The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick,William L. Simon

I gave it to someone else who uploaded the software to one of the core Warez sites, archived the whole thing into a package, put the keygen in, and created information files [with] instructions on how to install and crack the software. I didn't post it myself.

When ready to upload the program and keygen, they first checked to see whether someone else might have cracked the same program already.

Before you post something, you want to make sure no one else has done it first, so you do a "dupe check" to make sure it's unique.

The dupe check is easy. The cracker simply goes to www.dupecheck.ru (the site is located in Russia[2]) and enters the name and version of the product. If it's listed, that means someone else has already cracked it and posted it to one of the core Warez sites.

But just because the software has been posted to the site doesn't mean just anyone can download it. In fact, the site prominently announces

WE ARE A CLOSED GROUP SO F__K OFF

(The missing letters are, of course, supplied on the site.)

On the other hand, if it's a current product and not yet listed, that means the cracker has scored a major coup. He can be the very first to upload the cracked version of the software.

Once a new package is uploaded, distribution begins swiftly, as Erik described.

There's probably like maybe 50 core Warez sites in the world, private FTP sites. You upload to one of these sites, and within maybe an hour it's replicated from that site to thousands of other sites around the world, through couriers.

Maybe 50 to 200 times a day -- say probably 100, that's a pretty good average. One hundred programs a day are pirated this way.

A "courier," Erik explains, is a person who moves "the stuff" from one cracker site to another. Couriers are "the next level down the food chain" from the guys who crack the software.

The couriers are watching three or four different sites. As soon as someone uploads [a cracked application] to the Warez site, and they spot it as something new, they download it and send it over to three or four other sites as fast as they can before anyone else. Now, at this point there's maybe 20 sites that have it. Sometimes this might be two or three months before [the new software] even hits the stores.

The next tier of couriers -- guys who haven't yet earned access to the core Warez sites -- spot the new item and go through the same process of downloading it and then uploading it as fast as they can to as many other sites as they can, to be the first one. "And it just filters down that way and like within an hour, it's gone twice across the world."

Some people get access to Warez sites through credits, Erik explained. The credits are a type of cracker currency earned by contributing to the mission of the sites, which is the distribution of cracked software. The cracker usually supplies both the program and a tool that will generate valid license keys or some other kind of workaround.

A cracker gets credits by being the first to upload the "crack" to a site that doesn't have it yet. Only the first person to upload a new application onto a particular site receives credit.

So they are very motivated to do it quickly. Therefore in no time, it's seen everywhere. At that point people make copies of it on their own crack sites or newsgroups.

The people like me who crack this stuff get unlimited access always -- if you're a cracker, they want you to keep contributing the good stuff when you're the first person who has it.

Some sites have the full program and the keygen. "But a lot of the crack sites," Erik explains, "don't include the program, just the keygen. To make [the files] smaller and to make it less likely that the Feds will shut them down."

All of these sites, not just the top-tier core Warez sites but those two or three levels down, are "hard to get on. They're all private" because if one of the site addresses became known, "the Feds wouldn't just shut it down, they'd shut it down, arrest the people, take all their computers, and arrest anyone who has ever been on that site" because these FTP sites are, after all, repositories of massive amounts of stolen intellectual property.

I don't even go to those sites anymore. I rarely go, because of the risks involved. I'll go there when I need some software, but I never upload stuff myself.

It's actually really interesting because it's extremely efficient. I mean what other business has a distribution system like that and everyone's motivated because everyone wants something.

As a cracker, I get invitations to access all these sites because all the sites want good crackers 'cause that's how they get more couriers. And the couriers want access to the good sites because that's where they get the good stuff.

My group does not let new people in. Also, there's certain things we don't release. Like one time we released Microsoft Office, one summer, and it was just too risky. After that we decided to never do really big names like that anymore.

Some guys go firebrand, get really aggressive about it and will sell the CDs. Especially when they start doing it for money, it draws more attention. They're the ones who usually get busted.

Now, for this whole thing with software, the same process happens with music and with movies. On some of the movie sites, you can get access to movies two or three weeks before they hit theaters sometimes. That's usually someone who works for a distributor or a duplicator. It's always someone on the inside.

INSIGHT

The lesson of the story about Erik's quest for the one last server software package to complete his collection: In nature there seems to be no such thing as perfection, and that's even truer when humans are involved. His target company was very security-conscious and had done an excellent job at protecting its computer systems. Yet a hacker who is competent enough, determined enough, and willing to spend enough time is nearly impossible to keep out.

Oh, sure, you'll probably be lucky enough never to have someone as determined as Erik or Robert attack your systems, willing to spend a massive amount of time and energy on the effort. But how about an unscrupulous competitor willing to hire a team of underground professionals -- a group of hacker mercenaries each willing to put in 12 or 14 hours a day and loving their work?

And if attackers do find a crack in the wall in your organization's electronic armor, what then? In Erik's opinion, "When someone gets into your network as far as I was into this network, [you] will never, ever, ever get him out. He's in there forever." He argues that it would take "a major overhaul of everything and changing every password on the same day, same time, reinstalling everything, and then securing everything at the same time to lock him out." And you have to do it all without missing one single thing. "Leave one door open and I'm going back in again in no time."

My own experiences confirm this view. When I was in high school, I hacked into Digital Equipment Corporation's Easynet. They knew they had an intruder, but for eight years, the best minds in their security department couldn't keep me out. They finally got free of me -- not through any efforts of their own but because the government had been kind enough to offer me a vacation package at one of their federal vacation resorts.

COUNTERMEASURES

Although these were very different attacks, it's eye-opening to note how many vulnerabilities were key to the success of both these hackers, and hence how many of the countermeasures apply to both the attacks.

Following are the main lessons from these stories.

Corporate Firewalls

Firewalls should be configured to allow access only to essential services, as required by business needs. A careful review should be done to ensure that no services are accessible except those actually needed for business. Additionally, consider using a "stateful inspection firewall." This type of firewall provides better security by keeping track of packets over a period of time. Incoming packets are only permitted in response to an outgoing connection. In other words, the firewall opens up its gates for particular ports based on the outgoing traffic. Also implement a rule set to control outgoing network connections. The firewall administrator should periodically review the firewall configuration and logs to ensure that no unauthorized changes have been made. If a hacker compromises the firewall itself, it's highly likely the hacker will make some subtle changes that provide an advantage.

Also, if appropriate, consider controlling access to the VPN based on the client's IP address. This would be applicable where a limited number of personnel connect to the corporate network using VPN. In addition, consider implementing a more secure form of VPN authentication, such as smart cards or client-side certificates rather than a static shared secret.

Personal Firewalls

Erik broke into the CEO's computer and discovered that it had a personal firewall running. He was not stopped, since he exploited a service that was permitted by the firewall. He was able to send commands through a stored procedure enabled by default in Microsoft SQL Server. This is another example of exploiting a service that the firewall did not protect. The victim in this case never bothered to examine his voluminous firewall logs, which contained more than 500K of logged activity. This is not the exception. Many organizations deploy intrusion prevention-and-detection technologies and expect the technology to manage itself, right out of the box. As illustrated, this negligent behavior allows an attack to continue unabated.

The lesson is clear: Carefully construct the firewall rule set to filter both incoming and outgoing traffic on services that are not essential to business needs, but also periodically review both the firewall rules and the logs to detect unauthorized changes or attempted security breaches.

Once a hacker breaks in, he'll likely hijack a dormant system or user account so he can get back in at a future time. Another tactic is to add privileges or groups to existing accounts that have already been cracked. Performing periodic auditing of user accounts, groups, and file permissions is one way to identify possible intrusions or unauthorized insider activity. A number of commercial and public domain security tools are available that automate part of this process. Since hackers know this as well, it's also important to periodically verify the integrity of any security-related tools, scripts, and any source data that is used in conjunction.

Many intrusions are the direct result of incorrect system configurations, such as excessive open ports, weak file permissions, and misconfigured Web servers. Once an attacker compromises a system at a user level, the next step in the attack is elevating the privileges by exploiting unknown or unpatched vulnerabilities, and poorly configured permissions. Don't forget, many attackers follow a series of many small steps en route to a full system compromise.

Database administrators supporting Microsoft SQL Server should consider disabling certain stored procedures (such as xp_cmdshell, xp_makewebtask, and xp_regread) that can be used to gain further system access.

Port Scanning

As you read this, your Internet-connected computer is probably being scanned by some computer geek looking for the "low-hanging fruit." Since port scanning is legal in the United States (and most other countries), your recourse against the attacker is somewhat limited. The most important factor is distinguishing the serious threats from the thousands of script kiddies probing your network address space.

There are several products, including firewalls and intrusion detection systems, that identify certain types of port scanning and can alert the appropriate personnel about the activity. You can configure most firewalls to identify port scanning and throttle the connection accordingly. Several commercial firewall products have configuration options to prevent fast port scanning. There are also "open source" tools that can identify port scans and drop the packets for a certain period of time.
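A minimal detector for the fast port scanning described above, run over a few constructed firewall log lines. This is an added example, not code from the book; the log format, the 60-second window and the five-port threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a hypothetical syslog-like format (not from the
# book). 203.0.113.7 walks seven ports in three seconds; 192.0.2.55 makes three slow
# hits on two ports and should not be flagged.
SAMPLE_LOG = """\
2005-03-01T02:14:01 DROP src=203.0.113.7 dst=198.51.100.10 dport=21
2005-03-01T02:14:01 DROP src=203.0.113.7 dst=198.51.100.10 dport=22
2005-03-01T02:14:02 DROP src=203.0.113.7 dst=198.51.100.10 dport=23
2005-03-01T02:14:02 DROP src=203.0.113.7 dst=198.51.100.10 dport=25
2005-03-01T02:14:03 DROP src=203.0.113.7 dst=198.51.100.10 dport=80
2005-03-01T02:14:03 DROP src=203.0.113.7 dst=198.51.100.10 dport=443
2005-03-01T02:14:04 DROP src=203.0.113.7 dst=198.51.100.10 dport=1433
2005-03-01T09:30:11 DROP src=192.0.2.55 dst=198.51.100.10 dport=1433
2005-03-01T09:45:00 DROP src=192.0.2.55 dst=198.51.100.10 dport=1433
2005-03-01T09:50:00 DROP src=192.0.2.55 dst=198.51.100.10 dport=80
"""

LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(log_text):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Map (src, dst) -> largest number of distinct ports hit inside any `window`,
    reported only for pairs that reach `min_ports`. Slow probes stay below threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()                          # time order, so a window is a contiguous run
        for i in range(len(hits)):           # slide a window starting at each hit
            ports = {hits[i][1]}
            j = i + 1
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                ports.add(hits[j][1])
                j += 1
            if len(ports) >= min_ports:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts
```

A firewall or IDS that implements the throttling mentioned above would act on the keys of the returned dictionary; the threshold and window should be tuned against normal traffic before alerts are turned on.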

Know Your System

A number of system-management tasks should be performed to do the following:

- Inspect the process list for any unusual or unknown processes.
- Examine the list of scheduled programs for any unauthorized additions or changes.
- Examine the file system, looking for new or modified system binaries, scripts, or applications programs.
- Research any unusual reduction in free disk space.
- Verify that all system or user accounts are currently active, and remove dormant or unknown accounts.
- Verify that special accounts installed by default are configured to deny interactive or network logins.
- Verify that system directories and files have proper file access permissions.
- Check the system logs for any strange activity (such as remote access from unknown origins, or at unusual times during the night or weekend).
- Audit the Web server logs to identify any requests that access unauthorized files. Attackers, as illustrated in this chapter, will copy files to a Web server directory and download the file via the Web (HTTP).
- With Web server environments that deploy FrontPage or WebDav, ensure that proper permissions are set to prevent unauthorized users from accessing files.
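To show the Web server log check from the list above in practice, here is an added example (not from the book) that parses a few constructed Apache-style log lines and flags traversal attempts and archives served from anywhere other than an assumed /downloads/ directory, the pattern of an intruder staging a file under the Web root and pulling it out over HTTP.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed Apache combined-format lines (not from the book). The last two requests
# model an intruder probing outside the tree and then fetching an archive under /images/.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [01/Mar/2005:10:02:13 -0800] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Mar/2005:10:02:14 -0800] "GET /images/logo.gif HTTP/1.1" 200 2310
198.51.100.20 - - [01/Mar/2005:10:05:00 -0800] "GET /downloads/brochure.pdf HTTP/1.1" 200 884112
203.0.113.7 - - [02/Mar/2005:03:17:45 -0800] "GET /images/../../private/config.ini HTTP/1.1" 404 0
203.0.113.7 - - [02/Mar/2005:03:19:02 -0800] "GET /images/tmp/src.zip HTTP/1.1" 200 73400320
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
Request = namedtuple("Request", "src time method path status size")


def parse_access_log(text):
    """Parse combined-format lines into Request tuples; unparseable lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m.group(6) == "-" else int(m.group(6))   # "-" means no body sent
        reqs.append(Request(m.group(1), when, m.group(3), m.group(4), int(m.group(5)), size))
    return reqs


# Assumed site policy: archives are only ever published under /downloads/.
ARCHIVE_EXT = (".zip", ".rar", ".tar", ".gz", ".7z")
ALLOWED_ARCHIVE_PREFIX = "/downloads/"


def audit(requests, large_bytes=10_000_000):
    """Return (reason, src, path) findings for requests that violate the policy."""
    findings = []
    for r in requests:
        if "/../" in r.path or r.path.endswith("/.."):
            findings.append(("traversal", r.src, r.path))          # even a 404 is worth seeing
        elif r.path.lower().endswith(ARCHIVE_EXT) and not r.path.startswith(ALLOWED_ARCHIVE_PREFIX):
            findings.append(("archive-outside-downloads", r.src, r.path))
        elif r.status == 200 and r.size >= large_bytes and not r.path.startswith(ALLOWED_ARCHIVE_PREFIX):
            findings.append(("large-transfer", r.src, r.path))     # catches renamed archives
    return findings
```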

Incident Response and Alerting

Knowing when a security incident is in progress can help with damage control. Enable operating system auditing to identify potential security breaches. Deploy an automated system to alert the system administrator when certain types of audit events occur. However, note that if an attacker obtains sufficient privileges and becomes aware of the auditing, this automated alerting system can be circumvented.