Hacking Techniques:

An Introduction for Business Owners and Decision Makers

by Ken Fogalin

Capella University School of Technology

TS5508 Enterprise System Security
Instructor: Steven Brown
November 28, 2004
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Abstract

This paper reviews the literature on the threats and attacks that target online business. It

reviews the basic tools, techniques and processes used by hackers and other online adversaries.

The basics of using malicious code, exploiting network protocols and exploiting known

vulnerabilities are covered. In addition, emerging attacks, such as blended or multi-vector

attacks are discussed with examples of real attacks such as Code Red, Nimda and Klez being

described. This paper describes how hackers use a methodical and very predictable process that

starts with a detailed reconnaissance and progresses through various phases such as gathering

information, gaining access, acquiring privileges to control the network, and avoiding detection.

Finally, some basic protection and security practice recommendations are presented.

Understanding the information presented in this paper will help business owners and decisions

makers protect their company assets.

© Ken Fogalin 2
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

CONTENTS

Abstract...........................................................................................................................................2

ABSTRACT.....................................................................................................................................2

INTRODUCTION...........................................................................................................................5

CHARACTERISTICS OF DIGITAL CRIME.................................................................................7

Automation ............................................................................................................................7

Action at a Distance ...............................................................................................................7

Technique Propagation ..........................................................................................................7

CLASSES OF DIGITAL ATTACKS...............................................................................................8

Criminal Attacks ....................................................................................................................8

Publicity Attacks ....................................................................................................................8

Legal Attacks...........................................................................................................................9

ADVERSARIES: WHO IS ATTACKING YOUR NETWORK?..................................................10

Objectives ............................................................................................................................10

Access and Resources............................................................................................................10

Expertise................................................................................................................................11

Risk........................................................................................................................................11

Understanding Your Adversary..............................................................................................11

PROFILE OF A HACKER: WHY THEY DO IT..........................................................................12

Money ..................................................................................................................................12

Entertainment........................................................................................................................13

Ego .......................................................................................................................................13

Cause (Ideology) .................................................................................................................14

Entrance to a Social Group....................................................................................................15

Status.....................................................................................................................................15

© Ken Fogalin 3
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

TOOLS AND TECHNIQUES: HOW HACKERS DO WHAT THEY DO...................................16

Malicious Code......................................................................................................................16

Exploiting Network Protocols...............................................................................................17

Exploiting Vulnerabilities......................................................................................................18

Password Cracking................................................................................................................19

Multi-vector Attacks..............................................................................................................20

THE HACKING LIFECYCLE: A METHODICAL PROCESS....................................................22

Phase 1 - Reconnaissance......................................................................................................22

Phase 2 - Gathering Information...........................................................................................23

Phase 3 - Gaining Access......................................................................................................25

Phase 4 - Acquiring Privileges..............................................................................................28

Phase 5 - Avoiding Detection................................................................................................29

Realizing the Goal.................................................................................................................29

FINAL THOUGHTS AND RECOMMENDATIONS...................................................................30

CONCLUSION..............................................................................................................................32

References.....................................................................................................................................34

REFERENCES..............................................................................................................................34

APPENDIX A

ANNOTATED BIBLIOGRAPHY...........................................................................................35

© Ken Fogalin 4
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

INTRODUCTION

The digital threats of cyberspace are not very different from the flesh-and-blood, bricks-

and-mortar, real world threats (Schneier, 2004). Like the real world, cyberspace has

communities filled with commerce, agreements, contracts, disagreements, and threats that mirror

the threats in the physical world. Threats like embezzlement, bank robbery, theft, racketeering,

vandalism, voyeurism, exploitation, extortion, con games, fraud, and invasion of privacy are all

evident in cyberspace. In other words, the threats against digital systems are basically the same

as the threats against real-world physical systems. Although the threats will be the same, the

methods of attack will be very different because cyberspace changes everything. Attacks in the

digital world will be more common, more widespread, and more devastating (Schneier, 2004).

According to the CSI/FBI Computer Crime and Security Survey (Gordon et al, 2004),

virus attacks and denial of service (DoS) attacks have started to outpace the theft of proprietary

information. The annual costs to business resulting from viruses have jumped to $55 million.

Network intrusions are on the rise, but the percentage of organizations reporting computer

intrusions has actually declined because of the concern for negative publicity.

Both the Computer Emergency Response Team Coordination Centre (CERT-CC) and

Internet Security Systems (ISS) have documented the constant rise in the number of reported

vulnerabilities. In their 2001 annual report, CERT-CC reported 2,437 vulnerabilities, compared

with only 774 in their 2000 annual report. The ISS reported 537 new security vulnerabilities in

software for the first quarter of 2002 (Goetz, 2002).

For the period of January 1, 2004 to June 30, 2004, Symantec reported the average time

between the announcement of network or software vulnerabilities and the appearance of the

associated code to exploit the vulnerability was only 5.8 days. Once exploit code is made

© Ken Fogalin 5
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

available, hackers can widely scan for and exploit the vulnerability very quickly. This danger is

made worse if the application, in which the vulnerability is found, is widely deployed, such as

Web server or database applications. During this period, Symantec observed that worms had

compromised 40 percent of Fortune 100 companies. Furthermore, the e-commerce industry was

the most frequent target with 16 percent of e-commerce sites being targeted - a dramatic increase

from the last six months of 2003, during which only four percent of e-commerce sites were

targeted. Other alarming statistics indicate that 39 percent of the disclosed vulnerabilities

targeted Web application technologies and 82 percent of these were considered easy to exploit

(Symantec Security, 2004).

The digital threats to business are ever increasing in frequency and complexity.

Therefore, it is prudent for business owners and decision makers to be aware of the online

threats. They should know who their adversaries are and how such threats could affect their

organization. This paper will focus on the types of attacks that a business owner should

anticipate. First, this paper will explain the characteristics of the Internet that make attacks so

prevalent. Then it will describe adversaries, in broad terms, and give a detailed profile of a

hacker so you can understand who your enemy is and what motivates him to attack your

network. Following this, the heart of this paper will describe exactly how hackers attack

systems, giving examples and explanations of the tools and techniques they use to compromise a

network and avoid detection. This section may be particularly useful for system administrators

as well.

This paper is about basic concepts that business owners and decisions makers can

understand. It offers the knowledge they need to understand cyber attacks so they can effectively

communicate with their security team and develop effective security policies.

© Ken Fogalin 6
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

CHARACTERISTICS OF DIGITAL CRIME

The Internet has introduced three new characteristics into the area of crime: automation,

action at a distance, and technique propagation.

Automation

Automation makes attacks with a minimal rate of return profitable. Previously, attacks

there were just too marginal to notice in the physical world can quickly become a major threat in

the digital world. For example, if a thief was successful in picking someone’s pocket once every

hundred thousand times, he would starve before he could rob anyone. However, in cyberspace, a

thief could set his computer to look for the one-in-a-hundred-thousand chance and would

probably find a couple of dozen every day. If a thief could enlist other computers to assist, he

might get hundreds (Schneier, 2004).

