Copyright 2001 Marchany, SANS Institute

Presentation transcript:

Is The Threat Real?
Randy Marchany
Network Appliance Testing Lab, VA Tech Computing Center, Blacksburg, VA
nyiia 2/2002 Copyright 2001 Marchany, SANS Institute

The screenshot on this slide (not reproduced here) shows an actual attack on a personal computer. This college student had a mini-cam attached to his PC: you can see the furniture in his room and his girlfriend lying on the bed. He is reading a message that has just popped up on his desktop.

This is what he is reading. The Yahoo Instant Messenger note that appeared on his screen read: “Hi. I know we haven’t talked before. This is your computer. Since I see everything in your room, I thought I’d throw you a few pointers. First, put on a shirt. PLEASE. Second…” Note that the hacker sees this desktop as well and could run any program on the student’s computer. The icons have been blacked out in the slide; the hacker could move the cursor to any of them and run a program on this machine exactly as if he were sitting at the console.

Need to go to a hacker site to get these tools? Nope. The above slide is a screen dump taken from my Unix workstation. All of the windows in the background are Unix. However, the one in the foreground displays the desktop of a Macintosh in my office. If I move my cursor into this window, I can look at anything running on the Mac. If someone were sitting at the Mac, I would see everything being done on that machine. The good side of the force is that this makes an excellent help desk tool.

Not having adequate training in place can result in heavy negative publicity for a site. Here, the hackers destroyed the data on a computer in an effort to cover their tracks. This was from the Washington Post circa 1998.

If you try to prosecute the offenders but don’t have established procedures in place, the case usually gets thrown out in court. Once that happens, the site is itself vulnerable to lawsuits. This Washington Post article appeared a few months after the previous one.

Sometimes being one of many victims of a publicized event can make it appear as if your site was guilty of the attack. This was the Yankees.com hack that occurred right after the 2000 World Series. When people went to the Yankees www site, they saw a porno picture with the caption “Yankees Suck”. It turned out that a Tech computer had been compromised and the porno picture was left there. It took a while to convince the Yankees that Tech wasn’t involved in launching the attack.

This is an example of the latest threat to Internet security. Network appliance boxes (black boxes) are being built with more “intelligence” and network connectivity, but most of them ship with limited security features enabled. These devices can be used in a DDoS attack: a recent DoS attack in New Mexico was launched from 4 networked LaserJet printers that had easy-to-guess admin passwords.

www.attrition.org is a good site to see which www sites have been broken into by hackers. The interesting thing to note in the slide is the OS of the www server; this field is the 2nd from the left. Most of these attacks could have been prevented by standard system maintenance.

Those of you who believe that firewalls prevent illegal traffic from entering the internal network should look at this site. Tunnel programs let someone run programs through whatever ports the firewall allows. They do require that a program reside on the inside. How does that program get inside? Email attachments!

There are sites on the net where you can get all sorts of information that can scare any sysadmin.

www.2600.com is another site that likes to advertise sites that have had their www pages modified. Look at the Dairy Queen entry. There’s just something about the phrase “Again!” that makes you go hmmm…

I entered “NT hacking” on a popular search engine and got 438 hits.

This is a sample BackOrifice screen shot. You select the target host in the upper left corner of the view and the command to run on it in the upper right window. Of course, it’s password protected to prevent someone else from using your tool. BackOrifice is the oldest of these tools and most anti-virus scanners are programmed to search for it.

This is a Netbus screen shot. The function keys are shown in the center of the figure; simply press a function button to run that command on the remote computer. You can read keystrokes, turn on the microphone to eavesdrop on conversations, examine files, run programs, etc.

This is a screen shot of BO2K, the newest version of these trojans. Source code is provided with the kit, so the signature of the trojan can easily be changed to evade anti-virus tools.
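All three tools on the preceding slides work by leaving a listener on the compromised host, so the classic host-side check is to compare the machine's listening sockets against the tools' well-known default ports. The Python script below is an added example, not part of the original presentation: it parses `netstat -an` output (a constructed sample is embedded in the script) and flags listeners on the default ports of Back Orifice (UDP 31337) and NetBus (TCP 12345, 12346). The limitation the BO2K slide itself points at applies here too: a tool built from source can listen on any port, so a hit is a lead to investigate and a miss proves nothing; the same pass should also compare the listener list against what the system is supposed to be running.

```python
import re
from typing import Dict, List, Tuple

# Well-known default listener ports of the tools discussed on the slides.
# Back Orifice listens on UDP 31337 by default; NetBus on TCP 12345/12346.
# Tools compiled from source (BO2K) can be set to any port, so this table
# is only a first-pass check, never evidence that a host is clean.
KNOWN_TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 31337): "Back Orifice (default UDP port)",
    ("tcp", 12345): "NetBus (default TCP port)",
    ("tcp", 12346): "NetBus (secondary TCP port)",
}

# Constructed sample of Windows-style `netstat -an` output; not captured
# from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every socket that accepts input.

    TCP sockets count only in LISTENING state; UDP is connectionless, so
    every bound UDP socket is treated as a listener.
    """
    listeners: List[Tuple[str, str, int]] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or something we do not understand
        proto, addr, port, _foreign, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and (state or "").upper() != "LISTENING":
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def flag_suspicious(
    listeners: List[Tuple[str, str, int]],
) -> List[Tuple[str, str, int, str]]:
    """Attach a label to every listener sitting on a known default trojan port."""
    hits = []
    for proto, addr, port in listeners:
        label = KNOWN_TROJAN_PORTS.get((proto, port))
        if label:
            hits.append((proto, addr, port, label))
    return hits


if __name__ == "__main__":
    for proto, addr, port, label in flag_suspicious(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{proto}/{port} bound on {addr}: {label}")
```

Running the script against the constructed sample reports the NetBus listener on TCP 12345 and the Back Orifice listener on UDP 31337 and ignores the ordinary RPC and NetBIOS sockets.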

Pay Me Now or Pay Me Later

E = D + R

E = amount of time you’re exposed
D = amount of time it takes to detect an attack
R = amount of time it takes to react to an attack

Easiest way to calculate the cost of an incident: multiply average hourly wage * Time * People.
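The exposure formula and the cost rule of thumb above, worked through on a couple of constructed incident records. This is an added example, not part of the presentation; the records, the hourly wage and the assumption that "Time" in the cost rule means the exposure E (the slide does not say which time it means) are all mine. The last function shows the point of the slide: cutting D, the detection delay, reduces E and the bill directly.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed incident records (illustrative, not data from the presentation).
# "start" is when the attack began, "detected" when the site noticed it,
# "contained" when the reaction was finished, "people" the response team size.
INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-1", "start": "2002-02-01T02:00", "detected": "2002-02-01T10:00",
     "contained": "2002-02-01T14:00", "people": "2"},
    {"id": "INC-2", "start": "2002-02-03T22:00", "detected": "2002-02-04T09:00",
     "contained": "2002-02-04T17:30", "people": "3"},
]


def exposure_hours(rec: Dict[str, str]) -> Tuple[float, float, float]:
    """Return (D, R, E) in hours for one incident, with E = D + R as on the slide."""
    start = datetime.fromisoformat(rec["start"])
    detected = datetime.fromisoformat(rec["detected"])
    contained = datetime.fromisoformat(rec["contained"])
    if not (start <= detected <= contained):
        raise ValueError(f"{rec['id']}: need start <= detected <= contained")
    d = (detected - start).total_seconds() / 3600.0   # time to detect
    r = (contained - detected).total_seconds() / 3600.0  # time to react
    return d, r, d + r


def incident_cost(rec: Dict[str, str], hourly_wage: float) -> float:
    """Slide's rule of thumb: average hourly wage * Time * People.

    Assumption (not stated on the slide): Time is the exposure E, i.e. the
    team is treated as tied up from the start of the attack to containment.
    """
    _, _, e = exposure_hours(rec)
    return hourly_wage * e * int(rec["people"])


def cost_with_faster_detection(rec: Dict[str, str], hourly_wage: float,
                               new_d_hours: float) -> float:
    """Cost of the same incident if detection had taken new_d_hours, R unchanged."""
    _, r, _ = exposure_hours(rec)
    return hourly_wage * (new_d_hours + r) * int(rec["people"])


def summarize(hourly_wage: float) -> List[Tuple[str, float, float, float, float]]:
    """Return (id, D, R, E, cost) for every constructed incident."""
    rows = []
    for rec in INCIDENTS:
        d, r, e = exposure_hours(rec)
        rows.append((rec["id"], d, r, e, incident_cost(rec, hourly_wage)))
    return rows


if __name__ == "__main__":
    for row in summarize(hourly_wage=50.0):
        print("%s  D=%.1fh  R=%.1fh  E=%.1fh  cost=$%.2f" % row)
    print("INC-2 with one-hour detection: $%.2f"
          % cost_with_faster_detection(INCIDENTS[1], 50.0, 1.0))
```

For INC-2 the overnight detection delay of 11 hours accounts for more than half of the 19.5-hour exposure; with detection in one hour the same reaction effort costs less than half as much.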

A group called the Internet Audit Project scanned a huge number of sites in late 1998 for common vulnerabilities. The figures they cite are scary, phenomenal and typical. The SANS Top 10 threat number is shown in the right column.

Percent   Vulnerability   Top 10 #
 .77%     Webdist         #2, #4
15.5%     IMAP            #9
12.4%     Qpopper
 .52%     Innd
26.1%     Tooltalk        #3, #6
10.8%     RPC_mountd
18.1%     BIND            #1
12.2%     WWW             #2
TOTAL     735065 hosts scanned

How Easy Is It?

    % set term=cterm100
    % telnet victim.com
    Trying 0.0.0.0...
    Connected to victim.com.
    Escape character is '^]'.
    UNIX(r) System V Release 4.0 (victim.com)
    # id
    uid=0(root) gid=0(root)
    #

This slide shows one of the more common trojan backdoors for Unix systems. The victim system has been previously compromised by some form of exploit, usually a buffer overflow attack, and the hackers have replaced some system binaries with modified versions that let them return to the system with full access. The first thing the hacker does at his site is set his termtype to “cterm100”. He then telnets to the victim machine. The trojaned telnetd or login program examines the TERMTYPE of the incoming request and, since it is “cterm100”, bypasses the password authentication step and gives the hacker immediate root access. The whole sequence above takes about 15 seconds at most.
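The backdoor above only works because login or telnetd on the victim has been replaced, and a replaced system binary is exactly what a file-integrity baseline catches. The script below is an added example of that check, not part of the presentation and not the tool of the period (that would be Tripwire, which does the same thing with a signed database): it records a SHA-256 hash of each monitored binary on a known-clean system and later reports anything missing or modified. The demo builds the scenario in a temporary directory with constructed files instead of real system binaries. Two practical caveats: the baseline has to be taken before the compromise and kept somewhere root on the host cannot rewrite (read-only media or another machine), and the check is only as honest as the kernel and libraries it runs on.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Hash every monitored binary on a system believed to be clean.

    Store the result off-host (read-only media, a separate machine); a
    baseline the intruder can edit is worth nothing.
    """
    return {p: sha256_of(p) for p in paths}


def check_against_baseline(baseline: Dict[str, str]) -> List[str]:
    """Return one finding per file that has gone missing or no longer matches."""
    findings: List[str] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append(f"MISSING {path}")
            continue
        if sha256_of(path) != expected:
            findings.append(f"MODIFIED {path}")
    return findings


def demo() -> List[str]:
    """Simulate the slide's scenario on constructed files in a temp directory.

    The "binaries" are just labelled byte strings, not real programs; the
    trojaned login is simulated by overwriting the file with different bytes.
    """
    with tempfile.TemporaryDirectory() as root:
        login = os.path.join(root, "login")
        telnetd = os.path.join(root, "in.telnetd")
        ps = os.path.join(root, "ps")
        for p in (login, telnetd, ps):
            with open(p, "wb") as f:
                f.write(b"original contents of " + os.path.basename(p).encode())

        baseline = build_baseline([login, telnetd, ps])   # taken while clean

        # Later: login replaced with a version that skips authentication,
        # and ps removed so the intruder's processes stay out of sight.
        with open(login, "wb") as f:
            f.write(b"replacement login that bypasses the password check")
        os.remove(ps)

        return check_against_baseline(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The check reports the replaced login and the missing ps while leaving the untouched telnetd alone; on a real system the monitored list would cover every setuid binary and every network daemon, and the baseline would be refreshed after each legitimate patch.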

Response Strategies (from RFC 2196)

Protect and Proceed, when:
- assets are not well protected
- continued penetration could result in financial risk
- willingness to prosecute is not present
- unsophisticated users and their work are vulnerable

Pursue and Prosecute:
- allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies but is the most difficult.
- Willingness to prosecute!!

Your organization needs to decide ahead of time how to respond to an internal or external incident. The real decision is whether or not to prosecute; more precisely, whether the organization should take steps that will allow it to prosecute a violator should it decide to do so. You need to establish this ground rule first, as soon as possible, since it dictates how much effort you need to spend on incident response. If you’re not going to prosecute, you don’t have to ensure the safety of the computer logs. If you are going to prosecute, then you need to take adequate steps to preserve the chain of evidence. RFC 2196 is an excellent resource for guidelines on developing all the components of your site’s security policy. It’s a must read.
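One concrete piece of the "preserve the chain of evidence" step: once log entries have been copied off a compromised host, seal them so that any later edit is detectable. The script below is an added example, not from the presentation or from RFC 2196, and the log records in it are constructed. Each entry's hash covers the previous entry's hash, so changing, removing or reordering any record breaks every link after it; the final hash is the value to write into the case notes and store out of band (a separate loghost, WORM media, or a printed copy), because whoever can rewrite the whole chain can also recompute it.

```python
import hashlib
import json
from typing import Any, Dict, List

# Constructed log records standing in for entries copied off a victim host
# during an incident. Not real logs.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"ts": "2002-02-10T03:14:07", "host": "victim",
     "msg": "telnetd[412]: connect from 10.1.2.3"},
    {"ts": "2002-02-10T03:14:09", "host": "victim",
     "msg": "login: ROOT LOGIN on pts/2 from 10.1.2.3"},
    {"ts": "2002-02-10T03:15:30", "host": "victim",
     "msg": "syslogd: restart"},
]

GENESIS = "0" * 64   # stands in for the "previous hash" of the first entry


def entry_digest(prev_hash: str, record: Dict[str, Any]) -> str:
    """Hash of one record bound to the hash of the entry before it.

    Keys are sorted and whitespace fixed so the same record always
    serialises to the same bytes.
    """
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Seal records in order; each entry carries its own and its predecessor's hash."""
    chain: List[Dict[str, Any]] = []
    prev = GENESIS
    for rec in records:
        digest = entry_digest(prev, rec)
        chain.append({"record": dict(rec), "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: List[Dict[str, Any]]) -> int:
    """Return -1 if every link checks out, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def head_hash(chain: List[Dict[str, Any]]) -> str:
    """The one value to record out of band when the evidence is sealed."""
    return chain[-1]["hash"] if chain else GENESIS


def demo_tamper() -> int:
    """Alter a sealed record (the root login is downgraded) and locate the break."""
    chain = build_chain(SAMPLE_RECORDS)
    chain[1]["record"]["msg"] = "login: LOGIN on pts/2 from 10.1.2.3"
    return verify_chain(chain)


if __name__ == "__main__":
    sealed = build_chain(SAMPLE_RECORDS)
    print("intact:", verify_chain(sealed) == -1, "head:", head_hash(sealed))
    print("first broken entry after tampering:", demo_tamper())
```

Verification of the untouched chain returns -1; after the edit in demo_tamper it returns 1, the index of the altered record, and the recorded head hash no longer matches either.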