Document Sample
hacking Powered By Docstoc
					COEN 252

     Security Threats
   Untargeted attacks
       Motivation is
            Fun (I can do it)
                  prevalent until ~2000
            Financial Gain
                  Selling access to compute resources
                      Creation of botnets for spamming, computation (distributed

                         decryption, phishing, pharming …)
                  Selling data
                      Credit Card Information

                      E-mails

                      …

                  Targeted Denial of Service Attacks
                      Cloud Nine, a British ISP failed after suffering attacks

            Cyber-warfare, terrorism
   Targeted Attacks
       Theft of information
       Incapacitation of an organization to fulfill
        its purpose by destroying / impeding its
        use of computing resources
Phases of a Targeted Attack
   Reconnaissance
   Scanning
   Gaining Access
   Expanding Access
   Covering Tracks
   Social Engineering
        Incite a human to act imprudently, furthering the goals of the
             “I cannot access my email. What do I do?”
             Countermeasures:
                   Identify security issues
                   Develop policies
                         Need to prevent leakage of information
                         Need buy-in by users and agents
                         Need to maintain user-friendliness of IT
   Physical Reconnaissance
        Dumpster Diving
             Especially bountiful when people move
        Installation of scanning devices
   Finding publicly available information
        Contact information of internet registration
             WhoIs, ARIN, RIPE, …
        Internal documents made publicly available:
             Use search engines
             Check Internet Archive, …
             Identify naming conventions and guess file names
             Scrutinize publications
                   A word document might contain the revision history with old versions of file
                   A PDF file had confidential information obscured by a black box, that could
                    be removed
                   …
        Email, Usenet, Blog postings that identify names of internal
         machines, …
Reconnaissance: Scanning
Once we have a target, we need to get to know
  it better.
 War Dialing (to find out modem access)

 War Driving

 Network Mapping

       Largely obsolete due to better firewall rules
   Vulnerability Scanning
Scanning: War Dialing
Purpose: Find a modem connection.
 Many users in a company install remote PC

  software such as PCAnywhere without setting
  the software up correctly.
 War Dialer finds these numbers by going

  through a range of phone numbers listening
  for a modem.
 Demon Dialer tries a brute force password
  attack on a found connection.
 Typically: war dialing will find an unsecured
Scanning: Network Mapping
 ping is implemented using the Internet
  Control Message Protocol (ICMP) Echo
 A receiving station answers back to the
 Used by system administrators to check
  status of machines and connections.
Scanning: Network Mapping
 Pings a system with ICMP echo requests with
  varying life spans (= # of hops allowed).
 A system that receives a package with
  expired numbers of hops sends an error
  message back to sender.
 Traceroute uses this to find the route to a
  given system.
 Useful for System Administration
    Scanning: Network Mapping

Network Scanner
(UNIX based)

(Uses traceroute and other
   tools to map a network.)

Cheops et Co. are the
  reason that firewalls
  intercept pings.
Reconnaissance: Port Scans
   Applications on a system use ports to
    listen for network traffic or send it out.
   216 ports available, some for known
    services such as http (80), ftp, ...
   Port scans send various type of IP
    packages to target on different ports.
   Reaction tells them whether the port is
    open (an application listens).
Reconnaissance: Nmap
   Uses different types of packets to check
    for open ports.
       Xmas tree, NULL, Syn, … Scans
   Can tell from the reaction what OS is
    running, including patch levels.
   Can run in stealth mode, in which it is
    not detected by many firewalls.
Reconnaissance Prevention
   Firewalls can make it very difficult to scan
    from the outside.
       Drop scan packets.
   Patched OS do not have idiosyncratic
    behavior that allows OS determination.
   IDS can detect internal scans and warn
    against them.
   Example: Detect traceroute by not allowing in
    packets with very small TDL values
Gaining Access
   Fault in Policy
       Weak or no authentication, unwarranted
        trust relationships, …
   Fault in Implementation
       Typical triggered by intentionally
        malformed input
   Extension of a security breach
       Sniffing malware, …
    Security Policy, Software defects,
    flaws, vulnerabilities
   A Security Policy is a set of rules and practices that specify or
    regulate how a system or organization provides security services
    to protect sensitive and critical system resources [Internet
    Society 00].
   Software Defects:
        A software defect is the encoding of a human error into the
         software, including omissions.
   Security Flaw:
        A security flaw is a software defect that poses a potential security
        Eliminating software defects eliminate security flaws.
   Vulnerability
        set of conditions that allows an attacker to violate an explicit or
         implicit security policy.
        Not all security flaws lead to vulnerabilities.
        Not all vulnerabilities are based on a security flaw.
Software Vulnerabilities
   Attacker needs
     to control the environment of the
     or craft input

