“Ozancin’s talk dwelled at length on the methods and tools an
attacker (a term he advocates over hacker) uses to select you as
his target and worm his way in.”
“The attacker may also use specialized network-vulnerability
scanners (see Resources): Nessus, the older SATAN and SAINT
packages, Firewalk (which probes and identifies a network’s
firewall ruleset), or proprietary scanners such as Internet
Security Systems’s Internet Scanner and Axxent Technologies’
NetRecon — as well as checking Websites on the target network for
known-exploitable CGI scripts.”
“Or the attacker may skip the fancy network scanners and
concentrate on stealing one of your passwords. In my experience,
that is the bad guys’ usual way in and absurdly easy on most
systems. If one of your users uses Telnet or (nonanonymous)
FTP, or POP3 to reach your system remotely, the user’s login name
and password can be snagged with trivial effort at any point
between the two machines. Alternatively, the malefactor may use as
low-tech a means as shoulder surfing (watching the login as it’s
being typed in), or a variety of social engineering techniques.
People are often astonishingly willing to give their passwords over
the telephone to a stranger with a plausible reason for asking. Or
they email passwords and other confidential data across the open
Internet, ripe for interception.1 At the minimum, the attacker may
telephone the firm to glean people’s names and positions, or get
that information from the company Webpages. He may then be able to
predict valid usernames and try them with likely password
combinations.”
“Then there are the truly embarrassing password techniques that
amount to walking into an open, unguarded bank vault. There are
still services that ship with default remote administrative
passwords, as evidenced by Red Hat Software’s recent Piranha gaffe,
as well as sites reckless enough to use null passwords, the
username as the password, or the username reversed (e.g., toor for
the root account). Or the attacker may use remote techniques to
read a copy of /etc/passwd (on systems without shadow passwords
enabled). Many such past exploits have relied on insecure CGI
scripts provided by default with Web servers that are also
unnecessarily running with root authority. (The Apache Web server
most commonly used on Linux no longer ships with either of those
faults.)”