ch26.htm

Maximum Security (First Edition) 网络安全 英文版

	therefore, a B.S. in Computer Science is not required. Many individuals get this
	knowledge by networking equipment within their home or at their place of business.<BR>
	<BR>
	
	<LI>Uses the Internet more than 50 hours per month--Crackers are not casual users.
	To watch a cracker at work is to watch someone who truly knows not only his or her
	own machine, but the Net. There is no substitute for experience, and crackers must
	have it. Some crackers are actually habitual users and suffer from insomnia. No joke.<BR>
	<BR>
	
	<LI>Intimately knows at least two operating systems--One of these will undoubtedly
	be UNIX or VMS.<BR>
	<BR>
	
	<LI>Has (or had) a job using computers--Not every cracker wakes up one morning and
	decides to devote a major portion of his or her life to cracking. Some have had jobs
	in system administration or development. These individuals tend to be older and more
	experienced. In such cases, you are probably dealing with a professional cracker
	(who probably has had some experience developing client/server applications).<BR>
	<BR>
	
	<LI>Collects old, vintage, or outdated computer hardware or software--This may sound
	silly, but it isn't. Many older applications and utilities can perform tasks that
	their modern counterparts cannot. For example, I recently had a hard drive that reported
	bad sectors. I reformatted it a dozen times and tried various disk utilities to repair
	it; still, I had problems. After several tries with modern utilities, I turned to
	a very obscure program called hdscrub.com, coded many years ago. It repaired the
	problem in no time, reformatting the disk clean. Other examples include old utilities
	that can format disks to different sizes, break up large files for archiving on disks,
	create odd file systems, and so forth. As a cracker's experience grows, he or she
	collects such old utilities.
</UL>

<H2><FONT COLOR="#000077"><B>What Is the Typical Target Like?</B></FONT></H2>
<P>The typical target is hard to pin down because crackers attack different types
of networks for different reasons. Nonetheless, one popular target is the small,
private network. Crackers are well aware of organizational behavior and financial
realities. Because firewalls are expensive to acquire and maintain, smaller networks
are likely to go without or obtain inferior products. Also, few small companies have
individuals assigned specifically to anti-cracking detail (think about the Finnish
report I mentioned in Chapter 4, &quot;Just Who Can Be Hacked, Anyway?&quot;). Finally,
smaller networks are more easily compromised because they fit this profile:

<UL>
	<LI>The owners are new to the Internet<BR>
	<BR>
	
	<LI>The sysad is experienced with LANs rather than TCP/IP<BR>
	<BR>
	
	<LI>Either the equipment or the software (or both) are old (and perhaps outdated)
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Seizing such a network is generally
	easier, as it is maintaining a box there. Crackers refer to this as <I>owning</I>
	a box, as in &quot;I just cracked this network and I now own a box there.&quot; This
	<I>owning</I> refers to a condition where the cracker has root, supervisor, or administrator
	privileges on the box. In other words, the cracker has total control of the machine
	and, at any time, could totally down or otherwise destroy the network. 
<HR>


</BLOCKQUOTE>

<P>This profile, however, is not set in stone. Many crackers prefer to run with the
bleeding-edge target, seeing whether they can exploit a newly discovered hole before
the sysad plugs it. In this instance, the cracker is probably cracking for sport.</P>
<P>Another issue is familiarity. Most crackers know two or more operating systems
intimately from a user standpoint, but generally only one from a cracking standpoint.
In other words, these folks tend to specialize. Few crackers are aware of how to
crack multiple platforms. For example, perhaps one individual knows VAX/VMS very
well but knows little about SunOS. He will therefore target VAX stations and ultimately,
perhaps through experience, DEC Alphas.</P>
<P>Universities are major targets in part because they possess extreme computing
power. For example, a university would be an excellent place to run an extensive
password cracking session. The work can be distributed over several workstations
and can thus be accomplished much more quickly than by doing it locally. Another
reason universities are major targets is that university boxes usually have several
hundred users, even in relatively small network segments. Administration of sites
that large is a difficult task. There is a strong chance that a cracked account can
get lost in the mix.</P>
<P>Other popular targets are government sites. Here, you see the anarchistic element
of the cracker personality emerging: the desire to embarrass government agencies.
Such an attack, if successful, can bring a cracker great prestige within the subculture.
It does not matter if that cracker is later caught; the point is, he or she cracked
a supposedly secure site. This telegraphs the news of the cracker's skill to crackers
across the Internet.
<H2><FONT COLOR="#000077"><B>Why Do They Want to Attack?</B></FONT></H2>
<P>There are a number of reasons why crackers might want to attack your system:

