
Hacker attack techniques and tactics: Understanding hacking strategies

21 May 2009 | SearchSecurity.com

Hacker tactics and techniques are constantly evolving. Hackers are continually developing new attack tools and hacking strategies to gain malicious access to systems and attack your network, making it difficult for organizations to develop and implement the proper policies and procedures necessary to prevent hacker attacks. This tutorial on hacker attack techniques and tactics will provide insight into the mind of a hacker and help you to understand a malicious attacker's motives. You will receive advice on how hackers target specific information and what policies and procedures every organization should have in place to protect sensitive data. You will receive information on an array of specific hacker techniques and tactics, such as system fingerprinting and probing, which allow hackers to obtain access to your network systems or files. You will learn how to thwart hacker tactics and techniques with a variety of procedures and defenses, including intrusion prevention and detection (IPS/IDS) technology. This guide also offers valuable advice on the importance of securing your network endpoints and will teach you how to mitigate the threat of hackers connecting to your computers via open network ports. You will also receive tips on how to know if your system has been compromised by a malicious hacking attempt, how to keep your wireless network secure and best practices for end-user education on current threats and preventative measures.

How to stop hacker theft: Employee awareness, risk assessment policies


Think for a moment about the possibility of your company's infrastructure being in the crosshairs of a serious malicious hacker. How valuable would information about your infrastructure be? Do you really know how much sensitive information is publicly accessible or easily obtainable with a little creativity? How can you stop hacker theft of this information? The first step in any serious hacker's attack is reconnaissance on a target. Let's look at a few of the more common techniques and learn how to stop hacker theft.

Often there will be a surprising amount of sensitive information about your company sitting on the Web, waiting for someone to stumble upon it. Have you ever searched IT forums for your domain name? Try it! All too often, technical employees will post questions or answers to public forums, mentioning specific equipment in use at the company, and they'll use their work email address! Ouch! Obviously, they aren't thinking about the "black hat" who would love to find out what type of firewall or server you own without having to touch your network. To avoid this scenario, enforce an employee awareness training program and risk assessment policies that require enterprise users to use a non-work email address to post any information to a public forum. Make sure employees know that the company's name should never be used in such postings. They'll still get their questions answered, but your infrastructure details won't be posted for the world to see.

Another place hackers go for information about your technical staff is the online databases of IP address and website registrants. There are actually four databases, each containing this type of information for various parts of the world. Check out the Whois section of ARIN.net, and see if your company's domain name lists the name, email or phone number of your technical staff. Ideally, you should provide generic information in these fields to prevent a hacker from assuming the identity of such staff to coerce your users into divulging their passwords or other sensitive information.

One man's trash is another man's treasure, literally! Dumpster diving is an old, dirty but still fruitful information-gathering technique by which an attacker peruses your trash, looking for Social Security numbers, phone numbers, user IDs, IP addresses and passwords. An employee awareness training program should be diligently enforced, showing employees how to properly destroy media containing any information that could be used for the wrong reasons. You may think this is unnecessary, but I encourage you to audit the contents of a trash can near one of your network printers, especially in an IT area. Would you be comfortable handing over the findings to a hacker?

Hacker techniques and exploits: Prevent system fingerprinting, probing

Serious hackers don't shoot in the dark when attempting to penetrate a system. Instead, they will use hacker techniques such as operating system fingerprinting and probing to systematically identify what systems and services your company is running to determine your weakest link. Are you connected to a partner network that has a firewall equivalent to Swiss cheese? Does your remote access system require only mediocre authentication? Do you have in-house staff developing webpages that haven't been checked for security holes? These are the weaknesses hackers are looking for.

In every hacker's tool bag are a variety of free system probing and fingerprinting tools, the purpose of which is to identify specifics about your hardware and software configurations. Some of these tools will undoubtedly check for open ports on routers and firewalls and identify what system services are available for exploitation. To get an idea of what a hacker would see, download and run some of these tools against your own network. Be sure to let your staff know when these tools are being run, in case there are performance issues when certain scans are launched, and always test them against a few non-critical machines first.

The first step in defending against hacker techniques and exploits designed to access your systems is to block unnecessary incoming firewall ports. The ports that remain open should be protected by patching the services that use those ports, such as Web services, email and FTP. Your software vendors should be able to provide their most up-to-date patches. CERT lists vulnerability information about services you may be running. Additionally, Cassandra is an excellent online vulnerability database, freely available to assist you in identifying which vulnerable services you are running, and it includes many applications not listed elsewhere.

To determine if someone is using such tools to probe and fingerprint your operating systems, you'll need to implement at least one type of logging tool that will record port scans, fingerprinting, failed login attempts, etc. Ideally, any open ports should be monitored with an intrusion prevention system (IPS), which will detect and prevent most attacks before they reach your systems. A common free and open source IDS and IPS is Snort (an intrusion detection system only detects attacks and does not prevent them). A quick Google search will yield plenty of free support and add-ons for Snort. Whatever system you implement to detect operating system fingerprinting and probing, you'll want to keep an eye on the log files to identify which machines seem to be probing your systems. Many firewalls and intrusion detection/prevention systems can alert you via email or launch a program when an attack is detected, but none of these systems is capable of reaching through the hacker's monitor and slapping their hands. Someday

Using free network intrusion detection and prevention tools to stop hacks
By now, you've probably been hit up by every security vendor about their latest network intrusion detection and prevention tools or products, claiming they can do everything from stopping viruses to reconfiguring your firewalls. Unfortunately, most of the commercial systems will set you back a small fortune. What's a budget-minded security manager to do when some sort of alerting system is needed, especially when the next fiscal year is many months away? There are several free network intrusion detection tools out there to get you on your way to being well-informed when hackers knock at your door.

First, be sure to have a tool in place to analyze network traffic, most importantly near the edge of the network. Snort is, by far, the leading free IDS software available, although commercial versions of Snort are now available as well. Snort can be configured to monitor all network traffic. Typically, you'll want to replicate your Internet inbound traffic to one or more switch ports (in Cisco terms, you'll span traffic to a port), where a Snort-equipped computer will be running. Your only cost is the computer itself; Snort runs on Linux or Windows. Often, a spare PC with a decent-sized hard drive will do fine. Snort can dump suspicious-looking traffic to log files, after which you can set up any of several free alerting tools to monitor the log files and email or page you when such traffic is detected.

Second, you must have a way to analyze system security logs. Working your way in from the border of your network, make sure your border router is configured to send syslog messages to a server you can access from inside your network. Some firewalls can send syslog messages as well, which you can direct to the same internal server. Also, make sure servers in your demilitarized zone (DMZ) are either accessible from the inside, or configure their event logs to point to an internal server. Making these configuration changes to routers, firewalls and servers is not as difficult as it seems, and usually takes just a few commands or mouse clicks.

Once all log files are accessible, it's time to install a free alerting tool or write your own. If you're interested in writing your own alerting tool, Batch, Perl or other free scripting tools can be used to execute parsing commands, such as the Windows "find" command or the Unix "grep" command. This can help to find suspicious-looking activity in log files from both Snort and your server, router and firewall security logs. A free email program, such as Blat, can then be used to send log entries to a pager, cell phone or email address. This is definitely a crash course in developing a budget alerting system, but you'll be surprised at how well such a system can provide alerts to potentially malicious events, like port scans and failed login attempts, at an extremely low cost.
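As an added example (not code from the original article), here is a small Python version of the home-grown alerting script sketched above, serving both the fingerprinting/probing section and this one: it parses border-firewall drop lines and sshd failures, flags a source that touches many distinct ports or fails login repeatedly, and formats the message you would hand to Blat or smtplib. The log lines, thresholds and IP addresses are constructed for the example, and the function names are this example's own.

```python
"""Budget alerting: parse firewall and auth log lines, flag port scans and
failed-login bursts, and format the alert text a mailer would send.
Added example; every log line below is constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines, roughly what a border router or an
# iptables LOG rule emits for dropped inbound packets. Hypothetical addresses.
FIREWALL_LOG = """\
Mar 21 10:15:01 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=21
Mar 21 10:15:01 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22
Mar 21 10:15:02 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=23
Mar 21 10:15:02 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=25
Mar 21 10:15:03 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=80
Mar 21 10:15:03 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=443
Mar 21 10:15:04 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40007 DPT=3389
Mar 21 10:20:00 border kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=445
"""

# Constructed sshd lines from a DMZ server whose syslog is forwarded inside.
AUTH_LOG = """\
Mar 21 10:30:11 dmz-web sshd[2211]: Failed password for root from 198.51.100.7 port 50110 ssh2
Mar 21 10:30:13 dmz-web sshd[2211]: Failed password for root from 198.51.100.7 port 50111 ssh2
Mar 21 10:30:15 dmz-web sshd[2211]: Failed password for admin from 198.51.100.7 port 50112 ssh2
Mar 21 10:30:17 dmz-web sshd[2211]: Failed password for test from 198.51.100.7 port 50113 ssh2
Mar 21 10:30:19 dmz-web sshd[2211]: Failed password for user from 198.51.100.7 port 50114 ssh2
Mar 21 10:31:00 dmz-web sshd[2212]: Accepted password for vhaber from 10.1.2.3 port 50200 ssh2
"""

FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=\S+ PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def detect_port_scans(log_text, port_threshold=5):
    """Return {src_ip: sorted distinct ports} for sources that hit at least
    port_threshold distinct destination ports. This is the "grep | sort |
    uniq -c" step of a scripted alerting tool, done in one pass."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= port_threshold}


def detect_failed_logins(log_text, fail_threshold=3):
    """Return {src_ip: [user IDs tried, in order]} for sources with repeated failures."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            fails[m["src"]].append(m["user"])
    return {src: users for src, users in fails.items() if len(users) >= fail_threshold}


def build_alert(scans, logins):
    """Format the body an alerting script hands to its mailer. Returns None
    when there is nothing to report, so no empty pages go out."""
    lines = []
    for src, ports in scans.items():
        lines.append(f"PORT SCAN from {src}: {len(ports)} ports ({', '.join(map(str, ports))})")
    for src, users in logins.items():
        lines.append(f"FAILED LOGINS from {src}: {len(users)} attempts, "
                     f"user IDs {', '.join(sorted(set(users)))}")
    if not lines:
        return None
    return f"Security alert {datetime.now():%Y-%m-%d %H:%M}\n" + "\n".join(lines)


if __name__ == "__main__":
    body = build_alert(detect_port_scans(FIREWALL_LOG), detect_failed_logins(AUTH_LOG))
    print(body or "nothing to report")
    # Delivery is left to the mailer you already have: Blat on Windows, or
    # smtplib.SMTP("mailhost").sendmail(...) on any platform.
```

In a real deployment the two constants would be replaced by reading the forwarded syslog files (or the output of `grep`/`find` as the text suggests) on a schedule, and the thresholds tuned so that a vulnerability scanner you run yourself does not page you every night.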

Improving network security: How to avoid physical security threats


Vernon Haberstetzer, Contributing Writer 01.31.2005

There it is: that little jack on the wall that's connected to a world of information, ranging from the Internet to your company's payroll system. One click of a network cable into the jack and they're on their way! Who, you might ask? Let's start with the curious one who finds an active network jack in a nice, quiet conference or training room. What are the real issues with this, and how do you combat them? Here you will learn how improving network security can combat physical security threats.

Private facilities have always had an advantage over public facilities in that they are easier to physically secure. Public areas, such as hospitals, universities and libraries, can be a challenge to secure because of the lack of physical security. Public or private, there will always be some level of security risk wherever a network jack is active. Classrooms, communications closets and conference rooms are a few of the problem areas commonly found unlocked and accessible to anyone curious enough to peek inside.

Let's demonstrate the risk with an example scenario. Suppose a hacker connects a laptop to a network jack in your building. Most network jacks are active, meaning they are connected to a functioning piece of network equipment. If you run a DHCP server, which hands out IP addresses to any device that is plugged into the network, one will be issued to the hacker's laptop as well. If DHCP is not used, the hacker can simply launch a sniffer and find an unused IP address for his laptop. Once connected, a few simple commands can locate some of your key servers, after which the enumeration of user accounts and services begins. In a matter of minutes, passwords will likely be compromised, a service or two may be exploited and the game is over; the hacker has won. You've now got a real mess on your hands.

Fortunately, there are ways to avoid physical security threats and prevent hackers -- or even vendors and contractors, for that matter -- from connecting computers to your network when they find a network jack. One thing you can do is disable network jacks in conference rooms and classrooms until people need them. Keeping these rooms locked whenever possible is another best practice. A third defense is to configure your network switches to only allow network cards with specific addresses, called MAC addresses, to connect to the network. Every network card is programmed with a unique MAC address, though these can be altered via spoofing software. Even more stringent is the option of configuring network servers to require a valid computer certificate before a user can log on. Keep in mind, if you want to keep unauthorized people from using computers already connected to your network, such as classroom PCs, you should enforce bootup and screensaver passwords to lock the PC at both the client side and the network side, as well as requiring a user certificate. To learn more about certificates, contact a vendor of Public Key Infrastructure (PKI) and digital certificate systems.

Most of the above recommendations require the involvement of server and network administrators, who may not immediately see the value in these changes until you explain the reality of these security risks. Active network jacks are the entrance to a hacker's playground, and can result in a major security incident if ignored.

Defining authentication system security weaknesses to combat hackers


Vernon Haberstetzer 02.06.2005

Ah, the good ol' login screen. Is any secure system complete without one? Whether it's a website login screen or a Unix login prompt, most systems' security relies solely on a valid user ID and password to prove one's identity. Since this is usually the only access requirement, it's worth putting your authentication system security practices under a magnifying glass to uncover any authentication weaknesses and see just how well they hold up to a curious hacker.

It's extremely common for hackers to try to brute-force their way into a system by guessing commonly used user IDs and passwords. It's a best practice to avoid using "admin," "test," "user" and any default user IDs. Common passwords to avoid are the user ID, "password," "pass" and any default passwords.

Some systems make it easy for a user to discover a valid user ID by displaying a revealing message when a logon failure occurs. Such messages may say, "Invalid user ID," telling the hacker that he or she should keep guessing user IDs. When a valid user ID is found, a malicious hacker may then be shown another revealing message, such as, "Invalid password." Ideally, a system's logon failure message should be generic, such as, "Invalid user ID or password," regardless of the reason for failure. Otherwise, the hacker could enumerate a valid user ID and start guessing passwords, looking for a weak one, which brings us to the next point.

Weak passwords are a significant authentication system security weakness. If at all possible, enforce password rules for every system on the network, especially for systems at the network border. Password and account rules should at least require a mix of letters and numbers, and should specify a minimum password length, password history, account lockout and password expiration. If possible, set password rules that do not allow a password to be the same as the user ID or the user's first or last name, as these are easy to guess. The goal is to force users to choose strong passwords.

To really beef up your authentication mechanism, you should enforce a two- or three-factor authentication system. Multifactor authentication means at least two different types of credentials must be submitted for a user to be authenticated. There are three categories of authentication factors: something you have, something you know and something you are. Each factor in the authentication mechanism should be from a different category than the others. In other words, a user ID and password is still one-factor authentication, since both pieces are something you know. Some valid combinations would be a key fob token and a PIN, a thumbprint and a password, or a retina scan and your voice. By improving your authentication mechanisms you are making it tougher for hackers to brute-force their way into your systems. With the exception of multifactor authentication systems, the above recommendations should not cost much, if anything, to implement.
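The following Python is an added example, not code from the article: it puts the "Invalid user ID" / "Invalid password" anti-pattern beside a login routine that returns one generic message, does the same hashing work for unknown IDs (so response time does not leak which IDs exist either) and counts failures toward a lockout, and it implements the password rules listed above (minimum length, letters plus numbers, not the user ID or a name, not in the password history). The user records, thresholds and function names are this example's own.

```python
"""Login handling that does not reveal which half of the credential was
wrong, with an account-lockout counter, beside a password-rule check.
Added example; user records and thresholds are constructed."""
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000          # PBKDF2 work factor (constructed value)
MAX_FAILURES = 5              # lockout threshold (constructed value)
GENERIC_ERROR = "Invalid user ID or password"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {}   # constructed user store: user_id -> record dict


def add_user(user_id, password, first, last):
    salt, digest = hash_password(password)
    USERS[user_id] = {"salt": salt, "hash": digest, "failures": 0,
                      "first": first, "last": last}


# Dummy credential so an unknown user ID costs the same hashing work as a
# real one; otherwise response time would reveal which IDs exist.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-never-matches")


def login_leaky(user_id, password):
    """The pattern the text warns about: two different messages let a
    caller confirm a valid user ID, then guess passwords for it."""
    rec = USERS.get(user_id)
    if rec is None:
        return False, "Invalid user ID"
    if not hmac.compare_digest(hash_password(password, rec["salt"])[1], rec["hash"]):
        return False, "Invalid password"
    return True, "OK"


def login(user_id, password):
    """One generic message for every failure and a lockout counter. Log the
    real reason server-side; never return it to the login screen."""
    rec = USERS.get(user_id)
    salt = rec["salt"] if rec else _DUMMY_SALT
    stored = rec["hash"] if rec else _DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password, salt)[1], stored)  # always computed
    if rec is None:
        return False, GENERIC_ERROR
    if rec["failures"] >= MAX_FAILURES or not ok:
        rec["failures"] += 1          # a locked account stays locked until an admin resets it
        return False, GENERIC_ERROR
    rec["failures"] = 0
    return True, "OK"


def check_password_rules(user_id, password, first, last, history=(), min_length=8):
    """Return the list of rule violations; an empty list means acceptable.
    `history` holds (salt, digest) pairs of the user's earlier passwords."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must mix letters and numbers")
    lowered = password.lower()
    if lowered in ("password", "pass"):
        problems.append("common default password")
    # Stricter than plain equality: the ID or name must not appear inside the password at all.
    for label, value in (("user ID", user_id), ("first name", first), ("last name", last)):
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    for old_salt, old_digest in history:
        if hmac.compare_digest(hash_password(password, old_salt)[1], old_digest):
            problems.append("reused from password history")
            break
    return problems


if __name__ == "__main__":
    add_user("vhaber", "Gr8tW4ll-xyz", "Vernon", "Haberstetzer")
    print(login_leaky("nobody", "x"), login_leaky("vhaber", "wrong"))   # two different hints
    print(login("nobody", "x"), login("vhaber", "wrong"))               # one generic message
    print(check_password_rules("vhaber", "vhaber1", "Vernon", "Haberstetzer"))
```

The failure counter is the account-lockout rule from the text; password expiration is a matter of storing a timestamp alongside the hash and is left out here. Whatever the screen says, the server log should still record the actual reason so you can see the enumeration attempts the generic message hides from the caller.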

Improving your access request process with system authorization


Vernon Haberstetzer, Contributing Writer 02.14.2005

Many companies deal with their fair share of vaguely defined, outdated, cumbersome, inefficient or non-secure access request processes for handling application, data and system access requests. Often, there's an old, outdated hardcopy form used by everyone that has been duplicated so many times it's barely legible. Even worse, it often doesn't require the proper sign-offs or data and system authorization for access. If you plan on passing a serious audit and want to improve your access request process, read on!

The first step in setting up a good system access request process is to define the organization's application and data owners. This requires applications and data to be sorted into categories and assigned an owner. For example, the director of finance may own accounting and payroll data, and sales data may be owned by the director of sales.

Once these application and data owners have been defined, it's time to create an updated form. It's best if you can create a Web-based form or custom email form that can be kept online and restricted to a defined group of users who are authorized to request access for employees. If you don't allow hardcopies of the request form to be submitted, you can always ensure that only authorized people are using the most updated form. An added benefit of using Web-based forms is that you can potentially capture the user's user ID and IP address for further proof that the request came from an authorized employee. The forms should require approval by the application or data owner for each area the user needs to access. Depending on the desired level of sophistication, the application or data owner's approval could be electronic, or a printed, signed hardcopy may be required. Usually, it's easy to find someone in IT who has experience creating Web-based or email-based forms.

Once you've created your forms, it's time to restrict them to authorized personnel and create some instructions for users to follow. The instructions should be stored in the same location as the forms. A flowchart should also be created to document the IT department's internal processes for fulfilling the requests. It's best to designate one person to maintain the forms. This makes it easier to have forms designed and modified with a consistent theme. With a little creativity, these same access request forms and processes can be used to handle employee terminations. Once you've set up a sound process and easy-to-use forms, you'll have a much happier staff and your auditors will be pleased. Just make sure you have an access request form for each person who is granted access to an application or data set!

Understanding social engineering hacker attack tactics and threats


Vernon Haberstetzer, Contributing Writer 02.20.2005

So, you've got two firewalls, an intrusion prevention system (IPS) and antivirus software deployed, and you're feeling pretty good about your enterprise's overall network security. Servers are patched, packets are being dropped, you're alerted when network traffic isn't behaving well and viruses are killed on the spot. Yep, life is good! So what's the problem? Hackers can be quite clever, and often devious, when it comes to harvesting information from unsuspecting employees. Your helpdesk, IT staff and general user population care about helping, or sometimes just pacifying, people who need assistance. No matter how much your staff is paid, they can't be configured to drop calls like your firewall drops packets. In fact, most people want to be helpful if a seemingly innocent person needs assistance.

Social engineering can be a fruitful tactic for hackers, and it takes less time than trying to identify or bypass a firewall or an IPS. Unfortunately, or fortunately, depending on whom you ask, the security administrator can't screen everyone's calls or ask for ID from every person who sets foot in your company. It's up to the rest of your staff, those non-configurable human beings, to filter out malicious requests that come in through the doorways and over the phone lines. Are they up to the task? The best way to prepare them is to educate them on the social engineering hacker attack tactics they may encounter, both on and off the job.

Simply put, the art of social engineering involves employing clever ways of getting questions answered and then using those answers to gain access to restricted areas or information. It can come in the form of a hacker posing as a helpdesk technician, asking a user for his or her password, or other forms such as a network administrator, a distressed user, an electrician needing access to a communications closet, a fire-extinguisher technician needing access to the computer room, a janitor or any number of other believable personas. How hard would it be for some of these types of people to access a PC, or even your computer room? How many times have you asked for ID from electricians you've crossed paths with? If you found an "electrician" in a wiring closet, would you bother to question him? If you're like most people, you would assume everything is as it seems and carry on with your own daily tasks. That predictable pattern of behavior is exactly what an attacker is counting on.

In addition to educating your staff, these sorts of attacks are best prevented by creating a social engineering prevention policy that prohibits the divulging of sensitive information over the phone or email and tailgating through locked doorways, and a policy requiring visitors to wear badges.
I also highly recommend reading Kevin Mitnick's book on social engineering, called The Art of Deception. By looking at the human factor of security, you will help prevent unauthorized access to your company's crown jewels.

Secure remote access points and configure connections to avoid a hack


Vernon Haberstetzer, Contributing Writer 02.25.2005

Hackers love poorly configured remote access points, and why shouldn't they? Many times they represent an open door into a network without having to fuss with firewalls and intrusion detection/prevention systems (IDS/IPS) at the Internet border. Considering the threat that these misconfigured devices pose, all organizations should secure remote access points and configure remote connections to prevent a hack.

The fact is that most networks have remote access points, and most of those access points don't employ adequate security. Remote access points most often come in the form of dialup modem banks and VPN concentrators, and it doesn't take much to discover the phone number or IP address. Most remote access points require only a static user ID and password to log on to the network. If your remote access point doesn't require strong authentication, you should probably count on the fact that someone out there, maybe an employee or vendor, has set up a remote connection to your network with a saved user ID and password. This means your network is available to anyone who opens that connection, including your employee's neighbor whose computer was used to check email a month ago, and that vendor's employee who quit last week and took all his clients' remote access passwords with him.

How to secure remote access and configure remote connections

To remedy this problem, it is best to implement some type of strong authentication, requiring a user ID and a single-use password or biometric. There are a number of vendors that sell remote access keychain tokens, which generate a new single-use passcode every few seconds. Additionally, your suppliers and vendors could be required to call your operations department to obtain a passcode for remote access, thus adding another layer of security when dealing with outsiders. By implementing a strong authentication system, saved passwords for remote connections will no longer represent an information security risk.

Additionally, most remote access points don't inspect the remote computer for viruses or hacking software, and they usually don't watch the network traffic coming from such computers. If a user with a virus-infected PC or a hacker were to remotely log on to your network with such software, the network could be on the receiving end of a server compromise or a virus outbreak. To help prevent a remote connection hack, it is best to have an IDS or IPS sitting inline between your remote access point and your internal network. Such a system should be capable of catching network-based attacks from hackers or hybrid viruses. Some systems will even prevent users from connecting to your network if their antivirus software is not up to date. It is also best to limit the number of ports allowed access into your internal network. By giving some attention to the authentication process and the traffic coming from remote users, you will greatly reduce the risk of your remote access points being a source of unwelcome company.

Securing your Web server to ensure protection from a hack attack


Vernon Haberstetzer, Contributing Writer 03.06.2005

When operating system patches are released and tested in your environment, Web servers should be the first servers patched to prevent a Web server hack. Exploit code is becoming more readily available to anyone within days of a vulnerability discovery. A few days after it's been in the hands of hackers, a scripted attack is likely to take place that could successfully attack your unpatched Web server. This gives little time to test and install patches for such vulnerabilities, so it's important to devise a deployment plan prior to patch release. Looking at Web code itself, there are several ways hackers can manipulate the URL of a website to perform SQL injection, directory traversals, buffer overflows, etc. There are two common methods to defend against these types of vulnerabilities. One is to have your Web code reviewed by a person or a tool in an effort to identify and correct vulnerabilities. Or you can install an application firewall that examines user input to verify that it is not malicious or malformed before allowing it to pass to the backend application. Blue Coat Systems Inc. and Sanctum Inc. are two vendors that offer such products, which may be worth looking into, especially if you don't think you can retrain your programmers to write secure code. If you use a website to sell products or provide financial services, it is of utmost importance to check the data being submitted to the server that processes the online order. If your security simply relies on the price or account information shown to the user on the webpage, this can be manipulated easily using free proxy tools running on an attacker's PC. Such tools allow the attacker to change the information being submitted to your server, removing all restrictions enforced by the webpage itself. A $50 book could be changed to $1, and a bank account number could be changed to someone else's in an effort to transfer funds or show balances of other accounts. 
Depending on how you handle information submitted by end users, you'll likely have some way of validating end-user information. For instance, most programs can be written to check the submitted data for inappropriate characters and length before the data is processed. This validation should be performed on the back end instead of relying on constraints on a webpage's input fields, which can be bypassed using the proxy tools mentioned above. Web servers are the number one way into a company's network from the outside. By securing Web servers and enforcing adequate Web server protection, you'll be addressing one of the riskiest areas of your network and preventing a potentially extremely harmful attack.
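As an added example (not from the article, and not any vendor's product), the Python below implements the $50-book scenario on a constructed in-memory SQLite catalogue. The first handler trusts the price field carried by the form and splices form values straight into SQL, which is both the price-manipulation hole and the SQL injection hole the text describes; the second ignores whatever price the browser sent, looks the price up server-side, checks the item ID against an allowed format and length before it is used, and passes values to SQL as parameters. The table layout, item IDs, prices and function names are this example's own.

```python
"""Server-side validation of an online order: price from the catalogue, not
the form; item ID checked for characters and length; SQL parameterised.
Added example with a constructed in-memory catalogue."""
import re
import sqlite3

ITEM_ID_RE = re.compile(r"^[A-Z0-9-]{1,20}$")   # constructed allowed format: e.g. BK-1001


class OrderError(ValueError):
    """Raised for any request the back end refuses; the message is safe to show."""


def make_catalogue():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (item_id TEXT PRIMARY KEY, title TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        ("BK-1001", "Network security handbook", 5000),   # the $50 book (constructed)
        ("BK-1002", "Unix administration", 3500),
    ])
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item_id TEXT, "
               "qty INTEGER, total_cents INTEGER)")
    return db


def place_order_trusting_client(db, form):
    """The anti-pattern: the price and the SQL text both come straight from
    the form. A free proxy tool lets the buyer rewrite that form in transit,
    so a $50 book arrives as a $1 order, and the quoting is the SQL injection hole."""
    sql = ("INSERT INTO orders (item_id, qty, total_cents) VALUES "
           f"('{form['item_id']}', {form['qty']}, {form['price_cents']})")
    cur = db.execute(sql)
    total = db.execute("SELECT total_cents FROM orders WHERE id = ?",
                       (cur.lastrowid,)).fetchone()[0]
    return {"order_id": cur.lastrowid, "total_cents": total}


def validate_form(form):
    """Back-end checks that do not depend on anything the webpage enforced."""
    item_id = str(form.get("item_id", ""))
    if not ITEM_ID_RE.fullmatch(item_id):
        raise OrderError("malformed item ID")
    qty_raw = str(form.get("qty", ""))
    if not qty_raw.isdigit() or not 1 <= int(qty_raw) <= 99:
        raise OrderError("quantity must be a whole number from 1 to 99")
    return item_id, int(qty_raw)


def place_order(db, form):
    """Hardened handler: any 'price' field in the form is simply never read."""
    item_id, qty = validate_form(form)
    row = db.execute("SELECT price_cents FROM items WHERE item_id = ?", (item_id,)).fetchone()
    if row is None:
        raise OrderError("unknown item")
    total = row[0] * qty                       # authoritative price times validated quantity
    cur = db.execute("INSERT INTO orders (item_id, qty, total_cents) VALUES (?, ?, ?)",
                     (item_id, qty, total))
    return {"order_id": cur.lastrowid, "total_cents": total}


if __name__ == "__main__":
    db = make_catalogue()
    tampered = {"item_id": "BK-1001", "qty": "1", "price_cents": "100"}   # $1 instead of $50
    print("trusting handler charges:", place_order_trusting_client(db, tampered)["total_cents"])
    print("hardened handler charges:", place_order(db, tampered)["total_cents"])
    try:
        place_order(db, {"item_id": "BK-1001'", "qty": "1"})
    except OrderError as e:
        print("rejected:", e)
```

The same rule applies to account numbers on a banking page: the server decides which accounts the authenticated session may touch and looks them up itself, rather than accepting an account number the browser sent back.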

Wireless security basics: Authentication, encryption for access points


Vernon Haberstetzer, Contributing Writer 03.14.2005

Casually driving through a local business park, I noticed about 15 wireless access points broadcasting their presence to the public, several of which required no authentication to access the company's network. If you've turned on your laptop with a wireless NIC and driven around a city much, this is no big surprise. To keep your wireless network secure from war-drivers looking for access points, it's important to enhance wireless access point security with basics such as authentication and encryption.

Wireless access points can be configured to broadcast the SSID, or name, of the access point, which is usually not necessary. By turning broadcasting off, you stop advertising your network to the world at large. Yes, the SSID is transmitted when a wireless node connects to the wireless network, but this is infrequent in comparison. The SSID should be set to something that does not describe the company, to make it tougher for a hacker to know who owns the wireless network.

Wireless security encryption prevents someone from reading data as it passes through the air, and can be accomplished using Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or virtual private network software. WEP lacks true authentication and uses a static encryption key that can be obtained with a little time using free software, and provides little protection against persistent eavesdroppers. WPA requires authentication and uses a longer, dynamic encryption key that is less likely to be cracked. WPA does, however, require compatible client hardware and software. EAP-TLS uses digital certificates to authenticate and encrypt the wireless traffic using SSL, but requires a somewhat complex PKI infrastructure.

Radio antennas usually have power settings that allow the signal's transmission strength to be adjusted. It's best to tune your antennas so that they just cover the areas where wireless access is needed and not the parking lot where drive-by hackers like to reside. Most radio access points also allow you to restrict network access by the Media Access Control (MAC) address, a hardware address that uniquely identifies each node of a network. But be aware that this can be defeated using a passive wireless sniffer that can capture the MAC address of a device that is allowed on the network. Once acquired, the hacker can spoof his MAC address and is no longer restricted at that level. Restricting MAC addresses does add one more layer that must be compromised, so it's worth considering.

This was a very brief look into some wireless security basics and risks, but it gives you an overall view of the real-world issues you'll undoubtedly face when administering a wireless network and wireless access point security strategy.

How to tell if you've been hacked: Signs of a compromised system


Vernon Haberstetzer, Contributing Writer 03.21.2005

Worst case scenario: You have a funny feeling you've been hacked, but you're not quite sure what to do next. If you're like most IT people, you don't necessarily know where to look for evidence that shows a system has been compromised, so how can you tell you've been hacked? Let's look at a few of the more common pieces of evidence that you may find after a system breach.

To start, suspicious-looking user accounts (those that lack the characteristics or conventions that should be present in most valid user accounts) should be disabled and researched to determine who set up the account and why. Audit logs will show who created such accounts if proper auditing is turned on. If it's possible to determine the date and time the account was created and the account turns out to be the result of a hack, you'll have a timeframe in which to look for other audit log events that may correspond.

To find out if a rogue application is listening for incoming connections, which could be used as a backdoor port for the hacker, use tools such as TCPView from Microsoft Windows Sysinternals or Fpipe from McAfee Inc.'s Foundstone division. These Windows utilities show what applications are using any open ports on your system. For Unix systems, use netstat or lsof, which are built into the operating system. Since it is possible for a clever hacker to replace the netstat and lsof programs with Trojan versions (that don't show the ports opened by the hacker), it's best to also scan a compromised system from another computer, using the free Nmap port scanner. This will offer two different views of the system's open ports.

A hacker who compromises a Windows server may add or replace the programs launched via the registry from the following areas:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Malicious software also may be launched from the operating system's job scheduler. To see what jobs are scheduled to run on a Windows system, go to a command prompt and type AT. On a Unix system, use the cron or crontab commands to see the list of jobs scheduled to run. Hackers who have compromised a Unix system may have used a rootkit, which helps the hacker obtain root access by exploiting a vulnerability in the operating system or installed applications. Since numerous rootkits are available to hackers, it can be difficult to determine which files have been modified. There are programs to assist with this task, such as chkrootkit. There are many possible ways for a hacker to cover his tracks, but looking for the items above is a good start on your journey toward determining if you've been hacked.
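The "two different views of the system's open ports" check above is easy to automate. The Python below is an added example (not code from the article): it parses the host's own `netstat -tln` listing and an Nmap report taken from another machine, then reports ports that are open from outside but absent from the local listing, which is the symptom of a Trojaned netstat or a kernel-level rootkit hiding a backdoor listener. Both outputs here are constructed, including the hidden port, and the function names are this example's own.

```python
"""Compare what the host's netstat reports against what an external Nmap
scan sees. A port open on the network but missing locally deserves an
immediate look. Added example; both outputs are constructed."""
import re

# Constructed `netstat -tln` output from the suspect host (Linux format).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Constructed Nmap output from a second machine; 31337 is the planted
# backdoor the host's own tools do not show.
NMAP_OUTPUT = """\
Nmap scan report for dmz-web (203.0.113.5)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
31337/tcp open  Elite
"""

NETSTAT_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN", re.M)
NMAP_RE = re.compile(r"^(?P<port>\d+)/tcp\s+open", re.M)


def local_listeners(netstat_text):
    """Return {port: bound address} for every TCP socket in LISTEN state."""
    return {int(m["port"]): m["addr"] for m in NETSTAT_RE.finditer(netstat_text)}


def external_open_ports(nmap_text):
    """Return the set of TCP ports Nmap reported as open."""
    return {int(m["port"]) for m in NMAP_RE.finditer(nmap_text)}


def compare_views(netstat_text, nmap_text):
    """Classify ports by which of the two views contains them."""
    local = local_listeners(netstat_text)
    remote = external_open_ports(nmap_text)
    # Loopback-only listeners are legitimately invisible from outside.
    reachable_local = {p for p, addr in local.items()
                       if not addr.startswith("127.") and addr != "::1"}
    return {
        "hidden": sorted(remote - set(local)),        # open outside, unseen locally: investigate
        "filtered": sorted(reachable_local - remote),  # listening, but a firewall blocks it
        "consistent": sorted(reachable_local & remote),
    }


if __name__ == "__main__":
    views = compare_views(NETSTAT_OUTPUT, NMAP_OUTPUT)
    for label, ports in views.items():
        print(f"{label:>10}: {ports}")
    if views["hidden"]:
        print("WARNING: ports reachable from the network are missing from netstat;"
              " treat the host's own tools as untrustworthy.")
```

Run the local half on the suspect host and the Nmap half from a clean machine; if the host's output must be trusted at all, run netstat and lsof from known-good binaries on read-only media rather than the copies installed on the system.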
