Bharat Banate's Work Profile


Tuesday, March 25, 2008

What is Hacking?

Username: system
Password: manager
Welcome to ABL Computer Research Lab. You have five new messages.
$

That is how easy it was to hack into a computer network. The most prominent definition of hacking is the act of gaining access without legal authorization to a computer or computer network. A hacker first attacks an easy target, and then uses it to hide his or her traces for launching attacks at more secure sites. The goal of an attack is to gain complete control of the system (so you can edit, delete, install, or execute any file in any user’s directory), often by gaining access to a "super-user" account. This will allow both maximum access and the ability to hide your presence.

Often attacks are based on software bugs that a hacker can use to give himself or herself super-user status. The example above was used by West German hacker "Pengo" who exploited the fact that many systems came with default usernames and passwords which some buyers neglected to change. He succeeded by persistence.

Also one can get a copy of the password file (which stores usernames and encrypted passwords and is often publicly accessible) and either do a brute-force attack trying all possible combinations, or encrypt a dictionary and compare the results to see if anyone chose a password that is a dictionary word. Another method of hacking is to email someone a program that either automatically runs, or that runs when they click on an attachment. This can install a program that will give you control of their computer. L0pht Heavy Industry’s Back Orifice 2000 (a crude parody of Microsoft’s Office 2000) allows someone to have nearly complete control (running programs, deleting files, viewing the screen, logging typed keys, etc.) over the target computer without being noticed. One complicated method, known as IP spoofing, is to get one computer to pretend that it is another one which is trusted by the target system, thus gaining the access privileges of the latter.

Early hackers needed to be very knowledgeable so that they were able to identify bugs themselves (a task requiring extensive knowledge about the operating system, and reading complex manuals) and often write their own programs to exploit them. They had to keep track of the leading developments in the field (latest bugs, latest patches, latest bugs in the patches, etc.). Later hackers were able to increasingly rely upon the hacking community to identify bugs and write programs that could be adapted for their specific purpose. For instance, famed hacker Kevin Mitnick used a trojan horse written by the West German Chaos Gang to gain access to hundreds of systems. As another example, it does not take much intelligence to download a copy of Back Orifice 2000 from www.bo2k.com and send a copy of the client as an attachment disguised as a game or cute program, to an unsuspecting person. In fact, Back Orifice has been downloaded over 300,000 times (Deane 1999) and received substantial computer media coverage. In Pengo’s case it is often more a matter of dedication and trying well-known recipes until one finds a place that has not fixed the bugs, than genius.

The growing number of inexperienced hackers (deridingly called "lamers" or "crackers"), due to the growth first in BBSes and then in the Internet, helps explain the antagonism between the older generation that did more of the problem-solving for themselves and the new generation that can get a quick start by running hacker programs without understanding how they work. The reaction of the older generation is to shun the newbies, thus ignoring those who might show talent as well as those who are in it just to copy tactics.

Sunday, September 30, 2007

Security: Steganography

Over the past couple of years, steganography has been the source of a lot of discussion, particularly as it was suspected that terrorists connected with the September 11 attacks might have used it for covert communications. While no such connection has been proven, the concern points out the effectiveness of steganography as a means of obscuring data. Indeed, along with encryption, steganography is one of the fundamental ways by which data can be kept confidential. This article will offer a brief introductory discussion of steganography: what it is, how it can be used, and the true implications it can have on information security.

What is Steganography?

While we are discussing it in terms of computer security, steganography is really nothing new, as it has been around since the times of ancient Rome. For example, in ancient Rome and Greece, text was traditionally written on wax that was poured on top of stone tablets. If the sender of the information wanted to obscure the message - for purposes of military intelligence, for instance - they would use steganography: the wax would be scraped off, the message would be inscribed or written directly on the tablet, and wax would then be poured on top of the message, thereby obscuring not just its meaning but its very existence[1].

According to Dictionary.com, steganography (also known as "steg" or "stego") is "the art of writing in cipher, or in characters, which are not intelligible except to persons who have the key; cryptography" [2]. In computer terms, steganography has evolved into the practice of hiding a message within a larger one in such a way that others cannot discern the presence or contents of the hidden message[3]. In contemporary terms, steganography has evolved into a digital strategy of hiding a file in some form of multimedia, such as an image, an audio file (like a .wav or mp3) or even a video file.

What is Steganography Used for?

Like many security tools, steganography can be used for a variety of reasons, some good, some not so good. Legitimate purposes can include things like watermarking images for reasons such as copyright protection. Digital watermarks (also known as fingerprinting, significant especially in copyrighting material) are similar to steganography in that they are overlaid in files, which appear to be part of the original file and are thus not easily detectable by the average person. Steganography can also be used as a way to make a substitute for a one-way hash value (where you take a variable length input and create a static length output string to verify that no changes have been made to the original variable length input)[4]. Further, steganography can be used to tag notes to online images (like post-it notes attached to paper files). Finally, steganography can be used to maintain the confidentiality of valuable information, to protect the data from possible sabotage, theft, or unauthorized viewing[5].

Unfortunately, steganography can also be used for illegitimate reasons. For instance, if someone was trying to steal data, they could conceal it in another file or files and send it out in an innocent looking email or file transfer. Furthermore, a person with a hobby of saving pornography, or worse, to their hard drive, may choose to hide the evidence through the use of steganography. And, as was pointed out in the concern for terroristic purposes, it can be used as a means of covert communication. Of course, this can be both a legitimate and an illegitimate application.

Steganography Tools

There are a vast number of tools that are available for steganography. An important distinction that should be made among the tools available today is the difference between tools that do steganography, and tools that do steganalysis, which is the method of detecting steganography and destroying the original message. Steganalysis focuses on this aspect, as opposed to simply discovering and decrypting the message, because this can be difficult to do unless the encryption keys are known.

A comprehensive discussion of steganography tools is beyond the scope of this article. However, there are many good places to find steganography tools on the Net. One good place to start your search for stego tools is on Neil Johnson's Steganography and Digital Watermarking Web site. The site includes an extensive list of steganography tools. Another comprehensive tools site is located at the StegoArchive.com.

For steganalysis tools, a good site to start with is Neil Johnson's Steganalysis site. Niels Provos's site is also a great reference site, but it is currently being relocated, so keep checking back on its progress.

The plethora of tools available also tends to span the spectrum of operating systems. Windows, DOS, Linux, Mac, Unix: you name it, and you can probably find it.

How Do Steganography Tools Work?

To show how easy steganography is, I started out by downloading one of the more popular freeware tools out now: F5, then moved to a tool called SecurEngine, which hides text files within larger text files, and lastly a tool that hides files in MP3s called MP3Stego. I also tested one commercial steganography product, Steganos Suite.

F5 was developed by Andreas Westfeld, and runs as a DOS client. A couple of GUIs were later developed: one named "Frontend", developed by Christian Wohne, and the other, named "Stegano", by Thomas Biel. I tried F5, beta version 12. I found it very easy to encode a message into a JPEG file, even if the buttons in the GUI are written in German! Users can simply do this by following the buttons, inputting the JPEG file path, then the location of the data that is being hidden (in my case, I used a simple text file created in Notepad), at which point the program prompts the user for a pass phrase. As you can see by the before and after pictures below, it is very hard to tell them apart, embedded message or not.

Steganography and Security

As mentioned previously, steganography is an effective means of hiding data, thereby protecting the data from unauthorized or unwanted viewing. But stego is simply one of many ways to protect the confidentiality of data. It is probably best used in conjunction with another data-hiding method. When used in combination, these methods can all be a part of a layered security approach. Some good complementary methods include:

  • Encryption - Encryption is the process of passing data or plaintext through a series of mathematical operations that generate an alternate form of the original data known as ciphertext. The encrypted data can only be read by parties who have been given the necessary key to decrypt the ciphertext back into its original plaintext form. Encryption doesn't hide data, but it does make it hard to read!
  • Hidden directories (Windows) - Windows offers this feature, which allows users to hide files. Using this feature is as easy as changing the properties of a directory to "hidden", and hoping that no one displays all types of files in their explorer.
  • Hiding directories (Unix) - creating a directory inside an existing directory that already holds a lot of files, such as /dev on a Unix implementation, or giving the directory a name that starts with three dots (...) rather than the usual single or double dot.
  • Covert channels - Some tools can be used to transmit valuable data in seemingly normal network traffic. One such tool is Loki. Loki is a tool that hides data in ICMP traffic (like ping).

Protecting Against Malicious Steganography

Unfortunately, all of the methods mentioned above can also be used to hide illicit, unauthorized or unwanted activity. What can you do to prevent or detect issues with stego? There is no easy answer. If someone has decided to hide their data, they will probably be able to do so fairly easily. The only way to detect steganography is to be actively looking for it in specific files, or to get very lucky. Sometimes an actively enforced security policy can provide the answer: this would require the implementation of company-wide acceptable use policies that restrict the installation of unauthorized programs on company computers.

Using the tools that you already have to detect movement and behavior of traffic on your network may also be helpful. Network intrusion detection systems can help administrators to gain an understanding of normal traffic in and around your network and can thus assist in detecting any type of anomaly, especially a change in behavior such as an increase in the movement of large images around your network. If the administrator is aware of this sort of anomalous activity, it may warrant further investigation. Host-based intrusion detection systems deployed on computers may also help to identify anomalous storage of image and/or video files.

A research paper by Stefan Hetzel cites two methods of attacking steganography, which really are also methods of detecting it. They are the visual attack (actually seeing the differences in the files that are encoded) and the statistical attack: "The idea of the statistical attack is to compare the frequency distribution of the colors of a potential stego file with the theoretically expected frequency distribution for a stego file." It might not be the quickest method of protection, but if you suspect this type of activity, it might be the most effective. For JPEG files specifically, a tool called Stegdetect, which looks for signs of steganography in JPEG files, can be employed. Stegbreak, a companion tool to Stegdetect, works to decrypt possible messages encoded in a suspected steganographic file, should that be the path you wish to take once the stego has been detected.
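The statistical attack quoted above can be run directly on the least-significant bits of raw 8-bit samples. The following is an added example, not the author's code nor that of Stegdetect or any other tool, implementing the pairs-of-values chi-square test on a constructed cover whose LSB plane is deliberately biased so the effect is obvious; in real images the pair imbalance is far subtler, and JPEG tools such as F5 embed in DCT coefficients rather than raw samples.

```python
"""Added example: pairs-of-values chi-square test for sequential LSB embedding."""
import math
import random


def embed_lsb(samples, bits):
    """Return a copy of samples whose first len(bits) least-significant bits are replaced by bits."""
    out = list(samples)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (b & 1)
    return out


def chi_square_lsb_test(samples):
    """Compare the observed histogram with the shape LSB embedding would produce.

    LSB replacement with random message bits drives the counts of each value pair
    (2i, 2i+1) towards equality, so the expected count of value 2i is the pair's mean.
    Returns (chi2, dof, p): p is the upper-tail probability of chi2. A tiny p means the
    histogram is far from the 'embedded' shape; a larger p means it matches it.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, pairs = 0.0, 0
    for i in range(128):
        expected = (hist[2 * i] + hist[2 * i + 1]) / 2.0
        if expected > 0:  # empty pairs carry no information and would divide by zero
            chi2 += (hist[2 * i] - expected) ** 2 / expected
            pairs += 1
    dof = max(pairs - 1, 1)
    # Upper tail via the normal approximation to chi-square (adequate for dof >= 30).
    z = (chi2 - dof) / math.sqrt(2.0 * dof)
    p = 0.5 * math.erfc(z / math.sqrt(2.0))
    return chi2, dof, p


def demo(n_samples=20000, seed=1):
    """Constructed cover: 8-bit samples whose LSB plane is 80% zeros, so each value pair
    is unequal as in a natural image, but exaggerated so the statistic moves visibly."""
    rng = random.Random(seed)
    cover = [2 * rng.randrange(128) + (1 if rng.random() < 0.2 else 0) for _ in range(n_samples)]
    message = [rng.randrange(2) for _ in range(n_samples)]   # constructed random payload bits
    half = embed_lsb(cover, message[: n_samples // 2])       # sequential, half capacity
    full = embed_lsb(cover, message)                         # sequential, full capacity
    return {name: chi_square_lsb_test(s)
            for name, s in (("cover", cover), ("half", half), ("full", full))}


if __name__ == "__main__":
    for name, (chi2, dof, p) in demo().items():
        print(f"{name:5s} chi2={chi2:9.1f} dof={dof} p={p:.3g}")
```

The cover's chi2 is in the thousands (p effectively zero), the fully embedded buffer's chi2 sits near its degrees of freedom, and the half-embedded one lands in between, which is why the test can also estimate how much of a file was used.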

Conclusions

Steganography is a fascinating and effective method of hiding data that has been used throughout history. There are methods that can be employed to uncover such devious tactics, but the first step is awareness that such methods even exist. There are many good reasons as well to use this type of data hiding, including watermarking or a more secure central storage method for such things as passwords, or key processes. Regardless, the technology is easy to use and difficult to detect. The more that you know about its features and functionality, the more ahead you will be in the game.

Resources:

[1] Steganography, by Neil F. Johnson, George Mason University,
http://www.jjtc.com/stegdoc/sec202.html

[2] http://dictionary.reference.com/search?q=steganography

[3] The Free On-line Dictionary of Computing, © 1993-2001 Denis Howe
http://www.nightflight.com/foldoc/index.html

[4] Applied Cryptography, Bruce Schneier, John Wiley and Sons Inc., 1996

[5] Steganography: Hidden Data, by Deborah Radcliff, June 10, 2002,
http://www.computerworld.com/securitytopics/security/story/0,10801,71726,00.html

Friday, September 28, 2007

Security: Firewall Information

What is a firewall?

A term borrowed from construction, aircraft or automobile design, a firewall is a barrier that segregates two areas to protect one space from the environment of the other. In buildings or airframes, it is designed to prevent fire from spreading from one section to another. In racing, it protects the driver from a possible fuel tank fire. Also in automobiles, the bulkhead separating the engine compartment from the passenger compartment is called a firewall.

In computing terms, a firewall isolates a computer or network from another computer or network. Most often, this creates a so-called "trusted zone" on the inside of the firewall (your local network), which is protected from the untrusted zone outside (the internet). Some network firewalls sit between sections of the network; this creates DMZs, or De-Militarized Zones, referring to the military term for areas that separate two opposing factions to reduce the risk of war. Certain devices, such as public web servers, that need to interface more with untrusted zones will be in the DMZ with a firewall between them and the local network, offering more protection for that network.

As with firewalls in buildings, a certain amount of penetration of the firewall is allowed, but these penetrations, or ports, are controlled and safeguarded against bad stuff trying to get in.

Ports

In networking, one will often hear the term port. Ports, according to the Internet Assigned Numbers Authority (IANA, which coordinates functions for the internet), "name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined." Essentially, this is an addressing scheme that allows the computer to assign meaning to incoming and outgoing information.

Ports fall into three categories:

  • Port numbers that range from 0 through 1023 are called Well Known Ports. On most systems, they can only be used by system (or root) processes or by programs executed by privileged users. The IANA has assigned specific uses for most of these ports.
  • The Registered Ports are those from 1024 through 49151 and can be used by ordinary user processes or programs executed by ordinary users. Many of these ports are also assigned.
  • The Dynamic and/or Private Ports are those from 49152 through 65535. The name is self-explanatory; they are not assigned.

So what firewalls do is filter the data coming into them, allowing information for certain ports to go through and rejecting others, according to preset rules. There are three different ways this is done:

  • Packet filtering - Packets (small chunks of data) are analyzed against a set of filters.
  • Proxy service - Doesn't accept packets coming in from the untrusted zone unless they were specifically requested by a computer in the trusted zone.
  • Stateful inspection - Doesn't examine the entire incoming packet, but compares certain key parts of that packet to defining characteristics derived from packets traveling inside the firewall to the outside.

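As an added illustration, not taken from the original post or any firewall product, here is a toy Python filter that combines the port classes listed above with port-based packet filtering for a DMZ web server and stateful inspection for the trusted zone; the addresses, the trusted-zone prefix and the DMZ server are constructed values.

```python
"""Added example: port-based packet filtering plus stateful inspection, in miniature."""
from collections import namedtuple

# Constructed packet shape: the classic 5-tuple plus whether it opens a new TCP connection.
Packet = namedtuple("Packet", "src dst sport dport proto syn")

TRUSTED_PREFIX = "10.0.0."                 # inside (trusted zone) addresses, constructed
DMZ_ALLOW = {("192.168.100.10", 80)}        # static rule: the public web server in the DMZ


def port_class(port):
    """IANA port categories as the post lists them."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError("port out of range")


class StatefulFirewall:
    def __init__(self):
        self.state = set()   # conversations initiated from the trusted zone

    def filter(self, pkt):
        """Return 'allow' or 'drop' for one packet, updating connection state."""
        if pkt.src.startswith(TRUSTED_PREFIX):
            # Outbound: let inside hosts initiate and remember the conversation so that
            # only its replies are admitted later (stateful inspection).
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound from the untrusted zone.
        if (pkt.dst, pkt.dport) in DMZ_ALLOW and pkt.proto == "tcp":
            return "allow"    # packet filter rule for a public service in the DMZ
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state and not pkt.syn:
            return "allow"    # reply to a conversation an inside host started
        return "drop"         # unsolicited inbound traffic, whatever the port


def demo():
    """Four constructed packets: outbound HTTPS, its reply, an unsolicited probe, DMZ web."""
    fw = StatefulFirewall()
    outbound = Packet("10.0.0.5", "203.0.113.7", 51000, 443, "tcp", True)
    reply = Packet("203.0.113.7", "10.0.0.5", 443, 51000, "tcp", False)
    unsolicited = Packet("203.0.113.9", "10.0.0.5", 443, 51000, "tcp", True)
    web = Packet("198.51.100.2", "192.168.100.10", 40000, 80, "tcp", True)
    return [fw.filter(p) for p in (outbound, reply, unsolicited, web)]


if __name__ == "__main__":
    print(demo())   # the probe to the same inside port is dropped; the reply is not
```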

Friday, September 7, 2007

Antivirus: Working of an antivirus package (part II)

Continued from part I.

Now, suppose that a previously unknown strain of the Melissa virus happens to come into contact with your computer. Your antivirus software would use a technology known as heuristics to identify the virus.

Heuristics work on the basis of probability. The basic idea is that a variant of Melissa would still resemble one of the existing versions of Melissa. After all, if it looks like Melissa and it smells like Melissa, then it’s probably Melissa. If the heuristics algorithm causes the virus scanner to uncover a potential variant of a known virus, the scanner will alert you to the fact. When your antivirus software detects an unknown variant and alerts you to the potential virus, what it’s really telling you is that the file has a certain percentage of code in common with a known virus, or that the software is confident to a certain percentage that the file contains viral code.
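An added example, not from the post or any antivirus product, of the "percentage of code in common" idea: the scanner fingerprints a known sample by its byte n-grams and scores a scanned file by how many of those n-grams it contains. The known body, the variant and the benign file are constructed byte strings standing in for real code.

```python
"""Added example: a code-similarity heuristic based on shared byte n-grams."""


def ngrams(data, n=4):
    """All n-byte substrings of a byte string, as a set (an order-insensitive fingerprint)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_code_fraction(sample, known, n=4):
    """Fraction of the known sample's n-grams that also occur in the scanned sample (0.0-1.0)."""
    known_grams = ngrams(known, n)
    if not known_grams:
        return 0.0
    return len(known_grams & ngrams(sample, n)) / len(known_grams)


def heuristic_scan(sample, signatures, threshold=0.6, n=4):
    """Return (verdict, best_family, score); 'signatures' maps a family name to a known body.

    The verdict is 'suspect' when the best overlap reaches the threshold, which is the
    percentage-in-common the post describes, not a proof that the file is malicious.
    """
    best_name, best = None, 0.0
    for name, body in signatures.items():
        score = shared_code_fraction(sample, body, n)
        if score > best:
            best_name, best = name, score
    return ("suspect" if best >= threshold else "clean"), best_name, best


# Constructed stand-ins for real code.
KNOWN = bytes(range(200))                            # known family body
_patched = bytearray(KNOWN)
for _pos in (20, 75, 130):                           # a variant: three bytes patched
    _patched[_pos] ^= 0xFF
VARIANT = bytes(_patched)
BENIGN = bytes((i * 7) % 251 for i in range(200))    # unrelated content
SIGNATURES = {"Melissa-like (constructed)": KNOWN}

if __name__ == "__main__":
    for label, body in (("variant", VARIANT), ("benign", BENIGN)):
        print(label, heuristic_scan(body, SIGNATURES))
```

Each patched byte destroys at most four 4-grams, so the variant still shares about 94% of the known body's fingerprint while the benign file shares none.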

Polymorphic viruses
Heuristics are great if the virus remains true to its original form, but virus programmers are smart people. Some viruses are designed to encrypt themselves. Such viruses are known as polymorphic viruses. The idea behind polymorphic viruses is that they can reorganize themselves so as to have an extremely large potential number of signatures.

Fortunately, there’s a way to protect your machine from polymorphic viruses. If the virus scanner suspects a polymorphic virus, some antivirus software packages actually test the code. To do so, they create what’s known as a virtual machine. In a nutshell, a virtual machine is an area of memory that can behave as if it existed in a separate computer.

By opening a potentially hazardous file in a virtual machine, the antivirus software can test the file in a safe and controlled environment. If the file proves to be safe, the user will never know of the test. However, if the file does contain a virus, the user is alerted to the infection and prompted to take action.