dslreports logo

    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»


how-to block ads

How systems are broken (owned in underground terminology)

1. Passwords: If your computer has passwords, it may be possible to guess them, sometimes by what is known as "brute force".

2. Exploitable flaws in gatekeeping programs: Tricking a program into doing something it should not do. usually by modify a file, deleting a file, or, returning information that should not be returned, by taking advantage of a known software bug. Webservers are incredibly complex gatekeepers or guardians of information, and currently have the richest variety of exploitable flaws or insecurities that creep into their setup and administration.

3. Buffer Overflows: Many programs, even the ones that operate as gatekeepers, are written with assumptions that inputs are always shorter than some given length. This has come about mainly due to a characteristic of the C programming language, which encourages (or more strictly, does not disallow) programmers to allocate fixed sized character buffers when reading data, and then not check for the case of input data over-writing those buffers. If the input data is unexpectedly large, the data may write over into the programs stack, and cause either a crash or worse, execution of code that the intruder plants into the input data.

4. Trojans: Tricking a computer to run something that contains code which compromises the machine, is what a Trojan does. It can take almost any form, such as a screen saver or a christmas greeting program. A trojan usually arrives by email or by IRC file-send, or in some cases from a web page. Trojans are sophisticated and unlikely to have been written specifically for either the person using them or the target they are used against, but with binary standards and more complex home operating systems, they are becoming more common.

5. Man in the Middle: The interception of communication between two computers gives the opportunity to either listen for information, possibly leading to cracking via passwords, or to impersonate one party, therefore leading to betrayal of trust. More complex betrayal intrusions can involve three or more parties.

Locating Vulnerable Systems

Information is gained by:

1. Scanning: Programs can scan a domain looking for telltale fingerprints of a system running services with known flaws.

2. Social Engineering: Simply contacting an organization and asking for a password is remarkably effective for the brazen armed with a little background information about the victims.

3. Sniffing: By compromising an otherwise uninteresting host, packet sniffers can be setup to watch data passing by the host that will lead to more information. Sniffers usually just look for cleartext passwords, but can also watch sessions and figure out which machines trust which other machines, information that is invaluable for attacking corporations.

Denial of Service (DOS Attacks)

A "denial-of-service" attack is an explicit attempt by attackers to prevent legitimate use of a service by those who depend upon it. Some examples are attempting to "flood" a network, thereby preventing legitimate network traffic, attempting to disrupt connections between two machines, thereby preventing access to a service, attempting to prevent a particular individual from accessing a service, and attempting to disrupt service to a specific system or person.

Denial of Service attacks are numerous and difficult to defend against, because they exploit very low level flaws in communications protocols, protocols designed in more academic environments. However, when a machine that provides security-related information is muzzled, denial of service can possibly lead to break ins. If a logging machine is crashed via a packet handling flaw, then because it is no longer logging activity, more ambitious attacks can be mounted.


Not getting caught is obviously of paramount importance to an attacker, so they go to incredible lengths to cover their tracks. Spoofed packets contain an invalid or innocent "from" address. Without access to network administrators, it is impossible to tell the origin from data at the point of reception. The trouble with this, from the attackers point of view, is that if they are invisible, they also cannot get any return data! Therefore, they can attempt to use proxies to remain connected. Proxies are usually innocent computers previously "owned", with relay programs setup on them. Conveniently, certain service programs like FTP, Wingate or Socks, when incorrectly configured, can act as relays even without the host being cracked, so scanning for possibly proxies that may be used is also a common activity.

What does Secure-Me concentrate on?

Evaluating security of corporate networks cannot be done with anything so simple as an automated tool, so Secure-Me is aimed at auditing the security of a simple home PC or a simple small business gateway machine, in the context of the increase in the number of machines now hooked to the net fulltime. In this situation, the possible security loopholes are fewer, and the evaluation becomes easier to automate On the other hand however, the number of people with access to scanning tools and the amount of bandwidth they have to use them are growing, so anyone who is running an insecure service or a misconfigured computer can easily be found and "owned".

Simply put, Secure-Me gives the machine a brief scan for what open services it runs, then uses some common crack scripts and programs that are in use now by the net underground to probe for possible risks with those services. The tools Secure-Me uses are really just an automated collection of cracking scripts and programs, orchestrated to report their results in one file. In a way, it is like an online webified version of Satan (an old cracking toolkit), but considerably more complete with newer tools.

Expand got feedback?

by KeysCapt See Profile
last modified: 2004-02-01 05:09:55