Overview of a Few Computer Security Issues

posted onFebruary 13, 2002
by hitbsecnews

By: Justin Keane, MA

25 September, 2001

Business Process Solutions

Edits: Christian Keane, NA

29 September 2001

Also posted in full at: Madirish.net (some of the pics may be absent in this version)

Please note: all exploits, intrusion attempts, and network surveillance
outlined in this document were executed against target systems controlled by
the author and with full authorization. Reproduction of these exploit attempts
will fail against IP addresses and systems outlined in this document,
and more importantly would constitute a violation of international and US Federal
laws. Any unauthorized attempt to gain access to any of the systems outlined
in this document will be vigorously pursued by the author to the full extent
of electronic and legal means. Be advised that all systems used as examples
in this document are subject to full time intrusion detection system and aggressive
automated intrusion response.

External Threats:

Remote Exploits:

Remote exploits are attacks by a foreign computer on a local server which
lead to unauthorized access of a local machine. These types of exploits are
commonly buffer
overflow attacks or other compromises of weak,
insecure, or unpatched services. It is important to note
that a remote exploit follows several steps and an attacker can be tracked or
even stopped at many of these stages. These steps include:

1.
Discovery

a.
Operating System

b.
Administrative configuration

c.
Services

2.
Access

3.
Exploits

The first step in a remote exploit is usually discovery. This
is the information gathering stage. In order to exploit a machine, it must
first be known what type of machine it is (operating system) and what services
are available for exploit. Many Windows 95 and 98 machines are completely immune
to remote exploits, simply because these operating systems rarely
offer any services to remote computers.
Server machines are usually the most vulnerable since they offer the widest
range of services to remote hosts (telnet, ftp, web service, etc.).

Remember: An increase in remote services
constitutes an increase in a computer’s vulnerability. Therefore, a system administrator
should minimize the number of remote services running, particularly unnecessary
services.

Discovery:

In order to exploit services
an attacker must first know what is available
for compromise.
The easiest way to discover what services are available for exploit is to run
a port scan. There are several
tools to automate this process, but at its most basic, a port scan sends packets
to various ports on the target machine in an attempt to illicit response from
the target. Many times these packets are of the stateless ICMP type or TCP
rst. This method allows for the target machine to respond to packets, but not
initiate a connection so as to avoid logging the activity. These atypical packet
types are able to
circumvent many firewalls to give a true and accurate picture of the target
machine. When many machines receive
malformed packets, they simply respond without logging the interaction, under
the expectation that a well-formed packet will soon follow, and normal communications
will begin. Port scanning may also involve attempts to
determine the operating system of the target. While simply mapping ports may
be enough to analyze
the target operating system (only Windows machines will be running ports 135-139,
(Netbios
sharing ports)
there are other methods for operating system discovery. Often when a connection
is made to a remote service a banner is displayed
(a service is a general term for various internet communications software packages,
such as email, ftp, or telnet). For example:

C:>ftp madirish.org

Connected to madirish.org.

220 SPHYNX Microsoft FTP Service (Version 5.0).

User (madirish.org:(none)):

This ftp session immediately identifies the operating system in the banner
‘220 SPHYNX Microsoft FTP Service (Version 5.0).’ While many operating systems
do not offer this depth of information (operating system, service, and version),
often the service is enough to estimate the operating system (wu-ftp is a unix
based ftp server, etc.).

In order to automate this discovery many attackers will use a port
scanning tool. The two most popular port scanners are Nessus (www.nessus.org)
and nmap (www.nmap.org). Both tools are lightweight and
fast, and available for free download. These tools will allow a remote attacker
to scan a local server in seconds and map the operating system as well. Here
is a sample output from nmap:

[root@madirish /root]# nmap
-sS -O madirish.org

Starting nmap V. 2.53 by fyodor@insecure.org
( www.insecure.org/nmap/ )

Interesting ports on ip-216-25-200-135.covad.dsl.fcc.net
(216.25.200.135):

(The 1513 ports scanned but
not shown below are in state: closed)

Port State Service

21/tcp open ftp

25/tcp open smtp

80/tcp open http

135/tcp open loc-srv

139/tcp open netbios-ssn

443/tcp open https

445/tcp open microsoft-ds

1025/tcp open listen

1030/tcp open iad1

1433/tcp open ms-sql-s

TCP Sequence Prediction: Class=random
positive increments

Difficulty=11755
(Worthy challenge)

Remote operating system guess:
Windows 2000 RC1 through final release

Nmap run completed -- 1 IP
address (1 host up) scanned in 2 seconds

As you can see nmap quickly creates a specific, simple outline
of the target computer.

The next step in a remote exploit
is to determine the specific service offered by
each open port and search for exploits that are available.

