Misdirection


Misdirection is a common tactic used by malicious hackers to lead investigators down the wrong path. False leads consume investigation resources and the goodwill of those whose assistance is needed.

Masquerading

The hacker will find masquerading very useful in an environment with a light to moderate amount of monitoring. Working under someone else's account keeps him from becoming visible through heavy consumption of computer resources or connect time. He does this to buy time in case his activities are discovered, while the system manager chases after the person he is masquerading as. The problem for the hacker with masquerading is that the person whose identity he has borrowed may notice that someone else is using his account and alert security to the hacker's presence. So an experienced hacker will select someone who is not using the system, or someone who is not very sophisticated in his use of the system. A security awareness program will reduce this threat.

IP Spoofing

IP spoofing is a process by which a hacker convinces another computer that he is on a system other than the one he is actually on. This can be accomplished through a number of methods, including altering the ARP or DNS cache, altering router information, intercepting or guessing IP sequence numbers, or manipulating IP routing and using a false IP source address.

Every machine keeps a cache of addresses, both link-level (MAC) addresses in its ARP cache and network-level (IP) addresses in its DNS cache, so it does not have to ask a remote system for these frequently used addresses each time. Since these caches are maintained on each local machine, altering their contents alters where the packets from that machine are sent.
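The defensive counterpart to cache alteration is to watch the cache for changes. The following is an added example, not code from the book: it compares two snapshots of a host's ARP table (the input lines are constructed and assume the format printed by `arp -a` on Linux) and reports entries whose hardware address changed, entries that are new, and one hardware address answering for several IP addresses.

```python
import re
from collections import defaultdict

# Matches lines in the shape printed by `arp -a` on Linux, e.g.
#   "gateway (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0"
# Entries shown as "<incomplete>" carry no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in an `arp -a` dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def arp_findings(baseline, current):
    """Compare two ARP snapshots; return a sorted list of (kind, key, detail)."""
    findings = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is None:
            findings.append(("new", ip, mac))
        elif old != mac:
            findings.append(("changed", ip, f"{old} -> {mac}"))
    # One hardware address answering for several IPs is the footprint
    # of a host claiming addresses that are not its own.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared_mac", mac, ",".join(sorted(ips))))
    return sorted(findings)

# Constructed sample snapshots: the gateway's MAC has changed between
# them, and the new MAC also answers for a second address.
BASELINE = """\
gateway (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0
fileserver (192.0.2.10) at 00:11:22:33:44:66 [ether] on eth0
"""
CURRENT = """\
gateway (192.0.2.1) at de:ad:be:ef:00:01 [ether] on eth0
fileserver (192.0.2.10) at 00:11:22:33:44:66 [ether] on eth0
? (192.0.2.20) at de:ad:be:ef:00:01 [ether] on eth0
"""

if __name__ == "__main__":
    for finding in arp_findings(parse_arp(BASELINE), parse_arp(CURRENT)):
        print(*finding)
```

Run periodically against a snapshot taken when the network was known to be clean, a "changed" entry for the default gateway is the one to investigate first.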

Another method used to misroute messages is to corrupt the routing information held in the network equipment itself, such as bridges and routers. Many of the protocols developed for these network devices to communicate with each other have limited security, and most of the remote configuration protocols are also lacking in security. However, newer protocols with better security are being introduced and are replacing the older, nonsecure ones. You should contact your network vendor to determine the security status of your network devices.

A new method of misrouting packets has recently come to light. TCP uses sequence numbers as its base level of authentication. Each packet carries a sender and a recipient packet number, and each system increments its respective number for every packet sent on that specific connection. This allows packets to arrive out of order and be reassembled, and gives some level of authentication if the numbers match. However, with the current speed of computers and networks, it is possible to eavesdrop on a connection, steal the sequence numbers, and then masquerade as one end of the communication. Hacker tools such as "hijack" have been created to do just this. Improved authentication methods are currently being evaluated to better secure network connections. In the meantime, data encryption is the only safe way to send information over an untrusted network.

For the system manager to counter this approach, all connections to a system should be logged through appropriate auditing procedures. All programs that create an interactive shell should be audited. For network connections, both the network sockets should be logged and the daemons that use those sockets should be audited. The socket log shows where the system receives connections from, while the daemon audit trail shows the activity of the service that was using the socket. It may also be worthwhile to invoke countermeasures to determine the origins of the connections.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
