ADVANCED HACKING




Today, as enterprise-wide networks reach the plant floor and zip data to the far side of the world in a twinkling, and as the number of computers, personal digital assistants, telephones, and pagers communicating with the network increases, there is a corresponding increase in the opportunities for a critical blunder that would allow an attacker to enter your system. The consequences could be ruinous. According to a recent survey by the Computer Security Institute, the cumulative loss of 297 companies that quantified their losses in 2001 reached $489 million, or about $1.7 million each. Roughly $262 million of that loss was theft of proprietary information—information your competitors want.

One of the best places for plant engineers to learn about network security alongside a peer in information technology (IT) (see sidebar, “Hack Yourself Before Somebody Else Does”) is the Computer Security Resource Center, a Web site (http://csrc.nist.gov/) established by the National Institute of Standards and Technology (NIST). There you’ll find primers that explain security issues and technologies, news about current problems and security initiatives, and downloadable copies of the standards that govern electronic communication with Uncle Sam.

start sidebar
Hack Yourself Before Somebody Else Does

How do you test your system to make sure it’s as safe as possible? Can you recommend software, hardware, or services that can identify security issues before they become problems? What kind of procedures do you have in place to make sure that the latest patches are applied to Web servers?

The best way to retain your network security is to do frequent security audits, including trying to gain access using easily available hacking tools. In addition, you should ensure that you only run the services you need and only open the ports needed by your network.

Your gateway to the Internet should be a system without any important company data or a hardware solution backed up by a firewall. You should also set up Windows Update notification for the server and have a back-up server ready when you need to run the update.

Also, you should always check security bulletins and consider joining “hacking” mailing groups to find out what’s happening on “the other side” of computer security. The main thing is to test the security yourself regularly; then you know what you need to fix.

end sidebar
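The sidebar’s advice to run only the services you need and to open only the ports your network requires is something you can check rather than take on faith. The script below is an added example, not code from the book or from the sidebar’s author. It assumes a Linux host where `ss -tlnp` lists listening TCP sockets (a constructed sample of that output is embedded so the script runs offline), and a hypothetical per-host allow-list mapping each permitted port to the process expected to own it. Anything listening on a non-loopback address that is not on the list, or a permitted port held by the wrong process, is reported.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1500,fd=21))
LISTEN  0       5       0.0.0.0:6000         0.0.0.0:*          users:(("Xorg",pid=2000,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*          users:(("python3",pid=2100,fd=3))
"""

# Hypothetical allow-list for this host: port -> process that is expected to own it.
ALLOWED_LISTENERS: Dict[int, str] = {22: "sshd", 80: "nginx", 443: "nginx"}


class Listener(NamedTuple):
    address: str
    port: int
    process: str


# "0.0.0.0:22" or "[::]:22" -> address and port; \S+ backtracks to the last colon.
LOCAL_RE = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)$")
# First process name inside users:(("name",pid=...,fd=...))
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def parse_ss_listeners(text: str) -> List[Listener]:
    """Extract (address, port, process) for every LISTEN line of `ss -tlnp` output."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        match = LOCAL_RE.match(fields[3])
        if not match:
            continue
        proc = PROC_RE.search(line)
        process = proc.group("name") if proc else "?"
        listeners.append(Listener(match.group("addr"), int(match.group("port")), process))
    return listeners


def is_loopback(address: str) -> bool:
    """True for sockets reachable only from the host itself."""
    return address.startswith("127.") or address in ("[::1]", "::1")


Finding = Tuple[str, int, str]  # (severity, port, message)


def audit_listeners(listeners: List[Listener], allowed: Dict[int, str]) -> List[Finding]:
    """Compare observed listeners with the allow-list and report deviations."""
    findings: List[Finding] = []
    for lst in listeners:
        expected = allowed.get(lst.port)
        if expected is None:
            if is_loopback(lst.address):
                findings.append(("info", lst.port, f"{lst.process} listens on loopback only"))
            else:
                findings.append(("alert", lst.port,
                                 f"unexpected service {lst.process} exposed on {lst.address}"))
        elif lst.process != expected:
            findings.append(("alert", lst.port,
                             f"port owned by {lst.process}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for severity, port, message in audit_listeners(
            parse_ss_listeners(SAMPLE_SS_OUTPUT), ALLOWED_LISTENERS):
        print(f"[{severity}] port {port}: {message}")
```

On a real host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -tlnp` run as root (unprivileged users cannot see other users’ process names). Loopback-only listeners are reported as informational rather than as alerts because they are not reachable from the network, but they still belong on the allow-list once you have decided they are needed.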

In addition, one of the most useful items at the site (http://csrc.nist.gov/publications/drafts.html) is the March 2001 draft of the “Self-Assessment Guide for Information Technology Systems,” a comprehensive questionnaire that assesses data security from every possible perspective, from cooling fans at the chip to physical security and labeling of back-up disks. Originally developed for the use of U.S. government IT personnel, the questions can teach plant engineers a lot about security and the problems confronting network managers:

  • Does building plumbing endanger the system?

  • Have you performed a consequence assessment that estimates the degree of harm or loss that could occur?

  • Do your emergency exit and reentry procedures ensure that only authorized personnel reenter after fire drills, and so on?

  • Do you sanitize media before re-use?

  • Do you share incident information and common vulnerabilities with interconnected systems?

  • Do you maintain a current list of authorized users and their access?

  • Do your security controls detect unauthorized access attempts?

Careful reading and consideration of the questions make it clear that the electronic ganglia tying together the extremities of the modern manufacturing plant are susceptible to attack across many fronts and that security is everyone’s business. More than ever, it’s vital that plant engineers work effectively with IT to identify potential breaches, shore them up, and train everybody to be security conscious.

Nor is it only NIST that’s getting into the act. The National Infrastructure Protection Center (http://www.nipc.gov/) was created by Congress to defend the nation’s computer networks by serving as the national focal point for gathering information on threats to critical infrastructures. It is the principal means of facilitating and coordinating the federal government’s response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts. The center issues updates about new viruses, Internet frauds, and disruption attempts almost daily. It is located in the FBI’s Washington headquarters and maintains its own investigative staff.

Cybersecurity isn’t an exclusively local matter, however: A complaint filed by the U.S. Attorney for the Southern District of New York provides an instructive example of the reach of today’s e-thieves. The complaint alleged that Oleg Zezov and Igor Yarimaka, residents of Kazakhstan, penetrated the computers of Bloomberg.com, in New York, and demanded $200,000 from the company to tell how they had done it. Bloomberg agreed to pay, but only following a face-to-face meeting in London. There, accompanied by undercover London police officers, Bloomberg met with Zezov and Yarimaka. They repeated their demands, and police arrested them the next day. The United States is now seeking their extradition.

The preceding incident is not an isolated case: computer intrusions have more than tripled in the last two years. Who are the people trying to get their hands on your data, and why? Can you fight back by hacking yourself before somebody else does? This part of the chapter continues the theme of advanced computer forensics by providing answers to these questions.

Are We a Hacker Nation?

Shadowy, computer-wise predators slip in undetected to steal data, deface Web sites, crash systems, or just look around. Why? Because in recent years hacking has become, if nothing else, a good career move. Yesterday’s hackers are today’s security gurus, with more corporations counting on them for protection.

One reason there are so many types of hackers these days is that hacking—at least as manifested in its simpler forms such as Web page defacement and denial-of-service attacks (which overwhelm a site with data to prevent users from accessing it)—has never been easier.

Tools of the Trade

The Internet is filled with Web sites that offer tips and tools for the neophyte hacker. Kids, criminals, and terrorists are some of the people who avail themselves of this information—so more and more intruders are knocking at port doors.

The barrier to entering the hacker world has become very low. If you have a political motivation against wheat farmers and you want to deface their Web page, you could just go on-line and learn how to do it.

Despite tighter Web security and stricter penalties for breaking into systems, hacking attacks have more than tripled in the past two years. The government’s Computer Emergency Response Team reported about 5,000 cases of corporate hacking in the United States in 1999, more than 17,000 cases in 2000, and over 28,000 in 2001.

And those are just recorded cases; to avoid negative publicity, most companies don’t report attacks. The statistics cover network break-ins (which can give a hacker access to data files), Web site vandalism, denial-of-service attacks, and data theft. The FBI estimates that businesses worldwide lost $2.6 trillion in 2001 due to security breaches perpetrated from within the business.

The risks are personal and professional: Hackers can steal passwords and bank account numbers from your home PC or grab trade secrets from your company network. Recently, criminal hackers broke into Microsoft’s corporate network and accessed source code for its software (see sidebar, “Future Threat: Advanced Malicious Code in Software”).

start sidebar
Future Threat: Advanced Malicious Code In Software

Malicious code embedded in software is not new; users have always run the risk of downloading a virus or a Trojan horse with shareware and games from the Net. The occasional intruder has even been found in shrink-wrapped products. But the recent hack into Microsoft’s source code raises worries that popular software may be the next target.

Although Microsoft indicates its code was not altered (the code was compared with previous back-ups), it’s possible that a criminal hacker could get into a software manufacturer’s code and insert a Trojan horse. So, unless software companies improve their security, you may find yourself the recipient of a gift horse in your next accounting package.

end sidebar

Hacking also poses risks for national security—sophisticated terrorists or hostile governments could conceivably crash satellite systems, wage economic warfare by interfering with financial transfers, or even disrupt air traffic control.

Good and Bad Hackers

Not all hackers have malicious intentions. Some hackers work for companies to secure their systems, and some contribute to security by notifying software vendors when they spot a vulnerability.

Breaking things is easy. Building a solution is difficult, but arguably more fulfilling.

But for every hacker who swaps his black hat for a white one, dozens of others continue to keep governments and companies on their toes. Recently, hackers protesting free trade broke into the World Economic Forum’s system and stole credit-card numbers for at least 1,500 government and business leaders—including, reportedly, Bill Gates and Bill Clinton.

Hacking will get worse. Bad software is being written faster than vulnerabilities are exposed. The trend is toward more features in applications, and the more features you have, the less security you get.

Face it: Hackers are not going to go away. So it’s worthwhile to know who they are and why they do what they do.

Idle Hands

People see movies like War Games and think hackers are going to start World War III. The truth is that computer hackers for the most part are smart, bored kids.

It’s true that the majority of hackers getting attention these days are bored kids. Hackers usually start in their teens and stop by the time they’re 30. But anyone can be a hacker—from the 16-year-old who defaces Web sites to the 36-year-old who sabotages a former employer’s server. For their part, people in the underground indicate that not all hackers are true hackers.

By Any Other Name

It used to be that hacking had nothing to do with breaking the law or damaging systems. The first hackers, who emerged at MIT in the 1960s, were driven by a desire to master the intricacies of computing systems and to push technology beyond its known capabilities.

The hacker’s ethic, an unwritten dictum governing the hacker world, indicates that a hacker should do no harm. A hacker should pass through a network without a trace. But somehow that message has gotten lost in the noise of Web defacement and data thefts.

Hacker purists get riled when anyone confuses them with crackers—intruders who damage or steal data. But although some hackers are quick to claim the moral high ground, the line between hacker and cracker is often blurred. Most hackers, for instance, don’t believe it’s criminal to break into systems and rifle around. The law, of course, thinks otherwise.

Just because something is illegal doesn’t mean it’s wrong. But, once you go in and destroy data or damage the system, that’s where you stop being a hacker and you become a criminal.

T12, a 20-year-old who admits to some questionable hacking conduct, indicates he wouldn’t normally damage a site. But if a phone company were to illegally switch his long-distance carrier and start billing his calls at $10 a minute, he wouldn’t hesitate to take action. This is the kind of thing where one would feel free to just deface their site and make it as public as possible.

Diablo, a teenager with the Romanian hacking group “Pentaguard,” indicates that a hacker should never abuse his or her powers. But if you penetrate a server and change the main page, nobody is hurt. The administrator gets embarrassed, and that’s all.

Pentaguard has defaced more than 100 Web sites (most of them government- and military-related), and Diablo indicates that he’s careful: He never deletes or steals data and never crashes the system. This may be true, but the manager of one site Pentaguard defaced (owned by the Hawaii state legislature) indicated that his office had to pay $5,000 for several new large-capacity hard drives (because the police confiscated the hacked hard drives as evidence), and the site was down for a week until the drives arrived.

Signs of the Times

Hacking has definitely changed in the last 40 years. Talk to any hacker over 25, and he’s likely to lament the passing of the good old days, when coding was an art form and learning how systems worked was an exercise in persistence. New hackers today are often younger and less skilled than their predecessors, and more likely to focus on showy exploits than the noble pursuit of knowledge, indicate older hackers.

Many old hackers call the Internet generation of hackers hollow bunnies—like gigantic chocolate Easter bunnies filled with nothing but air. Ten years ago, hackers respected information and machines, and had to possess knowledge and skills to hack. Now novices use hacking programs without understanding them and are more likely to leave havoc in their wake.

Script kiddies receive the bulk of hacker disdain. These are the graffiti kids who download canned scripts (prewritten hacking programs) for denial-of-service attacks or paint-by-number Web defacement.

The risk here is that an unskilled hacker could release wanton mayhem in your systems. The hacker might download a buggy hacking tool to your network that goes awry, or execute a wrong command and inadvertently damage your machines.

But script kiddies tend to disappear after a year. This is the generation of instant gratification, and if they can’t get the hang of Back Orifice (a more advanced hacking program), they get bored and move on.

Bigger Threats

Script kiddies may get attention, but experts agree that the most dangerous hackers are the ones who don’t make any noise: criminal hackers and cyberterrorists. The truly dangerous people are hacking away in the background, drowned out by the noise and pomp that the script kiddies and denial-of-service packet monkeys have been making.

Hacking has evolved into professional crime. Amateur hackers are falling into the minority, and now the fear is the criminal and the terrorist. These are people like the Russian cracker group who siphoned $20 million from Citibank in 1994 and the mafia boss in Amsterdam who had hackers access police files so he could keep ahead of the law.

In 1997, crime syndicates approached hackers to work for them. Now, with so many easy-to-use hacking tools on the Internet, criminals hardly need hackers to do their dirty work.

But the cyberelement that everyone fears most is one you’ve yet to see: foreign governments, terrorists, and domestic militia groups hacking for a political cause.

The Department of Defense indicates its systems are probed about 250,000 times a year. It’s difficult to tell if probes are coming from enemies seeking military data or from “ankle biters”—harmless hackers on a joyride. Regardless, authorities have to investigate every probe as a potential threat.

The likelihood of obtaining top secret information in this way is small, because classified data is generally stored on machines not connected to the Net. A more problematic assault would focus on utilities or satellite and phone systems. Ninety-five percent (95%) of U.S. military communications run through civilian phone networks. An attack on these systems could impede military communications.

For example, Navy officials recently reported that hackers broke into a Navy research facility in Washington, D.C., and stole two-thirds of its source code for satellite and missile guidance systems. The Navy indicates that the source code was an “unclassified” older version.

Thus, a large-scale cyberattack is imminent. Members of terrorist groups such as Hezbollah have been educated in Western universities and are capable of developing such attacks in the future—such as a digital 9-11 attack.

Why Hackers Hack

Aside from criminal and political motives, the reasons that hackers hack range from malice and revenge to simple boredom. And, despite the image of hackers as dysfunctional loners, many are drawn to hacking by the sense of community it gives.

Of course, a big part of hacking’s attraction is the sense of power that comes from uncovering information you shouldn’t possess. A hacker called “Dead Addict” once described the high that comes from discovering valuable information, followed by the low that comes from realizing you can’t do anything with it.

For example, one hacker knows a little of that rush. He says that he once broke into a hazardous waste firm and found pretty evil insider information that no one was meant to see. Though he didn’t act on the information, he did log it for possible use later, just in case he felt like being socially active.

But many hackers who begin as system voyeurs graduate to more serious activities. It’s easy to be lured to the dark side when you get easy gratification messing around with individuals such as AOL users. Most hackers are not old enough to drive a car or vote, but they can exert power over a network.

White Hats

There are many reasons why hackers’ ability to hack into computers fades with age. Life fills their time, and their ethics begin to change. The majority eventually find their interest waning.

You only have three directions to go with hacking: You can keep doing the same old tricks; you can become a real criminal cracker; or you can use those skills wisely to build new software and create a more secure Internet.

Securing the Net is an interest many hackers develop (especially now that employers are hiring them for their skills). They lament that the public never hears about their positive acts, such as patching a hole on their way out of a site and letting the administrator know they fixed it.

Most companies just focus on the fact that you hacked them and want to come after you with a lawsuit. It’s made hackers reluctant to help them.

An even sorer point between hackers and vendors is the issue of releasing vulnerability exploits. These are findings about a security problem that hackers (and researchers) post on the Net.

Vendors indicate hackers expose the holes for anyone to exploit, and should instead report them to vendors first so they can fix them. The hacking community frowns on people who don’t notify vendors, but when they do, vendors often ignore them. Most software companies won’t do anything about a problem until you make it public. Then they have to fix it.

Vendors have a duty to develop secure software. Hackers, on the other hand, force vendors to admit their errors after they’ve hacked into the vendors’ software. Manufacturers are grossly negligent in selling software that doesn’t stand up. What if they were producing cars that were this unsafe? The software they give us is not safe to drive in cyberspace.

Anything that’s attached to the Internet is potentially hackable. And, if you’re using a Windows 2000 or XP machine, nothing that is on that computer is secure.

Better security is in everyone’s best interest, and hackers should play a crucial role in this. The hacker kids who are going to Def Con today are the software architects of tomorrow. The same thing that makes them hackers makes them valuable to employers in the future.

All of this points to the fact that although hackers may be the Internet’s greatest annoyance, their warnings about security are ignored at everyone’s peril. The network that can’t guard against a bored 18-year-old hacking in his or her spare time can’t hope to protect itself from a hostile government or tech-savvy terrorist.

Next, let’s look at how digital detectives track hacks. Also, how much does it cost to track a hacker?

Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca