Security Threats: Network Based Attacks
Lecture 2
George Berg / Sanjay Goel

Administrivia
- Starting next week, we will meet in BA 349, a conference room, in keeping with the topics of the next 3 classes.
- I have to be away on Tuesday the 16th. I propose we hold that week's class on Thursday the 18th. That would make the schedule: Tuesday, March 9th; Thursday, March 18th; Tuesday, March 23rd.
Network Based Attacks: Types
- Self-Propagating Programs
- Spoofing
- Session Hijacking
- Buffer Overflow
Self-Propagating Programs

Self-Propagating Programs: Types
- Behavior: self-replicate and propagate through the network.
- Basic types: virus, worm, Trojan horse. (A Trojan horse does not spread on its own; it is the disguise under which a virus or worm is delivered, see the Trojan Horse slides below.)
- Many variants of the basic types exist.

Self-Propagating Programs: Viruses
- Self-replicating programs that attach themselves parasitically to existing programs in order to propagate.
- Consist of two parts: the viral portion and the payload.
- The program spreads by creating replicas of itself and attaching them to other executable programs to which it has write access.

Self-Propagating Programs: Viral Portion
- When a user executes an infected program (e.g. runs an infected executable, or boots from a disk with an infected boot sector), the viral portion of the code typically executes first and then returns control to the original program, which runs normally.

Self-Propagating Programs: Payload
- The action the self-replicating program performs once it runs.
- May be benign (printing a strange message, playing music) or malicious (destroying data, corrupting the hard disk).
- Unless there is a visible payload, the user is unlikely to notice the infection at all.

Self-Propagating Programs: Polymorphic Viruses
- Viruses that modify their own code before each replication, so that no two copies share the same byte pattern.
- Hard to detect with signature scanning, since the signature keeps changing.

Self-Propagating Programs: Worms
- Another form of self-replicating program that spreads automatically; a worm does not need a carrier program.
- Replicates by spawning copies of itself on other hosts.
- Finds and exploits software vulnerabilities in order to spread: mail servers, database servers, etc.
- More complex, and much harder to write, than viruses.
Virus
- Definition: malicious software that attaches itself to other software.
- Typical behavior: replicates within a computer system, potentially attaching itself to every other program.
- Behavior categories, e.g.: innocuous, humorous, data altering, catastrophic.

Virus: Targets & Prevention
- Vulnerabilities: all computers.
- Common categories: boot sector; Terminate and Stay Resident (TSR); application software; stealth (or chameleon).
- Prevention: limit connectivity; limit downloads; use only authorized media for loading data and software; enforce mandatory access controls.
- Viruses generally cannot run unless the host application is running.

Virus Protection: Detection
- Changes in file sizes or date/time stamps.
- Computer is slow starting or slow running.
- Unexpected or frequent system failures.
- Change of system date/time.
- Increased memory usage.
- Increased bad blocks on disks.

Virus Protection: Countermeasures
- Overall strategy: contain, identify and recover.
- Anti-virus scanners: look for known viruses (signatures).
- Anti-virus monitors: look for virus-related application behaviors.
- Attempt to determine the source of infection and issue an alert.
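What the detection and countermeasure slides above amount to in code, as an added example that is not part of the lecture: a baseline of file sizes and content hashes compared against a later scan (the "changed size or timestamp" check, done properly with a hash so that a same-size change is also caught), plus a lookup of each hash against a list of known-bad hashes, which is the scanner's signature check. The file contents, paths and the known-bad list are constructed for the example; the FNV-1a hash is used only to keep the code dependency-free, and a real tool would use SHA-256.

```c
/* Added example, not from the lecture: a minimal integrity checker of the
 * kind the detection and countermeasure slides describe. A baseline records
 * each file's size and content hash; a later scan is compared against it,
 * and each hash is also looked up in a list of known-bad hashes (what a
 * signature scanner does). File contents here are constructed in-memory
 * samples; a real tool reads them from disk. FNV-1a is used only because it
 * is short and has no dependencies; a scanner would use SHA-256. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 8

typedef struct {
    const char *path;
    size_t size;
    uint64_t hash;
} file_record;

/* 64-bit FNV-1a over a byte buffer. */
uint64_t fnv1a64(const unsigned char *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;       /* offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;                /* FNV prime */
    }
    return h;
}

/* Build a record from an in-memory "file". */
file_record record_file(const char *path, const char *content, size_t len) {
    file_record r;
    r.path = path;
    r.size = len;
    r.hash = fnv1a64((const unsigned char *)content, len);
    return r;
}

/* Compare a current scan with the baseline (same paths, same order).
 * Returns the number of files whose size or hash changed and writes their
 * paths to out[], which must hold at least n entries. */
int diff_against_baseline(const file_record *baseline,
                          const file_record *current, int n,
                          const char *out[]) {
    int changed = 0;
    for (int i = 0; i < n; i++) {
        if (baseline[i].size != current[i].size ||
            baseline[i].hash != current[i].hash)
            out[changed++] = current[i].path;
    }
    return changed;
}

/* Signature-style lookup: is this hash on the known-bad list? */
int matches_known_bad(uint64_t hash, const uint64_t *bad, int nbad) {
    for (int i = 0; i < nbad; i++)
        if (bad[i] == hash) return 1;
    return 0;
}

int main(void) {
    /* Constructed sample: two programs as they were when the baseline was
     * taken, then the same two after a viral portion has been prepended to
     * "ls" (a parasitic virus makes the host file larger and changes its
     * content; the viral code runs first, then jumps to the original). */
    const char clean_ls[]    = "\x7f" "ELF...ls-original-code...";
    const char clean_cat[]   = "\x7f" "ELF...cat-original-code...";
    const char infected_ls[] = "\x7f" "ELF...VIRAL-PORTION...ls-original-code...";

    file_record baseline[2] = {
        record_file("/bin/ls",  clean_ls,  sizeof clean_ls  - 1),
        record_file("/bin/cat", clean_cat, sizeof clean_cat - 1),
    };
    file_record current[2] = {
        record_file("/bin/ls",  infected_ls, sizeof infected_ls - 1),
        record_file("/bin/cat", clean_cat,   sizeof clean_cat   - 1),
    };

    /* Integrity check: which files differ from the baseline? */
    const char *changed[MAX_FILES];
    int n = diff_against_baseline(baseline, current, 2, changed);
    for (int i = 0; i < n; i++)
        printf("CHANGED: %s\n", changed[i]);            /* CHANGED: /bin/ls */

    /* Signature check: a hash published for this particular infection. */
    uint64_t known_bad[1] = { fnv1a64((const unsigned char *)infected_ls,
                                      sizeof infected_ls - 1) };
    for (int i = 0; i < 2; i++)
        if (matches_known_bad(current[i].hash, known_bad, 1))
            printf("KNOWN VIRUS: %s\n", current[i].path);  /* KNOWN VIRUS: /bin/ls */
    return 0;
}
```

The integrity check catches any modification, including a virus nobody has a signature for yet, but only if the baseline was taken on a clean system and is stored where the virus cannot rewrite it; the signature check catches only what is already on the list but can name the infection.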
Worm
- Definition: malicious software that is a stand-alone application (i.e. runs without a host application).
- Typical behavior: often designed to propagate through a network, rather than within a single computer.
- Vulnerabilities: multitasking, networked computers, especially those exposing network services (the worm needs a reachable service to exploit).

Worm: Prevention & Detection
- Prevention: limit connectivity; employ firewalls; keep software patched and in a secure state; watch for alerts.
- Detection: computer is slow starting or slow running; unexpected or frequent system failures.
- Countermeasures: overall methodology is contain, identify and recover; attempt to determine the source of the infection and issue an alert.
Worm Example: The Internet Worm
- In November 1988, a self-propagating worm known as the Internet Worm (or Morris worm) was released onto the Internet by Robert T. Morris.
- It attached itself to the computer system as a whole rather than to a single program.

Worm Example: Process
- The worm obtained a new target machine name from the host it had just infected and then attempted to get a shell running on the target.
- It used several means to get the shell running. It primarily exploited errors in two network-facing server programs: sendmail (a DEBUG option left enabled in the released program) and fingerd (a buffer overflow in the finger daemon, reached by sending an over-long request). It also attacked weak passwords.

Worm Example: Beachhead
- The shell served as a beachhead and was used to download several binaries, which were then used to crack passwords.
- A small built-in dictionary of common passwords and the system dictionary (/usr/dict/words) were used for cracking.
- The worm then attacked a new set of target hosts using any accounts it had cracked on the current host.

Worm Example: Stealth
- If the beachhead program was unable to fully infect a machine, it deleted itself and the files it had transferred.
- The worm unlinked its own files once they were loaded into memory, leaving little trace on disk.
- It changed its process name and periodically forked a fresh process (obtaining a new process ID), so that no single process showed a long runtime or heavy CPU usage.

Worm Example: Effect
- The worm was (supposedly) not intended to be malicious and did not damage data on the systems it infected.
- It did check whether a host was already infected, but was written to reinfect anyway one time in seven (to defeat a fake "already infected" reply). That rate was far too high: multiple copies piled up on each host and overloaded the machines, which is what made the worm so disruptive.
Trojan Horse
- Definition: a worm that pretends to be a useful program, or a virus purposely attached to a useful program prior to distribution.
- Typical behaviors: same as a virus or worm, but also often used to send information back to, or make information available to, the perpetrator.
- Vulnerabilities: unlike worms, which self-propagate, Trojan horses require user cooperation (the user must choose to run the program); untrained users are vulnerable.

Trojan Horse: Prevention and Detection
- Prevention: user cooperation lets Trojan horses bypass automated controls, so user training is the best prevention.
- Detection: same as virus and worm.
- Countermeasures: same as virus and worm. An alert must be issued not only to other system administrators but to all network users.

Time Bomb
- Definition: a virus or worm designed to activate at a certain date/time (a logic bomb whose trigger is the clock).
- Typical behaviors: same as a virus or worm, but the effect appears throughout the organization at once on the trigger date.
- Vulnerabilities: same as virus and worm. Time bombs are often found before the trigger date.

Time Bomb: Prevention and Detection
- Prevention: run the associated anti-virus update as soon as it is available.
- Detection: correlate user problem reports to find patterns indicating a possible time bomb.
- Countermeasures: contain, identify and recover; attempt to determine the source of infection and issue an alert.

Logic Bomb
- Definition: a virus or worm designed to activate under certain conditions (a particular user logging in, a file being removed, a counter reaching a value, etc.).
- Typical behaviors: same as virus or worm.
- Vulnerabilities: same as virus and worm.
- Prevention: same as virus and worm.
- Detection: correlate user problem reports indicating a possible logic bomb.
- Countermeasures: contain, identify and recover; determine the source and issue an alert.
Rabbit
- Definition: a worm designed to replicate to the point of exhausting computer resources.
- Typical behaviors: consumes all CPU cycles, disk space, network resources, etc.
- Vulnerabilities: multitasking computers, especially those on a network.

Rabbit: Prevention & Detection
- Prevention: limit connectivity; employ firewalls.
- Detection: computer is slow starting or running; frequent system failures.
- Countermeasures: contain, identify and recover; determine the source and issue an alert.

Bacterium
- Definition: a virus designed to attach itself to the operating system in particular (rather than to any application program) and exhaust computer resources, especially CPU cycles. (Much of the literature uses "bacterium" and "rabbit" interchangeably for resource-exhausting replicators; here they are distinguished by where the program attaches.)
- Typical behaviors: the operating system consumes more and more CPU cycles, eventually causing noticeable delay in user transactions.
- Vulnerabilities: older, unpatched versions of operating systems are more exposed, since their weaknesses are better known and more bacteria have been written for them.

Bacterium: Prevention and Detection
- Prevention: limit write privileges and opportunities to modify OS files; system administrators should work from non-admin accounts whenever possible.
- Detection: changes in OS file sizes or date/time stamps; computer is slow running; unexpected or frequent system failures.
- Countermeasures: anti-virus scanners (look for known viruses); anti-virus monitors (look for virus-related system behaviors).
Spoofing

Spoofing
- Definition: a computer on a network pretends to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.

Spoofing: Behaviors and Vulnerabilities
- Typical behaviors: the spoofing computer often has no access to user-level commands, so it attacks automation-level services such as email or message handlers instead.
- Vulnerabilities: automation services designed for network interoperability are especially exposed, in particular those that accept requests without authenticating the sender (which most open-standard protocols of the time did not).

Spoofing: Types
- IP spoofing: sending packets with a forged source IP address so that the receiving machine processes them as if they came from the claimed host. Types of IP spoofing:
  - Basic address change (the attacker simply writes a different source address into the packet header; nothing in IP verifies it)
  - Use of source routing so that replies to the spoofed address come back through the attacker
  - Exploiting trust relationships between Unix machines (e.g. rlogin/rsh hosts that trust by IP address)
- Email spoofing: the attacker sends messages masquerading as someone else. Techniques:
  - Fake email accounts
  - Changing the email client configuration
  - Telnet to the mail port (SMTP, TCP/25) and typing the message in directly; the server accepts whatever MAIL FROM and From: values it is given

Spoofing: Web Spoofing
- Assume the web identity of a site and control traffic to and from the web server.
- Several types of attack: basic (setting up fake sites); man-in-the-middle; URL rewriting; tracking state.

Spoofing: Prevention and Detection
- Prevention: limit the system privileges of automation services to the absolute minimum necessary; apply security patches as they become available.
- Detection: monitor transaction logs of automation services, scanning for unusual behavior.
- Countermeasures: disconnect automation services until patched; monitor automation access points, such as network sockets, for the next spoof, in an attempt to track the perpetrator.
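The "basic address change" from the Spoofing Types slide and the filter that stops it, as an added example that is not the lecture's code: a 20-byte IPv4 header is built with whatever source address the attacker chooses and a valid checksum, so the receiver cannot detect the forgery from the packet alone. What does catch it is an ingress filter at the network border (BCP 38 / RFC 2827) that drops packets arriving from outside with a source address inside the local prefix, and packets leaving with a source outside it. The addresses and the internal prefix are made-up values.

```c
/* Added example, not from the lecture: what an IP-spoofed packet looks like
 * at the byte level, and the ingress-filter check (BCP 38 / RFC 2827) that
 * stops it at a network border. The receiver cannot tell from the packet:
 * the attacker fills in any source address and recomputes the header
 * checksum, so the header validates. Addresses and the "internal prefix"
 * below are made-up values for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 Internet checksum over a buffer, big-endian 16-bit words. */
uint16_t inet_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;   /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries */
    return (uint16_t)~sum;
}

/* Write a 20-byte IPv4 header into hdr with an arbitrary source address.
 * The slide's "basic address change" is nothing more than this parameter:
 * the protocol never verifies who really sent the packet. */
void build_ipv4_header(uint8_t hdr[20], uint32_t src, uint32_t dst,
                       uint16_t total_len, uint8_t proto) {
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                              /* version 4, IHL 5 words */
    hdr[2] = (uint8_t)(total_len >> 8); hdr[3] = (uint8_t)total_len;
    hdr[8] = 64;                                /* TTL */
    hdr[9] = proto;                             /* 6 = TCP, 17 = UDP */
    hdr[12] = (uint8_t)(src >> 24); hdr[13] = (uint8_t)(src >> 16);
    hdr[14] = (uint8_t)(src >> 8);  hdr[15] = (uint8_t)src;
    hdr[16] = (uint8_t)(dst >> 24); hdr[17] = (uint8_t)(dst >> 16);
    hdr[18] = (uint8_t)(dst >> 8);  hdr[19] = (uint8_t)dst;
    uint16_t csum = inet_checksum(hdr, 20);     /* computed with field = 0 */
    hdr[10] = (uint8_t)(csum >> 8); hdr[11] = (uint8_t)csum;
}

/* Receiver-side validity check: a correct header sums to zero. */
int ipv4_header_checksum_ok(const uint8_t hdr[20]) {
    return inet_checksum(hdr, 20) == 0;
}

uint32_t ipv4_src(const uint8_t hdr[20]) {
    return ((uint32_t)hdr[12] << 24) | ((uint32_t)hdr[13] << 16) |
           ((uint32_t)hdr[14] << 8) | hdr[15];
}

/* Ingress filter at the border router. A packet arriving on the external
 * interface must not claim a source inside our own prefix, and a packet
 * leaving through it must not claim a source outside our prefix.
 * Returns 1 = drop, 0 = forward. */
int ingress_filter_drop(uint32_t src, int arriving_from_outside,
                        uint32_t prefix, uint32_t mask) {
    int src_is_internal = (src & mask) == (prefix & mask);
    return arriving_from_outside ? src_is_internal : !src_is_internal;
}

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))

int main(void) {
    uint8_t pkt[20];
    /* An outside attacker forges a packet "from" trusted internal host 10.0.0.5. */
    build_ipv4_header(pkt, IP(10, 0, 0, 5), IP(10, 0, 0, 1), 40, 6);
    printf("checksum valid: %d\n", ipv4_header_checksum_ok(pkt));        /* 1 */
    printf("dropped by ingress filter: %d\n",
           ingress_filter_drop(ipv4_src(pkt), 1, IP(10, 0, 0, 0), 0xff000000u)); /* 1 */
    return 0;
}
```

The checksum protects against transmission errors, not against a sender who lies; the only defence that works against a forged source is applied where the packet enters the network, which is why the filter is keyed on interface plus prefix and not on anything in the packet's own claims.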
Masquerade
- Definition: accessing a computer by pretending to have an authorized user's identity.
- Typical behaviors: the masquerading user often employs network or administrator command functions to reach even more of the system, e.g. by attempting to download the password file or routing tables.
- Vulnerabilities: placing false or modified login prompts on a computer is a common way to obtain user IDs and passwords, as are snooping, scanning and scavenging.

Masquerade: Prevention and Detection
- Prevention: limit user access to network or administrator command functions; implement multiple levels of administrators, with different, restricted privileges for each.
- Detection: correlate user identification with shift times or increased frequency of access; correlate user command logs with administrator command functions.
- Countermeasures: change the user's password, or use standard administrator functions to determine the access point and then trace back to the perpetrator.
Session Hijacking

Session Hijacking
- Definition: the attacker takes over an existing active session and exploits the trust relationship that the session's authentication established.

Session Hijacking: Process
- The user connects to the server and authenticates with a user ID and password.
- Once authenticated, the user has access to the server for as long as the session lasts; nothing after login re-checks who is at the other end of the connection.
- The attacker takes the user offline (e.g. by a denial of service).
- The attacker then accesses the server by impersonating the user on the still-open session.
- Typical behaviors: the attacker usually monitors the session first, periodically injects commands into it, and can launch passive and active attacks from it.

Session Hijacking: Process (diagram)
- [Figure: Bob telnets to Server and authenticates; the Attacker sends "Die!" to Bob (knocking him off) and "Hi! I am Bob" to the Server, continuing Bob's session.]
- Protection: use encryption; use a secure protocol; limit incoming connections; minimize remote access; have strong authentication.

Session Hijacking: Popular Programs
- Juggernaut: network sniffer that can also be used for hijacking. Get from http://packetstorm.securify.com
- Hunt: can be used to listen to, intercept and hijack active sessions on a network. http://lin.fsid.cvut.cz/~kra/index.html
- TTY Watcher: freeware program to monitor and hijack sessions on a single host. http://www.cerias.purdue.edu
- IP Watcher: commercial session hijacking tool based on TTY Watcher. http://www.engrade.com
Buffer Overflow & Other Attacks

Buffer Overflow Attacks
- Definition: the attacker sends more data to a program than the receiving buffer (often on the stack) can hold. The excess is written over adjacent memory, including control data such as the saved return address, and the attacker exploits that corruption to execute code of their choosing.

Buffer Overflow Attacks: Behaviors and Vulnerabilities
- Typical behaviors: can be used against many network services. Can be used for denial of service (easier: just crash the service) or to obtain privileges on the machine (harder: the overwritten data must be crafted to redirect execution).
- Vulnerabilities: takes advantage of the way programs lay out data in memory. Programs that do not rigorously check the length of input against the size of the buffer are vulnerable.

Buffer Overflow Attacks: Scenario and Impact
- Scenario: if the memory allocated for a name is 50 characters, someone can break the program by sending a fictitious name of more than 50 characters.
- Impact: can be used for espionage, denial of service or compromising the integrity of data.
- Some vulnerable software (as reported at the time): NetMeeting buffer overflow; Outlook buffer overflow; AOL Instant Messenger buffer overflow; SQL Server 2000 extended stored procedure buffer overflow.
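The 50-character name scenario in working C, as an added example (the function, type and field names are mine, not from the lecture): the vulnerable copy beside the hardened one. The vulnerable version is exactly the pattern the slide describes and is deliberately never called with the long input, since that call is the crash; the hardened version bounds the search for the terminator by the buffer size and fails closed when the name does not fit.

```c
/* Added example, not from the lecture: the slide's 50-character "name"
 * scenario. read_name_unsafe() is the pattern that makes a program
 * exploitable; read_name_safe() is the same operation with the length check
 * the slide says is missing. Names of functions and fields are mine. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 50

typedef struct {
    char name[NAME_MAX];
    int  is_admin;    /* sits right after the buffer: an overflow lands here */
} user_record;

/* VULNERABLE: copies whatever the client sent. With input of 50 bytes or
 * more (49 characters plus the NUL is the most that fits) this writes past
 * name[] into is_admin and, when the record lives on the stack, on into
 * saved registers and the return address. That is undefined behaviour, and
 * this function must never be called with untrusted input. */
void read_name_unsafe(user_record *u, const char *input) {
    strcpy(u->name, input);
}

/* HARDENED: look for the terminator only within the buffer size, so an
 * over-long name is rejected before anything is copied.
 * Returns 0 on success, -1 if the input does not fit. */
int read_name_safe(user_record *u, const char *input) {
    const char *end = memchr(input, '\0', NAME_MAX);  /* never scans past NAME_MAX */
    if (end == NULL)                 /* 50 or more bytes: no room for the NUL */
        return -1;
    size_t n = (size_t)(end - input);
    memcpy(u->name, input, n + 1);   /* n characters plus the terminator */
    return 0;
}

int main(void) {
    user_record u = { "", 0 };
    char attack[120];                 /* constructed over-long "name" */
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    printf("safe, short name -> %d\n", read_name_safe(&u, "alice"));       /* 0 */
    printf("safe, 119-byte name -> %d, is_admin=%d\n",
           read_name_safe(&u, attack), u.is_admin);                        /* -1, 0 */
    /* read_name_unsafe(&u, attack) is deliberately NOT called: that is the crash. */
    return 0;
}
```

The check must be against the destination size, not the source length, and must happen before the copy; strncpy alone is not a fix, since it silently drops the terminator when the input is exactly too long.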
Denial of Service
- Definition: an attack through which a person renders a system unusable, or significantly slows it down, for legitimate users by overloading it so that no one else can use it.

Denial of Service: Typical Behaviors
- Crashing the system or network: send the victim data or packets that cause the system to crash or reboot.
- Exhausting resources by flooding the system or network with traffic; since all resources are consumed, others are denied access to them.
- Distributed DoS (DDoS) attacks are coordinated denial of service attacks involving several people and/or machines (typically many compromised hosts) launching the attack together.

Denial of Service: Popular Programs and Vulnerabilities
- Ping of Death; SSPing; Land; Smurf; SYN Flood; CPU Hog; WinNuke; RPC Locator; Jolt2; Bubonic.
- Microsoft incomplete TCP/IP packet vulnerability; HP OpenView Node Manager SNMP DoS vulnerability; NetScreen firewall DoS vulnerability; Check Point firewall DoS vulnerability.
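The checks that close two of the crash-type attacks in the list above, as an added example that is not from the lecture: a fragment sanity check of the kind that fixed Ping of Death (a fragment whose offset plus length exceeds the maximum datagram size would overflow the reassembly buffer), and the Land check (a TCP segment whose source address and port equal its destination). The field values used are constructed.

```c
/* Added example, not from the lecture: the input checks that close two of
 * the crash-type attacks listed above. Ping of Death sends IP fragments
 * whose offset plus length exceed the 65535-byte maximum datagram, so a
 * naive reassembler writes past its buffer; Land sends a TCP SYN whose
 * source equals its destination (address and port), which made some stacks
 * loop. Both are rejected by checking the header fields before acting on
 * them. Field values below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u
#define IP_HDR_MIN      20u

/* Fragment sanity check. offset_units is the 13-bit Fragment Offset field
 * (in 8-byte units); payload_len is the fragment's data length in bytes.
 * Returns 1 if the fragment may be reassembled, 0 if it must be dropped. */
int fragment_fits(uint16_t offset_units, uint16_t payload_len) {
    uint32_t start = (uint32_t)(offset_units & 0x1fff) * 8u;
    uint32_t end = start + payload_len;            /* fits in uint32, no wrap */
    /* header + data of the reassembled datagram must not exceed 65535 */
    return end <= IP_MAX_DATAGRAM - IP_HDR_MIN;
}

/* Land check on a TCP segment's addressing. Returns 1 if it must be dropped. */
int is_land_packet(uint32_t src_ip, uint16_t src_port,
                   uint32_t dst_ip, uint16_t dst_port) {
    return src_ip == dst_ip && src_port == dst_port;
}

int main(void) {
    /* Ping of Death: a last fragment at offset 8189*8 = 65512 carrying 1000 bytes. */
    printf("PoD fragment accepted: %d\n", fragment_fits(8189, 1000));   /* 0 */
    /* A normal last fragment of a 1500-byte ping. */
    printf("normal fragment accepted: %d\n", fragment_fits(185, 20));    /* 1 */
    /* Land: SYN from 10.0.0.1:139 to 10.0.0.1:139. */
    printf("Land dropped: %d\n",
           is_land_packet(0x0a000001u, 139, 0x0a000001u, 139));          /* 1 */
    return 0;
}
```

Both checks are cheap and stateless, which is why they belong in the stack or firewall rather than in application code; the flood-type attacks in the same list (SYN flood, Smurf) cannot be handled this way because every individual packet is well-formed.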
Tunneling
- Definition: an attempt to get under a security system by accessing very low-level system functions (e.g. device drivers, OS kernels) that the security system itself depends on.

Tunneling: Behaviors and Vulnerabilities
- Typical behaviors: unexpected disk accesses, unexplained device failure, halted security software, etc.
- Vulnerabilities: tunneling attacks often work by creating system emergencies that force a system reload or re-initialization, during which the low-level code is replaced.

Tunneling: Prevention and Detection
- Prevention: design security and audit capabilities into even the lowest-level software, such as device drivers and shared libraries.
- Detection: changes in date/time stamps of low-level system files, or changes in sector/block counts for device drivers.
- Countermeasures: patch or replace compromised drivers to close the access; monitor suspected access points to attempt a trace back.

Trap Door
- Definition: system access for developers inadvertently left available after software delivery. Sometimes deliberately installed by malicious software.

Trap Door: Behaviors and Vulnerabilities
- Typical behaviors: unauthorized system access enables viewing, alteration or destruction of data or software.
- Vulnerabilities: software developed outside organizational policies and formal methods.

Trap Door: Prevention and Detection
- Prevention: enforce defined development policies; limit network and physical access.
- Detection: audit trails of system usage, especially user identification logs.
- Countermeasures: close the trap door, or monitor ongoing access to trace back to the perpetrator; virus and worm countermeasures.
Identity Theft

Sequential Scanning
- Definition: sequentially testing passwords/authentication codes until one succeeds.
- Typical behaviors: multiple users attempting network or administrator command functions, indicating multiple masquerades.
- Vulnerabilities: login prompts usually impose a delay after failed attempts to foil on-line automated scanning, so a common technique is to obtain the encoded (hashed) password table and test guesses against it off-line, where no delay applies.

Sequential Scanning: Prevention and Detection
- Prevention: enforce organizational secure password policies; make system administrator access to password files secure.
- Detection: correlate user identification with shift times; correlate user problem reports relevant to possible masquerades.
- Countermeasures: change the entire password file, or use baiting tactics to trace back to the perpetrator.

Dictionary Scanning
- Definition: scanning through a dictionary of commonly used passwords/authentication codes until one succeeds.
- Typical behaviors: multiple users attempting network or administrator command functions, indicating multiple masquerades.
- Vulnerabilities: use of common words and names as passwords or authentication codes, and so-called "Joe accounts" whose password is the user name itself (e.g. guest/guest, test/test).

Dictionary Scanning: Prevention and Detection
- Prevention: enforce organizational password policies.
- Detection: correlate user identification with shift times; correlate user problem reports relevant to possible masquerades.
- Countermeasures: change the entire password file, or use baiting tactics to trace back to the perpetrator.
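Detection logic for the sequential and dictionary scanning described in the last four slides, run over a few constructed log lines, as an added example that is not part of the lecture. The log format (epoch, result, user=, src=) is made up for the example; real authentication logs differ but carry the same fields. On-line scanning shows up as many failures for one user or from one source inside a short window, which is what the detector counts and flags.

```c
/* Added example, not from the lecture: detection logic for sequential and
 * dictionary password scanning, run over constructed log lines. The log
 * format "<epoch> <FAIL|OK> user=<name> src=<ip>" is made up for the
 * example. Failures are counted per user and per source inside a time
 * window; either count crossing a threshold is an alert. */
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 32
#define KEY_LEN  64

typedef struct { char key[KEY_LEN]; int failures; } counter;

/* Increment the failure count for key, adding it to the table if new.
 * Returns the new count, or -1 if the table is full. */
static int bump(counter *tab, int *n, const char *key) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].key, key) == 0) return ++tab[i].failures;
    if (*n == MAX_KEYS) return -1;
    strncpy(tab[*n].key, key, KEY_LEN - 1);
    tab[*n].key[KEY_LEN - 1] = '\0';
    tab[*n].failures = 1;
    (*n)++;
    return 1;
}

/* Parse one log line and, if it is a failure at or after window_start,
 * count it per user and per source. Returns 1 if the line was a counted
 * failure, 0 otherwise (success, outside the window, or unparseable). */
int ingest_line(const char *line, long window_start,
                counter *by_user, int *nu, counter *by_src, int *ns) {
    long ts;
    char result[8], user[KEY_LEN], src[KEY_LEN];
    if (sscanf(line, "%ld %7s user=%63s src=%63s", &ts, result, user, src) != 4)
        return 0;
    if (strcmp(result, "FAIL") != 0 || ts < window_start)
        return 0;
    bump(by_user, nu, user);
    bump(by_src, ns, src);
    return 1;
}

/* Number of keys whose failure count is at or above threshold; the keys
 * themselves are written to out[], which must hold at least n entries. */
int flag_over_threshold(const counter *tab, int n, int threshold,
                        const char *out[]) {
    int k = 0;
    for (int i = 0; i < n; i++)
        if (tab[i].failures >= threshold) out[k++] = tab[i].key;
    return k;
}

int main(void) {
    /* Constructed sample: one source walking a dictionary against "root",
     * one successful login, and one user who mistyped a password once. */
    const char *log[] = {
        "1000 FAIL user=root src=198.51.100.7",
        "1001 FAIL user=root src=198.51.100.7",
        "1002 FAIL user=root src=198.51.100.7",
        "1003 FAIL user=root src=198.51.100.7",
        "1004 FAIL user=root src=198.51.100.7",
        "1005 OK   user=alice src=192.0.2.10",
        "1006 FAIL user=bob src=192.0.2.11",
        "1007 OK   user=bob src=192.0.2.11",
    };
    counter by_user[MAX_KEYS], by_src[MAX_KEYS];
    int nu = 0, ns = 0;
    for (size_t i = 0; i < sizeof log / sizeof log[0]; i++)
        ingest_line(log[i], 900, by_user, &nu, by_src, &ns);

    const char *hits[MAX_KEYS];
    int n = flag_over_threshold(by_user, nu, 5, hits);
    for (int i = 0; i < n; i++)
        printf("ALERT user %s: possible password scan\n", hits[i]);    /* root */
    n = flag_over_threshold(by_src, ns, 5, hits);
    for (int i = 0; i < n; i++)
        printf("ALERT source %s: possible password scan\n", hits[i]);  /* 198.51.100.7 */
    return 0;
}
```

Counting per source as well as per user matters: a scanner that spreads its guesses over many accounts ("password spraying") never trips a per-user threshold but still shows up as one source with many failures. None of this helps against the off-line case the Sequential Scanning slide describes, where no login attempts are ever made; that one is only addressed by protecting the hashed password file and by strong passwords.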
Digital Snooping
- Definition: electronic monitoring of digital networks to uncover passwords or other data.
- Typical behaviors: system administrators found on-line at unusual or off-shift hours; changes in the behavior of the network transport layer.
- Vulnerabilities: an example of how COMSEC (communications security) affects COMPUSEC (computer security). Links can be more vulnerable to snooping than nodes.

Digital Snooping: Prevention and Detection
- Prevention: employ data encryption; limit physical access to network nodes and links.
- Detection: correlate user identification with shift times; correlate user problem reports; monitor network performance.
- Countermeasures: change encryption schemes, or employ network monitoring tools to attempt a trace back to the perpetrator.

Shoulder Surfing
- Definition: direct visual observation of monitor displays or keyboards to obtain access credentials.
- Typical behaviors: an authorized user found on-line at unusual or off-shift hours, indicating a possible masquerade; an authorized user attempting administrator command functions.
- Vulnerabilities: sticky notes used to record account and password information; password entry screens that do not mask typed text; loitering opportunities.

Shoulder Surfing: Prevention and Detection
- Prevention: limit physical access to computer areas; require frequent password changes by users.
- Detection: correlate user identification with shift times or increased frequency of access; correlate user command logs with administrator command functions.
- Countermeasures: change the user's password, or use standard administrator functions to determine the access point and then trace back to the perpetrator.

Dumpster Diving
- Definition: going through discarded trash to obtain passwords and other data.
- Typical behaviors: multiple users attempting network or administrator command functions, indicating multiple masquerades.
- Vulnerabilities: sticky notes used to record account and password information; system administrator printouts of user logs.

Dumpster Diving: Prevention and Detection
- Prevention: destroy discarded hardcopy.
- Detection: correlate user identification with shift times; correlate user problem reports relevant to possible masquerades.
- Countermeasures: change the entire password file, or use baiting tactics to trace back to the perpetrator.

Browsing
- Definition: automated scanning of large unprotected data sets to obtain clues that help gain access, e.g. discarded media or on-line "finger"-type commands.
- Typical behaviors: an authorized user found on-line at unusual or off-shift hours, indicating a possible masquerade; an authorized user attempting admin command functions.

Browsing: Vulnerabilities
- Finger-type services provide information to any and all users.
- The information is usually assumed safe, but it can give clues to passwords (e.g. a spouse's name).

Browsing: Prevention & Detection
- Prevention: destroy discarded media; disable finger-type services, especially on open networks.
- Detection: correlate user identification with shift times or increased frequency of access; correlate user command logs with administrator command functions.
- Countermeasures: change the user's password, or use standard administrator functions to determine the access point and then trace back to the perpetrator.
Other Security Risks

Equipment Malfunction
- Definition: hardware operates in abnormal, unintended ways.
- Typical behaviors: immediate loss of data due to abnormal shutdown; continuing loss of capability until the equipment is repaired.
- Vulnerabilities: vital peripheral equipment is often more vulnerable than the computers themselves.
- Prevention: replication of the entire system, including all data and recent transactions.
- Detection: hardware diagnostic systems.

Software Malfunction
- Definition: software does not work in its intended manner.
- Typical behaviors: immediate loss of data due to an abnormal end; repeated failures when the faulty data is used again.
- Vulnerabilities: poor software development practices.
- Prevention: enforce strict software development practices; comprehensive software testing procedures.
- Detection: use software diagnostic tools.
- Countermeasures: backup software; robust operating systems.

User Error
- Definition: inadvertent alteration, manipulation or destruction of programs, data files or hardware.
- Typical behaviors: incorrect data entered into the system, or incorrect behavior of the system.
- Vulnerabilities: poor user documentation or training.
- Prevention: enforcement of training policies and separation of programmer/operator duties.
- Detection: audit trails of system transactions.
- Countermeasures: backup copies of software and data; on-site replication of hardware.

Spam
- Definition: flooding a system with incoming messages or other traffic to cause it to fail or become unusable.
- Typical behaviors: crashes, eventually traced to an overfull buffer or swap space.
- Vulnerabilities: open networks that accept traffic from anyone without authenticating the sender are especially vulnerable.
- Prevention: require authentication fields in message traffic.
- Detection: monitor disk partitions, network sockets, etc. for overfull conditions.
- Countermeasures: examine message headers to attempt a trace back to the perpetrator.

References: Sources & Further Reading
- CERT and CERIAS web sites
- Security in Computing, by Pfleeger & Pfleeger
- Hackers Beware, by Eric Cole
- NIST web site
- Other web sources