Basics of security threats





Overview of security threats
Fundamentals of network security / Part I

Gorazd Božič
gorazd.bozic@arnes.si
ARNES, Academic and Research Network of Slovenia
SI-CERT, Slovenian Computer Emergency Response Team
CEENet Workshop, August 2000
Budapest, Hungary




Outline of the lecture
• security and internet
• types of attacks
• methods and tools
• common scenario of the attack

Internet Security - Hype
(figure only)




How much security?
(figure: a scale weighing convenience against security)




The threats
• inconvenience
• unstable operation, denial of service
• unauthorised use of resources
• stolen information
• financial loss




Crime/loss breakdown (source: Computer Security Institute)
• human errors: 55%
• physical security problems: 20%
• dishonest employees: 10%
• disgruntled employees: 9%
• viruses: 4%
• outsider attacks: 2%




The attacker
• hacker / cracker / "script kiddie"
  – age: 15-25 years, limited social life, "rebelling against the system" self-image, seeks affirmation within the "cyber-community"
• vandal
  – angry at something / somebody, motivation not always known
• insider
  – disgruntled or bribed employee / student / staff member
• industrial espionage, terrorism
  – hired specialist, motivation: financial or political gain


How to gain unauthorized access
• physical access
• phone lines
• computer networks
• removable media




Network access
(figure: the client sends a request, the server processes the data and returns a reply)

All communication basically consists of
  – requests to information servers
  – processing of data according to the given request
  – properly formatted response to the request




What can go wrong?
(figure: the same request/reply exchange with its three points of failure)
• improperly handled requests
  – crash the system
  – allow future unauthorized accesses
  – execute arbitrary code sent with the request
• data interception
• redirection of replies




Basic internet protocols
(figure: application-level protocols on top of TCP and UDP, which both run over IP; ICMP sits alongside IP)




ICMP
• check reachability of hosts/networks
• ICMP types:
  – echo request/reply (ping)
  – destination/host/network/port unreachable
  – source quench
  – redirect
  – router advertisement
  – time exceeded in transit
  – parameter problem




UDP and TCP
• UDP
  – DNS, SNMP, NFS, NetBIOS, TFTP, BOOTP
  – connectionless protocol
• TCP
  – HTTP, SMTP, POP3, IMAP
  – connection-oriented protocol

UDP communication
(figure: datagram exchange without connection set-up)

TCP three-way handshake
(figure, two slides: SYN, SYN|ACK, ACK)




Types of attack
• password guessing/cracking
• denial of service
• spoofing/masquerading
• system break-in
• eavesdropping
• viruses, trojan horses, worms




Breakdown by type of attack (source: ARNES SI-CERT)
• break-in: 49%
• unauthorized use: 11%
• violation of AUP: 9%
• other: 9%
• mailbombs: 8%
• denial of service: 8%
• spoofing: 6%




Password attacks (1)
• social engineering and user mistakes
  "Hello, my name is John Smith and I forgot my password. I need it really urgently - can you set it to 'js1234' and I'll change it myself?"
  "Certainly, sir. If there's anything else we can do, don't hesitate to call."




Password attacks (2)
• guessing weak passwords
  – name of partner, child, pet, favourite movie, book title, band name, birthdays, …
  – guesses based on known previous passwords
  – keyboard sequences




Password attacks (3)
• dictionary attacks (UNIX Crack, L0pht Crack for Windows NT)
  (figure: each candidate password is run through the hash function and the result is compared with the list of stored hashes, e.g. hndz7HndUndp8, s6gbs84hNd6gY, 7/Vbjsopdf9.K; a match on s6gbs84hNd6gY reveals the original password)




Password attacks (4)
• cached passwords in cleartext
  – storing cleartext passwords in temporary files
  – caching passwords on servers
  – weak XOR encryption
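The four password-attack slides describe the weak-password categories an attacker tries first (personal names, variations on previous passwords, keyboard sequences, dictionary words) and why a stored list of unsalted hashes falls to a single precomputed dictionary. The following Python is an added example, not code from the lecture or from Crack/L0phtCrack: a policy check that rejects those categories at password-change time, and salted, iterated hashing (PBKDF2-HMAC-SHA256) for storage. The word list, keyboard rows, iteration count and the storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for a real word list and the keyboard layout.
DICTIONARY = {"password", "secret", "welcome", "letmein", "monkey"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
PBKDF2_ITERATIONS = 200_000   # assumed; tune to your hardware


def is_keyboard_sequence(pw, run=4):
    """True if pw contains `run` adjacent keys from one keyboard row,
    in either direction (e.g. '1234', 'qwer', 'poiu')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def derived_from_previous(pw, previous):
    """Catch the 'known previous password' guess: an old password reused
    with different trailing digits, or contained whole in the new one."""
    core = pw.lower().rstrip("0123456789")
    for old in previous:
        old_low = old.lower()
        if old_low in pw.lower() or old_low.rstrip("0123456789") == core:
            return True
    return False


def check_password(pw, personal=(), previous=()):
    """Return the list of policy violations; an empty list means acceptable.
    `personal` holds names of partner, child, pet, band etc.,
    `previous` the user's earlier passwords (the categories on slide 2)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("too short")
    if low in DICTIONARY:
        problems.append("dictionary word")
    if any(p.lower() in low for p in personal if len(p) >= 3):
        problems.append("contains personal information")
    if is_keyboard_sequence(pw):
        problems.append("keyboard sequence")
    if derived_from_previous(pw, previous):
        problems.append("derived from a previous password")
    return problems


def hash_password(pw, salt=b""):
    """Store 'pbkdf2_sha256$iterations$salt$digest'.  A random per-user salt
    means one precomputed table of hashes (slide 3) no longer matches every
    account, and the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(pw, stored):
    """Recompute the digest with the stored salt; constant-time compare."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The help-desk request from slide 1, `check_password("js1234", ["John", "Smith"])`, is refused for being too short and for the "1234" keyboard run; `verify_password` never needs the cleartext cached anywhere, which is the defect slide 4 describes.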




Denial of service (DoS)
• network floods (ICMP, UDP, SYN flood), with spoofed source address
• distributed denial of service (DDoS)
• crashing servers with carefully constructed requests
• redirecting network traffic on the backbone
• mailbombs




Spoofing
• inserting false source IP address
• obscures real source of attack
• possible session hijacking
• TCP communication with spoofing must employ redirection or prediction of replies




Spoofed ping floods
(figure: A sends ICMP ECHO REQUEST with source C and destination B across the Internet; B answers with ICMP ECHO REPLY, source B, destination C, so the replies land on C)

Smurf attack
(figure, two slides: A sends ICMP ECHO REQUEST with source C and destination the broadcast address of subnet B; every host on subnet B answers with ICMP ECHO REPLY, source the whole of subnet B, destination C)
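Both figures depend on two things the network lets through: a packet leaving site A with C's address as source, and a router forwarding an echo request to a subnet's broadcast address. The Python below is an added example (not from the slides) that models the two corresponding defences: ingress filtering on the provider's edge (RFC 2827 / BCP 38, "drop what could not have come from behind this interface") and disabling directed-broadcast forwarding in front of subnet B. Interface names, prefixes, host counts and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp-echo-request"


# Constructed edge-router view: the prefix legitimately sourced behind each
# customer-facing interface (RFC 2827 / BCP 38 ingress filtering).
INTERFACE_PREFIXES = {
    "eth1": ipaddress.ip_network("192.0.2.0/24"),     # site A
    "eth2": ipaddress.ip_network("198.51.100.0/24"),  # site C
}


def ingress_filter(interface, pkt):
    """Decision for a packet entering the provider on `interface`.  A packet
    from A carrying C's address as source fails this check and never reaches
    B, so B cannot be used as a reflector against C."""
    prefix = INTERFACE_PREFIXES.get(interface)
    if prefix is None:
        return "drop: unknown interface"
    if ipaddress.ip_address(pkt.src) not in prefix:
        return "drop: spoofed source"
    return "forward"


def echo_replies_received(pkt, subnet, hosts_up, directed_broadcast):
    """Number of ICMP echo replies the address in pkt.src receives when the
    router in front of `subnet` sees this one echo request.  Forwarding a
    directed broadcast turns one packet into hosts_up replies (Smurf); with
    directed broadcast disabled on the router the request is dropped."""
    net = ipaddress.ip_network(subnet)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.proto != "icmp-echo-request" or dst not in net:
        return 0
    if dst == net.broadcast_address:
        return hosts_up if directed_broadcast else 0
    return 1   # a normal ping to one host: one reply


def amplification(hosts_up, directed_broadcast):
    """Replies per attacker packet, the 'amplification factor' of subnet B
    (203.0.113.0/24 here, a constructed documentation prefix)."""
    probe = Packet(src="198.51.100.7", dst="203.0.113.255")
    return echo_replies_received(probe, "203.0.113.0/24", hosts_up,
                                 directed_broadcast)
```

With 200 hosts answering, one spoofed request becomes 200 replies at C; with directed broadcasts dropped the same request produces none, and with ingress filtering in place the request never leaves A's provider in the first place.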




Distributed DoS
• Trin00, Tribal Flood Network, Stacheldraht
(figure: a hierarchy of handlers controlling agents)




SYN flood
• send a flood of SYN packets to target host
• target host allocates a buffer for each request and replies with SYN|ACK packets
• target host waits for ACKs that don't come
• if you're quick enough, the target host runs out of available buffers and denies all further connections until the connection attempts reach timeout
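The slide's point is a resource race: buffers are tied up per half-open connection and only freed by the final ACK or by a timeout. This added Python example (not from the lecture) models that table so the race can be seen, then shows the stateless answer that later became standard, SYN cookies: the server encodes a keyed hash of the connection's 4-tuple and a coarse time counter into its initial sequence number and keeps nothing, so the flood has nothing to exhaust. The secret, the cookie layout (8-bit time, 24-bit hash) and the addresses are simplified assumptions for this example.

```python
import hashlib
import struct


class Backlog:
    """Model of the classic half-open connection table: one buffer per SYN,
    released on the final ACK or when the attempt times out."""

    def __init__(self, size, timeout):
        self.size = size
        self.timeout = timeout
        self.pending = {}   # (src, sport) -> time the SYN arrived

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < self.timeout}

    def on_syn(self, src, sport, now):
        """True if a buffer was allocated and SYN|ACK sent, False if the
        table is full and the connection attempt is refused."""
        self._expire(now)
        if len(self.pending) >= self.size:
            return False
        self.pending[(src, sport)] = now
        return True

    def on_ack(self, src, sport):
        """The final ACK of the handshake frees the buffer."""
        return self.pending.pop((src, sport), None) is not None


def legit_client_served(size, timeout, spoofed_syns, t_legit):
    """Fill the table at t=0 with SYNs whose ACKs never come, then ask
    whether a real client connecting at t_legit still gets a buffer."""
    table = Backlog(size, timeout)
    for i in range(spoofed_syns):
        table.on_syn("203.0.113.%d" % (i % 254 + 1), 1024 + i, 0.0)
    return table.on_syn("192.0.2.5", 40000, t_legit)


# --- SYN cookies: answer the SYN without keeping state --------------------
SECRET = b"constructed-example-secret"   # a real implementation rotates it


def syn_cookie(src, sport, dst, dport, t_counter):
    """Initial sequence number for the SYN|ACK: 8 bits of a coarse time
    counter plus 24 bits of a keyed hash over the 4-tuple."""
    t = t_counter & 0xFF
    msg = (SECRET + struct.pack("!B", t)
           + ("%s:%d>%s:%d" % (src, sport, dst, dport)).encode())
    h24 = int.from_bytes(hashlib.sha256(msg).digest()[:3], "big")
    return (t << 24) | h24


def ack_is_valid(src, sport, dst, dport, ack_num, t_now, max_age=2):
    """When the final ACK arrives, rebuild the cookie from the packet's own
    fields and check it equals ack_num - 1 and is not too old.  Only then
    is a connection structure allocated."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    t = isn >> 24
    if (t_now - t) & 0xFF > max_age:
        return False
    return syn_cookie(src, sport, dst, dport, t) == isn
```

With a 128-entry table and a 75-second timeout, 128 unanswered SYNs sent at t=0 lock out a legitimate client at t=5 and the service recovers only once the entries expire; `ack_is_valid` accepts a correct ACK from the right 4-tuple and rejects one that is stale or for a different port.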




Spoofing trusted hosts
(figure, three slides; the attacker poses as one of the target's trusted hosts)
• SYN flood the trusted host, so that it is unable to process replies and send RST
• send SYN(A) to the target with the trusted host's address as source
• the target answers ACK(A+1) SYN(B) to the trusted host, which is unable to process it and send RST
• send ACK(B+1); the sequence number B is predicted from "legitimate" connections




System break-in
• common break-in scenario:
  – gain unauthorised user level access
  – transition from user level to privileged access
  – hide your presence




Break-in consequences
• system can be used as a source of attacks to other sites on the Internet
• information can be lost, altered or stolen
• blackmail
• the system, local network, all users and maybe even your organisation may be at the mercy of the attacker


Ways to gain unauthorised access
• poor or no authentication
• weak, sniffed or stolen passwords
• "forgotten" services
• server buffer overruns
• backdoors, trojan horses and poor implementation of OS code and services
• spoofing trusted hosts




Some common examples
• sendmail (prior to v8.9)
• BIND (prior to 8.2-P5)
• IMAP, some POP3 servers
• PHP CGI scripts
• MS IIS (last vulnerability: August 2000)
• TCP/IP stack implementations
• Web browsers (redirects, buffer overruns)
• mail clients (MS Outlook & worms)




Buffer overruns
• result of programming errors
• arguments or requests exceed server's buffer length
• can cause crash of server program or even execution of arbitrary code
• most notorious examples: UNIX sendmail, POP/IMAP servers, BIND
(three figure-only slides follow)




Malicious code
• a wide range of benign and malicious viruses and worms, including MS Word macro viruses attached to documents sent by email
• trojan horses are programs disguised as useful tools or replacements of normal programs with "added functionality"
• ActiveX, JavaScript, VBScript, Java Applets
• platform/OS specific




Trojan horses
• BackOrifice, BO2k, NetBus, SubSeven
  – target MS Windows systems
  – install as a service at boot time
  – accept network connections (some encrypt their traffic)
  – allow full access to the system (specialised commands for grabbing dial-up passwords)




Mail relaying
• SMTP servers that don't restrict access can be used for bulk-mailing (spam)
• your server does the work for an unauthorized user
• spammers can hide the origin of the spam with some older servers
• your server will be put on a "black list" of open relays
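The relay decision is made once per RCPT TO command: does this server deliver or forward mail for this recipient from this client? The Python below is an added example (not the lecture's material and not any MTA's actual configuration syntax) of that decision, with the open-relay behaviour the slide warns about selectable beside the corrected policy: accept mail for local domains from anyone, and relay outward only for clients on the local network or authenticated with SMTP AUTH. The domain, network and addresses are constructed.

```python
import ipaddress

# Constructed site: the domains this server is final destination for, and
# the networks whose clients may relay through it.
LOCAL_DOMAINS = {"example.org"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def relay_decision(client_ip, rcpt_to, authenticated=False, open_relay=False):
    """Return 'accept' or 'reject' for one RCPT TO.

    open_relay=True reproduces the misconfiguration on this slide: every
    recipient is accepted and the server forwards mail for anybody.  The
    default is the corrected policy."""
    if open_relay:
        return "accept"
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"                 # inbound mail for our own users
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in LOCAL_NETWORKS):
        return "accept"                 # outbound mail from our own users
    return "reject"                     # 550 relaying denied


def relayed_for_strangers(sessions, open_relay=False):
    """Count how many recipients in a batch of (client_ip, rcpt_to,
    authenticated) sessions the server would forward on behalf of clients
    it has no relationship with."""
    n = 0
    for client_ip, rcpt_to, authenticated in sessions:
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            continue                    # local delivery, not relaying
        if relay_decision(client_ip, rcpt_to, authenticated, open_relay) == "accept":
            ip = ipaddress.ip_address(client_ip)
            if not authenticated and not any(ip in net for net in LOCAL_NETWORKS):
                n += 1
    return n


# Constructed batch: two outside clients trying to relay, one local user,
# one authenticated roaming user, one inbound message.
SESSIONS = [
    ("203.0.113.9", "a@example.net", False),
    ("203.0.113.9", "b@example.com", False),
    ("192.0.2.5", "c@example.net", False),
    ("198.51.100.7", "d@example.net", True),
    ("198.51.100.8", "alice@example.org", False),
]
```

Run against the constructed batch, the open-relay setting forwards both messages for the outside client; the corrected policy forwards none of them while still accepting the local user's, the authenticated user's and the inbound message.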


Common scenario of the attack
• find a scanner for latest OS/server vulnerabilities and scan a wide range of address space
• use available exploits to gain access
• hide yourself on attacked host
• install sniffers to collect passwords on remote sites

Script-kiddie attack
(flow chart; stages: collect ready-made tools, scan the net; break into the system (first test of abilities); root compromise; install back-doors & trojans (second test of abilities); browse the information; disable the system; brag about the hacker wisdom you possess)

Professional attack
(flow chart; stages: collect info on the system and its users; collect & develop tools; break into the system and gain privileges; retrieve data or alter/destroy data; cover your tracks; financial gain)

securityfocus.com
(screenshot)




Scanning
• scan for open TCP/UDP ports
• collect server type and version information
• "clever" portscans
  – do not complete TCP handshake (no final ACK)
  – drown the scan with large number of spoofed probing packets
  – OS fingerprinting
• tools: nmap, sscan




Example
--------------------------<[ * report for host XXX.YYY.ZZ *
<[ tcp port: 110 (pop-3) ]>     <[ tcp port: 111 (sunrpc) ]>
<[ tcp port: 53 (domain) ]>     <[ tcp port: 25 (smtp) ]>
<[ tcp port: 21 (ftp) ]>        <[ tcp port: 22 (unknown) ]>
<[ tcp port: 1114 (unknown) ]>
--<[ *OS*: XXX.YYY.ZZ: os detected: linux 2.0.x
--<[ *VULN*: XXX.YYY.ZZ: linux running mysql 2.0, remote stack overflow
--<[ *VULN*: XXX.YYY.ZZ: linux bind/iquery remote buffer overflow
---------------------------<[ * scan of XXX.YYY.ZZ completed *

• vulnerabilities described in
  – CERT/CC CA-98.05
  – BugTraq #591
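From the defender's side, the scan on the Scanning slide and in the report above leaves a signature in connection logs: one source touching many distinct ports on a host in a short time, and, for the "clever" half-open scan, SYNs that are never followed by an established connection. The Python below is an added example (not from the lecture) of that detection run over constructed log lines; the log format, the window and the port threshold are assumptions chosen for the example, not the format of any particular firewall.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<timestamp> SYN|EST <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+) (SYN|EST) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Constructed sample: 198.51.100.7 probes six ports with SYNs only (no
# final ACK, so no EST line); 192.0.2.77 opens two ordinary connections.
SAMPLE_LOG = """\
2000-08-21T10:00:01 SYN 198.51.100.7:40001 -> 192.0.2.10:21
2000-08-21T10:00:01 SYN 198.51.100.7:40002 -> 192.0.2.10:22
2000-08-21T10:00:02 SYN 198.51.100.7:40003 -> 192.0.2.10:25
2000-08-21T10:00:02 SYN 198.51.100.7:40004 -> 192.0.2.10:53
2000-08-21T10:00:03 SYN 198.51.100.7:40005 -> 192.0.2.10:110
2000-08-21T10:00:03 SYN 198.51.100.7:40006 -> 192.0.2.10:111
2000-08-21T10:00:05 SYN 192.0.2.77:51000 -> 192.0.2.10:25
2000-08-21T10:00:05 EST 192.0.2.77:51000 -> 192.0.2.10:25
2000-08-21T10:00:09 SYN 192.0.2.77:51001 -> 192.0.2.10:110
2000-08-21T10:00:09 EST 192.0.2.77:51001 -> 192.0.2.10:110
"""


def parse(log_text):
    """Yield (timestamp, kind, src, dst, dport); unparseable lines skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, kind, src, _sport, dst, dport = m.groups()
        yield datetime.fromisoformat(ts), kind, src, dst, int(dport)


def detect_scans(log_text, window_s=60, port_threshold=5):
    """Return {source: {"ports": n, "half_open": bool}} for every source
    whose SYNs reached at least port_threshold distinct (host, port)
    targets inside any window_s-second window.  half_open is True when
    the source never completed a single handshake (no EST at all)."""
    syns = defaultdict(list)        # src -> [(ts, (dst, dport)), ...]
    established = defaultdict(int)  # src -> completed handshakes
    for ts, kind, src, dst, dport in parse(log_text):
        if kind == "SYN":
            syns[src].append((ts, (dst, dport)))
        else:
            established[src] += 1

    alerts = {}
    for src, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # sliding window from each SYN
            targets = {tgt for t, tgt in events[i:]
                       if (t - t0).total_seconds() <= window_s}
            if len(targets) >= port_threshold:
                alerts[src] = {"ports": len(targets),
                               "half_open": established[src] == 0}
                break
    return alerts
```

On the sample, only 198.51.100.7 is reported, with six targets and `half_open` set, which matches the "no final ACK" technique on the slide; the ordinary client stays below the threshold. The threshold and window are the knobs to tune against your own baseline of legitimate multi-port clients.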




Find exploits
• BugTraq/NTBugTraq mailing lists
• Hacker News Network
• L0pht
• Phrack magazine




Rootkit
• tools for removing log entries
• substitutes for original binaries
  – login (accepts special usernames with root privileges)
  – ps, ls, netstat, du (hide processes and files)
  – ifconfig (hides promiscuous mode - sniffer)
• includes a user-friendly sniffer
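Because a rootkit works by replacing ps, ls, netstat and login with look-alikes, the standard counter is the one Tripwire (in the tools list at the end) implements: record a cryptographic hash of every system binary while the host is known-good, keep that baseline off the host, and compare later. The Python below is an added example of that check, not Tripwire's code; the file names and contents are constructed in a temporary directory so it runs anywhere.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Record hash, size and mode of each monitored file.  Store the result
    on read-only media off the host: a rootkit that can edit the baseline
    can also make itself invisible, and the checker itself should be run
    from trusted media for the same reason."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        st = os.stat(path)
        baseline[name] = {"sha256": file_digest(path),
                          "size": st.st_size, "mode": st.st_mode}
    return baseline


def compare_to_baseline(root, baseline):
    """Return {name: finding} for every monitored file that changed."""
    findings = {}
    for name, rec in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings[name] = "missing"
            continue
        if file_digest(path) != rec["sha256"]:
            findings[name] = "modified"
        elif os.stat(path).st_mode != rec["mode"]:
            findings[name] = "mode changed"
    return findings


def demo():
    """Constructed run: fake 'ls', 'ps' and 'netstat' binaries are baselined,
    then 'ps' is swapped for a substitute of exactly the same size (so a
    size or date check would miss it) and 'netstat' is removed."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"ORIGINAL-" + name.encode().ljust(8, b"\0"))
        baseline = build_baseline(root, ["ls", "ps", "netstat"])
        saved = json.dumps(baseline)          # what would go to offline storage
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"TROJANED-" + b"ps".ljust(8, b"\0"))   # same length
        os.remove(os.path.join(root, "netstat"))
        return compare_to_baseline(root, json.loads(saved))
```

`demo()` reports `ps` as modified and `netstat` as missing while `ls` is clean. The hash is what catches the substitute: the trojaned `ps` has the same size as the original, and a rootkit that also restores timestamps would defeat a check on mtime alone.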




Sniffer
• listens to all traffic on a local network
• privileged access needed on UNIX systems (Windows 95/98: every user is a "privileged" user)
• specialised sniffers grab and log passwords in nice human-readable form
• generally undetectable over network




Find a weaker element
• install a trojan on a user's PC
  – find open HTTP proxies that hide IP addresses
  – send trojan as an attractive attachment via a free web-mail interface
• collect passwords used for connecting to the victim site (stored passwords, keyboard sniffers)
• cover tracks by tunneling scans via the infected PC




References
• Garfinkel, Spafford: Practical UNIX & Internet Security, Second Edition, O'Reilly & Associates, 1996
• Icove, Seger, VonStorch: Computer Crime, O'Reilly & Associates, 1995
• Proceedings of the 10th FIRST Conference, Monterrey, Mexico, 1998
• CERT/CC - Computer Emergency Response Team Co-ordination Center, http://www.cert.org/
• Microsoft Security, http://www.eu.microsoft.com/security/
• Bugtraq mailing list archives, http://www.dataguard.no/bugtraq/index.html
• NT Bugtraq, http://www.ntbugtraq.com/




Useful tools
• TCP Wrapper            http://www.cert.org/ftp/tools/tcp_wrappers/
• Tripwire               http://www.cert.org/ftp/tools/tripwire/
• Crack                  http://www.cert.org/ftp/tools/crack/
• SSH (Secure Shell)     ftp://ftp.arnes.si/security/ssh/
• Pretty Good Privacy    http://www.pgpi.com/
• Argus                  http://www.ciac.org/ciac/ToolsUnixNetMon.html
• SATAN                  http://www.ciac.org/ciac/ToolsUnixNetSec.html
• ISS                    http://www.iss.net/