Identification and Authentication


Hacking for Fun and Profit
(Or Know Thy Enemy!)
University of Sunderland
CSEM02
Harry R. Erwin, PhD
What is Hacking?
• This discussion is based on Raymond and Steele, 1996, the
New Hacker’s Dictionary, MIT Press, 3rd edition. Some
material from the Qinetiq foundation course is also used.
• (n) a quick job that provides what is needed, but
not well.
• (n) an incredibly good and perhaps very time-consuming piece of work that produces exactly
what is needed.
• (v) to interact with a computer in a playful and
exploratory rather than goal-directed way.
What is a Hacker?
• Originally, someone who made furniture with an
axe.
• One who enjoys programming or is good at
programming quickly.
• A person capable of appreciating hack value.
• An expert at a particular program. (Dr. Erwin used
to hack TECO.)
• One who enjoys the intellectual challenge of
creatively overcoming or circumventing
limitations.
Hacker Humor
• Form versus content jokes
• Deadpan parodies of intellectual constructs
• Screwily precise reasoning from ludicrous
premises
• Puns and wordplay
• Subversive humor that appears mindless
• Zen and Taoist ideas
Hack Mode
• “A zen-like state of total focus on The Problem.” This
can be intense and habituating. Some of you may have
seen me in hack mode, particularly in research
discussions.
• Being yanked out of hack mode is often experienced as
a physical shock.
• It is perfectly OK to hold up a hand to a visitor to avoid
being interrupted while you’re holding a lot of delicate
state in your head. A description is “juggling eggs”.
• I suspect hack mode is based on certain brain states.
Is Hacking Ethical?
• Hacking, like lock-picking or doing science, is
neither ethical nor unethical—it depends on what
you’re doing.
• The malicious meddling and poking around in
systems usually called ‘hacking’ is often termed
‘cracking’ instead.
• Cracking usually involves persistence and the
dogged repetition of well-known tricks.
• Most crackers are mediocre hackers. (On the other
hand, most spammers are good hackers.)
Some Terminology
• Hacker—someone who enjoys exploring computers.
• Samurai—a hacker who hires out for legal cracking jobs.
See ronin.
• Cracker—a malicious meddler in computer systems. Also
known as a dark-side hacker.
• Script kiddie—a cracker who relies on exploits developed
by others. A loser with a room-temperature IQ.
• Warez d00dz—crackers who get illegal copies of
copyrighted software. Usually a weenie or spod shunned
by everyone.
TCP/IP Concepts
(Now we get serious.)
• CONS
• CLNS
• How TCP/IP works
• Routing
• Boundary Mechanisms
• Connections
• Strengths and Weaknesses
CONS Protocol
• Like phone service
• Uses connections
– Established, remain up for a while, and are
taken down.
– Using messages consisting of packets
• Reliable, since each packet is numbered.
• Overhead is significant.
CLNS Protocol
• A broadcast protocol
• Unreliable
• Packets are sent out with no
acknowledgement expected
• Not as vulnerable, since the receiver can
ignore them, but still can be subverted.
TCP/IP Protocol
• Uses TCP packets in a CONS
• Packets are sent between ports.
• Port numbers 1-65535
• IP addresses consisting of dotted quads: four
numbers, each between 0 and 254, separated by
dots.
• Addresses are allocated statically or dynamically.
• UDP and ICMP packets (also used in IP) are
CLNS.
TCP/IP Routing Logic
• Start with a packet created and sent.
• The local computer looks in its routing table for local addresses.
• Since the packet is going somewhere else, it is sent to the default
gateway (a router).
• The router checks its routing tables and uses them to forward the
packet.
• Packets are forwarded from router to router until they get to their
destination, thus dealing with outages (and nuclear effects).
• If address is unreachable, ICMP packets are used to report back.
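The routing walk-through above, as an added example that is not part of the slides: a constructed four-node topology (host, two transit routers, a destination router) with per-node routing tables, a longest-prefix-match lookup, and a hop-by-hop forwarder that reports the ICMP-unreachable case when a router has no route (not even a default). The node names, prefixes and tables are invented for the illustration.

```python
import ipaddress

# Constructed topology for the walk-through: every node has a routing table
# mapping prefix -> next hop. None means "directly attached: deliver locally".
# 0.0.0.0/0 is the default route (the slide's default gateway).
TABLES = {
    "host-a": {
        "192.0.2.0/24": None,
        "0.0.0.0/0": "router-1",
    },
    "router-1": {
        "192.0.2.0/24": None,
        "198.51.100.0/24": "router-2",
        "0.0.0.0/0": "router-2",
    },
    "router-2": {
        "198.51.100.0/24": None,
        "203.0.113.0/24": "router-3",
        # no default route here: anything else is unreachable
    },
    "router-3": {
        "203.0.113.0/24": None,
    },
}


def next_hop(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins.

    Returns "local" for a directly attached destination, the next hop's name
    otherwise, or "unreachable" when no prefix (not even a default) matches.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None:
        return "unreachable"
    return "local" if best_hop is None else best_hop


def forward(src_node, dst, max_hops=16):
    """Move a packet hop by hop. Returns (path, status) where status is
    "delivered", "icmp-unreachable from <node>" (the router that had no
    route reports back to the sender) or "ttl-exceeded" (a routing loop)."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        hop = next_hop(TABLES[node], dst)
        if hop == "local":
            return path, "delivered"
        if hop == "unreachable":
            return path, f"icmp-unreachable from {node}"
        path.append(hop)
        node = hop
    return path, "ttl-exceeded"


if __name__ == "__main__":
    for dst in ("192.0.2.10", "203.0.113.7", "8.8.8.8"):
        print(dst, *forward("host-a", dst))
```

The local-address check on the slide is the /24 entry with `None` as next hop; the default gateway is the /0 entry, which only wins when nothing more specific matches.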
Boundary Mechanisms
• TCP ports (1-65535) may have services
attached or be blocked.
• The more unblocked ports, the more
vulnerabilities. This is bad.
• Boundary mechanisms should follow the
golden rule:
– That which is not explicitly permitted is denied.
TCP/IP Connections
• Process consists of:
– Connection establishment
– Data transfer
– Connection closure
– ACKs and NACKs manage this
• Creates a “Virtual circuit”
• Resilient to interruption
• Lost packets are simply resent
• Allows routers to determine if packet traffic makes
sense (SYN versus SYN ACK)
TCP/IP Strengths and Weaknesses
• Hard to spoof
• Reliable
• Resistant to denial of service
But
• Computationally expensive
• Not designed to be secure
• Firewalls need to be stateful to be strong.
Cracker Tactics
• Case the Joint.
• Break In
• Gain Root Access
• Exploit the Access
Casing the Joint
• Start with the open literature (see
www.samspade.com and use dig)
• Door-knocking
• War-dialing
• Mapping the network
• O/S analysis
Mapping a Network
• Basic network analysis tool is ping
– Classic ping
– TCP ping (works if ICMP blocked)
• Then traceroute to map the path to the target.
• ethereal allows you to watch and stitch together
the packets used in a connection.
• Then spot the clues that allow you to determine
the operating system of the target.
• nmap (mapping tool)
• tcpdump
Portscanning
• Classic ‘3 way’ portscanning
• Stealth portscanning
• Some routers let SYN packets through if
they are from port 20. This allows you to
drill through a router and portscan behind it.
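An added example (not from the slides) tying together three points above: the golden rule that what is not explicitly permitted is denied, the observation that a stateful firewall can judge whether a SYN-ACK "makes sense", and the source-port-20 hole in a stateless router. It contrasts a constructed stateless ACL with a small connection-tracking filter; the packet model, addresses and the assumption that the port-20 rule exists for active-mode FTP are all mine.

```python
from collections import namedtuple

# A packet as the filter sees it (constructed model). direction is "out"
# for traffic leaving the protected network and "in" for traffic arriving.
Packet = namedtuple("Packet", "direction src dst sport dport flags")

# Golden rule: only inbound services listed here are permitted.
PERMITTED_INBOUND_PORTS = {80}


def stateless_allow(pkt):
    """Stateless ACL of the kind the slides warn about. It has no memory, so
    it guesses at 'established' traffic from the flags and, like the routers
    the slide mentions, lets anything with source port 20 through (assumed
    here to be a legacy rule for active-mode FTP data connections)."""
    if pkt.direction == "out":
        return True
    if pkt.dport in PERMITTED_INBOUND_PORTS:
        return True
    if pkt.sport == 20:
        return True
    if "ACK" in pkt.flags:          # assumed to be a reply to something we sent
        return True
    return False                    # default deny for everything else


class StatefulFilter:
    """Tracks connections, so an inbound packet is judged against what was
    actually sent: a SYN-ACK only makes sense as the answer to our own SYN."""

    def __init__(self):
        self.flows = {}   # (src, sport, dst, dport) of the initiating SYN -> state

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)     # as seen in this packet
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)    # the reverse direction
        if pkt.direction == "out":
            if pkt.flags == "SYN":
                self.flows[key] = "SYN_SENT"
            return True
        if pkt.flags == "SYN":                               # new inbound connection
            if pkt.dport in PERMITTED_INBOUND_PORTS:
                self.flows[key] = "SYN_RECEIVED"
                return True
            return False                                     # default deny
        if pkt.flags == "SYN-ACK":                           # must answer our SYN
            if self.flows.get(rkey) == "SYN_SENT":
                self.flows[rkey] = "ESTABLISHED"
                return True
            return False
        # ACK or data: only for a flow we already know about, in either direction
        return key in self.flows or rkey in self.flows
```

The stateless rules pass an inbound SYN from port 20 to an unlisted port, a stray SYN-ACK and a bare ACK, because each of them looks like something legitimate; the stateful filter rejects all three since no outbound SYN ever created the flow.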
Breaking In
• Methods:
– By using a valid user ID/password combination. These
can be stolen with a sniffer, or obtained by breaking a weak
user ID.
– By triggering a buffer overflow or other crash on an
open port.
– Drilling in.
– Physical access
• We will start with a discussion of password
security.
Attacking Password Security
• The typical local login approach is
– Provide a user ID
– Then provide a password
• Remote logins are similar
– telnet, rlogin, rsh, ssh (terminal sessions)
– ftp, ncftp, sftp, rcp, scp (file transfer)
– Avoid telnet, ftp, ncftp, rlogin, rsh, and rcp.
They transmit I&A data in the clear.
I&A Defense Considerations
• Passwords should not be stored in the clear. Store
the encrypted password and compare to that.
• Password files should not be accessible to users.
Hackers can run ‘crack’ against them in a
dictionary attack. Consider running ‘crack’
regularly against your own password file.
• UNIX provides a ‘salt’ field in the password file
unlike Windows. This is concatenated with the
password before encryption (using DES),
increasing the search space for ‘crack’.
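An added example (not from the slides) of the three points above: never keep the clear-text password, compare against a stored hash, and salt it. Classic UNIX fed salt + password to DES-based crypt(3); this code substitutes salted SHA-256, which is an assumption made only to keep the example self-contained. It also implements the slide's advice to run a dictionary audit against your own password file, and counts the hash operations so the effect of the salt on the search space is visible. The user names, passwords, salts and wordlist are constructed.

```python
import hashlib
import hmac
import os


def unsalted_hash(password):
    """Windows-style: no salt, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_entry(password, salt=None):
    """Produce 'salt$hash' for the password file; salt is random unless given."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify(password, entry):
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, digest = entry.split("$")
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def audit_unsalted(wordlist, stored):
    """stored: {user: unsalted hash}. One precomputed table serves every user.
    Returns ({user: matched word}, number of hash operations performed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    hits = {u: table[h] for u, h in stored.items() if h in table}
    return hits, len(wordlist)


def audit_salted(wordlist, stored):
    """stored: {user: 'salt$hash'}. Each user's salt forces the whole wordlist
    to be rehashed for that user, so the work grows as users x words."""
    hits, work = {}, 0
    for user, entry in stored.items():
        for word in wordlist:
            work += 1
            if verify(word, entry):
                hits[user] = word
    return hits, work


# Constructed sample data: two users share a dictionary word, one does not.
WORDLIST = ["password", "letmein", "welcome"]
SAMPLE_PASSWORDS = {"alice": "letmein", "bob": "letmein", "carol": "Xq9!vR2m"}
SALTS = {"alice": b"salt-a", "bob": b"salt-b", "carol": b"salt-c"}  # fixed for reproducibility


def build_stores():
    """Return (unsalted store, salted store) for the sample users."""
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_PASSWORDS.items()}
    salted = {u: make_entry(p, SALTS[u]) for u, p in SAMPLE_PASSWORDS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted audit:", audit_unsalted(WORDLIST, unsalted))
    print("salted audit:  ", audit_salted(WORDLIST, salted))
```

With no salt, alice and bob have identical stored values and a single table of three hashes exposes both; with per-user salt their entries differ and the same audit costs nine hash operations, three per user.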
Good Password Policies
• 6 or more characters
• Change every 30-60 days
• Passwords must be used for at least 2-7 days
• Previous passwords cannot be reused.
• Three or more different character types (upper
case, lower case, numbers, symbols)
• Avoid weak passwords (names, addresses, phone
numbers, SSNs, common dictionary words or
phrases, and simple variations on the above).
An Approach to Choosing Stronger Passwords
(Suggested by Qinetiq.)
• Start with a phrase about a date.
• Use the initials, lower case and upper case
alternating.
• Insert a special character somewhere.
• Remember September 11th, 2001!
  rS1101!
• My birthday is February 29th!
  mBiF29!
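An added example (not from the slides or Qinetiq) covering the two slides above: a checker for the password rules that can be tested on a single password (length, character types, reuse, weak words and their simple variations; the change-interval rules need account metadata and are left out), and a generator for the date-phrase recipe. The recipe's handling of numbers and of the special character is my reading of the two worked examples: digits are kept, a four-digit year keeps its last two digits, and the phrase's final punctuation mark is the inserted special character. The blacklist and the substitution table are constructed.

```python
import re

# Constructed blacklist standing in for a real dictionary (crack's wordlists
# are far larger); names and local words belong here too.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "sunderland"}

# Common substitutions; "simple variations" of a weak word are still weak.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def char_classes(pw):
    """Count the character types present (lower, upper, digit, symbol)."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_policy(pw, history=(), weak_words=WEAK_WORDS):
    """Return the list of policy rules the password breaks (empty = accepted)."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 character types")
    if pw in history:
        problems.append("previous password reused")
    lowered = pw.lower()
    normalised = lowered.translate(LEET)
    if any(w in lowered or w in normalised for w in weak_words):
        problems.append("contains a weak word or a simple variation of one")
    return problems


def mnemonic(phrase):
    """Initials of the words, alternating lower and upper case; numbers keep
    their digits (a four-digit year keeps its last two, matching the slide's
    example); the phrase's final punctuation mark becomes the inserted
    special character ("!" if the phrase has none)."""
    special = phrase[-1] if not phrase[-1].isalnum() else "!"
    out, upper = [], False
    # Numeric tokens may carry an ordinal suffix (11th, 29th); letters otherwise.
    for tok in re.findall(r"\d+(?:st|nd|rd|th)?|[A-Za-z]+", phrase):
        if tok[0].isdigit():
            digits = re.sub(r"\D", "", tok)
            out.append(digits[-2:] if len(digits) == 4 else digits)
        else:
            out.append(tok[0].upper() if upper else tok[0].lower())
            upper = not upper
    return "".join(out) + special


if __name__ == "__main__":
    for phrase in ("Remember September 11th, 2001!", "My birthday is February 29th!"):
        pw = mnemonic(phrase)
        print(phrase, "->", pw, check_policy(pw) or "accepted")
    print("P@ssw0rd!", check_policy("P@ssw0rd!"))
```

Both slide examples come out of `mnemonic` as printed on the slide and pass every rule `check_policy` can test; a leet-speak variation of a dictionary word is rejected even though it has four character types and nine characters.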
Token-based Security
• Rather than something you know (password), you
provide something you own.
• The usual approach is that you provide an
identifier (the first factor), and
• The system then sends you a challenge that you
respond to (the second factor).
• The response is generated by a device that you
keep in your possession.
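The challenge-response exchange described above, as an added example (not from the slides): the server holds a secret provisioned into the user's token, sends a random challenge after the identifier (the first factor), and accepts only a response computed from that challenge with the token's secret (the second factor). HMAC-SHA256 as the response function, the `Server`/`Token` classes and the one-shot challenge table are my assumptions; real tokens use vendor-specific algorithms.

```python
import hashlib
import hmac
import os


class Server:
    """Holds each user's shared secret and at most one outstanding challenge."""

    def __init__(self):
        self.keys = {}      # user id -> secret provisioned into that user's token
        self.pending = {}   # user id -> challenge awaiting a response

    def enroll(self, user, secret):
        self.keys[user] = secret

    def challenge(self, user):
        """First factor: the identifier. Unknown users get no challenge."""
        if user not in self.keys:
            return None
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Second factor. The challenge is consumed whether or not the response
        is right, so a captured response cannot be replayed later."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


class Token:
    """The device in the user's possession: it never reveals its secret, only
    the response to a given challenge."""

    def __init__(self, secret):
        self.secret = secret

    def respond(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).hexdigest()


def login(server, user, token):
    """One complete exchange: identifier -> challenge -> response -> verdict."""
    nonce = server.challenge(user)
    if nonce is None:
        return False
    return server.verify(user, token.respond(nonce))


if __name__ == "__main__":
    srv = Server()
    secret = b"constructed-shared-secret"   # would be generated at enrolment
    srv.enroll("harry", secret)
    print("right token:", login(srv, "harry", Token(secret)))
    print("wrong token:", login(srv, "harry", Token(b"some-other-secret")))
```

Because every challenge is fresh and discarded once used, an eavesdropper who records a response has nothing that will satisfy the next challenge, which is the property a static password lacks.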
Biometric Security
• The system identifies you by something you are:
– Fingerprint(s)
– Retina pattern
– Iris pattern
– Facial pattern
– Voice
• Demands good and expensive technology.
• And if the identifier is stolen, there’s no way of
changing it.
Handling Special I&A Requirements (Example)
• FAA system administrators at an enroute control center
work as a team, under the supervision of a NAS
Operations Manager (NOM).
• Logging in would disrupt teamwork and delay response to
emergencies.
• Hence I&A is handled procedurally, except at terminals
away from the central operations area.
• In the central operations area, the team logs in using a team
ID and password that is only good there. Elsewhere
individual ID/PW are required.
I&A Conclusions
• Strong authentication is desirable.
• Costs are significant.
• Not really compatible with e-commerce.
• Vulnerable to social engineering and the
general public availability of private data.
Buffer Overflow Attack
• An oversized packet can crash the program
listening on a port or smash its stack.
• The packet payload can then be executed,
(sometimes) giving the cracker access to the
machine.
• A particular problem for the defense is that the
cracker may be able to test his attack against a
machine under his control.
• Read the Multics paper.
Drilling In
• If the server seen by the outside world does not carefully
validate all inputs, the cracker may be able to ‘drill in’,
attacking machines beyond that server.
• For example, POST packets need not contain valid data.
That can produce buffer overflows or just invalid inputs to
whatever database server the httpd server uses.
• If a WWW page can be created on the fly by a DBMS, this
allows a cracker to query the DBMS by SQL injection.
• There is a related way to hack SSL.
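An added example (not from the slides) of the SQL-injection point above: a page built on the fly from a POST field, once with the field pasted into the query text and once with a bound parameter, plus the input validation the slide says the outward-facing server must do. The table, rows and the name format are constructed; SQLite stands in for whatever DBMS sits behind httpd.

```python
import re
import sqlite3

# Constructed whitelist for a user-name field: anything else is rejected
# at the boundary server before it reaches the DBMS.
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db():
    """Constructed sample table standing in for the DBMS behind httpd."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the POST field is pasted into the SQL text, so input that
    closes the string literal continues as SQL and the DBMS obeys it."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter is always data; the DBMS never parses it."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def valid_name(name):
    """Boundary validation: does the field have the only shape we accept?"""
    return bool(NAME_RE.match(name))


if __name__ == "__main__":
    db = build_db()
    for field in ("alice", "' OR '1'='1"):
        print(repr(field), "valid:", valid_name(field),
              "unsafe:", lookup_unsafe(db, field),
              "safe:", lookup_safe(db, field))
```

The same malformed field returns every row from the unsafe query and no rows from the parameterised one, and the whitelist rejects it before any query runs; both defences are wanted, since validation alone misses fields whose legitimate format must contain quotes.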
Physical Access
• Start up with a CD or a boot floppy.
• Steal the hard drive.
• Install a password sniffer.
Gaining Root Access
• Root access allows you to become invisible.
– Guess the password
• crack
• john
• L0phtcrack
– Exploit known OS vulnerabilities
– Trojan horses
– Buffer overflows
Operating System Vulnerabilities
• Not all software is designed to the same standards.
• Some utilities ‘think’ they need root access.
• Third-party software that insists on being given
root access is a particular vulnerability.
• Failure to use a chroot jail when appropriate.
• Various local exploits
My advice is to keep your patches up to date!
Windows Weaknesses
• Monoculture
• Security was not a major concern
• Overfeatured, with far too many vulnerabilities
• Insecure by default.
• Windows user community is historically naïve
about security.
Maintain a secure configuration and scan for
viruses frequently. Use a personal firewall.
UNIX Weaknesses
• Insecure by default, but more secure than Windows.
• Originally UNIX was defined in opposition to Multics, a
secure operating system.
• Many vendors involved, so patches can be slow.
• Other than Apple and OpenBSD, security has not been a
major vendor concern.
• On the other hand, most of the user community is security-aware,
and Apple locks down MacOS X by default. OpenBSD is very secure.
Fewer viruses, but you should maintain a secure
configuration and run a personal firewall.
Trojan Horses
• Users sometimes post software for others to use.
• Sometimes this software has ‘interesting’ side-effects.
• One might be the logging and reporting of user
authentication exchanges.
• Another would be inserting a backdoor. Easter
eggs are in this category. Read the Multics
paper.
Spotting Trojans
• In UNIX, watch the PATH variable, especially when
you’re running root, since trojans play with it.
• In UNIX, watch the setUID bit for shells.
– find / -perm +04000 -print (current GNU find spells this test -perm /04000)
• More complex in NT
– Back Orifice 2000
– SubSeven
– SOAP/.NET
– PCAnywhere (legit)
– malware in general (use www.adaware.com)
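The two UNIX checks above, as an added example (not from the slides): a PATH audit that flags the entries a trojan relies on (empty or "." entries that search the current directory, relative entries, and directories anyone can write to), and a walk that lists set-UID regular files the way the `find` command on the slide does. The risk labels and the PATH samples are constructed; the filesystem walk skips anything it cannot stat.

```python
import os
import stat


def path_risks(path_value):
    """Return [(entry, reason)] for PATH entries a trojan could exploit.

    Empty entries and "." make the shell look in the current directory,
    relative entries depend on where root happens to be, and a directory
    others can write to lets anyone plant a binary named like a system tool.
    Entries that do not exist are reported as such but not stat-checked.
    """
    risks = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            risks.append((entry or "<empty>", "current directory on PATH"))
        elif not os.path.isabs(entry):
            risks.append((entry, "relative entry"))
        elif os.path.isdir(entry):
            if os.stat(entry).st_mode & stat.S_IWOTH:
                risks.append((entry, "world-writable directory"))
    return risks


def is_setuid(mode):
    """True for a regular file with the set-UID bit (mode as from os.lstat)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_setuid(root):
    """List set-UID regular files under root, like `find root -perm /04000`.
    Symbolic links are not followed, so a link to a set-UID binary elsewhere
    does not count; the target shows up where it really lives."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)
            except OSError:
                continue          # vanished or unreadable: skip, do not abort
            if is_setuid(st.st_mode):
                hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed PATH showing each kind of risky entry.
    print(path_risks("/usr/bin::/usr/local/bin:.:bin"))
    print(path_risks(os.environ.get("PATH", "")) or "PATH looks clean")
    print(find_setuid("/usr/bin")[:10])
```

Comparing today's `find_setuid` output with a saved baseline is the practical use: a new set-UID file, or a shell appearing in the list, is the signal the slide tells you to watch for.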
Buffer Overflow
• “Sometimes quantity has a quality all its
own.”
• This approach forces an entry by
deliberately crashing parts of the operating
system or middleware.
• Overwrite large parts of memory with
executable code and then smash the stack.
Exploiting Root Access
• The cracker now owns the machine. His options
include:
– Snooping
– Use the machine to launder attacks elsewhere.
– Use the machine to serve files (like illegal jpgs).
– Use the machine as a zombie in a distributed denial of
service attack.
– Use the machine as a source for poisoned e-mail or
spam. (Spammers are usually good hackers.)
Take-Home Message
• The more you know, the safer you are.
– You know what to expect and
– What to do about it.
– Sometimes you can turn the tables on the
cracker.
• Keep your patches up-to-date,
• Scan for viruses, and
• Happy Hacking!