    in order to trigger a vulnerability.
Software Vulnerabilities
   In a typical environment, attacker needs to be able to
    set a single value at a single address in order to
    execute arbitrary code.
   Typical Targets
       Global Offset Table in Unix
            Used to link to library functions
       .dtors
            Used by gcc to link to destructors that run at termination of
       Virtual Function Tables
       Exception Handling Table in Windows
Software Vulnerabilities
   Typical Vulnerabilities
        Buffer Overruns:
             Input string is stored on a buffer, but buffer is too small
             Input located outside of buffer has overwritten data
             Stack based buffer overflow: Overwrite the return address of a function
        Format String Vulnerability: (Specific to C)
             Arises by not specifying a format string
             The %n construct allows attacker to control a random memory location
        Integer Overflow
        Race Conditions
             Especially when accessing files
Software Vulnerabilities
   Typical Vulnerabilities
       Injection Attacks
            Input (e.g. user input to web server) is used to generate
             arguments for a command to be executed: Command
            Input (e.g. user input to web server) is used to generate
             arguments for a sql query to be executed and displayed: SQL
       Name Resolution Attacks
            Different modules use different ways to canonicalize / resolve
             names of resources such as files
                  HFS2 file names are not case sensitive, but Apache configuration
                  Homonyms (e.g. kyrillic vs. regular o)
Software Vulnerabilities
   Use of magic names
       Instance of security by obfuscation
            Magic URL
            Hidden Form Fields
Software Vulnerabilities
   False amount of security information results
    in poor usability
       Too many warnings: Users are confused and
        trained to ignore warnings
       Too few warnings: Users are not made aware of
   Bad networking protocols
       Unauthenticated key exchange
       Trusting network name resolution
Gaining Access through Network
Attacks: Sniffing
   Sniffer: Gathers traffic from a LAN.
   Examples: Snort, Sniffit
   To gain access to packages, use
    spoofed ARP (Address Resolution
    Protocol) to reroute traffic.
Gaining Access through Network
Attacks: Sniffing
   Sniffing through a hub:
       MAC flooding:
            Switches store MAC addresses in a cache.
            Switches accept MAC advertising.
            Attacker sends a flood of MAC advertisings.
            Switch’s cache fills up.
            Switch moves into promiscuous mode.
       Spoofed ARP messages
Gaining Access through Network
Attacks: Sniffing
   Sniffing through a hub:
       Spoofed ARP messages:
            ARP resolves between IP addresses and MAC addresses.
            Step 1: Attacker sets up IP Forwarding to the default
             router on LAN.
            Step 2: Send a faked ARP reply to victims machine to
             reroute default router IP to attackers MAC address.
            Step 3: Victim sends out a message to the outside world.
             This is routed to the default router IP, i.e. to the
             attackers machine.
            Step 4: Attacker reads traffic.
            Step 5: Because of forwarding, packet is forwarded to
             actual default router.
Gaining Access through Network
Attacks: Sniffing
   Man in the Middle Attack with DSniff:
       Step 1: Send fake DNS response with IP address
        for the web site to be attacked to the victim.
       Step 2: Victim connects to website.
       Step 3: DNS resolves to the attacker’s machine,
        request send there.
       Step 4: Attacker’s site receives request, acts as
        proxy, forwards it to real website.
       Step 5: Real website answers, attackers site
        forwards to victim.
       …
Gaining Access: Session
   IP Address Spoofing: Send out IP packages
    with false IP addresses.
   If an attacker sits on a link through which
    traffic between two sites flows, the attacker
    can inject spoofed packages to “hijack the
   Attacker inserts commands into the
   Details omitted.
Exploiting and Maintaining
After successful intrusion, an attacker should:
 Attack privileged programs to gain root or

  administrator privileges.
 Erase traces (e.g. change log entries).

 Take measures to maintain access.