<UL>
	<LI>Spite--Plainly stated, the cracker may dislike you. Perhaps he is a disgruntled
	employee from your company. Perhaps you flamed him in a Usenet group. One common
	scenario is for a cracker to crack an ISP with which he once had an account. Perhaps
	the ISP discovered the cracker was cracking other networks or storing warez on its
	box. For whatever reason, the ISP terminated the cracker's account, and now the cracker
	is out for revenge.<BR>
	<BR>
	
	<LI>Sport--Perhaps you have been bragging about the security of your system, telling
	people it's impenetrable. Or worse, you own a brand-spanking-new system that the
	cracker has never dealt with before. These are challenges a cracker cannot resist.<BR>
	<BR>
	
	<LI>Profit--Someone pays a cracker to bring you down or to get your proprietary data.<BR>
	<BR>
	
	<LI>Stupidity--Many crackers want to impress their friends, so they purposefully
	undertake acts that will bring the FBI to their door. These are mostly kids.<BR>
	<BR>
	
	<LI>Curiosity--Many crack purely for sake of curiosity, simple enjoyment of the process,
	or out of boredom.<BR>
	<BR>
	
	<LI>Politics--A small (but significant) percentage of crackers crack for political
	reasons. That is, they seek press coverage to highlight a particular issue. This
	could be animal rights, arms control, free speech, and so forth. This phenomenon
	is much more common in Europe than in the U.S. Americans fall victim to pride or
	avarice far more often than they do to ideology.
</UL>

<P>All of these reasons are vices. These vices become excess when you break the law.
With breaking the law comes a certain feeling of excitement; that excitement can
negatively influence your reasoning.
<H2><FONT COLOR="#000077"><B>About Attacks</B></FONT></H2>
<P>At what point can you say you have suffered a network attack? Some insist that
it is the moment when crackers either penetrate your network or temporarily disable
any portion of it. Certainly, from a legal point of view, this could be a valid place
to mark the event called an attack (though, in some jurisdictions, intent and not
the successful completion of the act will suffice).</P>
<P>Although the legal definition of an attack suggests that it occurs only after
the act is completed and the cracker is inside, it is my opinion that the mere undertaking
of actions that will result in a network break-in constitutes an attack. The way
I see it, you are under attack the moment a cracker begins working on the target
machine.</P>
<P>The problem with that position is that sometimes, partly out of sophistication
and partly out of opportunity, a cracker will take some time to actually implement
an attack. For example, a series of fishing expeditions may occur over a period of
weeks. These probes in themselves could not reasonably be called <I>attacks</I> because
they do not occur contiguously. If a cracker knows that logs are being run, he may
opt for this &quot;slow boat to China&quot; approach. The level of paranoia in system
administrators varies; this is not a quality that a cracker can accurately gauge
without undertaking some action (perhaps trying a mock attack from a temporary address
and waiting for the response, repercussions, or activity from the sysad). However,
the majority of system administrators do not fly off the handle at a single instruction
from the void unless that instruction is quite obviously an attack.</P>
<P>An example of an obvious attack is when the log reveals the attempt of an old
sendmail exploit. This is where the cracker issues two or three command lines on
port 25. These commands invariably attempt to trick the server into mailing a copy
of the <TT>/etc/passwd</TT> file back to the cracker. If a system administrator sees
this, he will obviously be concerned. However, contrast that with evidence of a <TT>showmount</TT>
query. A system administrator may well know that a <TT>showmount</TT> query is an
ominous indication, but it cannot be indisputably classed as an attempted intrusion.
In fact, it is nothing more than evidence of someone contemplating an intrusion,
if that.</P>
<P>These techniques of gradually gaining information about a system have their advantages
and their pitfalls. For example, the cracker may come from different addresses at
different times, quietly knocking on the doors (and checking the windows) of a network.
Sparse logging evidence from disparate addresses may not alarm the average system
administrator. In contrast, a shotgun approach (heavy scanning) will immediately
alert the sysad to a problem. Unless the cracker is reasonably certain that an exploit
hole exists on a machine, he will not conduct an all-out scanning attack (at least,
not if he is smart).</P>
<P>If you are just getting started in security, the behavior of crackers is an important
element of your education; this element should not be neglected. Security technicians
usually downplay this, because they maintain a high level of disdain for the cracker.
Nonetheless, even though sites employ sophisticated security technology, crackers
continue to breach the security of supposedly solid servers.</P>
<P>Most crackers are not geniuses. They often implement techniques that are tried,
true, and well known in the security community. Unless the cracker is writing his
own tools, he must rely on available, existing tools. Each tool has limitations peculiar
to its particular design. Thus, from the victim's point of view, all attacks using
such tools will look basically the same. Attacks by crackers using strobe will probably
look identical as long as the target machine is, say, a SPARC with SunOS 4.1.3. Knowing
those signatures is an important part of your security education. However, the study
of behavior goes a bit deeper.</P>
<P>Most crackers learn their technique (at least the basics) from those who came
before them. Although there are pioneers in the field (Kevin Mitnik is one), the
majority of crackers simply follow in the footsteps of their predecessors. These
techniques have been described extensively in online documents authored by crackers,
and such documents are available at thousands of locations on the Internet. In them
are extremely detailed examples of how to implement a particular class of attack.</P>
<P>The new cracker typically follows these instructions to the letter, often to his
detriment because some attack methods are pathetically outdated (solutions have since
been devised and the cracker employing them is wasting his own time). If you examine
such an attack in your logs, it may look almost identical to sample logs posted by
security professionals in various technical presentations designed with the express
purpose of illustrating cracking examples.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>You can create scripts that will
	extract such attacks from logs. These scripts are really nothing more than powerful
	regex searches (Perl is most suitable for this) that scan log files for strings that
	commonly appear during or after such an attack. These output strings generally differ
	only slightly from platform to platform. The key is, if you have never seen those
	strings, generate some. Once you know the construct of the output, you will know
	what to scan for. Likewise, check out some of the tools I reference later in this
	chapter. These tools are designed for wholesale scanning of large log files. 
<HR>


</BLOCKQUOTE>

<P>However, there comes a point within a cracker's experience where he begins to
develop specialized methods of implementing attacks. Some of these methods emerge
as a result of habit; others emerge because the cracker realizes that a tool can
be used for more than its express purpose. These types of attacks, called <I>hybrid</I>
attacks, are where one or more techniques are used in concert to produce the ultimate
end. (The example given in the preceding paragraphs is where an apparent denial-of-service
attack is actually one phase of a spoofing attack.) Incredibly, there may be crackers
who still use traditional type-one-command-at-a-time techniques, in which case, you
will see all sorts of interesting log messages.</P>
<P>In any event, studying the behavior of crackers in actual cracking situations
is instructive. There are documents of this sort on the Internet, and you should
obtain at least two or three of them. One of the most extraordinary papers of this
class was written by Bill Cheswick, then of AT&amp;T Bell Laboratories. Cheswick
begins this classic paper as follows:

<DL>
	<DD>On January 7 1991 a cracker, believing he had discovered the famous sendmail
	DEBUG hole in our Internet gateway machine, attempted to obtain a copy of our password
	file. I sent him one.
	<P>Cheswick forwarded the password file and allowed the cracker to enter a protected
	environment. There, the cracker was observed as he tried various methods to gain
	leveraged access and ultimately, to delete all the files. The attack had an apparent
	originating point at Stanford University, but it was later determined that the cracker
	was operating from the Netherlands. At the time, such activity was not unlawful in
	the Netherlands. Therefore, though the calls were ultimately traced and the cracker's
	identity known, he was reportedly untouchable. At any rate, the cracker proceeded
	to make a series of clumsy attempts to crack a specific machine. The story that Cheswick
	relates from there is truly fascinating. Cheswick and his colleagues created a special,
	protected (chroot) environment in which the cracker was free to crack as he pleased.
	In this way, the cracker could be observed closely. The paper contains many logs
	and is a must read.
</DL>