
Monday, June 15, 2009

What are hackers?

Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. Under such a definition, I would gladly brand myself a hacker. (There is in fact more to it than that - hackerdom is an entire culture in its own right.) However, most people understand a hacker to be what is more accurately known as a 'cracker'. Worryingly, people tend to prefer to use the word 'hacker' over the more technically correct 'cracker'. This means that many are afraid to use the word for its correct meaning. On this website, when I refer to a hacker, I actually mean a cracker. This is because I prefer to use language that I feel most people understand, rather than language that is technically correct. If you want to know what a cracker is, please read ahead to the next section...

What are crackers?

Crackers are people who try to gain unauthorised access to computers. This is normally done through the use of a 'backdoor' program installed on your machine. A lot of crackers also try to gain access to resources through the use of password cracking software, which tries billions of passwords to find the correct one for accessing a computer. Obviously, a good protection from this is to change passwords regularly. Another good move is the use of software that supports intruder lockout, where no further passwords are accepted after a certain number of bad passwords have been tried. Even the correct password wouldn't allow access. Such blocks are normally released after a period of time has elapsed (eg 15 minutes). Of course, an even better idea is never to put security-sensitive resources on the Internet in the first place. If you don't want something to be accessed from the Internet, then make it so that it is only accessible from your local network, or even just from one computer. However, backdoor programs are programs that can expose files to the Internet that were never meant to be shared with other people. You can protect yourself from these by using a firewall and a good up-to-date anti-virus program. You would normally get such a backdoor program by opening an e-mail attachment containing the backdoor program. It is normal for such a backdoor program to send out more copies of itself to everyone in your address book, so it is possible for someone you know to unintentionally send you a malicious program. Note that this can normally only be done if you are using Microsoft Outlook or Outlook Express. A few backdoor programs can work with any e-mail program by sitting in memory and watching for a connection to a mail server, rather than actually running from within a specific mail program.
If you do use Outlook or Outlook Express, and you do not have the correct security patches installed, it may be possible for a malicious program to be executed from an e-mail when you receive it, without the need for you to click on any attachments. Note that the same bug also affects Internet Explorer. A security patch is available for this, but personally I would advise that you use different mail and web browsing software. There are other ways of cracking as well, some more widespread than others. See How do hackers hack? for more information. Note that on most of this website, I refer to 'hackers' instead of 'crackers'. I mean 'crackers'. I explain this in more detail above.
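The intruder lockout described above, as an added example in C that is not from the original page: after a run of bad passwords the account is locked, the correct password is refused while the lock lasts, and the lock is released after 15 minutes (the page's own figure). The five-failure threshold is an assumption; the page only says "a certain number". The last function shows what the lock does to the guess rate of a password cracking program.

```c
#include <stdio.h>
#include <time.h>

/* Intruder lockout: after MAX_FAILURES bad passwords the account is locked
 * for LOCK_SECONDS, and even the correct password is refused until the lock
 * expires. MAX_FAILURES is an assumed value; 15 minutes comes from the text. */
#define MAX_FAILURES 5
#define LOCK_SECONDS (15 * 60)

enum auth_result { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_LOCKED };

struct account {
    int failures;          /* consecutive bad passwords since last success */
    time_t locked_until;   /* 0 when the account is not locked */
};

/* Decide one login attempt. password_ok is the outcome of the real password
 * comparison done by the caller; 'now' is passed in to keep this testable. */
enum auth_result try_login(struct account *a, int password_ok, time_t now)
{
    if (a->locked_until != 0) {
        if (now < a->locked_until)
            return AUTH_LOCKED;        /* still locked, even if password_ok */
        a->locked_until = 0;           /* lock period has elapsed */
        a->failures = 0;
    }
    if (password_ok) {
        a->failures = 0;
        return AUTH_OK;
    }
    if (++a->failures >= MAX_FAILURES) {
        a->locked_until = now + LOCK_SECONDS;
        a->failures = 0;
    }
    return AUTH_BAD_PASSWORD;
}

/* Simulate a password-guessing program firing n wrong guesses one second
 * apart at a fresh account; return how many were actually compared against
 * the password rather than refused outright by the lock. */
int guesses_checked(int n)
{
    struct account a = { 0, 0 };
    int checked = 0;
    for (int i = 0; i < n; i++)
        if (try_login(&a, 0, (time_t)i) == AUTH_BAD_PASSWORD)
            checked++;
    return checked;
}

int main(void)
{
    printf("of 3600 guesses in one hour, only %d were checked\n",
           guesses_checked(3600));
    return 0;
}
```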

What damage can a hacker do?

This depends upon what backdoor program(s) are hiding on your PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program onto your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer that can. Hackers can see everything you are doing, and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything else that can be done to a file. A hacker could install several programs onto your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card information. Some backdoor programs even allow a hacker to listen in on your conversations using your computer's microphone if one is attached! Hackers can do great damage to your computer. They could delete vital files from your hard disk, without which your computer could not work. However, you can re-install these from backups (you do keep backups, don't you?) In theory, the absolute worst damage a hacker could do is turn your computer into a large paperweight. It is possible - the CiH virus demonstrated how. This virus attacked your computer using the then new Flash BIOS technology. This capability was intended to be used to upgrade your computer's BIOS. (The BIOS is a program stored on a chip inside your computer. It controls quite a lot of low-level stuff and is a very vital part of your computer. It is the BIOS that does all the memory checks when you turn on, and also performs the first stage in loading your operating system.) However, the virus used this 'feature' to destroy the BIOS. Without the BIOS, the computer can't work. The only way to recover from this would be to replace your computer's motherboard. At the time of writing this, there are no backdoor programs that can do the same thing, but it is easy enough for a hacker to install a virus that does.
Since the CiH virus, many BIOSs have a "flash write protect" option in BIOS setup, and/or a jumper setting on the motherboard that has a similar effect. See your motherboard manual for details.

How does a firewall protect me?

Basically, firewalls protect your computer from unauthorised access attempts. There are two kinds of firewall. Networked computers tend to be connected to the Internet through just one or two computers (hence only one Internet connection is required). These computers behave as firewalls by blocking any unauthorised packets. Any other packets are passed on to the computer they are intended for. This kind of firewall is called a corporate firewall. The kind of firewall you may be more familiar with is a personal firewall - this is a program that runs on your computer, and blocks any unauthorised incoming packets. Personally, I use ZoneAlarm. The great thing about ZoneAlarm is that it is easy to configure. Also, it only allows chosen programs to access the Internet - allowing you to block hackers that use standard protocols such as FTP. In case of emergency, it also has an emergency stop button, which allows you to block all access to the Internet immediately. ZoneAlarm can be downloaded and used for free by private individuals and charities. Businesses, governments, and educational institutions can download ZoneAlarm on the basis of a 60-day free trial. See ZoneLab's website for more information. Remember that although a firewall stops hackers from getting in, it will not remove any existing 'backdoor' software from your machine. For this, you need a good anti-virus product like Norton or Sophos. Also make sure that you use your anti-virus software regularly, and that you keep it up-to-date.

How do I report hackers?

When an access attempt occurs, if you have alert popups turned on, ZoneAlarm will tell you the IP address of the possible hacker. This looks something like 123.123.123.123 (example only). You can use this information to track down and report hackers to their ISP. Bear in mind that you are unlikely to get any response apart from a simple acknowledgement - they have to deal with hundreds of reports like yours every day. Here is a rough guide of how to report hackers (note: some of the programs referred to are only available in Windows):

1. Make a note of all the information ZoneAlarm gives you. If possible, use ZoneAlarm's text log option- many ISPs prefer text log format (personally, I supply ZoneAlarm's text log and an English translation).

2. Select Start, Run... In the Run box, type in "winipcfg" and then click OK. This will tell you what your IP address is (among other things). Write down the IP address.

3. Use an Internet tool like SamSpade's address digger to look up which ISP uses the IP address given in your firewall's log.

4. This will return a lot of technical information. Some ISPs add remarks to this information telling you where to send abuse reports to. Make a note of any such e-mail addresses. If there is no such information, look at the official name for the server (near the top), or the names of the domain name servers. To convert these to an e-mail address, remove everything before the first period, including the period itself, then add 'abuse@' in front of it.

5. Now send an e-mail to the abuse address(es) you have. If the recipient obviously isn't English (eg if the e-mail address ends in .de (Germany) or .fr (France)), write it in their language, if you know it. If not, don't worry, most people speak at least a little English, and the technical language of computers is the same almost anywhere you go!

6. Include in the message what ZoneAlarm told you. Also include your own IP address (this is what winipcfg told you), the date, the time, your time zone (in relation to GMT), and an indication of how accurate your computer's clock is (eg if you set it by the atomic clock every day, say so!)

What is a port scan?

A port scan is, quite simply, a test to see if a computer exists and responds to access attempts on a certain port (eg TCP port 80, used by the HTTP protocol). Port scans, on their own, are quite harmless and have many legitimate uses. However, they also have a malicious use, which is to test to see if any particular backdoor software is running on a computer for the purposes of then using such backdoor software. In my Internet logs, I include all unauthorised port scans of my computer. I tend to describe these port scans as hack attempts, since it is most likely that this is what they are. To be absolutely pedantic, I shouldn't really describe them as such, since there may be other explanations.

What is an IP address?

An IP address is a number that can uniquely identify any computer on the Internet. With the current Internet protocol (IPv4), an IP address is a 32-bit number. That means that as a binary number, it would be stored as 32 ones and zeroes. There are 4,294,967,296 possible IP addresses. However, we humans tend to split IP addresses into four 8-bit numbers, express these numbers using our decimal number system, and separate them with dots. With 8-bit numbers, each number must be a whole number in the range 0 to 255, inclusive. For example, an IP address of 2,071,690,107 would probably be expressed as 123.123.123.123 (example only). Some people might express an IP address in hexadecimal as well (7B7B7B7Bh in this case). The dotted IP address is by far the most common, however. As the Internet grows, plans are being made to increase the size of IP addresses. (The "next" Internet protocol, IPv6, uses 128-bit IP addresses.) The problem with that, of course, is that quite a few Internet protocols would need to be rewritten, since they are designed to work with 32-bit IP addresses. This includes the Internet Protocol itself (IP). Thankfully, Internet packets include an IP version flag, so it would be possible to have both old and new implementations of the IP communicate with each other. (The newer implementation would use the older protocol when communicating with older implementations. Implementations of the IP would know whether a computer was using the older or newer protocol from the version flag. Unfortunately, older implementations would not be able to access anything outside of the 32-bit IP range.) IP addresses can be statically or dynamically allocated. Statically allocated IP addresses always refer to the same computer. However, dynamically allocated IP addresses can refer to different computers at different times. For example, if you have a dial-up Internet connection, your IP address doesn't become unused when you hang up- it is allocated to someone else. 
When you reconnect, you are allocated a new IP address. This is dynamic allocation.
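The dotted-decimal form described above, as an added C example that is not part of the original page: it converts the 32-bit number to and from dotted form, rejecting anything that is not exactly four whole numbers in the range 0 to 255, and prints the 2,071,690,107 example in all three notations the text mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render a 32-bit IPv4 address in dotted-decimal form. 'out' needs room for
 * "255.255.255.255" plus the terminator, i.e. 16 bytes. */
void ipv4_to_dotted(uint32_t ip, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(ip >> 24) & 0xFF, (unsigned)(ip >> 16) & 0xFF,
             (unsigned)(ip >> 8) & 0xFF, (unsigned)ip & 0xFF);
}

/* Parse dotted-decimal back into the 32-bit number. Returns 1 on success and
 * 0 if the text is not exactly four whole numbers in 0..255 joined by dots. */
int dotted_to_ipv4(const char *s, uint32_t *ip)
{
    uint32_t value = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned n = 0;
        int digits = 0;
        if (*s < '0' || *s > '9')
            return 0;                 /* every octet must start with a digit */
        while (*s >= '0' && *s <= '9') {
            n = n * 10 + (unsigned)(*s++ - '0');
            if (++digits > 3 || n > 255)
                return 0;             /* "256" or "1234" is not an 8-bit number */
        }
        value = (value << 8) | n;
        if (octet < 3 && *s++ != '.')
            return 0;                 /* fewer than four octets */
    }
    if (*s != '\0')
        return 0;                     /* trailing text or a fifth octet */
    *ip = value;
    return 1;
}

/* 1 if 's' parses and renders back to exactly the same text. */
int is_canonical_dotted(const char *s)
{
    uint32_t ip;
    char back[16];
    if (!dotted_to_ipv4(s, &ip))
        return 0;
    ipv4_to_dotted(ip, back);
    return strcmp(back, s) == 0;
}

int main(void)
{
    char text[16];
    ipv4_to_dotted(2071690107u, text);    /* the number quoted above */
    printf("%u = %s = %08Xh\n", 2071690107u, text, 2071690107u);
    return 0;
}
```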

How can I hack?

I don't like that first person pronoun... I don't mind explaining how hackers hack, but I won't explain how you can hack. This is not a pro-hacking website. This is a computer security site. My aim is not to encourage or assist hacking in any way. I aim to try to inform people of the risks that they may be exposed to, so that they can better protect themselves from these risks. I also provide this website as a resource for those with an academic interest. If you want a rough idea of some of the cracking methods that other people (not you) use, just read on to the next section.

How do hackers hack?

There are many ways in which a hacker can hack. The most common way is by using a backdoor program. See What damage can a hacker do? for more information on these. However, there are some 'special' cases. Click a link below for more information.

NetBIOS - UDP 137, UDP 138, TCP 139

ICMP Ping - Internet Control Message Protocol

FTP - TCP 21

rpc.statd - TCP 111, TCP 9704

lpr - TCP 515

HTTP - TCP 80

How can NetBIOS be harmful?

NetBIOS hacks are the worst kind, since they don't require you to have any hidden backdoor program running on your computer. This kind of hack exploits a bug in Windows 9x. NetBIOS is meant to be used on local area networks, so machines on that network can share information. Unfortunately, the bug is that NetBIOS can also be used across the Internet - so a hacker can access your machine remotely. Not all Windows computers are vulnerable to this kind of attack. If you have a firewall that blocks incoming NetBIOS packets, you are safe. Some network configurations will also be immune. To find out whether you are vulnerable, visit GRC's ShieldsUP!, and click the "Test My Shields!" image halfway down the page. Note that GRC will attempt to connect to your computer using NetBIOS - this is just to test whether your computer is vulnerable. GRC will not retain any information about your computer, nor will any damage be done. NetBIOS uses TCP port 139, UDP port 137 and UDP port 138.

How can ICMP Ping be harmful?

ICMP is one of the main protocols that makes the Internet work. It stands for Internet Control Message Protocol. 'Ping' is one of the commands that can be sent to a computer using ICMP. Ordinarily, a computer would respond to this ping, telling the sender that the computer does exist. This is all pings are meant to do. Pings may seem harmless enough, but a large number of pings can form a Denial-of-Service attack, which overloads a computer. Also, hackers can use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a computer responds to a ping, then the hacker could then launch a more serious form of attack against a computer. People who do have firewalls normally don't bother to report pings, because they are innocent in themselves - allowing the hacker to continue hacking for quite a long period of time.

How can FTP be harmful?

FTP is a standard Internet protocol, standing for File Transfer Protocol. You might use it for file downloads from some websites. If you have a web page of your own, you might use FTP to upload it from your home computer to the web server. However, FTP can also be used by some hackers... FTP normally requires some form of authentication for access to private files, or for writing to files. Hackers can get round this by using programs called "backdoor programs". You wouldn't know if you had one of these, unless you used an up-to-date virus scanner regularly. You could get a backdoor program by opening an infected E-mail attachment. FTP backdoor programs, such as Doly Trojan, Fore, and Blade Runner, simply turn your computer into an FTP server, without any authentication. Using a known protocol such as FTP is easier for hackers because the protocol is already defined - not so much new software needs to be written to use it (a normal FTP client could be used - the hacker wouldn't need any specialist software). Also, since FTP has legitimate uses, many firewalls do not block it. Luckily, ZoneAlarm does.

How can rpc.statd be harmful?

This is a problem specific to Linux and Unix. I am not too sure what precisely rpc.statd should be used for. I do, however, know that it is used by hackers. rpc.statd is typically used as a 'file locking status monitor' (whatever that is) on local area networks. Not all versions of Linux/Unix use it, and some versions have had the security glitch I am about to describe fixed. The problem is the infamous unchecked buffer overflow problem. This is where a fixed amount of memory is set aside for storage of data. If data is received that is larger than this buffer, the program should truncate the data or send back an error, or at least do something other than ignore the problem. Unfortunately, the data overflows the memory that has been allocated to it, and the data is written into parts of memory it shouldn't be in. This can cause crashes of various different kinds. However, a skilled hacker could write bits of program code into memory that may be executed to perform the hacker's evil deeds. That is the problem. rpc.statd uses TCP ports 111 and 9704.

How can lpr be harmful?

This is a similar problem specific to Linux and Unix. lpr is typically used as a printing system. Not all versions of Linux/Unix use it, and some versions have had the security glitch I am about to describe fixed. The problem is the infamous unchecked buffer overflow problem (again). See rpc.statd for more information on this problem. Basically, the result of this problem is that data can be written into parts of memory it shouldn't be written to. A skilled hacker could write program code into memory to perform his evil deeds. lpr uses TCP port 515.

How can HTTP be harmful?

HTTP stands for HyperText Transfer Protocol. It is one of the main protocols used on the Internet- it is what you are using right now to view this web page. HTTP hacks can only be harmful if you are using Microsoft web server software, such as Personal Web Server. There is a bug in this software called an 'unchecked buffer overflow'. If a user makes a request for a file on the web server with a very long name, parts of the request get written into parts of memory that contain active program code. A malicious user could use this to run any program they want on the server. The Code Red worm takes advantage of this. This worm even managed to infect the Microsoft Windows Update site at one point. Despite what I have just said, it is still possible for home users to become infected with such worms, since some people install Personal Web Server without knowing what it is. Some computers even have PWS pre-installed when you buy them. To see if PWS is running on your computer, hover your mouse over each of the icons in the bottom right corner of your screen, until a small description appears. If one of the icons is PWS, right-click it and choose to exit. Then, use Add/Remove Programs in Control Panel to remove the program from your system. Microsoft Personal Web Server is used to serve web pages directly from your computer to the rest of the world. Of course, you would need to be connected to the Internet 24 hours a day in order to do this. Most people will tend to upload Internet material to their ISP, rather than provide access to it directly from their own computer. And just to clear up any remaining confusion: Microsoft Personal Web Server is not required to surf the Internet- all you need to surf the Internet is a web browser and an Internet connection (such as dial-up).
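The unchecked buffer overflow described in the rpc.statd, lpr and HTTP sections, as an added C example that is not from the original page or from any of those programs: a fixed 64-byte request buffer filled the unchecked way, beside the two remedies the rpc.statd section names, sending back an error and truncating. The buffer size and the request format are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* the "fixed amount of memory set aside" for one request */

/* Length of s, never reading more than 'max' bytes (strnlen is not in
 * standard C, so it is spelt out here). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* The defect the text describes: the request is copied into the fixed buffer
 * with no length check, so a request longer than BUF_SIZE-1 bytes runs past
 * the end of 'dst' and overwrites whatever memory follows. Shown for contrast
 * only; never call it on data from the network. */
void store_unchecked(char dst[BUF_SIZE], const char *request)
{
    strcpy(dst, request);            /* copies up to the NUL, wherever it is */
}

/* Remedy 1: refuse an oversized request so the caller can send back an error. */
int store_or_reject(char dst[BUF_SIZE], const char *request)
{
    size_t len = bounded_len(request, BUF_SIZE);
    if (len >= BUF_SIZE)
        return -1;                   /* no room for the data plus terminator */
    memcpy(dst, request, len + 1);   /* copies the terminator too */
    return (int)len;
}

/* Remedy 2: keep the first BUF_SIZE-1 bytes and truncate the rest. */
int store_truncated(char dst[BUF_SIZE], const char *request)
{
    size_t len = bounded_len(request, BUF_SIZE - 1);
    memcpy(dst, request, len);
    dst[len] = '\0';
    return (int)len;
}

/* Try each remedy on a request of n 'A's (n is clamped below 512). */
int try_reject(size_t n)
{
    char req[512], dst[BUF_SIZE];
    if (n > 511) n = 511;
    memset(req, 'A', n); req[n] = '\0';
    return store_or_reject(dst, req);
}
int try_truncate(size_t n)
{
    char req[512], dst[BUF_SIZE];
    if (n > 511) n = 511;
    memset(req, 'A', n); req[n] = '\0';
    return store_truncated(dst, req);
}
```

A 200-byte request is rejected by the first remedy (-1) and cut to 63 bytes by the second; store_unchecked would have written all 200 bytes into a 64-byte buffer.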