Orange County Computer Consultant

My photo
Orange County Computer Consultant helps small businesses with networking, installations and small business software.

Thursday, September 20, 2007

Hacker Methods

So how do hackers and crackers go about attacking networks and hosts? The best ones do research first. They want to know about your company, workers names, hobbies. The more information the better.

The first step would be to scan your target to determine which ports are open on your network. This can be done with many tools on the Internet. I will not list the tools as this is not a hacker tutorial but more of a heads up. Once they find what ports are open they can determine what services are running. A simple scan on Google or other websites can tell you which vulnerabilities are known for this application or service.

The next step would be to search for exploit code for that open port/service. At this point the attacker could craft a packet with a payload with the exploit code. The exploit code can tell the remote host to send back a shell or any other numerous things. Most attackers want access to the system to look for things. Others are malicious.

Attackers will often install a sniffer to grab more passwords on the network. Then cover their tracks and come back at a later time to grab the information or use your host as a jump off point for more attacks. Some hackers use mulitple systems to do Denial of service attacks. DDos is used with multiple systems.

The lesson here is patch and patch often, install IDS systems and have a firewall that will drop any suspicious traffic. Monitor your logs and encrypt your data!

Layered Technologies Hacked

It appears that hackers have managed to get into Layered Technologies databases. There are reports that over 6,000 user id's and passwords were compromised. This just shows why encryption should be used more vigilantly.

It looks like the hacker got in over HTTP. He then accessed the database and copied the information. Passwords for SSH, MySQL, Cpanel and other applications were taken. I would suggest to anyone using this company to switch their passwords or think about another hosting company.

Intrusion Detection Systems

In my previous post I talked about a IDS. IDS is a system that is used to monitor your network or hosts for behaviour that is out of the norm. They look for known attacks and alert you. You can usually have a back end database to store this information.

IDS systems can protect against zero day exploits, directory traversal, SQL injection attacks, buffer overflows, worms and othe Mal ware.

A good IDS should be able to do the following:
  1. Deep Packet Inspection
  2. Behaviour analysis
  3. Logging

SNORT is a great and free IDS. It can do network analysis and logging.

There are plenty of books availiable to learn and configure SNORT.

Cisco also has a IDS, they call it IPS or Intrusion Prevention System.

McAffee Intrushield

McAffee Intrushield is a IPS. Intrusion protection system. The Intrushield can scan data at up to 10Gbps. Their are different models. I was told by a security enginerr by McAffee security engineer that it is effective because it uses FPGA's and ASIC's to transfer data. I noticied a bullet point that stated that the device could even scan for encrypted threats. I asked how can the IPS device determine if it is legit traffic or Malware? He stated that the device decrypts the packets and then scans the contents.

This device also supports QOS. Which will allow you to prioritize data. For instance VoiP would need more bandwith than P2p. They also have a technology called Vitual IPS to protect VLAN's.
The Intrushield is compatabile with McAffe Orchestra and and Mcaffee NAC.