Action at a Distance

The Internet has no borders or boundaries. Every two points are adjacent, whether they

are across the hall or across the planet. If a criminal does not like the censorship laws or

computer crime statutes of his country, he could find a country more to his liking. This means

that attackers do not have to be anywhere near their prey, and this will complicate criminal

investigation and prosecution (Schneier, 2004).

Technique Propagation

Successful techniques can easily propagate through the Internet. The Internet is also the

perfect medium for propagating successful attack tools. Only the first hacker requires the skills

to commit the attack; everyone else can just use his software. Furthermore, once the tool is

released, it is impossible to control. For example, dozens of Internet sites allow you to download

viruses, virus construction kits, and virus designs (Schneier, 2004).

© Ken Fogalin 7
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

CLASSES OF DIGITAL ATTACKS

There are three broad classes of attacks: criminal attacks, publicity attacks, and legal

attacks. The last two are probably the more damaging (Schneier, 2004).

Criminal Attacks

Criminal attacks aim to achieve maximum financial return. Attackers vary from lone

criminals to sophisticated organized crime syndicates, from insiders looking to make some fast

money to foreign governments looking to wage war on a country’s infrastructure (Schneier,

2004). These attacks take the form of fraud, scams, destructive attacks, intellectual property

theft, identity theft, and brand theft (Schneier, 2004).

Publicity Attacks

Publicity attacks aim to get the attacker public attention. Attackers are generally skilled

hackers who know a lot about systems and their security. They often have access to significant

resources (either as students of large universities or as employees of large companies). They

usually do not have a lot of money, but do have a lot of time. Furthermore, they are not likely to

do anything that will put them in jail. A good example of this type of attack was the two

Berkeley graduate students who broke Netscape Navigator’s encryption scheme in 1995. They

did not use this weakness for monetary gain; instead, they called the New York Times. The

system designers soon realized that publicity seekers do not fall into the same threat model that

criminals do. Criminals will only attack a system for profit; publicity seekers will attack a

system if there is a good chance the Press will cover it. Attacks against large-scale systems or

widely fielded products are prime targets. The primary danger of these types of attacks is the

erosion of public confidence in the systems following the announcements. This is a particular

problem for electronic commerce systems. Defacing Web pages is one form of publicity attack;

© Ken Fogalin 8
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

however, denial-of-service (DoS) attacks are currently the most popular form of this attack

(Schneier, 2004).

Legal Attacks

The hardest attacks to protect against are attacks that use the legal system. Their aim is to

discredit a system and prove their client’s innocence by persuading a judge and jury that there

could be a flaw in the system. Attackers are highly skilled and well funded. They can use the

discovery process to get all the details of the target system they need. Furthermore, the attack

does not even have to work operationally; the attackers only have to find enough evidence to

adduce a flaw (Schneier, 2004).

© Ken Fogalin 9
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

ADVERSARIES: WHO IS ATTACKING YOUR NETWORK?

Hackers are not the gifted teenagers with poor social skills that the movies portray

(McCarthy, 2003), and they are not the only threats on the Internet. Schneier (2004) notes that

the adversaries on the Internet are basically the same as in the physical world and include lone

criminals, malicious insiders, industrial espionage, Press, organized crime, police, terrorists,

national intelligence organizations, and “Infowarriors”. Insiders account for the majority of

attacks since they have direct access to your computer systems as part of their daily job or

business relationship. Insiders include disgruntled employees, customers, suppliers, vendors,

business partners, contractors, temps and consultants (Skoudis, 2002). Schneier (2004) further

categorizes adversaries by their objectives, access, resources, expertise, and risk.

Objectives

The objectives of an industrial spy are not the same as those of an organized crime

syndicate. Industrial spies are really looking for secret information to gain a competitive

advantage, not for quick financial gain. Therefore, the countermeasures to stop the industrial spy

might not even bother the organized crime syndicate. Understanding the objectives of the likely

attackers is the first step toward figuring out what countermeasures are going to be effective

(Schneier, 2004).

Access and Resources

Adversaries also have different levels of access and resources. For example, a malicious

insider will have much more access than someone who is outside the organization. Some

adversaries are well funded, while others operate with little money.

© Ken Fogalin 10
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Expertise

Some attackers have considerable technical expertise, while others have none. For

example, “script kiddies” have only rudimentary skills and do not understand how their tools

really work. Rather, script kiddies rely on prepackaged attack tools written by more elite hackers

and tend to indiscriminately scan large swaths of the Internet looking for the easy prey (Skoudis,

2002). An adversary will likely choose an attack that gives him good return on investment

considering his constraints of budget, expertise, access, manpower, time, and risk. Some attacks

require a lot of access but not much expertise. Some attacks require a lot of expertise but no

online access (for example, breaking an encryption algorithm). Each adversary is going to have

a set of attacks that is affordable to him and a set of attacks that is not (Schneier, 2004).

Risk

As well, different adversaries are willing to tolerate different levels of risk. For example,

terrorists are often willing to die for their cause, and criminals are willing to risk jail time, while

publicity seekers do not want to go to jail (Schneier, 2004).

Understanding Your Adversary

It is important to understand your adversary because with understanding comes the ability

to anticipate behavior and motivation. Furthermore, to understand the hacker who is likely to

attack your systems, you need to understand what it is that makes you a target (Pipkin, 2003).

Hackers may target your systems because of the information they contain, or some specific

resources to which they have access, or because it is easy to compromise. The reason for attack

could be financial, political, personal, or merely convenience due to location or ease of access

(Pipkin, 2003).

© Ken Fogalin 11
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

PROFILE OF A HACKER: WHY THEY DO IT

Understanding the hacker community is equally important as understanding the technical

tools they use to discover exploits (Honeynet Project, 2004). However, there is no official

“hacker identity card,” no reliable identifiable physical characteristics, nor any single means

among members of the community themselves for identifying others that share their identity

(Honeynet Project, 2004). To gain an understanding of why individuals become hackers requires

a thorough analysis of what motivates them. There are six basic motivations prevalent in the

entire computer hacker community. Understanding these six motives will assist computer

security professionals in predicting the potential behavior of hackers who gain unauthorized

access to their networks. It will also help policy makers in deciding how best to protect the

nation’s critical information infrastructure given the plethora of threats to many of its key

components. The origins of the six motives come from the term MICE, which the Federal

Bureau of Investigation’s counterintelligence unit used. The original MICE acronym stands for

Money, Ideology, Compromise, and Ego. The six motives are captured in the acronym

MEECES, which stands for Money, Entertainment, Ego, Cause, Entrance to a social group, and

Status (Honeynet Project, 2004).

Money

This includes blackmail, extortion, and credit card theft. There are incidents where

hackers have stolen confidential client information from a company and then threatened to

expose this information if the company refused to pay. Unfortunately, many of these incidents

go unreported because the hacked companies decide to pay “quiet money” rather than report it to

the authorities or to publicize the incident. A spin-off of this type of extortion occurs when a

hacker offers to launch a DoS attack against a competing company in exchange for money.

