Hacker Perspectives

Advanced Computer Networks SS 2007 Franz Sommerauer

ACN SS 07 - Hacker Perspectives Overview

• Definition of a Hacker
• History of Hacking
• How to get into Scene
• Information Gathering
• Ethical Hacking
• Most famous Hackers

Definition (see Hacker Jargon file)

1. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary.
2. One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming.

Types of hackers

• White hat
  – A person who is ethically opposed to the abuse of computer systems (ethical hacker)
  – Generally focuses on securing IT systems
• Grey hat
  – A skilled hacker who sometimes acts legally, sometimes in good will, and sometimes not
  – Hybrid between white and black hat hackers
• Black hat
  – Someone who compromises the security of a system without permission from an authorized party
  – Cracker

History of hacking

• 1972
  – John Draper discovers that a 2.6 kHz tone allows access to the internal trunking mechanism of Ma Bell
    • 2.6 kHz tone created by a whistle
    • With a Blue box it was possible to take internal control of Ma Bell's long distance switching equipment
• 1973
  – College students Steve Wozniak and Steve Jobs begin making and selling blue boxes

History of hacking

• 1981
  – Chaos Computer Club forms in Germany
• 1982
  – Hacker group of six teenage hackers (414's) broke into 60 computer systems and institutions (including Los Alamos Labs)
• 1988
  – Kevin Mitnick secretly monitors the e-mail of security officials (sentenced to one year in jail)

History of hacking

• 1988
  – Robert T. Morris launches a worm on the government's ARPAnet (precursor of the Internet)
    • The worm spreads to 6000 networked computers
    • First person indicted under the Computer Fraud and Abuse Act of 1986
    • 3 years probation
    • 400 hours community service
    • Fine of $10,050 and cost of his supervision
  – First National Bank of Chicago became victim of $70-million computer theft

History of hacking

• 1989
  – Hackers in West Germany were arrested
    • Broke into U.S. Government and corporate computers
    • Sold OS source code to Soviet KGB
  – Fry Guy was arrested
    • Earned the name by hacking into a local McDonald's computer and giving raises to his hamburger-flipping friends
    • Got credit card numbers by social engineering

History of hacking

• 1993
  – During radio station call-in contests, Kevin Poulsen and 2 friends rigged the station's phone system to let their calls through
    • Won 2 Porsches, vacation trips and $20.000
  – Texas A&M University received death threats because a hacker used his email account to send 20.000 racist emails

History of hacking

• 1994
  – Vladimir Levin and his group transferred $10 million from Citibank to bank accounts all over the world
    • Sentenced to three years in prison
• 1995
  – Kevin Mitnick arrested again
    • FBI accused him of stealing 20.000 credit card numbers
    • Stealing files from companies such as Motorola and Sun Microsystems

History of hacking

• 1998
  – 2 hackers were sentenced to death in China for stealing 260.000 Yuan ($31.400)
• 1999
  – Unidentified hacker seized control of British military communication satellite and demanded money in return for control of satellite
• 2000
  – Hackers broke into Microsoft's corporate network
    • Accessed source code for latest versions of Microsoft Windows and Office software
  – Russian cracker attempts to extort $100.000 from online music retailer CD Universe
    • Threatening to expose thousands of customers' credit card numbers
  – I love you virus spread rapidly around the world
    • Infected image and sound files

History of hacking

• 2002
  – Microsoft sent more than 8.000 programmers to security training
• 2004
  – Myron Tereshchuk was arrested
    • Attempting to extort $17 million from Micropatent
• 2006
  – Jeanson James Ancheta received a 57 month prison sentence

How to get into scene

• How to become a hacker
  – Learn about the techniques behind (program, , WWW)
  – Contribute to a hacker culture
    • You aren't really a hacker until other hackers consistently call you one
    • Hackers publish their work under real names, crackers use pseudonyms
  – Experiment and try out things
• How to become a cracker
  – Download a script and run it somewhere
  – Download a file called “40HEX”
  – Use your hacking skills for bad purposes
  – The final reason a cracker cracks is for money

Information gathering

• The more you know the easier you can attack.
• There are many ways to gather information
  – Footprinting, Ping Sweep, Port Scan, OS Detection, Finger
• Giving away knowledge is more dangerous than running insecure software.
  – Manuals must be secret!
  – Never give away secret information over the telephone!
  – Try to conceal what software / hardware / versions you are using

Information gathering

• Footprinting
  – Learn as much as you can about a system
    • Remote access possibilities, ports, services …
    • How does the phone system work?
    • How does the backbone work?
    • How does the company deal with the system?
    • Who is responsible, who knows the system?

Read papers, manuals and ask the ones who know

Information gathering

• Social Engineering
  – Attacker tries to convince someone to give out information,
  – Most innocent questions
    • What is the phone number/IP address for…
    • Who is responsible for administrating the
  – Network structure

The technical know-how is less important than information!

Information gathering

• Ping sweep
  – Ping a range of IP addresses to find out which machines are currently running
• Port Scan
  – TCP Scan: Scan ports to see which services are running
  – UDP Scan: Send garbage packets to ports
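
Seen from the defending side, the ping sweep and port scan described above leave a recognisable pattern in flow or firewall logs. The following is an added example, not part of the original slides: it flags a source that reaches many distinct hosts via ICMP, or many distinct ports on one host via TCP/UDP, inside a time window. The record format, the thresholds and the sample addresses are assumptions constructed for illustration, and every ICMP record is assumed to be an echo request.

```python
from collections import defaultdict, deque

# Constructed sample flow records: (time_s, src, dst, proto, dst_port).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    # one source pings six hosts within six seconds
    [(t, "203.0.113.7", f"192.0.2.{t + 1}", "icmp", 0) for t in range(6)]
    # one source touches twelve TCP ports on one host within twelve seconds
    + [(10 + i, "203.0.113.9", "192.0.2.10", "tcp", 20 + i) for i in range(12)]
    # ordinary client: repeated connections to two web ports
    + [(5 * i, "198.51.100.5", "192.0.2.10", "tcp", p)
       for i, p in enumerate([80, 443, 80, 443])]
    # monitoring host: one ping every five minutes, each to a different host
    + [(300 * i, "198.51.100.8", f"192.0.2.{i + 1}", "icmp", 0) for i in range(6)]
)

def max_distinct(events, window):
    """Most distinct keys seen in any `window`-second span of time-sorted (ts, key)."""
    recent, counts, best = deque(), defaultdict(int), 0
    for ts, key in events:
        recent.append((ts, key))
        counts[key] += 1
        while ts - recent[0][0] > window:      # expire events older than the window
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        best = max(best, len(counts))
    return best

def detect_recon(flows, window=60, host_threshold=5, port_threshold=10):
    """Return sorted alerts (kind, src, dst, distinct_count); thresholds are assumptions."""
    sweeps = defaultdict(list)   # src -> [(ts, dst host)]
    scans = defaultdict(list)    # (src, dst, proto) -> [(ts, dst port)]
    for ts, src, dst, proto, port in sorted(flows, key=lambda f: f[0]):
        if proto == "icmp":
            sweeps[src].append((ts, dst))
        elif proto in ("tcp", "udp"):
            scans[(src, dst, proto)].append((ts, port))
    alerts = []
    for src, events in sweeps.items():
        n = max_distinct(events, window)
        if n >= host_threshold:
            alerts.append(("ping_sweep", src, "*", n))
    for (src, dst, proto), events in scans.items():
        n = max_distinct(events, window)
        if n >= port_threshold:
            alerts.append((f"{proto}_port_scan", src, dst, n))
    return sorted(alerts)
```

Calling `detect_recon(SAMPLE_FLOWS)` reports the sweeping and scanning sources and leaves the ordinary client and the monitoring host alone.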

Information gathering

• OS Detection
  – This involves sending illegal ICMP or TCP packets to a machine
• Finger
  – Retrieving the user list to get all accounts.
  – Read log files that show from where and when users are logging in.

Ethical Hacking

• Best protect a system by probing it while causing no damage and fixing vulnerabilities found
• Simulate how an attacker with no inside knowledge of a system might try to penetrate
• Includes permission to intrude
  – Consulting services
  – Hacking contests
  – Beta testing

Ethical Hacking

• The Problem
  – Current software engineering practices do not produce systems that are immune from attack
  – Current security tools only address parts of the problem and not the system as a whole
    → lack of understanding leads to reliance upon partial solutions
  – Policy and law in cyberspace is immature and lags the state-of-the-art in attacks
  – System administration is difficult and becoming unmanageable due to patching against increased vulnerabilities

Ethical Hacking

• The result
  – Average time for a PC to be broken into directly out-of-box from the store and attached to the Internet is less than 24 hours.
  – The worst case scenario is about 15 minutes

Ethical Hacking

• Scanning Tools
  – Typical information that can be learned from a port scan is:
    • Existence of computer
    • OS
    • Version of OS
    • Types of available services (smtp, httpd, ftp, telnet…)
    • Type of computing platform

Ethical Hacking

• Dual nature of a port scanner
  – Most powerful tool an ethical hacker can use in protecting a network of computers
  – Most powerful tool a cracker can use to generate attacks

Historically, the most popular cracker attacks are those that use scanning tools to target known vulnerabilities

Ethical Hacking

• Conflicts of interest
  – Security firms hype and invent threats
  – Persons who work at security firms have been known to spend their off-hours creating and distributing the very attack tools their company sells to protect against
  – Due to market pressure, businesses have used ethical hackers to:
    • Beta test products
    • Hacking contests

Ethical Hacking

• Conclusion
  – Given the present poor security on the Internet, ethical hacking may be the most effective way to proactively plug security holes and prevent intrusions.
  – On the other hand, ethical hacking tools have also been notorious tools for crackers.

Most famous Hackers

• Black hat hackers
  – Jonathan James
    • Installed a backdoor into a Defense Threat Reduction Agency server
    • Cracked into NASA computers
    • Stealing software worth approximately $1.7 million
    • Started a company
  – Adrian Lamo
    • His hits include Yahoo!, Bank of America, Citigroup and Cingular
    • Now he is working as journalist and public speaker

Most famous Hackers

– Kevin Mitnick
  • He hacked into computers, stole corporate secrets, scrambled phone networks and broke into the national defense warning system
  • Is now a computer security consultant, author and speaker
– Kevin Poulsen
  • His hacking specialty, however, revolved around telephones
  • He is now a senior editor for Wired News
– Robert Tappan Morris
  • Is currently working as a tenured professor at the MIT Computer Science and Artificial Intelligence Laboratory

Most famous Hackers

• White hat hackers
  – Stephan Wozniak
    • Co-founded Apple computers with Steve Jobs
    • Got his start in hacking making blue boxes
    • Wozniak even used a blue box to call the Pope while pretending to be Henry Kissinger
  – Tim Berners-Lee
    • Famed as the inventor of the World Wide Web
    • While working with CERN he created a hypertext prototype system that helped researchers share and update information easily
    • Founded the World Wide Web Consortium (W3C) at MIT

Most famous Hackers

– Linus Torvalds
  • Father of Linux
  • He started with a task switcher in Intel 80386 assembly and a terminal driver. Then he put out a call for others to contribute code, which they did. Only about 2% of the Linux kernel is written by Torvalds himself (one of the most prominent examples of free/open source software)
– Richard Stallman
  • Founded the GNU Project to develop a free OS
– Tsutomu Shimomura
  • He was hacked by Kevin Mitnick. Following this personal attack, he made it his cause to help the FBI capture him
  • Using Mitnick's cell phone, they tracked him near Raleigh-Durham International Airport

Thank you for your attention!
