Tuesday February 10, 2009

Home    Services   Downloads   FAQ/Facts   Contact Us   About Us

How Unethical Hackers Can Hurt Your Systems Adapted From:  Hacking For Dummies, 2nd Edition

It's one thing to know that your systems generally are under fire from hackers around the world and rogue insiders around the office; it's another to understand specific attacks against your systems that are possible. This article offers some well-known attacks but is by no means a comprehensive listing.

Many information-security vulnerabilities aren't critical by themselves. However, exploiting several vulnerabilities at the same time can take its toll. For example, a default Windows OS configuration, a weak SQL Server administrator password, and a server hosted on a wireless network may not be major security concerns separately. But exploiting all three of these vulnerabilities at the same time can be a serious issue that leads to sensitive information disclosure and more.

Nontechnical attacks

Exploits that involve manipulating people — end users and even yourself — are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social-engineering exploits. Social engineering is the exploitation of the trusting nature of human beings to gain information for malicious purposes.

Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property to steal computers, servers, and other valuable equipment. Physical attacks can also include dumpster diving — rummaging through trash cans and dumpsters for intellectual property, passwords, network diagrams, and other information.

Network infrastructure attacks

Hacker attacks against network infrastructures can be easy because many networks can be reached from anywhere in the world via the Internet. Here are some examples of network-infrastructure attacks:

• Connecting into a network through a rogue modem attached to a computer behind a firewall

• Exploiting weaknesses in network protocols, such as TCP/IP and NetBEUI

• Flooding a network with too many requests, creating a denial of service (DoS) for legitimate requests

• Installing a network analyzer on a network and capturing every packet that travels across it, revealing confidential information in clear text

• Piggybacking onto a network through an unsecure 802.11 wireless configuration

Operating system attacks

Hacking operating systems (OSes) is a preferred method of the bad guys. OS attacks make up a large portion of hacker attacks simply because every computer has one and so many well-known exploits can be used against them.

Occasionally, some operating systems that appear to be more secure out of the box — such as Novell NetWare and various flavors of BSD UNIX — are attacked, and vulnerabilities turn up. But hackers often prefer attacking operating systems such as Windows and Linux because they are widely used and better known for their publicized weaknesses.

Here are some examples of attacks on operating systems:

• Exploiting specific network protocol implementations

• Attacking built-in authentication systems

• Breaking file system security

• Cracking passwords and encryption mechanisms

Application and other specialized attacks

Applications take a lot of hits by hackers. Programs such as e-mail server software and Web applications are often beaten down:

• Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these services from the Internet.

• Voice over IP (VoIP) faces increasing attacks as it finds its way into more and more businesses.

• Unsecure files containing sensitive information are scattered throughout workstation and server shares, and database systems contain numerous vulnerabilities — all of which can be exploited by rogue insiders.

Ethical hacking helps carry out such attacks against your computer systems and highlights any associated weaknesses.