© Ken Fogalin 12
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Stolen credit cards have become “pseudo-currency” where thieves can trade freshly stolen credit

card numbers for money, merchandise, accounts on other computer systems, or most any other

item of value. It is also alarming that criminal enterprises are hiring talented hackers to create

financial gains for criminal entities. There appears to be no current or foreseeable inhibitors that

may attenuate this trend, so it is expected that money, as a source of motivation for hacking will

continue to grow unabated (Honeynet Project, 2004).

Entertainment

Computer hackers may hack a company Web site and post embarrassing pictures or text

on the site as entertainment for themselves or their friends. They may also redirect the company

Web site to a pornographic Web site instead or they may tap into telecommunications systems

and reroute telephone calls for some popular business to an unlucky recipient’s home phone.

The number of potential schemes deployed in the name of entertainment is limitless. There is no

indication that this motivation will ever die off, however, it accounts for only a small portion of

the motivation of hackers. This type of hacking has the least consequences for the intended

target because the final objective appears to be more playful than destructive (Honeynet Project,

2004).

Ego

This is a core motivation shared by almost the entire hacking community. This comes

from the satisfaction of overcoming technical obstacles and creating innovative solutions to a

problem. It offers the hacker a psychological payoff in the form of a rise in self-esteem and

personal ego. This motivation should not be underestimated; it often overpowers many other

constraints that might otherwise restrain a hacker. Common examples of this are the large

number of cases where a hacker, without any malicious intentions, works feverishly and

© Ken Fogalin 13
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

successfully on a method to bypass the computer security on a targeted system such as a

government or military network. They undertake this objective in the face of the real threat of

discovery and apprehension and the subsequent serious legal ramifications (Honeynet Project,

2004).

Cause (Ideology)

Many different factors, such a geopolitical orientation, cultural influences, religion,

historical events, and view on current social issues, shape this motivation. Ideology driven

hacking, often referred to as hacktivism, is a phenomenon that is becoming more common. The

belief, by some hackers, that all information should be free also drives this motivation.

Therefore, they break into companies like the Bell System networks, extract technical

information on telephone switching systems, and then publish the information on the Internet for

everyone to read and use. In other cases, hackers believe that commercial software products

costs so much that they discriminate against lower-income people, so they go about writing

password cracks and disabling copy protection measures. Ideology was also the motive to

redirect the Palestinian Islamic terrorist’s group Hamas’ Web site to a pornographic Web site, the

defacement of the Israeli Likud party leader Ariel Sharon’s Web site, as well as the mass Web

site defacements and DoS attacks between Palestinians, Israelis, and their supporters after Ariel

Sharon visited the Temple Mountain. National boundaries are no defense to these attacks, as

witnessed by the official White House Web site, which was hacked by Korean computer hackers.

Cause (Ideology) as a motivation in the hacking community is likely to increase in the future

(Honeynet Project, 2004).

© Ken Fogalin 14
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Entrance to a Social Group

There are social forces within the hacker community that make joining a group of other

like-minded individuals a more involved process. Joining a group may depend on the level of

skill the hacker possesses, since hackers tend to group themselves by the technical skills that they

have in common. Other hackers evaluate individuals whose technical skills are too far below

those in the group as “newbies,” “losers,” or other derogatory terms and tend to deny them

membership. Therefore, there is some motivation to write a particular exploit, to defeat a

particularly strong computer security defense, or to write some stealthy code that monitors

network traffic, to provide evidence of technical skill in order to join a group (Honeynet Project,

2004).

Status

This is by far the most powerful social force within the hacker community and motivates

more of the behavior within the community that any other component. Status within the hacker

community depends on technical skills in coding, network protocols, and other areas of

expertise. However, many of the information clues or “status markers” that are normally

exchanged in face-to-face interactions, are absent in Internet Relay Chats (IRC). Therefore,

members have to resort to other means to broadcast their status position within the group. This

may take the form of bragging about how many systems they “own”, which of course fuels the

motivation to compromise computer systems in order to make a valid claim. Other status

markers in IRC include disclosure of knowledge to another group member or teaching another

member how to gain root access using a specific exploit or vulnerability (Honeynet Project,

2004).

© Ken Fogalin 15
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

TOOLS AND TECHNIQUES: HOW HACKERS DO WHAT THEY DO

Hacking used to require extensive knowledge of systems, networks, and protocols.

Gaining unauthorized access required either using the knowledge to subvert protocols or to write

programs that could exploit faults. However, hacking can now be automated (Pipkin, 2003) and

there are many powerful tools, which are freely distributed on the Internet, that can identify and

exploit vulnerabilities to compromise a system. An attacker does not need to understand what

these tools do, but only how the tool works. These tools require little knowledge to use, and can

be virtually undetectable until the damage is done (Pipkin, 2003). Most hackers carry their own

“toolbox” that will include versions of programs with back doors, programs that will help mask

their activities, and programs that exploit known problems. The hacker’s “toolbox” will very

from simple tools to extremely sophisticated tools and will include using malicious code,

exploiting network protocols, exploiting vulnerabilities, and cracking passwords.

Malicious Code

Malicious code is one of the basic tools that all hackers will have. These include logic

bombs, parasites, Trojan horses, viruses, and worms. A logic bomb is a program that lies

dormant until it is activated. Either time, or the presence or absence of some data, such as when

a programmer’s name is no longer in the payroll file, may activate the program (Pipkin, 2003).

A parasite is a piece of code that is added to an existing program and draws information

from the original program. It gathers information for which the hacker may not have privileges.

It is a covert, nondestructive program (Pipkin, 2003).

A Trojan horse is a program that looks like a useful program, but has an alternate agenda.

To plant a Trojan horse, hackers will advertise the program to convince people to run it. The

program will usually do what it advertises to do as well as the covert action. Trojan horses can

© Ken Fogalin 16
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

be introduced as games or utilities. Utilities are especially effective because they are more likely

to be run by someone with privileges (Pipkin, 2003).

A virus is a program that infects another program by replicating itself into the host

program. A virus first infects a host, then activates itself to find another host to infect, and then

replicates by copying itself to the new host. Viruses are transported from one system to another

by being in a file that is moved from one system to another (Pipkin, 2003).

A worm is a program that is used as a transport mechanism for other programs and uses

the network to spread program from one system to another. It uses a flaw in network transport

methods, such as network mail or remote process execution, to gets it payload from one system

to another. First, a worm will search for a receptive system. Then it will establish a connection

to that system. Finally, it will transport its program to the remote system and execute the

program (Pipkin, 2003).

Exploiting Network Protocols

Since most systems are accessed over a network, hackers have hundreds of network

services from which they can attack. It is relatively easy for a hacker to create a back door, spoof

e-mail, spoof Internet protocol (IP) addresses, or flood systems.

A hacker could create a back door by exploiting the Internet daemon, inetd, which

controls some of the processes that communicate over the network. It listens to each port,

identifies a connection, and then passes control of the socket to the associated program. A hacker

could exploit this by adding a line in /etc/inetd.conf, which will attach a shell with root privileges

to a specific socket. Another way of creating a back door is to replace one of the configured

programs in inetd.conf with an alternate program, or just enable a disabled program, such as

rexd. Hackers know that the rexd server has serious security design flaws (Pipken, 2003).

