A Little Terminology
Who Are Hackers, Crackers, Phreaks, and Cyberpunks?
Our first ''intermission" begins by taking time out to define the terms hacker, cracker, phreak, and cyberpunk. This is necessary, because they are often used interchangeably; for example, a hacker could also be a cracker; a phreak may use hacking techniques; and so on. To help pinpoint the specifics of each of these, let's define how they're related:
• A hacker is typically a person who is totally immersed in computer technology and computer programming, someone who likes to examine the code of operating sys tems and other programs to see how they work. This individual then uses his or her computer expertise for illicit purposes such as gaining access to computer systems without permission and tampering with programs and data on those systems. At that point, this individual would steal information, carry out corporate espionage, and install backdoors, virii, and Trojans.
• A cracker is a person who circumvents or defeats the security measures of a network or particular computer system to gain unauthorized access. The classic goal of a cracker is to obtain information illegally from a computer system to use computer resources illegally. Nevertheless, the main goal of the majority is to merely break into the system.
• A phreak is a person who breaks into telephone networks or other secured telecommunication systems. For example, in the 1970s, the telephone system used audible tones as switching signals; phone phreaks used their own custom-built hardware to match the tones to steal longdistance services. Despite the sophisticated security barriers used by most providers today, service theft such as this is quite common globally.
• The cyberpunk can be considered a recent mutation that combines the characteristics of the hacker, cracker, and phreak. A very dangerous combination indeed.
It has become an undeniable reality that to successfully prevent being hacked, one must think like a hacker, function like a hacker, and, therefore, become a hacker.
LmiljJjAcknowledging participation from legendary hacker Shadowlord and various members of the Underground hacker community, who wish to remain anonymous, the remainder of this intermission will address hacking background, hacker style, and the portrait of a hacker.
What Is Hacking?
Hacking might be exemplified as inappropriate applications of ingenuity; and whether the result is a practical joke, a quick vulnerability exploit, or a carefully crafted security breach, one has to admire the technological expertise that was applied.
For the purpose of conciseness, this section treats as a single entity the characteristics of hackers, crackers, and phreaks.
Perhaps the best description of hacking, however, is attributed to John Vranesevich, founder of AntiOnline (an online security Web site with a close eye on hacker activity). He called hacking the "result of typical inspirations." Among these inspirations are communal, technological, political, economical, and governmental motivations:
• The communal hacker is the most common type and can be compared to a talented graffiti "artist" spraying disfiguring paint on lavish edifices. This personality normally derives from the need to control or to gain acceptance and/or group supremacy.
• The technological hacker is encouraged by the lack of technology progression. By exploiting defects, this individual forces advancements in software and hardware development.
• Similar to an activist's rationale, the political hacker has a message he or she wants to be heard. This requirement compels the hacker to routinely target the press or governmental entities.
• The economical hacker is analogous to a common thief or bank robber. This person commits crimes such as corporate espionage and credit card fraud for personal gain or profit.
• Though all forms of hacking are illegal, none compares to the implications raised by the governmental hacker. The government analogizes this profile to the common terrorist.
Exposing the Criminal
The computer security problem includes not only hardware on local area networks, but more importantly, the information contained by those systems and potential vulnerabilities to remote-access breaches.
Market research reveals that computer security increasingly is the area of greatest concern among technology corporations. Among industrial security managers in one study, computer security ranked as the top threat to people, buildings, and assets (Check Point Software Technologies, 2000). Reported incidents of computer hacking, industrial espionage, or employee sabotage are growing exponentially. Some statistics proclaim that as much as 85 percent of corporate networks contain vulnerabilities.
