July 29, 2006 at 3:41 pm #588
I am always tempted to predict the future when it comes to computer security. Of course it’s impossible to know for sure, but I think it’s possible to make an educated guess. They say we are in “the golden age of hacking” and I could not agree more. Never have I seen more tools available for free on the net. Tools for both Windows and Linux, and now you can actually be a decent hacker using nothing but Windows. Without question this is the best of times and the worst of times, to quote Dickens. The best of times for those curious about security and how it can be breached, and the worst of times if you are sitting on the net with a vulnerable computer! I was asked to do a test of a university’s network a while back. We connected a laptop into the network with a default install of XP SP1 and in less than 10 minutes it was hacked! Sign of the times, I would say. It was a good demo for the “powers that be” at the school. If you are a university admin and are having budget problems, try arranging a demo for the heads just like this if you can. In this instance it was very much an eye opener for them.
Suppose we were to split hacking into three levels, say low, middle and high. Low requires the least amount of technical skill and relies more on social engineering and a few simple things like hardware key loggers. The middle level comprises good skill with the tools available, precompiled buffer overflows, etc. High is someone who can think way outside the box, understands the deepest aspects of TCP/IP and can code accordingly.
My strong feeling is that the middle level as I define it will be the one that will disappear in the future. Buffer overflows will become a thing of the past. Technology is growing strongly in that direction. Microsoft’s SP2 was an attempt to stop it with their DEP. It will only get better in time. Exploiting code will slowly become more and more difficult, and tools that focus on that will lose more and more of their effectiveness.
So that leaves the low and high, and this is where I am willing to bet the future lies. Hackers will either focus on things like social engineering or on gaining physical access. Join a cleaning crew and place a hardware key logger. Come back the next night and retrieve it; while not very sophisticated, it can be very devastating nonetheless.
The high end will be those that understand the very core of IPv6 and will understand how to manipulate packet flows in ways no one has ever thought about.
Obviously if this scenario is correct, most hackers will focus on the low level, and that perhaps is even scarier. Using a combination of hardware and social skills could prove the most difficult to defend against. A security professional I know who was trained by the government was mentioning to me that there exists hardware most people are not aware of. One device he mentioned was a piece of hardware that would strap on your leg and was hidden under your pants. You could then go to an office building and sit in the lobby reading a newspaper. As you sat there, it would sniff out traffic flowing through all the Ethernet cables running through the building. Then you would go back to the lab and download everything. Unless that building was running everything through lead pipes, they were very vulnerable. All I thought was “I want one!”
If we remember, Kevin Mitnick did most of his hacks with social skills and still teaches that. By the way, that doesn’t mean that he doesn’t have a lot of high level skills these days. I met the instructor who gave Mitnick his CEH test. Many seem to be surprised when they discover he actually attended a CEH boot camp. He said Mitnick had sat in on his class and asked a lot of intelligent questions, and said he passed the test in the high 80’s (89?), which was the highest score he had ever seen. He also mentioned Kevin is very proud of that and if anyone has done better than that on their first attempt they should email Mitnick and let him know, lol. Anyway, our job will focus more and more on educating the building personnel concerning security policies.
That’s the future as I see it happening. Let’s wait and see!
July 29, 2006 at 4:28 pm #9828
Interesting post, and you are probably right… we will see a loss of middle-of-the-road hacking. It will either be poorly written apps that should have never been released to the public, or real, detailed reverse-engineered code and exploits from products.
I would also add that while “hacking” will move away from PCs, I think it is far from gone. Now that you can basically carry a computer in your pocket in the form of your cell phone or BlackBerry, which have lately only been safe because of their closed source OS, it will only be a matter of time before we just start hacking cell phones or even the appliances that will soon be wired into our homes. Won’t be long before the thing to do will be to hack someone’s fridge for hacktivism instead of their web site.
July 29, 2006 at 4:35 pm #9829 pcsneaker (Participant)
> A security professional I know that was trained by the government was mentioning to me that there exist hardware most people are not aware of. One device he mentioned was a piece of hardware that would strap on your leg and was hidden under your pants. You could then go to an office building and sit in the lobby reading a newspaper. As you sat there, it would sniff out traffic flowing through all the Ethernet cables running through the building. Then you would go back to the lab and download everything. Unless that building was running everything through lead pipes, they were very vulnerable. All I thought was ” I want one!”
What fairy tale are you talking about?
All in all I agree partially with what you say, but that one is really nonsense. Although TEMPEST can be a security problem, if someone is saying that it is possible to capture everything that is going over all the wires in a building with a small piece of hardware he wears under his pants, that clearly shows that this guy knows nothing about it.
In theory it is possible to capture radiation from Ethernet cables, electric cables, monitors etc., but you need some equipment that you certainly cannot wear under your pants. Each time someone told me such a story I tried to get a demonstration – so far without any success. (Yes, I saw someone capturing what was on a monitor using an antenna just 2 meters away from that monitor – but that does not scare me a lot. I would like to see a demonstration from the other side of the street, capturing some content of a certain monitor in a building with 50 or 100 PCs; that would be a problem. Perhaps the NSA can do it – but I think that even if they can do it there are really few cases where they will invest that much…)
July 29, 2006 at 5:12 pm #9830
Fairy tale? I hope so! But unless you are working with the CIA and are privy to all their technology, I wouldn’t be too quick to dismiss it, and they have resources that go beyond what most of us have access to. We like to think that we are somehow more in the know than the big old stupid government, but unfortunately that’s not always true. Their surveillance abilities are beyond what most people are aware of. There was an interesting show on the Discovery Channel that showed some amazing things, like their ability to actually pick up subtle sound vibrations from office windows from a distance and actually hear private conversations. I didn’t see the device this fellow was talking about, but he was very adamant that he had been trained with it, but who really knows? Anyway, thanks for the comments because this makes the forum alive.
July 29, 2006 at 5:32 pm #9831 pcsneaker (Participant)
The CIA has a lot of resources, be it money or human power, that’s true. But there are physical facts that even the CIA can’t bypass. Unfortunately there are a lot of myths about what the CIA (or NSA or other governmental agency) can do (actually a lot less than most people think).
> There was an interesting show on the discovery channel that showed some amazing things like their ability to actually pick up subtle sound vibrations from office windows from a distance and actually hear private conversations
That’s nothing mysterious, it’s just a directional microphone with high sensitivity. Depending on the quality (the distance over which it is usable) you can order different types on the internet.
July 29, 2006 at 9:27 pm #9832 tmartin (Participant)
Interesting stuff. Could you please put a return between your paragraphs to help with readability? Thx.
July 29, 2006 at 10:36 pm #9833
Yes, thanks and sorry about that.
July 30, 2006 at 2:50 pm #9834 Hug_It (Participant)
I don’t see much changing in the near future except for the targets. Slowly drifting away from the OS to the applications. With so much focus on core security principles rarely does anyone pay attention to all those misc. applications floating around the network.
As far as low to high level hackers, I don’t see much change there. I have a problem with labeling criminals in a way that implies any kind of respect, but the fact of the matter is physical theft is always going to be a huge threat. So low level hackers (thieves) and human error are and always will be a problem.
Middle level hackers already seem to be focusing more on building bot nets and similar activities where they can make money without much exposure. Like installing spyware on their victims for profit. There will always be millions of pigeons around the world begging to be an easy target. I still run into people running Windows 95 or completely unpatched systems plugged directly into their cable modem. They aren’t going anywhere soon.
High levels will continue to find vulnerabilities and develop exploits no matter what the landscape. It’s what they do and systems are getting more complicated, leaving more room for possibilities.
I’ve never been one for conspiracy theories. Though I’ve never directly worked for the CIA or NSA, I have worked for government agencies in the law enforcement realm most of my career. Every time I take a step up I always think, “I bet these guys know what they are doing and have the tools to do it.” Only to be disappointed by the fact they are just scrambling to keep their heads above water, let alone have all this neat stuff that the general public isn’t privy to the existence of. Just look at the FISMA report cards.
July 30, 2006 at 4:31 pm #9835
Good post and thanks for the comment. I agree, and I don’t like putting labels on criminals and I certainly don’t like to romanticize them. That’s why I don’t really like the term Black Hats. You are probably right about the government. I will say in my dealings they are a strange mix and almost schizophrenic in nature. What I mean is they are a mix of really high level things along with some amazingly poor and disorganized structure that gets you wondering how they even hold it all together.
I’ve never been one for conspiracy theories either, but I feel a good admin that is security conscious should err on the side of being a little paranoid. Perhaps one can call it an occupational hazard? Of course you can go too far with paranoia to the point you can’t function, nor can your network! The key I think is to try and stay balanced with just a little dose of paranoia, LOL!
July 31, 2006 at 1:47 pm #9836
Security in govt is coming around… it’s a lot of computers and a lot of different sysadmins to get on the same page at the same time, not an easy task.
Some businesses with a few thousand computers in multiple locations have a rough time keeping patches current and network and firewall settings where they need to be. Try multiplying that by 1000 and imagine the headache. You may or may not be privy to the IA documentation for the govt, but it’s coming around; enforcement and compliance are now becoming the issue rather than someone saying “they didn’t know what they should be doing”.
July 31, 2006 at 2:04 pm #9837 Hug_It (Participant)
No doubt on the troubles to secure government networks. Not to mention, nowhere do you deal with the political issues a security pro has to overcome more than in government offices.
July 31, 2006 at 3:49 pm #9838
As far as the government goes you do make a good point. I remember a while back when I was doing a CEH boot camp in San Diego. The guy sitting next to me was from the DOD. He was stationed in Germany and he and his team were in charge of pen testing the computers in military installations throughout Europe. He was taking the CEH because he said his department was always pushing them to get new certs. He also mentioned that by the time you include the airfare, time away and other expenses, it was costing the DOD almost $10,000 per person to take this class.
He was a very friendly fellow and very approachable, so I asked him what’s the typical OS that you encounter on base. I was expecting and almost hoping he was going to tell me that they use some custom form of Unix or something really cool. He answered “Well actually you would be surprised how much we run into DOS.” DOS! I know the military is on a tight budget but come on, lol! I joked with him saying “Isn’t this the same organization that was accused of buying $500 hammers a while back?” He laughed. A very interesting guy and I enjoyed talking to him. I was surprised but he was trying to recruit new workers right out of the CEH class! He mentioned that once people get trained and have been there a while, they leave and go on to other things. He had no idea why because the pay was not bad. Not great, but not bad. Starting at $80,000 and then after a few years it would be up to $120,000. The kicker was that it was tax free. I don’t get it, but he maintained that this was the way you were paid while working for the DOD in a US military installation in Germany.
On a side note, he said if they do find a vulnerability, they don’t attempt a patch. They just wipe the drive three times and do a clean install. Makes sense, because if someone has already gained access and placed a root kit, patching at that point doesn’t do a lot of good and they can’t take a chance.
August 1, 2006 at 12:11 am #9839 tmartin (Participant)
> Buffer overflows will become a thing of the past.
I think this is going to take a while. In 1999, one of the 10 largest banks was still settling federal reserve bank funds (overnight funds) with DOS 3.0. I know as I replaced that system.
Look how many Win95 boxes are still around, along with Win98. I know many businesses still running NT 4.0 in their DMZ (we don’t need no stinkin’ patches!)
And on the list goes.
Also, as long as there are users, I think there will be middle ground, as there will be middle users. Buffer overflows and other things like that will only stop when they are impossible to create…
Bruce Schneier says that security needs to be easier to use and built in before it really catches on (a very loose paraphrase); he doesn’t think there’s much of a future in security awareness training. I just don’t think that we will be able to make security easy enough for the average user, at least not in my lifetime… technology changes too fast for us to bring it down to the naive user level….
How many people do you know that still don’t use computers? Too many!
August 1, 2006 at 2:56 am #9840
That guy lied to you on so many levels I don’t know where to start…
But I’ll start with this: San Diego is not even close to the closest place from Germany to take a CEH class or exam…
August 1, 2006 at 5:47 am #9841
Oh no, he was really from the DOD for sure. The instructor knew him and introduced him to the class. The instructor had trained others from his department in the past. He was taking the class in San Diego because he had family there and had purposely scheduled it that way so that he could see them. It was hard for him to get to the US much and it was a good opportunity for him.
December 7, 2006 at 5:00 am #9842 slimjim100 (Participant)
Ok, I can give you a little insight into the .mil, as I was enlisted for 7 years there and after that I did a lot of DOD contracts. Their networks are normally just like any other corporate environment with Windows. They have two kinds of networks: one that is unsecured (normal users and working) and one that is secure (clearance required). The secure network is completely separate from the non-secure network, and normally the secure network is on fiber up to the PCs. There are many other topologies but this is the norm for most Posts/Bases. They have security groups that test the systems on both networks and they also have IDS, firewalls, honeypots, and many other security tools on the network. Now there are still a lot of older field systems that use proprietary encryption and proprietary transport of data (kind of like thicknet and a lot of RF and microwave). I have found the user is the hardest thing to secure in the DOD, but they are moving in the right direction. Most installations now have PKI and access cards just to log on to the systems, and all e-mail is signed. It takes time to move secure paper systems to digital means and keep the same users working with some sort of productivity. Anyway, I feel the future of hacking is going to be VoIP, wireless, and even video hijacking.
December 9, 2006 at 2:16 pm #9843
I still feel we will see a shift to more “low tech” ways of breaking into networks down the road. In the next 5 to 7 years things like buffer overflows will disappear. But people never change. Hackers will do more social engineering and resort to tactics like those of the security auditor who dropped all those USB drives in the place where people take their coffee breaks. It was amazing how many picked them up and plugged them into their computers. You have to think like a thief.
I know of one person who will go a little too far in my opinion. When he does a total security audit, he will try to ask the secretary out on a date! He feels he can get that person to give up sensitive info. Hey Mr. Phoenix, and you know who you are, if you are reading this, stop that crap, lol!
I used to look down a little at Kevin Mitnick because he is doing all his security training on the social engineering level. I foolishly thought it was because he lacked skill. Now I realize how brilliant he is. If I can code a kernel root kit that anti-virus can’t detect and get some unsuspecting employee to install it, I have total access to their network very easily. Why bother with trying to write an exploit? If anyone here reading this has done it, well, you know what is involved and the time! Currently, crypting a Trojan is much easier. Do you know what that means? All your firewalls, etc. have no value at that point. Only the most attentive admin will see it. To me, without question, this is where we will see most hacks into sensitive networks.
December 11, 2006 at 4:07 pm #9844 oleDB (Participant)
Based off a research paper I read last week on DEP, I think we’re more like 2-3 years away on buffer overflows. I think if you applied all of the technology available today, you would be safe from 99% of buffer overflow attacks. Some of the things they mentioned were the use of:
Buffered Security Checks, which use a stack cookie to determine if the return address has been modified. If it has, the program terminates and the exploit code is not run.
Address Space Layout Randomization, which is available in Vista, completely randomizes the address space used every time a program is run. This makes it extremely hard for exploit writers to code something, because hard coded memory addresses are typically used.
Hardware DEP, which distinguishes between code and data in memory, and prevents anything tagged as data, like a buffer, from being used to execute other code or from being executable itself.
Software DEP, which can stop exploit code from using Structured Exception Handlers as an attack vector. This can be used in current versions of Windows with the /SAFESEH build flag. SEH attacks basically push the level of attack one layer back by overwriting the addresses used for the error handling with exploit code. Once the attacker triggers an exception, bingo, their code gets executed.
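The first item in oleDB’s list, the stack cookie, is easiest to understand when the frame layout is written out. The C program below is an added example, not code from the thread or from the paper oleDB mentions: it models a frame as a plain struct (local buffer, then cookie, then saved frame pointer, then return address, the order a /GS-style compiler uses), runs an unchecked copy against it, and applies the epilogue check the way `__security_check_cookie` would. The cookie value, frame pointer and return address are constructed constants, and `trial` builds the classic string of `A` bytes as constructed input. It also shows the bounded copy that the cookie is there to catch when a programmer forgets it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a stack frame protected by a /GS-style stack cookie.
 * Locals sit lowest, then the cookie, then the saved frame pointer and the
 * return address, so an overrun of `buf` walks upward through the cookie
 * before it can reach `ret_addr`. This is an assumed simulation in plain
 * structs, not the real frame a compiler emits.
 */
typedef struct {
    char     buf[16];      /* local buffer being written */
    uint32_t cookie;       /* stack cookie, copied from the process-wide value */
    uint32_t saved_fp;     /* saved frame pointer */
    uint32_t ret_addr;     /* saved return address the epilogue will jump to */
} sim_frame_t;

/* Assumed process-wide cookie (a real runtime derives it at startup). */
static const uint32_t SECURITY_COOKIE = 0xCAFEF00Du;
/* Constructed return address of the caller. */
static const uint32_t ORIGINAL_RET    = 0x00401000u;

/* Set up a fresh frame the way a prologue would. */
static void prologue(sim_frame_t *f) {
    memset(f, 0, sizeof *f);
    f->cookie   = SECURITY_COOKIE;
    f->saved_fp = 0x0012FF80u;   /* constructed value */
    f->ret_addr = ORIGINAL_RET;
}

/* Epilogue check, the analogue of __security_check_cookie:
 * 1 = cookie intact, the return proceeds; 0 = cookie changed, runtime aborts. */
int cookie_intact(const sim_frame_t *f) {
    return f->cookie == SECURITY_COOKIE;
}

/* Unchecked copy (strcpy-like): writes n bytes starting at buf and keeps
 * going past it. The copy is clamped to the frame so the simulation itself
 * stays within defined behaviour. */
static void unchecked_copy(sim_frame_t *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* Bounded copy (the fix): never writes beyond buf and always terminates. */
static void bounded_copy(sim_frame_t *f, const unsigned char *src, size_t n) {
    size_t limit = sizeof f->buf - 1;
    if (n > limit) n = limit;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
}

/* Run one frame with n input bytes; report whether the cookie check passes
 * and, optionally, what the return address looks like afterwards. */
int run_frame(const unsigned char *input, size_t n, int bounded, uint32_t *ret_after) {
    sim_frame_t f;
    prologue(&f);
    if (bounded) bounded_copy(&f, input, n);
    else         unchecked_copy(&f, input, n);
    if (ret_after) *ret_after = f.ret_addr;
    return cookie_intact(&f);
}

/* Constructed input: n bytes of 'A', the classic overlong string. */
int trial(size_t n, int bounded, uint32_t *ret_after) {
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    if (n > sizeof payload) n = sizeof payload;
    return run_frame(payload, n, bounded, ret_after);
}

/* Convenience: the return address left in the frame after a trial. */
uint32_t ret_after_trial(size_t n, int bounded) {
    uint32_t ret = 0;
    trial(n, bounded, &ret);
    return ret;
}

int main(void) {
    size_t lengths[] = {8, 16, 20, 24, 28};
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        uint32_t ret;
        int ok = trial(lengths[i], 0, &ret);
        printf("unchecked, %2zu bytes: cookie %s, ret_addr 0x%08X%s\n",
               lengths[i], ok ? "intact " : "CHANGED",
               ret, ret == ORIGINAL_RET ? "" : " (overwritten)");
    }
    uint32_t ret;
    int ok = trial(28, 1, &ret);
    printf("bounded,   28 bytes: cookie %s, ret_addr 0x%08X\n",
           ok ? "intact " : "CHANGED", ret);
    return 0;
}
```

The point the run makes is the ordering: 16 bytes fill the buffer and leave the cookie alone, 20 bytes already change the cookie while the return address is still untouched, and only at 28 bytes is the return address overwritten. Because the epilogue check fails as soon as the cookie changes, the runtime aborts before the overwritten return address is ever used; the bounded copy never disturbs either field. The check does nothing for a write that lands beyond the cookie without touching it, which is why the cookie is paired with SafeSEH, DEP and ASLR rather than relied on alone.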
April 8, 2007 at 5:53 am #9845 gqblue2003 (Participant)
People would be amazed if they knew half the things the government does and/or is capable of. I am not saying that “Enemy of the State” or anything like that is close, but I do not feel that it is too far off. Anyone heard of Google Earth? Yeah, check out your neighborhood on there sometime. You can pull up parts of Iraq, Afghanistan, Pakistan, China, you get the point, anywhere that the military is looking for “people”; about 3 months later you get these images. Because Google is using some of the same sats.
What if I told you about a glove that could revitalize and even make you 10 times “stronger”. Fact or Fiction. FACT
I am a medic and have seen a glove that runs on the concept of keeping your core cooled (same premise as a CPU). I have seen people near exhaustion after running 5 miles put this glove on and go another 20.
Just goes to show SCI-FI is not too far off.
April 8, 2007 at 10:14 am #9846
oh oh i need that glove!
April 8, 2007 at 4:58 pm #9847 heffnercj (Participant)
> I think were more like 2-3 years away on buffer overflows. I think if you applied all of the technology available today, you would be safe from 99% of buffer overflow attacks.
I agree that in 2-3 years it will probably be possible to mitigate nearly all (if not all) BOF attacks IF you are using a modern system and IF all your software and hardware has been designed/compiled with all available security features. But I think that new BOFs will be discovered in many third party applications and in OSs that don’t yet support all available security features for several years beyond that.
Also consider some of the recent BOF exploits that have been circulating for OpenBSD (probably the most secure OS out there) and Vista (“the most secure OS from Windows to date”, as many people have stated and I am inclined to agree with). Between them, they implement/support most, if not all, of the protection mechanisms listed by oleDB. In the last month or so, remote BOFs have been discovered and exploited in both of those systems (the ANI exploit for Windows, and OpenBSD’s IPv6 exploit).
You also have to consider Mac systems which have (to my knowledge) practically no built in protection mechanisms against BOFs, and Linux systems with 2.4 kernels (stack protection wasn’t enabled by default in the Linux kernel until 2.6.12 I believe). Heck, Debian 3.1 still uses the 2.4 kernel, although I think it does have an option to install 2.6 as well. For Windows systems, there is still plenty of software circulating that isn’t compiled with the /GS and /SAFESEH features, rendering these protections null and void.
With the exception of safe SEH, I know that all of the suggestions listed by oleDB for preventing BOFs have already been circumvented. Not to say they are bad ideas, in fact they are all excellent ideas and most of the reasons they were circumvented were due to poor implementation, but regardless, they still have not been 100% successful. I think we still have a way to go before rendering the good old BOF completely obsolete, although it is becoming harder and harder to exploit them.
April 10, 2007 at 9:19 am #9848
I personally don’t think we are anywhere near seeing the end of buffer overflows unless we see a significant change in computing architecture. I think all the good old points of vulnerability are here to stay, with new ones emerging to replace them in popularity. Attack vectors will be influenced more in response to our changing use of computers as compared to newly introduced security mechanisms. Boot sector viruses died out because we stopped booting from floppies, not because AV software won the day.
Consider the history of computer security; the fast pace of evolution has not only opened up new attack vectors but has challenged just about every assumption made by the industry. Not so long ago we were told you can’t get a virus just by reading an email or viewing a web page. Word macro viruses on the whole used legitimate, legal functions of the word processing package and not specific vulnerabilities to achieve their aims. I think too much emphasis is placed on the domain of vulnerability and exploit.
I hope we see new ground broken in the world of computing in general and I have no doubt that we’ll see the same in the infosec arena. The next new thing? I’ll go out on a limb and say we’ll see many more attacks on Personal Area Network devices (think bluetooth) and we’ll start to see malware distributed like traditional disease as people move from one place to another.