Integrity andrew cmu edu andrew cmu edu

Document Sample
Integrity andrew cmu edu andrew cmu edu Powered By Docstoc
INTEGRITY & POLICY

Leticia Nisbett
Lauren Walters
Andrew Yao

Overview

- Leticia: Basic Integrity and Writing Policies to ensure integrity
- Lauren: Access Controls, Security Models, and Integrity Tools
- Andrew: Applications to Case Study and Examples

What is Integrity?

- Integrity is a VERY important security requirement.
  - Protecting your information is the highest priority.
  - Protecting the integrity of your network is critical to your ability to protect the information it contains.
- It can be defined in a number of ways...

How would you define Integrity?

Definitions of Integrity

- Integrity requires that computer system assets and transmitted information be capable of modification only by authorized parties:
  - not modified by unauthorized persons
  - not created by unauthorized persons

Integrity

- In cryptography and information security, integrity refers to the validity of data.
- Integrity can be compromised in two main ways:
  - Malicious altering
    - An attacker alters the account number in a bank transaction
    - Forging an identity document
  - Accidental altering
    - Transmission errors: "my name Leticia and u have a car"
    - Hard disk crash

** According to Wikipedia

Integrity 2

- In telecommunication, the term data integrity has the following meanings:
  - The condition in which data are identically maintained during any operation, such as transfer, storage, and retrieval.
  - The preservation of data for their intended use.
- Specifically, data integrity in a relational database is concerned with three aspects of the data in a database:
  - Accuracy
  - Correctness
  - Validity

*** according to Wikipedia

What happens if integrity is compromised?

- Modification is an attack on integrity.
- Modification: the data is changed, delayed or reordered to produce an unauthorized, undesired effect.
- A breach in the integrity of your network can be extremely costly in time and effort, and it can open multiple avenues for continued attacks.

Network Considerations

- When considering what to protect within your network, you are concerned with maintaining the integrity of:
  - the physical network
  - your network software
  - any other network resources
  - your reputation
- This integrity involves:
  - the verifiable identity of computers and users
  - proper operation of the services that your network provides
  - optimal network performance
- All these concerns are important in maintaining a productive network environment.

Common Methods of Attack on Integrity

- The four methods of attack that are commonly used to compromise the integrity of a network:
  - Network packet sniffers
  - IP spoofing
  - Password attacks
  - Application layer attacks

Network Packet Sniffers

- Network packet sniffers can yield critical system information, such as user account information and passwords.
  - When an attacker obtains the correct account information, he or she has the run of your network.
- Worst-case scenario:
  - an attacker gains access to a system-level user account
  - creates a new account that can be used at any time as a back door
  - can modify system-critical files such as:
    - the password for the system administrator account
    - the list of services and permissions on file servers
    - the login details for other computers that contain confidential information

Network Packet Sniffers 2

- Packet sniffers provide information about the topology of your network that many attackers find useful, such as:
  - what computers run which services
  - how many computers are on your network
  - which computers have access to others
- A network packet sniffer can be modified:
  - to interject new information
  - to change existing information in a packet
- The attack can cause network connections to shut down prematurely, as well as change critical information within the packet.
  - Imagine a modification to the accounting system.

IP Spoofing

- IP spoofing can yield access to user accounts and passwords, and it can also be used in other ways.
  - An attacker emulates one of your internal users in ways that prove embarrassing for your organization.
- Such attacks are easier when an attacker has a user account and password.
- They are possible by combining simple spoofing attacks with knowledge of messaging protocols.
  - Telnetting directly to the SMTP port on a system allows the attacker to insert bogus sender information.

Password Attacks

- A brute-force password attack can provide access to accounts that can be used to modify critical network files and services.
- It can compromise the network's integrity:
  - Once an attacker gets the password and gains access to the system, he or she can modify the routing tables for the network.
  - The attacker thereby ensures that all network packets are routed to him or her before they are transmitted to their final destination.

Application Layer Attacks

- Application layer attacks can be implemented using several different methods.
  - A common method is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, PostScript, and FTP.
  - By exploiting these weaknesses, attackers can gain access to a computer with the permissions of the account running the application, usually a privileged system-level account.

Application Layer Attacks

- Trojan horse attacks
  - implemented using bogus programs that the attacker substitutes for common programs
  - the programs provide all the functionality of a normal application or service
  - they also include other features that are known to the attacker
  - the programs can capture sensitive information and distribute it back to the attacker

Network considerations when defining security policies

- Three main types of networks must be considered when defining a security policy:
  - Trusted
  - Un-trusted
  - Unknown

Trusted Networks

- Networks inside your network security perimeter.
- Networks that you are trying to protect.
  - Someone in the organization administers the computers that comprise these networks (most of the time).
  - The organization controls their security measures.
  - Usually, trusted networks are within the security perimeter.
- To set up the firewall server:
  - explicitly identify the type of networks that are attached to the firewall server through network adapter cards
  - after the initial configuration, the trusted networks include the firewall server and all networks behind it
- One exception to this general rule is the inclusion of virtual private networks (VPNs).

Un-trusted Networks

- Networks known to be outside your security perimeter.
  - Un-trusted because they are outside your control.
  - You have no control over the administration or security policies for these sites.
  - Private, shared networks from which you are trying to protect your network.
  - You still need and want to communicate with these networks although they are un-trusted.
- To set up the firewall server:
  - explicitly identify the un-trusted networks from which the firewall can accept requests

Unknown Networks

- Networks that are neither trusted nor un-trusted.
  - Unknown quantities to the firewall because you cannot explicitly tell the firewall server that the network is trusted or un-trusted.
  - Unknown networks exist outside your security perimeter.
  - By default, all non-trusted networks are considered unknown networks, and the firewall applies the security policy that is applied to the Internet node in the user interface, which represents all unknown networks.

Establishing a Security Perimeter

- When you define a network security policy, you must define procedures to safeguard your network and its contents and users against loss and damage.
- A network security policy plays a role in enforcing the overall security policy defined by an organization.

Establishing a Security Perimeter

- A critical part of an overall security solution is a network firewall:
  - monitors traffic crossing network perimeters
  - imposes restrictions according to security policy
- Perimeter routers are found at any network boundary:
  - between private networks, intranets, extranets, or the Internet
- Firewalls most commonly separate internal (private) and external (public) networks.
- A network security policy focuses on controlling the network traffic and usage:
  - identifies a network's resources and threats
  - defines network use and responsibilities
  - details action plans for when the security policy is violated
- When a network security policy is deployed it should be strategically enforced at defensible boundaries within your network. These strategic boundaries are called perimeter networks.

Three Types of Perimeter Networks Exist: Outermost, Internal, and Innermost

Example Two-Perimeter Network Security Design

Developing Your Security Design

- The design of the perimeter network and security policies requires certain subjects to be addressed.

Important considerations for defining a security policy

1. Know your enemy
2. Count the cost
3. Identify any assumptions
4. Control your secrets
5. Human factors
6. Know your weakness
7. Limit the scope of access
8. Understand your environment
9. Limit your trust
10. Remember physical security
11. Make security pervasive

Know Your Enemy

- Know attackers or intruders.
- Consider who might want to circumvent your security measures.
- Identify their motivations.
- Determine what they might want to do and the damage that they could cause to your network.
- Security measures can never make it impossible for a user to perform unauthorized tasks with a computer system; they can only make it harder.
- The goal is to make sure that the network security controls are beyond the attacker's ability or motivation.

Count the Cost

- Security measures usually reduce convenience, especially for sophisticated users.
- Security can delay work and can create expensive administrative and educational overhead.
- Security can use significant computing resources and require dedicated hardware.
- When you design your security measures, understand their costs and weigh those costs against the potential benefits.
- To do that, you must understand the costs of the measures themselves and the costs and likelihood of security breaches. If you incur security costs out of proportion to the actual dangers, you have done yourself a disservice.

Identify Any Assumptions

- Every security system has underlying assumptions.
  - For example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe. Be sure to examine and justify your assumptions. Any hidden assumption is a potential security hole.

Control Your Secrets

- Most security is based on secrets.
  - E.g. passwords and encryption keys
- Too often, the secrets are not all that secret. The most important part of keeping secrets is knowing the areas that you need to protect.
- What knowledge would enable someone to circumvent your system?
- You should jealously guard that knowledge and assume that everything else is known to your adversaries.
- The more secrets you have, the harder it will be to keep them all. Security systems should be designed so that only a limited number of secrets need to be kept.

Human Factors

- Many security procedures fail because their designers do not consider how users will react to them.
  - Automatically generated nonsense passwords are often written on the undersides of keyboards (difficult to remember).
  - A secure door that leads to the system's only tape drive is sometimes propped open (for convenience).
  - Unauthorized modems are often connected to a network to avoid onerous dial-in security measures (for expediency).
- If security measures interfere with essential use of the system, they will be resisted and perhaps circumvented.
- To get compliance, make sure users can get their work done, and emphasize (sell) security measures to users. Users must understand and accept the need for security.

Human Factors 2

- Users can compromise system security, at least to some degree.
  - Passwords can be found out simply by calling legitimate users on the telephone, claiming to be a system administrator, and asking for them.
- If your users understand security issues, and if they understand the reasons for your security measures, they are far less likely to make an intruder's life easier.
- At minimum:
  - Users should be taught never to release passwords or other secrets over unsecured telephone lines or e-mail.
  - Users should be wary of people who call them on the telephone and ask questions.
- Some companies have implemented formalized network security training so that employees are not allowed access to the Internet until they have completed a formal training program.

Know Your Weaknesses

- Every security system has vulnerabilities.
- You should understand your system's weak points and know how they could be exploited.
- You should also know the areas that present the greatest danger and should prevent access to them immediately.
- Understanding the weak points is the first step toward turning them into secure areas.

Limit the Scope of Access

- You should create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system.
- The security of a system is only as good as the weakest security level of any single host in the system.

Understand Your Environment

- Understanding how your system normally functions, knowing what is expected and what is unexpected, and being familiar with how devices are usually used will help you detect security problems.
- Noticing unusual events can help you catch intruders before they can damage the system. Auditing tools can help you detect those unusual events.

Limit Your Trust

- You should know exactly which software you rely on, and your security system should not have to rely on the assumption that all software is bug-free.

Remember Physical Security

- Physical access to a computer (or a router) usually gives a sufficiently sophisticated user total control over that computer.
- Physical access to a network link usually allows a person to tap that link, jam it, or inject traffic into it. It makes no sense to install complicated software security measures when access to the hardware is not controlled.

Make Security Pervasive

- Administrators, programmers, and users should consider the security implications of every change they make.
- Understanding the security implications of a change takes practice; it requires lateral thinking and a willingness to explore every way that a service could potentially be manipulated.

Ten suggested ways to improve the security of your computer!!!

****http://web.mit.edu/ist/topics/security/pamphlets/tensteps.pdf

1. patch, Patch, PATCH!

- Set up your machine for automatic updates.
  - For Windows: Start Menu>Control Panel>Services>Windows Update: set to automatic
  - For Macs: System Preferences>Software Update: set to daily or weekly
  - For Red Hat Linux, refer to: http://mit.edu/ist/topics/Linux/rhn.html

2. Install anti-virus software.

- Install the appropriate version of the antivirus software for your computer.
- Set it to scan your files on a regular basis.

*** software is available on IS&T's Getting Started CD or at http://web.mit.edu/software

3. Choose strong passwords.

Some suggestions for choosing strong passwords!!??

3. Choose strong passwords.

- Choose strong passwords by picking letters, numbers, and special characters to create a mental image or an acronym that is easy for you to remember.
- Change passwords regularly.
- Do not reuse your password among different accounts. It's bad if your email account is hacked; it's even worse if it's your email account AND your bank account.

***http://web.mit.edu/network/passwords.html

DEMO

MAC Password Helper

4. backup, Backup, BACKUP!

- Backing up your data on a regular basis helps protect you from the unexpected.
- Ask yourself how many days of work you are willing to lose if your computer is compromised and the hackers decide to overwrite your disk space with their favorite movies and music.

***http://web.mit.edu/net-security/www/faq.html#backup

5. Control access to your machine.

- Don't leave your machine unattended and logged on.
- Don't leave your PDA unattended in public places.
- Disable guest accounts, and delete unused accounts in a timely manner.

***More information on securing your Windows machine can be found at http://web.mit.edu/ist/topics/windows

6. Use email safely.

- Filter your spam e-mail.
- Check with the sender when receiving unexpected attachments from people you know.
- Never open attachments from people you don't know.
- Always use your virus scanner on any attachment before opening it.

***MIT Spam Screening is described at http://web.mit.edu/ist/services/email/nospam

7. Use secure connections.

Using a secure connection is essential. On the Internet your data is vulnerable unless you do something to protect it.

- For Linux, SSH and SCP are best for secure logins and secure file transfers.
- For Windows, use Filezilla and SecureFX for file transfers, Host Explorer and SecureCRT for secure remote logins.

***http://web.mit.edu/net-security/www/faq.html#secure-connections

8. Encrypt sensitive files.

Sensitive data is frequently stored on your hard drives. Protecting the data can protect you from identity theft.

- Encrypt sensitive files.
- Have password-protected documents.

9. Use desktop firewalls.

Apple Mac OS X and Microsoft Windows XP have basic desktop firewalls as part of their operating systems. It is recommended that users activate these firewalls unless there are known software conflicts.

10. Stay informed.

To stay current with the latest developments for Windows, Macs, and *nix systems, subscribe to the security-fyi mailing list by visiting

http://mailman.mit.edu/mailman/listinfo/security-fyi

Access Controls

- Mandatory Access Control
- Discretionary Access Control
- Role-Based Access Control

Mandatory Access Control

- The MAC technique protects and contains computer processes, data, and system devices from being misused.

Mandatory Access Control

- Four modes of security operation:
  - Dedicated Security Mode
    - All users can access ALL data.
  - System-High Security Mode
    - All users can access SOME data, based on their need to know.
  - Compartmented Security Mode
    - All users can access SOME data, based on their need to know and formal access approval.
  - Multilevel Security Mode
    - All users can access SOME data, based on their need to know, clearance and formal access approval.

Discretionary Access Control

- DAC defines basic access control policies to objects at the discretion of the object's owner.
- MAC and DAC can be applied to the same file.

Role-Based Access Control

- RBAC is a new alternative approach to MAC and DAC.
- Access control is determined by the job function, not the individual staff member.

Access Control

- In your opinion, which is the better method for access control?
  - MAC,
  - DAC,
  - and/or RBAC

Security Models

- Security models are an important concept in the design and analysis of secure computer systems.
- Examples of security models:
  - Information Flow Model*
  - Biba Security Model*
  - Clark-Wilson Model*
  - Chinese Wall Model
  - The Bell-LaPadula Model

Information Flow Model

- The information flow model is a variation of the access control model.
- This model attempts to control the transfer of information from one object to another, which is constrained by the two objects' security attributes.
- Information can flow to the same or a higher level of security.

The Biba Model

- The Biba Integrity Model describes read and write restrictions based on the integrity classes of subjects and objects.
- Two main principles:
  - A subject can write to an object only if the integrity access class of the subject is larger than the integrity class of the object.
  - A subject can read an object only if the integrity access class of the subject is less than the integrity class of the object.

The Biba Model*

[Figure: Biba model diagram. A "Layer of Higher Secrecy" above a "Layer of Lower Secrecy"; a Read arrow labelled "Simple Integrity Property" and a Write arrow labelled "Integrity Star Property"; the higher layer is marked "Contaminated" / "Get Contaminated" where the rules are violated.]

*Official (ISC)2 Guide to the CISSP Exam
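As an added example (not from the slides or the cited guide), the two Biba rules above implemented as access checks over an ordered set of integrity classes and applied to a constructed trace of requests. It uses the standard Biba formulation in which equal classes are permitted (>= rather than strictly greater or less); the class labels, subjects and file names are constructed.

```python
from dataclasses import dataclass

# Integrity classes, low to high (constructed labels for this example).
LEVELS = {"untrusted": 0, "user": 1, "system": 2}


@dataclass(frozen=True)
class Entity:
    """A subject (process, user) or object (file) with an integrity class."""
    name: str
    level: str  # key into LEVELS


def rank(entity: Entity) -> int:
    return LEVELS[entity.level]


def can_read(subject: Entity, obj: Entity) -> bool:
    """Simple integrity property ('no read down'): a subject may read only
    objects whose integrity class is at least its own, so it cannot be
    contaminated by lower-integrity data."""
    return rank(obj) >= rank(subject)


def can_write(subject: Entity, obj: Entity) -> bool:
    """Integrity *-property ('no write up'): a subject may write only objects
    whose integrity class is at most its own, so it cannot contaminate
    higher-integrity data."""
    return rank(subject) >= rank(obj)


def evaluate(requests):
    """Apply the Biba rules to (subject, op, object) requests and return
    (subject name, op, object name, 'allow'|'deny') tuples, in order."""
    decisions = []
    for subject, op, obj in requests:
        if op == "read":
            allowed = can_read(subject, obj)
        elif op == "write":
            allowed = can_write(subject, obj)
        else:
            raise ValueError(f"unknown operation {op!r}")
        decisions.append((subject.name, op, obj.name, "allow" if allowed else "deny"))
    return decisions


# Constructed sample: a system daemon, an ordinary user, and three files.
DAEMON = Entity("updated", "system")
ALICE = Entity("alice", "user")
KERNEL_CFG = Entity("/etc/kernel.conf", "system")
DOWNLOAD = Entity("/tmp/download.bin", "untrusted")

SAMPLE_REQUESTS = [
    (DAEMON, "write", KERNEL_CFG),  # system writes system-class file: allow
    (ALICE, "write", KERNEL_CFG),   # user writes up: deny (would contaminate)
    (DAEMON, "read", DOWNLOAD),     # system reads down: deny (would get contaminated)
    (ALICE, "read", KERNEL_CFG),    # user reads up: allow
    (ALICE, "write", DOWNLOAD),     # user writes down: allow
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE_REQUESTS):
        print(decision)
```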
The Clark-Wilson Model

- The model addresses integrity requirements which are based on process and data integrity.
- The model identifies three rules of integrity:
  - Unauthorized users should not make changes.
  - Authorized users should not make unauthorized changes.
  - The system should maintain internal and external consistency.
- Policies are enforced by:
  - Well-formed transactions
  - Separation of duties

The Clark-Wilson Model

- Data
  - Constrained data items (CDI)
  - Unconstrained data items (UDI)
- Procedures
  - Integrity verification procedure (IVP)
  - Transformation procedure (TP)

Example of CW Model

1. A purchasing clerk creates an order for a supply, sending copies to the supplier and the receiving department.
2. Upon receiving the items, a receiving clerk checks the delivery and, if all is well, signs a delivery form. Then the delivery form and original order form go to the accounting department.
3. The supplier sends an invoice to the accounting department. The accounting clerk compares the invoice with the original order and delivery form and issues a check to the supplier.

Example of CW Model

- Users?
  - Purchasing clerk
  - Receiving clerk
  - Supplier
  - Accounting clerk
- Constrained Data?
  - Order
  - Delivery form
  - Invoice
  - Check
- Transformation Procedures?
  - Create order, Send order
  - Create delivery form, Send delivery form, Sign delivery form
  - Create invoice, Send invoice
  - Compare invoice to order
  - And so on...

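An added example, not from the slides, that enforces the purchasing workflow of the two CW slides above in code: the order, delivery form, invoice and check are CDIs that change only through certified TPs, the accounting clerk's comparison is a well-formed transaction, an IVP checks consistency, and separation of duties stops one user from running two TPs on the same purchase. The role-to-TP certification table, user names and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when a TP would violate the model's rules."""


@dataclass
class Purchase:
    """Constrained data items (CDIs) for one purchase, plus an audit log."""
    order: dict = field(default_factory=dict)
    delivery_form: dict = field(default_factory=dict)
    invoice: dict = field(default_factory=dict)
    check: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (user, tp) for every TP that ran


# --- Transformation procedures (TPs): the only way a CDI may change ---------
def tp_create_order(p, user, item, qty, price):
    p.order = {"item": item, "qty": qty, "price": price, "created_by": user}


def tp_sign_delivery_form(p, user, received_qty):
    if not p.order:
        raise IntegrityError("no order to receive against")
    p.delivery_form = {"received_qty": received_qty, "signed_by": user}


def tp_create_invoice(p, user, amount):
    p.invoice = {"amount": amount, "issued_by": user}


def tp_issue_check(p, user):
    # Well-formed transaction: the check is issued only if order, delivery form
    # and invoice agree, so the CDIs move from one valid state to another.
    expected = p.order["qty"] * p.order["price"]
    if p.delivery_form.get("received_qty") != p.order["qty"]:
        raise IntegrityError("delivery form does not match order")
    if p.invoice.get("amount") != expected:
        raise IntegrityError("invoice does not match order")
    p.check = {"payee": p.invoice["issued_by"], "amount": expected, "issued_by": user}


TPS = {"create_order": tp_create_order, "sign_delivery_form": tp_sign_delivery_form,
       "create_invoice": tp_create_invoice, "issue_check": tp_issue_check}

# Certification table (assumed): which role may run which TP.
CERTIFIED = {"create_order": "purchasing_clerk", "sign_delivery_form": "receiving_clerk",
             "create_invoice": "supplier", "issue_check": "accounting_clerk"}


def run_tp(p, user, role, tp, **args):
    """Enforcement: the (user, TP, CDI) triple must be certified, and separation
    of duties forbids one user from running two different TPs on one purchase."""
    if CERTIFIED.get(tp) != role:
        raise IntegrityError(f"{user} as {role} is not certified for {tp}")
    if any(u == user and t != tp for u, t in p.log):
        raise IntegrityError(f"{user} already acted on this purchase (separation of duties)")
    TPS[tp](p, user, **args)
    p.log.append((user, tp))


def ivp(p):
    """Integrity verification procedure: are the CDIs in a valid, consistent state?"""
    if not (p.order and p.delivery_form and p.invoice and p.check):
        return False
    expected = p.order["qty"] * p.order["price"]
    return (p.check["amount"] == expected == p.invoice["amount"]
            and p.delivery_form["received_qty"] == p.order["qty"]
            and len({u for u, _ in p.log}) == len(p.log))


def _order_and_deliver(amount):
    p = Purchase()
    run_tp(p, "pat", "purchasing_clerk", "create_order", item="toner", qty=10, price=25)
    run_tp(p, "rae", "receiving_clerk", "sign_delivery_form", received_qty=10)
    run_tp(p, "acme", "supplier", "create_invoice", amount=amount)
    return p


def happy_path():
    p = _order_and_deliver(amount=250)
    run_tp(p, "ann", "accounting_clerk", "issue_check")
    return p


def inflated_invoice_rejected():
    p = _order_and_deliver(amount=300)  # invoice does not match 10 x 25
    try:
        run_tp(p, "ann", "accounting_clerk", "issue_check")
    except IntegrityError:
        return not ivp(p)  # no check was issued, so the CDIs are incomplete
    return False


def self_dealing_rejected():
    p = _order_and_deliver(amount=250)
    try:  # pat holds both roles but already created the order
        run_tp(p, "pat", "accounting_clerk", "issue_check")
    except IntegrityError:
        return True
    return False


if __name__ == "__main__":
    print("happy path consistent:", ivp(happy_path()))
```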
Tools

- Integrity Management Software
- Anti-Virus Software

Integrity Management Software

- Encryption is most commonly used for secrecy, but it can also be used for integrity.
- Check for integrity by specifically utilizing:
  - Hash functions
  - Digital Signatures
  - File Size
- Example:
  - Tripwire Enterprise

Hash Functions

- A public function that maps a plaintext message of any length to a fixed-length hash value.
- Used as an authenticator.
- Pros:
  - Offers integrity
- Cons:
  - No confidentiality
- Examples:
  - CRC
  - MD5
  - SHA-1

Cyclic Redundancy Check

- CRC is a type of hash function that is utilized to create a checksum.
- Useful for error detection, but CRC cannot be relied upon to verify data integrity.
- Example of a tool that solely uses CRC:
  - Crckit

Message-Digest Algorithm 5

- MD5 is a popular cryptographic hash function with a 128-bit hash value.
- Utilized in a variety of security applications.
- Also commonly used for checking the integrity of files.
- It is computationally unrealistic to find two messages that have the same message digest.

Secure Hash Algorithm

- SHA is a set of related cryptographic hash functions.
- SHA-1 is the most commonly used, for a large variety of security applications and protocols.
- SHA-1 is considered the successor to MD5.

Digital Signatures

- A digital signature, also known as a public-key digital signature, is an encryption scheme utilizing public key cryptography.
- This method has two complementary algorithms, one for signing and the other for verification, and the output of this process is a digital signature.

Tripwire Enterprise

- http://www.tripwire.com/
- Captures a baseline of server file systems, desktop file systems, directory servers and network device configurations in a known good state, and then automatically performs integrity checks that compare current states against baselines to detect changes.
- Tripwire Demo

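An added example, not Tripwire's code, of the baseline-and-compare check the Integrity Management Software and Tripwire slides describe: every file under a directory is recorded by size and hash, and a later snapshot is compared against that baseline to report added, removed and modified files. SHA-256 is used here in place of the MD5/SHA-1 named on the Hash Functions slide; the sample tree and the changes made to it are constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size and SHA-256 digest of one file: the two attributes the slides list."""
    digest = hashlib.sha256()
    size = 0
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": digest.hexdigest()}


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> record for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths. Modification is decided by the
    digest, not the size, so an edit that keeps the size unchanged is still caught."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, and re-check.
    In practice the stored baseline must itself be protected (kept off-host or
    signed), since whoever can rewrite the baseline can hide a change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF-placeholder")
        baseline = json.loads(json.dumps(snapshot(root)))  # round-trip as stored JSON
        # Simulated changes: a same-length edit, a newly added binary, a deleted binary.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhosX\n")
        (root / "bin" / "sh2").write_bytes(b"\x7fELF-placeholder")
        (root / "bin" / "login").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```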
Examples of Integrity Management Software

- Advanced CheckSum Verifier (ACSV)
- Advanced Intrusion Detection Environment (AIDE)
- Cambia CM
- Crckit
- FileCheckMD5
- FTimes
- Hashdig
- Integrit
- Intrusec CM
- Jacksum
- LANGuard Security Integrity Monitor
- MD5 Hashing Utilities
- Md5deep
- Nabou
- NIST_Crc
- Radmind
- Samhain
- Secure Hash Signature Generator
- Sentinel
- Sha_verify
- Spidernet
- SysCheck
- Sysdiff
- Tripwire - Commercial
- Tripwire - OpenSource
- Veracity System Integrity Assurance
- ViperDB
- Yafic
- Winalysis
- WinInterrogate
- Xintegrity

Anti-virus Software
       The techniques for detecting a virus include
         Checking for unexpected increases in file size
         Noting changes in timestamps
         Noting sudden decreases in free space
         Calculating checksums
         Saving images of the internal control tables
          and noting unexplained changes
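The baseline-and-compare idea behind Tripwire (two slides back) and the size, timestamp and checksum techniques listed just above, as one added Go example that is neither Tripwire's code nor any product's: Snapshot records size, modification time and SHA-256 for every regular file under a directory, and Compare reports what differs between a stored baseline and a fresh snapshot. The directory layout and file contents in main are constructed, and the function names are assumptions for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// FileRecord is one baseline entry: the attributes an integrity checker (and the
// anti-virus heuristics listed above) compares against a known-good state.
type FileRecord struct {
	Size    int64
	ModTime time.Time
	SHA256  string
}

// Snapshot records every regular file under root, keyed by relative path.
// Run it once to capture the baseline and again whenever you want to check.
// Files are read whole for brevity; a production tool would stream them.
func Snapshot(root string) (map[string]FileRecord, error) {
	recs := make(map[string]FileRecord)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, _ := filepath.Rel(root, path)
		recs[rel] = FileRecord{info.Size(), info.ModTime(), hex.EncodeToString(sum[:])}
		return nil
	})
	return recs, err
}

// Compare reports each difference as "<path>: <what>", sorted for stable output.
// The checksum line fires even when size and timestamp are untouched, which is
// exactly the edit a size-only or mtime-only check misses.
func Compare(baseline, current map[string]FileRecord) []string {
	var findings []string
	for path, b := range baseline {
		c, ok := current[path]
		if !ok {
			findings = append(findings, path+": removed")
			continue
		}
		if b.SHA256 != c.SHA256 {
			findings = append(findings, path+": content changed")
		}
		if b.Size != c.Size {
			findings = append(findings, path+": size changed")
		}
		if !b.ModTime.Equal(c.ModTime) {
			findings = append(findings, path+": timestamp changed")
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			findings = append(findings, path+": added")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed demo tree; a real deployment baselines /etc, /bin and the like.
	dir, err := os.MkdirTemp("", "baseline-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	slide := filepath.Join(dir, "keynote.txt")
	os.WriteFile(slide, []byte("Q3 revenue grew 10 percent"), 0o644)
	baseline, _ := Snapshot(dir)
	// Same-length edit: size is unchanged, the checksum still gives it away.
	os.WriteFile(slide, []byte("Q3 revenue fell 10 percent"), 0o644)
	current, _ := Snapshot(dir)
	for _, f := range Compare(baseline, current) {
		fmt.Println(f)
	}
}
```

The baseline is only as trustworthy as where it is kept: if it sits on the monitored host, anyone who gains root there can rewrite it along with the files, so store it (and the checker binary) on read-only or removable media and compare from a clean system.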



                                                         75
Examples of
Anti-virus Software
   AntiVir PersonalEdition Classic
   AVAST 4 Home Edition
   AVG Free Edition
   Bullguard Antivirus Software, Firewall and Backup
   Command Antivirus
   F-Prot Antivirus for Windows
   F-Secure
   Kaspersky Anti-Virus
   McAfee VirusScan 2006
   NOD32 Antivirus System v2.0
   Norton AntiVirus 2002
   Panda Titanium Antivirus 2004
   PC-cillin Internet Security 2004
   Platinum Internet Security 2005
   Rising AntiVirus
   Virex
   Windows Live OneCare

                                                                76
Case Study - Integrity
Hamlet:
  Being thus be-netted round with villanies,--
  I sat me down,
  Devised a new commission, wrote it fair:
  He should the bearers put to sudden death.
  I had my father's signet in my purse,
  Which was the model of that Danish seal;
  Subscribed it, gave't the impression, placed it safely,
The changeling never known.




                                                            77
Case study - Attacks
Attacks on integrity
   alter teleprompter speeches/
    presentation slides
   alter scheduling
   alter voting results
   alter outgoing media reports
   attacker could be other media or
    outsider
Attackers
“The cold passed reluctantly from the earth,
  and the retiring fogs revealed an army
  stretched out on the hills, resting.”
      - The Red Badge of Courage




                                               79
Case study - Outside attacker

   Henry is a member of a small revolutionary
    anarchist group
       Assigned to disrupt the event using information
        warfare tactics.
       Attacks from an open wireless network at a public
        library.




                                                        80
“How you gonna call yourself a revolutionary… and you ain’t got
  no poems?”
-Dewey








                                                                  81
Case study - Attacker 1 recon

Scan ports 0-65535 with an aggressive stealth scan with OS and
  application fingerprinting.
# nmap -sS -F -P0 -O -T4 -v -A -p0-65535 [event network address]
Starting nmap 3.50 ( http://www.insecure.org/nmap/ )
[...]
Interesting ports on contractor2.event.net (XX.227.165.100):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
22/tcp open ssh       OpenSSH 3.7.1p1 (protocol 1.99)
Running: Linux 2.4.X
OS details: Linux 2.4.18 (x86)
Uptime 316.585 days
[...]

                                                                       82
Preventing recon
   Only open service on the network:
       contractor left an SSH server running.
    How can we prevent the attacker from
    finding it?




                                                 83
Preventing recon cont’d
    At the firewall, prevent all incoming
    connections
    Use NAT so internal boxes are not Internet
    addressable
    Put a firewall between Ops and Organization
    in case a contractor is compromised or
    malicious.
    Policy that no one may run listening servers
    without IT authorization.
                                                84
Finding vulnerabilities
   Henry looks up OpenSSH 3.7.1p1 on various security websites
    such as SecurityFocus BID and OSVDB.org.

   http://www.kb.cert.org/vuls/id/602204

   When PAM and SSHv1 are enabled, OpenSSH 3.7.1p1 has a
    vulnerability that allows an attacker to log in to any account by
    using a null password.




                                                                       85
Exploiting OpenSSH
psyche> ssh -1 root@contractor2.event.net
The authenticity of host ‘contractor2.event.net
  (XX.227.165.212)' can't be established.
RSA1 key fingerprint is
  2d:fb:27:e0:ab:ad:de:ad:ca:fe:ba:be:53:02:28:38.
Are you sure you want to continue connecting (yes/no)?
  yes
root@contractor2.event.net's password:
# whoami
root

   How could we prevent this?


                                                         86
Preventing OpenSSH Exploit
   How could we prevent this?

   Keep on top of patch management
       automated scan when they connect to the
        network
   Use “PermitRootLogin no” in sshd_config to
    prevent root login
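To make the sshd_config point checkable, here is an added Go example (not from the slides and not OpenSSH's code) that audits an sshd_config text for the two settings this exploit chain depends on: root login permitted and SSHv1 enabled. The parser, the function names and the two sample configurations are constructed for this example; the parser handles the common `Keyword value` form, keeps the first value per keyword as sshd does, and does not interpret Match blocks.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// WeakConfig and HardenedConfig are constructed sshd_config excerpts, not taken
// from any real host: the first resembles what the contractor box might have
// run, the second applies the advice on this slide.
const WeakConfig = `
# constructed sample
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
`

const HardenedConfig = `
# constructed sample
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
`

// ParseSSHDConfig returns the effective value of each keyword (lower-cased key).
// sshd uses the first value it reads for a keyword, so later duplicates are
// ignored here too; comments and blank lines are skipped.
func ParseSSHDConfig(text string) map[string]string {
	cfg := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, dup := cfg[key]; !dup {
			cfg[key] = strings.Join(fields[1:], " ")
		}
	}
	return cfg
}

// AuditSSHD returns one finding per weak setting relevant to this exploit chain.
func AuditSSHD(text string) []string {
	cfg := ParseSSHDConfig(text)
	var findings []string
	// An absent PermitRootLogin counts: OpenSSH 3.x defaulted it to yes.
	if v, ok := cfg["permitrootlogin"]; !ok || !strings.EqualFold(v, "no") {
		findings = append(findings, "PermitRootLogin is not 'no'")
	}
	// The null-password bug needed SSHv1. An absent Protocol counts too, since
	// the sshd_config shipped with OpenSSH 3.x defaulted to "2,1".
	proto, ok := cfg["protocol"]
	if !ok {
		proto = "2,1"
	}
	for _, p := range strings.Split(proto, ",") {
		if strings.TrimSpace(p) == "1" {
			findings = append(findings, "Protocol permits SSHv1")
			break
		}
	}
	return findings
}

func main() {
	for name, cfg := range map[string]string{"weak": WeakConfig, "hardened": HardenedConfig} {
		fmt.Printf("%s: %v\n", name, AuditSSHD(cfg))
	}
}
```

Disabling root login does not remove the need to patch: the bug still lets an attacker into any other account, so the audit is a complement to the patch-management bullet, not a substitute.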


                                                  87
Dictionary attack on SSH
Henry uses hydra to attempt to do a dictionary attack and guess a user’s
  password.

$ hydra -L names.txt -P passwords.txt contractor2.event.net ssh2
Hydra v5.2 (c) 2006 by van Hauser / THC - use allowed only for legal
   purposes.
[DATA] 400000 tasks, 1 servers, 400000 login tries (l:1/p:2), ~1 tries
   per task
[DATA] attacking service ssh2 on port 22
[STATUS] attack finished for contractor2.event.net (waiting for childs to
   finish)
[22][ssh2] host: XX.227.165.212 login: test password: trustno1


                                                                    88
Preventing Dictionary Attack
   Unable to guess a password for root, but did
    get user ‘test’ with password ‘trustno1’ (Fox
    Mulder’s password on The X-Files)

   How to prevent this attack?




                                                89
Preventing Dictionary Attack cont’d

   Choose strong passwords on all accounts,
    not just root
   Enforceable by having IT people run hydra?
   Ban an IP address for some length of time
    after a certain number of failed attempts.
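The counting step behind the "ban after a certain number of failed attempts" bullet, as an added Go example that is not part of the original slides: it parses auth-log lines in the format sshd writes for a rejected password, tallies failures per source address and returns the addresses at or above a threshold. The log lines are constructed (addresses from the documentation range 198.51.100.0/24) and the function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// SampleAuthLog is a constructed excerpt in the format sshd writes to the auth
// log; the addresses are documentation-range addresses, not real hosts.
var SampleAuthLog = []string{
	"Jun 25 10:02:11 contractor2 sshd[2213]: Failed password for root from 198.51.100.7 port 40122 ssh2",
	"Jun 25 10:02:12 contractor2 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2",
	"Jun 25 10:02:12 contractor2 sshd[2215]: Failed password for test from 198.51.100.7 port 40124 ssh2",
	"Jun 25 10:02:13 contractor2 sshd[2216]: Failed password for test from 198.51.100.7 port 40125 ssh2",
	"Jun 25 10:03:40 contractor2 sshd[2230]: Failed password for alice from 198.51.100.40 port 51000 ssh2",
	"Jun 25 10:03:55 contractor2 sshd[2231]: Accepted password for alice from 198.51.100.40 port 51000 ssh2",
}

// failedLogin matches a rejected password attempt and captures the user name
// and the source address. "invalid user" appears when the account does not exist.
var failedLogin = regexp.MustCompile(`sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseFailedLogin extracts user and source IP from one line; ok is false for
// lines that are not failed password attempts (accepted logins, other daemons).
func ParseFailedLogin(line string) (user, ip string, ok bool) {
	m := failedLogin.FindStringSubmatch(line)
	if m == nil {
		return "", "", false
	}
	return m[1], m[2], true
}

// CountFailures tallies failed attempts per source address.
func CountFailures(lines []string) map[string]int {
	counts := make(map[string]int)
	for _, line := range lines {
		if _, ip, ok := ParseFailedLogin(line); ok {
			counts[ip]++
		}
	}
	return counts
}

// OffendingIPs returns, sorted, every address with at least threshold failures:
// the set a temporary ban (a firewall drop rule with an expiry) would apply to.
func OffendingIPs(lines []string, threshold int) []string {
	var ips []string
	for ip, n := range CountFailures(lines) {
		if n >= threshold {
			ips = append(ips, ip)
		}
	}
	sort.Strings(ips)
	return ips
}

func main() {
	for ip, n := range CountFailures(SampleAuthLog) {
		fmt.Printf("%s: %d failed attempts\n", ip, n)
	}
	fmt.Println("ban candidates at threshold 3:", OffendingIPs(SampleAuthLog, 3))
}
```

A deployable version adds the time window the slide mentions (count only attempts within the last few minutes and expire the ban), and it needs a caveat: many legitimate users behind one NAT address share a single counter, so a low threshold can lock them all out.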




                                                 90
Privilege Escalation
    Henry has a user level shell on the
    contractor’s box.
    Inside the firewall, uses same dictionary
    attack technique to get a user account on the
    podium server.

   Wants to alter the presentations, but can’t
    with current privileges.

                                                  91
Privilege Escalation
$ uname -a
Linux podium.event.net 2.4.18 #3-i686+-UP (034) i686 i386
   GNU/Linux

This is a relatively old kernel version, and there is a
  privilege escalation vulnerability in versions below
  2.4.22.

http://www.kb.cert.org/vuls/id/301156
An integer overflow vulnerability in the brk system call.


                                                            92
Privilege Escalation
   He downloads and uses a publicly available
    exploit to get root privileges.
   As root, he subtly modifies the saved
    presentations for several presenters in an
    embarrassing way.

   How to prevent this?



                                                 93
Preventing Privilege
Escalation
      Again, patch management, even on computers that
      are supposedly safe because they’re inside the
      firewall
     Use Tripwire or other integrity checking programs to
      detect modifications to sensitive files
         But?
     Minimize set of programs which are setuid or run as
      root
     Backups on removable media



                                                            94
Attacking the Media: LAN
attacks
   Media share a wired network.
   Many network attacks available when on the
    same network.
   ARP poisoning to sniff or do MITM
       Alter or forge media reports
       http://en.wikipedia.org/wiki/ARP_spoofing




                                                    95
LAN attacks
   SSL not foolproof if MITM possible.
   Animation at
    http://crimemachine.com/Tuts/Flash/SSLMITM.html




                                                      96
Preventing LAN attacks
   Static ARP/Port Security
       But?
   Detect ARP poisoning with arpwatch
       But?
   Train them not to click through SSL warnings
   Media connect to home base with VPN
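The arpwatch bullet above, as an added Go example that is not arpwatch's code: a monitor that remembers the MAC address last seen for each IP and raises an alert when the mapping changes, the "flip flop" that ARP poisoning produces. The reply stream, the addresses and the names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ArpMonitor keeps the MAC last seen for each IP, the idea behind arpwatch. An
// IP that suddenly answers from a different MAC is a "flip flop", the classic
// symptom of a host poisoning its neighbours' ARP caches.
type ArpMonitor struct {
	table map[string]string // ip -> mac, normalised to lower case
}

func NewArpMonitor() *ArpMonitor {
	return &ArpMonitor{table: make(map[string]string)}
}

// Observe records one ARP reply ("ip is-at mac"). It returns an alert when the
// IP's MAC differs from the one previously recorded, otherwise "".
func (m *ArpMonitor) Observe(ip, mac string) string {
	mac = strings.ToLower(mac)
	prev, seen := m.table[ip]
	m.table[ip] = mac
	if seen && prev != mac {
		return fmt.Sprintf("changed ethernet address %s: %s -> %s", ip, prev, mac)
	}
	return ""
}

// ArpReply is one observed reply; the sample stream below is constructed.
type ArpReply struct{ IP, MAC string }

// Replay feeds replies through a fresh monitor and collects the alerts raised.
func Replay(replies []ArpReply) []string {
	m := NewArpMonitor()
	var alerts []string
	for _, r := range replies {
		if a := m.Observe(r.IP, r.MAC); a != "" {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// SampleReplies: the gateway 192.168.1.1 answers twice from its own NIC, then a
// reply claims the gateway's IP for the MAC of another host on the segment.
var SampleReplies = []ArpReply{
	{"192.168.1.1", "00:11:22:33:44:55"},
	{"192.168.1.20", "00:aa:bb:cc:dd:01"},
	{"192.168.1.1", "00:11:22:33:44:55"},
	{"192.168.1.1", "00:aa:bb:cc:dd:01"},
}

func main() {
	for _, a := range Replay(SampleReplies) {
		fmt.Println("ALERT:", a)
	}
}
```

This is where the slide's "But?" bites: DHCP handing an address to a new machine, a replaced network card or a router failover all flip mappings too, so alerts need a person or an allowlist of known changes behind them, and a monitor only detects, it does not stop the traffic.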



                                               97
Social Engineering
   “There was much food for thought in the
    manner in which he replied. He came near to
    convincing them by disdaining to produce
    proofs.”
             -The Red Badge of Courage




                                              98
Social Engineering
   http://en.wikipedia.org/wiki/The_Yes_Men
   Set up a fake WTO website. Invited to speak on
    behalf of the WTO at events, including a CNBC
    news program.
   Successfully impersonated a Dow Chemical
    spokesman on BBC television, at a London banking
    conference, and at Dow’s annual shareholder
    meeting
   In this case study, attacker could speak at event, or
    could fool the media into printing lies.
   How to prevent this?
                                                        99
Preventing social engineering
   Educate staff to authenticate people and data
       Run live tests with fake conmen




                                                100
Case study conclusion
   It’s about quality, y’all.
       And mad loot for yours truly.




                                        101

				
posted:6/25/2012