In order to successfully "lock down" the computer world, we have to start by securing local stations and their networks. Research from management firms including Forrester indicates that more than 70 percent of security executives reveal that their server and Internet platforms are beginning to emerge in response to demand for improved security. Online business-to-business (B2B) transactions will grow to $327 billion in 2002, up from $8 billion last year, according to Deborah Triant, CEO of firewall vendor Check Point Software, in Redwood City, California. But to protect local networks and online transactions, the industry must go beyond simply selling firewall software and long-term service, and provide vulnerable security clarifications. The best way to gain this knowledge is to learn from the real professionals, that is, the hackers, crackers, phreaks, and cyberpunks
Who are these so-called professionals? Common understanding is mostly based on unsubstantiated stories and images from motion pictures. We do know that computer hacking has been around since the inauguration of computer technology. The first hacking case was reported in 1958. According to the offenders, all hackers may not be alike, but they share the same quest—for knowledge. The following excerpt submission from the infamous hacker guru, Mentor, reveals a great deal about this underground community:
Another one got caught today; it's all over the papers: "Teenager Arrested in Computer Crime Scandal,'' "Hacker Arrested after Bank Tampering."
"Damn kids. They're all alike."
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker; enter my world... .Mine is a world that begins with school. I'm smarter than most of the other kids; this crap they teach us bores me.
"Damn underachiever. They're all alike."
I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head... "
"Damn kid. Probably copied it. They're all alike."
I made a discovery today. I found a computer. Wait a second; this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me, or feels threatened by me, or thinks I'm a smart-ass, or doesn't like teaching and shouldn't be here.
"Damn kid; all he does is play games. They're all alike."
And then it happened: a door opened to a world. rushing through the phone line like heroin through an addict's veins; an electronic pulse is sent out; a refuge from the day-to-day incompetencies is sought; a board is found. "This is it. this is where I belong. I know everyone here. even if I've never met them, never talked to them, may never hear from them again. I know you all. ."
"Damn kid. Tying up the phone line again. They're all alike."
You bet your ass we're all alike; we've been spoon-fed baby food at school when we've hungered for steak. The bits of meat that you did let slip through were prechewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few were like drops of water in the desert. This is our world now. the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it weren't run by profiteering gluttons. And you call us criminals. We explore. And you call us criminals. We seek after knowledge. And you call us criminals. We exist without skin color, without nationality, without religious bias. And you call us criminals. You build atomic bombs; you wage wars; you murder, cheat, and lie to us, and try to make us believe it's for our own good, yet we're the criminals...
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not by what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
Regardless of the view of hacker as criminal, there seems to be a role for the aspiring hacker in every organization. Think about it: who better to secure a network, the trained administrator or the stealthy hacker? Hackers, crackers, phreaks, and cyberpunks seek to be recognized for their desire to learn, as well as for their knowledge in technologies that are guiding the world into the future. According to members of the Underground, society cannot continue to demonstrate its predisposition against hackers. Hackers want the populace to recognize that they hack because they have reached a plateau; to them, no higher level of learning exists. To them, it is unfair for the public to regard the hacker, cracker, phreak, and cyberpunk as one malicious group. Still, remember what the Mentor said: "I am a hacker, and this is my manifesto.You may stop this individual, but you can't stop us all... after all, we're all alike."
Profiling the Hacker
Profiling the hacker has been a difficult, if not fruitless undertaking for many years now. According to the FBI postings on Cyber-Criminals in 1999, the profile was of a nerd, then of a teen whiz-kid; at one point the hacker was seen as the antisocial underachiever; at another, the social guru. Most hackers have been described as punky and wild, because they think differently, and it is reflected in their style. None of this rings true anymore. A hacker may be the boy or girl next door. A survey of 200 well-known hackers reported that the average age of a hacker is 16-19, 90 percent of whom are male; 70 percent live in the United States. They spend an average of 57 hours a week on the computer; and 98 percent of them believe that they'll never be caught hacking. The typical hacker probably has at least three of the following qualities:
• Is proficient in C, C++, CGI, or Perl programming languages.
• Has knowledge of TCP/IP, the networking protocol of the Internet.
• Is a heavy user of the Internet, typically for more than 50 hours per week.
• Is intimately familiar with at least two operating systems, one of which is almost certainly UNIX.
• Was or is a computer professional.
• Is a collector of outdated computer hardware and software.
Do any of these characteristics describe you? Do you fit the FBI profile? Could they be watching you? Further observations from the hacker profiles reveal common security class hack attacks among many different hacker groups. Specific penetrations are targeted at Security Classes C1, C2, B1, and
B2.