© Ken Fogalin 17
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

E-mail spoofing is a trivial spoof because a hacker does not need to obtain access or

authorizations to forge e-mail. Because simple mail transfer protocol (SMTP) consists of simple

ASCII commands, a hacker can input these commands manually by using a telnet connection to

the system’s SMTP port. Once connected, via telnet, a hacker can type the mail protocol

command directly to the port, identify someone else in the mail “From:” command, or send mail

to other systems by entering a “To:” command to another system (Pipken, 2003).

IP spoofing is the act of sending packets with source addresses other than the actual

address of the originating host. These spoofed packets can have addresses that are unassigned or

addresses that belong to another host. Currently there is no way to stop IP spoofing because

authentication is not a feature of the protocol (IPSec will correct this, but will take many more

years before it is widely used). For now, administrators should focus on preventing their

network from being the source of such an attack. Configuring border routers for ingress and

egress filtering is an effective first step (Pipken, 2003).

Finally, a hacker may try to flood a system and prevent it from being useful by

consuming system resources. The consumed resources can be general resources, such as

memory, storage, or computation. However, more often the consumed resources are specific

resources such as buffers or queues. In many cases, system flooding will result in the system

hanging or failing completely (Pipken, 2003).

Exploiting Vulnerabilities

Exploiting known vulnerabilities is the most common method of attack because tools are

widely available to find systems with known vulnerabilities as well as attack the known

vulnerabilities. Tools such as scanners, profilers, sniffers, and snoopers can all be run without

any knowledge of the vulnerability being exploited (Pipken, 2003).

© Ken Fogalin 18
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Scanners look at many systems and make a preliminary evaluation of the software being

run on the system. They usually sweep through address spaces looking for vulnerable services

running on the system. Scanners can determine the system hardware and operating system

software, including the particular version. They can determine what services are available on

each system and what software is servicing those services (Pipken, 2003).

Profilers take a more in-depth evaluation of a specific system to determine the type of

hardware and software being used. Profilers will identify the versions and patch levels so that a

specific attack can be crafted. The process of scanning and profiling are often combined

(Pipken, 2003).

A sniffer or snooper is a program that watches data travel through the system looking for

a particular type of information. Snoopers may be attached to a network interface to watch all

the network traffic or to a disk interface to watch all the data flowing to or from the disk.

Snoopers can also be parasites, inserted inside a system, like the print spooler or login system,

secretly gathering information (Pipken, 2003).

Password Cracking

Passwords are most computer systems’ primary method of authentication and are usually

protected by strong encryption. Reverse engineering the encryption algorithm is nearly

impossible, so hackers try to guess the password using an automated process. They are usually

successful because users are not educated on the wise selection of passwords and select a

password from only a miniscule percentage of all possible passwords. Hackers will try a

dictionary attack using all the information available about a user, such as the user’s name,

initials, account name, and any other personal information known. The dictionary will include

common first names; characters, titles, and location from works of fiction, television and film,

© Ken Fogalin 19
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

cartoons, and computer games; sports terms; and terms based on the industry in which the

computer is being used. All of the words will be permuted by varying case, reversing spelling,

substituting numbers for letters, appending digits to words, and pairing two words separated by a

special character. Studies show that between 25 and 30 percent of passwords will be cracked

using this process (Pipken, 2003).

Multi-vector Attacks

The attacks described above are generally one-dimensional, mainly in the form of

viruses, worms, and unauthorized intrusions, and are launched against Web sites, mail servers or

client machines. However, there is a fundamental change in recent attacks. Cyber attacks are

becoming more diverse resulting in multi-vector weapons that use a variety of attack tools and

technologies. Most multi-vector attacks now use a variety of different exploits, propagation

methods, and payloads. Hackers are increasingly using new technologies, such as instant

messenger (IM), chat programs (IRC), and peer-to-peer (P2P) networks to exploit vulnerabilities.

These programs were developed with functionality in mind, not security. Since their use has

become ubiquitous, hackers are now taking advantage of their security deficiencies.

Furthermore, infected machines are used to launch attacks against other targets; and this trend is

intensifying (Goetz, 2002).

IM and IRC services are inherently insecure. Vulnerabilities have been discovered and

the first worms that use these technologies have started to emerge. Furthermore, hackers are now

using IM and IRC programs to coordinate other forms of cyber attacks, such as distributed

denial-of-service (DDoS) strikes. DDoS attacks are made up of hundreds or even thousands of

machines. Even larger DDoS networks have been discovered – some containing tens of

thousands of machines – many times more than were used to disrupt Yahoo! and CNN Web sites

© Ken Fogalin 20
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

in February 2001. P2P networks are also vulnerable and are being used by hackers for malicious

ends. P2P networks are particularly vulnerable to the spread of malware (i.e. viruses, Trojans,

and worms) because they connect millions of machines to one another and downloading

programs is their rasion d’être (Goetz, 2002).

Examples of multi-vector attacks include Code Red, Nimda, and BadTrans. These

attacks used a combination of formerly stand-alone attacks by merging viruses, Trojans, worms,

and hacker techniques into automated, multi-vector tools that can rapidly propagate across the

Internet. Propagation is achieved by employing mass-mailing capabilities. Once a system is

infected, all the e-mail addresses on that system are harvested and the attacking program sends

copies of itself to all these e-mail addresses. The existence of malicious code in the e-mail is

disguised by randomly changing the subject line and/or content of the e-mail, or even by

spoofing the sender address. The Klez worm is an example of this. Klez also allows the Elkern

or CIH virus to hitch a ride, thereby acting as their delivery mechanism. It also disables security

software to avoid detection (Goetz, 2002).

© Ken Fogalin 21
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

THE HACKING LIFECYCLE: A METHODICAL PROCESS

Today, hackers are more skilled and often have a plan and an objective. First, they will

do reconnaissance, i.e. select the target, and identify the systems they want to attack by gathering

as much information as possible. Then they will gain access to the system and acquire privileges

until they have control of the system. During this process, hackers will monitor the activities of

the system administrator, cover up any evidence to avoid detection, and open a back door so they

can return at any time. Then they will branch out to other systems. They will collect many

systems to make tracing their activities as difficult as possible. Finally, they will make their way

to the target system and achieve their goal of engaging in whatever malicious activities they have

planned (Pipken, 2003). Understanding this process is critical to deploy countermeasures and

prevent intrusions. Regardless of the objectives or type of the adversary you may be facing, this

is the normal process that hackers use to attack systems; and it is very predictable.

