Modern day hacking

pcm81

Senior member
Mar 11, 2011
I was born a bit too late to live through the wild wild west days of hacking, but I do remember the days of IRC groups, Kazaa, Morpheus and direct connect P2P networks. Based on documentaries about hacking in the 1980s and 1990s there seem to be two distinct attack patterns: exploiting open networks and social engineering. It seems that the ball field of viruses has not changed much since then: someone sends you a piece of code, you run it and if your AV does not know about it yet, you get infected (happens to my parents once a year like clockwork and I can't teach them any better). But in terms of server or PC hacking, how has it changed since then? Is single-node hacking still possible? Nowadays any "average" net admin will know about SSH tunneling as well as private/public key authentication. So if a "world's greatest hacker" was given my public IP number and let's say he knew that there is a Windows and a Linux box sitting on a properly configured router (only selected ports are open for SSH connections, no default password for router admin, administration over the WAN port is disabled etc.) behind that IP number, are there still any viable "direct" attacks he could do to gain root access or code execution access to those machines without resorting to social engineering?

Often it is said that hackers find and exploit holes in the system. While I am sure that there are still plenty of holes to be exploited, will the bulk of these holes be operator errors (leaving the default password on a router) or would most of these errors be manufacturer design flaws (allowing router administration from the WAN port by default or something equivalently bad)?

I can see how hackers could exploit PHP GET vs. POST on a webserver if there is no back end validation, but that is not the type of hacking I am talking about. I am asking about well organized hackers' ability to enter a private user's computer remotely (assuming the user did not do anything stupid like host TeamViewer and give a Chinese scammer the access code...).

This can also tie into Windows 10 privacy issues. As the system architect Microsoft could very easily build a back door into Windows, essentially allowing them to "remote desktop" into an "IP number", but how much harder would it be for a brilliant hacker who is an outsider to the system to do the same given today's best security practices?

matricks

Member
Nov 19, 2014
You don't seem to understand lateral movement. A "world's greatest hacker" will not restrain himself to attacking his target directly. A web server in a corporate network is probably a better vantage point to attack a user in the same network, compared to attacking this computer directly from the Internet. Same deal with a poorly configured router, network printer or electronic door sign. The point is, hackers find a vulnerable device, compromise it, and utilize the trust this device has in the network to compromise other devices in the network. Eventually, they're through to the actual target. You can't strip professional hackers of their methods and argue that hacking has changed, the same way you can't expect a good soccer player to be good at American football or vice versa, even though both sports are called football in various places around the world.

Networks are often built with a firewall, the big, thick firewall between the Internet and the internal network. Internet bad, internal good. I highly doubt the "average admin" is familiar with and applying every single best security practice. Plenty of admins do not understand public key cryptography to the point they could type out a structured explanation of it (or at all). They may simply not be allowed to implement better practice despite knowledge of it, due to financial constraints or lack of support from decision makers. If you're interested, visit /r/sysadmin. Plenty of stories about all the mistakes admins make as well as outlining what they want to do, but can't due to a situation they don't control.

Compromising a target that accepts no incoming connections (in your suggested scenario no web servers or similar exposed services are mentioned), without any social interaction may be challenging. Some possible attacks would be exploiting router vulnerabilities (it's not just about remote administration, there are vulnerabilities that can be exploited just by deliberately malformed packets), DNS cache poisoning to set up man-in-the-middle attacks. MITM attacks could be used to passively deliver exploits to the end target, e.g. several recent Flash vulnerabilities only depend on the Flash content being loaded. No user interaction other than opening some page with malicious Flash on it (and Flash not blocked), or redirecting (MITM) to such a site. The same thing is true with many recent web browser exploits.
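The DNS cache poisoning mentioned above is something a resolver defends against with a handful of checks on every reply: the transaction ID and destination port must match the outstanding query, the question section must match, and records outside the bailiwick of the question (the "additional" glue an attacker would love to have cached) are discarded. The following is an added example, not code from this thread or from any real resolver. It builds a constructed query and three constructed replies (one legitimate, one with the wrong transaction ID, one carrying an out-of-bailiwick A record) in DNS wire format and runs the checks over them; name compression and the definition of "bailiwick" as the question's parent zone are simplifications made for the example.

```python
import struct


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode labels at offset; returns (dotted name with trailing '.', new offset)."""
    labels = []
    while True:
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def build_query(txid, qname):
    # header: id, flags (RD set), qdcount=1, an/ns/ar=0; question: name, type A, class IN
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1))


def a_record(name, ipv4, ttl=300):
    # resource record: name, type A, class IN, ttl, rdlength 4, rdata
    return (encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)
            + bytes(int(o) for o in ipv4.split(".")))


def build_response(txid, qname, answers, additional=()):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        body += a_record(name, ip)
    for name, ip in additional:
        body += a_record(name, ip)
    return header + body


def parse_rrs(data, off, count):
    records = []
    for _ in range(count):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        records.append((name, rtype, data[off:off + rdlen]))
        off += rdlen
    return records, off


def validate_response(query, response, query_src_port, response_dst_port):
    """Resolver-side acceptance checks. Returns (accepted, list of failed checks)."""
    reasons = []
    if response_dst_port != query_src_port:
        reasons.append("port mismatch")
    q_id = struct.unpack_from("!H", query, 0)[0]
    r_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", response, 0)
    if r_id != q_id:
        reasons.append("txid mismatch")
    if not flags & 0x8000:
        reasons.append("QR bit not set")
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(response, 12)
    if qd != 1 or rname.lower() != qname.lower() or response[roff:roff + 4] != query[qoff:qoff + 4]:
        reasons.append("question mismatch")
    roff += 4
    answers, roff = parse_rrs(response, roff, an)
    _, roff = parse_rrs(response, roff, ns)
    extra, roff = parse_rrs(response, roff, ar)
    # Bailiwick (simplification for this example): the question is host.zone and
    # only records inside zone may be cached from this reply.
    zone = qname.split(".", 1)[1]
    for name, _, _ in answers + extra:
        n = name.lower()
        if n != zone and not n.endswith("." + zone):
            reasons.append("out-of-bailiwick record " + name)
    return not reasons, reasons


# Constructed sample exchange (documentation IP ranges, no real traffic).
QUERY = build_query(0x1A2B, "www.example.com")
GOOD = build_response(0x1A2B, "www.example.com", [("www.example.com", "192.0.2.10")])
WRONG_ID = build_response(0x1A2C, "www.example.com", [("www.example.com", "203.0.113.5")])
GLUE = build_response(0x1A2B, "www.example.com", [("www.example.com", "192.0.2.10")],
                      additional=[("login.example.net", "203.0.113.5")])

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("wrong id", WRONG_ID), ("bad glue", GLUE)]:
        print(label, validate_response(QUERY, pkt, 41234, 41234))
```

Only the legitimate reply is accepted; the spoofed ones are rejected with the specific check they failed, which is also the kind of event worth counting on a resolver, since a burst of txid or port mismatches is the visible footprint of a poisoning attempt.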

pcm81

Senior member
Mar 11, 2011
> You don't seem to understand lateral movement. A "world's greatest hacker" will not restrain himself to attacking his target directly. A web server in a corporate network is probably a better vantage point to attack a user in the same network, compared to attacking this computer directly from the Internet. Same deal with a poorly configured router, network printer or electronic door sign. The point is, hackers find a vulnerable device, compromise it, and utilize the trust this device has in the network to compromise other devices in the network. Eventually, they're through to the actual target. You can't strip professional hackers of their methods and argue that hacking has changed, the same way you can't expect a good soccer player to be good at American football or vice versa, even though both sports are called football in various places around the world.
>
> Networks are often built with a firewall, the big, thick firewall between the Internet and the internal network. Internet bad, internal good. I highly doubt the "average admin" is familiar with and applying every single best security practice. Plenty of admins do not understand public key cryptography to the point they could type out a structured explanation of it (or at all). They may simply not be allowed to implement better practice despite knowledge of it, due to financial constraints or lack of support from decision makers. If you're interested, visit /r/sysadmin. Plenty of stories about all the mistakes admins make as well as outlining what they want to do, but can't due to a situation they don't control.
>
> Compromising a target that accepts no incoming connections (in your suggested scenario no web servers or similar exposed services are mentioned), without any social interaction may be challenging. Some possible attacks would be exploiting router vulnerabilities (it's not just about remote administration, there are vulnerabilities that can be exploited just by deliberately malformed packets), DNS cache poisoning to set up man-in-the-middle attacks. MITM attacks could be used to passively deliver exploits to the end target, e.g. several recent Flash vulnerabilities only depend on the Flash content being loaded. No user interaction other than opening some page with malicious Flash on it (and Flash not blocked), or redirecting (MITM) to such a site. The same thing is true with many recent web browser exploits.

Thank you for an interesting reply. It seems that you and I are getting to the same meat of the argument, but from different angles. You mentioned web browser and Flash attacks; that is exactly what I am asking about. A web browser (with Flash enabled, for example) that is not running all processes in a sealed container is a security hole that a knowledgeable hacker would exploit. On the flip side, let's consider my home network. I have a multifunction printer which can scan directly to my main machine from the printer front panel. So in theory if a hacker were to gain access to this printer he could potentially deposit malicious code onto my main machine. Of course this printer has no open ports to the outside world, so the only way to access it is through my wifi. Now, if my router were to be compromised and that allowed the attacker access to the HTTP GUI of the printer, then maybe he could impersonate the printer and deposit malicious code onto my main machine. Or if I opened up the printer's ports to the outside world, then maybe a hacker could do something fishy with it.

I guess my question can be rephrased as the following: "In today's world, to what extent does the art of hacking have to do with exploiting network/system inherent weaknesses rather than exploiting network users'/admins' stupidity/negligence?" If the net admin has the time, budget and manpower to properly implement the misc services required by users, can a network be made bulletproof or are there still many holes that simply cannot be closed by means other than disabling a certain service? For example, if Microsoft chose to sign their system updates with a 128-bit RSA key with a decently long key life, then for MITM a code injection would be a rather easy task, unless the user disabled Windows Update. Are there many real holes like this fictitious hole I just made up? Or are there "proper and bullet proof" ways to secure "most if not all" services that a customer might want and it simply boils down to the time/knowledge/resources that are at the net admin's disposal?

matricks

Member
Nov 19, 2014
I really don't think things have changed; computer hacking and social manipulation play the same role they did 30 years ago. Both can get you far, and you get farthest by applying both as needed. What has changed is that there are more computers, more users and more uses for computers.

In 2000, Bruce Schneier wrote (among other things) "Only amateurs attack machines; professionals target people". It is just as true today as it was then.

As for your more practical questions, you may not have configured outside connections to reach the printer yourself. But do you know if your printer could configure that on its own? If left to its default settings, my printer will register a dynamic DNS hostname pointing to my public IP address, and use UPnP to configure the router to forward relevant ports to itself. Because it's a smart printer, of course it should do these things without asking me. Multifunctional printers usually scan to PDFs, right? Gain control of it, modify it to append a malicious payload to all PDFs sent from it, sit back and enjoy domination.

> For example, if Microsoft chose to sign their system updates with a 128-bit RSA key with a decently long key life, then for MITM a code injection would be a rather easy task, unless the user disabled Windows Update. Are there many real holes like this fictitious hole I just made up?

I read a report on a possible MITM attack on Windows Update earlier this year. Windows updates (.msu files) are essentially file archives, like ZIP files, with some extra instructions for WU on how to apply the update. Microsoft do not sign .msu files, but the files inside must be signed by a Microsoft certificate before Windows will run them. So you can't pack an arbitrary .exe and have the system execute it. What you can do is find a file that will execute any command for you. PsExec does this, it's a tool designed for administrators to easily execute a command on a computer in the network (that they have full control over, this is a reasonable use case). This tool is signed by Microsoft, so just pack it in an .msu, tell Windows Update to call it to execute whatever malicious command you can think of, and all that's left is to actually deliver the .msu to the target system. Which any compromised network device is capable of doing.

Another attack, if you have physical access or can manipulate someone with physical access: the FAT32 driver in Windows had a vulnerability that would execute code with full system access just by connecting a USB drive with a crafted partition table (because Windows would auto-mount it). Other vulnerabilities include parsing of .LNK files (shortcuts), which could lead to code execution by browsing to a folder with a crafted .LNK file inside, which Windows also might do automatically if you connect a USB drive. These are fixed, but they existed for a long time, and a fresh install of Windows 7 (without updates) is vulnerable.

To design an absolutely bulletproof network that is truly immune to any (system-oriented) attack you do not only need unlimited money, time and manpower, but also unlimited knowledge. Knowledge to know how to code perfectly, and knowledge of all attacks that your code and architecture will open up for. Even the best of programmers still don't code perfectly. Even so, some people have to have access to the system for it to do the things it is intended for. You can't fix social manipulation with code. Great security isn't all about preventing incidents, but well planned handling of them. Have you heard "there are two types of companies; those who have been compromised, and those who don't know they have been compromised"? Assume you will be compromised, design your architecture taking compromised devices into account, and plan to handle compromise when it happens.
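The lateral-movement argument from matricks's first reply and the printer/UPnP point above both come down to the same defender's question: which chains of trust lead from the Internet to the machine you care about, and which single links, if cut, close all of them? The following is an added example, not code from this thread or from any product; the network model is constructed for illustration (edge `src -> dst` means "code running on src can reach a service on dst that it is trusted to use"), so device names and edges are assumptions, not a real topology. It enumerates the attack paths, shows how a printer that opens its own WAN port via UPnP adds a path, and which edges become choke points once scan-to-PC and web-server-to-workstation trust are removed.

```python
# Constructed network model (assumption, not a real network).
NETWORK = {
    "internet":   ["router", "web_server"],               # services reachable from outside
    "router":     ["printer", "pc_windows", "pc_linux"],  # router owns the LAN/wifi
    "web_server": ["pc_windows"],                         # same internal segment as the user PC
    "printer":    ["pc_windows"],                         # scan-to-PC pushes files to the workstation
    "pc_windows": [],
    "pc_linux":   [],
}


def all_paths(edges, src, dst):
    """Every simple path from src to dst, found by depth-first search (deterministic order)."""
    paths = []

    def walk(node, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def choke_edges(edges, src, dst):
    """Edges present on every path: cutting any one of them blocks dst from src entirely."""
    paths = all_paths(edges, src, dst)
    if not paths:
        return set()
    common = None
    for path in paths:
        steps = set(zip(path, path[1:]))
        common = steps if common is None else common & steps
    return common


def with_upnp_mapping(edges, device):
    """Model a device that used UPnP to forward a WAN port to itself: internet reaches it directly."""
    new = {k: list(v) for k, v in edges.items()}
    if device not in new["internet"]:
        new["internet"].append(device)
    return new


def without_edge(edges, src, dst):
    """Model a segmentation fix: the trust/connectivity from src to dst is removed."""
    new = {k: list(v) for k, v in edges.items()}
    new[src] = [d for d in new[src] if d != dst]
    return new


if __name__ == "__main__":
    target = "pc_windows"
    for label, net in [("baseline", NETWORK),
                       ("printer opened WAN port via UPnP", with_upnp_mapping(NETWORK, "printer"))]:
        print(label)
        for p in all_paths(net, "internet", target):
            print("   ", " -> ".join(p))
    hardened = without_edge(without_edge(NETWORK, "printer", target), "web_server", target)
    print("hardened paths:", all_paths(hardened, "internet", target))
    print("hardened choke points:", sorted(choke_edges(hardened, "internet", target)))
```

In the baseline model no single edge is a choke point, which is the uncomfortable answer to "is my box reachable?": the router, the web server and the printer each provide an independent route. The model is deliberately small; on a real network the useful version of this exercise is feeding it the actual firewall rules, UPnP mapping table and service trust relationships, and the printer's UPnP behaviour is exactly the kind of edge that appears without anyone having configured it.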