Following on the heels of media reports of the terrorist attacks on Washington and New York, hackers on both sides of the Atlantic claimed to have breached the electronic security of Islamic sites and banks, and also organisations with supposed links to terrorist activity.
One of the most high profile targets was al-Shamal Islamic Bank in Sudan, which was infiltrated by YIHAT (Young Intelligent Hackers Against Terror), a group of European hackers which claimed to have extracted data of transactions between bin Laden’s al-Qaida network and the bank. Reprisals by pro-Taliban hackers ensued, leading to a determined effort by research groups and the US and UK governments to warn business to secure against retaliation hacks. To date, pro-bin Laden hackers have posted anti-US messages on worldtradeservices.com, a Californian e-business web portal, while the motto “Bin Laden vs. Bush: 1-0” was uploaded onto the Hungarian government website by hackers reacting against US sanctions on some Arab countries.
A recent advisory document from Gartner, After the Attacks: plan for new security measures, tells businesses to be on their guard. “Any military reprisals by the United States will inevitably lead to cyber attacks against US government, financial and political internet sites, as well as similar sites in countries seen as supporting the United States,” it says.
But there are many other groups of professional cyber-criminals, as well as amateur hackers with no political agenda, who are prepared to use military activity as cover for their sport. As Gartner says: “Most attacks come from hackers and activists using these events to disguise simple vandalism.”
The seriousness with which the US government is treating all cyber-crime is embodied in proposed amendments to the Anti-Terrorism Act (ATA) in which the Bush administration will elevate the status of all computer intrusion to a “federal terrorism offence”, carrying a penalty of life imprisonment.
Many in the US, particularly in the Democrat-controlled Senate, think the ATA amendments go too far. But even a compromise, the PATRIOT Act (Provide Appropriate Tools Required to Intercept and Obstruct Terrorism), passed by the US House of Representatives on 3 October 2001, cites the cyber-crime issue as a matter of national security.
PATRIOT narrows the definition of terrorist hacking to acts that are “calculated to influence or affect the conduct of government by intimidation or coercion; or retaliate against government conduct”. Nevertheless both PATRIOT and ATA would allow the government to conduct electronic surveillance against suspected cyber-terrorists, be they Afghan terrorists, disgruntled employees trying to damage a company’s reputation, or a teenage hacker (a “script kiddie”) larking around on the internet. The distinctions between cyber-terrorism, malicious hacking and simple tomfoolery have become blurred.
But legislation alone, no matter how hard-line and well enforced, will not wipe out hacking. All UK business websites are vulnerable. For online customer-facing companies, such as internet banks, retailers and anyone who values their corporate image, IT security should be a board-level priority.
Hacking is so easy that anyone can sit at a PC terminal with internet access, look up the address and location of your servers, locate and read files, create new files, deface websites, download data and even “kill” your machines. All this is accomplished by exploiting vulnerabilities and bugs in the software and hardware provided by your trusty, reliable software vendor. The only tools a hacker needs are an internet browser and some access software found on the internet.
Financial Director attended an exclusive live hack hosted by Integralis, a Buckinghamshire-based vendor of security solutions, to see for ourselves just how easy it is to crack into a typical company’s IT systems and bypass firewalls without administrators’ knowledge. We were astounded by the results.
“Even IT administrators are sometimes blissfully unaware of how vulnerable their company’s website and systems are,” says Tim Ecott, Integralis’ head of S3 security services. “Traditionally you stick in a firewall and think everything is OK. The purpose of our demonstrations is to show that it isn’t,” he says.
Ecott and his team travel the country setting up ‘ethical’ hacks that are demonstrated to server administrators and company directors. UK executives are usually apathetic about security, so extreme measures are required to educate them to the dangers of amateur and professional cyber-criminals.
Integralis often warns its customers months in advance of vulnerabilities that hackers might exploit, and of antidotes to forthcoming viruses such as the Code Red, Code Blue and Nimda worms causing havoc through the country at the moment.
“But a lot of them just don’t listen. They are ‘too busy’ to do anything about it. Some of our customers have been sorely hurt by security breaches, many of which could have been prevented,” says Ecott. In the end, breaking into a system is the only way security vendors can get the attention of the disinterested.
For the purpose of its ethical hacking, Integralis mocks up a typical web server and firewall configuration in a meeting room. In our case it used the latest Microsoft IIS server software running on an NT platform, connected to a state-of-the-art Nokia firewall box running Check Point FireWall-1 software. Ecott makes the point that the make of software and hardware used is irrelevant, because there is always a way to break in.
But for the purposes of its demonstrations, Integralis likes to show that even cutting edge IT is vulnerable.
The aim of the game is for Peter Philips, Integralis’ resident ethical hacker and bad guy for the day, to probe the web server, locate and retrieve some data, deface the website running on the server and, ultimately, crash the system.
Philips assumes nothing about the system he is attempting to infiltrate.
The only tools he uses are a standard web browser, his knowledge of the vulnerabilities in standard Windows applications, and a little bit of guesswork. “I don’t do anything special,” says Philips, “you can learn how to do this just by looking at guides on the internet.”
The basic premise of hacking rests on the fact that firewalls have a rule-base that either lets traffic through or rejects it. If a firewall is configured properly there should be few doors (or ports) open to the hacker. But a web server’s main function, which is to maintain a website, is also its vulnerability. Anyone trying to infiltrate a web server through http (hypertext transfer protocol), the language through which you navigate the web, will get through because the http port has to be open. Without http access there is no website.
Once through the firewall the hacker pokes around until they find something interesting to download, deface or destroy. The trick for business is to make sure sensitive information isn’t kept on the server or is hard to locate.
Philips begins his hack innocuously, by looking up the IP (internet protocol) address of the target system. This is simple, as every IP address is registered in directories that are easily available online. Once located, Philips then sends a ‘ping’ (packet internet gopher) to test what is at the specified IP address. This is basically an electronic request to the server asking it to identify itself. It is rather like a submarine using sonar to detect objects in the water. The route the packet takes can then be traced, and a list of the machines between the hacker and the target server – including one called ‘fw-out’ – is delivered to Philips’ PC.
“This is typical of most companies’ systems,” says Ecott. “Administrators give systems names that mean something, in this case the administrator knows that ‘fw’ stands for firewall. Unfortunately, the hacker can also guess what it means, and so knows exactly what is in his way.” Assigning critical databases a name such as “customer bank details”, for example, should be avoided at all costs.
After he has run a small program to ascertain what ports are open on the system and what services are running on the host, Philips is ready.
In this case he discovers that there is a firewall and that the only open port is an http port. At this point he has a target web server, he knows of the existence of a firewall and he has a means of entry – all in about fifteen minutes, without the administrator’s knowledge.
All that remains for Philips is to find out the make of server so he can choose the right bugs to interrogate the system. Another tool downloaded from the internet does the job for him, and a couple of one-line commands later Philips receives an electronic message confirming the existence of the Microsoft IIS 4.0 web server software. As 90% of Microsoft servers run on NT he knows the platform, too.
“At this point I usually ask our audience if they think this should be possible,” says Ecott. “Most say it should be impossible for a hacker to get this far into their systems. But the reality is that you can do this to most servers.”
Because the hacker hasn’t actually infiltrated the system and altered any data his actions are not legally designated as a serious hack, even though unauthorised access alone can carry a six-month prison sentence in the UK. Intent and malice are the key determinants of serious hacking offences under current legislation. This is where Philips makes his next move. He begins to stray into dangerous territory when he starts to locate specific files on the server. After the customary ‘don’t try this at home’ warning from Ecott, Philips uses bugs in Microsoft applications to locate and view individual files and databases.
Bugs like IDQ and Showcode are well known and readily employed by hackers.
In brief, the former is a glitch which means that Microsoft applications cannot read files ending in .idq. Therefore, if you use a browser to enter a URL (universal resource locator) or web address incorporating an IDQ script targeted at the host, an error message will pop up on your browser that details the exact location of files used to maintain the website.
Showcode is a tutorial designed to show administrators how to write ASP scripts, which facilitate interactivity with web servers. If left on the server, Showcode can be used by hackers to view the contents of any system file. From here, the hacker can select data of interest and the hack can begin in earnest.
The most popular way to extract or deface information on an IIS server is by using the Unicode bug – the number-one Windows nasty according to a recent FBI Top Twenty of internet vulnerabilities (see box, right).
Put simply, Unicode is a problem that IIS servers have in interpreting the international standard for representing foreign languages and symbols in web addresses. And, if cunningly employed in a URL, the server creates an error message and offers the hacker a complete download of a directory listing all files on the target system – in effect the hacker is handed a detailed map of all the data on the server.
A hacker is then able to download files at his leisure, siphon off sensitive data and any available bank account and credit card details. He may also want to upload rogue files that will corrupt and deface web pages, or run ‘denial of service’ scripts which overload systems and bring e-commerce services to a standstill. Often, this action is interpreted as a simple system crash and hackers are able to knock over systems repeatedly until IT departments get wind that a third party is involved.
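The three bugs described above (IDQ probes, the Showcode sample script and Unicode-encoded traversal) all leave a recognisable trace in the web server’s request log. The following is an added example, not code from the article or from Integralis, that scans constructed IIS-style log lines for those traces; it also shows why the Unicode bug worked, by decoding the overlong two-byte form %c0%af the way the vulnerable server did (to ‘/’) before checking whether the path escapes the web root. The log format, file paths and IP addresses are assumed for the example.

```python
import re

# Constructed IIS-style log lines (date time client method uri status); not from the article's demo.
SAMPLE_LOG = """\
2001-10-15 09:12:01 10.0.0.5 GET /index.htm 200
2001-10-15 09:12:09 10.0.0.5 GET /scripts/..%c0%af../winnt/ 200
2001-10-15 09:13:44 10.0.0.5 GET /default.idq 200
2001-10-15 09:14:02 10.0.0.5 GET /samples/showcode.asp 200
2001-10-15 09:15:10 10.0.0.7 GET /products/list.asp 200
"""
PCT = re.compile(r"%([0-9a-fA-F]{2})")
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
SAMPLE_SCRIPTS = ("showcode.asp",)  # tutorial scripts that should not be on a production server

def lenient_decode(uri):
    """Decode %XX escapes, then accept overlong two-byte UTF-8 forms the way the buggy
    server did: %c0%af becomes '/' and %c1%9c becomes '\\'. A strict UTF-8 decoder
    rejects these forms. Returns (decoded_path, overlong_seen)."""
    s = PCT.sub(lambda m: chr(int(m.group(1), 16)), uri)
    out, i, overlong = [], 0, False
    while i < len(s):
        c = ord(s[i])
        if c in (0xC0, 0xC1) and i + 1 < len(s) and 0x80 <= ord(s[i + 1]) <= 0xBF:
            out.append(chr(((c & 0x1F) << 6) | (ord(s[i + 1]) & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out), overlong

def escapes_web_root(path):
    """True if '..' segments climb above the web root. Checked on the DECODED path:
    the original IIS check ran on the raw URL, where '..%c0%af..' did not look like '../..'."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def classify(uri):
    """Return the reasons a request looks like one of the probes described in the article."""
    decoded, overlong = lenient_decode(uri)
    path = decoded.split("?", 1)[0].lower()
    reasons = ["overlong-utf8"] if overlong else []
    if escapes_web_root(path):
        reasons.append("traversal")
    if path.endswith(".idq"):
        reasons.append("idq-probe")
    if path.rsplit("/", 1)[-1] in SAMPLE_SCRIPTS:
        reasons.append("sample-script")
    return reasons

def scan_log(text):
    """Return (client_ip, uri, reasons) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            _, client, _, uri, _ = m.groups()
            reasons = classify(uri)
            if reasons:
                hits.append((client, uri, reasons))
    return hits
```

Running scan_log over the constructed log flags three requests from 10.0.0.5 and none from 10.0.0.7; the same logic belongs on the server side as a reject rule, since logging alone only tells you afterwards.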
No business is safe from attempted hacks. Integralis is pinged at least ten times a day by hackers around the globe, and it faces a continual battle to make its servers as difficult to hack as possible. Large organisations may find themselves probed hundreds of times a day.
In the UK, the Data Protection Act is another reason to review security measures. The deadline to comply with the act fell on 24 October this year. Any unauthorised extraction of customer information from databases and web servers now constitutes a breach of the act.
Eduardo Ustaran, a solicitor at law firm Berwin Leighton Paisner, offers some data protection advice to companies. “There are eight principles that make up the Data Protection Act 1998. The seventh of these is security of data. The act is a bit woolly in this area, but does state that appropriate ‘technical and organisational’ measures must be taken by businesses to protect data held electronically,” he says. “Although the act doesn’t say exactly what you should do, and as there is no case law to refer to, FDs should bear in mind that company information is always a target. Different threats appear every week so you need to implement flexible security measures.”
UK business are going to find themselves increasingly the target of hackers around the world, and FDs should heed the call to arms. Just ask Powergen, Microsoft, McDonald’s, the Hungarian government or any other organisation which is a recent victim of cyber-crime. This is one war that won’t be ending soon.
- The hacking techniques described in this article should under no circumstances be used for unauthorised access to IT systems. Cyber-crime carries heavy penalties in the UK under the Computer Misuse Act 1990 of up to five years in prison and an unlimited fine.
FBI’s MOST WANTED
In October this year, the FBI added another list to its portfolio of ‘Most Wanted’. The Top Twenty Most Critical Internet Security Vulnerabilities was compiled with the help of SANS (the System Administration, Networking and Security Institute). It details the vulnerabilities in IT systems most frequently exploited by hackers.
Below, we list the seven general security vulnerabilities highlighted by the FBI. For descriptions of specific Windows and Unix vulnerabilities, their impact and preventative measures, visit www.sans.org/top20.htm.
Default installations of operating systems and applications
Default settings speed up installation times, but they mean that you install many software components that you do not use. Often, these contain additional vulnerabilities.
No or weak password protection
User IDs are quite easy to acquire. So if staff passwords are easy to guess you are open to attack. Default accounts and systems without password protection should be avoided.
Incomplete and non-existent backups
Disaster recovery requires backups, but companies often fail both to keep track of the number of backups held and to protect them in the same way as master data.
Large number of open ports
On a web server the http port is always open, but many servers are configured badly, so many other ports are also open to traffic. This gives the hacker several more options for entry. Close them.
Inefficient filtering of data packets
Hackers often ping hundreds of websites using a spoofed IP address to hide their tracks. If one of them borrows your IP address, then your system may become overloaded with return messages, often resulting in denial of service. Traffic filters reduce this problem, but they still don’t prove that you weren’t the hacker.
Incomplete or non-existent logging
New vulnerabilities appear every week and so are difficult to defend against. But unless you use logs you will never know that your systems have been penetrated and so will be unable to locate vulnerabilities and prevent further attacks.
Common gateway interface (CGI) programs
CGI programs provide interactivity with websites, but they are also one of the easiest means by which hackers can access your web server and deface your website. A CGI vulnerability scanner can be found at www.wiretrip.net/rfp.