Hacker Perspectivesledvina/DHT/tugraz/Hacker Perspectives.pdf · ACN SS 07 - Hacker Perspectives History of hacking 1988 – Robert T. Morris launches a worm on governments ARPAnet

ACN SS 07 - Hacker Perspectives

Hacker Perspectives

Advanced ComputerNetworksSS 2007Franz Sommerauer


Overview

Definition of a Hacker History of Hacking How to get into Scene Information Gathering Ethical Hacking Most famous Hackers


Definition (see Hacker Jargon file)

1. A person who enjoys learning the detailsof programming systems and how to stretchtheir capabilities, as opposed to most userswho prefer to learn only the minimumnecessary.

2. One who programs enthusiastically, orwho enjoys programming rather than justtheorizing about programming.


Types of hackers

White hat– A person who is ethically opposed to the abuse of computer

systems (ethical hacker)– Generally focuses on securing IT systems

Grey hat– A skilled hacker who sometimes acts legally, sometimes in

good will, and sometimes not– Hybrid between white and black hat hackers

Black hat– Someone who compromises the security of a system

without permission from an authorized party– Cracker


History of hacking

1972– John Draper discovers that a 2.6

kHz tone allows to access theinternal trunking mechanism of MaBell

2.6 kHz tone created by a whistle With a Blue box it was possible to

take internal control of Ma Bell'slong distance switching equipment

1973– College students Steve Wozniak

and Steve Jobs begin making andselling blue boxes


History of hacking

1981– Chaos computer Club forms in Germany

1982– Hacker group of six teenage hackers (414’s)

broke into 60 computer systems and instiutitions(including Los Alamos Labs)

1988– Kevin Mitnick secretly monitors the e-Mail of

security officials (sentenced for one year to jail)


History of hacking

1988– Robert T. Morris launches a worm on governments

ARPAnet (precursor of the Internet) The worm spreads to 6000 networked computers First person indicted under the Computer Fraud and Abuse Act

of 1986 3 years probation 400 hours community service Fine of $10,050 and cost of his supervision

– First National Bank of Chicago became victim of $70-millioncomputer theft


History of hacking

1989– Hackers in West Germany were arrested

Broke into U.S. Government and corporate computers Sold OS-Sourcecode to Soviet KGB

– Fry Guy was arrested earned the name by hacking into a local McDonald's

computer and giving raises to his hamburger-flippingfriends

Got credit card numbers by social engeneering


History of hacking

1993– During radio station call-in contests, Kevin

Poulsen and 2 friends rigged the stations phonesystm to let their calls through Won 2 Porsches, vacation trips and $20.000

– Texas A&M Univerity professor received deaththreats because a hacker used his email accountto sent 20.000 racist emails


History of hacking

1994– Vladimir Levin and his group transferred $10

million from Citibank to bank accounts all over theworld Sentenced to three years in prison

1995– Kevin Mitnick arrested again

FBI accused him of stealing 20.000 credit card numbers stealing files from companies as Motorola and Sun

Microsystems


History of hacking

1998– 2 hacker were sentenced to death in China for stealing 260.000 Yuan

($31.400) 1999

– Unidentified hacker seized control of British military communicationsatellite and demanded money in return for control of satellite

2000– Hackers broke into Microsoft‘s corporate network

accessed source code for latest versions of Mircrosoft Windows and Officesoftware

– Russian cracker attempts to extort $100.000 from online music retailerCD Universe

threatening to expose thousands of customers credit card numbers– I love you virus spread rapidly around the world

infected image and sound files


History of hacking

2002– Mircrosoft sent more than 8.000 programmers to

security training 2004

– Myron Tereshchuk was arrested Attempting to extort $17 million from Micropatent

2006– Jeanson James Ancheta received a 57 month

prison sentence


How to get into scene

How to become a hacker– Learn about the techniques behind (program, UNIX, WWW)– Contribute to a hacker culture

You aren't really a hacker until other hackers consistently call you one Hackers publish their work under real-names, Crackers use

pseudonyms– Experiment and try out things

How to become a cracker– Download a script and run it somewhere– Download a file called “40HEX”– Use your hacking skills for bad purpose– The final reason a cracker cracks is for money


Information gathering

The more you know the easier you can attack. There are many ways to gather information

– Footprinting, Ping Sweep, Port Scan, OS Detection, Finger

Giving away knowledge is more dangerous thanrunning insecure software.

