Saturday, March 30, 2019

The Basics Of Trapdoor Hacking Information Technology Essay

For a computer programmer, trap doors make sense. If the programmer needs to modify the program sometime in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change. Trap doors should be closed or eliminated in the final version of the program after all testing is complete, but, intentionally or unintentionally, some are left in place. Other trap doors may be introduced by error and only later discovered by crackers who are roaming around, looking for a way into system programs and files. Typical trap doors use such system features as debugging tools, program exits that transfer control to privileged areas of memory, undocumented application calls and parameters, and many others.

Trap doors make obvious sense to expert computer criminals as well, whether they are malicious programmers or crackers. Trap doors are an easy way to get into a system or to gain access to privileged information or to introduce viruses or other unauthorized programs into the system.

Cases

In 1993 and 1994, an unknown group of computer criminals repeatedly broke into systems on the Internet using passwords captured by password sniffers. Once on the system, they exploited software flaws to gain privileged access. They installed modified login and network programs that allowed them reentry even if the original passwords were changed.

In 1996, Philip Myers described the insertion and exploitation of back doors as subversion in his MSc thesis at the Naval Postgraduate School. He pointed out that subversion, unlike penetration attacks, can begin at any phase of the system development life cycle, including design, implementation, distribution, installation and production.

Donn B.
Parker described interesting back-door cases in some papers (no longer available) from the 1990s. For example, a programmer discovered a back door left in a FORTRAN compiler by the writers of the compiler. This section of code allowed execution to jump from a regular program file to code stored in a data file. The criminal used the back door to steal computer processing time from a service bureau so he could execute his own code at other users' expense. In another case, remote users from Detroit used back doors in the operating system of a Florida timesharing service to find passwords that allowed unauthorized and unpaid access to proprietary data and programs.

Even the US government has attempted to insert back doors in code. In September 1997, legislation proposed in Congress to ban domestic US encryption unless the algorithm included a back door allowing decryption on demand by law enforcement authorities moved Ron Rivest to satire. The famed co-inventor of the Public Key Cryptosystem and founder of RSA Data Security Inc. pointed out that some people believe the Bible contains secret messages and codes, so the proposed law would ban the Bible.

More recently, devices using the Palm operating system (PalmOS) were discovered to have no effective security despite the password function. Apparently developer tools supplied by Palm allow a back-door conduit into the supposedly locked data.

Dumpster Diving

What is Dumpster Diving?

Dumpster diving is a name given to a very simple type of security attack, which is scavenging through materials that have been thrown away, as shown below. This type of attack isn't illegal in any obvious way. If papers are thrown away, it means that nobody wants them, right? Dumpster diving also isn't unique only to computer facilities.
All kinds of sensitive information ends up in the trash, and industrial spies through the years have used this method to get information about their competitors.

Figure: Dumpster Diving in Process (http://oreilly.com/catalog/crime/chapter/f_02_01.gif)

There is another type of computer-related trash that we might not consider. In the system itself are files that have been deleted, but that haven't actually been erased from the system. Computers and users are used only to saving data, not destroying it, and sometimes some data is saved that shouldn't be saved. Electronic trashing is easy because of the way that systems typically delete data. Usually, deleting a file, a disk, or a tape doesn't actually delete data, but simply rewrites a header record. Using MS-DOS, for example, a file can be deleted via the DEL command; however, someone else can retrieve the contents of the file simply by running UNDELETE. System utilities are available that make it easy to retrieve files that may seem to be totally gone.

Although there are methods for truly erasing files and magnetic media, most users who work on large systems do not take the time to erase disks and tapes when they are finished with them. They may discard old disks and tapes with data still on them. They simply write the new data over the old data already on the tape. Because the new data may not be the same length as the old, there may be sensitive data left for those skilled enough to find it. It is far safer to explicitly write over storage media and memory contents with random data and to degauss magnetic tapes.

Cases

One computer company in Texas that does business with a number of oil companies noticed that whenever a certain company asked them to mount a temporary storage (scratch) tape on the tape drive, the read-tape light would always come on before the write-tape light.
The ingenious oil company was scavenging the tape for information that might have been put on it by competitors that used the tape before them.

Trashing can have deadly consequences. When some old Department of Justice computers were sold off, they had on their disks information on the whereabouts of witnesses in the Federal Witness Protection Program. Although the data had been deleted, it had not been completely erased from the disk. The DOJ was able to get back some of the computers, but not all, and was forced to relocate the compromised families as a result.

In 1991, spies posing as garbage collectors outside a U.S. defense contractor executive's home dug through trash cans looking for information. One of the collectors was actually France's consul general and claimed he was collecting fill for a hole in his yard. Upon investigation, the FBI determined that this operation was part of a French secret-searching mission, aimed at finding U.S. military or scientific information.

Then in 1999, two key members of a group called the Phonemasters were convicted of theft and possession of unauthorized access devices and unauthorized access to a federal interest computer. This international group of cyber criminals had allegedly penetrated the computer systems of MCI, Sprint, AT&T, Equifax and the National Crime Information Center. The Phonemasters' skills had enabled them to download hundreds of calling card numbers and distribute them to organized crime groups around the world. Part of their method included dumpster diving and collecting old phone books and system manuals. These tools, combined with social engineering, led to the attacks on the mentioned systems.

In 2000, in a widely publicized case, the CEO of Oracle, Larry Ellison, hired private investigators to dig through corporate dumpsters at Microsoft.
This was an effort aimed at finding information about Microsoft's possible development of grassroots organizations to support its side in an anti-trust lawsuit. One of the investigators unsuccessfully tried to pay off a member of the janitorial service in exchange for the garbage of one of these organizations. Ellison held that his actions were a civic duty, to expose Microsoft's secret funding of such groups, but his opponents assert that the incident was repellent and scandalous.

Microsoft complained that various organizations allied to it have been victimized by industrial espionage agents who attempted to steal documents from trash bins. The organizations include the Association for Competitive Technology in Washington, D.C., the Independent Institute in Oakland, California, and Citizens for a Sound Economy, another Washington D.C. based entity. Microsoft said, "We have sort of always known that our competitors have been actively engaged in trying to define us, and sort of attack us. But these revelations are particularly concerning and really show the lengths to which they're willing to go to attack Microsoft."

Saying he was exercising a "civic duty," Oracle head and founder Lawrence J. Ellison defended his company against suggestions that Oracle's behavior was "Nixonian" when it hired private detectives to scrutinize organizations that support Microsoft's side in the antitrust suit brought against it by the government. The investigators went through trash from those organizations in attempts to find information that would show that the organizations were controlled by Microsoft. Ellison, who, like his nemesis Bill Gates at Microsoft, is a billionaire, said, "All we did was to try to impart information that was hidden and bring it into the light," and added, "We will ship our garbage to Microsoft, and they can go through it. We believe in full disclosure."
"The only thing more disturbing than Oracle's behavior is their ongoing attempt to justify these actions," Microsoft said in a statement. "Mr. Ellison now appears to acknowledge that he was personally informed of and personally authorized the broad overall strategy of a conniving operation against a variety of trade associations."

During the year 2001, industrial espionage came to light concerning the shampoo market between fierce competitors Procter & Gamble and Unilever. Private investigators hired by Procter & Gamble sifted through garbage bins outside of the Unilever corporation, succeeding in gathering viable information about market analysis, predictions and future products [16]. Upon legal action by Unilever, the two corporations settled out-of-court, because these actions broke Procter & Gamble's internal policy on information gathering.

Logic Bombs

What is a Logic Bomb?

Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could create a logic bomb to delete critical sections of code if she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system.

Logic bombs are malicious programming code that is inserted into a network system or a single computer for the purpose of deleting data or carrying out other malicious acts on a specified date. A logic bomb works similarly to a time bomb because it can be set to go off at a specific date. A logic bomb does not distribute malicious code until the specified date is reached.

How Logic Bombs Work

Logic bombs are created by criminals who are well-versed in computer programming and are generally used to perform acts with malicious intent that threaten network security.
The criminal acts include setting a virus to be released into a network system or PC at a specified date or other actions such as deleting or corrupting data and completely reformatting a computer hard drive.

A logic bomb works through code that is inserted into existing software on a network or in a computer, where it will lie dormant until a specific event occurs, such as a date or time or other command from the computer programmer. When the bomb finally releases the code it can delete files, send secret information to unauthorized parties, wipe out databases, and disable a network for a period of days.

Why a Logic Bomb is Used

A logic bomb can be used by a disgruntled employee or other IT personnel who have the knowledge of how to program a logic bomb to threaten network security. Other than targeting a specific computer or network system, a logic bomb can also be used to demand money for software by creating code that makes the software application into a trial version. After a specific period of time the user must pay a specified sum of money to continue to use the software.

Logic bombs can also be used for blackmail, and if the demand is not met, the logic bomb will detonate into a computer system or network to destroy data and perform other malicious acts that are included in the command codes.

Logic bombs are fairly easy to create if you have a lot of knowledge in computer programming and they do not replicate like other malicious programs. For this reason, logic bombs are usually targeted to specific victims and will not spread to unintended victims.

A logic bomb can be rather difficult to detect; however, you can take security measures such as constantly monitoring the network system for any suspicious activity, and using antivirus applications and other scanning programs that can detect any new activity in the data on a network system.
The scanning systems should also monitor the entire network and the individual computers attached to the network.

Cases

A former system administrator for UBS PaineWebber, Roger Duronio, was charged in a New Jersey federal court on charges of sabotaging two-thirds of the company's computer systems. His alleged motive was to undermine the company's stock price and make a bunch of money in the process. He is alleged to have shorted over 30,000 shares of UBS stock prior to unleashing his attack, which means the potential was there to make 30,000 times the amount by which the stock dropped when the media got wind of the attacks. In a recent stock manipulation case involving Emulex, shares fell 50 percent. Based on the trading range of UBS PaineWebber stock at the time of Duronio's alleged attack, it is fair to say his profits could have exceeded half a million dollars.

The flaw in Duronio's alleged scheme was the apparently unexpected ability of UBS PaineWebber to prevent news of the attack getting out. This was quite a feat on the company's part because the logic bombs activated on about 1,000 of its nearly 1,500 computers and the malicious programs did actually delete files. Indeed, the company says the attack cost it $3 million.

In the end, the federal grand jury charged Duronio with one count of securities fraud and one count of violating the Computer Fraud and Abuse Act. Duronio was hit with up to 20 years in prison and fines of more than $1.25 million.

In September 1990, Donald Burleson, a programmer at the Fort Worth-based insurance company, USPA, was fired for allegedly being quarrelsome and difficult to work with. Two days later, some 168,000 vital records erased themselves from the company's computers. Burleson was caught after investigators went back through several years' worth of system files and found that, two years before he was fired, Burleson had planted a logic bomb that lay dormant until he triggered it on the day of his dismissal.
Burleson became the first person in America to be convicted of harmful access to a computer.

In early 2009, Timothy Allen Lloyd was sentenced to 41 months in prison for leaving behind malicious programs that deleted critical data from the servers of Omega Engineering, a high-tech measurement company that claimed the cost of the attack was $10 million.

According to a report in the National Computer Security Association section on CompuServe, the Orlando Sentinel reported in January 1992 that a computer programmer was fined $5,000 for leaving a logic bomb at General Dynamics. His intention was to return after his program had erased critical data and get paid lots of money to fix the problem.

In 1995, a disgruntled computer security officer at an insurance brokerage firm in Texas set up a complex series of Job Control Language (JCL) and RPG programs described later as "trip wires and time bombs". For example, a routine data retrieval function was modified to cause the IBM System/38 midrange computer to power down. Another routine was programmed to erase random sections of main memory, change its own name, and reset itself to execute a month later.
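
The Dumpster Diving section says that deleting usually rewrites only a header record, and that a shorter record written over an old one leaves sensitive data behind unless the medium is first overwritten with random data. The sketch below is an added example, not part of the original essay: `ScratchTape`, `reuse_tape` and the sample record are constructed for illustration and model a reused medium in memory, not a real tape or filesystem API.

```python
import os

class ScratchTape:
    """Constructed in-memory model of a reusable scratch medium.

    `media` is the raw storage; `length` plays the role of the header
    record that says how much of the medium holds current data.
    """

    def __init__(self, size: int) -> None:
        self.media = bytearray(size)
        self.length = 0

    def write(self, data: bytes) -> None:
        """Write from the start of the medium, as the next job on a reused tape would."""
        if len(data) > len(self.media):
            raise ValueError("data larger than medium")
        self.media[:len(data)] = data
        self.length = len(data)

    def delete(self) -> None:
        """'Delete' as the essay describes it: only the header is rewritten."""
        self.length = 0

    def read(self) -> bytes:
        """What a normal, header-respecting read returns."""
        return bytes(self.media[:self.length])

    def residue(self) -> bytes:
        """Bytes past the header's length: what a raw read of the medium exposes."""
        return bytes(self.media[self.length:])

    def scrub(self) -> None:
        """Overwrite the whole medium with random data, then reset the header."""
        self.media[:] = os.urandom(len(self.media))
        self.length = 0


def reuse_tape(scrub_first: bool) -> bytes:
    """Return what is left behind after a second user writes a shorter record."""
    tape = ScratchTape(64)
    tape.write(b"BID:lease-7741 price=1850000 USD")  # constructed sample data
    if scrub_first:
        tape.scrub()
    else:
        tape.delete()
    tape.write(b"job ok")  # the next user's shorter record
    return tape.residue()
```

On real storage, an in-place overwrite may not reach the old blocks on SSDs or on journaling and copy-on-write filesystems, so sanitization has to be done at the device level.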
