TSM 352

1
Introduction

• TSM 352
• System Security
• Reference Sheldon Chs 1-3

2
TCP Review

• TCP/IP, though funded by the Military was not
  designed to be highly secure.
• The protocol suite is robust in terms of
  providing protection against failure of nodes and
  lines
• Early Windows systems had a very poor stack.
  Microsoft has spent a lot of time and effort to
  re-write the stack, and it has improved
  considerably for Win2k and XP.
• Some totally new features for Win2k TCP/IP Stack
• Designed to support plug-and-play
• Supports QoS
• Supports IPSec
• Not long after Win2k appeared, there were already
  new attacks out against the Win2k TCP/IP stack.
  UDP fragmentation was one example. It can cause
  Win2k machines to lock up, using 100 of its CPU.
  SP3 clears this up.

3
OSI Model

• Review your OSI Model
• Pay particular attention to relationship to
  TCP/IP Model

4
Microsoft-specific Protocols

• Be aware of other lower layer protocols beyond
  those in the TCP/IP suite.
• Historically, Microsoft networking has been built
  on top of NetBIOS.
• NetBIOS really is a software interface, not a
  protocol.
• Most Microsoft networking implementations today
  use NBT (NetBIOS over TCP/IP).
• With the advent of Win2k, NetBIOS is being
  deprecated. Other Microsoft protocols, such as
  SMB and CIFS (which used to be associated with
  NetBIOS), are still used, but now are running
  directly on TCP or UDP.

5
Security Threats

• Security breaches are on an exponential increase.
• There is a wide range of attacker profiles and
  objectives. Remember that the attacker may be
  after information or resources on your systems.
  The attack may also be simply random. It may be
  to damage your reputation.
• Historically, Microsoft OSs have tended to be
  primary targets for gathering info or reputation
  attacks. With Win2k, there has been an increase
  in resource type attacks, since the systems are
  more powerful.

6
Attack Methods Countermeasures
7
Authentication Compromise

• The method focuses on acquiring an account and
  password
• This is a primary target for attackers
• Many ways to accomplish this
• Sniffers
• Guessing
• Plant bugs
• Tap into wires
• Set up hidden cameras
• Dumpster Diving
• Info-gathering through null sessions, snmp, etc.
• Obtaining the encrypted passwords (hashes) from
  various sources

8
Authentication Compromise cont

• Once an attacker has an account, s/he will
  attempt to elevate their privilege level.
• May also create a BackDoor.
• One of the worst things that can happen to you is
  for an attacker to gain access to an
  administrative account (get root). This gives
  them ultimate control.

9
Authentication Compromise Countermeasures

• Use Authentication System befitting the protected
  resource
• Something you have (smartcard)
• Something you know (password)
• Something you are (retina, fingerprint)
• Basically you want a system that is not subject
  to MitM attacks, replay attacks, and
  cryptanalysis attacks. Some common strong systems
• Dial-back
• Remote Authentication (RADIUS)
• Global Positioning Systems
• Token devices
• Biometric devices
• Make strong passwords
• Control access to authentication files

10
Improper Input Validation

• IIS Web server is notorious for this - form
  variables, etc.
• Buffer Overflows are similar, but encompass more
  potential targets. Apply anytime a program
  accepts input of any sort - even the TCP/IP
  stack.
• Countermeasures
• The fix is theoretically simple - evaluate the
  input.
• Though it seems simple, it is not - and typically
  adds considerable programming time to the
  development of an application.
• There are new API calls appearing with every
  system upgrade that provides a more secure call
  than previous versions.

11
Compromised Trust Relationships

• A trust relationship is where one system trusts
  another system. Once the connection has been
  verified as being the trusted system, a number of
  permissions are granted.
• An attacker will attempt to disguise himself as a
  trusted system.
• Obviously, obtaining account information fits
  into this category, but there are other
  possibilities

12
Compromised Trusts Techniques

• IP Spoofing. Windows doesnt currently have any
  trust relationships based on IPs, but Unix does
• Session Hijacking. The author has confused this
  topic slightly. An attacker can hijack a
  session once it is established. By established
  here we mean that the trusted system has already
  identified itself. At this point, the hijacker
  knocks off the trusted system and disguises
  himself as the trusted system - thereby getting
  access to all of the resources that the trusted
  system could access.

13
Compromised TrustsMan-in-the-Middle (MitM)

• In this approach, the attacker places his machine
  between the two trusted machines. He fools the
  client into thinking he is the server, and fools
  the server into thinking he is the client.
• The client sends all of his requests to the MitM.
• The MitM then forwards those requests to the
  server.
• The server responds to the MitM,
• and the MitM relays the responses back to the
  client.
• The MitM can subvert the requests, supplanting
  them with his own - but this would often lead to
  his discovery.
• Most often, the MitM will simply listen, and
  gather sensitive data.
• MitM is typically only possible on a local basis
  - using ARP poisoning to fool the client and
  server. It is possible in a remote situation only
  if source routing is allowed by all the
  intermediate routers (which is very unlikely
  today).

14
Compromised TrustsDNS Cache Poisoning

• In this type of attack, the DNS resolution for a
  particular domain name is changed, so that the
  domain name points to the attackers machine.
• The unaware client connects to the attackers
  machine, believing that he is connecting to the
  real server.
• The attacker could then have a official-looking
  site that continues to fool the client into
  giving up sensitive information.

15
Compromised Trusts War Dialing

• This is a technique to attempt to find a Modem to
  connect to.
• More often than not, Modems have connections that
  bypass the institutions firewall. This gets the
  attacker immediately on the inside.
• Often also, Modem connections have weak
  passwords, or none at all.
• War dialing refers to running a program that
  dials automatically through ranges of phone
  numbers, and records whenever a Modem answers.

16
Compromised Trusts War Dialing

• This is a technique to attempt to find a Modem to
  connect to.
• More often than not, Modems have connections that
  bypass the institutions firewall. This gets the
  attacker immediately on the inside.
• Often also, Modem connections have weak
  passwords, or none at all.
• War dialing refers to running a program that
  dials automatically through ranges of phone
  numbers, and records whenever a Modem answers.

17
Compromised Trusts Wireless

• Many companies are now going to wireless LANs.
• For the most part, wireless is inherently
  insecure, since the information is transmitted
  through the air, available to anyone in the area
  with a receiver.
• A new term War Driving has appeared - it refers
  to driving around with a wireless receiver
  attempting to find a signal. Once a signal is
  found, it is a fairly easy process to get a
  connection to the targets network and begin
  sniffing and exploring.

18
Compromised TrustsCountermeasures

• Use switches instead of hubs to help avoid
  sniffing and MitM attacks. Also monitor network
  for promiscuous-mode devices. Consider using
  fiber optic cable runs which are out of your
  physical control (fiber cannot be monitored with
  EM devices).
• Secure your DNS Structure. Be sure to define
  which machines can do zone transfers and which
  machines can supply updates.
• Use your router filters to prevent IP spoofing.
• Use encryption where possible. IPSec is a
  built-in W2k solution
• Use wireless challenge-based authentication
  before giving out IP
• Eliminate Modems if possible. If not, insure that
  they are OUTSIDE the firewall, and be sure they
  have adequate authentication with solid passwords

19
Network Services Attacks

• This is why we have computers on the network to
  begin with. We want to supply services to workers
  or customers via the network.
• A network service is a PROGRAM that runs on a
  computer.
• When the service runs, it typically opens a port
  and listens for incoming requests to connect.
• Since services are programs, they are vulnerable
  as any type of program - due primarily to
  programming bugs or issues that were not
  considered when the program was created.

20
Network Services AttacksTraditionally Weak
Services

• Telnet. All traffic is transmitted as clear text
  (including user IDs and passwords). Therefore,
  passwords can easily be sniffed.
• File Sharing. Two major file-sharing protocols
  (NFS from Unix background and SMB from Microsoft)
  have a number of vulnerabilities which we will
  look at throughout the semester.
• Email.
• There have been a lot vulnerabilities discovered
  in almost every version of SMTP that has been
  released. Microsoft Exchange is a relatively safe
  implementation.
• There are lots of ways email can be simply
  forged. Forging return addresses can be used to
  embarrass someone whose name has been forged, or
  to convince a user to give up information.
• Spamming is yet another email issue.
• Digital signatures help avoid such ploys.

21
Network Services AttacksTraditionally Weak
Services

• Mime. (Multipurpose Internet Mail Extensions).
  Provide a way to insert a variety of different
  media formats into email. Potentially dangerous
  since email can now contain viruses, etc.
• FTP. Like telnet, transfers over FTP are clear
  text. FTP is used to transfer files, so the files
  themselves can be malicious. If not configured
  correctly, FTP is often a gateway into the rest
  of the file system.
• DNS. If not configured correctly it can provide
  an attacker with a lot of information concerning
  the organizations network structure. Also, DNS
  servers can be poisoned (as discussed earlier).

22
Network Services AttacksTraditionally Weak
Services

• Web Server-to-Client attacks (often referred to
  as data-driven or content-driven attacks).
• These involve the use of Java, ActiveX, JS,
  VBScript, etc to attack the client by doing
  things like accessing the local file system,
  gathering info, starting services, installing
  services.

23
Network Services AttacksCountermeasures

• We must have network services - otherwise we
  wouldnt need the network. But, there are a few
  fundamental principles that can be applied to
  improve security
• Remove/disable any and all services which are not
  used. Many services are installed by default -
  beware of these.
• Insure that you have installed the latest tested
  version of a service, and the latest patches and
  upgrades for that service (particularly those
  that pertain to security).
• Subscribe to any listservs that deal with the
  particular services that you run - paying special
  attention to those that pertain to security for
  that service.

24
Denial of Service Attacks (DoS)

• An attack that focuses on removing a resource
  from the network.
• Feature- or protocol-driven, takes advantages of
  vulnerabilities of particular features of a
  service. They are basically impossible to prevent
  unless you disable the feature or protocol.
  Flooding attack is an example of this.
• Configuration-based rely on improperly configured
  services.
• Programming-flaws often provide an avenue of
  attack - quite often with a buffer overflow.
• DDoS uses several machines to deliver a DoS at
  the same time. DDoS are most effective when the
  type of attack is a flood of packets.

25
Denial of Service Attacks (DoS)Countermeasures

• DoS on features or protocols are hard to
  prevent.
• The best you can do is set limits.
• Protocol limits can typically only be set with
  border devices, such as routers and firewalls.
• Feature limitations are typically available
  through the service configuration. If you see a
  feature that you are not familiar with, disable
  it. Only enable it when you find you need it.

26
Malicious Software Attacks

• Malicious Software
• Viruses and Worms
• Trojan Horses
• Backdoors
• Countermeasures
• Insure that your companys employees are trained.
  
• Install and use AV software, and insure it stays
  updated.
• Use SMTP filters to remove malicious contents
  of email

27
Basic Countermeasure Principles

• Create policies
• Set up a response team
• Train employees to make good security decision in
  everyday business
• Check your own vulnerabilities
• Identify your important resources and weight them
• Identify your likely targets