


http://www.itp.net/news/516118-i



By Imthishan Giado

Arabian Computer News

April 13, 2008



When asked to describe what a typical 'hacker' looks like, most people

will resort to film clichés such as Keanu Reeves from the Matrix. The

typical hacker profile is that of a dank, unkempt loner who lives in a

basement lit by the harsh glow of an LCD and gleefully punches away at a

keyboard, defacing websites and leaving rude messages on desktops.



That's the old reality, says Jeremiah Grossman, CTO and founder of web

security specialists WhiteHat Security, former information security

officer for Yahoo! and the keynote speaker at this month's HackInTheBox

security conference in Dubai.



"It used to be about ideology, the art of the hack and getting a

reputation. We're now seeing a trend towards financially motivated

hacks, where a lot of smart people all over the world make their living

out of doing illicit hacks online. You have rogue marketing types that

hack websites to improve their global ranking. State sponsored hacking

happens all the time. You also have things like the Russian Business

Network hiring hackers to carry out e-commerce type fraud and

identity theft. So you'll see a wide spectrum of bad guys monetising in

different types of ways," he explains.



While these attacks are a daily reality for most net citizens and

corporations, Petko Petkov, founder of the ethical hacker think tank

GNUCitizen, says that the trend has not yet reached its peak, and

suggests which organisations make the most vulnerable targets.



"Banks and corporations that hold personal details will probably be the

first types of targets. A lot of these new-age Web 2.0 companies and

websites are also at risk. There is not one specific target - whatever

is easy to compromise is a good enough target for attackers.



"The hacking business is not as mature as it will get in the future.

Right now it mostly involves compromising PCs and hooking them to

botnets and such, but in the future - I'm not talking about the distant

future but probably a year or two ahead - organised crime will start

using hacker tricks for all sorts of things - modifying public records or

black public relations, which is where companies hire a group of hackers

to break into their competition and steal data, make it public through

some channel and as such defame the company. This stuff is not uncommon

- we've seen it happen and it's already been on the news," he warns.



WhiteHat's Grossman says that even though application developers are

responsible for the vulnerabilities which allow hackers easy access to

corporate systems, don't expect them to resolve the problem quickly.



"It's way outpacing quality assurance personnel's ability to effectively

pentest [penetration test] all these vulnerabilities. Beyond that, even

if we're able to know their exact location, remediation is almost

impossible at this point due to the volume of work being generated," he

claims.



The problem, suggests Petkov, is that enterprises have expanded too

quickly, with infrastructure growth outpacing the ability of IT teams to

secure it.



"I've tested numerous corporate networks where inside it's fairly

relaxed because the user is trusted. With no proper segmentation between

different networks and no security restrictions, it's complete chaos.

Once an attacker gets into the corporate network it's a matter of time

to get to the real interesting data. Many corporations try to resolve

the problem on the upper level by installing firewalls, intrusion

detection and sometimes prevention systems," he says.



He lists a number of possible means by which attackers can gain access

to a network - and surprisingly few require sophisticated IT knowledge.

One of the key problems is, as he mentioned earlier, the low levels of

security within corporate networks.



While most corporations erect expensive firewalls to keep hackers from

breaking in from the outside, a far easier strategy is to target senior

users who travel with laptops and have corporate VPN access. Once these

users connect to their home networks or public Wi-Fi hotspots, they are

easy prey for hackers, who can plant malicious code on their machines and

later steal their credentials when they reconnect to the corporate VPN.



Another method, only slightly more involved, is to erect a complete fake

network. Laptops often keep a preferred wireless connection list and will

join any network whose name matches an entry on that list, so a fake

network broadcasting the office network's name fools them into behaving

as if they were back in their regular office environment. If the attacker

controls the network, says Petkov, anything is possible.



"If that user starts using their e-mail client which probably runs in

the background and starts performing checks, the credentials sometimes

travel in the clear. When the attacker controls the network silently,

they will be able to steal this information. This hack can be performed

in about five minutes," he states.
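What "travel in the clear" means on the wire, as an added example that is not part of the original article: the Python below scans a captured mail session for cleartext logins the way an attacker sitting on a rogue network, or a defender's monitoring sensor, would. The capture lines, hosts and credentials are constructed for the illustration; POP3 USER/PASS, IMAP LOGIN and SMTP AUTH PLAIN are the real protocol commands, and a flow that negotiates STARTTLS is skipped because everything after that point would be ciphertext in a real capture.

```python
import base64
import re
from dataclasses import dataclass

# Constructed capture (not real traffic): one line per message, as
# "client:port -> server:port | C: data" (client side) or "| S: data".
SAMPLE_CAPTURE = "\n".join([
    "10.0.0.5:51002 -> 203.0.113.10:110 | S: +OK POP3 server ready",
    "10.0.0.5:51002 -> 203.0.113.10:110 | C: USER alice",
    "10.0.0.5:51002 -> 203.0.113.10:110 | C: PASS hunter2",
    '10.0.0.5:51003 -> 203.0.113.10:143 | C: a001 LOGIN bob "s3cret!"',
    # SMTP AUTH PLAIN is base64 of "\0user\0password": encoded, not encrypted.
    "10.0.0.5:51004 -> 203.0.113.10:587 | C: AUTH PLAIN "
    + base64.b64encode(b"\0carol\0passw0rd").decode(),
    "10.0.0.5:51005 -> 203.0.113.10:143 | C: a001 STARTTLS",
    "10.0.0.5:51005 -> 203.0.113.10:143 | S: a001 OK Begin TLS negotiation now",
])

LINE_RE = re.compile(r"^(?P<flow>\S+ -> \S+) \| (?P<dir>[CS]): (?P<data>.*)$")
POP3_USER = re.compile(r"^USER (\S+)$", re.IGNORECASE)
POP3_PASS = re.compile(r"^PASS (.+)$", re.IGNORECASE)
IMAP_LOGIN = re.compile(r'^\S+ LOGIN (\S+) "?([^"]+)"?$', re.IGNORECASE)
AUTH_PLAIN = re.compile(r"^AUTH PLAIN (\S+)$", re.IGNORECASE)
STARTTLS = re.compile(r"^(?:\S+ )?(?:STARTTLS|STLS)$", re.IGNORECASE)


@dataclass
class Finding:
    flow: str
    protocol: str
    username: str
    password: str


def scan_capture(text):
    """Return (findings, flows_that_negotiated_tls) for a capture transcript."""
    findings = []
    tls_flows = set()
    pending_user = {}  # POP3 sends USER and PASS as two separate commands
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "C":
            continue
        flow, data = m["flow"], m["data"].strip()
        if flow in tls_flows:
            continue  # after STARTTLS a real capture holds only ciphertext
        if STARTTLS.match(data):
            tls_flows.add(flow)
        elif (u := POP3_USER.match(data)):
            pending_user[flow] = u.group(1)
        elif (p := POP3_PASS.match(data)) and flow in pending_user:
            findings.append(Finding(flow, "POP3", pending_user.pop(flow), p.group(1)))
        elif (lg := IMAP_LOGIN.match(data)):
            findings.append(Finding(flow, "IMAP", lg.group(1), lg.group(2)))
        elif (a := AUTH_PLAIN.match(data)):
            try:
                parts = base64.b64decode(a.group(1), validate=True).split(b"\0")
            except ValueError:
                continue
            if len(parts) == 3:  # [authorization-id, username, password]
                findings.append(Finding(flow, "SMTP AUTH PLAIN",
                                        parts[1].decode("utf-8", "replace"),
                                        parts[2].decode("utf-8", "replace")))
    return findings, tls_flows


if __name__ == "__main__":
    found, protected = scan_capture(SAMPLE_CAPTURE)
    for f in found:
        print(f"{f.flow}: {f.protocol} credentials in the clear for {f.username!r}")
    for flow in sorted(protected):
        print(f"{flow}: negotiated TLS, nothing further visible")
```

The same pattern matching is what makes a five-minute rogue-network attack work: no exploit is needed, only a mail client that was never told to require TLS before authenticating.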



Some entry methods are shockingly basic and reflect the scant attention

which enterprises pay to fundamental physical security.



"One of the most basic ways of compromising a corporate network is to

walk into one of the offices. The entrances sometimes have access to

Ethernet sockets so the attackers install a small device and hide it

away from casual observation and use it to access the corporate network.

This is very basic stuff," reveals Petkov.



The tools used for these attacks are often not what one expects, says

MST team chief and senior technical threat analyst MST II for the US

Army, Thomas Blackard.



"I've seen people do strange things with Asus Eee PCs and a modified

Sega Dreamcast with a network adapter and a modem setup in a wiring

closet with access. If you have quantifiably important equipment then

you need to take equitable measures to secure that from the outside

world; don't use a glass door, use a metal door. You don't want to

impede the users but you want to impede processes into areas where

humans don't necessarily need to be," he says.



Even the VOIP telephones widely used in the Middle East represent a

threat, says the founder of Italy-based security firm Alba ST, Alessio

Pennasilico.



"The danger is confidentiality. Often by phone, we talk about important

things, especially managers, but if you don't implement any encryption,

phone calls can be eavesdropped. This is obviously also a problem of

traditional telephony but in VOIP, you don't need to be physically near

the device to eavesdrop - you can do it from a remote location with a

free internet connection. The problem is that encrypting communications

needs money and competence and there are very few companies that

implement encryption," he says.



Pennasilico outlines a common VOIP-based fraud known as 'vishing'. It works

in a similar way to its e-mail equivalent and namesake, phishing.



"It's the same as phishing except that you don't receive an e-mail, you

receive a phone call with a changed number or spoofed caller ID. On the

display of your phone appears perhaps the number of your bank. You pick

up the phone and listen to a recorded message saying that you have some

problem with your account and asking you to enter your credit card

number or account number on the keypad. This fraud started in the US and

will be soon known all over the world because it's really cheap and

technically simple," he warns.



Of course, one of the key factors in dealing with a potential attack is

detecting it as soon as possible. But this is often hampered by the

number of false positives, says the US Army's Blackard.



"You really don't know an attack's an attack until after you've gone and

looked at it again. It may be a junior technician installing a new

laptop someplace which has a bad network card going up and down

flapping, generating a lot of noise traffic. Probably eight out of ten

incidents are an actual failure of the device more than an actual

attack," he explains.
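One way to take some of that second look off the analyst, as an added example that is not part of the original article: the Python below correlates each IDS alert with link up/down events on the switch port the source host hangs off, and tags alerts whose port has been flapping as a probable hardware fault to confirm with the network team first. The switch syslog, alert lines and host-to-port table are constructed for the illustration (the %LINK-3-UPDOWN wording follows the Cisco IOS style); the window and threshold are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inputs (not real logs): switch syslog and a simple IDS alert feed.
SWITCH_LOG = """\
2008-04-13T09:00:01 sw-core1 %LINK-3-UPDOWN: Interface Gi0/12, changed state to down
2008-04-13T09:00:04 sw-core1 %LINK-3-UPDOWN: Interface Gi0/12, changed state to up
2008-04-13T09:00:09 sw-core1 %LINK-3-UPDOWN: Interface Gi0/12, changed state to down
2008-04-13T09:00:15 sw-core1 %LINK-3-UPDOWN: Interface Gi0/12, changed state to up
2008-04-13T09:00:31 sw-core1 %LINK-3-UPDOWN: Interface Gi0/12, changed state to down
2008-04-13T09:00:40 sw-core1 %LINK-3-UPDOWN: Interface Gi0/12, changed state to up
2008-04-13T08:20:00 sw-core1 %LINK-3-UPDOWN: Interface Gi0/7, changed state to up
"""
IDS_ALERTS = """\
2008-04-13T09:01:10 src=10.0.0.12 sig="Excessive ARP / DHCP requests"
2008-04-13T09:02:30 src=10.0.0.40 sig="TCP SYN sweep against 10.0.1.0/24"
"""
# Which switch port each host is on (from the inventory or the CAM table).
PORT_OF_HOST = {
    "10.0.0.12": ("sw-core1", "Gi0/12"),
    "10.0.0.40": ("sw-core1", "Gi0/7"),
}

LINK_RE = re.compile(
    r"^(\S+) (\S+) %LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)$")
ALERT_RE = re.compile(r'^(\S+) src=(\S+) sig="([^"]*)"$')


def parse_link_events(text):
    """Map (switch, port) -> list of timestamps of state changes."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            events[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return events


def triage(alert_text, switch_log, port_of_host,
           window=timedelta(minutes=5), flap_threshold=4):
    """Annotate each alert with the number of link flaps on the source's port
    inside the preceding window and a first-pass verdict."""
    events = parse_link_events(switch_log)
    results = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts, src, sig = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        port = port_of_host.get(src)
        flaps = sum(1 for t in events.get(port, []) if ts - window <= t <= ts) if port else 0
        if flaps >= flap_threshold:
            verdict = "probable link fault; confirm with network team before escalating"
        elif port is None:
            verdict = "unknown host; investigate (inventory gap)"
        else:
            verdict = "investigate"
        results.append({"time": ts, "src": src, "sig": sig,
                        "flaps_in_window": flaps, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(IDS_ALERTS, SWITCH_LOG, PORT_OF_HOST):
        print(f"{r['time']:%H:%M:%S} {r['src']:<12} flaps={r['flaps_in_window']} "
              f"{r['sig']!r}: {r['verdict']}")
```

The tag is a prioritisation hint, not a dismissal: a host on a flapping port can still be compromised, so the alert stays in the queue, but the analyst knows which call to make first.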



Most security experts concur that it's better to have an in-house

security team to deal with threats and update the security measures of

the organisation, rather than outsourcing security to a third party.



"Short term, outsourcing is better. Here's the downside to a contract

firm - they have no real vested interest in a company beyond billable

hours. Long term, what you want is a cadre of your own personnel because

they will be able to take ownership of the equipment that's there.



"What you need is a guy that's really good at firewalls, a guy that's

good at databases, a guy that's good at clients and so on. You'll want

to have one or two generalist guys that are good at just about

everything so that you have coverage all day along and then you want to

have a couple of specialists as your heavy hitters," recommends

Blackard.



Petkov, however, says that enterprises should be mindful of the cost

factor: "If you have your own in-house security team like a tiger team

to test your networks on a constant basis, this is a huge plus but it

may become quite expensive for companies. They then have to outsource

that service which is a more convenient solution and is also very

flexible."



Blackard suggests that enterprises can take one of two approaches to

security: "You can do a defence in depth approach - which is what I

prefer - where your outer perimeter is just as strong as your inner

perimeter and you have a whole series of air gaps and breaks in

networks, you have dissimilar segments, you do a lot of things that

makes it very difficult for the individual to apply any one exploit to

get all the way into your network."



"The other school of thought is a company having very soft non-

protected insides and then these huge, monstrous enormously expensive

firewalls they hide behind. The question is, how much is your data worth

to you?" asks Blackard.



In closing, WhiteHat's Grossman has some advice for CIOs for securing

their online property: "Know what websites you have and rank their

importance because you can't secure what you don't know you own."



"Secondly, you have to measure your security, good bad or otherwise. You

have to constantly assess the security of your web based property - if

you don't the bad guys will. Lastly, for defence in-depth, throw up as

many roadblocks as possible to prevent a compromise. You don't have to

achieve 100% security but you should at least be more secure than your

peers," he concludes.





-=-





The IT blacklight



If a company suffers a serious intrusion and experiences a significant

financial or data loss, it may be time to call in the CSI of the IT

world - forensics investigators like Mandiant's Jamie Butler.



His job is to treat enterprise IT systems like a virtual crime scene and

sift through it for evidence of how the attacker gained access and most

importantly, if they're still there.



"Often the attacker wants to maintain a presence on the systems that

they've broken into so that whatever value they're taking, they can

continue to do so in the future. What they leave behind is generally

classified as malware and we look for those types of indicators," says

Butler.



Butler notes that attackers usually don't compromise more systems than

they have to: "They don't want to compromise a lot of boxes because then

their footprint gets much bigger. If you have a client with 2000 hosts

on a network, you won't see that 50% of those are compromised, it'll be

less than 10% or 5%."



And just like CSI, contamination of the crime scene causes problems for

Butler: "If at the onset they don't realise there's an attack,

enterprises might run a set of diagnostic tools to give them more

information. That process makes the hosts dirtier - and what I mean by

that is that they destroy some of the physical evidence, by erasing the

memory or running tools that write to the disk. Once you write to the

disk, recovery becomes impossible for the files that have been deleted

and you might only get a portion of it back with forensic tools."
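Why a responder's own tools can destroy the evidence they are meant to find, as an added example that is not part of the original article: the Python below models a block device in a few dozen lines (a directory, a free list and raw blocks, with the lowest free block reused first, as many real allocators do). Deleting a file only frees its blocks, so the record can still be carved out of the raw blocks; a "diagnostic" log written afterwards reuses those blocks and only a tail of the record survives. The file names and record contents are constructed for the illustration.

```python
BLOCK = 16  # bytes per block; tiny so the effect is visible


class ToyDisk:
    """Simplified block device. As on a real filesystem, unlink only
    frees the blocks; the bytes stay until something reuses them."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))  # lowest free block is handed out first
        self.dir = {}                      # name -> list of block numbers

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        nums = [self.free.pop(0) for _ in chunks]
        for n, chunk in zip(nums, chunks):
            self.blocks[n] = chunk.ljust(BLOCK, b"\0")
        self.dir[name] = nums

    def delete(self, name):
        self.free = sorted(self.free + self.dir.pop(name))


def recover(disk, header, trailer):
    """Carve a deleted record out of the raw blocks by header and trailer.
    Returns (bytes, complete); complete is False when only a tail survives."""
    raw = b"".join(disk.blocks)
    h, t = raw.find(header), raw.find(trailer)
    if h >= 0 and t > h:
        return raw[h:t + len(trailer)], True
    if t >= 0:
        # Header overwritten: the best we can do is the run of still-free
        # blocks that ends at the trailer.
        first = t // BLOCK
        while first - 1 in disk.free:
            first -= 1
        return raw[first * BLOCK:t + len(trailer)], False
    return b"", False


# Constructed record an attacker might leave and then delete.
EVIDENCE = b"EVID:" + b"backdoor=/tmp/.x;c2=198.51.100.7" + b":END"


def run_scenario():
    disk = ToyDisk(8)
    disk.write("notes.txt", b"quarterly numbers")      # blocks 0-1
    disk.write("evidence.log", EVIDENCE)                # blocks 2-4
    disk.delete("evidence.log")                         # attacker cleans up
    before = recover(disk, b"EVID:", b":END")           # still fully carvable
    disk.write("diag.log", b"diag tool started 09:12")  # responder's tool writes
    after = recover(disk, b"EVID:", b":END")            # blocks 2-3 now reused
    return before, after


if __name__ == "__main__":
    (data1, ok1), (data2, ok2) = run_scenario()
    print("before diagnostics:", data1, "complete" if ok1 else "partial")
    print("after diagnostics: ", data2, "complete" if ok2 else "partial")
```

The practical rule that follows is the one forensic teams already use: image memory and disk before running anything else on the host, and run whatever triage tools you must from read-only media that write their output elsewhere.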







___________________________________________________

Subscribe to InfoSec News

http://www.infosecnews.org/mailman/listinfo/isn




