CSIS 343 Exam 1 module 2

Hacktivism

Hacktivism is when hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as themselves, in both the online and offline arenas.

Advanced Administrative Tools

Port scanner Proxy analyzer RBL locator CGI analyzer E-mail verifier Links analyzer Network monitor Process monitor WHOIS System information Resource viewer

Phases of an Attack

Reconnaissance: The attacker gathers information about a target using active or passive means. Scanning: The attacker begins to actively probe the target for vulnerabilities that can be exploited. Gaining access: If a vulnerability is detected, the attacker exploits it to gain access to the system. Maintaining access: Once access is gained, the attacker usually maintains access to fulfill the goal of the attack. Covering tracks: The attacker tries to destroy all evidence of the attack.

Approaches to Ethical Hacking

Remote network: This simulates an attacker launching an attack against the firewalls and filtering routers from an outside network. Remote dial-up network: If the client uses dial-up services, this simulates an attacker launching an attack against an organization's telephone modems, PBX units, fax, and voice mail servers, in coordination with the local telephone company. Local network: This simulates an employee or other authorized person who has an authorized connection to the organization's network. This will test the client's security firewalls, internal Web servers, and other security mechanisms. Stolen equipment: Many company employees keep sensitive data on their portable devices, such as laptop computers and PDAs. The ethical hacker will try to extract the data from these devices, and even try to remotely access private servers with stolen credentials. Social engineering: Perhaps the most difficult attack to avoid, this evaluates the integrity and awareness of a target organization's personnel. As mentioned earlier in this chapter, this attack involves the hacker calling, e-mailing, or otherwise communicating with real people inside the client's organization, and using information gained through other means to try to gain more information. For instance, the ethical hacker might call the client's IT department, pretending to be an employee who forgot his or her password. If the hacker has enough other information, he or she may be able to fool the employee into resetting the password. The only way to guard against this is to make sure all employees understand the importance of security. Physical entry: This test checks the client's physical entry security policies. This includes checking security guards, reception areas, access controls, and surveillance equipment.

cognitive hacking

Single-source cognitive hacking: This occurs when information is read, but the accuracy of the information cannot be verified. Multiple-source cognitive hacking: This occurs when there are several sources for a piece of information and its accuracy is debatable.

Application-Level Attacks

Software developers are often under intense pressure to meet deadlines, and this can mean they do not have sufficient time to completely test their products before shipping them, leaving undiscovered security holes. This is especially troublesome in newer software applications that come with a multitude of features and functionalities, making them increasingly complex. As with operating systems, more complexity means more opportunities for vulnerabilities. Security is not always a high priority to software developers, and is frequently delivered as an "add-on" component after release. This means that not all instances of the software will have the same level of security. Error checking in these applications can be very poor (or even nonexistent), which leads to buffer overflow attacks.

Can Hacking Be Ethical?

The noun hacker refers to a person who enjoys learning the details of computer systems and stretching his or her capabilities. The verb hacking describes the rapid development of new programs or the reverse-engineering of already existing software to make it better or more efficient in new and innovative ways. The terms cracker and attacker refer to a persons who employ their hacking skills for offensive purposes. The term ethical hacker refers to security professionals who employ their hacking skills for defensive purposes.

Security Assessment

The process of security assessment involves the following: Information gathering Footprinting Targeting Fingerprinting Vulnerability discovery Penetration testing

Assurance

There are several aspects to security, and the owner of a system should have confidence that the system will behave according to its specifications. This is called assurance.

Why Hackers Need Vulnerability Research

To identify and correct network vulnerabilities To protect the network from being attacked To get information that helps to prevent security issues To gather information about viruses and malware To find weaknesses in the network and to alert the network administrator before a network attack To know how to recover from a network attack

resource record (RR)

information about specific server functions listed in the DNS registry database

three-way handshake

the method that TCP uses to establish communications between two hosts

competitive intelligence gathering

the process of accumulating information from resources such as the Internet that can later be analyzed as business intelligence Data gathering Data analysis Information verification Information security

ICMP scanning

the process of determining which systems on a network are up using ICMP (Internet Control Message Protocol) packets

tracerouting

the process of following a given network route taken by an information packet

footprinting

the process of gathering information about network systems and computers on those systems to look for possible entry points for an attack

passive information gathering

the process of gathering information in such a manner as to not alert the target that he or she is being observed; gathering information from company Web sites, SEC information, and company annual statements are examples of this

ping sweep

the process of scanning a network for live hosts

network scanning

the process of scanning for active hosts on a network

port scanning

the process of scanning for open ports and services to determine the systems and services that are running on a computer

scanning

the process used by hackers to gather information about potential target systems

Conduct Phase

but the two most common approaches are the limited vulnerability analysis and attack and penetration testing.

Scanning Methodology

1. Check for live systems: An attacker may start with the objective of checking for live systems in the network. 2. Check for open ports: After the live systems are found, the attacker will look for open ports to determine which services are running on the systems. This can be a vital step, because some services may be of a much higher priority from the attacker's point of view. 3. Fingerprint the operating system: The next phase involves fingerprinting the operating system by figuring out the target's network layout. 4. Scan for vulnerabilities: Identification of the vulnerabilities in the target's OS is the next step. The hacker may try to exploit these vulnerabilities during an attack. 5. Probe the network: The attacker may also choose to actively probe the network or silently monitor its traffic. This can be accomplished by the use of proxies (which will be dealt with later in the chapter). The technique of anonymous surfing makes it hard to trace this activity to the attacker.

vulnerability

A security weakness in a target of evaluation (e.g., due to failures in analysis, design, implementation, or operation) Weakness in an information system or components (e.g., system security procedures, hardware design, or internal controls) that could be exploited to produce an information-related misfortune The presence of a weakness, design error, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system, network, application, or protocol involved

Threat

A threat is an action or event that might compromise security. As a simple example, paper is vulnerable to being burned or destroyed by fire.

The Security, Functionality, and Ease of Use Triangle

A triangle for doing cool stuff

Attack

An attack is a deliberate assault on that system's security. Attacks can be broadly classified as active and passive.

Exploit

An attacker gains access to a system through exploiting a vulnerability in that system. An exploit is a specific way to breach the security of an IT system through a vulnerability.

Hacker Classes

Black hats use their computer skills for illegal or malicious purposes. This category of hacker is often involved with criminal activities and is sought by law enforcement agencies. On the other hand, white hats use their hacking ability for defensive purposes. White hats include security analysts who are knowledgeable about hacking countermeasures. Gray hats believe in full disclosure. They believe that information is better out in the open than kept in secret, and the average person will make good use of that information rather than abuse it. Suicide hackers are hacktivists who are willing to become martyrs for their causes. They attempt to sabotage large-scale infrastructures and are fully willing to accept any consequences of their actions.

The Needs of the Client

Clients will often prefer a limited vulnerability analysis because they do not want to lose any data or risk any unintended damage. The ethical hacker should communicate to the client that, yes, there are some inherent risks in undertaking an attack and penetration test, including staff confusion, accidental damage to network devices, system crashes, bandwidth consumption, denials of service, and other damages similar to the consequences of a real attack. Because of these risks, it is often preferable to conduct these simulations after hours, during weekends, or during holidays.

Computer Crimes and Implications

Crimes facilitated by use of a computer: A computer is used to store, manipulate, and distribute data related to the criminal activity. This may include information related to terrorist activities, child pornography, and illegal distribution of copyrighted materials. Crimes where the computer is the target: These are attacks against computer systems from unethical hackers. More so than other types of crime, it can be difficult to determine the identity of the criminal, nature of the crime, identity of the victim, location or jurisdiction of the crime, and other details. Electronic data may be used as evidence in a court of law.

Conducting Ethical Hacking

Each ethical hacking assignment has six basic steps: 1. Talk with the client about the importance of security and the necessity of testing. 2. Prepare NDA (nondisclosure agreement) documents and have the client sign them. 3. Prepare an ethical hacking team and create a schedule for testing. 4. Conduct the test. 5. Analyze the results and prepare the report. 6. Deliver the report to the client.

Objectives of Scanning

Detect the live systems running on a network. Discover which ports are open: Based on the open ports, the attacker will determine the best means of entry into the system. Discover the operating system of the target system: This is also known as fingerprinting. The attacker will formulate a strategy based on the operating system's vulnerabilities. Discover the services running/listening on the target system: This gives the attacker an indication of any vulnerabilities (based on the service) that can be exploited to gain access to the target system. Discover the IP addresses of the target system. Identify specific applications or versions of a particular service. Identify vulnerabilities in any of the systems in the network: This can be useful in taking counteractive measures to secure the systems from being probed by attackers.

Misconfiguration Attacks

Even systems that are otherwise very secure can be hacked if they are not configured correctly. System administrators need to be careful when configuring systems, and always know what is running. It is important to create a simple but usable configuration, removing all unnecessary services and software.

Ethical Hackers

Former black hats: This group is composed of reformed attackers. They are well informed about security due to their past actions in attempting to defeat it, and retain access to hacker networks in order to keep up with new developments; however, they may pass along sensitive information to those hacker networks, knowingly or accidentally, thereby putting their clients at risk. White hats: These are independent security consultants working either individually or as a group. They have not been on the attacking side, so they don't have the same experience as the former black hats, but that does not mean that they can't be just as knowledgeable. Most ethical hackers are white hats. Consulting firms: With the increasing demand for third-party security evaluations, consulting firms are becoming more common. These firms can boast impressive talent and credentials, but due diligence must be done in checking up on these firms before hiring them. These firms could very well just be groups of hackers who don't take security seriously, taking assignments just for thrills.

Reusability

Generally, not all resources are available to all users. Having access controls on predefined parameters can help to increase the level of security. Another security aspect, critical at a system's operational level, is reusability or availability. One user or program may not reuse or manipulate objects that another user or program is currently accessing in order to prevent violation of security. Information and processes need to be accurate in order to derive value from system resources. The accuracy and integrity of data play a very important role in creating a secure environment.

Ethical Hacking Deliverables

In the conclusion phase, the ethical hacker creates a detailed report for the client, analyzing the possibility and impact of hacking. Vulnerabilities that were detected are explained in detail, along with specific recommendations to patch them in order to bring about a permanent security solution. The client may also solicit the participation of its employees by asking them for suggestions or observations during the course of the evaluation. The final report should be delivered only in a hard copy, and the client should be urged to keep the report under lock and key, with as few copies as possible and all of them accounted for at all times. For security reasons, all data gathered by the ethical hacker should usually be destroyed after the end of the project. If the client is long term, and more tests will be run in the future, the data can be kept, but it must be encrypted and stored offline.

People Search Services

People search: A user can find a person's phone number, cell phone number, business number, pager number, and even unlisted number by entering that person's name and city. Reverse phone lookup: A user just needs to provide a phone number to get information about the person who has that number, including name, address, and phone service provider. Background check: A user can investigate and view criminal, financial, court, and other records of a given person using the person's name. Social security check: A user can investigate and view criminal, financial, court, and other records of a given person using the person's social security number.

Maltego

Maltego is an online tool for carrying out the initial footprinting of a target network. It can be used to unearth information related to the following: People Groups of people (social networks) Companies Organizations Web sites Internet infrastructure, such as: Domains DNS names Netblocks IP addresses Phrases Affiliations Documents and files

Steganography and Tunneling

Other techniques include steganography and tunneling. Steganography is the process of hiding data in other data, for instance image and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the small amount of extra space in a data packet's TCP and IP headers can be used for hiding information. An attacker can use the compromised system to launch new attacks against other systems or use it as a means of reaching another system on the network undetected. Thus, this phase of attack can turn into another attack's reconnaissance phase.

Shrink-Wrap Code Attacks

Software developers will often use free libraries and code licensed from other sources in their programs. This means that large portions of many pieces of software will be exactly the same, and if vulnerabilities in that code are discovered, many pieces of software are at risk. The problem is that software developers leave the libraries and code unchanged. Developers need to customize and fine-tune every part of their code in order to make it not only more secure, but different enough that the same exploit will not work.

SpiderFoot

Subdomains Affiliates Web server versions Users Similar domains E-mail addresses Netblocks

Accountability

Systems, users, and applications interact with one another in a networked environment. Identification and authentication are means to ensure security in this environment. System administrators or concerned authorities need to be able to know by whom, when, how, and why system resources have been accessed. An audit trail or log files can address this, termed accountability.

