
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents?
Tim McLaren
Thursday, September 28, 2000
McMaster University

Agenda
• Hackers and their vocabulary
• Threats and risks
• Types of hackers
• Gaining access
• Intrusion detection and prevention
• Legal and ethical issues

Hackerz Lingo
• Hacking - showing computer expertise
• Cracking - breaching security on software or systems
• Phreaking - cracking telecom networks
• Spoofing - faking the originating IP address in a datagram
• Denial of Service (DoS) - flooding a host with datagrams (e.g. by “smurfing”)
• Port Scanning - searching for vulnerabilities

Hacking through the ages
• 1969 - Unix ‘hacked’ together
• 1971 - Cap ‘n Crunch phone exploit discovered
• 1988 - Morris Internet worm crashes 6,000 servers
• 1994 - $10 million transferred from CitiBank accounts
• 1995 - Kevin Mitnick sentenced to 5 years in jail
• 2000 - Major websites succumb to DDoS

Recent news
• 15,700 credit and debit card numbers stolen from Western Union (Sep. 8, 2000)
  (hacked while web database was undergoing maintenance)

The threats
• Denial of Service (Yahoo, eBay, CNN)
• Graffiti, Slander, Reputation
• Loss of data
• Divulging private information (AirMiles, corporate espionage)
• Loss of financial assets (CitiBank)

CIA.gov defacement example

Web site defacement example

Types of hackers
• Professional hackers
  – Black Hats
  – White Hats
• Script kiddies

Top intrusion justifications
1. I’m doing you a favour pointing out vulnerabilities
2. I’m making a political statement
3. Because I can
4. Because I’m paid to do it

Gaining access
• Back doors
• Trojans
• Software vulnerability exploitation
• Password guessing
• Password/key stealing

Back doors & Trojans
• e.g. Whack-a-mole / NetBus
• Cable modems / DSL very vulnerable
• Protect with Virus Scanners, Port Scanners, Personal Firewalls

Port scanner example

Software vulnerability exploitation
• Buffer overruns
• HTML / CGI scripts
• Other holes / bugs in software and services
• Tools and scripts used to scan ports for vulnerabilities

Password guessing
• Default or null passwords
• Password same as user name (use finger)
• Password files, trusted servers
• Brute force -- make sure login attempts audited!

Password/key stealing
• Dumpster diving
• Social engineering
• Inside jobs (about 50% of intrusions resulting in significant loss)

Once inside, the hacker can...
• Modify logs
• Steal files
• Modify files
• Install back doors
• Attack other systems

Intrusion detection systems (IDS)
• Vulnerability scanners
  – pro-actively identifies risks
• Network-based IDS
  – examine packets for suspicious activity
  – can integrate with firewall
  – require 1 dedicated IDS server per segment

Intrusion detection systems (IDS)
• Host-based IDS
  – monitors logs, events, files, and packets sent to the host
  – installed on each host on network
• Honeypot
  – decoy server
  – collects evidence and alerts admin

Intrusion prevention
• Patches and upgrades
• Disabling unnecessary software
• Firewalls and intrusion detection
• ‘Honeypots’
• Reacting to port scanning

Risk management
(Matrix with axes Probability and Impact; the four responses shown are:)
• Ignore (e.g. delude yourself)
• Prevent (e.g. firewalls, IDS, patches)
• Backup Plan (e.g. redundancies)
• Contain & Control (e.g. port scan)

Legal and ethical questions
• ‘Ethical’ hacking?
• How to react to mischief or nuisances?
• Is scanning for vulnerabilities legal?
• Can private property laws be applied on the



BU CS 455 - Network Intruders
