Professional Documents
Culture Documents
of an Industry
Matt Bowles
Hacking is a term that has evolved over the years. Its evolution spawned two separate industries: an evil industry based on greed, theft, and general chaos on the Internet, and a business industry whose sole purpose is to combat the evil industry. The evil industry is comprised of all sorts of deviants who troll the Internet looking for weaknesses that they can exploit to their gain. The business industry is made up of products, vendors, and professionals whose purpose is to keep the deviants out. Both industries are experiencing explosive growth as technology increases the presence of organizations on the Internet. This paper's aim is to examine some of the tools and techniques used by both industries and to raise awareness for readers in both the home and corporate environments. © 2012 Alcatel-Lucent.
Introduction
To figure out where we are going, we first have to take a look at where we have been. Every event in the history of computer security is important because it is a link in the chain that has led us to where we are today. Where would technology be today if Steve Jobs and Steve Wozniak didn't create the Apple* computer? The Apple computer went through a series of permutations that eventually led to the iPhone*, which revolutionized the smartphone industry.

Hacking as it is known today was born out of pure curiosity in the 1970s and 1980s. Computer enthusiasts wanted to learn about these mystical devices and see if they could be made more efficient. Before the personal computer made its first appearance, some of the most accessible computers were actually the telephone systems run by large telecommunication companies. The first hackers to make an impression on the world were actually called phreakers. These were brilliant individuals who, by interacting with the phone system, were able to derive how it worked and manipulate it for their own benefit. In some cases they stumbled upon tools which could be used in ways that were unintended. One of the most notable phreakers was named "Captain Crunch" because he discovered that a toy (found in the Cap'n Crunch* breakfast cereal) emitted a 2600 Hz tone, which caused interaction with the AT&T long distance phone systems. In 1971 Captain Crunch and other fellow phreakers created a blue box which simulated a telephone operator's console. It functioned by replicating the tones used to switch long-distance calls and using them to route the user's own call, bypassing the normal switching mechanism. Phreaking was the most notable beginning of the hacking revolution.
Bell Labs Technical Journal 17(3), 5–16 (2012) © 2012 Alcatel-Lucent. • DOI: 10.1002/bltj.21555
Panel 1. Abbreviations, Acronyms, and Terms
APT—Advanced persistent threats
BBS—Bulletin board system
CCC—Chaos Computer Club
cDc—Cult of the Dead Cow
DES—Data Encryption Standard
IDS—Intrusion detection system
IP—Internet Protocol
IPS—Intrusion prevention system
IT—Information technology
LAN—Local area network
LANMAN—LAN manager
LOD—Legion of Doom
MD5—Message digest 5
MOD—Masters of Deception
OWASP—Open Web Application Security Project
PDF—Portable Document Format
SET—Social Engineering Toolkit
SHA1—Secure hash algorithm 1
SIEM—Security information and event management
SQL—Structured Query Language
TCP—Transmission Control Protocol
URL—Uniform resource locator
USB—Universal serial bus
XSS—Cross-site scripting
By the early 1980s the personal computer revolution was beginning to take hold. Computers started to pop up all around the world and so did hacker groups who tried to figure them out. The early 1980s brought the creation of the Chaos Computer Club (CCC) in Germany, Legion of Doom (LOD), Masters of Deception (MOD), and the Cult of the Dead Cow (cDc), to name a few of the most notable. These were groups of hackers who usually feuded with each other but also made intellectual contributions to the advancement of computer security. The 1980s through the 1990s were one of the most popular times for bulletin board systems (BBS). A BBS was a place for people who shared a common interest to collaborate, and a good portion of BBS were focused on computers. This was one of the first places that hackers could share and trade information. As their popularity grew, so did the diversity of topics. The usage of BBS systems played a role in making the Internet the entity we know it as today. In the late 1980s we saw the Morris Worm, which was one of the first major pieces of malware, and the first worm to affect networked computers.

In the mid 1990s, the BBS began to disappear and give way to the Internet. The latter half of the 1990s was much more interesting. Kevin Mitnick was arrested in 1995 on suspicion that he attacked numerous corporate and communications carriers located in California, Colorado, and North Carolina where he caused damage and stole proprietary information [7]. He was finally sentenced in 1999 and served five years in prison. Eight months were spent in solitary confinement after a judge was convinced that Mitnick could "start a nuclear war by whistling into a payphone." [3] In 1999, the Cult of the Dead Cow released the controversial Back Orifice 2000 program as a remote administration tool, but many people claim it to be a rootkit with a backdoor.

From the year 2000 until the present time there was usually at least one major security incident, sometimes two, a year. Early in the 2000s there were massive worms that plagued the Internet such as MS Blaster, Slammer, and Code Red. These worms exploited service side vulnerabilities, mostly on servers but also on workstations. Starting around the year 2007 there was a paradigm shift in how attacks were taking place. Attacks began to leverage client side exploitation. The attack would often occur by email or a malicious website. A user would unknowingly interact with the attack, creating an outbound connection, which would bypass network security controls such as firewalls. These attacks would also leverage elements of social engineering to entice the user to interact with the malicious elements. In some cases, the exploit that was run on the system via the client side exploit would add that
Figure 1. Example network architecture for small or medium organizations. (Diagram labels: email server, web server, external firewall.)
the organization and simply asking for it. It is trivial for the tester to call an organization pretending to be a sales representative for antivirus product X. The tester would ask if the organization is interested in product X. The response might be, "No, we already use product Y" or "We already use product X." The tester might ask a couple of extra meaningless questions to keep from arousing suspicion and then thank the employee for their time. Now the tester knows which type of antivirus product the organization is using and can test any malware or attack tools to ensure that the attack goes unnoticed. Another trivial method is analyzing the metadata from the organization's website. Maybe the organization has a PDF document with the specifications of a product or service that they sell. Taking that file and running a metadata tool on it can often reveal software version information such as the current patch level of an Adobe product. Each bit of information that can be obtained by the tester increases the chance of a successful attack. Through the recon process, the tester would be able to identify most, if not all, of the diagram in Figure 1. In this example there are two main vectors of attack, the web site and the end users. The website attack could be easy or difficult depending on how well all aspects of the web application have been coded with regard for security. Attacking the end users is almost always considerably easier.

Web Site Attack Vector
Websites are intended to be always available, which makes them a prime target for attack. Let's assume that when the site was developed, user input was not being checked for special characters, which could make it vulnerable to attacks. There are numerous ways that a tester could use an organization's website in an attack, but let's focus on SQL injection. Using a SQL injection attack, a tester could potentially dump all of the data from the back end database using malicious queries, as we discussed earlier. The tester could also invoke a Windows XP* command shell if it is a Windows database. This would
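The unchecked-input flaw described above, shown beside its parameterized fix, as an added example that is not part of the original paper. The product table, its rows, and the hostile input are constructed for the demonstration; the in-memory SQLite database stands in for the organization's back end.

```python
import sqlite3

# Constructed sample data standing in for the organization's back-end database.
SAMPLE_PRODUCTS = [
    ("widget", "public", "Standard widget"),
    ("gizmo", "public", "Standard gizmo"),
    ("prototype-x", "internal", "Unreleased design, confidential"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a product table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, visibility TEXT, notes TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The flaw the paper describes: user input is pasted into the query text
    unchecked, so a quote character in the input changes the query's structure."""
    sql = ("SELECT name, notes FROM products WHERE visibility = 'public' "
           "AND name = '" + user_input + "'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened form: the value is bound as a parameter, never spliced into SQL
    text, so special characters in the input cannot alter the query."""
    sql = "SELECT name, notes FROM products WHERE visibility = 'public' AND name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo() -> dict:
    """Run both versions against a benign and a constructed hostile input."""
    conn = build_db()
    benign = "widget"
    # Constructed hostile input: closes the string literal and appends a
    # condition that is always true, defeating the visibility filter.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": search_vulnerable(conn, benign),
        "vuln_hostile": search_vulnerable(conn, hostile),   # leaks internal row
        "safe_benign": search_parameterized(conn, benign),
        "safe_hostile": search_parameterized(conn, hostile),  # no match, no leak
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable search returns every row, including the internal one, for the hostile input; the parameterized search treats the same input as a literal product name and returns nothing.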