Computer Security CS 426 Lecture 27

1
Computer Security CS 426Lecture 27

• SANS Top-20 Internet Security Attack Targets

2
Operating Systems

• W1. Internet Explorer
• W2. Windows Libraries
• W3. Microsoft Office
• W4. Windows Services
• W5. Windows Configuration Weaknesses
• M1. Mac OS X
• U1. UNIX Configuration Weaknesses

3
Cross-Platform Applications

• C1 Web Applications
• C2. Database Software
• C3. P2P File Sharing Applications
• C4 Instant Messaging
• C5. Media Players
• C6. DNS Servers
• C7. Backup Software
• C8. Security, Enterprise, and Directory
  Management Servers

4
Others

• Network Devices
• N1. VoIP Servers and Phones
• N2. Network and Other Devices Common
  Configuration Weaknesses
  
• Security Policy and Personnel
• H1. Excessive User Rights and Unauthorized
  Devices
  
• H2. Users (Phishing/Spear Phishing)
• Special Section
• Z1. Zero Day Attacks and Prevention Strategies

5
W1. Internet Explorer

• Unpatched or older versions of Internet Explorer
  contain multiple vulnerabilities that can lead to
  memory corruption, spoofing and execution of
  arbitrary scripts. The most critical issues are
  the ones that lead to remote code execution
  without any user interaction when a user visits a
  malicious webpage or reads an email.
• These flaws have been widely exploited to install
  spyware, adware and other malware on users'
  systems.
  
• The VML zero-day vulnerability fixed by Microsoft
  patch MS06-055 was widely exploited by malicious
  websites before the patch was available.

6
W2 Windows Libraries

• These libraries usually have the file extension
  DLL or OCX (for libraries containing ActiveX
  controls).
  
• During the past year, several windows libraries
  were reported to have critical vulnerabilities.
  In a number of cases, exploit codes were
  discovered before patches were available
  (zero-day).
• In December 2005, a vulnerability (CVE-2005-4560)
  was reported in the Graphics Rendering Engine
  when handling specially crafted Windows Metafile
  (WMF) images, it could cause arbitrary code to be
  executed. A patch was not available until early
  January 2006 .

7
W3. Microsoft Office

• Vulnerabilities in these products can be
  exploited via the following attack vectors
  
• malicious Office document in an email message.
• hosts the document on a web server or shared
  folder. Note that IE automatically opens Office
  documents. Hence, browsing the malicious webpage
  or folder is sufficient for the vulnerability
  exploitation.
• runs a news server or hijacks a RSS feed that
  sends malicious documents to email clients.
  
• A large number critical flaws were reported last
  year in MS Office applications. A few of them
  were exploited at a zero-day.

8
W4. Windows Services

• Several of the core system services are exposed
  through named pipe endpoints accessible through
  the Common Internet File System (CIFS) protocol,
  well known TCP/UDP ports and in certain cases
  ephemeral TCP/UDP ports.
• When exploited, these vulnerabilities afford the
  attacker the same privileges that the service had
  on the host.
  
• Critical vulnerabilities reported within the past
  year
  
• Server Service (MS06-040, MS06-035)
• iRouting and Remote Access Service (MS06-025)
• Exchange Service (MS06-019)

9
W5 Windows Configuration Weaknesses

• 1. User Configured Password Weaknesses
• 2. Service Account Passwords
• Non-system Service accounts need passwords in
  Windows.
  
• 3. Null Log-on
• null sessions have allowed anonymous users to
  enumerate systems, shares, and user accounts.
  

10
M1. Mac OS X

• The majority of the critical flaws discovered in
  the past year fall into six different
  categories
  
• Safari
• ImageIO - Vulnerabilities in this framework could
  potentially affect many different applications.
  
• Unix
• Wireless - A critical vulnerability in Mac OS X's
  wireless network subsystem allows
  physically-proximate attackers to gain complete
  control. Attack can occur even if that system was
  not part of the same logical network as the
  attacker. Additional flaws were discovered in the
  Bluetooth wireless interface subsystem, with
  similar results.
• Virus/Trojan - The first viruses and trojans for
  the Mac OS X platform were discovered in the past
  year.
  
• Other

11
U1. UNIX Configuration Weaknesses

• Most Unix/Linux systems include a number of
  standard services in their default installation.
  
• These services, even if fully patched, can be the
  cause of unintended compromises.
  
• Of particular interest are brute-force attacks
  against command line access such as SSH, FTP, and
  telnet.
  
• It is important to remember that brute forcing
  passwords can be a used as a technique to
  compromise even a fully patched system.

12
C1 Web Applications

• Applications such as Content Management Systems
  (CMS), Wikis, Portals, Bulletin Boards,
  
• Every week hundreds of vulnerabilities are being
  reported in these web applications, and are being
  actively exploited.
  
• The number of attempted attacks every day for
  some of the large web hosting farms range from
  hundreds of thousands to even millions.
  
• PHP Remote File Include
• SQL Injection
• Cross-Site Scripting (XSS)
• Cross-site request forgeries (CSRF)
• Directory Traversal

13
C2. Database Software

• Use of default configurations with default user
  names and passwords.
  
• Buffer overflows in processes that listen on well
  known TCP/UDP ports.
  
• SQL Injection via the database's own tools or web
  front-ends added by users.
  
• Use of weak passwords for privileged accounts
• 37 CVE entries on Oracle since October 2005

14
C3. P2P File Sharing Applications

• The P2P networks themselves may be attacked by
  modifying legitimate files with malware, seeding
  malware files into shared directories, exploiting
  vulnerabilities in the protocol or errors in
  coding, blocking (filtering) the protocol, denial
  of service by making the network function slowly,
  spamming and identity attacks that identify
  network users and harass them.

15
C4. Instant Messaging

• Recent attacks include new variations in the
  establishment and spread of botnets, and the use
  of compromised instant messaging accounts to lure
  users into revealing sensitive information.
• Malware -- Worms, viruses, and Trojans
  transferred through the use of instant messaging.
  
  
• Information confidentiality -- Information
  transferred via instant messaging can be subject
  to disclosure
  
• Network -- Denial of service attacks excessive
  network capacity utilization, even through
  legitimate use.
  
• Application vulnerabilities -- Instant messaging
  applications contain vulnerabilities that can be
  exploited to compromise affected systems.
  

16
C5. Media Players

• Vulnerabilities allow a malicious webpage or a
  media file to completely compromise a user's
  system without requiring much user interaction.
  The user's system can be compromised simply upon
  visiting a malicious webpage.
• CVE entries over the past year
• RealPlayer and Helix Player (7)
• iTunes (3)
• Winamp (3)
• Quicktime (12)
• Windows Media Player (3)
• Macromedia Flash Player (2)

17
C6. DNS Servers

• During the past year, the following types of
  attacks have been carried out by botnets against
  DNS servers.
  
• Recursion Denial of Service Attacks A Botmaster
  publishes a large DNS record in a compromised DNS
  server or in a DNS server set up for this
  purpose. The botmaster then directs the botnet to
  send small UDP/53 queries to public recursive
  name servers with a forged return address pointed
  at the targeted victim. This effect can be
  amplified further by making the DNS records
  larger than a typical UDP/53 response packet,
  thus forcing a TCP/53 transaction.
• Spoofing Authoritative zone Answers The
  botmaster establishes a fake web site (phishing
  site) on a compromised web server. The botmaster
  then directs the botnet to listen for requests
  and spoof DNS replies for a particular zone with
  an answer pointing to the compromised web server.

18
C7. Backup Software

• During the last year a number of critical backup
  software vulnerabilities have been discovered.
  These vulnerabilities can be exploited to
  completely compromise systems running backup
  servers and/or backup clients. An attacker can
  leverage these flaws for an enterprise-wide
  compromise and obtain access to the sensitive
  backed-up data. Exploits have been publicly
  posted for some of these flaws, and these
  vulnerabilities are getting exploited in the
  wild.

19
C8. Security, Enterprise, and Directory
Management Servers

• Directory Servers
• Monitoring Systems
• Configuration and Patch Systems
• Spam and Virus Scanners

20
N1 VoIP Servers and Phones

• Various products such as Cisco Unified Call
  Manager , Asterisk and a number of VoIP phones
  have been found to contain vulnerabilities that
  can either lead to a crash or a complete control
  over the vulnerable server/device. By gaining a
  control over the VoIP server and phones, an
  attacker could carry out VoIP phishing scams,
  eavesdropping, toll fraud or denial-of-service
  attacks.

21
N2. Network and Other Devices Common
Configuration Weaknesses

• N2.2.1 Default SNMP Community StringsDefault and
  often a hard-coded community string continues to
  be an issue with networking products.
  
• N2.2.2 Default Accounts, Passwords, Encryption
  Keys, and TokensN2.2.3 Unnecessary
  ServicesN2.2.4 Unencrypted and Unauthenticated
  Administration Protocols

22
H1. Excessive User Rights and Unauthorized Devices

• Unwary users can be enticed to do unsafe things.
  Clever users can find unsafe ways to get things
  done, unintentionally exposing the company to
  attack.
• H.1a Unauthorized and/or infected devices on
  network
  
• A rogue wireless access point, a personal laptop,
  a router or PC secretly connected to an open
  ethernet port by a visitor, a USB flash drive
  
• H.1b Excessive User Rights and Unauthorized
  software
  

23
H2. Users (Phishing/Spear Phishing)

• Password/PIN Phishing
• VoIP phishing
• Spear Phishing
• highly targeted
• Spear phishing has become one of the most
  damaging forms of attacks on military
  organizations in the US and other developed
  countries.

24
Z1 Special Section Zero Day Attacks and
Prevention Strategies

• While the risks of zero day vulnerabilities in
  popular applications and subsequent exploitation
  have been discussed for several years, zero day
  attacks saw a significant upward trend in 2006. A
  zero day vulnerability occurs when a flaw in
  software code has been discovered and exploits of
  the flaw appear before a fix or patch is
  available. If a working exploit of the
  vulnerability is released into the wild, users of
  the affected software are exposed to attacks
  until a software patch is available or some form
  of mitigation is taken by the user.

25
Coming Attractions

• December 5
• Database Security, guest lecture by Ji-Won Byun