A Brief History of Hacking
- In the 1960s, it was the ARPANET, the first transcontinental computer network, that truly brought hackers together for the first time. The ARPANET was the first opportunity hackers had to work together as one large group rather than in small, isolated communities.
- In the mid-1970s, Steve Wozniak and Steve Jobs, the very men who founded Apple Computer, worked with Draper, who had made quite an impression on them, building “Blue Boxes,” devices used to hack into phone systems. Jobs went by the nickname “Berkeley Blue” and Wozniak went by “Oak Toebark.” Both men played a major role in the early days of phone hacking, or phreaking.
- Congress passed a law in 1986 called the Federal Computer Fraud and Abuse Act. Not long after that law was passed, the government prosecuted its first big hacking case. (Robert Morris was convicted in 1988 for his Internet worm.)
What Motivates a Hacker?
- Notoriety: The knowledge a hacker amasses is a form of power and prestige.
- Challenge: Discovering vulnerabilities, researching a mark, or finding a hole nobody else could find are intellectual challenges.
- Boredom: A target is often found by happening across a vulnerability during time-consuming, wide-ranging probes, not by seeking it out in a particular place.
- Revenge: A disenfranchised former employee who knows the code, network, or other protected information intimately may use that knowledge as leverage for “punishment.”
- Somewhere between the definition of an ethical hacker and that of a malicious hacker lies the argument over the legal issues concerning any form of hacking. Is it ever truly okay for someone to scan your ports or poke around in some manner in search of an exploitable weakness?
- A security professional provides the edge needed to fix existing issues while supplying the training, planning, and insight that can prevent future vulnerabilities. Of course, no security professional can protect your organization from every future attack.
Understanding Current Attack Types
- A recent example of a DoS/DDoS attack occurred when Microsoft was brought to its knees in February of 2001. The attack by hackers was one more sign to the Internet industry that hackers are very much able to control sites when they feel they have a point to prove.
- Traditional DDoS attacks happen at the server level but can also occur at the application level through a buffer overflow attack, which in essence is a denial of service attack.
- Viruses are designed to replicate and to elude detection. Like any other computer program, a virus must be executed to function (it must be loaded into the computer’s memory) and then the computer must follow the virus’s instructions. Those instructions are what is referred to as the payload of the virus. The payload may disrupt or change data files, display a message, or cause the operating system to malfunction.
- Just as with viruses, there is nothing that a developer can do to protect against a worm attack. Code can’t be written any tighter to prevent a worm attack on your machine or that of an end-user.
- Mobile code applications, in the form of Java applets, JavaScript, and ActiveX controls, are powerful tools for distributing information. They are also powerful tools for transmitting malicious code. Rogue applets do not replicate themselves or simply corrupt data as viruses do; instead, they are most often specific attacks designed to steal data or disable systems.
- Obtaining a user’s name and social security number or credit card information gives a malicious hacker enough to cause damage to the victim. A malicious hacker could find all of these pieces of information in one centralized location, such as bank records.
Recognizing Web Application Security Threats
- Application hacking allows an intruder to take advantage of vulnerabilities that commonly occur in many Web sites. Because applications are typically where a company stores its sensitive data, such as customer information including names, passwords, and credit card information, they are an obvious area of interest for a malicious attack.
- Hidden manipulation occurs when an attacker modifies form fields that are otherwise hidden on an e-commerce Web site, such as prices and discount rates. Surprisingly, this type of hacking requires only a common HTML editor like those available with today’s popular Web browsing software.
- Parameter tampering may occur when a site fails to confirm the correctness of CGI parameters embedded inside a hyperlink, and can be used to intrude into the site. Parameter tampering can allow the attacker access to secure information without the need for passwords or logins.
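The two items above come down to the same defect: the server trusts values that the client can edit. The following added example (not code from the book) shows a checkout handler that trusts hidden price and discount fields beside one that looks them up server-side, and an account-view handler that trusts the `acct` parameter in a hyperlink beside one that checks ownership against the server-side session. The catalog, promo codes, account records, and field names are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed server-side data (not from the book): the authoritative price
# list, recognized promo codes, and which user owns which account record.
CATALOG = {"sku-100": 49.99}
DISCOUNTS = {"promo-10": 0.10}
ACCOUNTS = {"1001": {"owner": "alice", "balance": 120.0},
            "1002": {"owner": "bob", "balance": 75.5}}

def vulnerable_checkout(form):
    """Trusts hidden 'price' and 'discount' fields echoed back by the browser;
    anyone with an HTML editor can rewrite them before submitting."""
    price = float(form["price"])
    discount = float(form["discount"])
    return round(int(form["qty"]) * price * (1 - discount), 2)

def hardened_checkout(form):
    """Takes only the item id, quantity, and optional promo code from the
    client; price and discount are looked up server-side, so any tampered
    hidden fields are simply ignored. Unknown promo codes earn no discount."""
    price = CATALOG[form["sku"]]          # unknown sku -> KeyError, not a free item
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be a positive integer")
    discount = DISCOUNTS.get(form.get("promo", ""), 0.0)
    return round(qty * price * (1 - discount), 2)

def vulnerable_view_account(query_string, session_user):
    """Parameter tampering: returns whatever record the 'acct' parameter in
    the hyperlink names, never asking whether the caller owns it."""
    acct = parse_qs(query_string)["acct"][0]
    return ACCOUNTS[acct]["balance"]

def hardened_view_account(query_string, session_user):
    """Same link, but the record is released only to its owner, and ownership
    is decided by the server-side session, not by anything in the URL."""
    acct = parse_qs(query_string).get("acct", [""])[0]
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise PermissionError("account %r is not owned by %s" % (acct, session_user))
    return record["balance"]

if __name__ == "__main__":
    # A form whose hidden fields were edited to nearly zero the bill.
    tampered = {"sku": "sku-100", "qty": "2", "price": "0.01", "discount": "0.9"}
    print("vulnerable total:", vulnerable_checkout(tampered))   # 0.0
    print("hardened total:  ", hardened_checkout(tampered))     # 99.98
```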
- Cross-site scripting is the ability to insert malicious programs (scripts) into dynamically generated Web pages. The scripts are disguised as legitimate data, such as comments on a customer service page, and because of this disguise they are executed by a user’s Web browser. Part of the problem is that when a browser downloads a page containing malicious code, it does not check the validity of the script.
- A buffer overflow attack is carried out by deliberately entering more data than a program was written to handle. Such attacks exploit a lack of boundary checking on the size of input being stored in a buffer. The extra data overflows the memory set aside to accept it and overwrites another region of memory that was meant to hold some of the program’s instructions. The newly introduced values can be new instructions, which could give the attacker control of the target computer.
- When a hacker is using “cookie poisoning,” he is usually someone who has authorized access to the Web application in the first place. The hacker may alter a cookie stored on his computer and send it back to the Web site. Because the application does not expect changes to the cookie, it may process the poisoned cookie. The effect is usually that fixed data fields are changed.
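The usual defence against cookie poisoning is to make any change to the stored fields detectable: the server appends a keyed MAC over the cookie body and recomputes it on every request. The following added example (not the book’s code) shows a reader that processes whatever comes back beside one that verifies an HMAC first; the secret key, field names, and the `altered_cookie` helper that simulates a client editing its stored cookie are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret (not from the book); in a real deployment it
# would be loaded from protected configuration, never embedded in source.
SERVER_SECRET = b"example-only-secret-change-me"

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def issue_cookie(fields: dict) -> str:
    """Serialize the fields and append an HMAC over the serialized form.
    The browser can still read the values; it just cannot change them unnoticed."""
    payload = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def vulnerable_read_cookie(cookie: str) -> dict:
    """Processes whatever came back, as an application that does not expect
    the cookie to change would: the signature is never checked."""
    payload = cookie.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(payload))

def hardened_read_cookie(cookie: str):
    """Recomputes the MAC and compares it in constant time; a poisoned or
    malformed cookie yields None instead of its altered fields."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload.encode()), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

def altered_cookie(cookie: str, fields: dict) -> str:
    """Simulates the client editing its stored cookie: the body is rewritten
    and the old signature left in place, since the client lacks the key."""
    _, sig = cookie.split(".", 1)
    payload = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode())
    return payload.decode() + "." + sig
```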
Preventing Break-Ins by Thinking Like a Hacker
- By examining the very methods that hackers use to break into and attack Web sites, we should be able to use those same practices to prevent an attack from happening on our own Web site. You already test your code for functionality; one step further is to test it for security, attempting to break into it through some hole that may have been unintentionally left in.
- Optimal security reviews and testing occur using the knowledge and skills of a development team, a QA team, and an information security team.
Q: Is protecting my Web applications important if network security is a primary focus at my company?
A: Yes, thinking about Web application security within your company is really important. Malicious hackers are not just attacking at the network level; they are using attack methods such as cross-site scripting and buffer overflows to attack at the application level. You can’t protect against that type of attack from the network level.
Q: A co-worker of mine has learned how to hack into someone else’s Web application and gained access to a lot of personal information, such as customer logins and passwords and even some credit card information. He says he is a white hat hacker because he isn’t actually doing anything with the information, yet he hasn’t reported the security hole to anyone that could fix it. Is he really a white hat hacker?
A: He can call himself whatever he wants, but that’s not really the point. If your friend is knowingly leaving potentially damaging information at risk and bragging to others about it, his actions are definitely not particularly ethical.
Q: I’m confused about what exactly a buffer overflow attack is and at what level it occurs.
A: A buffer overflow attack is an attack that is done by entering more information than a program is able to accept. Buffer overflow attacks exploit a lack of boundary checking on the size of input being stored