Iliad. After spending many months unsuccessfully besieging the fortified city of Troy, the Greeks evolved a strategy. They departed leaving behind them as a gift a large wooden horse, which the citizens of Troy brought into town. Unknown to them the horse contained Greek warriors, who at night jumped out and opened the city gates, letting in the Greek army who had been in hiding. In the IT environment - and setting aside the legitimate use of network administration tools - Trojans are generally considered a class of "malware" that, like their predecessor, contain covert functionality. They act as a means of entering a target computer undetected and then allowing a remote hacker unrestricted access and control. They generally incorporate a rootkit (see above).

[4] Wiley, ISBN 0-471-23712-4

About the author

N. Nagarajan CISA joined the Office of the Comptroller and Auditor General of India in 1989, and is presently employed as Senior Deputy Accountant General in Mumbai. In addition to his wide experience in auditing IT (particularly in the field of Electronic Data Interchange) and in training staff in IT audit skills, Nagarajan has also worked as a developer of pensions systems. Nagarajan's international work includes audit assignments at the United Nations in New York, and a two year secondment to the Office of the Auditor General of Mauritius where he was involved in training staff and in the audit of EDI systems operated by the Customs department. Nagarajan has been published in a number of international journals.
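The "password attacks" section above describes how cracking programs guess weak passwords (dictionary words from several languages, names, reversed words, two-word combinations, digits substituted for letters, vendor defaults). The following is an added example, not part of the article, of a password-policy check that rejects a candidate password on the same grounds; the word list, the vendor-default list and the substitution table are constructed for illustration and a real deployment would use far larger lists.

```python
"""Password policy check that applies the guessing rules a cracker would use.

Added example (not from the article). DICTIONARY, VENDOR_DEFAULTS and LEET
are constructed, illustrative values.
"""

# Constructed: words from different languages, place names, names, jargon and acronyms.
DICTIONARY = {
    "password", "secret", "welcome", "london", "mumbai", "admin", "sesame",
    "bonjour", "hamlet", "qwerty", "cisa", "audit",
}

# Constructed: the kind of default administrator passwords vendors ship with.
VENDOR_DEFAULTS = {"admin", "manager", "changeme", "default"}

# Characters crackers commonly substitute for letters ("P@55w0rd" -> "password").
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def _candidate_forms(password: str) -> set:
    """Plain forms a cracker's transformation rules would map this password onto."""
    lowered = password.lower()
    desubstituted = "".join(LEET.get(ch, ch) for ch in lowered)
    forms = {lowered, desubstituted}
    forms |= {f[::-1] for f in list(forms)}                 # words "tried backwards"
    forms |= {f.rstrip("0123456789") for f in list(forms)}  # "secret99" -> "secret"
    return {f for f in forms if f}


def _is_two_word_combination(word: str) -> bool:
    """True when the word is two dictionary words joined ("mumbailondon")."""
    return any(word[:i] in DICTIONARY and word[i:] in DICTIONARY
               for i in range(1, len(word)))


def password_weaknesses(password: str, min_length: int = 12) -> list:
    """Return the reasons a password would be rejected (empty list = acceptable)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    classes = sum(
        any(test(ch) for ch in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        reasons.append("fewer than three character classes")

    forms = _candidate_forms(password)
    if any(f in VENDOR_DEFAULTS for f in forms):
        reasons.append("vendor default password")
    for form in sorted(forms):
        if form in DICTIONARY:
            reasons.append(f"dictionary word (plain, reversed or de-substituted): {form!r}")
            break
        if _is_two_word_combination(form):
            reasons.append(f"two dictionary words joined: {form!r}")
            break
    return reasons


def is_acceptable(password: str) -> bool:
    """Policy decision: accept only passwords with no listed weakness."""
    return not password_weaknesses(password)


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "terces", "Admin", "MumbaiLondon1", "Correct-Horse-Audit-9!"):
        print(f"{candidate!r}: {password_weaknesses(candidate) or 'acceptable'}")
```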
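The "Managing common vulnerabilities" list above recommends reviewing infrastructure logs for attempted access to sensitive accounts and for system use at unusual times, and notes that a log analysis tool may be needed to surface such events quickly. As an added example that is not part of the article, the following reviewer applies those two checks, plus a count of repeated failures from one source (the signature of a password attack), to a constructed authentication log; the line format, account names and addresses are invented for the example and are not those of any real product.

```python
"""Log review for the indicators the article names: failed access to sensitive
accounts, successful logins outside business hours, and repeated failures from
one source. Added example; the log format below is constructed, not a real one.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed policy values.
SENSITIVE_ACCOUNTS = {"root", "administrator", "sa"}
BUSINESS_HOURS = range(8, 19)      # 08:00 to 18:59 counts as normal use
FAILURE_THRESHOLD = 5              # failures from one source that warrant a look

# Constructed line format: "<ISO timestamp> <host> auth: <OK|FAIL> user=<u> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed sample log: a night-time password attack against root and guest
# from 10.0.5.17 that eventually succeeds, plus a malformed line.
SAMPLE_LOG = """\
2004-03-02T09:05:11 fileserver auth: OK user=anita from=10.0.1.12
2004-03-02T14:30:00 fileserver auth: FAIL user=anita from=10.0.1.12
2004-03-02T02:14:07 fileserver auth: FAIL user=root from=10.0.5.17
2004-03-02T02:14:09 fileserver auth: FAIL user=root from=10.0.5.17
2004-03-02T02:14:12 fileserver auth: FAIL user=guest from=10.0.5.17
2004-03-02T02:14:15 fileserver auth: FAIL user=administrator from=10.0.5.17
2004-03-02T02:14:18 fileserver auth: FAIL user=guest from=10.0.5.17
2004-03-02T02:21:40 fileserver auth: OK user=root from=10.0.5.17
this line is not in the expected format
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review(lines) -> list:
    """Return (kind, detail) findings for a reviewer to follow up."""
    findings = []
    failures_by_source = Counter()
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            # Unparseable lines deserve attention too: tampered or corrupted logs.
            findings.append(("UNPARSED", line.strip()))
            continue
        when = event["ts"].isoformat()
        if event["result"] == "FAIL":
            failures_by_source[event["src"]] += 1
            if event["user"] in SENSITIVE_ACCOUNTS:
                findings.append(("SENSITIVE_FAIL",
                                 f"{when} {event['user']} from {event['src']}"))
        elif event["ts"].hour not in BUSINESS_HOURS:
            findings.append(("OFF_HOURS_LOGIN",
                             f"{when} {event['user']} from {event['src']}"))
    for src, count in failures_by_source.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(("REPEATED_FAILURES", f"{src}: {count} failures"))
    return findings


def count_kinds(findings) -> dict:
    """Summarise findings by kind, e.g. {'SENSITIVE_FAIL': 3, ...}."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{kind:18} {detail}")
```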
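The "Spoofing" entry above describes the VPN countermeasure: each packet's data and source address are protected with keys the attacker does not hold, and the receiver discards any packet whose data or source address fails its check. The following added example (not from the article) demonstrates that check alone, using an HMAC-SHA256 tag over the source address, a sequence number and the payload; the encryption step the article also mentions is assumed to happen separately, and the packet layout, addresses and key are constructed for illustration (a real deployment would use a standard such as IPsec rather than this format).

```python
"""Tamper and spoof detection for tunnel packets, in the spirit of the VPN
countermeasure described under "Spoofing". Added example; the packet layout
(seq | src | payload | tag) and all keys and addresses are constructed.
"""
import hmac
import hashlib
import ipaddress
import struct

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag
HEADER_LEN = 4 + 4                       # 32-bit sequence number + IPv4 source


class TunnelEndpoint:
    """One end of a tunnel; both ends share `key`, which the attacker lacks."""

    def __init__(self, key: bytes, own_addr: str):
        self.key = key
        self.own_addr = ipaddress.IPv4Address(own_addr)
        self.send_seq = 0
        self.highest_seen = {}   # peer address -> highest accepted sequence number

    def _tag(self, header: bytes, payload: bytes) -> bytes:
        # The tag covers the source address as well as the data, so neither can
        # be altered without the key.
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        """Build an outgoing packet: seq | src | payload | tag."""
        self.send_seq += 1
        header = struct.pack("!I", self.send_seq) + self.own_addr.packed
        return header + payload + self._tag(header, payload)

    def open(self, packet: bytes):
        """Return (source_address, payload) or None if the packet is rejected."""
        if len(packet) < HEADER_LEN + TAG_LEN:
            return None                                    # truncated
        header, payload, tag = (packet[:HEADER_LEN],
                                packet[HEADER_LEN:-TAG_LEN],
                                packet[-TAG_LEN:])
        # Constant-time comparison: a forged or altered packet fails here.
        if not hmac.compare_digest(tag, self._tag(header, payload)):
            return None
        seq = struct.unpack("!I", header[:4])[0]
        src = str(ipaddress.IPv4Address(header[4:8]))
        # A captured packet played back again carries an old sequence number.
        if seq <= self.highest_seen.get(src, 0):
            return None
        self.highest_seen[src] = seq
        return src, payload


def with_source_replaced(packet: bytes, fake_addr: str) -> bytes:
    """Test helper: rewrite the source field of a captured packet, tag untouched."""
    fake = ipaddress.IPv4Address(fake_addr).packed
    return packet[:4] + fake + packet[HEADER_LEN:]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    branch = TunnelEndpoint(key, "192.0.2.10")
    head_office = TunnelEndpoint(key, "198.51.100.5")
    packet = branch.seal(b"ledger update")
    print("genuine:", head_office.open(packet))
    print("replayed:", head_office.open(packet))
    print("source rewritten:", head_office.open(with_source_replaced(branch.seal(b"x"), "192.0.2.10")))
    print("forged without key:", head_office.open(TunnelEndpoint(b"guess", "192.0.2.10").seal(b"x")))
```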