Security Levels
The National Computer Security Center (NCSC) is the United States government agency responsible for assessinging software/hardware security. It carries out evaluations based on a set of requirements outlined in its publication commonly referred to as the "Bright Orange Book." This book refers to security breaches that pertain to the NCSC classes defined in the following subsections.
Security Class C1: Test Condition Generation
The security mechanisms of the ADP system shall be tested and found to work as claimed in the system documentation [Trusted Computing System Evaluation Criteria (TCSEC) Part I, Section 2.1]. The trusted computer system evaluation criteria defined in this document classify systems into four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind: (a) to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information; (b) to provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications; and (c) to provide a basis for specifying security requirements in acquisition specifications. Two types of requirements are delineated for secure processing: (a) specific security feature requirements and (b) assurance requirements. Some of the latter requirements enable evaluation personnel to determine if the required features are present and functioning as intended. The scope of these criteria is to be applied to the set of components comprising a trusted system, and is not necessarily to be applied to each system component individually. Hence, some components of a system may be completely untrusted, while others may be individually evaluated to a lower or higher evaluation class than the trusted product considered as a whole system. In trusted products at the high end of the range, the strength of the reference monitor is such that most of the components can be completely untrusted. Though the criteria are intended to be application-independent, the specific security feature requirements may have to be interpreted when applying the criteria to specific systems with their own functional requirements, applications or special environments (e.g., communications processors, process control computers, and embedded systems in general). The underlying assurance requirements can be applied across the entire spectrum of ADP system or application processing environments without special interpretation.
For this class of systems, the test conditions should be generated from the system documentation, which includes the Security Features User's Guide (SFUG), the Trusted Facility Manual (TFM), the system reference manual describing each Trusted Computing Base (TCB) primitive, and the design documentation defining the protection philosophy and its TCB implementation. Both the SFUG and the manual pages illustrate, for example, how the identification and authentication mechanisms work and whether a particular TCB primitive contains relevant security and accountability mechanisms. The Discretionary Access Control (DAC) and the identification and authentication conditions enforced by each primitive (if any) are used to define the test conditions of the test plans.
Test Coverage
Testing shall be done to assure that there are no obvious ways for an unauthorized user to bypass or otherwise defeat the security protection mechanisms of the TCB [TCSEC, Part I, Section 2.1].
The team shall independently design and implement at least five system-specific tests in an attempt to circumvent the security mechanisms of the system [TCSEC, Part II, Section 10].
These two TCSEC requirements/guidelines define the scope of security testing for this security class. Since each TCB primitive may include security-relevant mechanisms, security testing will include at least five test conditions for each primitive. Furthermore, because source code analysis is neither required nor suggested for class C1 systems, monolithic functional testing (i.e., a black-box approach) with boundary-value coverage represents an adequate testing approach for this class. Boundary-value coverage of each test condition requires that at least two calls of each TCB primitive be made, one for the positive and one for the negative outcome of the condition. Such coverage may also require more than two calls per condition.
Whenever a TCB primitive refers to multiple types of objects, each condition is repeated for each relevant type of object for both its positive and negative outcomes. A large number of test calls may be necessary for each TCB primitive because each test condition may in fact have multiple related conditions, which should be tested independently of each other.
Security Class C2: Test Condition Generation
Testing shall also include a search for obvious flaws that would allow violation of resource isolation, or that would permit unauthorized access to the audit and authentication data [TCSEC, Part I, Section 2.2].
These added requirements refer only to new sources of test conditions, not to a new testing approach, nor to new coverage methods. The following new sources of test conditions should be considered:
• Resource isolation conditions. These test conditions refer to all TCB primitives that implement specific system resources (e.g., object types or system services). Test conditions for TCB primitives implementing services may differ from those for TCB primitives implementing different types of objects. Thus, new conditions may need to be generated for
TCB services. The mere repetition of test conditions defined for other TCB primitives may not be adequate for some services. • Conditions for protection of audit and authentication data. Because both audit and authentication mechanisms and data are protected by the TCB, the test conditions for the protection of these mechanisms and their data are similar to those that show that the TCB protection mechanisms are tamperproof and noncircumventable. For example, these conditions show that neither privileged TCB primitives nor audit and user authentication files are accessible to regular users.
