Introduction to Computer Security and Information Assurance
Lesson Objectives
• Understand Hacking
• Recognize the mentality of the Hacker
• Recognize common hacker methodologies
• Learn about some example cyber war stories
DRAFT - Lesson 3
Why Study “The Hacker”?
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
- Sun Tzu, “On the Art of War”
Why Study “The Hacker”?
2008 FBI/CSI Cyber Crime Survey
Companies Experiencing Computer Security Incidents
20 Year Trend
[Chart: relative technical complexity of intrusion techniques versus the skill of the average intruder, 1980–1995. Techniques shown, in the order they appear: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers / sweepers, stealth diagnostics, packet forging / spoofing, GUI hacking tools. Source: GAO Report to Congress, 1996, via Divinci Group]
And a bit more recently
[Chart: relative technical complexity of attack tools versus the “kiddie scripter”, 1998–2001. Items shown: Windows remote control, Stacheldraht, Trinoo, Melissa, PrettyPark, “?”, DDoS, insertion tools, hacking tools]
Who are they?
[Chart: attacker (“author”) motives, from curiosity through personal fame and personal gain to national interest, plotted against knowledge level (script-kiddy, undergraduate, expert, specialist), with the attacker types vandal, thief, spy and trespasser. Source: Microsoft and Accenture, via Divinci Group]
Taxonomy of Hackers
• Novice – Least experienced; focused on mischief
• Student – Bright, bored, and looking for something other than homework
• Tourist – Hacks out of a sense of adventure and a need to test themselves
• Crasher – Destructive; intentionally damages IS systems
• Thief – Rarest of hackers; profits from their activities, and the most professional
Landreth, 1985
Types of Hackers
• White Hats
– Good guys, ethical hackers
• Black Hats
– Bad guys, malicious hackers
• Gray Hats
– Good or bad hacker; depends on the situation
Hacker Tendencies
• Invests significant amounts of time studying documentation, giving special attention to the border cases of standards
• Insists on understanding and implementing the underlying API, often confirming documentation claims
• Second-guesses the implementer’s logic
• Insists on tools for examining the full state of the system across interface layers, and for modifying those states while bypassing the standard development API
Why these tendencies?
Bratus, 2008
Economics of Insecure Hardware/Software
Why these tendencies?
Economics of Insecure Hardware/Software
Pressures on developers:
• Developers under pressure to ‘make it work’
• Developers ‘trained’ away from exploring underlying APIs
• Developers directed to ignore specific problems as the responsibility of others
• Developers must comply with a lack of tools to explore outside their system
What these pressures force:
• Forces cutting of corners
• Forces lack of understanding of their choices
• Forces developer’s lack of concern for a valid solution
OPPORTUNITY!!!!
Phases of Ethical Hacking
Basic Hacker Methodology
Information Gathering / Fingerprinting
• Gathering information about the targeted network’s addressing scheme prior to launching the attack
– IP addressing
– Domain names
– Network protocols
– Activated services
Scanning/Probing
• Using automated tools to scan a system for computers advertising application services
• Look for potential targets with possible vulnerabilities
• Look for targets running specific operating systems
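From the defender’s side, the scanning phase described above is also the first activity worth detecting. The following Python script is an added example, not part of the original slides: it parses a small set of constructed firewall log lines (the log format, the addresses, the window and the threshold are all assumptions made for the example) and flags any source address that touches an unusually large number of distinct host/port targets within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one event per line,
# "<ISO timestamp> <action> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def detect_port_scans(lines, window_seconds=60, min_targets=10):
    """Return {source_ip: largest number of distinct (dst, dport) pairs seen in
    any window} for every source that reaches min_targets within the window.

    A scanner touches many distinct host/port pairs in a short time; ordinary
    clients hit a few well-known ports repeatedly. The window and threshold are
    tuning assumptions for this example, not values from the lecture.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits within `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {(e["dst"], e["dport"]) for e in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


# Constructed sample log: 10.0.0.5 sweeps ports 21-32 on one host within 22
# seconds (a vertical scan); 10.0.0.9 is an ordinary client using port 443.
SAMPLE_LOG = [
    f"2009-03-31T10:00:{2 * i:02d} DROP src=10.0.0.5 dst=192.168.1.10 dport={21 + i} proto=tcp"
    for i in range(12)
] + [
    "2009-03-31T10:00:05 ALLOW src=10.0.0.9 dst=192.168.1.20 dport=443 proto=tcp",
    "2009-03-31T10:00:09 ALLOW src=10.0.0.9 dst=192.168.1.20 dport=443 proto=tcp",
    "2009-03-31T10:00:40 ALLOW src=10.0.0.9 dst=192.168.1.20 dport=443 proto=tcp",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {count} distinct host/port targets in 60s")
```

The threshold counts distinct (host, port) pairs rather than raw packets, so a single noisy client retrying one service does not trigger it, while a sweep across many ports on one host or one port across many hosts does.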
Gaining Access
• Target Specific Vulnerabilities:
– Operating System
– Network Devices
– Software Applications
• Malicious Code
– Delivered via E-mail
• Social Engineering
Elevating Privilege
• Why Elevate privileges?
– Access User Account
– Access Super User
– Install Backdoors
• Password Crackers!
Exploiting
• Use the victim to launch attacks against others
• Steal sensitive information
• Crash systems
• Deface web servers
Installing Back Doors
• Add user accounts that look ‘normal’
• Open ports
– Allow access to system services or provide command-shell access
• Cover tracks to prevent detection
• Move malicious code into a legitimate program
– Trojan.exe -> notepad
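Each back-door technique listed above leaves a difference from a known-good baseline, which is what a defender checks for. The following Python script is an added example, not code from the original lecture: it compares a constructed snapshot of user accounts, listening ports and program file contents against a constructed baseline (all account names, ports, paths and file contents are stand-ins assumed for the example) and reports the new account, the new listener and the replaced program.

```python
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of a file's bytes; the baseline stores only these digests."""
    return hashlib.sha256(data).hexdigest()


def build_file_baseline(files):
    """files: {path: bytes} -> {path: sha256 hex}. Run once on a known-good system."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_files(baseline, current_files):
    """Compare a current {path: bytes} snapshot against the stored digests."""
    current = build_file_baseline(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def diff_sets(baseline, current):
    """Generic set diff, used for both user accounts and listening ports."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def audit(baseline, snapshot):
    """baseline: {"users": set, "ports": set, "files": {path: digest}}
    snapshot: {"users": set, "ports": set, "files": {path: bytes}}
    Returns the per-category differences plus an overall 'suspicious' flag."""
    findings = {
        "users": diff_sets(baseline["users"], snapshot["users"]),
        "ports": diff_sets(baseline["ports"], snapshot["ports"]),
        "files": diff_files(baseline["files"], snapshot["files"]),
    }
    findings["suspicious"] = bool(
        findings["users"]["added"]
        or findings["ports"]["added"]
        or findings["files"]["modified"]
        or findings["files"]["unexpected"]
    )
    return findings


# Constructed known-good state (file contents are stand-ins, not real binaries).
GOOD_FILES = {
    "C:\\Windows\\notepad.exe": b"MZ\x90\x00 legitimate notepad stand-in",
    "C:\\Windows\\calc.exe": b"MZ\x90\x00 legitimate calc stand-in",
}
BASELINE = {
    "users": {"Administrator", "alice", "bob"},
    "ports": {80, 443, 3389},
    "files": build_file_baseline(GOOD_FILES),
}

# Constructed snapshot after a hypothetical intrusion: an extra account chosen to
# look routine, a new listener, and notepad.exe replaced by a stand-in trojan.
SNAPSHOT = {
    "users": {"Administrator", "alice", "bob", "svc_backup"},
    "ports": {80, 443, 3389, 4444},
    "files": {
        "C:\\Windows\\notepad.exe": b"MZ\x90\x00 stand-in trojan contents",
        "C:\\Windows\\calc.exe": GOOD_FILES["C:\\Windows\\calc.exe"],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(BASELINE, SNAPSHOT), indent=2))
```

The baseline must be captured and stored off the monitored host, since an intruder who can replace notepad.exe can also rewrite a digest list kept beside it.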
Chinese Hacker Methodology
And So…
• Need to know how different hackers operate and what their motives are
• Need to learn how attacks work so we can defend well
• Need to mitigate vulnerabilities
• Need to stay one step ahead of the attack to reduce damage
• Best case scenario:
– let in the people who should be in
– keep everyone else out!!
Cyberwar Stories
GhostNet
• 10-month cyber-espionage investigation
– 1,295 computers in 103 countries, belonging to international institutions, were spied on
– Sensitive documents were stolen, and the attackers had the ability to completely control infected computers
– Used rootkits, keyloggers, backdoors and social engineering
– The operation began in 2004
– Evidence that China was behind it
Dalai Lama
• One target was the Office of His Holiness the Dalai Lama (OHHDL)
– Sensitive documents stolen
– Malicious emails sent to Tibet-affiliated organizations
– The investigation into GhostNet began when OHHDL suspected malware and contacted the Munk Center for International Studies
Unique Aspects
• In addition to stealing documents, GhostNet had other capabilities
– Reportedly could turn on the webcam and audio-recording functions of an infected computer
– Essentially turned an infected computer into a large “bug” for spying on the office
• Used a “control panel”, reachable by a standard web browser, to manipulate the computers it had infected
So how did they detect it?
• A researcher at the Munk Center noticed an odd string of 22 characters embedded in files created by the malicious software
• Googled it
• This led him to a web site in China
• Directed the malware to infect a system in their lab and watched the commands it received
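The detection story above rests on two steps a defender can automate: carve the printable strings out of files the malware created so that an unusual fixed token stands out, and, once that token is treated as an indicator, search other files for it. The following Python script is an added example, not from the original slides or from the GhostNet investigation; the indicator value, the file names and the file contents are placeholders constructed for the example (the real 22-character string is not given on the page).

```python
import re
import string

# Bytes treated as "printable" when carving strings (space kept, other whitespace dropped).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data, min_len=8):
    """Carve runs of at least min_len printable ASCII bytes, like the `strings`
    utility; a fixed token that recurs in malware output shows up here."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def hunt(files, min_len=22):
    """Carve candidate strings of the suspicious length from every file and
    report which files share each candidate, so a token that recurs across
    malware-created files can be promoted to an indicator."""
    candidates = {}
    for path, data in files.items():
        for s in extract_strings(data, min_len):
            candidates.setdefault(s, set()).add(path)
    return {s: sorted(paths) for s, paths in candidates.items()}


def find_indicator(files, indicator):
    """Return {path: [byte offsets]} for every file containing the indicator bytes."""
    pattern = re.compile(re.escape(indicator))
    hits = {}
    for path, data in files.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[path] = offsets
    return hits


# Constructed placeholder indicator: 22 printable characters standing in for the
# real string from the investigation, which the slides do not give.
INDICATOR = b"PLACEHOLDER_MARKER_22C"
assert len(INDICATOR) == 22

# Constructed sample files: two files written by the same hypothetical malware
# and one benign document that should not match.
SAMPLE_FILES = {
    "C:\\Temp\\dropped.dat": b"\x00\x00MZ\x90\x90" + INDICATOR + b"\x00\x00hello.txt\x00",
    "C:\\Temp\\update.log": b"log start\n" + INDICATOR + b"\n\x00",
    "C:\\Users\\alice\\report.doc": b"Quarterly budget report for the committee\x00\x00",
}

if __name__ == "__main__":
    for token, paths in hunt(SAMPLE_FILES).items():
        print(f"{token!r} appears in {len(paths)} file(s): {paths}")
    print("indicator hits:", find_indicator(SAMPLE_FILES, INDICATOR))
```

On real data the length filter alone produces many benign candidates (the report text here is one), so the useful signal is a token that recurs across files the malware wrote and nowhere else; that is the candidate worth looking up, as the researcher did.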
And, of course
China Denies Any Role in 'GhostNet' Computer Hacking
Beijing, 31 March 2009
Beijing officials deny any involvement in the electronic spy ring dubbed "GhostNet," which has infiltrated more than 1,000 computers around the world and has been linked to computers in China.
Foreign Ministry spokesman Qin Gang rejected allegations of a link between the Chinese government and a vast computer spying network. He said in Beijing on Tuesday that the accusation comes from people outside China who, "are bent on fabricating lies of so-called Chinese computer spies."
Lesson Summary Key Points
• Hacking is illegal (most of the time)
– Understand the laws
– Port Scanning can be considered illegal
• Post 9/11 can be act of terrorism
Remember that statistics can be affected by non-truthful answers. Companies lie because no one wants to look like they are vulnerable. This may contribute to the “don’t know” increase.
Expert is only curious if a tool or exploit will work. Not interested in malicious activity.
Point one: border cases are open to interpretation.
Money drives the cycle. Want to spend the least money while getting the best profits. (Increase net).
GhostNet (simplified Chinese: 幽灵网; traditional Chinese: 幽靈網; pinyin: YōuLíngWǎng) is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying[1][2] operation discovered in March 2009. The operation is likely associated with an Advanced Persistent Threat. Its command and control infrastructure is based mainly in the People's Republic of China and has infiltrated high-value political, economic and media locations[3] in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, and the Dalai Lama's Tibetan exile centers in India, London and New York City were compromised. Although the activity is mostly based in China, there is no conclusive evidence that the Chinese government is involved in its operation.[4]
The Georgia–Russia crisis is a current and ongoing international crisis between Georgia and Russia that escalated in 2008, when both countries accused each other of military buildup near the separatist regions Abkhazia and South Ossetia. On March 6, 2008 Russia announced that it would no longer participate in the Commonwealth of Independent States economic sanctions imposed on Abkhazia in 1996.
Increasing tensions led to the outbreak of the 2008 South Ossetia war. After the war, a number of incidents have occurred in both conflict zones, and tensions between the belligerents remain high. The crisis has been linked to the push for Georgia to receive a NATO Membership Action Plan and, indirectly, the unilateral declaration of independence by Kosovo.