Web of Opportunity, Web of Intrigue
A story about hackers, their tools, and what practices you should follow to defeat them.
By Richard Power and Rik Farrow

Whether you see the stereotypical hacker as a heroic giant-killer or a troubled youth doesn't really matter. What does matter is that hackers can wreak havoc. If they couldn't do real damage, no one would really care about them. And since the mid-1990s, there have been numerous headline-grabbing hacking sprees that have captured the public's imagination. Although tales of digital derring-do make for fascinating front-page reading on your way home from work, even a minor system penetration can result in hundreds of thousands of dollars in losses. Significant, sustained attacks could easily end up costing millions of dollars in investigative costs alone. Remember, too, that there doesn't have to be malicious intent to lead to serious damage.

ALL ROADS LEAD TO ROME

In terms of the financial costs caused by hackers, consider the following case study. Rome Labs, located at Griffiss Air Force Base in New York, is one of the U.S. Air Force's premier research facilities. Its computers contain information on sensitive projects, including artificial intelligence systems, radar guidance systems, and target detection and tracking systems. In March 1994, the lab discovered that someone had used sniffers (software that captures data, such as passwords, as it travels over a network or data line) to successfully compromise 30 of its computers. Air Force investigators tracked the unknown intruder first to an ISP in New York, and then to an ISP in Seattle. Next, they turned to keystroke monitoring (a way to see what someone is actually typing when that person is on-line) at Rome Labs, as well as at the ISPs in New York and Seattle.
Investigators soon learned that the attack was being performed by two hackers, one known as "Kuji," the other "Datastream Cowboy." With the help of an informant, the Air Force investigators learned that at least one of the hackers was operating from the United Kingdom. Investigators from Scotland Yard entered the chase. The U.K. investigators soon discovered that the hackers used telephone lines in Colombia and Chile to reach the ISP in New York, and then broke into the Rome Labs system from there. They also detected the same pattern leading from phone lines in South America to the ISP in Seattle and then on to Rome Labs.

As the probe continued, it became apparent to investigators that the hackers were following a trail of U.S. defense contracts and moving out from the Rome Labs site to attack other sites, including Air Force contractors in Texas and California, as well as the Goddard Space Flight Center in Greenbelt, MD, NASA's Jet Propulsion Lab in California, and Wright-Patterson Air Force Base in Ohio. Going from the U.K. through South America up to the ISP in Seattle, the hackers even attacked computers at NATO headquarters in Europe. In one of the most disturbing episodes of the investigation, investigators detected that data from Wright Air Force Base was being sent through the Seattle ISP to the tiny country of Latvia, in the former Soviet Union. Even more chilling was the discovery that the hackers had succeeded in gaining access to the South Korean Atomic Research Institute. (The figure on page XXX shows the full reach of the Rome Labs break-in.)

At 8 p.m. on May 12, 1994, U.S. and British investigators sat in four unmarked cars at a stake-out in a London suburb. By mobile phone, they were alerted by investigators at Rome Labs that Datastream Cowboy was on-line. The team raided the house and discovered that the hacker was a 16-year-old boy.
His cohort, Kuji, successfully eluded identification and apprehension for two more years, but was eventually arrested in June 1996. A damage assessment of the intrusions into Rome Labs' systems indicated a loss to the United States Air Force of $211,722. But this total doesn't include the cost to other agencies that were attacked, for example NASA's Jet Propulsion Lab, the Goddard Space Flight Center, or Wright-Patterson Air Force Base. Indeed, according to the testimony of Jim Christy, an Air Force investigator, before the U.S. Senate Permanent Subcommittee on Investigations, the complete extent of the damage is unknown. The investigation was unable to reveal what was downloaded from the networks or whether any data was tampered with. And when you consider the sensitive information contained on the various computer networks, it is very difficult, perhaps impossible, to quantify the total losses from a national security perspective.

THE HACKER TOOLKIT

Although the hack at Rome Labs seems to be a sophisticated, complex attack, the tools that hackers such as Kuji and Datastream Cowboy employ are actually easy to use, and easy to find. Steve Romig, a researcher at Ohio State University (Athens, OH), gives us some insight into the typical hacker toolkit.

"For starters, they use good, general-purpose probing and scanning tools. Something like Fping to probe for active hosts, and something like Strobe to probe for network services running on that host. More clueful hackers use so-called stealth scanners that can dodge some of the simpler scan detection schemes, or probe behind some sorts of packet filters. Hackers can probe a host for a variety of vulnerabilities using all-round tools such as Satan or Ogre. But some hackers are more fixated on specific holes. So, rather than examining one host and exploring it from all angles to see what vulnerabilities they can take advantage of, they run one or more remote 'exploit scripts' that attack a specific vulnerability.
Some examples of these include the PHF hole for the Web or IMAP for Linux hosts. These hackers simply scan the Internet for hosts that might be vulnerable to the scripts they have. Once hackers attain access to a host, they use local exploits to gain privilege (for example, root access on a Unix host), if the remote exploit didn't grant them that already. These exploit scripts are generally easy to run. They don't require extensive knowledge of how they work or even what they do. Either they work and you're in, or they don't, in which case you try something else or move on.

Once inside a host, hackers will hide their tracks. To help them do this, the many versions of Rootkit contain replacement files for login, ps, netstat, and ifconfig. They also often contain replacements for system programs such as ls, du, df, and find. The login replacement typically is set up with a special password that allows you backdoor access for a root login, while not logging your presence. The other replacements allow you to hide critical clues of a hack, including the presence of network links, promiscuous mode, and suspect files and directories. There are also other interesting backdoor programs that you can use to set up root access to a host over the Internet, using various mechanisms that are not always blocked by packet filters. Finally, the complete hacker's toolkit includes various sniffers, password crackers for UNIX and NT, and of course, numerous denial of service tools."

Not only are these tools easy to use, they're also easy to get. According to Andrew Gross, a researcher at the San Diego Super Computer Center, "There are multiple web sites, www.rootshell.com being the most notable, that have a whole database of exploits that is convenient and searchable. Nowadays, you can just say 'Oh, this is an IRIX machine I want to get into,' and then search for ways to do this in the database.
"Most of the hacking scripts I see these days come either from the Bugtraq mailing list or can be found at www.rootshell.com. This gives us a nice way to determine if we're up against someone who generates new exploits."

According to representatives at Connectnet (San Diego), the ISP that maintains www.rootshell.com, the company keeps the site to pressure software vendors into notifying users of vulnerabilities and distributing fixes for emerging hacking methods. At the site, you can browse for exploits by the month and year, or simply type in a search keyword. For example, in a recent session, typing in "denial of service" provided us with 15 matching exploits. Each entry was complete with a date of origin and a descriptive sentence. Sunkill.c was described as an "effective denial of service attack against Sun boxes running Solaris." Likewise, a search on "sniffer" provided us with a dozen sniffers and related documents, including Linsniff.c, a password sniffer for Linux, and Promise.c, a program that scans network devices to detect the presence of sniffers. If you're hot on the trail of the latest exploit, you can just search on its name. For example, a search on "Land," a recent denial of service attack, yielded us information on the variety of Land versions, including Latierra.c, an "enhanced version of Land.c which works better against NT SP3 among other things." That's how easy it can be. And remember, there are numerous other sites, such as www.geek-girl.com/bugtraq, to help hackers stock their toolkits.

SOUND PRACTICES FOR INTERNET SECURITY

The Internet and the World Wide Web have brought unprecedented opportunities for profit and growth, but it is also clear that they have brought unprecedented dangers to network security.
To deal with these new risks in a responsible way, organizations are scrambling to develop bodies of sound practices (sometimes called "best practices" or "benchmarks") that will hold true not only for the organizations themselves, but for whole industry segments. For example, in order to benchmark the information security practices of financial services institutions, the Federal Reserve Bank of New York established a computer security team. The team visited a cross-section of financial service institutions, as well as security firms, service providers, common carriers, certified public accounting firms, and other industry-related organizations. Then it developed a document to provide guidance on sound practices for protecting private local and wide area networks and systems, as well as an overview of Internet technology and sound practices for protecting Internet sites and networks connected to the Internet.

Here are some of the suggestions presented in the report:

Keep the firewall and site server configurations simple. Implement only the applications, utilities, and services required for the firewall or Internet-site server to support the institution's business needs. Remove everything else.

Use commercially available applications to periodically probe networks and firewalls for weaknesses.

Consider using a separate proxy server for each application.

Perform due diligence with regard to service providers' security measures and require a comprehensive contract with service providers that covers security issues.

Provide each desktop system on the network with virus scanning software and install virus scanning software at critical entry points, such as e-mail proxy servers.

Do not allow any external users to use Telnet to reach your organization's critical network components. Allow outgoing Telnet sessions only to specific locations.

Consider the use of public key/private key encryption technology to establish secure communications with customers.
Require strong authentication for customers when providing fully transactional processing services.

Richard Power is editorial director of the Computer Security Institute (San Francisco). You can reach him at rpower@mfi.com. Rik Farrow is an independent security consultant. You can reach him at rik@spirit.com.

CAPTION
Rome burned. The Rome Labs attack, detected in 1994, produced these statistics: two hackers, 26 days of attacks, 20 days of monitoring, seven sniffers on Rome systems, 150 plus intrusions at Rome Labs, 10 different points of origin for the attacks, and at least eight countries used as a conduit for the attacks.
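The rootkit replacements described in THE HACKER TOOLKIT (login, ps, netstat, ifconfig, ls, du, df, find) can be detected by comparing each binary against a baseline recorded before the host went into service, which is the same integrity-checking idea behind the "probe for weaknesses" advice above. The following check is an added example written for this article, not code from the authors or from any tool the article names; the directory, the file contents and the "trojaned" replacements are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for the system binaries a rootkit
typically replaces. Added example; all paths and contents are constructed."""
import hashlib
import os
import stat
import tempfile

# Binaries the article says Rootkit variants replace, as named on a Unix host.
WATCHED = ["login", "ps", "netstat", "ifconfig", "ls", "du", "df", "find"]

def fingerprint(path):
    """Return (sha256 hex, size, permission bits) for a file, or None if missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))

def build_baseline(bindir, names=WATCHED):
    """Fingerprint trusted binaries. Keep the result off-host or on read-only media,
    since a replaced ls/find can hide an on-disk baseline just as easily."""
    return {n: fingerprint(os.path.join(bindir, n)) for n in names}

def compare(baseline, bindir):
    """Return {name: reason} for every watched binary that no longer matches."""
    findings = {}
    for name, expected in baseline.items():
        current = fingerprint(os.path.join(bindir, name))
        if current is None:
            findings[name] = "missing"
        elif current[0] != expected[0]:
            findings[name] = "content changed (hash mismatch)"
        elif current[2] != expected[2]:
            findings[name] = "permissions changed"
    return findings

def demo():
    """Constructed scenario: a clean tree, then 'ps' swapped and 'login' loosened."""
    with tempfile.TemporaryDirectory() as bindir:
        for n in WATCHED:  # stand-ins for the genuine binaries
            with open(os.path.join(bindir, n), "wb") as f:
                f.write(b"#!/bin/sh\n# genuine " + n.encode() + b"\n")
            os.chmod(os.path.join(bindir, n), 0o755)
        baseline = build_baseline(bindir)
        with open(os.path.join(bindir, "ps"), "wb") as f:  # simulated rootkit ps
            f.write(b"#!/bin/sh\n# replacement ps that omits certain processes\n")
        os.chmod(os.path.join(bindir, "login"), 0o777)  # made world-writable
        return compare(baseline, bindir)

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

A hash mismatch is the signal that matters most here: a replaced ps or netstat keeps its name and usually its permissions, so a size-and-date check alone is not enough.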