
📄 ch04.htm

📁 Maximum Security (First Edition), network security, English edition
an issue we will discuss. However, DoS attacks are nothing special. They are the modern equivalent of ringing someone's telephone repeatedly to keep the line perpetually engaged. There are far more serious types of cracks out there. Just ask Crack dot Com, the manufacturers of the now famous computer game <I>Quake</I>.</P>
<P>In January, 1997, crackers raided the Crack dot Com site. Reportedly, they cracked the Web server and proceeded to chip away at the firewall from that location. After breaking through the firewall, the crackers gained carte-blanche access to the internal file server. From that location, they took the source code for both <I>Quake</I> and a new project called <I>Golgotha</I>. They posted this source code on the Net.
<BLOCKQUOTE>
	<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>For those of you who are not programmers, <I>source code</I> is the programming code of an application in its raw state. This is most often in human-readable form, usually in plain English. After all testing of the software is complete (and there are no bugs within it), this source code is sent a final time through a compiler. Compilers interpret the source code and from it fashion a binary file that can be executed on one or more platforms. In short, source code can be thought of as the very building blocks of a program. In commercial circles, source code is jealously guarded and aggressively proclaimed as proprietary material. For someone to take that data from a server and post it indiscriminately to the Internet is probably a programmer's worst nightmare. <HR>
</BLOCKQUOTE>
<P>For Crack dot Com, the event could have far-reaching consequences. For example, it's possible that during the brief period that the code was posted on the Net, its competitors may have obtained copies of (at least some of) the programming routines. In fact, the crackers could have approached those competitors in an effort to profit from their activities. This, however, is highly unlikely. 
The crackers' pattern of activity suggests that they were kids. For example, after completing the crack, they paraded their spoils on Internet Relay Chat. They also reportedly left behind a log (a recording of someone's activity while connected to a given machine). The Crack dot Com case highlights the seriousness of the problem, however.
<H4><FONT COLOR="#000077"><B>Kriegsman Furs</B></FONT></H4>
<P>Another interesting case is that of Kriegsman Furs of Greensboro, North Carolina. This furrier's Web site was cracked by an animal-rights activist. The cracker left behind a very strong message, which I have reproduced in part:
<DL>
	<DD>Today's consumer is completely oblivious to what goes on in order for their product to arrive at the mall for them to buy. It is time that the consumer be aware of what goes on in many of today's big industries. Most importantly, the food industries. For instance, dairy cows are injected with a chemical called BGH that is very harmful to both humans and the cows. This chemical gives the cows bladder infections. This makes the cows bleed and guess what? It goes straight in to your bowl of cereal. Little does the consumer know, nor care. The same kind of thing goes on behind the back of fur wearers. The chemicals that are used to process and produce the fur are extremely bad for our earth. Not only that, but millions of animals are slaughtered for fur and leather coats. I did this in order to wake up the blind consumers of today. Know the facts.
</DL>
<P>Following this message were a series of links to animal-rights organizations and resources.
<H4><FONT COLOR="#000077"><B>Kevin Mitnick</B></FONT></H4>
<P>Perhaps the most well-known case of the public sector being hacked, however, is the 1994/1995 escapades of famed computer cracker Kevin Mitnick. Mitnick has been gaining notoriety since his teens, when he cracked the North American Aerospace Defense Command (NORAD). 
The timeline of his life is truly amazing, spanning some 15 years of cracking telephone companies, defense sites, ISPs, and corporations. Briefly, some of Mitnick's previous targets include
<UL>
	<LI>Pacific Bell, a California telephone company<BR>	<BR>
	<LI>The California Department of Motor Vehicles<BR>	<BR>
	<LI>A Pentagon system<BR>	<BR>
	<LI>The Santa Cruz Operation, a software vendor<BR>	<BR>
	<LI>Digital Equipment Corporation<BR>	<BR>
	<LI>TRW
</UL>
<P>On December 25, 1994, Mitnick reportedly cracked the computer network of Tsutomu Shimomura, a security specialist at the San Diego Supercomputer Center. What followed was a press fiasco that lasted for months. The case might not have been so significant were it not for three factors:
<UL>
	<LI>The target was a security specialist who had written special security tools not available to the general public.<BR>	<BR>
	<LI>The method employed in the break-in was extremely sophisticated and caused a stir in security circles.<BR>	<BR>
	<LI>The suspicion was, from the earliest phase of the case, that Mitnick (then a wanted man) was involved in the break-in.
</UL>
<P>First, Shimomura, though never before particularly famous, was known in security circles. He, more than anyone, should have been secure. The types of tools he was reportedly developing would have been of extreme value to any cracker. Moreover, Shimomura has an excellent grasp of Internet security. When he got caught with his pants down (as it were), it was a shock to many individuals in security. Naturally, it was also a delight to the cracker community. For some time afterward, the cracking community was enthralled by the achievement, particularly because Shimomura had reportedly assisted various federal agencies on security issues. 
Here, one of the government's best security advisors had been cracked to pieces by a grass-roots outlaw (at least, that was the hype surrounding the case).</P>
<P>Second, the technique used, now referred to as <I>IP spoofing</I>, was complex and not often implemented. IP spoofing is significant because it relies on an exchange that occurs between two machines at the system level. Normally, when a user attempts to log in to a machine, he or she is issued a login prompt. When the user provides a login ID, a password prompt is given. The user issues his or her password and logs in (or, he or she gives a bad or incorrect password and does not log in). Thus, Internet security breaches have traditionally revolved around getting a valid password, usually by obtaining and cracking the main password file.</P>
<P>IP spoofing differs from this radically. Instead of attempting to interface with the remote machine via the standard procedure of the login/password variety, the IP-spoofing cracker employs a much more sophisticated method that relies in part on trust. <I>Trust</I> is defined and referred to in this book (unless otherwise expressly stated) as <I>the &quot;trust&quot; that occurs between two machines that identify themselves to one another via IP addresses</I>.</P>
<P>In IP spoofing, a series of things must be performed before a successful break-in can be accomplished:
<UL>
	<LI>One must determine the trust relationships between machines on the target network.<BR>	<BR>
	<LI>One must determine which of those trust relationships can be exploited (that is, which of those machines is running an operating system susceptible to spoofing).<BR>	<BR>
	<LI>One must exploit the hole.
</UL>
<P>(Be mindful that this brief description is bare bones. I treat this subject extensively in its own chapter, Chapter 28, &quot;Spoofing Attacks.&quot;)</P>
<P>In the attack, the target machine trusted the other. 
Whenever a login occurred between these two machines, it was authenticated through an exchange of numbers. This number exchange followed a forward/challenge scenario. In other words, one machine would generate a number to which the other must answer (also with a number). The key to the attack was to forge the address of the trusted machine and provide the correct responses to the other machine's challenges. And, reportedly, that is exactly what Mitnick did.</P>
<P>In this manner, privileged access is gained without ever passing a single password or login ID over the network. All exchanges happen deep at the system level, a place where humans nearly never interact with the operating system.</P>
<P>Curiously, although this technique has been lauded as new and innovative, it is actually quite antiquated (or at least, the <I>concept</I> is quite antiquated). It stems from a security paper written by Robert T. Morris in 1985 titled <I>A Weakness in the 4.2BSD UNIX TCP/IP Software</I>. In this paper, Morris (then working for AT&amp;T Bell Laboratories) concisely details the ingredients to make such an attack successful. Morris opens the paper with this statement:
<DL>
	<DD>The 4.2 Berkeley Software Distribution of the UNIX operating system (4.2BSD for short) features an extensive body of software based on the &quot;TCP/IP&quot; family of protocols. In particular, each 4.2BSD system &quot;trusts&quot; some set of other systems, allowing users logged into trusted systems to execute commands via a TCP/IP network without supplying a password. These notes describe how the design of TCP/IP and the 4.2BSD implementation allow users on untrusted and possibly very distant hosts to masquerade as users on trusted hosts. 
Bell Labs has a growing TCP/IP network connecting machines with varying security needs; perhaps steps should be taken to reduce their vulnerability to each other.
</DL>
<P>Morris then proceeds to describe such an attack in detail, some ten years before the first widely reported instance of such an attack had occurred. One wonders whether Mitnick had seen this paper (or even had it sitting on his desk whilst the deed was being done).</P>
<P>In any event, the break-in caused a stir. The following month, the <I>New York Times</I> published an article about the attack. An investigation resulted, and Shimomura was closely involved. Twenty days later, Shimomura and the FBI tracked Mitnick to an apartment in North Carolina, the apparent source of the attack. The case made national news for weeks as the authorities sorted out the evidence they found at Mitnick's abode. Again, America's most celebrated computer outlaw was behind bars.</P>
<P>In my view, the case demonstrates an important point, the very same point we started with at the beginning of this chapter: As long as they are connected to the Net, <I>anyone</I> can be cracked. Shimomura is a hacker and a good one. He is rumored to own 12 machines running a variety of operating systems. Moreover, Shimomura is a talented telephone <I>phreak</I> (someone skilled in manipulating the technology of the telephone system and cellular devices). In essence, he is a specialist in security. If he fell victim to an attack of this nature, with all the tools at his disposal, the average business Web site is wide open to assault over the Internet.</P>
<BLOCKQUOTE>
	<P><HR><FONT COLOR="#000077"><B>In defense of Shimomura: </B></FONT>Many individuals in security defend Shimomura. They earnestly argue that Shimomura had his site configured to bait crackers. In Chapter 26, &quot;Levels of Attack,&quot; you will learn that Shimomura was at least marginally involved in implementing this kind of system in conjunction with some folks at Bell Labs. 
However, this argument in Shimomura's defense is questionable. For example, did he also intend to allow these purportedly inept crackers to seize custom tools he had been developing? If not, the defensive argument fails. Sensitive files were indeed seized from Shimomura's network. Evidence of these files on the Internet is now sparse. No doubt, Shimomura has taken efforts to hunt them down. Nevertheless, I have personally seen files that Mitnick reportedly seized from many networks, including Netcom. Charles Platt, in his scathing review of Shimomura's book <I>Takedown</I>, offers a little slice of reality:</P>
	<P>Kevin Mitnick...at least he shows some irreverence, taunting Shimomura and trying to puncture his pomposity. At one point, Mitnick bundles up all the data he copied from Shimomura's computer and saves it onto the system at Netcom where he knows that Shimomura will find it....Does Shimomura have any trouble maintaining his dignity in the face of these pranks? No trouble at all. He writes: &quot;This was getting personal. ... none of us could believe how childish and inane it all sounded.&quot;</P>
	<P>It is difficult to understand why Shimomura would allow crackers (coming randomly from the void) to steal his hard work and excellent source code. My opinion (which may be erroneous) is that Shimomura did indeed have his boxes configured to bait crackers; he simply did not count on anyone cutting a hole through that baited box to his internal network. In other words, I believe that Shimomura (who I readily admit is a brilliant individual) got a little too confident. There should have been no relationship of trust between the baited box and any other workstation. 
<HR></P>
	<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Charles Platt's critique of <I>Takedown</I>, titled <I>A Circumlocuitous review of Takedown by Tsutomu Shimomura and John Markoff</I>, can be found at <A HREF="http://rom.oit.gatech.edu/~willday/mitnick/takedown.review.html"><TT>http://rom.oit.gatech.edu/~willday/mitnick/takedown.review.html</TT></A>. <HR>
</BLOCKQUOTE>
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>These cases are all food for thought. In the past 20 or so years, there have been several thousand such cases (of which we are aware). The military claims that it is attacked over 250,000 times a year. Estimates suggest it is penetrated better than half of the time. It is likely that no site is entirely immune. (If such a site exists, it is likely AT&amp;T Bell Laboratories; it probably knows more about network security than any other single organization on the Internet.)</P>
<P>All this having been established, I'd like to get you started. Before you can understand how to hack (or crack), however, you must first know a bit about the network. Part II of this book, &quot;Understanding the Terrain,&quot; deals primarily with the Internet's development and design.</P>
<CENTER><P><HR></P><P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All rights reserved.</CENTER></BODY></HTML>
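An added example, not from the book: the machine-to-machine trust described in the IP spoofing discussion, and the chapter's point that a baited box should trust no other workstation, can be checked on BSD-derived systems by auditing the r-command trust files. The file names `hosts.equiv` and `.rhosts`, the function names, and the sample entries are assumptions introduced here; the sample is constructed.

```python
# Added example: list the entries in an r-command trust file that let a
# remote machine in on the strength of its address alone.
# Assumptions: hosts.equiv/.rhosts syntax "[+|-]host [user]"; lines that
# start with '#' are treated as comments; every host name is constructed.

SAMPLE_HOSTS_EQUIV = """\
# constructed sample, not taken from any real system
fileserver.example.com
baitbox.example.com alice
+@labhosts
-oldhost.example.com
+ +
"""


def audit_trust(text):
    """Return (line_number, severity, reason) for every entry granting trust."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host.startswith("-"):
            continue  # an explicit deny grants nothing
        if host == "+":
            severity, reason = "critical", "every host is trusted"
        elif host.startswith("+@"):
            severity, reason = "high", "netgroup %s is trusted" % host[2:]
        else:
            severity, reason = "high", "host %s is trusted" % host.lstrip("+")
        if user == "+":
            severity, reason = "critical", reason + " for every remote user"
        elif user and not user.startswith("-"):
            reason += " for remote user %s" % user
        findings.append((lineno, severity, reason))
    return findings


def has_wildcard_trust(findings):
    """True when any entry trusts all hosts or all users."""
    return any(severity == "critical" for _, severity, _ in findings)


if __name__ == "__main__":
    for lineno, severity, reason in audit_trust(SAMPLE_HOSTS_EQUIV):
        print("line %d [%s] %s" % (lineno, severity, reason))
```

An empty result for a host means it extends no address-based trust through these files, which is the state the chapter argues a baited machine should be in.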
