Hacking is all about finding a way onto a computer you are not authorized for and either taking something, changing something or removing something. What happens depends on who is doing it and why. Most “hacks” aren’t really hacks of course. Most of the things we hear of are malware or DDoS attacks.

Malware is someone making a program or script/macro that does something nasty to your computer. Most of these are some type of Trojan horse, and to get them onto your computer the attackers mostly use social engineering. DDoS attacks are mostly external attacks that just use up the bandwidth of a system so it can’t communicate, or tie it up so badly it crashes. We are not talking about those for this post but “real” hacks, where an attacker is trying to get into your system to do something they shouldn’t. (I’m rambling today, sorry.)

Generally this involves your computer running some type of server software and sharing something like a web page or files, and it’s the vulnerabilities in these servers that the attacker is targeting. If you have a service that people can log into, this is where they will attack. They want to get some type of access, then escalate that access to the point where they can just go through the whole computer.

The majority of attacks are by “script kiddies” or organised crime who don’t have their own knowledge of how to attack and break into a computer. They get scripts from on-line chat boards or buy them from someone who makes them up for people. These background hackers usually don’t do their own attacks but have a bunch of computers they use to develop techniques and make the scripts up for others to buy and try.

A very small number of uber hackers do some hacking on their own. You will never hear about these. Other good hackers will form groups and spread their knowledge to the group members and then groups like LULZSec are formed. In other cases a hacker will set up their own network, and a group to teach hacking not for malicious purposes but to educate users and build up a team of security experts for, um, something to do. (We never let anything out of our own network.)

So if they want to get into your system they can use all types of attack “vectors”. For example, if you have a web page with a login and your application uses a database, the first thing the attacker will do is see if an SQL injection will work (little Bobby Tables…). If you are encoding all input, or escaping it as some people call it, then this won’t work. Or if you use canned (parameterized) queries then the SQL will also resist injection.
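To make the Bobby Tables point concrete, here is an added example (my code, not the post’s) showing a login check done by string concatenation beside the same check as a canned, parameterized query. It runs against an in-memory SQLite table built in the script; the table, the user and the password are constructed for the demo, and the password is stored in the clear only to keep the injection comparison short.

```python
# Added example, not from the original post: the vulnerable login query and
# the parameterized ("canned") one, side by side, against a throwaway SQLite
# database so the script runs offline.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user. Plain-text password for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is pasted straight into the SQL text, so a quote in the input
    # changes the structure of the query instead of just its data.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The canned query: SQL text is fixed, values travel separately through the
    # driver, so whatever the input contains it can only ever be compared as data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def looks_like_injection(value: str) -> bool:
    # The post also suggests checking inputs for injection-looking strings.
    # Treat this as defense in depth only: a blocklist can always miss a
    # variant, so parameterization stays the real fix.
    markers = ("'", "--", ";", "/*", " or ", " union ")
    lowered = value.lower()
    return any(m in lowered for m in markers)


if __name__ == "__main__":
    db = make_db()
    normal = ("alice", "hunter2")
    bypass = ("alice", "' OR '1'='1")   # the textbook tautology input
    print("normal login, concatenated:  ", login_vulnerable(db, *normal))
    print("bypass input, concatenated:  ", login_vulnerable(db, *bypass))
    print("bypass input, parameterized: ", login_parameterized(db, *bypass))
    print("filter flags bypass input:   ", looks_like_injection(bypass[1]))
```

Run it and the concatenated version accepts the bypass input while the parameterized one rejects it; the string filter catches this one but is there to back up the parameterized query, not replace it.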

Next they try breaking passwords. A lot of people use simple passwords that can easily be guessed, and they tend to use them everywhere. So enforcing strong passwords, or making your users use long passwords of 14 or more characters, will also make this hard. Passwords should also have 4 of the following 5 types of characters in them: numbers, symbols, punctuation, lowercase characters and uppercase characters. And no, symbols and punctuation are not the same.

If they can get access to your computer through a low privilege account that still lets them read your password file, they will take it and, on their own computer at their leisure, run a password cracker tool on it.

Or if they can get into your database and your passwords are stored there, they had better be encrypted, otherwise the attackers now have your passwords. Even if encrypted, with enough time they can run dictionaries and randomly generated passwords against the encrypted passwords and crack them that way. Encryption is good, but without strong and long passwords it can be easily broken. (Even then, if the attackers use a cluster or rent time on one it will be broken.)
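The three paragraphs above come down to two things you can put in code: check the length and character-class rule at signup, and store what ends up in the password table as something that has to be cracked one guess at a time. Here is an added example of both (mine, not from the post). The post says “encrypted”; the usual way to do this is a salted one-way hash with a deliberately slow function, which is what is used here (PBKDF2 from the standard library). The post does not define which characters are symbols versus punctuation, so the split below and the iteration count are my assumptions.

```python
# Added example, not the post's code: the post's password policy plus salted,
# slow one-way hashing so a stolen password table still has to be cracked.
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 14             # the post's "14 or more characters"
REQUIRED_CLASSES = 4        # "4 of the following 5 types"
PBKDF2_ITERATIONS = 200_000 # assumption: slow enough to hurt a cracker, fine for a login

# Assumption: the post only says symbols and punctuation are not the same, so
# sentence punctuation goes in one class and the remaining printable marks in the other.
PUNCTUATION = set(".,;:!?'\"()[]{}-")
SYMBOLS = set(string.punctuation) - PUNCTUATION


def character_classes(password: str) -> set:
    """Return which of the five classes (number, lower, upper, punctuation, symbol) appear."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("number")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def password_ok(password: str) -> bool:
    """The post's rule: long enough and at least 4 of the 5 classes."""
    return (len(password) >= MIN_LENGTH and
            len(character_classes(password)) >= REQUIRED_CLASSES)


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt and cost are stored with the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple", "S3cure!Passphrase#2024"):
        print(f"{candidate!r}: ok={password_ok(candidate)} classes={sorted(character_classes(candidate))}")
    record = hash_password("S3cure!Passphrase#2024")
    print("stored:", record)
    print("verify right password:", verify_password("S3cure!Passphrase#2024", record))
    print("verify wrong password:", verify_password("S3cure!Passphrase#2025", record))
```

The salt means two users with the same password get different stored values, so a cracker cannot attack the whole table with one pass, and the iteration count is what makes each guess cost something; the post’s point that a rented cluster will still get through weak passwords stands, which is why the length rule is checked first.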

And if you are using a Windows computer use passwords at least 15 characters long, because short passwords are not encrypted the same way as long ones on Windows. For backward compatibility they use the old 8 char encryption that legacy Windows uses, and it is reversible with a known encryption scheme for which there are freely available password crackers. I haven’t confirmed this on Windows 7 yet, but assume it’s true until told otherwise.

If you are using a web server on Linux, install SELinux. SELinux lets you set which files servers can deliver to users, which files are readable for configuration only, and that they can’t see any other files. What this does is that your password files and security files like .htaccess cannot be seen by a user on the web. Even if they compromise the server they can’t see them; all they can do is see the HTML files and maybe deface the system. If the HTML files are read-only for Apache then they can’t even deface the system.

There is no Windows equivalent of this.

And with your web server you should set it up to only allow encrypted access. All access, both internal and external, for all services should only allow encrypted access. It’s easy and painless. Unless all you host is stuff that you don’t care who reads, then encrypt it. And encrypt it even then anyway; just get into the habit.

Other servers that could be compromised are file sharing servers such as ftp and Windows shares. Yes, if you have shares on your system they are there to exploit. So if you have your laptop at home and share files with your kids, shut sharing off when not at home or the office. Put on a good firewall that can detect that it’s not on a safe LAN and it will shut your shares off for you. Otherwise you are asking for trouble.

How can you tell? Well, if you have two computers, or know a friend who has a Linux system, use one to scan the other with nmap. nmap will try to access every port number; depending on the version and your settings, either just up to 5400 or so or higher, or a range, or just the common ports. For instance:

Interesting ports on 192.168.0.101:
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
990/tcp  open  ftps
2869/tcp open  unknown
8081/tcp open  blackice-icecap

This is typical for a Windows XP box, but if you have your firewall enabled you get a message: are you sure that computer is on? On my Linux box with iptables running it doesn’t even ping, but that doesn’t mean that the attacker can’t tell it’s there. By using parameters on nmap such as -PN it assumes the system is there and does all of the tests anyway. A system will give itself away if it gets the right question on the right port. Every system has to respond to the router when it asks “are you there”; otherwise it may give another computer the target’s IP address, for instance.
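Once you have scan output like the listing above, the useful defender’s step is to turn it into a short list of what should not be exposed off a safe LAN. Here is an added example (my script, not the post’s) that parses the post’s own nmap listing, copied inline so it runs offline, and flags the Windows sharing and ftp ports the post warns about. The port-to-reason table is my own assumption about what to flag, not anything nmap reports.

```python
# Added example, not from the original post: parse normal-format nmap output
# and flag the open ports that expose file sharing or ftp.
import re
from collections import namedtuple

Port = namedtuple("Port", "number proto state service")

# The scan output as shown in the post, embedded so the script runs offline.
SAMPLE_SCAN = """\
Interesting ports on 192.168.0.101:
Not shown: 994 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
990/tcp  open  ftps
2869/tcp open  unknown
8081/tcp open  blackice-icecap
"""

# Assumption: this table is mine. It covers the services the post talks about
# (Windows shares, ftp); extend it for whatever else you never want exposed.
SHARING_PORTS = {
    21: "ftp (clear-text file transfer)",
    135: "msrpc (Windows RPC endpoint mapper)",
    139: "netbios-ssn (Windows file/printer sharing)",
    445: "microsoft-ds (SMB file sharing)",
    990: "ftps (ftp server reachable from the network)",
}

# One nmap port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_nmap(text: str) -> list:
    """Return a Port for every port line in normal nmap output; skip the rest."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def flag_sharing(ports: list) -> dict:
    """Map each open port on the sharing list to the reason it is flagged."""
    return {p.number: SHARING_PORTS[p.number]
            for p in ports if p.state == "open" and p.number in SHARING_PORTS}


if __name__ == "__main__":
    found = parse_nmap(SAMPLE_SCAN)
    print(f"{len(found)} port lines parsed")
    for number, why in sorted(flag_sharing(found).items()):
        print(f"  port {number} open: {why}")
```

On the post’s listing this flags 135, 139, 445 and 990, which is exactly the “shares and ftp” exposure the post says to shut off when the laptop leaves home; 2869 and 8081 are left alone because the table does not claim to know what they are.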

After confirming the computer is there, then it’s exploit time. If there is a web server there, does it have any way to allow you to upload a script to it and run the script? Can the script be made to allow you to get passwords or other files? Can you download them and look at them offline? Can you add a user, or change the root user password? Can you upload a file and replace the home page?

FTP servers are more fun as they allow you a small console and, if not configured properly, access to the whole system. SSH allows remote users to log in and access/maintain the system remotely. If you can get an SSH account compromised you may be able to search through the whole system. And again you can get password files and crack them off-line. Depending on the versions of these servers there are known exploits that allow you to either shut them down by crashing them or let you log in and escalate privileges. Once in, you can become root, and rooting a system is the best way to get at everything on it or use it as a stepping stone into other servers and the target network.

So to guard against this what do you need to do? First, set up your system as securely as you can while still allowing it to function. Encrypt all passwords for everything and make sure passwords are long and strong. Install and maintain a firewall. Set up SELinux!

Don’t use ftp; use secure ftp or scp for copying files. Don’t keep files that need to be secure on the filesystem, but instead encrypted in a database. Use escaping for all user inputs, check them for strings indicating an SQL injection, and only use canned SQL queries.

Patch everything as soon as there is a patch ready and keep your system secure. Use a good firewall and antivirus. Do not allow root to log in; only let root be used via su and sudo. Read your logs, use intrusion detection and something like sane. Learn how to hack and hack your own systems. Keep your hacking and programming skills up to date. Peer review your settings and changes. Check with on-line security forums and agencies like CERT. Don’t piss off any hacker groups. (rule 88) Don’t attack Wikileaks. (rule pi) Don’t be a Sony. (Rule 16)

Never use the same password all over. Do your internet banking at the teller window. :-p
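“Read your logs” and “do not allow root to log in” are the two items in the list above that are easiest to check automatically, so here is an added example (mine, not the post’s) that does both against a handful of sshd lines in the usual Linux auth.log format. The log lines, host name and addresses are constructed for the demo (documentation-range IPs), and the failure threshold is my assumption.

```python
# Added example, not from the original post: count failed SSH logins per
# source address and flag any accepted login as root.
import re
from collections import Counter

# Constructed sample auth.log lines; "web1" and the addresses are made up.
SAMPLE_LOG = """\
Mar  3 02:11:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:03 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 02:11:06 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2
Mar  3 02:11:09 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 02:15:40 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 02:15:52 web1 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Mar  3 02:20:00 web1 sshd[2350]: Accepted password for root from 192.0.2.9 port 2222 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the box.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

THRESHOLD = 5   # assumption: this many failures from one address is worth a look


def failed_logins_by_source(log: str) -> Counter:
    """Number of 'Failed password' lines per source address."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_sources(log: str, threshold: int = THRESHOLD) -> list:
    """Source addresses at or above the failure threshold, busiest first."""
    counts = failed_logins_by_source(log)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def root_logins(log: str) -> list:
    """(auth method, source address) for every accepted login as root."""
    hits = []
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) == "root":
            hits.append((m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    failures = failed_logins_by_source(SAMPLE_LOG)
    for ip in brute_force_sources(SAMPLE_LOG):
        print(f"possible password guessing from {ip}: {failures[ip]} failures")
    for method, ip in root_logins(SAMPLE_LOG):
        # Direct root login means "do not allow root to login" is not enforced
        # (on OpenSSH that is the PermitRootLogin setting in sshd_config).
        print(f"root logged in via {method} from {ip}")
```

The first lookup is the pattern the post describes, someone trying guessed passwords against whatever accounts they can name; alice’s single failure followed by a key login is normal use and stays under the threshold. The second lookup is a policy check, not an attack signal: any accepted root login at all means the server still lets root in.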

If you can do all that you will probably be safe, probably 🙂 Be safe out there.


About echlinm

Computer Programmer/Systems Analyst/Hacker S31
This entry was posted in Computers and Internet, Fun, hackers, Programming, Security.

One Response

  1. Pingback: What is a “Hack”? | Borg or No (S31)
