Introduction

On the morning of January 26, 1876, seven men from New York City pulled off what would be, up to that time, the biggest bank robbery in United States history. The gang, who code-named themselves "Rufus," made off with more than $1.6 million in cash and bonds. The robbery was very well planned and several simple techniques were used to rob the bank. Initially, they monitored the bank and its surrounding area for activity and weaknesses. Next, they gathered inside information and secured the help of a safe salesman. Finally, they tunneled into the bank from the building next door. Because they knew everything about the bank, its layout, and its operation, "Rufus" was able to walk away with the $1.6 million. Unfortunately, neither the bank nor the sheriff and his men knew the first thing about "Rufus" until it was too late. Had either of them known what their assailants were up to and how they planned to do it, the $1.6 million might have stayed right where it was.

In September of the same year, a bit west of New York, several men rode their horses into the town of Northfield, Minnesota. Among these men were Frank James and his infamous brother Jesse. Jesse James and his boys had surely come to rob the Northfield bank. However, many of the towns-people, some of them former Civil War soldiers, recognized the look of a "bank robbery" the moment these strangers rode into town. With guns ablaze, the citizens of Northfield took to the street with the intent of one thing: Protect the money in their bank! Jesse James and the Jameses' gang fled Northfield under heavy gunfire without a red cent, leaving two of their own for dead. The notorious James brothers and their robbery scheme had been thwarted.

Things haven't changed much since the days of the Wild West. There are still the good guys and there are still the bad guys; there are still banks and there are still gangs that want to steal from them. But today the men in the black hats can rob the banks without leaving the comfort of their own living rooms. Instead of walking into a bank or any business, the outlaw will just hook on the public Internet, launch a few programs, and then take what they want. The question that needs to be addressed is the outcome: Will the Internet outlaws of today be successful, like the robbery in New York? Or will they fail, due to good planning and watchful monitoring?

Modern-day bank robbers don't rob banks. They rob corporations and companies, and they do so without ever walking into a building or stepping through a door. The Internet enables you to do anything while sitting on your couch, even rob a bank. The modern-day bandits in the black hats sitting on their couches are known as hackers, crackers, phreaks, smurfs, etc.

Today we are going to rob a bank, or in other words, hack into a Lan-based computer site. We ride our horses into town, go into the saloon and we get a drink (I like Dr Pepper). Now we hatch our plan. Do we attack like a hacker (not a lumberjack), or a cracker (not a saltine), or a phreak (not the weird guy at the end of your street), or even smurf (not the little cute blue ones) our way in? Here are a few definitions to help you out:

Hacker: Hackers like to look for internal and external system holes, bugs, and poor system configurations in someone else's system. They may know several programming languages and work extensively with UNIX and NT and they usually have a firm understanding of TCP/IP protocols. In some hacker circles, it is considered unethical to change data aside from the logs that are needed to clean their tracks. Like in our bank robbing scenario, the hacker would try to find an easy way into the bank.

Cracker: These guys break into systems by guessing or "cracking" user and system passwords. The media has a tendency to mistake a hacker for a cracker. A cracker is often not as well educated in the art of breaking into a system as the hacker. If asked about the difference between the two, a hacker might say, "Hackers build things, crackers break them." The cracker would try to open the safe into the bank by guessing the combination.

Phreak: Literally, a phreak is a "phone hacker." However, a phreak can be anyone who messes around with phones or phone lines. The closest comparison to this in the Old West is using the telegraph lines to stop and/or modify a message.

Smurf: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function noted below, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multiaccess broadcast network, there could potentially be hundreds of machines to reply to each packet. The "smurf" attack's cousin is called "fraggle," which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple rewrite of "smurf." There is really no comparison between a smurf attack and an Old West bank robbery.

Now that we are familiar with these definitions, we can simplify all four of them into one broad definition that serves the purpose of this book quite well: "Some dork who keeps screwing up my web site and making it difficult for me to do business." Why do they do it? Lots of reasons: Some are disgruntled ex-employees looking for vengeance; some may be on a crusade against a company with whom they have a moral disagreement; others just like to "push the red button" and see what happens. These events or incidents can cost your system critical time and potential losses of revenue.

Time for the big question: What can these guys do? Most hackers exploit holes in the security of computer operating systems. Most operating system vendors will publish where these weaknesses are and how to fix them. The fixes are typically referred to by terms such as patches, hot-fixes, and maintenance releases. Just because these fixes exist doesn't mean problems can't surface if administrators are too lazy or busy to keep up with security updates. These holes are what allow hackers to get into systems and access protected data, change content on web pages, and even bring the systems altogether. There have been instances when a hacker has exploited poor programming on a web site and has managed to order an item that costs $100 for $1.

This is what they are capable of and why we recommend the Computer Crime and Security Survey, a document released every year by CSI/FBI.^[1] It contains the results of many surveys that can really open your eyes to the amount of damage a hacker can do. These are the statistics covered:

1. Unauthorized use of computer systems in the last twelve months

2. Number of incidents from the inside

3. Number of incidents from the outside

4. Location of attacks internal systems, remote dial-in, Internet, and so forth

5. Type of attacks denial-of-service, sabotage, virus, and so forth

6. Financial loss

7. Financial loss by type

8. Much more

Take the time to browse through this and order it for yourself. You'll find it extremely useful when you start your risk analysis.