Phase 1 - Reconnaissance

For the hacker, target selection is the easiest part of the attack. However, for victims it is

normally difficult to understand. Hackers may attack your system because of who you are, what

you do, who your customers are, what you know, or what you have. You need to understand this

and you need to consider that your system might not be the ultimate target of the attack. Your

system may be a stepping-stone that the hacker needs to get to his final destination. It is rare that

hackers attack the target system directly or as the first system; and most attacks use many

stepping-stones to get to their final destination (Pipken, 2003). Without even using a computer, a

hacker may gain valuable information about your organization. Using a variety of techniques

such as social engineering, physical break-in, and dumpster diving, a hacker can potentially learn

passwords, gain access to detailed network architectures, and collect system documentation.

© Ken Fogalin 22
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

When used by an experienced hacker, these techniques are very effective (Skoudis, 2002).

Online resources that hackers may use during their reconnaissance include your organization’s

own Web site, search engines, and the Usenet. These resources often reveal employees’ contact

information, clues about the corporate culture and language, business partners, recent mergers

and acquisitions, and technologies in use (Skoudis, 2002). After the reconnaissance, a hacker is

armed with vital information and will use this information to begin scanning your systems to

gather further information in hopes of discovering vulnerabilities.

Phase 2 - Gathering Information

This is the most important part of hacking a system. More information about a system

increases the ability for the hacker to achieve his goals and decreases the chances that he will be

caught. Identification tools locate and identify target systems while avoiding detection by

intrusion detection systems. Good reconnaissance increases successful hacks. Hackers will be

looking for company information that may aide with social engineering attacks. Knowing the

company’s organization and business improves the hacker’s ability to find and exploit

weaknesses. The hacker will also gather information about the specific system such as hardware

and software versions, and what the system is used for. Knowing who owns the machine, who

uses it, and who administers it can indicate the likelihood that it will contain the information the

hacker is looking for and the ability to compromise it without being detected. Understanding the

business process can lead to where valuable information is stored and where the likely weak

links in the business process might be. It can also identify the people who have access to

valuable information. A business partner’s system may be easier to compromise and lead to an

easier access point. Therefore, hackers will look for newly formed business partnerships as an

alternate way to attack the target system. Finally, hackers will study users and their accounts

© Ken Fogalin 23
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

since they are often the weakest link in the security chain. This indicates which accounts are

safer to use. Typically, hackers will look for accounts that have not been used in a long time or

have considerable idle time (Pipken, 2003). Techniques used during this phase include war

dialing, demon dialing, network mapping, port scanning, and vulnerability scanning.

A war dialer is a tool used to scan a large pool of numbers to find modems. Whereas a

demon dialer is a tool used to attack just one modem, guessing password after password in an

attempt to gain access. Users sometimes install modems in their personal computer to get around

their company’s firewall policies. However, they are not the only guilty parties in an

organization. System administrators sometimes leave the system connected to modems and

apply little or no security. War dialing often discovers these modems connected to servers and

routers that either request no password, or have a trivial password (Skoudis, 2002).

Network mapping will usually begin at your Internet gateway, including your

demilitarized zone (DMZ) systems such as your public Web server, mail server, FTP server, and

DNS server. Hackers will methodically probe these systems in an attempt to compromise your

Internet perimeter, then move on to your internal network. Hackers will ping all possible

addresses in your network to determine which ones have active hosts, then use traceroute to

determine the routers and gateways that make up your network. Ping and traceroute

functionality is built into most operating systems, however several automated and easy to use

tools make network mapping effortless and these tools are freely distributed on the Internet

(Skoudis, 2002). By this point in the process, a hacker knows the addresses of your active hosts,

has a good understanding of your network topology, and is ready to learn potential entryways by

using port scanners.

© Ken Fogalin 24
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Each machine with a TCP/IP stack has 65,535 TCP ports and 65,535 UDP ports, all of

which are potential entryways into the machine. Common ports such port 80 on Web servers,

port 53 on DNS servers, and port 25 on mail servers will likely be open. Request For Comment

(RFC) 1700 defines assigned port numbers so a hacker simply has to refer to this document to

learn what service is running when an open port is discovered. Most port scanning tools can

scan specific ports, a range of ports, or all possible ports, and still avoid detection. Port scanning

tools are also freely distributed on the Internet, the most popular and capable one being Nmap by

Fyodor (Scoudis, 2002). Successful scanning provides a lot of useful information to the hacker,

but vulnerability scanning is still required to learn how to get into the target system.

Vulnerability scanning provides a list of vulnerabilities on the target system that a hacker

could exploit to gain access. Vulnerability scanners automate the process of connecting to the

target system and can check for many hundreds of vulnerabilities such as common configuration

errors, default configuration weaknesses, and well-known system vulnerabilities. For example, a

vulnerability scanner will check to see if your system has an older version of BIND DNS server

that allows a hacker to take control of your server. It could also check to see if you have

misconfigured your Windows NT system to allow a hacker to get a complete list of users through

a NULL session. As with network mapping tools and port scanning tools, vulnerability scanning

tools are freely available on the Internet (Skoudis, 2002). With a list of potential vulnerabilities,

the hacker will then seek to exploit these vulnerabilities to gain access to the target system.

Phase 3 - Gaining Access

Access may be physical access or network access and the approach will depend heavily

on the skill level of the hacker. Script kiddies will use pre-packaged exploits that they learn from

published sources at www.packetstorm.security.com, www.technotronic.com, or

© Ken Fogalin 25
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

www.securityfocus.com. Hackers that are more sophisticated will use highly pragmatic

approaches such as stack-based buffer overflow attacks, password attacks, web application

attacks such as account harvesting, undermining session-tracking mechanisms and SQL

piggybacking (Skoudis, 2002).

Stack-based buffer overflow attacks are the most prevalent attack used to compromise

systems. While the facts are unavailable, buffer overflows – also known as stack smashing – are

believed to account for at least half of all online attacks. The number of security advisories

issued supports this assumption. In 2001, CERT-CC issued 37 security advisories; 19 of these

warned of buffer overflow vulnerabilities. These attacks have been shown to affect all kinds of

platforms, operating systems and applications, making them a pervasive problem. Basically, a

buffer overflow exploit takes advantage of improperly checking input into memory. By going

out of bounds, parts of memory, which are supposed to be untouched, become overwritten. By

current system design it is possible to alter program flow, thereby allowing the attacker to

execute arbritary code on the vulnerable machine (Goetz et al, 2002).

To crack passwords, hackers may use automated tools such as THC-Login Hacker,

brute_ssl and brute_web for passwords based on HTTP and HTTPS authentication, and

Hypnopaedia, which will guess passwords that use the POP3 protocol. Other popular password

crackers include L0phtCrack, an easy to use Windows NT/2000 password cracker, and John the

Ripper, a UNIX password cracker (Skoudis, 2002). Most hackers will have all of these and

many more tools in their toolbox.

Account harvesting is a particular problem for web applications. Using this technique a

hacker can determine legitimate userIDs and even passwords of a vulnerable application.

Account harvesting simply targets the authentication process when an application requests a

© Ken Fogalin 26
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

userID and password. When an invalid userID is entered an error number 1 is returned and when

and invalid password is entered an error number 2 is returned. Based on this distinction, the

hacker will use a script to guess all possible userIDs, with an obviously false password, changing

the userID until he finds a valid one. This is pure userID guessing through scripting and an easy

way for the hacker to harvest a large number of valid userIDs from the target application. With a

list of userIDs compiled, the hacker will then try to harvest a list of passwords (Skoudis, 2002).