– Manuals must be secret!– Never give away secret information over telephone!– Try to conceal what software / hardware / versions you are

using



Footprinting– Learn as much as you can about a system

Remote access possibilities, ports, services … How does the phone-system work? How does the back-bone work? How does the company deal with the system? Who is responsible, who knows the system?

Read papers, manuals and ask the ones who know



Social Engineering– Attacker tries to convince someone to give out information,

passwords– Most innocent questions

What is the phone number/IP address for… Who is responsible for administrating the computer network

– Network structure

The technical know-how is less important thaninformation!



Ping sweepPing a range of IP addresses to find out whichmachines are currently running

Port Scan– TCP Scan:

Scan ports to see which services are running

– UDP Scan:Send garbage packets to ports



OS DetectionThis involves sending illegal ICMP or TCPpackets to a machine

Finger– Retrieving the User List to get all accounts.– Read Log-Files that show from where and when

users are logging in.


Ethical Hacking

Best protect a system by probing it while causing nodamage and fixing vulnerabilities found

Simulate how an attacker with no inside knowledgeof a system might try to penetrate

Includes permission to intrude– Consulting services– Hacking contests– Beta testing


Ethical Hacking

The Problem– Current software engineering practices do not produce

systems that are immune from attack– Current security tools only address parts of the problem and

not the system as a whole→ lack understanding leads to reliance upon partialsolutions

– Policy and law in cyberspace is immature and lags thestate-of-the-art in attacks

– System administration is difficult and becomingunmanageable due to patching against increasedvulnerabilities


Ethical Hacking

The result– Average time for a PC to be broken into directly

out-of-box from the store and attached to theInternet is less than 24 hours.

– The worst case scenario is about 15 minutes


Ethical Hacking

Scanning Tools– Typical information that can be learnd from a port

scan is: Existence of computer OS Version of OS Types of available services (smtp, httpd, ftp, telnet…) Type of computing platform


Ethical Hacking

Dual nature of a port scanner– Most powerful tool an ethical hacker can use in

protecting a network of computers– Most powerful tool a cracker can use to generate

attacks

Historically most popular cracker attacks arethose that use scanning tools to target knownvulnerabilities


Ethical Hacking

Conflicts of interest– Security firms hype and invent threats– Persons who work at security firms have been

known to spend their off-hours creating anddistributing the very attack tools their companysells to protect against

– Due to market pressure, businesses have usedethical hackers to: Beta test products Hacking contests


Ethical Hacking

Conclusion– The present poor security on the Internet, ethical

hacking may be the most effective way toproactively plug security holes an preventintrusions.

– On the other hand, ethical hacking tools have alsobeen notorious tools for crackers.


Most famous Hackers

Black hat hackers– Jonathan James

installed a backdoor into a Defense Threat Reduction Agencyserver

cracked into NASA computers stealing software worth approximately $1.7 million started a computer security company

– Adrian Lamo His hits include Yahoo!, Bank of America, Citigroup and

Cingular Now he is working as journalist and public speaker


Most famous Hackers

– Kevin Mitnick He hacked into computers, stole corporate secrets, scrambled

phone networks and broke into the national defense warningsystem

is now a computer security consultant, author and speaker– Kevin Poulsen

His hacking specialty, however, revolved around telephones He is now a senior editor for Wired News

– Robert Tappan Morris is currently working as a tenured professor at the MIT

Computer Science and Artificial Intelligence Laboratory


Most famous Hackers

White hat hackers– Stephan Wozniak

Co-founded Apple computers with Steve Jobs got his start in hacking making blue boxes Wozniak even used a blue box to call the Pope while

pretending to be Henry Kissinger– Tim Berners-Lee

famed as the inventor of the World Wide Web While working with CERN he created a hypertext prototype

system that helped researchers share and update informationeasily

founded the World Wide Web Consortium at MIT (W3C)


Most famous Hackers

– Linus Torvalds Father of Linux He started with a task switcher in Intel 80386 assembly and a

terminal driver. Then he put out a call for others to contributecode, which they did. Only about 2% of the Linux kernel iswritten by Torvalds himself (most prominent examples offree/open source software)

– Richard Stallman Founded the GNU Project to develop a free OS

– Tsutomu Shimomura he was hacked by Kevin Mitnick. Following this personal

attack, he made it his cause to help the FBI capture him Using Mitnick's cell phone, they tracked him near Raleigh-

Durham International Airport


Thank you for your attention!

Documents

Hacker Perspectivesledvina/DHT/tugraz/Hacker Perspectives.pdf · ACN SS 07 - Hacker Perspectives History of hacking 1988 – Robert T. Morris launches a worm on governments ARPAnet