One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker. Three classes of intruders are as follows:
· Masquerader – an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
· Misfeasor – a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
· Clandestine user – an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system. Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users. However, there is no way to know in advance whether an intruder will be benign or malign.
An analysis of previous attacks revealed that there were two levels of hackers:
· The high levels were sophisticated users with a thorough knowledge of the technology.
· The low levels were the 'foot soldiers' who merely use the supplied cracking programs with little understanding of how they work.
One of the results of the growing awareness of the intruder problem has been the establishment of a number of Computer Emergency Response Teams (CERTs). These co-operative ventures collect information about system vulnerabilities and disseminate it to systems managers. Unfortunately, hackers can also gain access to CERT reports.
In addition to running password cracking programs, the intruders attempted to modify login software to enable them to capture passwords of users logging onto the systems.
The objective of the intruders is to gain access to a system or to increase the range of privileges accessible on a system. Generally, this requires the intruders to acquire information that should be protected. In most cases, the information is in the form of a user password.
Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it. The password file can be protected in one of two ways:
· One-way encryption – the system stores only an encrypted form of the user's password. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the encryption function and in which a fixed-length output is produced.
· Access control – access to the password file is limited to one or a very few accounts.
The following techniques are used for learning passwords.
· Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults.
· Exhaustively try all short passwords.
· Try words in the system's online dictionary or a list of likely passwords.
· Collect information about users such as their full names, the name of their spouse and children, pictures in their office and books in their office that are related to hobbies.
· Try users' phone numbers, social security numbers and room numbers.
· Try all legitimate license plate numbers.
· Use a Trojan horse to bypass restrictions on access.
· Tap the line between a remote user and the host system.
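The two defensive ideas above, storing only a one-way transform of the password and refusing passwords that the listed guessing techniques would find quickly (short ones, defaults, dictionary words), can be combined in one password-file routine. This is an added illustration, not code from the original notes; the word list, minimum length and iteration count are constructed assumptions, and PBKDF2-HMAC-SHA256 with a random salt stands in for the unspecified one-way transformation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the system's online dictionary / list of likely
# and default passwords (assumption: a real deployment loads a large list).
LIKELY_PASSWORDS = {"password", "123456", "admin", "letmein", "welcome"}
MIN_LENGTH = 8            # assumption: short passwords are cheap to try exhaustively
ITERATIONS = 200_000      # assumption: tune the work factor to the hardware


def check_password_strength(password: str) -> Optional[str]:
    """Return a reason the password is unacceptable, or None if it may be used."""
    if len(password) < MIN_LENGTH:
        return "too short: exhaustive search of short passwords is cheap"
    if password.lower() in LIKELY_PASSWORDS:
        return "appears in the list of likely or default passwords"
    return None


def make_record(password: str) -> dict:
    """Build a password-file entry that holds only a salted one-way transform.

    The salt makes identical passwords produce different records, so a
    precomputed dictionary of transforms cannot be reused across users.
    """
    reason = check_password_strength(password)
    if reason is not None:
        raise ValueError(reason)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the transform for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))
```

Access control on the file (the second protection listed above) is still needed: the record is not reversible, but it can still be guessed against offline once copied, which is why the strength check refuses the easily guessed candidates.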
Two principal countermeasures:
Detection – concerned with learning of an attack, either before or after its success.
Prevention – a challenging security goal and an uphill battle at all times.