Attacks and Vulnerabilities
Ilya Chalyt
Nicholas Egebo
March 7, 2005

Topics of Discussion
  Reconnaissance: gain information about a system
  Vulnerabilities: attributes of a system that can be maliciously exploited
  Attacks: procedures to exploit vulnerabilities
  Reference 1

Topics of Discussion: Reconnaissance
  War Dialing
  War Driving
  Port Scanning
  Probing
  Packet Sniffing

War Dialing (Reconnaissance)
  Method:     Dial a range of phone numbers searching for a modem
  Detection:  Impossible outside of the telephony infrastructure
  Motivation: Locate potential targets
  Defense:    Disconnect unessential modems from outgoing phone lines
  Reference 2

War Driving (Reconnaissance)
  Method:     Surveillance of wireless signals in a region
  Detection:  Can only be detected by physical surveillance
  Motivation: Find wireless traffic
  Defense:    Limit geographic access to the wireless signal
  Reference 3

Port Scanning (Reconnaissance)
  Method:     Send out a SYN packet, check for response
  Detection:  Traffic analysis
  Motivation: Find potential targets
  Defense:    Close/silence ports
  Reference 4

Probing (Reconnaissance)
  Method:     Send packets to ports
  Detection:  Traffic analysis
  Motivation: Find specific port information
  Defense:    Close/silence ports

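The "traffic analysis" detection listed for port scanning and probing, as an added example that is not part of the original slides: it walks constructed SYN records and flags a source that touches many distinct ports on one host inside a short window. The record format, the 10-second window and the five-port threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (seconds, src_ip, dst_ip, dst_port, tcp_flags).
# 10.0.0.5 probes six ports of 10.0.0.20 in two seconds; 10.0.0.7 is a normal
# client that completes handshakes on two well-known ports.
FLOWS = [
    (0.0, "10.0.0.5", "10.0.0.20", 21, "S"),
    (0.3, "10.0.0.5", "10.0.0.20", 22, "S"),
    (0.6, "10.0.0.5", "10.0.0.20", 23, "S"),
    (0.9, "10.0.0.5", "10.0.0.20", 25, "S"),
    (1.2, "10.0.0.5", "10.0.0.20", 80, "S"),
    (1.5, "10.0.0.5", "10.0.0.20", 443, "S"),
    (2.0, "10.0.0.7", "10.0.0.20", 80, "S"),
    (2.1, "10.0.0.7", "10.0.0.20", 80, "A"),
    (9.0, "10.0.0.7", "10.0.0.20", 443, "S"),
    (9.1, "10.0.0.7", "10.0.0.20", 443, "A"),
]


def scan_sources(flows, window=10.0, port_threshold=5):
    """Return {src_ip: (dst_ip, sorted_ports)} for every source that sent
    SYN-only packets to at least `port_threshold` distinct ports of one
    destination inside any `window`-second span."""
    syns = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for ts, src, dst, port, flags in flows:
        if flags == "S":
            syns[(src, dst)].append((ts, port))
    alerts = {}
    for (src, dst), events in syns.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct ports hit from this event until the window closes
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= port_threshold:
                alerts[src] = (dst, sorted(ports))
                break
    return alerts


if __name__ == "__main__":
    for src, (dst, ports) in scan_sources(FLOWS).items():
        print(f"possible scan from {src} against {dst}: ports {ports}")
```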
Packet Sniffing (Reconnaissance)
  Method:     Capture and analyze packets traveling across a network interface
  Detection:  None
  Motivation: Gain access to information traveling on the network
  Defense:    Use encryption to minimize cleartext on the network
  Reference 5

Topics of Discussion: Vulnerabilities
  Backdoors
  Code Exploits
  Eavesdropping
  Indirect Attacks
  Social Engineering

Backdoors (Vulnerabilities)
  Bypass normal means of authentication
  Hidden from casual inspection
  Installed separately or integrated into software
  Reference 6

Code Exploits (Vulnerabilities)
  Use of poor coding practices left uncaught by testing
  Defense: In-depth unit and integration testing

Eavesdropping (Vulnerability)
  Data transmitted without encryption can be captured and read by parties
  other than the sender and receiver
  Defense: Use of strong cryptography to minimize cleartext on the network

Indirect Attacks (Vulnerabilities)
  Internet users’ machines can be infected with zombies and made to perform attacks
  The puppet master is left undetected
  Defense: Train internet users to prevent zombies and penalize zombie owners

Social Engineering (Vulnerability)
  Manipulate the weakest link of cybersecurity – the user – to gain access to
  otherwise prohibited resources
  Defense: Train personnel to resist the tactics of social engineering
  Reference 7

Topics of Discussion: Attacks
  Password Cracks
  Web Attacks
  Physical Attacks
  Worms & Viruses
  Logic Bomb
  Buffer Overflow
  Phishing
  Bots and Zombies
  Spyware, Adware, and Malware
  Hardware Keyloggers
  Eavesdropping & Playback Attacks
  DDoS

Password Cracks: Brute Force
  Method:     Trying all combinations of legal symbols as username/password pairs
  Detection:  Frequent attempts to authenticate
  Motivation: Gain access to system
  Defense:    Lockouts – temporary and permanent
  Reference 8

Password Cracks: Dictionary Attack
  Method:     Trying all entries in a collection of strings
  Detection:  Frequent attempts to authenticate
  Motivation: Gain access to system, faster than brute force
  Defense:    Lockouts – temporary and permanent; complex passwords
  Reference 8

Password Cracks: Hybrid Attack
  Method:     Trying all entries in a collection of strings, adding numbers and
              symbols to them and concatenating them with each other and/or with numbers
  Detection:  Frequent attempts to authenticate
  Motivation: Gain access to system, faster than brute force and more likely to
              succeed than a plain dictionary attack
  Defense:    Lockouts – temporary and permanent
  Reference 8

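The detection ("frequent attempts to authenticate") and the defense ("temporary lockouts") shared by the brute-force, dictionary and hybrid slides, as an added example that is not part of the original slides: it replays constructed authentication log lines through a lockout policy and shows that once the threshold is hit, even the correct password is refused until the lock expires. The log format, the three-failure threshold, the 60-second window and the 300-second lockout are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: "<epoch> <FAIL|OK> user=<name> src=<address>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: three quick failures for alice, then the right password;
# bob fails once and succeeds later.
SAMPLE_LOG = """\
100 FAIL user=alice src=203.0.113.9
101 FAIL user=alice src=203.0.113.9
102 FAIL user=alice src=203.0.113.9
103 OK user=alice src=203.0.113.9
130 FAIL user=bob src=198.51.100.4
500 OK user=bob src=198.51.100.4
"""


class LockoutPolicy:
    """Temporary lockout: `max_failures` failures inside `window` seconds lock
    the (user, source) pair for `lockout` seconds, even for correct credentials."""

    def __init__(self, max_failures=3, window=60, lockout=300):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)  # (user, src) -> recent failure times
        self.locked_until = {}             # (user, src) -> epoch when lock expires

    def observe(self, ts, result, user, src):
        """Feed one event; return 'LOCKED', 'ALLOW' or 'DENY'."""
        key = (user, src)
        if self.locked_until.get(key, 0) > ts:
            return "LOCKED"  # refused regardless of the credentials supplied
        if result == "OK":
            self.failures[key].clear()
            return "ALLOW"
        recent = [t for t in self.failures[key] if ts - t < self.window] + [ts]
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[key] = ts + self.lockout
            return "LOCKED"
        return "DENY"


def replay_log(text, policy=None):
    """Run every parsable line through the policy; return one decision per line."""
    policy = policy or LockoutPolicy()
    decisions = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        decisions.append(policy.observe(int(m["ts"]), m["result"], m["user"], m["src"]))
    return decisions
```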
Password Cracks: l0phtcrack
  Method:     Gain access to the operating system’s hash table and perform the
              cracking remotely
  Detection:  Detecting reading of the hash table
  Motivation: Gain access to system, cracking elsewhere – no lockouts
  Defense:    Limit access to system
  Reference 8

Web Attacks: Source Viewing
  Method:     Read source code for valuable information
  Detection:  None
  Motivation: Find passwords or commented-out URLs
  Defense:    None

Web Attacks: URL Modification
  Method:     Manipulating the URL to find pages not normally accessible
  Detection:  Check website URL logs
  Motivation: Gain access to normally private directories or pages
  Defense:    Add access requirements

Web Attacks: Post Data
  Method:     Change post data to get desired results
  Detection:  None
  Motivation: Change information being sent in your favor
  Defense:    Verify post data on the receiving end

Web Attacks: Database Attack
  Method:     Sending dangerous queries to the database
  Detection:  Check database for strange records
  Motivation: Denial of service
  Defense:    Filter database queries
  Reference 9

Web Attacks: Database Insertion
  Method:     Form multiple queries to a database through forms
  Detection:  Check database logs
  Motivation: Insert information into a table that might be unsafe
  Defense:    Filter database queries, make them quote-safe
  Reference 9

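The "make them quote-safe" defense from the two database slides above, as an added example that is not part of the original slides: a lookup built by string concatenation is shown next to the parameterized form that replaces it, and a quote-safe insertion stores a name containing an apostrophe as plain data. The in-memory SQLite table, its rows and the crafted input are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return con


def lookup_unsafe(con, name):
    """Query built by string concatenation: a quote inside the form value ends
    the literal, so the rest of the value is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_safe(con, name):
    """Parameter binding: the value travels separately from the statement, so
    quotes and comment markers stay inside the literal (the quote-safe form)."""
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def add_user_safe(con, name, email):
    """Quote-safe insertion: an apostrophe in the name is stored as data.
    Returns how many rows now carry that exact name."""
    con.execute("INSERT INTO users VALUES (?, ?)", (name, email))
    con.commit()
    return con.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()[0]


# Constructed input: matches no user, but contains a quote that the
# concatenated query turns into SQL syntax.
CRAFTED = "nobody' OR 'a'='a"
```

With the concatenated query the crafted value returns every row even though no user is named that way; the parameterized query returns nothing, which is the correct answer.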
Web Attacks: Meta Data
  Method:     Use meta characters to make malicious input
  Detection:  Website logs
  Motivation: Possibly reveal script or other useful information
  Defense:    Filter input of meta characters
  Reference 10

Physical Attack: Damage
  Method:     Attack the computer with an axe
  Detection:  Video camera
  Motivation: Disable the computer
  Defense:    Locked doors and placed security guards

Physical Attack: Disconnect
  Method:     Interrupt the connection between two elements of the network
  Detection:  Pings
  Motivation: Disable the network
  Defense:    Locked doors and placed security guards

Physical Attack: Reroute
  Method:     Pass the network signal through additional devices
  Detection:  Camera
  Motivation: Monitor traffic or spoof a portion of the network
  Defense:    Locked doors and placed security guards

Physical Attack: Spoof MAC & IP
  Method:     Identify the MAC address of the target and replicate it
  Detection:  Monitoring ARP requests and checking logs
  Motivation: Deny the target from receiving traffic
  Defense:    None as of now

Worms & Virus: File Infectors
  Method:     Infects executables by inserting itself into them
  Detection:  Virus scan or strange computer behavior
  Motivation: Damage files and spread
  Defense:    Antivirus, being cautious on the internet
  Reference 10

Worms & Virus: Partition-sector Infectors
  Method:     Moves the partition sector and replaces it with itself; on boot it
              executes and then calls the original information
  Detection:  Virus scan or strange computer behavior
  Motivation: Damage files and spread
  Defense:    Antivirus, being cautious on the internet
  Reference 10

Worms & Virus: Boot-sector Virus
  Method:     Replaces the boot loader and spreads to hard drive and floppies
  Detection:  Virus scan or strange computer behavior
  Motivation: Damage files and spread
  Defense:    Antivirus, being cautious on the internet
  Reference 10

Worms & Virus: Companion Virus
  Method:     Locates executables and mimics their names, changing the extensions
  Detection:  Virus scan or strange computer behavior
  Motivation: Damage files and spread
  Defense:    Antivirus, being cautious on the internet
  Reference 10

Worms & Virus: Macro Virus
  Method:     Infects documents; when the document is accessed, the macro
              executes in the application
  Detection:  Virus scan or strange computer behavior
  Motivation: Damage files and spread
  Defense:    Antivirus, being cautious on the internet
  Reference 10

Worms & Virus: Worms
  Method:     Replicates
  Detection:  Virus scan or strange computer behavior
  Motivation: Variable motivations
  Defense:    Antivirus, being cautious on the internet
  Reference 11

Logic Bomb
  Method:     Discreetly install a “time bomb” and prevent detonation if necessary
  Detection:  Strange computer behavior
  Motivation: Revenge, synchronized attack, securing a getaway
  Defense:    Keep and monitor logs; monitor computer systems closely

Buffer Overflow
  Method:     Pass too much information to a buffer with poor checking
  Detection:  Logs
  Motivation: Modify information and/or execute arbitrary code
  Defense:    Check input size before copying to the buffer; guard the return
              address against overwrite; make the stack non-executable
  Reference 12 & 13

Phishing
  Method:     Request information from a mass audience, collect responses from
              the gullible
  Detection:  Careful examination of requests for information
  Motivation: Gain important information
  Defense:    Distribute on a need-to-know basis

Bots & Zombies
  Method:     Installed by a virus or worm; allow remote unrestricted access to
              the system
  Detection:  Network analysis; virus scans; notice unusual behavior
  Motivation: Gain access to additional resources, hiding your identity
  Defense:    Install security patches and be careful what you download

Spyware, Adware, and Malware
  Method:     Installed either willingly by the user via ActiveX or as part of a
              virus package
  Detection:  Network analysis; abnormal computer behavior
  Motivation: Gain information about the user; serve users advertisements
  Defense:    Virus / adware / spyware / malware scans

Hardware Keyloggers
  Method:     Attach it to a computer
  Detection:  Check physical connections
  Motivation: Record user names, passwords, and other private information
  Defense:    Cameras and guards

Eavesdropping
  Method:     Record packets on the network; attempt to decrypt encrypted packets
  Detection:  None
  Motivation: Gain access to user data
  Defense:    Strong cryptography

Playback Attack
  Method:     Record packets on the network; resend the packets without decrypting them
  Detection:  Network analysis
  Motivation: Mimic legitimate commands
  Defense:    Time stamps

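The "time stamps" defense against playback, as an added example that is not part of the original slides: the sender authenticates each command together with a timestamp and a nonce, and the receiver refuses a captured message that is resent, whether inside the freshness window (repeated nonce) or after it (stale timestamp). The shared key, the message layout and the 30-second window are assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"  # assumed pre-shared key, for the example only


def build_message(command, ts, nonce, key=KEY):
    """Sender side: the MAC covers the command, its timestamp and a nonce, so
    none of them can be altered without invalidating the tag."""
    body = json.dumps({"cmd": command, "ts": ts, "nonce": nonce}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag


class Receiver:
    """Receiver side: a valid MAC is not enough; the timestamp must be fresh and
    the nonce unseen inside the freshness window."""

    def __init__(self, key=KEY, window=30):
        self.key = key
        self.window = window  # seconds a message stays acceptable
        self.seen = {}        # nonce -> ts for messages still inside the window

    def accept(self, message, now):
        """Return (accepted, reason) for a message received at time `now`."""
        body, _, tag = message.rpartition("|")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"     # old capture resent long after the fact
        # drop nonces that have aged out; they can no longer pass the stale check
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replay"    # same packet resent inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"
```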
DDoS: CPU Attack
  Method:     Send data that requires cryptography to process
  Detection:  Network analysis
  Motivation: Occupy the CPU, preventing normal operations
  Defense:    None
  Reference 14

DDoS: Memory Attack
  Method:     Send data that requires the allocation of memory
  Detection:  Network analysis
  Motivation: Take up resources, crashing the server when they are exhausted
  Defense:    None
  Reference 14

References
1.  Amoroso, Edward. Intrusion Detection. Sparta, New Jersey: AT&T Laboratories, 1999.
2.  Gunn, Michael. War Dialing. SANS Institute, 2002.
3.  Schwartau, Winn. “War-driving lessons.” Network World, 02 September 2002.
4.  Bradley, Tony. Introduction to Port Scanning. 2005. <http://netsecurity.about.com/cs/hackertools/a/aa121303.htm> (04 March 2005).
5.  Bradley, Tony. Introduction to Packet Sniffing. 2005. <http://netsecurity.about.com/cs/hackertools/a/aa121403.htm> (05 March 2005).
6.  Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACM, Vol. 27, No. 8, August 1985.
7.  Mitnick, Kevin. The Art of Deception. Indianapolis, Indiana, 2002.
8.  Coyne, Sean. Password Crackers: Types, Process and Tools. ITS Research Labs, 2004.
9.  Friedl, Steve. SQL Injection Attacks by Example. 2005. <http://www.unixwiz.net/techtips/sql-injection.html> (05 March 2005).
10. Lucas, Julie. The Effective Incident Response Team. Chapter 4. 2003.
11. Worms versus Viruses. 2004. <http://viruses.surferbeware.com/worms-vs-viruses.htm> (06 March 2005).
12. Grover, Sandeep. “Buffer Overflow Attacks and Their Countermeasures.” Linux Journal, 10 March 2003.
13. Levy, Elias. “Smashing the Stack for Fun and Profit.” Phrack Magazine, Issue 49, Fall 1997.
14. Distributed Denial of Service. 2002. <http://www.tla.org/talks/ddos-ntua.pdf> (05 March 2005).

				