Computer Security: An overview

Computer Security: An overview

By ghost | 7238 Reads |

0     0

Introduction

It seems that nearly every week a news station is broadcasting about another company that has been compromised, emails read, a school that a student managed to change his or her grades at, or an attack on a company or government by rouge hackers. Hackers and social engineers constantly modify and fine tune their skills to the changing waters of the world wide web and manage to compromise even the most secure systems. Despite the advances in firewalls and antivirus software hackers’ and social engineers’ presence grow every day.

The American Heritage Dictionary lists as its first definition that a hacker is “One who is proficient at using or programming a computer; a computer buff.” The second definition lists the modern terminology of a hacker: “One who uses programming skills to gain illegal access to a computer network or file.” Being referred to as a “hacker” was once a term of respect. The change to this definition was gradual, but it has become the predominant meaning of the word. Modern day “hackers” troll underground IRC servers and websites searching for information to penetrate new systems. Malicious hackers are considered “Black Hats” while those who help to secure sites are considered “White Hats.” These terms are widely disputed even in the hacker underground as to whether there is actually a difference. [Healey]

Technology-Based Attacks

Hackers can gain access to a system through a variety of holes in systems, protocols, and even users. The most common type of system to be probed and compromised is a website. The ease of access and large amount of information available on vulnerabilities provide a playground for even the most inexperienced hacker. The website can be used as a platform to attack databases; MySQL and MSSQL are common databases, through insertion of database queries. Unprotected inputs can be used to modify an already existent query to the hacker’s advantage. The following query is a common way to pull users from a database based on passwords:

SELECT * FROM users WHERE username=’username’ AND password=’password’

In this, both the username and the password are user provided via a front-end input form, such as a login. A hacker can replace these with a term such as:

‘ OR 1=1 /*

This alters the query to allow the hacker to login as whomever he or she pleases [SecuriTeam].

Another attack from is Cross Site Scripting, which is normally used to gain personal details of the users of a site. Inserting HTML code containing JavaScript, the hacker can steal cookie data as well as redirect the user to a fake login page and steal usernames and passwords. Cross site scripting attacks are very often used in phishing. Phishing is the process of obtaining a user’s personal data. When a hacker has the ability to inject XSS onto a web page it opens up the possibility for the data to be stolen with cookies or form data. [NIST]

Servers are attacked on a routine basis also; however, these “hacks” are generally more encompassing. Beyond the standard brute force, which attempts to gain access by trying all possible passwords, the attacks are generally very specific and require a large amount of technical knowledge. Only within recent years have such attacks been published on public sites. This population of the data provides the information to secure a system as well as a means for a new hacker (newbie or noob) or a want-to-be hacker (script kiddy) to gain access without any knowledge of how the attack works. One of these attacks to gain root access on a server is known as a Buffer Overflow. In this attack, the hacker inputs more data than expected to an input. The excess data runs beyond the allotted memory and corrupts outside memory. The correct input can be used to dump the current memory, which may contain passwords or other useful information, or to input code to be executed. [WindowSecurity]

With so much information readily available the question is: why are systems still vulnerable to yesterday’s exploits? The answer is both simple and complex. The simplistic answer is that “people are lazy.” [System_Meltdown] People do not spend the time needed to understand how these problems arise. The more complex explanation covers exactly what “laziness” entails as well as other problems that lead to holes. “[B]ecause they don't tend to keep up with websites like securityfocus … yet another reason is that they are too self righteous to accept help.” [System_Meltdown]

System_Meltdown explained that those who get “hacked” generally are unaware of the problems. The free information provided on sites such as SecurityFocus is generally used more by the hackers than those who become victims. This information is, more often used by script-kiddies, as previously mentioned in one of the above paragraphs, rather than "true" hackers, the sort that tend to figure things out for themselves, without needing any source of information. Many times this is because the pride of an administrator stops them from heeding advice. According to System_Meltdown, it is often the case that when an administrator is informed of a hole by a “White Hat,” the warning is not taken seriously.

Another issue that causes problems is those who know of the dangers, system administrators and security professionals are often not the decision makers. The decision must pass a board of approval or director who does not understand the problem and its severity.

Security holes in a system can lead to further problems. A compromised computer or server can be used as a zombie to launch attacks on other computers or networks. The resources of a server can be used to decrease the time taken to crack a password. These hijacked computers and servers are also a resource for spammers to mass their emails or can be used as general storage. In the worst case, these systems have valuable data on them, that the hacker takes to be his or her own.

The uses for a hijacked computer are nearly endless. A server has computing power far superior to a home computer or laptop and hackers use the extra power to make quick work of difficult tasks. A password brute-forcer, like John the Ripper, might take days to crack a password on a PC, whereas on a server it would take only a matter of hours.

Vast networks of infected PCs are organized into “botnets.” These networks of zombie computers are used to flood other computers or servers with requests and data packets. This influx of data will fill the bandwidth and possibly crash the machine in a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. [Case]

Servers and home computers are also vulnerable to another type of infection known as a trojan or rootkit. These programs are meant to provide “back doors” for access to a machine which allows a hacker to make the machine his or her own. [Healey] With access to machines from remote locations, hackers have places to store information and files, to launch attacks from and eliminate the threat of being traced, and to steal more and more information from a user.

