What would you define as an "advanced" hacker attempt?

Question

This subject might just barely be a programming topic. Though, in my point of view, it is of great concern to programmers because of our responsibility to develop secure code.

Recently, there has been a lot of talk about web exploits in my country. Certain organisation keep posting passwords and databases that they hacked in the last few months. In a few days, over 200,000 login credentials have been exposed to public. Most of the site-owners didn't know anything about the attempts, up to this point.

This quote from a pressman really stuck with me:

This is no advanced attack. The method used to obtain the passwords is relatively simple.

I want to know: what are some characteristics of "advanced attacks?"

My thoughs:

Would you say brute-forcing a login service is advanced? Probably not. Kind of low-tech. Was it advanced once upon a time, when you connected auto-dialers and finally got into communication-line-in (phone) at banks and federations? Back then, maybe.

If you brute-force a login service and avoid around built-in blocking systems and logs, your attack might be considered advanced. If you successfully copy an entire database through a unsecured input form, is it advanced or not?

Is it advanced if a person (Bill?) without any IT skills at all got the database from company XY? Why? Because Bill is a HVAC Service Technician and his friend are employed on XY. Probably, it's advanced, but not really technically advanced.

If we talk about a a user that came over the connectionstring through a adminpage webpart -- Tried the connectionstring finding out there are no ip filter - okey that's hardly called hack attempt. But, if the user in first place, got access to file system (leak in a file-browser-control?) and downloaded all web.config / app.config at first place. Is it advanced? The user would, doubtless, find several sites that uses same file-browser-controls. Is it severe? Probably..

A question that, at least I, often ran into questions "are md5-hash enough secure?", the fact "yes if they need to force it, to get your data". If they got the db with login and password, some of you already know: No.

Question
It's more like a comwiki here, than a specific question. I would like to read about perspectives and experience in the topic. What do you do for "more secure"? What do you define as obvous or well-known security flaws? Such questions and discussion are valuable to give more of security and more intrusion-safe system in mind when developing.

Answer 1

what defines a advanced kind of attack? Advanced for who and how?

Ultimately, an attack is an attack. It doesn't matter if they used social engineering techniques to get an unsuspecting user to divulge their credentials, brute-force methods, obtained a copy of the software and performed reverse engineering or used the system in methods other than intended, or tools to simply bring the system down and render it inoperational for a period of time.

Most attacks take some kind of sophistication and knowledge of the users of the system, how the system works, or where components reside and how to access them. You could say that any successful attack is advanced - it overcame your security measures to prevent attacks. You might also say that any attack that degrades service, even if it doesn't disable the system, is also successful as your current system couldn't withstand it.

What do you do for "more secure"?

More secure depends on the system being built.

I would recommend reading the work of Gary McGraw. He wrote three books that are especially interesting to people building software. Building Secure Software: How to Avoid Security Problems the Right Way, Exploiting Software: How to Break Code, and Software Security: Building Security In discuss how to build secure software, how to break existing software as well as perform security testing on systems that you are building, and complete software development lifecycle approaches to security. As far as I can tell, these are the canonical books on the subject.

What do you define as obvous or well-known security flaws?

Things that have been seen before and have been studied are, or at least should be, obvious. That's why there's a great deal of work done to study security, from building secure software to analyzing security incidents to determine how and why they happened, and then producing documentation so that other people don't fall victim to the same problems.

The US Department of Homeland Security's National Cyber Security Division has a Build Security In program about finding and organizing information relevant to people building systems that must be secure. The Open Web Application Security Project also produces documentation and resources about many aspects of software security so that they are easily accessible to people building systems where security is a concern. The MITRE Corporation also does work in finding, identifying, and producing vocabularies to discuss security concerns.

Answer 2

Basic: using off the shelf tools, scripts, exploits, etc. to compromise systems. No deeper knowledge of what you are exploiting or how. Limited to public-facing internet attacks. Commonly referred to as script kiddies.

Advanced: creating your own tools to exploit holes you have discovered and/or bought. Understanding exactly how you are overflowing those buffers. Attacking non-public targets.

Answer 3

SQL injection is not advanced. It's probably the reason for the loss of those 200,000 passwords you are talking about.

The problem with hacking is that truly "advanced" techniques can suddenly become "simple" if somebody writes a tool for it. A good example of this is the Metasploit tool. When people find advanced new techniques, they add them to Metasploit, which make it easy for low-skilled hackers to pull off.

Another non-advanced technique is custom viruses. It's easy to create a custom virus (from a virus toolkit) that cannot be detected by anti-virus, then send that to a target, and break in. Later, detection will be added for the virus, but by then, you'll have hacked in.

"Advanced" isn't used by the hackers themselves to describe these techniques, but by defenders. When they get hacked, they are embarrassed. They aren't willing to admit they got hacked by one of these simple techniques, so they pretend the attacks are "advanced". They also stress the "illegality" of the attacks.

Answer 4

I'd say you can earn "advanced" badge by demonstrating large amount of effort and knowledge.

Take look at this story, which describes hacking apache.org website. It took a week and required a lot of observations of minor, security details then a lot patitience to exploit them in order to gain more control over the target system. Every step required knowledge about different aspect of operating systems and/or typical server software. Every little detail matters. For example, box running apache web server usually has a number of "httpd" processes running. That is why they have called their bindshell "httpd" and not just "bindshell" which would be way more suspicious.

Also exploiting stack overflows is considered advanced (you need to have some low level knowledge) but these days there is a lot of tools out there that automate such attempts. So, you can consider it advanced up until a script is posted on some hack site for the kids to play with.

Answer 5

Obviously there is no clear line, but there are certainly some kinds of attacks that are fairly easy and can be done casually, if the target has suitable vulnerabilities. Things like simple SQL injection, path traversal, XSS, session spoofing, etc., or just plain old sniffing on a public network. All these are easy to execute, and easy to defend against, but also very common. An off-the-shelf trojan would also qualify as 'easy'.