Friday, December 30, 2005

Security & Hacker




This is a new site of mine; enjoy it.
About me: Black^^Bird
I'm one of the users who have a lot of information
about the security and hacker world, and I want
to inform you how to use it to guard against the dark world:
viruses, worms, spyware, trojans, etc.

What Are the Laws of Security?
The list presented here is not complete. There may be other laws that are outside
the specific scope of this book, or that the authors aren’t aware of. New
laws will be identified in the future. You may find your own that are specific to
your job and the way it works. Here are some of the most generally applicable
information security laws:
Client-side security doesn’t work.
You can’t exchange encryption keys without a shared piece of information.
Viruses and trojans cannot be 100 percent protected against.
Firewalls cannot protect you 100 percent from attack.
Secret cryptographic algorithms are not secure.
If a key isn’t required, you don’t have encryption; you have encoding.
Passwords cannot be securely stored on the client unless there is
another password to protect them.
In order for a system to begin to be considered secure, it must
undergo an independent security audit.
Security through obscurity doesn’t work.
People believe that something is more secure simply because it’s new.
What can go wrong, will go wrong.

What Are the Classes of Attack?
The classes of attack that are examined in this chapter are denial-of-service,
information leakage, file creation, reading, modification and removal, misinformation,
special file/database access, and elevation of privileges. Let’s start
with denial-of-service.
Denial-of-Service
What is a denial-of-service (DoS) attack? A DoS attack takes place when the availability
of a resource is intentionally blocked or degraded by a malicious party.
In other words, the attack impedes the availability of the resource to its regular
authorized users. The attack may concentrate on degrading processes,
degrading storage capability, destroying files to render the resource unusable,
or shutting down parts of the system or processes. Let's take a closer look at
each of these items.
Degrading processes occurs when the attacker reduces performance by
overloading the target system, either by spawning multiple processes to eat up
all available resources of the host system, or by spawning enough processes to
overload the central processing unit (CPU). A simple UNIX fork bomb can be
used to degrade processes on a system by recursively spawning copies of itself
until the system runs out of process table entries. The fork bomb is easy to
implement using the shell or C; either version should only ever be run inside a
disposable virtual machine, and a per-user process limit (ulimit -u, or nproc in
limits.conf) is the standard way to contain it. The code for shell, saved as a
script that launches two background copies of itself on every run, is:
($0 & $0 &)
The code for C (fork() is declared in unistd.h) is:
#include <unistd.h>
int main(void) { for (;;) fork(); }
The degrading processes attack can also be directed at a network application,
such as File Transfer Protocol (FTP) or Simple Mail Transfer Protocol
(SMTP), or at a network service, such as Internet Protocol (IP) or the Internet
Control Message Protocol (ICMP). Either way, the attacker sends a flood of
network requests to the target.
Examples of denial-of-service attacks that degrade processes are snork and
chargen. Both of these DoSs affect Windows NT boxes (unless Service Pack 4
or higher has been applied). Snork enables the attacker to send spoofed
Remote Procedure Call (RPC) datagrams to the User Datagram Protocol (UDP)
destination port 135, giving it the appearance that the "attacked" RPC server
sent bad data to another RPC server. The second server sends a reject packet
back to the "attacked" server that, in turn, replies with another reject packet,
thereby creating a loop that is not broken until a packet is dropped, which
could take a few minutes. If the spoofed packet is sent to several different
computers, then the "attacked" server could waste a considerable amount of
processor resources and network bandwidth that otherwise could be used by
legitimate network users to accomplish their mission. The chargen DoS functions
against Windows NT systems that have the Simple TCP/IP Services
installed. Basically, what happens is that a flood of UDP datagrams is sent
from a spoofed source IP address to port 19 (the chargen port) at the subnet
broadcast address. Affected Windows NT systems respond to each broadcast,
thereby creating a flood of UDP datagrams on the network.
Two more examples of this type of DoS are smurf and the SYN (synchronization)
flood. The smurf DoS performs a network-level attack against the target
host. However, unlike other DoSs, this attack relies on an intermediary network,
and in particular its router, to help, as shown in Figure 3.1. The attacker, spoofing
the source IP address of the target host, generates a large amount of ICMP echo
traffic directed toward IP directed-broadcast addresses. The router, also known as
a smurf amplifier, converts the IP directed broadcast to a layer 2 broadcast and
sends it on its way. Each host that receives the broadcast responds to the forged
source IP, that is, to the target, with an echo reply. Depending on the number of
hosts on the network, both the router and the target host can be inundated with
traffic, resulting in degraded network service availability. A router that refuses to
forward directed broadcasts (the default on most modern equipment) cannot be
used as an amplifier.
The SYN flood is accomplished by sending Transmission Control Protocol
(TCP) connection requests faster than a system can process them. The target
system sets aside resources to track each connection, so a great number of
incoming SYNs can cause the target host to run out of resources for new legitimate
connections. The source IP address is, as usual, spoofed so that when
the target system attempts to respond with the second portion of the three-way
handshake, a SYN-ACK (synchronization-acknowledgment), it receives no
response. Some operating systems will retransmit the SYN-ACK a number of
times before releasing the resources back to the system. Here is an example of
exploit code written by Zakath that creates a SYN flood. This SYN flooder
allows you to select an address the packets will be spoofed from, as well as the
ports to flood on the victim’s system.
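The smurf and SYN flood attacks above both leave a recognizable trace in traffic: echo requests aimed at a directed-broadcast address, and bursts of SYNs that never go on to complete a handshake. The following Python script is an added example (it is not from the Syngress chapter quoted above, nor from the blog author) that scans packet records for both patterns. The record format, the addresses, the thresholds and the sample traffic are all constructed for the example.

```python
"""Spot two DoS patterns in packet records: ICMP echo requests aimed at a
directed-broadcast address (a smurf trigger) and bursts of bare SYNs at one
port (a SYN flood). Record format and sample traffic are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_network


def parse_line(line):
    """Constructed format: time proto src dst sport dport info
    ('-' for ports that do not apply; info is the TCP flag list or ICMP type)."""
    t, proto, src, dst, sport, dport, info = line.split()
    return {"time": float(t), "proto": proto, "src": src, "dst": dst,
            "sport": None if sport == "-" else int(sport),
            "dport": None if dport == "-" else int(dport), "info": info}


def directed_broadcast_addrs(prefixes):
    """The directed-broadcast address of each local prefix is what a smurf
    attacker targets; every host that answers it becomes an amplifier."""
    return {str(ip_network(p).broadcast_address) for p in prefixes}


def find_smurf_triggers(records, prefixes):
    """Echo requests sent to a directed-broadcast address. The claimed source
    is the real victim, since all the replies go there. Returns {(src, dst): count}."""
    bcast = directed_broadcast_addrs(prefixes)
    hits = Counter()
    for r in records:
        if r["proto"] == "ICMP" and r["info"] == "echo-request" and r["dst"] in bcast:
            hits[(r["src"], r["dst"])] += 1
    return dict(hits)


def find_syn_floods(records, threshold, window=1.0):
    """Bare SYNs (SYN set, ACK clear) per (dst, port) per time window.
    A legitimate client sends one SYN and then completes the handshake; a
    flood shows many SYNs, usually from many forged sources, that never do."""
    per_window = defaultdict(Counter)
    sources = defaultdict(set)
    for r in records:
        if r["proto"] != "TCP":
            continue
        flags = set(r["info"].split(","))
        if "SYN" in flags and "ACK" not in flags:
            key = (r["dst"], r["dport"])
            per_window[key][int(r["time"] // window)] += 1
            sources[key].add(r["src"])
    return {key: {"peak_syns_per_window": max(c.values()),
                  "distinct_sources": len(sources[key])}
            for key, c in per_window.items() if max(c.values()) > threshold}


# Constructed sample: one normal handshake, then 60 bare SYNs from forged
# sources inside one second, then five echo requests to the LAN broadcast
# address with the SYN-flood victim as the claimed source.
SAMPLE_LINES = (
    ["0.10 TCP 198.51.100.7 10.0.0.5 40001 80 SYN",
     "0.11 TCP 10.0.0.5 198.51.100.7 80 40001 SYN,ACK",
     "0.12 TCP 198.51.100.7 10.0.0.5 40001 80 ACK"]
    + [f"1.{i:03d} TCP 203.0.113.{i} 10.0.0.5 {50000 + i} 80 SYN" for i in range(1, 61)]
    + [f"2.{i:03d} ICMP 10.0.0.5 192.168.1.255 - - echo-request" for i in range(5)]
)


def analyse(lines=SAMPLE_LINES, local_prefixes=("192.168.1.0/24",), syn_threshold=20):
    """Run both detectors over the records and return their findings."""
    records = [parse_line(l) for l in lines]
    return {"smurf": find_smurf_triggers(records, local_prefixes),
            "syn_flood": find_syn_floods(records, syn_threshold)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind, hits)
```

The SYN detector deliberately counts the one legitimate client among the distinct sources: in practice the signal is the ratio of bare SYNs to completed handshakes, and a real deployment would also subtract SYNs that are later followed by an ACK from the same source. The smurf detector needs to know the site's own prefixes; the broadcast address is derived from them rather than hard-coded.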

The Internet Worm of 1988
The first widespread DoS was the infamous Internet Worm of 1988
created by Robert Morris, Jr. The Internet Worm was released on
November 2, 1988, and not only did the worm deny service to those
infected by it, but it also caused a denial-of-service for systems it did
not affect because of sites shutting themselves off from the Internet for
fear of infection. Note that DoS was not the intended purpose of the
worm; sites were flooded due to a bug in the worm.
I recently witnessed the same effects of the Love Letter worm as it
caused an organization I am aware of to shut its mail servers down for six
days from the vast paranoia surrounding the worm. Thus, it was successful
at creating a DoS from fear. Personally, I do not agree with this type of
knee-jerk reaction, and all managers should carefully consider whether
they really do need to shut down portions of their operation and not do
it purely out of blind fear. I have never shut down any part of my operations
unless there was a legitimate reason to do so (equipment upgrades,
etc.), and fear of the unknown is not a valid reason. If you are going to act
in that manner, you need to find a job in a different line of work.
One more interesting item about the Internet Worm of 1988: It was
the reason the Computer Emergency Response Team (CERT) was established
at Carnegie Mellon University.

What Is Diffing?
Simply put, diffing is the practice of comparing two things for differences,
especially after some change has been made. The two things in question could
be files, Registry entries, memory contents, packets, e-mails—almost anything.
The general principle is that you take some sort of snapshot of the item in
question (for example, if it’s a file, save a copy of the file), perform the action
you think will cause a change, and then compare the snapshot with the current
item, and see what changed.
Any number of objects could be compared for differences. For the purposes
of this chapter, we’ll limit our discussion to files (including special files, such
as the Windows Registry) and memory.
Why is it useful to be able to see the differences in a file or memory before
and after a particular action? One reason is to determine the portion of the file
or the memory location of the item of interest. For example, if you have a file
that you think contains a form of the password to an application, but the file
appears to be in a binary format, you’d like to know what part of the file represents
the password. To make this determination, you’d save a copy of the file
for comparison, change the password, and then compare the two files. One of
the differences between the two files (as there may be several) represents the
password. This information is useful when you want to make changes to the file
directly without going through the application. We’ll look at an example of this
in this chapter. For cases like this, the goal is to be able to make changes to the
storage directly.
In other cases, we may be interested largely in decoding information rather
than changing it. The steps are the same, causing actions while monitoring for
changes. The difference is that rather than trying to gain the ability to make
changes directly, we want to be able to determine when a change occurs, and
possibly infer the action that caused it.
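The snapshot, change, compare procedure described above, worked through in Python as an added example (not from the original chapter or the blog author). The save-file format, its single-byte XOR obfuscation, the key 0x5A and the sample passwords are all constructed for the example; the procedure is the point: diff two snapshots, take the one run that changed as the password field, then read and patch that field directly without going through the application.

```python
"""Snapshot, change one thing, diff: locate the bytes that hold a password in
a binary file, then read and write that field directly. The file format and
its obfuscation are constructed for this example."""
import struct


def diff_bytes(before, after):
    """Every run of bytes that differs, as (offset, old, new); a length
    difference is reported as a final run starting at the shorter length."""
    runs, start = [], None
    n = min(len(before), len(after))
    for i in range(n):
        if before[i] != after[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, before[start:i], after[start:i]))
            start = None
    if start is not None:
        runs.append((start, before[start:n], after[start:n]))
    if len(before) != len(after):
        runs.append((n, before[n:], after[n:]))
    return runs


# --- constructed save-file format: magic, version, user[16], obf(password)[16], score ---
XOR_KEY = 0x5A          # the application's (weak) obfuscation, unknown to the analyst
FIELD_LEN = 16


def obfuscate(data, key=XOR_KEY):
    return bytes(b ^ key for b in data.ljust(FIELD_LEN, b"\0"))


def make_save(user, password, score):
    """Stand-in for 'the application wrote its file'."""
    return (b"SAVE" + struct.pack("<H", 1) + user.encode().ljust(FIELD_LEN, b"\0")
            + obfuscate(password.encode()) + struct.pack("<I", score))


# --- the analyst's side: only the two snapshots and a known password are used ---
def locate_field(snap_before, snap_after):
    """When only the password changed, the single differing run is the field.
    Use a replacement password as long as the field so the run covers its full
    width; changing one character would reveal only one byte."""
    runs = diff_bytes(snap_before, snap_after)
    if len(runs) != 1:
        raise ValueError("expected exactly one differing run, got %d" % len(runs))
    offset, old, _new = runs[0]
    return offset, len(old)


def recover_xor_key(stored, known_plaintext):
    """Known plaintext defeats constant XOR: key = stored ^ plain at every position."""
    keys = {s ^ p for s, p in zip(stored, known_plaintext)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR")
    return keys.pop()


def read_field(snapshot, offset, length, key):
    return bytes(b ^ key for b in snapshot[offset:offset + length]).rstrip(b"\0").decode()


def write_field(snapshot, offset, length, key, value):
    """Patch the file bytes directly, bypassing the application."""
    field = bytes(b ^ key for b in value.encode().ljust(length, b"\0"))
    return snapshot[:offset] + field + snapshot[offset + length:]


def demo():
    before = make_save("alice", "hunter2", 1234)            # snapshot
    after = make_save("alice", "zzzzzzzzzzzzzzzz", 1234)    # same file, new 16-char password
    offset, width = locate_field(before, after)
    key = recover_xor_key(before[offset:offset + 7], b"hunter2")
    patched = write_field(before, offset, width, key, "letmein")
    return {"offset": offset, "changed_bytes": width, "key": key,
            "patched_password": read_field(patched, offset, width, key),
            "rest_untouched": (patched[:offset] == before[:offset]
                               and patched[offset + width:] == before[offset + width:])}


if __name__ == "__main__":
    print(demo())
```

Two details carry over to real targets: the width the diff reports is only as wide as the change you provoked, so grow the test value until the run stops growing, and a diff that shows more than one run (a checksum, a timestamp, a length field) is itself information about the format, not noise to be discarded.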



What Is “Sniffing?”
sniff (snf)
v. sniffed, sniff·ing, sniffs.
v. intr.
1. a. To inhale a short, audible breath through the nose, as in smelling
something.
b. To sniffle.
2. To use the sense of smell, as in savoring or investigating: sniffed at the
jar to see what it held.
3. To regard something in a contemptuous or dismissive manner: The
critics sniffed at the adaptation of the novel to film.
4. Informal. To pry; snoop: The reporters came sniffing around for more
details.
As the above definitions describe, the word sniffing has a number of meanings.
While we believe that hackers are known to generate irritating sniffling
noises, sniff at jars to determine their contents, and especially sniff in contempt,
we are really interested in the last meaning: the process of prying or
snooping.
How Is Sniffing Useful to an Attacker?
Sniffing is a method by which an attacker can compromise the security of a
network in a passive fashion. A sniffer, in network security circles, refers to a
program or tool that passively monitors a computer network for key information
that the attacker is interested in. In most cases, this information is
authentication information, such as usernames and passwords, by which to
gain access to a system or resource.
How Does It Work?
Normally, a system's network card will only receive packets destined to its specific
network address (its MAC (Media Access Control) address), plus broadcast and
subscribed multicast frames; all other packets are discarded by the card itself.
Network cards, however, support a mode known as "promiscuous mode," which
makes them accept every frame that reaches them regardless of the destination
MAC. It is this mode that a sniffer uses to view all traffic. The sniffer, via an
interface to the network card, places the card into promiscuous mode, and from
that point on every frame that reaches the card is passed up to the host for the
sniffer to read. Promiscuous mode only admits what physically reaches the card:
on a shared-medium (hub) network that is all traffic on the segment, whereas a
switch forwards unicast frames only to the port they belong to, so a sniffer there
sees broadcasts and its own traffic unless the switch can be coerced as well (for
example by MAC flooding or ARP poisoning).
Most operating systems, with a few important exceptions, provide an interface
by which a user-level program has the ability to turn on promiscuous
mode, and then read packets at this layer. This interface bypasses the operating
system’s TCP/IP stack, passing Ethernet (or other link layer packets) up
to the application. Most UNIX operating systems provide a standard interface
to accomplish this. Windows-based operating systems, however, require a
kernel-level packet driver, as the operating system provides no standardized
method to interface with this level of the networking layer.
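As an added example (not from the original chapter or the blog author), the following Python decodes one Ethernet/IPv4/TCP frame the way a sniffer does once the frame has been captured, and pulls an FTP username and password out of the payload. The frame, the MAC and IP addresses and the credentials are constructed inline; capture itself (libpcap on UNIX, a packet driver on Windows) is outside the example. The would_nic_deliver check shows why promiscuous mode is needed: the frame is addressed neither to the sniffing host's MAC nor to broadcast, so a card in normal mode would never hand it up.

```python
"""What a sniffer sees: decode a raw Ethernet/IPv4/TCP frame and pull out
plaintext credentials. The frame is constructed here; on a live system the
bytes would come from libpcap or a raw socket on a promiscuous interface."""
import socket
import struct

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words; a valid header sums to zero."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet + IPv4 + TCP (PSH,ACK) frame carrying payload.
    The TCP checksum is left at zero; this parser does not verify it."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    fields = [0x45, 0, total_len, 0, 0, 64, 6, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip = struct.pack("!BBHHHBBH4s4s", *fields)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def would_nic_deliver(frame, our_mac):
    """Outside promiscuous mode the card keeps only frames addressed to its own
    MAC, the broadcast MAC, or a multicast group (low bit of the first octet)."""
    dst = frame[:6]
    return dst == our_mac or dst == b"\xff" * 6 or bool(dst[0] & 1)


def parse_frame(frame):
    """Addressing, TCP flags and payload of an IPv4/TCP frame, else None."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    payload = tcp[(off_flags >> 12) * 4:]
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "payload": payload,
    }


def extract_credentials(payload):
    """FTP, POP3 and friends send 'USER name' / 'PASS secret' in the clear."""
    creds = {}
    for line in payload.decode("ascii", "replace").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("USER", "PASS"):
            creds[verb.upper()] = arg
    return creds


# Constructed addresses: the sniffing host is neither endpoint of the conversation.
OUR_MAC = bytes.fromhex("0200000000aa")
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")


def demo():
    frame = build_frame(CLIENT_MAC, SERVER_MAC, "192.168.1.10", "192.168.1.20",
                        40123, 21, b"USER alice\r\nPASS s3cret\r\n")
    pkt = parse_frame(frame)
    return {
        "delivered_without_promisc": would_nic_deliver(frame, OUR_MAC),
        "conversation": f"{pkt['src_ip']}:{pkt['sport']} -> {pkt['dst_ip']}:{pkt['dport']}",
        "flags": pkt["flags"],
        "ip_checksum_ok": pkt["ip_checksum_ok"],
        "credentials": extract_credentials(pkt["payload"]),
    }


if __name__ == "__main__":
    print(demo())
```

The decoder reads the IP header length from the IHL field and the TCP header length from the data-offset field rather than assuming 20 bytes each; a parser that hard-codes those offsets is exactly the kind that attackers feed options-laden packets to in order to desynchronise it.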

What It Means to Spoof
Merike Kaeo, in Designing Network Security, defines spoofing attacks as “providing
false information about a principal’s identity to obtain unauthorized
access to systems and their services.” She goes on to provide the example of a
replay attack, which occurs when authentication protocols are weak enough to
allow a simple playback of sniffed packets to provide an untrusted user with
trusted access. Merike’s definition is accurate, but certain clarifications should
be made to accurately separate spoofing attacks from other, network-based
methods of attack.
Spoofing Is Identity Forgery
The concept of assuming the identity of another is central to the nature of the
spoof. The canonical example of spoofing is the IP spoofing attack: Essentially,
TCP/IP and the Internet trust users to specify their own source address when
communicating with other hosts. Much like the return address we write on a
letter we mail through the Postal Service, it is up to the sender of any given
message to decide what source address to put on it; nothing in the packet
proves that the address is genuine. Should the sender use a falsified source
address, any reply goes to that falsified address rather than to the sender. As
we have seen in Chapter 10, "Session Hijacking," and as we will see in this
chapter, this is very often not a problem for the attacker, who may not need
the reply at all.
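Because the sender chooses the source address, a forged source can only be caught by a device that knows which addresses legitimately sit behind each of its interfaces: ingress filtering, as described in BCP 38. The Python below is an added example (not from the book or the blog author) with a constructed three-interface topology and constructed sample records; the interface names, the prefixes and the bogon list are assumptions made for the example.

```python
"""Ingress filtering in the spirit of BCP 38: a border device drops packets
whose claimed source address could not legitimately arrive on the interface
that received them. Topology and records are constructed for this example."""
from ipaddress import ip_address, ip_network

# Which prefixes legitimately sit behind each interface. None marks the upstream
# side, where anything may appear except our own prefixes and bogons.
INTERFACE_PREFIXES = {
    "lan0": [ip_network("192.168.1.0/24")],
    "lan1": [ip_network("10.10.0.0/16")],
    "wan0": None,
}
OUR_PREFIXES = [p for v in INTERFACE_PREFIXES.values() if v for p in v]
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def ingress_verdict(iface, src):
    """Return ('accept' | 'drop', reason) for a packet with source src on iface."""
    src = ip_address(src)
    allowed = INTERFACE_PREFIXES[iface]
    if allowed is None:
        # Upstream-facing: the one thing an outsider must never claim is to be us.
        if any(src in p for p in OUR_PREFIXES):
            return "drop", "external packet claims an internal source"
        if any(src in p for p in BOGONS):
            return "drop", "bogon or private source arriving from upstream"
        return "accept", "plausible external source"
    # Inside-facing: a host here can only legitimately speak as its own prefix,
    # which is what stops it launching smurf or SYN floods in someone else's name.
    if any(src in p for p in allowed):
        return "accept", "source belongs to this interface"
    return "drop", "source is not reachable through this interface"


def filter_records(lines):
    """Apply the rule to 'iface src' records (constructed format); returns the
    dropped records with reasons and the number accepted."""
    dropped, accepted = [], 0
    for line in lines:
        iface, src = line.split()
        verdict, reason = ingress_verdict(iface, src)
        if verdict == "drop":
            dropped.append((line, reason))
        else:
            accepted += 1
    return dropped, accepted


SAMPLE = [
    "lan0 192.168.1.10",   # normal outbound
    "lan0 10.0.0.5",       # LAN host forging another network's address
    "lan1 10.10.3.4",      # normal
    "wan0 198.51.100.1",   # normal inbound
    "wan0 192.168.1.77",   # outsider pretending to be one of ours
    "wan0 127.0.0.1",      # bogon
]

if __name__ == "__main__":
    dropped, accepted = filter_records(SAMPLE)
    print("accepted:", accepted)
    for line, reason in dropped:
        print("dropped:", line, "->", reason)
```

The rule is cheap because it needs no state, only the routing knowledge the device already has; it does nothing against a forged source drawn from the attacker's own prefix, which is why it is deployed as close to the edge as possible, where each prefix is small.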

News of 2005

October 13, 2005
Alaska gets $7m security upgrade after major attack
Government technology
State & Local Govt
Network security
Justice
DHS
In January, cyberattackers waltzed through over 100 Alaska state computers, datamining for personally identifiable information that could be used for identity theft. According to state officials, nothing was taken. But the breach was big enough to bring the FBI and the Dept. of Homeland Security onto the case.
That attack, even though it was unsuccessful, has prompted a $7 million security upgrade, the
Alaska Daily News reports. "It was kind of a wake-up call," allows an official from the state's Dept. of Administration.
It seems Alaska needed a little waking up because a month after the attacks officials were claiming everything was A-OK. In a
February Daily News article by reporter Sean Cockerham, IT officials refused comment and did not alert the state Legislature.
[State Rep. Pete] Kott said the department was slow in letting the Legislature know about the problem. He said his office got wind of it and had to call state officials and ask what was going on.
"They were shocked that we even knew about it," Kott said Wednesday.
Stan Herrera, the state's director of enterprise technology services, said Tuesday that he was unaware of an FBI investigation.
Apparently they received recommendations from DHS' Computer Emergency Readiness Team but refused to release the report under instructions from DHS.

September 22, 2005
Top 10 ways to protect DNS
Government technology
Network security
Here's "ten things you should know about securing DNS" - a network vulnerability point hackers love to attack - courtesy of TechRepublic.
Use DNS forwarders
Use caching-only DNS servers
Use DNS advertisers
Use DNS resolvers
Protect DNS from cache pollution
Enable DDNS for secure connections only
Disable zone transfers
Use firewalls to control DNS access
Set access controls on DNS registry entries
Set access controls on DNS file system entries
Read the full article at TechRepublic.

September 27, 2005
FBI's "right" to pick your Internet apps
Government technology
Networking
VoIP
Law enforcement
Regulations
Justice
On Cnet's VOIP Blog, Declan McCullagh points to an "obscure policy document" (PDF) released late last Friday, in which the FCC quietly gives the FBI the right to approve or disapprove of what applications people use. One of the four principles this document announces says, "Consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement."
Says Declan:
The FCC didn't offer much in the way of clarification. But the clearest reading of the pronouncement is that some unelected bureaucrats at the commission have decreed that Americans don't have the right to use software such as Skype or PGPfone if it doesn't support mandatory backdoors for wiretapping. (That interpretation was confirmed by an FCC spokesman on Monday, who asked not to be identified by name. Also, the announcement came at the same time as the FCC posted its
wiretapping rules for Internet telephony.)
Nowhere does the commission say how it jibes this official pronouncement with, say, the First Amendment's right to speak freely, not to mention the
limited powers granted the federal government by the U.S. Constitution.
What's also worth noting is that the FCC's pronunciamento almost tracks the language of the 1996 Telecommunications Act. Almost.
But where federal law
states that it is the policy of the United States to preserve a free market for Internet services "unfettered by federal or state regulation," the bureaucrats have adroitly interpreted that to mean precisely the opposite of what Congress said. Ain't that clever?
The rest of the principles the FCC announced:
To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to access the lawful Internet content of their choice.
To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to connect their choice of legal devices that do not harm the network.
To encourage broadband deployment and preserve and promote the open and interconnected nature of the public Internet, consumers are entitled to competition among network providers, application and service providers, and content providers.

Black^^Bird

Email me : yehiamamdouh@yahoo.com

or call me egypt / cairo : 6377002