Access:

Two types of attacks
are common at this point. One is to attempt an exploit of one of the services,
the other common route is to attempt to leverage poor configuration of the server
by its administrator. We’ll focus on an example of the latter attack first.

Now that we know the target is running Microsoft Windows 2000,
and has a MS SQL server running, as an attacker it is logical to check to see
if the administrator has enabled a password for the system administrator (‘sa’)
account on the SQL Server (default install leaves the password blank).
To do this we must use a windows platform. Setting up an ODBC (Open Database
Connectivity) connection:

We can use this connection to check whether or not the default installation
has been changed to offer more security. This type of attack involves a fairly intimate
knowledge of server set up and configuration, although news of blank password
default installations pass around the underground fairly quickly.

Remember, when a hacker
discovers a vulnerable machine, the information is typically passed to other
hackers as well.

A potential attacker could also
check to see if the server is already compromised at this point. The IIS Unicode scripts directory
traversal exploit (popularized by worms like Code Red
and NIMDA) leaves a backdoor in the scripts directory of the target machine
called root.exe. Simply using a browser to check for the existence of this
backdoor is trivial and gives full root access if found:

Protection:

Protecting against both of these
types of remote
exploits involves not only a thorough knowledge of the server operating
system AND services, but also periodic scanning for known bugs and backdoors
that might be left on the machine (antivirus tools are somewhat, but not completely
effective in this task).

Assuming that no configuration errors or previously installed backdoors
are installed an attacker will usually turn to remote exploits. Often buffer
overflows, these exploits are compiled and run remotely against services with
known exploits. It is essential that services be patched and updated as soon
as new exploits are discovered to avoid this type of attack. Exploitable services
and patches are commonly announced on the BugTraq mailing list (www.securityfocus.com)
and at least one system administrator should constantly
monitor this list for news of exploits affecting your services.
The official websites for services you run should also have a list of patches and updates
available. NEVER
use an outdated service. Older operating systems and services
are the most vulnerable to these types of exploits.

Remember: Always keep
your system up to date with patches and updates.

It is also essential, since
this type of threat is common, to not run services that are not used
or that administrators don’t understand
since these services make a system more vulnerable to attack.

Remote exploits are rare but powerful and many times when a new
exploit is discovered (say a wu-ftp exploit) attackers will scan the internet
for servers running that particular service, rather than looking for that service
specifically on your system. However, armed with a complete nmap scan, a potential
attacker can search the internet for known exploits for the services your machine
is running. Often attackers will start by searching established databases on
sites like Security Focus (www.securityfocus.com)
or Packet Storm (www.packetstormsecurity.org)
for exploits. This is usually only a starting place but occasionally will reveal
a remote root compromise that is all an attacker needs.

Once an attacker has acquired whatever
tool he may need and runs the exploit, you may find telltale signs of the attack in your
logs (assuming an attacker doesn’t delete the log files) but
at this point a sysadmins job will become more like one of a coroner than a
policeman. It is important for systems administrators to routinely search for exploits to services
offered on their machines and test these exploits on a sandbox
machine (NEVER test exploits directly against a production machine as they are
likely to crash the target, the local machine, or both) to see if your system
is vulnerable. If you find your system to be vulnerable you need to patch the system if possible,
or shut it down and look for
an alternative if no patch to protect against the exploit can be found.

Access:

Once an attacker
runs a remote exploit
and gains access to your machine they will likely follow a series of steps.
First they will attempt (if they have not already accomplished) to gain root or administrator status.
This will allow the attacker unfettered control of the machine. The next normal
step for an attack is to download
a root kit. This is a series
of tools compiled by the attacker to allow them to accomplish any number of
tasks on the target machine. Monitoring
outbound connections
from a server for traffic such as ftp or ssh may alert you to a compromise and
root kit download. Once this task is accomplished attackers will usually look
for some way to erase relevant log files of their activities. Logs are usually
located in var/log on a *nix machine or winnt/system32 on a Windows machine.

Once an attacker gains access
to log files it will be very difficult to track their behavior and expel the
intruder or fix any damage. The best solution for protecting your logs is to
use a syslogd or similar server
to store your logs on a computer that is well protected and used ONLY to collect
log files. This insures a higher level of layered defense around
your log files and lets you trust the log files from a computer that has been
compromised. Root kits will often contain tools to help the attacker to expand
the range of their attack and level of control. Trojaned programs may allow
the attacker to plant a backdoor into the
computer so that even if discovered and removed they will be able to regain
access. Trojan programs may also be used to replace normal log in mechanisms
to record usernames and passwords for the attacker. Since it is common for
users to use the same username and password on several separate systems the
attacker may be able to use local usernames and passwords to attack a remote
computer.

Remember: To increase layered security,
assign different
passwords for different machines.

Attackers will often also set
up a sniffer on the compromised server. Sniffers are programs
that allow the attacker to utilize the promiscuous mode of an Ethernet card.
Using this diagnostic mode an attacker can force an Ethernet card to trap traffic
from the LAN, including any unencrypted usernames and passwords that may be
transmitted to or from nearby computers. Sniffing attacks are extremely effective
and are probably the most damaging type of attack due to the range of information
that becomes available to an attacker.

Viruses

Viruses are a common threat that mainly affects client computers
and regular network users. Viruses come in many shapes and sizes, but usually
share a common purpose. A virus is designed to infect an innocuous looking
file or system tool so that when that resource is used it initiates activity
the resource wasn’t designed for. Macro viruses have become some of the most
common on the internet due to the proliferation of Windows and Microsoft Office
applications. Macro viruses are coded in Visual Basic – the Microsoft scripting
language – and can be attached to almost any Microsoft document, spreadsheet,
or e-mail invisibly.
Macro viruses can expose almost any part of the Microsoft system to attack.
The best way to protect against viruses is to follow a few simple steps:

  1. Install the latest version of anti-virus software of your choice: Norton
    Anti-Virus or McAfee are the industry leaders.
  2. Be sure to download updates regularly to protect against new viruses and
    make sure to scan systems for viruses regularly (at least once a week)
  3. Several system wide tools such as Symantec’s offer LAN-wide solutions.
  4. Educate users as to e-mail security. Make sure all e-mail settings are
    set to NOT run active X, disable scripts, and if possible set anti-virus software
    to scan incoming e-mail.
  5. Make sure all LAN users know to NEVER open any attachment that is in any
    way questionable. If users receive an unexpected attachment from someone
    they know they should call and confirm the authenticity of the attachment
    before opening it. Any suspect e-mail should be quarantined and inspected
    by a system administrator and verified before opening. Often a trained programmer
    who opens an attachment using a simple text editor such as Notepad can find
    telltale signs of virus laden e-mail.

Trojan Horses:

As described above, Trojan Horses are programs that are modified
to alter their use. This term has also come to describe any number of remote
administration tools. Remote Trojans are most commonly found on Windows platforms.
Common remote Trojans include Sub Sever, Back Orifice, and Net Spy. A good
anti-virus checker should be able to find most remote Trojans on a Windows client
or server assuming the virus updates are current and checks are run often.
The installation of a remote Trojan is a fairly complex task involving a computer
administrator (any user on a Windows 9x/Me system, or the ‘administrator’ or
user with equivalent privileges on a Win NT/2000 system) installing the executable
and setting it to run. In
order to Trojan a Windows machine remotely an attacker must exploit a target NT system and gain administrator
access, or trick a user or system administrator into installing the Trojan themselves.
Often Trojans are disguised as attachments from legitimate senders (sometimes
this e-mail is ‘spoofed’ so that it appears to have originated from another
sender) or as pornography
or gimmicky game downloads. Once a remote Trojan is installed it will
offer complete administrator access to the target machine and attackers will
usually follows steps similar to those described above under ‘Remote Exploits.’

Trojaning Unix based systems is a much more complex task as it
usually involves a fairly good knowledge of programming and/or operating systems.
Trojaned Unix software will usually log usernames and passwords or provide a
backdoor into a server that may be invisible to normal administrators and is
usually provided as extra insurance for an attacker. The best way to protect
against Trojans on a Unix type system (Unix, Linux, BSD, HP-Unix, AIX, etc.)
is to use some sort of a checksum feature to track changes in system files.
Cecksum features will check for any changes in file
sizes, makeup, or accesses. A sophisticated newtowrk administrator can use
a checksum to differentiate normal system usage from attacks. Tripwire is a freely available tool
that is commonly used for this purpose. Tripwire can monitor system files and
notify administrators if anything unusual should happen (such as changes noted
in the telnet program, login program, etc.). Tripwire is available for Linux
for free, and can be downloaded at www.tripwire.org. A Trojaned server is difficult
to recover because the integrity of back ups may be called into question.

Internal Security Threats:

Default Installs:

As noted above in ‘Remote Exploits’ default installs can be extremely
dangerous. Default usernames and passwords or lack of
any password protection is common on many default installations,
from router hardware to server software. It is important that whenever a new
component is added to the network that the documentation be checked thoroughly
to look for configuration changes that need to be made for security.

Many times changes from a default install for security will involve
more
than simply adding or changing a password.
Many default installations fail to utilize available tools for improving security.
For example, Microsoft NT/2000 systems have capabilities for extended security
logging that are not turned on by default. It is important to review ALL documentation
for products to determine if default configurations need to be changed or improved.

One of the easiest routes for attacking a remote machine is to
leverage default installation configurations. Due to the extent of security
threat posed by default installations it is important to set
up a machine and patch or modify that machine OFFLINE. Installing
the operating system and software and leaving the machine plugged into a live
network connection opens that machine to attack every second between the install
completion and configuration changes. The HoneyNet Project (www.honeynet.org)
has reported one of its servers survived only 15 minutes with a default installation
from the time it was plugged in to a full system compromise. With the level
of scanning occurring regularly on the internet it is critical that machines
be fully prepared before they are connected to the internet. Not only should
a complete install and modification of default configurations be complete before
a machine is connected to the network, but a full ‘hardening’
should be done to the machine. Hardening a machine involves turning off unnecessary
services, enabling additional logging and security precautions and countermeasures.

It is often useful for system configuration and hardening to have
a “sandbox” network available for sysadmins. A sandbox is an offline network
with reserved IP addresses that administrators can use for setup, testing, and
configuration. In addition to using a sandbox administrators should be sure
to keep all downloaded patches on removable media, such as compact disks. This way when a new machine is configured it
need not be plugged into a live connection in order to install patches and updates.

Weak Passwords:

Weak passwords open a network to a host of problems. Attackers ranging from passersby
who have access to a local machine, to remote parties, can all exploit easily guessed passwords. Passwords should never be written down or
placed close to the computer or in obvious places in or around a computer.
In addition to easily guessed passwords, weak passwords are extremely susceptible
to password guessing attacks. Password
guessing attacks, or brute
forcing attacks, are easy to accomplish and provide a wealth
of information to an attacker. Usually a users machine password is the users
e-mail password, and sometime the users password to remote machines or services.
System administrators should regularly review user passwords, or attempt password
cracking against user passwords. This will ensure that weak passwords are weeded
out and helps increase overall network security. Some general rules for choosing
good passwords (these rules should be passed along to users) include:

• Make sure the password is not your user name/login
name
• Never use a dictionary word or a person's name
• Don't use leet speak (substituting numbers for letters with similar appearances)
• Never use a password that can be associated with you personally (a birthdate,
social security number, pet's name, or mother's maiden name)
• Make sure you password is

1. At LEAST
8 characters in length

2. Includes upper
case and
lower
case letters

3. Includes numbers and special symbols such as asterisks and
exclamation points
• Change your password every month or so
• DO NOT use the same password for more than one account (that way if one
password is broken, your other passwords will be safe)
• NEVER send a password over unencrypted e-mail

A good way to choose a password is to pick two simple items that you can easily
remember and separate them by your birth year, then follow or precede your password
with a special character. For example:

Mets72Bush!

Is a relatively strong password and fairly easy to remember. Ideally a strong
password resembles:

Wrt5y!7U?

Brute Force Attacks:

In order to understand the necessity of strong passwords it is
important to understand what a brute force attack is, how it works, and steps
to take to prevent brute force attacks.

1.) Traceroute explained - Grifter
2.) Overview of a few computer security issues - madirish
3.) Footprinting: The basics of hacking - ManicVelocity
4.) DSniff: Use and Abuse - Oshu
5.) Installing Linux on your PalmOS Device - Jayson Staton
6.) Computer Robotics: Hacking towards the future of Electro-Mechanical Companionship - Jayson Staton
7.) A Quick Take on Athlon XP - biatch0
8.) The coming of Age - Dinesh Nair
9.) A newbie intro to Telnet - Kn¿ght

Source

Tags

Intel

You May Also Like

Other Articles In This Section

Recent News

Friday, November 29th

North Korean hackers posing as IT workers steal over $1B in cyberattack
OpenAI is at war with its own Sora video testers following brief public leak
Found on VirusTotal: The world’s first UEFI bootkit for Linux

Tuesday, November 19th

CISA Director Jen Easterly, in Place Since 2021, to Step Down
Korea extradites Russian, Vietnamese suspects linked to $16M ransomware scheme
WhatsApp: NSO Group Operates Pegasus Spyware for Customers

Friday, November 8th

North Korean hackers target cryptocurrency with malware
Man sick of crashes sues Intel for allegedly hiding CPU defects
Law enforcement operation takes down 22,000 malicious IP addresses worldwide

Friday, November 1st

Youth of today say passwords are old news, passkeys are the future
Chinese attackers accessed Canadian government networks – for five years
OpenAI launches ChatGPT with Search, taking Google head-on
Here’s the paper no one read before declaring the demise of modern cryptography
Not just ChatGPT anymore: Perplexity and Anthropic’s Claude get desktop apps

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes