Who Attacks Networks?
Who are the attackers? We
cannot list their names, just as we cannot know who are all the criminals in
our city, country, or the world. Even if we knew who they were, we do not know
if we could stop their behavior. To have
some idea of who the attackers might be, we return to concepts introduced in Chapter 1, where we described the three necessary
components of an attack: method, opportunity, and motive.
In the next sections we
explore method: tools and techniques the attackers use. Here we consider first
the motives of attackers. Focusing on motive may give us some idea of who might
attack a networked host or user. Four important motives are challenge or power,
fame, money, and ideology.
Challenge
Why do people do dangerous or
daunting things, like climb mountains or swim the English Channel or engage in
extreme sports? Because of the challenge. The situation is no different for
someone skilled in writing or using programs. The single most significant
motivation for a network attacker is the intellectual challenge. He or she is
intrigued with knowing the answers to Can I defeat this network? What would
happen if I tried this approach or that technique?
Some attackers enjoy the
intellectual stimulation of defeating the supposedly undefeatable. For example,
Robert Morris, who perpetrated the Internet worm in 1988 (described in Chapter 3), attacked supposedly as an experiment
to see if he could exploit a particular vulnerability. Other attackers, such as
the Cult of the Dead Cow, seek to demonstrate weaknesses in security defenses
so that others will pay attention to strengthening security. Still other
attackers are unnamed, unknown individuals working persistently just to see how
far they can go in performing unwelcome activities.
However, as you will soon
see, only a few attackers find previously unknown flaws. The vast majority of
attackers repeat well-known and even well-documented attacks, sometimes only to
see if they work against different hosts. In these cases, intellectual stimulation
is certainly not the driving force, when the attacker is merely pressing [run]
to activate an attack discovered, designed, and implemented by someone else.
Fame
The challenge of
accomplishment is enough for some attackers. But other attackers seek
recognition for their activities. That is, part of the challenge is doing the
deed; another part is taking credit for it. In many cases, we do not know who
the attackers really are, but they leave behind a "calling card" with
a name or moniker: Mafiaboy, Kevin Mitnick, Fluffy Bunny, and members of the
Chaos Computer Club, for example. The actors often retain some anonymity by
using pseudonyms, but they achieve fame nevertheless. They may not be able to
brag too openly, but they enjoy the personal thrill of seeing their attacks
written up in the news media.
Money and Espionage
As in other settings,
financial reward motivates attackers, too. Some attackers perform industrial
espionage, seeking information on a company's products, clients, or long-range
plans. We know industrial espionage has a role when we read about laptops and
sensitive papers having been lifted from hotel rooms when other more valuable
items were left behind. Some countries are notorious for using espionage to aid
their state-run industries.
Sometimes industrial
espionage is responsible for seemingly strange corporate behavior. For example,
in July 2002, newspapers reported that a Yale University security audit had
revealed that admissions officers from rival Princeton University broke into
Yale's online admissions notification system. The Princeton snoops admitted
looking at the confidential decisions about eleven students who had applied to
both schools but who had not yet been told of their decisions by Yale. In
another case, a startup company was about to activate its first application on
the web. Two days before the application's unveiling, the head offices were
burglarized. The only item stolen was the one computer containing the
application's network design. Corporate officials had to make a difficult
choice: Go online knowing that a competitor might then take advantage of
knowing the internal architecture or delay the product's rollout until the
network design was changed. They chose the latter. Similarly, the chief of
security for a major manufacturing company has reported privately to us of
evidence that one of the company's competitors had stolen information. But he
could take no action because he could not determine which of three competitors
was the actual culprit.
Industrial espionage is
illegal, but it occurs, in part because of the high potential gain. Its
existence and consequences can be embarrassing for the target companies. Thus,
many incidents go unreported, and there are few reliable statistics on how much
industrial espionage and "dirty tricks" go on. Yearly since 1997, the
Computer Security Institute and the U.S. Federal Bureau of Investigation have
surveyed security professionals from companies, government agencies,
universities, and organizations, asking them to report perceptions of computer
incidents. About 500 responses are received for each survey. Theft of
intellectual property amounted to a total loss of $31 million, with an average
loss per incident of $350 thousand, making this the category of third-highest
loss. That amount was more than double the amount reported in the 2004 survey.
(These survey results are anecdotal, so it is hard to draw many conclusions.
For full details on the survey see [CSI05].)
Industrial espionage, leading to loss of intellectual property, is clearly a
problem.
Organized Crime
With the growth in commercial
value of the Internet, participation by organized crime has also increased. In
October 2004, police arrested members of a 28-person gang of Internet
criminals, called the Shadowcrew, who operated out of six foreign countries and
eight states in the United States. Six leaders of that group pled guilty to
charges, closing an illicit business that trafficked in at least 1.5 million
stolen credit and bank card numbers and resulted in losses in excess of $4
million. In July 2003, Alexey Ivanov was convicted as the supervisor of a
wide-ranging, organized criminal enterprise that engaged in sophisticated
manipulation of computer data, financial information, and credit card numbers.
Ivanov and group were responsible for an aggregate loss of approximately $25
million. And in January 2006, Jeanson James Ancheta pled guilty to having
infected 400,000 computers with malicious code and renting their use to others
to use to launch attacks on others. In June 2005, the FBI and law enforcement
from 10 other countries conducted over 90 searches worldwide as part of
"Operation Site Down," designed to disrupt and dismantle many of the
leading criminal organizations that illegally distribute and trade in
copyrighted software, movies, music, and games on the Internet [DOJ06]. Brazilian police arrested 85 people in
2005 for Internet fraud.
Although money is common to
these crimes, the more interesting fact is that they often involve
collaborators from several countries. These more sophisticated attacks require
more than one person working out of a bedroom, and so organization and
individual responsibilities follow. With potential revenue in the millions of
dollars and operations involving hundreds of thousands of credit card numbers
and other pieces of identity, existing organized crime units are sure to take
notice. As Williams [WIL01] says,
"[T]here is growing evidence that organized crime groups are exploiting
the new opportunities offered by the Internet."
Ideology
In the last few years, we are
starting to find cases in which attacks are perpetrated to advance ideological
ends. For example, many security analysts believe that the Code Red worm of
2001 was launched by a group motivated by the tension in U.S.China relations.
Denning [DEN99a]
has distinguished between two types of related
behaviors, hactivism and cyberterrorism. Hactivism involves "operations
that use
hacking techniques against a target's [network] with the intent of disrupting
normal operations but not causing serious damage." In some cases, the
hacking is seen as giving voice to a constituency that might otherwise not be
heard by the company or government organization. For example, Denning describes
activities such as virtual sit-ins, in which an interest group floods an
organization's web site with traffic to demonstrate support of a particular
position. Cyberterrorism is more
dangerous than hactivism: "politically motivated hacking operations
intended to cause grave harm such as loss of life or severe economic
damage."
Security and terrorism experts are seeing
increasing use of the Internet as an attack vector, as a communications medium
among attackers, and as a point of attack. Cullison [CUL04]
presents a very interesting insight (which we overview in Sidebar 1-6, p. 24)
into of the use of technology by al Qaeda.
Reconnaissance
Now that we have listed many
motives for attacking, we turn to how attackers perpetrate their attacks.
Attackers do not ordinarily sit down at a terminal and launch an attack. A
clever attacker investigates and plans before acting. Just as you might invest
time in learning about a jewelry store before entering to steal from it, a
network attacker learns a lot about a potential target before beginning the
attack. We study the precursors to an attack so that if we can recognize
characteristic behavior, we may be able to block the attack before it is
launched.
Because most vulnerable
networks are connected to the Internet, the attacker begins preparation by
finding out as much as possible about the target. An example of information
gathering is given in [HOB97]. (Not all
information gathered is accurate, however; see Sidebar
7-4 for a look at reconnaissance combined with deception.)
Port Scan
An easy way to gather network
information is to use a port scan, a
program that, for a particular IP address, reports which ports respond to
messages and which of several known vulnerabilities seem to be present. Farmer
and Venema [FAR93] are among the first
to describe the technique.
A port scan is much like a
routine physical examination from a doctor, particularly the initial questions
used to determine a medical history. The questions and answers by themselves
may not seem significant, but they point to areas that suggest further
investigation.
Port scanning tells an
attacker three things: which standard ports or services are running and
responding on the target system, what operating system is installed on the
target system, and what applications and versions of applications are present.
This information is readily available for the asking from a networked system;
it can be obtained quietly, anonymously, without identification or
authentication, drawing little or no attention to the scan.
Port scanning tools are
readily available, and not just to the underground community. The nmap scanner
by Fyodor at www.insecure.org/nmap is a useful tool that
anyone can download. Given an address, nmap will report all open ports, the
service they support,
and the owner (user ID) of the daemon providing the service. (The owner is
significant because it implies what privileges would descend upon someone who
compromised that service.) Another readily available scanner is netcat, written
by Hobbit, at www.l0pht.com/users/l0pht. (That URL is "letter ell," "digit
zero," p-h-t.) Commercial products are a little more costly, but not
prohibitive. Well-known
commercial scanners are Nessus (Nessus Corp. [AND03]), CyberCop Scanner (Network Associates), Secure Scanner
(Cisco), and Internet Scanner (Internet Security Systems).
Social Engineering
The port scan gives an
external picture of a networkwhere are the doors and windows, of what are they
constructed, to what kinds of rooms do they open? The attacker also wants to
know what is inside the building. What better way to find out than to ask?
Suppose, while sitting at
your workstation, you receive a phone call. "Hello, this is John Davis
from IT support. We need to test some connections on the internal network.
Could you please run the command ipconfig/all on your workstation and read to
me the addresses it displays?" The request sounds innocuous. But unless
you know John Davis and his job responsibilities well, the caller could be an
attacker gathering information on the inside architecture.
Social engineering involves
using social skills and personal interaction to get someone to reveal
security-relevant information and perhaps even to do something that permits an
attack. The point of social engineering is to persuade the victim to be
helpful. The attacker often impersonates someone inside the organization who is
in a bind: "My laptop has just been stolen and I need to change the
password I had stored on it," or "I have to get out a very important
report quickly and I can't get access to the following thing." This attack
works especially well if the attacker impersonates someone in a high position,
such as the division vice president or the head of IT security. (Their names
can sometimes be found on a public web site, in a network registration with the
Internet registry, or in publicity and articles.) The attack is often directed
at someone low enough to be intimidated or impressed by the high-level person.
A direct phone call and expressions of great urgency can override any natural
instinct to check out the story.
Because the victim has helped
the attacker (and the attacker has profusely thanked the victim), the victim
will think nothing is wrong and not report the incident. Thus, the damage may
not be known for some time.
An attacker has little to
lose in trying a social engineering attack. At worst it will raise awareness of
a possible target. But if the social engineering is directed against someone
who is not skeptical, especially someone not involved in security management,
it may well succeed. We as humans like to help others when asked politely.
Intelligence
From a port scan the attacker
knows what is open. From social engineering, the attacker knows certain
internal details. But a more detailed floor plan would be nice. Intelligence is the general term for
collecting information. In security it often refers to gathering discrete bits
of information from various sources and then putting them together like the
pieces of a puzzle.
One commonly used
intelligence technique is called "dumpster diving." It involves
looking through items that have been discarded in rubbish bins or recycling
boxes. It is amazing what we throw away without thinking about it. Mixed with
the remains from lunch might be network diagrams, printouts of security device
configurations, system designs and source code, telephone and employee lists,
and more. Even outdated printouts may be useful. Seldom will the configuration
of a security device change completely. More often only one rule is added or
deleted or modified, so an attacker has a high probability of a successful
attack based on the old information.
Gathering intelligence may
also involve eavesdropping. Trained spies may follow employees to lunch and
listen in from nearby tables as coworkers discuss security matters. Or spies
may befriend key personnel in order to co-opt, coerce, or trick them into
passing on useful information.
