Organizations use hacker tools to find weaknesses

By William Jackson

GCN Staff

Depending on the network manager's viewpoint, two remote administration and monitoring tools announced at last month's DefCon hackers convention in Las Vegas can be used for either good or evil.

Back Orifice 2000, an upgrade from San Francisco's Cult of the Dead Cow group, supports, or undermines, systems running Microsoft BackOffice under Microsoft Windows NT and Windows 9x.

Representatives of several security companies called it a Trojan horse, but cult members said they intend Back Orifice 2000 to be a wake-up call 'to finally implement a security model in Windows operating systems.'

L0pht Heavy Industries, a Boston hacker think tank, announced a beta release of AntiSniff, which supposedly can detect sniffing devices on networks.

'It can be used for good, and it can be used for evil,' said L0pht's chief scientist, who goes by the alias Dr. Mudge. He said AntiSniff can tell whether a network has been compromised, but it also can help a hacker sidestep intrusion detection systems.

L0pht reverse-engineers commercial software to see how it works, finds faults and publicizes them. Its tools to exploit flaws have drawn greater attention to them.

Paying attention

'These groups create a lot of noise about vulnerabilities in popular software,' said Drew Williams, information technology assurance product manager for Axent Technologies Inc. of Rockville, Md. 'The good news is, among the noise, there's some real value as vendors and agencies start paying more attention to product security.'

Back Orifice, released a year ago, reportedly has had 300,000 copies downloaded from the Web. The new release, which supports NT and strong encryption, claims to let administrators perform typical desktop support duties at their desks.

Representatives of Network-1 Security Solutions of Wellesley, Mass., one of the companies bringing Back Orifice 2000-related products to market, said, 'Back Orifice 2000 gives remote hackers more control of the captive Windows NT machine than the person physically sitting at the keyboard has.'

When a hacker covertly installs Back Orifice as a Trojan horse, unseen by the desktop user, the hacker can gather information, reconfigure the machine and perform other functions via the Web. The software is not a virus and does not replicate, so it must be installed on each machine, often surreptitiously under the guise of a legitimate program.

Internet Security Systems Inc. of Atlanta claimed that the Back Orifice 2000 controller has access to more than 70 commands within BackOffice, the Microsoft suite of server applications that it exploits.

The company's representatives boasted that within 24 hours of Back Orifice 2000's release, they had decoded its protocols and encryption algorithms and within another day had updated their Internet scanner to detect its presence. They also plan a new release of the RealSecure intrusion detection system to spot it.

Network-1 claimed that its CyberwallPlus-SV intrusion prevention product could protect NT systems by blocking transmissions between a hijacked computer and the remote hacker.

L0pht's AntiSniff 1.0 looks for sniffing devices, which can passively collect data such as passwords for a hacker. A sniffing device sets a network interface card to promiscuous mode, so that it monitors all the packets on a network, not just those addressed to the specific NIC.
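As an added illustration of the promiscuous-mode mechanism described above (this is not AntiSniff's remote probing technique nor any code from L0pht), here is a local audit that reads the kernel's per-interface flag word from a /sys/class/net-style directory and reports NICs whose IFF_PROMISC bit is set; the sample flag values are constructed, and a host already under an attacker's control could of course hide the flag from such a check.

```python
import tempfile
from pathlib import Path

# Linux interface flag bits as exposed in /sys/class/net/<iface>/flags (hex).
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100   # set when the NIC accepts frames not addressed to it
IFF_MULTICAST = 0x1000


def iface_flags(sysfs_net: Path) -> dict:
    """Return {interface name: flag word} for every entry that has a readable flags file."""
    flags = {}
    for entry in sorted(sysfs_net.iterdir()):
        flag_file = entry / "flags"
        if flag_file.is_file():
            # The kernel writes the word as "0x1003\n"; int(..., 16) accepts the 0x prefix.
            flags[entry.name] = int(flag_file.read_text().strip(), 16)
    return flags


def promiscuous_ifaces(sysfs_net: Path = Path("/sys/class/net")) -> list:
    """Names of interfaces currently in promiscuous mode, i.e. potential sniffers."""
    return [name for name, word in iface_flags(sysfs_net).items() if word & IFF_PROMISC]


def demo() -> list:
    """Build a constructed sysfs tree (not a real host) and run the audit over it."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "eth0": IFF_UP | IFF_BROADCAST | IFF_RUNNING | IFF_PROMISC | IFF_MULTICAST,  # 0x1143
        "eth1": IFF_UP | IFF_BROADCAST | IFF_RUNNING | IFF_MULTICAST,                # 0x1043
        "lo": IFF_UP | IFF_RUNNING,                                                  # 0x41
    }
    for name, word in samples.items():
        (root / name).mkdir()
        (root / name / "flags").write_text(f"0x{word:x}\n")
    return promiscuous_ifaces(root)


if __name__ == "__main__":
    # On a real Linux host, call promiscuous_ifaces() with no argument instead.
    print("promiscuous interfaces in constructed sample:", demo())
```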
