How Mugsy Plans a Cyber-Heist
By David M. Piscitello, President, Core Competence
In classic black and white gangster movies, Edward G. Robinson
-- playing the part of "Mugsy" or "Mr. Big" -- always "cased the joint"
before "knocking off" a bank or jewelry store. Even today, thugs in trench
coats and brow-down fedoras, concealed in a doorway across Main Street
from the target, or Mugsy and his moll doing a drive-by, persist as
stereotypes for criminal information gathering.
In the
information age, Main Street is the Internet, and information gathering is
more sophisticated than driving past your building. Modern heist movies
often fast-forward to the part where the cyber sleuth dials directly into
an acquired target’s critical data center. The actual process of
information gathering used by serious attackers is too mundane and
slow-moving for movie scripts. But it’s worth your while to understand
their processes so you can decide whether you are revealing too much about
your organization.
This article addresses one scenario of
information gathering, but there are certainly many others. For example,
I'm not addressing the "any target, anywhere, I want root" script-kiddy
approach. This article describes what a motivated professional criminal
(picture Mugsy as a cyber-hoodlum) might do.
Mugsy Drives By Your Web Site
Most Web sites provide contact and location information. Each corporate phone number may identify the base number of the block of numbers within a phone exchange assigned to your company. Serious attackers use war dialing software to scan these blocks for modems, the oft-neglected side doors into your network. In addition, contact e-mail addresses sometimes identify domain-specific mail hosts, and may reveal how a company structures its intranet. The e-mail address dave@naivecompany.com reveals little more than the Web name www.naivecompany.com does, but dave@humanresources.naivecompany.com suggests there might also be an engineering.naivecompany.com or a datacenter.naivecompany.com. (Don't laugh, it happens!) Such clues help the attacker map your network, your mail routing, and possibly your organizational structure.
Attackers may use specific
information gleaned from your Web site to refine searches about your
organization as they look for "anything about <this info, this
company>" anywhere on the Web. Metasearch engines like DogPile and All the Web, All the Time(TM) expedite such
searches by launching a search request across a dozen or more engines.
Alternatively, an attacker can download an entire Web site using tools
like WebZip Offline Browser, then
compile your site into a compressed HTML file. Using index and search
features from Microsoft's HTML Help Workshop, he will search for links to directories, other Web servers in your organization, and HTML comments and tags that offer information to help him break into your Web servers or intranet.
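The "download the site, then search it" step above is easy to automate. The script below is an added example, not code from the original article or from any of the tools it names: it parses one saved HTML page and pulls out the host names found in links, images and form actions, the mailto: addresses, and the HTML comments, then derives the departmental mail hosts the article uses as clues. SAMPLE_PAGE is constructed for the example and naivecompany.com is the article's own placeholder domain; the function names are this example's.

```python
"""Mine a saved Web page for host names, mail addresses and HTML comments.

Added example, not code from the original article. Feed it the HTML an
offline browser saved and it lists what an attacker would harvest.
SAMPLE_PAGE is constructed; naivecompany.com is the article's placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a DNS name inside free text (comments, scripts).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class ReconParser(HTMLParser):
    """Collects URL hosts, mailto: addresses and comments from one page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.emails = set()
        self.comments = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in ("href", "src", "action"):
                continue
            if value.lower().startswith("mailto:"):
                # drop the "mailto:" prefix and any ?subject=... suffix
                self.emails.add(value[7:].split("?", 1)[0].strip().lower())
                continue
            host = urlsplit(value).hostname  # None for relative links
            if host:
                self.hosts.add(host.lower())

    def handle_comment(self, data):
        comment = data.strip()
        self.comments.append(comment)
        # Comments often carry URLs to staging or admin hosts; mine them too.
        for host in HOST_RE.findall(comment):
            self.hosts.add(host.lower())


def mine_page(html):
    """Return {"hosts": [...], "emails": [...], "comments": [...]} for a page."""
    parser = ReconParser()
    parser.feed(html)
    parser.close()
    return {"hosts": sorted(parser.hosts),
            "emails": sorted(parser.emails),
            "comments": parser.comments}


def mail_subdomains(emails, company_domain):
    """Mail hosts below company_domain (the humanresources.naivecompany.com clue)."""
    suffix = "." + company_domain.lower()
    return sorted({addr.rpartition("@")[2] for addr in emails
                   if addr.rpartition("@")[2].endswith(suffix)})


def in_scope_hosts(hosts, company_domain):
    """Only hosts inside the target's own domain (drop partners, ad servers, etc.)."""
    d = company_domain.lower()
    return [h for h in hosts if h == d or h.endswith("." + d)]


# Constructed sample page; a real one would come from the mirrored site.
SAMPLE_PAGE = """\
<html><head><title>Naive Company - Contact Us</title></head>
<body>
<!-- TODO: remove staging link before launch: http://staging.naivecompany.com/ -->
<p>Sales: <a href="mailto:sales@naivecompany.com">sales@naivecompany.com</a></p>
<p>Jobs: <a href="mailto:dave@humanresources.naivecompany.com?subject=Resume">Dave</a></p>
<img src="http://images.naivecompany.com/logo.gif" alt="logo">
<form action="https://intranet.naivecompany.com/cgi-bin/feedback.pl" method="post">
<input type="submit" value="Send"></form>
<a href="/about.html">About</a>
<a href="http://www.partnerco.example/">Our partner</a>
</body></html>
"""

if __name__ == "__main__":
    result = mine_page(SAMPLE_PAGE)
    for key in ("hosts", "emails", "comments"):
        print(key + ":", *result[key], sep="\n  ")
    print("mail subdomains:", mail_subdomains(result["emails"], "naivecompany.com"))
    print("in-scope hosts:", in_scope_hosts(result["hosts"], "naivecompany.com"))
```

Run it over every page of the mirror rather than one, and the union of in_scope_hosts() is the attacker's starting host list; the comment line alone hands him a staging server that never appears in a visible link, which is exactly the kind of disclosure the article warns about.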
Mugsy Checks the EDGAR Database
Hacking Exposed authors Stuart McClure, George Kurtz and Joel Scambray explain that one of the serious attacker's tricks of the trade is to cull the EDGAR database at the U.S. Securities and Exchange Commission (SEC). Motivated attackers may be very patient. They may wait for times when a targeted company is engaged in mergers and acquisitions. During such transition periods the companies involved may have difficulty reconciling multiple security policies, or they may be renumbering IP networks and modifying firewalls, VPNs, internal network structure and Internet access. Thus the target company is more vulnerable to misconfiguration or policy implementation flaws. Hackers pounce on such opportunities.
Mugsy Moves On to Name Servers and Registrars
Domain names and IP address blocks used on the public Internet are administered by registries: domain name registrars maintain the registration records for domain names, and the Regional Internet Registries (ARIN, RIPE NCC and APNIC) maintain the records of IP network blocks. These databases identify the domain names and IP network numbers assigned to organizations, as well as administrative, technical, and billing contact names and addresses. You can query them with the WHOIS protocol, for which clients are available on most operating systems, and most registries also offer Web interfaces to their databases. Multi-national organizations often have multiple IP network blocks, assigned and administered locally; attackers use the network and contact information extracted from WHOIS to focus war dialing efforts as well as network scans.
The registration record for a domain also lists its public name servers. The Domain Name System is used primarily to map host names to IP addresses (and, through reverse lookups, addresses back to names), and to publish mail routing (MX) information. Serious attackers will attempt zone transfers, the equivalent of copying your entire public DNS database. As a rule, you should not permit zone transfers from your public DNS server, except to a list of servers you trust (your own secondaries). But even individual DNS lookups can give an attacker useful information. For example, mail exchange records may reveal the address of a firewall or bastion host on which a mail server or relay runs.
The DNS can be, and has been, used as a general-purpose distributed database, and certain record types (HINFO in particular) publish a host's hardware and operating system, so a zone doubles as an equipment inventory. A serious attacker doesn't actually need this information, but if you've left it in the public domain, you've saved him the time he would spend determining your OS types with a program like nmap. And it turns your network into "low hanging fruit" for less sophisticated attackers.
Mugsy Steals the Blueprint
With the information gathered using the methods discussed, the attacker will begin probing your network with utilities such as traceroute, firewalk, ping and nmap. Using the results, he will first attempt to determine how traffic is routed to your networks, and then will attempt to create a topology map of your network(s). The processes of network mapping, host and service scanning, enumeration, and discovery are too detailed to continue here. The point is that if you're not proactive, you'll unwittingly help hackers map your network with chilling accuracy.
When the subject of security auditing and penetration testing is raised, you'll invariably hear about zero-knowledge attacks. Companies that engage third parties to audit and test their security may want such parties to begin with no insider assistance, referred to as zero knowledge. Serious attackers don't begin with zero knowledge; they begin with a motive and a target, and they glean plenty of helpful knowledge from public sources.
Spoiling Mugsy's Spying
Countermeasures against information gathering may seem to conflict with your company's intended use of the Internet. Actually, they don't. Disclosing only the information that helps outsiders make informed business decisions about your company is good management. Frivolous disclosure of details describing how your company operates (including how it operates its networks) is unnecessary and dangerous. For obligatory SEC filings and Internet registry databases, include only the information they require. Keep your registration records up to date but valueless as a source of insider information: security auditors suggest listing toll-free numbers, or telephone numbers outside any block your company uses.
If your DNS currently advertises internal hosts, consider running a "split" DNS. A split DNS runs an external server that maintains only the entries necessary to provide proper name resolution and inverse address mappings for publicly accessible hosts, and nothing more. This server can be hosted by your ISP, or you can host it yourself off the Optional interface of your Firebox. For your internal network, host a complete DNS (both external and internal records) behind your firewall, off your Trusted interface, and make sure that internal server is not reachable from the Internet.
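The following script is an added example, not code from the original article, and it serves both the zone-transfer discussion above (what an attacker reads out of a copied zone, HINFO records included) and the split-DNS advice just given. It parses a small BIND-style zone, reports the records that leak internal information, and derives the record set a public split-DNS server should carry. "Not publicly accessible" is approximated here by RFC 1918 addresses, which is this example's assumption rather than the article's rule; the sample zone is constructed, naivecompany.com is the article's placeholder domain, and the parser handles single-line records only (no parenthesised multi-line SOA).

```python
"""Audit a DNS zone for what it gives away, and derive the external view.

Added example, not code from the original article. SAMPLE_ZONE is
constructed. Handles single-line records, $ORIGIN/$TTL, ';' comments
and inherited owner names; not multi-line (parenthesised) records.
"""
import ipaddress

# Assumption of this example: RFC 1918 addresses mark hosts that have no
# business in the public zone (the article's "not publicly accessible").
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # rdata that is not an address (MX, SOA, ...)
        return False
    return any(addr in net for net in RFC1918)


def qualify(name, origin):
    """Relative owner or target -> fully qualified name without trailing dot."""
    if name == "@":
        return origin.rstrip(".")
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin.rstrip('.')}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata), ...] from a BIND-style zone file."""
    records = []
    owner = qualify("@", origin)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # no ';' inside quoted TXT here
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if not line[0].isspace():              # leading blank = owner inherited
            owner = qualify(fields.pop(0), origin)
        if fields and fields[0].isdigit():     # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append((owner, rtype, " ".join(fields)))
    return records


def audit_zone(records):
    """Findings an attacker would read straight out of a zone transfer."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "HINFO":
            findings.append((owner, f"HINFO publishes hardware/OS: {rdata}"))
        elif rtype == "A" and is_rfc1918(rdata):
            findings.append((owner, f"internal address in public zone: {rdata}"))
    return findings


def _dangling(target, zone, owners):
    """CNAME target inside this zone whose records were stripped."""
    t, z = qualify(target, zone), zone.rstrip(".")
    return (t == z or t.endswith("." + z)) and t not in owners


def external_view(records, zone):
    """Records a public split-DNS server should carry: no HINFO, no internal
    addresses, and no CNAME left pointing at a name that was stripped."""
    kept = [r for r in records
            if r[1] != "HINFO" and not (r[1] == "A" and is_rfc1918(r[2]))]
    owners = {r[0] for r in kept}
    return [r for r in kept
            if r[1] != "CNAME" or not _dangling(r[2], zone, owners)]


SAMPLE_ZONE = """\
$ORIGIN naivecompany.com.
$TTL 3600
@           IN SOA   ns1 hostmaster 2000010101 3600 900 604800 86400
@           IN NS    ns1
@           IN MX    10 mail
ns1         IN A     198.51.100.2
www         IN A     198.51.100.10
mail        IN A     198.51.100.3
            IN HINFO "PC" "Linux 2.2"        ; owner inherited from line above
datacenter  IN A     10.1.1.5                ; internal host, should not be here
datacenter  IN HINFO "Sun Ultra 10" "Solaris 2.7"
payroll     IN A     10.1.2.20
fw-inside   IN A     192.168.0.1
intranet    IN CNAME datacenter
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "naivecompany.com.")
    print(f"{len(recs)} records in the zone")
    for owner, problem in audit_zone(recs):
        print("LEAK", owner, "-", problem)
    print("public view:")
    for rec in external_view(recs, "naivecompany.com."):
        print("  ", *rec)
```

The audit is what a zone transfer (dig's AXFR query) gives Mugsy for free: two OS strings and three internal addresses, including the inside address of the firewall. The public view is the zone your ISP or Optional-interface server should load; the full file stays on the Trusted-side server.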
I’ve only highlighted the process of information
gathering here. Books I’ve found to be credible sources for additional
information are the aforementioned Hacking Exposed, the
forthcoming The
Windows 2000 Security Handbook, and Practical
Intrusion Detection Handbook. You might also want to lurk on
security mailing lists such as PEN-TEST at SecurityFocus.com.
After
all, that's a nice little network you've got there, palsie. It'd be a
shame if anything should happen to it. But if you harden your
system as I've described, Mugsy will be more likely to mutter "You dirty
rat!" and slink away.
Copyright© 2000, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.