Introduction
thm@informatik.uni-rostock.de
http://wwwiuk.informatik.uni-rostock.de/
Content
- Introduction
- Identifying Risks
- Taxonomy of Possible Attacks
- Security Fundamentals and Defense Components
Attack sophistication vs. intruder technical knowledge
(Figure) From: Howard F. Lipson. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Technical report, CERT Coordination Center, November 2002.
Attackers
- Lonely attackers
  - Social background
  - Publicity as motivation
  - Might want to make a political statement
  - Usually take low risk
- Organized crime
  - Money as motivation
  - Medium risk
- Terrorists
  - Politically or socially motivated
  - Take the highest risk, up to danger of life
  - Destruction / confusion
- Competitors
  - Want low risk of being unveiled, depending on the worth of the information
  - Information theft or destruction
- Governmental organizations
  - Industrial espionage for the sake of domestic companies
  - Military espionage
Most dangerous attacks
http://www.sans.org/top20/
Unix problems as of June 2006:
- Computer Associates License Manager Overflows (CVE-2005-0581, CVE-2005-0582, CVE-2005-0583)
- Novell eDirectory iMonitor and ZENworks Buffer Overflows (CVE-2005-2551, CVE-2005-1543)
- Computer Associates Message Queuing Vulnerabilities (CVE-2005-2668)
- Sun Java Security Vulnerabilities (CVE-2004-1029, CVE-2005-0418, CVE-2005-0836, CVE-2005-1973, CVE-2005-1974)
- HP Radia Management Software Overflows (CVE-2005-1825, CVE-2005-1826)
- Snort BackOrifice Preprocessor Buffer Overflow (CVE-2005-3252)
- RSA SecurID Web Agent Overflow (CVE-2005-1471)
Attacks and goals of an attacker
- Information theft, resulting in
  - Advantage in competition
  - Embarrassment
  - Extortion
- Destruction, resulting in
  - Fun and self-glorification
  - Political statements
Attacks against a computer: Information gathering
- Information will be sent to an attacker
- Network-attached computers are obviously at much higher risk
- Attacker needs to gain access through:
  - Social engineering
  - Viruses / trojans / worms
  - Physical theft of storage media
  - Sniffing
Attacks against a computer: Information destruction
- Information will be lost
  - Physical attacks / fire / natural disasters
  - Intended deletions
- Performed via:
  - Social engineering
  - Viruses / trojans / worms
Attacks against a computer: Viruses
- File infection
- System and boot record infection
- Macro viruses
- Functions:
  - Destruction
  - Confusion
  - Publicity
Attacks against a computer: Worms
- Mailing worms spread through e-mail
  - Payload might be a virus / trojan
  - Example: Melissa
- Network worms spread by exploiting known software flaws, such as buffer overflows
  - Stages: target selection, exploit, infect, spread / propagate
  - Example: SQL Slammer
Attacks against a computer: Trojans
- Malicious software hides inside useful software
- Functions might be:
  - Logging
  - Destroying
  - Installation of further software, such as DoS clients or root kits
  - Conditional start of processes / time bomb
- Examples: Back Orifice
Attacks against a computer: Denial of Service
- Attacker wants to overload a service provided by a computer or device
- Attacks against competitors or as a political / social statement
- Bad requests are not distinguishable from normal ones
- Examples:
  - HTTP
  - DNS DoS
  - SYN flooding
Attacks against a computer: Distributed Denial of Service
- Increased impact by distributing the attack
- (Figure) Attacker controls daemon nodes (zombies), which attack the target server
Attacks against a computer: Spoofing
- Attacker claims someone else's identity
- Usually attacker and target have to share a network segment
- Attacker might deliver false information
  - Routes
  - Names
- Basically all protocols' responses are potentially subject to spoofing
- Examples:
  - MAC spoofing
  - IP spoofing
  - DNS spoofing
Attacks against a computer: Session hijacking
- Attacker breaks into an existing session without the need to log in
- Examples:
  - telnet
  - http
  - ftp
  - pop / imap / smtp
Attacks against a computer: WWW attacks
- Cross-site scripting
- Cookie tampering
- Attacks against the HTTP server
- Parameter tampering
- Session hijacking
Attacks against a computer: Password / key attacks
- Brute force
- Guessing / dictionary attacks
- Flaws in implementation, e.g. passwords saved as plain text
Attacks against a computer: Port / network scanning
- Attacker wants to gain further information about the structure of the network
  - Sniffing
  - Mapping
  - Port scans
  - Management protocols such as SNMP or ICMP
Attacks against a computer: Security scanning
- Attacker wants to gain further information about installed software which has known exploits
- Looking for certain versions of server processes / daemons
  - HTTP scan
  - FTP scan
Taxonomies
- M. Bishop and D. Bailey. A critical analysis of vulnerability taxonomies, September 1996.
- Matt Bishop. A Taxonomy of (Unix) System and Network Vulnerabilities. Technical Report CSE-9510, Department of Computer Science, University of California at Davis, May 1995.
- Richard Bisbey II and Dennis Hollingworth. Protection Analysis: Final Report. Technical report, University of Southern California, May 1978.
- R. P. Abbott, J. S. Chin, J. E. Donnelley, W. L. Konigsford, S. Tokubo, and D. A. Webb. Security Analysis and Enhancements of Computer Operating Systems. Technical Report NBSIR 76-1041, Institute for Computer Sciences and Technology, National Bureau of Standards, April 1976.
A Taxonomy - Dimensions
- By category: virus, worm, trojan, buffer overflow, DoS, network attack, physical attack, password attack, information gathering
- By target being attacked
  - Hardware: computer hard discs, cabling, peripheral devices
  - Software: applications, operating systems
  - Network: protocols
- By exploit being used for the attack
- By payload of the attacking protocol
- By damage caused
- By costs of the attack
- By propagation of the attacking program
History
- 1978: term "worm" used by Xerox PARC
- 1981: first virus (for Apple II OS)
- 1983: first formal use of the term "virus"
- 1995: first DoS attack
- 1999: first DDoS attack
Security Components
- Packet filter
- Stateful firewall
- Intrusion Detection System
- VPN gateways
- Border routers
- Internal networks
- Demilitarized zones
Security Components: Packet filter
- Static packet filters inspect network packets
  - Source address
  - Destination address
  - Ports (TCP / UDP for instance)
  - Type of packet
- Decides whether a packet can pass the filter or will be dropped
- Example: Smurf attack
  - ICMP echo request packets (ping) with a false source address, sent to internal broadcast addresses
  - Used February 2000 against Yahoo! and CNN
Security Components: Packet filter
- Faster than stateful inspection
- On the fly
- Function integrated in routers
- Linux iptables realizes packet filtering
Security Components: Stateful firewalls
- Most common type of firewall
- Keep track of connections / sessions
- Know the state machines of stateful protocols
- Simplest type is a connection tracker:
  - packets are accepted if they belong to an open connection
  - connection requests (TCP: SYN) will be accepted from the internal network
- Example / Exercise: an nmap ACK scan passes non-stateful firewalls (the probes are taken to be responses to requests), but will be stopped at a stateful firewall (http://www.insecure.org/nmap/)
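As an added illustration (not part of the lecture), here is a minimal stateless packet filter next to a connection-tracking filter in Python, run over constructed packets; the address range, packet fields and rule set are assumptions. It shows why the nmap ACK scan from this slide passes the static filter (every ACK looks like a reply) but not the stateful one, and also applies the Smurf rule from the packet-filter slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                        # constructed model: only fields the filters inspect
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                       # "tcp" or "icmp"
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"}, {"ACK"}
    inbound: bool = True             # True: arrives from the external network

INTERNAL_PREFIX = "10.0.0."          # assumed internal address range
BROADCAST = "10.0.0.255"             # assumed internal broadcast address

def static_filter(p: Packet) -> bool:
    """Stateless packet filter: each packet is judged on its own header only."""
    if p.proto == "icmp" and p.dst == BROADCAST:
        return False                 # Smurf: echo requests to broadcast are dropped
    if p.inbound and p.src.startswith(INTERNAL_PREFIX):
        return False                 # inbound packet claiming an internal source
    if not p.inbound:
        return True                  # everything from the internal network may leave
    if p.proto == "tcp" and p.dport == 80:
        return True                  # public web server
    # Classic "established" heuristic: any packet with ACK set is assumed to be
    # part of an existing connection. An ACK scan consists of exactly such packets.
    return p.proto == "tcp" and "ACK" in p.flags

class StatefulFilter:
    """Connection tracker: inbound TCP passes only if it belongs to an open session."""
    def __init__(self) -> None:
        self.sessions: set = set()   # (internal ip, port, external ip, port)

    def accept(self, p: Packet) -> bool:
        if p.proto == "icmp" and p.dst == BROADCAST:
            return False
        if not p.inbound:            # the internal side may open connections (SYN)
            if p.proto == "tcp" and "SYN" in p.flags:
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if p.proto == "tcp" and p.dport == 80 and p.flags == frozenset({"SYN"}):
            self.sessions.add(key)   # new inbound connection to the web server
            return True
        return key in self.sessions  # unsolicited ACK probes match nothing: dropped

ACK_PROBE = Packet("198.51.100.9", 40000, "10.0.0.5", 22, "tcp", frozenset({"ACK"}))

def ack_scan_verdicts() -> tuple:    # (static verdict, stateful verdict) for the probe
    return static_filter(ACK_PROBE), StatefulFilter().accept(ACK_PROBE)
```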
Example
[root@titan ~]# nmap -A -T4 139.30.241.7
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-06-26 17:16 CEST
Interesting ports on ruri.informatik.uni-rostock.de (139.30.241.7):
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)
53/tcp   open  domain
80/tcp   open  http        Apache httpd 2.0.54 ((Debian GNU/Linux) DAV/2 PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e)
110/tcp  open  pop3
143/tcp  open  imap?
443/tcp  open  ssl/http    Apache httpd 2.0.54 ((Debian GNU/Linux) DAV/2 PHP/4.3.10-16 mod_ssl/2.0.54 OpenSSL/0.9.7e)
608/tcp  open  rpc.unknown
993/tcp  open  imaps       Cyrus imapd
995/tcp  open  ssl/pop3    Cyrus pop3sd
6667/tcp open  irc         Unreal ircd
MAC Address: 00:90:27:1C:02:86 (Intel)
Device type: general purpose
Running: Linux 2.4.X 2.5.X 2.6.X
OS details: Linux 2.4.18-2.6.7
Uptime 44.804 days (since Fri May 12 22:01:52 2006)
Nmap finished: 1 IP address (1 host up) scanned in 158.194 seconds
[root@titan ~]#
Security Components: Proxy firewalls
- Alternative to stateful firewalls
- Least common type
- Block any non-established, non-permitted connections
- Internal and external hosts never communicate directly
  - Proxy works on behalf of both sides
- Examine the entire packet to ensure that only protocol-compliant traffic passes
- Example: HTTP proxy
  - Internal client sends request to proxy
  - Proxy requests URL from external server
  - External server responds
  - Proxy sends its own response to the internal client
Security Components: Proxy firewalls
- Attack example:
  - Attacker sends HTML e-mail with embedded images
  - Users open the e-mail
  - Images will be loaded from a web server
  - Web server harvests browser data
  - Manipulated images and software flaws might be another threat
- Other functions:
  - Prevent users from seeing pornographic material
  - Protect (to a certain extent) information from being sent to outside sites
  - Combination with other systems (virus filter, spam filter, IDS, filter for known attack patterns)
Security Components: Intrusion Detection Systems
- Identification of attacks / suspicious traffic
- Help to set up / configure firewalls
Security Components: Virtual Private Networks
- VPNs create a common address range
- VPNs protect communications over unprotected networks as if they happened within a single network
- Mutual authentication of communication partners
- VPNs offer significant cost savings over dedicated connections
- Example: an employee works at home and connects to the company network
- Threats:
  - VPNs bypass all perimeter security mechanisms
  - VPN users might at the same time have other, personal connections
Security Components: Zones
- Demilitarized zones (DMZ)
  - Small network containing public services such as HTTP
  - DMZs are often protected by firewalls etc.
  - DMZs are outside the internal network
  - DMZs are considered to be more insecure than the internal network
- Screened subnets
  - Isolated networks inside the internal network
  - Well-fortified services inside the isolated network
- Examples:
  - Subnet for mobile computers
  - Subnet for public services
  - Subnet with WLAN
Security Components: Internal Network
- Limited access to the external network via well-known gateways only
- People accessing the internal network are usually more trustworthy, but not necessarily
- Internal attack risk depends on:
  - The number of users
  - Trust in users
  - The way users access the network (notebook computers?)
  - Skills of users
- Conclusion: hosts have to be protected
  - Personal firewalls
  - Anti-virus software
  - Configuration
Summary
- There are several severe types of attacks
- Attackers have different motivations and resources
- Networked computers are at much higher risk
- Several components are necessary to protect networks and computers
  - Firewalls, IDS, VPN, DMZ are those components
- Don't forget the human factor!
Exercise for this lecture
- nmap examples