Over the last eight months major new hacker tools have been released or revealed, ending a lull in activity among hackers that followed the Sept. 11 terrorist attacks and the enactment of legislation that enhanced law enforcement's ability to prosecute people who break code and wreak havoc on networks by exploiting software vulnerabilities, hacking consultant Ed Skoudis said Thursday.
LibRadiate, Paketto Keiretsu, Setiri and The Defiler's Toolkit are just some of the newest tools that have cropped up since March and that are keeping security specialists awake at night, according to Skoudis, who gave a threat update briefing here at a SANS Institute Inc. conference. SANS is a security education and research organization in Bethesda, Maryland.
Skoudis, the vice president of ethical hacking and incident response at consultancy Predictive Systems Inc., in New York, said the June-through-September period saw massive exposures of security vulnerabilities in OpenSSH, Apache Web server software and Internet Explorer (IE).
"This [northern] summer has been a huge summer for hackers. There were huge issues discovered all summer long, and things really opened up between March and now," Skoudis said. "The Golden Age of Hacking rolls on."
One of the latest developments involves the security of wireless LANs (local area networks) and the ease with which people are able to detect them. For one week in early September, amateur wireless LAN sniffers used freeware called NetStumbler to detect hundreds of insecure business and home wireless LANs in North America and Europe in an exercise called a "war drive."
Skoudis said attackers have "flocked to this area" and are finding that many wireless LANs are set up without basic security. After they detect the wireless LAN, they can use a tool that's been available since May called LibRadiate, an API (application programming interface) that allows developers easily to capture, create and transmit arbitrary packets on a wireless LAN using the IEEE 802.11b standard. The tool runs on Linux (kernel 2.4) with wireless cards that have the Intersil Corp. Prism 2 chipset, Skoudis said.
LibRadiate makes it possible for hackers, using "fairly simple C code," to capture TCP/IP packets or inject them into a network. Among the wireless attack tools expected to become available for use with LibRadiate, according to Skoudis, are Wired Equivalent Privacy (WEP) crackers, which exploit flaws in the WEP protocol, allowing a hacker to determine encryption keys even when WEP is in use; and malformed packet generators, which inject strange and noncompliant packets into a network in an attempt to crash systems that cannot handle unusual packet structures.
"With tools like LibRadiate, the computer underground is starting to develop far more sophisticated attack tools than what we have seen in the past," Skoudis said.
Another tool released, two weeks ago, is called Paketto Keiretsu, which Skoudis referred to as a suite of tools for doing TCP/IP (Transmission Control Protocol/Internet Protocol) tricks. One of its most fundamental capabilities involves rapid port scans, which it does by separating the packet sender from the receiver.
Skoudis also described Setiri, a new Trojan horse back door. The tool bypasses personal firewalls, Network Address Translation (NAT) devices, proxies and advanced firewalls by starting up an invisible browser on the victim's PC. Then Setiri, running on the victim's system, uses OLE (Object Linking and Embedding) to communicate with the hidden browser. As long as the victimized PC's browser can access the Internet, Setiri can reach across the network and get the attacker's commands. The personal firewall, NAT (network address translation), proxy and stateful firewall do not know whether the access is caused by a user surfing the Internet or Setiri getting commands.
Setiri, developed by a small group of South African security consultants and demonstrated in August at Def Con, hasn't been seen in the wild yet, Skoudis said. Nevertheless, he included it in his presentation because its existence has been acknowledged within the security community and writing the code is something a moderately skilled coder could do.
Skoudis said the system strips out information about the user by going through anonymizer.com, so blocking access to that site is a way of defending against Setiri. Another solution would require changes in IE that limit the actions of an invisible browser, and Skoudis said Microsoft. Corp. has publicly said it will address the matter.
In the new area of "antiforensics," hackers have had access to a tool called the Defiler's Toolkit since July. It's able in a number of ways to foil the Coroner's Toolkit, a tool that has been used by computer forensic specialists for several years, Skoudis said. For example, it can destroy or hide the traces of a hack that the Coroner's Toolkit looks for. The Defiler's Toolkit targets Linux Ext2fs file system, but Skoudis said the concept could be extended to other platforms.
Commenting on the recent distributed denial of service attack on the Internet that happened Monday, Skoudis said major U.S. law enforcement agencies are investigating, but he didn't know whether they had developed any theories about where the attack originated.
Alan Paller, director of the SANS Institute, said the attack is being characterized by security professionals as a Smurf attack that could have been much worse if all 13 root servers had been affected.
"Had it knocked out all of them, there's a reasonable expectation that over a certain amount of time ... the way that you use the Internet would have ceased to work," Paller said.
There's no easy fix for preventing DOS attacks, and the time is fast approaching when ISPs (Internet service providers) are not going to allow users on the Internet if they pose a threat to the other users by not meeting a minimum standard of security, Paller added.
"DOS attacks are not going to be solved because we get some new hardware in the system," Paller said. "You are going to have to re-engineer the whole Internet. That's going to take close to a decade. While we are doing that, we are going to have to start protecting ourselves from (users who) are not going to be careful."