Finally, home computers are often the target of key loggers. A key logger is another type of virus that has the sole purpose of capturing every keystroke. This provides the hacker with usernames, passwords, credit card numbers, bank account numbers, and any other data the user may type.

Social Engineering Attacks

Beyond the security holes that exist in the actual hardware and software of a network, system, corporation, or other such entity, hackers also have the option of exploiting the users. Hackers use social engineering to gain information that they may not have been able to access through the systems they compromise. Social engineering generally requires research on the hacker’s part. Building up enough information to be credible is the key to success. In Kevin Mitnik’s book “The Art of Deception” he explains a social engineering case in which a person was able to obtain free cellular phones. The person first called a cellular store, similar to Version Wireless, and requested to speak with the manager. When the manager answered the phone this individual wrote down the manager’s name to be used in the next step. After completing the phone call a phone call was made to another such store. The attacker claimed to be the manager from the previous call and explained that a customer had purchased a new phone, but he did not have it in stock. Eventually, the attacker was able to convince the other store’s manager to allow this customer to pick up the phone out of their stock. He simply showed up and received his free cellular phone [Mitnik].

The stream of events that lead to the store being compromised could have easily been prevented had proper protocols been put in place. Authorization could have been required, such as the manager’s ID number or other information that would have been difficult for an attacker to obtain. Corporations with weak security protocols or poorly informed personnel are also highly susceptible to social engineering. A phone call could be made from one department to another department requesting valuable information. Human interaction in person or over the phone are not the only ways that a hacker or other individual to gain access to this data. Dumpster diving is very common. By simply digging through a corporation’s garbage useful information can be gathered.

Hardware and software vulnerabilities mixed with poor protocols allow hackers to gain access to systems; however, the corner stone of the problem is far less technical. Hackers use ignorance as a weapon. Corporations and individuals who do not understand even the most basic elements of security provide fruitful ground for even the newest hackers. Users who do not set up firewalls or antivirus software because it is “too expensive” or “too difficult” are easy prey and generally exploited fully. Corporations that do not bother to encrypt traffic or enforce proper password policies are also targets.

Methods of protection

The simplest steps can provide the biggest difference. Keeping strong passwords, changing passwords regularly, and avoiding websites and emails that seem suspicious are only a few such changes. [Healey] Many routers come with default usernames and passwords that can be found online on various websites. The router’s configuration interface is not simple to access for users who are not computer savvy. This problem causes many home networks to be ill prepared for a hacker. Many companies also do not want to have the hassle of setting up proper encryption and allow there wireless traffic to be received by anyone within range of the broadcast. Proper password creating can also eliminate the ability for a hacker to “crack” a password in reasonable amounts of time. Easy to remember, dictionary passwords can be cracked extremely quickly and reuse of the same password across many accounts provide many targets to gain the encrypted “hash.”

Conclusion

With the advancing world, technology is becoming the backbone of society. This opens up a number of opportunities for hackers. Countries like Estonia have become almost completely web-based. One of the first “cyber wars” was waged on Estonia in 2007. A massive Distributed Denial of Service (DDoS) attack crippled the country for days. The government was close to useless since most of its systems were the first hit.

DDoS attacks are not a new trend, but have been made more effective with the widespread use of the internet and growing speed provided by Internet Service Providers. Hackers are not the only group employing offensive computer strategies either. Corporations have used hackers for years to gain the competitive edge on their competition. Even the mafia has implemented these techniques. The Russian Mafia will actually recruit young students and pay their way through school to create a new generation of hackers.

The hacker underground goes far beyond just gangs and mafias. A “hacker black market” provides a sales front for everything from compromised computers to passwords to credit card numbers and social security numbers.

WORKS CITED:

[Case] "Case Tips for Avoiding Computer Viruses, Worms, & Bots." Case.Edu. Case Western Reserve University. 3 Dec. 2007 http://securityaware.case.edu/aware_virus.html.

[Healey] Healey, Richard. Online interview. 21 Oct. 2007.

[Mitnik] Mitnik, Kevin D., Steve Wozniak, and William L. Simon. The Art of Deception. 1st ed. New York: Wiley, 2003. 1-366.

[NIST] "Cross-Site Scripting (XSS) - the Internet is Definitely a More Dangerous Place." NIST.org. 1 Dec. 2007 http://www.nist.org/news.php?extend.176.

[SecuriTeam] "SQL Injection Walkthrough." SecuriTeam. 26 Mar. 2002. 15 Nov. 2007 http://www.securiteam.com/securityreviews/5DP0N1P76E.html.

[System_Meltdown] System_Meltdown. Online interview. 8 Nov. 2007.

[WindowSecurity] "Analysis of Buffer Overflow Attacks." Windowsecurity.com. 30 Nov. 2007 http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html.

This document is available in word format on: SamuraiNet.org

This document is copy-written by only_samurai