1 Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data,...) Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data,...) Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.

2 Access Control Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear.Techniques for guessing passwords: 1. Try default passwords. 2. Try all short words, 1 to 3 characters long. 3. Try all the words in an electronic dictionary(60,000). 4. Collect information about the user’s hobbies, family names, birthday, etc. 5. Try user’s phone number, social security number, street address, etc. 6. Try all license plate numbers (123XYZ). Prevention: Enforce good password selection (c0p31an6)

3 Password Gathering Look under keyboard, telephone etc. Look in the Rolodex under “X” and “Z” Call up pretending to from “micro-support,” and ask for it. “Snoop” a network and watch the plaintext passwords go by. Tap a phone line - but this requires a very special modem. Use a “Trojan Horse” program to record key stokes.

4 UNIX Passwords User’s password ( should be required to have 8 characters, some non-letters) Random 12-bit number (Salt) DES Encrypted to 11 viewable characters User IDSalt ValueHashUser IDSalt ValueHashUser IDSalt ValueHash

Storing UNIX Passwords Until a few years ago, UNIX passwords were kept in in a publicly readable file, /etc/passwords. Now they are kept in a “shadow” directory only visible by “root”. “Salt”: prevents duplicate passwords from being easily seen as such. prevents use of standard reverse-lookup dictionaries ( a different diction would have to be generated for each value of Salt). does not “effectively increase the length of the password.” 5

6 The Stages of a Network Intrusion 1. Scan the network to: locate which IP addresses are in use, what operating system is in use, what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast.

7 Protection from a Network Intrusion 1. Use a “Firewall” between the local area network and the world- wide Internet to limit access (Chapter 10). 2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute). 3. Use a program like TripWire on each host to detect when systems files are altered, and an alert to Sys Admin. 4. On Microsoft PC’s, a program like BlackIce is easier to install than learning how to reset default parameters to make the system safe (and fun besides).

8

9

10

Type "A" Probes The first three UDP probes, which started my investigation, had a single character in the data field, an 'A'. The UDP port numbers were identical, > They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered. Date Time EST Source IP (Place) Destination (Place) : (Italy) to (Atlanta, GA) : ( AOL ) to (Atlanta, GA) : (Saudi Arabia) to (Atlanta, GA) UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh. 11

Type "Double-zero" Probes (James Bond, 007, "00" -> "license to kill") I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas. These probes use a single UDP packet, two bytes of data (ascii zeroes) and identical UDP port numbers, >2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port Packets. The Echo-Request is never answered : (Arab Emirates*) to (Atlanta, GA) : (Arab Emirates*) to (Atlanta, GA) *DNS name: cwa129.emirates.net.ae : (Turkey) to xxx.xxx (Wichita, Kansas) *DNS: none : (Manchester, UK*) to xx.xx (Atlanta, GA) *DNS name: manchester_nas11.ida.bt.net : (Road Runner, Hawaii) to xxx.xxx (Wichita, Kansas) *DNS name: a24b94n80client152.hawaii.rr.com : (cwnet, NJ) to xx.xxx (Atlanta, GA) *DNS name: ad11-s cwci.net 12

Start: 11/21/99 11:07:40 PM Find route from: to: ( ), Max 30 hops, 40 byte packets Host Names truncated to 32 bytes ( ): 17ms 17ms 16ms ( ): 18ms 19ms 18ms ( ): 17ms 18ms 17ms ( ): 19ms 17ms 18ms ( ): 25ms 25ms 23ms 6 sgarden-sa-gsr.carolina.rr.com. ( ): 26ms 27ms 27ms 7 roc-gsr-greensboro-gsr.carolina. ( ): 28ms 28ms 30ms 8 roc-asbr-roc-gsr.carolina.rr.com ( ): 30ms 32ms 30ms ( ): 40ms 39ms 39ms 10 gbr2-a30s1.wswdc.ip.att.net. ( ): 38ms 40ms 39ms 11 gr2-p3110.wswdc.ip.att.net. ( ): 278ms 40ms 39ms 12 att-gw.washdc.teleglobe.net. ( ): 41ms 43ms 42ms 13 if-7-2.core1.newyork.teleglobe.n ( ): 45ms 46ms 45ms 14 if bb3.newyork.teleglobe.n ( ): 45ms 47ms 49ms 15 ix bb3.newyork.teleglobe.n ( ): 50ms 46ms 50ms ( ): 44ms 48ms 45ms 17 fe0-0.cr3.ndf.iafrica.net. ( ): 635ms 632ms 633ms 18 atm6-0sub300.cr1.vic.iafrica.net ( ): 641ms 640ms 644ms ( ): 643ms 640ms 643ms ( ): 662ms 659ms 664ms 21 ( ): 663ms 658ms 664ms Trace completed 11/21/99 11:08:25 PM Traceroute to find location of IP Address 13