Through the Eye of a Hacker

Risk & Insurance, Oct 15, 2000 by Lori Widmer

A savvy hacker can find his way around just about any security measure your company has taken to protect your e-business interests. Here is an inside look at what vulnerabilities hackers look for.

Think your e-business is safe from an online attack? Think again. Fraud on the Internet is anywhere from 3 to 50 times larger than it is in the brick-and-mortar world.

According to statistics provided by eHNC, a San Diego-based subsidiary of HNC Software Solutions, estimates of e-tail theft for this year indicate that $600 million in goods will be pilfered.

With this in mind, Risk & Insurance talked with four hackers through separate e-mail exchanges for their insight about hacking, cracking, and e-commerce security. The hackers have chosen to remain anonymous and go by the names Sir Dystic, Samarac, Genocide, and Tazinator. They are affiliated with the online hacking community and, in the case of Genocide and Tazinator, even work in the computer security industry. Here, they offer readers an inside look at what vulnerabilities cyber-attackers target on e-business Web sites.

What makes a Web site an easy target?

SAMARAC: Sometimes it's not so much the site's security or lack of security. It's just because the person can, unfortunately. Sometimes the greater the risk, the greater the challenge, the more susceptible a site may be. It's cyber-bungee jumping. Sometimes it's because a company said it was impenetrable. Sort of the "forbidden fruit" concept.

TAZINATOR: A site is easy to get into if the system administrators are not knowledgeable in tightening security. For example, if the target machine is running Windows NT or 2000 for its operating system, an uneducated administrator may enable a guest account. This allows anyone to log into the machine and, even though it is an account that allows for minimal tasks to be performed, it can allow for exploits to be run remotely, thus allowing the attacker to gain administrator rights. This guest account issue is not just with Windows as it can apply to a Unix or Linux machine in similar aspects, as well.

Another thing that makes it easy to gain access to a machine is that the system administrator may not perform routine or necessary updates to the operating system or to the applications running on the target machine. Many times companies hire administrators who only know the bare minimum. Updates and patches are things that can go overlooked or unknown for a long period of time, sometimes even until a more knowledgeable administrator or user comes along and raises the issue. In cases such as this, older, more known security holes can provide a means for an attacker to gain access.

SIR DYSTIC: One of the things I see happen all the time that nobody in the corporate world has been talking about is people on relatively secure networks who have laptops that they take from work, from their secure network, and bring home and put it on their cable modem or DSL network where it sits there completely unprotected. Because the network at the corporate level is more secure, the individual machine is less likely to be secure because there's this assumption that it's on a protected, private network. Once it's on a DSL or cable modem connection, people can do whatever they want with it.

What weaknesses do you look for in a site?

GENOCIDE: In one word, services. Anything that serves or awaits a connection on a machine is a potential vulnerability. A machine that sits there with no need for external communication is essentially secure except to physical penetrations, meaning that services or programs that are required to run externally are equivalent to doors. The hack comes from finding the key.

Another site that might be an attractive target is one that is on the same network as you are. If you are within a corporate network and all its computers are on hubs to allow them to communicate with each other, then we might run what's called a "sniffer," which allows us to peek at some of the data streams currently zipping around the network. This allows us to gain logins, passwords, e-mail--pretty much anything that is not encrypted.

SAMARAC: We may look for inconsistencies in checks, holes in firewalls and other network securities, back doors through programs, or simply poor programming.

TAZINATOR: When someone targets a server on the Web, the most common thing to do is research a bit on it before trying to gain access right away. An attacker will find out what type of operating system that machine is running, what kind of remote access privileges it is most likely to provide, if the host machine has a guest account enabled, and what the machine's role is, such as a Web server, mail server, etc. After all that is determined, an attacker will usually try to use some exploitable security hole in the operating system or application running on the targeted machine to gain root or administrator rights. Security information is readily available to the public at sites such as www.securityfocus.com and www.rootshell.com, as well as the L0pht site (www.L0pht.com).
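Genocide's point that every service awaiting a connection is a door can be checked from the administrator's side by listing a host's listening sockets and comparing them with the ports it is meant to offer. The script below is an added example, not part of the original article; the sample text is constructed in the format of Linux `ss -H -tln` output, and the allowlist is a hypothetical policy.

```python
"""Audit listening TCP sockets against an allowlist of intended services."""
import ipaddress

# Constructed sample in the format of `ss -H -tln` (Linux iproute2).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      64           0.0.0.0:23         0.0.0.0:*
LISTEN 0      128             [::]:8080          [::]:*
LISTEN 0      128            [::1]:631           [::]:*
"""

# Hypothetical policy: the only ports this host should offer to the network.
ALLOWED_EXTERNAL_PORTS = {22, 443}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line in the ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %interface scope suffix.
        addr = addr.strip("[]").split("%")[0]
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True only for addresses reachable from the local machine alone."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or an unknown form: assume it is reachable


def unexpected_doors(ss_output, allowed_ports):
    """Network-reachable listeners that are not on the allowlist, by port."""
    found = {(a, p) for a, p in parse_listeners(ss_output)
             if not is_loopback(a) and p not in allowed_ports}
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    for addr, port in unexpected_doors(SAMPLE_SS_OUTPUT, ALLOWED_EXTERNAL_PORTS):
        print(f"unexpected listener: {addr} port {port}")
```

Listeners bound only to loopback are skipped because they match Genocide's description of a service with no external communication; everything else must be on the allowlist or be switched off.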

 
