The Behaviors and Tools of Today's Hackers
Symantec Article
SEP 24, 2002
These days, it doesn't take a computer expert to become a hacker. There are over 30,000 hacking-oriented sites on the Internet, offering easy to use click-and-hack programs and scripts for anyone to download. These easily accessible hacking tools have opened the door for a multitude of new exploits.
The first big-name hackers include Steve Wozniak, Bill Gates and Linus Torvalds, all now highly recognizable names behind many of the computer technologies used today. These early hackers had a love of technology and a compelling need to know how it all worked, and their goal was to push programs beyond what they were designed to do. Back then, the word "hacker" didn't have the negative connotation it has today. The original hacker ethic, rooted out of simple curiosity and a need to be challenged, appears to be dead.
The objectives of early hackers are a far cry from the goals of today's hacker. The motivation of the new breed of hackers appears not to be curiosity, or a hunger for knowledge, as it used to be. Instead, most of today's hackers are driven by greed, power, revenge, or some other malicious intent, treating hacking as a game or sport, employing the tools that are readily available via the Internet.
The security realities we face today
The rate of security attacks is actually outpacing the growth of the Internet. This means that something besides the growth of the Internet is driving the rise in security attacks. Here are some realities you should know about:
Operating systems and applications will never be secure. New vulnerabilities will be introduced into your environment every day. And even if you ever do get one operating system secure, there will be new operating systems with new vulnerabilities – phones, wireless devices, and network appliances.
The perimeter is disappearing. Old computer security jargon used to speak of "trusted" networks and "untrusted" networks. At best, your internal networks today are "semi-trusted." For instance, a company with over 50,000 nodes may have thousands of users who are connecting from home offices through cable modems. That makes the entire neighborhood of each of these employees become part of the corporate network. As employees are connecting to your network from homes, other offices, or hotels outside of the physical enterprise, new vulnerabilities are opened up.
Network security and location security.
If hackers don't get in quickly and easily through your firewall, modems or Web server, they can always walk in through the front door, smile at the receptionist, tailgate into a passcard-protected area behind one of your employees, proceed to an empty cubicle, and sit down at someone's unprotected computer.
Employees will never keep up with security policies and awareness. It doesn't matter how much you train and educate your employees. If your employees disregard warnings about the hazards of opening questionable email attachments, how are you going to educate them about properly configuring firewalls and intrusion detection systems for their home office PCs?
Managers have more responsibility than ever. And on top of facing the realities listed above, security managers are being asked to support increasing degrees of network availability and access.
Best practices that block most attacks
There are some good overall security measures you can take:
Employ a layer 7, full-inspection firewall
Automatically update your anti-virus at the gateway, server and client.
Keep all of your systems and applications updated
Hackers commonly break into a Web site through known security holes, so make sure your servers and applications are patched and up to date.
Turn off unnecessary network services
Eliminate all unneeded programs
Scan the network for common backdoor services - use intrusion detection systems, vulnerability scans and anti-virus protection.
Exploitive behaviors
Exploitive behaviors by hackers we see today have taken on many forms. Below is a list of some common hacker activities:
Defacing Web sites
Web defacements happen when a hacker breaks into a Web server and defaces the Web site by altering or replacing the front page for the entire world to see. Web site defacements are the most prevalent form of cyber vandalism, and are as easy as running an exploit tool downloaded from the Internet that is designed to exploit a known vulnerability.
Stealing credit card information
Credit card information can be stolen using the same exploit tools that are behind Web site defacements. Once hackers gain access to the network, they can scan databases looking for any files that may hold valuable information, such as "customer" files holding credit card information. Any files that interest a hacker may be downloaded to their own computer.
Exploiting server-side scripting
Server-side scripting allows bi-directional communications between Web servers and users. Used to create dynamic Web pages, server-side scripting is one of the most common sources of Web server vulnerabilities. There are three main ways that server-side script exploits can be used to corrupt a Web server:
Execute commands on the Web server
Read system files from the Web server
Modify files on the Web server
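The "read system files" case usually comes from a script that builds a file path out of a request parameter without checking where the result ends up. As an added example (not from the article or from any Symantec product), here is a C routine that lexically confines a requested path to the web root before the script opens anything; the function name and the sample request are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PARTS 32
/* Lexically normalise a requested path such as "/img/../../etc/passwd" and
 * decide whether it stays under the web root. Returns 1 and writes the clean
 * path to `out` when it does, 0 when a ".." would climb above the root (how a
 * script is tricked into reading system files). Needs no filesystem access. */
int confine_to_webroot(const char *request, char *out, size_t outlen)
{
    const char *parts[MAX_PARTS];   /* kept path components */
    size_t lens[MAX_PARTS];
    int depth = 0;
    const char *p = request;
    while (*p) {
        while (*p == '/') p++;                 /* collapse repeated slashes */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')
            continue;                          /* "." : drop */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;          /* ".." above root: escape */
            depth--;
            continue;
        }
        if (depth == MAX_PARTS) return 0;      /* too deep: reject */
        parts[depth] = start;
        lens[depth++] = n;
    }
    /* Rebuild "/a/b/c"; an empty component list is the root "/" itself. */
    size_t used = 0;
    if (outlen < 2) return 0;
    out[used++] = '/';
    for (int i = 0; i < depth; i++) {
        if (used + lens[i] + 2 > outlen) return 0;   /* would overflow out */
        if (i > 0) out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}
int main(void)
{
    char out[64];   /* constructed sample request containing a ".." */
    printf("%d %s\n", confine_to_webroot("/docs/../index.html", out, sizeof out), out);
    return 0;
}
```

A script that opens only paths this check accepts can still serve "/index.html" but never "/../etc/passwd", whatever the request contains.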
Exploiting buffer overflows
By sending a vulnerable program more data than its buffer was allocated to hold, a remote attacker can crash the program or overwrite other elements on the stack, and from there execute arbitrary commands on the victim's system. The attacker takes control by overwriting the original program's data with executable code of their own.
In addition to the best security practices listed above, another important way to stay protected is to eliminate all unneeded privileged (setuid or setgid) programs from your system.
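To make the mechanism and the fix concrete, here is an added C example (not code from the article): a request handler that copies a username into a fixed-size stack buffer, first with an unchecked strcpy and then with a length check that refuses oversized input; the function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer the handler copies into */

/* Vulnerable handler: strcpy() copies until the terminating NUL, so a
 * username longer than NAME_MAX-1 bytes runs past the buffer and
 * overwrites whatever the compiler placed after it on the stack.
 * Kept only for comparison; never call it with untrusted input. */
void greet_unbounded(const char *username)
{
    char name[NAME_MAX];
    strcpy(name, username);          /* no length check: the overflow */
    printf("hello %s\n", name);
}

/* Hardened handler: measure the input first and refuse anything that
 * will not fit, so the copy can never exceed the allocation.
 * Returns 0 on success, -1 when the input was rejected. */
int greet_bounded(const char *username)
{
    char name[NAME_MAX];
    size_t len = strlen(username);
    if (len >= sizeof name)          /* need one byte for the NUL */
        return -1;
    memcpy(name, username, len + 1); /* copies exactly len+1 bytes */
    printf("hello %s\n", name);
    return 0;
}

int main(void)
{
    char oversized[64];              /* constructed 63-byte username */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    greet_bounded("alice");          /* fits: printed */
    if (greet_bounded(oversized) != 0)
        puts("rejected oversized input");
    return 0;
}
```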
Domain Name Server (DNS) Attacks
DNS is the protocol by which Web addresses (e.g., www.symantec.com) are translated into IP addresses. Program and design flaws may allow a hacker to poison the DNS server information with incorrect data, misdirecting users.
Denial of Service (DoS) Attacks
Denial of service happens when someone or something is prevented from performing a desired task or operation. Common ways hackers cause DoS attacks:
Bandwidth consumption – flooding a network with data
Resource starvation – depleting a system's resources
Programming flaws – exploiting buffer overflows
Routing and DNS attacks – manipulating DNS tables to point to alternate IP addresses
Distributed Denial of Service (DDoS) Attacks
In a DDoS attack, many computers are hijacked and instructed to inundate a target site with packets or requests for data, denying service to legitimate users of the victim systems. The degree of automation in attack tools enables a single attacker to install their tools and control tens of thousands of compromised systems for use in attacks.
Employ Malicious Code
To propagate viruses, worms, and highly destructive blended threats, hackers use a variety of malicious code. We devoted an entire article to blended threats.
Employing new tools to keep control
As we mentioned, there are many tools available to aid the hacker in their exploits. Two commonly used tools are:
Rootkit
Rootkits are available for many operating systems and can be used by a hacker to gain administrator-level access to a computer or computer network. Once hackers, through cracking a password or exploiting a known vulnerability, obtain user-level access, they install the rootkit, which collects user IDs and passwords, thus obtaining access to the network. Intrusions using a rootkit are very difficult to detect, because other features within the rootkit make it possible for the hacker to essentially erase their tracks on the system.
SubSeven
SubSeven is a back door program that will install itself on the system. It is highly configurable and can be programmed to infect and notify in several ways.
Guard your enterprise from today's hacker
Today we are facing hackers with little going for them in the way of ethics, but who have sophisticated hacking tools at their disposal. These tools give hackers unprecedented access to networks.
To help combat these types of threats, your enterprise needs an in-depth defense across the gateway, server, and client. There are many different types of threats in today's environments, and many security appliances are deployed to address only a subset of them. Because of this, enterprises often end up deploying many individual point solutions — firewalls, intrusion detection systems, virtual private networks, etc. — to get the full security coverage they need. Due to the increase in blended threats and the dynamic nature of attacks, full coverage is a necessity.
Following the best practices noted above and implementing processes to manage policy and incidents is your best bet to stay protected from all exploits.