Undermining session tracking mechanisms is another common technique to attack Web

applications. After a user authenticates to a Web application (through a valid userID and

password), most Web applications generate a session ID to track the user’s session. This session

ID is passed back and forth across the HTTP or HTTPS connection for all subsequent

interactions that are part of the session, such as browsing Web pages, entering data into forms, or

conducting transactions. The Web application uses this information to track who is submitting

the request. There are many techniques used to implement session tracking, but Cookies are the

most widely used mechanism. Many Web applications have vulnerabilities in properly allocating

and controlling these session IDs. A hacker may be able to get an assigned session ID, and alter

the session ID in real time changing it to a session ID that is currently assigned to another user.

If successful, the Web application will think the hacker’s session is actually the other legitimate

user. For example, in an online banking application the hacker could then transfer funds,

possibly write checks, or make investment trades on behalf of the user (Skoudis, 2002).

Another weakness of many Web applications involves problems with accepting user input

and interacting with back-end SQL databases. Based on interactions with a legitimate user, the

Web application accesses the back-end database to search for information or update fields. This

involves sending SQL statements to the database that include search criteria based on the

© Ken Fogalin 27
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

information entered by the user. By carefully constructing a statement in a user input field of a

vulnerable Web application, a hacker could extend an SQL statement to extract or update

information that he is not authorized to access. Essentially, the hacker is piggybacking extra

information onto the end of a normal SQL statement to gain unauthorized access (Skoudis,

2002).

There are many more methods of gaining access through network attacks by targeting the

Data Link layer protocols with sniffing tools such as Snort and Sniffit. DNS spoofing, IP address

spoofing, and session hijacking are other ways of gaining unauthorized access. Obviously,

network access gives the hacker many more options in probing and attacking a system since

corporate networks are usually guarded and direct attacks on a firewall are usually noticed

(Pipken, 2003).

Physical access may be gained through a shared utility closet. A hacker could then install

his computer as a peer on the corporate network thereby increasing his chance of successfully

compromising the system (Pipken, 2003).

Phase 4 - Acquiring Privileges

All accounts, programs, and services have some privileges to perform their functions and

each element usually has different levels of privileges based on security requirements.

Therefore, a hacker will first try to acquire low-level (i.e. user) privileges and then use them to

leverage higher privileges with the ultimate goal of acquiring administrator privileges. Once a

hacker has access to your system, keeping him from gaining more privileges is the hardest thing

for a security administrator (Pipken, 2003).

© Ken Fogalin 28
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Phase 5 - Avoiding Detection

Hackers do not want to be caught; not even those looking for publicity, because their

online life and notoriety are based on their online identity or “handle.” Revealing their handle

might lead to discovering their physical whereabouts and potentially arrest. Therefore, many of

the tools in the hacker’s toolbox will provide him some level of stealth. Some of these tools

replace system utilities with version that do not report the presence of the hacker, his tools, or his

activities. The goal of stealth tools, therefore, is to keep the hacker from being discovered

(Pipken, 2003). Some of the techniques hackers use to cover their tracks include altering event

logs in Windows NT/2000, altering accounting and shell history files in UNIX, creating hidden

files and directories, and using covert channels – a technique known as tunneling (Skoudis,

2002).

Realizing the Goal

Hackers usually want more than just access to information or use of your system’s

resources. Most hackers have a goal – a reason for their attacks – and to accomplish this goal,

the hacker must compromise the system. The most common way to compromise a system is by

exploiting known vulnerabilities in software code, improper configurations, or inadequate

administration. Hackers are continuously discovering new exploits, documenting them, and

sharing them within the hacker community. Vendors address and repair these vulnerabilities, but

not all administrators apply the patches, so many systems remain vulnerable after the problem

should no longer be a problem (Pipken, 2003).

© Ken Fogalin 29
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

FINAL THOUGHTS AND RECOMMENDATIONS

McCarthy (2003) has some key recommendations that all business owners and decision

makers should consider. First, you need to know what the risks are to the data on your network.

Obviously some information on your network is more important that other information. That is

why you need to do a proper risk analysis of your network. Second, you need to understand that

the hacker is not just a precocious teenager looking to explore the Internet. Hacker theft is

becoming more deliberate and well organized. Consider that in March 2001 FBI officials

reported that ongoing computer hacking by organized criminal groups in Russia and the Ukraine

had stolen more than a million credit card numbers. McCarthty (2003) summarizes her

recommendations as follows:

• Know your risks. Conduct a proper risk analysis and if necessary, have experts

inside your company classify the data. Add higher levels of control to high-risk

data.

• Avoid out-of-the-box installations. Unless you take proper security precautions,

installing systems with the default configuration will leave your network full of

security holes.

• Test your network. If you do not check your system for security holes, someone

else will, and chances are that someone else will not be on your side. A wide

variety of security audit tools are available – use one of them to conduct an audit.

• Know the people who know your data. Do not assume that your application

experts and network administrators are security experts. They may have different

priorities and knowledge about the value of your data.

© Ken Fogalin 30
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

• Assign or acquire adequate funding for security. Security always comes down to

funding and you do not want to spend more to protect something than it is

actually worth. Therefore, you need to know which data you should protect and

what that data is worth.

• Remove old accounts. Dormant user accounts, like those left by former

employees or workers on an extended leave of absence, are a common security

risk.

• Test passwords. Passwords are your first line of defense and a hacker only needs

to crack one of them. Run a password cracker on your passwords and teach users

how to select good passwords.

• Apply security patches. All systems have flaws and they need to be patched.

Consider using an automated patch management program if your network is large.

• Follow security policies and procedures. As a minimum, you should have policies

and procedures for installing and configuring applications, and maintaining

sensitive data. Without these, chances are good that applications will be installed

with the standard out-of-the-box configuration.

• Work with experts. Using outside experts is not a sign of weakness within your

company – it is a sign of good sense. Unless your company is quite large, you

probably do not need a full-time security expert on staff.

• Use training. Security is not something that most technicians or system

administrators focus on in school or in on-the-job training. Also remember that

security issues are not static, so security training done years ago does not count.

© Ken Fogalin 31
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

CONCLUSION

This paper has reviewed the literature on digital threats and hacking techniques with the

aim of providing a solid introduction for business owners and decision makers. It shows that

traditional, one-dimensional thinking is not optimal for securing today’s systems because

technologies are advancing too quickly and new vulnerabilities and methods of attack are

discovered on a daily basis. In addition, cyber threats have expanded their scope and reach,

targeting, or using new technologies, including instant messenger, chat tools, and peer-to-peer

networks. These new technologies help link a multitude of systems together, thereby potentially

creating a wide range of new launch points for attacks. Furthermore, the window of opportunity

for security professional to patch their systems has dramatically declined to as little as 5.8 days

from the time a vulnerability is discovered.

