Recent Security Threats

1
Recent Security Threats VulnerabilitiesCompute
r security
In

• Bob Cowles
• bob.cowles_at_slac.stanford.edu
• HEPiX, Fall 2004 Brookhaven, NY, USA

Work supported by U. S. Department of Energy
contract DE-AC02-76SF00515
2
Windows

• Recent Windows Vulnerabilities
• Windows patching
• Phishing and viruses
• Web exposures (IE)
• Spyware
• XP SP2

3
Recent Windows Vulnerabilities

• ASP.NET path vulnerability
• GDI jpeg (cant just block jpegs)
• IE patches lots Outlook Express update
• NetDDE (not enabled by default)
• Windows shell (exploit thru web)
• IIS (document footer javascript)
• Allows code execution NNTP SMTP, zipped
  folders Excel WP converter HTML Help Task
  Scheduler POSIX (old sys)

4
Windows Patching

• Patches do _NOT_ get e-mailed to you!
• Windows systems in Active Directory can be
  patched automatically (mostly)
• Offsite users must do their own patching
• May investigate bigfix as partial solution
• Support for Linux / Macintosh
• Non-Ad users
• Non Microsoft software (winzip, realplayer,
  acrobat)
• http//www.bigfix.com/products/products_patch.html
  

5
(No Transcript)
6
Recent Phishing E-mail
7
E-Mail Attacks Protection

• Phishing Emails (and phonecalls) engineered to
  get information from you or just to get you to
  click and download virus
• Need to have Multi-Level Protection
• Email gateways strip attachments
• Exchange/desktop AV detects removes
• Gateway tags as SPAM if a link in the
  e-mail would download malicious code

8
Dont Take the Bait
9
Forged FDIC E-mail
10
Fake FDIC Website
11
Real FDIC Website
12
E-mail With Virus Attached
13
AD SUS-gtWUS

• Problematic patching
• Office vs.Windows Update
• Require product CD?
• XP will have improvements (someday)
• Who let them name it WUS?
• http//www.wordsculpture.se/english_corner/slang.a
  sp
• But sites still must address non-MS software

14
Viruses

• More sophistication
• Run automatically
• Leave backdoors smtp for spam
• Keyboard loggers
• Alert Oct 18, 2004 bypass AV for McAfee, CA,
  Sophos, Kaspersky, Eset, RAV zip file checking

15
IE Exposures

• Unpatched vulnerabilities
• Cannot escape IE (but can control)
• XP SP2 has fixed some problems
• There is still problem of user knowledge

16
Spyware

• Invade privacy
• Keyloggers compromise security
• Allowed by some AV products
• User agrees to softwares actions through license
  agreement
• US state and federal legislation will solve the
  problem (just like with SPAM) - NOT

17
XP SP2

• Problem areas
• Spyware causes bluescreen
• Popup blocking causes problems w/ some sites
• Multiple firewalls cause conflicts
• Need to allow vulnerability scanning
• ICMP off by default (no ping response)
• Open ports fo file / print sharing or
• Run software agent that can be contacted

18
Unix Linux

• Local Exploits Remote Exploits
• Samba
• LSF rtok lsadmin eauth
• PHP in web servers
• chown
• drivers (sparse code chking tool)
• sendmail
• sshd scanning for weak passwords

19
Fedora

• Supports RH 7.3 and RH 9
• Security fixes can take several months after
  vulnerability is announced
• Large pkg of fixes released Oct 18, 2004
• ISO9660, Soundblaster, file offset pointers, nfs
  group ID, drivers, several integer oveflows,
  other DOS, memory leaks, information leaks.

20
Universities Labs

• Exploits against Solaris, AIX, Linux
• Attacker(s) are knowledgeable
• Install SK rootkit on Linux
• Install trojaned sshd
• gets passwords from keyboard/tty entry
• accesses RSA keys
• CERN break-in (LXPLUS) recent example (LSF)
• Are one time password tokens in your future?

21
Universities and Labs (cont)

• User klogd scans for open X sessions
• Forwards captured passwds thru port 8181
• Used on patched machines
• Just notified sites in US (USC, UCSB, NYU,
  Princeton, PSU, etc) of problems.
• Also RAL, Fermilab, SLAC, Cornell, Bristol, INFN,
  Stanford

22
Cisco

• CatOS Telnet, HTTP, SSH
• BGP another DOS

23
Macintosh

• Safari open in browser javascript
• Disk image mounter
• libpng
• kerberos
• rsync
• OpenSSH
• iChat
• QuickTime

24
Other Vulnerabilities

• AXIS video camera and server
• IM gaim, AIM Yahoo Messenger
• CVS
• RealPlayer
• Winzip
• Web HP JetAdmin
• Acrobat Reader 6.0
• Firewire (announced Nov 11)

25
Email

• Evils of HTML email
• Its big it hides bad stuff
• Phishing scams
• Citibank, eBay, PayPal, Wells Fargo
• Outlook 2003 setting (reg for Outlook XP)
• New default for Outlook Express

26
Outlook 2003

• Tools -gt Options -gt Preferences

27
Final Thoughts

• Attacks coming faster attackers getting smarter
• No simple solution works
• Patching helps
• Firewalls help
• AV attachment removal help
• Encrypted passwords/tunnels help
• You cant be secure only more secure
• We must share information better

28
What is the Most Important Component of Computer
Security?

• YOU!