
Hacker arsenals feature new weapons



ORLANDO - It's never been a better time to be a hacker - or a worse time to be defending your network against intrusion and destruction.

The latest round of hacker tools for cracking passwords and sniffing out or even remotely hijacking your network is more deadly than ever, according to security experts trying to keep tabs on the hacker front.

Take a new tool called Hunt, for example. Purportedly written by a hacker named Cra, this Unix tool lets an attacker automatically sniff a File Transfer Protocol, rlogin or telnet connection and take over a user's machine.

"This is session hijacking," says Edward Skoudis, technical director at Reston, Va.-based consultancy Global Integrity Corp. Skoudis spoke on the subject at last week's Infosec conference here, and says Hunt outdoes anything he has seen in terms of its effectiveness to monitor and take command.

In addition to Hunt, the hacker arsenal has been stocked in the past few months with impressive upgrades on older standbys, such as L0phtCrack for password cracking and NetBus for remote spying and network control.

The new L0phtCrack 2.5 cracks NT passwords 450 times faster than before and now comes with a sniffer to help capture them, Skoudis says.

For remote spying, NetBus 2.0, out since January, is no longer free but will cost the would-be hacker $15.

Another new tool, Nmap, takes port scanning to new heights - it's not only very effective but it is also much harder to detect than other tools, such as Strobe or Probe.

Skoudis suggests protective maneuvers, such as encrypting network sessions and shutting down unused ports. But the reality is that networks are more vulnerable than ever before.

But at Infosec, attended by hundreds of IS professionals representing industry and government, it looked like the good guys aren't giving up the fight.

Charles Schwab & Co., which now handles two-thirds of its trades via its Web site, had plenty of staff attending Infosec. Ed Ehrgott, Charles Schwab's electronic brokerage IS director, puts network snooping at the top of his list of online business dangers.

"The new tools don't only let [intruders] identify what ports are open. They also let them know what operating system is running," Ehrgott points out. "Without a secure operating system, all security bets are off."

To that end, Charles Schwab spends enormous resources testing every electronic commerce-based application line by line to make sure hackers can't break into its Web server through buffer overflows. Buffer overflows take advantage of programming errors in elements such as Common Gateway Interface scripts. By exploiting these errors, hackers can enter information over the Web that gets dumped into the operating system and gives the hacker some measure of control.
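
The overflow class described above, as an added C example (not code from Charles Schwab or from the article): a CGI program that copies the server-supplied QUERY_STRING into a fixed buffer with no length check, next to a bounds-checked decoder that rejects overlong or malformed input. The function names and the 64-byte buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 64   /* constructed buffer size for this example */

/* Unsafe pattern: trusts the length of remote input. A QUERY_STRING
 * longer than the buffer overwrites adjacent stack memory. */
void greet_unsafe(const char *query) {
    char name[NAME_BUF];
    strcpy(name, query);                 /* no bounds check */
    printf("Hello, %s\n", name);
}

/* Hardened: URL-decode src into dst, never writing past dstsize bytes.
 * Returns the decoded length, or -1 if the input is too long or malformed. */
int decode_bounded(const char *src, char *dst, size_t dstsize) {
    size_t n = 0;
    if (src == NULL || dst == NULL || dstsize == 0) return -1;
    while (*src) {
        unsigned char c = (unsigned char)*src++;
        if (c == '%') {
            if (!isxdigit((unsigned char)src[0]) || !isxdigit((unsigned char)src[1]))
                return -1;               /* truncated or invalid escape */
            char hex[3] = { src[0], src[1], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            src += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (c == '\0') return -1;        /* reject an embedded NUL (%00) */
        if (n + 1 >= dstsize) return -1; /* keep room for the terminator */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

int main(void) {
    char name[NAME_BUF];
    const char *q = getenv("QUERY_STRING");  /* set by the web server for CGI */
    printf("Content-Type: text/plain\r\n\r\n");
    if (q == NULL || decode_bounded(q, name, sizeof name) < 0) {
        printf("Bad request\n");
        return 0;
    }
    printf("Hello, %s\n", name);
    return 0;
}
```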

Ehrgott emphasizes that organizations have to diligently install every software patch on their machines the minute a new vulnerability is discovered by CERT or other security information resources.

Some hackers use good tools, such as sniffers, to do bad things. Network managers have long relied on commercial analyzer products, such as those from Network Associates, En Garde, AG Group, Hewlett-Packard and Memco. These products help design and troubleshoot networks and are growing more sophisticated in network intrusion detection.

But Mark Kean, systems security manager at the Des Moines, Iowa-based Multi-State Lottery Association, worries that the free demonstrations that vendors post on Web sites are falling into hackers' hands.

"Some of these products can be used against you," he says.


Copyright, 1994-2006 Network World, Inc. All rights reserved.