Hacker Perspectives. Advanced Computer Networks SS 2007 Franz Sommerauer. ACN SS 07 - Hacker Perspectives




Overview
- Definition of a Hacker
- History of Hacking
- How to get into Scene
- Information Gathering
- Ethical Hacking
- Most famous Hackers

Definition (see Hacker Jargon file)
1. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary.
2. One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming.

Types of hackers
- White hat
  - A person who is ethically opposed to the abuse of computer systems (ethical hacker)
  - Generally focuses on securing IT systems
- Grey hat
  - A skilled hacker who sometimes acts legally, sometimes in good will, and sometimes not
  - Hybrid between white and black hat hackers
- Black hat
  - Someone who compromises the security of a system without permission from an authorized party
  - Cracker

History of hacking
- 1972: John Draper discovers that a 2.6 kHz tone gives access to the internal trunking mechanism of Ma Bell
  - 2.6 kHz tone created by a whistle
  - With a blue box it was possible to take internal control of Ma Bell's long distance switching equipment
- 1973: College students Steve Wozniak and Steve Jobs begin making and selling blue boxes

History of hacking
- 1981: Chaos Computer Club forms in Germany
- 1982: A group of six teenage hackers (the 414s) broke into 60 computer systems and institutions (including Los Alamos Labs)
- 1988: Kevin Mitnick secretly monitors the e-mail of security officials (sentenced to one year in jail)

History of hacking
- 1988: Robert T. Morris launches a worm on the government's ARPAnet (precursor of the Internet)
  - The worm spreads to 6000 networked computers
  - First person indicted under the Computer Fraud and Abuse Act of 1986
  - 3 years probation
  - 400 hours community service
  - Fine of $10,050 and cost of his supervision
- First National Bank of Chicago became victim of a $70-million computer theft

History of hacking
- 1989: Hackers in West Germany were arrested
  - Broke into U.S. Government and corporate computers
  - Sold OS source code to the Soviet KGB
- "Fry Guy" was arrested
  - Earned the name by hacking into a local McDonald's computer and giving raises to his hamburger-flipping friends
  - Got credit card numbers by social engineering

History of hacking
- 1993: During radio station call-in contests, Kevin Poulsen and 2 friends rigged the station's phone system to let their calls through
  - Won 2 Porsches, vacation trips and $20.000
- A Texas A&M University professor received death threats because a hacker used his email account to send 20.000 racist emails

History of hacking
- 1994: Vladimir Levin and his group transferred $10 million from Citibank to bank accounts all over the world
  - Sentenced to three years in prison
- 1995: Kevin Mitnick arrested again
  - FBI accused him of stealing 20.000 credit card numbers
  - Stealing files from companies such as Motorola and Sun Microsystems

History of hacking
- 1998: 2 hackers were sentenced to death in China for stealing 260.000 Yuan ($31.400)
- 1999: An unidentified hacker seized control of a British military communication satellite and demanded money in return for control of the satellite
- 2000: Hackers broke into Microsoft's corporate network
  - Accessed source code for the latest versions of Microsoft Windows and Office software
- A Russian cracker attempts to extort $100.000 from online music retailer CD Universe
  - Threatening to expose thousands of customers' credit card numbers
- "I love you" virus spread rapidly around the world
  - Infected image and sound files

History of hacking
- 2002: Microsoft sent more than 8.000 programmers to security training
- 2004: Myron Tereshchuk was arrested
  - Attempting to extort $17 million from Micropatent
- 2006: Jeanson James Ancheta received a 57 month prison sentence

How to get into scene
- How to become a hacker
  - Learn about the techniques behind (program, UNIX, WWW)
  - Contribute to a hacker culture
  - You aren't really a hacker until other hackers consistently call you one
  - Hackers publish their work under real names, crackers use pseudonyms
  - Experiment and try out things
- How to become a cracker
  - Download a script and run it somewhere
  - Download a file called 40HEX
  - Use your hacking skills for bad purposes
  - The final reason a cracker cracks is for money

Information gathering
- The more you know the easier you can attack.
- There are many ways to gather information
  - Footprinting, Ping Sweep, Port Scan, OS Detection, Finger
- Giving away knowledge is more dangerous than running insecure software.
  - Manuals must be secret!
  - Never give away secret information over telephone!
  - Try to conceal what software / hardware / versions you are using

Information gathering: Footprinting
- Learn as much as you can about a system
  - Remote access possibilities, ports, services
  - How does the phone system work?
  - How does the backbone work?
  - How does the company deal with the system?
  - Who is responsible, who knows the system?
- Read papers, manuals and ask the ones who know

Information gathering: Social Engineering
- Attacker tries to convince someone to give out information, passwords
- Most innocent questions
  - What is the phone number/IP address for
  - Who is responsible for administrating the computer network
  - Network structure
- The technical know-how is less important than information!

Information gathering
- Ping sweep
  - Ping a range of IP addresses to find out which machines are currently running
- Port Scan
  - TCP Scan: Scan ports to see which services are running
  - UDP Scan: Send garbage packets to ports
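Seen from the defending side, both activities on this slide leave a recognizable pattern in firewall logs: one source touching many hosts (sweep) or many ports on one host (scan) in a short time. The following sketch is an added example, not part of the original slides; the log format, the `WINDOW` and `THRESHOLD` values and all addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (hypothetical, not from the slides):
#   <seconds> SRC=<ip> DST=<ip> PROTO=<ICMP|TCP|UDP> DPT=<port or ->
LINE = re.compile(r"^(\d+) SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\S+)$")
WINDOW = 60      # seconds of history considered per source
THRESHOLD = 10   # distinct hosts (sweep) or ports (scan) inside the window

def constructed_log():
    """Constructed sample traffic using documentation address ranges."""
    log = [f"{t} SRC=203.0.113.5 DST=192.0.2.{t + 1} PROTO=ICMP DPT=-"
           for t in range(12)]                                   # ping sweep
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    log += [f"{20 + i} SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT={p}"
            for i, p in enumerate(ports)]                        # TCP port scan
    log += [f"{t} SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=443"
            for t in range(0, 40, 2)]                            # normal client
    log += [f"{t} SRC=192.0.2.2 DST=192.0.2.{t} PROTO=ICMP DPT=-"
            for t in (10, 11, 12)]                               # monitoring pings
    return log + ["garbled line without fields"]

def detect(lines):
    """Return sorted (kind, source, target) alerts for sweeps and port scans."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # skip lines that do not parse
        t, src, dst, proto, dpt = m.groups()
        if proto == "ICMP":               # sweep: one source, many hosts
            events[("ping sweep", src, "*")].append((int(t), dst))
        elif proto in ("TCP", "UDP"):     # scan: one source, one host, many ports
            events[(f"{proto} port scan", src, dst)].append((int(t), dpt))
    alerts = []
    for key, seen in events.items():
        seen.sort()
        start = 0
        for end, (t, _) in enumerate(seen):
            while t - seen[start][0] > WINDOW:
                start += 1                # slide the window forward
            if len({item for _, item in seen[start:end + 1]}) >= THRESHOLD:
                alerts.append(key)
                break
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The repeated connections of the normal client to a single port and the three monitoring pings stay below the threshold and raise no alert.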

Information gathering
- OS Detection
  - This involves sending illegal ICMP or TCP packets to a machine
- Finger
  - Retrieving the user list to get all accounts.
  - Read log files that show from where and when users are logging in.

Ethical Hacking
- Best protect a system by probing it while causing no damage and fixing vulnerabilities found
- Simulate how an attacker with no inside knowledge of a system might try to penetrate
- Includes permission to intrude
  - Consulting services
  - Hacking contests
  - Beta testing

Ethical Hacking: The Problem
- Current software engineering practices do not produce systems that are immune from attack
- Current security tools only address parts of the problem and not the system as a whole
  - Lack of understanding leads to reliance upon partial solutions
- Policy and law in cyberspace are immature and lag the state of the art in attacks
- System administration is difficult and becoming unmanageable due to patching against increased vulnerabilities

Ethical Hacking: The result
- Average time for a PC to be broken into directly out-of-box from the store and attached to the Internet is less than 24 hours.
- The worst case scenario is about 15 minutes

Ethical Hacking: Scanning Tools
Typical information that can be learned from a port scan is:
- Existence of computer
- OS
- Version of OS
- Types of available services (smtp, httpd, ftp, telnet)
- Type of computing platform

Ethical Hacking: Dual nature of a port scanner
- Most powerful tool an ethical hacker can use in protecting a network of computers
- Most powerful tool a cracker can use to generate attacks
- Historically most popular cracker attacks are those that use scanning tools to target known vulnerabilities

Ethical Hacking: Conflicts of interest
- Security firms hype and invent threats
- Persons who work at security firms have been known to spend their off-hours creating and distributing the very attack tools their company sells to protect against
- Due to market pressure, businesses have used ethical hackers to:
  - Beta test products
  - Hacking contests

Ethical Hacking: Conclusion
- Given the present poor security on the Internet, ethical hacking may be the most effective way to proactively plug security holes and prevent intrusions.
- On the other hand, ethical hacking tools have also been notorious tools for crackers.

Most famous Hackers: Black hat hackers
- Jonathan James
  - Installed a backdoor into a Defense Threat Reduction Agency server
  - Cracked into NASA computers, stealing software worth approximately $1.7 million
  - Started a computer security company
- Adrian Lamo
  - His hits include Yahoo!, Bank of America, Citigroup and Cingular
  - Now he is working as journalist and public speaker

Most famous Hackers
- Kevin Mitnick
  - He hacked into computers, stole corporate secrets, scrambled phone networks and broke into the national defense warning system
  - Is now a computer security consultant, author and speaker
- Kevin Poulsen
  - His hacking specialty, however, revolved around telephones
  - He is now a senior editor for Wired News
- Robert Tappan Morris
  - Is currently working as a tenured professor at the MIT Computer Science and Artificial Intelligence Laboratory

Most famous Hackers: White hat hackers
- Stephen Wozniak
  - Co-founded Apple computers with Steve Jobs
  - Got his start in hacking making blue boxes
  - Wozniak even used a blue box to call the Pope while pretending to be Henry Kissinger
- Tim Berners-Lee
  - Famed as the inventor of the World Wide Web
  - While working with CERN he created a hypertext prototype system that helped researchers share and update information easily
  - Founded the World Wide Web Consortium at MIT (W3C)

Most famous Hackers
- Linus Torvalds
  - Father of Linux
  - He started with a task switcher in Intel 80386 assembly and a terminal driver. Then he put out a call for others to contribute code, which they did.
  - Only about 2% of the Linux kernel is written by Torvalds himself (most prominent examples of free/open source software)
- Richard Stallman
  - Founded the GNU Project to develop a free OS
- Tsutomu Shimomura
  - He was hacked by Kevin Mitnick. Following this personal attack, he made it his cause to help the FBI capture him
  - Using Mitnick's cell phone, they tracked him near Raleigh-Durham International Airport

Thank you for your attention!