Most intelligence techniques
require little training and minimal investment of time. If an attacker has
targeted a particular organization, spending a little time to collect
background information yields a big payoff.
Operating System and Application Fingerprinting
The port scan supplies the
attacker with very specific information. For instance, an attacker can use a port
scan to find out that port 80 is open and supports HTTP, the protocol for
transmitting web pages. But the attacker is likely to have many related
questions, such as which commercial server application is running, what
version, and what the underlying operating system and version are. Once armed
with this additional information, the attacker can consult a list of specific
software's known vulnerabilities to determine which particular weaknesses to
try to exploit.
How can the attacker answer
these questions? The network protocols are standard and vendor independent.
Still, each vendor's code is implemented independently, so there may be minor
variations in interpretation and behavior. The variations do not make the
software noncompliant with the standard, but they are different enough to make
each version distinctive. For example, each version may have different sequence
numbers, TCP flags, and new options. To see why, consider that sender and
receiver must coordinate with sequence numbers to implement the connection of a
TCP session. Some implementations respond with a given sequence number, others
respond with the number one greater, and others respond with an unrelated
number. Likewise, certain flags in one version are undefined or incompatible
with others. How a system responds to a prompt (for instance, by acknowledging
it, requesting retransmission, or ignoring it) can also reveal the system and
version. Finally, new features offer a strong clue: A new version will
implement a new feature but an old version will reject the request. All these
peculiarities, sometimes called the operating system or application
fingerprint, can mark the manufacturer and version.
For example, in addition to
performing its port scan, a scanner such as nmap will respond with a guess at
the target operating system. For more information about how this is done, see
the paper at www.insecure.org/nmap/nmap-fingerprinting-article.html.
Sometimes the application
identifies itself. Usually a client-server interaction is handled completely
within the application according to protocol rules: "Please send me this
page; OK but run this support code; thanks, I just did." But the
application cannot respond to a message that does not follow the expected form.
For instance, the attacker might use a Telnet application to send meaningless
messages to another application. Ports such as 80 (HTTP), 25 (SMTP), 110 (POP),
and 21 (FTP) may respond with something like
Server: Netscape-Commerce/1.12
Your browser sent a non-HTTP compliant message.
or
Microsoft ESMTP MAIL Service, Version:
5.0.2195.3779
This reply tells the attacker
which application and version are running.
Bulletin Boards and Chats
The Internet is probably the
greatest tool for sharing knowledge since the invention of the printing press.
It is probably also the most dangerous tool for sharing knowledge.
Numerous underground bulletin
boards and chat rooms support exchange of information. Attackers can post their
latest exploits and techniques, read what others have done, and search for
additional information on systems, applications, or sites. Remember that, as
with everything on the Internet, anyone can post anything, so there is no
guarantee that the information is reliable or accurate. And you never know who
is reading from the Internet. (See Sidebar 7-4
on law enforcement officials' "going underground" to catch malicious
hackers.)
Availability of Documentation
The vendors themselves
sometimes distribute information that is useful to an attacker. For example,
Microsoft produces a resource kit by which application vendors can investigate
a Microsoft product in order to develop compatible, complementary applications.
This toolkit also gives attackers tools to use in investigating a product that
can subsequently be the target of an attack.
Reconnaissance: Concluding Remarks
A good thief, that is, a successful one, spends
time understanding the context of the target. To prepare for perpetrating a
bank theft, the thief might monitor the bank, seeing how many guards there are,
when they take breaks, when cash shipments arrive, and so forth.
Remember that time is usually
on the side of the attacker. In the same way that a bank might notice someone
loitering around the entrance, a computing site might notice exceptional
numbers of probes in a short time. But the clever thief or attacker will
collect a little information, go dormant for a while, and resurface to collect
more. So many people walk past banks and peer in the windows, or scan and probe
web hosts that individual peeks over time are hard to correlate.
The best defense against
reconnaissance is silence. Give out as little information about your site as
possible, whether by humans or machines.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.