Praise for Gray Hat Hacking: The Ethical Hacker’s Handbook, Second Edition
“Gray Hat Hacking, Second Edition takes a very practical and applied approach to learning how to attack computer systems
...
” —Jeff Moss, Founder and Director of Black Hat
“The second edition of Gray Hat Hacking moves well beyond current ‘intro to hacking’ books and presents a well thought-out technical analysis of ethical hacking
...
The tools and vulnerability classes discussed are very current and can be used to template assessments of operational networks
...
Dodge Jr
...
D
...
The tools and techniques covered provide a solid foundation for aspiring information security researchers, and the coverage of popular tools such as the Metasploit Framework gives readers the information they need to effectively use these free tools
...
com Guide for Internet/Network Security, http://netsecurity
...
com “Gray Hat Hacking, Second Edition provides broad coverage of what attacking systems is all about
...
” —Bruce Potter, Founder, The Shmoo Group
“As a security professional and lecturer, I get asked a lot about where to start in the security business, and I point them to Gray Hat Hacking
...
The fact that a second edition is coming out is even better, as it is still very up to date
...
” —Simple Nomad, Hacker
ABOUT THE AUTHORS
Shon Harris, MCSE, CISSP, is the president of Logical Security, an educator and security consultant
...
S
...
Shon was also recognized as one of the top 25 women in information security by Information Security Magazine
...
in North Carolina
...
Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, Computer Security Incident Response Center (IRS CSIRC)
...
Chris Eagle is the associate chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California
...
He can often be found teaching at Black Hat or playing capture the flag at Defcon
...
He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities
...
He serves one weekend each month as a security engineer in a reserve military unit
...
S
...
About the Technical Editor
Michael Baucom is a software engineer working primarily in the embedded software area
...
He co-taught Exploiting 101 at Black Hat in 2006
...
Gray Hat Hacking The Ethical Hacker’s
Handbook Second Edition
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness
New York • Chicago • San Francisco • Lisbon London • Madrid • Mexico City • Milan • New Delhi San Juan • Seoul • Singapore • Sydney • Toronto
0-07-159553-8 The material in this eBook also appears in the print version of this title: 0-07-149568-1
...
Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark
...
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs
...
com or (212) 904-4069
...
(“McGraw-Hill”) and its licensors reserve all rights in and to the work
...
Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent
...
Your right to use the work may be terminated if you fail to comply with these terms
...
” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
...
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom
...
Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages
...
DOI: 10
...
To my loving and supporting husband, David Harris, who has continual patience with me as I take on all of these crazy projects!
—Shon Harris
To the service members forward deployed around the world
...
—Allen Harper
To my wife, Kristen, for all of the support she has given me through this and my many other endeavors!
—Chris Eagle
To Jessica, the most amazing and beautiful person I know
...
Chapter 16 Exploiting Windows Access Control Model for Local Elevation of Privilege
...
Most People Don’t Understand Access Control
...
You’ll Find Tons of Security Vulnerabilities
...
Security Identifier (SID)
...
Security Descriptor (SD)
...
Tools for Analyzing Access Control Configurations
...
Dumping the Security Descriptor
...
Special SIDs
...
Investigating “Access Denied”
...
Attack Patterns for Each Interesting Object Type
...
Attacking Weak DACLs in the Windows Registry
...
Attacking Weak File DACLs
...
Enumerating Shared Memory Sections
...
Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, Devices)
...
Protocol Analysis
...
Installing Sulley
...
Blocks
...
Monitoring the Process for Faults
...
Controlling VMware
...
Postmortem Analysis of Crashes
...
Way Ahead
...
Exploitability
...
Understanding the Problem
...
Repeatability
...
Payload Protocol Elements
...
Self-Destructive Shellcode
...
Background Information
...
Research Results
...
Mitigation Alternatives
...
Migration
...
Source Code Patching Considerations
...
Binary Mutation
...
Part V Malware Analysis
...
Malware
...
Malware Defensive Techniques
...
Honeypots
...
Why Honeypots Are Used
...
Low-Interaction Honeypots
...
Types of Honeynets
...
Catching Malware: Setting the Trap
...
VMware Guest Setup
...
Initial Analysis of Malware
...
Live Analysis
...
What Have We Discovered?
...
Trends in Malware
...
Use of Encryption
...
Use of Rootkit Technology
...
Peeling Back the Onion—De-obfuscation
...
Unpacking Binaries
...
Malware Setup Phase
...
Automated Malware Analysis
...
PREFACE
This book has been developed by and for security professionals who are dedicated to working in an ethical and responsible manner to improve the overall security posture of individuals, corporations, and nations
...
She would also like to thank Scott David, partner at K&L Gates LLP, for reviewing and contributing to the legal topics of this book
...
You gave me the strength and the ability to achieve my goals
...
Chris Eagle would like to thank all of his students and fellow members of the Sk3wl of r00t
...
He would also like to thank his family, mentors, teachers, coworkers, pastors, and friends who have guided him along his way, contributing more to his success than they’ll ever know
...
—George Washington
He who has a thousand friends has not a friend to spare, and he who has one enemy will meet him everywhere
...
—Sun Tzu
The goal of this book is to help produce more highly skilled security professionals who are dedicated to protecting against malicious hacking activity
...
Corporations and nations have enemies that are very dedicated and talented
...
The authors of this book want to provide the readers with something we believe the industry needs: a holistic review of ethical hacking that is responsible and truly ethical in its intentions and material
...
We have updated the material from the first edition and have attempted to deliver the most comprehensive and up-to-date assembly of techniques and procedures
...
In Part I of this book we lay down the groundwork of the necessary ethics and expectations of a gray hat hacker
...
Many existing books cover the same old tools and methods that have been rehashed numerous times, but we have chosen to go deeper into the advanced mechanisms that real gray hats use today
...
We cover the following topics in this section:
• Program Coding 101 to introduce you to the concepts you will need to understand for the rest of the sections
• How to exploit stack operations and identify and write buffer overflows
• How to identify advanced Linux and Windows vulnerabilities and how they are exploited
• How to create different types of shellcode to develop your own proof-of-concept exploits and necessary software to test and identify vulnerabilities
In Part IV we go even deeper, by examining the most advanced topics in ethical hacking that many security professionals today do not understand
...
At some time or another, the ethical hacker will come across a piece of malware and may need to perform basic analysis
...
We’re interested in your thoughts and comments
...
Ethics of Ethical Hacking
Ethical Hacking and the Legal System
Proper and Ethical Disclosure
CHAPTER 1
Ethics of Ethical Hacking
• Role of ethical hacking in today’s world
• How hacking tools are used by security professionals
• General steps of hackers and security professionals
• Ethical issues among white hat, black hat, and gray hat hackers
This book has not been compiled and written to be used as a tool by individuals who wish to carry out malicious and destructive activities
...
Let’s go ahead and get the commonly asked questions out of the way and move on from there
...
Next question
...
The goal is to identify and prevent destruction and mayhem, not cause it
...
I think these books are only written for profits and royalties
...
More royalties would be nice, so please buy two copies of this book
...
Most countries’ militaries carry out scenario-based fighting exercises in many different formats
...
” The bad guys use the tactics, techniques, and fighting methods of a specific type of enemy—Libya, Russia, United States, Germany, North Korea, and so on
...
This may seem like a large leap for you, from pilots practicing for wartime to corporations trying to practice proper information security, but it is all about what the team is trying to protect and the risks involved
...
Several governments around the world have come to understand that the same assets they have spent millions and billions of dollars to protect physically are now under different types of threats
...
This software can be hacked into, compromised, or corrupted
...
Individual military bases still need to be protected by surveillance and military police, which is physical security
...
These types of controls are limited in monitoring all of the physical entry points into a military base
...
So your corporation does not hold top security information about the tactical military troop movement through Afghanistan, you don’t have the speculative coordinates of the location of bin Laden, and you are not protecting the launch codes of nuclear bombs—does that mean you do not need to have the same concerns and countermeasures? Nope
...
The example of protecting military bases may seem extreme, but let’s look at many of the extreme things that companies and individuals have had to experience because of poorly practiced information security
...
From 2005 and forward, overall losses due to malware attacks declined
...
Several factors are believed to have caused this decline, depending upon whom you talk to
...
Another theory regarding this reduction is that attacks have become less generalized in nature, more specifically targeted
...
The less-generalized attacks are still taking place, but at a decreasing rate
...
The more targeted attacks will not necessarily continue to keep the operational staff carrying out such busy work, but the damage of these attacks is commonly much more devastating to the company overall
...
Attacks on the home user declined by approximately 7 percent in that same period
...
Over the last two to three years, hackers’ motivation has changed from just the thrill of figuring out how to exploit vulnerabilities to figuring out how to make revenue from their actions and getting paid for their skills
...
The attacks are not only getting more specific, but also increasing in sophistication
...
The year 2006 has been called the “Year of the Rootkit” because of the growing use of rootkits, which allow hackers to attack specific targets without much risk of being identified
...
NOTE
Chapter 6 goes in-depth into rootkits and how they work
...
An interesting thing about malware is that many people seem to put it in a category different from hacking and intrusions
...
The attacker only has to put in some upfront effort developing the software, and then it is free to do damage over and over again with no more effort from the attacker
...
The company Alinean has put together some cost estimates, per minute, for different organizations if their operations are interrupted
...
Many times attacks and intrusions cause a nuisance, and they can negatively affect production and the operations of departments, which always correlates with costing the company money in direct or indirect ways
...
A conservative estimate from Gartner (a leading research and advisory company) pegs the average hourly cost of downtime for computer networks at $42,000
...
Even when attacks are not newsworthy enough to be reported on TV or talked about in security industry circles, they still negatively affect companies’ bottom lines all the time
...
Here are a few more examples and trends of the security compromises that are taking place today:
• Both Ameritrade and E-Trade Financial, two of the top five online brokerage services, confirmed that millions of dollars had been lost to (or stolen by) hacker attacks on their systems in the third quarter of 2006
...
• Apple computers, which had been relatively untargeted by hackers due to their smaller market share, are becoming the focus of more attacks
...
In another product line, Apple reported that some of their iPods shipped in late 2006 were infected with the RavMonE
...
The virus was thought to have been introduced into the production line through another company that builds the iPods for Apple
• In December 2006, a 26-year-old Romanian man was indicted by U.S. courts on nine counts of computer intrusion and one count of conspiracy regarding breaking into more than 150 U.S. government computer systems at the Jet Propulsion Labs, the Goddard Space Flight Center, Sandia National Laboratories, and the U.S. Naval Observatory
...
The accused faces up to 54 years in prison if convicted on all counts
...
Symantec detected an average of 6,110 denial-of-service (DoS) attacks per day, the United States being the most prevalent target of attacks (54 percent), and the most prolific source of attacks (37 percent) worldwide
...
• On September 25, 2007, hackers posted names, credit card numbers, as well as Card Verification Value (CVV) Codes and addresses of eBay customers on a forum that was specifically created for fraud prevention by the auction site
...
• A security breach at Pfizer on September 4, 2007, may have publicly exposed the names, social security numbers, addresses, dates of birth, phone numbers, credit card information, signatures, bank account numbers, and other personal information of 34,000 employees
...
• On August 23, 2007, the names, addresses, and phone numbers of around 1
...
com
...
com reported that identity theft had topped the Federal Trade Commission’s (FTC’s) complaint list for the seventh year in a row
...
• Privacyrights
...
• Clay High School in Oregon, Ohio, reported on January 25, 2007, that staff and student information had been obtained through a security breach by a former student
...
• In April 2007, a woman in Nebraska was able to use TurboTax online to access not only her previous tax returns, but the returns for other TurboTax customers in different parts of the country
...
• A security contractor for Los Alamos National Laboratory sent critical and sensitive information on nuclear materials over open, unsecured e-mail networks in January 2007—a security failing ranked among the top of serious threats against national security interests or critical Department of Energy assets
...
Carnegie Mellon University’s Computer Emergency Response Team (CERT) shows in its cyberterrorism study that the bad guys are getting smarter, more resourceful, and seemingly unstoppable, as shown in Figure 1-2
...
Protection from attack was their highest priority, followed by proprietary data protection, then customer and client privacy, and finally regulatory compliance issues
...
• The FBI has named computer crimes as their third priority
...
5 million to fund 659 field agents
...
5 percent increase over the 2007 fiscal year
...
• In February 2007, Forrester
...
5 percent and 9
...
These figures were fairly consistent among different organizations, regardless of their industry, size, and geographic location
...
Figure 1-2 The sophistication and knowledge of hackers are increasing
...
Today close to a million computers are infected with bots that are controlled by specific hackers
...
Botnets are used to spread more spam, phishing attacks, and pornography
...
Since more network administrators have properly configured their mail relays, and blacklists are used to block mail relays that are open, spammers have had to move to different methods (using botnets), which the hacking community has been more than willing to provide— for a price
...
“BotHerder” was sentenced on May 8, 2006, with a record prison sentence of 57 months (nearly five years) in federal prison
...
NOTE
A drastic increase in spam was experienced in the later months of 2006 and early part of 2007 because spammers embedded images with their messages instead of using the traditional text
...
So what does this all have to do with ethics? As many know, the term “hacker” had a positive connotation in the 1980s and early 1990s
...
As malware and attacks emerged, the press and the industry equated the term “hacker” with someone who carries out malicious technical attacks
...
This book has been created by and for ethical hackers
...
How Does This Stuff Relate to an Ethical Hacking Book?
Corporations and individuals need to understand how these attacks and losses are taking place so they can understand how to stop them
...
There is an all too familiar battle of functionality versus security within every organization
...
Security officers are in charge of ensuring the overall security of the environment, which usually means reducing or shutting off many functionalities that users love
...
One side said that such books only increased the attackers’ skills and techniques and created new attackers
...
Who was right? They both were
...
Although some computer crimes may take on some of these aspects, in reality it is not this grand or romantic
...
CAUTION
Attackers are only one component of information security
...
Security is a much larger and more complex beast than these technical items
...
So where do we stand on hacking books and hacking classes? Directly on top of a slippery banana peel
...
First, marketing people love to use the word “hacking” instead of more meaningful and responsible labels such as “penetration methodology
...
All of these procedures now take on the negative connotation that the word “hacking” has come to be associated with
...
Third, many hacking books and classes are irresponsible
...
This means more than just showing how to exploit a vulnerability
...
Instead these people are often called “Security Nazi” or “Mr
...
They are responsible for the balance between functionality and security within the company, and it is a hard job
...
This needs to be brought to management and presented in business terms and scenarios, so that the ultimate decision makers can truly understand these threats without having to know the definitions and uses of fuzzing tools, bots, and buffer overflows
...
Many books and courses tout the message of being a resource for the white hat and security professional
...
You will make just as much (or more) money, and you will help eliminate the confusion between the concepts of hacking and ethical hacking
...
A lot of people do not seem to understand this
...
” The problem is that marketing people like to use the word “hacking” because it draws more attention and paying customers
...
It would not be useful to prove that attackers could get through the security barriers with Tool A if attackers do not use Tool A
...
This is because the odds are against the company and against the security professional
...
The attacker only has to be really good at one or two exploits, or really lucky
...
S
...
The CIA and FBI are responsible for protecting the nation from the 10 million things terrorists could possibly think up and carry out
...
NOTE
Many ethical hackers engage in the hacker community so they can learn about the new tools and attacks that are about to be used on victims
...
But these configurations cannot check for dictionary words or calculate how much protection is being provided from brute-force attacks
...
The other choice is to go to all employees and ask what their password is, write down the password, and eyeball it to determine if it is good enough
...
The same security staff need to make sure that their firewall and router configurations will actually provide the protection level that the company requires
...
Or they could implement the configurations and then run tests against these settings to see if they are allowing malicious traffic into what they thought had controlled access
...
The tools carry out different types of attacks, which allow the team to see how the perimeter devices will react in certain circumstances
...
In an amazing number of cases, a company seemingly does everything correctly when it comes to their infrastructure security
...
It is unfortunate that these companies put forth all the right effort and funds only to end up on CNN as the latest victim who had all of their customers’ credit card numbers stolen and posted on the Internet
...
Every company should decide whether their internal employees will learn and maintain their skills in vulnerability and penetration testing, or if an outside consulting service will be used, and then ensure that testing is carried out in a continual scheduled manner
...
Recognizing Trouble When It Happens
Network administrators, engineers, and security professionals need to be able to recognize when an attack is under way, or when one is about to take place
...
This is only true for the very “noisy” attacks or overwhelming attacks, as in denial-of-service (DoS) attacks
...
It is important to know how different types of attacks take place so they can be properly recognized and stopped
...
Breaking employees’ passwords could be seen as intrusive and wrong if management does not acknowledge and allow for such activities to take place
...
Security issues and compromises are not going to go away anytime soon
...
The bad guys know that to hurt an enemy is to take out what that victim depends upon most
...
Though application development and network and system configuration and maintenance are complex, security is only going to become more entwined with them
...
In ten years, there will not be such a dividing line between security professionals and network engineers
...
It is also important to know when an attack may be around the corner
...
There are many activities that lead up to different attacks, so understanding these items will help the company protect itself
...
But it is very dangerous to just depend upon software that does not have the ability to put the activities in the necessary context and make a decision
...
So it is important to see how hacking tools are really just software tools that carry out some specific type of procedure to achieve a desired result
...
The good and the bad guys use the same toolset; it is just the intent that is practiced when operating these utilities that differs
...
Emulating the Attack
Once network administrators, engineers, and security professionals understand how attackers work, they can emulate the attackers’ activities if they plan on carrying out a useful penetration test (“pen test”)
...
This book walks you through these different steps so that you can understand how many types of attacks take place
...
Many elementary ethical hacking books are already available in every bookstore
...
It is also obvious that although some people are just entering this sector, many individuals are ready to move on to the more advanced topics of
Security Does Not Like Complexity
Software in general is very complicated, and the more functionality that we try to shove into applications and operating systems, the more complex software will become
...
Today’s operating systems and applications are increasing in lines of code (LOC)
...
Unix and Linux operating systems have many fewer, usually around 2 million LOC
...
So a middle of the road estimate would be that Windows XP has approximately 1,200,000 bugs
...
Just a guesstimation
...
The programming industry has evolved from traditional programming languages to object-oriented languages, which allow for a modular approach to developing software
...
But applications and operating systems use each other’s components, users download different types of mobile code to extend functionality, DLLs (dynamic linked libraries) are installed and shared, and instead of application-to-operating system communication, today many applications communicate directly with each other
...
If we peek under the covers even further, we see that thousands of protocols are integrated into the different operating system protocol stacks, which allow for distributed computing
...
Device drivers are developed by different vendors and installed into the operating system
...
Device drivers work in the context of privilege mode, so if they “act up” or contain exploitable vulnerabilities, this only allows the attackers more privilege on the systems once the vulnerabilities are exploited
...
The goal of this book is to quickly go through some of the basic ethical hacking concepts and spend more time with the concepts that are not readily available to you—but are unbelievably important
...
A wide range of computer crimes are taken seriously by today’s court system, and attackers are receiving hefty fines and jail sentences for their activities
...
There is just as much fun and intellectual stimulation to be had working as a good guy, with no threat of jail time!
get even closer to the hardware level, injection of malicious code into firmware has always been an attack vector
...
Until we understand that a majority of the successful attacks are carried out because software vendors do not integrate security into the design and specification phases of development, that most programmers have not been properly taught how to code securely, that vendors are not being held liable for faulty code, and that consumers are not willing to pay more for properly developed and tested code, our staggering hacking and company compromise statistics will only increase
...
Every industry in the world is becoming more reliant on software and technology
...
Although security is becoming more of an issue, functionality of software has always been the main driving component of products and it always will be
...
Will vendors integrate better security, ensure their programmers are properly trained in secure coding practices, and put each product through more and more testing cycles? Not until they have to
...
Currently most vendors are only integrating protection mechanisms because of the backlash and demand from their customer bases
...
So we are back to the original question: what does this have to do with ethical hacking? A novice ethical hacker will use tools developed by others who have uncovered specific vulnerabilities and methods to exploit them
...
The more advanced ethical hacker will be able to identify possible vulnerabilities and programming code errors, and develop ways to rid the software of these types of flaws
...
CHAPTER 2
Ethical Hacking and the Legal System
• Laws dealing with computer crimes and what they address
• Malware and insider threats companies face today
• Mechanisms of enforcement of relevant laws
• Federal and state laws and their application
We are currently in a very interesting time where information security and the legal system are being slammed together in a way that is straining the resources of both systems
...
” In the past, these two very different sectors had their own focus, goals, and procedures that did not collide with one another
...
Today’s CEOs and management not only need to worry about profit margins, market analysis, and mergers and acquisitions
...
Business managers must develop at least a passing familiarity with the technical, systemic, and physical elements of information security
...
Just as businesspeople must increasingly turn to security professionals for advice in seeking to protect their company’s assets, operations, and infrastructure, so too must they turn to legal professionals for assistance in navigating the changing legal landscape in the privacy and information security area
...
Thus, the security technology developers and other professionals are constantly trying to outsmart the sophisticated attackers, and vice versa
...
Compounding the challenge for business is the fact that the information security situation is not static; it is highly fluid and will remain so for the foreseeable future
...
These and other new technologies are also giving rise to new transaction structures and ways of doing business
...
Like business leaders, those involved in the legal system, including attorneys, legislators, government regulators, judges, and others, also need to be properly versed in the developing laws (and customer and supplier product and service expectations that drive the quickening evolution of new ways of transacting business)—all of which is captured in the term “cyberlaw
...
The rise in prominence of cyberlaw is not surprising if you consider that the first daily act of millions of American workers is to turn on their computers (frequently after they have already made ample use of their other Internet access devices and cell phones)
...
But the ease of access also results in business risk, since network openness can also enable unauthorized access to networks, computers, and data, including access that violates various laws, some of which are briefly described in this chapter
...
A very important subset of these laws is the group of laws directed at preventing and punishing the unauthorized access to computer networks and data
...
Security professionals should be familiar with these laws, since they are expected to work in the construct the laws provide
...
Usually it is the guilty ones that get to remain free
...
In addition, recent real-world examples are documented to better demonstrate how the laws were created and have evolved over the years
...
stanford
...
cyberspacelaw
...
We will cover selected U
...
federal computer crime laws in order to provide a sample of these many initiatives; a great deal of detail regarding these laws is omitted and numerous laws are not covered
...
S
...
Instead it is meant to raise the importance of considering these laws in your work and activities as an information security professional
...
With just a finite number of pages, we cannot properly cover all legal systems in the world or all of the relevant laws in the United States
...
The following sections survey some of the many U
...
federal computer crime statutes, including: • 18 USC 1029: Fraud and Related Activity in Connection with Access Devices • 18 USC 1030: Fraud and Related Activity in Connection with Computers • 18 USC 2510 et seq
...
: Stored Wire and Electronic Communications and Transactional Records Access • The Digital Millennium Copyright Act • The Cyber Security Enhancement Act of 2002
18 USC Section 1029: The Access Device Statute

The purpose of the Access Device Statute is to curb unauthorized access to accounts; theft of money, products, and services; and similar crimes. It defines and establishes penalties for fraud and illegal activity that can take place by the use of such counterfeit access devices. These elements include consideration of the potentially illegal activity in light of the precise meaning of “access device,” “counterfeit access device,” “unauthorized access device,” “scanning receiver,” and other definitions that together help to define the scope of application of the statute. Specifically, it is defined broadly to mean:

…any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument).

The telephone service codes that they generate would be considered to be within the definition of an access device, since they are codes or electronic serial numbers that can be used, alone or in conjunction with another access device, to obtain services. Finally, a crime would occur with each of the activities of producing, using, or selling these codes, since the Access Device Statute is violated by whoever “knowingly and with intent to defraud, produces, uses, or traffics in one or more counterfeit access devices.”

“Access device” also refers to the actual credential itself. A common method that attackers use when trying to figure out what credit card numbers merchants will accept is to use an automated tool that generates random sets of potentially usable credit card values. The attackers submit these generated values to retailers and others with the goal of fraudulently obtaining services or goods. Because this attack type has worked so well in the past, many merchants now require users to enter a unique card identifier when making online purchases. Guessing a 16-digit credit card number is challenging enough, but factoring in another three-digit identifier makes the task much more difficult, and next to impossible without having the card in hand.

In June 2006, the Department of Justice (DOJ), in an operation appropriately named “Operation French Fry,” arrested eight persons (a ninth was indicted and declared a fugitive) in an identity theft ring where waiters had skimmed debit card information from more than 150 customers at restaurants in the Los Angeles area. After requesting new PINs for the compromised accounts, they would proceed to withdraw money from the accounts and use the funds to purchase postal money orders. Table 2-1 outlines the crime types addressed in section 1029 and their corresponding punishments.

A further example of a crime that can be punished under the Access Device Statute is the creation of a website or the sending of e-mail “blasts” that offer false or fictitious products or services in an effort to capture credit card information, such as products that promise to enhance one’s sex life in return for a credit card charge of $19… (The snake oil miracle workers who once had wooden stands filled with mysterious liquids and herbs next to dusty backcountry roads have now found the power of the Internet.)

The types and seriousness of fraudulent activities that fall within the Access Device Statute are increasing every year. … 7 percent of white-collar prosecutions that month were related to Title 18 USC 1029. … This level of activity represents a 340 percent increase over the same month in 2005 (when there were only five district court filings), and a 425 percent increase over July 2001 (when there were only four such filings). As our dependency upon technology increases and society becomes more comfortable with carrying out an increasingly broad range of transactions electronically, such threats will only become more prevalent. So basically you need several tools in your bag of tricks to fight the bad guys—technology, knowledge of how to use the technology, and the legal system.

Section 1029 addresses offenses that involve generating or illegally obtaining access credentials. These activities are considered criminal whether or not a computer is involved.
Gray Hat Hacking: The Ethical Hacker’s Handbook

Table 2-1 Access Device Statute Laws

| Crime | Penalty | Example |
|---|---|---|
| Producing, using, or trafficking in one or more counterfeit access devices | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense | Creating or using a software tool to generate credit card numbers |
| Using an access device to gain unauthorized access and obtain anything of value totaling $1,000 or more during a one-year period | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense | Using a tool to capture credentials and using the credentials to break into the Pepsi-Cola network and stealing their soda recipe |
| Possessing 15 or more counterfeit or unauthorized access devices | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense | Hacking into a database and obtaining 15 or more credit card numbers |
| Producing, trafficking, having control or possession of device-making equipment | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $1,000,000 and/or up to 20 years if repeat offense | Creating, having, or selling devices to illegally obtain user credentials for the purpose of fraud |
| Effecting transactions with access devices issued to another person in order to receive payment or other thing of value totaling $1,000 or more during a one-year period | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense | Setting up a bogus website and accepting credit card numbers for products or service that do not exist |
| Soliciting a person for the purpose of offering an access device or selling information regarding how to obtain an access device | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense | A person obtains advance payment for a credit card and does not deliver that credit card |
| Using, producing, trafficking in, or having a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense | Cloning cell phones and reselling them or using them for personal use |
| Using, producing, trafficking in, or having custody or control of a scanning receiver | Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense | Scanners used to intercept electronic communication to obtain electronic serial numbers, mobile identification numbers for cell phone recloning purposes |
| Producing, trafficking, having control or custody of hardware or software used to alter or modify telecommunications instruments to obtain unauthorized access to telecommunications services | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense | Using and selling tools that can reconfigure cell phones for fraudulent activities; PBX telephone fraud and different phreaker boxing techniques to obtain free telecommunication service |
| Causing or arranging for a person to present, to a credit card system member or its agent for payment, records of transactions made by an access device | Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense | Creating phony credit card transactions records to obtain products or refunds |
Chapter 2: Ethical Hacking and the Legal System
18 USC Section 1030 of The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA) (as amended by the USA Patriot Act) is an important federal law that addresses acts that compromise computer network security. It addresses unauthorized access to government, financial institution, and other computer and network systems, and provides for civil and criminal penalties for violators. Table 2-2 outlines the categories of the crimes that section 1030 of the Act addresses. You can be held liable under the CFAA if you knowingly accessed a computer system without authorization and caused harm, even if you did not know that your actions might cause harm.

The CFAA is the most widely referenced statute in the prosecution of many types of computer crimes. It indicates that the law applies also to any system “used in interstate or foreign commerce or communication.” Almost every computer connected to a network or the Internet is used for some type of commerce or communication, so this small clause pulls nearly all computers and their uses under the protective umbrella of the CFAA. So if the United States can get the attackers, they will attempt to prosecute them no matter where they live in the world.

There are two types of unauthorized access that can be prosecuted under the CFAA. …

Table 2-2 Computer Fraud and Abuse Act Laws (only the cells that survive in this extract; missing cells are left blank)

| Crime | Penalty | Example |
|---|---|---|
| | | Hacking into a government computer to obtain classified data |
| Obtaining information in a financial record of a financial institution or a card issuer, or information on a consumer in a file of a consumer reporting agency | | Breaking into a computer to obtain another person’s credit information |
| Affecting a computer exclusively for the use of a U.S. government department or agency or, if it is not exclusive, one used for the government where the offense adversely affects the use of the government’s operation of the computer | | Carrying out denial-of-service attacks against government agencies |
| Furthering a fraud by accessing a federal interest computer and obtaining anything of value, unless the fraud and the thing obtained consists only of the use of the computer and the use is not more than $5,000 in a one-year period | | |
| … The result is damage or the victim suffers some type of loss | Penalty with intent to harm: Fine and/or up to 5 years in prison, up to 10 years if repeat offense | Intentional: Disgruntled employee uses his access to delete a whole database. … (Or if the prosecution cannot prove that the attacker’s intent was malicious.) |
| Furthering a fraud by trafficking in passwords or similar information that will allow a computer to be accessed without authorization, if the trafficking affects interstate or foreign commerce or if the computer affected is used by or for the government | Fine and/or up to 1 year in prison, up to 10 years if repeat offense | |
| | 5 years and $250,000 fine for first offense, 10 years and $250,000 for subsequent offenses | |
… commit crimes. This helps companies prosecute employees when they carry out fraudulent activities by abusing (and exceeding) the access rights the companies have given to them.

The Secret Service now deals with several areas to protect the nation and has established an Information Analysis and Infrastructure Protection division to coordinate activities in this area. The FBI is responsible for cases dealing with national security, financial institutions, and organized crime.

The following are examples of the application of the CFAA to intrusions against a government agency system. … The attack came from East Asia and included probes of government systems, attempts to steal passwords, and attempts to implant various backdoors to maintain regular access to the systems.

NOTE In December 2006, in an attempt to reduce the number of attacks on its protected systems, the DoD barred the use of HTML-based e-mail due to the relative ease of infection with spyware and executable code that could enable intruders to gain access to DoD networks.

The operation was called “Operation Cyber Sweep.” The attacker was a former IT technician of a software vendor who provided the critical voice-response system used by the hotline service. … This brought the service to a screeching halt. … hospital workers, and police officers, were unable to access the hotline or experienced major delays. The cracker was arrested by the FBI and faced charges under the CFAA of five years in prison and fines that could total $250,000.

Many IT professionals and security professionals have relatively unlimited access rights to networks due to the requirements of their job, and based upon their reputation and levels of trust they’ve earned throughout their careers. The CFAA could apply in these cases to prosecute even trusted, credentialed employees who performed such misdeeds.

In this case, an Arizona cracker used his knowledge of automobile computer systems to obtain credit history information that was stored in databases of automobile dealers. The cracker used the information that he acquired, including credit card numbers, Social Security numbers, and other sensitive information, to engage in identity fraud against several individuals.
...
It is all too common to see CNN lead its news coverage with a virus outbreak alert. The malware is constantly becoming more sophisticated, and a record number of home users run insecure systems, which is just a welcome mat to one and all hackers. The CFAA criminalizes the activity of knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.

This case, United States v. … The hacker sent an e-mail to these subscribers that contained a malicious worm. Several areas from New York to Los Angeles experienced these false 9-1-1 calls. When it was launched, the users thought a simple display change was being made to their monitor, such as a color setting. The next time the users attempted to connect to their web service, the 9-1-1 call was sent out instead. As part of WebTV service, automated dialing is performed each night at midnight in order to download software updates and to retrieve user data for that day. The maximum penalty for the case, filed as violating Title 18 USC 1030(a)(5)(A)(i), is ten years in prison and a fine of $250,000.

Because viruses can spread so quickly, and their impact can grow exponentially, serious countermeasures have begun to surface. In Minnesota, an individual was brought to justice under the CFAA for issuing a B variant of the worm that infected 7,000 users. These kinds of attacks have gained the attention of high-ranking government and law enforcement officials. Cyber hacking is not joy riding. The Department of Justice takes these crimes very seriously, and we will devote every resource possible to tracking down those who seek to attack our technological infrastructure. Sadly, many of these attackers are not located and prosecuted because of the difficulty of investigating digital crimes.

“This case is a good example of how effectively and quickly law enforcement and prosecutors can work together and cooperate on a national level,” commented U.S. District Attorney Tom Heffelfinger. Jana Monroe, FBI assistant director, cyber division, stated, “Malicious code like Blaster can cause millions of dollars’ worth of damage and can even jeopardize human life if certain computer systems are infected.” In response to this and other types of computer crime, the FBI has identified investigating cybercrime as one of its top three priorities, behind counterterrorism and counterintelligence investigations.

… Heckenkamp); a case in which the defendant was charged with illegally accessing a company’s computer system to get at credit information on approximately 60 persons (United States v. …). So many of these computer crimes happen today, they don’t even make the news anymore. If more people knew the amount of digital criminal behavior that is happening these days (prosecuted or not), security budgets and awareness would certainly rise. But wouldn’t the better approach be to ensure that software does not contain so many flaws that can be exploited and that continually cause these types of issues? That is why we wrote this book. Networks should not have a hard shell and a chewy inside—the protection level should properly extend across the enterprise and involve not just the perimeter devices.

It seems like a coldhearted reaction, especially in cases where an employee has worked for a company for many years and has done nothing wrong. But still these individuals are told to leave and are sometimes treated like criminals instead of former valued employees. The saying “one bad apple can ruin a bushel” comes to mind. There are physical security issues, employee safety issues, and in some cases, forensic issues to contend with. It has happened to many unsuspecting companies, and yours could be next if you don’t protect it.

Several cases under the CFAA have involved former or current employees. In May of that same year, Muvico’s online ticket-ordering system crashed, costing the company an estimated $100,000. Authorities believe that the former employee literally hid in the bushes outside the company’s headquarters building while implementing the attack.

In another example, a 2002 case was brought in Pennsylvania involving a former employee who took out his frustration on his previous employer. The cracker’s first actions were to post usernames and passwords on Yahoo hacker boards. Problems could have been avoided if the company had simply changed usernames, passwords, and configuration parameters, but they didn’t. He successfully brought down the network, which prevented customers from placing orders online. The company did notice the intrusion after some time and made the necessary adjustments to prevent the attacker from doing further damage; however, significant harm had already been done. There was no way for American Eagle to prove how many customers were turned away when trying to access the website, and there was no way to prove that they were going to buy goods if they had been successful at accessing the site. The Act does, however, also provide for criminal fines and imprisonment designed to dissuade individuals from engaging in hacking attacks.

In some intrusion cases, real damages can be calculated. This act caused major malfunctions on core systems, the cost of which could be quantified. … The Department of Justice press release said that the hacker was sentenced to 12 months of imprisonment and was ordered to pay $80,713. These are just a few of the many attacks performed each year by disgruntled employees against their former employers.
...
State Law Alternatives

The amount of damage resulting from a violation of the CFAA can be relevant for either a criminal or civil action. A criminal violation is brought by a government official and is punishable by either a fine or imprisonment or both. The amount of damage is relevant for some but not all of the activities that are prohibited by the statute. For most of the violations under CFAA, the losses must equal at least $5,000 during any one-year period. For example, when computers are used in distributed denial-of-service attacks or when the processing power is being used to brute force and uncover an encryption key, the issue of damages becomes cloudy. The victim of an attack can suffer various qualitative harms that are much harder to quantify. In that context, this federal statute may not be a useful tool for you and your legal team.

To fill these gaps, many relevant state laws outlawing fraud, trespass, and the like, that were developed before the dawn of cyberlaw, are being adapted, sometimes stretched, and applied to new crimes and old crimes taking place in a new arena—the Internet. Often victims will turn to state laws that may offer more flexibility when prosecuting an attacker. For example, if an unauthorized party is accessing, scanning, probing, and gathering data from your network or website, this may fall under a state trespassing law. This legal theory was used by eBay in response to its continually being searched by a company that implemented automated tools for keeping up-to-date information on many different auction sites. The probing used eBay’s system resources and precious bandwidth, but this use was difficult to quantify. So eBay’s …

TIP If you think you may prosecute for some type of computer crime that happened to your company, start documenting the time people have to spend on the issue and other costs incurred in dealing with the attack.

A case in Ohio illustrates how victims can quantify damages by keeping an accurate count of the hours needed to investigate and recover from a computer-based attack. However, according to the case report, he accessed files that were beyond those for which he was authorized and downloaded personal data located in the databases, such as customer credit card numbers, usernames, and passwords. This critical piece allowed the attacker to download customer files. … The victim was a Cincinnati-based company, Acxiom, which reported that they suffered nearly $6 million in damages and listed the following specific expenses associated with the attack: employee time, travel expenses, security audits, and encryption software.

Resort to state laws is not, however, always straightforward. Thus, for example, trespass law varies from one state to the next. For instance, some states require a showing of damages as part of the claim of trespass (not unlike the CFAA requirement), while other states do not require a showing of damage in order to establish that an actionable trespass has occurred. Companies will not, however, have total discretion as to where they bring the case. Thus, for example, a cracker in New Jersey attacking computer networks in New York will not be prosecuted under the laws of California, since the activity had no connection to that state. Even with these limitations, companies sometimes have to rely upon this patchwork quilt of different non-computer–related state laws to provide a level of protection similar to the intended blanket of protection of federal law.

The penalty for this offense under CFAA consists of a maximum prison term of five years and a fine of $250,000. If these confirmations are not in place, it could lead to misunderstandings and, in the extreme case, prosecution under the Computer Fraud and Abuse Act or other applicable law. … Department of Air Force, the court rejected an employee’s claim that alterations to computer contracts were made to demonstrate the lack of security safeguards and found the employee liable, since the statute only required proof of use of a computer system for any unauthorized purpose.
...
The ECPA therefore has a different focus than the CFAA, which is directed at protecting computers and network systems. The Wiretap Act has been around since 1918, but the ECPA extended its reach to electronic communication when society moved that way. The Stored Communications Act protects some of the same type of communications before and/or after it is transmitted and stored electronically somewhere. The Wiretap Act generally provides that there cannot be any intentional interception of wire, oral, or electronic communication in an illegal manner. … Does it apply only when the data is being transmitted as electricity or light over some type of transmission medium? Does the interception have to occur at the time of the transmission? Does it apply to this transmission and to where it is temporarily stored on different …

An example will help to illustrate the issue. Assume that since Al Gore invented the Internet, he has also figured out how to intercept and read messages sent over the Internet. … Through a series of court cases, it has been generally established that “intercept” only applies to moments when data is traveling, not when it is stored somewhere permanently or temporarily. The ECPA, which amended both earlier laws, therefore is the “one-stop shop” for the protection of data in both states—transmission and storage. For example, if the government wants to listen in on phone calls, Internet communication, e-mail, network traffic, or you whispering into a tin can, it can do so if it complies with safeguards established under the ECPA that are intended to protect the privacy of persons who use those systems. It is very important for information security professionals and businesses to be clear about the scope of authorized access that is intended to be provided to various parties to avoid these issues.

Interesting Application of ECPA

Many people understand that as they go from site to site on the Internet, their browsing and buying habits are being collected and stored as small text files on their hard drives. Suppose you go to a website that uses cookies, looking for a new pink sweater for your dog because she has put on 20 pounds and outgrown her old one, and your shopping activities are stored in a cookie on your hard drive. Different websites share this browsing and buying-habit information with each other. It is all about targeting the customer based on preferences, and through the targeting, promoting purchases. As it happens, some people did not like this “Big Brother” approach and tried to sue a company that engaged in this type of data collection. They also claimed that this violated the Wiretap Law because the company intercepted the users’ communication to other websites as browsing was taking place. Since the other website vendors were allowing this specific company to gather buying and browsing statistics, they were the party that authorized this interception of data.
...
Trigger Effects of Internet Crime

The explosion of the Internet has yielded far too many benefits to list in this writing. Commercial organizations, healthcare organizations, nonprofit organizations, government agencies, and even military organizations publicly disclose vast amounts of information via websites. However, as the world progresses in a positive direction, the bad guys are right there keeping up with and exploiting technologies, waiting for their opportunities to pounce on unsuspecting victims. It is widely recognized that the Internet represents a fundamental change in how information is made available to the public by commercial and governmental entities, and that a balance must continually be struck between the benefits of such greater access and the downsides. After the tragic events of September 11, 2001, many government agencies began reducing their disclosure of information to the public, sometimes in areas that were not clearly associated with national security.

Residents near Aberdeen, Maryland, have worried for years about the safety of their drinking water due to their suspicion that potential toxic chemicals leak into their water supply from a nearby weapons training center. However, when residents found out that rocket fuel had entered their drinking water in 2002, they also noticed that the maps the army provided were much different than before. The army responded to complaints by saying the omission was part of a national security blackout policy to prevent terrorism. All branches of the government have tightened their security policies.

Another manifestation of the current administration’s desire to limit access to information in its attempt to strengthen national security is reflected in its support in 2001 for the USA Patriot Act. Among the many laws that it amended are the CFAA (discussed earlier), under which the restrictions that were imposed on electronic surveillance were eased. The Patriot Act also facilitated surveillance through amendments to the Wiretap Act (discussed earlier) and other laws.

Limiting information made available on the Internet is just one manifestation of the tighter information security policies that are necessitated, at least in part, by the perception that the Internet makes information broadly available for use or misuse. Roger Pilon, Vice President of Legal Affairs at the Cato Institute, lashed out at one such measure: “Every administration overclassifies documents, but the Bush administration’s penchant for secrecy has challenged due process in the legislative branch by keeping secret the names of the terror suspects held at Guantanamo Bay.” In a separate report, they documented that the U.S. government spent more than $7… The White House classified 44… That figure equals the total number of classifications that President Clinton’s administration made during his entire second four-year term. Bush granted classification powers to the Secretary of Agriculture, Secretary of Health and Human Services, and the administrator of the Environmental Protection Agency. The terrorist threat has been used “as an excuse to close the doors of the government” states OMB Watch Government Secrecy Coordinator Rick Blum. Some examples include the following:

• The Homeland Security Act of 2002 offers companies immunity from lawsuits and public disclosure if they supply infrastructure information to the Department of Homeland Security.
• Information related to the task force for energy policies that was formed by Vice President Dick Cheney was concealed.
Digital Millennium Copyright Act (DMCA)

The DMCA is not often considered in a discussion of hacking and the question of information security, but it is relevant to the area. ... The WIPO Treaty requires treaty parties to “provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors,” and to restrict acts in respect to their works which are not authorized. ... The DMCA establishes both civil and criminal liability for the use, manufacture, and trafficking of devices that circumvent technological measures controlling access to, or protection of the rights associated with, copyrighted works. ... In hearings, the crime that the anticircumvention provision is designed to prevent was described as “the electronic equivalent of breaking into a locked room in order to obtain a copy of a book.” ... The legislative history provides that “if unauthorized access to a copyrighted work is effectively prevented through use of a password, it would be a violation of this section to defeat or bypass the password.” ... Therefore, measures that can be deemed to “effectively control access to a work” would be those based on encryption, scrambling, authentication, or some other measure that requires the use of a key provided by a copyright owner to gain access to a work. ...

If you have created a nifty little program that will control access to all of your written interpretations of the grandness of the invention of pickled green olives, and someone tries to break this program to gain access to your copyright-protected insights and wisdom, the DMCA could come to your rescue. ... If someone were willing to expend the necessary resources to break your access control safeguard, the DMCA would be of no help to you for prosecution purposes because it only protects works that fall under the copyright act. ... The DMCA also provides that no one can create, import, offer to others, or traffic in any technology, service, or device that is designed for the purpose of circumventing some type of access control that is protecting a copyrighted item. ... If your mother tells you to “be good,” this is vague and open to interpretation. ... There are two approaches to laws and writing legal contracts:

• Write laws at a higher abstraction level, which covers many more possible activities that could take place in the future, but is then wide open for different judges, juries, and lawyers to interpret. ...

Sometimes the vagueness is inadvertent (possibly reflecting an incomplete or inaccurate understanding of the subject), while at other times it is intended to broaden the scope of that law’s application. ... If the DMCA indicates that no service can be offered that is primarily designed to circumvent a technology that protects a copyrighted work, where does this start and stop? What are the boundaries of the prohibited activity? The fear of many in the information security industry is that this provision could be interpreted and used to prosecute individuals carrying out commonly applied security practices. ... Security classes are offered to teach people how these attacks take place so they can understand what countermeasure is appropriate and why. ... hired to break these mechanisms before they are deployed into a production environment or go to market, to uncover flaws and missed vulnerabilities. ... But how will people learn how to hack, crack, and uncover vulnerabilities and flaws if the DMCA indicates that classes, seminars, and the like cannot be conducted to teach the security professionals these skills? The DMCA provides an explicit exemption allowing “encryption research” for identifying flaws and vulnerabilities of encryption technologies. ... Yep, as you pull one string, three more show up. ...

An interesting aspect of the DMCA is that there does not need to be an infringement of the work that is protected by the copyright law for prosecution under the DMCA to take place. ... The DMCA, like the CFAA and the Access Device Statute, is directed at curbing unauthorized access itself, but not directed at the protection of the underlying work, which is the role performed by the copyright law. ... Two for the price of one. ... Among these are:

• A case in which the defendant was convicted of producing and distributing modified DirecTV access cards (United States v. ...)
• A case in which the defendant was charged for creating a software program that was directed at removing limitations put in place by the publisher of an e-book on the buyer’s ability to copy, distribute, or print the book (United States v. ...)
• A case in which the defendant pleaded guilty to conspiring to import, market, and sell circumvention devices known as modification (mod) chips (United States v. Rocci)

While there is growing pressure on Congress to limit the DMCA, Congress is taking action to broaden the controversial law with the Intellectual Property Protection Act of 2006. ...
Cyber Security Enhancement Act of 2002

Several years ago, Congress determined that there was still too much leeway for certain types of computer crimes, and some activities that were not labeled “illegal” needed to be. ... The CSEA made a number of changes to federal law involving computer crimes. ... If an attacker carries out a crime that could result in another’s bodily harm or possible death, the attacker could face life in prison. ... For example, if an attacker were to compromise embedded computer chips that monitor hospital patients, cause fire trucks to report to wrong addresses, make all of the traffic lights change to green, or reconfigure airline controller software, the consequences could be catastrophic and under the Act result in the attacker spending the rest of her days in jail. ... This targeting of a hospital led to a conviction on one count of intentional computer damage that interferes with medical treatment. ... It is believed that the attacker was compensated $30,000 in commissions for his successful infection of computers with the adware. ...

One way in which this is done is that the Act allows service providers to report suspicious behavior and not risk customer litigation. ... If a law enforcement agent requested information on one of their customers and the provider gave it to them without the customer’s knowledge or permission, the service provider could, in certain circumstances, be sued by the customer for unauthorized release of private information. ... This and other provisions of the Patriot Act have certainly gotten many civil rights monitors up in arms. ... The reports that are given by the service providers are also exempt from the Freedom of Information Act. ... This is another issue that has upset civil rights activists. ...
Chapter 3: Proper and Ethical Disclosure

Vendors have scrambled to continually meet this demand while attempting to increase profits and market share. ... The flaws in different software packages range from mere nuisances to critical and dangerous vulnerabilities that directly affect the customer’s protection level. ... The number of vulnerabilities that were discovered in Microsoft Office in 2006 tripled from the number that had been discovered in 2005. ... A few were zero-day exploits. ... Once the user opens one of these document types, malicious code that is embedded in the document, spreadsheet, or presentation file executes and can allow a remote attacker administrative access to the now-infected system. ...

... Internet Explorer • W2 ... Microsoft Office • W4 ... Windows Configuration Weaknesses • M1 ... UNIX Configuration Weaknesses • Cross-Platform Applications • C1 Web Applications • C2 ... P2P File Sharing Applications • C4 Instant Messaging • C5 ... DNS Servers • C7 ... Security, Enterprise, and Directory Management Servers • Network Devices • N1 ... Network and Other Devices Common Configuration Weaknesses • Security Policy and Personnel • H1 ... Users (Phishing/Spear Phishing) • Special Section • Z1 ...

The Trojan horse’s reported name is syosetu ... If a user logs in as an administrator on a system and the attacker exploits this vulnerability, the attacker can take complete control over the system working under the context of an administrator. ... If the user logs in under a less powerful account type, the attacker is limited to what she can carry out under that user’s security context. ... The specially created presentation was a PowerPoint slide deck that discussed the difference between men and women in a humorous manner, which seems to always be interesting to either sex. ... One of the main problems today is that many of these messages contain zero-day attacks, which means that victims are vulnerable until the vendor releases some type of fix or patch. ... Today’s attackers are not necessarily out for the “fun of it”; they are more serious about penetrating their targets for financial gains and attempt to stay under the radar of the corporations they are attacking and of the press. ... Exploitation of these vulnerabilities was not highly publicized for quite some time. ... Because these attacks cannot be detected through the analysis of large traffic patterns or even voluminous intrusion detection system (IDS) and firewall logs, they are harder to track. ... This does have the potential to be a dangerous combination. ... While on the large scale it has very little impact, for those few who are attacked, it could still be a massively damaging event. ... They are considered to be small problems as long as they are scattered and infrequent attacks that only affect a few. ...

Where Microsoft products once were the main or only targets of these kinds of attacks due to their inherent vulnerabilities and extensive use in the market, there has been a shift toward exploits that target other products. ... There has also been a major upswing in the types of attacks that exploit flaws in programs that are designed to process media files such as Apple QuickTime, iTunes, Windows Media Player, RealNetworks RealPlayer, Macromedia Flash Player, and Nullsoft Winamp. ... Macintosh systems, which were considered to be relatively safe from attacks, had to deal with their own share of problems with zero-day attacks during 2006. ... Then at Black Hat in 2006, Apple drew even more fire when Jon Ellch and Dave Maynor demonstrated how a rootkit could be installed on an Apple laptop by using third-party Wi-Fi cards. ... Macintosh users did not like to hear that their systems could potentially be vulnerable and have questioned the validity of the vulnerability. ... Mac OS X was once thought to be virtually free from flaws and vulnerabilities. ... While overall the Mac OS systems don’t have as many identified flaws as Microsoft products, enough has been discovered to draw attention to the virtually ignored operating system. ...
Complacency is the greatest threat now for Mac users. ... Mac users aren’t used to this, and the misconception of being less vulnerable to attacks could be their undoing. ... Still another security flaw came to light for Apple in early 2006. ... Apple did develop a patch for the vulnerability. ... Apparently the new problem lies in the way that Mac OS X was processing archived files. ... The file and the embedded code would run when a Mac user would visit the malicious site using the Safari browser. ... This problem was made even worse by the fact that these files would automatically be opened by Safari when it encountered them on the Web. ... The shell script can be disguised as practically anything. ... This kind of malicious file can even be hidden as a JPEG image. ... If the file has any executable bits set, it will be run using Terminal, the Unix command-line prompt used in Mac OS X. ... At the writing of this edition, Mac OS X users can protect themselves by disabling the “Open safe files after downloading” option in Safari. ...

Attackers have come to understand that if they discover a flaw that was previously unknown, it is very unlikely that their targets will have any kind of protection against it until the vendor gets around to providing a fix. ... Through the use of fuzzing tools, the process for discovering these flaws has become largely automated. ... This is because if the vector of an attack is discovered and steps are taken to protect against these kinds of attacks, the attackers know that it won’t be long before more vectors will be found to replace the ones that have been negated. ...
Evolution of the Process

It wasn’t uncommon for vendors to avoid talking about, or even dealing with, the security defects in their products that allowed these attacks to occur. ... A shift occurred in the mid-’90s, and it became more common to discuss security bugs. ... Vendors, once mute on the topic, even started to assume roles that became more and more active, especially in areas that involved the dissemination of information that provided protective measures. ... Although this all sounds good and gracious, in reality gray hat attackers, vendors, and customers are still battling with each other and among themselves on how to carry out this process. ...

With 2006 being named “the year of zero-day attacks,” it wasn’t surprising that security experts were quick to start using the phrase “zero-day Wednesdays.” ... came about because hackers quickly found a way to exploit the cycles in which Microsoft issued its software patches. ... Since most corporations and home users do not patch their systems every week, or every month, this provides a window of time for attackers to use the vulnerabilities against the targets. ... Guilfanov is a Russian software developer and had developed the fix for himself and his friends. ...

NOTE The Windows Meta File flaw uses images to execute malicious code on systems. ...

Guilfanov’s release caused a lot of controversy. ... Second, some feel uneasy about trusting the downloading of third-party fixes compared with the vendors’ fixes. ... ) And third, this opens a whole new can of worms pertaining to companies installing third-party fixes instead of waiting for the vendor. ...
You Were Vulnerable for How Long?

Even when a vulnerability has been reported, there is still a window where the exploit is known about but a fix hasn’t been created by the vendors or the antivirus and antispyware companies. ... Figure 3-1 displays how long it took for vendors to release fixes to identified vulnerabilities. ... It is imperative for vendors not to sit on the discovery of true vulnerabilities, but to work to get the fixes to the customers who need them as soon as possible. ... The flaws can present serious security concerns to the user. ... How to address the problem is a complicated issue because it involves a few key players who usually have very different views on how to achieve a resolution. ... An individual or company buys the product, relies on it, and expects it to work. ... When the customer finds a flaw, she reports it to the vendor and expects a solution in a reasonable timeframe. ... It develops the product and is responsible for its successful operation. ... When a flaw is reported to ...
For this to take place properly, ethical hackers must understand and follow the proper methods of disclosing identified vulnerabilities to the software vendor. ... If an individual uncovers a vulnerability and exploits it with authorization, he is considered a white hat. ... Unlike other books and resources that are available today, we are promoting the use of the knowledge that we are sharing with you to be used in a responsible manner that will only help the industry—not hurt it. ... These items have been created because of the difficulty in the past of teaming up these different parties (gray hats and vendors) in a way that was beneficial. ... On the other hand, many times when gray hats have tried to contact vendors with their useful information, the vendor has ignored repeated requests for communication pertaining to a particular weakness in a product. ... This is then followed by successful attacks taking place and the vendor having to scramble to come up with a patch and endure a reputation hit. ... So before you jump into the juicy attack methods, tools, and coding issues we cover, make sure you understand what is expected of you once you uncover the security flaws in products today. ... We are looking to you to step up and do the right thing. ...

Gray hats are also involved in this dance when they find software flaws. ... They, in one manner or another, attempt to work with the vendor to develop a fix. ... Sometimes vendors will not address the flaw until the next scheduled patch release or the next updated version of the product altogether. ... The issue of public disclosure has created quite a stir in the computing industry, because each group views the issue so differently. ... Furthermore, many individuals feel that the only way to truly get quick results from a large software vendor is to pressure it to fix the problem by threatening to make the information public. ... This approach doesn’t have the best interests of the consumers in mind, however, as they must sit and wait while their business is put in danger with the known vulnerability. ... Disclosing sensitive information about a software flaw causes two major problems. ... The vendor’s argument is that if the issue is kept confidential while a solution is being developed, attackers will not know how to exploit the flaw. ... It is much like a smear campaign in a political race that appears as the headline story in a newspaper. ... Vendors fear the same consequence for massive releases of vulnerability reports. ... Vendors are often slow to publicly acknowledge the vulnerabilities because they either don’t have time to develop and distribute a suitable fix, or they don’t want the public to know their software has serious problems, or both. ...

In April 2005, a 24-year-old security researcher named Michael Lynn, an employee of the security firm Internet Security Systems, Inc. ... This vulnerability allowed the attacker full control of the router. ... When Cisco was slow to address the issue, Lynn planned to disclose the vulnerability at the July Black Hat Conference. ... Cisco employees spent hours tearing out Lynn’s disclosure presentation from the conference program notes that were being provided to attendees. ...
Just before giving his alternate presentation, Lynn resigned from ISS and then delivered his original Cisco vulnerability disclosure presentation. ... “It has been confirmed that bad people are working on this (compromising IOS). ...” Lynn further stated, “When you attack a host machine, you gain control of that machine—when you control a router, you gain control of the network. ...” Cisco sued Lynn and won a permanent injunction against him, disallowing any further disclosure of the information in the presentation. ... Cisco did provide a fix and stopped shipping the vulnerable version of the IOS. ...

NOTE Those who are interested can still find a copy of the Lynn presentation. ...

One of the hot buttons in this arena of researcher frustration is the Month of Bugs (often referred to as MoXB) approach, where individuals target a specific technology or vendor and commit to releasing a new bug every day for a month. ... Since then, several other individuals have announced their own targets, like the November 2006 Month of Kernel Bugs (MoKB) and the January 2007 Month of Apple Bugs (MoAB). ... They didn’t want to limit the opportunity by choosing a short month. ... Others consider this to be extortion and call for prosecution with lengthy prison terms. ... This chapter will attempt to cover the issue from all sides and to help educate you on the fundamentals behind the ethical disclosure of software vulnerabilities. ...

The creation of Bugtraq provided an open forum for individuals to discuss these same issues and to work collectively. ... Posting more and more ... This activity increased the number of attacks on the Internet, networks, and vendors. ... In 2002, Internet Security Systems (ISS) discovered several critical vulnerabilities in products like Apache web server, Solaris X Windows font service, and Internet Software Consortium BIND software. ... A patch that was developed and released by Sun Microsystems was flawed and had to be recalled. ... These types of incidents, and many more like them, caused individuals and companies to endure a lower level of protection, to fall victim to attacks, and eventually to deeply distrust software vendors. ... They suggest that by releasing system flaws and vulnerabilities, they generate good press for themselves and thus promote new business and increased revenue. ... It created detailed procedures to follow when discovering a vulnerability, and how and when that information would be released to the public. ... This fueled the anger of the people who feel that vulnerability information should be available for the public to protect themselves. ... There are differing views and individual motivations that drive each group down different paths. ...

NOTE The amount of emotion, debates, and controversy over the topic of full disclosure has been immense. ...

Vendors are frustrated because exploitable code is continually released as they are trying to develop fixes. ...
CERT’s Current Process

The first place to turn to when discussing the proper disclosure of software vulnerabilities is the governing body known as the CERT Coordination Center (CERT/CC). ... and related issues. ... In 2000, the organization issued a policy that outlined the controversial practice of releasing software vulnerability information to the public. ... This timeframe will be executed even if the software vendor does not have an available patch or appropriate remedy. ...

• CERT/CC will notify the software vendor of the vulnerability immediately so that a solution can be created as soon as possible. ...
• During the 45-day window, CERT/CC will update the reporter on the current status of the vulnerability without revealing confidential information. ...

In instances when the vendor disagrees with the vulnerability assessment, the vendor’s opinion will be released as well, so that both sides can have a voice. ... Examples of parties that could be privy to confidential information include participating vendors, experts who could provide useful insight, Internet Security Alliance members, and groups that may be in the critical path of the vulnerability. ... The independent body further states that all decisions on the release of information to the public are based on what is best for the overall community. ... The vendors, on the other hand, feel the pressure to create solutions in a short timeframe, while also shouldering the obvious hits their reputations will take as news spreads about flaws in their product. ... A common argument that was posed when CERT/CC announced their policy was, “Why release this information if there isn’t a fix available?” The dilemma that was raised is based on the concern that if a vulnerability is exposed without a remedy, hackers will scavenge the flawed technology and be in prime position to bring down users’ systems. ... Too often, a software maker could simply delay the fix into a later release, which puts the consumer in a vulnerable position. ... As of this writing, the model that is most commonly used is the Organization for Internet Safety (OIS) guidelines. ... The following are just some of the vulnerability issues posted by CERT:

• VU#179281 Electronic Arts SnoopyCtrl ActiveX control and plug-in stack buffer overflows
• VU#336105 Sun Java JRE vulnerable to unauthorized network access
• VU#571584 Google Gmail cross-site request forgery vulnerability
• VU#611008 Microsoft MFC FindFile function heap buffer overflow
• VU#854769 PhotoChannel Networks Photo Upload Plugin ActiveX control stack buffer overflows
• VU#751808 Apple QuickTime remote command execution vulnerability
• VU#171449 Callisto PhotoParade Player PhPInfo ActiveX control buffer overflow
• VU#768440 Microsoft Windows Services for UNIX privilege escalation vulnerability
• VU#716872 Microsoft Agent fails to properly handle specially crafted URLs
• VU#466433 Web sites may transmit authentication tokens unencrypted
Full Disclosure Policy (RainForest Puppy Policy)

A full disclosure policy, known as RainForest Puppy Policy (RFP) version 2, takes a harder line with software vendors than CERT/CC. ... Under this model, strict policies are enforced upon the vendor if it wants the situation to remain confidential. ...

• The issue begins when the originator (the reporter of the problem) e-mails the maintainer (the software vendor) with the details of the problem. ... The originator is responsible for locating the appropriate contact information of the maintainer, which can usually be obtained through its website. ... The common e-mail formats that should be implemented by vendors include: security-alert@[maintainer], secure@[maintainer], security@[maintainer], support@[maintainer], info@[maintainer]
• The maintainer will be allowed five days from the date of contact to reply to the originator. ... The maintainer must respond within five days, which would be 7 A.M. Pacific time five days later. ... If the maintainer does not establish contact within the allotted time, the originator is free to disclose the information. ... The RFP policy warns the vendor that contact should be made sooner rather than later. ...
• The originator should make every effort to assist the vendor in reproducing the problem and adhering to its reasonable requests. ... Both parties should work together to find a solution. ... It should also be noted that it is solely the responsibility of the vendor to provide updates, and not the responsibility of the originator to request them. ... This is considered a professional gesture to the individual or company for voluntarily exposing the problem. ...

Both sides are expected to work together throughout the process. ... The resolution could include the originator disclosing the vulnerability, or the maintainer disclosing the information and available fixes while also crediting the originator. ... Because the vulnerability is already known, it is the responsibility of the vendor to provide specific details, such as the diagnosis, the solution, and the timeframe. ... He has a long history of successfully, and at times unsuccessfully, working with vendors on helping them develop fixes for the problems he has uncovered. ... The key to these disclosure policies is that they are just guidelines and suggestions on how vendors and bug finders should work together. ... Since the RFP policy takes a strict stance on dealing with vendors on these issues, many vendors have chosen not to work under this policy. ...
Organization for Internet Safety (OIS)

There are three basic types of vulnerability disclosures: full disclosure, partial disclosure, and nondisclosure. ... CERT and RFP take a rigid approach to disclosure practices. ... The Organization for Internet Safety (OIS) was created to help meet the needs of all groups and it fits into a partial disclosure classification. ... OIS is a group of researchers and vendors that was formed with the goal of improving the way software vulnerabilities are handled. ... ), Guardent, Internet Security Systems (owned by VeriSign), Microsoft Corporation, Network Associates (a division of McAfee, Inc. ... The model was formed to accomplish two goals:

• Improve the overall engineering quality of software by tightening the security placed upon the end product. ...

Most of it has to do with where the organization’s loyalties lie. ... The root of this is how the information about a vulnerability is handled, as well as to whom it is disclosed. ... The thinking is that vendors should be allowed to fix a problem, but how much time is a fair window to give them? Keep in mind that the entire time the vulnerability has not been announced, or a fix has not been created, the vulnerability still remains. ... As the saying goes, “You can’t make everyone happy all of the time.” ... While some question their real allegiance, since the group is made up mostly of vendors, it is probably more of a case of, “A good deed never goes unpunished.” ...

Discovery

The OIS process begins when someone finds a flaw in the software. ... The OIS calls this person or group the finder. ...

• Discover if the flaw has already been reported in the past. ...
• Look for patches or service packs and determine if they correct the problem. ...
• Determine if the flaw affects the default configuration of the product. ...
• Ensure that the flaw can be reproduced consistently. ...

The OIS believes that vendors and consumers should work together to identify issues and devise reasonable resolutions for both parties. ... After the finder completes this “sanity check” and is sure that the flaw exists, the issue should be reported. ... The VSR includes the following components:

• Finder’s contact information
• Security response policy
• Status of the flaw (public or private)
• Whether the report contains confidential information
• Affected products/versions
• Affected configurations
• Description of flaw
• Description of how the flaw creates a security problem
• Instructions on how to reproduce the problem
Notification The next step in the process is contacting the vendor
...
Open and effective communication is the key to understanding and ultimately resolving the software vulnerability
...
The vendor is expected to do the following: • Provide a single point of contact for vulnerability reports
...
• Include in contact information: • Reference to the vendor’s security policy • A complete listing/instructions for all contact methods • Instructions for secure communications • Make reasonable efforts to ensure that e-mails sent to the following formats are rerouted to the appropriate parties: • abuse@[vendor] • postmaster@[vendor] • sales@[vendor] • info@[vendor] • support@[vendor]
Chapter 3: Proper and Ethical Disclosure
57
• Cooperate with the finder, even if it chooses to use insecure methods of communication
...
• If the finder cannot locate a valid contact address, it should send the VSR to one or many of the following addresses: • abuse@[vendor] • postmaster@[vendor] • sales@[vendor] • info@[vendor] • supports@[vendor] Once the VSR is received, some vendors will choose to notify the public that a flaw has been uncovered and that an investigation is under way
...
It is also expected that vendors will inform the finder that they intend to disclose the information to the public
...
After the VSR is sent, the vendor must respond directly to the finder within seven days
...
The RFCR is basically a final warning to the vendor stating that a vulnerability has been found, a notification has been sent, and a response is expected
...
The vendor will be given three days to respond
...
The OIS strongly encourages both the finder and the vendor to exercise caution before releasing potentially dangerous information to the public
...
• Exit the process only after providing notice to the vendor (RFCR would be considered an appropriate notice statement)
...
The OIS encourages, but does not require, the use of a third party to assist with communication breakdowns
...
If the finder uses encrypted transmissions to send its message, the vendor should reply in a similar fashion
...
A third party can consist of security companies, professionals, coordinators, or arbitrators
...
If all efforts have been made and the finder and vendor are still not in agreement, either side can elect to exit the process
...
Validation
The validation phase involves the vendor reviewing the VSR, verifying the contents, and working with the finder throughout the investigation
...
The OIS provides some general rules regarding status updates:
• Vendor must provide status updates to the finder at least once every seven business days, unless another arrangement is agreed upon by both sides
...
Examples of these methods include telephone, e-mail, or an FTP site
...
• The vendor then has three business days to respond to the RFS
...
Investigation
The investigation work that a vendor undertakes should be thorough and cover all related products linked to the vulnerability
...
The steps of the investigation are as follows: 1
...
2
...
3
...
4
...
Shared Code Bases
In some instances, one vulnerability is uncovered in a specific product, but the basis of the flaw is found in source code that may spread throughout the industry
...
• Establish contact with an organization that can coordinate the communication to all affected vendors
...
Once the other affected vendors have been notified, the original vendor has the following responsibilities:
• Maintain consistent contact with the other vendors throughout the investigation and resolution process
...
The plan should include such items as frequency of status updates and communication methods
...
Some examples of the help that a vendor would need include more detailed characteristics of the flaw, more detailed information about the environment in which the flaw occurred (network architecture, configurations, and so on), or the possibility of a third-party software product that contributed to the flaw
...
NOTE Although cooperation is strongly recommended, the only requirement of the finder is to submit a detailed VSR
...
• It has disproved the reported flaw
...
PART I
believes it is the responsibility of both the finder and the vendor to notify all affected vendors of the problem
...
The finder and vendor should do at least one of the following action items:
The vendor is not required to provide detailed testing results, engineering practices, or internal procedures; however, it is required to demonstrate that a thorough, technically sound investigation was conducted
...
• The behavior that the finder reported exists, but does not create a security concern
...
In this case, the finder should reply to the vendor with its own testing results that validate its claim and contradict the vendor’s findings
...
The vendor is responsible for reviewing the dispute, investigating it again, and responding to the finder accordingly
...
• Provide code to the vendor that better demonstrates the proposed vulnerability
...
In this case, the finder should follow appropriate guidelines on releasing vulnerability information to the public (covered later in the chapter)
...
It is important that remedies are created for all supported products and versions of the software that are tied to the identified flaw
...
The OIS suggests the following steps when devising a vulnerability resolution: 1
...
If one exists, the vendor should notify the finder immediately
...
2
...
3
...
The finder is not required to participate in this step
...
The vendor is expected to produce a remedy to the flaw within 30 days of acknowledging the VSR
...
The fix must solve the problem and not create additional flaws that will put both parties back in the same situation in the future
...
One of the factors is “the engineering complexity of the fix”
...
For example, data validation errors and buffer overflows are usually flaws that can be easily recoded, but when the errors are embedded in the actual design of the software, then the vendor may actually have to redesign a portion of the product
...
At this point, the finder can move forward in the following ways:
CAUTION Vendors have released “fixes” that introduced new vulnerabilities into the application or operating system—you close one window and open two doors
...
So although it is easy to put the blame on the network administrator for not patching a system, sometimes it is the worst thing that he could do
...
Configuration change fixes involve giving the users instructions on how to change their program settings or parameters to effectively resolve the flaw
...
There are three main types of software change fixes:
• Patches Unscheduled or temporary remedies that address a specific problem until a later release can completely resolve the issue
...
Software vendors often refer to these solutions as service packs, service releases, or maintenance releases
...
Vendors consider several factors when deciding which software remedy to implement
...
In addition, the established maintenance schedule will also weigh into the final decision
...
If a scheduled maintenance release is months away, the vendor may issue a specific patch to fix the problem
...
Vendors will usually want to integrate the fix into their already scheduled patch or new version release
...
Release
The final step in the OIS “Security Vulnerability Reporting and Response Policy” is the release of information to the public
...
OIS does not advise against advance notification, but realizes that the practice exists in case-by-case instances and is too specific to address in the policy
...
Finders of vulnerabilities usually have the motive of trying to protect the overall industry by identifying and helping remove dangerous software from commercial products
...
Vendors, on the other hand, are motivated to improve their product, avoid lawsuits, stay clear of bad press, and maintain a responsible public image
...
The possible legal liability issues software vendors may or may not face in the future are a can of worms we will not get into, but these issues are gaining momentum in the industry
...
Critics have voiced their concerns that the guidelines will allow vendors to continue to stonewall and deny specific problems
...
Although controversy still surrounds the topic of the OIS guidelines, they are a good starting point
...
Case Studies
The fundamental issue that this chapter addresses is how to report discovered vulnerabilities responsibly
...
Along with a simple “yes” or “no” to the question of whether there should be full disclosure of vulnerabilities to the public, other factors should be considered, such as how communication should take place, what issues stand in the way, and what both sides of the argument are saying
...
Pros and Cons of Proper Disclosure Processes
Following professional procedures with regard to vulnerability disclosure is a major issue
...
The process is not cut and dried, however
...
It’s a tough game to play and even tougher to referee
...
• Knowing the details helps the good guys more than the bad guys
...
• Making vulnerabilities public is an effective tool to make vendors improve their products
...
In one example, a customer reported a vulnerability to his vendor
...
Frustrated and angered, the customer escalated the issue and told the vendor that if he did not receive a patch by the next day, he would post the full vulnerability on a user forum web page
...
These types of stories are very common and are continually presented by the proponents of full vulnerability disclosure
...
• When good guys publish full exploitable code, they are acting as black hats and are not helping the situation but making it worse
...
Vendors continue to argue that only a trusted community of people should be privy to virus code and specific exploit information
...
All members of the consortium are given access to vulnerability information so that research and testing can be done across companies, platforms, and industries
...
Knowledge Management
A case study at the University of Oulu in Finland titled “Communication in the Software Vulnerability Reporting Process” analyzed how the two distinct groups (reporters and receivers) interacted with one another and worked to find the root cause of the
• Know-what
• Know-why
• Know-how
• Know-who
The know-how and know-who are the two most telling factors
...
In addition, the case study divides the reporting process into four different learning phases, known as interorganizational learning:
• Socialization stage When the reporting group evaluates the flaw internally to determine if it is truly a vulnerability
• Externalization phase When the reporting group notifies the vendor of the flaw
• Combination phase When the vendor compares the reporter’s claim with its own internal knowledge about the product
• Internalization phase When the receiving vendor accepts the notification and passes it on to its developers for resolution
One problem that apparently exists in the reporting process is the disconnect and sometimes even resentment between the reporting party and the receiving party
...
From the case study, it was learned that over 50 percent of the receiving parties who had received potential vulnerability reports indicated that less than 20 percent were actually valid
...
Publicity
The case study included a survey centered on the question of whether vulnerability information should be disclosed to the public; it was broken down into four individual statements that each group was asked to respond to:
1
...
2
...
3
...
4
...
As expected, the feedback from the questions validated the assumption that there is a decided difference of opinion between the reporters and the vendors
...
The researchers determined that this process involved four main categories of knowledge:
and feel much more strongly about all information being made immediately public than the reporters do
...
Reporters want to help solve the problem, but are treated as outsiders by the vendors
...
The concluding summary was that both participants in the process rarely have standard communications with one another
...
Go figure!
Team Approach
Another study, “The Vulnerability Process: A Tiger Team Approach to Resolving Vulnerability Cases,” offers insight into the effective use of teams comprising the reporting and receiving parties
...
The research team focuses on the technical aspects of the suspected flaw, while the management team handles the correspondence with the vendor and ensures proper tracking
...
Research
Reporter discovers the flaw and researches its behavior
...
Verification
Reporter attempts to re-create the flaw
...
Reporting
Reporter sends notification to receiver, giving thorough details of the problem
...
Evaluation
5
...
Solutions are developed
...
Patch evaluation
7
...
The solution is delivered to the reporter
...
Advisory generation
The disclosure statement is created
...
Advisory evaluation
The disclosure statement is reviewed for accuracy
...
Advisory release
11
...
The user community offers comments on the vulnerability/fix
...
They found that factors such as holidays, time zone differences, and workload issues were most prevalent
...
This makes communicating all the more difficult
...
The tiger team case study found that the collection of vulnerability data can be very challenging due to this major difference
...
For example, the vendor could appoint a customer advocate to interact directly with the finder
...
Patch Failures
The tiger team case also pointed out some common factors that contribute to patch failures in the software vulnerability process, such as incompatible platforms, revisions, regression testing, resource availability, and feature changes
...
It was concluded that a lower quality of patch would be expected if this is the case
...
This happens for several reasons
...
This is the reason that there is a maturing product line and new processes being developed in the security industry to deal with “patch management”
...
So although it is easy to shake our fists at the network and security administrators for not applying the released fixes, the task is usually much more difficult than it sounds
...
responsibilities and rarely contributed to time delays
...
Secure communication channels between the reporter and the receiver should be established throughout the life cycle
...
For example, if the sides agree to use encrypted e-mail exchange, they must ensure that they are using similar protocols
...
Started in August 2002, iDefense employs researchers and engineers to uncover potentially dangerous security flaws that exist in commonly used computer applications throughout the world
...
iDefense’s program, Vulnerability Contributor Program (VCP), has pinpointed hundreds of threats over the past few years within a long list of applications
...
The biggest fear here is that the practice could lead to unethical behavior and, potentially, legal complications
...
Researchers may get paid by the number of bugs they find—much like the commission a salesperson makes per sale
...
Many believe that bug hunters should be employed by the software companies or work on a voluntary basis to avoid this profiteering mentality
...
They believe bug finding should be considered an act of goodwill and not a profitable endeavor
...
In addition, they are paid for their work and do not work on a bug commission plan as some skeptics maintain
...
In the first quarter of 2007, iDefense, a VeriSign company, offered up a challenge to the security researchers
...
Interestingly, this has fueled debates from some unexpected angles
...
Security researchers feel that their work is being “discounted”
...
Because of the decrease in payment for the gray hat work of finding vulnerabilities, there is a growing dialogue among these gray hatters about auctioning off newly discovered zero-day vulnerabilities and exploit code through an underground brokerage system
...
The exploit writers and the buyers could remain anonymous
...
Spam-spewing botnets and Trojan horses sell for about $5,000 each
...
The debate over higher pay versus ethics rages on
...
Zero Day Initiative
Another method for reporting vulnerabilities that is rather unique is the Zero Day Initiative (ZDI)
...
The company involved, TippingPoint (owned by 3Com), does not resell any of the vulnerability details or the code that has been exploited
...
Nothing too unique there; what is unique though, is that after they have developed a fix for the vulnerability, they offer the information about the vulnerability to other security vendors
...
Researchers interested in participating can provide exclusive information about previously undisclosed vulnerabilities that they have discovered
...
After an agreement on the acquisition of the vulnerability, 3Com will work with the vendor to generate a fix
...
When TippingPoint started this program, they followed this sequence of events: 1
...
2
...
3
...
This will allow the researcher to track the unique vulnerability through the ZDI secure portal
...
3Com researches the vulnerability and verifies it
...
This usually happens within a week
...
Further, from the blogs, it seems that uncovering a typical, run-of-the-mill vulnerability, understanding it, and writing exploit code takes, on average, two to three weeks
...
Putting this into perspective, Windows Vista has approximately 70 million lines of code
...
This extrapolates to predict that Windows Vista has about 35,000 bugs in it
...
Can the software development industry afford to pay this? Can they afford not to pay this? The path taken will probably lie somewhere in the middle
...
3Com makes an offer for the vulnerability, and the offer is sent to the researcher via e-mail that is accessible through the ZDI secure portal
...
The researcher is able to access the e-mail through the secure portal and can decide to accept the offer
...
7
...
3Com responsibly notifies the affected product vendor of the vulnerability
...
8
...
9
...
The researcher will be given full credit for the discovery, or if it so desires, it can remain anonymous to the public
...
Instead of following the preceding procedure, it took a different approach
...
The announcement would only be a bare-bones advisory that would be issued at the time it was reported to the vendor
...
There is no mention as to which specific product is being affected
...
The decision to preannounce is very different from many of the other vendors in the industry that also purchase data on flaws and exploits from external individuals
...
Some critics feel that this kind of advanced reporting could cause more problems for, rather than help, the industry
...
Only time will truly tell if this will be good for the industry or detrimental
...
When bugs do arise, they are expected to release fixes almost immediately
...
However, the common practice of “penetrate and patch” has drawn criticism from the security community as vendors simply release multiple temporary fixes to appease the users and keep their reputation intact
...
Most security flaws occur early in the application design process
...
Mistrust of user input Users should be treated as “hostile agents” as data is verified on the server side and as strings are stripped of tags to prevent buffer overflows
...
End-to-end session encryption Entire sessions should be encrypted, not just portions of activity that contain sensitive information
...
4
...
For example, passwords should remain encrypted while being stored in databases, and secure data segregation should be implemented
...
5
...
The problem is that these enhancements usually contain serious security flaws
...
6
...
An example of this is vendors who create security quality assurance (SQA) teams to manage all security-related issues
...
Here are some suggestions that should be followed if we really want to improve our environments:
1
...
Firewalls are no longer an effective single countermeasure against attacks
...
2
...
It is just as much the consumers’ responsibility as the developers’ to ensure that the environment is secure
...
Many security breaches happen because of improper configurations by the customer
...
Authentication and authorization The best applications ensure that authentication and authorization steps are complete and cannot be circumvented
...
Educate application developers
...
Vendors should make a conscious effort to train their employees in areas of security
...
Access early and often
...
Vendors should consider hiring security consultant firms to offer advice on how to implement security practices into the overall design, testing, and implementation processes
...
Engage finance and audit
...
Engaging budget committees and senior management at an early stage is also critical
...
• Metasploit: the big picture
• Getting Metasploit
• Using the Metasploit console to launch exploits
• Using Metasploit to exploit client-side vulnerabilities
• Using the Metasploit Meterpreter
• Using Metasploit as a man-in-the-middle password stealer
• Using Metasploit to auto-attack
• Inside Metasploit exploit modules
Metasploit: The Big Picture
Metasploit is a free, downloadable tool that makes it very easy to acquire, develop, and launch exploits for computer software vulnerabilities
...
When H.D. Moore released Metasploit in 2003, it permanently changed the computer security scene
...
Software vendors could no longer drag their feet fixing publicly disclosed vulnerabilities, because the Metasploit crew was hard at work developing exploits that would be released for all Metasploit users
...
However, it is probably more often used today by security professionals and hobbyists as a “point, click, root” environment to launch exploits included with the framework
...
To save space, we’ll strategically snip out nonessential text, so the output you see while following along might not be identical to what you see in this book
...
Getting Metasploit
Metasploit runs natively on Linux, BSD, Mac OS X, and Windows inside Cygwin
...
metasploit
...
The Windows console application (msfconsole) that we will be using throughout this chapter requires the Cygwin environment to run
...
The Cygwin downloader is www
...
com/setup
...
Be sure to install at least the following, in addition to the base packages:
• Devel: readline, ruby, and subversion (required for msfupdate)
• Interpreters: ruby
• Libs: readline
• Net: openssl
We’ll try to get a remote command shell running on that box using the RRAS exploit built into the Metasploit framework
...
So we can choose to use the RRAS vulnerability to open a command shell, create an administrator, start a remote VNC session, or to do a bunch of other stuff
...
Microsoft LSASS Service
Microsoft NetDDE Service
Microsoft Plug and Play Service
Microsoft RRAS Service RASMAN
Microsoft RRAS Service Overflow
Microsoft Server Service
There it is! Metasploit calls it windows/smb/ms06_025_rras
...
msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >
Notice that the prompt changes to enter “exploit mode” when you use an exploit module
...
You can get back to the original launch state at the main console by issuing the back command
...
Let’s see what options need to be set to make the RRAS exploit work
...