Computer Security CS 426 Lecture 27 - PowerPoint PPT Presentation
Slides: 26
Provided by: NINGH7
Computer Security CS 426 Lecture 27
  • SANS Top-20 Internet Security Attack Targets

Operating Systems
  • W1. Internet Explorer
  • W2. Windows Libraries
  • W3. Microsoft Office
  • W4. Windows Services
  • W5. Windows Configuration Weaknesses
  • M1. Mac OS X
  • U1. UNIX Configuration Weaknesses

Cross-Platform Applications
  • C1. Web Applications
  • C2. Database Software
  • C3. P2P File Sharing Applications
  • C4. Instant Messaging
  • C5. Media Players
  • C6. DNS Servers
  • C7. Backup Software
  • C8. Security, Enterprise, and Directory
    Management Servers

Network Devices
  • N1. VoIP Servers and Phones
  • N2. Network and Other Devices Common
    Configuration Weaknesses

Security Policy and Personnel
  • H1. Excessive User Rights and Unauthorized Devices
  • H2. Users (Phishing/Spear Phishing)

Special Section
  • Z1. Zero Day Attacks and Prevention Strategies

W1. Internet Explorer
  • Unpatched or older versions of Internet Explorer
    contain multiple vulnerabilities that can lead to
    memory corruption, spoofing and execution of
    arbitrary scripts. The most critical issues are
    the ones that lead to remote code execution
    without any user interaction when a user visits a
    malicious webpage or reads an email.
  • These flaws have been widely exploited to install
    spyware, adware and other malware on users'
  • The VML zero-day vulnerability fixed by Microsoft
    patch MS06-055 was widely exploited by malicious
    websites before the patch was available.

W2. Windows Libraries
  • These libraries usually have the file extension
    DLL or OCX (for libraries containing ActiveX
  • During the past year, several Windows libraries
    were reported to have critical vulnerabilities.
    In a number of cases, exploit code was
    discovered before patches were available.
  • In December 2005, a vulnerability (CVE-2005-4560)
    was reported in the Graphics Rendering Engine's
    handling of specially crafted Windows Metafile
    (WMF) images; it could cause arbitrary code to be
    executed. A patch was not available until early
    January 2006.

W3. Microsoft Office
  • Vulnerabilities in these products can be
    exploited via the following attack vectors:
  • malicious Office document in an email message.
  • hosts the document on a web server or shared
    folder. Note that IE automatically opens Office
    documents. Hence, browsing the malicious webpage
    or folder is sufficient for the vulnerability
  • runs a news server or hijacks an RSS feed that
    sends malicious documents to email clients.
  • A large number of critical flaws were reported last
    year in MS Office applications. A few of them
    were exploited as zero-day attacks.

W4. Windows Services
  • Several of the core system services are exposed
    through named pipe endpoints accessible through
    the Common Internet File System (CIFS) protocol,
    well-known TCP/UDP ports and, in certain cases,
    ephemeral TCP/UDP ports.
  • When exploited, these vulnerabilities afford the
    attacker the same privileges that the service had
    on the host.
  • Critical vulnerabilities reported within the past
  • Server Service (MS06-040, MS06-035)
  • Routing and Remote Access Service (MS06-025)
  • Exchange Service (MS06-019)

W5. Windows Configuration Weaknesses
  • 1. User Configured Password Weaknesses
  • 2. Service Account Passwords
  • Non-system Service accounts need passwords in
  • 3. Null Log-on
  • Null sessions have allowed anonymous users to
    enumerate systems, shares, and user accounts.

M1. Mac OS X
  • The majority of the critical flaws discovered in
    the past year fall into six different
  • Safari
  • ImageIO - Vulnerabilities in this framework could
    potentially affect many different applications.
  • Unix
  • Wireless - A critical vulnerability in Mac OS X's
    wireless network subsystem allows
    physically-proximate attackers to gain complete
    control. The attack can occur even if the system is
    not part of the same logical network as the
    attacker. Additional flaws were discovered in the
    Bluetooth wireless interface subsystem, with
    similar results.
  • Virus/Trojan - The first viruses and trojans for
    the Mac OS X platform were discovered in the past
  • Other

U1. UNIX Configuration Weaknesses
  • Most Unix/Linux systems include a number of
    standard services in their default installation.
  • These services, even if fully patched, can be the
    cause of unintended compromises.
  • Of particular interest are brute-force attacks
    against command line access such as SSH, FTP, and
  • It is important to remember that brute-forcing
    passwords can be used as a technique to
    compromise even a fully patched system.
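Because patching does not stop password guessing, the defensive counterpart is to notice it. The following is an added example, not part of the original slides: it parses a constructed sample of OpenSSH `auth.log` lines and flags any source address that produces at least `threshold` failed logins inside a sliding time window. The log lines, the year supplied to the timestamp parser, and the threshold and window values are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (not real traffic).
SAMPLE_LOG = """\
Dec  1 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Dec  1 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 50123 ssh2
Dec  1 10:00:04 host sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 50124 ssh2
Dec  1 10:00:06 host sshd[2004]: Failed password for root from 203.0.113.5 port 50125 ssh2
Dec  1 10:00:07 host sshd[2005]: Failed password for invalid user oracle from 203.0.113.5 port 50126 ssh2
Dec  1 10:00:09 host sshd[2006]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Dec  1 10:00:30 host sshd[2007]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Dec  1 10:01:00 host sshd[2008]: Failed password for root from 203.0.113.5 port 50127 ssh2
"""

# One sshd authentication line; syslog timestamps carry no year, so one is supplied.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2006):
    """Yield (timestamp, result, user, ip) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (total_failures, distinct_users)} for every source with at
    least `threshold` failed logins inside some `window`-long sliding window."""
    failures = defaultdict(list)  # ip -> failure timestamps in log order
    users = defaultdict(set)      # ip -> usernames attempted
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
    flagged = {}
    for ip, stamps in failures.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(stamps), len(users[ip]))
                break
    return flagged
```

A single mistyped password from a legitimate user (198.51.100.7 above) stays below the threshold, while the source cycling through several usernames is reported along with how many names it tried.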

C1. Web Applications
  • Applications such as Content Management Systems
    (CMS), Wikis, Portals, Bulletin Boards,
  • Every week hundreds of vulnerabilities are being
    reported in these web applications, and are being
    actively exploited.
  • The number of attempted attacks every day for
    some of the large web hosting farms ranges from
    hundreds of thousands to even millions.
  • PHP Remote File Include
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-site request forgeries (CSRF)
  • Directory Traversal

C2. Database Software
  • Use of default configurations with default user
    names and passwords.
  • Buffer overflows in processes that listen on well
    known TCP/UDP ports.
  • SQL Injection via the database's own tools or web
    front-ends added by users.
  • Use of weak passwords for privileged accounts
  • 37 CVE entries on Oracle since October 2005

C3. P2P File Sharing Applications
  • The P2P networks themselves may be attacked by
    modifying legitimate files with malware, seeding
    malware files into shared directories, exploiting
    vulnerabilities in the protocol or errors in
    coding, blocking (filtering) the protocol, denial
    of service by making the network function slowly,
    spamming and identity attacks that identify
    network users and harass them.

C4. Instant Messaging
  • Recent attacks include new variations in the
    establishment and spread of botnets, and the use
    of compromised instant messaging accounts to lure
    users into revealing sensitive information.
  • Malware -- Worms, viruses, and Trojans
    transferred through the use of instant messaging.

  • Information confidentiality -- Information
    transferred via instant messaging can be subject
    to disclosure
  • Network -- Denial of service attacks and excessive
    network capacity utilization, even through
    legitimate use.
  • Application vulnerabilities -- Instant messaging
    applications contain vulnerabilities that can be
    exploited to compromise affected systems.

C5. Media Players
  • Vulnerabilities allow a malicious webpage or a
    media file to completely compromise a user's
    system without requiring much user interaction.
    The user's system can be compromised simply upon
    visiting a malicious webpage.
  • CVE entries over the past year
  • RealPlayer and Helix Player (7)
  • iTunes (3)
  • Winamp (3)
  • Quicktime (12)
  • Windows Media Player (3)
  • Macromedia Flash Player (2)

C6. DNS Servers
  • During the past year, the following types of
    attacks have been carried out by botnets against
    DNS servers.
  • Recursion Denial of Service Attacks: A botmaster
    publishes a large DNS record in a compromised DNS
    server or in a DNS server set up for this
    purpose. The botmaster then directs the botnet to
    send small UDP/53 queries to public recursive
    name servers with a forged return address pointed
    at the targeted victim. This effect can be
    amplified further by making the DNS records
    larger than a typical UDP/53 response packet,
    thus forcing a TCP/53 transaction.
  • Spoofing Authoritative Zone Answers: The
    botmaster establishes a fake web site (phishing
    site) on a compromised web server. The botmaster
    then directs the botnet to listen for requests
    and spoof DNS replies for a particular zone with
    an answer pointing to the compromised web server.
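The recursion attack above works because a small forged query yields a large answer addressed to the victim. The following is an added example, not part of the original slides, that puts numbers on that: it scores a constructed resolver query log by response-to-request byte ratio per claimed source (which, under a forged return address, is the victim being flooded), and models how restricting recursion to the resolver's own networks removes the amplification. It covers the UDP reflection part only, not the TCP/53 fallback; the log tuples, thresholds and network list are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver query log (not real traffic): one tuple per UDP/53 query
# received, as (claimed_source, qname, qtype, request_bytes, response_bytes).
# In a reflection attack the claimed source is the forged address of the victim.
QUERY_LOG = [
    ("192.0.2.10", "big.attacker.example", "TXT", 40, 3200),
    ("192.0.2.10", "big.attacker.example", "TXT", 40, 3200),
    ("192.0.2.10", "big.attacker.example", "TXT", 40, 3200),
    ("192.0.2.10", "big.attacker.example", "TXT", 40, 3200),
    ("10.0.0.5",   "www.example.com",      "A",   33,   49),
    ("10.0.0.5",   "mail.example.com",     "MX",  30,  120),
    ("10.0.0.9",   "www.example.org",      "A",   33,   60),
]

def amplification_by_source(log, min_queries=3, min_ratio=10.0):
    """Return {source: (queries, response/request byte ratio)} for sources that
    received at least min_queries answers at an aggregate ratio >= min_ratio.
    Because the source is forged, a flagged entry names the victim being flooded."""
    req, resp, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, _qname, _qtype, req_bytes, resp_bytes in log:
        req[src] += req_bytes
        resp[src] += resp_bytes
        count[src] += 1
    return {src: (count[src], round(resp[src] / req[src], 1)) for src in req
            if count[src] >= min_queries and resp[src] / req[src] >= min_ratio}

def bytes_sent(log, allow_recursion=None):
    """Model the bytes a resolver sends back per claimed source. With
    allow_recursion=None it recurses for anyone (open resolver); given a list of
    networks it sends a REFUSED-sized reply (roughly the question echoed back)
    to every source outside them, so forged queries no longer amplify."""
    nets = [ipaddress.ip_network(n) for n in (allow_recursion or [])]
    sent = defaultdict(int)
    for src, _qname, _qtype, req_bytes, resp_bytes in log:
        ip = ipaddress.ip_address(src)
        if allow_recursion is not None and not any(ip in n for n in nets):
            sent[src] += req_bytes
        else:
            sent[src] += resp_bytes
    return dict(sent)
```

With the sample log the open resolver returns 80 bytes to the victim for every byte the bots send; with recursion limited to 10.0.0.0/8 the victim receives only the refused replies.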

C7. Backup Software
  • During the last year a number of critical backup
    software vulnerabilities have been discovered.
    These vulnerabilities can be exploited to
    completely compromise systems running backup
    servers and/or backup clients. An attacker can
    leverage these flaws for an enterprise-wide
    compromise and obtain access to the sensitive
    backed-up data. Exploits have been publicly
    posted for some of these flaws, and these
    vulnerabilities are getting exploited in the

C8. Security, Enterprise, and Directory
Management Servers
  • Directory Servers
  • Monitoring Systems
  • Configuration and Patch Systems
  • Spam and Virus Scanners

N1. VoIP Servers and Phones
  • Various products such as Cisco Unified Call
    Manager, Asterisk and a number of VoIP phones
    have been found to contain vulnerabilities that
    can either lead to a crash or to complete control
    over the vulnerable server/device. By gaining
    control over the VoIP server and phones, an
    attacker could carry out VoIP phishing scams,
    eavesdropping, toll fraud or denial-of-service.

N2. Network and Other Devices Common
Configuration Weaknesses
  • N2.2.1 Default SNMP Community Strings: Default and
    often hard-coded community strings continue to
    be an issue with networking products.
  • N2.2.2 Default Accounts, Passwords, Encryption
    Keys, and Tokens
  • N2.2.3 Unnecessary Services
  • N2.2.4 Unencrypted and Unauthenticated
    Administration Protocols

H1. Excessive User Rights and Unauthorized Devices
  • Unwary users can be enticed to do unsafe things.
    Clever users can find unsafe ways to get things
    done, unintentionally exposing the company to
  • H.1a Unauthorized and/or infected devices on
  • A rogue wireless access point, a personal laptop,
    a router or PC secretly connected to an open
    ethernet port by a visitor, a USB flash drive
  • H.1b Excessive User Rights and Unauthorized

H2. Users (Phishing/Spear Phishing)
  • Password/PIN Phishing
  • VoIP phishing
  • Spear Phishing
  • highly targeted
  • Spear phishing has become one of the most
    damaging forms of attacks on military
    organizations in the US and other developed

Z1. Special Section: Zero Day Attacks and
Prevention Strategies
  • While the risks of zero day vulnerabilities in
    popular applications and subsequent exploitation
    have been discussed for several years, zero day
    attacks saw a significant upward trend in 2006. A
    zero day vulnerability occurs when a flaw in
    software code has been discovered and exploits of
    the flaw appear before a fix or patch is
    available. If a working exploit of the
    vulnerability is released into the wild, users of
    the affected software are exposed to attacks
    until a software patch is available or some form
    of mitigation is taken by the user.

Coming Attractions
  • December 5
  • Database Security, guest lecture by Ji-Won Byun