Computer Crime

What is Security? (Part I)
Meletis A. Belsis
Information Security Consultant, MPhil / MSc / BSc, CWNA/CWSP, C|EH, CCSA, Network+, ISO27001LA

Setting the Scene
• Security is one of the oldest problems that governments, commercial organizations and almost every person have to face.
• The need for security has existed since information became a valuable resource.
• The introduction of computer systems to business has escalated the security problem even more.
• Advances in networking, and especially in distributed systems, have made the need for security even greater.
• The Computer Security Institute report notes that in 2003 computer crime costs increased to more than 450 million dollars in the USA alone.

Profiling Adversaries

• Adversaries that target corporate systems are numerous.
• These can be generally classified in the following categories:
– Hackers
– Employees (both malicious and unintentional)
– Terrorist groups
– Governments
– Opposing industries


• So now we know that we need security.

BUT what is security anyway?
• Many people fail to understand the meaning of the word.
• Many corporations install antivirus software and/or a firewall and believe they are protected.

Are they?

Security through obscurity
• Consider some cases:
– An internal employee wants to take revenge on the company and so publishes private corporate information on the NET.
– An employee forgets his laptop in a café. This laptop contains all corporate private information.
– The terrorist attack on the twin towers (in the USA) resulted in many corporations closing.
HOW CAN A FIREWALL PROTECT FROM THE PREVIOUS? Why?

Security: easy to understand, difficult to implement
“In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process.” Bruce Schneier (Secrets and Lies, Wiley and Sons Inc.)

Security: easy to understand, difficult to implement
• Security contains a number of tools, processes and techniques.
• These in general cover three main requirements (the C-I-A perspective):
– Confidentiality
– Integrity
– Availability
• Depending on the security requirements a system has, one can concentrate on only one of the previous or on all of them.
• A new requirement enforced by the operation of e-markets is non-repudiation.

Security: easy to understand, difficult to implement
• Computer security is difficult to implement due to the following:
– The cost of implementing a security system should not exceed the value of the data to be secured.
– Security managers work under strict money and time schedules. Criminals do not have any time schedule and they do not need any specialised software.
– Industries pay huge amounts of money for industrial espionage.
– Computer prices have fallen dramatically and the number of hackers has multiplied.
– Hackers often cooperate with known criminals.
– Users feel that security is going to take their freedom away and so they often sabotage the security measures.
That is why total security is almost infeasible.

Attacking Corporate Systems: The Art of Hacking (Part II)

Information Gathering
• The first step to hacking is to gather as much information as possible about the target.
• This information is later used to draw a map of the corporate network.
• This map is used to define and design an attack methodology as well as to identify the needed attack tools.
• The extreme case of information gathering is called dumpster diving.

Information Gathering: Searching the Corporate Web Site
• Searching the corporate web site for information:
– Statements like “This site is best viewed with Internet Explorer” could uncover that the company uses Microsoft Web Server.
– Company News.
– Email Addresses. These are used to identify user names, i.e. username@thecompany.
– Office Locations: Companies with office locations in different countries would probably use a VPN to interconnect.

Information Gathering: Searching the Internet
• Searching the WEB can provide valuable information:
– Using the link directive, i.e. link:somecompany, provides information on the sites that link to the corporate web site.
– Searching the greater WEB using the company’s name.
• Searching public WHOIS databases: these provide information about the domain name of the company.
• Searching the ARIN Whois database: a database of all registered IP addresses.
• Searching technical forums using either the name of the administrator or the name of the company.

Information Gathering: Being Polite…
• When the initial search has finished, it is now time to ASK the network itself. Believe it or not, most networks are quite polite.
– DNS interrogation. It can be performed simply by using the nslookup program.
– Using the PING command (ICMP Echo). Can unveil hosts that are connected and are not protected by a firewall.
– Using the TraceRoute command we can identify the IP of the router that connects the corporate network to the Internet.

NeoTrace: Windows-based TraceRT

Information Gathering: Identify Running Services
• Having a map of the hosts that are accessible from the Internet, we must now identify the services that they offer and the operating system that is installed on each host.
• Special programs like nmap and SuperScan are used to interrogate each port on a host.
• Detecting services
– The scanner tries to open a connection to each port of the target host (by sending SYN messages).
– The open ports that respond show the services that are running.
• Detecting the OS
– The scanner sends specific erroneous messages to the ports. Different OSes respond with different messages.

SuperScan: Windows-based Port Scanner

Information Gathering: Scanning Undetected
• Many firewalls can detect these scanning attempts, so scanners use some alternate techniques:
– Slow scanning
– Distributed scanning
– Half-open connection
– Fragmented packets
– XMAS
– FIN
– FTP bounce
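From the defender's side, the simplest scan detector counts how many distinct ports one source touches within a time window, which is exactly what slow and distributed scanning try to stay under. This is an added example, not code from the slides; the log records, addresses and thresholds are constructed for the demo.

```python
"""Added example (not from the original slides): flag port scans in firewall
logs by counting distinct destination ports per source inside a sliding
time window. Addresses and timestamps below are constructed for the demo."""
from collections import defaultdict, deque

# Constructed firewall "drop" records: (epoch seconds, source ip, destination port)
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", 21), (1001, "198.51.100.7", 22), (1001, "198.51.100.7", 23),
    (1002, "198.51.100.7", 25), (1002, "198.51.100.7", 80), (1003, "198.51.100.7", 110),
    (1003, "198.51.100.7", 139), (1004, "198.51.100.7", 443), (1004, "198.51.100.7", 445),
    (1005, "198.51.100.7", 3389), (1005, "198.51.100.7", 8080),
    # a normal client retrying a single service
    (1000, "203.0.113.9", 443), (1002, "203.0.113.9", 443), (1004, "203.0.113.9", 443),
    # a slow scanner: one new port every ten minutes
] + [(1000 + 600 * i, "192.0.2.44", 20 + i) for i in range(12)]


def detect_scanners(events, window_sec=60, port_threshold=10):
    """Return {source: timestamp of first detection} for every source that
    probes at least port_threshold distinct ports within any window_sec span."""
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still inside the window
    flagged = {}
    for ts, src, port in sorted(events):
        queue = recent[src]
        queue.append((ts, port))
        while queue and ts - queue[0][0] > window_sec:
            queue.popleft()
        if src not in flagged and len({p for _, p in queue}) >= port_threshold:
            flagged[src] = ts
    return flagged
```

With the default one-minute window only the fast scanner is reported; widening window_sec to a couple of hours also catches the slow scanner, at the cost of more state per source.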

Password Cracking
• Adversaries use two methods to attack passwords:
– Dictionary: Use a dictionary of known words and try each word along with their combinations.
– Brute force: Try all key combinations in the password space.
• These attacks can be performed either locally or remotely.

L0phtCrack: Windows Password Cracking

VIRUSES
• Computer viruses are categorised in:
– Normal viruses
– Trojan Horses
– WORMS
• Today there are more than 2,500 viruses ready to be downloaded.
• A user can get infected by:
– Running a program
– Opening an email
– Visiting a web site (evil Trojan)
– Opening a .doc file
• Today virus creation and mutation centres can be freely downloaded from the Internet.
[Figure: “Infecting the start of a program” and “Infecting the end of a program”; labels: Start of Program, Initialization Code, Pointer to Virus Code, Program Code, Virus Code, Ending Code]

SubSeven: Visual Interface to Control an Infected PC

Denial of Service Attack (DoS)
• The idea behind these attacks is to make the target system unavailable to its authorised users.
• Typical attacks include, but are not limited to:
– Ping O’ Death (sending packets of size greater than 65,535)
– SYN Flooding Attack (starting many half-open connections)
– Smurf Attack (sending requests to a broadcast address with a spoofed IP address)
– Domain Name Server DoS (sending DNS queries to multiple DNS servers with a spoofed IP)

[Figure: SYN Flood Attack. The attacker opens many half-open connections to the server; the legitimate user cannot complete a legitimate connection]
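A SYN flood shows up on the server as a pile of half-open sockets on one listener, usually from many different (spoofed) remote addresses. This added example, not from the slides, parses a constructed netstat-style connection table and reports listeners whose SYN_RECV backlog exceeds a threshold.

```python
"""Added example (not from the original slides): spot a SYN flood from a
netstat/ss style connection table by counting half-open (SYN_RECV) sockets
per listening port. The table lines below are constructed for the demo."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

# Constructed snapshot: a few normal sessions plus many half-open sockets on :80
CONSTRUCTED_TABLE = [
    "tcp 0 0 10.0.0.5:22 10.0.0.9:50211 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 203.0.113.4:41022 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 203.0.113.4:41023 TIME_WAIT",
] + [f"tcp 0 0 10.0.0.5:80 198.51.{i}.{(i * 7) % 256}:{40000 + i} SYN_RECV"
     for i in range(1, 41)]


def parse_table(lines):
    """Turn netstat-style lines into (local ip, local port, remote ip, remote port, state)."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def syn_flood_report(lines, half_open_threshold=30):
    """Return {(local ip, port): (half-open count, distinct remote ips)} for
    listeners whose SYN_RECV backlog exceeds the threshold. A burst of half-open
    sockets spread over many distinct remote addresses is consistent with spoofed
    sources, which is why blocking by source IP alone does not stop the flood."""
    half_open = Counter()
    remotes = defaultdict(set)
    for lip, lport, rip, _, state in parse_table(lines):
        if state == "SYN_RECV":
            half_open[(lip, lport)] += 1
            remotes[(lip, lport)].add(rip)
    return {k: (n, len(remotes[k])) for k, n in half_open.items() if n > half_open_threshold}
```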

[Figure: Smurf Attack. The attacker’s laptop sends ICMP Echo requests to the broadcast addresses of Networks A, B and C; replies from every terminal in each network go to the target system]

[Figure: Domain Name System DoS. The attacker sends queries with a spoofed IP to DNS 1, DNS 2, DNS 3 and DNS 4; the results from the attacker’s queries are delivered to the target]

Distributed Denial of Service (DDoS)
• Hackers have used the distributed power the Internet offers.
• Tools now perform DoS attacks from multiple hosts at the same time.
• Examples are:
– Tribal Flood Network
– TFN2K
– Stacheldraht
[Figure: the attacker’s commands go to the client software, which commands several server software instances (zombies); the zombies send packets to the target host]

Sniffing
• Ethernet provides the ability to run a network card in promiscuous mode. This allows the card to read any packet travelling on the network.
• Sniffing software uses this to read all data transmitted on the local net.
• The first and most used sniffer is TCPDump.
• Sniffers can be programmed to steal information associated only with specific protocols or programs, i.e. read all information from HTTP packets only.
• Some sniffers can even be programmed to transmit sniffed passwords back to the attacker.

SnifferPro: A Windows-based Sniffer

System Flaws and Exploits
• Most systems today contain bugs. These come either from the system designers, the implementers or those who manage the system.
• Hackers can use these bugs to gain access to systems.
• Examples of such are:
– Default accounts
– Poor user accounts
– Allowing outside anonymous Telnet connections to the Web Server
– Allowing trusted connections
– Buffer overflows
– Allowing banners in services
– Allowing NetBIOS over TCP/IP when not needed
• The Internet has a vast amount of software that tests a given server for a number of such exploits.

Simpsons’: A CGI vulnerability scanner

Social Engineering
• One of the oldest and easiest forms of hacking.
<Hacker is calling the administrator> Hello, I am <<name of an employee>>. My user name is <<user name as seen on email address>>. I am new to the company but I forgot my system password <<be very unhappy>>, but my manager asked me to find him some files. If I tell him that I forgot my password I am afraid that he is going to fire me. Please help <<be persuasive>>.
<Administrator wants to help a fellow employee> Ok. Do not cry now. That is what we are here for. I am going to reset your password to newpassword. Just do not forget it again.
<Hacker thanks the polite employee> Oh, thank you so much. You are a lifesaver… I am going to buy the coffee when we meet.
(The scenario works even better if the hacker is a female and the administrator is a male.)

IP Spoofing
• Hackers usually change the IP address in their datagrams.
• This happens for two reasons:
– To avoid getting caught.
– To bypass security tools and systems that allow trusted connections.
• Software programs like A4 proxy allow hackers to use a number of anonymous servers before they attack. Thus their real IP is almost untraceable.
• Changing just the IP is called a blind attack, because the hacker never sees the response from the target.
• In order to see the response the hacker has a number of ways:
– Install a sniffer on the target network.
– Use source routing.
– Use ICMP redirect.
– If both hacker and target are located on the same network, use ARP spoofing.
– DNS cache poisoning.

A4 Proxy: Using multiple anonymous proxies to hide the IP address

The Next Step
• So now I am in, what am I doing next?
1. If you do not already have it, try to gain root access.
2. Find and clear log files.
3. Install a root kit to ensure that you will have access in the future.

Information Security Measures: Protecting Corporate Systems (Part III)

Is it possible?
• Total security is not feasible.
• Systems must be secured depending on their value.
• The first step is to understand the threats to your corporate systems. This can be done by a risk analysis process.
• Security measures are applied according to the threat level a system has.
• In this stage remember that security is a business requirement.

Creating a DMZ zone
• The first security measure is to seal the internal network from the outside world.
• This is performed by developing a network called a Demilitarized Zone (DMZ).
• The DMZ contains all the servers that must be accessible from the outside world.
• NOTE that we must always assume that servers in the DMZ are going to be hacked at some point.
[Figure: Internet – Firewall – DMZ (Web Server, SMTP Server) – Firewall – Internal Network (Clients)]

Firewalls
• Firewalls exist in two types:
– Packet filters: they operate at the protocol level. They use a firewalling policy to allow a packet to pass or to drop it.
– Proxy servers: they operate at the application level. They are always located between the user’s requests and the server’s responses, thus allowing us to enforce policies on which users can access the Internet and on which port.
• Packet filters are usually located on the router, while proxies are installed on computers.
• A network may use any number of the previous depending on its size and architecture.
• Known firewalls are Checkpoint’s Firewall-1, Cisco PIX and Microsoft’s ISA.
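To make the packet-filter idea concrete, here is an added example (not from the slides) of a first-match filter that encodes the two-firewall DMZ policy just described: the outside world may reach only the DMZ web and mail servers on their service ports, internal clients may reach the Internet only on web ports, and nothing else, including a compromised DMZ host, may reach the internal network. Address ranges and hosts are constructed.

```python
"""Added example (not from the original slides): a minimal first-match packet
filter encoding the DMZ policy from the slides (Internet -> DMZ services only,
internal -> Internet web only, default deny). All addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")       # constructed DMZ range
INTERNAL = ip_network("10.0.0.0/8")    # constructed internal range
ANY = ip_network("0.0.0.0/0")
WEB_SERVER = ip_network("192.0.2.10/32")
SMTP_SERVER = ip_network("192.0.2.25/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Each rule: (action, source net, destination net, protocol, allowed dst ports or None).
# Rules are evaluated top to bottom and the first match wins; unmatched packets are dropped.
RULES = [
    ("allow", ANY, WEB_SERVER, "tcp", {80, 443}),
    ("allow", ANY, SMTP_SERVER, "tcp", {25}),
    ("allow", INTERNAL, ANY, "tcp", {80, 443}),
    ("deny", ANY, INTERNAL, "any", None),  # nothing from outside (DMZ included) reaches the LAN
]


def filter_packet(pkt, rules=RULES):
    """Return the action of the first matching rule, or 'deny' when none matches."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for action, snet, dnet, proto, ports in rules:
        if (src in snet and dst in dnet and proto in ("any", pkt.proto)
                and (ports is None or pkt.dport in ports)):
            return action
    return "deny"
```

The last test case below is the slide's warning in action: a DMZ web server that has been taken over still cannot open connections into the internal network.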

Intrusion Detection Systems (IDS)
• Intrusion detection systems are used to detect attacks on the network and inform the administrator.
• IDS are organised into two categories:
– Signature based: they hold a database of known attacks and test packets against the data stored in the database.
– Anomaly based: they test the traffic for anomalies, i.e. why does the network have such heavy traffic at 2 in the morning?
• When the IDS detects an attack it informs the administrator in a number of ways: email, SMS, pager.
[Figure: IDS sensors placed in the DMZ (Internet – Router – Web Server, SMTP Server) and in the internal network (Clients), both reporting to a Security Management Console]
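The two IDS approaches side by side, as an added example that is not part of the original slides: a signature matcher over request lines, and an anomaly detector that learns a per-hour traffic baseline and flags the slide's "heavy traffic at 2 in the morning" case. The signature patterns, history and thresholds are constructed for the demo, not a real ruleset.

```python
"""Added example (not from the original slides): signature-based and
anomaly-based detection on constructed data. Patterns, history and
thresholds are illustrative, not a production IDS ruleset."""
import re
import statistics

# Constructed signature database: name -> pattern of a known-bad request.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "cgi-probe": re.compile(r"/cgi-bin/\S*\.(?:pl|sh)\b"),
    "sql-injection": re.compile(r"(?i)\bunion\s+select\b"),
}


def signature_matches(request_line):
    """Return the names of every signature the request line matches (empty if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]


def learn_baseline(history):
    """history: {hour: [volume per past day, ...]} -> {hour: (mean, stdev)}."""
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in history.items()}


def anomalous_hours(today, baseline, sigmas=3.0, min_ratio=2.0):
    """Flag hours whose volume is more than `sigmas` standard deviations above the
    per-hour mean AND at least `min_ratio` times the mean, so a quiet hour with a
    tiny standard deviation cannot raise an alarm on ordinary noise."""
    flagged = []
    for hour, volume in today.items():
        mean, sd = baseline[hour]
        if volume > mean + sigmas * sd and volume >= min_ratio * mean:
            flagged.append(hour)
    return flagged


# Constructed history (MB per hour over 7 days): quiet at 02:00, busy at 10:00.
HISTORY = {2: [40, 35, 50, 45, 38, 42, 44], 10: [900, 950, 880, 1020, 990, 910, 960]}
TODAY = {2: 1600, 10: 1010}  # constructed: a large burst at 02:00, a normal 10:00
```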

Honey Pots
• These are the sacrificial lambs of a network.
• Honey pots are software programs that, when installed on a computer, can simulate a number of systems, i.e.:
– Windows NT Server
– Unix Server
– Apache Server
– Microsoft Exchange Server
• These simulated systems look unprotected from the outside world (i.e. open ports, default accounts, known exploits).
• Hackers scanning for victims detect the simulated systems and try to hack them. The honey pots allow hackers to enter but record all their moves and inform the administrator.
• Honey pots can be installed either in the DMZ or in the local network.

Anti-sniffing
• The general idea is to make the sniffing host reply to a message that it should not be able to listen to.
– For example, creating a packet with a fake MAC address but with the IP address of the suspected sniffing host. If the host acknowledges the packet then it is in promiscuous mode.
• Another way is to transmit unencrypted login details for a fake (honey pot) server on the network. If someone tries to use this account then someone is sniffing the network.
• NOTE that using switches instead of hubs will make a sniffer’s life much more difficult.

L0pht AntiSniff: A Windows-based program to detect sniffers

Antivirus
• Antivirus programs are known to most users.
• Such programs can be applied either as:
– Standalone: each copy of the program is responsible for protecting the specific host on which it is installed.
– Network based: each copy of the program is responsible for protecting the specific host, but they are all managed by an Antivirus Server.
• Note that using an antivirus program without updating its virus database does not provide protection.

Security Awareness
• No matter what security tools are going to be used, if users do not know about security, hacks are going to be common.
• There are many ways to educate users on the issues of security:
– Use of seminars
– Use of posters
– Use of e-mail messages
– Enforce penalties

Security Awareness

Penetration Testing and Security Analyzers
• Security systems must be regularly tested for flaws.
• These flaws are usually created by bugs in the software programs, or by bad management (i.e. bad passwords).
• The process of testing a system is called penetration testing.
• The process uses a number of hacking/security programs that test a system for a number of known flaws and provide advice on fixing these flaws.

Microsoft Baseline Security Analyzer: Tests the system for known bugs

Additional Security Measures
• Encryption/Decryption
• Digital Signatures / PKI
• AAA
• Security Protocols
• Physical Security
– The Jaguar paradigm
– The polite employees paradigm
• Security Policy

Thank You.
