Hacker "secrets" shouted out loud in the gray zone

By Richard Power and Rik Farrow

As we wade ever deeper into the "Information Age," the stakes are rising. Corporations and government agencies are demanding more and more from their information systems. Consequently, the struggle to secure Internet connections and internal networks against attack is intensifying. Ironically, information itself, whether used for good or ill, is the most powerful weapon in the entire arsenal.

Those who rely solely on Computer Emergency Response Team (CERT) advisories and vendor-supplied patches to build their approach to network security are living in a fantasy world. Information security is a complex, dynamic and multi-dimensional realm. Your sources of information must be numerous and diverse if you want to get the big picture while also attending to the minute details. For example, one of your most worthwhile resources may well be the very people you are trying to stay ahead of.

"Meet the Enemy"

For years, Ray Kaplan, now a senior network security consultant for Secure Computing, has been bridging the gap between the established information security community and the "electronic underground" by holding teleconferences, under the auspices of the Computer Security Institute (CSI), between "hackers" and the more straight-laced security practitioners employed by corporations and government agencies. At the most recent "Meet the Enemy" session, held at CSI's 1998 NetSec conference in San Antonio, TX, the hacker panel assembled by Kaplan provided some fascinating fodder.

Are there serious weaknesses in the security posture of most Internet Service Providers (ISPs)?

"Does it get dark at night? They're wide open. They're in it for the money. They get up and running as fast as possible to get you to pay them to put you on-line. Most of them have put very little care or effort into even stopping spam or anything else, unless it directly influences their profit margin."
"If you're shopping for an ISP, first of all, ask them if they have a dedicated security professional looking after their systems, and if they don't, just keep shopping. If the ISP does not support SSH, don't use them."

What about the security provided by Windows NT?

"It's a joke. 'NT' stands for 'Nice Try.' Nice Try number four, Nice Try number five..."

How safe is a properly configured and well-administered firewall running on NT with every recommended patch in place?

"I would never run a firewall that ran on NT. As long as Microsoft refuses to 'play nicely' with others and doesn't release its source code so that the kernel can be hardened (which, contrary to public opinion, is 'in the wild,' i.e., available to hackers in the electronic underground), there are going to be serious problems."

"What you're saying is, 'Yes, there are these exploits, but they have been patched, so what's the problem?' But it is naive to think that way. The real issue is that they indicate a trend. Every operating system has bugs, but the kind of problems that come up with NT have been at a much more fundamental level. There is a lot more that has been discovered that is going to be made public soon. Look for Phrack #53."

During the teleconference, the hackers suggested that as little as five percent of serious network intrusions become public. "When a bank is hit, the incident is swept under the carpet. They do not want to talk about it, they do not want their customers to know."

Nor is it only banks, government agencies and major corporations that are at risk. In one recent incident the hackers described, a little locksmith, a "mom and pop shop," was hit. "They didn't even realize they had been hacked until they talked to me. They were running some remote PC access stuff, and somebody downloaded a list of master keys." Door keys are not just random indentations on a piece of brass; there are specific plates, and every key has a number.
So somebody got the master keys for a high-rent apartment complex in that particular area.

And in regard to digital keys, it is a widely heralded bit of "conventional wisdom" that Public Key Infrastructures (PKIs) will snuff out the party. But a question about the deployment of PKIs revealed that the hackers were actually licking their chops in anticipation.

"That's going to be a lot of fun. Those are going to be great hacking targets. How much is Verisign's key going to be worth? Key management is one of the biggest problems. You've got to generate the keys and get them out there. Most schemes don't take key management into account. People are left to fend for themselves. My bet is that in many cases the algorithm used for creating and distributing 'certificates' is going to have to be on a system that is accessible, and that is where the PKIs will fall apart."

Many "old guard" information security professionals grow sentimental, speaking of the bygone days before distributed systems, when the scope of issues revolved around a mainframe sitting "securely" inside a glass room. But the hackers debunked that bit of "conventional wisdom" as well.

"Generally, mainframe security is terrible, especially in state governments. For example, in one particular state government system, every user had to change their password every month, and it had to be longer than three digits. So all the users were putting in the first day of the month, so once you had a user ID to go with it, you were in!"

Intrusion Detection Systems (IDS) weren't spared scorn either. "This generation of IDS is broken, the last generation of IDS was broken, and the one before that was too. Maybe someday someone will figure out how to do it without stopping the system or allowing Denial of Service (DoS) attacks, but not yet." As corroboration of their harsh assessment, the hackers pointed to a study done by Thomas Ptacek, now with Network Associates, and others, which can be viewed at http://www.secnet.com.
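The state government policy the panel described above (monthly rotation, "longer than three digits," everyone typing the first day of the month) is something an administrator can audit for rather than discover from a hacker. The following is an added example, not code from the article or the panel; the user records, the rotation dates and the set of date spellings it checks are constructed for illustration.

```python
from datetime import date

# Added example, not from the article: audits a monthly-rotation password
# policy like the mainframe the panel described, flagging passwords that are
# just the first day of the month in some spelling.
MIN_LENGTH = 4  # "longer than three digits"

def date_candidates(d):
    """Obvious spellings of the first of the month as a password."""
    first = d.replace(day=1)
    yy, yyyy = f"{first.year % 100:02d}", f"{first.year:04d}"
    mm, dd = f"{first.month:02d}", f"{first.day:02d}"
    mon = first.strftime("%b").upper()    # e.g. AUG
    month = first.strftime("%B").upper()  # e.g. AUGUST
    return {mm + dd, dd + mm, mm + dd + yy, dd + mm + yy, mm + dd + yyyy,
            yyyy + mm + dd, mm + yy, yy + mm, mon + yy, mon + dd,
            mon + dd + yy, month, month + yy, mon + yyyy}

def audit(records):
    """Map each user to 'too_short', 'date_derived' or 'ok' (case and separators ignored)."""
    findings = {}
    for user, rotated_on, password in records:
        normalized = "".join(c for c in password.upper() if c.isalnum())
        if len(password) < MIN_LENGTH:
            findings[user] = "too_short"
        elif normalized in date_candidates(rotated_on):
            findings[user] = "date_derived"
        else:
            findings[user] = "ok"
    return findings

def exposure_ratio(findings):
    """Share of accounts a policy-aware guesser opens with a handful of tries."""
    if not findings:
        return 0.0
    return sum(f != "ok" for f in findings.values()) / len(findings)

# Constructed sample records modelled on the panel's anecdote.
SAMPLE = [
    ("jsmith", date(1998, 8, 14), "0801"),         # MMDD of the first
    ("mjones", date(1998, 8, 3), "aug-98"),        # month + year, separator
    ("tlee", date(1998, 8, 20), "080198"),         # MMDDYY
    ("rkim", date(1998, 8, 9), "801"),             # fails the length rule
    ("apatel", date(1998, 8, 1), "Nile7Fedora"),   # not derivable from date
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result, f"exposed: {exposure_ratio(result):.0%}")
```

Fed real rotation dates and the password list from an audit, the same check tells you how much of the user base a guesser who merely knows the policy would walk into.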
Summarizing the overall situation vis-a-vis security in cyberspace, the hackers sounded a note remarkably similar to that of countless network professionals who take the issue seriously.

"The problem isn't as technical as it is attitudinal. People just don't care. And the people who do care are often under-funded. People are busy; they don't have time to review security if they are billable and they have a lot of work to do. If there is an information security officer in an organization, there is usually only one for the entire organization. We find situations where security is either very good or very bad. And with upper management making all the decisions company-wide, it is almost impossible to convince large organizations to invest in security. So those with talent for it just throw up their hands and say, 'I can't be here, I can't do my job, I can't sleep at night.' It isn't a downward decline, it is just that management either recognizes the issue or they don't."

"Black Hat Briefings"

The promotional literature for the "Black Hat Briefings" displays a thin, dark-suited man in a black bowler and reads: "The choice is yours, you can live in fear of them, or you can learn from them." But although it is billed as a kind of "Meet the Enemy" in person rather than via teleconference, the "Black Hat Briefings," organized by underground impresario Jeff Moss (a.k.a. "Dark Tangent") and sponsored by his employer, Secure Computing in Minneapolis, MN, has evolved into a technically oriented conference featuring some of the best minds in cyberspace security, regardless of pedigree. The "Black Hat Briefings" speakers include some who have long since migrated to the socially acceptable side of hacking, such as Peter Shipley (a.k.a. "Evil Pete," although he claims that was just a nickname given to him by a girlfriend), who is now a security consultant with KPMG.
But it also features others who, although they have been on the "right side" from the start, nevertheless possess the explorer's soul that personifies the hacker's mystique. Such technologists approach every router port and each individual line of code as if it were quite possibly the source of the digital Nile; Marcus Ranum, now CEO of Network Flight Recorder, is one example. (Perhaps the most fitting symbol wouldn't be a black bowler at all, but rather a gray fedora.)

One of the most intriguing presentations of the conference was given by "Dr. Mudge," a prominent member of the L0pht, the hacker group responsible for numerous advisories and tools, including L0phtcrack, the Windows NT password decryptor; "Monkey," the S/Key password cracker; the Solaris getopt() root vulnerability; the sendmail 8.7.5 root vulnerability; the Kerberos version 4 cracker; and the SecurID vulnerabilities. Fellow attendee Laurence Deitz, Vice-President of Current Analysis, a market research firm, described Mudge as the "pick of the litter."

At the "Black Hat Briefings," Mudge spoke on the weaknesses in virtual private network (VPN) technology, delivering a dissertation on possible exploits of Microsoft's Point-to-Point Tunneling Protocol (PPTP). PPTP was designed to solve the problem of running a VPN over a public TCP/IP network using the Point-to-Point Protocol (PPP). PPTP allows for many types of encryption and authentication, but most commercial products use Microsoft's version of the protocol. In the presentation, based on cryptanalytic research performed with world-class cryptographer Bruce Schneier of Counterpane Systems, Mudge outlined several problems, including ways to recover encryption keys through dictionary attacks as well as passive monitoring, spoofing of PPP, client information leaks, and control channel and server DoS attacks.
For example, Mudge illustrated numerous ways to break encryption keys used in PPTP, including attacks against the NT and LAN Manager password hash functions. In their study, Mudge and Schneier conclude that Microsoft's authentication protocol is "very weak and easily susceptible to a dictionary attack." They assert that most passwords can be recovered within hours.

"We have found the encryption, both 40-bit and 128-bit, to be equally weak, and have discovered a series of bad design decisions that can make other attacks against this encryption possible. We can open connections through a firewall by abusing the PPTP negotiations, and can mount several serious denial of service attacks on anyone who uses Microsoft PPTP. Microsoft's PPTP implementation is fragile from an implementation perspective and seriously flawed from a protocol perspective."

This research is important. The security of a VPN is based on its authentication and encryption protocols. If a VPN's cryptography is weak, Mudge and Schneier observe, then its security is no better than that of a non-private network routed over the Internet.

Hiring hackers?

It is considered "politically correct" by many to distinguish between "hackers," i.e., those who through precociousness, technical savvy or both expose critical vulnerabilities in the spirit of exploration, and "crackers," i.e., those who break into systems and do damage to them with malicious intent. And indeed, it is a distinction that can be very useful. Unfortunately, it isn't cut and dried; it isn't a simple duality of black and white, and there is a lot of gray area. For example, some who pride themselves on being "hackers" rather than "crackers" may consider certain types of intrusion harmless, while others may view the same types of intrusion as unethical, if not illegal. Also, if someone is portrayed as a "hacker" rather than a "cracker," does it mean that they have never gained unauthorized access, or simply that they have never been caught?
There are numerous individuals who call themselves "hackers" and have contributed to the growing body of knowledge about information systems security. But there are also numerous individuals who call themselves "hackers" who would be considered "crackers" if a more rigorous definition were applied. The point is that you must proceed with caution, decide for yourself where to draw the line, and then explore these issues with those you are considering hiring as consultants or in-house security experts for penetration testing or security assessments. Background checks are helpful; references are vital.

But whatever decisions you make in regard to who you want banging on your systems, it is imperative that you avail yourself of the critical information that is out there. Events such as Ray Kaplan's "Meet the Enemy" and Jeff Moss' "Black Hat Briefings," as well as hacker publications such as the paper-based 2600 and the electronic Phrack, are invaluable resources.

Date: Mon, 10 Aug 1998 09:15:37 -0700
From: RPower@mfi.com (Richard Power)
Subject: article
To: LChae@mfi.com (Lee Chae), rik@spirit.com

this is the url for the VPN paper mentioned in the column
http://www.counterpane.com/pptp.html

this is the url for L0pht:
http://www.l0pht.com

this is the url for the Black Hat Briefings
http://blackhat.com

it would be helpful to the readers to somehow include these... is it possible?

Richard