I have been interested in the computer, network, and information security since my university years. I used every opportunity to practice and improve my skills. I never made an action as a black hat hacker, nor damaged any system. Though, I am aware that to secure a system you need a digital security strategy and know how the attacker would think and act.
I will not mention classic tips like “use a firewall“, “apply latest security patches“, “close unused ports“, “do not install/run untrusted software“, “change default admin passwords“. Instead, I want to share a simple digital security strategy I have found very useful and effective over the years: Diversion and Deception.
First, let’s understand how most hackers work:
1. Analyze target system
A hacker first starts with identifying the system used on the target system. What kind of server software is being used, what is the web server version, what is the application language used for the website, what are the mail and FTP servers installed etc..
2. Plan how to attack
Does not matter how stable and secure it is, every software has some weaknesses. Identified or not. The more it is popular and widely used the more chance the weaknesses are identified. While developers patch the identified security holes constantly, the users continue to find new ones. That’s why Flash plug-in is being updated almost every week. That’s why Windows is still getting new security updates and patches.
Hackers start targeting at weaker points. If you haven’t patched your web server and for the version you are using there is an identified (which means became publicly known) security hole; the hacker would choose to use it instead of trying to discover new holes.
Even if all of your software is up-to-date, patched with latest updates, a good hacker can find a new way to get in. Especially if the hacker knows the target software/application well.
3. Action: Entering target system
Once the attack ways are identified, the final action is up to the hacker, depending on hacker’s motivation. Some will just be satisfied by sneaking in and getting out without any trail (hobby) while some other will try to steal valuable information (intruder/spy). Some will try to damage the system (black hats), and some will leave a mark like his/her underground nickname without damaging anything to show how good he/she is (self-ego). Some will inform the owners of the target system about security weakness and offer help or share the details (white hats). The action would depend on how white or black hatted the hacker is.
Time for the digital security strategy: Diversion & Deception
The idea is misdirecting the attacker at level 1, “Analyze” stage. If you can manage to convince the attacker that you are using another software, all the “plan” stage will be built on this wrong and invalid analysis.
Sample case: Suppose you have an FTP server installed on your web server to update the web content. FTP servers use port 21 by default and often have security holes. How can you make this FTP server more secure?
Change connect/welcome message. Every FTP server will send a message to the FTP client tries to connect. This message by default starts with the FTP software name and version. The attacker would easily learn about the FTP server software and version you are using by just trying to connect. You can easily edit this welcome message. Changing it to a meaningless text is not a deception unless you change it to a message used by another FTP software. So the attacker would be misled by the software info your server is using. The hacker will try to use techniques applicable to that deceptive software version and will be wondering why those methods are not working.
The attacker is misled about the actual software, diverted to a fake software, but he/she still knows there is an FTP server running on your port 21. Let’s double the deception:
Change the default port of FTP server, make it work from a port other than 21. Changing the port itself is not enough because if port 21 is unused, the attacker will immediately think that FTP server is installed on some other port. Therefore, install another safe, dummy software which is welcoming port 21 with your deceived version of welcome text chosen on the first step. Since you started to use this welcome on port 21 with a dummy software, better you change the real FTP server’s welcome message to something not related to “FTP” anymore.
Result: The attacker will believe that port 21 has an FTP server running but in fact not. Another port which is running the FTP server will respond like another software, hiding the real FTP server’s location. Hacker is free to apply techniques to these fictitious applications. You’ll either keep your system secured or gain enough time to identify there is an attack attempt going on.
History and Practices
Deception strategy is not a new one. High-level bureaucrats use it during travels. Misdirection is the core of being an illusionist. It was also used in many real wars as well as to attract an audience in war movies. The early submarines were carrying junk submarine parts ready to throw in a case of an attack to make the enemy think the shoot was successful. Submarine simulation game “Silent Service” I was playing around 1988 with my Commodore 64, I was using this defensive ability often.
In early 90’s, BBS sysops were using doors to have the ability to connect their computer and drop to shell remotely, when away from home. Therefore, many users were trying to find the key combination activates the sysop door. There was a fake version of the sysop door where you make the user think he/she has found the door and if a user tries any harmful command like “format” then immediately banned and disconnected. I was using “fake sysop door” in my BBS as well, and it helped me a lot to figure out malicious users.
In late 90’s, trojans (trojan horses) were very popular. Simple Trojans were being used by lamers (they know who they are) who have no idea about hacking. Complicated and well-designed ones are still in use, and I believe the method will stay as one of the most critical digital security topics. As in the movie Troy, the Trojan concept relies on deception. Briefly, you are injecting a malicious software (virus/backdoor/keylogger/remote access, etc.) to a regular software and distribute them together. That’s why it’s so important to download software from trusted sources only. Otherwise, it will most likely have a Trojan hidden inside. Why do you think they provide this software free to you?
After I have started web programming, I was back to fake sysop strategy I’ve been using in BBS era. In early 2000’s, I used it to change the displayed version of the forum software and open source CMS packages since these were usually full of security leakages and attractive targets for the newbie hackers. If I was using Joomla, I replaced meta tags with another CMS package’s ones. An average hacker can still figure out what the real software is but you are saved at least from the lamers who just use Google to find out unsecured targets using a Joomla version with known security holes and weaknesses.
In late 2000’s, I used the deception strategy to secure admin panels of web applications. Attackers first try simple subdirectory or subdomain names to find the entrance of admin panels, like “admin”, “administrator”, “panel”. Then, they try similar common usernames and passwords or use a robot to try millions of combinations. Your username and password can both be tough to guess but computers became faster, and they don’t need to sleep. They can try until they find the correct combination. So, why would you risk it? Give a fake admin entrance page like yourdomain.com/admin. Make it look like a login page for your admin panels. Log every try to this page and set an alert if a few consecutive attempts come in a short period. Hide your real admin panel entrance to some “difficult to guess” address, like; yourdomian.com/findmeifyoucan.
Unfortunately, the same techniques often used by the dark side as well. Both Trojan Horse and Phishing attacks are typical results of these methods. That’s why I believe it is important to know how it works not only to secure your system but also yourself from malicious attacks.
Do not forget that there is no completely secure system. There is readiness! Plan your digital security strategy well!