TCP communication flags

TCP packet headers that govern the connection between hosts

Ethical Hacking Testing

The actual testing can be performed in several different ways. Depending on how much knowledge of the target system the hacker is given, the approaches fall into one of three categories: white box testing, black box testing, and gray box testing. In black box testing, the ethical hacker is given no prior knowledge or information about a system. This is perhaps the most similar to a true hacking attack, because the ethical hacker will have to perform the reconnaissance phase in the same way as an attacker. The ethical hacker gathers information about the network and the business from as many outside sources as possible, such as Web sites, and media publications, before moving on to social engineering, port scanning, and other hacking strategies. The ethical hacker does everything that a hacker does. On the other hand, in white box testing, the ethical hacker is given full advance knowledge of the system. Ethical hackers will still perform the same penetration testing, but with full access to the client's system design and implementation documentation, which may include listings of source code, manuals, and diagrams. This helps the ethical hacker to form a more structured approach. The ethical hacker will still need to verify the authenticity of the information provided.

target of evaluation

The information resource or asset that is being protected from attacks is usually referred to as the target of evaluation.

Operating System Attacks

Today's operating systems contain many features, making them increasingly complex. These features use additional processes and services, which mean more vulnerabilities for hackers to exploit. Keeping up with the latest patches and hotfixes can be challenging with today's complex networks. Most patches and fixes tend to solve an immediate issue, but do not provide permanent solutions. Attackers are constantly looking for OS vulnerabilities to exploit. System administrators must keep themselves informed of various new exploits, and monitor their networks continuously.

Information-Gathering Methodology

Unearth initial information. Locate the network range. Ascertain active machines. Discover open ports/access points. Detect operating systems. Uncover services on ports. Map the network.

What Is Vulnerability Research?

Vulnerability research can be classified based on: Severity level (low, medium, or high) Exploit range (local or remote)

What Do Ethical Hackers Do?

What can an attacker see on the target system? Normal security checks by system administrators will often overlook several vulnerabilities. An ethical hacker will have to think about what an attacker would see during the reconnaissance and scanning phases of an attack. What can an intruder do with that information? The ethical hacker needs to discern the intent and purpose behind attacks to determine appropriate countermeasures. During the gaining-access and maintaining-access phases of an attack, the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection. Are the attackers' attempts being noticed on the target systems? Sometimes attackers will try for days, weeks, or potentially even months to breach a system. Other times attackers will gain access, but will wait before doing anything damaging, instead taking their time in assessing the potential use of exposed information. During these periods, the ethical hacker should notice and stop the attack.

Exposure

What comprises a breach of security, or an exposure, can vary from one company to another, or even from one department to another. Exposure is loss due to an exploit. Examples of loss include disclosure, deception, disruption, and usurpation.

Active or Passive

When an attacker is using passive reconnaissance techniques, he or she does not interact with the system directly. Instead, the attacker relies on publicly available information, social engineering, and even dumpster diving as a means of gathering information. Active reconnaissance techniques, on the other hand, involve direct interactions with the target system by using tools to detect open ports, accessible hosts, router locations, network mapping, details of operating systems, and applications. Active reconnaissance is usually employed when the attacker discerns that there is a low probability that these reconnaissance activities will be detected.

XYMon

XYMon is a Web-based system and network monitoring solution. It provides a highly scalable, customizable, and easy to maintain system with a small footprint for monitoring the real-time availability of network devices, servers (Windows, UNIX, and Linux), and all network-related services in any IT infrastructure.

TTL (time to live)

a limitation on the number of times a packet can be transmitted

vulnerability scanning

a method used to check whether a system is exploitable by identifying its vulnerabilities

WHOIS

a query protocol for identifying IP addresses and domain names on the Internet

proxy server

a server that is used as an intermediary server between two others

DNS (Domain Name System)

a service that provides a correlation between domain names and IP addresses on a network

Internet Protocol (IP) address

a unique number assigned to every device on a network to allow for network communication (like a cell phone number for computers)

hacker

an expert computer user

internal URL

an intranet site available only to internal company users

Regional Internet Registry (RIR)

an organization that oversees the allocation and assignment of Internet numbers for a region of the world (e.g., ARIN-American Registry for Internet Numbers; RIPE Network Coordination Centre for Europe, Middle East, and Central Asia; APNIC-Asia Pacific Network Information Centre; LACNIC-Latin American and Caribbean Internet Addresses Registry; AfriNIC-African Network Information Center)