Methodology of a Hacker
Matthew Schmid
Telemus Solutions, Inc.
Copyright © 2006 Telemus Solutions, Inc. Proprietary
Today's Topics
Introduction
FBI Cyber Crime Report
Information Warfare Techniques
  Information gathering
  Social engineering
  Network reconnaissance
  Finding and exploiting vulnerabilities
  Controlling and maintaining access
Top 10 Security Vulnerabilities
Introduction
Telemus Solutions, Inc.
  Government and commercial security
  Protecting the critical infrastructure
Capabilities
  Physical and IT vulnerability assessments
  Security consulting
  Systems engineering
  Custom software development
  Research and development
FBI Cyber Crime Survey (2005)
Over 5,000 respondents, with over 87% experiencing one or more incidents
1. Total financial losses and the reported number of incidents have declined
2. Website attacks and wireless attacks have increased
3. Insider attacks occur about as often as external attacks
4. Defense is focused on the perimeter and antivirus / antispyware solutions
5. Security awareness continues to improve
Information Warfare Techniques
Information Gathering
WHOIS lookup
  Find information about ownership and registration of networks
Newsgroup postings
  Learn what problems the system administrator is dealing with
Google hacking
  Find unintentionally published information
Dumpster diving
  Find account names, passwords, network info
  Improperly disposed media
Example: WHOIS HealthTechNet.org
IPv4 whois information for 204.227.246.38
  OrgName: Pillsbury Madison & Sutro, Inc.
  NetRange: 204.227.224.0 - 204.227.255.255
  CIDR: 204.227.224.0/19
  NameServer: SFNS01.PILLSBURYWINTHROP.COM
  NameServer: LANS01.PILLSBURYWINTHROP.COM
  NameServer: VANS01.PILLSBURYWINTHROP.COM
  NameServer: NYNS01.PILLSBURYWINTHROP.COM
  smtp.shawpittman.com 208.200.185.221
  OrgTechName: Network Engineering Group
  OrgTechPhone: 1-415-477-4917
  OrgTechEmail: [email protected]
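The record above shows how much an organization publishes about itself through registration data alone. The following example, added here and not part of the Telemus slides, parses a WHOIS record of this shape the way a defender would when reviewing their own exposure: it extracts the fields, checks that the advertised NetRange and CIDR agree, and reports which contacts, name servers and address space are publicly tied to a given host. The sample record is constructed from the slide's values; the e-mail address is a placeholder, not a real contact.

```python
import ipaddress
import re

# Constructed sample modelled on the WHOIS record shown on the slide.
# The OrgTechEmail value is a placeholder, not a real address.
SAMPLE_WHOIS = """\
OrgName:        Pillsbury Madison & Sutro, Inc.
NetRange:       204.227.224.0 - 204.227.255.255
CIDR:           204.227.224.0/19
NameServer:     SFNS01.PILLSBURYWINTHROP.COM
NameServer:     LANS01.PILLSBURYWINTHROP.COM
NameServer:     VANS01.PILLSBURYWINTHROP.COM
NameServer:     NYNS01.PILLSBURYWINTHROP.COM
OrgTechName:    Network Engineering Group
OrgTechPhone:   1-415-477-4917
OrgTechEmail:   [email protected]
"""

# One "Key: value" field per line; anything else (comments, blanks) is skipped.
FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; keys that repeat become lists."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def netrange_matches_cidr(record):
    """True when the NetRange and CIDR fields describe the same address block."""
    start_s, end_s = record["NetRange"].split("-")
    start = ipaddress.ip_address(start_s.strip())
    end = ipaddress.ip_address(end_s.strip())
    net = ipaddress.ip_network(record["CIDR"], strict=True)
    return net.network_address == start and net.broadcast_address == end


def covers(record, host):
    """True when the host address falls inside the record's CIDR block."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(record["CIDR"])


def exposure_summary(text, host):
    """Summarize what the public record reveals about the organization behind host."""
    rec = parse_whois(text)
    servers = rec.get("NameServer", [])
    return {
        "host_in_block": covers(rec, host),
        "range_consistent": netrange_matches_cidr(rec),
        "name_servers": servers if isinstance(servers, list) else [servers],
        "contacts": [rec.get("OrgTechPhone"), rec.get("OrgTechEmail")],
    }


if __name__ == "__main__":
    for k, v in exposure_summary(SAMPLE_WHOIS, "204.227.246.38").items():
        print(f"{k}: {v}")
```

The consistency check matters because a NetRange that disagrees with its CIDR is a common sign of a stale or mis-maintained registration, which is exactly the kind of detail an attacker reads as a hint about how carefully the rest of the infrastructure is run.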
Social Engineering
Using gathered information to trick employees into compromising the organization’s security
  Provide accounts/passwords
  Modify machine settings
  Provide physical access
Getting users to introduce a vulnerability to the system
  Removable media
  Email attachments
  Active web content
Network Reconnaissance
Network and service mapping
  Find out what servers are up/down
  Identify operating systems
  Identify open services and versions
Tools
  Port scanners
  Network mappers
  OS fingerprinters
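Service mapping of the kind described here leaves a distinctive footprint: one source touching many ports on one destination in a short time. The following detection example is added here and is not part of the Telemus slides; it runs over a constructed firewall deny/accept log in a simplified iptables-like format (the addresses are documentation ranges, the format and field names are assumptions) and flags any source/destination pair that reaches a threshold of distinct destination ports within a sliding time window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed firewall log. One host probes twelve ports in twelve seconds,
# one host makes two ordinary web connections, and one host touches three
# ports spread across two hours (a slow probe that stays under the threshold).
SAMPLE_LOG = """\
2006-03-01T10:00:01 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
2006-03-01T10:00:02 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2006-03-01T10:00:03 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
2006-03-01T10:00:04 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
2006-03-01T10:00:05 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=53
2006-03-01T10:00:06 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
2006-03-01T10:00:07 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110
2006-03-01T10:00:08 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=111
2006-03-01T10:00:09 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=135
2006-03-01T10:00:10 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=139
2006-03-01T10:00:11 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2006-03-01T10:00:12 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
2006-03-01T10:00:30 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2006-03-01T10:00:31 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2006-03-01T10:05:00 DROP SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP DPT=22
2006-03-01T11:05:00 DROP SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP DPT=80
2006-03-01T12:05:00 DROP SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_scans(log_text, window_seconds=60, port_threshold=10):
    """Map (src, dst) -> peak number of distinct destination ports seen in any
    window_seconds-long sliding window, for pairs that reach port_threshold.

    Both accepted and dropped connections count: a probe of an open port is
    still a probe.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dpt"]))

    hits = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> occurrences inside the current window
        left = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the left edge forward until the window fits the time bound.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= port_threshold:
            hits[pair] = peak
    return hits


if __name__ == "__main__":
    for (src, dst), n in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {n} distinct ports in 60s")
```

The slow third source shows the limit of a time-window rule: a patient attacker who spaces probes out over hours never reaches the threshold, which is why this kind of detector is usually paired with a longer-horizon count of distinct ports per source regardless of timing.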
Wireless Networks
Topology
  Where is it connected?
Access Points
  No security
  Default accounts
  WEP vulnerabilities
  Rogue access points
Wireless on the laptop
  Associations with other APs
  Ad-hoc networks
Vulnerability Discovery
Identify issues
  Match service information to known vulnerabilities
  Scan specific machines for vulnerabilities
Tools
  OS vulnerability scanners
  Web vulnerability scanners
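Matching service information to known vulnerabilities is, at its core, a version comparison against a baseline, and it is the same comparison a defender runs for patch management. The example below is added here and is not part of the Telemus slides: it takes a constructed inventory of service banners (hypothetical hosts in a documentation address range), identifies the product and version in each, and compares them with a constructed minimum-patched-version baseline. The baseline numbers are illustrative placeholders for an organization's own patch policy, not statements about any particular advisory.

```python
import re

# Constructed inventory: (host, port, banner) for hypothetical hosts.
INVENTORY = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_3.9p1"),
    ("192.0.2.10", 80, "Server: Apache/2.0.54 (Unix)"),
    ("192.0.2.11", 22, "SSH-2.0-OpenSSH_4.3"),
    ("192.0.2.12", 25, "220 mail ESMTP Sendmail 8.13.6"),
    ("192.0.2.13", 21, "220 ProFTPD 1.3.0 Server"),
]

# Constructed patch baseline: the minimum version the organization treats as
# patched. Placeholder values for illustration, not advisory data.
BASELINE = {
    "OpenSSH": "4.3",
    "Apache": "2.0.58",
    "Sendmail": "8.13.6",
}

# Product name followed by '_', '/' or a space, optional 'v', then a dotted
# numeric version. Suffixes such as 'p1' are ignored for the comparison.
BANNER_RE = re.compile(r"(OpenSSH|Apache|Sendmail|ProFTPD)[_/ ]v?(\d+(?:\.\d+)*)")


def version_key(version):
    """Turn '2.0.54' into (2, 0, 54) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def identify(banner):
    """Return (product, version) from a banner, or (None, None) if unrecognized."""
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else (None, None)


def assess(inventory, baseline):
    """Classify every inventory entry as ok, outdated, no-baseline or unrecognized."""
    findings = []
    for host, port, banner in inventory:
        product, version = identify(banner)
        if product is None:
            status = "unrecognized"      # nothing to compare; needs a human look
        elif product not in baseline:
            status = "no-baseline"       # recognized product with no policy entry
        elif version_key(version) < version_key(baseline[product]):
            status = "outdated"
        else:
            status = "ok"
        findings.append((host, port, product, version, status))
    return findings


if __name__ == "__main__":
    for host, port, product, version, status in assess(INVENTORY, BASELINE):
        print(f"{host}:{port} {product or '?'} {version or '?'} -> {status}")
```

Two details are worth noting: versions are compared as integer tuples rather than strings (so that 2.0.58 correctly sorts above 2.0.9), and a product that is recognized but missing from the baseline is reported separately instead of being silently treated as fine, because an unmanaged service is itself a finding.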
Compromising the Target
Exploit a vulnerability to gain access to the machine
Tools
  Exploit frameworks
  Shellcode builders
  Automated attack tools
  Remote password crackers
Controlling the Host
Privilege escalation
Backdoors
  Allow the attacker to easily return
Trojan horses
  Disguise malicious programs
Rootkits
  Subvert the operating system itself
Erasing tracks
Example: Titan Rain
Foreign attacks against a broad sector of USG and defense contractors in 2004/2005
  Most targets were unaware of compromise
  Highly sophisticated attacks against perimeter defenses
  Exhibited well-planned attack methodology
  Customized tools and exploits
  Goals were data gathering and continued access
  Organizations are still struggling to recover
Gathering Data
Documents of all kinds from compromised machines
Documents from file servers
Network traffic
Keyboard loggers
Email messages
Recovering deleted data
Example: Department of Veterans Affairs
Employee had millions of records with personal information on his computer and external drive
Computer and drive were stolen in a burglary
Incident cost a huge amount of time, money, and bad publicity
Equipment was eventually recovered
Expanding Control
Leverage new resources to target other machines
  Open shares
  Unprotected hosts
  Routers and firewalls
  Network sniffing
  Intranets
  Control systems
  Affiliated networks
Conclusions
Top 10 Security Vulnerabilities
1. Unpatched vulnerabilities in services
2. Weak authentication and passwords
3. Out-of-date antivirus/antispyware software
4. Unnecessary administrative privileges
5. Poorly configured access controls and file sharing
6. Inadequate wireless security
7. Mis-configured routers and firewalls
8. Lack of policy and education
9. Zero-day exploits
10. Flawed recovery procedures
Summary
Seemingly unimportant data can be leveraged by an attacker
Perimeter security is critical, but not sufficient
Effective security is a combination of technical solutions and good policies
Thank You
Matthew Schmid, CISSP
Telemus Solutions, Inc.
http://www.telemussolutions.com