
The Business of Hacking and Birth of an Industry
Matt Bowles

Hacking is a term that has evolved over the years. Its evolution spawned two
separate industries. An evil industry based on greed, theft, and general chaos
on the Internet, and a business industry whose sole purpose is to combat the
evil industry. The evil industry is comprised of all sorts of deviants who troll
the Internet looking for weaknesses that they can exploit to their gain. The
business industry is made up of products, vendors, and professionals whose
purpose is to keep the deviants out. Both industries are experiencing
explosive growth as technology increases the presence of organizations out
on the Internet. This paper’s aim is to examine some of the tools and
techniques used by both industries and to raise awareness for readers in
both the home and corporate environments. © 2012 Alcatel-Lucent.

Introduction
To figure out where we are going, we first have to take a look at where we have been. Every event in the history of computer security is important because it is a link in the chain that has led us to where we are today. Where would technology be today if Steve Jobs and Steve Wozniak didn’t create the Apple* computer? The Apple computer went through a series of permutations that eventually led to the iPhone* which revolutionized the smartphone industry.

Hacking as it is known today was born out of pure curiosity in the 1970s and 1980s. Computer enthusiasts wanted to learn about these mystical devices and see if they could be made more efficient. Before the personal computer made its first appearance, some of the most accessible computers were actually the telephone systems run by large telecommunication companies. The first hackers to make an impression on the world were actually called phreakers. These were brilliant individuals who, by interacting with the phone system, were able to derive how it worked, and manipulate it for their own benefit. In some cases they stumbled upon tools which could be used in ways that were unintended. One of the most notable phreakers was named “Captain Crunch” because he discovered that a toy (found in the Cap’n Crunch* breakfast cereal) emitted a 2600 Hz tone, which caused interaction with the AT&T long distance phone systems. In 1971 Captain Crunch and other fellow phreakers created a blue box which simulated a telephone operator’s console. It functioned by replicating the tones used to switch long-distance calls and using them to route the user’s own call, bypassing the normal switching mechanism. Phreaking was the most notable beginning of the hacking revolution.

Bell Labs Technical Journal 17(3), 5–16 (2012) © 2012 Alcatel-Lucent. • DOI: 10.1002/bltj.21555
Panel 1. Abbreviations, Acronyms, and Terms
APT—Advanced persistent threats
BBS—Bulletin board system
CCC—Chaos Computer Club
cDc—Cult of the Dead Cow
DES—Data Encryption Standard
IDS—Intrusion detection system
IP—Internet Protocol
IPS—Intrusion prevention system
IT—Information technology
LAN—Local area network
LANMAN—LAN manager
LOD—Legion of Doom
MD5—Message digest 5
MOD—Masters of Deception
OWASP—Open Web Application Security Project
PDF—Portable Document Format
SET—Social Engineering Toolkit
SHA1—Secure hash algorithm 1
SIEM—Security information and event management
SQL—Structured Query Language
TCP—Transmission Control Protocol
URL—Uniform resource locator
USB—Universal serial bus
XSS—Cross-site scripting

By the early 1980s the personal computer revolution was beginning to take hold. Computers started to pop up all around the world and so did hacker groups who tried to figure them out. The early 1980s brought the creation of the Chaos Computer Club (CCC) in Germany, Legion of Doom (LOD), Masters of Deception (MOD), and the Cult of the Dead Cow (cDc), to name a few of the most notable. These were groups of hackers who usually feuded with each other but also made intellectual contributions to the advancement of computer security. The 1980s through the 1990s was one of the most popular times for bulletin board systems (BBS). A BBS was a place for people who shared a common interest to collaborate, and a good portion of BBS were focused on computers. This was one of the first places that hackers could share and trade information. As their popularity grew, so did the diversity of topics. The usage of BBS systems played a role in making the Internet the entity we know it as today. In the late 1980s we saw the Morris Worm, which was one of the first major pieces of malware, and the first worm to affect networked computers.

In the mid 1990s, the BBS began to disappear and give way to the Internet. The latter half of the 1990s was much more interesting. Kevin Mitnick was arrested in 1995 on suspicion that he attacked numerous corporate and communications carriers located in California, Colorado, and North Carolina where he caused damage and stole proprietary information [7]. He was finally sentenced in 1999 and served five years in prison. Eight months were spent in solitary confinement after a judge was convinced that Mitnick could “start a nuclear war by whistling into a payphone.” [3] In 1999, the Cult of the Dead Cow released the controversial Back Orifice 2000 program as a remote administration tool, but many people claim it to be a rootkit with a backdoor.

From the year 2000 until the present time there was usually at least one major security incident, sometimes two a year. Early in the 2000s there were massive worms that plagued the Internet such as MS Blaster, Slammer, and Code Red. These worms exploited service side vulnerabilities mostly on servers, but also on workstations as well. Starting around the year 2007 there was a paradigm shift in how attacks were taking place. Attacks began to leverage client side exploitation. The attack would often occur by email or a malicious website. A user would unknowingly interact with the attack, creating an outbound connection, which would bypass network security controls such as firewalls. These attacks would also leverage elements of social engineering to entice the user to interact with the malicious elements. In some cases, the exploit that was run on the system via the client side exploit would add that



system into a botnet. Botnets are used to send spam, perpetrate click fraud, launch denial of service attacks, and other nefarious deeds.

With the technology boom at the turn of the century, the hacker community divided into two groups—the black hat hacker group and the white hat hacker group, with a gray fuzzy line that separated the two. The term black hat hacker has changed meaning in recent years so we will use the term evil hacker. The evil hacker group can be characterized as people, groups, criminal organizations, governments, and military with malicious intent. The white hat hacker group, who we will refer to as security professionals, is comprised of people, groups, organizations, and governments who are employed to protect their employers from the evil hackers. Both groups have been around for a while but were fairly small until this point in time. The distinction between the two groups is often characterized by security professionals practicing information security within the legal limits, and evil hackers having no regard for what laws they break or who is hurt by their actions. There is also a group known as gray hat hackers, which live in the gray fuzzy line between the two groups, who typically say they “bend” the law without breaking it. The three groups operate in the evil industry or the business industry and sometimes both. The business industry has grown out of necessity due to the increase of malicious hacking activity on the Internet. This paper will take a look at both industries to explore how they operate, however, readers are advised that any attacks discussed here are used only to illustrate information security theory. Do not attempt anything detailed in this paper as it could be breaking the law.

The Evil Industry

While the Internet has provided countless hours of entertainment and information, there are some deep dark corners of the Internet that are truly malicious. Some of the most common attacks seen today are web application attacks, denial of service, malware, advanced persistent threats (APT), and social engineering. Let’s briefly discuss them and the role that they play in the evil industry.

Web Application Attacks

Web application attacks, commonly exemplified by cross-site scripting (XSS) and SQL injection, are described below.

Cross-site scripting. With more and more web-based applications appearing on the Internet, there is an increased risk for vulnerabilities in the web application code. Cross-site scripting is a vulnerability in a web application that occurs when input is taken from a user and not properly sanitized before it is processed by the user’s browser and displayed back to the user. There are two types of XSS, persistent and reflected. Persistent XSS occurs when the malicious code provided by the attacker is saved on the server and run anytime someone visits the page. This is most often seen in forum settings where users can post data. The most common type of XSS is called reflected XSS. In a reflected XSS attack, none of the malicious data is actually stored on the server. It is merely processed by the server and rendered back to the user’s browser. Let’s say for example that while a user is shopping online, a website asks for a shipping address. Instead of putting in a legitimate address, this snippet of code is added instead:

    <script>alert("This Site has a reflected XSS Vulnerability!")</script>

If the programmer who designed the site did their job properly, then the web application should return an error saying that the user supplied an incorrect address format. If the programmer didn’t properly sanitize the user data, then the code will run and pop up an alert window with the message that was in the code above. XSS code can also be placed in the uniform resource locator (URL) of a browser, which can also make it harder to detect. Attackers can obfuscate the code by encoding it or using Unicode characters which makes it harder for humans to detect. URL shorteners such as TinyURL.com* and BIT.LY* make it very easy for an attacker to send a malicious link to a user. While the example above may seem innocent, the ability to run code without the user knowing can be very dangerous.

SQL injection. Structured Query Language (SQL) injection has been in the news frequently. Some of the most publicized hacking attacks in the last couple of years have used SQL injection. Sony, Heartland



Payment Systems, HBGary/HBGaryFederal, and RockYou were all compromised using SQL injection as part of their attack. SQL injection is a web application attack. It is commonly used because it is an attack against the web application architecture which includes the web application and the database server. Successful SQL injection attacks will often yield large amounts of sensitive data. SQL injection is also a result of poor coding of a web application. When programmers do not properly sanitize special characters received from user input, it can result in a security vulnerability. For example, a web application uses the following query to look up users:

    Valid Query: SELECT * FROM users WHERE user = 'test';

    Evil Injected Query: ' OR 1 = 1; --

The user supplies the username of ‘test’ to the web application. If an evil attacker were able to insert the malicious query above, it would disrupt the SQL syntax of the valid query and display the entire username table from the database. The malicious query is being injected into the valid query in between the two single quote marks where the word test is. In the injected SQL query, the first apostrophe closes the user input portion where ‘test’ is being passed to the database, causing the web application to send a blank query. The OR command is a valid SQL command that allows a second statement to be evaluated. 1 = 1 is a statement that will always be true, and the semicolon ends the query. The two dashes will comment out anything after the malicious query completes, effectively nullifying any code that follows. The complete statement that the web application provides to the database with the evil query injected actually looks like this:

    Query with SQL Injection: SELECT * FROM users WHERE user = '' OR 1 = 1; --

In plain English this says: Select everything from the user table in the database where the value of user is either blank or true. Since 1 = 1 will always be true, the database would return all records in the users table.

Denial of Service

Denial of service attacks are one of the most frequent attacks seen on the Internet. The goal of a denial of service attack is to deny legitimate users the ability to use a computing resource. Denial of service attacks are usually accomplished with the help of a botnet or a large number of coordinated computers. The computers will send as many requests as possible to a victim in an effort to overwhelm it and deny legitimate users the ability to use the resource. The victim could be made unavailable by excessive network traffic, exhausting available computer resources (memory, hard drive, or processor), or by lack of power. Possibly one of the biggest reasons why DoS attacks are seen so often on the Internet is due to the simplicity of the attack and its effectiveness. For an e-commerce website, not being online means a loss of sales, which directly affects the bottom line.

Malware

Virus used to be the word that summed up any nasty program that ended up on a computer. Recently that has given way to the term malware, short for any type of malicious software. Two of the most devastating types of malware are worms and rootkits. When a worm is propagating in the wild, it will infect a system and then search for others to infect without any interaction from a user. This means that once a worm starts infecting systems, it increases exponentially as the infected systems start infecting others. This creates a significant amount of chatter on the Internet while the worm is searching for vulnerable systems. During outbreaks of some of the more notable worms, the entire Internet was said to have slowed down. Once detected in the wild, Internet service providers can usually filter out some of the malicious traffic to ease the load. As worms have evolved, they have developed evasion methods such as encryption or polymorphic code that make them even more challenging to detect. Worms can be used to create botnets by having the payload of the worm install a bot program as part of its functionality. The Conficker worm is one of the best examples to illustrate this point. “The Conficker Working Group (CWG) estimates that more than seven million government, business and home computers in over 200 countries are still infected by Conficker and potentially under its control.” [2]

Rootkits are also incredibly notorious because they are very difficult to detect. If detected they are even harder to remove without completely rebuilding



a machine. Once installed, rootkits intercept calls to the kernel, which then provides the ability to hide files, processes, and network connections. When issuing a command to list running processes on an infected machine, the rootkit would modify the results of the command to not display any process associated with the rootkit. Because rootkits have such an intimate relationship with the kernel on an infected machine, the only way to be sure to remove them is to wipe the hard drive, reinstall the operating system, install patches, and then start moving forward with configuration of the machine.

Advanced Persistent Threat

APT attacks have become an industry buzzword. While the definition of an APT attack varies from person to person, almost every attack shares one common feature. The attack exploits an undisclosed vulnerability, which allows the attack to go undetected. Undisclosed vulnerabilities, also known as “zero days,” have become another industry buzzword as well. These zero day vulnerabilities go undetected because signature-based detection methods such as antivirus and intrusion detection systems have no signature to identify the attack. Software vendors can only create patches for vulnerabilities once they have been discovered. The same holds true for antivirus companies because they have to analyze how a malicious piece of software works before they can create a signature to detect it. APT attacks have also been known to use encryption and rootkits to hide processes, network traffic, and data exfiltration while avoiding detection.

Social Engineering

Social engineering attacks incorporate multiple attack vectors and also deal with the psychology of the human mind. Social engineering is often used on social networking websites to get victims to click on malicious links. Using a compromised account, an evil hacker could send out a message to the friends of the original account holder saying “look at this video of you!” Social engineering is also used with most phishing schemes telling users that they have to verify their account information or else their account will be closed. Social engineering is not just limited to electronic messages. Attackers can also call a victim over the phone to try and glean sensitive information. Some have even pretended to be maintenance personnel to gain access to a computer room or phone closet. The attack uses a consequence to get the user to do something. An evil attacker can use different techniques to appeal to a person’s ego or imply that they are an authority figure of some sort. These attacks are incredibly efficient when used properly.

What Drives the Evil Industry?

Motives for malicious activity on the Internet are usually driven by reputation, political, or monetary gain. In the early days of hacking, the hacker’s driving motive was reputation and pride, usually to prove that they were better than someone else. While that is still around to some extent, today the major motives for hacking are monetary, political, or revenge. Hacktivism is the use of computers and computer networks as a means of protest to promote political ends. Hacktivism has recently come to light due to the groups “Anonymous” and “Lulzsec.” Hacktivist groups tend to target governments and businesses that they feel have wronged someone in some way. They participate in Internet vigilante justice. Tracking them down proves to be a very difficult task because they are often geographically dispersed, meaning that all levels of law enforcement have to work together on an international level to track them down.

Cyber warfare can be defined as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption [1].” The Stuxnet computer worm was one of the most eye opening cases of what might be classified as cyber warfare or APT. While the authors of the worm are still in question, the target was definitely the Iranian nuclear program. The worm sabotaged centrifuges used to enrich uranium, causing them to behave erratically. It was not only a worm but also contained a rootkit to hide its presence on systems that it had infected. Stuxnet was the first threat of its kind which brought to light just how devastating an advanced focused attack can be. While cyber war seems to be on the near distant horizon, hacking for money seems to be the most common reason that the industry is around today. Botnet



herders will sell the services of their botnets to send spam email messages or denial of service attacks against a specific website for a specified amount of time. Identity thieves will use stolen credit card data from hackers to create fake credit cards and launder money. Organized crime has taken up residence in this space as well [5]. As the number of attacks from evil hackers has increased, so does the response from organizations that are being attacked. For help, they turn to a group of people who have some of the same technical skills, just a different ethical mindset.

The Business Industry

The other side of the coin reveals a group of professionals who practice information security within the business world. Some companies have their own staff, and some outsource IT security to managed security service providers. Entire companies have emerged which do nothing but provide information security related services and products. Information security professionals face an ongoing challenge in that laws designed to combat computer crime continually lag behind the rapidly evolving tools and techniques used to perpetrate it. Tracing attackers back to their actual locations can span multiple countries, which can significantly increase the time it takes to locate an attacker. Some countries that attackers might be bouncing their attacks through may have few if any computer crime laws (such as Nigeria), or might be feuding with each other. Imagine how difficult it would be to track an attacker that bounced from any location to a machine in Iran, then to South Korea and North Korea to hit a target in the United States. It takes major cooperation from all countries involved to track down these types of attacks, and that can often lead to major delays.

Any organization can be compromised; it is just a question of when it will happen. All it takes for an attacker to gain access to potentially sensitive data is one exploitable vulnerability in an organization’s infrastructure. Information security professionals are employed to try to mitigate vulnerabilities in the hope of keeping their organization from being compromised. Information security professionals use a different variety of tools and techniques to secure their organizations. Techniques such as risk management, penetration testing, and incident response are used to assess the risks that an organization is facing, and respond appropriately if a compromise does occur. Firewalls, intrusion detection systems, and logs are used to monitor activity within the organization. This section will discuss how information security professionals operate with their tools and techniques in the business world.

Risk Management

Risk management is a technique that is used to assess the impact of risk to an organization. It formulates a number to indicate how significant a particular risk would be to the organization. Risk can be defined as anything that would adversely affect the organization. This number is then reviewed by a risk management committee made up of security professionals, management, and other key players within the organization, which decides on a course of action. It can choose to accept the risk and deal with the consequences, or to mitigate the risk with some form of compensating control. Regulatory compliance audits, vulnerability assessments, and penetration testing are methods that are used to discover and document risks for an organization. These methods are also used to verify that the controls put in place to manage risk are functioning properly. Based on the type of business and its organizational structure, some organizations may be required to perform all three.

Penetration Testing

Penetration testing is one of the most aggressive methods for uncovering risk for an organization. Organizations often hire a third party penetration testing company to test the strength of their security implementation, but this can also be done by in-house staff. Hiring a third party for the test provides a better chance for unbiased results and is often required by some compliance standards. By performing the tests in-house, tests can be performed more often, which can allow the company to mitigate vulnerabilities as they arise. Organizations will often employ both testing groups to ensure completeness. The job of the penetration tester is to legally try to hack into the networks and computers of the organization within the scope of the test. An amazing resource on penetration testing is the Penetration Testing Execution Standard, put together



by some of the most brilliant minds running these types of tests on a daily basis. It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing [6].

Penetration testing (as most people would define it) goes beyond the scope of vulnerability assessments and compliance audits. In audits and vulnerability assessments, vulnerabilities and risks are discovered and reported back to the organization. A penetration test takes discovery one step further as the vulnerabilities uncovered are not only reported but actually exploited, resulting in the penetration tester getting access to systems or sensitive data. This verifies that the vulnerability actually exists and is not a false positive. Penetration tests can be set up in multiple different scenarios. They are often set up to mimic an attacker trying to compromise the organization from the Internet. This is referred to as black box testing because the penetration tester has no inside knowledge of the organization. Another common scenario is called white box testing. This is a scenario in which the penetration tester acts as a rogue employee on the inside of the organization with knowledge of its applications, systems, and networks. The last of the common types of penetration testing is the physical penetration test. This test examines the physical controls such as building security systems, cameras, locks, and security guards used by the organization to secure its place of business. All three variations of the penetration test have the same goal: find vulnerabilities before someone with malicious intent does.

All of the tests listed above can be performed in an announced or an unannounced format. An announced format avoids the prospect of employees raising a false alarm that the company is being hacked. It also has a downside in that administrators tend to patch everything and tighten up the firewalls right before the test, which skews the results. Unannounced tests produce results as if there was an actual attack occurring. This means that the business is operating as it normally would, and it prevents administrators from hardening systems and networks right before a test. Sometimes a hybrid approach is used, where a penetration test will occur at some point within a given thirty-day window. While this still gives administrators time to harden systems, they still don’t know exactly when they are going to be hit.

Penetration tests can provide companies with valuable information on how an attacker might compromise their organization. But sometimes the tests can prove absolutely meaningless. If too many limitations are placed on the penetration testing team, it can hinder their ability to perform a thorough test. There are often two primary reasons for this. One is that the organization wants to pass the penetration test and not admit that their security implementation can be compromised. The second reason is that if there are no limitations, penetration testers could use tools and techniques which could disrupt the organization’s ability to conduct business. For example, staging an actual denial of service attack would shut down the company website and cost the business money. For this reason, testers are often restricted in how they are allowed to operate. Since evil hackers clearly are not limited in how they can attack, running penetration tests under these conditions may in fact only produce the illusion of security.

Incident Response

As part of a penetration test, organizations will also often test their incident response procedures. Incident response refers to how an organization handles a possible compromise. An incident can be classified as an adverse event on a computer system or network with the intent to do harm. Large organizations typically put together incident response teams and policies to be ready at a moment’s notice to respond to a potential incident. Teams should be assembled with members from all critical areas of an organization. Involving all critical aspects of the business ensures that vital processes and operations are accounted for. Smaller companies may contract this out to a third party because their budget may not allow them to keep adequate resources on staff. The overall purpose is to determine the cause and the scope of the attack, ensure that the attacker has been contained, and prevent future attacks. Preservation of evidence is also important in case the authorities need to become involved. When organizations hire penetration testing teams, unannounced penetration tests offer the ability to test the thoroughness of the



policies and procedures of the incident response team as well.

Firewalls

Everyone knows the term firewall. For Internet users, it is what protects them from everything. For information technology (IT) professionals, it is what they may have nightmares about. Firewalls have evolved over the years from first-generation packet filtering, to second-generation stateful firewalls, to third-generation application layer firewalls. In their most basic form, firewalls provide a barrier at critical network boundaries that enforces what traffic is allowed to enter the network and what traffic is allowed to exit. In basic firewalls, traffic is permitted or denied based on the Internet Protocol (IP) address. Stateful firewalls utilize the connection-based features of Transmission Control Protocol (TCP). If an internal machine makes an outbound request, an entry is made in the state table of the firewall. When the response comes back, the firewall sees that the return traffic is part of an ongoing connection and allows the traffic to pass. If the internal machine had not made the initial request and the firewall received unsolicited traffic from an external location, the firewall would look at the state table and deny the traffic because there was not an existing connection. More advanced firewalls also have an intrusion detection component that inspects the traffic and looks for malicious payloads.

Intrusion Detection Systems

Intrusion detection systems (IDS) are used in conjunction with firewalls to administer and monitor the traffic in a network as well as to monitor critical systems. There are two varieties of IDS, network-based and host-based. Network IDS are usually deployed so that all the network traffic is either going through the IDS device or the IDS is being sent a copy of all of the traffic to inspect. The network IDS inspects the traffic and looks for patterns related to attacks. The IDS simply detects interesting traffic and creates alarms for further investigation. An intrusion prevention system (IPS) is a more advanced version of an IDS that can actually block or drop traffic that appears malicious. One problem with an IPS is the tendency for false positives, which can result in legitimate traffic being blocked or dropped. Host IDSs are typically deployed on critical systems. A host IDS performs file integrity monitoring by creating cryptographic checksums (typically MD5 or SHA1) of important files on the system such as the /etc/passwd or /etc/shadow files. If the file is modified, such as by someone adding an account, the checksum of the file would change and create an alarm to be investigated.

Logs

The importance of log files is often overlooked because of their sheer volume. Strong logging processes are vital to knowing what is going on in the computing environment of an organization. Logs can be fed into security information and event management (SIEM) software, which can then perform correlation analysis on the logs. SIEM software helps analysts dig through hundreds of thousands of logs in almost real time, assisting the organization in its incident response effort. Centralized logging helps ensure log integrity. When logs are stored in a different location it makes life more difficult for an evil attacker who is trying to cover his tracks. Some organizations even use “write once, read many” logging systems, which write the logs to a central system and allow reading of the logs, but nothing can be modified.

Information security professionals make use of these tools to protect the networks of the organizations that they work for. But these are very complex tools that require a very high level of technical skill to implement. What can the average person do to protect themselves?

General Awareness

Some people are still in the mindset of the 1990s where Hollywood portrays the average hacker as a teenager in front of a giant television with a Nintendo* Power Glove*. With recent events of hacktivism and talk of cyber war, the public has started to become more aware of the critical role that information security plays in daily life. One of the most important things that everyone needs to be aware of is that there are bad things out on the Internet. Things that sound too good to be true will almost always mean trouble. Paranoia will keep you safe! That being

12 Bell Labs Technical Journal DOI: 10.1002/bltj


said, there are things that everyone should do both at work and at home to keep themselves safe.

Patch! Patch! Patch!
Keeping software up to date is one of the most powerful ways to keep attackers out of places that they don’t belong. Operating system vulnerabilities used to be the primary way that attackers would get into systems. The focus of these attacks has shifted to third party software because the number of vulnerabilities in operating systems has dwindled. One of the main culprits is the Adobe* suite of products (Reader* and Flash*). Adobe has been targeted for a couple of reasons. First is the large scale deployment of their software, which means that writing an exploit for Adobe would net an attacker a larger number of vulnerable systems. The second reason that Adobe has been targeted is the long period of time between discovery of the vulnerability and the time that a patch is released. The attackers get to use the exploit that they craft for Adobe products for a much longer time period than if they were to write an exploit for Windows*, which is often patched within a month.

Know What Normal Is
By knowing what normal operation of a computer looks like, users should then be able to determine when something is out of the ordinary. Create a baseline of what the computer does during normal operation. Document items such as: services, installed programs, disk and memory usage statistics, open ports, sample network traffic, and usernames. This will provide a baseline of how the system should be operating normally. Any deviation from that could indicate a potential issue and warrant investigation.

Passwords and Passphrases
Passwords are often a misunderstood and misused tool when it comes to safeguarding information in both the business and personal world. Having a strong understanding of how to use passwords effectively will benefit users in both places. There is a lot of complexity behind how passwords work, so here are some of the things to know. When it comes to passwords, longer is better. Information security professionals have been preaching about password complexity for years, but computers are much more powerful than they were years ago. Short complex passwords such as “#4h)(^T!” would be cracked much faster than a longer, less complex password such as “Samsung%Crayola9Fossil”, and the second one is much easier to remember and also easier to type. Change passwords often and don’t re-use them. A minimum of 15 characters in a password would be a safe recommendation on Microsoft Windows systems. If a password is 14 characters or less and stored on a Windows machine, it could be stored using the LAN Manager (LANMAN) hashing algorithm. LANMAN is an old Windows password hashing algorithm that is still around today for backwards compatibility reasons. When a Windows machine that is using LANMAN hashing stores a password, it splits the password into two seven-character passwords (padding the second password with blank space if needed), converts them both to all uppercase, and hashes them with one round of Data Encryption Standard (DES) encryption. This makes cracking Windows LANMAN passwords insanely easy because it isn’t cracking a 14-character password, it is cracking two seven-character passwords. The LANMAN algorithm only works on Windows passwords that are 14 characters or less. To completely avoid storing a LANMAN hash on Windows, simply use a password of 15 characters or more. This forces the Windows machine to store a Windows NT* hash, which is harder to crack.

Putting It All Together: A Detailed Example and Countermeasures
Figure 1 shows a fairly simple network architecture that might be used by small or medium organizations. It consists of an external website and email server sitting in the demilitarized zone facing the Internet. Behind the firewall is the database server that runs the website, the file server, and the user network segment. Let’s set a goal for our tester to gain access to the environment, obtain proprietary information, and maintain access inside the organization using some of the techniques that we have talked about so far.

In any attack, the tester is going to start by performing reconnaissance. Information could be obtained by searching the Internet, dumpster diving, using specialized reconnaissance tools, or even calling



[Figure 1: Internet; external firewall; demilitarized zone containing the web server and email server; file server and database server; internal end users.]
Figure 1. Example network architecture for small or medium organizations.

the organization and simply asking for it. It is trivial for the tester to call an organization pretending to be a sales representative for antivirus product X. The tester would ask if the organization is interested in product X. The response might be, “No, we already use product Y” or “We already use product X.” The tester might ask a couple of extra meaningless questions to keep from arousing suspicion and then thank the employee for their time. Now the tester knows which type of antivirus product the organization is using and can test any malware or attack tools to ensure that the attack goes unnoticed. Another trivial method is analyzing the metadata from the organization’s website. Maybe the organization has a PDF document with the specifications of a product or service that they sell. Taking that file and running a metadata tool on it can often reveal software version information such as the current patch level of an Adobe product. Each bit of information that can be obtained by the tester increases the chance of a successful attack. Through the recon process, the tester would be able to identify most, if not all, of the diagram in Figure 1. In this example there are two main vectors of attack, the web site and the end users. The website attack could be easy or difficult depending on how well all aspects of the web application have been coded with regard for security. Attacking the end users is almost always considerably easier.

Web Site Attack Vector
Websites are intended to be always available, which makes them a prime target for attack. Let’s assume that when the site was developed, user input was not being checked for special characters, which could make it vulnerable to attacks. There are numerous ways that a tester could use an organization’s website in an attack, but let’s focus on SQL injection. Using a SQL injection attack, a tester could potentially dump all of the data from the back end database using malicious queries, as we discussed earlier. The tester could also invoke a Windows XP* command shell if it is a Windows database. This would



give the tester shell access to the organization’s environment behind the external firewall. This satisfies the objective of obtaining data and gaining access, but not maintaining it. Using a client side exploit attack would provide a method for obtaining persistent access.

Client Side Exploit Attack Vector
In a client side attack, the tester would deliver a malicious link or file to employees. This could be achieved by email (corporate or third party), social networking sites like Twitter* or Facebook*, or even just leaving a few USB sticks in the parking lot. Incorporating social engineering tactics would also increase the likelihood that the links are clicked and the exploits are run. Using a tool like the Social Engineering Toolkit (SET) written by Dave Kennedy makes this attack very easy. The SET uses the Metasploit* framework and customizes the attack based on options chosen by the tester. Using Metasploit allows the exploit code to be encoded, which avoids detection. It also handles multiple sessions if more than one user runs the exploit. The exploit would provide a reverse connection to the tester by exploiting vulnerable software on the employee’s machine. Because the connection is being initiated from the internal trusted network, it is allowed outbound through any firewalls to connect back to the tester. At this point, the tester can attack the entire network as if he were sitting on the inside. The tester would probably try to obtain and crack any password hashes available, and then try using those accounts to move around the environment. Cracked passwords could possibly be used to log into the file server as well. This keeps the attack stealthy because it appears like normal user traffic. Setting up persistent access could be achieved with Metasploit by the command “run persistence” with the proper command flags from the command line of the meterpreter. Now let’s take a look at how these attacks could be prevented.

Countermeasures for the Attacks
Web application attacks primarily occur because of poorly written application code. Code should be rigorously tested as part of the software development lifecycle before it is deployed into production. Using concepts and tools created by the Open Web Application Security Project (OWASP) [4] can aid developers in secure code creation. Building security into the application from the beginning as part of the development lifecycle is how this needs to be addressed. Training software developers in how web application attacks work would also help alleviate this issue. Client side exploit attacks are increasingly being used as one of the main ways to attack organizations. Thwarting these attacks is not an easy task. While there is no silver bullet to protect against attacks, here are some things that would help ease the risk:
• Limit what users can surf to on the Internet, such as social networking sites and third party email.
• Remove any unnecessary software or services and make sure that the resources required for the organization to do business are promptly patched.
• Use strong unique passwords or passphrases, which could keep an attacker from drifting deeper into an organization’s infrastructure.
• Develop a baseline analysis of how systems operate. This can provide an early warning of a compromise and prevent it from growing.
• Monitor system logs. This may also provide early signs of an attack.
Lastly, users need to be informed. This is one of the most effective ways to prevent a compromise, but it is also one of the hardest to achieve. Since any user that works on a computer has the potential to inadvertently let an attacker in, every single user needs to be trained. It would be impossible to train every user in all aspects of information security, but they need to know the basics, what to watch out for, and who to get in touch with if something seems odd. It needs to be in a context that they can understand and that motivates them to learn it.

An Ounce of Prevention is Worth a Pound of Cure
The primary purpose of this paper was to demystify hacking and information security so that anyone reading the paper could use the information to better protect themselves personally and professionally. Technology in the business world drives these industries to evolve at an astounding rate as everyone and everything becomes more interconnected. Many topics discussed in this paper regarding defensive



measures may seem basic and trivial in nature, but they are some of the most important factors in securing any computer and are often overlooked. A patching policy that is strictly adhered to would have potentially prevented some of the most notorious worms, such as SQL Slammer, Blaster, and Conficker, from ever affecting a system. Using strong unique passwords will also limit exposure if one of them does get cracked. Things are bound to only become more complex as technology evolves even further. The computer user community needs to have a solid grasp on the basic fundamentals when it comes to information security so that as things become more complex, it is not the basic principles that cause security to fail.

*Trademarks
Adobe, Flash, and Reader are registered trademarks of Adobe Systems Incorporated.
Apple and iPhone are registered trademarks of Apple, Inc.
BIT.LY is a registered trademark of BITLY, Inc.
Cap’n Crunch is a registered trademark of the Quaker Oats Company.
Nintendo is a registered trademark of Nintendo of America, Inc.
Power Glove is a trademark of i-Star Entertainment, LLC.
TinyURL.com is a registered trademark of Kevin Gilbertson DBA Gilby Productions.
Windows, Windows NT, and Windows XP are registered trademarks of Microsoft Corporation.

References
[1] R. A. Clarke and R. K. Knake, Cyber War: The Next Threat to National Security and What to Do About It, HarperCollins, Ecco, New York, 2010.
[2] ComputerWeekly.com, “Cybersecurity Community ‘Learned Valuable Lessons from Conficker’,” Jan. 26, 2011, <http://www.computerweekly.com/news/1280094953/Cybersecurity-community-learned-valuable-lessons-from-conficker>.
[3] E. Mills, “Social Engineering 101: Mitnick and Other Hackers Show How It’s Done,” CNET News, July 20, 2008, <http://news.cnet.com/8301-1009_3-9995253-83.html>.
[4] Open Web Application Security Project (OWASP), <http://www.owasp.org>.
[5] B.-A. Parnell, “Cyber Crime Now Bigger Than the Drugs Trade,” The Register, Sept. 7, 2011, <http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking/>.
[6] Penetration Testing Execution Standard, <http://www.pentest-standard.org/index.php/FAQ>.
[7] United States, Department of Justice, “Fugitive Computer Hacker Arrested in North Carolina,” Press Release 95-089, Feb. 15, 1995, <http://www.justice.gov/opa/pr/Pre_96/February95/89.txt.html>.

Additional Resources
– Cable News Network, “Timeline: A 40-Year History of Hacking,” CNN Tech, Nov. 19, 2001, <http://articles.cnn.com/2001-11-19/tech/hack.history.idg_1_phone-phreaks-chaos-computer-club-emmanuel-goldstein?_s=PM:TECH>.
– C. S. Wright, “The Growth of Cyber Terror,” Infosec Island, Sept. 8, 2011, <https://www.infosecisland.com/blogview/16291-The-Growth-of-Cyber-Terror.html>.

(Manuscript approved April 2012)

MATT BOWLES is an information security specialist at Alcatel-Lucent in Highlands Ranch, Colorado. He is a part of the Security Operations Center within the Americas Customer Delivery organization, and has worked in information security for over eight years. The Security Operations Center is responsible for monitoring critical networks and systems for signs of attempted malicious use. Mr. Bowles currently holds a Certified Information Systems Security Professional (CISSP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC Penetration Tester (GPEN), GIAC Certified Incident Handler (GCIH), and Cisco Certified Network Associate (CCNA) security certifications. He frequently attends his local chapter OWASP meetings. He graduated from the University of Northern Colorado with a bachelor’s degree in business administration with an emphasis in computer information systems. ◆
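The LAN Manager scheme described under Passwords and Passphrases, worked through as an added example (Go code written for this edition, not code from the paper): the password is upper-cased, padded to 14 bytes, split into two 7-byte halves, and each half becomes a DES key that encrypts a fixed constant, so an attacker only ever faces two 7-character blocks. The constant "KGS!@#$%" and the zero-byte padding come from the published LM algorithm rather than from the paper; the function names and the SecondHalfEmpty audit check are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmMagic is the fixed plaintext LAN Manager DES-encrypts under each password half.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is the hash of an all-padding half: it appears as the second
// half of the LM hash whenever the password had 7 characters or fewer.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFromSeven spreads 7 password bytes (56 bits) over the 8-byte key
// layout DES expects; the low bit of each key byte is parity, ignored by DES.
func desKeyFromSeven(h []byte) []byte {
	k := make([]byte, 8)
	k[0] = h[0] >> 1
	k[1] = (h[0]&0x01)<<6 | h[1]>>2
	k[2] = (h[1]&0x03)<<5 | h[2]>>3
	k[3] = (h[2]&0x07)<<4 | h[3]>>4
	k[4] = (h[3]&0x0F)<<3 | h[4]>>5
	k[5] = (h[4]&0x1F)<<2 | h[5]>>6
	k[6] = (h[5]&0x3F)<<1 | h[6]>>7
	k[7] = h[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// LMHash returns the 32-hex-digit LAN Manager hash of password and true.
// A password of 15 or more characters cannot be represented, so it returns
// "" and false; Windows then stores only the NT hash, as the paper notes.
func LMHash(password string) (string, bool) {
	if len(password) > 14 {
		return "", false
	}
	p := make([]byte, 14) // LM pads with zero bytes (the paper calls this blank space)
	copy(p, strings.ToUpper(password))
	out := make([]byte, 16)
	for i := 0; i < 2; i++ { // each 7-character half is hashed on its own
		block, _ := des.NewCipher(desKeyFromSeven(p[7*i : 7*i+7])) // key is always 8 bytes
		block.Encrypt(out[8*i:8*i+8], lmMagic)
	}
	return strings.ToUpper(hex.EncodeToString(out)), true
}

// SecondHalfEmpty is an audit check on a stored LM hash: true means the
// password was at most 7 characters, so only one DES block protects it.
func SecondHalfEmpty(lm string) bool {
	return len(lm) == 32 && strings.ToUpper(lm[16:]) == EmptyHalf
}
```

Feeding the paper's own samples through LMHash shows the point: "#4h)(^T!" yields two independently crackable halves, while "Samsung%Crayola9Fossil" produces no LM hash at all.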
