Introduction

The most insidious computer attacks that we know of are those discussed in this chapter. They exploit vulnerabilities that you have little or no control over and that are incredibly difficult to discover and fix. They are the security vulnerabilities built into commercial software applications such as Microsoft's Internet Information Server (IIS), Oracle's Database servers, and Sun's Java Web Server. You cannot find and fix those vulnerabilities yourself. Unlike your own homegrown Web applications, commercial applications are controlled by an outside vendor, and you usually have very little control over them.

The vulnerabilities baked into commercial applications can be easier to discover and exploit than those of custom-built applications. The reason is that attackers can readily obtain, decompile, and disassemble these programs to understand exactly what they do and how they do it. With this knowledge, the attacker can identify weaknesses quickly and easily.

Example

At 2:24 A.M., N3ur0n (the hacker-speak version of his real handle, Neuron) heard the noise from his computer but had just woken up and had a mouthful of breakfast. His peanut butter, honey, and M&M sandwich would fuel him for the next thirty-six hours (with a little help from the accompanying six Red Bulls).

Neuron's IRC buddy, Fl4r3 (hacker-speak for Flare), was desperately trying to reach him. The ringing overwhelmed the room, piercing the cinder-block walls of Neuron's bedroom (his Mom's basement) and reaching up into the kitchen. Neuron was a heavy sleeper (when he did sleep) and always turned up the volume on his computer when he napped.

Neuron couldn't move his feet fast enough as he recognized the distinctive chime and darted downstairs. He jumped onto his laptop and responded:

[ringing]
<fl4r3> you up????
[ringing]
<fl4r3> you there N???
<n3ur0n> yup! here eating bfast
<fl4r3> kewl, got a hot one...
<fl4r3> remote overflow on iis6
<n3ur0n> u got it workin?
<Fl4r3> yah right, u know i don't do m$oft
[Flare was a closet NT hacker, and considered n3ur0n his mentor...]
<fl4r3> you up to it?
<n3ur0n> sure, give me the scoop
[Flare sends over a file detailing his findings...]
<n3ur0n> got it...
<n3ur0n> give me a couple days...

What Flare had done was analyze Windows XP's IIS 6.0 Web server for vulnerabilities and find one. How did he do it? And how difficult would it be to exploit? In this chapter we detail the techniques hackers use every day to break products, find buffer overflow conditions in them, and write exploits to take advantage of them.

 



Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156
