This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39116604,00.htm
Hackers preying on patching headache
frixion and dryice reveal how hackers target businesses
By Andy McCue
Published: Monday 27 October 2003
This is the second part of our interview with two UK hackers dryice and frixion who were implicated in testimony during a recent trial over a denial of service attack on one of the largest ports in the US. Here they reveal how businesses are still leaving themselves woefully exposed to even the most inexperienced script kiddies.
frixion, who now holds down a steady and respectable job in public sector IT, said that the sheer volume of patches that need applying in order to close the vulnerabilities that are exposed in equally worrying volumes is a headache for administrators.
"Take your standard Windows install for example, you need to apply dozens of patches as soon as you install it to make it even half secure. I’ve just taken a look at the content directory on our Microsoft Software Update Services server here at work and there are over 600Mb of security updates, some critical. Granted they’re not all pertinent to a particular system, but it gives you a good idea," he wrote in an email.
And there are still plenty of familiar and common system vulnerabilities that are easily exploitable by both experienced and inexperienced hackers using freely available source code and tools on the internet, he said.
"The standard overflow techniques are still as widespread as ever. Be it heap/buffer/integer overflow, these probably make up over 90 per cent of new exploits discovered, and with so much open source and a copy of your favourite debugger, it doesn’t take long to work out exactly what shellcode to send a vulnerable system."
A technique known as SQL injection is also a problem that leaves many companies exposed, according to dryice – who also now works in the IT industry. This is where information in a database can be compromised by manipulating the queries sent to it, often through user input such as HTML forms on websites.
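As an added illustration, not part of the original article, here is the same login lookup written both ways: the first splices form input straight into the query text, the second passes it as a bound parameter so quote characters in the input stay data. The table, rows and crafted input are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory database; the table and rows are assumptions
    # for this example, not anything from the original article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # Form input is pasted into the SQL text, so the user controls the query.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_parameterised(conn, username, password):
    # Placeholders send the values separately from the statement; the database
    # never interprets them as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    conn = make_db()
    # Constructed form input that rewrites the WHERE clause so it is always true.
    crafted = "' OR '1'='1"
    return {
        # Concatenation: every user row comes back without a valid password.
        "vulnerable": sorted(login_vulnerable(conn, crafted, crafted)),
        # Parameters: the crafted text is compared literally and matches nothing.
        "parameterised": login_parameterised(conn, crafted, crafted),
        # Normal credentials still work with the parameterised version.
        "legit": login_parameterised(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```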
One reason why denial of service attacks are so common is because it is so easy for script kiddies and hackers to download the necessary tools to execute it. But frixion said many could easily be prevented by more responsible action from internet service providers (ISPs).
"ISPs play a vital role in preventing denial of service attacks. It is usually very easy for administrators to apply rules to filter such attacks, for both inbound and outbound attacks. We have systems for this in place at our co-location centre, and have yet to see any of our hosted servers go down during an attack," he said.
The other option, of course, is to go with the operating systems favoured by geeks and hackers. frixion said that Unix and Linux have become even harder to penetrate, saying that even out of the box "most become practically impenetrable" with just a small amount of configuration.
"Gone are the days where you could just compile some readily available source and just give it an IP (that you found with your ultra-fast banner scanner) on the command line, and drop a root shell in the newest distribution of RedHat," he said.
A bigger threat facing businesses and home users, and one that anti-virus companies have been warning about for some time, is the 'blended threat' virus with a devastating payload. One security source recently told us that some of the recent worms, such as Sobig, were just one step away from having a payload that would erase the victim's hard drive.
dryice said: "One of the most frightening concepts that possibly looms on the horizon is the creation of a worm similar to Blaster/Nachi/Sobig, but with a potentially lethal payload. So far the symptoms suffered by people affected by these worms have been pretty mild; just imagine what would happen if someone made one that irreversibly deleted files or dropped database tables."
Both hackers still put the blame for breaches on those who perpetrate the crimes, and not on the businesses for failing to have adequate security.
"If you’re walking down the street and see an empty car with its keys in the ignition, does that give you the right to drive away in it?"
But frixion warned that for businesses today it is a case of when, rather than if, their systems will come under attack.
"The bottom line is no matter who you are, someone will try and gain access to your system at some point in existence, and whether or not they are successful is down to you or your administrator."
Copyright © 2008 CBS Interactive Limited. All rights reserved.