Masquerader: A person who is not authorized to use a computer, but gains access by appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...)
Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...)
Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.
Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear. Techniques for guessing passwords:
1. Try default passwords.
2. Try all short words, 1 to 3 characters long.
3. Try all the words in an electronic dictionary (about 60,000 words).
4. Collect information about the user’s hobbies, family names, birthday, etc., and try those.
5. Try user’s phone number, social security number, street address, etc.
6. Try all license plate numbers (e.g., 123XYZ).
Prevention: Enforce good password selection (e.g., c0p31an6: mixed letters and digits, not a dictionary word).
Other ways to obtain a password without guessing it:
Look under the keyboard, telephone, etc.
Look in the Rolodex under “X” and “Z”.
Call up pretending to be from “micro-support,” and ask for it.
“Snoop” a network and watch the plaintext passwords go by.
Tap a phone line (this requires a very special modem).
Use a “Trojan Horse” program to record keystrokes.
Diagram: UNIX password storage. The user’s password (should be required to have 8 characters, some non-letters) together with a random 12-bit number (the salt) is DES encrypted to 11 viewable characters. Each entry in the password file holds three fields: User ID, Salt Value, Hash.
Until a few years ago, UNIX passwords were kept in a publicly readable file, /etc/passwd. Now the hashes are kept in a “shadow” file (/etc/shadow) readable only by “root”.
“Salt”:
• prevents duplicate passwords from being easily seen as such (the same password under two different salts gives two different hashes).
• prevents use of standard reverse-lookup dictionaries (a different dictionary would have to be generated for each of the 4096 salt values).
• does not “effectively increase the length of the password”: the salt is stored in the clear next to the hash, so an attacker guessing one specific account’s password has no extra work to do.
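A worked example of the password-guessing list and of the salted password file, added here as an illustration and not taken from the course material. It keeps the 12-bit salt of the classic scheme but uses SHA-256 in place of the modified DES (an assumption made for the example), and the user profile, word list and account entries it runs on are constructed:

```python
import hashlib
import hmac
import itertools
import secrets

# Added example (not from the slides): salted password storage in the style
# of UNIX crypt(3), plus the guessing sequence the slides list.  Assumptions:
# SHA-256 of salt||password stands in for the modified-DES function; the salt
# keeps the classic 12-bit size, so there are 4096 possible salt values.
SALT_BITS = 12


def hash_password(password, salt):
    """Hash a password under one 12-bit salt (hex digest)."""
    if not 0 <= salt < (1 << SALT_BITS):
        raise ValueError("salt must fit in 12 bits")
    data = salt.to_bytes(2, "big") + password.encode()
    return hashlib.sha256(data).hexdigest()


def new_entry(user, password):
    """Create a password-file entry: (user id, salt value, hash)."""
    salt = secrets.randbelow(1 << SALT_BITS)
    return (user, salt, hash_password(password, salt))


def check_password(entry, guess):
    """Login check: the stored salt is public, the password is not."""
    _user, salt, stored = entry
    return hmac.compare_digest(stored, hash_password(guess, salt))


def guess_candidates(profile, dictionary):
    """Yield guesses in the order the slides suggest: default passwords,
    a word list, then personal information and simple combinations of it.
    `profile` is a constructed dict such as {"name": ..., "birthday": ...}."""
    yield from ["", "password", "admin", "root", "guest", "changeme"]
    yield from dictionary
    words = [profile.get(k, "") for k in ("name", "spouse", "pet", "hobby")]
    numbers = [profile.get(k, "") for k in ("birthday", "phone", "ssn", "plate")]
    for w in words:
        if w:
            yield w.lower()
            yield w.capitalize()
    for n in numbers:
        if n:
            yield n
    for w, n in itertools.product(words, numbers):
        if w and n:
            yield w.lower() + n          # e.g. rover1977
            yield w.lower() + n[-2:]     # e.g. rover77


def dictionary_attack(entries, guesses):
    """Offline attack on a stolen password file.  Because of the salt, a
    reverse-lookup table is only valid for one salt value, so one table is
    built per distinct salt seen; without salt a single table would do.
    Returns (cracked {user: password}, number of tables built)."""
    guesses = list(guesses)
    tables = {}
    cracked = {}
    for user, salt, stored in entries:
        if salt not in tables:
            tables[salt] = {hash_password(g, salt): g for g in guesses}
        if stored in tables[salt]:
            cracked[user] = tables[salt][stored]
    return cracked, len(tables)
```

Running it shows the points listed for the salt: the same password stored under two salts gives two different hashes, and a reverse-lookup table built for one salt is useless against another, so an attacker who wants to precompute must build up to 4096 tables. It also shows the last point: `dictionary_attack` reads each account's salt straight from the file and hashes every guess with it, so for one targeted account the salt adds no work and only the password's own strength matters. The guess generator goes slightly beyond the slide by combining profile words with numbers (steps 4 and 5 of the guessing list).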
1. Scan the network to:
• locate which IP addresses are in use,
• determine what operating system each host runs,
• find which TCP or UDP ports are “open” (being listened on by servers).
2. Run “exploit” scripts against the open ports.
3. Get access to a shell program that is “suid” root (runs with root privileges).
4. Download from a hacker web site special versions of system files (a “rootkit”) that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
1. Use a “firewall” between the local area network and the worldwide Internet to limit access (Chapter 10).
2. Use an IDS (Intrusion Detection System) to detect the cracker during the scanning stage (lock out the IP address, or monitor and prosecute).
3. Use a program like Tripwire on each host to detect when system files are altered, and e-mail an alert to the sysadmin.
4. On Microsoft PCs, a program like BlackICE is easier to install than learning how to reset default parameters to make the system safe (and fun besides).
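The Tripwire idea in item 3, as an added example (this is not Tripwire's own code, and the file tree it checks is constructed in a temporary directory): take a baseline of content hash, permission bits and size for every regular file, then compare a fresh snapshot against it. The scenario in `demo()` replays step 4 of the cracker's procedure above: a trojaned login, a setuid bit added to ps, a hidden rootkit file, and a deleted file.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not Tripwire's code): a minimal Tripwire-style file
# integrity check.  Assumption: the baseline dictionary is stored somewhere
# the intruder cannot write (read-only media or another host); if it lives
# on the compromised box, a root-level intruder simply regenerates it.


def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> (sha256, permission bits, size)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue            # symlinks, devices: out of scope here
            rel = os.path.relpath(full, root)
            baseline[rel] = (file_digest(full), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate the rootkit
    step from the slides and return the resulting report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o755):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("bin/login", b"original login binary")
        write("bin/ps", b"original ps binary")
        write("etc/motd", b"Welcome\n", 0o644)
        baseline = snapshot(root)

        write("bin/login", b"login with a backdoor")           # content changed
        os.chmod(os.path.join(root, "bin/ps"), 0o4755)         # setuid added, content unchanged
        write("tmp/.rk/ls", b"rootkit ls that hides files")     # new file
        os.remove(os.path.join(root, "etc/motd"))              # file removed
        return compare(baseline, snapshot(root))
```

The check compares content hashes rather than timestamps because a rootkit installer can reset mtime to the original value; it cannot make a different binary hash the same. Sending the report by e-mail is left to the caller. The practical caveat is the one in the leading comment: once the intruder is root on the host, a baseline and checker kept on that same host can be edited to match the trojaned files, so Tripwire's database belongs on read-only media or on another machine.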
Type "A" Probes
The first three UDP probes, which started my investigation, had a single character in the data field, an "A". The UDP port numbers were identical, 31790->31789. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.
Date        Time (EST)  Source IP (Place)                Destination (Place)
1999-12-28  18:40       151.21.82.251 (Italy)         to 24.88.48.47 (Atlanta, GA)
1999-12-10  18:28       152.169.145.206 (AOL)         to 24.88.48.47 (Atlanta, GA)
1999-12-16  03:34       212.24.231.131 (Saudi Arabia) to 24.88.48.47 (Atlanta, GA)
UDP packets with an empty data field, like those generated by the "nmap" scan program, do not stimulate the 1500-byte ICMP packets from an OS-9 Macintosh.
Type "Double-zero" Probes (James Bond, 007, "00" -> "license to kill")
I have now seen 3 UDP type "00" probes, and had another "00" probe reported from Kansas.
These probes use a single UDP packet, two bytes of data (ASCII zeroes) and identical UDP port numbers, 60000->2140. They stimulate the 1500-byte ICMP Echo-Request packet and the normal 58-byte ICMP Destination_Unreachable-Port packets. The Echo-Request is never answered.
Date        Time (EST)  Source IP (Place)                      Destination (Place)
1999-12-20  07:04       195.229.024.212 (Arab Emirates*)    to 24.88.48.47 (Atlanta, GA)
1999-12-21  08:04       195.229.024.213 (Arab Emirates*)    to 24.88.48.47 (Atlanta, GA)
                        *DNS name: cwa129.emirates.net.ae
1999-12-25  09:39       212.174.198.29 (Turkey*)            to 24.94.xxx.xxx (Wichita, Kansas)
                        *DNS: none
1999-12-31  05:35       195.99.56.179 (Manchester, UK*)     to 14.88.xx.xx (Atlanta, GA)
                        *DNS name: manchester_nas11.ida.bt.net
2000-01-04  05:08       24.94.80.152 (Road Runner, Hawaii*) to 24.94.xxx.xxx (Wichita, Kansas)
                        *DNS name: a24b94n80client152.hawaii.rr.com
2000-01-06  04:48       195.44.201.41 (cwnet, NJ*)          to 24.88.xx.xxx (Atlanta, GA)
                        *DNS name: ad11-s16-201-41.cwci.net
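An added example, not part of the probe logs above, of the detection an IDS would do during the scanning stage (defense item 2) and for the two UDP probe types just described. It runs over a constructed, one-line-per-packet log whose format is an assumption made for this example; the signature tuples encode the port pairs and payloads given in the text (31790->31789 with an "A", 60000->2140 with "00"), and the port-scan rule flags a source that touches several distinct destination ports inside a short window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the slides).  Log format and sample lines are
# constructed for this example; addresses are taken from the probe tables
# above plus made-up private addresses for the scan and the normal client.

LINE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) (?P<src>\S+):(?P<sport>\d+) > "
    r"(?P<dst>\S+):(?P<dport>\d+) data=(?P<data>[0-9a-f]*)$"
)

# (name, protocol, source port, destination port, payload)
SIGNATURES = [
    ("Type A probe", "UDP", 31790, 31789, b"A"),
    ("Type 00 probe", "UDP", 60000, 2140, b"00"),
]

SAMPLE_LOG = """\
1999-12-20 07:04:11 UDP 195.229.24.212:60000 > 24.88.48.47:2140 data=3030
1999-12-20 07:04:12 UDP 195.229.24.212:60000 > 24.88.48.47:2140 data=
1999-12-28 18:40:03 UDP 151.21.82.251:31790 > 24.88.48.47:31789 data=41
2000-01-06 04:48:00 TCP 10.0.0.5:4123 > 24.88.48.47:21 data=
2000-01-06 04:48:00 TCP 10.0.0.5:4124 > 24.88.48.47:22 data=
2000-01-06 04:48:01 TCP 10.0.0.5:4125 > 24.88.48.47:23 data=
2000-01-06 04:48:01 TCP 10.0.0.5:4126 > 24.88.48.47:25 data=
2000-01-06 04:48:02 TCP 10.0.0.5:4127 > 24.88.48.47:80 data=
2000-01-06 04:48:02 TCP 10.0.0.5:4128 > 24.88.48.47:111 data=
2000-01-06 09:00:00 TCP 192.168.1.20:51000 > 24.88.48.47:80 data=
2000-01-06 09:00:30 TCP 192.168.1.20:51001 > 24.88.48.47:80 data=
"""


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "data": bytes.fromhex(m["data"]),
    }


def match_signature(pkt):
    for name, proto, sport, dport, payload in SIGNATURES:
        if (pkt["proto"], pkt["sport"], pkt["dport"], pkt["data"]) == (proto, sport, dport, payload):
            return name
    return None


def analyze(lines, scan_ports=5, window=timedelta(seconds=10)):
    """Return (timestamp, source, description) alerts.  Lines are assumed
    to be in time order.  A source touching scan_ports distinct destination
    ports inside `window` is reported once as a port scan."""
    alerts = []
    recent = defaultdict(list)      # src -> [(ts, dport), ...] inside window
    flagged = set()
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        sig = match_signature(pkt)
        if sig:
            alerts.append((pkt["ts"], pkt["src"], sig))
        hist = recent[pkt["src"]]
        hist.append((pkt["ts"], pkt["dport"]))
        while pkt["ts"] - hist[0][0] > window:      # expire old entries
            hist.pop(0)
        ports = {p for _, p in hist}
        if pkt["src"] not in flagged and len(ports) >= scan_ports:
            flagged.add(pkt["src"])
            alerts.append((pkt["ts"], pkt["src"],
                           f"port scan: {len(ports)} ports in {int(window.total_seconds())}s"))
    return alerts
```

On the sample, the first "00" packet and the "A" packet raise signature alerts, the empty-payload UDP packet (the nmap-style probe the text says does not trigger the large ICMP reply) matches nothing, the source hitting ports 21, 22, 23, 25 and 80 within two seconds is reported as a scan, and the client that connects to port 80 twice is left alone. Threshold and window are the tuning knobs: set them too low and ordinary clients that open a few services get locked out, which matters if the response is an automatic address block.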
Traceroute to find location of IP Address
Start: 11/21/99 11:07:40 PM
Find route from: 24.88.48.47
to: www.orbicom.com. (196.28.160.129), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 24.88.48.1 (24.88.48.1 ): 17ms 17ms 16ms
2 24.88.3.21 (24.88.3.21 ): 18ms 19ms 18ms
3 24.93.64.69 (24.93.64.69 ): 17ms 18ms 17ms
4 24.93.64.61 (24.93.64.61 ): 19ms 17ms 18ms
5 24.93.64.57 (24.93.64.57 ): 25ms 25ms 23ms
6 sgarden-sa-gsr.carolina.rr.com. (24.93.64.30 ): 26ms 27ms 27ms
7 roc-gsr-greensboro-gsr.carolina. (24.93.64.17 ): 28ms 28ms 30ms
8 roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6 ): 30ms 32ms 30ms
9 12.127.173.205 (12.127.173.205 ): 40ms 39ms 39ms
10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30 ): 38ms 40ms 39ms
11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246 ): 278ms 40ms 39ms
12 att-gw.washdc.teleglobe.net. (192.205.32.94 ): 41ms 43ms 42ms
13 if-7-2.core1.newyork.teleglobe.n (207.45.222.145 ): 45ms 46ms 45ms
14 if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69 ): 45ms 47ms 49ms
15 ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202 ): 50ms 46ms 50ms
16 196.30.121.243 (196.30.121.243 ): 44ms 48ms 45ms
17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26 ): 635ms 632ms 633ms
18 atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81 ): 641ms 640ms 644ms
19 196.30.200.6 (196.30.200.6 ): 643ms 640ms 643ms
20 196.4.162.86 (196.4.162.86 ): 662ms 659ms 664ms
21 www.orbicom.com. (196.28.160.129 ): 663ms 658ms 664ms
• Trace completed 11/21/99 11:08:25 PM •
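An added example, not from the course material, of extracting the location clues from a traceroute listing like the one above: the DNS names of the intermediate routers name the carriers along the path (rr.com, att.net, teleglobe.net, iafrica.net), and a large step in round-trip time marks the long-haul link into the destination's region. The sample text is the traceroute printed above; the hop-line format the parser assumes is "n name (ip ): Xms Yms Zms".

```python
import re

# Added example (not from the slides).  SAMPLE is the traceroute listing
# shown on the page; names longer than 32 bytes were truncated by the tool.
SAMPLE = """\
1 24.88.48.1 (24.88.48.1 ): 17ms 17ms 16ms
2 24.88.3.21 (24.88.3.21 ): 18ms 19ms 18ms
3 24.93.64.69 (24.93.64.69 ): 17ms 18ms 17ms
4 24.93.64.61 (24.93.64.61 ): 19ms 17ms 18ms
5 24.93.64.57 (24.93.64.57 ): 25ms 25ms 23ms
6 sgarden-sa-gsr.carolina.rr.com. (24.93.64.30 ): 26ms 27ms 27ms
7 roc-gsr-greensboro-gsr.carolina. (24.93.64.17 ): 28ms 28ms 30ms
8 roc-asbr-roc-gsr.carolina.rr.com (24.93.64.6 ): 30ms 32ms 30ms
9 12.127.173.205 (12.127.173.205 ): 40ms 39ms 39ms
10 gbr2-a30s1.wswdc.ip.att.net. (12.127.1.30 ): 38ms 40ms 39ms
11 gr2-p3110.wswdc.ip.att.net. (12.123.8.246 ): 278ms 40ms 39ms
12 att-gw.washdc.teleglobe.net. (192.205.32.94 ): 41ms 43ms 42ms
13 if-7-2.core1.newyork.teleglobe.n (207.45.222.145 ): 45ms 46ms 45ms
14 if-0-0-0.bb3.newyork.teleglobe.n (207.45.221.69 ): 45ms 47ms 49ms
15 ix-1-1-1.bb3.newyork.teleglobe.n (207.45.199.202 ): 50ms 46ms 50ms
16 196.30.121.243 (196.30.121.243 ): 44ms 48ms 45ms
17 fe0-0.cr3.ndf.iafrica.net. (196.31.17.26 ): 635ms 632ms 633ms
18 atm6-0sub300.cr1.vic.iafrica.net (196.30.121.81 ): 641ms 640ms 644ms
19 196.30.200.6 (196.30.200.6 ): 643ms 640ms 643ms
20 196.4.162.86 (196.4.162.86 ): 662ms 659ms 664ms
21 www.orbicom.com. (196.28.160.129 ): 663ms 658ms 664ms
"""

HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\s*\):\s+(\d+)ms\s+(\d+)ms\s+(\d+)ms")


def parse_traceroute(text):
    """Return one dict per hop: number, name as printed, ip, three RTTs."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append({"hop": int(m[1]), "name": m[2], "ip": m[3],
                         "rtts": [int(m[4]), int(m[5]), int(m[6])]})
    return hops


def named_hops(hops):
    """(hop number, DNS name) for hops that resolved to a name; the
    carrier domains in these names are the first location clue."""
    return [(h["hop"], h["name"]) for h in hops if h["name"] != h["ip"]]


def largest_rtt_jump(hops):
    """(hop number, increase in ms) of the biggest step in minimum RTT
    between consecutive hops.  The minimum of the three probes is used so
    that a single slow reply (hop 11 above, 278ms) is not mistaken for a
    long-haul link."""
    best = (None, 0)
    for prev, cur in zip(hops, hops[1:]):
        delta = min(cur["rtts"]) - min(prev["rtts"])
        if delta > best[1]:
            best = (cur["hop"], delta)
    return best
```

For this listing the jump is at hop 17, where the minimum RTT rises from 44 ms to 632 ms. Fibre distance alone does not add close to 600 ms; a round trip of that size is consistent with a geostationary satellite link, and the iafrica.net names on the far side place the destination on the African continent. Treat either clue alone as weak: DNS names are chosen by the carrier and can be misleading, and RTT jumps also come from congested or slow links.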