Log in ...Tribune: IT supplement of The Tribune, Chandigarh, India. Feature page

Monday, September 9, 2002		Feature

Intrusion by hook or crook
Pukhraj Singh

ACCORDING to a survey by webstats.com, an average individual nowadays gets the same amount of information in a single day, what an 19th century man used to get in his whole life. It’s not easy to hang out there in the ‘Infinity void’ as unknown dangers lurk from the sinister nooks and corners of the Net.

There are all types of Netizens — from researchers to rookies, from thieves to psychos. The WWW gives colossal freedom and no central authority. It’s this order that attracts baddies. The hackers can wreak mayhem on a PC with their custom-made scripts. He is the modern criminal, which the media calls cyber criminal. Even the Indian defence ministry has released information warfare brochure to offset cyber terrorism (and chiefly to counter the increasing attacks on Indian servers). Essentially, no firewall or IDS (Intrusion Detection System) can impede him; hence you have to fight your own war. This war is just akin to any other war with the same tactics used.

Mission plan

Here are some pre-emptive attacks. These full-fledged attacks can be divided in phases with each one comprising special tricks and techniques:

1. Recon phase: In this the victim host is scanned for information, which might prove out to be the loophole to be exploited to gain unauthorised access. Victim is scanned for services running, the operating system and any other fact, which might lead to his apprehension. NESSUS is the best free stealth scanner available on the Internet.

2. Mapping phase: This involves mapping of the information gathered with some databases to find some solid loopholes and vulnerabilities. The most commonly used databases are CERT (Computer Emergency Response Team) advisories and Bugtraq. These advisories are then customised for that specific victim system if required.

3. Let loose phase: Now the stockpile collected is let loose on the system. Various exploits are executed to gain leveraged access. Required job like stealing passwords or credit card numbers is done and then crackers bail out.

4. Retro phase: A fine perpetrator always destroys evidence, which could lead to his identification. The best way is to reiterate. Like deletion of log files or disabling of file system integrity checkers.

Modus operandi

Some methods that are used.

1. Buffer overflow: This is the nightmare of all programmers. In a programming language like C, variables declared store the required data in memory. Every variable can store some fixed amount of data. If some more data is assigned to a variable than can be handled, the program crashes. Then the attacker overwrites memory stack of the program with custom-made payload, the next instruction pointer is then made to point to the address of this payload, which when executed leads to the desired privileged access .The Plug n Play vulnerability in Windows XP in 2002 was due to a buffer overflow.

2. Spoofing: Spoofing basically means to steal someone's identity. In this attack the general methods used is to exploit the notion of trust between two computers. Trust means two computers can use each other’s resources without any authentication. The trust is established via a file or a database. In this method the attacker spoofs the identity of a trusted computer and then gains access. The victim checks the target's request for access from a file or a database and then allows him to go on. The most famous spoofing attack is the rhosts attack.

3. Man in the middle attack: In this method, the attacker spies on a previously established connection. When the time is ripe, hijacks the connection for misuse. This method requires a lot of practice and time. First, the attacker spies on a previously established connection to get the connection details like sequence numbers of SYN packets transferred during the initial TCP handshake. After getting some initial sequences of SYN packets attacker starts sending fake packets with incrementing sequence numbers, even if one of the packets gets in the server, the attacker hijacks the connection. The attacker has to take care of the real requesting client also. This is done by generally flooding him and consequently it chokes out. The best software for session hijacking is Juggernaut. Another method is to spy on the connection for credentials like password or credit card numbers by sniffing the packets being transferred.

Hook the cyber crook
M.P. Kumar and Vinay Garg

A defence mechanism must be designed to outsmart human behaviour and psychology, as one must not forget that an intruder is a person with wicked mind. Security system must anticipate and provide for control techniques designed in light of the tools that an abuser of computer technology may use to cause harm

At physical layer level there is every possibility of wiretapping and this can be prevented by enclosing transmission line in sealed tubes containing chemically non-reactive argon gas. An attempt by intruder to drill into tube will trigger alarm and prevent the break-in attempt. Some military organisations and defence systems use this technique.

The phenomenon of e-mail interception and reading the message has spurt in the recent past. It has, therefore, become necessary to secure the message by encryption techniques as it travels the communication network. The encryption software like PGP (Pretty Good Privacy) reads the original message called plain text and converts it into secret message called cipher text, with a "key" based on a certain algorithm of writing concealed ciphers. All this has become possible with the art and science of writing secret messages, better known as cryptography. PGP software is available on the Net and one can download it from www.pgpi.org.

Another technique that has become an integral part on computer security is firewall, which is used to secure corporate network from the intruders. A firewall box is a set of software and hardware that serves as security wall between corporate network and the Internet thereby preventing intruder’s attempt to gain access to company databases through the Internet.

Another powerful technique of ensuring system security, better known as biometrics, is becoming quite popular. In this physical characteristics of employees dealing with computer system are stored in database. Biometrics requires scanning and comparing of fingerprint impressions, retina recognition, facial verification, voice recognition etc and access is granted only when characteristics tally with those stored in the database.