Cracking a corporation's IT system

Table of contents

1 EXECUTIVE SUMMARY

2 THE WEAK POINTS OF A CORPORATION
2.1 TECHNICAL WEAK POINTS
2.2 HUMAN WEAK POINTS

3 ATTACKING THE CORPORATION
3.1 HOW TO CRACK THE COMPANY
3.1.1 Virus
3.1.2 Worms
3.1.3 Trojan horses
3.2 METHODS TO SEND VIRAL CODE INTO THE COMPANY

4 THE IMPACT ON A CORPORATION
4.1 ACTIVATING THE INFILTRATED CODE
4.2 THE RESULTS EXPECTED FROM THE ACTIVATED VIRII

5 COUNTER MEASURES

6 CONCLUSIONS

7 REFERENCES

1 Executive Summary

This report deals with how one can crack a company’s IT system. It is written from an attacker’s point of view who wants to penetrate the e-Fence company with an appropriate method. Therefore the weak points of the company are highlighted to determine in what areas the organization is vulnerable and which approach to chose. The technical and human factors in terms of weaknesses are described whereas the conclusion is drawn that there are heaps of security lacks in both areas. The technical flaws that are not removable in some cases as well as the incompetence of staff and managers pose a major threat to the entire company since the most important asset, the information, is not enough protected. As a second step the methods how to attack a company are described. The alternatives of using virus, worm and trojan horse program are emphasized and how they can enter the computer system of the organization. In most cases it is the floppy disk that carries the viral code to the nodes. But email attachments can often contain malicious code as well that can cause damage within the corporate network. In the following section the cracker’s impact on the organization is revealed. It is described how the code is brought into the company and how it is activated. Moreover it is figured out that it takes an activator, who must trigger the malicious application. The results are devastating. From erasing the local hard drive to recoding the file allocation tables those programs have the power to corrupt or even delete data on the computer. As one computer spreads the virus via the network on other computers the whole network will be infected soon. Much more damage can cause trojan horse applications. They gain the control over the victim’s computer and can log all the actions taken by the user. For instance typed passwords can be identified and sent back to the cracker. They are also capable to read, write or even delete data on the computer and can control the entire hardware of the system. As a counter measure it takes both the staff and the technical safety measures to be able to stop a cracker from doing his job. With the awareness and knowledge about security the staff is able to recognize

security flaws and suspicious activities. Anti-virus scanners, firewalls, user restrictions might help to avoid being cracked by someone else.

2 The weak points of a corporation

Nowadays the Intranet of a company becomes more and more integrated in the business processes because it supports the rise in productivity and effectiveness. By using Web technologies organizations can increase their revenues, lower their costs and expand their market share. The key asset of a company is its information and the company gains its competitive advantage by knowing how to use this information. The threat comes usually from outside the company since there are other parties that want to acquire that particular information or limit the company’s opportunities. This can have an impact on the entire business of a corporation. Since precious information is stored in most cases electronically attackers try to access those resources by outsmarting the security systems and breaking into the Intranet of the company. There are often many weaknesses caused by the lacking expertise and the careless attitude of the personnel that enables unauthorized people to gain access to the internal resources. That makes the company become vulnerable since sensitive information is not protected anymore and business operations can be disrupted easily. The security threats are due to technical and human flaws that will be analysed in detail in the next section.

2.1 Technical Weak Points

While deploying an Intranet, technology can reveal a lot of weak points. Many companies use a series of business critical applications and remote access servers where the user is expected to remember multiple passwords for each individual application. The more passwords the users have to keep in mind the more likely they will start to write them down or select commonly ones like the name of their girl-friends, what will weaken the security of those applications.

There are programs available on the Internet that use dictionaries as their data source to identify one’s password via a trial-and-error mechanism. Therefore more companies introduce a single sign-on system that allows users to have only a single unique password to log on the Intranet. The system consists of a list of authorized users and areas within the network in which they are allowed to access resources. State of the art sign-on systems do not work with typed passwords any more. They are using smart cards, miniature electronic physical tokens or fingerprint readers. (Invincible Data Systems, Inc. (2000)

The biggest threat to security is in remote access implementations where employees access the company’s resources with a dial-in modem from outside the corporate premises. With free available “war-dialers” programs one can dial a programmed list of numbers and try to gain access to confidential information. Even without using correct names and passwords for dialing, many remote access servers reveal hostnames or LAN router prompts. Furthermore a lot of remote access servers transfer login names and passwords between the clients and the host without using any kind of encryption. Software is available on the Internet to snoop the user information transferred along with the data stream. There are several ways to prevent unauthorized access from outside the company. The use of encryption technologies for transferring passwords, enhanced password mechanisms like the token cards mentioned above and RADIUS (Remote Authentication Dial-In User Service) servers can help to ensure the protection of the corporate resources. (Lucent Technologies, 2000; Hacker Jargon, no year)

With more than 45,000 virii estimated in these days they are a major threat to companies. Usually documents and not programs spread a virus. They are able to overwhelm e-mail servers or disk storage and can delete data stored on hard drives. Currently there are various technologies available that can prevent an infection by a virus by scanning all the incoming data for virus signatures and bodies. The phenomenon virus will be analysed in much more detail later in this report.

Intrusion is another important issue that has to be addressed when thinking about the security of certain key files like password or system configuration files. It has to be ensured that only the system administrator is allowed to access those files. Therefore intrusion detection software is used to detect

attempts from unauthorized users trying to access those key files. Moreover this kind of software is also able to detect and manage multiple failed attempts to log into the network. (Messmer, 1999)

The lack of segmenting the Intranet into distinct workgroups is often a reason why the resources within the organization are accessible to everybody. This can be considered to be very insecure. To protect the informational assets of a company firewall technologies help to control the traffic and the access between its workgroups, departments and the outside world. The segmentation provides additional security due to strict networking and access controls, especially between servers that are exposed to public use and need to access the internal data resources.

Sensitive data like business critical information that is available on the network insecure is another weak point of a company. It must need additional protection. Therefore modern operating environments provide multiple levels of data protection and logging utilities to track users who access or attempt to access critical information. (Messmer, 1999)

Further vulnerabilities that base on technical flaws are firewalls, gateways or servers that are configured improperly, sometimes without even having a root password. That makes it easy for potential intruders to gain access to confidential information within the company. Other shortcomings occur in the implementation of the protocols like TCP/IP that allows people to spoof IP addresses and initiate TCP connection request (SYN) attacks. (Phrack Magazine, 1999)

Telnet and FTP protocols have their weaknesses as well since they transfer user names and passwords in clear text. (Beale, 2000)

When Microsoft products and UNIX versions interoperate there are often commands that reveal user and system operation. Those are a major threat to people who use that information to break into a system. With so called “finger” programs information about each user who is currently logged on can be revealed: “If you cannot turn off the finger service, consider installing a modified finger daemon. It is rarely necessary to reveal a user's home directory and the source of last login” (Farmer, no year). There are more commands like rexec that allows to remotely execute files on UNIX-based systems. In that manner

people can abuse this command to probe a system for valid user accounts. (Farmer, no year; Digital Rebels, 1998)

Within the network infrastructure of an organization like e-Fence or even Unitec the switches and routers are managed remotely by using a HTTP interface to set their configurations. With the use of weak passwords people can access those pages and get control over the devices.

2.2 Human weak points

Human factors are not to neglect or to underestimate when trying to improve the security of an Intranet since both can pose a major threat for the entire business. An Intranet has to be planned in advance and the security issues that arise during the design stages have to be considered. In some companies there is not even a formal policy established for identifying unauthorized access to confidential data. To meet the business needs a thorough formal planning is needed to avoid inefficiency or even counter productivity.

Once a security system is installed by a group of people they move on to other task and the system will not be maintained and followed-up. While time passes hackers and crackers identify more and more security breaches and holes. Then the security system is not capable any more to protect the internal resources of the company from inside or outside attacks.

Among the companies one can always notice that passwords are often given to someone who requests it. People trust each other and spread their passwords for instance over the telephone. Thereby the intention of the passwords and the individual access rights gets lost. To avoid this, products just like physical token cards (as stated earlier in this reports) must be introduced to prevent the distribution of passwords for instance over the telephone.

[...]