Handbook of Information Security Management:Communications Security



Password Cracking

Most UNIX sites store encrypted passwords together with the corresponding user accounts in a file called /etc/passwd. Should a hacker gain access to this file, he or she can simply run a password-cracking program such as Crack. Crack works by encrypting a standard dictionary with the same encryption algorithm used by UNIX systems (called crypt). It then compares each encrypted dictionary word against the entries in the password file until it finds a match. Crack is freely available via anonymous FTP from ftp.cert.org at /pub/tools/crack.

To combat the hacker’s use of password-cracking software, the network administrator should ensure that:

  Encrypted passwords are stored in a shadow password file and that the file is adequately protected.
  All “weak” passwords are identified by running Crack against the password file.
  Software such as Npasswd or Passwd+ is used to force users to select passwords that are difficult to guess.
  Users do not write their passwords on or near their work environments.
  Only the minimum number of users have access to the command line to minimize the risk of copying the /etc/passwd file.
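The first two checks above (hashes kept out of the world-readable /etc/passwd, and the shadow file adequately protected) can be scripted. The following is an added example, not from the handbook: it parses /etc/passwd-format lines, reports accounts whose password field still carries a real hash or is empty, and checks that a shadow file's mode grants no access to "other". The sample entries and the hash-like string are constructed.

```python
"""Audit /etc/passwd-format entries for hashes that belong in the shadow
file, plus a mode check for the shadow file itself (added example)."""
import stat

# Constructed sample /etc/passwd lines; "abFAKEHASH123" is a placeholder,
# not a real crypt() output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:abFAKEHASH123:1001:1001:Bob:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
svc:!:1003:1003:Service:/var/svc:/usr/sbin/nologin
"""

def classify_password_field(field):
    """Describe how the second passwd field protects the account."""
    if field == "":
        return "empty"         # no password at all: anyone can sign on
    if field == "x":
        return "shadowed"      # the hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"        # can never match any crypt() output
    return "exposed-hash"      # a real hash readable by every local user

def audit_passwd(text):
    """Return (user, finding) pairs for entries that need attention."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed"))
            continue
        user, pw_field = fields[0], fields[1]
        kind = classify_password_field(pw_field)
        if kind in ("empty", "exposed-hash"):
            findings.append((user, kind))
    return findings

def shadow_mode_ok(mode):
    """True if a shadow file mode gives 'other' no access and group no write
    (a root:shadow 0640 layout is accepted, 0644 is not)."""
    return not (mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP))

if __name__ == "__main__":
    for user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```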

Keystroke Logging

It takes less than 30 seconds to type in a short script to capture sign-on sessions. A hacker can use a diskette to install a keystroke-logging program onto a workstation. Once this Trojan horse is installed, it works in the background and captures every sign-on session, based on trigger key words. The hacker can read the captured keystrokes from a remote location and gain access to the system. This technique is very simple and almost always goes unnoticed.

To prevent a hacker’s access to the system by way of a keystroke-logging program, the network administrator should ensure that:

  Privileged accounts (e.g., root) require one-time passwords.
  The host file system and individual users’ workstations are periodically scanned for Trojan horses that could include keystroke-logging programs.
  Adequate physical access restrictions to computer hardware are in place to prevent persons from loading Trojan horses.

Packet Sniffing

The Internet offers a wide range of network monitoring tools, including network analyzers and “packet sniffers.” These tools work by capturing packets of data as they are transmitted along a communications segment. Once a hacker gains physical access to a PC connected to a LAN and loads this software, he or she is able to monitor data as it is transferred between locations. Alternatively, the hacker can attach a laptop to a network port in the office and capture data packets.

Because network traffic often is not encrypted, there is a high chance that the hacker will capture valid user account and password combinations, especially between the hours of 8:00 a.m. and 9:00 a.m., when most users sign on. Tcpdump is a tool for UNIX systems used to monitor network traffic and is freely available via anonymous FTP from ftp.ee.lbl.gov at tcpdump2.2.1.tar.z.

To reduce the possibility of account and password leaks through packet sniffers, the network administrator should ensure that:

  Communications lines are segmented as much as practical.
  Sign-on sessions and other sensitive data are transmitted in an encrypted format by using software such as Kerberos.
  Privileged accounts (e.g., root) sign on using one-time passwords.
  Physical access to communications lines and computer hardware is restricted.

Social Engineering

Hackers often select a user account that has not been used for a period of time (typically about two weeks) and ensure that it belongs to a user whom the administrator is not likely to recognize by voice. Hackers typically target accounts that belong to interstate users or users in another building. Once they have chosen a target, they assume a user’s identity and call the administrator or the help desk, explaining that they have forgotten their passwords. In most cases, the administrator or help desk will reset passwords for the hackers over the telephone.

In an effort to keep the network safe from this type of infiltration, the network administrator should ensure that:

  All staff are regularly reminded and educated about the importance of data security and about proper password management.
  The organization has documented and controlled procedures for resetting passwords over the telephone.
  Staff do not fall prey to social engineering attacks. Staff members must be aware of the possibility that a hacker may misrepresent himself or herself as a member of the information systems department and ask for a password.

General Access Methods

Hackers use a variety of methods to gain access to a host system from another system.

Internet Protocol Address Spoofing

In a typical network, a host allows other “trusted” hosts to communicate with it without requiring authentication (i.e., without requiring a user account and password combination). Hosts are identified as trusted by configuring files such as the .rhosts and /etc/hosts.equiv files. Any host other than those defined as trusted must provide authentication before being allowed to establish communication links.

Internet protocol (IP) spoofing involves an untrusted host connecting to the network and pretending to be a trusted host. This access is achieved by the hacker changing his or her IP address to that of a trusted host. In other words, the intruding host fools the host on the local network into not challenging it for authentication.

To avoid this type of security violation, the network administrator should ensure that:

  Firewalls and routers are appropriately configured so that they reject IP spoofing attacks.
  Only appropriate hosts are defined as trusted within /etc/hosts.equiv, and file permissions over this file are adequate.
  Only appropriate hosts are defined within users’ .rhosts files. If practical, these files should be removed.
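The last two checks (only appropriate hosts in /etc/hosts.equiv and in users' .rhosts files) can be audited with a short script. The following is an added example, not from the handbook: it parses the host/user entries of both file types, flags the "+" wildcard that trusts every host or every user, flags netgroup entries for manual review, and reports any host missing from an approved list. The sample files and the approved-host list are constructed.

```python
"""Audit hosts.equiv / .rhosts trust entries against an approved list
(added example). Entry format: 'host [user]'; '+' is a wildcard,
'+@name' is a netgroup, and a leading '-' denies rather than trusts."""

# Constructed sample files (not from any real system).
SAMPLE_HOSTS_EQUIV = """\
# hosts trusted by this machine
fileserver.example.com
backup.example.com  operator
+@admins
+
"""
SAMPLE_RHOSTS = """\
workstation7.example.com  alice
+ +
-badhost.example.com
"""
# Constructed approved list; a real audit would take it from the site's records.
ALLOWED_HOSTS = {"fileserver.example.com", "backup.example.com",
                 "workstation7.example.com"}

def parse_trust_line(line):
    """Split one entry into (host_token, user_token_or_None)."""
    parts = line.split()
    return parts[0], (parts[1] if len(parts) > 1 else None)

def audit_trust_file(text, allowed_hosts, path):
    """Return (path, entry, finding) triples for risky entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, user = parse_trust_line(line)
        if host == "+":
            findings.append((path, line, "wildcard-host"))   # any host trusted
        elif host.startswith("+@"):
            findings.append((path, line, "netgroup"))        # review membership
        elif host.startswith("-"):
            continue                                         # explicit deny
        elif host not in allowed_hosts:
            findings.append((path, line, "unknown-host"))
        if user == "+":
            findings.append((path, line, "wildcard-user"))   # every user trusted
    return findings

if __name__ == "__main__":
    for f in (audit_trust_file(SAMPLE_HOSTS_EQUIV, ALLOWED_HOSTS, "/etc/hosts.equiv")
              + audit_trust_file(SAMPLE_RHOSTS, ALLOWED_HOSTS, "~alice/.rhosts")):
        print(f)
```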

