Internet & Web Security
Simson L. Garfinkel
simsong@vineyard.net
Simson L. Garfinkel
Web Security & Commerce
(With Gene Spafford)
O’Reilly & Associates, 1997
Practical UNIX and Internet Security
Garfinkel & Spafford
O’Reilly & Associates, 1997
Vineyard.NET, Inc.
July 1, 1995-
WARNING #1
I’m not here to sell you anything.
(No easy answers)
WARNING #2
I hate Power Point.
Internet Security Today 1/3
What are the main security-related problems
on the Internet Today?
Hijacked web servers
Denial-of-Service Attacks
Unsolicited Commercial E-Mail
Operator Error, Natural Disasters
Microsoft...
Internet Security Today 2/3
What are not the major security-related
problems?
Eavesdropped electronic mail.
• (Misdirected email is a problem.)
• (Email swiped from backup tapes is a problem.)
Sniffed credit card numbers.
• (Credit card numbers stolen from databases is a
problem.)
Hostile Java & ActiveX applets.
Internet Security Today 3/3
So why does the press focus on the non-
problems?
The real problems are old problems.
(see Practical UNIX Security, 1991)
The real problems are hard to solve
(I’m not here to sell you anything.)
Netscape IPO
(Netscape sells a product, not a service.)
Hijacked Web
Servers
Hijacked Web Servers
FBI
August 17, 1996 - Attacks on the
Communications Decency Act.
CIA
September 18, 1996 - “Central Stupidity
Agency”
NetGuide Live
“CMP Sucks.”
Hijacked Web Servers
Attacker gains access and changes contents
of web server.
Usually stunts.
Can be very bad:
Attacker can plant hostile applets.
Attacker can plant data sniffers
Attacker can use compromised machine to take
over internal system.
Hijacked Web Servers
Usually outsiders.
(Could be insiders masquerading as
outsiders.)
Nearly impossible to trace.
How do they do it?
Administrative passwords captured by a
password sniffer.
Utilize known vulnerability:
sendmail bug.
Buffer overflow.
Use web server CGI script to steal
/etc/passwd file, then crack passwords.
Mount the web server’s filesystem.
How do you defend against it?
Patch known bugs.
Don’t run unnecessary services on the web
server.
Don’t run sendmail
Use smap if possible.
Large sites may just after to suffer.
How do you defend? (2)
Never use telnet or ftp to access web server.
ssh/scp
stel
Security Dynamics’ SecureID
Digital Pathways’s SecureNet Key
(S/Key, Kerberos)
How do you defend? (3)
Practice good host security.
Don’t run SunOS.
Use tools like SATAN, ISS, COPS, Tiger...
Monitor system for unauthorized changes.
Tripwire
Monitor system for signs of penetration
Intrusion detection systems
How do you defend? (3)
Make frequent backups.
Have a hot spare ready.
Monitor your system frequently.
Denial-of-Service
Attacks
Denial-of-Service
Publicity is almost as good as changing
somebody’s web server.
Attack on PANIX
Attack on CyberPromotions
Costs real money
Lost Sales
Damage to reputation
Kinds of Denial-of-Service Attacks
Direct attack: attack the machine itself.
Indirect attack: attack something that points
to the machine.
Reputation attack: attack has nothing to do
with the machine, but references it in some
way.
Direct Denial-Of-Service Attack
Send a lot of requests
(HTTP, finger, SMTP)
Easy to trace.
Relatively easy to defend against with TCP/IP
blocking at router.
Direct Denial-Of-Service Attack 2
SYN Flooding
Subverts the TCP/IP 3-way handshake
• SYN / ACK / ACK
Hard to trace
• Each SYN has a different return address.
Defenses now well understood
• Ignore SYNs from impossible addresses.
• Large buffer pools (10 1024)
• Random drop, Oldest drop.
Direct Denial-Of-Service Attack 2
SYN Flooding 2
Most machines are not protected.
Indirect Denial-Of-Service Attack
Attack DNS
http://www.vineyard.net/ 204.17.195.200
DNS spoofing (hard)
Upstream DNS server (easier)
InterNIC (easy!)
Indirect Denial-Of-Service Attack
Attack Routing
Attack routers (hard)
Inject bogus routes on BGP4 peering
sessions (easy)
Accidents have been widely reported.
Expect to see an actual BGP4 attack sometime
this year.
Reputation-based Denial-Of-Service Attack
Spoofed e-mail
To: everybody@AOL.COM
From: astrology@mail.vineyard.net
Subject: Call Now!
Hello. My name is Jean Dixon …
We got 3.9MB of angry responses.
Unsolicited
Commercial E-Mail
Unsolicited Commercial E-Mail
Pits freedom-of-speech against right of
privacy.
Consumes vast amounts of management
time.
Drain on system resources.
Who are the bulk-mailers?
Advertising for Internet neophytes.
Advertising for sexually-oriented services.
Advertising get-rich-quick schemes.
Advertising bulk-mail service.
How do they send out messages?
Send directly from their site.
Send through an innocent third party.
Coming soon:
Sent with a computer virus or ActiveX applet
How did they get my e-mail addresses?
Usenet & Mailing list archives.
Collected from online address book.
AOL registry.
University directory.
Guessed
Sequential CompuServe addresses.
Break into machine & steal usernames.
Operator Error &
Natural Disasters
Operator Error & Natural Disasters
Still a major source of data loss.
Hard to get management to take seriously.
Not sexy.
Preparation is expensive.
If nothing happens, money seems misspent.
Operator Error
Accidentally delete a file.
Accidentally install a bad service.
Accidentally break a CGI script.
Psychotic break.
Natural Disaster
Fire
Flood
Earthquake
Solutions
Frequent Backups
Backup to high-speed tape.
Real-time backup to spare machines.
Make sure some backups are off-site.
Recovery plans.
Recovery center.
Test your backups & plans!
Microsoft
Microsoft
Danger of homogeneous environment.
No demonstrated commitment to computer
security.
Windows 95 is not secure.
Word Macro Viruses.
ActiveX
SMB
Windows NT …?