Financial Daily from THE HINDU group of publications, Monday, Feb 10, 2003

Mentor - Books

There are wolves at the door
ONE of the shortcuts that security researchers use in discovering vulnerabilities is a mental list of observable behaviours that tells them something about the security of the system they are examining. If they can observe a particular behaviour, it is a good indication that the system has a trait that they would consider insecure, even before they have had a chance to perform detailed tests.

Denial of service: What is a denial of service (DoS) attack? A DoS attack takes place when availability of a resource is intentionally blocked or degraded by an attacker. In other words, the attack impedes the availability of the resource to its regular authorised users. These attacks can arrive through one of two vectors: either on the local system, or remotely from across a network. The attack may concentrate on degrading processes, degrading storage capability, destroying files to render the resource unusable, or shutting down parts of the system or its processes.

Crack: The oldest and most widely used UNIX password cracking utility is simply called Crack. Alec Muffett is the author of Crack, which he calls a password-guessing program for UNIX systems. It runs only on UNIX systems against UNIX passwords, and is for the most part a dictionary-based program. However, in the latest release available (v5.0a from 1996), Alec has bundled Crack7, a brute force password cracker that can be used if a dictionary-based attack fails. One of the most interesting aspects of this combination is that Crack can test for the common variants that people use when they think they are picking more secure passwords. For example, instead of "password", someone may choose "pa55word". Crack has user-configurable permutation rules that will catch these variants.

Local applications and utilities: A computer system is composed of various applications that the user or the system will run in order to do what it needs to do. Many of these applications interact with the user, and thus give a malicious user the chance to do something the application was not expecting. This could, for example, mean pressing an abnormal key sequence, providing large amounts of data, or specifying the wrong types of values.

Eggshell payloads: One of the strangest types of payload is what is known as an eggshell payload. An eggshell is an exploit within an exploit. The purpose is to exploit a lower privileged program and, with your payload, attack and exploit a higher privileged piece of code. This technique allows you to execute a simple exploitation of a program to get your foot in the door, then leverage that to march the proverbial army through. This concept saves time and effort over attacking two distinct holes by hand. The attacks tend to be symbiotic, allowing a low privilege remote attack to be coupled with a high privilege local attack for a devastating combination.

Blind spoofing: One of the more interesting results of developments in blind spoofing has been the discovery of methods that allow for blind scanning of remote hosts. It is, of course, impossible to test connectivity to a given host or port without sending a packet to it and monitoring the response (you can't know what would happen if you sent a packet without actually having a packet sent), but blind scanning allows a probe to examine a subject without the subject being aware of the source of the probing. Connection attempts are sent as normal, but they are spoofed as if they came from some other machine, known as a zombie host. This zombie has Internet connectivity but barely uses it: a practically unused server, for instance. Because it is almost completely unused, the prober may presume that all traffic in and out of this "zombie" is the result of its own action, either direct or indirect.

Other tricks of the trade: Virus and worm writers have had ample time to develop new techniques and tactics for their creations. One particularly evil trick is to have the virus "evolve", or otherwise literally change itself from time to time, in an effort to evade AV software. Nicknamed polymorphism, the general concept is to somehow keep the virus mutating. The complex approach would be to have the virus literally recode itself enough to be unrecognisable from its past incarnation; however, this feat requires a lot of logic, which results in a big virus, and after all, a virus that contains its own compiler will probably be spotted quite easily. Rather than recode itself, it is much easier for the virus to re-encode itself using some kind of randomised key. Imagine a virus that DES encodes itself. It would decode itself (with the known initial key), and then re-encode itself with a new key. The result? The bulk of the code would look different.

(Edited extracts from Hack Proofing Your Network. Book courtesy: Wiley Dreamtech India Pvt Ltd. www.wileydreamtech.com)
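The permutation rules described in the Crack passage above, turned into a defender-side password audit: it generates the case, digit-for-letter and suffix variants of each dictionary word and reports which chosen passwords those rules reach. This is an added example, not code from Crack or from the book; the wordlist, substitution table and hash function are constructed stand-ins.

```python
import hashlib
import itertools

# Constructed mini-dictionary standing in for Crack's wordlists.
WORDLIST = ["password", "secret", "letmein"]
# Digit-for-letter swaps people use when they think they are being clever.
SUBSTITUTIONS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}

def mangle(word):
    """Yield variants of one dictionary word, roughly mirroring Crack's rules:
    case changes, every combination of the swaps above, and a digit suffix."""
    variants = set()
    for base in {word.lower(), word.upper(), word.capitalize()}:
        slots = [i for i, ch in enumerate(base) if ch.lower() in SUBSTITUTIONS]
        for r in range(len(slots) + 1):
            for chosen in itertools.combinations(slots, r):
                chars = list(base)
                for i in chosen:
                    chars[i] = SUBSTITUTIONS[base[i].lower()]
                variants.add("".join(chars))
    for v in sorted(variants):
        yield v
        for n in range(100):          # "password1", "Secret42", ...
            yield f"{v}{n}"

def hash_password(pw):
    """Stand-in for the system's real password hash; the point of the example
    is the candidate generation, not the hash algorithm."""
    return hashlib.sha256(pw.encode()).hexdigest()

def guess(stored_hash, wordlist=WORDLIST):
    """Return (dictionary word, variant) that reproduces stored_hash, or None."""
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate) == stored_hash:
                return word, candidate
    return None

def audit(passwords):
    """Defender's use: which of these chosen passwords fall to the rules?"""
    return {pw: guess(hash_password(pw)) for pw in passwords}

if __name__ == "__main__":
    for pw, hit in audit(["pa55word", "Secret42", "correct horse battery"]).items():
        print(f"{pw!r}: {'weak, from ' + hit[0] if hit else 'not reached'}")
```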
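A toy model of the re-encoding trick in the last paragraph, written to show what it does to detection: the body is decoded with the key it carries and re-encoded under a fresh key each generation, so a byte signature on the body fails while a signature on the constant decoder, or a scan after emulating the decode, still hits. Added example, not code from the book; XOR stands in for the DES the text mentions, and the stub, body and pattern are constructed byte strings, not real malware.

```python
import os
# Constructed stand-ins: a fixed decoder stub and a body holding the byte
# pattern a signature scanner would look for.
DECODER_STUB = b"DECODER-STUB:"   # the part that never changes
BODY = b"constructed-body-with-a-known-pattern-inside"
PATTERN = b"known-pattern"
KEY_LEN = 8

def xor_encode(data, key):
    """Reversible XOR under a repeating key; stands in for the DES in the text."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build(body, key=None):
    """One generation as stored: stub, the key it carries, the encoded body."""
    key = key or bytes(b or 1 for b in os.urandom(KEY_LEN))  # non-zero key bytes
    return DECODER_STUB + key + xor_encode(body, key)

def split(sample):
    k = len(DECODER_STUB)
    return sample[k:k + KEY_LEN], sample[k + KEY_LEN:]

def mutate(sample):
    """What the virus does each run: decode with the key it knows, re-encode under a fresh one."""
    key, encoded = split(sample)
    return build(xor_encode(encoded, key))

def signature_hit(sample, pattern):
    """Naive byte signature over the sample as stored."""
    return pattern in sample

def emulated_hit(sample):
    """Run the decoder first, as an emulating scanner does, then match."""
    key, encoded = split(sample)
    return PATTERN in xor_encode(encoded, key)

def run(generations=5):
    """Count hits per detection method across generations, plus distinct files seen."""
    sample = build(BODY)
    hits = {"body_sig": 0, "stub_sig": 0, "emulated": 0}
    seen = set()
    for _ in range(generations):
        seen.add(sample)
        hits["body_sig"] += signature_hit(sample, PATTERN)       # defeated by re-keying
        hits["stub_sig"] += signature_hit(sample, DECODER_STUB)  # stub is constant
        hits["emulated"] += emulated_hit(sample)                 # survives re-keying
        sample = mutate(sample)
    hits["distinct_files"] = len(seen)
    return hits

print(run())
```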
Copyright © 2003, The Hindu Business Line.