Looking at Vulnerabilities - PowerPoint PPT Presentation

1
Looking at Vulnerabilities
  • Dave Dittrich, The Information School / Computing &
    Communications, University of Washington

Microsoft campus 8/25/03
2
Overview
  • Background concepts
  • Your typical look at
  • Vulnerabilities, Risk vs. Cost
  • A (real!) complex attack scenario
  • A different view of vulnerabilities
  • Trust relationships
  • Attack trees
  • Atypical/uncommon vulnerabilities

3
Stepping Stones
4
Internet Relay Chat (IRC)
5
IRC w/Bots & BNCs
6
Distributed Denial of Service (DDoS) Networks
7
Typical DDoS attack
8
DDoS Attack Traffic (1)
One Day Traffic Graph
9
DDoS Attack Traffic (2)
One Week Traffic Graph
10
DDoS Attack Traffic (3)
One Year Traffic Graph
11
SANS Top 20 Vulnerabilities
  • Unix Top 10
    – Remote Procedure Call (RPC) services
    – Apache Web Server
    – Secure Shell (SSH)
    – Simple Network Management Protocol (SNMP)
    – File Transfer Protocol (FTP)
    – Berkeley r-utilities (trust relationships)
    – Line Printer Daemon (LPD)
    – Sendmail
    – BIND/DNS
    – General Unix Authentication (accounts w/o pwd, bad pwd)
  • Windows Top 10
    – Internet Information Server (IIS)
    – Microsoft Data Access Components (MDAC)
    – SQL Server
    – NETBIOS
    – Anonymous login/null session
    – LAN Manager Authentication (weak LM hash)
    – General Windows Authentication (accounts w/o pwd, bad pwd)
    – Internet Explorer
    – Remote Registry Access
    – Windows Scripting Host

http://www.sans.org/top20/
12
Attack Sophistication vs. Intruder Technical Knowledge
[Chart: CERT/CC timeline, 1980 to 2001. Vertical axis: Attack Sophistication / Intruder Knowledge, Low to High; two curves labelled "Tools" and "Attackers". Attack tools appearing along the timeline, roughly from least to most sophisticated: password guessing, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, disabling audits, network mgmt. diagnostics, back doors, GUI, automated probes/scans, www attacks, sniffers, distributed attack tools, packet spoofing, denial of service, stealth/advanced scanning techniques, binary encryption.]
Source: CERT/CC (used w/o permission, modified. Can you say "fair use"? Sure, I knew you could. IHO Fred Rogers)
13
Cost vs. Risk 101
14
Another view of Cost vs. Risk
15
UW Medical Center Kane Incident
  • Goal: How hard is it to obtain patient records?
  • Windows 98 desktop w/trojan or no pwd
  • Sniffer
  • Linux server -> Windows NT PDC/FP server
  • Unix email server
  • Windows PDCs, BDCs
  • Windows Terminal Server (>400 users)
  • Access database file (>4000 patient records:
    Name, SSN, Home number, treatment, date)
  • SecurityFocus -> ABC News

16
Trust relationships
  • Client <-> Server
  • IP based ACLs
  • Shared password/symmetric key
  • Shared network infrastructure
  • Sensitive data in email
  • Sensitive files on servers

17
Attack Trees
  • Secrets and Lies, Bruce Schneier, ISBN
    0-471-25311-1, chapter 21
  • Goal is the root node; sub-goals are lower
    nodes/leaves
  • AND/OR relationship between nodes
  • Attributes: likelihood, equipment required, cost
    of attack, skill required, legality, etc.

18
Attack Tree Example 1
http://www.counterpane.com/attacktrees-fig1.html
19
Attack Tree Example 2
http://www.counterpane.com/attacktrees-fig6.html
20
Attack Tree Example 3
  • Survivability Compromise: Monitor network traffic
    OR 1. Install sniffer on desktop.
         OR 1. Use email trojan horse.
            2. Use remote exploit.
            3. Use Windows remote login service.
                 OR 1. Use passwordless Administrator account.
                    2. Brute force passwords on all listed accounts.
                    3. Brute force passwords on common accounts.
       2. Install sniffer on Unix/Windows server.
         OR 1. Use remote exploit.
            2. Steal/sniff password to root/Administrator account.
            3. Guess password to root/Administrator account.
       3. Man-in-the-middle attack on SSL/SSH.

21
Attack Tree Example 4 (Nested)
  • Survivability Compromise: Disclosure of Patient Records
    OR 1. Attack Med Center network using connections to the Internet
         OR 1. Compromise central patient records database (PRDB).
              AND 1. Identify central PRDB.
                     OR 1. Scan to identify PRDB.
                        2. Monitor network traffic to identify PRDB.
                  2. Compromise central PRDB.
                     OR 1. Use remote exploit.
                        2. Monitor network traffic to sniff pwd to account.
                        3. Guess password to account.
            2. Obtain file(s) containing patient records.
                 OR 1. Monitor network traffic to capture patient records.
                    2. Compromise file server or terminal server.
                         OR 1. Use remote exploit.
                            2. Monitor network traffic to sniff Administrator pwd.
                            3. Guess password to User/Administrator account.

22
Atypical Vulnerabilities
  • Network Infrastructure
  • Special Devices
  • Non-technical (Social) Issues

23
Border Routers
  • BGP (route insertion/withdrawal)
  • Address forgery
  • Source routing
  • Denial of Service
  • Remote service exploit / root kits
  • Lack of visibility/access to traffic flows

24
Internal Routers/Switches
  • OSPF, RIP & other protocols
  • Address forgery
  • ARP spoofing
  • Sniffing (SNMP community string, pwd)
  • Denial of Service
  • Lack of visibility/access to traffic flows
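
Added example, not from the talk: the ARP spoofing and sniffing items above are the classic way to sniff on a switched segment, and the "lack of visibility" item is why they go unnoticed. This is the core of an ARP-cache-poisoning detector run over a constructed set of observed ARP replies; the address table of hosts that should never move (here the default gateway) is an assumption of the example, as is every sample reply.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not from the talk.  Every ARP reply below is a constructed
sample; 'STATIC' is an assumed table of addresses the operator knows should
never move (here the default gateway).  Three patterns are flagged:
  static-violation: a reply claims a pinned IP with the wrong MAC
  ip-flap:          an IP answered by one MAC is now answered by another
  multi-ip:         one MAC answering for several IPs (a host in the middle
                    impersonating both a victim and the gateway)
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class ArpReply(NamedTuple):
    ts: float          # seconds since capture start
    sender_ip: str     # ARP "sender protocol address" in the reply
    sender_mac: str    # ARP "sender hardware address" in the reply


class Alert(NamedTuple):
    ts: Optional[float]
    kind: str
    detail: str


def detect_arp_spoofing(replies: List[ArpReply], static: Dict[str, str]) -> List[Alert]:
    """Scan replies in time order and return the alerts they generate."""
    pinned = {ip: mac.lower() for ip, mac in static.items()}
    ip_to_macs: Dict[str, Set[str]] = defaultdict(set)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Alert] = []
    for r in replies:
        mac = r.sender_mac.lower()          # MACs compare case-insensitively
        if r.sender_ip in pinned and pinned[r.sender_ip] != mac:
            alerts.append(Alert(r.ts, "static-violation",
                                f"{r.sender_ip} claimed by {mac}, expected {pinned[r.sender_ip]}"))
        seen = ip_to_macs[r.sender_ip]
        if seen and mac not in seen:        # first time this IP shows up on a new MAC
            alerts.append(Alert(r.ts, "ip-flap",
                                f"{r.sender_ip} moved from {sorted(seen)} to {mac}"))
        seen.add(mac)
        mac_to_ips[mac].add(r.sender_ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(Alert(None, "multi-ip", f"{mac} answers for {sorted(ips)}"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Alert count per kind, for a quick triage view."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.kind] += 1
    return dict(counts)


# Constructed sample: a quiet segment, then the host at ...:66 starts answering
# for both the gateway (10.0.0.1) and a workstation (10.0.0.10).
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    ArpReply(1.1, "10.0.0.10", "aa:bb:cc:00:00:10"),
    ArpReply(1.2, "10.0.0.20", "aa:bb:cc:00:00:20"),
    ArpReply(5.0, "10.0.0.1",  "AA:BB:CC:00:00:66"),   # gateway impersonated
    ArpReply(5.1, "10.0.0.10", "aa:bb:cc:00:00:66"),   # workstation impersonated
    ArpReply(5.2, "10.0.0.1",  "aa:bb:cc:00:00:66"),   # repeat: no second ip-flap
]
STATIC = {"10.0.0.1": "aa:bb:cc:00:00:01"}   # assumed: gateway MAC is pinned


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_REPLIES, STATIC):
        print(a.ts, a.kind, a.detail)
```

In practice the replies come from a span port or a sensor on the segment; the logic is the same. An ip-flap on its own is a signal to verify rather than proof of an attack, since DHCP lease changes, a replaced NIC, or a first-hop redundancy protocol failing over will also move an IP between MACs. A pinned-gateway violation combined with one MAC answering for several addresses is the pattern that should page someone.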

25
Servers
  • Gateways to legacy apps
  • Web apps
  • Insufficient logging/auditing
  • Hiding in plain sight
  • Control of software configuration

26
Network Printers
  • Change 'Ready' message
  • FTP bounce scan, other scanning
  • File cache
  • SNMP/web admin front ends, back doors
  • Disclosure of print jobs
  • Passive monitoring
  • Redirection of print jobs

27
Medical devices, photocopiers, printers
  • Proprietary or OEM OS (e.g., Solaris, IRIX)
  • Many (non-essential) services turned on
  • Typically behind the curve on patches
  • Remote management (HTTP, SNMP)
  • Heavy use of unencrypted protocols (e.g., FTP,
    LPR, Berkeley r utilities)
  • What? The hackers are back?

28
PBXs, voice services
  • Monitoring
  • Theft of Service
  • Fraud/social engineering
  • Denial of Service
  • Malware cache (PC-based VM)

29
Social Issues
  • Not recognizing threats & risks
  • Assuming attacks are simple
  • Assuming things are what they seem (e.g.,
    Slammer, Nimda, SoBig)
  • Assuming attacks/defenses are direct
  • Assuming you have it handled

30
So how do we fix things?
  • Information Assurance
  • Education (start to finish)
  • Research
  • Practice (Corporations, government... everyone!)

31
Information Assurance
  • Information Assurance (IA) concerns information
    operations that protect and defend information
    and information systems by ensuring availability,
    integrity, authentication, confidentiality, and
    nonrepudiation.
  • This includes providing for restoration of
    information systems by incorporating protection,
    detection, and reaction capabilities.
  • Source: National Security Telecommunications and
    Information Systems Security Instruction
    (NSTISSI) No. 4009, January 1999

32
NSA Centers of Excellence
  • Outreach program designed and operated by the
    National Security Agency (NSA)
  • Fulfills the spirit of Presidential Decision
    Directive 63 (PDD 63, National Policy on
    Critical Infrastructure Protection, May 1998)
  • Goal: To reduce vulnerability in our national
    information infrastructure by promoting higher
    education in IA, and producing a growing number
    of professionals with IA expertise in various
    disciplines

33
Where are they?
  • As of May 2003, 50 Centers nationwide
  • Mostly the East Coast
  • Closest to Seattle are Portland State, University
    of Idaho, Idaho State University
  • For more info: http://www.nsa.gov/isso/programs/coeiae/index.htm

34
2002 NSA Centers of Excellence
[Map of the 2002 NSA Centers of Excellence across the US, with Seattle marked]
35
Benefits to the nation
  • Meet national demand for professionals with IA
    expertise in various disciplines
  • Professionals enter the workforce better equipped
    to meet challenges facing our national
    information infrastructure
  • Centers act as focal points for recruiting
    individuals with IA expertise
  • Centers create a climate and foci to encourage
    independent research in critical IA areas

36
Summary
  • Vulnerabilities exist in places you might not
    think
  • Vulnerabilities are additive, interrelated
  • Complex attacks call for complex
    defenses/response
  • If you're not learning something new every day,
    you're falling behind your adversary

37
Questions?
  • dittrich _at_ u.washington.edu
  • http://staff.washington.edu/dittrich/

38
References
  • UW Medical Center
    – http://www.securityfocus.com/news/122/
    – http://www.hipaausa.com/hacker.html
    – http://www.cio.com/archive/110102/rules_content.html
    – http://www.cio.com/archive/031502/plan_content.html
  • Attack trees
    – http://www.counterpane.com/attacktrees-ddj-ft.html
  • Networking
    – http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24
    – http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt
    – http://www.securityfocus.com/infocus/1594

39
References (cont)
  • Routers
    – http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt
    – http://philby.ucsd.edu/bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf
    – http://www.net-tech.bbn.com/sbgp/IETF42.ppt
    – http://www.cymru.com/Presentations/barry.pdf
  • BGP, OSPF
    – http://www.cs.ucsb.edu/rsg/Routing/references/wang98vulnerability.pdf
    – http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf

40
References (cont)
  • Switches, ARP, local network attacks
    – http://www.comnews.com/stories/articles/c0103sfarea.htm
    – http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
  • Printers
    – http://members.cox.net/ltw0lf/printers/
  • PBXs
    – http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
  • DDoS, root kits
    – http://www.cert.org/reports/dsit_workshop.pdf
    – http://www.cert.org/archive/pdf/Managing_DoS.pdf
    – http://staff.washington.edu/dittrich/misc/ddos/
    – http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq