Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Hacking 2
- Thread starter Rish21
- Start date
maxg you said "In terms of systems in my possession, what need do I have to hack into them, they are in my possession"
to make sure that a patch or or work around worked
)hacking to make code what where talking about is craking but anyway...)hacking- is testing network security
that what it is. you can do it or some thief can
At home I still get a few dozen hits a day from nimda by not even checking there machine they dirupting my use of the internet if someone to scan them, find out who they are, see how they got hit, and then email them on it whould this be wrong. gunthnp
Have you ever woken up and realized you where not alive.
to make sure that a patch or or work around worked
)hacking to make code what where talking about is craking but anyway...)hacking- is testing network security
that what it is. you can do it or some thief can
At home I still get a few dozen hits a day from nimda by not even checking there machine they dirupting my use of the internet if someone to scan them, find out who they are, see how they got hit, and then email them on it whould this be wrong. gunthnp
Have you ever woken up and realized you where not alive.
I apologize for the slip in semantics but, in my opinion, it's a short step between the two. I don't need to hack to verify the security of my systems, I have logs that track that, on demand reports and scheduled reports I can peruse to let me know if the security measures I have in place are functioning or if they need to be adjusted. Again, I work in telephony so my world is a little different but I can't imagine some of the same tools (hmmm, much like the tool that tells you that you've been hit by nimda, I wonder?) don't exist in the networking world.
Now, I'm going to show some ignorance maybe but why do you need to scan someone who hits you with nimda to find out who they are? Didn't that virus, like most I've seen, come through e-mail? My virus scan cleans/deletes the virus and gives me the address of the person who sent it. Couldn't I just send a reply back to them saying, "Hey, get a new virus scan" Do I need more than their e-mail address to do that?
Now, I'm going to show some ignorance maybe but why do you need to scan someone who hits you with nimda to find out who they are? Didn't that virus, like most I've seen, come through e-mail? My virus scan cleans/deletes the virus and gives me the address of the person who sent it. Couldn't I just send a reply back to them saying, "Hey, get a new virus scan" Do I need more than their e-mail address to do that?
SteveTheGeek
MIS
MaxG,
I can't remember if it's Nimda or some other worm, but in at least one case, a common worm launches email from an on-the-fly SMTP service rather than through your email client. That is to say, the email address (if any) is completely invalid, but by looking through the email header you can get the source IP address.
In a more recent case, Goner, it precedes the email address with an underscore - easy to figure out once you know it does it, but it does break automated "you sent us a virus" responses such as the one in use protecting my network.
As far as relying on the monitoring tools in place, I don't arrive, set something up, configure it, and then leave trusting that everything will work; I'm foolish if I don't test out what I set up. Where hacking/cracking/virus defenses are concerned, the same thing applies - I'm going to test my system before anyone else has an opportunity to take a whack at it.
-Steve
I can't remember if it's Nimda or some other worm, but in at least one case, a common worm launches email from an on-the-fly SMTP service rather than through your email client. That is to say, the email address (if any) is completely invalid, but by looking through the email header you can get the source IP address.
In a more recent case, Goner, it precedes the email address with an underscore - easy to figure out once you know it does it, but it does break automated "you sent us a virus" responses such as the one in use protecting my network.
As far as relying on the monitoring tools in place, I don't arrive, set something up, configure it, and then leave trusting that everything will work; I'm foolish if I don't test out what I set up. Where hacking/cracking/virus defenses are concerned, the same thing applies - I'm going to test my system before anyone else has an opportunity to take a whack at it.
-Steve
nimda spreds four ways I know of (1) email (2)drive shares (3)IIS [this way it scans from the infected computer out to the rest of the world](4) if you vist a infeted web page.
number 3 is what I was talking about
and new things come out all the time and need to know if they work, beacuse when company worte an update it may work in a lab but not in my networks so I need to know this.
Is the virus thing is wrong (or unethical)? gunthnp
Have you ever woken up and realized you where not alive.
number 3 is what I was talking about
and new things come out all the time and need to know if they work, beacuse when company worte an update it may work in a lab but not in my networks so I need to know this.
Is the virus thing is wrong (or unethical)? gunthnp
Have you ever woken up and realized you where not alive.
Thanks for the info on Nimda. Now, in your example wouldn't the IIS be coming from a Server that most probably attaches the IP address to a name. Correct me if I'm wrong here but couldn't DNS resolve that IP address into a name and isn't that an essential function of the internet and it's use that happens every time I go online? I mean doesn't mean anything until the DNS of my ISP resolves it into IP, right? So, I get an IP address, plug it into a browser and the opposite happens, right? I'm protected against the virus through the mechanisms I have in place and bingo, I also can let the infected party know. Again, I know only enough about this to be a huge pain but I don't see a need to hack.
Steve, not knowing where you're coming from I hope I don't insult you here but I've been in my business long enough to know what works and what doesn't I know how to lock down a telephone system and I can monitor and test that without engaging in any hacking. Again I certainly concede that you operate in a different world but I can't think you would install something to prevent hacking that you didn't think would work.
Steve, not knowing where you're coming from I hope I don't insult you here but I've been in my business long enough to know what works and what doesn't I know how to lock down a telephone system and I can monitor and test that without engaging in any hacking. Again I certainly concede that you operate in a different world but I can't think you would install something to prevent hacking that you didn't think would work.
SteveTheGeek
MIS
Hmmm, since I haven't been in a telecom world either, we may be on different pages (and no, you're not offending me). To me, it's the same as testing backups. Sure, you set the tape backup to run, select the folders and so on, and the day after you look at the log and note that it says everything has backed up successfully. On two occasions (out of a hundred or so) I was not able to successfully restore files - in one case I believe it was tape errors, on another apparently a file lock screwed it up. Occasionally testing backups with trial-restores is an IT best-practice. To me network security is just another implementation or configuration that needs to be op-tested before one can say the job is complete. Does running a port scan against a firewall I've just set up qualify as hacking, or testing?
I'm sorry I was not clear in what I was saying but I'm running a cable modem at home and most of these people just have IIS running on 2000 and are not awhere that is installed and that they are spreading a virus. so this is not a marter of just a whois look up gunthnp
Have you ever woken up and realized you where not alive.
Have you ever woken up and realized you where not alive.
oh and on networks you can't trust your logs that how most people get away is the fact that the 1st thing they do is change your logs so you don't know about it.
I use "hacking" as a way to make sure that I can't get in and hopeful they they can't ethier
gunthnp
Have you ever woken up and realized you where not alive.
I use "hacking" as a way to make sure that I can't get in and hopeful they they can't ethier
gunthnp
Have you ever woken up and realized you where not alive.
monkeylizard
MIS
gunthnp brings up a good point (as does Steve). Hackers (and crackers even more-so) are notorious for changing logs to hide their tracks. Only newbies fail to do this. Checking logs isn't enough. You have to test your security just like Steve checks his backups via trial restores from time-to-time.
In my opinion Steve, scanning your own ports is hacking for the purpose of testing. It's exactly what needs to be done and done on a regular basis with newer and better scanning tools as they are available. Hackers will use them to access your systems, so you need to use them to find the holes they will exploit.
Maxg, I think we are on kind of different pages from I.T. to Telecom. Telecom has been around for a loooooong time and has had time to grow. Since the first real hacking began in the 70's, the Telecom industry has grown and has created fail-safes to stop Joe-Blow from hacking the local Bell. It can still be done, but it's much harder now than then. In the I.T. world however, things are growing so fast that businesses turn out poorly secured code to meet users' demands for "faster, newer, better". The end result is less security and more potential for problems. Any security put in place MUST be thoroughly tested and that can ONLY be done by attempting to hack your own network. Of course, this test is only as good as your hacking skills, and there's always someone better out there.
I once worked for a DoD contractor on some Confidential and SECRET projects. Any Systems used for those projects were kept in secured areas and were not networked in any way. They even had to be at least 10m from each other at all times to prevent someone from passing information from one to another via diskette or CD. The only ABSOLUTE network security is no network at all. Monkeylizard
-Isaiah 35-
In my opinion Steve, scanning your own ports is hacking for the purpose of testing. It's exactly what needs to be done and done on a regular basis with newer and better scanning tools as they are available. Hackers will use them to access your systems, so you need to use them to find the holes they will exploit.
Maxg, I think we are on kind of different pages from I.T. to Telecom. Telecom has been around for a loooooong time and has had time to grow. Since the first real hacking began in the 70's, the Telecom industry has grown and has created fail-safes to stop Joe-Blow from hacking the local Bell. It can still be done, but it's much harder now than then. In the I.T. world however, things are growing so fast that businesses turn out poorly secured code to meet users' demands for "faster, newer, better". The end result is less security and more potential for problems. Any security put in place MUST be thoroughly tested and that can ONLY be done by attempting to hack your own network. Of course, this test is only as good as your hacking skills, and there's always someone better out there.
I once worked for a DoD contractor on some Confidential and SECRET projects. Any Systems used for those projects were kept in secured areas and were not networked in any way. They even had to be at least 10m from each other at all times to prevent someone from passing information from one to another via diskette or CD. The only ABSOLUTE network security is no network at all. Monkeylizard
-Isaiah 35-
MasterRacker
New member
That's essentially breaking and entering someone else's property. It's no different than breaking into a neighbor's apartment and looking through all their stuff to make sure they aren't going to set their apartment on fire since that would burn your down as well.
The only systems you can hack without permission are your own. (Unless of course you don't give yourself permission.... X-) )
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
The only systems you can hack without permission are your own. (Unless of course you don't give yourself permission.... X-) )
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
webmaster999
IS-IT--Management
I agree with Ed Fair's second post. I sure wouldn't consider it unethical if that plumber saved me thousands of dollars since my antiques didn't go floating out into the street!!!
There is a difference...
I am an etical hacker... do it for a living...
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Acheiver with Security Emphasis
Help increase my knowledge by providing some feedback, good or bad, on any advice I have given and if you like my advice, please mark it as helpful.
There is a difference...
I am an etical hacker... do it for a living...
Matt A+, MCP, MCP+I, MCSE Windows NT 4.0, MCSE Windows 2000 Early Acheiver with Security Emphasis
Help increase my knowledge by providing some feedback, good or bad, on any advice I have given and if you like my advice, please mark it as helpful.
MasterRacker
New member
Still a different situation. Maxg has the plumber "Seeing" the water first. The plumber is not breaking someone's door down looking for the possibility of water.
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
-
1
- #34
Here's an interesting one. I had a summer intern work for me last year when Code Red first hit.
A particulat Server infected with Code Red was filling my proxy logs with constant attempts to infect us. This intern used the entries in the logs, along with Code Red operational info easily available on the internet, to connect to the infected server via the CodeRed backdoor, disable it, and install the patch. This particular server appeared to be a consumer machine connected to a DSL or Cable Modem with a default IIS page, meaning the person probably didn't even know IIS was running on his machine, let alone install the patch him/herself. Ethical?
Example 2 - One evening I mistyped an IP address into IE while testing my own Intranet's security settings and pulled up another companies internal site directory listing. What caught my eye in this listing was a security system Access database containing the names, addresses, home and work phone numbers, usernames, e-mail addresses, job titles, etc of employees of the company, including the president, senior staff, etc. I was stunned! I found the person in the list with a job title of network administrator, and e-mailed him telling him he had a serious security problem! He responded the next day thanking me for telling him about it, that they had been working on securing their network and thought it was tight, and asking me how I had obtained the information. I told him how simple it was. The following morning, my ISP informed me they had received a complaint from someone stating that an IP address my acocunt was using had "attacked" their network. Was I wrong? was I unethical? Is this even considered a hack or crack? Should I have just closed my browser and forgot that I saw employees.mdb sitting on someones web page for the world to see? Now technically I crossed a line when I knew the site I was viewing was not mine and I chose to click on that document in the list. Once I saw what was in it however, I took what I beleived to be ethical steps in response.
Additional food for thought.
Is it unethical to open an unlocked door of another person's car without their permission and tun off the headlights they left on so they don't come back to a dead battery? What if the window were rolled down and you just reached in to turn off the lights. What if it was a conversion van and you could turn off the lights by pushing in that little triangular window and reaching in? What if you picked the lock to get in?
If we can't dertermine intent, can we determine what is and isn't ethical behaviour? Darwin
Director of Information Services
Philadelphia PA
A particulat Server infected with Code Red was filling my proxy logs with constant attempts to infect us. This intern used the entries in the logs, along with Code Red operational info easily available on the internet, to connect to the infected server via the CodeRed backdoor, disable it, and install the patch. This particular server appeared to be a consumer machine connected to a DSL or Cable Modem with a default IIS page, meaning the person probably didn't even know IIS was running on his machine, let alone install the patch him/herself. Ethical?
Example 2 - One evening I mistyped an IP address into IE while testing my own Intranet's security settings and pulled up another companies internal site directory listing. What caught my eye in this listing was a security system Access database containing the names, addresses, home and work phone numbers, usernames, e-mail addresses, job titles, etc of employees of the company, including the president, senior staff, etc. I was stunned! I found the person in the list with a job title of network administrator, and e-mailed him telling him he had a serious security problem! He responded the next day thanking me for telling him about it, that they had been working on securing their network and thought it was tight, and asking me how I had obtained the information. I told him how simple it was. The following morning, my ISP informed me they had received a complaint from someone stating that an IP address my acocunt was using had "attacked" their network. Was I wrong? was I unethical? Is this even considered a hack or crack? Should I have just closed my browser and forgot that I saw employees.mdb sitting on someones web page for the world to see? Now technically I crossed a line when I knew the site I was viewing was not mine and I chose to click on that document in the list. Once I saw what was in it however, I took what I beleived to be ethical steps in response.
Additional food for thought.
Is it unethical to open an unlocked door of another person's car without their permission and tun off the headlights they left on so they don't come back to a dead battery? What if the window were rolled down and you just reached in to turn off the lights. What if it was a conversion van and you could turn off the lights by pushing in that little triangular window and reaching in? What if you picked the lock to get in?
If we can't dertermine intent, can we determine what is and isn't ethical behaviour? Darwin
Director of Information Services
Philadelphia PA
I'd like tp put in my 2 cents on the telco side with hacking. You do have to TEST your equipt like computer equipt because nothing is PURE reliable.
You need to hack your own equipent both on Telco and Comp side. If Telco was so reliable why did the "Blue boxes" and other colored boxes work before? A lot of them are fixed now but people think of new ways to hack so we ALL need to hack our OWN Equipment.
I think people that want to hack other people's equiptment should first get authroization from the owner.
- NOnoy
You need to hack your own equipent both on Telco and Comp side. If Telco was so reliable why did the "Blue boxes" and other colored boxes work before? A lot of them are fixed now but people think of new ways to hack so we ALL need to hack our OWN Equipment.
I think people that want to hack other people's equiptment should first get authroization from the owner.
- NOnoy
A couple of points that I find fault with:
---quote---
if you own it do what you want. If you don't own it and haven't been specifically asked to mess with it, leave it alone. Period.
--end quote---
So if I'm dying in the street after a car accident and you walk by, just because (due to being unconcious) I don't ask you to help me, you should just walk by? would that be the ethical thing to do? by your definition, you don't own me, and I have not asked for your help. For that matter, even the paramedics don't own me and I would not have asked the for help (unconcious remember...)
---quote---
I've been in my business long enough to know what works and what doesn't I know how to lock down a telephone system
---end quote---
so basically you know the curreny systems well, fine I have no problem with that part of the argument. What if a new system is released tomorrow and you client wants it installed immediatly. You don't know this new system, or how secure it is. How do you know that it's security features and the ones you put in place are working? Do you just do what works in the older systems that you know and trust that this new one will work the same? or do you try to break in to verify that it is secure? Seems stupid to me to set up the system to the best of your ability and then walk away without actually testing the security (which would be attempting to hack the system...)
I know that if one of my customers came to me and said "I need my network to be secure!" I would apply the patches and do what I can to secure it, but let's say I've only worked with win2k small buisness server and this is win2K advanced server that I'm securing. I have not been given authorization to hack the machine, and the manager is away when I finish. Do I just leave it at a stage where to the best of my knowledge it is secure or do I start hacking it to find other holes that need to be patched? I see that being a good money maker. "Sir. As far as I know the machine is secure, but without your permission to actually hack it I was unable to start testing. Do you wish for me to test it now?" this conversation is taking place while someone is looking around the system through a hole that I was not aware of to begin with, and by the time I find it, the hacker who broke in WITHOUT permission has taken the most sensitive data and sold it for hundreds of thousands of dollars to the company's main competitor... I think it's safe to say that I would never work for them again, just because the manager didn't give me permission to hack the system before he left (maybe I forgot to ask, or maybe I gave him the contract, but it was never signed and returned to me...) either way I'll be the one that takes the heat for letting the intruder in...
---quote---
if you own it do what you want. If you don't own it and haven't been specifically asked to mess with it, leave it alone. Period.
--end quote---
So if I'm dying in the street after a car accident and you walk by, just because (due to being unconcious) I don't ask you to help me, you should just walk by? would that be the ethical thing to do? by your definition, you don't own me, and I have not asked for your help. For that matter, even the paramedics don't own me and I would not have asked the for help (unconcious remember...)
---quote---
I've been in my business long enough to know what works and what doesn't I know how to lock down a telephone system
---end quote---
so basically you know the curreny systems well, fine I have no problem with that part of the argument. What if a new system is released tomorrow and you client wants it installed immediatly. You don't know this new system, or how secure it is. How do you know that it's security features and the ones you put in place are working? Do you just do what works in the older systems that you know and trust that this new one will work the same? or do you try to break in to verify that it is secure? Seems stupid to me to set up the system to the best of your ability and then walk away without actually testing the security (which would be attempting to hack the system...)
I know that if one of my customers came to me and said "I need my network to be secure!" I would apply the patches and do what I can to secure it, but let's say I've only worked with win2k small buisness server and this is win2K advanced server that I'm securing. I have not been given authorization to hack the machine, and the manager is away when I finish. Do I just leave it at a stage where to the best of my knowledge it is secure or do I start hacking it to find other holes that need to be patched? I see that being a good money maker. "Sir. As far as I know the machine is secure, but without your permission to actually hack it I was unable to start testing. Do you wish for me to test it now?" this conversation is taking place while someone is looking around the system through a hole that I was not aware of to begin with, and by the time I find it, the hacker who broke in WITHOUT permission has taken the most sensitive data and sold it for hundreds of thousands of dollars to the company's main competitor... I think it's safe to say that I would never work for them again, just because the manager didn't give me permission to hack the system before he left (maybe I forgot to ask, or maybe I gave him the contract, but it was never signed and returned to me...) either way I'll be the one that takes the heat for letting the intruder in...
MasterRacker
New member
If you're the one setting up the system, you've been given implicit permission to "hack" it since that is part of testing. However, you were not given permission to hack the systems of the company next door because you overheard a conversation that they have a similar system.
Someone dying in the street is completely different from randomly hacking someone's data systems. But even there you will find limits. It might be ethical to perform basic fist aid and call for help but it's certainly NOT ethical to go further and try to do field surgery on them (unless you're a licened surgeon). Even providing first aid, if you step over the line, you will be held legally liable in any court.
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
Someone dying in the street is completely different from randomly hacking someone's data systems. But even there you will find limits. It might be ethical to perform basic fist aid and call for help but it's certainly NOT ethical to go further and try to do field surgery on them (unless you're a licened surgeon). Even providing first aid, if you step over the line, you will be held legally liable in any court.
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
how about lamo he does it all the time and it thanked after words with big commpnays I think his last hit was the NY times is he helping by telling them about the holes or should he leave them wide open and some guy steal all the data and trashes the system NY times said thaknes for the help gunthnp
Have you ever woken up and realized you where not alive.
Have you ever woken up and realized you where not alive.
hmmm...I might as well throw my hat into the ring also...
I've always believed that when one speaks of ethics, what definition is that person using? From what I understand about dealing with ethics issues over the years is that there are two definitions of ethics: Personal ethics, which could be defined as a particular individual's "guiding philosophy" regarding the issue at hand. Depending on said person's perspective on the situation, their compassion level, and their view on the law, affects their moral judgement.
On the other hand, you also have what is known (at least, how I know it) as "situation ethics" - I've heard this term defined as the following:
"A system of ethics by which acts are judged within their contexts instead of by categorical principles."
Now, once again, we are dealing with personal ethics; however, the option of legality does not play any option what-so-ever when an individual formulates a moral decision.
My interpretation of the above definition is as follows: Who cares if it was right or wrong, did it help us?
My question to all of you is this: Have I interpreted the definition of situation ethics correctly? If so, thanks for agreeing!
If not, however...feel free to comment.
I've always believed that when one speaks of ethics, what definition is that person using? From what I understand about dealing with ethics issues over the years is that there are two definitions of ethics: Personal ethics, which could be defined as a particular individual's "guiding philosophy" regarding the issue at hand. Depending on said person's perspective on the situation, their compassion level, and their view on the law, affects their moral judgement.
On the other hand, you also have what is known (at least, how I know it) as "situation ethics" - I've heard this term defined as the following:
"A system of ethics by which acts are judged within their contexts instead of by categorical principles."
Now, once again, we are dealing with personal ethics; however, the option of legality does not play any option what-so-ever when an individual formulates a moral decision.
My interpretation of the above definition is as follows: Who cares if it was right or wrong, did it help us?
My question to all of you is this: Have I interpreted the definition of situation ethics correctly? If so, thanks for agreeing!
If not, however...feel free to comment.
dwmatteson
MIS
Early on, MasterRacker brought up the important distinction between what is legal and what is ethical. You'll find that if you look at US law for a while, the two often have nothing to do with each other (of course, they also coincide quite a bit).
Legally, just about any sort of uninvited hacking is wrong but the ethics/morality of it all are fuzzy, as I'm sure we've all seen clearly from this thread.
A number of years ago, I took a moral reasoning class and many of the arguments that have come up tend to lean towards the positions taken by John Stuart Mill and Immanual Kant.
If I remember correctly, Mill's basic position was that the outcome is what matters, not the intent. If someone's hacking has the net result of improving overall system security for an individual, organization, or the community at large, it's okay. From this perspective, any act of hacking that results in improved security is okay, regardless of intent, since it lets an administrator close a hole. (There's a reason Mill's perspective is called utilitarianism. Very practically oriented.)
Kant's position is generally that it all boils down to intent. A morally correct act is one that is intended to Do Good. From this standpoint, zehrhead's act of notifying the network administrator that his network was vulnerable was entirely morally correct because he did so with the intention of helping someone.
Just some additional philosophical muck-a-muck to throw into the fray.
Don
Legally, just about any sort of uninvited hacking is wrong but the ethics/morality of it all are fuzzy, as I'm sure we've all seen clearly from this thread.
A number of years ago, I took a moral reasoning class and many of the arguments that have come up tend to lean towards the positions taken by John Stuart Mill and Immanual Kant.
If I remember correctly, Mill's basic position was that the outcome is what matters, not the intent. If someone's hacking has the net result of improving overall system security for an individual, organization, or the community at large, it's okay. From this perspective, any act of hacking that results in improved security is okay, regardless of intent, since it lets an administrator close a hole. (There's a reason Mill's perspective is called utilitarianism. Very practically oriented.)
Kant's position is generally that it all boils down to intent. A morally correct act is one that is intended to Do Good. From this standpoint, zehrhead's act of notifying the network administrator that his network was vulnerable was entirely morally correct because he did so with the intention of helping someone.
Just some additional philosophical muck-a-muck to throw into the fray.
Don
- Status
Similar threads
