Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Trojan Horses

Every computer science major has learned how to leave a login Trojan Horse on a system. Before logging off, the perpetrator starts a program that displays a convincing login prompt and waits for a victim. The username and password typed into the Trojan Horse are logged to a file or mailed to a collecting account. Usually, the Trojan Horse then fakes some type of problem (an "invalid password" message, for instance) and exits. The operating system then takes control and displays the true login prompt. Most users would assume that they had mistyped their password or that some other glitch occurred in the system. Not surprisingly, this attack can be very fruitful.

The temporary Trojan Horse login succeeds because of a flaw in the login authentication protocol described so far: the user is required to authenticate to the computer, but the login program itself is simply assumed to be legitimate. Authentication is one-way. To close this gap, secure operating systems provide a secure attention key (SAK) sequence. Windows NT instructs the user to press Ctrl-Alt-Del to initiate a trusted path to the operating system. Most UNIX systems also provide a SAK. When this special key sequence is pressed, the user is assured that a clean environment is made available for login. For example, the system will detach or kill any processes that are attached to or running on that terminal. What exactly happens to these processes depends on the operating system implementation. The net result is that the previous user's processes have no chance to act as a login impostor.
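A SAK prevents the attack at login time; after the fact, an auditor can look for the tell-tale residue described above, namely a process that is still attached to a terminal on which nobody is logged in and that is not one of the system's own login programs. The following is an added example, not code from the book, that performs that check over constructed `ps -eo pid,user,tty,comm` and `who` output. The process names treated as legitimate (getty, agetty, mingetty, ttymon, login) and the column layout are assumptions about the platform, so it is a heuristic for triage, not a substitute for the trusted path.

```python
"""Flag processes holding a terminal that has no logged-in user.

A login Trojan Horse left behind by a departing user looks exactly like
this: a non-login program owned by someone who is no longer on the tty.
"""

# Programs that legitimately sit on an idle terminal waiting for a login.
# Assumed set; adjust for the platform being audited.
TRUSTED_TTY_PROGRAMS = {"getty", "agetty", "mingetty", "ttymon", "login"}

# Constructed sample output of `ps -eo pid,user,tty,comm`.
PS_OUTPUT = """\
  PID USER     TT       COMMAND
    1 root     ?        init
  412 root     tty1     getty
  415 alice    tty2     ksh
  418 alice    tty2     vi
  501 root     tty3     getty
  733 mallory  tty4     fakelogin
  734 root     tty5     login
"""

# Constructed sample output of `who`: only alice is currently logged in.
WHO_OUTPUT = """\
alice    tty2     Nov  1 09:12
"""


def parse_ps(text):
    """Return (pid, user, tty, command) tuples, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4:
            procs.append((int(fields[0]), fields[1], fields[2], fields[3]))
    return procs


def logged_in_ttys(text):
    """Return the set of terminals that `who` reports as having a session."""
    return {line.split()[1] for line in text.splitlines() if line.split()}


def find_login_impostors(ps_text, who_text):
    """Return processes attached to a tty with no session, excluding login programs."""
    active = logged_in_ttys(who_text)
    suspects = []
    for pid, user, tty, comm in parse_ps(ps_text):
        if tty == "?":            # no controlling terminal: daemons, etc.
            continue
        if tty in active:         # someone is legitimately logged in here
            continue
        if comm in TRUSTED_TTY_PROGRAMS:
            continue
        suspects.append({"pid": pid, "user": user, "tty": tty, "command": comm})
    return suspects


if __name__ == "__main__":
    for s in find_login_impostors(PS_OUTPUT, WHO_OUTPUT):
        print(f"suspect: pid {s['pid']} ({s['command']}) owned by {s['user']} on {s['tty']}")
```

On the constructed data only `fakelogin` on tty4 is reported: the gettys on tty1 and tty3 and the in-progress `login` on tty5 are expected, and alice's shell and editor belong to a live session.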

A more serious threat is replacement of the login program in the system itself. This attack depends on circumventing the system’s access control mechanisms because login and other I&A routines are part of the TCB. A hacker who manages to install a permanent login Trojan Horse can gain multiple username and password pairs. It is unlikely that only the login program was replaced. Trojan Horse versions of other security enforcing programs are certain to be found as well.

Network Sniffing

Many network protocols were designed with the assumption that users could be trusted or that the network was trustworthy. Precautions in protocol design were not always taken for defending against network eavesdropping. Network traffic monitoring is the electronic equivalent of shoulder surfing. A network sniffer is a program, or dedicated device, capable of capturing all traffic made available to one or more network adapters. Any data sent in the clear across the network is captured and inspected for usefulness. Countless network sniffers are running throughout the Internet today.

Network sniffers are freely available in the public domain (see Anonymous, 1997 for a comprehensive list) or can be purchased as part of products such as RealSecure from Internet Security Systems. A user who has access to a personal computer connected to a network can easily install a sniffer program. Most sniffers are sophisticated enough to selectively pick out passwords used for network logins, so the attacker does not need to store or read every packet traversing the network. Assuming that the communicating systems rely upon reusable passwords for authentication, the person sniffing network traffic can effortlessly gather passwords to be used for later attacks. Unlike the online brute-force attacks discussed earlier, which leave traces on the target, sniffing is entirely passive: no evidence of the activity will be found on the systems whose passwords were captured.

Network sniffing is not limited to watching for passwords used during the authentication phase of a network login session. Because e-mail and other document delivery systems might contain lists of passwords, it is worth the effort to capture and scan these data forms as well. Remember that a new user must acquire the initial password from the security officer in an out-of-band manner. Often, the method chosen is e-mail, especially inside of private corporate networks. Employees are often required to sign agreements declaring that they will not engage in network sniffing or scanning. Because many computer crimes include an insider, the threat of legal consequences does not always outweigh the opportunity for financial reward.

Many private corporate networks also are accessed by contract vendors, who in turn may not adhere to the same restrictions. A successful social engineering attack could land a planted network sniffer on your network. The sniffer could periodically send captured passwords via e-mail to an external system. For these reasons, you should assume that any password sent across a network in cleartext form has been compromised.
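The selective matching described above is simple enough to show in a few lines, and the same logic is what a network monitor should run on a defender's behalf to alert on reusable credentials crossing the wire. The following is an added example, not code from the book: it takes reassembled client-to-server payloads (constructed here, tagged with a `src:port->dst:port` flow string of my own choosing) and extracts FTP and POP3 `USER`/`PASS` pairs and HTTP Basic credentials. Note that HTTP Basic is only base64-encoded, which counts as cleartext for this purpose.

```python
"""Find reusable credentials in cleartext application payloads (FTP, POP3, HTTP Basic)."""
import base64
import re

# Destination port -> protocol the payload is parsed as. Assumed standard ports.
SERVICE_BY_PORT = {21: "ftp", 110: "pop3", 80: "http"}

_FLOW_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)$")
# FTP and POP3 share the same two-step USER / PASS exchange.
_USERPASS_RE = re.compile(rb"^(USER|PASS)[ \t]+(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
_BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)\r?$",
                       re.IGNORECASE | re.MULTILINE)

# Constructed sample: (flow, reassembled client->server bytes).
CAPTURED_FLOWS = [
    ("10.0.0.5:1421->10.0.0.9:21", b"USER alice\r\nPASS s3cret!\r\nSYST\r\n"),
    ("10.0.0.5:1433->10.0.0.9:110", b"USER bob\r\nPASS hunter2\r\nSTAT\r\n"),
    ("10.0.0.5:1440->10.0.0.9:80",
     b"GET /private HTTP/1.0\r\nAuthorization: Basic Y2Fyb2w6cGFzc3dvcmQxMjM=\r\n\r\n"),
    ("10.0.0.5:1450->10.0.0.9:25", b"HELO mail.example\r\nMAIL FROM:<x@example>\r\n"),
]


def find_cleartext_credentials(flows):
    """Return a list of {flow, service, user, password} for every credential seen."""
    found = []
    for flow, payload in flows:
        m = _FLOW_RE.match(flow)
        if not m:
            continue
        service = SERVICE_BY_PORT.get(int(m.group("dport")))
        if service in ("ftp", "pop3"):
            user = None
            for cmd, arg in _USERPASS_RE.findall(payload):
                if cmd.upper() == b"USER":
                    user = arg.decode("latin-1")
                elif cmd.upper() == b"PASS" and user is not None:
                    found.append({"flow": flow, "service": service,
                                  "user": user, "password": arg.decode("latin-1")})
                    user = None
        elif service == "http":
            for token in _BASIC_RE.findall(payload):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("latin-1")
                except ValueError:          # not valid base64; ignore
                    continue
                user, _, password = decoded.partition(":")
                found.append({"flow": flow, "service": service,
                              "user": user, "password": password})
    return found


if __name__ == "__main__":
    for c in find_cleartext_credentials(CAPTURED_FLOWS):
        print(f"{c['service']:5} {c['flow']}: {c['user']} / {c['password']}")
```

Run as a defender's alert, the password field should of course be redacted in the output; what matters is that three of the four constructed flows leaked a reusable credential without the sniffer ever touching the servers involved.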

Electromagnetic Emissions Monitoring

Electromagnetic emissions also have been exploited as a means for sniffing passwords, albeit in a different part of the spectrum than network traffic. Despite efforts by various standards agencies to limit emissions from monitors and even storage devices, surveillance of these data sources is a very serious threat. The U.S. TEMPEST standard is one guideline that manufacturers must follow to reduce electromagnetic emissions in an effort to eliminate this attack. The general idea behind TEMPEST is to shield devices so that they do not emit a signal strong enough to be reconstructed at a distance. In some cases, an individual room or an entire building is built to the TEMPEST standard.

Software Bugs

Sometimes, the operating system does all the hard work for the hacker. Software bugs continue to be a major source of security problems. For example, a recent bug in the Solaris operating system made the hashed password values available to anyone on the system. One of the network application programs could be forced to end abnormally, and as a consequence, that program would dump its memory contents to disk in a core file (to aid in debugging the crash). Users with no special privileges could force the program to do this. The core file contained copies of the hashed password values that normally were stored in a shadowed file. The information could be used as input to Crack for an offline brute-force attack.
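The first question after a crash of a privileged program is whether its core file carries anything it should not. The following is an added example, not code from the book or the Solaris bug report: it scans a constructed byte blob standing in for a core file and picks out shadow-style entries (`user:hash:...`) that carry a crackable hash, in the way an attacker would before feeding them to Crack. The blob, the account names and the hash values are all made up; the hash formats recognised are the traditional 13-character DES crypt and the `$1$` MD5 crypt, and entries such as `NP` or `*LK*` (no password, locked) are deliberately not reported.

```python
"""Scan a core dump (or any memory image) for leaked password hashes."""
import re

# Constructed stand-in for a core file: ELF-ish header bytes, environment
# strings, and three shadow entries that were read into the crashed process.
CORE_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"LD_LIBRARY_PATH=/usr/lib\x00"
    + b"root:ab9HuMg7vPVcA:10000::::::\n"
    + b"daemon:NP:6445::::::\n"
    + b"alice:$1$Xy7zQ9pL$7ZkfVtm0cJq3Hn8bRYw2eA:10700::::::\n"
    + b"\x00" * 8 + b"/etc/shadow\x00"
)

# user name, then a hash field of at least 13 chars drawn from the crypt alphabet.
_SHADOW_RE = re.compile(rb"([a-z_][a-z0-9_-]{0,31}):([A-Za-z0-9./$]{13,}):")


def hash_scheme(hash_field):
    """Classify a hash string by its shape."""
    if hash_field.startswith("$1$"):
        return "md5-crypt"
    if len(hash_field) == 13 and "$" not in hash_field:
        return "des-crypt"
    return "unknown"


def redact(hash_field):
    """Keep only a prefix so the finding can be reported without re-leaking the hash."""
    return hash_field[:4] + "..." if len(hash_field) > 4 else "..."


def find_leaked_hashes(blob):
    """Return [{user, scheme, hash}] for every crackable shadow entry found in blob."""
    leaks = []
    for user, hash_bytes in _SHADOW_RE.findall(blob):
        h = hash_bytes.decode("ascii")
        leaks.append({"user": user.decode("ascii"), "scheme": hash_scheme(h), "hash": h})
    return leaks


if __name__ == "__main__":
    for leak in find_leaked_hashes(CORE_SAMPLE):
        print(f"{leak['user']}: {leak['scheme']} hash present ({redact(leak['hash'])})")
```

The point of the check is the same one the Solaris bug makes from the other side: whatever a privileged program holds in memory is what its core file will hold on disk, so a shadowed password file buys nothing if an unprivileged user can make the program that read it crash.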
