
Software Vulnerabilities

'Errare humanum est' ('To err is human.')
Marcus Tullius Cicero, Roman statesman, philosopher and author

'To err is human, but to really foul things up you need a computer.'
Paul Ehrlich

The term 'vulnerability' is often mentioned in connection with computer security, in many different contexts. In its broadest sense, the term 'vulnerability' is associated with some violation of a security policy. This may be due to weak security rules, or it may be that there is a problem within the software itself. In theory, all computer systems have vulnerabilities; whether or not they are serious depends on whether or not they are used to cause damage to the system.

There have been many attempts to clearly define the term 'vulnerability' and to separate the two meanings. MITRE, a US federally funded research and development group, focuses on analysing and solving critical security issues. The group has produced the following definitions.

According to MITRE's CVE Terminology:

[...] A universal vulnerability is a state in a computing system (or set of systems) which either:

- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service

MITRE believes that when an attack is made possible by a weak or inappropriate security policy, this is better described as an 'exposure':

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:

- allows an attacker to conduct information gathering activities
- allows an attacker to hide activities
- includes a capability that behaves as expected, but can be easily compromised
- is a primary point of entry that an attacker may attempt to use to gain access to the system or data
- is considered a problem according to some reasonable security policy

When trying to gain unauthorized access to a system, an intruder usually first conducts a routine scan (or investigation) of the target, collects any 'exposed' data, and then exploits security policy weaknesses or vulnerabilities. Vulnerabilities and exposures are therefore both important points to check when securing a system against unauthorized access.

History of Hacking-related Events

- December 1947 - William Shockley invents the transistor and demonstrates its use for the first time. The first transistor consisted of a messy collection of wires, insulators and germanium. According to a recent poll on CNN's website, the transistor is believed to be the most important discovery in the past 100 years.
- 1964 - Thomas Kurtz and John Kemeny create BASIC, one of the most popular programming languages even today.
- 1965 - It is estimated that approximately 20,000 computer systems are in use in the United States. Most of these are manufactured by International Business Machines (IBM).
- 1968 - Intel is founded.
- 1969 - AMD is founded.
- 1969 - The Advanced Research Projects Agency (ARPA) creates the ARPANET, the forerunner of the Internet. The first four nodes (networks) of the ARPANET consisted of the University of California Los Angeles, the University of California Santa Barbara, the University of Utah and the Stanford Research Institute.
- 1969 - Intel announces 1K (1024 bytes) RAM modules.
- 1969 - Ken Thompson and Dennis Ritchie begin work on UNICS. Thompson writes the first version of UNICS in one month on a machine with 4KB of 18-bit words. UNICS is later renamed 'UNIX'.
- 1969 - MIT becomes home to the first computer hackers, who begin altering software and hardware to make it work better and/or faster.
- 1969 - Linus Torvalds is born in Helsinki.
- 1970 - DEC introduces the PDP-11, one of the most popular computer designs ever. Some are still in use today.
- 1971 - John Draper, aka 'Cap'n Crunch', hacks phone systems using a toy whistle from a cereal box.
- 1971 - The first email program is released for the ARPANET. The author is Ray Tomlinson, who decides to use the '@' character to separate the user name from the domain address.
- 1972 - Ritchie and Kernighan rewrite UNIX in C, a programming language designed with portability in mind.
- 1972 - NCSA develops the 'telnet' tool.
- 1973 - Gordon Moore, Intel's chairman, postulates the famous 'Moore's Law', which states that the number of transistors in CPUs will double every 18 months, a law which will stay true for more than 20 years.
- 1973 - FTP is introduced.
- 1974 - Stephen Bourne develops the first major UNIX shell, the 'Bourne' shell.
- 1975 - Bill Gates and Paul Allen found Microsoft.
- 1976 - A 21-year-old Bill Gates writes 'An Open Letter to Hobbyists', a document in which he condemns open source and software piracy.
- April 1st, 1976 - Apple Computers is founded.
- 1977 - Bill Joy authors BSD, another UNIX-like operating system.
- 1979 - Microsoft licenses the UNIX source code from AT&T and creates its own implementation, 'Xenix'.
- 1981 - The Domain Name System (DNS) is created.
- 1981 - Microsoft acquires the intellectual property rights for DOS and renames it MS-DOS.
- 1982 - Sun Microsystems is founded. Sun will become famous for its SPARC microprocessors, Solaris, the Network File System (NFS) and Java.
- 1982 - Richard Stallman begins to develop a free version of UNIX which he calls 'GNU', a recursive acronym meaning 'GNU's Not UNIX'.
- 1982 - William Gibson invents the term 'cyberspace'.
- 1982 - SMTP, the 'Simple Mail Transfer Protocol', is published. SMTP is currently the most widespread method for exchanging messages on the Internet.
- 1982 - Scott Fahlman invents the first emoticon, ':)'.
- 1983 - The Internet is founded by splitting the ARPANET into separate military and civilian networks.
- 1983 - FidoNet is developed by Tom Jennings. FidoNet will become the most widespread information exchange network in the world for the next 10 years, until the Internet takes over.
- 1983 - Kevin Poulsen, aka 'Dark Dante', is arrested for breaking into the ARPANET.
- 1984 - Cisco Systems is founded.
- 1984 - Fred Cohen develops the first PC viruses and comes up with the now-standard term 'computer virus'.
- 1984 - Andrew Tanenbaum creates Minix, a free UNIX clone based on a modular microkernel architecture.
- 1984 - Bill Landreth, aka 'The Cracker', is convicted of hacking computer systems and accessing NASA and Department of Defense computer data.
- 1984 - Apple introduces Macintosh System 1.0.
- 1985 - Richard Stallman founds the Free Software Foundation.
- March 15, 1985 - 'Symbolics.com' is registered as the first Internet domain name.
- November 1985 - Microsoft releases 'Windows 1.0', which sells for $100.
- 1986 - The Computer Fraud and Abuse Act is adopted in the US.
- 1986 - 'Legion of Doom' member Loyd Blankenship, aka 'The Mentor', is arrested and publishes the now famous 'Hacker's Manifesto'.
- 1988 - The CD-ROM is invented.
- 1988 - IRC is established.
- November 1988 - Robert Morris launches an Internet worm which infects several thousand systems and clogs computers around the country due to a programming error. This worm is now known as the Morris worm.
- 1989 - The WWW is developed at the CERN labs in Switzerland.
- 1990 - The ARPANET is dismantled.
- 1990 - Kevin Poulsen hacks a phone system in LA, making himself the winner of a Porsche 944 in a radio phone-in.
- 1991 - PGP (Pretty Good Privacy), a powerful, free encryption tool, is released by Philip Zimmermann. The software quickly becomes the most popular encryption package in the world.
- 1991 - Rumours appear regarding the computer virus 'Michelangelo', coded to launch its destructive payload on March 6th.
- September 17, 1991 - Linus Torvalds releases the first version of Linux.
- 1992 - The 'Masters of Deception' phone phreaking group is arrested due to evidence obtained via wiretaps.
- 1993 - The Mosaic web browser is released.
- 1993 - Microsoft releases Windows NT.
- 1993 - The first version of FreeBSD is released.
- March 23, 1994 - 16-year-old Richard Pryce, aka 'Datastream Cowboy', is arrested and charged with unauthorized computer access.
- 1994 - Vladimir Levin, a Russian mathematician, hacks into Citibank and steals $10 million.
- 1995 - Dan Farmer and Wietse Venema release SATAN, an automated vulnerability scanner, which becomes a popular hacking tool.
- 1995 - Chris Lamprecht, aka 'Minor Threat', is the first person ever to be banned from the Internet.
- 1995 - Sun launches Java, a computer programming language designed to be portable across different platforms in compiled form.
- August 1995 - Microsoft Internet Explorer (IE) is released. IE will become the most exploited web browser in history and a favourite target for virus writers and hackers.
- August 1995 - Windows 95 is launched.
- 1996 - IBM releases OS/2 Warp version 4, a powerful multi-tasking operating system with a new user interface, as a counter to Microsoft's recently released Windows 95. Despite being more reliable and stable, OS/2 will slowly lose ground and be discontinued a few years later.
- 1996 - ICQ, the first IM, is released.
- 1996 - Tim Lloyd plants a software time bomb at Omega Engineering, a company in New Jersey. The results of the attack are devastating: losses of USD $12 million, and more than 80 employees lose their jobs. Lloyd is sentenced to 41 months in jail.
- 1997 - DVD format specifications are published.
- 1998 - Two Chinese hackers, Hao Jinglong and Hao Jingwen (twin brothers), are sentenced to death by a court in China for breaking into a bank's computer network and stealing 720,000 yuan ($87,000).
- March 18, 1998 - Ehud Tenenbaum, a prolific hacker aka 'The Analyzer', is arrested in Israel for hacking into many high-profile computer networks in the US.
- 1998 - The CIH virus is released. CIH was the first virus to include a payload which wipes the flash BIOS memory, rendering computer systems unbootable and invalidating the myth that 'viruses cannot damage hardware'.
- March 26, 1999 - The Melissa virus is released.
- 2000 - A Canadian teenage hacker known as 'Mafiaboy' conducts a DoS attack and renders Yahoo, eBay, Amazon.com, CNN and a few other web sites inaccessible. He is later sentenced to eight months in a youth detention center.
- 2000 - Microsoft Corporation admits that its computer network was breached and that the code for several upcoming versions of Windows was stolen.
- 2000 - The FBI arrests two Russian hackers, Alexei V. Ivanov and Vasiliy Gorshkov. The arrests take place after a long and complex operation which involves bringing the hackers to the US for a 'hacking skills demonstration'.
- July 2001 - The CodeRed worm is released. It spreads quickly around the world, infecting a hundred thousand computers in a matter of hours.
- 2001 - Microsoft releases Windows XP.
- July 18th, 2002 - Bill Gates announces the 'Trustworthy Computing' initiative, a new direction in Microsoft's software development strategy aimed at increasing security.
- October 2002 - A massive attack against 13 root domain servers of the Internet is launched by unidentified hackers. The aim: to stop the domain name resolution service around the net.
- 2003 - Microsoft releases Windows Server 2003.
- April 29th, 2003 - New Scotland Yard arrests Lynn Htun at London's InfoSecurity Europe 2003 computer fair. Lynn Htun is believed to have gained unauthorized access to many major computer systems such as Symantec and SecurityFocus.
- November 6th, 2003 - Microsoft announces a USD 5 million reward fund. The money will be given to those who help track down hackers targeting the software giant's applications.
- May 7th, 2004 - Sven Jaschan, the author of the Netsky and Sasser Internet worms, is arrested in northern Germany.
- September 2004 - IBM presents a supercomputer which is the fastest machine in the world. Its sustained speed is 36 trillion operations per second.

How to Detect a Hacker Attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack. Because of this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out whether your machine is under attack or whether the security of your system has been compromised. Keep in mind that, just as with viruses, there is no 100% guarantee that you will detect a hacker attack this way. However, there is a good chance that if your system has been hacked, it will display one or more of the following behaviours.
Windows machines:

- Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network traffic (especially when your computer is idle or not uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections this is less relevant: it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet.
- Increased disk activity or suspicious-looking files in the root directories of any drives. After hacking into a system, many hackers run a massive scan for any interesting documents or files containing passwords or logins for bank or e-payment accounts such as PayPal. Similarly, some worms search the disk for files containing email addresses to use for propagation. If you notice major disk activity even when the system is idle, in conjunction with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.
- A large number of packets which come from a single address being stopped by a personal firewall. After locating a target (e.g. a company's IP range or a pool of home cable users), hackers usually run automated probing tools which try to use various exploits to break into the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address, then this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific FTP service running on your system which has been made accessible to all. In this case, the solution is to block the offending IP temporarily until the connection attempts stop. Many personal firewalls and IDSs have such a feature built in.
- Your resident antivirus suddenly starts reporting that backdoors or trojans have been detected, even if you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside.
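As an added example (not code from the original article), the 'many stopped packets from one address' indicator can be checked mechanically over personal-firewall log lines rather than by eye. The parser assumes the column layout of the Windows Firewall pfirewall.log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...); the log lines and the thresholds are constructed for the demonstration.

```python
# Added example, not from the original article: flag source addresses whose
# dropped packets look like automated probing, from personal-firewall log lines.
from collections import defaultdict

def parse_drops(log_text):
    """Yield (src_ip, dst_port) for each DROP line. The column order assumed is
    that of the Windows Firewall pfirewall.log (an assumption, not from the page):
    date time action protocol src-ip dst-ip src-port dst-port size ..."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) >= 8 and cols[2] == "DROP":
            yield cols[4], cols[7]

def probing_sources(log_text, min_drops=10, min_ports=5):
    """Addresses with at least min_drops dropped packets spread over at least
    min_ports distinct destination ports: one address hammering many ports is
    the pattern the article describes, as opposed to a stray single drop."""
    drops = defaultdict(list)
    for src, port in parse_drops(log_text):
        drops[src].append(port)
    return sorted(src for src, ports in drops.items()
                  if len(ports) >= min_drops and len(set(ports)) >= min_ports)

# Constructed sample log: one address sweeps 12 consecutive ports, another is dropped once.
SAMPLE_LOG = "#Fields: date time action protocol src-ip dst-ip src-port dst-port size\n"
SAMPLE_LOG += "".join(
    f"2004-09-01 10:00:{i:02d} DROP TCP 198.51.100.7 192.0.2.10 40000 {port} 48\n"
    for i, port in enumerate(range(1000, 1012)))
SAMPLE_LOG += "2004-09-01 10:01:00 DROP UDP 203.0.113.5 192.0.2.10 5353 5353 80\n"
SAMPLE_LOG += "2004-09-01 10:01:01 ALLOW TCP 192.0.2.10 203.0.113.50 50000 80 52\n"
```

The addresses returned by probing_sources are the candidates for the temporary block the text recommends; the single stray drop from 203.0.113.5 is deliberately left below the threshold.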

Unix machines:

- Suspiciously named files in the /tmp folder. Many exploits in the Unix world rely on creating temporary files in the standard /tmp folder which are not always deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as 'home'.
- Modified system binaries such as 'login', 'telnet', 'ftp', 'finger' or more complex daemons such as 'sshd', 'ftpd' and the like. After breaking into a system, a hacker usually attempts to secure access by planting a backdoor in one of the daemons with direct access from the Internet, or by modifying standard system utilities which are used to connect to other systems. The modified binaries are usually part of a rootkit and are generally 'stealthed' against direct, simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single-user mode.
- Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Sometimes hacker attacks may add a new user in /etc/passwd which can be used to log in remotely at a later date. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.
- Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines. This is accomplished by modifying /etc/services as well as /etc/inetd.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.
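As an added example (not code from the original article), the checksum database for system binaries and the monitoring of /etc/passwd and /etc/services for additions described above, in Python. The 'binaries', the baseline and the file snapshots are all constructed in a temporary directory so the script runs anywhere; on a real system the baseline would be built from the actual utilities and kept offline.

```python
# Added example, not part of the original article: a checksum baseline for
# Unix system binaries and a check for lines added to /etc/passwd or /etc/services.
import hashlib
import os
import tempfile

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(paths):
    """Map each binary to its SHA-256 digest; store the result offline, not on the host."""
    return {p: sha256(p) for p in paths}

def verify_baseline(baseline):
    """Return the paths whose current digest differs from the baseline or which vanished."""
    return [p for p, d in baseline.items()
            if (sha256(p) if os.path.exists(p) else None) != d]

def added_lines(known_good, current):
    """Non-blank lines in the current file that were not in the known-good copy."""
    old = set(known_good.splitlines())
    return [ln for ln in current.splitlines() if ln.strip() and ln not in old]

def demo():
    # Constructed sample: two stand-in 'binaries' in a temp dir; one is then
    # modified the way a rootkit would patch sshd.
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, name) for name in ("login", "sshd")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    with open(paths[1], "ab") as f:
        f.write(b"\nbackdoor")
    tampered = [os.path.basename(p) for p in verify_baseline(baseline)]

    # Constructed snapshots of /etc/passwd and /etc/services with one addition each:
    # a second UID-0 account and a service bound to an otherwise unused port.
    passwd_old = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
    passwd_new = passwd_old + "sysupd:x:0:0::/:/bin/sh\n"
    services_old = "ssh 22/tcp\nhttp 80/tcp\n"
    services_new = services_old + "sysupd 4501/tcp\n"
    return (tampered,
            added_lines(passwd_old, passwd_new),
            added_lines(services_old, services_new))
```

The same added_lines check applies to /etc/inetd.conf, which the text pairs with /etc/services; the verification step is only trustworthy when run from a clean boot, since a rootkit on the live system can hide the modified binaries from it.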
