DePaul University Computer Network Security

1
DePaul UniversityComputer Network Security

• Are We Safe?

2
Internet 101

• Telephone System
• central authority
• network in control
• billing records per connection
• legal issues well understood
• provisions for law enforcement (wiretapping)

• Internet
• no central authority
• end systems in control
• no central knowledge of connections
• no per-packet billing
• legal issues not well understood
• anonymity is easy

3
Internet Security Stinks

• Hosts are hard to secure
• Bad defaults
• Poor software
• Fixes rarely applied
• Average user/administrator is clueless
• An overly secure system is not useful
• Its difficult to coordinate among sites

4
Exploits Overview

• Passwords
• hacking and sniffing
• System specific
• NT, UNIX, NetWare, Linux
• Application specific
• web browser, ftp, email, finger
• Protocol specific
• spoofing, TCP hijacking, ICMP redirects, DNS
• Denial of Service
• PING of death, trinoo, tribe flood

5
The Process

• Reconnaissance
• Scanning
• Exploit Systems
• Keep access with backdoors/trojans
• Use system
• Often as a springboard
• Cover any tracks

6
The Problem is Real

• Just over a year ago...
• ResNet/DPO
• cgi-bin/phf
• Oracle
• CTI
• Plain text

7
Recently...

• We receive hundreds of probes every day
• This weekend a single host sent at least 2000
  scans to our address space for port 23
• .kr and .tw are popular sources
• DNS scans
• _at_home.com, aol.com are frequent flyers
• ResNet students

8
Gotcha!
9
Password Hacking

• Attackers can watch packets go by
• Usually part of the attackers plan when
  compromising a host
• One of the most common problems
• Encryption for remote access helps
• Note even encrypted password files can be cracked

10
Denial of Service Attacks

• A Very Difficult Problem to Solve!
• Real World Example
• Everyone dials 911 at the same time
• How do you screen and more importantly, stop the
  bad ones?
• Most effective when source address is spoofed

11
Example Distributed Denial of Service Illustrated
12
Viruses and Worms

• Programs written with the intent to spread
• Worms are very common today
• Usually email based (e.g. ILOVEYOU)
• Viruses infect other programs
• Code copied to other programs (e.g. macros)
• Requires the code to be executed
• Proves users continue to do dumb things
• Sometimes software is at fault too

13
Buffer Overflows and Weak Validation of Input

• One of the most popular security issues
• Popular exploits with CGI scripts
• Regular users can gain root access
• Can pass commands to be executed
• e.g. Network Solutions easysteps.pl
• Sometimes root access can be gained

14
Network Mapping

• PING
• DNS mapping (dont need zone transfer)
• dig pfset0x2020 -x 10.x.x.x
• rpcinfo -p lthostnamegt
• nmap lthttp//www.insecure.org/nmap/gt
• very nice!
• Microsoft Windows is NOT immune
• nbtstat, net commands
• Just look around the net!

15
Firewall Solutions

• They help, but not a panacea
• A network response to a host problem
• Packet by packet examination is tough
• Dont forget internal users
• Need well defined borders
• Can be a false sense of security

16
Internal Security

• Most often ignored
• Most likely the problem
• Disgruntled (ex-)end user
• Curious, but dangerous end user
• Clueless and dangerous end user

17
Security by Obscurity

• Is no security at all.
• However
• Its often best not to advertise unnecessarily
• Its often the only layer used (e.g. passwords)
• Probably need more security

18
Layered Defenses

• The belt and suspenders approach
• Multiple layers make it harder to get through
• Multiple layers take longer to get through
• Basic statistics and probability apply
• If Defense A stops 90 of all attacks and Defense
  B stops 90 of all attacks, you might be able to
  stop up to 99 of all attacks
• Trade-off in time, money and convenience

19
Physical Security

• Trash bins
• Social engineering
• Its much easier to trust a face than a packet
• Protect from the whoops
• power
• spills
• the clumsy
• software really can kill hardware

20
If I Were You, Id...

• Keep up on your host patches/fixes
• Be very careful with email attachments
• Disable unnecessary services
• Use encryption (ssh) whenever possible
• avoid telnet, ftp, pop-3 email, etc.
• Audit often
• keep logs, keep backups

21
A Word About Network Address Translation

• It has no place in this talk
• It is misunderstood and misapplied
• It is fundamentally bad for the Internet
• Just say NO to RFC 1918

22
Food For Thought

• http//networks.depaul.edu/security/
• dpu.security
• DePaul FIRST Team
• Any further interest in security education and
  research?

23
References

• bugtraq mailing list
• http//www.sans.org
• http//www.cert.org
• http//www.cerias.perdue.edu
• http//www.securityportal.com/lasg/
• http//cale.cs.depaul.edu
• http//www.securityfocus.com
• http//www.denialinfo.com
• http//www.enteract.com/lspitz/pubs.html
• http//www.robertgraham.com/pubs/
• http//cm.bell-labs.com/who/ches/
• http//www.research.att.com/smb/
• http//packetstorm.securify.com

24
My Information

• Networks Group, DePaul University
• http//condor.depaul.edu/jkristof/
• jtk_at_depaul.edu
• (312) 362-5878