URL: http://www.robertgraham.com/pubs/hacking-dict.html
Version 0.7.0, 2001-11-11
Copyright 1998-2001 by Robert Graham (hacking-dict@robertgraham.com). You may use this document for any purpose (including commercial) as long as you give me credit and include a link back to the original at http://www.robertgraham.com/pubs/hacking-dict.html.
[ $IFS | 'bot | .forward | .plan | /dev/null | /dev/random | /etc | /etc/hosts | /etc/hosts.equiv | /etc/inetd.conf | /etc/passwd | /etc/services | /etc/shadow | 0-day | 11 | 128-bit | 2600 | 3DES | 3DES_EDE | 40-bit | 56-bit | 64-bit | 8 | 8-character password | 802.11 | 802.1q | ~user ]
The term "0-day" describes the fact that the value of exploits quickly goes down as soon as they are announced. The next day they are half as valuable. The 2nd day they are a 1/4 as valuable. Ten days later they are 1/1000 as valuable as on day 0. This is because script-kiddies quickly use the exploits on computers throughout the Internet, compromising systems before anybody else can get to them.
Contrast: The term 0-day exploit describes the hard-to-use exploits used by the discoverer himself (or close friends), in contrast to the easy-to-use scripts employed by script kiddies. For example, a buffer-overflow script will go through many phases as people try to find the right offsets for the target platforms, but will eventually end up as a broad-spectrum aim-and-shoot script that anybody could use.
Key point: One of the dangers of 0-day exploits is BUGTRAQ camping. A hacker discovers all the services running on the target victim and waits for day-0 when the exploit is announced. At that time, the hacker attacks the systems with the new exploit.
Key point: The term "0-day" describes any bit of information in the community, whether it is serial numbers, lists of proxies, or passwords to porn sites. As soon as such information becomes well-known and exploited by large numbers of people, it is then fixed by the victim. Information has a "half-life": the older it is, the less value it has.
Key point: The debate over strong encryption is never ending. Within the United States, law enforcement is constantly lobbying to restrict the use of strong encryption. Many resist, pointing out how often law enforcement already abuses wiretap powers (such as against Martin Luther King). At the same time, companies making products constantly lobby for the easing of export restrictions, so that they can sell strong encryption products abroad. Another funny thing is that the U.S. government's intransigence on this issue has actually led to stronger encryption abroad. U.S. export restrictions (and the desire to spy on foreigners) were among the reasons France relaxed its own law-enforcement bans on encryption use by citizens.
Key point: The random number generators within systems are often weaker than the key itself. For example, when you connect via SSL from your browser to a web-server, they choose a key for that session. That key is chosen with a random number generator. One estimate was that the average 128-bit session key contains only 47-bits of randomness. Other browsers have had even weaker systems allowing the session key to be recovered in only a few minutes.
Culture: This number is often used within the hacking culture. It is the name of a magazine (http://www.2600.com) as well as that of a series of newsgroups (news:alt.2600).
Key point: Specialized hardware can decrypt 40-bit keys in real time. The average new desktop has enough horsepower to decrypt 40-bit messages. Thus, many people now consider 40-bit encryption to be simply obfuscated plaintext.
Key point: The term 40-bit often means the RC4 system within browsers.
Key point: In January of 1999, the EFF built a custom machine (the "Deep Crack") for $250,000 that could decrypt 56-bit DES encrypted messages in hours.
Key point: 56-bit cryptography almost always means DES.
Status: At the current time (year 2001), 802.11 is completely broken as far as security is concerned. No solutions exist at this time that companies can use to create secure networks. However, within a couple of years, it is likely that secure standards will be created.
Key point: The following techniques are used in an attempt to secure a wireless network:
Key point: An employee leaving the company is likely to know all necessary SSIDs, MAC addresses, and WEP keys in order to get back on the network. This means that they can sit in the parking lot and gain access to the network and/or sniff traffic. Unless better key-management techniques are standardized, 802.11 cannot be securely used in corporate environments.
Key point: Other 802.11 terms:
Point: IEEE 802.11b transmits in the 2.4 GHz radio band (the same as microwave ovens, so it is recommended to keep it away from your body). This band is unregulated by the U.S. government. This means that it is a desirable technology for creating ad-hoc networks. For example, satellite dishes can be used with 802.11 to connect networks up to 30 kilometers away from each other, without government licenses.
Key point: Security conscious users of such systems need to make sure they use a more random mix of characters because they cannot create long passwords.
Key point: Password cracking such systems is a little easier.
Key point: Web-servers often allow access to user's directories this way. An example would be http://www.robertgraham.com/~rob.
Key point: A big hole on the Internet is that people unexpectedly open up information. For example, the file .bash_history is a hidden file in a person's directory that contains the complete text of all commands they've entered into the shell (assuming their shell is bash, which is the most popular one on Linux).
This file (.forward) is a prime target for attackers. If they can overwrite this file, they can subtly start capturing the user's e-mail. This is especially dangerous if the account in question is the root account. Note that the user doesn't have to know anything about this file or have one on his system. The mere creation of this file by the intruder will activate this feature. Furthermore, since this file starts with a 'dot', it is normally hidden from the user, so they won't even be aware that this feature exists.
Key point: When rooting a machine, intruders will often redirect logging to /dev/null. For example, the command
Culture: In the vernacular, means much the same thing as black hole. Typical usage: if you don't like what I have to say, please direct your comments to /dev/null.
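A defender's counterpart to the /dev/null trick above: a small checker that reports where writes to a log path actually end up, so a log file that has been replaced by a symlink to /dev/null stands out. This is an added example, not code from the dictionary; the log directory it inspects is constructed in a temporary directory.

```python
import os
import stat
import tempfile

def log_sink_status(path):
    """Classify where writes to a log path actually go.

    Returns one of:
      "regular" - an ordinary file, writes are retained
      "devnull" - a symlink that resolves to /dev/null, writes vanish
      "chardev" - some other character device, writes are not a file
      "missing" - the path (or a symlink target) does not exist
    """
    try:
        st = os.lstat(path)          # lstat: look at the link itself first
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        if os.path.realpath(path) == "/dev/null":
            return "devnull"
        try:
            st = os.stat(path)       # follow the link to see what it really is
        except FileNotFoundError:
            return "missing"         # dangling symlink: writes silently fail
    if stat.S_ISCHR(st.st_mode):
        return "chardev"
    return "regular"

def suspicious_logs(paths):
    """Return the paths an incident responder should look at first."""
    return [p for p in paths if log_sink_status(p) != "regular"]

def demo():
    """Constructed scenario: one honest log, one redirected to /dev/null."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "messages")
        with open(good, "w") as f:
            f.write("Nov 29 22:51:00 rh5 login: ROOT LOGIN on tty1\n")  # constructed line
        bad = os.path.join(d, "secure")
        os.symlink("/dev/null", bad)          # what an intruder leaves behind
        return {os.path.basename(p): log_sink_status(p) for p in (good, bad)}
```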
Key point: If an intruder can read files from this directory, then they can likely use the information to attack the machine.
Hack: If you can write files to a user's machine, then you can add entries to his/her hosts files to point to your own machine instead. For example, put an entry for www.microsoft.com to point to your machine, then proxy all the connections for the user. This will allow you to perform a man in the middle attack.
Analogy: The European Union (EU) doesn't have passport control between countries. You only have to present your passport when entering the first European country, then you can roam freely once inside the union. The "hosts.equiv" file creates a similar union of machines.
Hack: Hackers will target this file. If their target is machine A, they may instead find that A trusts B, and B may be easier to break into first. At that point, the hacker can hop back to A using an account on B. Likewise, if a hacker can write to this file, they can tell the system to trust any other system on the network (including the hacker's own machine).
Hack: Older software would do a reverse DNS lookup on a connecting IP address. If the hacker controlled the DNS server, s/he could return a trusted domain name, and therefore be allowed into the system. Another older hack is the default "+" entry.
See also: .rhosts
Key point: The passwords are encrypted, so even though everyone can read the file, it doesn't automatically guarantee access to the system. However, programs like crack are very effective at decrypting the passwords. On any system with many accounts, there is a good chance the hacker will be able to crack some of the accounts if they get hold of this file.
Key point: Modern UNIX systems allow for shadowed password files, stored in locations like /etc/shadow that only root has access to. The normal password file still exists, minus the password information. This provides backwards compatibility for programs that still must access the password file for account information, but which have no interest in the passwords themselves.
Key point: The chief goal of most hacks against UNIX systems is to retrieve the password file. Many attacks do not compromise the machine directly, but are able to read files from the machine, such as this file. Typical examples include:
Key point: /etc/passwd is a simple text file, with one line per account. The line is broken down into seven columns:
See also: shadowed passwords
Key point: Its role in life is so that programs can do a getportbyname() sockets call in their code in order to get what port they should use. For example, a POP3 email daemon would do a getportbyname("pop3") in order to retrieve the number 110 that pop3 runs at. The idea is that if all POP3 daemons use getportbyname(), then no matter what POP3 daemon you run, you can always reconfigure its port number by editing /etc/services.
Misunderstanding: This file is a poor way to figure out what port numbers mean. If you want to find out what ports programs are using, you should instead use the program lsof to find out exactly which ports are bound to which processes. If running lsof is not appropriate, then you should look up the ports in a more generic reference.
[ A | access control | Access Control List | accountability | ACK | Acknowledgement Number | ACL | active attack | ActiveX | administrator | advocacy | AES | age | AH | algorithm | alias | amplifier | ANAC | Anarchist Cookbook | anarchy | ANI | anonymity | anonymous | anonymous FTP | ANSI | ANSI X9.17 | anti-replay | anti-virus | AP | Apache | application/form-url-encoded | area code | ARP | ARP redirect | ASN.1 | ASP | Assassination Politics | asymmetric cryptography | AT command set | attack | audit | audit trail | auth | authentication | Authentication Header | authenticity | Authenticode | authorization | automatic variables | availability | avatar ]
In formal terms, a "subject" (e.g. a user) attempts to access the "object" (e.g. system or data). An access control system will evaluate the security levels of the subject and object in order to see if access is permitted.
Example: A simple example is the case where you enter a username and password in order to log onto the computer.
Contrast:
Key point: There are different kinds of access. Read access means that somebody can read information, whereas write access implies that somebody can change the data. For example, you can get a copy of your credit report and read it, but you can't necessarily change the data.
Key point: An Access Control List (ACL) is used to list those accounts that have access to the resource that the list applies to. When talking about firewalls, the ACL implies the list of IP addresses that have access to which ports and systems through the firewall. When talking about WinNT, the ACL implies the list of users that can access a specific file or directory on NTFS.
Contrast: Discretionary Access Control is the ability to have fine grained control over who has access to what resources.
Misconception: Many people believe that firewall IP address rules or IEEE 802.11 MAC address rules form robust ACLs. However, since neither IP addresses nor MAC addresses provide robust authentication, such ACLs provide only a weak form of security. When these so-called ACLs are relied upon for security, they frequently lead to compromises as people spoof their IP or forge their MAC address.
Controversy: A major human rights debate these days is between accountability and anonymity. On one hand, you want to make criminals accountable for their actions, but this intrudes upon the privacy of individuals who do not want their every action recorded.
Contrast: The term accountability typically describes the issue of tracing actions back to individuals, whereas accounting describes actually recording those actions.
Examples:
Contrast: ActiveX is similar to Java applets, except that the code is not "sandboxed": it has full access to the operating system. In order to stop hostile code, ActiveX relies upon digital signatures and "zones". Microsoft browsers are configured to trust ActiveX programs from servers in the "trusted" zone, to trust signed ActiveX programs from servers in less trusted zones, and to prompt/deny unsigned ActiveX applets from untrusted zones.
Controversy: The idea of trusted zones and signed applets works pretty well in theory, but doesn't always work well in practice. The problem is that it relies upon all users making the correct choices all the time. The Melissa virus/worm proved that this philosophy is not adequate.
Contrast: The main impetus behind AES replacing DES is the support for larger key sizes. DES uses 56-bit keys, which can be cracked in just a few minutes (in the year 2001). In contrast, AES supports 128-bit keys (as well as 192-bit and 256-bit). Whereas both DES and AES are fundamentally block ciphers, AES is also designed to be an efficient stream cipher and hash algorithm. Whereas DES was designed to be hardware based (software implementations are much slower), AES has been designed to be efficient in both software and hardware. In particular, implementations in ANSI C, Java, and x86 assembly language were important. Another important criterion was the ability for the algorithm to work within smart-cards with slow CPUs and limited memory.
Key point: The NIST director in charge of selecting the AES algorithm says: "If Moore's law continues and quantum computing doesn't manifest itself, then I think this system will have a good 30 year run".
Misconception: AES does not replace DES. In the 1980s, DES was the most used encryption algorithm. However, due to the length of time it took the government to come up with a replacement standard, other encryption algorithms became widely used, such as RC2, RC4, Blowfish, IDEA, and Triple DES. Moreover, crypto has become very "pluggable", with many products supporting numerous simultaneous encryption algorithms.
Analogy: A cookbook recipe is an algorithm.
Key point: Different algorithms have different levels of complexity. For example, consider the ancient parable (Babylonian?) about a king and a wise subject who did a favor for him. The subject asked for one piece of grain to be placed on the first square of a chess board, two grains on the second, four grains on the third, and so on, doubling the amount of grain for each successive square.
This problem demonstrates an algorithm of exponential complexity. For the first 10 squares of the chess board, the series is: 1 2 4 8 16 32 64 128 256 512. Thus, for the first 10 squares, roughly a thousand grains must be paid out. However, the series continues (using K=1024): 1k 2k 4k 8k 16k 32k 64k 128k 256k 512k. Thus, for the first 20 squares, roughly a million grains must be paid out. After 30 squares, roughly a billion grains must be paid out. For 40 squares, roughly a trillion grains must be paid out.
This is directly related to such things as key size. A 41-bit key is twice as hard to crack as a 40-bit key. A 50-bit key is a thousand times harder. A 60-bit key is a million times harder. This is why the 128-bit vs. 40-bit encryption debate is so important: 128-bit keys are a trillion trillion times harder to crack (via brute force) than 40-bit keys.
Key point: Most algorithms are public, meaning that somebody trying to decrypt your message knows all the details of the algorithm. Consequently, the message is protected solely by the key. Many people try to add additional protection by making the details of the algorithm secret as well. Experience so far has led to the belief that this actually leads to weaker security for two reasons. First, such secrets always get discovered eventually, so if security depends upon this secret, it will eventually be broken. Secondly, human intelligence is such that someone cannot create a secure algorithm on his/her own. Therefore, only by working with a community of experts over many years can humans create a secure algorithm. To date, only two such communities exist: the entire world of cryptography experts publishing the details of their work and trying to break other people's work, and the tightly knit community of cryptography experts working in secret for the NSA.
Example: The classic example is the smurf amplifier. An attacker spoofs the address of a victim and sends directed broadcasts to the amplifier, which then sends hundreds of replies back to the victim. Thus, it only costs the attacker a single packet to send many packets to the victim.
Example: A more subtle attack is the use of DNS. The DNS response packet can be much larger than the request. This allows an attacker to flood the victim with large packets at the cost of small packets.
Contrast: Cyberspace anarchy and real-world anarchy are different. The main thrust is that cyber-punishment should fit cyber-crime, and physical-punishment should only be used in cases of physical-crime.
Example: Most of the cyber-anarchy focuses on cryptography, or crypto-anarchy. This is because most anarchic capabilities will be based in cryptography.
Humor: Anairchists believe in the lack of odor.
See also: cypherpunks
Contrast: While on the surface ANI is similar to Caller ID, it is actually a completely different system. ANI predates Caller ID by about 50 years. Since the systems are independent, the numbers recorded for ANI and Caller ID can be different. Also note that the "*67" technique of blocking Caller ID has no effect on ANI.
Example: An ANAC (Automatic Number Announcement Circuit) will echo back the number you are calling from, either from ANI or Caller ID. They are popular among beige-boxing phreakers in order to discover the telephone number of the lines they tap into. It is also useful for corporate stooges that are having problems with 800 services because the phone number revealed by ANI about the extension is significantly different from the number they think it is. There really is no number dedicated to ANI discovery (other than 1-800-MY-ANI-IS used in the old days); these numbers are for other purposes, such as automated telephone customer service. Some numbers that are currently active as of August, 2000:
Point: As of 1998, ANI-II is starting to provide extra digits on the end of the telephone number indicating the type of number. The numbers "00" indicate POTS (plain old telephone service), "63" indicates a roaming PCS/cellular caller, "70" is a type of a payphone, etc.
Example: Anonymous e-mail services like Hotmail put the IP address of the person sending the e-mail in the headers (which are normally hidden from view by e-mail clients). Many would-be hackers get caught this way.
Example: France is currently trying to outlaw Internet anonymity, forcing users to disclose their identity.
Contrast: Anonymity is one aspect of privacy.
Contrast: ANSI is the American representative to the ISO. ANSI is made up of industry, whereas NIST specifies standards only for use within government.
Example: The following are infosec related standards by ANSI. The X9 group are Financial Industry Security Standards, but used elsewhere as well.
Key point: By sniffing ARP packets off the wire, you can discover a lot of stuff going on. This is especially true of cable-modem and DSL segments. Since ARP packets are broadcasts, you aren't technically breaking your user agreement by sniffing.
Key point: You can spoof ARP requests and/or responses in order to redirect traffic through your machine.
Key Point: Some Caribbean countries have U.S. area codes. A common telco fraud is to fool people into calling those numbers. The consumers believe that they are calling a U.S. number protected by fraud laws, when in reality they are dialing a pay service that will charge them upwards of $2 a minute.

North American Area Codes Outside the U.S. and Canada

| Area code | Country |
|---|---|
| 242 | Bahamas |
| 246 | Barbados |
| 264 | Anguilla |
| 268 | Antigua & Barbuda |
| 284 | British Virgin Islands |
| 345 | Cayman Islands |
| 441 | Bermuda |
| 473 | Grenada |
| 649 | Turks & Caicos Is. |
| 664 | Montserrat |
| 758 | St. Lucia |
| 767 | Dominica |
| 784 | St. Vincent & the Grenadines |
| 809 | Dominican Republic |
| 868 | Trinidad & Tobago |
| 869 | St Kitts & Nevis |
| 876 | Jamaica |
Link: See the website http://www.nanpa.com/ for more information on NANP (North American Numbering Plan).
Key point: A recurring bug in ASP has allowed hackers to read the script rather than the output of the script. These techniques rely upon changing the name of the script such that the server no longer recognizes it as a script, but as a file instead. Some techniques that have worked in the past have been:
Key point: ASN.1 is used within many areas of security to declare data structures and compatible file/network encodings of those data structures. For example, your X.509 Certificate is an ASN.1 encoded file.
Example: The following shows an ASN.1 structure compared to a C++ structure.

```cpp
struct UserRecord {
    bool account_disabled;
    int user_type;
    char *user_name;
    char *password;
};
```

```asn1
UserRecord ::= [APPLICATION 0] IMPLICIT SEQUENCE {
    account_disabled BOOLEAN,
    user_type INTEGER,
    user_name OCTET STRING,
    password OCTET STRING
}
```
Key point: ASN.1 defines structures abstractly, which means it doesn't really specify the concrete representation. There are many ways to encode an ASN.1 structure in binary. There are three popular sets of encoding rules:
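To make "concrete representation" tangible, here is the UserRecord above encoded and decoded under DER (the distinguished subset of BER used for X.509). This is an added example, not code from the dictionary; the field values are constructed, and the decoder checks lengths before slicing because truncated TLVs are where ASN.1 parsers have historically failed.

```python
# DER tags: BOOLEAN=0x01, INTEGER=0x02, OCTET STRING=0x04, SEQUENCE=0x30.
# "[APPLICATION 0] IMPLICIT" replaces the SEQUENCE tag with
# class APPLICATION (0x40) | constructed (0x20) | tag number 0  ->  0x60.
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING = 0x01, 0x02, 0x04
TAG_USER_RECORD = 0x60

def der_length(n):
    """Short form below 128; otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def der_boolean(value):
    # DER requires TRUE to be exactly 0xFF; BER accepts any non-zero byte.
    return tlv(TAG_BOOLEAN, b"\xff" if value else b"\x00")

def der_integer(value):
    # Minimal-length two's complement: 0 -> 00, 128 -> 00 80, -1 -> ff.
    n = 1
    while True:
        try:
            return tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))
        except OverflowError:
            n += 1

def der_octet_string(data):
    return tlv(TAG_OCTET_STRING, data)

def encode_user_record(account_disabled, user_type, user_name, password):
    content = (der_boolean(account_disabled) + der_integer(user_type)
               + der_octet_string(user_name) + der_octet_string(password))
    return tlv(TAG_USER_RECORD, content)

def read_tlv(data):
    """Return (tag, content, remaining) for the first TLV, refusing truncation."""
    if len(data) < 2:
        raise ValueError("truncated TLV header")
    tag, first = data[0], data[1]
    pos = 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or len(data) < pos + count:
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if len(data) < pos + length:
        raise ValueError("content shorter than declared length")
    return tag, data[pos:pos + length], data[pos + length:]

def decode_user_record(data):
    """Walk the TLVs back into a dict; ValueError on wrong tags or trailing bytes."""
    tag, inner, rest = read_tlv(data)
    if tag != TAG_USER_RECORD or rest:
        raise ValueError("not exactly one UserRecord")
    fields = []
    while inner:
        t, v, inner = read_tlv(inner)
        fields.append((t, v))
    if [t for t, _ in fields] != [TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_OCTET_STRING]:
        raise ValueError("unexpected field tags")
    return {
        "account_disabled": fields[0][1] != b"\x00",
        "user_type": int.from_bytes(fields[1][1], "big", signed=True),
        "user_name": fields[2][1],
        "password": fields[3][1],
    }

def is_well_formed_record(data):
    try:
        decode_user_record(data)
        return True
    except ValueError:
        return False
```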
The command "ATH0" means to hang up the modem.
Key point: One of the juvenile tricks people play is to cause people to hang up their own modem. Once the modem connects, it goes into a different mode where it no longer accepts AT commands. However, a user can switch back to the command mode by sending the characters "+++" to the modem. Therefore, if somebody can remotely trick your PC into sending "+++ATH0", then your modem will hang up. One way of doing this is with the ping program, which sends an ICMP echo to the victim, which then replies with the same contents. E.g.:
```
ping -p 2b2b2b415448300d victim
```
The most popular exploits for this are spoofed ICMP pings, but it can be exploited in any number of ways. For example, one may include the following in an HTML webpage:
```html
<IMG src="http://www.robertgraham.com/images/x.gif?+++ATH0">
```
Example: Some classifications of attacks against computers are:
The first is the security audit, whereby a consulting firm comes in and validates a company's security profile. This is similar to how accounting firms review a company's books.
The second term is infosec specific, and means an "auditing" subsystem that monitors actions within the system. For example, it may keep a record of everyone who logs onto a system. Such a record is known as an audit trail.
Contrast: Authentication will identify who an individual is; authorization will identify what the individual is allowed to do.
Example: When you log in with your username and give the password, you are authenticating yourself to the system. You are proving that you are you because, in theory, only you know your password.
Contrast: Abstractly, anything that combats forgery is called authentication. For example, IPsec includes an Authentication Header (AH) that proves that a packet hasn't been modified in transit. However, this feature overlaps with the abstract concept of integrity: both are checked at the same time.
Examples:
Contrast: Three things used for
See also: Authentication is often mentioned along with other key security concepts such as integrity, confidentiality, and non-repudiation.
Contrast: The terms integrity and authenticity are widely used to mean the same thing. In other situations, they have subtly different meanings (especially law). The term integrity generally describes defending against malicious change of a message once it has been sent, whereas authenticity implies some sort of validation of the sender of the message to protect against forgeries.
Contrast: The terms authentication and authenticity are widely used to mean the same thing. The subtle difference is that authentication is about someone proving who they say they are, whereas authenticity is about proving that message was sent by a certain person.
Contrast: The first stage of authorization is generally authentication. Before you decide what an individual is allowed to do, you must first establish who they are. In some cases, authorization is independent from authentication, such as not allowing anybody to logon after midnight.
Controversy: Availability is one of the key sticking points in security. It is easy to secure things simply by making them unavailable: if a computer is turned off, nobody can hack into it. The trick to infosec is making things both available and secure. Examples of this problem are:
Antonym: The opposite of the infosec term "availability" is the hacking term "DoS".
See also: Availability is often mentioned along with other key security concepts such as integrity, authentication, confidentiality, and non-repudiation.
Key point: Most people don't understand cyberspace, and assume that their physical body and digital manifestation are the same thing. The hacking culture has a very different point of view: there is no direct correspondence between a real person and their online identity.
See also: pseudonym
[ back channel | back door | Back Orifice | backtrack | backtracking | banner | BASE64 | bash | bastion host | BBS | Bcc | beige box | Bell-LaPadula Model | BER | BGP | big-endian | binary | BIND | BinHex | biometrics | BIOS | birthday attack | birthday paradox | bit | black | black bag job | black-hat | BlackNet | Blind spoofing | block cipher | Blowfish | Blue Team | BlueBEEP | boink | bomb | bonk | boot sector | bootp | box | broadcast | broadcast domain | browser | brute force | BS7799 | BSD | buffer overflow | buffer overrun | bug | BUGTRAQ | BXA | byte-order ]
Contrast: Remote administration trojans (RATs) are NOT examples of back channels, but are instead forward channels. A RAT allows the hacker to contact the system from anywhere in the world, and allows the hacker to hide where he/she is coming from. A back channel, on the other hand, will contact the hacker, who must have a fixed IP address. This clearly fingers who the hacker is.
Key point: Typical back channel protocols are X Windows (xterm) and shells like Telnet. These programs are often built into the victim's system, so many attacks that can't otherwise compromise the system can still trigger a back channel that allows a remote shell.
See also: covert channel
Example:
Key point: Key features of backdoors are:
Key point: Back doors are frequently programmed into systems either benignly or maliciously. Most computers shipped today allow BIOS passwords to be set that will prevent the booting of the computer without the administrator first typing the password. However, since many people lose their password, such BIOSes often have back door passwords that allow the real password to be set. Similarly, a lot of remotely manageable network equipment (routers, switches, dialup banks, etc.) has backdoors for remote Telnet or SNMP. The frequency of such back doors is due to the fact that people are stupid, set passwords, forget them, then whine to customer support.
Key point: A backdoor can be added to any system. For example, when generating random session keys, a programmer may actually subvert the random number generator. Such subversion would then allow decrypting of the message by those who knew the specifics. This has already been done accidentally; some paranoids believe that some encryption products do this intentionally in order to get export approval of 128-bit products.
See also: trap-door
Example: Many programs contain built-in HTTP servers. This allows the program to be remotely managed from any web browser. These servers expect that only the files in their own directory and below will be read. However, hackers can still provide URLs that go up directories, and down into other directories in order to read any file from the system. For example, a hacker may be able to read the UNIX password file by typing in the URL: http://www.robertgraham.com/../../../etc/passwd.
Key point: This bug occurs because programmers frequently forget to double-check input.
Example: This bug is common. The original version of Win95 had this bug, so that if you had access to File and Print Sharing to any subdirectory, you also had access to the entire system. A huge number of HTTP servers and CGI scripts have this bug. Many FTP servers have had this bug. Even though this bug has been exploited for over 15 years, new variations of this technique are constantly being discovered in new programs.
Key point: Win9x has the quirk that three dots "..." means "two directories up", four dots "...." means "three directories up", and so on. Additionally, whereas on many UNIX systems going up past the top directory automatically generates an error, going above the top directory on Windows leaves you in the top directory. Therefore, filenames like "............/Windows/greg.pwl" are frequently seen: the hacker puts more than enough dots in the path in order to guarantee they reach the root directory.
Key point: Many popular Windows "personal web servers", including several versions shipped from Microsoft, have had either the "../.." or "....." vulnerability. In particular, since the "....." issue is not widely known, it is very common among those products that fix the first variant. FrontPage98 from Microsoft shipped with this bug.
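A document-root check that refuses both the UNIX "../" form and the Win9x "..." / "...." dot-run form of the traversal bug described in this entry, written from the server's side. This is an added example, not code from the dictionary or from any of the products named; the document root and request paths are constructed samples.

```python
import posixpath
from urllib.parse import unquote

def split_segments(request_path):
    """Decode %XX twice (catches double-encoded dots) and split on either slash."""
    decoded = unquote(unquote(request_path))
    return [s for s in decoded.replace("\\", "/").split("/") if s != ""]

def is_dot_run(segment):
    """True for "..", "...", "...." and longer: only dots, at least two of them.
    A single "." (current directory) is harmless and is left alone."""
    return len(segment) >= 2 and set(segment) == {"."}

def traversal_segments(request_path):
    """Every dot-run segment in a request, for logging or alerting."""
    return [s for s in split_segments(request_path) if is_dot_run(s)]

def safe_local_path(docroot, request_path):
    """Map a URL path onto docroot, or return None if the request must be refused.

    Dot-runs are rejected outright instead of being normalised, so it does not
    matter whether the host would treat "...." as three levels up (Win9x),
    clamp at the top directory (Windows) or report an error (UNIX)."""
    segments = split_segments(request_path)
    if any(is_dot_run(s) for s in segments):
        return None
    docroot = posixpath.normpath(docroot)
    prefix = docroot if docroot.endswith("/") else docroot + "/"
    local = posixpath.normpath(posixpath.join(docroot, *segments)) if segments else docroot
    # Belt and braces: whatever normpath did, the result must still sit under docroot.
    if local != docroot and not local.startswith(prefix):
        return None
    return local
```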
Key point: Many banners reveal the exact version of the product. Over time, exploits are found for specific versions of products. Therefore, the intruder can simply look up the version numbers in a list to find which exploit will work on the system. In the examples below, the version numbers that reveal the service has known exploitable weaknesses are highlighted.
Example: The example below is a RedHat Linux box with most of the default services enabled. The examples below show only the text-based services that show banners upon connection (in some cases, a little bit of input was provided in order to trigger the banners). Note that this is an older version of Linux; exploits exist for most of these services that would allow a hacker to break into this box (most are buffer-overflow exploits).
| Protocol | Port | Banner |
|---|---|---|
| FTP | 21 | `220 rh5.robertgraham.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov 1 03:08:32 EST 1997) ready.` |
| ssh | 22 | `SSH-2.0-2.1.0 SSH Secure Shell (non-commercial)` |
| Telnet | 23 | `Red Hat Linux release 5.0 (Hurricane) Kernel 2.0.31 on an i486 login:` |
| SMTP | 25 | `220 rh5.robertgraham.com ESMTP Sendmail 8.8.7/8.8.7; Mon, 29 Nov 1999 23:28:31 -0800` |
| finger | 79 | `Login Name Tty Idle Login Time Office Office Phone rob Robert David Graham p0 Nov 29 22:51 (gandalf) root root p1 Nov 29 23:34 (10.17.128.201:0.0)` |
| HTTP | 80 | `HTTP/1.0 200 OK Date: Tue, 30 Nov 1999 07:34:59 GMT Server: Apache/1.2.4 Last-Modified: Thu, 06 Nov 1997 18:20:06 GMT Accept-Ranges: bytes Content-Length: 1928 Content-Type: text/html` |
| POP3 | 110 | `+OK POP3 rh5.robertgraham.com v4.39 server ready` |
| identd | 113 | `0 , 0 : ERROR : UNKNOWN-ERROR` |
| IMAP4 | 143 | `* OK rh5.robertgraham.com IMAP4rev1 v10.190 server ready` |
| lp | 515 | `lpd: lp: Malformed from address` |
| uucp | 540 | `login:` |
Best practices: It is often recommended (and required in some government areas) to display a banner warning off unauthorized users. It makes the legal case stronger if you can show that the attacker saw a banner that indicated that they were unauthorized.
Best practices: All version information should be supressed in the banners.
See the product documentation for more information on this. An example on Solaris is
to edit the configuration file /etc/default/telnetd and added the line:
BANNER=""
This will remove the Solaris login banner, making it more difficult for an intruder to determine
the type of operating system.
|
SunOS 5.7 login: |
login: |
| Service | File | Parameter |
|---|---|---|
| Sendmail | sendmail.cf | O SmtpGreetingMessage= |
| Sun FTP | /etc/default/ftpd | BANNER="" |
| Sun Telnet | /etc/default/telnetd | BANNER="" |
See also: firewall
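An added example (not from the original dictionary) of the defender's side of this entry: a small audit script that parses the banners from the table above and reports which ports still disclose a product version, so you can verify your suppression settings actually took effect. The regexes and the `SAMPLE_BANNERS` dictionary are constructed here for the banner families shown on this page; the HTTP banner is abridged.

```python
import re
from typing import Dict, Optional, Tuple

# Banner families seen in the table above; each pattern captures the version string.
BANNER_PATTERNS = [
    ("wu-ftpd", re.compile(r"FTP server \(Version (wu-\S+)\s")),
    ("SSH", re.compile(r"^SSH-[\d.]+-(\S+)")),
    ("Sendmail", re.compile(r"Sendmail ([\d.]+)/")),
    ("Apache", re.compile(r"Server: Apache/([\d.]+)")),
    ("POP3/IMAP", re.compile(r"\bv(\d[\d.]*) server ready")),
    ("Red Hat Linux", re.compile(r"Red Hat Linux release ([\d.]+)")),
]


def extract_version(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) if the banner discloses one, else None."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def audit_banners(banners: Dict[int, str]) -> Dict[int, Tuple[str, str]]:
    """Map each port whose banner leaks a version to its (product, version)."""
    findings = {}
    for port, banner in banners.items():
        hit = extract_version(banner)
        if hit:
            findings[port] = hit
    return findings


# Constructed sample: the banners from the table above, keyed by port (HTTP abridged).
SAMPLE_BANNERS = {
    21: "220 rh5.robertgraham.com FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov 1 03:08:32 EST 1997) ready.",
    22: "SSH-2.0-2.1.0 SSH Secure Shell (non-commercial)",
    23: "Red Hat Linux release 5.0 (Hurricane) Kernel 2.0.31 on an i486 login:",
    25: "220 rh5.robertgraham.com ESMTP Sendmail 8.8.7/8.8.7; Mon, 29 Nov 1999 23:28:31 -0800",
    80: "HTTP/1.0 200 OK Server: Apache/1.2.4 Content-Type: text/html",
    110: "+OK POP3 rh5.robertgraham.com v4.39 server ready",
    113: "0 , 0 : ERROR : UNKNOWN-ERROR",
    143: "* OK rh5.robertgraham.com IMAP4rev1 v10.190 server ready",
}

if __name__ == "__main__":
    for port, (product, version) in sorted(audit_banners(SAMPLE_BANNERS).items()):
        print("port %d leaks %s version %s" % (port, product, version))
```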
...a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (e.g., clearance) of subjects to access information of such sensitivity
In this definition, a "subject" is somebody (user) who wants access to an "object" (information, data file, system). The subject and object have different security levels.
Objects (information, data, systems) are assigned security classification levels. A typical example would be:
unclassified < confidential < secret < top-secret
Subjects are assigned similar clearance levels that allow access to objects of similar level or below. For example, if you are a government employee with "secret" clearance level, you can access everything but "top-secret" information.
A classification level such as "top-secret" will also include categories. For example, you may have a "secret" clearance for NATO information, and "top-secret" clearance for all matters pertaining to nuclear weapons. The system follows the principle of least privilege. Therefore, you would not be cleared to access top-secret NATO nuclear plans because your NATO clearance isn't high enough.
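The level-and-category check described above, as an added example that is not part of the original dictionary. The `LEVELS` ordering is the one given in this entry; modelling clearance as a base level plus a per-category level is an assumption made here to reproduce the "secret for NATO, top-secret for nuclear" example, and `EMPLOYEE` is a constructed subject.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Classification levels from the entry above, lowest first.
LEVELS = ["unclassified", "confidential", "secret", "top-secret"]


def rank(level: str) -> int:
    """Position of a level in the ordering; raises ValueError on unknown labels."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class ObjectLabel:
    level: str
    categories: FrozenSet[str] = frozenset()  # e.g. {"NATO", "nuclear"}


@dataclass
class SubjectClearance:
    base_level: str                                              # for uncategorised objects
    per_category: Dict[str, str] = field(default_factory=dict)   # category -> cleared level


def may_read(subject: SubjectClearance, obj: ObjectLabel) -> bool:
    """"No read up": the subject's clearance must dominate the object's label.

    An object with no categories is compared against the subject's base
    clearance. An object with categories requires, for every one of them,
    a clearance in that category at least as high as the object's level;
    a missing category clearance denies access (least privilege).
    """
    if not obj.categories:
        return rank(subject.base_level) >= rank(obj.level)
    for category in obj.categories:
        cleared = subject.per_category.get(category)
        if cleared is None or rank(cleared) < rank(obj.level):
            return False
    return True


# Constructed subject matching the entry's example: "secret" for NATO,
# "top-secret" for nuclear matters, "secret" for everything else.
EMPLOYEE = SubjectClearance("secret", {"NATO": "secret", "nuclear": "top-secret"})

if __name__ == "__main__":
    plans = ObjectLabel("top-secret", frozenset({"NATO", "nuclear"}))
    print("top-secret NATO nuclear plans readable:", may_read(EMPLOYEE, plans))  # False
```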
Netiquette: USE BCC!!! It is a security breach to reveal people's e-mail addresses to others. For example, one of the recipients may be an MLM seller and will start spamming the other recipients. Another breach is a virus like Magister.B that will forward itself to addresses it finds while scanning the Inbox. There are cases where you want recipients to know about each other, but if you can't come up with a reason, you should use "Bcc:" instead of "Cc:" or "To:" fields.
Key point: BGP can be subverted in many ways. BGP is generally unauthenticated, and rogue ISPs can play havoc.
Contrast: The word binary usually means not text. In computers, every 8 binary digits are used to represent a byte. However, only 7 binary digits are needed to convey text (26 upper case letters, 26 lower case letters, 10 decimal digits, a number of punctuation characters, etc.). Therefore, data using just 7 binary digits per byte is always text data. It is pointless to say binary computer data, since all computer data is binary. When someone says binary, rather than being redundant, what they are really trying to convey is that the data in question isn't text data. For example, FTP is a text protocol, whereas SMB is a binary protocol.
Misconception: The word is also a noun (as well as the usual adjectival sense). A binary is a file containing binary (as opposed to text) data. In particular, you may hear the phrase "hackers replace the binaries on the victim's machine". What this really means is that the hackers have replaced many of the software programs (with trojans). This phrase comes about because executable programs contain binary, not text data. Therefore, a machine's binaries are its programs.
See also: A common issue is how to send binary data within a text protocol/message. For example, how can we send a binary within a text e-mail message? The answer is to "encode" the data. See the word encoding for more details.
History: The ancient Egyptians used biometrics in order to verify somebody's identity. They would make several measurements of body features (e.g. length of arms) and record them. Fingerprints have actually only been used in the last 100 years.
Example: The market for biometrics in the year 2000 was roughly $100 million. There are many methods, each with their own pros and cons (accuracy, ease of use, end-user prejudice, etc.).
Point: One area of biometrics focuses on those cases where the user isn't aware of the scan. For example, an airport may have a facial-features scanner designed to trigger on known terrorists. Equipment could be installed under the floor in order to identify people by their gait as they walk over it (such systems can distinguish among multiple people walking simultaneously). Body odor and DNA can be extracted from a person's "thermal plume" as they walk under a sniffing system.
Controversy: Biometrics introduces a huge privacy debate. For the first time, it provides the government with a means to track its citizens in a manner that the citizens cannot avoid. This gives totalitarian governments the ability to tightly control their populations. At the same time, it provides businesses an equal opportunity to invade their employees' and customers' privacy.
Controversy: Biometrics is based upon a single, unalterable identity. A private key, for example, can be destroyed in case it is compromised (through key revocation). However, your biometrics are with you for life. Today's authentication is usually through pseudonyms that are only roughly related to who you really are.
Key Point: Biometrics has a number of problems. The first is that biometric measurements get worse over time. People's signatures change over time. An injury can change fingerprints. Voice-recognition systems fail when people have a cold. Not all people have the requisite physical features (eyes, hands, etc.).
Pros: Biometrics cannot be forgotten; many companies are adopting biometrics as a cost-saving measure because lost passwords are becoming a leading problem in IT departments. Biometrics cannot be passed on from one person to another. Biometrics are extremely difficult to forge.
Culture: Biometrics have appeared frequently in movies, partially because of the Orwellian horrors they elicit from the audience. The entire plot of the movie Gattaca was based upon DNA biometrics. The Bond film "Diamonds are Forever" used a trick of thin rubber over the fingertips to forge someone else's fingerprints -- a trick that has been recently shown to work. Another Bond film used the trick of surgical alteration in order to defeat an iris scanner.
Key point: The BIOS stores configuration settings in NVRAM (Non-Volatile RAM). Remember that the contents of your normal RAM/memory are lost when you power off your computer. The contents of NVRAM, in contrast, are retained when power goes off. Most NVRAM consists of CMOS (low-power) chips with a small battery that constantly feeds power to the chips (such batteries last about 5 years). A common trick of hackers and viruses is to corrupt the CMOS settings, causing the computer to fail to boot. Removing the battery connection (usually a jumper on the motherboard) will cause the CMOS settings to be lost and reset back to the default (good) state.
Key point: All of today's BIOSes are stored in programmable ROMs, which allows them to be reprogrammed (usually with bug fixes from the manufacturer). This allows the hacker to reprogram them as well. While in theory hackers could reprogram their own code into the BIOS, in practice this has not been done yet. Instead, hackers can sometimes use this programming feature to corrupt the BIOS code (in much the same way they corrupt the BIOS settings mentioned above). This will usually prevent the system from booting even to a point where a fresh BIOS can be re-programmed into the system. This requires that the system be brought back to the vendor in order to have the BIOS reprogrammed. Note that you can often set a jumper on the motherboard that denies the ability to reprogram the BIOS.
Misconception: Naive users who get hacked often come up with the belief that the hacker has gotten into their BIOS and left some sort of backdoor behind. While such a thing is possible in theory, it never happens in practice.
Key point: Many BIOSes can be locked with a boot password. This prevents somebody from booting the machine without the password. However, for technical support reasons, they generally have backdoor passwords. Some of them are listed below. By the time you read this, these are likely to be out-of-date. However, if you type these strings into a search engine, you will probably be able to find the latest ones.
Key point: BIND provides about 80% of all DNS services. It is also enabled by default on a lot of Linux distributions. As a result, any exploit discovered for BIND has immediate and large impact on the Internet. As of November, 1999, all versions of BIND previous to 8.2.2-P5/4.9.7 have known holes that can be exploited. It is likely that these newer versions also have undiscovered exploitable holes as well.
Key point: BIND comes in two versions, 4.x and 8.x. This is largely due to backwards compatibility: people are running a lot of older servers and would rather patch them than upgrade to a newer version. Also, the newer 8.x code base has not been extensively peer-reviewed and is thought to be a lot less secure than the 4.x source base. UPDATE: BIND v9 is now available, though most users are sticking with v8.
Another way of looking at it is that most school classrooms have more than 23 students. Therefore, in more than half of all school classrooms, two students have the same birthday.
The reason this is surprising is because we are accustomed to thinking in terms of somebody having the same birthday as ourselves. In a room with 20 people, there is less than a 5% chance that somebody else has the same birthday as ourselves.
Key point: This fact is important in cryptography. For example, the cryptographic hash function creates a "unique" fingerprint of a file. It is virtually impossible for an attacker to create another messages that matches that unique fingerprint. However, there may be cases where an attacker wants to create two new messages with the same fingerprint. This second problem is a lot easier than the first. The attacker may want to create two contracts, then after having the first one digitally sign, substitute the second one in its place. For this reason, a common recommendation for third-party signature services is to add a seal along with the signature in order to change the resulting hash.
Example: Consider MD5, whose hash has a length of 128 bits. This means that creating a message that hashes to the same value as a given first message would take 2^128 brute-force attempts. However, choosing two messages that together hash to the same value takes only 2^64 attempts. In other words, if you have to match an existing message, the problem is tough, but if you can create both messages, the problem is easy. The upshot is that many cryptographic algorithms have to be strong enough to defend also against birthday attacks.
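An added example, not from the original dictionary, covering both halves of the birthday entry: the classroom probability computed exactly, and the 2^(n/2) collision bound made concrete by searching for two different constructed messages whose MD5 digests agree in their first 20 bits (a space of 2^20 values, so a collision is expected after roughly 2^10 attempts rather than 2^20). The function names and the "constructed message N" inputs are this example's own.

```python
import hashlib
import math
from typing import Optional, Tuple


def shared_birthday_probability(n: int, days: int = 365) -> float:
    """Probability that at least two of n people share a birthday.

    P(all distinct) = (days/days) * ((days-1)/days) * ...; return its complement.
    """
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct


def birthday_bound(bits: int) -> float:
    """Attempts to find *some* colliding pair in a `bits`-wide hash: about
    2^(bits/2), versus 2^bits to match one fixed target value."""
    return 2.0 ** (bits / 2)


def truncated_md5(message: bytes, bits: int) -> int:
    """Top `bits` bits of the MD5 digest, used as a toy hash with a small space."""
    digest = hashlib.md5(message).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(bits: int, limit: int) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: hash distinct constructed messages until two of them
    collide. Returns (first_message, second_message, attempts) or None."""
    seen = {}  # truncated hash -> first message that produced it
    for i in range(limit):
        msg = b"constructed message %d" % i
        h = truncated_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def verify_collision(hit: Optional[Tuple[bytes, bytes, int]], bits: int) -> bool:
    """True when `hit` holds two different messages with equal truncated hashes."""
    if hit is None:
        return False
    a, b, _ = hit
    return a != b and truncated_md5(a, bits) == truncated_md5(b, bits)


if __name__ == "__main__":
    print("P(shared birthday, 23 people) = %.3f" % shared_birthday_probability(23))
    print("birthday bound for a 128-bit hash = 2^%d" % math.log2(birthday_bound(128)))
    hit = find_collision(20, 1 << 16)
    if hit is not None:
        print("20-bit collision after %d attempts: %r vs %r" % (hit[2], hit[0], hit[1]))
```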
Key point: In many contexts, each additional bit means "twice as much". 8 extra bits means 256 times as much. 16 extra bits means 65536 times as much. Therefore, it takes 65536 times longer to brute-force crack a 56-bit key than a 40-bit key.
Key point: The inadvertent connection between black and red networks is one of the chief concerns of military-grade security.
Terminology:
History: In 2000, the FBI secretly entered the office of Nicodemo Scarfo and installed a keylogger. The FBI was able to capture Scarfo's password and decrypt his PGP-encoded e-mail.
History: The 1971 Watergate snafu was an illegal black-bag operation.
History: In October of 1993, Attorney General Janet Reno authorized the FBI to enter the home of Aldrich Ames, a suspected CIA mole. This was after months of electronic and physical surveillance, including searches of his trash.
Key point: Authorized black-bag jobs are sometimes part of pen-tests.
Controversy: Many believe that black-bag jobs are in violation of the Fourth Amendment.
In the class of hostile software, a logic bomb is some code left behind by a program that "goes off" at a particular time (such as deleting all the files on the computer on New Year's Eve). One theory was that Y2K consultants left logic bombs inside the code they were fixing in order to earn even more money after Y2K.
A mail bomb is the effect of sending somebody tons of e-mail (or large e-mail), overloading their mailbox and/or network connection. Sometimes this can be done with a program, other times it can be done simply by signing up the victim to huge numbers of e-mailing lists. Finally, it can be accidental, as happened once to Apple Computer when its mailing list software got out of control.
A time bomb is a bit of malware inserted into a system set to go off at a specific date.
History: In the old days of UNIX terminals, an e-mail message containing VT100 control codes in a logic bomb could completely hose a user's terminal, forcing them to log out. DOS machines supporting the ANSI.SYS driver also had that problem.
Example: Some well known programs for e-mail bombing are: Unabomber, Kaboom, UpYours, and Avalanche.
Key point: DHCP is simply an extension on top of bootp. This is important because without an IP address, clients cannot reach bootp servers that reside across routers. Virtually all routers have an extension for bootp forwarding that fixes this issue. Since DHCP had the same requirements, the designers just stuck it inside bootp packets rather than requiring yet another change to the routing infrastructure.
Key point: Until macro viruses came along, boot sector viruses were the most common variant. They spread through companies via floppy disks. Users would leave floppy disks in the drive and when the computer restarted, it would attempt to boot from the floppy. This would run the virus, which then infected the boot sector on the hard drive. Any further floppies plugged into the system would then be infected by the virus.
Countermeasures: I worked at a company with anal anti-virus procedures (anti-virus on all desktops, regular wiping of floppy disks). It was never able to completely free itself from the boot sector virus problem; one of the viruses was never successfully eradicated from the company. My own personal policy is to disconnect the floppies on 90% of the machines, and disable floppy bootup on the remaining machines.
Example: A cancel-bot is a program that attempts to cancel lots of messages within USENET newsgroups. These are sometimes used by the USENET Death Penalty or rogue cancellers.
Example: Search engine spiders that index the web follow web-page links, going from site to site, downloading web-pages.
Example: In the IRC wars, hackers run automated bots to control channels. These are programs (usually in C) that help in administering channels, protection against hackers, flooding, and so forth.
Misconception: Most of the information you read on boxes is terribly outdated and rarely works in the real world. There is the standard memetic drift going on: documents without dates and without descriptions of how they don't work in the modern world are invariably picked up and copied by people who believe in the magic but don't understand that the information is useless. Conversely, documents that dispel the magic and explain how hard it really is and how it mostly is no longer valid do not get copied widely.
Key point: Virtually all popular boxes no longer work in newly developed urban areas. However, phone company equipment doesn't change all that fast. While the average phone system is not vulnerable to such attacks, you can eventually find out-of-the-way places that are vulnerable if you look far enough.
Key point: Simply possessing such boxes is illegal under Title 18 USC section 1029.
Example:
Example: A popular DOS (Disk Operating System) program used in the mid-90s called "BlueBEEP" implemented much box functionality based upon tones.
Subdefinition: Ethernet has broadcast domains, allowing you to partially sniff some data from your neighbors, and possibly subvert it. Typical protocols that can be sniffed and subverted in this manner are: ARP, NetBIOS, MSBROWSE, rwho, bootp/DHCP, SNMP. An Ethernet broadcast address is "FF:FF:FF:FF:FF:FF".
Subdefinition: The Internet protocols TCP/IP support a feature known as a directed broadcast, which allows a remote person the ability to send a single packet to an entire subnet. This will then take advantage of the Ethernet broadcast domain once it reaches its destination. Attacks like smurf take advantage of this. A directed broadcast address looks something like 192.0.2.255, where the last integer "255" means "all devices on subnet 192.0.2.x".
Subdefinition: The special IP address of "255.255.255.255" is the local broadcast, and causes the packets to be sent to everyone locally, but not across the Internet.
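The three broadcast forms above, as an added example that is not part of the original dictionary: it computes a subnet's directed-broadcast address (generalising the 192.0.2.255 case to any prefix length, since only a /24 ends in .255), distinguishes it from the 255.255.255.255 limited broadcast, and models the router-side policy that defeats smurf amplification by refusing to forward directed broadcasts that arrive from outside. The function names and sample subnets are this example's own.

```python
import ipaddress
from typing import Iterable

# Limited broadcast: reaches every host on the local link and is never routed.
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def directed_broadcast_of(network: str) -> ipaddress.IPv4Address:
    """Directed-broadcast address of a subnet: all host bits set.

    192.0.2.0/24 -> 192.0.2.255, but 192.0.2.0/25 -> 192.0.2.127, so
    'last octet is 255' is only the /24 special case.
    """
    return ipaddress.ip_network(network, strict=False).broadcast_address


def classify_destination(dst: str, local_networks: Iterable[str]) -> str:
    """'limited-broadcast', 'directed-broadcast' (of one of our subnets) or 'unicast'."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if any(addr == directed_broadcast_of(net) for net in local_networks):
        return "directed-broadcast"
    return "unicast"


def should_forward(dst: str, from_outside: bool, local_networks: Iterable[str]) -> bool:
    """Router-side policy that removes the smurf amplifier: limited broadcasts
    are never routed, and directed broadcasts arriving from outside the site
    are dropped (what disabling directed-broadcast forwarding on a router does).
    Locally originated directed broadcasts (e.g. a legitimate subnet-wide
    service discovery) are still delivered."""
    kind = classify_destination(dst, local_networks)
    if kind == "limited-broadcast":
        return False
    if kind == "directed-broadcast" and from_outside:
        return False
    return True


if __name__ == "__main__":
    nets = ["192.0.2.0/24", "198.51.100.128/25"]  # constructed sample subnets
    for dst in ("192.0.2.255", "198.51.100.255", "198.51.100.127", "255.255.255.255"):
        print(dst, classify_destination(dst, nets), "forward from outside:",
              should_forward(dst, True, nets))
```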
Key point: Netscape and Microsoft have not yet produced a browser that is hardened against predation from hostile websites.
Key point: Disabli