A day in the life of an Internet hacker
The Irish Honeynet has again been subjected to a continuing barrage of attacks from Internet hackers. The network saw a further 395 attacks launched against it during August 2002. The site was offline for five days during a relocation exercise, and so the daily average is up again in August from the July figure of a total of 415 attacks. This continually increasing trend highlights the ever-growing threat present in our wired world.
The Irish Honeynet Project is a research initiative sponsored by professional services firm Deloitte & Touche, operated by Espion, a security software and services distribution company, and hosted by Data Electronics. A honeynet is a group of computers that are designed from the start to be attacked and compromised. An off-the-shelf server (typically without any particular security patches or other modifications) is placed out on the Internet, and monitoring tools are set up to record the activities of the hacking community in action, allowing us to keep abreast of their ever-changing tactics.
The types of attacks witnessed continue to reflect those that are found by organisations around the world. The locations from which these attacks arise may be somewhat surprising, however. Asian countries are particularly active, with a total of 141 attacks in August. The bulk of this comes from China and the Republic of Korea, from where a high level of worm activity has been launched.
The United States and Europe continued to be active with 138 and 94 attacks respectively. It also seems that there exists a small but active hacking community here in Ireland. There were two unsuccessful attempts to hack the honeynet from IP addresses allocated to Irish Internet Service Providers. However, judging from the time of the attacks, 06:10 am and 02:45 am, there is a strong possibility that these particular hackers were merely using a previously compromised server in this country to launch the attacks, while actually being physically located in another country entirely, as is commonly the case.
In the September 2002 issue of ComputerScope we discussed the importance of ensuring that your organisation's mail server is protected and configured against the possibility of it being used as an open mail relay. Now we will take a closer look at how hackers can actually penetrate and compromise a system, and what kind of things they may do once they are in.
Recently, one of the servers in the honeynet alerted us to a probe that had originated from a computer in Russia. This probe was an attempt to determine the version of the SSH server that was running. SSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels, such as the Internet. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications.
There is an easily exploited bug in SSH programs, the only exception being the latest versions that have had the current patches and service packs installed. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.
Our Russian attacker's first step was to determine whether the version of SSH running on our system was in fact vulnerable to this bug. The probe simply asked the server which version of SSH it was running, and the server returned this information to the hacker. From that it was easily determined that our server was in fact (intentionally) vulnerable, and that any number of freely available tools could be used to give a remote attacker full control of the system.
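The probe described above leaves two things a defender can work with: the SSH banner itself, which states the protocol versions a server offers (the CRC32 compensation attack detector belongs to the SSH protocol 1 code, so a banner advertising 1.x or 1.99 is the one to worry about), and a log entry, because OpenSSH's sshd records "Did not receive identification string from ..." when a client reads the banner and disconnects without identifying itself. The following is an added example, not code from the honeynet project; the log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not taken from the honeynet).
# Three quick connect-and-drop hits from one address are typical of a
# banner probe; the "Accepted" line is a normal login for contrast.
SAMPLE_LOG = """\
Aug 14 02:45:01 honey sshd[1201]: Did not receive identification string from 203.0.113.7
Aug 14 02:45:01 honey sshd[1202]: Did not receive identification string from 203.0.113.7
Aug 14 02:45:02 honey sshd[1203]: Did not receive identification string from 203.0.113.7
Aug 14 03:10:44 honey sshd[1310]: Accepted password for admin from 198.51.100.20 port 40122 ssh2
Aug 14 03:12:09 honey sshd[1322]: Did not receive identification string from 198.51.100.20
"""

PROBE_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\d+\.\d+\.\d+\.\d+)"
)


def count_banner_probes(log_text):
    """Count connect-and-drop events per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = PROBE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def flag_probe_sources(log_text, threshold=2):
    """Return addresses that probed the banner at least `threshold` times."""
    return sorted(ip for ip, n in count_banner_probes(log_text).items() if n >= threshold)


def parse_ssh_banner(banner):
    """Split 'SSH-<proto>-<software> [comments]' into (proto, software)."""
    parts = banner.strip().split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        raise ValueError("not an SSH identification string: %r" % banner)
    software = parts[2].split(" ", 1)[0]
    return parts[1], software


def offers_protocol1(banner):
    """True when the server offers SSH protocol 1 ('1.x' or the '1.99' compatibility form)."""
    proto, _ = parse_ssh_banner(banner)
    return proto.startswith("1.")
```

Running `flag_probe_sources` over your own sshd logs gives a short list of addresses worth a closer look, and `offers_protocol1` over your inventory of banners tells you which servers still expose the protocol 1 code path.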
Shortly after the initial probe the attacker returned in full-scale attack mode. An attack was launched which did in fact give our attacker full control of the system. In other words, what somebody standing physically in front of the computer could do, the remote attacker could also do. A scary thought indeed for any organisation that understands the value of their information assets and takes information security seriously.
Once the hacker had gained control of the system a number of events took place. The first step our hacker took was to upgrade and patch the system. This may sound unusual at first, but the hacker was well aware that he was not alone in the shadier parts of cyberspace and was intent on ensuring that no one else could attack and compromise this particular system. The best way to avoid this is to ensure that the system is patched with the latest versions of the software and all the required service packs. This would make compromising the system extremely difficult for even the most sophisticated hacker.
So now that the system was safe from attack by other hackers, our attacker had to ensure easy access to the system in the future. A backdoor, or Trojan Horse, was installed on the system that only our attacker would be aware of. This would allow for an easy and, on any other system, undetected return at their leisure.
An IRC (Internet Relay Chat) server was also installed, presumably to offer our hacker a private place where they could communicate and swap files and hacking techniques with like-minded individuals. IRC is one of the most common ways in which hackers and blackhats will communicate on the Internet.
The final step was to remove all evidence that any breach or hack had actually occurred. The attacker ran scripts that deleted log files and cleared any trace that someone may have successfully compromised the system. It is most likely that unless an organisation is running sophisticated logging mechanisms, or some kind of Intrusion Detection or Prevention software, it may never know an incident has taken place. It was only due to the nature of the honeynet, where all activity is logged and captured in real time using the techniques mentioned above, that we were able to determine exactly what had happened and how.
What are the lessons learned? ‘Firstly, any system running outdated or un-patched software programs is running a huge risk of being identified by hackers and compromised. It is not a question of if, but when,’ says Colman Morrissey, managing director of Espion Limited.
‘Also, don’t assume that simply because you are running secure programs and protocols that you are safe from harm,’ says Gerry Fitzpatrick, Enterprise Risk Services partner at Deloitte & Touche. ‘Even the most secure applications have bugs and can be exploited and compromised over time,’ he continued.
A few tips:
- Have a risk assessment performed on your organisation’s information assets and determine where the threats and vulnerabilities lie.
- Perform regular vulnerability assessments, and perform security audits.
- Check with your program vendors for updates and service packs.
- Always ensure you have purchased maintenance that will entitle you to these updates.
- Never take security for granted. If you are running vulnerable systems on your network the chances are they will be discovered and they will be compromised. That is something no organisation can afford.
- Employ the right tools to monitor your security, and ensure you act on any threats and vulnerabilities identified.