#infosec #security The anatomy of #hacking attacks

Various hacking attacks against servers and users

First of all, there are multiple types of hacker attacks and they all have different purposes.
There are also many different types of hackers and they all have cool names like “White hat” hackers and “Black hat” hacker.
The White Hat ones are ususally the security experts hired at a company to check and verify the IT security measures at other companies.
The Black Hat hackers are not. They’re the ones to be afraid of.
I’m neither of them. I’m simply a consultant and the best of these guys know far more about theses things than I do but still, I thought I’d run through a few common attacks targeted to accomplish various things.

There are many reasons why an attacker wants to hack you.
It could be hacktivism and political reasons or an attempt to gain access to your server to be able to use it for hacking others (basically they want access to your CPU, RAM and disk to hide stolen data and tools, mine for Bitcoins or whatever and to have an IP address to use, not leading back to their own).
There’s a few very cool and easy ways to hide files on servers that ar more or less impossible to find such as hiding a file “behind” another file and so on.

Of course in some cases it can also be about trying to steal company secrets (industrial espionage), possibly a former (or current for that matter, internal data theft and hacking is far more common than you’d expect) discontent employee looking to sabotage or looking for revenge or in some cases, just for the fun of it to see if it can be done.

The pre-run, portscan and checking out you site and server

First of all, any hacker will need to know what you’re running and what it looks like. “Know thy enemy” so to speak
Usually a portscan of your servers will reveal quite a lot of information and there are loads of tools to do this, quietly, undetected and effieciently such as nmap or even Google actually.

In order to make it a bit more difficult for them I’d suggest you have your firewall correctly configured, your servers on a DMZ and also to hide any banner revealing wehat software you’re running and what version. This can’t be done with all software I’m afraid but the ones that you can, please consider doing so.
For a hacker to know exactly what you’re running will only make his/her life much easier since all they do is to start
looking for any known vulnerabilities and so called exploits to that software and version.
Usually software developers have released a patch but ufortunately, a lot of software never gets updated in time due to the old “if it works, don’t fix it” attitude amongst a lot of server tekkies and hosting providers.

Another thing is to move all default pages and scripts (or delete them if you’re not using them) to make a bit more difficult to figure out what you’re actually running and how it is setup. Have for instance 404 error messages redirected to the startpage or Google or your worst competitor and also 403 errors ..

DoS attacks and DDoS attacks.

A DoS attack is a “Denial of Service” attack whick means that your server is in some way attacked and made to stop servicing your clients / users or customers the way it’s supposed to.
This can be accomplished in many ways. A DDoS attack is a DoS attacked but with the difference that it is a Distributed DOS attack meaning there are a lot of more computers involved in doing the attack.
These attacks often have the main purpose of taking a website down by overloading it really.
If you’ve got a webserver servicing for instance a webshop and a hackergroup for some resaon don’t like you, they’ll get a few hundred thousand computers around the world to ask for a specific document or picture on your website, thus overloading it so it can’t really service your customers since the server is busy handling the bogus requests. Worst case, an attacks such as this can actually go on for weeks and it has happened that is is aso simply an extortion. “If you pay us this and this much , your webshop will be back online again, otherwise not”. For som companies this of course could be an absolute disaster, imagine for instance aroound the Christmas sales.

Now, it might sound impossible to find a few hundred thousand computers to get such an attack underway. It’s not. They’re out there in botnets spread over VPS and physical machines and they’re for hire even. Including a trial run and with support. Brave new world ..

There are ways to handle these attacks. For instance increasing the service capacity on the server, increasing you bandwidth and also have a talk with your ISP on how to mitigate the attacks if they have solutions in place for it. You could also have for instance a powerful SNORT server in front of the firewall to get rid of some of the traffic.

If a server is poorly updated and the application/website is sensitive for instance that the hacker simply adds som code to the webaddress trying to browse the filesystem on the server then this can also render in a DOS attack or even worse, the attacker gets hold of the users and administaror/roots passwords. Once they’ve got that, your pretty much ..well. you won’t be having a good day. Basically you need to make sure your webserver is always correctly updated, and you also need to make sure that the underlying filessystem can’t be reached from the outside more than absoplutely necessary.
Make sure you checked every directory and path on the website and what actually is reachable, writeable and browsable. If you’ve got pages you don’t want indexed then hadled that in the robots.txt or have them secured behind a userlogin page.

SQL Injections and badly formated requests

If the website uses a SQL Server or has any input form to validate or gather something, please make sure that the application strips away any characters that could make your server vulnerable to SQL Injections since the SQL Serevr is usually run with administrative rights making the SQL Swerver injections being run with high priviliges and accessing the operatin system. If you don’t know how the application is written, please contact the developers of it and ask them and have them verify this.

For any part of the website where there are input forms, makes sure that all input is validated in terms of what characters are used and how long the input is. If a website is poorly written and poorly validated, a memory buffer overloflow can ooccur which basically means that the input is so large or strangely formated that the server will stop working or even give the attacker access to the servers operatingsystem by overwriting stuff in the RAM in a way that it’s not suppoed to.

Viruses and trojans.

If an attacker has been able to lure your users to a site that contains infected code (sometimes also called drive by
hacking) and the webbrowser or plugins to it (Java, Adobe, Flash and so on) are sensitive to that particular infections you user might come down with an infected computer. Depending on what actually has been infected and why the consequnces vary of course.
I’ve heard of companies that have been affected with a virus rendering them unable to work since nobody was allowed to even plug in their computers to the work networks until they could be sure they’d got rid of it. In this case it was a lot of computers so I think it took them 3 week until people actually could start working again, 3 weeks without any work. That’s a costly thing for any company.The same standstill could also come from a ransomvirus, basically encrypting all your files and you’ll have to pay money to get the right decryption password.

The way to minimize such a horrbile standstill is to make sure that ALL of your devices connecting to the network are
properly updated with antivirus products (please do not use the free ones ..ever.) but also you need to make sure that any other software is properly updated . Java, Flash, and the operating system itself . This also goes for workstations connecting from home and so on or otherwise you might be in for a bad day. You should also be very restrictive when it comes to letting users use USB drives and stuff. They might be infected with something.

MITM – Man in the Middle, proxies and easedropping

If you’ve got a corprate network, you want to know what devices actually are on it and why. If someone for instance sets up a computer and has all of the corprate traffic routed through, all of your communicating is being copied and this can be done in various ways. The same goes actually for you if you’re using public WiFi hotspots which I would never recommend anyone really using. To intercept data isn’t very difficult unfortunately, especially if it isnät protected by valid certificates.
You need to use valid SSL certificates and there’s no reason to use anything lower that 2048 encryption.

Brute force and dictionary attacks.

I’ve written loads and loads on this earlier so I won’t linger on it. A brute force or dictionary attack is basically someone trying to get access to your server by guessing the username and correct password using a large list of common passwords or a dictionary and simply trying them one by one (well, thousands at a time really since its’s automated).
To protect your servers and user you need to have a inttrusion prevention system in place. For Windows Servers I recommend using Syspeace (and you can also use Sysepace for protecting webappliactions you’ve prtected through the Syspeace API) and on Linux servers I’d hava a look at fail2ban. You should also use and enforce complex passwords.
You should also have a very strict policy to immediately block an employees account as soon as they’re no longer with the company and you should be very careful with what user rights you grant your users since they can easily be misused. You should also have software in place for managing mobile phones and othe devices that your employees have and the ability to wipe them clean if they get stolen or if you suspect internal mischief from an employee.

On site data theft and social engineering.

Well. In a sense , it’s not hacking but it’s more fooling people. Not the intial part anyway.
Basically someone turns up, claiming to be from the phone company, a cleaning company, your IT support company or anything that makes sense and they want access to the datacenter, server room to “fix” something. This is also referred to as social enginering. First the hacker finds out as much as possible about the company they’re attacking and then use that information to gain access to workstations or servers within the company,

Once they’ve actually gained access, they’ve got USB sticks to insert into workstations or servers , either loading a software into them as trojans or keyloggers or just something that elevates rights or maybet they’re simply after just copying the data. It all depends on how much time they have and if they’re alone. In some scenarios it might even just be a trick for them to gain access to backup tapes since all the companys data is on them . They could also bribe janitors, cleaning staff and so on to steal backup tapes for them since they far too often will have access to the datcenters and they’re
not that highly paid.

There are a lot of tools that can simply put on a USB stick, boot up the server and you can reset administrator passwords, overwrite systemfiles (to plant a trojan or destroy them to render the server unbootable) , steal data and so on and a lot of them are surprisingly user friendly like for instance Hiren’s BootCD

A variation of this is of course people phoning someone up, claiiming to be from the IT departement or Microsoft or somewhere, wanting to “help you” with a problem and asking for remote access to your computer. Once they gain access, they’ll do same things. Plant a trojan or a virus or a keylogger and the basically own the computer.

To protect your companydata please always make sure you know who and why people are on site, never have anyone come near servers or workstations and if possible, disable any USB ports and always use password protected screen savers.
Every device on your network must also have a good antivirus running in case someone still manages to put an inected USB stick into the workstation. Also make sure you talk the users about the hazards of giving anyone access to their computer.

If you suspect you’ve been hacked.

First of all, try to verify that you have been hacked and also try to find out when. In som cases you’ll have to revet to backups taken BEFORE you we’re hacked to be sure that you don’t restore a rootkit or something. This also means your backupplans and DRP palns need to take these scenarios into account so don’t be cheap with the number of generations you actually save. You might need something from 6 months aog.

Try to find out what happened, when it happened, how it happened and have it fixed before you allow access to the server again. There’s no sense in setting the same flawed server up again. It will only be hacked again,

Don’t be afraid to make it a matter for the police. They need to know about it and they want logfiles and any documentation you may have.

When you get the server up & running again (or prefferably before you’ve been hacked) make sure to have monitoring set up for the server. If it’s a website for instance, you want to be alerted if anything changes on in the html code for website for instance, or if the site is responding slowly (this doesn’t have mean you’ve been attacked but could point to other problems also such as diskproblems, misconfigured server settings or ..well..anything really. In any case you want to look into it.)

So , these were only a few methods and there a loads and loads more of them .

I’ve written a few other blog articles on securing servers, datacenters and on brute force prevention and here’s a few links to previous articles.

Should you need consulting or ideas on these questions or on backup/restore or on building cloud services / migrating to cloud services , I’m reachable by clicking the link below.

By Juha Jurvanen – Senior IT consultant at JufCorp

Social tagging: > > > > > > > > > > > > > >

Leave a Reply