A new approach to information protection: computer threat detection systems. Stages of an attack. Network attack detection systems and firewalls

The invention relates to communication technology and can be used in process communication systems. The technical result is improved reliability of communication. To this end, the device includes a process communication interface (114) for communicating over a process communication loop in accordance with a process communication protocol. A controller (106) is coupled to the process communication interface (114). A rules store (116) is coupled to the controller (106) and holds at least one process communication packet transmission rule that is based on the process communication protocol. The controller (106) applies the at least one packet transmission rule to at least one process communication packet received from the process communication interface (114) and generates event information when the process communication packet does not satisfy the at least one packet transmission rule. 4 independent and 12 dependent claims, 6 figures.

BACKGROUND

Modern process installations are used to provide and/or produce many of the products and materials used every day. Examples of such process installations include oil refineries, pharmaceutical production plants, chemical processing plants, pulp mills and other process installations. In such installations, the process control and measurement network may include thousands or even tens of thousands of different field devices connected to the control room console, and sometimes to each other, in order to control the process. To ensure that a fault in such a field device cannot cause the process to run out of control, the physical characteristics and electrical connections of field devices generally obey strict specifications.

Traditionally, field devices in such process installations have been able to communicate over a process control loop or segment with a control room console and/or other field devices via wired connections. One such wired communication protocol is known as the Highway Addressable Remote Transducer (HART®) protocol. The HART® protocol is one of the main communication protocols used in the process industries. Recently it has become possible, and in some cases potentially desirable, to allow access to process installations from the Internet. Although such a feature makes it possible to interact with the process installation from almost any connected computer anywhere in the world, it also gives an attacker, such as a hacker, the potential to try to influence the process installation without travelling to its physical location.

Another recent improvement in process installations is the use of wireless communication. Such wireless links simplify the design of process installations in that long wire runs to the various field devices no longer need to be laid. In addition, one such wireless protocol, WirelessHART (IEC 62591), extends the traditional HART® protocol and provides significant data rates. For example, WirelessHART supports data transmission at up to 250 kbps. Relevant parts of the WirelessHART® specification include: HCF_SPEC 13, revision 7.0; HART Specification 65 - Wireless Physical Layer Specification; HART Specification 75 - TDMA Data Link Layer Specification (TDMA refers to time division multiple access); HART Specification 85 - Network Management Specification; HART Specification 155 - Wireless Command Specification; and HART Specification 290 - Wireless Devices Specification. Although wireless communication provides many advantages for process installations, it also gives anyone physically near the process installation the potential to connect to its devices and influence the wireless network.

Given the modern connectivity of process installations, it is now vital that process communication be protected from penetration and the actions of intruders. This applies to process installations that can be connected to the Internet, process installations that use wireless process communication, or both. Accordingly, giving the process installation the ability to detect and prevent intrusion into the process communication loop will further help protect the various process facilities built on such process communication.

Summary of the invention

The process communication device includes a process communication interface for communicating over a process communication loop in accordance with a process communication protocol. A controller is coupled to the process communication interface. A rules store is coupled to the controller and holds at least one process communication packet transmission rule that is based on the process communication protocol. The controller applies the at least one packet transmission rule to at least one process communication packet received from the process communication interface and generates event information when the process communication packet does not satisfy the at least one packet transmission rule.

Brief description of the drawings

FIG. 1 is a schematic view of a process communication system in accordance with an embodiment of the present invention.

FIG. 2 is a schematic view of a process communication and control system in which embodiments of the present invention are highly applicable.

FIG. 3 is a schematic view of another process communication and control environment with which embodiments of the present invention are particularly useful.

FIG. 4 is a schematic view of a process communication protection device in accordance with an embodiment of the present invention.

FIG. 5 is a flowchart of a method for providing intrusion detection and prevention in a process installation in accordance with an embodiment of the present invention.

FIG. 6 is a flowchart of a method for providing intrusion detection and prevention in a process installation in accordance with another embodiment of the present invention.

Detailed description of illustrative embodiments

Embodiments of the present invention generally use specific knowledge of the HART® protocol (both wired and wireless) and/or HART® device descriptions (DD) to observe anomalies in process communication network traffic entering the process loop, leaving the process loop, or even crossing the process loop. While embodiments of the present invention are generally described with respect to HART® process loops, embodiments of the present invention can be practised with any suitable process communication protocol that supports device descriptions.

The HART® protocol has a hybrid physical layer consisting of digital communication signals superimposed on a standard 4-20 mA analog signal. The data rate is approximately 1.2 kbps. The HART® protocol is one of the main communication protocols in the process industries. Wireless and wired HART® share essentially the same application layer. In addition, the contents of the commands are identical for wireless and wired HART®. Accordingly, while the physical layers may differ, at the application layer these two process communication protocols are very similar.

Security of the process communication network and of HART® traffic is important, and it becomes more important as HART® traffic can now be transmitted over TCP/IP networks as well as over wireless networks. Some network security has been provided by devices such as the one sold under the trade designation Model 1420 Wireless Gateway by Emerson Process Management of Chanhassen, Minnesota. This device is able to authenticate the sender and recipient, confirm that the data is valid, encrypt the process communication data and manage periodic changes of the encryption keys automatically. While the process communication security provided by the Model 1420 is invaluable in modern process communication networks, embodiments of the present invention generally build on the security provided by the 1420 Wireless Gateway by bringing in additional knowledge about the HART® protocol itself, HART® device descriptions (DD), or a combination thereof. Although embodiments of the present invention are applicable to any device that has access to process communication, it is preferred that embodiments be implemented either in a firewall device, in a gateway such as an enhanced wireless gateway, or in an access-point-type device.

FIG. 1 is a schematic view of a process communication system 10 in accordance with an embodiment of the present invention. System 10 includes a workstation 12 and a server 14 communicatively coupled to each other through an enterprise local area network (LAN) 16. Network 16 is connected to the Internet 18 through a LAN firewall 20. LAN firewall 20 is a well-known device that passes only selected TCP/IP traffic. In the embodiment illustrated in FIG. 1, process communication protection device 22 is connected to enterprise LAN 16 by connection 24 and additionally connects to field devices 1-n via port 26. Process communication protection device 22 protects the process segments/loops from malicious activity originating via Internet 18 and/or enterprise LAN 16. A processor in protection device 22 executes software instructions that are able to receive one or more process communication packets and test whether the packet(s) satisfy one or more rules that are based, in particular, on the HART® process communication protocol, on device description requirements, or on a combination thereof.

FIG. 2 is a schematic view of a process communication system 50 in which embodiments of the present invention are highly applicable. A number of workstations 52, 54 and 56 are connected together through enterprise LAN 16. Additionally, wireless process communication gateway 58 is also connected to LAN 16 through connection 60. The structure shown in FIG. 2 is the current environment in which the Model 1420 Smart Wireless Gateway operates. Gateway 58 communicates with one or more field devices 62 over a WirelessHART® network. Accordingly, embodiments of the present invention can be practised using a processor or other suitable controller located in gateway 58.

FIG. 3 is a schematic view of another process communication and control environment with which embodiments of the present invention are particularly useful. In particular, one or more gateways (1-n) 70, 72 are communicatively coupled through device 74. Each gateway can communicate with one or more access points. In accordance with an embodiment of the present invention, one of the access points 76 is configured, by hardware, software or a combination thereof, to receive process communication packets and examine them to determine whether the communication conforms to one or more rules based on the HART® protocol, on device descriptions, or on a combination thereof. Access point 76 listens for data on the wireless network and examines packets as they arrive. As a result of these checks, certain aspects of the communication traffic can be tracked (source address, rate of the incoming stream, known device, new device, association requests and others), and statistics and/or alerts can be provided to the gateway when events are detected. Embodiments of the present invention also include the use of a plurality of gateways and corresponding access points to provide a redundant pair.

FIG. 4 is a schematic view of a process communication protection device in accordance with an embodiment of the present invention. Protection device 100 includes a network interface port 102 connected to a data network, such as an Ethernet network. Port 102 is coupled to network interface physical layer 104, which forms and receives data packets in accordance with known methods. Network interface physical layer 104 is coupled to controller 106, which is preferably a microprocessor that includes, or is coupled to, suitable memory, such as random access memory, read-only memory, flash memory and the like, for storing and executing program instructions. Protection device 100 also preferably includes a wired process communication port 108 and/or a wireless process communication port 110 coupled to an antenna 112. In embodiments where protection device 100 is implemented in a wireless access point, the wired process communication port is not required. Each of ports 108, 110 may be coupled to HART® process communication interface 114. Interface 114 enables controller 106 to communicate with external devices, such as field devices, using the well-known HART® protocol. In some embodiments, HART® communication can be carried over an IP network, so network interface physical layer 104 may also be a source of HART® packets.

In accordance with an embodiment of the present invention, protection device 100 includes a rules store 116. Optionally, protection device 100 may also include a device description store 118. Rules store 116 includes non-volatile memory that stores one or more rules that can be executed on HART® process communication traffic and that are based on an understanding of the underlying HART® protocol. Rules store 116 enables controller 106 to determine whether the structure and/or contents of HART® packets are valid. Additionally, the validity of the packet's source and recipient can be determined. Finally, the contents of the packet itself can be analysed to determine whether they are correct. For example, a malformed packet may fail its cyclic redundancy check, its byte count, its payload size, etc. If the packet is invalid, protection device 100 will not forward the packet to the requested recipient. Additionally and/or alternatively, protection device 100 can store event data relating to the detection of the malformed packet and/or send a corresponding message to the responsible party. In addition, controller 106 can track and/or analyse the event data so that, if a number of malformed packets are detected from one source within a specific period of time, controller 106 may determine that an active attack is currently under way. If this happens, controller 106 may notify the user and/or the responsible party that an attack may be in progress, together with details of the suspected source of the attack. Moreover, controller 106 can act to discard all packets from that source until a user intervenes.

As illustrated in FIG. 4, protection device 100 may also include device description store 118. With the current state of memory technology, it is economically feasible for store 118 to be large enough to contain device descriptions for all known field devices that communicate in accordance with the HART® protocol as of the manufacturing date of protection device 100. In addition, as new HART® devices are produced, device description store 118 can be updated dynamically via data network port 102. Maintaining a comprehensive device description store 118 makes it possible to perform additional checks and/or tests on process communication packets. For example, if a given process communication packet comes from a field device that, according to its device description, is known to provide only a temperature measurement, a packet indicating a process pressure would be considered malformed coming from such a field device, even if the packet otherwise conforms to all the rules set out in rules store 116.

There are many different types of commands used in the HART® protocol. These command types include universal commands, common practice commands, wireless commands, device family commands and device-specific commands. With the exception of device-specific commands, at least some knowledge of the commands in each type is available from the HART® specification itself. In addition, even device-specific commands can be checked carefully if the process communication protection device holds a device description for the particular field device.

One example of a rule that can be applied at the application layer of a HART® packet is the following. Since, for a given version of HART®, the number of bytes for every single command is known, if the packet indicates the command, the known byte count can be checked against the packet. Even for device-specific commands, some rules can be provided. In particular, the command number can be tested to determine whether it lies within the permissible range (such as 128-240 and 64768-65021). Additionally, the total number of packet bytes can be determined and compared with the contents of the byte count field to check that they agree.

One of the significant advantages of implementing the process communication protection functionality in a gateway such as the Model 1420 is that the gateway knows about all the individual field devices on the network. In addition, the gateway has the further advantage of having access to all the information required (especially the decryption keys) to decrypt and check all HART® packets. Additionally, a protection device implemented in the gateway can build a database or list of known recipients/wireless devices and ensure that messages are forwarded only to such devices. Moreover, the protection device can check and/or ensure that packets are forwarded only from known/configured sources. Finally, as described above, the structure of the packet itself can be checked to determine whether the header contents are correct, whether the byte count matches the actual size of the packet, whether the CRC checksum is valid, and whether the recipient's address is permitted. In addition to these security measures, the controller of the protection device can respond to dynamic changes in communication. In particular, well-known neural network and/or artificial intelligence algorithms can be used to enable controller 106 to actually learn the network traffic. Additionally or alternatively, a set of statistics on network traffic and/or on the various recipients and sources can be maintained. If deviations from normal communication and/or from the stored statistical parameters are detected, an alert can be transmitted to the responsible party through either data network port 102 or process communication ports 108, 110. Additionally, suspicious communication behaviour patterns can be specifically identified on the basis of rules. For example, if controller 106 observes multiple requests to recipient addresses in which the device ID simply increases or decreases with each query, the behaviour pattern looks like an application searching for devices. Such a search can be considered malicious. Additionally, requests to devices in which the expanded device type increases or decreases cyclically can also indicate an application searching for a hit, and would likewise be considered a sign of malicious intent. Moreover, requests to a recipient address that contain simply increasing or decreasing message fields, such as the command, byte count or data fields, can indicate an application trying to find an accessible device and/or to break the process communication network. Detection of such a behaviour pattern can be considered a sign of malicious intent.
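The sweep heuristic just described, as an added Python example that is not code from the patent or from the Model 1420 gateway. It assumes the protection device already extracts, for each request, the source address and the field being varied; the record format, time window and run-length threshold are constructed for illustration, and the detector generalises the device-ID case to any request field (command number, byte count), as the text suggests.

```python
"""Detecting address/command sweeps from a single source (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed request records: (timestamp_s, source_address, field_name, field_value).
# Source 0x20 is a legitimate poller; source 0x99 walks device IDs 1..8 in turn.
SAMPLE_RECORDS: List[Tuple[float, int, str, int]] = [
    (0.0, 0x20, "device_id", 0x10),
    (1.0, 0x20, "device_id", 0x10),
    (2.0, 0x20, "device_id", 0x11),
    (3.0, 0x20, "device_id", 0x10),
] + [(0.5 * i, 0x99, "device_id", i + 1) for i in range(8)]


@dataclass
class ScanDetector:
    """Flags a source whose requests step a field by exactly +1 or -1, request after request."""
    window_s: float = 10.0   # assumption: a run must fit inside this many seconds
    run_length: int = 5      # assumption: this many stepwise requests in a row count as a sweep
    blocked: Set[int] = field(default_factory=set)
    _history: Dict[Tuple[int, str], Deque[Tuple[float, int]]] = field(
        default_factory=lambda: defaultdict(deque))

    def observe(self, ts: float, src: int, field_name: str, value: int) -> Optional[str]:
        """Record one request; returns an event string for a sweep or a drop, else None."""
        if src in self.blocked:
            # Response described in the text: discard everything from that source
            # until an operator intervenes (see clear()).
            return f"dropped: source {src:#04x} is blocked pending operator review"
        hist = self._history[(src, field_name)]
        hist.append((ts, value))
        while hist and ts - hist[0][0] > self.window_s:
            hist.popleft()
        run = self._trailing_step_run([v for _, v in hist])
        if run >= self.run_length:
            self.blocked.add(src)
            return (f"sweep of {field_name} from {src:#04x}: {run} consecutive "
                    f"stepwise requests within {self.window_s:g}s")
        return None

    @staticmethod
    def _trailing_step_run(values: List[int]) -> int:
        """Length of the run at the end of values in which every step is the same +1 or -1."""
        if len(values) < 2:
            return len(values)
        step = values[-1] - values[-2]
        if step not in (1, -1):
            return 1
        run = 2
        for i in range(len(values) - 2, 0, -1):
            if values[i] - values[i - 1] != step:
                break
            run += 1
        return run

    def clear(self, src: int) -> None:
        """Operator has reviewed the source: resume forwarding and forget its history."""
        self.blocked.discard(src)
        for key in [k for k in self._history if k[0] == src]:
            del self._history[key]


def replay(records: List[Tuple[float, int, str, int]]) -> Tuple[ScanDetector, List[str]]:
    """Feed records through a fresh detector and collect the events it raises."""
    detector = ScanDetector()
    events = [e for e in (detector.observe(*rec) for rec in records) if e]
    return detector, events


if __name__ == "__main__":
    _, evs = replay(SAMPLE_RECORDS)
    for e in evs:
        print(e)
```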

When a sign of malicious intent is detected, it is preferably logged locally in the protection device. Additionally, the protection device may include a Simple Network Management Protocol (SNMP) or syslog implementation to report the event and/or additional status information to the responsible party or to the information technology application. Syslog is a well-known logging mechanism used by server-type applications to log events/alerts to an external server or database for further analysis.

FIG. 5 is a flowchart of a method for providing intrusion detection and prevention in a process installation in accordance with an embodiment of the present invention. Method 200 begins at step 202, where the protection device or a process communication gateway receives at least one process communication packet and decrypts the packet. At step 204, method 200 applies at least one rule to the decrypted packet, where the rule is based on a priori knowledge of the HART protocol. As stated above, one exemplary rule is that, for a given HART command, the number of packet bytes must correspond to the number set out in the HART specification. At step 206, method 200 determines whether the decrypted packet has satisfied all the rules applied at step 204. If all the rules have been satisfied, control proceeds to step 208, where the packet is forwarded to its intended recipient. If, however, the packet fails at least one rule, control proceeds to step 210, where a security event is preferably logged or generated, and the packet is blocked from further transmission to the intended recipient.

FIG. 6 is a flowchart of a method for providing intrusion detection and prevention in a process installation in accordance with another embodiment of the present invention. Method 300 begins at step 302, where the protection device or process communication gateway receives at least one process communication packet and decrypts the packet when required. At step 304, method 300 applies at least one rule to the decrypted packet, where the rule is based on a device description (DD) of the process communication protocol (such as HART or Foundation Fieldbus). As stated above, one exemplary rule based on a device description would treat as malformed a packet in which a temperature sensor reports a process fluid pressure. At step 306, method 300 determines whether the decrypted packet has satisfied all the rules applied at step 304. If all the rules have been satisfied, control proceeds to step 308, where the packet is forwarded to its intended recipient. If, however, the packet fails at least one rule, control proceeds to step 310, where a security event is preferably logged, and the packet is blocked from further transmission to the intended recipient.

Methods 200 and 300 are not mutually exclusive. Instead, the positive result of one method can be provided as input to the other, so that intrusion detection and prevention in a process installation is based both on detailed knowledge of process communication packets and on device descriptions.
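Methods 200 and 300 combined into one rule pipeline, as an added Python example that is not the patent's own code. The frame layout, command byte-count table, device descriptions and variable codes are constructed stand-ins, not the HART® specification's actual encodings; only the device-specific command ranges are the ones quoted in the description above. A packet is forwarded only when every protocol rule and every device-description rule passes; otherwise the violations are returned as the event information to be logged.

```python
"""Combined protocol-rule and device-description checks on a process packet (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed frame layout (assumption, not the HART(R) wire format): 1-byte source address,
# 1-byte destination address, 2-byte big-endian command number, 1-byte byte count,
# data bytes, then a 1-byte XOR checksum over everything before it.
HEADER_LEN = 5

# Constructed command table: command number -> number of data bytes fixed for that command.
KNOWN_COMMANDS: Dict[int, int] = {1: 5, 2: 8, 3: 24}

# Device-specific command ranges quoted in the description above.
DEVICE_SPECIFIC_RANGES: Tuple[Tuple[int, int], ...] = ((128, 240), (64768, 65021))

GATEWAY_ADDR = 0x00
# Constructed device descriptions: field device address -> process variables it can report.
DEVICE_DESCRIPTIONS: Dict[int, FrozenSet[str]] = {
    0x10: frozenset({"temperature"}),              # temperature-only transmitter
    0x11: frozenset({"pressure", "temperature"}),  # multivariable transmitter
}
KNOWN_ADDRESSES = frozenset(DEVICE_DESCRIPTIONS) | {GATEWAY_ADDR}
# Constructed variable codes carried in the first data byte of a command 1 response.
VARIABLE_CODES: Dict[int, str] = {0x01: "temperature", 0x02: "pressure"}


@dataclass
class Packet:
    src: int
    dst: int
    command: int
    byte_count: int
    data: bytes
    checksum_ok: bool


def xor_checksum(payload: bytes) -> int:
    result = 0
    for b in payload:
        result ^= b
    return result


def build_frame(src: int, dst: int, command: int, data: bytes,
                byte_count: Optional[int] = None) -> bytes:
    """Encode a frame; byte_count may be overridden to construct a malformed test frame."""
    count = len(data) if byte_count is None else byte_count
    body = bytes([src, dst]) + command.to_bytes(2, "big") + bytes([count]) + data
    return body + bytes([xor_checksum(body)])


def parse_packet(frame: bytes) -> Optional[Packet]:
    """Split a raw frame into fields; None if it is too short to hold a header and checksum."""
    if len(frame) < HEADER_LEN + 1:
        return None
    body, checksum = frame[:-1], frame[-1]
    return Packet(src=body[0], dst=body[1], command=int.from_bytes(body[2:4], "big"),
                  byte_count=body[4], data=body[5:], checksum_ok=checksum == xor_checksum(body))


def protocol_rules(p: Packet) -> List[str]:
    """Rules needing only protocol knowledge (method 200): integrity, counts, command range, addresses."""
    events: List[str] = []
    if not p.checksum_ok:
        events.append("checksum mismatch")
    if p.byte_count != len(p.data):
        events.append(f"byte count field {p.byte_count} != actual data length {len(p.data)}")
    in_range = any(lo <= p.command <= hi for lo, hi in DEVICE_SPECIFIC_RANGES)
    if p.command in KNOWN_COMMANDS:
        if KNOWN_COMMANDS[p.command] != len(p.data):
            events.append(f"command {p.command} expects {KNOWN_COMMANDS[p.command]} "
                          f"data bytes, got {len(p.data)}")
    elif not in_range:
        events.append(f"command {p.command} outside permitted ranges")
    if p.src not in KNOWN_ADDRESSES:
        events.append(f"unknown source address {p.src:#04x}")
    if p.dst not in KNOWN_ADDRESSES:
        events.append(f"unknown destination address {p.dst:#04x}")
    return events


def device_description_rules(p: Packet) -> List[str]:
    """Rule needing the sender's device description (method 300): report only measured variables."""
    allowed = DEVICE_DESCRIPTIONS.get(p.src)
    if allowed is None or p.command != 1 or not p.data:
        return []
    variable = VARIABLE_CODES.get(p.data[0], "unknown")
    if variable not in allowed:
        return [f"device {p.src:#04x} reported {variable}; its description permits {sorted(allowed)}"]
    return []


def inspect_frame(frame: bytes) -> Tuple[bool, List[str]]:
    """Returns (forward, events): forward only when every rule passed; events are what gets logged."""
    p = parse_packet(frame)
    if p is None:
        return False, ["frame too short to parse"]
    events = protocol_rules(p) + device_description_rules(p)
    return not events, events
```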

Although the present invention has been described with reference to preferred embodiments, those skilled in the art will recognise that changes may be made in form and detail without departing from the spirit and scope of the invention.

1. A process communication device comprising:


a rules store coupled to the controller, the rules store holding at least one process communication packet transmission rule that is based on the process communication protocol;
a device description store coupled to the controller, the device description store holding at least one device description relating to a process value measured by at least one field device, the at least one field device being described by the at least one device description stored in the device description store,
wherein the controller applies the at least one packet transmission rule and the at least one device description to at least one process communication packet received from the process communication interface and generates event information when the process communication packet does not satisfy the at least one packet transmission rule or when the at least one process communication packet does not conform to the at least one device description for the at least one field device; and

2. The process communication device according to claim 1, wherein the process communication protocol is the HART (Highway Addressable Remote Transducer) protocol.

3. The process communication device according to claim 1, wherein the protocol superimposes a digital signal on a 4-20 mA analog current signal.

4. The process communication device according to claim 1, wherein the process communication interface is a wired process communication interface.

5. The process communication device according to claim 1, wherein the process communication interface is a wireless process communication interface.

6. The process communication device according to claim 5, wherein the process communication interface is also a wired process communication interface.

7. The process communication device according to claim 1, wherein the controller is configured to decrypt the at least one process communication packet before applying the at least one process communication packet transmission rule.

8. The process communication device according to claim 7, wherein the process communication device is implemented in a process communication gateway.

9. The process communication device according to claim 1, wherein the at least one process communication packet transmission rule relates a permissible number of packet bytes to the process communication protocol command contained in the packet.

10. The process communication device according to claim 1, wherein the at least one process communication packet transmission rule includes a permissible range of commands.

11. The process communication device according to claim 1, wherein the process communication device is implemented in an access point.

12. A method of providing process communication protection, comprising the steps of:
receiving at least one process communication packet sent from a field device in accordance with a process communication protocol;
applying at least one rule to the at least one process communication packet, the at least one rule being based on the process communication protocol;
applying at least a second rule to the at least one process communication packet, the at least second rule being based on a device description for the field device relating to a process value measured by the field device;
determining an event based on whether the at least one process communication packet has satisfied each of the at least one rule and the at least second rule; and
selectively forwarding the at least one process communication packet based on whether the at least one process communication packet has satisfied each of the at least one rule and the at least second rule.

13. The method according to claim 12, further comprising the step of logging the event.

14. A process communication device comprising:
a process communication interface configured to communicate with at least one field device over a process communication loop in accordance with a process communication protocol;
a controller coupled to the process communication interface;
a device description store coupled to the controller, the device description store holding at least one process communication packet transmission rule that is based on a device description relating to a process value measured by the at least one field device;
wherein the controller applies the at least one packet transmission rule to at least one process communication packet received from the process communication interface and generates event information when the process communication packet does not satisfy the at least one packet transmission rule; and
a network interface coupled to the controller, wherein the controller is configured to forward the process communication packet through the network interface if the process communication packet satisfies all the process communication packet transmission rules.

15. A method of providing process communication protection, comprising the steps of:
receiving at least one process communication packet in accordance with a process communication protocol, the at least one process communication packet carrying information to or from at least one field device;
retrieving, from a device description store in a process communication device, a device description that describes the at least one field device and relates to a process value measured by the at least one field device;
applying at least one rule to the at least one process communication packet, the at least one rule being based on the retrieved device description;
determining an event based on whether the at least one process communication packet has satisfied each of the at least one rule; and
selectively forwarding the at least one process communication packet based on whether the at least one process communication packet has satisfied each of the at least one rule.

16. The method according to claim 15, further comprising the step of logging the event.


Traditionally it is believed that system security testing is performed only from the outside, by simulating a remote penetration attack on the network. In most cases companies concentrate their efforts on protection against remote penetration, using firewalls and other means of strengthening security. However, given the wide spread of smartphones and Wi-Fi networks, there are ways to penetrate the network from inside the office space.

Mobile phones have many capabilities: Wi-Fi support, a video camera, storage, connectivity to 3G and 4G networks and a large number of applications. If the phone is rooted, its hardware and network capabilities are not only comparable to those of a desktop computer but even surpass it in some respects. All this allows smartphones to be used for network penetration testing just like computers, and even more conveniently, since a mobile device can easily be hidden in a pocket or inside the office space.

A warning: the information in this article is provided for informational purposes only. The tools presented should be used only for research and for testing your own networks and/or with the consent of the administrator. Some of the programs can disrupt the operation of both the phone and the network. Do not use these methods on production networks or anywhere you are not permitted to.

Setting up the phone

In my experiments I use a phone running the Android operating system, more precisely a Samsung Galaxy S with privileged (root) user rights. I strongly recommend obtaining root access by installing new firmware, e.g. Cyanogen (I used Cyanogen 7). Many of the applications mentioned in the article require root privileges. It is also advisable to conduct experiments not on your working phone but on some other one, since a rooted phone is less protected against malware.

You can install most Linux distributions on Android phones, including BackTrack 5, using GitBrew. However, using Linux on an Android phone is somewhat awkward, and a netbook may be more convenient for you. In this article I will instead use some dedicated Android applications that take advantage of the particular hardware of smartphones. If you have successful experience with other platforms, share it in the comments.

Network and vulnerability scanners

The first application I used during the tests is a network scanner. There are many such programs on the Android Marketplace. One of them is Network Discovery, which is free and does not require root privileges. Its developers created a convenient design that lets you see the network objects at a glance, which is not easy given the limited area of a mobile phone screen. The program identifies the operating system, the type and the manufacturer of each network device. Network Discovery works with Wi-Fi networks, allowing you to connect both to open networks and to password-protected ones.

In addition to connecting to the network, you need to be able to search for available networks, open ports on devices, vulnerabilities and so on. This takes a lot of time and requires many tools. Two utilities help here. One of them, Anti, was created by the Israeli company Zimperium. The second, dSploit, is an open source project. The latter was not studied in full, since errors occurred during testing, but as soon as I have a working version of dSploit I will write an additional article.

The Anti and dSploit utilities automate the search for vulnerabilities. When started, they look for open networks, scan the devices on the network and try to test each device for vulnerabilities. If any are found, Anti tries to gain access to the device by running exploits from the Metasploit and ExploitDB databases, after which remote administration is possible, for example taking a screenshot or ejecting the disk on the device (to confirm that you have administrator rights on the system).

The basic version of Anti supports a small number of exploits, although in the extended version, which the developers kindly provided to me, the list is significantly larger. In addition, the utility allows password guessing with various dictionaries and has other functions, some of which are found only in the paid version of the program.

The "Cracker" function tries passwords against all open ports, and its running time depends on the number of ports and the size of the loaded dictionary. When testing the network I managed to detect several vulnerabilities. These were mainly public directories and a router that still had the default password in its settings.

The built-in monitor lists Wi-Fi networks and shows signal strength and network availability. The network scanner is quite fast: I managed to survey a very large network in about 30 seconds. When you start a scan, the program asks whether to conduct an additional detailed vulnerability check of the devices.

Anti and dSploit are excellent tools for searching for vulnerabilities from mobile devices. Testing starts with one click, finding unprotected Wi-Fi networks and obtaining more detailed information automatically. In fact, you can start the search and put the phone back in your pocket, which makes mobile devices a powerful tool for checking network security.

3. EUMM network protection

EUMM network protection: nomenclature, status, relationship

According to security policy experts, at least the following aspects should be considered:

  • authorization of access to computer systems, user identification and authentication;
  • control of access rights;
  • monitoring of protection and analysis of statistics;
  • configuring and testing systems;
  • training measures;
  • physical security;
  • network security.

The first of the listed items is the outpost: it is defined by criteria that admit to the system only those users who have the right to it, so that everyone else cannot even attempt to log in. The standard tool for implementing this feature is special files or lists of hosts from which remote login is allowed. True, the developers of such tools always leave temptations for administrators (for some reason there is always a "button" that opens the entrance to everyone). Probably in some cases removing the control has its reasons, usually citing the reliability of other means or the absence of direct entry points, but it is difficult to foresee every possible situation when working with networks. Therefore access validation must be configured deliberately, without relying on the default settings.
As practice shows, this type of protection is not able to significantly reduce the probability of penetration. Its real value lies elsewhere: in registering and accounting for the network users who attempt to enter the system.

The central role in modern security systems is assigned to identification and authentication procedures. Three basic ways of implementing them are known:

  • using a password or passphrase known to the user;
  • using a personal item or document that only the user possesses: a smart card, a pocket authenticator or simply a specially made identity card (it is assumed that the authenticator is never handed to anyone else);
  • through authentication of the user's own characteristics: fingerprints, voice, retina pattern and so on. These identification methods are being developed within biometrics.

The most reliable authentication schemes are built as a combination of these methods, but the most widespread remains the first, password-based one. Not surprisingly, hackers are well armed with tools for obtaining login names and passwords. If they manage to copy the password file to their own machine, a guessing program is launched, typically using a large dictionary. Such programs work quickly even on weak computers, and if the security system does not control how passwords are formed, the likelihood of guessing at least one is high. Then the disclosed account is used in an attempt to obtain privileged rights, and the job is done.
Especially dangerous, and not only for themselves, are machines with disabled protection mechanisms or none at all. Administrators have the means to establish trust relationships between hosts using hosts.equiv files and xhost. With an unfortunate configuration, a hacker can enter an unprotected machine and, without any identification, gain transitive access to all hosts of the corporate network.
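The hosts.equiv trust file mentioned above is small enough to audit mechanically. The following is an added example, not code from the original article: it parses the classic hosts.equiv line format ("host [user]", where a leading "+" means "any", a leading "-" denies, and "@name" refers to a netgroup) and reports the entries that grant password-less login too widely. The file content in SAMPLE_HOSTS_EQUIV is constructed for illustration and does not come from any real system.

```python
"""Audit hosts.equiv-style trust entries for over-broad trust.

Added example, not code from the original article. SAMPLE_HOSTS_EQUIV is a
constructed sample. The semantics encoded here are those of the classic
hosts.equiv format: "+" as host means any host, "+" as user means any user,
and a named user field grants that remote user password-less access to all
local non-root accounts.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_HOSTS_EQUIV = """\
# constructed sample hosts.equiv
+ +                 # everyone, everywhere: the classic misconfiguration
build01             # same-named users on build01 log in without a password
+                   # any host: the "button" that opens the door to everyone
backup01 operator   # user operator on backup01 gets local non-root accounts
-@untrusted         # denial entry for a netgroup: grants nothing
"""


@dataclass
class TrustEntry:
    line_no: int
    host: str
    user: Optional[str]                 # None when no user field is present
    risks: List[str] = field(default_factory=list)


def parse_hosts_equiv(text: str) -> List[TrustEntry]:
    """Parse hosts.equiv text and attach risk findings to every entry."""
    entries: List[TrustEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entry = TrustEntry(line_no, host, user)
        if host.startswith("-"):
            entries.append(entry)                 # denial entries grant no access
            continue
        if host == "+":
            entry.risks.append("any host trusted")
        if user == "+":
            entry.risks.append("any user trusted")
        if host == "+" and user == "+":
            entry.risks.append("unrestricted password-less login from anywhere")
        # A plain user name (not +, -, or a netgroup) is a super-trust entry:
        # that remote user may log in as any local non-root account.
        if user is not None and not user.startswith(("+", "-", "@")):
            entry.risks.append(
                "remote user %s may log in as any local non-root account" % user)
        entries.append(entry)
    return entries


def risky_entries(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, risks) for entries carrying at least one risk."""
    return [(e.line_no, e.risks) for e in parse_hosts_equiv(text) if e.risks]


if __name__ == "__main__":
    for line_no, risks in risky_entries(SAMPLE_HOSTS_EQUIV):
        print("line %d: %s" % (line_no, "; ".join(risks)))
```

Run it against a real file by reading the file into a string and passing it to risky_entries; an empty result means no wildcard or super-trust entries were found, which is the state the article's advice on configuring access validation without default settings aims for.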


The next point of the security policy is control of access rights. It is intended to ensure that after the authentication procedure succeeds, only a subset of the system's files and services becomes available to the user. Thanks to this mechanism users can read, for example, only their own e-mail and not a neighbour's letter. Usually access rights are set by the users themselves: the owner of the data may allow others to work with it, just as the system administrator manages the rights of access to system and configuration files. It is only important that the owner always bears personal responsibility for his property.
The delimitation of rights is not limited to data: in parallel, users are assigned subsets of permitted operations. Take for instance an automated air ticket sales system. The cashier will certainly be able to connect to the central database, requesting information about free seats and registering sales. But his rights must be limited so that he cannot change the organization's settlement accounts or raise a salary.
Usually, in multi-user applications, access is delimited by discretionary access control (DAC), and in operating systems by file attributes and the process identifiers EUID and EGID. This tidy picture is disturbed by the SUID and SGID bits, which allow the permissions of processes to be modified programmatically. Potential security threats are scripts with the setuid function, especially setuid root. They should either not be created at all or must themselves be reliably protected.
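The setuid and setgid bits the paragraph warns about can be inventoried with a short audit. The following is an added example, not code from the original article: it walks a directory tree, reports every regular file carrying SUID or SGID, and flags the combinations the text singles out (setuid files owned by root, and interpreter scripts carrying SUID or SGID), plus the world-writable case, where anyone could replace the privileged code. The classification is a pure function so it can be checked without privileged files on the machine.

```python
"""Inventory setuid/setgid files and flag the dangerous combinations.

Added example, not code from the original article. classify() decides the
risk flags from a file's mode, owner uid and first bytes; audit_tree()
applies it to a directory tree. root_uid defaults to 0 (root).
"""
import os
import stat
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    path: str
    mode: int
    uid: int
    flags: List[str] = field(default_factory=list)


def classify(mode: int, uid: int, header: bytes, root_uid: int = 0) -> List[str]:
    """Return risk flags for one file given its st_mode, st_uid and leading bytes."""
    flags: List[str] = []
    if not stat.S_ISREG(mode):          # only regular files can be executed setuid
        return flags
    is_suid = bool(mode & stat.S_ISUID)
    is_sgid = bool(mode & stat.S_ISGID)
    if is_suid:
        flags.append("setuid")
    if is_sgid:
        flags.append("setgid")
    if is_suid and uid == root_uid:
        flags.append("setuid-root")      # runs with full privileges for any caller
    if (is_suid or is_sgid) and header.startswith(b"#!"):
        flags.append("setuid-script")    # interpreter scripts must never carry SUID/SGID
    if (is_suid or is_sgid) and mode & stat.S_IWOTH:
        flags.append("world-writable")   # anyone could swap in their own code
    return flags


def audit_tree(root_dir: str, root_uid: int = 0) -> List[Finding]:
    """Walk root_dir and return one Finding per file with SUID or SGID set."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            header = b""
            try:
                with open(path, "rb") as fh:
                    header = fh.read(2)  # enough to recognise a shebang
            except OSError:
                pass                     # unreadable file: still reported, minus the script check
            findings.append(Finding(path, st.st_mode, st.st_uid,
                                    classify(st.st_mode, st.st_uid, header, root_uid)))
    return findings


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for f in audit_tree(start):
        print("%s %o uid=%d %s" % (f.path, stat.S_IMODE(f.mode), f.uid, ",".join(f.flags)))
```

Running the script over the system binaries once at commissioning and storing the output gives a baseline; the configuration management the next paragraphs describe then reduces to diffing the current inventory against that baseline.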
It is impossible to achieve security without maintaining order across the entire network infrastructure of the enterprise. Configuration management is a set of technologies that monitor the state of software, equipment, users and networks. Usually the configuration of a computer system and its components is clearly defined at the moment of commissioning, but over time control is increasingly lost. Configuration management tools are designed to formalize and document all changes occurring in the system.
With high-quality control, first, a strict procedure for making changes must be thought out and defined. Second, all changes should be assessed from the point of view of the overall protection policy. Although this policy may be adjusted, it is important that the coherence of decisions is preserved at every turn of the life cycle, including for outdated systems that remain in the network; otherwise they turn into the very "weak link".
All the listed aspects of protection are in some way based on software technologies, but there are extremely important issues outside this circle. The corporate network includes the real world: users, physical devices, media and so on, which can also cause trouble. Our users, apparently by virtue of historical tradition, treat questions of secrecy ironically. In network work such an attitude urgently needs to change, fostering awareness of the basic principles of protection. This is the first stage, after which one can move on to the next, technical training, which not only users but also professionals should undergo. As security policy specifications are developed, system and database administrators must become familiar with them to the extent of being able to embody them in specific software solutions.
A typical loophole for hackers is "weak", that is easily guessed, passwords. The situation can be corrected by training users to treat access control consciously: to change passwords periodically and to form them correctly. Surprisingly, even in a qualified environment a common slip is a password formed from the login name with a single character appended at the end. The role of physical security decreases as protection technologies progress, but it still constitutes an important part of the overall policy. If an intruder can reach the physical components of the network, he can usually log in to the system without authorization. Moreover, the possibility of physical user access to critical components of the system increases the likelihood of unintentional failures. Hence direct contact with vital computer and network equipment should be limited to the smallest possible circle of personnel, namely system administrators and engineers. This does not imply any exceptional trust in them; it simply decreases the likelihood of incidents and, if something does happen, makes the diagnosis more definite. Recalling my own experience, I can confirm the usefulness of simple organizational measures: do not put valuable equipment in a walk-through yard.
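The "login name plus one character" password the paragraph describes is easy to reject at the moment a password is set, before it ever reaches the password file. The following is an added example, not code from the original article; the policy it encodes is an assumption (minimum length, no login name in the password, no dictionary word even with trailing digits or common digit-for-letter substitutions), and it generalizes slightly beyond the single case in the text. SAMPLE_DICTIONARY is a constructed handful of words standing in for the large dictionary a real deployment would load.

```python
"""Reject weak passwords at the point where they are set.

Added example, not code from the original article. The policy is an
assumption: minimum length, no login name inside the password (including
the login name with one character appended), and no dictionary word, even
with trailing digits or common digit-for-letter substitutions.
SAMPLE_DICTIONARY is a constructed sample.
"""
from typing import Iterable, List

SAMPLE_DICTIONARY = frozenset({"password", "welcome", "letmein", "summer", "qwerty"})

# Common substitutions guessing programs try first: 0->o, 1->i, 4->a, 3->e, $->s, @->a, !->i
_LEET = str.maketrans("0143$@!", "oiaesai")


def _normalize(s: str) -> str:
    """Lower-case and undo the usual digit-for-letter substitutions."""
    return s.lower().translate(_LEET)


def weak_password_reasons(username: str, password: str,
                          dictionary: Iterable[str] = SAMPLE_DICTIONARY,
                          min_length: int = 12) -> List[str]:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)

    u = _normalize(username)
    raw = password.lower()
    p = _normalize(raw)
    if p == u:
        reasons.append("equals the login name")
    elif len(p) == len(u) + 1 and p.startswith(u):
        reasons.append("login name with a single character appended")
    elif u and u in p:
        reasons.append("contains the login name")

    # Strip trailing digits before normalizing so "Summer2024" is seen as "summer".
    stripped = _normalize(raw.rstrip("0123456789"))
    words = {_normalize(w) for w in dictionary}
    if p in words or stripped in words:
        reasons.append("dictionary word (possibly with trailing digits)")
    return reasons


def password_is_acceptable(username: str, password: str,
                           dictionary: Iterable[str] = SAMPLE_DICTIONARY,
                           min_length: int = 12) -> bool:
    """Convenience wrapper for a password-change hook."""
    return not weak_password_reasons(username, password, dictionary, min_length)


if __name__ == "__main__":
    for user, pw in [("jsmith", "jsmith1"), ("jsmith", "Passw0rd2024"),
                     ("jsmith", "correct horse battery staple")]:
        print("%-30s %s" % (pw, weak_password_reasons(user, pw) or "ok"))
```

The check runs on the clear-text password only at the moment it is chosen, which is the one point where the system can enforce how passwords are formed; it never needs the stored hashes, so it adds nothing to what an attacker who copies the password file can learn.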
Hoping for the best, it is not a bad idea to foresee bad outcomes as well. It will not hurt to have an emergency plan in case of a power failure or other cataclysms, including malicious penetration. If a break-in has nonetheless happened, you need to be prepared to respond very quickly, before the attackers have time to cause serious damage to the system or change the administrative passwords.
Network security issues in the context of the overall protection policy should cover various types of access:

Accordingly, mechanisms of two types are used: internal ones and those lying on the perimeter of the enterprise network, where external connections occur.
For internal network security it is important to ensure the correct configuration of equipment and software through configuration management. External network security implies defining clear network boundaries and installing firewalls at critical points.

Security risk assessment

The protection policy is implemented, and you could relax, but it is better not to wait for the hackers to arrive and instead to find out how well your system can withstand external attacks. The goal is to evaluate the degree of security and identify the strong and weak points of the protection. The assessment can be performed in-house, although it may be easier to use the services of a company specializing in such activity. In-house experts face additional difficulties: they will have to ask their colleagues difficult questions and draw conclusions that may not please everyone.

Assessment and testing of the security policy
The first step is to compare the provisions set out in the security policy with what actually takes place. To do this, you need to find answers to questions such as these.

  • Who determines what is confidential?
  • Are there procedures for working with confidential information?
  • Who establishes the set of confidential information disclosed to personnel so that they can perform their operational functions?
  • Who administers the security system and on what basis?

It is not always easy to obtain such information. In the best case, you need to collect and read the published formal documents containing the provisions of the security policy, work procedures, architectural diagrams and so on. However, in the majority of organizations such documents do not exist at all, and where they do, they are practically ignored. Then, in order to identify the real state of affairs, you will have to carry out one-time observations of workplaces, determining at the same time whether any manifestations of a unified policy can be noticed.
The difference between the written rules and the typical practices of staff can be very large. For example, the published policy may state that under no circumstances may a password be used by several employees. Apparently there are many organizations in which this is observed, but even more of them suffer from password sharing.
Some weaknesses of corporate culture can be discovered only through covert reconnaissance. For example, the corporate policy may assert that passwords are secret and must not be written down anywhere, while a quick walk through the premises will show that they are written directly on the keyboard or monitor. Another effective technique is to survey users about the rules for working with information. From such an interview you can find out what information is most valuable to the employee and how it is represented within the corporate network and outside it.

Study of open sources
Knowledge is power. Following this motto, an attacker can extract a fair share of genuinely private internal information about a company by digging through its open, publicly available materials. In the second stage of the security assessment it is therefore necessary to find out how much an outsider can learn about the company. "Useful" information that gives penetrating power may include: the types of operating systems used, the installed software, the canonical format of user login names, internal IP addresses or private host and server names.
It is possible (and necessary) to take measures to reduce the amount of information that hackers and crackers can collect, but for this you need an idea of what has already leaked and an understanding of how the leak occurred. The study of materials published by employees on the Internet deserves close attention. A case is known when a company presented on its web page a fragment of the source code of a critical application. Similar collisions can occur in materials placed in newspapers, magazines and other sources.
The results of the study of open materials should be the basis for making adjustments to the rules for preparing open publications.

Host system security assessment
Central processing systems (host systems), as a rule, look better in terms of security than everything else, for a simple reason: host systems are more mature, and their operating systems and protection are better worked out and mastered. Some of the most popular protection products for mainframes and mid-range computers have several decades of track record.
This, of course, does not mean that your host system is safe a priori. The old host may be the weaker link, for example if it was created in "prehistoric" times when nobody thought about any local or global network. It is necessary to evaluate the security scheme and its implementation on the host system from a new standpoint, and to determine how well the application software, the protection mechanisms of the operating system and the network work together. Since at least two groups of specialists take part in organizing the computing, one for the operating system and one for applications, it is possible that each of them is concerned with protection from the colleagues, and the net result may be zero.

Security analysis of servers
Unlike host systems, file, application and database servers are younger and relatively less worked out: for many of them the protection apparatus is only a few years old. Most of these tools undergo constant updates and patching. Servers are often administered by specialists with little experience, so the security of this class of systems usually leaves much to be desired. The situation is exacerbated by the fact that, by definition, the servers are accessible to a very diverse public over telephone or remote communication lines. Consequently, server security assessment requires increased attention. There are some tools for this, including Kane Analyst (Novell and NT). Products of this kind examine the servers (using privileged access) and produce a report on the configuration, on the practice of administering the protection system and on the user population. Using automated tools makes sense: a single scan can identify problems that would hardly be detected even by many hours of manual analysis. For example, a scan can quickly identify the percentage of users who have an excessive level of access rights or are members of too many groups.
The following sections discuss two more stages: security analysis of network connections.

Simulating Controlled Penetration
Apparently, one of the best ways to verify the reliability of protection is to hire a qualified hacker and ask him to demonstrate his skills on your network. This type of assessment is called controlled penetration testing.
In preparing such a test, it is worthwhile to agree on restrictions on the scope and type of the attack, since it is only a matter of checking, which must in no case lead to a disruption of normal operation. Within the agreed rules, the "combat" team then chooses the types of tests.
There are two approaches here. In the first, the test is carried out as a real hacker would carry it out. This approach is called blind penetration. Its distinguishing feature is that the person performing the test is told, for example, only a URL, while internal information, such as additional access points to the Internet or direct connections to the network, is not disclosed.
In the second approach, "informed penetration", the hacking team has some information about the network structure before the attack. This approach is justified when particular components must be checked. For example, when a firewall is installed in the system, its rule set must be tested separately.
Many tests can be divided into two groups: penetration from the Internet and penetration over telephone lines.

Scanning the Internet Connection
Usually, the main security hopes are pinned on the firewalls between the internal corporate network and the Internet. It should be kept in mind, however, that a firewall is only as good as its installation: it must be placed at the proper point and run on a reliable operating system. Otherwise it will simply become a source of a false sense of security.
To check firewalls and similar systems, scans and penetration tests are performed that imitate an attack directed at the system under test from the Internet. Many software tools exist for such testing, for example two popular ones, ISS Scanner (a commercial product) and SATAN (freely distributed; note: not updated since 1995). You may choose other scanners, but the tests will make sense only when three conditions are met: you must master the correct control of the scanner, the scan results must be carefully analyzed, and the largest possible part of the infrastructure should be scanned.
The main "targets" of this group of tests are the servers of open Internet services (WWW, SMTP, FTP and so on). Reaching these servers themselves is easy: their names are known and entry is free. The hacker will then try to get at the data of interest. There are several hacking techniques that can be tried directly against the server. In addition, starting from the server's IP address, a scan can be initiated in an attempt to identify any other hosts in the same address range. If something is found, then for each IP address involved a port survey is launched to determine the services running on the host. In many cases, an attempt to connect to or use a service reveals information such as the server platform, the operating system version and even the service version (for example, sendmail 8.6).
Armed with this information, a hacker can launch a series of attacks against the well-known vulnerable points of the hosts. As experience shows, in most situations it is possible, by collecting a sufficient amount of information, to obtain some level of unauthorized access.

Attacks via Telephone Numbers
Over the past decade, the modem has revolutionized computer communications. However, these same modems, if installed on computers connected to the network and left in auto-answer mode, are among the most vulnerable points. A telephone-number attack (war dialing) is a brute-force enumeration of all number combinations in order to find the answer tone of a modem.
A program running in automatic mode can dial a huge range of telephone numbers in a night, registering the modems it detects. In the morning, over a cup of coffee, the hacker receives a text file with modem numbers and can attack them. What makes this kind of attack especially dangerous is that many companies allow themselves to keep either uncontrolled or unauthorized links to the Internet that bypass the firewalls and open direct access to the internal network.
The same attack can be carried out in test mode; the results will show which modem numbers could be subjected to a real break-in. This type of testing is fairly simple. In the blind variant, the penetration team finds the company's telephone exchanges (from various open sources, including its Web page); if the test is not blind, this information is given to the team. The range of telephone numbers on the exchanges is dialed automatically to determine the numbers to which modems are connected. Modem attack methods can rely on terminal programs such as HyperTerminal and remote access control programs such as pcAnywhere. Again, the goal is to get any level of access to a device on the internal network. If a connection and a successful login occur, a new game begins.

From all this one can draw the following conclusion: the security of the network can be maintained on one's own, but it must be a highly professional activity, not a one-off campaign. The enterprise network is almost always a large system, and no one person can solve all of its security problems alone.

Leaving aside the state laws on computer security and the standards, three types of information source can be recommended as the most useful and necessary in practical work:

  • the relevant sections of the documentation for the operating systems and applications in use;

  • the Web pages of the software and OS vendors, which publish announcements of new versions with corrected errors and patches;

  • at least two organizations, CERT (Computer Emergency Response Team) and CIAC (Computer Incident Advisory Capability), which collect and distribute information about break-ins, give advice on eliminating their consequences, and report the identified software errors through which attackers penetrate computer systems.

Just as a systematic approach is a prerequisite for reliable protection, every system has its own life cycle. For a security system it is: design, implementation, evaluation, update.

Methods of penetration of malicious programs in the system

The first task of virus writers and cybercriminals is to introduce a virus, a worm or a Trojan program into the victim's computer or mobile phone. This goal is achieved in various ways, which fall into two main categories:

social engineering (a term borrowed from the English "Social Engineering");

technical methods of introducing malicious code into the infected system without the user's knowledge.

Often these methods are used together. At the same time, special measures are taken to counter anti-virus programs.

Social engineering

Social engineering methods in one way or another make the user run the infected file or open a link to an infected website. These methods are used not only by numerous mail worms but also by other types of malicious software.

The task of hackers and virus writers is to attract the user's attention to the infected file (or to an HTTP link to the infected file), to interest the user and make him click on the file (or on the link to it). The "classic of the genre" is the LoveLetter mail worm of May 2000, which according to Computer Economics still holds the lead in the scale of the financial damage it caused. The message that the worm displayed on the screen looked like this:

Very many people reacted to the "I Love You" confession, and as a result the mail servers of large companies could not withstand the load: the worm sent copies of itself to all contacts in the address book each time the attached VBS file was opened.

The MyDoom mail worm, which "stormed" the Internet in January 2004, used texts imitating technical messages from a mail server.

It is also worth mentioning the Swen worm, which passed itself off as a message from Microsoft and masqueraded as a patch fixing a number of new vulnerabilities in Windows (it is not surprising that many users succumbed to installing the "next patch from Microsoft").

There are also cases such as the one that occurred in November 2005. One of the versions of the Sober worm reported that the German criminal police were investigating cases of visits to illegal websites. This letter reached a fan of child pornography, who took it for an official letter and obediently surrendered to the authorities.

Recently it is not files attached to the letter that have gained popularity, but links to files located on an infected site. A message is sent to the potential victim by mail, via ICQ or another instant messenger, less often through IRC Internet chats (in the case of mobile viruses the usual delivery method is an SMS message). The message contains some attractive text that makes the unsuspecting user click on the link. This method of penetrating victims' computers is today the most popular and effective, since it allows bypassing the vigilant anti-virus filters on mail servers.

The possibilities of file-sharing (P2P) networks are also used. The worm or Trojan program is placed in the P2P network under a variety of "tasty" names, for example:

AIM & AOL PASSWORD HACKER.EXE

Microsoft CD Key Generator.exe

play Station Emulator Crack.exe

While searching for new programs, users of P2P networks stumble upon these names, download the files and run them.

Another fairly popular "scam" is when the victim is sent a free utility or instructions for hacking various payment systems. For example, the victim is offered a way to get free Internet access or free mobile service, to download a credit card number generator, to increase the amount of money in a personal Internet wallet, and so on. Naturally, the victims of such fraud are unlikely to go to law enforcement agencies (after all, they themselves tried to earn money in a fraudulent way), and Internet criminals take advantage of this.

An unusual kind of "scam" was used by an unknown attacker from Russia in 2005-2006. The Trojan program was sent to addresses found on the Job.ru website, which specializes in employment and personnel search. Some of those who published their resumes there received a supposed job offer with a file attached to the letter, which they were invited to open and read. The file was, of course, the Trojan program. It is also interesting that the attack was carried out mainly against corporate mail addresses. The calculation was apparently that company employees would be unlikely to report the source of the infection. So it happened: for more than six months the Kaspersky Lab specialists could not obtain intelligible information about how the Trojan program had penetrated users' computers.

There are also fairly exotic cases, for example a letter with an attached document in which a bank's client is asked to confirm (or rather, to report) his access codes: print the document, fill out the attached form and then send it by fax to the telephone number specified in the letter.

Another unusual case of spyware delivery "to the home" occurred in Japan in the fall of 2005. Some attackers sent CDs infected with a Trojan spy to the home addresses (city, street, house) of clients of one of the Japanese banks. They used information from a client database of that very bank that had been stolen beforehand.

Injection Techniques

These techniques are used by intruders to introduce malicious code into the system covertly, without attracting the attention of the computer's owner. This is done through vulnerabilities in the security system of operating systems and in software. The presence of vulnerabilities allows a network worm or Trojan program made by an attacker to penetrate the victim's computer and launch itself independently.

Vulnerabilities are essentially errors in the code or in the logic of various programs. Modern operating systems and applications have a complex structure and extensive functionality, and it is simply impossible to avoid errors in their design and development. Viruses and computer intruders take advantage of this.

Vulnerabilities in the Outlook mail client were used by the Nimda and Aliz mail worms. To launch the worm file, it was enough to open an infected letter or simply to place the cursor on it in the preview window.

Malicious programs have also actively used vulnerabilities in the network components of operating systems. The worms CodeRed, Sasser, Slammer, Lovesan (Blaster) and many other worms running under Windows used such vulnerabilities to spread. Linux systems have also been hit: the Ramen and Slapper worms penetrated computers through vulnerabilities in this operating environment and its applications.

In recent years, one of the most popular infection methods has become the introduction of malicious code through web pages. Vulnerabilities in Internet browsers are often used for this. A file and a script program that exploits a vulnerability in the browser are placed on the web page in advance. When the user arrives at the infected page, the script program is triggered; through the vulnerability it downloads the infected file to the computer and starts it there. As a result, to infect a large number of computers it is enough to lure as many users as possible to such a web page. This is achieved in various ways, for example by sending spam with the address of the page, by sending similar messages through instant messengers, and sometimes even search engines are used for this. The infected page carries varied text, which sooner or later is indexed by search engines, and a link to this page then appears among other pages in the search results.

A separate class is the Trojan programs designed to download and launch other Trojan programs. Usually these Trojans, which are very small, "fit" onto the victim's computer in one way or another (for example, using the next vulnerability in the system), and then independently download other malicious components from the Internet and install them in the system. Such Trojans often change the browser settings to the least safe ones to "ease the road" for other Trojans.

Vulnerabilities that become known are corrected fairly promptly by developers, but information about new vulnerabilities appears constantly, and it is immediately put to use by numerous hackers and viruses. Many Trojan "bots" use new vulnerabilities to increase their numbers, and new errors in Microsoft Office immediately begin to be used to introduce the next Trojan programs into computers. At the same time, unfortunately, there is a tendency for the time gap between the appearance of information about the next vulnerability and the beginning of its use by worms and Trojans to shrink. As a result, the manufacturers of vulnerable software and the developers of anti-virus programs find themselves in time trouble. The former must fix the error as quickly as possible, test the result (usually called a "patch" or "fix") and send it to users, and the latter must immediately release a tool for detecting and blocking the objects (files, network packets) that use the vulnerability.

Simultaneous Use of Injection Techniques and Social Engineering Methods

Quite often computer intruders use both methods at once. The social engineering method serves to attract the attention of the potential victim, and the technical one to increase the likelihood that the infected object penetrates the system.

For example, the Mimail mail worm spread as an attachment in email. To make the user pay attention to the letter, a specially designed text was inserted into it, and to launch a copy of the worm from the ZIP archive attached to the letter, a vulnerability in the Internet Explorer browser was used. As a result, when the file was opened from the archive, the worm created a copy of itself on the disk and launched it without any system warnings or additional actions by the user. Incidentally, this worm was one of the first intended for stealing personal information of users of E-Gold Internet wallets.

Another example is a spam mailing with the subject "Hi" and the text "see what they write about you". The text was followed by a link to a certain web page. Analysis showed that this web page contained a script program that, using another vulnerability in Internet Explorer, loaded the LdPinch Trojan program onto the user's computer, intended for stealing various passwords.

Countering antivirus programs

Since the goal of computer intruders is to introduce malicious code into victims' computers, they need not only to force the user to run an infected file or to enter the system through some vulnerability, but also to slip unnoticed past the installed anti-virus filter. It is therefore not surprising that attackers purposefully struggle against anti-virus programs. The technical techniques used are very diverse, but the following are found most often:

Packing and encryption of code. A significant part (if not the majority) of modern computer worms and Trojan programs are packed or encrypted in one way or another. Moreover, the computer underground creates packing and encryption utilities specially designed for this. For example, absolutely all the files processed with the Cryptexe, Exeref and Polycrypt utilities, and some others, turned out to be malicious.

To detect such worms and Trojans, anti-virus programs have to either add new unpacking and decryption methods or add signatures for each sample of the malicious program, which reduces the quality of detection, since far from all possible modified code samples end up in the hands of the anti-virus company.

Code mutation. Diluting the Trojan code with "junk" instructions. As a result, the functionality of the Trojan program is preserved, but its "appearance" changes significantly. There are periodic cases where the code mutation occurs in real time, with each download of the Trojan program from the infected website, that is, all or a significant part of the Trojan samples coming from such a site are different. An example of this technology is the Warezov mail worm, several versions of which caused significant epidemics in the second half of 2006.

Hiding its presence. The so-called "rootkit technologies" (from the English "rootkit"), commonly used in Trojan programs. System functions are intercepted and substituted, thanks to which the infected file is visible neither to the regular tools of the operating system nor to anti-virus programs. Sometimes the registry branches in which a copy of the Trojan is recorded, and other system areas of the computer, are hidden as well. These technologies are actively used, for example, by the Trojan backdoor HacDef.

Stopping the operation of the anti-virus and of the system for obtaining anti-virus database updates. Many Trojan programs and network worms take special actions against anti-virus programs: they look for them in the list of active applications and try to stop them, corrupt the anti-virus databases, block the receipt of updates, and so on. Anti-virus programs have to protect themselves in adequate ways: monitor the integrity of their databases, hide their processes from Trojans, and so on.

Hiding its code on websites. The addresses of web pages on which Trojan files are present sooner or later become known to anti-virus companies. Naturally, such pages come under the close attention of anti-virus analysts: the contents of the page are periodically downloaded, and new versions of Trojan programs are recorded in anti-virus updates. To counteract this, the web page is modified in a special way: if the request comes from an anti-virus company's address, some harmless file is served instead of the Trojan.

Attack by quantity. Generating and distributing on the Internet a large number of new versions of Trojan programs in a short period of time. As a result, anti-virus companies are "flooded" with new samples, whose analysis takes time, which gives the attacking code an additional chance of successfully getting into computers.

These and other methods are used by the computer underground to counteract anti-virus programs. At the same time, the activity of cybercriminals grows year after year, and now one can speak of a real "technology race" between the anti-virus industry and the virus industry. The number of individual hackers and criminal groups, as well as their professionalism, is also growing. All this together greatly increases the complexity and amount of work that anti-virus companies must do to develop a sufficient level of protection.
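The packing and encryption of code described above has a measurable side effect that signature-independent detection can use: a packed or encrypted body has byte entropy close to 8 bits per byte, while ordinary compiled code and text sit much lower, and the file usually consists of a short low-entropy unpacking stub followed by a long high-entropy region. The Python script below is an added example for this page, not code from any anti-virus product or from the utilities named above; the two sample buffers are constructed inside the script, and the block size and thresholds are assumed values for the demonstration.

```python
"""Shannon-entropy heuristic for packed or encrypted payloads.

Added example for this page; it is not code from any anti-virus product
or from the packers named in the text. Both sample buffers are constructed
here, so no real executable or malware is involved.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block: int = 1024):
    """Entropy of each fixed-size block. A packed file typically shows a
    short low-entropy unpacking stub followed by a long run of high blocks."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_packed(data: bytes, threshold: float = 7.0,
                 min_fraction: float = 0.5, block: int = 1024) -> bool:
    """True when at least `min_fraction` of the blocks are at or above
    `threshold` bits per byte (assumed cut-offs for this demonstration)."""
    ents = block_entropies(data, block)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


# Constructed stand-in for plain compiled code: a small vocabulary of byte
# values (a few x86 opcodes and ASCII letters) drawn with a fixed seed.
_rng = random.Random(1)
PLAIN_SAMPLE = bytes(
    _rng.choice(b"\x00\x8b\x45\x89\xe5\x55\xc3\x48\x65\x6c\x6f") for _ in range(4096)
)
# Constructed stand-in for a packed file: a 256-byte stub taken from the
# plain sample, then a body of uniformly random bytes that plays the role
# of compressed or encrypted content.
PACKED_SAMPLE = PLAIN_SAMPLE[:256] + bytes(_rng.getrandbits(8) for _ in range(4096 - 256))


if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        ents = ", ".join(f"{e:.2f}" for e in block_entropies(buf))
        print(f"{name}: blocks [{ents}] -> packed={looks_packed(buf)}")
```

Entropy alone also flags legitimately compressed resources (installers, embedded images), so a scanner treats it as one piece of evidence that selects a file for unpacking or closer analysis, not as a verdict; the point of the example is why a purely signature-based approach loses to packers, which is the problem the paragraph above describes.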

Email

Email remains one of the main channels through which malware penetrates the corporate network. Several basic ways of using email as a means of transferring a malicious program can be distinguished:

sending malware "in pure form": in this case the malware is an attachment in the letter and no automatic launch is provided. The malicious program is launched by the user himself, for which elements of social engineering are often used in the letter. The attached malware is not necessarily an executable file: malicious scripts are also common, such as Worm.Win32.Feebs, which is sent by mail in the form of HTA files containing an encrypted script that downloads an executable file from the Internet;

malware with a modified extension: this method differs from the previous one in that the executable file attached to the letter has a double extension, for example document.doc .pif. In this case spaces are used to disguise the real extension of the file, and their number may vary from 10-15 to hundreds. A more original masking method is to use the *.com extension: as a result, an attached file named www.playboy.com is most likely to be taken by the user for a link to a website rather than for an attached file named www.playboy with the extension *.com;

malware in an archive: archiving is an additional level of protection against anti-virus scanners, and the archive may be deliberately damaged (but not so much that the malicious file cannot be extracted from it) or encrypted with a password. In the case of password protection, the password is placed in the body of the letter as text or as a picture; a similar technique was used, for example, in the Bagle mail worm. Launching the malicious program in this case is possible solely because of the user's curiosity, as he must manually enter the password and then run the extracted file;

a letter in HTML format with an exploit for launching the attached malware: nowadays such mail viruses are rare, but in 2001-2003 they were widespread (typical examples are Email-Worm.Win32.Avron, Email-Worm.Win32.Badtransii and Net-Worm.Win32.Nimda);

Letters with a link to a malicious object have recently become widespread, so this method deserves more detailed consideration. It is based on the fact that there is no malicious code in the letter, and therefore the mail anti-virus cannot detect it and block the delivery of the letter. The text of the letter is prepared according to the methods of social engineering and aims to convince the user to open the link in the letter. A typical example is disguise as a greeting card (Fig. 1).

Fig. 1. "Greeting card"

The figure shows a very rough counterfeit: it is clearly seen that the letter came from some incomprehensible address, and the link with an IP address instead of a site name does not inspire confidence. Nevertheless, according to the author's statistics, thousands of users fall for such letters. A better version of a fake greeting card message is shown in Fig. 2.

Fig. 2. A better fake postcard

In this case, recognizing the fake is much more difficult: visually the letter really did come from the PostCard.ru service, and the link to the postcard page appears to lead to this site. Here the deception is based on the fact that the letter is in HTML format and the link is made with the standard <a> tag. As is known, a link made with this tag has the form:

<a href="URL">text description</a>

The text description may be arbitrary, since it is not connected with the URL being opened. Therefore, in this letter the text description of the link is www.postcard.ru/card.php?4295358104, while the real link points to a completely different resource. This trick is elementary to implement and easily misleads the user.

the link leads directly to an executable malware file: this is the simplest case. When the user opens such a link, he is asked what to do with the file: save or run. Choosing "run" leads to the launch of the malicious code and infection of the PC. Practice shows that users usually do not think about the danger. The freshest example is the malware Virus.VBS.Agent.c, which destroys files on the disk (which is actually why it is placed in the Virus category) and distributes itself by mailing "greeting cards" by email with a link to its executable file, placed directly on the virus developer's website. The large number of users affected by this virus is a vivid example of the effectiveness of this method;

a link to a site disguised as the site of a legitimate program. A typical example is programs for "hacking" mobile providers and mailboxes, which often have a home page, plausible documentation and an installation package;

the link leads to an HTML page with an exploit. This is a common option (while writing this article, the author recorded a real epidemic of such letters), and it is more dangerous than a direct link to an executable file, since such a link is very difficult to detect in the proxy server logs and block. On successful execution, the exploit downloads malicious code, and as a result more than ten pieces of malware may be installed on the affected computer. The usual set: mail worms, password-stealing Trojan programs, and a set of Trojan-Spy and Trojan-Proxy programs.

Protection measures against malicious programs spread via email are fairly obvious. At a minimum, you need to install an anti-virus on the mail server (or, when choosing a hosting provider, pay attention to the anti-virus mail protection it offers). In addition, a number of measures are worthwhile:

explain to users how dangerous it is to open programs attached to letters and links in them. It is very useful to teach users to determine the real URL of a link;

if technically possible, block the sending and receiving of letters with attached executable files and encrypted archives. At SmolenskEnergo, for example, such blocking has been in operation for a long time and has shown high efficiency (blocked letters are placed in quarantine and can be retrieved by the administrator);

install filters that block letters by content and keep them up to date. Such filters are effective against letters containing links to malicious programs: usually they are easy to filter by keywords such as Animated Card or Postcard. A side effect is the blocking of real greeting cards and similar letters; a compromise solution is to install such a filter in the anti-spam system and label the letters as spam.
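Two of the tricks above, the double extension padded with spaces (including the *.com disguise) and the <a> tag whose visible text names one site while its href points at another, can be checked mechanically at the mail gateway, which is what the blocking measure just described amounts to. The Python script below is an added example written for this page; it is not SmolenskEnergo's filter or any product's code. The attachment names and the HTML letter are constructed for the demonstration, and 203.0.113.7 is a documentation-range address.

```python
"""Mail gateway checks for disguised attachment names and deceptive links.

Added example written for this page; it is not SmolenskEnergo's filter
or any product's code. The attachment names and the HTML letter below are
constructed, and 203.0.113.7 is a documentation-range address.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "hta", "lnk"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "arj", "cab"}


def attachment_verdict(filename: str) -> str:
    """Classify an attachment name as 'executable', 'double-extension',
    'archive' or 'ok'. Runs of whitespace are collapsed first, so the
    'document.doc            .pif' padding trick does not hide the real
    extension; the stem is then inspected for an inner extension or a
    domain-looking name such as www.playboy.com."""
    name = re.sub(r"\s+", " ", filename.strip()).lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return "ok"
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        return "double-extension" if len(parts) > 2 else "executable"
    if ext in ARCHIVE_EXTS:
        return "archive"
    return "ok"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text: str) -> str:
    """Host part of a URL or of a bare 'www.site/path' string."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def mismatched_links(html_text: str):
    """Return (visible text, real href) for links whose visible text looks
    like a URL or host name but whose href points at a different host."""
    collector = _LinkCollector()
    collector.feed(html_text)
    out = []
    for href, text in collector.links:
        if re.match(r"(https?://|www\.)", text, re.I) and _host(text) != _host(href):
            out.append((text, href))
    return out


# Constructed "greeting card" letter in the style of Fig. 2: the visible
# text names the postcard site, the href goes elsewhere.
SAMPLE_HTML = """<html><body>
<p>You have received a postcard!</p>
<a href="http://203.0.113.7/card.exe">www.postcard.ru/card.php?4295358104</a><br>
<a href="http://www.postcard.ru/help">www.postcard.ru/help</a><br>
<a href="http://www.example.org/news">Read more</a>
</body></html>"""

if __name__ == "__main__":
    for n in ("report.pdf", "document.doc            .pif", "www.playboy.com", "photos.zip"):
        print(f"{n!r}: {attachment_verdict(n)}")
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"visible {text!r} but opens {href!r}")
```

A gateway would quarantine on "executable" and "double-extension", and either quarantine "archive" or pass it to the archive scanner; the link check is a content filter of the kind the last measure describes, with a much lower false-positive rate than keyword matching because it compares the two hosts rather than looking for words like Postcard.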

The Internet

By the number of investigated incidents, the Internet is also one of the main sources of malware penetration. Several basic methods widely used by intruders can be distinguished:

all sorts of cracks and serial number generators: statistics show that while searching for a key or a crack on hacker sites, the likelihood of the computer being infected by malicious programs is very high. Moreover, such a program can be downloaded in an archive together with the crack, or obtained while working with the site as a result of exploits and malicious scripts on hacker sites. Countermeasures: blocking access to hacker sites at the proxy server level and prohibiting visits to them at the level of the security policy and other guidance documents of the company;

hacked legitimate sites: according to statistics, site hacks have recently become frequent and are carried out according to typical schemes. A small piece of code is inserted into the HTML of the compromised site, usually an IFRAME tag leading to a page with an exploit, or an encrypted script that one way or another redirects the user to an infected site (a dynamic insertion of an IFRAME tag pointing to the exploit page into the body of the page is also possible, and so on). The main danger lies in the fact that it is impossible to predict the hacking of a site and, accordingly, it is very difficult to protect the user from it (Fig. 3).

Fig. 3. Exploit code added at the end of the HTML page of a hacked site.

As can be seen in the figure, the exploit code has been added to the end of the HTML page by automated means and is an encrypted script. Encrypting the script is partly a measure of protection against analysis, but its main purpose is protection against signature detection. In more complex cases, the hacker's insertions may be placed within the page code, which makes them harder to detect.

Protection against exploits in web pages comes down to the prompt installation of operating system and browser updates. In addition, good results are given by running the browser with the minimum possible privileges, which can significantly reduce the damage in the event of an exploit.
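The two artefacts just described, an appended encrypted script and a hidden IFRAME, can be looked for in saved page copies, for instance in a proxy cache or in a periodic crawl of the company's own web site, which is one way to notice that a site has been hacked before users are affected. The Python script below is an added example for this page, not the code from Fig. 3 and not any product's detector; the sample page is constructed, the injected tail uses a documentation-range address, and the scoring thresholds are assumed values chosen for the demonstration.

```python
"""Heuristic scan of a saved web page for injected exploit loaders.

Added example for this page; it is not the code shown in Fig. 3 and not
any product's detector. The sample page is constructed, the injected tail
uses a documentation-range address, and the scoring thresholds are
assumed values chosen for the demonstration.
"""
import re

# An IFRAME sized to zero or styled invisible is the classic drive-by
# loader: the user sees nothing while the exploit page is fetched.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.I,
)
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
DECODE_CALLS = ("unescape(", "eval(", "fromcharcode(")


def script_obfuscation_score(body: str) -> int:
    """Count signs of code that decodes itself at run time: eval/unescape/
    fromCharCode calls, long %XX or \\xXX escape runs, very long lines."""
    low = body.lower()
    score = sum(low.count(call) for call in DECODE_CALLS)
    score += len(re.findall(r"(?:%[0-9a-f]{2}){20,}", low))
    score += len(re.findall(r"(?:\\x[0-9a-f]{2}){20,}", low))
    score += sum(1 for line in body.splitlines() if len(line) > 500)
    return score


def trailing_content(html_text: str) -> str:
    """Everything after the last </html>; a clean page has nothing there,
    while an automated injector appends its payload at the very end."""
    idx = html_text.lower().rfind("</html>")
    return "" if idx < 0 else html_text[idx + len("</html>"):]


def scan_page(html_text: str, score_threshold: int = 2):
    """Return a list of (finding, evidence) tuples for one page body."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html_text):
        findings.append(("hidden-iframe", m.group(0)[:80]))
    for m in SCRIPT_BLOCK.finditer(html_text):
        score = script_obfuscation_score(m.group(1))
        if score >= score_threshold:
            findings.append(("obfuscated-script", f"score={score}"))
    tail = trailing_content(html_text)
    if re.search(r"<(script|iframe)\b", tail, re.I):
        findings.append(("content-after-html", tail.strip()[:80]))
    return findings


# Constructed page: a legitimate body, then an appended loader of the kind
# described for hacked sites (hidden frame plus escaped, eval'ed script).
SAMPLE_PAGE = (
    "<html><head><title>News</title></head><body>\n"
    "<p>Welcome to our site.</p>\n"
    "<script>var year = 2007; document.getElementById('y');</script>\n"
    "</body></html>\n"
    '<iframe src="http://203.0.113.9/in.php" width=0 height=0></iframe>\n'
    "<script>eval(unescape('" + "%64%6f%63%75%6d%65%6e%74" * 4 + "'))</script>\n"
)

if __name__ == "__main__":
    for finding, evidence in scan_page(SAMPLE_PAGE):
        print(f"{finding}: {evidence}")
```

The most robust of the three checks for a site owner is not the scoring but a comparison of the fetched page against the copy in version control or the last known-good crawl: any difference in the script and IFRAME set is worth a look, whatever its entropy.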

Flash Media

Media of this type are currently very widely used: flash drives and flash cards, HDDs with a USB interface, mobile phones, cameras, voice recorders. The spread of these devices leads to an increase in the number of malicious programs that use them as a means of transfer. Three basic methods of infecting a flash drive can be distinguished:

creating an Autorun.inf file at the root of the drive to launch a malicious program placed anywhere on the disk (not necessarily at the root). Autorun.inf on a flash drive works identically to the same file on a CD-ROM; accordingly, when the disk is connected or opened, the malicious program is launched;

creating, at the root of the disk or in existing folders, executable files whose names and icons resemble files or folders on the disk. The author performed an experiment: a harmless executable with an icon visually indistinguishable from a folder icon was placed on the flash drives of the users taking part in the experiment. The experiment showed that users immediately became interested in the new folder and decided to look at its contents by double-clicking on the "folder", which led to the launch of the executable file;

using the "companion virus" principle. In fact, this method is identical to the previous one, but in this case the malicious program creates many copies of itself whose names coincide with the names of the files or folders present on the flash drive.

Methods of protection against the spread of malicious programs on flash media are fairly simple:

anti-virus protection with a real-time file monitor should be installed on computers;

an effective protection measure is to turn off autorun;

on strategically important PCs, a good safety measure is to block the use of flash media altogether. The blocking can be mechanical (disabling the USB ports and sealing them) or logical, using special software;

writing local security policies that block the launch of applications from the flash drive.
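The three infection methods above (an Autorun.inf launcher, a folder-icon executable, companion copies named after existing files) all leave artefacts that can be found simply by listing the drive root, which is a useful check before a visiting drive is opened or as a scheduled job on the PCs that must accept flash media. The Python script below is an added example written for this page, not the author's experiment code and not a product; it is plain Python rather than a Windows policy tool so it runs anywhere, and it builds a sample drive in a temporary folder from constructed empty files so the checks can be tried without a real flash drive.

```python
"""Scan a removable drive root for the three infection patterns above.

Added example written for this page, not the author's experiment code or
a product. It is plain Python so it runs on any OS; the sample drive is
built in a temporary folder from constructed, empty files so the checks can
be tried without a real flash drive.
"""
import configparser
import os
import tempfile
from collections import Counter

EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def autorun_target(root: str):
    """Return the program an Autorun.inf at `root` would start (its open,
    shellexecute or shell\\open\\command value), None if there is no such
    file or it declares no launch action, or a note if it cannot be parsed."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(path, encoding="latin-1")
    except configparser.Error:
        return "unparseable autorun.inf"
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return None
    for key in ("open", "shellexecute", "shell\\open\\command"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None


def companion_executables(root: str):
    """Executables in `root` whose name minus extension is the name of
    another entry (folder-icon trick: Photos + Photos.exe; companion copy:
    report.doc + report.doc.exe) or shares its stem with another entry
    (song.mp3 + song.exe)."""
    entries = os.listdir(root)
    lower_names = {e.lower() for e in entries}
    stem_count = Counter(os.path.splitext(e)[0].lower() for e in entries)
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e)
        if ext.lower() not in EXEC_EXTS:
            continue
        if stem.lower() in lower_names or stem_count[stem.lower()] > 1:
            hits.append(e)
    return sorted(hits)


def scan_drive(root: str) -> dict:
    """Combine both checks into one report for a drive root."""
    return {"autorun": autorun_target(root), "companions": companion_executables(root)}


def build_sample_drive() -> str:
    """Create a constructed drive image in a temp folder and return its path."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for d in ("Photos", "data"):
        os.mkdir(os.path.join(root, d))
    for f in ("report.doc", "notes.txt", "song.mp3"):
        open(os.path.join(root, f), "wb").close()
    # constructed infection artefacts: autorun launcher in a subfolder,
    # folder-icon executable, companion copies of existing files
    open(os.path.join(root, "data", "update.exe"), "wb").close()
    for f in ("Photos.exe", "report.doc.exe", "song.exe"):
        open(os.path.join(root, f), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w", encoding="latin-1") as fh:
        fh.write("[AutoRun]\nopen=data\\update.exe\nicon=data\\update.exe,0\n")
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    print(scan_drive(sample))
```

A hit from `companion_executables` is not proof of infection (a legitimate installer may sit next to its data folder), but together with a launch action in Autorun.inf it is exactly the pattern the three methods above produce, and the drive should go to the anti-virus monitor before anything on it is opened.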

Laptops and PDAs

Mobile computers are another means of transfer for malicious programs. A typical situation is the use of a laptop on a business trip, when as a rule it connects to someone else's network. During the work, the laptop may become infected, most often with a network worm. When the infected laptop connects to its "home" network, it can infect the PCs in it. Protecting against this is difficult; the set of security measures comes down to the following:

installing an anti-virus and a firewall on the laptop, with mandatory periodic checks of their operation by an administrator;

checking the laptop before connecting it to the network; however, this is not always technically possible, requires a lot of time and reduces user mobility;

creating a special "guest" subnet for laptops and taking measures to protect the main LAN from this subnet.


This part describes the technique of hacking Windows 2000/XP computers in TCP/IP networks. In Chapter 1 we discussed the methods and means hackers use to penetrate an organization's computer system. We pointed out there that to accomplish this a hacker can use local access, say, for the elementary theft of equipment such as a hard disk, or hack the system remotely. Remote penetration can be performed either from inside the local network, by connecting a computer with hacker software to the network cable, or from outside, via the Internet or a telephone line with a modem. Threats of local penetration and attacks from the Internet were discussed in previous chapters; in this part of the book we concentrate on attacks on Windows 2000/XP computers from inside the local network. We consider the vulnerabilities of the TCP/IP protocols, remote administration tools, firewalls and network connections.

Hacking Windows 2000/XP Computers

So, the hacker has managed to connect to the local network, either using some abandoned (someone else's) computer or by illegally tapping the network cable running through a basement somewhere with a special device. As a rule, though, none of this is necessary: the chaos reigning in today's local networks is enough to get access to an ordinary networked computer, and then everything depends on you. So the hacker has gained access to the local network and now wants access to the information resources of its hosts. How can he do it?

Below, the work of the hacking utilities is illustrated using our experimental TCP/IP network, which we have used throughout the book. This network lets us demonstrate a set of TCP/IP network hacking techniques without violating anyone's confidentiality. The author categorically insists that the tools described below must not be used against real networks and warns of possible liability.

In Chapter 1 we described all the steps of a hacker attack and pointed out that the hacker first tries to find out everything possible about the organization of the attacked network and the network technologies used in it. In this chapter we skip the preliminary data collection step; it is described in detail in Chapter 12 in relation to hacking Web sites. Instead, we consider in more detail all the subsequent stages of a network attack, which are what make hacking such an "interesting" occupation. As shown in Chapter 1, the first thing a hacker must do to penetrate a network is to scan and inventory it.

Scanning TCP/IP networks

The goal of scanning is to determine the IP addresses of the network's hosts. For scanning you can use the ping utility from the W2RK package (Windows 2000 Resource Kit). This utility sends ICMP (Internet Control Message Protocol) packets to the network hosts with the specified IP addresses. If a reply comes back to a packet sent, there is a network host at the corresponding address. Fig. 1 shows the result of scanning host SWORD-2000 with the ping utility.

Fig. 1. Result of scanning host SWORD-2000 with the ping utility.

The result shows that the computer at the specified address is connected to the network and the connection works normally. This is the simplest way of scanning a network, but it does not always produce the desired results, since many nodes block replies to ICMP packets using special protective means. If exchange over ICMP is blocked, other utilities, such as hping (http://www.hping.org/), can be used. This utility is able to fragment (i.e. split into fragments) ICMP packets, which allows it to bypass simple access-blocking devices that cannot reassemble fragmented packets.

Another way of scanning is to use utilities that determine the open ports of a computer, which in some cases can deceive simple protection systems. An example of such a utility is SuperScan (http://www.foundstone.com), which provides a convenient graphical interface (see Fig. 2).

Fig. 2. Network scan results of the SuperScan 3.0 utility

Fig. 2 shows the result of scanning the network in the IP address range 192.168.0.1-192.168.0.100. Note the tree list at the bottom of the window, which displays all open ports of the computer Ws7scit1xp, among them TCP port 139, the NetBIOS session service. Keeping this in mind, we turn to a more detailed study of the network: its inventory.

Network Inventory

Network inventory consists in determining shared network resources, user accounts and groups, and in identifying the applications running on network hosts. Here hackers very often exploit the following weakness of Windows NT/2000/XP computers: the ability to create a null NetBIOS session with port 139.

Null session

The null session is used to transfer certain information about Windows NT/2000 computers that is needed for network operation. Creating a null session does not require an authentication procedure for the connection. To create a null session, run the following command from the Windows NT/2000/XP command line.

net use \\1.0.0.1\IPC$ "" /user:""

Here 1.0.0.1 is the IP address of the attacked computer SWORD-2000; IPC$ is the Inter-Process Communication share name; the first pair of quotes "" means an empty password is used, and the second pair in /user:"" specifies an empty name for the remote client. An anonymous user connected via a null session is able to run the User Manager application used to view users and groups, and to run the event log viewer. Other remote administration programs working over SMB (Server Message Block) are available as well. Moreover, a user connected via a null session has the rights to view and modify individual sections of the system registry.

In response to the command above, an improperly secured computer displays a message about a successful connection; otherwise an access denied message is displayed. In our case a message appears about the successful connection of computer ALEX-Z (Windows XP) to computer SWORD-2000 (Windows 2000). However, a null session in the opposite direction, to ALEX-Z from SWORD-2000, is no longer possible: evidently the Windows XP developers took into account the sad experience of "using" null sessions on Windows 2000 systems, which allow them by default.

Null sessions are used by all utilities for inventorying the network resources of Windows NT/2000/XP computers. The simplest inventory method is to use the net view and nbtstat utilities from the W2RK package. The net view utility lets you display a list of network domains.

As a result, the name of the SWORD workgroup was displayed. If you give the utility the found domain name, it displays the computers belonging to that domain.

Now let us determine the user currently logged on to the server computer SWORD-2000 and the services running on it. The nbtstat utility serves this purpose; the result of using it is shown in Fig. 3.

Fig. 3. The nbtstat utility has identified the users and services of computer ALEX-Z.

Fig. 3 shows a table whose first column gives the NetBIOS name, followed by the NetBIOS service code. In particular, the code <00> after a computer name means the Workstation service, and the code <00> after a domain name means the domain name itself. The code <03> means the Messenger service, which delivers messages sent to the user logged on to the system, whose name precedes the code <03>, in this case Administrator. The MSBROWSE browser service is also running on the computer, as indicated by the code <1E> after the name of the SWORD workgroup.

So we already have the name of the user currently logged on to the computer: Administrator. What shared network resources of computer SWORD-2000 does he use? Turn to the net view utility again, this time giving it the name of the remote computer. The results are shown in Fig. 4.

Fig. 4. Shared resources of computer SWORD-2000

As you can see, the Administrator account has opened shared network access to some folders of the file system of computer SWORD-2000 and to its CD-ROM drive. Thus we already know a lot about the computer: it allows NetBIOS null sessions, the Administrator user works on it, ports 7, 9, 13, 17, 139, 443, 1025 and 1027 are open, and individual folders of local disk C: are among its shared resources. Now it only remains to learn the Administrator user's password, and all the information on the computer's drive C: will be at our disposal. Just below we show how the pwdump3.exe utility is used for this to remotely extract the passwords from the Windows NT/2000/XP system registry, together with the LC4 program for cracking them.

And what can be done if NetBIOS over TCP/IP is disabled (Windows 2000/XP computers provide that option)? There are other inventory tools, such as SNMP (Simple Network Management Protocol), which provides monitoring of Windows NT/2000/XP networks.

Now that we have collected information about the attacked system, we turn to hacking it.

Achieving the goal

Carrying out an attack on a Windows NT/2000/XP system consists of the following steps.

Penetration into the system, which consists in gaining access.

Escalation of access rights, which consists in cracking the passwords of accounts with greater rights, such as the system administrator's.

Realization of the goal of the attack: extraction of data, destruction of information, and so on.

Penetration into the system

Penetration into the system begins with the use of an account identified at the preceding inventory stage. To find the desired account, the hacker could use the nbtstat command, a MIB browser, or any of the hacker utilities abundant on the Internet. Having found the account, the hacker can try to connect to the attacked computer using it for logon authentication. He can do this from the command line by entering the command

D:\> net use \\1.0.0.1\IPC$ * /u:Administrator

The "*" symbol on the command line indicates that a password for the Administrator account must be entered to connect to the remote IPC$ resource. In response to the command, the following message is displayed:

Type password for \\1.0.0.1\IPC$:

Entering the correct password establishes an authorized connection. Thus we have a tool for guessing the logon password of a computer: by generating random combinations of characters or running through the contents of dictionaries, one can eventually hit on the right combination of password characters. To simplify the guessing, there are utilities that automate all these operations, for example SMBGrind, which is part of the commercial Network Associates CyberCop Scanner package. Another method is to write a batch file that cycles through passwords.

However, remote password guessing is not the most powerful hacking weapon. All modern servers are usually equipped with protection against repeated password attempts, interpreting them as an attack on the server. To crack the Windows NT/2000/XP protection system, a more powerful tool is used: extraction of the passwords from the SAM (Security Account Manager) database. The SAM database contains the encrypted (or, as they say, hashed) password codes of accounts, and they can be extracted, including remotely, with the help of special utilities. These passwords are then cracked with a password-cracking utility using any cracking method, for example "brute force", or a dictionary attack that tries combinations of words from a dictionary.

The best-known cracking utility for SAM passwords is the LC4 program (short for L0phtCrack; the latest version is LC4) (http://www.atstake.com/research/redirect.html), which works in tandem with the following utilities.

SAMDUMP extracts hashed passwords from the SAM database.

PWDUMP extracts hashed passwords from the computer's registry, including on remote systems. This utility does not support the enhanced SYSKEY encryption of the SAM database (for details on SYSKEY, see Chapter 4).

PWDUMP2 extracts hashed passwords from the system registry where SYSKEY encryption is applied. This utility works only with local systems.

PWDUMP3 is the same as PWDUMP2, but with support for remote systems.

What SYSKEY encryption is was discussed in detail in Chapter 4; here we only point out that it is a means of enhanced encryption of the SAM database, which is installed by default on Windows 2000/XP systems and must be installed on Windows NT systems as an additional option.

Chapter 4 described how to extract passwords from the local system registry; now we look at how this operation is performed remotely. To extract the hashed passwords from computer SWORD-2000, apply the pwdump3 utility by running it from the command line:

C:\> pwdump3 SWORD-2000 > password.psw

Here the target computer SWORD-2000 is specified on the command line, followed by a redirection of the extracted data into a file named password.psw. The contents of the resulting file are shown in the Notepad application window (Fig. 5).

Fig. 5. Result of extracting hashed passwords from computer SWORD-2000

As you can see, the password.psw file contains the Administrator account, which we found at the inventory stage. To crack the passwords, apply the LC4 program; although the trial version of this program supports only dictionary-attack cracking, we can still crack the passwords of computer SWORD-2000 (Fig. 6).

Fig. 6. Cracking of the passwords remotely extracted from the registry of computer SWORD-2000

This took only a few seconds on a computer with a Celeron 1000 MHz processor, since the password 007 consists of only three digits and is very weak. Using more complex passwords significantly increases the cryptographic strength of the system, and cracking them may require an unacceptable increase in the running time of the LC4 application.

Thus a hacker who has just one small hook, the ability to create NetBIOS null sessions to a computer, can in principle obtain the passwords of the computer's accounts, including the system administrator's. If he cannot immediately get the password of an account with greater rights, the hacker will try to escalate his access rights.

Escalation of access rights and carrying out the attack

A wide variety of methods are used to escalate access rights on the hacked system, but their main feature is the need to plant on the computer a special program that allows remote control of the system, including recording of the user's actions. The goal is to take over the account that gives the highest level of access to the computer's resources. For this, so-called keyboard spies, programs that record keystrokes, can be planted on the attacked computer. All the recorded data is written to a separate file, which can be retrieved over the network to the cracker's computer.

As an example of a keyboard spy we can name the popular recorder Invisible Key Logger Stealth (IKS) (http://www.amecisco.com/iksnt.htm). The IKS keylogger is an example of a passive Trojan: it works on its own and does not provide its master with remote control means.

Another option for the hacker is to plant an active Trojan in the system, for example the popular Trojan horses NetBus (http://www.netbus.org) or BO2K (Back Orifice 2000) (http://www.bo2k.com), which provide means of hidden remote control and monitoring of the attacked computer.

The NetBus and BO2K utilities make it possible to achieve one of the most important goals of a hacker attack: the creation of back doors in the remote system. Having broken into the victim's computer once, the hacker creates many additional "secret" entrances in it. The calculation is that while the computer's owner is searching for and finding one entrance, the hacker uses the still open ones to create new back doors, and so on. Back doors are an extremely unpleasant thing: getting rid of them is almost impossible, and with their help the hacker gets the chance to do anything on the attacked computer: follow the user's activities, change the system settings, and also play any nasty trick on the user, such as rebooting or formatting the hard drives.

As an example of a Trojan horse, consider the work of the old, well-deserved Trojan horse NetBus, developed by the cDc hacker group (Cult of the Dead Cow).

The NetBus application

NetBus belongs to the class of client-server programs, i.e. one of its parts, the server, is installed on the attacked computer, and the other part, the client, on the hacker's computer. Installing the application on a local computer causes no problems: in the installation wizard dialog you specify the desired component, server or client, after which it is loaded onto the computer. The hidden, remote installation of the server on the attacked computer and the launch of the server program is a more complicated task, and we leave it aside. First, consider the work of the NetBus application on the example of two computers of our network: the client is computer Ws7scit1xp (IP address 192.168.0.47) and the server is computer Ws6scit1xp (IP address 192.168.0.46).

For the NetBus Trojan horse to work, the server component of the application, called NBSVR, must first be started on the attacked computer (real hackers have to manage to do this remotely). When the NBSVR program starts, the dialog shown in Fig. 7 is displayed.

Fig. 7. NetBus Server Dialog

Before using the NetBus server, the NBSVR utility must be configured. To do this, follow this procedure.

In the NB Server dialog, click the Settings button. The Server Setup dialog shown in Fig. 8 appears on the screen.

Fig. 8. NetBus Server Setup Dialog

Check the Accept Connections box.

In the Password field, enter the password for access to the NetBus server.

From the Visibility of Server drop-down list, select Full Visible, which lets you watch the NetBus server (for real work, though, full invisibility is the better choice).

In the Access Mode field, select Full Access, which allows all possible remote control operations on computer Ws7scit1xp.

Check the Autostart Every Windows Session box so that the server is loaded automatically at logon.

Click OK. The server is ready for work. Now we configure the client, the NetBus.exe utility.

Run the NetBus.exe utility, after which the NetBus 2.0 Pro window shown in Fig. 9 appears.

Fig. 9. NetBus client work window

Select the menu command Host * Neighborhood * Local. The Network dialog shown in Fig. 10 appears.

Fig. 10. Host selection dialog for NetBus client

Click the Microsoft Windows Network item and open the list of network hosts (Fig. 11).

Fig. 11. Server Host Selection Dialog for Connection

Choose the computer with the NetBus server installed, in our case Ws7scit1xp, and click the Add button. The Add Host dialog shown in Fig. 12 appears on the screen.

Fig. 12. Dialog for adding a new host - NetBus server

In the Host Name/IP field, enter the IP address of the server host, 192.168.0.46.

In the User Name field, enter the name of the cracked account, Administrator, and in the Password field the password cracked by the LC4 utility, 007.

Click OK. The Network dialog is displayed.

Close the Network dialog by clicking the Close button. The NetBus 2.0 Pro window is displayed with the record of the added host (Fig. 13).

Fig. 13. NetBus 2.0 Pro window with a new host recording - NetBus server

To connect to host Ws7scit1xp, right-click the Ws7scit1xp list item and select the Connect command from the context menu that appears. On success, the status bar of the NetBus 2.0 Pro window displays the message Connected to 192.168.0.46 (v.2.0).

After a successful connection to the NetBus server component, the hacker can do anything at all with the attacked computer using the NetBus client tools. In practice, the same capabilities are available to him as to the local Administrator user. Fig. 14 shows the list of NetBus client tools displayed in the Control menu.

Fig. 14. The Control menu contains an extensive list of remote host management tools.

Among these tools we note those collected in the Spy Functions submenu, which contains such useful items as a keyboard spy, interceptors of the screen and of the picture from a camcorder, and sound recording tools. Thus a hacker who has penetrated your computer can spy on, overhear and read everything you see, say or type on the computer's keyboard. And that is not all! The hacker can modify the system registry of computer SWORD-2000, run any applications and restart the remote Windows system, not to mention viewing and copying any documents and files.

As already mentioned, the NetBus server utility described in this section, as well as the IKS keyboard spy described in the previous section, must first be launched on the attacked computer. This last task is a whole separate area of hacking and consists in finding vulnerabilities in the IIS (Internet Information Server) web server, as well as in using "social engineering" methods to plant Trojan horses or viruses on the computer. ("Social engineering" is discussed in more detail throughout the book.)

Covering tracks

Auditing is undoubtedly one of the most serious means of protecting a computer system against hacking, and disabling the audit tools is one of the first operations hackers perform when hacking a computer system. For this, various utilities are used to clear the registration log and/or disable system auditing before starting "work".

To disable auditing, hackers can open the MMC console and turn off the audit policy using the operating system's own tools. Another, more powerful tool is the auditpol.exe utility from the W2RK tool kit. With it you can disable (and enable) auditing on both the local and a remote computer. To do this, enter the following command.

C:\Auditpol> auditpol \\SWORD-2000 /disable

The following appears on the screen:


The command parameter \\SWORD-2000 is the name of the remote computer, and the /disable key turns off auditing on that computer. The auditpol.exe utility is a very effective tool created for managing network resources but, as you can see, also a very convenient hacking tool. To get acquainted with its capabilities, just enter the command auditpol /?, after which reference information on using the utility is displayed. In particular, this utility lets you enable or disable auditing of the SAM database, which is a prerequisite for using the pwdump3.exe utility to extract passwords from the SAM database.

Security logs can be cleared either with the Windows 2000/XP log viewer or with special utilities (usually used by hackers). In the first case, perform the following steps.

Click the Start button and in the main menu that appears select Settings * Control Panel.

In the Control Panel that opens, open the Administrative Tools folder.

Double-click the Computer Management applet. The MMC console dialog appears on the screen.

Open the folders System Tools * Event Viewer in turn.

Right-click the Security Log item; a context menu appears.

Select the Clear All Events context menu command. The Event Viewer dialog appears with an offer to save the log to a file.

Click the No button if you no longer need the events recorded in the log. The log will be cleared.

When clearing the security log, note one characteristic feature. When the security log is cleared, all events are deleted from it, but a new event is immediately recorded: the clearing of the audit log that has just been performed! Thus the hacker still leaves a trace: an empty log with a single recorded log-clearing event. Let us see whether hacker utilities help in such a case.

Let us try the event log clearing utility elsave.exe (http://www.ibt.ku.dk/jesper/elsave/default.htm). This utility was designed primarily for clearing Windows NT 4 logs, but its latest version works with Windows 2000. It is started from the command line like this.

C:\ELS004> elsave -s \\SWORD-2000 -C

Here the -s key sets remote mode, and the second key specifies the log clearing operation. Besides clearing, the utility lets you copy the log's events to a file. (Entering the command elsave /? brings up help, and you can try out the effectiveness of all the options offered.) A check shows that the drawback noted above remains: the use of the elsave.exe utility is recorded in the security log as a log-clearing event, exactly as when the log is cleared using the Computer Management applet.

How to protect yourself from all these utilities? Remove from the computer (or disguise) all the utilities of the W2RK set, and enable auditing of the SAM database, the system registry and all important system resources. After that, review the security log regularly. Detecting unexplained clearing of the security logs or access to protected resources will help pick up the cracker's trail.
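As an added example (not from the book) of the regular log review recommended here, the following Python script scans constructed Security log records for the traces this section describes: null-session logons, Administrator logons from unexpected hosts, audit policy changes and the log-clearing event that survives a wipe. The export format and the sample records are constructed; the event IDs are the Windows NT/2000/XP numbering.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Security log event IDs as numbered on Windows NT 4 / 2000 / XP
# (Vista and later renumbered them; 517 became 1102, for instance).
EVENT_AUDIT_LOG_CLEARED = 517
EVENT_NETWORK_LOGON = 540        # successful network (type 3) logon
EVENT_AUDIT_POLICY_CHANGED = 612

# A null session shows up as a network logon by this built-in account.
NULL_SESSION_DOMAIN = "NT AUTHORITY"
NULL_SESSION_USER = "ANONYMOUS LOGON"


@dataclass
class SecurityEvent:
    timestamp: str
    event_id: int
    domain: str
    user: str
    workstation: str   # machine the logon or action came from


def parse_event_line(line: str) -> SecurityEvent:
    """Parse one record of the constructed export format
    'timestamp|event_id|DOMAIN\\user|workstation' (not a real Windows
    format; a real log would be exported from Event Viewer or read via API)."""
    timestamp, event_id, account, workstation = line.strip().split("|")
    domain, _, user = account.partition("\\")
    return SecurityEvent(timestamp, int(event_id), domain, user, workstation)


def parse_log(text: str) -> List[SecurityEvent]:
    return [parse_event_line(ln) for ln in text.splitlines() if ln.strip()]


def find_traces(events: Sequence[SecurityEvent],
                known_admin_workstations: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Return the traces the chapter describes, in log order: null-session
    logons, Administrator logons from hosts not on the allow-list, audit
    policy changes (as left by auditpol /disable) and log clearing.
    Events are assumed to be ordered oldest first."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.event_id == EVENT_NETWORK_LOGON:
            if ev.domain == NULL_SESSION_DOMAIN and ev.user == NULL_SESSION_USER:
                findings.append({"kind": "null_session",
                                 "from": ev.workstation, "at": ev.timestamp})
            elif (ev.user.lower() == "administrator"
                  and ev.workstation not in known_admin_workstations):
                findings.append({"kind": "admin_logon_unexpected_host",
                                 "from": ev.workstation, "at": ev.timestamp})
        elif ev.event_id == EVENT_AUDIT_POLICY_CHANGED:
            findings.append({"kind": "audit_policy_changed",
                             "by": ev.user, "at": ev.timestamp})
        elif ev.event_id == EVENT_AUDIT_LOG_CLEARED:
            findings.append({"kind": "log_cleared",
                             "by": ev.user, "at": ev.timestamp})
    # Both clearing methods in the text leave a log whose oldest record is
    # the clearing event itself; that shape is a finding of its own.
    if events and events[0].event_id == EVENT_AUDIT_LOG_CLEARED:
        findings.append({"kind": "log_starts_with_clear",
                         "by": events[0].user, "at": events[0].timestamp})
    return findings


# Constructed sample records, oldest first, using the book's lab names
# (SWORD-2000 inventoried from ALEX-Z). Timestamps are invented.
SAMPLE_LOG = """\
2002-03-10 09:12:01|540|NT AUTHORITY\\ANONYMOUS LOGON|ALEX-Z
2002-03-10 09:15:33|540|SWORD\\Administrator|ALEX-Z
2002-03-10 09:16:40|612|SWORD\\Administrator|SWORD-2000
2002-03-10 09:18:12|540|SWORD\\Administrator|SWORD-2000
"""

# The same machine's log after it was wiped: only the clearing event and
# whatever happened afterwards survive.
SAMPLE_LOG_AFTER_WIPE = """\
2002-03-10 09:20:05|517|SWORD\\Administrator|SWORD-2000
2002-03-10 09:21:10|540|SWORD\\Administrator|ALEX-Z
"""

if __name__ == "__main__":
    for name, text in (("before wipe", SAMPLE_LOG), ("after wipe", SAMPLE_LOG_AFTER_WIPE)):
        print(f"--- {name} ---")
        for finding in find_traces(parse_log(text), known_admin_workstations=("SWORD-2000",)):
            print(finding)
```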

Conclusion

Network hacking of computers is a very common occupation of hackers. However, as we have seen, it is a rather laborious occupation, and, if desired, manipulations of this kind are easy to detect. To do this, it is enough to use the Windows security templates and load the server security template. Other passive defensive measures consist in configuring Windows protection, firewalls and IDS systems. In special cases the anti-hacker can also resort to detecting the hacker by the hacker's own methods, since IDS systems are usually able to identify the IP address of the intruder (for example, the BlackICE Defender program does this). However, the anti-hacker should bear in mind that by penetrating the hacker's computer he makes himself like the enemy, so the use of proxy servers and other masking means will be worthwhile.