[ISN] Hacking Tools Can Strengthen Security
InfoSec News
isn at c4i.org
Tue Mar 22 03:12:06 EST 2005
http://www.eweek.com/article2/0,1759,1776613,00.asp
By Cameron Sturdevant
March 21, 2005
To avoid getting hacked, you've got to think like a hacker - and that
means knowing the tools and tricks of the hacking trade.
IT managers must understand the types of hacking tools available -
including the vulnerabilities they target and the damage they can
cause - to keep business data private, prevent information theft and
maintain data availability while enabling a high level of business
productivity.
It's tempting to rely on commercial vulnerability assessment tools and
patch management systems to keep network infrastructure devices,
servers and desktop systems in top defensive form. However, IT
organizations should not depend on these products and services as the
sole source of expertise in combating attacks on enterprise resources.
Hacking tools most often originate in the realm of advanced coders.
And recent news stories have tied these coders to underworld backers.
Many of these hacking tools are a few clicks away on the Internet, but
some tools can be difficult to find unless you move in certain
circles. In the frequent case that a hacking tool cannot be accessed
directly, there are several resources on the Web that will provide the
kind of information IT managers need to assess network security tools'
ability to thwart it.
Before doing any kind of assessment of hacking tools, IT
administrators should first perform a risk analysis to see which of
their organization's IT resources are most vulnerable to attack and
what kinds of attacks they're most liable to suffer. Administrators
should then attempt to download, test and become proficient with at
least one of the hacking tools that are most threatening to the
organization's vital IT assets.
Root kits
One hack that should be high on IT organizations' most-wanted list
comes by way of root kits.
In fact, based on detailed information provided to eWEEK Labs and
verified in our testing, Windows shops should immediately take steps
to understand root kits, a type of hack that is widely known in the
Unix community but that now appears to be headed straight for Windows
desktop and server systems.
Although root kits may be a new problem - to the Windows world, anyway
- the overarching concern should be variations on hacks known to exist
in every operating system in use in the network today.
Click here to read about one IT manager's experience as a victim of a
root-kit attack in which 500GB of e-mail data was rendered
inaccessible.
Buffer overflows
One of the most commonly exploited vulnerabilities is the buffer
overflow. Buffer overflows occur when too much information can be
written to a predefined memory buffer, causing a program to fail.
There are many tools that let hackers exploit this vulnerability, and
knowing them will help you learn how to prevent their successful use
on your systems.
One such tool is Digital Monkey's Buffer Syringe, a relatively simple,
minimally documented tool that lets hackers exploit buffer overflows.
In fact, Buffer Syringe includes several usage examples that make
implementation of the tool a snap.
Understanding how Buffer Syringe and tools like it work should give IT
managers much more confidence when evaluating, for example, a Windows
vulnerability assessment tool or patch management system because it
will reveal the ins and outs of how the buffer overflow is
constructed.
With this information, IT managers can then exact much more specific
and telling information from vendors of commercial vulnerability
assessment tools as to how their tools detect such weaknesses. Thus
armed, it will be much easier to evaluate, select, implement and use
such tools over time.
A format-string vulnerability occurs when user-supplied data is
handled incorrectly - usually in the C language - and is passed by a
program directly as a format string. A talented attacker can then
craft a string that overwrites memory locations with the attacker's
input.
Most IT managers likely will not have time to practice with this hack
because it requires extensive tinkering to work correctly. If that's
the case, a good way to get familiar with the hack is to use eWEEK
Labs' favorite open-source vulnerability assessment tool - used by
people wearing both white and black hats - Nessus (nessus.org).
As with all the categories of hacking tools described in this article
(and as with many esoteric hacking tools that are not discussed here),
the Nessus tool has several plug-ins that can reveal format-string and
other vulnerabilities. By becoming familiar with Nessus' format-string
plug-in, IT managers can get a very good feel for how a format-string
attack will look and act.
In fact, it's well worth any IT manager's time to poke around at the
Nessus site, paying close attention to the plug-in library. We
recommend installing Nessus in the organization's test network and
subscribing to the Nessus plug-in feed, which can be the only way to
get the latest additions to the Nessus tool.
Spending even a short amount of time reading about the purpose and use
of a Nessus plug-in will provide valuable insight into the operation
of many hacking tools - and certainly the vulnerabilities that these
tools seek to exploit.
This is also a good way to understand directory traversal hacks,
which, like buffer overflows and format-string attacks, use custom
code to cause a program malfunction to gain escalated user privilege.
Defaults, back doors and misconfiguration
There is a whole class of hacking "tools" that are nothing more than
expert knowledge of a particular application or operating system
combined with poor security practices by the IT implementer.
Early in the methodical stalking of an IT resource, hackers will
enumerate and identify systems in a network, looking for something of
interest. After identifying an interesting target, smart hackers will
gently test to see if any part of a system was left in a default
configuration. Such a configuration provides easy back-door entry into
what might look from the front like an impregnable fortress.
To avoid leaving these back doors open, or even ajar, eWEEK Labs
recommends that IT managers add a section to any RFP (request for
proposal) that requires vendors to supply instructions and tools for
hardening their respective products.
Vendors that are unable to provide this kind of assistanceat no extra
cost or at a nominal fee for custom work - should be passed over in
favor of suppliers that can help IT lock out hacking tools.
We also recommend training users early and often about how to avoid
social hacks such as e-mail phishing and the dreaded Post-It Note
attack.
Web resources: Hacking tools
For Windows systems, start with sysinternals.com, where you'll find a
host of useful no-cost and commercial diagnostic tools. -
http://sysinternals.com/
Go to nessus.org to become familiar with one of the most widely used
vulnerability assessment tools available. Nessus can probe a wide
range of server and desktop operating systems and is frequently
updated. - http://nessus.org/
Wikipedia provides useful information about root kits, with pointers
to articles about other hacking tools. -
http://en.wikipedia.org/wiki/Rootkit
More information about the ISN
mailing list