Now, let's have a look into the methods these hackers, crackers, phreaks, and smurfs can use:

Denial-of-Service (DoS) Attacks: This is an indirect attack to the site. The hackers are not trying to get into the site itself, however, they are trying to keep everyone else from getting in. One of the most famous attacks of this type was the "IP Ping of Death" documented as early as January 1998. The "Ping of Death" relied on flaws in the implementation of TCP/IP. Although this method of attack does not threaten the security of systems that are being attacked, it can be used as a lead into more direct attacks on the accounts or data stored on a system. Some older firewall software, for example, can be tricked into letting in unauthorized traffic by overloading legitimate TCP/IP ports.

Distributed Denial-of-Service (DDoS) Attacks: This is an attack directed by several hackers from several locations, thus making it harder to detect and stop. A DDoS is like someone in the Old West today broadcasting, "The bank has free money!" when, in reality, the bank does not. This type of saturation attack would cause so many people to show up at the bank that no one would be able to even enter the doors, including real customers. Hackers can inundate the largest ISPs and consume all of their bandwidth by simply using several smaller network connections.

Trinoo: Trinoo first appeared about the year 2000 in the form of a Trojan Horse program (one with malicious or harmful code in a harmless looking program). All you need to do to activate it is execute the program, usually without even knowing you've done it. It copies an executable to the window\System directory and then will install itself, once executed, in such a way that it will be active all the time. If the Trinoo Trojan Horse program is activated while the user is connected to the Internet, anyone who has the Trinoo Trojan Horse client program can sneak into the user's computer and poke around without the user ever knowing of the invader's existence. As you can guess, this can be a serious problem.

Footprinting: This process involves the hacker obtaining information about your computing environment. They can do this in a number of ways: Internet names and registration sources, business sources and private information. Once the hacker obtains this information, you can be attacked. This information typically includes IP addresses, domain names, SMPT server names and more. Footprinting is essentially what "Rufus" did before they carried out their robbery. They were "casing the joint."

Network Scanning Tools: There are many tools you can use to "scan" a system or web page. They can be downloaded by most anyone and used with little more modification. They will scan, or search, a network or web page for holes and other vulnerabilities, essentially looking for ways into your system. Many Internet scanners specifically seek out and locate files and printer shares whether they are protected by passwords or not. Hackers leave these scanning programs running day and night, collecting IP addresses, then mapping the shares onto their local drive letters to gain total access to others' computer files. The hackers can also use tools that allow "stealth" scanning. Nmap is one such tool. Nmap can precisely learn everything about the files in an attacked system, as opposed to what other scanning programs do, which is essentially groping around in the dark. Other well-known network scanning tools include Port Scanner, Sam Spade, Internet Maniac, and SATAN (Security Administrator's Tool for Analyzing Networks).

Operating System (OS) Attacks: These attacks exploit bugs in specific operating systems, such as Windows 98, Windows 2000, or MacOS. The tools are easy to find: Just check out a software vendor security page on the Web. In most cases, when these problems are identified, the software vendor promptly fixes them. As a first step, always make sure you have the very latest version of your operating system, including all bug fixes. Not everyone installs all of the required patches as the software vendors release them, so this is how these types of attacks can happen. OS attacks are known by various titles, namely Win Nuke or Windows OOB bug.

Remote Access: This is one of the oldest attacks and is also one of the easier ones to do, with the right tools. Many companies are not locking down "analog" lines to keep this attack from being so pervasive. There are two basic tools for conducting a remote access attack: a war dialer and a password hacking tool. The war dialer is a simple database and an automated modem script that dials every phone number in a group designated by the user. Mr. Hacker can then review the database and select a likely target for a hack attempt. The second tool, the password hacking tool, uses a dictionary attack to crack passwords. Requiring the use of passwords that cannot be found in a dictionary, or limiting the number of login attempts before the account is locked out, can thwart password hackers.

Virus Attacks: These are programs that have been put on a PC or workstation without authorization from the user. They are not always harmful but they can cause damage or cause computer systems to overload themselves and stop working. They are often transmitted via attachments on e-mail but can also be transmitted via CD, diskettes, and downloaded files from web sites. The source of the e-mail, downloaded file, or diskette is usually unaware there was a virus. Some viruses take effect as soon as their code is executed; others still lie dormant until certain conditions trigger their code to be executed by the host computer. Recent virus attacks include the media-hyped Love Bug, the Resume Virus, and the NewLove Virus.

Insider Attacks: Contrary to popular belief, hackers and crackers are only half the problem. Assailants from within the corporation or organization attacked can be just as dangerous, if not more so. It can be anything from a case of "Oops" or "What does this button do?" to an administrator exacting vengeance for being fired.

Banks don't get robbed as often as they used to because they made it unprofitable for criminals to rob them; the chances of getting caught are much higher these days than back in 1876. Unfortunately, companies and web sites represent all-too-easy targets when left unprotected, as many are. The purpose of this book is to help you make it unprofitable for hackers, crackers, smurfs, phreaks, insiders, outsiders, jerks, and all other associated idiots to steal or hinder your operations. You know who they are, and how they plan on getting in now. The rest of this book will teach you how to stop them through the creation of an effective and efficient security system.

You will learn to (1) identify what you need to protect; (2) target what you need protection from; (3) analyze the likelihood of threats and risk mitigation; and (4) review the processes for continuous improvements. Now, let's get started.

^[1]This document is available at http://www.gocsi.com/