
Computer Security

Hackers

Topics

Crisis
Computer Crimes
Hacker Attacks
Modes of Computer Security
Password Security
Network Security
Web Security
Distributed Systems Security
Database Security

Crisis

The Internet has grown very fast and security has lagged behind. Legions of hackers have emerged, since the barrier to entering the hackers' club is low. It is hard to trace the perpetrator of cyber attacks since the real identities are camouflaged. It is very hard to track down people because of the ubiquity of the network. Large scale failures of the Internet can have a catastrophic impact on the economy, which relies heavily on electronic transactions.

In 1988 a "worm program" written by a college student shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber attacks. Today we have about 10,000 incidents of cyber attacks which are reported, and the number grows.

Computer Crime: The Beginning

Computer Crime - 1994

A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at the Griffiss Air Force base, NASA and the Korean Atomic Research Institute. His online mentor, "Kuji", is never found. Also this year, a group directed by Russian hackers broke into the computers of Citibank and transferred more than $10 million from customers' accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money.

Computer Crime - 1995

In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail and on his release his parole conditions demand that he avoid contact with computers and mobile phones. On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail. The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995.

Computer Crime - 1999

In March, the Melissa virus goes on the rampage and wreaks havoc with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year-old New Jersey computer programmer, David L Smith. More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999.

Computer Crime - 2000

In February, some of the most popular websites in the world such as Amazon and Yahoo are almost overwhelmed by being flooded with bogus requests for data. In May, the ILOVEYOU virus is unleashed and clogs computers worldwide. Over the coming months variants of the virus are released that manage to catch out companies that didn't do enough to protect themselves. In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen.

Why Security?

Some of the sites which have been compromised:
U.S. Department of Commerce, NASA, CIA, Greenpeace, Motorola, UNICEF, Church of Christ, ...

Some sites which have been rendered ineffective:
Yahoo, Microsoft, Amazon, ...

Why do Hackers Attack?

Because they can
A large fraction of hacker attacks have been pranks
Financial Gain
Espionage
Venting anger at a company or organization
Terrorism

Types of Hacker Attack

Active Attacks
  Denial of Service
  Breaking into a site
    Intelligence Gathering
    Resource Usage
    Deception

Passive Attacks
  Sniffing
    Passwords
    Network Traffic
    Sensitive Information
  Information Gathering

Modes of Hacker Attack

Over the Internet
Over LAN
Locally
Offline
Theft
Deception

Spoofing

Definition:
An attacker alters his identity so that someone thinks he is someone else (Email, User ID, IP Address, ...)
Attacker exploits the trust relation between user and networked machines to gain access to machines

Types of Spoofing:
1. IP Spoofing
2. Email Spoofing
3. Web Spoofing

IP Spoofing: Flying-Blind Attack

Definition: Attacker uses the IP address of another computer to acquire information or gain access.

[Diagram: John at 10.10.5.5, spoofed address 10.10.20.30, attacker at 10.10.50.50. The attacker sends a packet with From Address: 10.10.20.30, To Address: 10.10.5.5. Replies are sent back to 10.10.20.30.]

Attacker changes his own IP address to the spoofed address
Attacker can send messages to a machine masquerading as the spoofed machine
Attacker can not receive messages from that machine

IP Spoofing: Source Routing

Definition: Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies.

[Diagram: the same hosts as above (John 10.10.5.5, spoofed address 10.10.20.30, attacker 10.10.50.50); the packet again carries From Address: 10.10.20.30, To Address: 10.10.5.5, but the attacker intercepts the replies as they go to 10.10.20.30.]

The path a packet may take can vary over time. To ensure that he stays in the loop, the attacker uses source routing to ensure that the packet passes through certain nodes on the network.
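As an added example (not part of the original slides), the defensive counterpart of the two spoofing attacks above: a border filter that drops packets arriving on the external interface with a source from the internal 10.10.0.0/16 range, drops packets leaving with a non-internal source, and drops any packet carrying a source-route option. The packet records, the interface names and the /16 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Address space of the internal network in the slide diagrams (assumed to be 10.10.0.0/16).
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample of packet records as a border router might log them:
# interface the packet arrived on, source, destination, and whether it carries
# a source-route option (1) or not (0).
SAMPLE_PACKETS = [
    "iface=external src=10.10.20.30 dst=10.10.5.5 srcroute=0",    # internal source from outside: spoofed
    "iface=external src=203.0.113.7 dst=10.10.5.5 srcroute=0",    # ordinary inbound packet
    "iface=external src=203.0.113.9 dst=10.10.5.5 srcroute=1",    # source-routed: sender is steering the path
    "iface=internal src=10.10.5.5 dst=203.0.113.7 srcroute=0",    # ordinary outbound packet
    "iface=internal src=198.51.100.4 dst=203.0.113.7 srcroute=0", # external source leaving from inside: spoofed
]

@dataclass
class Verdict:
    line: str
    action: str   # "drop" or "accept"
    reason: str

def parse_record(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def filter_packet(line: str) -> Verdict:
    """Ingress/egress anti-spoofing check plus rejection of source-routed packets."""
    rec = parse_record(line)
    src = ipaddress.ip_address(rec["src"])
    if rec["srcroute"] == "1":
        return Verdict(line, "drop", "source-routed packet")
    if rec["iface"] == "external" and src in INTERNAL_NET:
        return Verdict(line, "drop", "internal source address arriving from outside")
    if rec["iface"] == "internal" and src not in INTERNAL_NET:
        return Verdict(line, "drop", "non-internal source address leaving the network")
    return Verdict(line, "accept", "source consistent with interface")

def filter_all(lines):
    """Apply the filter to every record and return the verdicts in order."""
    return [filter_packet(line) for line in lines]
```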

Email Spoofing

Definition:
Attacker sends messages masquerading as someone else
What can be the repercussions?

Types of Email Spoofing:
1. Create an account with similar email address
   Sanjaygoel@yahoo.com: A message from this account can perplex the students
2. Modify a mail client
   Attacker can put in any return address he wants to in the mail he sends
3. Telnet to port 25
   Most mail servers use port 25 for SMTP. Attacker logs on to this port and composes a message for the user.

Web Spoofing

Basic
Attacker registers a web address matching an entity, e.g. votebush.com, geproducts.com, gesucks.com

Man-in-the-Middle Attack
Attacker acts as a proxy between the web server and the client
Attacker has to compromise the router or a node through which the relevant traffic flows

URL Rewriting
Attacker redirects web traffic to another site that is controlled by the attacker
Attacker writes his own web site address before the legitimate link

Tracking State
When a user logs on to a site a persistent authentication is maintained
This authentication can be stolen for masquerading as the user

Web Spoofing: Tracking State

Web Site maintains authentication so that the user does not have to authenticate repeatedly
Three types of tracking methods are used:
1. Cookies: Line of text with ID in the user's cookie file
   Attacker can read the ID from the user's cookie file
2. URL Session Tracking: An id is appended to all the links in the website's web pages
   Attacker can guess or read this id and masquerade as the user
3. Hidden Form Elements: ID is hidden in form elements which are not visible to the user
   Hacker can modify these to masquerade as another user

Session Hijacking

Definition:
Process of taking over an existing active session

Modus Operandi:
1. User makes a connection to the server by authenticating using his user ID and password.
2. After the users authenticate, they have access to the server as long as the session lasts.
3. Hacker takes the user offline by denial of service
4. Hacker gains access to the user by impersonating the user

[Diagram: Bob telnets to Server; Bob authenticates to Server; Attacker to Bob: "Bob, die!"; Attacker to Server: "Server, hi! I am Bob".]

Attacker can
  monitor the session
  periodically inject commands into the session
  launch passive and active attacks from the session

Session Hijacking: How Does it Work?

Attackers exploit sequence numbers to hijack sessions
Sequence numbers are 32-bit counters used to:
  tell receiving machines the correct order of packets
  tell the sender which packets are received and which are lost

Receiver and Sender have their own sequence numbers
When two parties communicate the following are needed:
  IP addresses
  Port Numbers
  Sequence Number

IP addresses and port numbers are easily available, so once the attacker gets the server to accept his guessed sequence number he can hijack the session.

Denial of Service (DoS) Attack

Definition:
Attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the system so that no one else can use it.

Types:
1. Crashing the system or network
   Send the victim data or packets which will cause the system to crash or reboot.
2. Exhausting the resources by flooding the system or network with information
   Since all resources are exhausted, others are denied access to the resources
3. Distributed DoS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks

.eni ( o# Ser/ice 0.1S2 "tt c! +.pes/


2. 3. 4. =. :. ?. @. A. B. 2D. 22. 23. 24. 2=. *in( of Death SS*in( -and Sm"rf S$N !lood C*U <o( 5in N"&e )*C -ocator Colt3 '"bonic Microsoft Incomplete +C*>I* *ac&et E"lnerabilit. <* ,penview Node Mana(er SNM* D,S E"lneabilit. Netscreen !irewall D,S E"lnerabilit. Chec&point !irewall D,S E"lnerabilit.
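As an added example, not from the slides: a sliding-window detector over a constructed connection log that flags any source sending more than a threshold of SYNs within one second, the resource-exhaustion pattern behind the SYN Flood entry in the list above. The log format, the window length and the threshold are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 1.0      # seconds of history kept per source (assumed value)
THRESHOLD = 5     # SYNs per source inside one window before we call it a flood (assumed value)

# Constructed connection-attempt log: "<seconds> <source ip> <tcp flag>".
SAMPLE_LOG = [
    "0.00 203.0.113.5 SYN",
    "0.10 203.0.113.5 SYN",
    "0.15 198.51.100.9 SYN",
    "0.20 203.0.113.5 SYN",
    "0.30 203.0.113.5 SYN",
    "0.40 203.0.113.5 SYN",
    "0.50 203.0.113.5 SYN",    # sixth SYN from the same source within one second
    "0.60 203.0.113.5 ACK",    # non-SYN traffic is ignored
    "2.00 198.51.100.9 SYN",   # the 0.15 entry has aged out by now
    "2.10 198.51.100.9 SYN",
]

def detect_syn_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source: time_first_flagged} for every source that exceeds
    `threshold` SYNs within any `window`-second span of the log."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        t_str, src, flag = line.split()
        if flag != "SYN":
            continue              # only half-open connection attempts count
        t = float(t_str)
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()           # drop timestamps older than the window
        if len(q) > threshold and src not in flagged:
            flagged[src] = t
    return flagged
```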

Buffer Overflow Attacks

This attack takes advantage of the way in which information is stored by computer programs
An attacker tries to store more information on the stack than the size of the buffer

How does it work?


[Diagram: Normal Stack vs Smashed Stack, both drawn from Bottom of Memory to Top of Memory with the fill direction running toward the top. Normal Stack: Buffer 2, Local Variable 2, Buffer 1, Local Variable 1, Return Pointer, Function Call Arguments. Smashed Stack: Buffer 2, Local Variable 2, then Machine Code: execve(/bin/sh) where Buffer 1 was (Buffer 1 space overwritten), then a Pointer to Exec Code where the Return Pointer was (Return Pointer overwritten), Function Call Arguments.]

Buffer Overflow Attacks

Programs which do not have a rigorous memory check in the code are vulnerable to this attack
Simple weaknesses can be exploited
If memory allocated for name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters

Can be used for espionage, denial of service or compromising the integrity of the data
Examples
  NetMeeting Buffer Overflow
  Outlook Buffer Overflow
  AOL Instant Messenger Buffer Overflow
  SQL Server 2000 Extended Stored Procedure Buffer Overflow

Password Attacks

A hacker can exploit weak passwords & uncontrolled network modems easily. Steps:

Hacker gets the phone number of a company
Hacker runs war dialer program
If original number is 555-5532, he runs all numbers in the 555-55xx range
When a modem answers he records the phone number of the modem
Hacker now needs a user id and password to enter the company network
Companies often have default accounts, e.g. temp, anonymous, with no password
Often the root account uses the company name as the password
For strong passwords, password cracking techniques exist

Password Security

[Diagram: Client and Server. Password and Salt are fed to a Hash Function; the Hashed Password is stored (Store Password). On login the server runs Compare Password against the stored Hashed Password and decides Allow/Deny Access.]

Password hashed and stored
Salt added to randomize password & stored on system
Password attacks launched to crack encrypted password

Password Attacks: Process

Find a valid user ID
Create a list of possible passwords
Rank the passwords from high probability to low
Type in each password
If the system allows you in, success!
If not, try again, being careful not to exceed password lockout (the number of times you can guess a wrong password before the system shuts down and won't let you try any more)

& ss-ord "tt c!s Types 3ictionary Attack


%acker tries all !or s in ictionary to crack pass!or 9:; of the people use ictionary !or s as pass!or s Try all permutations of the letters # symbols in the alphabet +or s from ictionary an their variations use in attack 1eople !rite pass!or s in ifferent places 1eople isclose pass!or s naively to others %ackers slyly !atch over peoples shoul ers to steal pass!or s 1eople ump their trash papers in garbage !hich may contain information to crack pass!or s

Brute Force Attack %ybri Attack $ocial Engineering $houl er $urfing 3umpster 3iving

Conclusions

Computer Security is a continuous battle
As computer security gets tighter, hackers are getting smarter
Very high stakes