The characteristics of the Internet make controlling digital crime almost impossible

because automation makes attacks with a minimal rate of return profitable. Furthermore,

adversaries do not need to be close to their prey – they could just as easily be anywhere in the

world. Successful attack tools and techniques are freely and widely published on the Internet

and they propagate so quickly that they are impossible to control.

The seminal thinkers on security have concluded that the adversaries to today’s digital

world range from script kiddies to highly intelligent, well funded and organized crime

syndicates. Business owners and decision makers need to know who their adversaries are to

develop the right countermeasures. They need to understand what motivates hackers and what

tools and techniques hackers will likely use against online business. Business people also need

to understand that for most hackers, their behavior is very methodical and predicable. This

© Ken Fogalin 32
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

means businesses can and must implement proactive security defenses because reactionary

defenses are not a suitable solution.

Business owners and decision makers need to be cautious of out-of-the-box security

solutions. Instead they will have to get more involved with their security team in developing the

right security solution based on their bona fide business needs. This is critically important and

ignoring this can cost a company in many ways, such as financial loss, loss of proprietary

information, loss of competitive edge, company embarrassment, and even legal costs if personal

or private information is revealed.

© Ken Fogalin 33
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

References

Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Richardson, R. (2004). 2004 CSI/FBI Computer
Crime and Security Survey (Computer Security Institute). San Francisco. Retrieved
November 24, 2004, from Computer Security Institute Web site: http://www.GoCSI.com

Symantec Security Response. (2004). In S. Entwisle (Ed.), Symantec Internet Security Threat
Report: Trends for January 1, 2004 to June 30, 2004 (Volume VI). Cupertino, CA.
Retrieved November 24, 2004, from Symantec Web site: http://www.symantec.com

Goetz, E. (2002). Diversification of Cyber Threats (Investigative Research for Infrastructure

Assurance Group). Hanover, NH: Institute for Security Technology Studies at Dartmouth
College.

Goetz, E., Berk, V., Jiang, G., & Burroughs, D. (2002). Cyber Attack Techniques and Defense
Mechanisms (Investigative Research for Infrastructure Assurance Group). Hanover, NH:
Institute for Security Technology Studies at Dartmouth College.

The Honeynet Project. (2004). Know Your Enemy: Learning About Security Threats (2nd ed.).
Boston: Pearson Education, Inc.

McCarthy, L. (2003). IT Security: Risking the Corporation. Upper Saddle River, NJ: Prentice
Hall PTR.

Pipkin, D. L. (2003. Halting the Hacker: A Practical Guide to Computer Security (2nd ed.).

Schneier, B. (2004). Secrets & Lies: Digital Security in a Networked World. Indianapolis,
Indiana: Wiley Publishing, Inc. (Original work published 2000)

Skoudis, E. (2002). Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective
Defenses. Upper Saddle River, NJ: Prentice Hall PTR.

© Ken Fogalin 34
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

APPENDIX A

ANNOTATED BIBLIOGRAPHY

Allen, J. H. (2001). The CERT© Guide to System and Network Security Practices. Upper
Saddle River, NJ: Pearson Education Corporate Sales Division.

This guide is a practical, step-by-step, approach to protecting systems and networks

against malicious and inadvertent compromise. The security practices in this guide are
based on Carnegie-Mellon University’s Software Engineering Institute and the CERT
Coordination Center’s extensive data on security breaches and vulnerabilities. This book
is designed to be a reference manual and includes cross-referencing form one practice to
other, related practices. It details how to detect, respond to, and recover from
instructions. It provides an authoritative view of the most common problems system and
network administrators confront. However, to get value from this book, you must be
familiar with fundamental security concepts such as establishing secure communications,
systems and network monitoring, authentication, access control, and integrity checking.
By implementing the solution presented, administrators will have protection for up to 80
percent of the security incidents reported to CERT.

Goetz, E. (2002). Diversification of Cyber Threats (Investigative Research for Infrastructure

Assurance Group). Hanover, NH: Institute for Security Technology Studies at Dartmouth
College.

This report introduces a clear trend toward a diversification of cyber attack activity in
recent years. It describes how hacking and malware techniques have been merged into
potentially nasty multi-vector threat weapons that contain a variety of exploits,
propagation methods and payloads. It also reports on new tools and technologies that
attackers are using and raises some serious concerns about the Internet’s infrastructure
components, such as routers and the Domain Name System (DNS). Finally, this paper
introduces the idea of cognitive attacks aimed at altering decision makers’ perception of
reality through the injection of misinformation.

Goetz, E., Berk, V., Jiang, G., & Burroughs, D. (2002). Cyber Attack Techniques and Defense
Mechanisms (Investigative Research for Infrastructure Assurance Group). Hanover, NH:
Institute for Security Technology Studies at Dartmouth College.

This report focuses on cyber attack techniques and defense mechanisms by giving
detailed explanations of two of the most common vulnerabilities. First, his report
describes how buffer overflows can be exploited. It introduces some basic concepts of
memory management, such a program control flow, and the workings of the program
execution stack, to illustrate how buffer overflows work. This report then suggests how
to defend against this vulnerability. Second, this report shows how an attacker could
exploit the Extended Unicode Directory Traversal vulnerability in Microsoft Internet
Information Server (IIS) to gain control of a system and run malicious code. It introduces
some of the protocols used during such an attack and describes exactly how the exploit

© Ken Fogalin 35
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

works. This is one of the most detailed reports I have seen and uses extensive references
to support its findings and recommendations.

Anonymous. (2001). Maximum Security: A Hacker's Guide to Protecting Your Internet Site and
Network (3rd ed.). Indianapolis, Indiana: Sams Publishing.

This book has multiple contributors (each knowledgeable within their own area of
expertise) and has received praise from well known sources such as PC Computing,
ZDNet, ComputerWorld, and the IEEE Technical Committee on Security and Privacy. It
is an in-depth security manual that starts with the basic concepts of understanding
TCP/IP, hackers, crackers and the state of the Internet. This book covers all the tricks
used by hackers, such as spoofing, password cracking, viruses, and worms, Trojans and
sniffers used against Microsoft, UNIX, Novell, Macintosh, and VAX/VMS. It also
presents a “defender’s toolkit” to counter these threats. This book goes beyond being just
a handy reference guide. It can be used to fix specific problems or to build a complete
security program. To fully understand how hackers do what they do, this book is a must
read for network administrators and security officers.

Cole, E. (2001). Hackers Beware: Defending Your Network from the Wiley Hacker (First ed.).
United States of America: New Riders Publishing.

Eric Cole, (CISSP, CCNA, MCSE) is a former Central Intelligence Agency (CIA)
employee who today is a highly regarded speaker for the SANS Institute. He is an
adjunct professor at Georgetown University and has taught at New York Institute of
Technology. The point of his book is to demonstrate that there is no way to properly
protect a company’s network unless they know what they are up against. Hackers
Beware teaches how hackers think, what tools they use, and the techniques they utilize to
compromise a machine. To show just how bad the problem is, the author gives examples
of some the sites that have been hacked such as U.S. Department of Commerce, UNICEF,
NASA, CIA, Greenpeace, Tucows, NY Times, Motorola, and many more. This book also
describes the general trends about what is occurring from an Internet security perspective.

