RE: [Off topic] Looking for work

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed May 21 2003 - 20:57:15 MDT


    Adrian Tymes wrote,
    > This is IMO, but: the full potential of
    > "cyberwar" is vastly overblown - if people could
    > really and easily do the kinds of things they're
    > credited with, it'd be about like someone waving a
    > wand, melting an exterior wall of a bank vault, and
    > helping themselves to the contents without tripping
    > any alarms,

    I humbly disagree. My career is based on breaking into computer systems and
    revealing how I did it. I can assure you that I wouldn't get paid my high
    rates if I couldn't break in most of the time. People would get tired of
    paying me and not getting any surprises back.

    Most systems are deceptively easy to break into. The reason people don't do
    this is not because systems are secure. It is because there are so many
    records in the Internet, at the ISP, at the phone company, etc., that it is
    very hard to get away with the crime. I am almost always successful in
    breaking into computer systems. The secret is that I tell them when I break
    in, and they verify the evidence immediately afterwards, which leaves them
    amazed. They don't realize that I probably couldn't have gotten away with
    it for very long.

    Some public examples which you probably have heard about:
    - Spammers putting backdoor relays into other people's computers to spread
    spam
    - Microsoft's hotmail letting anyone reset anyone else's password to what
    they want
    - Viruses are obviously common and easy to spread and get inside companies
    - Denial of service attacks are trivial to do and hard to combat
    - Forgeries are constantly done by spammers and rarely traced back to the
    origin
    - Microsoft Outlook is full of product hooks that let executable commands
    get executed
    - Internet Explorer is also full of undocumented hooks to execute commands

    I have seen high level systems, military systems, on-line banking systems,
    and other highly secure systems with trivial security flaws that went
    unnoticed. Sometimes it is as trivial as editing your local cookie to
    change your userID after the system has already let you in under your own
    ID. Sometimes it is simply sniffing packets as they go by with cleartext
    passwords that are still used by most mail and web systems, and remote logins
    (telnet). Sometimes it is just a matter of replaying captured packets back
    to a server, even if you don't understand what they are doing, and see if it
    responds.

    Web interfaces are increasingly popular and trivial to break or exploit.
    Almost all websites have buffer overflow problems. Just type millions of
    characters into a field where the script only expects a few characters.
    Unless the program checks the length, it dutifully copies the entire thing
    into memory, overflowing the program, and overwriting the computer memory.
    At best, this just crashes the computer when it gets its memory filled with
    garbage. At worst, a good hacker can control what they type in and fill the
    computer memory with their own executable binary code.

    Forms are easy to break. Take a simple website that asks for a name and
    repeats it back to you. "Who are you?" "Harvey" "Hello, Harvey!" If they
    don't carefully filter out dangerous characters from my input, nothing stops
    me from inserting text into their executing script. Instead of saying my
    name is "Harvey" and having them "print Hello, Harvey!", I say my name is
    "Harvey ; delete *.*" and have them execute "print Hello, Harvey" and
    "delete *.*"! This is trivial stuff that affects most sites.

    Many commerce sites are too stupid to check for unexpected values. I can
    order negative numbers of items on some sites, and they dutifully will
    deduct the negative prices from my total bill.

    There are whole databases of "known vulnerabilities" that document all these
    known problems in specific versions of software. Your mail headers tell me
    what version of mail you are running. Your website identifies itself and
    version number in the header of web sessions (not usually displayed by the
    browser, but available if you know how to access the data). Servers always
    identify themselves and their version number when you connect, even if you
    don't have a valid login. All you have to do is look up these products to
    see what known vulnerabilities exist, and just follow the directions.

    Even brute-force methods are viable. Many online banking systems only have
    four-digit PIN numbers, which yield 9999 passwords. Many of these don't
    lock out users after failed attempts, because too many people lock
    themselves out. So, how long does it take to send 9999 packets to a website
    to see if one of them gets in? On an extremely slow modem sending only 10
    packets per second, it would take about 1000 seconds or 17 minutes.

    Worse, you don't even have to do any technical hacking. Most banks, credit
    cards, stores and other accounts will let you register on-line to get into
    your account. They "verify" you by asking your social-security number or
    mother's maiden name or telephone number or street address. These are all
    matters of public record. I can get into these accounts for most people
    just by looking up the required information. No "hacking" required. This
    should give you a hint how lax security is. People don't even try that hard
    to achieve security. They just throw something together with little
    thought.

    The worst example of a lack of thought was the revelation that most
    real-money gambling sites allowed people to just push the "back" button on
    their browser to replay the last turn again. It seems obvious after the
    fact, but many companies never considered it beforehand. Companies are so
    focused on low-cost, high-production, fast-paced delivery, that security is
    almost always left out or applied as an afterthought.

    Really, these methods are trivial to anybody who wants to learn them. Only
    people unfamiliar with this stuff doubt it exists. It is easy to
    demonstrate, easy to learn, and easy to exploit. And it happens a lot more
    than people think. Most companies do not publicize when incidents have
    occurred. I have been hired by many companies to respond to incidents that
    never made the press.

    --
    Harvey Newstrom, CISSP, IAM, GSEC, IBMCP
    <www.HarveyNewstrom.com> <www.Newstaff.com>
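Added illustration of the form-injection passage above ("Harvey ; delete *.*"); this is constructed example code, not anything from the original message. It shows the command line a naive greeting script would hand to a shell and how many commands the shell would actually see, beside a version that passes the field as a single argv element and an allow-list check (the name pattern is an assumption; a Python one-liner stands in for the site's greeting script).

```python
"""Form field reaching a shell: the "Hello, <name>!" example from the post.

Constructed example. vulnerable_command() builds the string a careless
script would pass to 'sh -c' (it is only inspected here, never executed);
greet_no_shell() and greet_hardened() show the defensive alternatives.
"""
import re
import shlex
import subprocess
import sys

# Assumed allow-list for a "name" field: letters, spaces, hyphens, apostrophes.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")
# Tokens a POSIX shell treats as command separators.
SEPARATORS = {";", ";;", "&&", "||", "|", "&", "\n"}


def vulnerable_command(name: str) -> str:
    """The command line a script would hand to 'sh -c' after concatenating the field."""
    return "echo Hello, " + name + "!"


def shell_command_count(cmdline: str) -> int:
    """How many separate commands a shell would see in cmdline (1 if no separators)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for tok in lexer if tok in SEPARATORS)


def validate_name(name: str) -> bool:
    """Allow-list check: reject anything that is not a plausible name."""
    return NAME_RE.fullmatch(name) is not None


def greet_no_shell(name: str) -> str:
    """Greet without a shell: the field is one argv element, so metacharacters
    in it stay literal text and cannot start a second command."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print('Hello, ' + sys.argv[1] + '!')", name],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()


def greet_hardened(name: str) -> str:
    """Defense in depth: validate first, then never involve a shell."""
    if not validate_name(name):
        raise ValueError("rejected name field")
    return greet_no_shell(name)


if __name__ == "__main__":
    for field in ("Harvey", "Harvey ; delete *.*"):
        cmd = vulnerable_command(field)
        print(f"{field!r}: shell would run {shell_command_count(cmd)} command(s): {cmd}")
        print("  no-shell greeting:", greet_no_shell(field))
        print("  allow-list accepts:", validate_name(field))
```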
    


    This archive was generated by hypermail 2.1.5 : Wed May 21 2003 - 21:12:02 MDT