 Erase security holes so that no-one else can

  gain illicit access and do something stupid to
  wake up the sys. ad.
Maintaining Access: Trojans
   A program with an additional, evil
       Running MS Word also reinstalls a
       ps does not display the installed sniffer.
Maintaining Access: Backdoors
 Bypass normal security measures.
              Example: netcat
 Install  netcat on victim with the
C:\ nc -1 –p 12345 –e
 In the future: connect to port 12345

  and start typing commands.
Maintaining Access: Backdoors
   BO2K (Back Orifice 2000) runs in
    stealth mode (you cannot discover it by
    looking at the processes tab in the
   Otherwise, it is a remote control
    program like pcAnyWhere, that allows
    accessing a computer over the net.
Maintaining Access: Backdoors
   RootKit:
    A backdoor built as a Trojan of system
      executables such as ipconfig.
   Kernel-Level RootKit:
    Changes the OS, not only system
Covering Tracks:
   Altering logs.
   Create difficult to find files and directories.
   Covert Channels through Networks:
       Loki uses ICMP messages as the carrier.
       Use WWW traffic.
       Use unused fields in TCP/IP headers.
   Use antiforensics
       Change registry values to delete traces of installed
       Change Date-Time stamps
Hacker Profile
   Internal Hacker
       Disgruntled employee
       Contracted employee
            Targets for corporate espionage.
            Are not bound by employee policies and
       Indirectly contracted employee
            Perform shared or subcontracted services
Hacker Profile
   External Hacker
       Recreational Hacker
            85% 90% male.
            Between 12 and 25.
            Highly intelligent low-achiever.
            Typically from dysfunctional families.
       Professional Hacker
            Hackers for hire.
            Electronic warfare, corporate espionage.
            So-called “Security Consultants” who look for blackmail or
             exploit for hire
            Security Consultants
Hacker Profile
   Virus writers1
       Teenagers, College Students, Professionals
       Drop out of the scene as adults or have social
       Intelligent, educated, male.

        Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus
        Writer’s Mind”
Hacker Profile
   Script Kiddy
       Uses scripts of programs written by others
        to exploit known vulnerabilities
       Goal is bragging rights, defacing web sites
       Sweep IP addresses for vulnerability
       Typically not explicitly malicious, but can
        cause damage inadvertently
Hacker Profile
   Dedicated Hacker
       Does research.
       Knows in and outs of OS, system, auditing
        and security tools.
       Writes or modifies programs and shell
       Reads security bulletins (CERT, NIST)
       Searches the underground.
Hacker Profile
   Skilled Hacker
       Thorough understanding of system at the level of Sys Ad or
       Can read OS source code.
       Understands network protocols.
   Superhacker
       Does not brag or post.
       Can enter or bring down any system.
    Hacker Motives
   Intellectually Motivated
       Educational experimentation
            28 year old computer expert diverted 2585 US West computers
             to search for a new prime number.
            Used 10.63 years of computer time.
            Lengthened telephone number lookup to 5 minutes
            Almost shut down the Phoenix Service Delivery Center
       “Harmless Fun”
            Web defacing
       Wake-up Call
            Free-lance security consultant (still illegal)
Hacker Motives
   Personally motivated
       Disgruntled employee.
       Cyber-stalking
            E.g. to show of superiority to someone they feel / are inferior
            Danger of escalation to physical attack.
                  A 50-year old security guard used the internet to solicit the rape
                   of a 28-year old woman who rejected him.
                  Impersonated her in chat rooms and online bulletins.
                  Impersonated rape fantasies.
                  At least six man knocked at her door at night offering to rape her.
                  Six years in prison.
Hacker Motives
   Socially motivated
        Cyber-activism
        Politically motivated
             Hacking KKK or NAACP websites
        Cyber-Terrorism
             Threatens serious disruption of the infrastructure
                   Power
                   Water
                   Transportation
                   Communication
             1988: Israeli Virus and logic bomb in Israeli government computers
        Cyber-warfare
Hacker Motives
    Financially Motivated
         Personal profit.
              Two Cisco Systems consultants issued almost $8 M
               Cisco stock to themselves.
              Accessed a system used to manage stock option
               disbursals to find control numbers for forged
               authorization forms.
         Damage to the organization.
              British internet provider, Cloud Nine, went out of
               business after crippling series of DOS attacks.
    Ego Motivated
Hacking Damage
   Releasing Information
   Releasing Software
       By circumventing copying protection.
       Through IP theft
   Consuming Unused(?) Resources
   Discover and Document Vulnerabilities
   Compromise Systems and Increase their
   Website Vandalism

Shared By: