
Copyright ©2003, part of The YKTA Corporation, and its licensors. All rights reserved.



How Hackers Attack

Multiple different mail servers are used in today's enterprises; chosen for performance, price, name recognition or any of a number of other reasons, servers such as Lotus Notes and Microsoft Exchange dominate the corporate e-mail landscape. Once a company has chosen a mail server, it is essentially beholden to that brand, as the primary server platforms are not interoperable. Each mail server has its own set of known vulnerabilities, giving resourceful hackers ample opportunity to search for weaknesses. Once these weaknesses are identified, a single hacker can take down an entire rack of mail servers in the blink of an eye. The following sections outline some of the vulnerabilities widely known within hacking circles and explain how hackers are able to take advantage of these security holes.

IMAP & POP Vulnerabilities

Hackers have found a number of issues in both IMAP and POP servers that can be exploited. Dictionary attacks, for example, can expose sensitive e-mail stored on an IMAP or POP server. Countless tools are available for performing these attacks, and the graphical nature of many of them makes it simple for even a novice to carry them out. Weak passwords are another common vulnerability in these protocols: many organizations do not have adequate controls for password strength, so end users choose passwords that can easily be broken. Lastly, defects or bugs in various IMAP and POP services can leave them susceptible to other types of exploits, such as buffer overflows.

Denial-of-Service (DoS) Attacks

• Ping of death – Sends an invalid fragment which starts before the end of the packet but extends past the end of the packet.
• SYN flood – Sends TCP SYN packets (which start connections) very rapidly, leaving the attacked machine waiting to complete a huge number of connections, causing it to run out of resources and start dropping legitimate connections.
A new defense against this is "SYN cookies." Each side of a connection has its own sequence number. In response to a SYN, the attacked machine creates a special sequence number that is a "cookie" of the connection, then "forgets" everything it knows about the connection. It can then recreate the forgotten information about the connection when the next packets come in from a legitimate connection.
• Loop – Sends a forged SYN packet with identical source/destination address and port, so that the system goes into an infinite loop trying to complete the TCP connection.

System Configuration Holes

Weaknesses in enterprise system configuration can be classified as follows:
• Default configurations – Most systems are shipped to customers with default, easy-to-use configurations. Unfortunately, "easy-to-use" can mean "easy-to-break-into" as well. Almost any UNIX or WinNT machine shipped can be exploited rather easily.
• Empty/default root passwords – A surprising number of machines are configured with empty or default root/administrator passwords. One of the first things an intruder will do on a network is scan all machines for empty passwords.
• Hole creation – Virtually all programs can be configured to run in a non-secure mode, which can leave unnecessary holes on the system. Additionally, administrators sometimes inadvertently open a hole on a machine. Most administration guides suggest that administrators turn off everything that doesn't absolutely need to run on a machine in order to avoid accidental holes. Unfortunately this is easier said than done, since many administrators aren't familiar with disabling many common services.

To execute a Denial-of-Service (DoS) attack, a hacker uses Trojans to take control of a potentially unlimited number of zombie computers, which then take aim at a single target and flood it with traffic in an attempt to overwhelm the server.
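The SYN cookie defense described under Denial-of-Service (DoS) Attacks above, as an added example that is not part of the original article: the server packs a time counter, an index into an MSS table and a keyed MAC of the connection 4-tuple into the initial sequence number, keeps no per-SYN state, and rebuilds the connection's MSS only when an ACK carrying a valid cookie arrives. The secret key, the 64-second time slot, the MSS table and the addresses are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real host generates this at boot and keeps it private.
SECRET = b"constructed-demo-secret"
# Small MSS table; the chosen index is squeezed into 3 bits of the cookie.
MSS_TABLE = [536, 1300, 1440, 1460]
SLOT_SECONDS = 64      # the 5-bit time counter advances once per slot
MAX_AGE_SLOTS = 2      # reject cookies older than this; a handshake finishes quickly


def _mac24(saddr, daddr, sport, dport, t):
    """Keyed 24-bit MAC over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Mint the 32-bit ISN sent in the SYN-ACK. Nothing else is stored for this SYN."""
    t = (now // SLOT_SECONDS) & 0x1F                      # 5 bits of time
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, t)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the final ACK of the handshake. Returns the recovered MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF                       # the ACK acknowledges ISN + 1
    t, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now // SLOT_SECONDS) & 0x1F) - t) & 0x1F     # slots elapsed, modulo 32
    if age > MAX_AGE_SLOTS or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(saddr, daddr, sport, dport, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    # The forgotten connection state is rebuilt from the cookie alone.
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    client, server = b"\xcb\x00\x71\x09", b"\xc0\xa8\x01\x19"   # 203.0.113.9 -> 192.168.1.25
    isn = make_cookie(client, server, 40000, 143, 1460, now=1_000_000)
    print(hex(isn), check_cookie(client, server, 40000, 143, isn + 1, now=1_000_003))
```

A flood of SYNs therefore costs the server one MAC computation each and no memory, and a forged 4-tuple, a stale cookie or a tampered ACK all fail validation without any stored state to compare against.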
Exploiting Software Issues

Software bugs can be exploited in the server daemons, the client applications, the operating system, and the network stack. Software bugs can be classified in the following manner:
• Buffer overflows – Almost all the security holes you read about in the press are due to this problem. A typical example is a programmer who sets aside a specific number of characters to hold a login username. Hackers look for these types of vulnerabilities, often sending longer strings than specified, including code that will be executed by the server. Hackers find these bugs in several ways. First, the source code for a lot of services is available on the net, and hackers routinely look through this code searching for programs that have buffer limitations. Hackers will also examine every place the program accepts input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the hacker to break into the system.
• Unexpected combinations – Programs are usually constructed using many layers of code, with the underlying operating system as the bottom-most layer. Intruders can often send input that is meaningless to one layer but, when constructed properly, meaningful to another.
• Unhandled input – Most programs are written to handle valid input. Most programmers do not consider what happens when somebody enters input that doesn't match the specification.

Exploiting the Human Factor

Education of e-mail users by organizations regarding how hackers seek to exploit them has improved to the point that a large majority of e-mail users now have at least a rudimentary understanding of fundamental security. The basic message about not opening certain malicious attachment types, particularly .exe files, from unknown senders is widely known. This means the hackers are being forced to redouble their efforts in order to counteract the education that e-mail users are receiving.
Examples of hackers using sophisticated means to get users to open e-mail attachments include the following:
• Double extension – The NetSky, Lovegate, and Klez viruses took advantage of this vulnerability. Malicious files are given a double extension such as "filename.txt.exe" to trick the user into running the executable. NetSky would actually place 100 spaces between the extensions so the victim would not see the second extension. NetSky would also put the DOS ".COM" executable extension at the end of a string that appeared to be a Web address ending in .COM.
• Password-protected zip file – Virus writers encrypt the virus in a password-protected zip and send the file to users with the password in the message body. Since the encrypted file skips virus scanning, the end user gets what they think is legitimate e-mail. Unfortunately, in most cases this message has a look of urgency, and the unsuspecting user will many times go the extra mile to open the malicious attachment.
• Plain trickery – Hackers harvest e-mail addresses from LDAP servers and spoof the "from" field with names the victim would recognize, so that the victim opens the e-mail and its attachments, or try to trick the victim into accessing a Web site. Common tactics include sending e-mails with subject lines containing "re:" or "Re: re: re:" to make the victim believe it is a chain e-mail. Another common header tactic is including technical terms that make the victim believe an e-mail system error was encountered; MyDoom used this tactic effectively. The Bagle worm would use the icons of text files, folders, and Excel files for executables in the hope that a user would not check the filename closely. The Sober.D worm tried to fool the user into believing that it was a patch delivered by Microsoft for the MyDoom worm. Again, this message contained a malicious attachment which preyed upon the user's belief that the message was sent by a legitimate source.
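A defender-side check for the attachment-name tricks listed above (double extensions, NetSky's run of spaces in front of the real extension, and Web-address lookalikes ending in .COM), as an added example that is not part of the original article. The extension lists and the sample names are constructed for the demonstration; a mail gateway would apply a check like this to each MIME part's filename before delivery.

```python
import re

# Constructed lists: extensions Windows will execute, and ones that look like harmless documents.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXT = {"txt", "doc", "xls", "pdf", "jpg", "gif", "htm", "html", "zip"}


def inspect_attachment_name(name):
    """Return the reasons an attachment filename looks like a disguised executable.

    An empty list means none of the tricks above was found. Whitespace is collapsed
    before splitting so that padding can neither hide nor split an extension.
    """
    reasons = []
    parts = [p.strip() for p in re.sub(r"\s+", " ", name).strip().lower().split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return reasons                      # no executable extension at the end
    final = parts[-1]
    # "filename.txt.exe": a document-looking extension sits in front of the real one.
    hidden = next((p for p in parts[1:-1] if p in DOCUMENT_EXT), None)
    if hidden:
        reasons.append(f"double extension: .{hidden} before .{final}")
    # NetSky's trick: a run of spaces pushes the real extension out of the visible name.
    if re.search(r"\s+\.\w+$", name):
        reasons.append("whitespace padding before the real extension")
    # "www.example.com" reads as a Web address, but .com is a DOS executable extension.
    if final == "com" and parts[0].startswith(("www", "http")):
        reasons.append("web-address lookalike ending in .com")
    if not reasons:
        reasons.append(f"executable attachment (.{final})")
    return reasons


if __name__ == "__main__":
    for sample in ("quarterly.xls", "report.txt.exe", "photo.jpg" + " " * 100 + ".exe",
                   "www.example.com", "setup.exe"):
        print(repr(sample[:30]), "->", inspect_attachment_name(sample))
```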
Self-Propagation: The New Mission of Attacks

Hackers are becoming increasingly sophisticated and are no longer content with simply gaining access to networks to cause mischief and disrupt service. Whereas hackers first spread viruses through individual networks simply because they could, we now see more and more attacks that involve the use of Trojans designed to spread a virus to as many computers as possible, with the intent of taking control of these machines for nefarious purposes.

Trojans

Trojans enter the victim's computer undetected, usually disguised as a legitimate e-mail attachment. Once the Trojan is opened by the unsuspecting recipient, the attacker is granted unrestricted access to the data stored on the computer. Trojans can either be hidden programs running on a computer, or hidden within a legitimate program, meaning a program that the user trusts has functions they are not aware of. The following chart outlines some of the most popular types of Trojans used by hackers: