ITS 4550 - Fraud Prevention and Deterrence


Chapter 1, Hacking: The Next Generation

This lesson presents some background material from chapter 1. Objectives important to this lesson:

  1. Hacker profiles and motives
  2. History of hacking
  3. Ethical hacking
  4. Common methods
  5. Penetration testing
  6. Ethical standards and the law
Concepts:
Chapter 1

Our text begins with a more reasonable approach than some others, suggesting that we should consider the motives of hackers when we try to categorize them. It still gives us labels for people with particular motives, so we have to read further than the bullet headings:

  • good guys - also called white hats, professionals who hack to find and fix vulnerabilities
  • amateurs - also called script kiddies, these are hackers who want to be like famous hackers; typically, they use tools created by hackers the amateurs are trying to be like
  • criminals - hackers who want to turn a profit from stolen information, often credit card and personally identifying information
  • ideologues - hackers who work for political, national, or religious reasons, typically against perceived enemies of their ideologies

Image of black, gray, and white hatsThe text continues with a short list of control types that may be helpful in deterring hackers:

  • technical controls - software and hardware solutions that include firewalls, authentication systems, intrusion detection, and intrusion prevention systems
  • administrative controls - policies and rules that guide and require users to operate computer systems more safely and securely
  • physical controls - the first line of defense of any asset: don't let the black hats near it! You may need to use guards, dogs, turnstiles, gates, and/or card sensors. Old-fashioned locks on doors are good, too.

In a side note, the text explains two useful terms:

  • vulnerability - a weakness in a system or in a defense that an attacker can use to gain access to our systems
  • exploit - this word is a verb, meaning to take advantage of something; the text explains that in IT security, it is also a noun, and it means a program, a tool, or a method that uses a vulnerability to gain unauthorized access to a system

The text presents a list of rationalizations that have been used by hackers to justify unlawful hacks. The text does not quite make it clear that these reasons are not valid legal defenses:

  • Attacking a system is not like attacking a person - Maybe, but stealing information that belongs to someone else is attacking that person.
  • Stealing software from a rich company is okay - Stealing is still stealing, regardless of the wealth of the victim; the victim is probably not Prince John or the Sheriff of Nottingham.
  • Attacking another country or a political rival is fair - No, it is not. You may have heard about Watergate, which is the name of a hotel that now represents an attempt to breach the security of an opposing political party.
  • Hacking is fine if you are learning from it - Learning is not just learning if it involves illegal actions. We have labs, we have a cyber defense club that holds events, and there are sites online like Hack the Box that encourage you to practice your skills and to develop more by hacking their puzzles. You don't have to break laws and you should not do so.
  • Breaking in is okay if that is all you do - If you are testing a system with the permission of its owners, that would be fine. If you don't have permission, you are invading their privacy as much as you would be if you were entering someone's home or business without permission. This may be something your parent never told you. If so, listen/read carefully: the world does not belong to you. You don't get to screw around with it just because you want to.

The text moves on to discuss several motivations that may cause hackers to do their thing. They relate to the material presented so far:

  • Benefiting the system owner - This is a repeat of the concept of a white hat hacker testing a system for vulnerabilities.
  • Social status - Hacking a system to gain status among hackers may be an example of someone needing to belong to and be recognized as a member of a group. People who don't have social connections will try to find some, sometimes in unfortunate ways.
  • Monetary gain - The white hat hacker in the examples above is probably working for a fee, but this bullet is about black hats who are after things they can steal and sell, or things they can lock and hold for ransom. Both, as should be obvious, are crimes.
  • Ideology - This motive includes cyberterrorists, social activists, and state sponsored hackers. The degree to which a person chooses to disregard laws and social conventions to pursue their ideology determines the intensity of the crimes they might commit in the name of their ideals.

The text spends a few paragraphs reviewing the history of computer hacking. It might be good to pause for a moment to consider that the hacking of private information is almost as old as writing, and certainly as old as codes and ciphers. The art of hacking computers had to wait for computers to be invented, but people have been trying to uncover secrets as long as there have been secrets.

That being said, computer hacking also includes compromising and disabling systems, which the text illustrates with a worm that was released at Cornell University in 1988. The Morris worm may not have been the first on the Internet, but it was the first one the news media noticed. Its introduction was a watershed moment that our author sees as the moment the Internet itself became a target and a medium for abuse.

The text turns to some concepts we have already covered, first, that a professional (or a student, for that matter) should never probe a system without permission from someone who has the authority to grant such permission. The text specifies that this should be the system owner, but in the case of corporate or government systems, ownership can be hard to define. At the very least, it should come from someone who is part of the group charged with protecting that system, someone with the authority to give assignments, to approve contracts, and to make a case for conducting such work to the upper management of the organization. You don't just try to break in to a system because your buddy dares you to do it, even if your idiot buddy works on that system. (Hmm. You and your buddy. Now it sounds like a conspiracy. Think you should call a lawyer, kid?)

Having stressed permission the text elaborates on its definition of a penetration test, either without insider knowledge of the system (black box testing) or with it (white box testing). Note that the use of the colors black and white in this context does not mean anything about the tester's motives.

The text provides us with what we might call a code of conduct for ethical hacking:

  • Don't hack without permission.
  • Use the same tools and tactics (or better ones) as those an attacker might use.
  • Use care NOT to harm the the system you are hacking. (Primum non nocere) You are examining it, not trying to destroy it.
  • Study the work done by malicious hackers to understand what they are likely to do, to learn what you may not know.
  • If you pen testing (penetration testing), or any other kind of hacking, make sure that you and the authorizer both understand what is going to happen. This is good for any kind of contract, but it is critical when you are doing something that might be considered illegal without proper permission.
  • Your goal is the help maintain the standard of Confidentiality, Integrity, and Availability. You can do this by finding the vulnerabilities that lead to the opposites of those characteristics: Disclosure, Alteration, and Disruption. If you can do any of those things, we do not have security.

The text presents a version of an attack methodology that I have seen used by an NSA presenter. It first makes it clear that there is no universal method, no absolute set of steps that every attacker will follow. This series of steps is representative of what an organized, determined hacker will probably do, even though it is not required that the hacker carry out every step listed.

  • Reconnaissance - Gather information about your target from public information and from social engineering.
  • Scanning - Build on the initial information with more focused attacks, like spear phishing, waterholing, and exploiting vulnerabilities in systems identified in the first step.
  • Infiltration and escalation - Get into the system with the IDs and access you have gathered. Get escalated right to gather more resources.
  • Exfiltration - Take the material you have captured out of the system, and get yourself out of it as well.
  • Access extension - Use the backdoors you found or installed to go back for more later.
  • Assault - If this was an exercise in data mining, you may want to continue to do it in the future. Destruction is not part of that plan. However, if destruction is part of the plan, this is phase in which it happens. If that is all the attacker wants to do, the previous two steps may not take place.
  • Obfuscation - This is the application of anti-forensics. Clean up your mess. Don't let the victim know anything happened. You can come back to get more goodies if they don't know you were here.


As the text has mentioned several times, a vital activity for an information security professional is penetration testing, also called pen testing. The text goes into more detail in the next section, explaining that a pen test that has not been adequately described in a contract can leave the pen tester open to legal action from the client, and from the client's clients. A written agreement between the pen tester (or company) and the client is critical.

In figure 1.4, the text presents a high level overview of pen testing, showing four major elements"

  • Planning - This leads to the first report cycle, and to the contract finalization. (See below.) Note the list of bullet points in the text that should be included in a proposal, a contract negotiation, and in the contract for the pen test.
  • Discovery - This is the preliminary probe stage as described above.
  • Attack - Attack often leads to more discovery, creating a loop that can repeat any number of times.
  • Reporting -
    Reporting the plan for the pen test to the client is part of the contract creation process. This stage may loop several times before an acceptable plan is agreed to by both parties.
    Reporting the actions taken, the vulnerabilities found, and recommendations for remediation should occur at the end of the process.

The text lists three major forms a pen test may take. A contract should specify which forms will be used. The pen testers will be better protected if the contract includes options for all three forms.

  • Technical attack - testing only the technical system and its defenses
  • Administrative attack - testing for problems with policies, procedures, and standards
  • Physical attack - testing for weaknesses in physical defenses as well as attempting to social engineer staff (social engineering is placed here in the text, but it should be included in all forms

The chapter ends with a warning that computer systems are typically connected to the Internet, and therefor to the world. This presents a problem when determining what laws of what jurisdiction apply to a crime. We are advised to learn about laws and regulations. A list of eleven laws from the United States is provided as a starting point.


Assignments

This week you need to complete Lab 1, which is due before class next week. You should begin Assignment 1 and Part 1 of an ongoing course project. Both of these are due in two weeks.