Gupta, A., & Laliberte, S. (2004). Defend I.T.: Security by Example. Boston, Massachusetts:
Pearson Education, Inc.

Ajay Gupta is the founder and president of a security company that provides data privacy
services to federal, state, and local governments. His co-author, Scott Laliberte, has
extensive experience in information security, network operations, incident response and
e-commerce. The authors use a collection of case studies, based on real experiences, to
demonstrate important security practices and principles. By examining these case
studies, the authors explain what could have been done differently to avoid the losses
incurred. This book covers the basics of hacking including mapping a network,
exploiting vulnerabilities and launching denial-of-service attacks. It discusses the latest
methods of malicious acts as well as some of the classic means of compromising
networks, such as war dialing and social engineering. Finally, the often-overlooked
security measures such as developing a security policy, intrusion detection systems, and
disaster recovery as discussed. This book is a good source of practical examples of the

© Ken Fogalin 36
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

types of issues that security professionals must be prepared to face in the execution of
their duties.

The Honeynet Project. (2004). Know Your Enemy: Learning About Security Threats (2nd ed.).
Boston: Pearson Education, Inc.

This book, published by the renowned Honeynet Project, presents an intelligence report
on attackers who use the Internet for destructive purposes. The majority of this book
provides an in-depth guide to honeynets, which are networks made up of honeypots
designed to capture extensive information on exactly how attackers operate. However,
the analysis of the data captured by honeynets is helpful to understand our enemies. This
book presents the real data collected by the Honeynet Project, from a variety of different
attacks. By discussing examples of honeynets that have been compromised, this book
covers profiling the enemy, network forensics and the lessons learned about common
attacks and exploits. This book is aimed at security professionals interested in learning
the technical skills needed to study and learn from blackhat attacks. It has a companion
website, (http://www.honeynet.org/book) to keep the material updated.

McCarthy, L. (2003). IT Security: Risking the Corporation. Upper Saddle River, NJ: Prentice
Hall PTR.

Linda McCarthy is currently the Executive Security Advisor for the Office of the CTO
for Symantec Corporation. Formerly she was the Vice President for a company that
developed software to detect, trap, and track hackers. This is an updated version of her
original book published as Intranet Security: Stories from the Trenches. This book uses
scenarios to expose crucial flaws in operating systems, networks, servers, and software
based on her collection of real security audits. Furthermore, it shows why poor training,
corporate politics and careless management have caused many of the vulnerabilities. The
author gives a number of security checklists, resource listings that can help tighten
security, and advise on how to avoid problems in the first place. Chapter 12, A Hacker’s
Walk Through the Network gives line-by-line transcript of an actual break-in with a
description of what the hacker is doing along the way. This is a must have book for
security professionals.

McClure, S., Shah, S., & Shah, S. (2003). Web Hacking: Attacks and Defense. Boston: Pearson
Education, Inc.

In this book, Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and
Shreeraj Shah present a broad range of Web attacks and defenses. The authors include an
overview of the Web and what hackers go after, a complete Web application security
methodology, detailed analysis of hack techniques, and countermeasures. This book
discusses new case studies and eye-opening attack scenarios, along with advanced Web
hacking concepts, methodologies, and tools. The section on How Do They Do It? shows
how and why different attacks succeed, including: e-shoplifting, impersonation and
session hijacking, buffer overflows and automated attack tools and worms. Appendices
include a listing of Web and database ports, cheat sheets for remote command execution,
and source code disclosure techniques. Web Hacking experts show you how to connect

© Ken Fogalin 37
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

the dots - how to put the stages of a Web hack together so you can best defend against
them.

Pipkin, D. L. (2003). Halting the Hacker: A Practical Guide to Computer Security (2nd ed.).
Upper Saddle River, NJ: Prentice Hall PTR.

Donald Pipkin, CISSP, works for the Internet Security Division of Hewlett-Packard as an
information security architect. His best selling book has been updated to cover current
critical threats, tools, and countermeasures. This book is organized around the processes
that hackers use to gain access, privileges, and control and shows exactly how they work,
how they compromise information, and what can be done to stop them. Through
discussion of many examples of true hacker exploits, the author shows not only how a
problem can turn into a security breach, but also why. This book will help you
understand hackers – who they are, their motives, what they do, how they do it, and how
they avoid detection. It presents both reactive and proactive security measures as well as
legal recourse against hackers.

Schneier, B. (2004). Secrets & Lies: Digital Security in a Networked World. Indianapolis,
Indiana: Wiley Publishing, Inc. (Original work published 2000)

The author of this book is well known for his previous title Applied Cryptography and his
monthly newsletter Crypto-Gram. In Secrets and Lies, the author describes real-world
security issues that cryptography or technology alone will not solve. He presents
strategies to solve security problems from a systems perspective, rather than a technology
perspective. While technologies are discussed, his emphasis is on integrating
technologies (hardware, software, and networks) and people into security processes. By
presenting the limitations of the available technologies, he dispels any myths that
technology alone can protect business from the ever-changing threats. He covers the
threat landscape i.e. who the attackers are, what they want, and what businesses need to
deal with the threats. Finally, his discussion of attack methodologies, threat modeling,
and risk assessment is relevant to understanding hackers’ techniques and how business
can implement appropriate countermeasures.

Shema, M. (2003). Hacknotes Web Security Portable Reference. Emeryville, California:

McGraw-Hill/Osborne.

This book is part of McGraw-Hill/Osborne’s HACKNOTES series. It is intended to be a

resource guide for web security by providing condensed security reference information
that is easy to use and access. It also targets the new security professional looking to get
up to speed quickly and provides a concise, single source of knowledge. In this book you
will find a methodology to analyze, pick apart, and secure any web application, however,
the focus is really on the tools and techniques. As a reference guide, you do not read this
book cover to cover or in any sequential manner – you simply flip to whatever section
you need at the moment.

© Ken Fogalin 38
 Hacking Techniques: An Introduction for Business Owners and Decision Makers

Skoudis, E. (2002). Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective
Defenses. Upper Saddle River, NJ: Prentice Hall PTR.

Ed Skoudis has been touted as one of the leading network security experts. In this step-
by-step guide, he presents detailed explanations of the most destructive hacker tools and
tactics along with proven countermeasures for both UNIX and Windows environments.
His book differs from other books on hacking by approaching the issues in several
different ways. First, rather than presenting a dictionary of thousands of hacking tools
and techniques, this book focuses on understanding each category of tool in great depth
so it is easier to understand the appropriate defenses. Second, this book covers the attack
sequence end-to-end by presenting a phased approach to attacking and covering defenses
at each stage of the attack. Finally, scenarios are used to demonstrate how hackers use
multiple tools together to build complete and sophisticated attacks. This book delivers
protection solutions that can be implemented right now as well as long-term strategies to
improve security in the years to come.

© Ken Fogalin 39