Wednesday, March 14, 2012

Remote Intrusion


> What is remote computer intrusion? 

Remote intrusion is the act of intentionally gaining unauthorized access to somebody else's computer and personal information. It is illegal. 


> What constitutes unauthorized access? 

According to the United States Department of Justice:

"Knowingly Access a Computer Without or In Excess of Authorization"

"A violation of this section requires proof that the defendant 
knowingly accessed a computer without authorization or in 
excess of authorization. This covers both completely unauthorized 
individuals who intrude into a computer containing national security 
information as well as insiders with limited privileges who manage to 
access portions of a computer or computer network to which they have 
not been granted access. The scope of authorization will depend
upon the facts of each case. However, it is worth noting that 
computers and computer networks containing national security 
information will normally be classified and incorporate security 
safeguards and access controls of their own, which should facilitate 
proving this element."


> How is it done? 

Through an understanding of computer networks and the principles associated with them, hackers can discover somebody's internet protocol (IP) address. This number is comparable to a computer's social security number. This is most readily accomplished by placing a cookie on a website that an individual is known to frequent; a cookie provides the internet protocol addresses of the computers which have visited the site. Most companies do this legitimately in an effort to collect information about site visitors so that certain settings can be remembered when they return to the site. Each computer connects to the internet through ports, whose numbers are specified by the Internet Assigned Numbers Authority. Information from your computer must be transmitted through ports so that it can reach the public internet. There are ports for e-mail and ports for connecting to the internet. 
Most hackers will gain unauthorized access to an individual's computer through what is known as a "backdoor", or through a port which is open and has gone unnoticed by an administrator. Once a hacker has slipped through a port and remotely accessed an individual's computer, that person's personal information, including files and photographs, can be viewed or, worse yet, copied and placed on an external hard drive in a technique referred to as "virtual memory" or a "mount daniel" attack. 

> How do I know if an external hard drive has been placed remotely on my computer? 

You can utilize the Windows Management Instrumentation (WMI) program to enable disk management. This process will let you view and manage the disks and drives on your computer, and it will also enable you to gain control over an intrusive hard drive. You can also run an "undelete" program, which will list the hard drives and disks on your computer. This is called digital forensics. 

Here is an example: 

Analyzing devices ...
 Analyzing device Hard Disk 0 (C:,D:,T:)
 Analyzing volume Daniel Mounted
 Analyzing volume Local Disk (C:)
 Analyzing volume RECOVERY (D:)
 Analyzing volume MOUNTDANIEL (T:)
 Analyzing device CDRom Drive 0 (E:)

 Name: MOUNTDANIEL 124 (T) [Excellent]; Status: Excellent; Drive type: Local Disk; Volume Name: MOUNTDANIEL;
 File System: NTFS; Total Size: 103 MB; Free Space: 13.3 MB; Used Space: 90.0 MB; First Sectors: 624928768;
 Serial Number: DA30-1BC3;
 Attributes found: PBS; MFT; MFT Mirr; Vol; BootRef; Root; CBS; CMFT; CMFT Mirr; CVol; CLog; Bitmap;
               
 Name: MOUNTDANIEL 125 (125) [Very Bad]; Status: Very Bad; Drive type: Local Disk; Volume Name: MOUNTDANIEL;
 File System: NTFS; Total Size: 138 MB; Free Space: 0 bytes; Used Space: 138 MB; First Sectors: 624858240;
 Serial Number: 0000-0000;
 Attributes found: MFT; MFT Mirr; Vol;


> What is digital forensics? 

Digital forensics is the application of science and engineering to the recovery of digital evidence in a legally acceptable manner. Examiners use digital investigation and analysis techniques to identify potential legal evidence, applying their skills across a variety of software programs, different operating systems, varying hard drive sizes, and specific technologies. Examiners are capable of locating deleted, encrypted or damaged file information that may serve as evidence in a criminal or terrorism investigation.

The American Government has a special facility called "The Defense Computer Forensics Lab" which specializes in retrieving information from computers, no matter the condition of the hardware or disks.

http://www.DigitalIntelligence.com
"DriveSpy"

Used for accessing physical drives using pure BIOS (Int13 or Int13x) calls, which bypass the operating system while ensuring that the OS won't modify or erase data.

Enables you to:
- Examine hard disk partitions
- Copy files to a designated area without altering file access / modification dates
- Undelete files
- Search drives, partitions, and files for text strings or data sequences
- Store the slack space from an entire partition in a single file for enumeration
- Save and restore one or more contiguous sectors to and from a file
- Disk splicing
 
"Forensic Recovery Evidence Device Diminutive 
Interrogation Equipment"
 
"FREDs" / Forensic Recovery Evidence Devices
"FREDDIES" / (portable versions)
GUIDANCE SOFTWARE
http://www.guidancesoftware.com

"EnCase" / Scans a hard disk for graphics files

Computer Forensics
U.S.-based "Electronic Crimes Task Force"
http://www.ectaskforce.org

Scotland-based "National Hi-Tech Crime Unit"
http://www.sdea.police.uk/nhtcus.htm

Forensic Tools
http://www.sleuthkit.org

Computer Security, Cybercrime, and Steganography Resources
http://www.Forensics.NL

Talisker Security Wizard Portal
http://www.networkintrusion.co.uk
 
United States National Security Agency


Since the entire process itself is very subtle, not many people would ever realize that their computer is being illegally accessed remotely by somebody else. 
Although the process itself is more complicated than described, this is the basic premise of remote computer intrusion. 
For a more detailed understanding, I would recommend you read:

The Real Hacker's Handbook by Dr. K. (available through Carlton Books)
and 
Steal This Computer Book 4.0 by Wallace Wang (available through No Starch Press)

> How can I know if my computer is being accessed remotely? 

As many ways as you can attempt to deter intrusion, there are just as many ways hackers can respond. 
Keeping a detailed record of all files and folders, including the dates created and modified is one way. 
Another method is through log file analysis. 

> What are logs? 

Log files keep track of who used a computer, what they did, and for how long they used the computer. With respect to remote intrusion, log files can keep track of when a hacker arrives, what the hacker did, and how long the hacker stayed on the computer - similar to a surveillance camera. 
Therefore, hackers look for the log files that recorded their entry as soon as they gain access to a computer. 
Among the information that a log file might contain that may help a computer's owner track the hacker down are the following: 

- The IP address of the machine that performed an action or "request" on the target computer

- The user name, which simply identifies the account being used

- The date and time of a particular action 

- The HTTP status code (which shows what action the target computer performed in response to the user's command or "request") that the target computer returned to the user. 

- The number of bytes transferred to the user

Operating systems generate logs, which are detailed reports of what is going on in the computer itself. They provide strong evidence of computer intrusion. Log analysis is a skill in which every system administrator should be proficient. There are computer-security companies which specialize in log analysis for criminal intent. 
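As an added example (not code from the original post), here is a Python parser for web-server lines in Common Log Format, which carry exactly the fields listed above: the client IP address, the user name, the date and time, the request, the HTTP status code and the bytes transferred. The sample log lines, the per-address summary and the thresholds in flag_suspicious are constructed for illustration; an administrator would tune them to the traffic of the site being protected.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Common Log Format (not taken from the original page).
# 203.0.113.7 probes for pages that do not exist; 198.51.100.20 is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2012:02:11:03 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [14/Mar/2012:02:11:04 +0000] "GET /admin/ HTTP/1.1" 403 213
203.0.113.7 - - [14/Mar/2012:02:11:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [14/Mar/2012:02:11:05 +0000] "GET /.git/config HTTP/1.1" 404 162
203.0.113.7 - - [14/Mar/2012:02:11:05 +0000] "GET /backup.zip HTTP/1.1" 404 162
198.51.100.20 - alice [14/Mar/2012:02:12:00 +0000] "GET /reports/q1.pdf HTTP/1.1" 200 88120
198.51.100.20 - alice [14/Mar/2012:02:12:30 +0000] "POST /logout HTTP/1.1" 302 0
this line is malformed and should be skipped
"""

# One Common Log Format record: ip ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_clf(text):
    """Turn log text into a list of dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
        d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(d)
    return records


def summarize_by_ip(records):
    """Aggregate requests, error responses, bytes and account names per client address."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "bytes": 0, "users": set()})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        if r["status"] >= 400:
            s["errors"] += 1
        if r["user"] != "-":
            s["users"].add(r["user"])
    return stats


def flag_suspicious(stats, min_requests=4, error_ratio=0.5):
    """Addresses whose requests mostly end in 4xx/5xx look like probing; thresholds are assumptions."""
    flagged = []
    for ip, s in stats.items():
        if s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize_by_ip(parse_clf(SAMPLE_LOG))
    for ip, s in stats.items():
        print(ip, s["requests"], "requests,", s["errors"], "errors,", s["bytes"], "bytes")
    print("worth a look:", flag_suspicious(stats))
```

The same loop runs unchanged over a real access log read from disk; the point is that every field the post lists is in the record, so the question "which address sent many requests that the server refused" is a two-line aggregation rather than a manual read of the file.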

Here is an example: 

>> Requested to remove devices controlled by the "FBIKB_NT" 
service.

ERROR@CM_Get_Device_ID_List_Size - (00000025)
<< Failed to complete the request!



>> Requested to remove a specific device ("Root\LEGACY_FBIKB_NT\0000").


Root\LEGACY_DISCACHE
Root\LEGACY_DISCACHE\0000

Root\volmgr
Root\volmgr\0000
Root\LEGACY_MOUNTMGR
Root\LEGACY_MOUNTMGR\0000
 
System Volume Information >Mount Point Manager Remote Database

$RNC0EFW
$RKYNMHG
Root\MS_AGILEVPNMINIPORT
Root\MS_AGILEVPNMINIPORT\0000

Root\LEGACY_SISRAID2

Root\LEGACY_SISRAID4

Root\*ISATAP
Root\*ISATAP\0000
Root\*ISATAP\0001

Root\ACPI_HAL
Root\ACPI_HAL\0000

Root\blbdrive
Root\blbdrive\0000

Root\COMPOSITEBUS
Root\COMPOSITEBUS\0000

Root\COMPOSITE_BATTERY
Root\COMPOSITE_BATTERY\0000

Root\LEGACY_ADP94XX

You can also browse the logs generated by the Event Viewer. Here is an example: 

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/7/2011 11:42:19 PM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: Owner-HP
Description:
A logon was attempted using explicit credentials.

Subject:
 Security ID: SYSTEM
 Account Name: OWNER-HP$
 Account Domain: WORKGROUP
 Logon ID: 0x3e7
 Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
 Account Name: Owner
 Account Domain: Owner-HP
 Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
 Target Server Name: localhost
 Additional Information: localhost

Process Information:
 Process ID: 0x220
 Process Name: C:\Windows\System32\winlogon.exe

Network Information:
 Network Address: 127.0.0.1
 Port: 0

This event is generated when a process attempts to log on 
an account by explicitly specifying that account’s credentials.  
This most commonly occurs in batch-type configurations such as 
scheduled tasks, or when using the RUNAS command.
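An added example, not part of the original post: a Python routine that parses the "Key: value" text of an event like the 4648 record above into sections and applies a few defender-side checks. The two sample events are constructed (the first mirrors the page's own record, the second is invented to show a case worth reviewing); the allow-list of expected processes and the review rules are assumptions a reader would adjust to their own machine.

```python
import ipaddress

# Constructed sample events in the text layout Event Viewer shows for ID 4648.
# EVENT_BENIGN follows the page's own record; EVENT_SUSPECT is invented.
EVENT_BENIGN = """\
Event ID: 4648
Computer: Owner-HP
Subject:
 Security ID: SYSTEM
 Account Name: OWNER-HP$
 Account Domain: WORKGROUP
Account Whose Credentials Were Used:
 Account Name: Owner
 Account Domain: Owner-HP
Target Server:
 Target Server Name: localhost
Process Information:
 Process ID: 0x220
 Process Name: C:\\Windows\\System32\\winlogon.exe
Network Information:
 Network Address: 127.0.0.1
 Port: 0
"""

EVENT_SUSPECT = """\
Event ID: 4648
Computer: Owner-HP
Subject:
 Security ID: S-1-5-21-1111-2222-3333-1001
 Account Name: Owner
 Account Domain: Owner-HP
Account Whose Credentials Were Used:
 Account Name: Administrator
 Account Domain: CORP
Target Server:
 Target Server Name: FILESRV01
Process Information:
 Process ID: 0x1a4c
 Process Name: C:\\Windows\\System32\\cmd.exe
Network Information:
 Network Address: 203.0.113.5
 Port: 49211
"""

# Assumed allow-list: processes that normally generate explicit-credential logons on a workstation.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
}


def parse_event(text):
    """Parse 'Key: value' lines into {section: {key: value}}; unindented keys go under '_top'."""
    event = {"_top": {}}
    section = "_top"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] in " \t"
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if not indented and value == "":
            section = key                      # a header such as "Subject:" opens a section
            event.setdefault(section, {})
        else:
            target = section if indented else "_top"
            event.setdefault(target, {})[key] = value
    return event


def review_4648(event):
    """Return the reasons an explicit-credential logon deserves a look; an empty list is routine."""
    reasons = []
    net = event.get("Network Information", {}).get("Network Address", "-")
    if net not in ("-", ""):
        try:
            if not ipaddress.ip_address(net).is_loopback:
                reasons.append(f"credentials supplied from non-loopback address {net}")
        except ValueError:
            reasons.append(f"unparseable network address {net!r}")
    proc = event.get("Process Information", {}).get("Process Name", "").lower()
    if proc not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {proc or '<none>'}")
    computer = event["_top"].get("Computer", "").lower()
    target = event.get("Target Server", {}).get("Target Server Name", "")
    if target.lower() not in ("localhost", computer):
        reasons.append(f"credentials used against another host: {target}")
    subj = event.get("Subject", {}).get("Account Name", "")
    used = event.get("Account Whose Credentials Were Used", {}).get("Account Name", "")
    if used.lower() == "administrator" and subj.lower() != used.lower():
        reasons.append(f"account {subj} used Administrator credentials")
    return reasons


if __name__ == "__main__":
    for label, text in (("benign", EVENT_BENIGN), ("suspect", EVENT_SUSPECT)):
        print(label, review_4648(parse_event(text)) or "nothing unusual")
```

The benign record returns no reasons because, as the event's own description says, winlogon and scheduled tasks supplying credentials on the local machine is routine. The constructed second record trips every rule: a command shell on the workstation used domain Administrator credentials against a file server from a non-loopback address, which is the kind of 4648 entry an owner reviewing the Security log would want explained.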
 

It is important to understand that by installing a rootkit and gaining access to operating system functions, dates can sometimes be modified or altered, although this is not always the case. In many cases, just editing the log files can hide a hacker's tracks, but system administrators have their own techniques for ensuring the integrity of their log files. One of the simplest involves printing out the log files as they are generated. That way, if a hacker does delete or modify the log files at some point, the printed copy will still reveal his or her presence. If the system administrator suspects something is wrong, he or she can compare the log file on the hard disk with the printout. 
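The printout comparison described above can also be done in software: keep a chain of hashes over the log lines somewhere the machine's users cannot write to, then recompute the chain from the file on disk and see where the two diverge. This is an added example in Python, not from the original post; the seed string and the sample log lines are constructed, and the ledger is assumed to live off the monitored host (the software equivalent of the paper copy).

```python
import hashlib

# Assumption: a seed known to the administrator and stored with the ledger, not on the host.
SEED = "constructed-seed-kept-with-the-ledger"


def chain_log(lines, seed=SEED):
    """Each digest covers the line and the digest before it, so editing, removing or
    reordering any line changes every digest after that point."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    digests = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_log(lines, ledger, seed=SEED):
    """Recompute the chain from the file on disk and compare it with the stored ledger.
    Returns (True, None) when they agree, otherwise (False, index of the first disagreement)."""
    recomputed = chain_log(lines, seed)
    for i, digest in enumerate(recomputed):
        if i >= len(ledger):
            return False, i            # lines were appended after the ledger was taken
        if digest != ledger[i]:
            return False, i            # this line, or one before it, was edited or removed
    if len(ledger) > len(recomputed):
        return False, len(recomputed)  # lines were removed from the end of the file
    return True, None


# Constructed authentication log lines.
ORIGINAL = [
    "Mar 14 02:10:01 host sshd[412]: Accepted password for owner from 198.51.100.20 port 51022",
    "Mar 14 02:10:09 host sudo: owner : TTY=pts/0 ; COMMAND=/bin/ls",
    "Mar 14 02:15:44 host sshd[480]: Accepted password for owner from 203.0.113.5 port 40011",
    "Mar 14 02:16:02 host sudo: owner : TTY=pts/1 ; COMMAND=/usr/bin/vi /var/log/auth.log",
]


def demo():
    """Take the ledger while the log is intact, then check three later copies of the file."""
    ledger = chain_log(ORIGINAL)
    line_removed = ORIGINAL[:2] + ORIGINAL[3:]   # the 02:15:44 login line is gone
    truncated = ORIGINAL[:3]                     # the last line is gone
    return {
        "intact": verify_log(ORIGINAL, ledger),
        "line_removed": verify_log(line_removed, ledger),
        "truncated": verify_log(truncated, ledger),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if result[0] else 'mismatch at line ' + str(result[1])}")
```

A chain, unlike a plain per-line hash, pins the order and the count of the lines, which is why a removed line in the middle is reported at its own position and a trimmed tail at the position where the file now ends. It gives the same assurance as the printout only if the ledger (and the seed) are out of reach of whoever can edit the log; a keyed variant using hmac in place of sha256 adds nothing if the key sits beside the file.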

To learn about the capabilities of various log file analysis programs, visit: 


> What is a rootkit? 

A rootkit contains all the tools a hacker needs to maintain unauthorized access and tamper with an individual's computer. Since it needs to be hidden, it will typically masquerade as a legitimate or benign program, such as LimeWire, or even as an anti-virus program such as Kaspersky. 
Rootkits can delete or modify a computer's log files. 
What makes rootkits particularly dangerous is how they've managed to evolve, getting stealthier and trickier to better avoid detection.
Once a hacker plants a rootkit on a computer, it's nearly impossible to clean it off the system without reformatting the hard disk and reinstalling the operating system. 
If you intend on having an anti-virus program, it is best to have one installed prior to taking your computer home from the store. Otherwise, there is a risk that installing it while a hacker already has remote access to your computer will subvert the intended effects and enable them to use it as a rootkit. 


Installing an IDS, or intrusion detection system, such as "Snort" enables an administrator to be aware of possible intrusions on a computer. Snort is one of the more popular intrusion detection systems and can be readily downloaded from the internet:

> What is an intrusion detection system? 

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

Terminology

  • Alert/Alarm: A signal suggesting that a system has been or is being attacked.
  • True Positive: A legitimate attack which triggers an IDS to produce an alarm.
  • False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
  • False Negative: A failure of an IDS to detect an actual attack.
  • True Negative: When no attack has taken place and no alarm is raised.
  • Noise: Data or interference that can trigger a false positive.
  • Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
  • Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
  • Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
  • Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
  • Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
  • Masquerader: A user who is not authorized to use a system, but tries to access its information as an authorized user would. They are generally outside users.
  • Misfeasor: They are commonly internal users and can be of two types:
    1. An authorized user with limited permissions.
    2. A user with full permissions and who misuses their powers.
  • Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.


Types

For the purpose of dealing with IT, there are two main types of IDS:

Network intrusion detection system (NIDS)
An independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.

Host-based intrusion detection system (HIDS)
An agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.

Intrusion detection systems can also be system-specific, using custom tools and honeypots.
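As an added example of the file-system check a HIDS performs (Python written for this page, not code from the original post or from OSSEC), the following builds a baseline of hashes, sizes and permission bits for a directory tree and later reports files that were modified, added, removed or re-permissioned. The demo() function constructs a throwaway tree in a temporary directory and then makes the kinds of changes such an agent is meant to notice; the file names and contents are invented.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare_baseline(root, baseline):
    """Rescan root and report differences against a baseline taken earlier."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for rel, info in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
            continue
        if current[rel]["sha256"] != info["sha256"]:
            report["modified"].append(rel)
        if current[rel]["mode"] != info["mode"]:
            report["mode_changed"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a small tree, then simulate changes an agent should flag."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        with open(os.path.join(bin_dir, "login"), "wb") as f:
            f.write(b"original program bytes")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "motd"), "w") as f:
            f.write("welcome\n")
        baseline = build_baseline(root)

        # Simulated changes: a replaced binary, an extra uid-0 account, a planted file, a removed file.
        with open(os.path.join(bin_dir, "login"), "wb") as f:
            f.write(b"different program bytes")
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("extra:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, ".hidden"), "w") as f:
            f.write("x")
        os.remove(os.path.join(root, "motd"))
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: an agent keeps it (or a signed copy) where the host's users cannot rewrite it, for the same reason the log printout in the previous section is kept off the machine. Hashing rather than comparing modification dates matters because, as the rootkit section notes, dates on a compromised system can be altered.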





Federal Criminal Code Related to Computer Intrusions

A number of federal criminal statutes relate to computer intrusion and other computer- and network-based offenses, including the following:

18 U.S.C. § 1028.  Fraud and Related Activity in Connection with Identification Documents, Authentication Features, and Information

18 U.S.C. § 1029.  Fraud and Related Activity in Connection with Access Devices

18 U.S.C. § 1030.  Fraud and Related Activity in Connection with Computers

18 U.S.C. § 1362.  Communication Lines, Stations, or Systems

18 U.S.C. § 2510 et seq.  Wire and Electronic Communications Interception and Interception of Oral Communications

18 U.S.C. § 2701 et seq.  Stored Wire and Electronic Communications and Transactional Records Access

18 U.S.C. § 3121 et seq.  Recording of Dialing, Routing, Addressing, and Signaling Information




Daniel S. Abrahamian
Livingston, New Jersey
Remote Intrusion
FEELMYFLAME
