Modern Targets

Though every system is fair game for hackers, there are some common targets that warrant special attention. An intelligent hacker will look for the least complicated way of breaking into an organization and he or she will attempt the method of entry that requires the least amount of time, materials, and effort on his/her part. Thus, there are several commonly used entry points that are usually the primary targets of hackers.

DNS Servers

Probably the most common entry points for hackers coming into an organization are DNS servers. Many DNS products have been plagued by hackers since the dawn of networking. It is a good idea to give special attention to DNS servers when considering an organization's security measures and policies.

How They Get In

To start, DNS servers provide a service that is used by just about every networked computer. Internal DNS servers are accessible to everyone on the internal network, while external DNS servers are accessible to everyone on the Internet. DNS servers often bridge requests to both the internal and external networks, and thus have some form of access to both. As a result, DNS servers are highly desirable targets for hackers wishing to compromise an organization.

Many DNS services have been plagued by numerous security holes, and as such, they have been doorways for hackers for many years. A UNIX-based DNS server running BIND is one of the most commonly found services on the Internet. Unfortunately, BIND implementations have had the worst history of security maladies; therefore, BIND has earned a dismal reputation within the security community.

What They Can Do

DNS hacks often compromise the DNS server itself, allowing the hacker to run executables at the DNS server's privilege level. This, of course, opens the possibility for the destruction of the services, and gets the hacker one step closer to the inside of the network. But the real beauty of hacking a DNS server is found when manipulating the function of a DNS server.

The DNS service is ultimately in charge of directing communications by resolving names like "www.somedomain.com" to an IP address like "10.3.2.1." If, for instance, a DNS administrator wanted to redirect everyone in the organization going to www.somedomain.com back to the organization's home page, it would be a simple entry to make. Now, imagine what a hacker could do with this type of access. The hacker could, for example, send everyone going to www.mybank.com to his or her own personal Web server at home. Imagine then that he or she has taken an hour or two to recreate the first page of the intended bank's Web server, just enough to ask for the user's account number and password. Anyone in the organization who goes to access that bank will see the normal-looking page, enter his or her login and password, and be greeted with a simple message saying, "This service is down for the next hour; please try again." Meanwhile, the hacker now has the end-user's login and password, and with them access to the bank account.
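The defender's counterpart to the scenario above is to periodically compare what the organization's resolver answers for critical hostnames against the addresses those names are known to legitimately use, and to raise an alarm when a public site suddenly resolves to an address inside the company LAN. The following is an added example, not code from the book; the hostnames, address blocks and the "observed" answers are constructed test data (RFC 5737 documentation ranges), and in a real deployment `OBSERVED` would be filled from scheduled queries against the internal DNS server.

```python
import ipaddress

# Constructed reference data: names the organization depends on and the
# address blocks their legitimate answers must fall into.
EXPECTED = {
    "www.mybank.com": ["203.0.113.0/24"],       # constructed, RFC 5737 TEST-NET-3
    "www.somedomain.com": ["198.51.100.0/24"],  # constructed, RFC 5737 TEST-NET-2
}

def classify_answer(name, answers, expected=EXPECTED):
    """Return a list of (address, verdict) pairs for one hostname's answers."""
    allowed = [ipaddress.ip_network(n) for n in expected.get(name, [])]
    results = []
    for a in answers:
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:
            results.append((a, "malformed"))
            continue
        if not allowed:
            results.append((a, "unknown-host"))
        elif any(addr in net for net in allowed):
            results.append((a, "ok"))
        elif addr.is_private:
            # A public bank site resolving to an RFC 1918 address is the
            # signature of a tampered entry in the internal zone.
            results.append((a, "redirected-internal"))
        else:
            results.append((a, "redirected-external"))
    return results

def audit(observed, expected=EXPECTED):
    """Return only the hostnames whose answers are not all 'ok'."""
    findings = {}
    for name, answers in observed.items():
        bad = [v for v in classify_answer(name, answers, expected) if v[1] != "ok"]
        if bad:
            findings[name] = bad
    for name in expected:               # expected names that got no answer at all
        if name not in observed:
            findings[name] = [(None, "no-answer")]
    return findings

# Constructed observation: the internal resolver hands out a LAN address
# for the bank, exactly the redirection described in the text.
OBSERVED = {
    "www.mybank.com": ["10.3.2.1"],
    "www.somedomain.com": ["198.51.100.7"],
}

if __name__ == "__main__":
    for host, problems in audit(OBSERVED).items():
        print(host, problems)
```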

Email Servers

Email is often at the heart of communications for modern organizations. Most email server applications incorporate hundreds of extra functions and compatibility options, and sadly, a good share of security flaws to go along with them. What could be more tempting for a hacker than the system that mediates the majority of communications within an organization?

How They Get In

Security holes are commonly found in email systems, oftentimes because of the high degree of functionality attempted by the vendor. In the mid-1990s, Sendmail was one of the most commonly used and extremely vulnerable mail systems. There was a time when, if you were running this lovely service on your UNIX system, you were effectively rolling out the red carpet for the most amateur of hackers.

I wish we could say that times have changed, but today, we are still finding incredible security flaws within the most popular email services. In the past few years, there has been a whole suite of propagating email hacks, primarily targeting Microsoft email servers and client products. Most cause costly outages of email services, some damage systems and corrupt data, and others allow remote access to system resources.

Similar to DNS servers, email servers are usually able to communicate with the outside and inside worlds simultaneously, thus creating a bridge between the two. However, an email server poses a far worse exposure than a DNS server: it must always be able to communicate bi-directionally, receiving messages from one side and passing them to the other. This makes email services likely targets for those wishing to further compromise a network.

What They Can Do

The most common attacks against an email server involve shutting the service down. By forcing an email server or client to create and deliver thousands of fake messages, the services quickly become overloaded and crash. Email systems are also notorious for propagating viruses and redirecting unsolicited spam.

A trend, started in 2000, has been to use automated mail distribution capabilities in combination with unprotected address books to forward malicious applications to millions of people around the world. This has made the email system the greatest propagator of worms and other malicious code to date.

Of course, after an email service has been compromised, there is also a likely chance that the hacker can use the email server to relay attacks to the internal network. Hackers know that an email service will have the ability to communicate with systems on both the outside and inside of a network. Thus, email servers are often used to further penetrate a network.

Web Servers

Web servers are common targets for hackers, which is no surprise since they are often the most visible elements in an organization's presence on the Internet. It is common for a Web server to be widely publicized and widely viewed by the general public. Hackers desiring to make a statement will often target unprotected Web servers to distribute their messages to the world, or to cause great social damage to an organization. In my experience, most organizations greatly underestimate the damage that can be done when a hacker penetrates even the most seemingly insignificant of Web servers.

How They Get In

The most common Web server vulnerabilities are those that succumb to DoS attacks. For a Web server to operate, it must perform numerous highly diverse functions, displaying graphics, rolling animation, playing sound, and querying information, while all the time keeping track of the state that every session is in. This makes the background architecture of the average Web server much more complicated than a DNS or email server.

The numerous functions that a Web server can perform rely on system calls to small modular applications. Such applications are often written by third parties, and each has its own potential vulnerabilities. Many of these applications come pre-installed with the server, and even when not used, can make a Web service vulnerable. As such, Web servers are notorious for being vulnerable. Just about any unpatched Web server running on a standard installation is vulnerable to some form of attack. In some cases, simply installing sample Web pages introduces vulnerabilities that allow for hackers to execute commands on a system.

What They Can Do

Most commonly, an attacker will simply shut down a service with a DoS attack. This is the simplest, least expensive, and most anonymous method of doing damage. Web servers run so many dynamic modules that finding a vulnerability that will slow or halt the server is usually not difficult.

If an attacker is able to take advantage of the various vulnerability types to execute code on the system, far more damage can be done. Hackers can potentially deface a Web site, often splashing their personal logos on the front page accompanied by various forms of profanity, pornography, or a message stating that the company has been "hacked."

It is easy to lose sight of how powerful Web servers are. The first page of a Web server is normally a representation of the organization itself, and the defacement of it can have a very serious and long-lasting effect on customers, partners, and shareholders. Beyond the negative press a company receives when its front page becomes a posterboard for hackers, imagine the damage when a hacker uses the server to deceive the organization's customers. For example, company stockholders have been sent running to their brokers when a Web site read: "Today we announce our organization's sale to the Acme Corporation of Japan." Many organizations have suffered long-term damage simply because a new system call was installed without applying the proper security patch.

Dial-up Modems

The long-standing bane of the security industry, dial-up modems are a continual headache when trying to ensure the safety of an organization. One of the biggest difficulties in dealing with modem security is that few people outside of security professionals are actually able to see the security threat they pose. Many long political wars have been waged over bloody battlefields while the use of these items has been negotiated.

The simple risk of a modem is that it creates a one-to-one bridge between two computers at any distance, bypassing security chokepoints. Properly controlled through a secured dial-up server, a modem provides no more of a risk than a common Internet connection. The problem is that anyone with an analog phone line can plug a PC or laptop into a jack and call, or answer calls from, anyone. Once a system on a network has a modem plugged in, all the systems are bridged to the rest of the world, bypassing all security measures.

How They Get In

Modems have two states in which they pose a significant security threat to the rest of an organization. Many organizations only work to secure inbound calls, but there is an equal threat from both inbound and outbound modem activity.

  • Outbound calls: The local Internet connection is down and Jane needs to transfer an email quickly. Rather than waiting for the authorized Internet communications line to be restored, Jane uses the America Online (AOL) account on her laptop to dial up and access her email. While online, Jane's computer is compromised (which happens all the time). Until Jane hangs up, her system can now be used as a bridge into the local network. An attacker could also put a back door or Trojan horse on her system, which may grant access after she hangs up and the normal connection is restored.

  • Inbound calls: Many modems are preconfigured to auto-answer calls for technical support, faxing, and remote access. Additionally, many modems are configured by installed applications to answer incoming calls. A common hacking technique is to use a tool called a war-dialer to search for unprotected systems with modems. A war-dialer is a device or application that automatically places calls to random or sequential phone numbers, searching for an active modem. Chances are that you have been called by a war-dialer several times in your life and never knew it. Basic dialers will simply hang up when a person or answering machine answers; other, more sophisticated ones will actually play a voice saying, "Sorry… wrong number," and then hang up. This is to avoid suspicion and getting caught.

    A war-dialer is an excellent method for bypassing security in an organization. An attacker simply learns the analog phone numbers registered to a company, waits until 2:00 a.m., and then begins calling every number in some random pattern. The next morning, the hacker is presented with a list of systems and, quite often, some basic information such as whether a login and password were solicited or what application answered the call.

What They Can Do

The capability provided to a hacker who has dialed directly into a device on a network varies greatly depending on how the receiving device is configured. Oftentimes, dial-up is enabled through PCAnywhere or some other form of remote control application, in which case the hacker would be able to take over a machine completely and use it to infiltrate the rest of the network. Sometimes, dial-up is enabled through remote authentication service (RAS) or some other form of network linking service, which will attach the hacker's computer as if he or she were on the network locally. In either case, the hacker has now bypassed all external defenses and has a nice, warm, comfortable home hidden deep within the network.


Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day