
After an attacker compromises a machine and creates a back door, the last thing he does is make sure he does not get caught. What good is creating a back door if someone can easily spot it and close it? Therefore, the attacker’s last step is to cover his tracks.

The most basic thing to do is clean up the log files. The log files keep a record of who accessed what and when, so if anyone looks at the log file, that person can tell that an unauthorized person was in the system, and the file tells exactly what the person did. From an attacker’s standpoint, this is a bad thing. So, to cover his tracks, he first finds out where the log file is and cleans out the entries that relate to his attack.

Why doesn’t he go in and delete the entire contents of the log file to ensure that he doesn’t miss anything? There are two major drawbacks to total deletion. First, empty log files raise immediate suspicion that something is wrong. Second, most systems put an entry in the log file indicating that the file has been cleared. This also sets off a red flag that raises fear in the heart of any system administrator. That is why it is so important to send logging to a different machine and ideally have the log information go to a write-only medium. This way, the chances of someone being able to go back and clean it up are minimized.

Another common hacker technique is to turn off logging as soon as he gains access to a machine. Why worry about having to go back and clean up the log files when he can just turn off logging? This way, no one will know what he has done. This requires additional expertise, but it is extremely effective. The thing to remember is that if logging is done correctly, even if an attacker turns off logging, the system still records the fact that he entered the system, where he entered, and other useful information.

If an attacker modifies or overwrites files, part of his cleaning-up process is to make sure that the changed files do not raise suspicion. Most files have dates of when they were last accessed and the size of the file. There are programs that, when run, raise flags if this information has been changed. To overcome this, an attacker can go in and fool the system. Even though the file has been modified and the size has changed, he can go into the properties of the files and set them back to their previous settings, which makes it much harder to detect.

I recommend that if you are going to run a program to make sure key files on a system were not changed, use a program that calculates checksums. A checksum is a calculation performed on the file, and two checksums can only be the same if the files are identical. This means that even if an attacker goes in and tries to cover his tracks, because the file changed, the checksum should be different. These types of programs are much harder to hide from. These checksum programs are covered in detail in Chapter 16, “Covering the Tracks,” along with much more information about how attackers cover their tracks.
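The following added example (not from the book) shows why the preceding two paragraphs recommend checksums over size and timestamp checks: it records a baseline of size, modification time and SHA-256 for a set of files, then runs a constructed scenario in which a file is altered in place with a same-length change and its timestamp is restored, so that only the checksum field reports the change. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return the metadata an attacker can reset (size, mtime) alongside
    a content checksum that cannot be reset without restoring the content."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def baseline(paths):
    """Build the trusted baseline database: path -> fingerprint."""
    return {p: fingerprint(p) for p in paths}


def check(baseline_db):
    """Return {path: [changed fields]} for files that differ from the baseline.
    An empty dict means every file still matches."""
    findings = {}
    for path, ref in baseline_db.items():
        cur = fingerprint(path)
        changed = [k for k in ref if cur[k] != ref[k]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed scenario: overwrite part of a file with a same-length
    value and put the original timestamps back. Size and mtime then match
    the baseline again; only the checksum field flags the change."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hosts")  # constructed sample file
    with open(path, "w") as f:
        f.write("127.0.0.1 localhost\n")
    db = baseline([path])
    ref = db[path]
    with open(path, "r+b") as f:           # same-length edit keeps the size
        f.seek(0)
        f.write(b"127.0.0.2")
    os.utime(path, ns=(ref["mtime_ns"], ref["mtime_ns"]))  # timestamps restored
    return check(db)  # -> {path: ["sha256"]}
```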

The Types of Attacks

Now let’s take a look at the types of attacks that are occurring on the Internet. This list is not meant to be all encompassing but to give you an idea of what is occurring. The following is a high-level breakdown of network-based attacks:

• Active attacks
  o Denial of Service
  o Breaking into a site
    ▪ Intelligence gathering
    ▪ Resource usage
    ▪ Deception
• Passive attacks
  o Sniffing
    ▪ Passwords
    ▪ Network traffic
    ▪ Sensitive information
  o Information gathering

At the highest level, the preceding attacks can be broken down into two main areas: active and passive. An active attack involves a deliberate action on the part of the attacker to gain access to the information he is after. An example is trying to telnet to port 25 on a given machine to find out information about the mail server that a company is running. An attacker is actively doing something against your site to get in. In the traditional sense, this is the equivalent of a burglar trying to pick the lock on your front door or throw a brick through a window to gain access. In all of these cases, an attacker is actively doing something against you or your company. Because of this, these attacks are fairly easy to detect, if you are looking for them. However, active attacks often go undetected because companies do not know what to look for or are looking at the wrong thing.

The following is an example that shows how companies typically are addressing security. It is equivalent to protecting your house by concentrating all your efforts on the front of the house. You have a steel-reinforced front door, bars on all the windows, a fence around the front yard, and a large dog patrolling the front area. From the street, most people agree that this is pretty good security, until you go around to the back of the house. The back of the house does not have locks, or bars on

most companies are doing. They put blinders on and concentrate all of their efforts in one area; unfortunately, it is either the wrong area or only one of many areas that should be guarded.

Passive attacks, on the other hand, are geared toward gathering information as opposed to gaining access. This is not to say that active attacks cannot gather information or that passive attacks cannot be used to gain access—in most cases, the two types are used together to compromise a site. Unfortunately, most passive attacks do not necessarily involve traceable activity and therefore are much harder to detect.

Another way to look at it is that active attacks are easier to detect and most companies are missing them; therefore, the chances of detecting a passive attack are almost zero.

Categories of Exploits

There are many different categories of exploits that an attacker can use to attack a machine. As stated earlier, it is imperative to remember that an attacker is going to use several different types of attacks and will always look for the easiest way into a machine or network. In some cases, systems are so open that an attacker can just launch one type of attack and be successful. In other cases, he will have to launch several different attacks to succeed. As we have stated, there are several different categories of exploits, but we will only cover some of the more popular ones, which follow:
