ELEC5616 computer and network security - PowerPoint PPT Presentation

1 / 22

About This Presentation

Title:

ELEC5616 computer and network security

Description:

ELEC5616 computer and network security matt barrie mattb_at_ee.usyd.edu.au – PowerPoint PPT presentation

Number of Views:114

Avg rating:3.0/5.0

Slides: 23

Provided by: MattB170

Category:

more less

Transcript and Presenter's Notes

Title: ELEC5616 computer and network security

1
ELEC5616computer and network security

matt barrie
mattb_at_ee.usyd.edu.au

2
vendors will save you!

1995 Network Scanning Tools
1996 Firewalls
1997 Virtual Private Networks (VPNs)
1998 Intrusion Detection Systems (IDSs)
1999 Public Key Infrastructure (PKI)
2000 Biometrics
2001 Security Appliances
2002 Unified Threat Management (UTM) Appliances
2003, 2004, 2005, 2006, 2007, 2008, 2009

3
maybe not ...

Only hackers end up running network scanning
tools.
Firewalls are walls with holes in them.
VPNs run over the Internet!
Intrusion Detection Systems dont detect new
attacks, and perform poorly at detecting old
ones.
PKI requires a massive investment in complex
infrastructure management.
Biometrics have lots of problems
They can be easily fooled
They incite violence against the user
What happens if the password file is compromised?
Fundamentally how do you revoke and issue new
keys?
Appliances are pretty boxes running the same
software.
Finally, no-one can configure any of this stuff
properly anyway.

4
so what is going wrong?

We are building the digital world on foundations
of mud
operating systems like Microsoft Windows
the IP stack, 802.11/WEP
poor user protocols (e.g. telnet, ftp, http, rsh)
poor network protocols (e.g. DNS)
poor network management protocols (e.g. SNMP,
etc)
bad (poor security) programming languages (e.g.
C)
there is a lack of proper infrastructure
there is a lack of quality developers
poor design and programming practice
e.g design choices, implementation, assumptions

5
A case study in real world threatsto network
security (and digital business)

With thanks to Joel de la Garza (Securify)

6
background chronology

July 1999 The Computer Emergency Response Team
(CERT) issues an advisory on Denial-of-service
attacks
Sep 1999 Packet Storm receives copies of DDoS
tools
Nov 1999 CERT warns of new class of attacks
(DDoS) and tools in circulation at CISAC
Information Warfare conference
Dec 1999 Packet Storm receives latest copies of
TFN and trinoo (DDoS attack tools)
Dec 1999 Packet Storm release new tools and
launches Storm Chaser 2000 Next Generation
CyberDefence.

7
the packet monkeys attack

Feb 7 2000 Yahoo - 3 hour outage
Feb 8 2000 E-bay - 5 hour outage
Feb 8 2000 buy.com - 4 hour outage - first day
of IPO!
Feb 8 2000 Amazon - 345 outage
Feb 8 2000 CNN - 330 outage
Feb 9 2000 ZDnet - 315 outage
Feb 9 2000 Etrade - 245 outage
The attack
An amplified denial-of-service attack on the
routers connecting these websites to the Internet
Amplified Ping and SYN floods

8
the press respond

Still no news on who is behind the concerted DoS
attacks that so crippled Americas ability to buy
Pokemon trading cards earlier this week. - Need
to Know www.ntk.net
In a case like this, there is no Interpol, no
Pinkertons that you can turn to for help - Wall
Street Journal
Like a distributed pizza attack where you call
every pizza shop in town and deliver them to your
worst enemy - Bruce Schneier
A 16-year-old Montreal boy will be sentenced in
April for his admitted guilt in paralyzing the
Web sites of several U.S. companies, such as
Yahoo, Amazon and eBay, while acting as the
hacker Mafiaboy in February 2000.
The unidentified boy, who quit school and works a
menial job, Thursday pleaded guilty to five
counts of mischief, 51 counts of illegal access
to a computer and one count of breach of bail
conditions -- IDG

9
its all fun and games ...

But to e-Businesses, denial of service of your
website is denial of service to your business
Organisations need to understand that there in
addition to Economies of the Internet (EoI) there
are diseconomies of the Internet
Information leakage
Operationally exposing your internals to the
world 24x7x365
Increased risk associated with increase chance
of compromise
Ease at which attackers can execute and get away
with crime
There is no Internet Police
Multiple barriers make it impossible to pursue

10
why did this happen?

Lack of strong authentication
The Internet Protocols are weak
Packets are unmetered and unauthenticated
Packets can flow any way to their destination
This is why the network is resilient
No audit trails
They are based from a history of gentle
behaviour
Why would anyone want to forge email?
Why would anyone want to spam the network?
Network control protocols use in-band signaling
Something the telephone company figured out was
bad a long time ago
A friend of a suspect dared him to do it

11
the fundamental problem

The biggest problem with security architecture
of the Internet is lack of strong authentication
You trust that Im me because I tell you so
You trust my packets as they say they come from
my IP
You trust my machine because I say its called
bullwinkle
You trust me to login because my password is
britney
You trust my email because it says it comes from
mattb_at_ee.usyd.edu.au
You trust my connection because someone other
random machine on the Internet tells you Im from
niceguy.com
You trust my TCP connection because I tell you a
sequence number (that I probably could have
guessed) that you sent across the network to me
earlier (in the clear)

12
and ...

Security is always catch-up
Always a significant time delay between finding,
reporting, advising and fixing problems
Security is usually reactive
Security is perceived as a cost centre, not a
profit centre
Homogenous nature of the Internet (monocultures)
Heterogeneous nature of the Internet
(interoperability)
Political issues, export restrictions
The government really doesnt want you to be
that secure
They want to raise the bar to their level
Patents
Humans use the Internet

13
(No Transcript)
14
the Internet is a monoculture

Most hosts on the Internet run Windows
With over 63,000 known bugs
Most nameservers run Bind
Buggy Internet Name Daemon or 300,000 lines
of bad code (Bernstein)
Most mail servers run sendmail
Historically the buggiest UNIX program (vying
with bind)
Most routers run Cisco IOS
A proprietary operating system
What can you say about the security of a program
if you cant look at the source?
Most web servers run Apache (the exception -
secure!)
IIS at second place with 20 has abysmal
security
Most applications are outlook,
hotmail/passport, MS office
Email viruses would not have been a problem if
Microsoft hadnt decided html emails were a good
idea
Most users have no clue about security

15
the result

Attacks against any of windows, bind, sendmail,
IIS, IOS, outlook, hotmail/passport or apache
will yield large numbers of 0wn3d machines.
By large we mean significant percentages of
the Internet
In other words millions of machines
Get ready for this soon to include your PDA,
mobile phone, VoIP communications, watch,
pacemaker and stereo system.

16
common beliefs are wrong

The common security philosophy is that if you
secure the perimeter, you can keep the insides
soft and gooey (marshmallow)
This has always been a very bad assumption.
Nowadays it is even worse your network is like
Afghanistan
There is no border.
You cannot trust anyone.
There are simply too many ways into your
network
Internet connections (T1, cable, ADSL, frame
relay )
Dialup modems (not just those in the modem pool,
all the others that employees use for testing,
private access etc.)
802.11 wireless networks (the record is well
over 15 kilometres with a good antenna and
amplifier)
Third party connections (vendors, partners,
clients )
Users are 90 of the problem and they are
already inside!

17
hosts are weak

When not weak due to bugs, are often weakly
configured
Default configurations are usually insecure
Too many exposed services, exposed code
Programs are written poorly in bad languages
Programs run with too much privilege
Hosts have users which further erode security
In short there are too many ways to successfully
attack hosts that can then be used to attack
others
Remote exploit to gain access to the system
Subversion of system to gain privileges
Leverage access to other systems across the
whole network
Through trust relationships, packet sniffing,
keystroke logging etc.

18
same old problems, new themes

Weve had fixes for most of these problems for 30
years
SANS Top 20 (2003) www.sans.org
UNIX
A multiple overflows in the remote procedure call
(RPC) mechanism
Vulnerable CGI programs on web servers
Chunk handling bug in Apache and another in
mod_ssl
Protocol problem in SSH1 leading to session
decryption and buggy/trojan OpenSSL
Weak authentication in the simple network
management protocol (SNMP)
Cleartext password sniffing with FTP and multiple
bugs in multiple distributions
Trust problems with the r- services
Buffer overflow in printer (lpd) services
Lots of bugs in sendmail
Lots of bugs in BIND
Accounts with no / default / poor passwords