Hacker Motivation Lesson 3
The Attacker’s Process
• Passive Reconnaissance
• Active Reconnaissance (scanning)
• Exploiting the system
• Gain access
• Elevation of privileges
• Denial of Service
• Uploading programs
• Downloading data
• Maintaining access (backdoors, trojans)
• Covering the tracks
Some Definitions
• Information Security
  • “the protection of information against unauthorized disclosure, transfer, modification or destruction whether accidental or intentional”
• Information Assurance
  • “Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.”
Hacker Definition
DEFINITION OF A HACKER
1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
3. A person capable of appreciating hack value.
4. A person who is good at programming quickly.
5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.)
6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
From: http://members.tripod.com/cory_hack/definition.htm
Hacker Definition (cont)
8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.
From: JARGON FILE, VERSION 4.2.3, 23 NOV 2000
It is interesting to note that the previous slide’s first 7 definitions were taken from the Jargon File but that the 8th, more “objectionable”, definition was omitted. This provides an insight in itself as to how folks who “dabble” in this area like to see themselves.
Cracker Definition
cracker n. One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker (q.v., sense 8). An earlier attempt to establish `worm' in this sense around 1981-82 on Usenet was largely a failure. Use of both these neologisms reflects a strong revulsion against the theft and vandalism perpetrated by cracking rings. While it is expected that any real hacker will have done some playful cracking and knows many of the basic techniques, anyone past larval stage is expected to have outgrown the desire to do so except for immediate, benign, practical reasons (for example, if it's necessary to get around some security in order to get some work done). Thus, there is far less overlap between hackerdom and crackerdom than the mundane reader misled by sensationalistic journalism might expect. Crackers tend to gather in small, tight-knit, very secretive groups that have little overlap with the huge, open poly-culture this lexicon describes; though crackers often like to describe themselves as hackers, most true hackers consider them a separate and lower form of life. Ethical considerations aside, hackers figure that anyone who can't imagine a more interesting way to play with their computers than breaking into someone else's has to be pretty losing. Some other reasons crackers are looked down on are discussed in the entries on cracking and phreaking. See also samurai, dark-side hacker, and hacker ethic. For a portrait of the typical teenage cracker, see warez d00dz.
From: JARGON FILE, VERSION 4.2.3, 23 NOV 2000
Cracking Definition
cracking n. [very common] The act of breaking into a computer system; what a cracker does. Contrary to widespread myth, this does not usually involve some mysterious leap of hackerly brilliance, but rather persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems. Accordingly, most crackers are only mediocre hackers.
From: JARGON FILE, VERSION 4.2.3, 23 NOV 2000
The Difference between Hackers and Crackers
• A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Hackers are most often programmers. As such, hackers obtain advanced knowledge of operating systems and programming languages. They might discover holes within systems and the reason for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data.
• A cracker is one who breaks into or otherwise violates the system integrity of remote machines with malicious intent. Having gained unauthorized access, crackers destroy vital data, deny legitimate users service, or cause problems for their targets. Crackers can easily be identified because their actions are malicious.
From: Maximum Security, 3rd ed.
Phreaking Definition
phreaking /freek'ing/ n. [from `phone phreak']
1. The art and science of cracking the phone network (so as, for example, to make free long-distance calls).
2. By extension, security-cracking in any other context (especially, but not exclusively, on communications networks) (see cracking).
At one time phreaking was a semi-respectable activity among hackers; there was a gentleman's agreement that phreaking as an intellectual game and a form of exploration was OK, but serious theft of services was taboo. There was significant crossover between the hacker community and the hard-core phone phreaks who ran semi-underground networks of their own through such media as the legendary "TAP Newsletter". This ethos began to break down in the mid-1980s as wider dissemination of the techniques put them in the hands of less responsible phreaks. Around the same time, changes in the phone network made old-style technical ingenuity less effective as a way of hacking it, so phreaking came to depend more on overtly criminal acts such as stealing phone-card numbers. The crimes and punishments of gangs like the `414 group' turned that game very ugly. A few old-time hackers still phreak casually just to keep their hand in, but most these days have hardly even heard of `blue boxes' or any of the other paraphernalia of the great phreaks of yore.
From: JARGON FILE, VERSION 4.2.3, 23 NOV 2000
Samurai Definition
samurai n. A hacker who hires out for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy-rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith. In 1991, mainstream media reported the existence of a loose-knit culture of samurai that meets electronically on BBS systems, mostly bright teenagers with personal micros; they have modeled themselves explicitly on the historical samurai of Japan and on the "net cowboys" of William Gibson's cyberpunk novels. Those interviewed claim to adhere to a rigid ethic of loyalty to their employers and to disdain the vandalism and theft practiced by criminal crackers as beneath them and contrary to the hacker ethic; some quote Miyamoto Musashi's "Book of Five Rings", a classic of historical samurai doctrine, in support of these principles. See also sneaker, Stupids, social engineering, cracker, hacker ethic, and dark-side hacker.
From: JARGON FILE, VERSION 4.2.3, 23 NOV 2000
sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team.
Hacker Ethics
The Hacker's Code of Ethics
Unlike so many of the so called "hackers" today, the original hackers at places like MIT, Berkeley and Stanford had a clear code of ethics. In 1984, Steven Levy published a book titled Hackers in which he listed the ethical code of these first hackers. This is the Hacker's Ethic.
1. Access to computers -- and anything which might teach one something about the way the world works -- should be unlimited and total.
2. All information should be free.
3. Mistrust authority -- promote decentralization.
4. Hackers should be judged by their hacking, not by other criteria.
5. One can create art and beauty on a computer.
6. Computers can change one's life for the better.
From: http://www.midtown.net/~moo/ethic.html
Hacker Ethics (cont)
hacker ethic n. (from: JARGON FILE, VERSION 4.2.3, 23 NOV 2000)
1. The belief that information-sharing is a powerful positive good, and that it is an ethical duty of hackers to share their expertise by writing open-source and facilitating access to information and to computing resources wherever possible.
2. The belief that system-cracking for fun and exploration is ethically OK as long as the cracker commits no theft, vandalism, or breach of confidentiality.
Both of these normative ethical principles are widely, but by no means universally, accepted among hackers. Most hackers subscribe to the hacker ethic in sense 1, and many act on it by writing and giving away open-source software. A few go further and assert that all information should be free and any proprietary control of it is bad; this is the philosophy behind the GNU project.
Sense 2 is more controversial: some people consider the act of cracking itself to be unethical, like breaking and entering. But the belief that `ethical' cracking excludes destruction at least moderates the behavior of people who see themselves as `benign' crackers (see also samurai). On this view, it may be one of the highest forms of hackerly courtesy to (a) break into a system, and then (b) explain to the sysop, preferably by email from a superuser account, exactly how it was done and how the hole can be plugged -- acting as an unpaid (and unsolicited) tiger team.
The most reliable manifestation of either version of the hacker ethic is that almost all hackers are actively willing to share technical tricks, software, and (where possible) computing resources with other hackers. Huge cooperative networks such as Usenet, FidoNet and Internet (see Internet address) can function without central control because of this trait; they both rely on and reinforce a sense of community that may be hackerdom's most valuable intangible asset.
Hacker Manifesto (full)
HACKER'S MANIFESTO
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and think it shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but they are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
-- The Mentor
Tools of the Trade
• The means by which a cracker or hacker might be able to penetrate a computer or network.
• A number of elements
  • Reconnaissance: information gathering using several methods.
    • Social Engineering
    • Port Scanning
    • Passive OS Identification (using default settings, banners …)
  • Exploits – based on data gathered, determine if a known exploit/vulnerability exists.
  • Tools – there may be something already created
Who are your Enemies?
From: Real World Linux Security
• Crackers (see previous definition)
• Disgruntled current employees
• Disgruntled former employees
• Competitors
• Spies
• Criminals
• Extremists (also called “hacktivists”)
Motivating Factors - 4 Domains
From: Information Warfare and Security
• Play: hacking/cracking, phreaking
• Crime: illegal acts including intellectual property crime and computer fraud and abuse
  • but isn’t cracking a crime?
• Individual rights: conflicts over free speech and privacy
• National security: foreign intelligence operations, war and military conflicts, terrorism, and operations against a nation by nonstate players
Is Hacking Always a Crime?
• Recall discussion on hacking -vs- cracking
• White Hat hackers
• Black Hat hackers
Motivation -- Play
• Recall the Hacker’s Manifesto
• Information Warfare and Security, by Denning, pg. 45-46
  • “Hacking was the ultimate cerebral buzz for me. I would come home from another dull day at school, turn my computer on, and become a member of the hacker elite. It was a whole different world where there were no condescending adults and you were judged by your talent. I would first check in to the private bulletin boards where other people who were like me would hang out, see what the news was in the community, and trade some info with people across the country. Then I would start actually hacking. My brain would be going a million miles an hour and I’d basically completely forget about my body as I would jump from one computer to another trying to find a path into my target. It was the rush of working on a puzzle coupled with the high of discovery many magnitudes intensified. To go along with the adrenaline rush was the illicit thrill of doing something illegal. Every step I made could be the one that would bring the authorities crashing down on me. I was on the edge of technology and exploring past it, spelunking into electronic caves where I wasn’t supposed to be.”
Motivation -- Play
• Bored at school
• Member of an elite group
• Thrill (adrenaline rush)
• Curiosity
• Power + sense of control
Motivation -- Play
• Kuji:
  • “It is all about control, really. I’m in my little room with my little computer breaking into the biggest computers in the world and suddenly I have more control over this machine than them. That is where the buzz comes from. Anyone who says they are a reformed hacker is talking rubbish. If you are a hacker, you are always a hacker. It’s a state of mind.”
• Makaveli:
  • “It’s power, dude. You know, power.”
Motivation -- Play
• Prof Nicholas Chantler of Queensland Univ.
  • Survey of 164 hackers
  • ages ranged from 11-46
  • majority between 15 and 24
  • only 5% female
  • 3 main reasons for hacking were challenge, knowledge, pleasure (49%)
  • next were recognition, excitement, friendship (24%)
  • the rest said self-gratification, addiction, espionage, theft, profit, vengeance, sabotage, freedom (27%)
Motivation -- Play
• Survey continued:
  • 52% said they work in teams
  • 39% said they belonged to hacking groups
    • e.g. LOD, MOD, 414club, CdC, L0pht
• There are many BBoards, web sites, and hacker pubs
  • 1997 NY Times article reported 440, 1900, 30
• Also several conferences
  • DEFCON
  • HOPE
Motivation -- Play
• Hacking for a cause
• StRyKe (25 yr old hacker from U.K.)
  • “I do think of myself as ‘moral.’ The traditional image of a hacker is no longer a valid one. I don’t attack anyone who doesn’t deserve it. We are talking about people who deliberately harm minors.”
Motivation -- Play
• Has the culture evolved/changed/degenerated?
• Erik Bloodaxe (Chris Goggans)
  • “I don’t like most of you people. . . . People might argue that the community has “evolved” or “grown” somehow, but that is utter crap. The community has degenerated. . . The act of intellectual discovery that hacking once represented has now been replaced by one of greed, self-aggrandization and misplaced post-adolescent angst. . . . I’m not alone in my disgust. There are a bunch of us who have reached the conclusion that the “scene” is not worth supporting; that the cons are not worth attending; that the new influx of would-be hackers is not worth mentoring. Maybe a lot of us have just grown up.”
More than just child’s play
• Serious implications for
  • Public Safety & Health
    • Worcester Airport (jester)
  • National Security
    • Solar Sunrise
  • National Infrastructure
    • L0pht members testified in 1997 before Congress and stated they could take down the Internet in 30 minutes
Motivation -- Crime
• Intellectual Property
  • Piracy (losses exceed $20B, mostly external to US)
  • Theft of trade secrets ($40-$250B)
  • Biggest risk is insider
• Fraud
  • telemarketing scams ($40B)
  • identity theft and bank fraud (#’s fuzzy but includes credit card theft)
  • telecommunications ($5-$10B)
• Computer Fraud & Abuse
• Organized Crime
Motivation -- Crime
• What exactly is stolen?
  • Nothing “physical” but damage still caused
  • The argument, especially by phreakers, is that there really wasn’t anything stolen
• How does computer fraud and abuse manifest itself?
  • According to Denning, unauthorized access, but...
Motivation -- Individual Rights
• Rights to Privacy & Free speech
• Privacy, who “owns” the info about you?
• Conflicts between free speech and harmful or disturbing speech
  • flaming -vs- defamation
• Conflicts over censorship
  • some countries restrict satellite and Internet access for national interests or religious reasons
  • some restrict to protect groups such as children
• Conflicts over government surveillance
Motivation -- National Security
• Operations undertaken by states and by nonstate players against states
• Foreign intelligence ops
Intelligence Priorities
U.S. 1995
1. The intel needs of the military during operations
2. Political, economic, and military intelligence about countries hostile to the US and all-source info on major political powers with weapons of mass destruction hostile to US
3. Intel about specific transnational threats, such as weapons proliferation, terrorism, drug trafficking, organized crime, illicit trade practices, and environmental issues of great gravity
Japan Late 80’s
1. Info pertaining to access to foreign sources of raw materials
2. Technological and scientific developments in the US and Europe
3. Political decision making in the US and Europe, particularly as it relates to trade, monetary, and military policy in Asia
4. Internal political and military developments in China, Korea, and Russia
Motivation -- National Security
• Operations undertaken by states and by nonstate players against states
• Foreign intelligence ops
• War and military ops
  • PSYOPS, perception management
  • Can we have war without bombs (Cyberwar)?
  • Critical Infrastructure -- what’s a valid target?
Motivation -- National Security
• Operations undertaken by states and by nonstate players against states
• Foreign intelligence ops
• War and military ops
• Acts of terrorism
  • Perception management
  • Attack systems and web sites
  • Attack computers that control things
• Netwars
  • Low intensity conflicts by nonstate actors: example Zapatistas
Motivation -- National Security
• Zapatistas
  • struggle against Mexican Government
  • used Internet to “spread their word”
  • One group of supporters in U.S. organized an attack against the Mexican President Zedillo’s Web site
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that until now were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
CVE is:
• One name for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database
• How disparate databases and tools can "speak" the same language
• A basis for evaluation among tools and databases
• Accessible for review or download from the Internet
• Industry-endorsed via the CVE Editorial Board
CVE: The Vulnerability Life Cycle
[Figure: the vulnerability life cycle. Stage labels: Discovery (start here), Incident Handling, Analysis, Collection, Detection, Protection. Sources and tools shown around the cycle: mailing lists, newsgroups, hacker sites; incident response teams; incident reports; academic study; advisories; intrusion detection systems; databases; newsletters; vulnerability assessment tools.]
CVE-1999-0067
Description: CGI phf program allows remote command execution through shell metacharacters.
References:
• CERT:CA-96.06.cgi_example_code
• XF:http-cgi-phf
• BID:629
A Roadblock to Information Sharing: Same Problem, Different Names
Adding New Entries to CVE
• Board member submits raw information to MITRE
• Submissions are grouped, refined, and proposed back to the Board as candidates
  • Form: CAN-YYYY-NNNN
  • Strong likelihood of becoming CVE-YYYY-NNNN
  • Not a guarantee
  • Delicate balance between timeliness and accuracy
• Board reviews and votes on candidates
  • Accept, modify, recast, reject, reviewing
• If approved, the candidate becomes a CVE entry
  • Entry is included in a subsequent CVE version
  • Published on CVE web site
• Entries may later be modified or removed
Stages of Security Information in CVE
Stages: Submissions, Candidates, Entries
• Raw information
• Obtained from MITRE, Board members, and other data feeds
• Combined and refined
• Placed in clusters
• Proposed to Editorial Board
• Accepted or rejected
• Backmap tells submitters what candidates were assigned to their submissions
• Added to CVE list
• Submissions, candidates removed from the “pool”
• Published in an official CVE version
Back-map (candidate -> entry):
CAN-2000-0001 -> CVE-2000-0001
CAN-2000-0002 -> <REJECTED>
CAN-2000-0003 -> CVE-2000-0003
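The "same problem, different names" slide and the candidate back-map, worked as an added Python example that is not part of the original slides: findings reported under tool-specific names are grouped under one CVE name, and CAN names are resolved to an entry, a rejection, or a still-open candidate. The CVE entry, its references and the back-map values are the ones on the slides; the tool names, hosts and findings are constructed.

```python
import re
from collections import defaultdict

# Entry and references as shown on the CVE-1999-0067 slide.
CVE_ENTRIES = {
    "CVE-1999-0067": ["CERT:CA-96.06.cgi_example_code", "XF:http-cgi-phf", "BID:629"],
}
# Back-map values from the slide; None stands for <REJECTED>.
BACKMAP = {
    "CAN-2000-0001": "CVE-2000-0001",
    "CAN-2000-0002": None,
    "CAN-2000-0003": "CVE-2000-0003",
}
# The slides give the form YYYY-NNNN; current CVE IDs may carry more digits.
NAME_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

def norm_ref(ref):
    """Normalize 'SOURCE:ID' so case and spacing differences still match."""
    source, sep, ident = ref.partition(":")
    if not sep or not source.strip() or not ident.strip():
        raise ValueError(f"not a SOURCE:ID reference: {ref!r}")
    return f"{source.strip().upper()}:{ident.strip().lower()}"

def build_index(entries):
    """Map every tool-specific reference to the one CVE name that covers it."""
    return {norm_ref(r): cve for cve, refs in entries.items() for r in refs}

def resolve(name, index, backmap):
    """Return (status, common_name) for a CVE/CAN name or a native reference."""
    key = name.strip().upper()
    m = NAME_RE.match(key)
    if m and m.group(1) == "CVE":
        return ("entry", key)
    if m and key not in backmap:
        return ("candidate", key)      # proposed, Board has not decided yet
    if m:
        return ("entry", backmap[key]) if backmap[key] else ("rejected", None)
    try:
        cve = index.get(norm_ref(name))
    except ValueError:
        cve = None                     # not even SOURCE:ID shaped
    return ("entry", cve) if cve else ("unmapped", None)

def correlate(findings, index, backmap):
    """Group (tool, host, reported_name) findings by common name."""
    grouped = defaultdict(list)
    for tool, host, reported in findings:
        status, common = resolve(reported, index, backmap)
        grouped[common or f"<{status.upper()}>"].append((tool, host, reported))
    return dict(grouped)

# Constructed findings from three hypothetical tools, not real scan output.
FINDINGS = [
    ("scanner-a", "10.0.0.5", "XF:http-cgi-phf"),
    ("ids-b", "10.0.0.5", "bid:629"),
    ("advisory-feed", "10.0.0.5", "CERT:CA-96.06.cgi_example_code"),
    ("scanner-a", "10.0.0.9", "CAN-2000-0003"),
    ("ids-b", "10.0.0.9", "CAN-2000-0002"),
    ("scanner-c", "10.0.0.7", "VENDOR-1234"),
]

if __name__ == "__main__":
    for name, hits in correlate(FINDINGS, build_index(CVE_ENTRIES), BACKMAP).items():
        print(name, hits)
```

Findings that land under `<REJECTED>` or `<UNMAPPED>` are the ones a tool cannot join to fix information by name and need manual triage.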