Thieves Trick Crackers Into Attacking Networks
By Lee Kimber, Network Week
Feb 16, 1999 (9:10 AM)
URL: http://www.techweb.com/wire/story/TWB19990216S0008

Corporate networks are coming under attack from an army of amateur crackers working unwittingly for professional thieves, security experts have warned.

They have identified signs that organized criminals and "professional" crackers are using trick software that lets teenage enthusiasts -- known as "script kiddies" -- attack networks for amusement. The software then secretly sends the findings of these surveys to experienced crackers.

Professional gangs could use this trick to build massive databases of network insecurities for thieves to exploit.

Consultants cited the hacking group New Order's Aggressor network-attack software, which invites amateurs to register for a full copy on the promise that they will receive hidden tools to mount stronger attacks on their victims.

"We could be looking at half a dozen teenagers doing cracking on behalf of New Order," warned Internet Security Systems security expert Kevin Black. "It's: 'Here's a toy to play with,' then: 'Thank you, soldier.' "

The growth of Java programming skills lies behind another new trick, where crackers build Java cracking software into websites. When surfers browse the site, the program returns the surfer's IP address to network security tools' logs, leaving the cracker's real location a secret.

[What? So a surfer visits a site and it returns their IP? Web servers log the incoming traffic, not pass info back to the surfer. This statement makes no sense.]

Canadian hacking group HackCanada is encouraging crackers to rewrite the Python network-scanning script Phf in Java so it can be loaded into Web surfers' browsers during a visit to an innocuous-looking site. HackCanada adopted the tactic after a cracker received a warning from a corporate network administrator who detected him using the Phf script in its native Python form.

And in a gloomy warning for network administrators, Axent security consultant David Butler warned teenagers and students who collected cracking tools to impress their peers would quickly try them out.

"Cracking attempts rise by a factor of three or four during school holidays," Butler told a joint Toshiba-Inflo security presentation earlier this month.

The news came shortly after security experts learned the freely available password authenticator Tcpwrapper had been rewritten and redistributed in a form that sends passwords it finds to an anonymous Hotmail address.

["password authenticator Tcpwrapper"? TCPWrappers have nothing to do with password authentication. They control who can connect to the site at all.]

"It's a shift in the mentality of cracking," said Black. "It's the difference between the men and the boys."

"We have been under constant attack by hackers since Christmas," said Nokia Telecommunications' Europe, Middle East, and Africa marketing director Bob Brace. The company had detected 24,000 cracking attempts since October last year, he said.

Nokia runs IP440 firewall and NAT with log analysis, so Brace could see the hackers first tried to ping every IP address, then probed for specific ports such as the default port for Back Orifice (1234) and port 80. (Back Orifice lets crackers gain control of a remote PC and is often hidden as a trojan in games.)

[Back Orifice defaults to port 31337 and would rarely (if ever) be installed on port 80 as it would conflict with HTTP if it was running.]

"I believe much of the probing is automated and some of the more serious attacks are spread out so they are not easy to identify in a trace," Brace said.
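
The log correlation described in the Nokia passage (a ping sweep followed by probes of specific ports, possibly spread out over time), as an added example that is not part of the article or its annotations. The log format, addresses, function names and the min_hosts threshold are assumptions made for illustration; port 31337 is the Back Orifice default given in the bracketed note, and state is kept per source with no time window so that slow, spread-out probing still correlates.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the article).
# Fields: epoch-seconds, source, destination, protocol, destination port ("-" for ICMP)
SAMPLE_LOG = """\
918000000 203.0.113.7 192.0.2.1 icmp -
918003600 203.0.113.7 192.0.2.2 icmp -
918007200 203.0.113.7 192.0.2.3 icmp -
918010800 203.0.113.7 192.0.2.4 icmp -
918090000 203.0.113.7 192.0.2.3 udp 31337
918176400 203.0.113.7 192.0.2.3 tcp 80
918000100 198.51.100.9 192.0.2.1 icmp -
918000200 198.51.100.9 192.0.2.1 tcp 80
918000300 198.51.100.20 192.0.2.2 tcp 80
"""

def parse(line):
    """Split one log line into (timestamp, src, dst, proto, dport-or-None)."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, (None if dport == "-" else int(dport))

def sweep_then_probe(log_text, min_hosts=4, watch_ports=(31337, 80)):
    """Return {src: sorted watched ports probed} for every source that pinged at
    least min_hosts distinct addresses and probed a watched port after its first
    ping. Nothing expires, so probes hours or days apart are still linked."""
    pinged = defaultdict(set)    # src -> distinct destinations pinged
    first_ping = {}              # src -> timestamp of its earliest ping
    probes = defaultdict(list)   # src -> [(timestamp, port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse(line)
        if proto == "icmp":
            pinged[src].add(dst)
            first_ping[src] = min(ts, first_ping.get(src, ts))
        elif dport in watch_ports:
            probes[src].append((ts, dport))
    findings = {}
    for src, hosts in pinged.items():
        later = sorted({p for ts, p in probes[src] if ts >= first_ping[src]})
        if len(hosts) >= min_hosts and later:
            findings[src] = later
    return findings

if __name__ == "__main__":
    print(sweep_then_probe(SAMPLE_LOG))
```

In the sample, the flagged source's events are spread over roughly two days, while the source that pinged a single host and the one that only requested port 80 are not reported.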