COEN 252
Security Threats
Hacking
Untargeted attacks
Motivation is
Fun (I can do it)
prevalent until ~2000
Financial Gain
Selling access to compute resources
Creation of botnets for spamming, computation (distributed
decryption, phishing, pharming …)
Selling data
Credit Card Information
E-mails
…
Targeted Denial of Service Attacks
Cloud Nine, a British ISP failed after suffering attacks
Cyber-warfare, terrorism
Hacking
Targeted Attacks
Theft of information
Incapacitation of an organization to fulfill
its purpose by destroying / impeding its
use of computing resources
Hacking
Phases of a Targeted Attack
Reconnaissance
Scanning
Gaining Access
Expanding Access
Covering Tracks
Reconnaissance
Social Engineering
Incite a human to act imprudently, furthering the goals of the
attacker:
“I cannot access my email. What do I do?”
Countermeasures:
Identify security issues
Develop policies
Need to prevent leakage of information
Need buy-in by users and agents
Need to maintain user-friendliness of IT
Physical Reconnaissance
Dumpster Diving
Especially bountiful when people move
Installation of scanning devices
Reconnaissance
Finding publicly available information
Contact information of internet registration
WhoIs, ARIN, RIPE, …
Internal documents made publicly available:
Use search engines
Check Internet Archive, …
Identify naming conventions and guess file names
Scrutinize publications
A word document might contain the revision history with old versions of file
A PDF file had confidential information obscured by a black box, that could
be removed
…
Email, Usenet, Blog postings that identify names of internal
machines, …
Reconnaissance: Scanning
Once we have a target, we need to get to know
it better.
Methods:
War Dialing (to find out modem access)
War Driving
Network Mapping
Largely obsolete due to better firewall rules
Vulnerability Scanning
Scanning: War Dialing
Purpose: Find a modem connection.
Many users in a company install remote PC
software such as PCAnywhere without setting
the software up correctly.
War Dialer finds these numbers by going
through a range of phone numbers listening
for a modem.
Demon Dialer tries a brute force password
attack on a found connection.
Typically: war dialing will find an unsecured
Scanning: Network Mapping
Ping:
ping is implemented using the Internet
Control Message Protocol (ICMP) Echo
Request.
A receiving station answers back to the
sender.
Used by system administrators to check
status of machines and connections.
Scanning: Network Mapping
Traceroute:
Pings a system with ICMP echo requests with
varying life spans (= # of hops allowed).
A system that receives a package with
expired numbers of hops sends an error
message back to sender.
Traceroute uses this to find the route to a
given system.
Useful for System Administration
Scanning: Network Mapping
Cheops:
Network Scanner
(UNIX based)
(Uses traceroute and other
tools to map a network.)
Cheops et Co. are the
reason that firewalls
intercept pings.
Reconnaissance: Port Scans
Applications on a system use ports to
listen for network traffic or send it out.
216 ports available, some for known
services such as http (80), ftp, ...
Port scans send various type of IP
packages to target on different ports.
Reaction tells them whether the port is
open (an application listens).
Reconnaissance: Nmap
Uses different types of packets to check
for open ports.
Xmas tree, NULL, Syn, … Scans
Can tell from the reaction what OS is
running, including patch levels.
Can run in stealth mode, in which it is
not detected by many firewalls.
Reconnaissance Prevention
Firewalls can make it very difficult to scan
from the outside.
Drop scan packets.
Patched OS do not have idiosyncratic
behavior that allows OS determination.
IDS can detect internal scans and warn
against them.
Example: Detect traceroute by not allowing in
packets with very small TDL values
Gaining Access
Fault in Policy
Weak or no authentication, unwarranted
trust relationships, …
Fault in Implementation
Typical triggered by intentionally
malformed input
Extension of a security breach
Sniffing malware, …
Security Policy, Software defects,
flaws, vulnerabilities
A Security Policy is a set of rules and practices that specify or
regulate how a system or organization provides security services
to protect sensitive and critical system resources [Internet
Society 00].
Software Defects:
A software defect is the encoding of a human error into the
software, including omissions.
Security Flaw:
A security flaw is a software defect that poses a potential security
risk.
Eliminating software defects eliminate security flaws.
Vulnerability
set of conditions that allows an attacker to violate an explicit or
implicit security policy.
Not all security flaws lead to vulnerabilities.
Not all vulnerabilities are based on a security flaw.
Software Vulnerabilities
Attacker needs
to control the environment of the
application
or craft input
in order to trigger a vulnerability.
Software Vulnerabilities
In a typical environment, attacker needs to be able to
set a single value at a single address in order to
execute arbitrary code.
Typical Targets
Global Offset Table in Unix
Used to link to library functions
.dtors
Used by gcc to link to destructors that run at termination of
program
Virtual Function Tables
Exception Handling Table in Windows
Software Vulnerabilities
Typical Vulnerabilities
Buffer Overruns:
Input string is stored on a buffer, but buffer is too small
Input located outside of buffer has overwritten data
Stack based buffer overflow: Overwrite the return address of a function
Format String Vulnerability: (Specific to C)
Arises by not specifying a format string
The %n construct allows attacker to control a random memory location
Integer Overflow
Race Conditions
Especially when accessing files
Software Vulnerabilities
Typical Vulnerabilities
Injection Attacks
Input (e.g. user input to web server) is used to generate
arguments for a command to be executed: Command
Injection
Input (e.g. user input to web server) is used to generate
arguments for a sql query to be executed and displayed: SQL
Injection
Name Resolution Attacks
Different modules use different ways to canonicalize / resolve
names of resources such as files
HFS2 file names are not case sensitive, but Apache configuration
is
Homonyms (e.g. kyrillic vs. regular o)
Software Vulnerabilities
Use of magic names
Instance of security by obfuscation
Magic URL
Hidden Form Fields
Software Vulnerabilities
False amount of security information results
in poor usability
Too many warnings: Users are confused and
trained to ignore warnings
Too few warnings: Users are not made aware of
risks
Bad networking protocols
Unauthenticated key exchange
Trusting network name resolution
Gaining Access through Network
Attacks: Sniffing
Sniffer: Gathers traffic from a LAN.
Examples: Snort www.snort.org, Sniffit
reptile.rug.ac.be/~coder/sniffit/sniffit.ht
ml
To gain access to packages, use
spoofed ARP (Address Resolution
Protocol) to reroute traffic.
Gaining Access through Network
Attacks: Sniffing
Sniffing through a hub:
MAC flooding:
Switches store MAC addresses in a cache.
Switches accept MAC advertising.
Attacker sends a flood of MAC advertisings.
Switch’s cache fills up.
Switch moves into promiscuous mode.
Spoofed ARP messages
Gaining Access through Network
Attacks: Sniffing
Sniffing through a hub:
Spoofed ARP messages:
ARP resolves between IP addresses and MAC addresses.
Step 1: Attacker sets up IP Forwarding to the default
router on LAN.
Step 2: Send a faked ARP reply to victims machine to
reroute default router IP to attackers MAC address.
Step 3: Victim sends out a message to the outside world.
This is routed to the default router IP, i.e. to the
attackers machine.
Step 4: Attacker reads traffic.
Step 5: Because of forwarding, packet is forwarded to
actual default router.
Gaining Access through Network
Attacks: Sniffing
Man in the Middle Attack with DSniff:
Step 1: Send fake DNS response with IP address
for the web site to be attacked to the victim.
Step 2: Victim connects to website.
Step 3: DNS resolves to the attacker’s machine,
request send there.
Step 4: Attacker’s site receives request, acts as
proxy, forwards it to real website.
Step 5: Real website answers, attackers site
forwards to victim.
…
Gaining Access: Session
Hijacking
IP Address Spoofing: Send out IP packages
with false IP addresses.
If an attacker sits on a link through which
traffic between two sites flows, the attacker
can inject spoofed packages to “hijack the
session”.
Attacker inserts commands into the
connection.
Details omitted.
Exploiting and Maintaining
Address
After successful intrusion, an attacker should:
Attack privileged programs to gain root or
administrator privileges.
Erase traces (e.g. change log entries).
Take measures to maintain access.
Erase security holes so that no-one else can
gain illicit access and do something stupid to
wake up the sys. ad.
Maintaining Access: Trojans
A program with an additional, evil
payload.
Running MS Word also reinstalls a
backdoor.
ps does not display the installed sniffer.
Maintaining Access: Backdoors
Bypass normal security measures.
Example: netcat
Install netcat on victim with the
GAPING_SECURITY_HOLE option.
C:\ nc -1 –p 12345 –e cmd.sh
In the future: connect to port 12345
and start typing commands.
Maintaining Access: Backdoors
BO2K (Back Orifice 2000) runs in
stealth mode (you cannot discover it by
looking at the processes tab in the
TASK MANAGER.
Otherwise, it is a remote control
program like pcAnyWhere, that allows
accessing a computer over the net.
Maintaining Access: Backdoors
RootKit:
A backdoor built as a Trojan of system
executables such as ipconfig.
Kernel-Level RootKit:
Changes the OS, not only system
executables.
Covering Tracks:
Altering logs.
Create difficult to find files and directories.
Covert Channels through Networks:
Loki uses ICMP messages as the carrier.
Use WWW traffic.
Use unused fields in TCP/IP headers.
Use antiforensics
Change registry values to delete traces of installed
programs
Change Date-Time stamps
Hacker Profile
Internal Hacker
Disgruntled employee
Contracted employee
Targets for corporate espionage.
Are not bound by employee policies and
procedures.
Indirectly contracted employee
Perform shared or subcontracted services
Hacker Profile
External Hacker
Recreational Hacker
85% 90% male.
Between 12 and 25.
Highly intelligent low-achiever.
Typically from dysfunctional families.
Professional Hacker
Hackers for hire.
Electronic warfare, corporate espionage.
So-called “Security Consultants” who look for blackmail or
exploit for hire
Security Consultants
Hacker Profile
Virus writers1
Teenagers, College Students, Professionals
Drop out of the scene as adults or have social
problems.
Intelligent, educated, male.
Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus
Writer’s Mind”
Hacker Profile
Script Kiddy
Uses scripts of programs written by others
to exploit known vulnerabilities
Goal is bragging rights, defacing web sites
Sweep IP addresses for vulnerability
Typically not explicitly malicious, but can
cause damage inadvertently
Hacker Profile
Dedicated Hacker
Does research.
Knows in and outs of OS, system, auditing
and security tools.
Writes or modifies programs and shell
scripts
Reads security bulletins (CERT, NIST)
Searches the underground.
Hacker Profile
Skilled Hacker
Thorough understanding of system at the level of Sys Ad or
above.
Can read OS source code.
Understands network protocols.
Superhacker
Does not brag or post.
Can enter or bring down any system.
http://www.securityfocus.com/news/203
Hacker Motives
Intellectually Motivated
Educational experimentation
28 year old computer expert diverted 2585 US West computers
to search for a new prime number.
Used 10.63 years of computer time.
Lengthened telephone number lookup to 5 minutes
Almost shut down the Phoenix Service Delivery Center
“Harmless Fun”
Web defacing
Wake-up Call
Free-lance security consultant (still illegal)
Hacker Motives
Personally motivated
Disgruntled employee.
Cyber-stalking
E.g. to show of superiority to someone they feel / are inferior
to.
Danger of escalation to physical attack.
A 50-year old security guard used the internet to solicit the rape
of a 28-year old woman who rejected him.
Impersonated her in chat rooms and online bulletins.
Impersonated rape fantasies.
At least six man knocked at her door at night offering to rape her.
Six years in prison.
Hacker Motives
Socially motivated
Cyber-activism
Politically motivated
Hacking KKK or NAACP websites
Cyber-Terrorism
Threatens serious disruption of the infrastructure
Power
Water
Transportation
Communication
1988: Israeli Virus and logic bomb in Israeli government computers
Cyber-warfare
Hacker Motives
Financially Motivated
Personal profit.
Two Cisco Systems consultants issued almost $8 M
Cisco stock to themselves.
Accessed a system used to manage stock option
disbursals to find control numbers for forged
authorization forms.
Damage to the organization.
British internet provider, Cloud Nine, went out of
business after crippling series of DOS attacks.
Ego Motivated
Hacking Damage
Releasing Information
Releasing Software
By circumventing copying protection.
Through IP theft
Consuming Unused(?) Resources
Discover and Document Vulnerabilities
Compromise Systems and Increase their
Vulnerabilities
Website Vandalism