
Through the Eye of a Hacker
Risk & Insurance Magazine - October 15, 2000
By Lori Widmer

A savvy hacker can find his way around just about any security measure your company has taken to protect your e-business interests. Here is an inside look at what vulnerabilities hackers look for.

Think your e-business is safe from an online attack? Think again. Fraud on the Internet is anywhere from 3 to 50 times larger than it is in the brick-and-mortar world.

According to statistics from eHNC, a San Diego-based subsidiary of HNC Software Solutions, an estimated $600 million in goods will be stolen from online retailers this year.

With this in mind, Risk & Insurance talked with four hackers through separate e-mail exchanges for their insight about hacking, cracking, and e-commerce security. The hackers have chosen to remain anonymous and go by the names Sir Dystic, Samarac, Genocide, and Tazinator. They are affiliated with the online hacking community and, in the case of Genocide and Tazinator, even work in the computer security industry. Here, they offer readers an inside look at what vulnerabilities cyber-attackers target on e-business Web sites.

What makes a Web site an easy target?

Samarac: Sometimes it’s not so much the site's security or lack of security. It’s just because the person can, unfortunately. Sometimes the greater the risk, the greater the challenge, the more susceptible a site may be. It’s cyber-bungee jumping. Sometimes it’s because a company said it was impenetrable. Sort of the “forbidden fruit” concept.

Tazinator: A site is easy to get into if the system administrators are not knowledgeable in tightening security. For example, if the target machine is running Windows NT or 2000 for its operating system, an uneducated administrator may enable a guest account. This allows anyone to log into the machine and, even though it is an account that allows for minimal tasks to be performed, it can allow for exploits to be run remotely, thus allowing the attacker to gain administrator rights. This guest account issue is not just with Windows, as it can apply to a Unix or Linux machine in similar aspects as well. Other things that make it easy to gain access to a machine are that the system administrator may not perform routine or necessary updates to the operating system or to the applications running on the target machine. Many times companies hire administrators who only know the bare minimum. Updates and patches are things that can go overlooked or unknown for a long period of time, sometimes even until a more knowledgeable administrator or user comes along and raises the issue. In cases such as this, older, more known security holes can provide a means for an attacker to gain access.

Sir Dystic: One of the things I see happen all the time that nobody in the corporate world has been talking about is people on relatively secure networks who have laptops that they take from work, from their secure network, and bring home and put it on their cable modem or DSL network where it sits there completely unprotected. Because the network at the corporate level is more secure, the individual machine is less likely to be secure because there's this assumption that it's on a protected, private network. Once it's on a DSL or cable modem connection, people can do whatever they want with it.

What weaknesses do you look for in a site?

Genocide: In one word, services. Anything that serves or awaits a connection on a machine is a potential vulnerability. A machine that sits there with no need for external communication is essentially secure except to physical penetrations, meaning that services or programs that are required to run externally are equivalent to doors. The hack comes from finding the key.

Another site that might be an attractive target is one that is on the same network as you are. If you are within a corporate network and all its computers are on hubs to allow them to communicate with each other, then we might run what's called a "sniffer," which allows us to peek at some of the data streams currently zipping around the network. This allows us to gain logins, passwords, e-mail - pretty much anything that is not encrypted.
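What a sniffer on a hubbed segment actually recovers is easiest to see by parsing a few frames. The following is an added example, not code from the interviewees or from the magazine: it builds a handful of constructed Ethernet/IPv4/TCP frames (no real capture is involved), decodes the headers with struct, and pulls USER/PASS pairs out of protocols that send credentials in the clear. The port-to-protocol table and the sample addresses are assumptions for the demonstration; a real sniffer would read raw frames from an interface in promiscuous mode and would also have to handle IP options, VLAN tags and IPv6, which are left out here.

```python
import socket
import struct

# Header layouts for the minimal (option-free) case; a real sniffer also handles
# VLAN tags, IP options and IPv6, which are left out of this example.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, data offset, flags, window, csum, urg

# Ports of protocols that carry credentials unencrypted (assumed set for this example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame carrying `payload`.
    Checksums are left zero: this stands in for a captured frame and is never sent."""
    tcp = TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = IPV4_HDR.size + len(tcp)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, 0x0800) + ip


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    ethertype = ETH_HDR.unpack_from(frame, 0)[2]
    if ethertype != 0x0800:                       # not IPv4
        return None
    off = ETH_HDR.size
    ip = IPV4_HDR.unpack_from(frame, off)
    ver_ihl, total_len, proto = ip[0], ip[2], ip[6]
    if ver_ihl >> 4 != 4 or proto != 6:           # not IPv4, or not TCP
        return None
    off += (ver_ihl & 0x0F) * 4                   # skip header plus any options
    if len(frame) < off + TCP_HDR.size:
        return None
    tcp = TCP_HDR.unpack_from(frame, off)
    data_off = (tcp[4] >> 4) * 4
    payload = frame[off + data_off : ETH_HDR.size + total_len]
    return (socket.inet_ntoa(ip[8]), socket.inet_ntoa(ip[9]), tcp[0], tcp[1], payload)


def extract_credentials(frames):
    """Reassemble USER/PASS pairs from cleartext logins, the way a sniffer on a hub would.
    Returns a list of (protocol, client_ip, server_ip, user, password)."""
    pending = {}   # (client, server, port) -> username seen, awaiting its PASS
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport not in CLEARTEXT_PORTS:          # TLS, SSH etc. stay opaque to the sniffer
            continue
        key = (src, dst, dport)
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[key] = arg
            elif cmd.upper() == "PASS" and key in pending:
                found.append((CLEARTEXT_PORTS[dport], src, dst, pending.pop(key), arg))
    return found


# Constructed traffic for the example (not a real capture): a POP3 login split over two
# segments, an HTTPS record that stays opaque, and an FTP login in one segment.
SAMPLE_FRAMES = [
    build_frame("192.168.1.20", "192.168.1.2", 40001, 110, b"USER alice\r\n"),
    build_frame("192.168.1.20", "192.168.1.2", 40001, 110, b"PASS hunter2\r\n"),
    build_frame("192.168.1.21", "192.168.1.3", 40002, 443, b"\x16\x03\x01\x00\x2f\x01"),
    build_frame("192.168.1.22", "192.168.1.2", 40003, 21, b"USER bob\r\nPASS letmein\r\n"),
]

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FRAMES):
        print(hit)
```

The HTTPS frame goes through the same parser but yields nothing usable, which is the practical point of the passage: on a shared segment, every protocol that is not encrypted end to end hands its credentials to whoever is listening, and the fix is to move those logins to encrypted protocols rather than to trust the wire.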

Samarac: We may look for inconsistencies in checks, holes in firewalls and other network securities, back doors through programs, or simply poor programming.

Tazinator: When someone targets a server on the Web, the most common thing to do is research a bit on it before trying to gain access right away. An attacker will find out what type of operating system that machine is running, what kind of remote access privileges it is most likely to provide, if the host machine has a guest account enabled, and what the machine's role is, such as a Web server, mail server, etc. After all that is determined, an attacker will usually try to use some exploitable security hole in the operating system or application running on the targeted machine to gain root or administrator rights. Security information is readily available to the public at sites such as www.securityfocus.com and www.rootshell.com, as well as the L0pht site (www.L0pht.com).

Another commonly used method of gaining access to a system is to brute force the login credentials. This is simply someone having an automated program running that continuously tries different passwords until it finds one that works.
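Brute forcing leaves a very recognisable trail in the authentication log, and a short detector over that log is the defender's side of the method Tazinator describes. The following is an added example, not code from the interviewees or the magazine. It parses constructed sshd-style syslog lines (made up for the example, not taken from a real host; the year is assumed because syslog timestamps omit it), keeps a sliding window of failed logins per source address, and raises an alert when the window fills or when a success follows a run of failures. The threshold and window length are assumptions a practitioner would tune to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (syslog style). These lines were written for the example
# and are not from a real system.
SAMPLE_LOG = """\
Oct 15 02:14:01 web01 sshd[4120]: Failed password for root from 10.9.8.7 port 41022 ssh2
Oct 15 02:14:03 web01 sshd[4121]: Failed password for root from 10.9.8.7 port 41023 ssh2
Oct 15 02:14:04 web01 sshd[4122]: Failed password for admin from 10.9.8.7 port 41024 ssh2
Oct 15 02:14:06 web01 sshd[4123]: Failed password for root from 10.9.8.7 port 41025 ssh2
Oct 15 02:14:07 web01 sshd[4124]: Failed password for root from 10.9.8.7 port 41026 ssh2
Oct 15 02:14:09 web01 sshd[4125]: Accepted password for root from 10.9.8.7 port 41027 ssh2
Oct 15 02:30:00 web01 sshd[4200]: Failed password for alice from 192.168.1.5 port 50001 ssh2
Oct 15 02:45:00 web01 sshd[4201]: Accepted password for alice from 192.168.1.5 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2000):
    """Return (timestamp, result, user, ip) for a password-auth line, else None.
    `year` is assumed because syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector: alerts per source IP when `threshold` failures land
    inside `window_seconds`, and when a success follows recent failures (the case
    that matters most, because it means the guessing worked)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:        # other sshd messages, noise
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures that have aged out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:   # fire once when the window first fills
                alerts[ip].append(
                    f"{threshold} failed logins within {window_seconds}s (last user {user!r})")
        else:
            if q:
                alerts[ip].append(
                    f"successful login as {user!r} after {len(q)} recent failures")
            q.clear()             # a success resets the window for that source
    return dict(alerts)


if __name__ == "__main__":
    for ip, msgs in detect_bruteforce(SAMPLE_LOG).items():
        for msg in msgs:
            print(f"{ip}: {msg}")
```

In the sample, 10.9.8.7 trips both alerts (five failures in eight seconds, then a success as root), while alice's single typo fifteen minutes before a clean login produces nothing. The complementary control on the server side is rate limiting or lockout per source, so that the "automated program running continuously" the answer describes stops getting attempts at all.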

How easy is it?

Samarac: That depends on the site and the cracker. Some are easier than others. But if a group can get into the Pentagon, do you really think anything's completely impenetrable if someone wants to badly enough?

Genocide: Very easy. Not all system administrators are as anal as they should be. If an administrator doesn't keep up with mailing lists for the software they run or keep up with the new attacks (they can usually find the attack and fix it on the same site: www.packetstorm.securify.com) and only run services that they absolutely need, then they are asking for it.

Tazinator: Honestly, if the system is not secured properly, it's incredibly easy. To give you an example, most hackers refer to the unskilled self-proclaimed hackers as "Script Kiddies." These are the people who don't know much about security and can still gain access to systems by simply executing a series of predefined commands on their machine. They download scripts and programs that exploit security holes and do nothing more than execute them.

Sir Dystic: It's quite easy. The fact is that if someone wants to target a specific system, it's incredibly hard to keep them out. The main reason for that is that humans have to be able to use these systems, so there are going to be mistakes and things that the system does to make it easier for those humans to use it. My favorite is saving passwords. You run a program and there's a little check box that lets you save the password. It's an incredibly bad idea. It means that the password can be retrieved later by any program that's running on that computer.

Are there favorite methods of hacking into a site?

Samarac: It is important to make sure the terms "hackers" and "crackers" are not used in the same context. (Ed. note - according to those we spoke with, a hacker is a computer expert; a cracker is someone who exercises malicious intent.) Hackers don't have a preferred method. Crackers, however, once in at a high level, could then either continue to use that account (and a password capture utility would almost be a must at that point) or create a hidden shell account with comparable levels of security clearance that would involve either knowing the target (and thus being able to guess a password) or setting up some kind of password-trapping mechanism within a utility program or backgrounded task.

Genocide: The first thing that nearly every attacker does is portscan. They want to see what services are running and what versions they are. With a portscan, they are in essence performing a sweep of the computer from the outside and seeing what holes there could be to the inside.
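The portscan Genocide describes is a TCP connect() to each port of interest, followed by reading whatever the service says first, since the greeting usually names the software and version the attacker then looks up. The following is an added example, not code from the interviewees or the magazine. It scans loopback only: two throwaway listeners with invented banners stand in for real daemons so the whole thing runs offline, and the closed port is found by binding and releasing one. A real scan would target another host and, in practice, would also try to spot ports that are filtered (timeout) rather than closed (refused), which this version lumps together.

```python
import socket
import threading


def start_listener(banner):
    """Start a throwaway TCP service on 127.0.0.1 that greets each client with `banner`
    and hangs up. It stands in for a real daemon so the scan can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick a loopback port nothing is listening on (bind, read back, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan(host, ports, timeout=0.5):
    """TCP connect() scan with banner grab.
    Returns {port: banner} for every port that accepts a connection; the banner is
    the empty string when the service says nothing first (HTTP-style protocols)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                    # refused, filtered or timed out: not open
            s.close()
            continue
        try:
            banner = s.recv(256)
        except OSError:                    # open, but silent within the timeout
            banner = b""
        finally:
            s.close()
        results[port] = banner.strip().decode("ascii", "replace")
    return results


def demo():
    """Bring up two fake services, scan them plus a closed port, return what was seen.
    The banners are invented for the example."""
    _ssh, ssh_port = start_listener(b"SSH-1.99-OpenSSH_2.1.1\r\n")
    _smtp, smtp_port = start_listener(b"220 mail.example.test ESMTP Sendmail 8.11.0\r\n")
    closed = find_closed_port()
    results = scan("127.0.0.1", sorted({ssh_port, smtp_port, closed}))
    return results, ssh_port, smtp_port, closed


if __name__ == "__main__":
    results, *_ = demo()
    for port, banner in sorted(results.items()):
        print(f"{port}/tcp open  {banner}")
```

Every probe here completes the TCP handshake, so it shows up in the target's connection logs and in any intrusion detection system watching the segment; that visibility is exactly why the sweep is also the first thing a defender should expect to see before an attack.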

Tazinator: There is always a way into any system if it is connected to the outside world. The trick is finding what way is easier for the person seeking to gain access. The most common methods for entry from my experiences would have to be exploiting known security holes and brute force entry. If I had to list a third common entry method, I would have to say social engineering. That is another good method although not 100 percent reliable as it requires some conniving to get the administrator or someone who already has access to the targeted system to believe you are someone who should have access.

How do you use site A to break into site B?

Genocide: I assume you mean as a relay. This is often one of the safer methods of hacking. You use a site of which you have full control (and full run of the log files on) to employ your recon before the attack, which would be the portscans and the target identification. Actually, if you are able, you can launch your attack on the end target site and, with new American laws, the people who host that intermediary site that you originally hacked could be held liable for not securing their server.

Tazinator: Ghosting or hopping is simply gaining access to one machine and using it to perform the tasks necessary to gain access to another machine. It's basically like using another workstation remotely to do the same things you could do on your own machine. The benefit to this is that if there is a high risk of being caught trying to get access to one machine, it would make it harder for the administrators or authorities to pinpoint exactly where the attack is coming from.

What makes a site more difficult to get into?

Tazinator: Having a knowledgeable system or security administrator who keeps up on the latest security issues surrounding the systems he or she maintains, as well as knowing what points are possibly vulnerable to outside attackers, and making efforts to secure those points as much as possible. Most good companies will hire hackers to be their security people because who better to keep unwanted persons out of a system than someone who knows how to gain entry?

Samarac: I believe the more firewalls a site has, the more challenging it may be. Password-protected sites that use letter and number combinations are more difficult to crack. 128-bit encryption is extremely difficult to work with. Some (crackers) may choose to work in groups to divide the responsibility or do multiple attacks. I believe most people would be more likely to choose not to bother with a site that was well protected 24 hours by live people who keep close tabs on their site's security. Sites that would take an extremely long time to crack would be more likely to cause the cracker to lose interest... at least for a while.

What does a cracker look for once he/she is in?

Samarac: Once a cracker is in, they may be after information, files containing credit card numbers, or just to change the site for a not-so-practical practical joke.

Tazinator: Other times, the goal can be for information-gathering purposes only. If so, the person may simply look around until something piques interest.

Also, there are times when the attack is simply to prove to the administrator of the system that there is a hole. True hackers will simply gain access, then try to assess what kind of rights they managed to acquire, then disconnect from the remote machine and write the admin on what they did to get entry and what measures could be taken to prevent other people from doing the same thing later.

Genocide: I would look for poorly written code that is being run by a high level process. A lot of these programs, once crashed, will yield a root shell. Then the trick becomes to crash them, which can usually be done by passing too much information to the program (that reads the information); then it overflows, crashing to a shell.

How would you protect your site?

Samarac: First of all, I would not recommend bragging about how great my security is. Greatness speaks for itself, without bravado, and word-of-mouth does the rest. Bragging only opens a large target upon the site.

There are several programs available to monitor sites to let people know if someone is trying to get in. Several alarms can be set up that can be inadvertently tripped while a cracker is trying to gain access, especially one who's not being very cautious. Finally, encrypt any important files, or do not store any important files such as credit card numbers for longer than 24 hours.

Sir Dystic: Policy is the most important thing. Having the right software, all the typical stuff - firewalls, intrusion detection systems, auditing systems - having people who are competent enough to use those are important, too. And don't just check it once. Have your security checked constantly. There's constantly new vulnerabilities being discovered.

What advice would you give to e-business owners to help them avoid a break-in?

Samarac: Avoid going online via public Internet. Use LAN networking for anything that would carry sensitive material and keep those lines running at levels that would be very cost-prohibitive for non-business people to afford the equipment to connect to them.

Genocide: Firewall, intrusion detection, updating software versions, securing personal access and running only what needs to be run in the way of services would be an excellent start.

The firewall blocks traffic or can route traffic to your internal network. The intrusion detection software (www.snort.org) can watch for packets that could be malicious and warn the system administrator of an impending attack.

Updating your software can mean the difference between having a program that is exploitable to gain access and having a program that is only useful in its originally intended method. Securing access on the user level is a very important one that usually keeps the honest people honest.

Tazinator: For starters, if you're going to hire a systems administrator, try to locate one who has good experience with computer security. Basic system admins are a dime a dozen. Good, experienced administrators, however, are rare. When interviewing for the job, administer a basic test of sorts or ask some questions regarding computer security.

Another key to keeping a system secure is keeping things up-to-date. Keep an eye on the news regarding the operating system your machines run and the applications they use. If there is an update available, read up on it and see what security flaws it fixes. Keep in mind, however, that with every update you make, new holes can be created, so be sure to read up on the updates.

What you need to do when securing a system or network is to try to think of ways you may use to try and gain access. This will help you determine your weak areas and also help you think of possible ways to make them stronger and more secure.


Copyright (c) 2005 HFX International. All rights reserved.