Test Coverage
Although class C1 test coverage suggests that each test condition be implemented for each type of object, coverage of resource-specific test conditions also requires that each test condition be included for each type of service (whenever the test condition is relevant to a service). For example, the test conditions that show that direct access to a shared printer is denied to a user will be repeated for a shared tape drive with appropriate modification of test data (i.e., test environments setup, test parameters, and outcomes).
Security Class B1: Test Condition Generation
The objectives of security testing shall be: to uncover all design and implementation flaws that would permit a subject external to the TCB to read, change, or delete data normally denied under the mandatory or discretionary security policy enforced by the TCB; as well as to ensure that no subject (without authorization to do so) is able to cause the TCB to enter a state such that it is unable to respond to communications initiated by other users [TCSEC, Part I, Section 3.1].
The security-testing requirements of class B1 are more extensive than those of either class C1 or C2, both in test condition generation and in coverage analysis. The source of test conditions referring to users' access to data includes the mandatory and discretionary policies implemented by the TCB. These policies are defined by an informal policy model whose interpretation within the TCB allows the derivation of test conditions for each TCB primitive. Although not explicitly stated in the TCSEC, it is generally expected that all relevant test conditions for classes C1 and C2 also would be used for a class B1 system.
Test Coverage
All discovered flaws shall be removed or neutralized and the TCB retested to demonstrate that they have been eliminated and that new flaws have not been introduced [TCSEC, Part I, Section 3.1].
The team shall independently design and implement at least fifteen system specific tests in an attempt to circumvent the security mechanisms of the system [TCSEC, PartII, Section 10].
Although the coverage analysis is still boundary-value, security testing for class B1 systems suggests that at least 15 test conditions be generated for each TCB primitive that contains security-relevant mechanisms, to cover both mandatory and discretionary policies. In practice, however, a substantially higher number of test conditions is generated from interpretations of the (informal) security model. The removal or the neutralization of found errors, and the retesting of the TCB, requires no additional types of coverage analysis.
Security Class B2: Test Condition Generation
Testing shall demonstrate that the TCB implementation is consistent with the descriptive top-level specification [TCSEC, Part I, Section 3.2].
This requirement implies that both the test conditions and coverage analysis of class B2 systems are more extensive than those of class B1. In class B2 systems, every access control and accountability mechanism documented in the descriptive top-level specification (DTLS) (which must be complete as well as accurate) represents a source of test conditions. In principle, the same types of test conditions would be generated for class B2 systems as for class B1 systems, because, first, in both classes, the test conditions could be generated from interpretations of the security policy model (informal at B1 and formal at B2), and second, in class B2, the DTLS includes precisely the interpretation of the security policy model. In practice, however, this is not the case because security policy models do not model a substantial number of mechanisms that are, nevertheless, included in the DTLS of class B2 systems. The number and type of test conditions can therefore be substantially higher in a class B2 system than in a class B1 system, because the DTLS for each TCB primitive may contain additional types of mechanisms, such as those for trusted facility management.
Test Coverage
It is not unusual to have a few individual test conditions for at least some of the TCB primitives. As suggested in the approach defined in the previous section, repeating these conditions for many of the TCB primitives to achieve uniform coverage can be both impractical and unnecessary. This is particularly true when these primitives refer to the same object types and services. For this reason, and because source-code analysis is required in class B2 systems to satisfy other requirements, the use of the gray-box testing approach is recommended for those parts of the TCB in which primitives share a substantial portion of their code. Note that the DTLS of any system does not necessarily provide any test conditions for demonstrating the tamper-proof capability and noncircumventability of the TCB. Such conditions should be generated separately.
Kickoff
The cyber-criminal definitions, profiles, and security class information guidelines are provided to give an indication of the extent and sophistication of the highly recommended hack attack penetration testing, covered in the rest of this book. Individuals and organizations wishing to use the "Department of Defense Trusted Computer System Evaluation Criteria," along with underground hacker techniques for performing their own evaluations, may find the following chapters useful for purposes of planning and implementation.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment