* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download 1998-10-16-MAEDS-NetSecurity
Survey
Document related concepts
Network tap wikipedia , lookup
Airborne Networking wikipedia , lookup
Net neutrality law wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Wireless security wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Distributed firewall wikipedia , lookup
Computer security wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Transcript
Network Security by: Mark Lachniet ([email protected]) Introductions Mark Lachniet Director of Information Data Systems at Holt Public Schools Novell MasterCNE Freeware Disc Golf <yay!> And the Victim A.K.A. “Fred” “White Hats” and “Black Hats” • The good guys versus the bad guys • Some developers of “hacking” programs do so to educate others and point out flaws for the betterment of computer security • A wide variety of “white hat” help, advisories, and lists are available • Also an ever-growing group of “black hats” armed with easy-to-use scripts known as “script kiddies.” Networks & Servers • Requirement to do business • Time and knowledge intensive to manage • Many connected to the Internet • Easy availability of hacking tools = DANGER Security Risks • • • • • • • Physical, Logical, and policy security User habits - passwords, logging in & out Software bugs, Viruses & Trojans Network attacks Disgruntled employees Competitors Bored K12 students :) Focusing on the Net • Focus on networks and the Internet • Most school districts are connected to the Internet • The threat of a remote compromise • If a hacker can “own” your net, he can get access to virtually all of your important data • Developments in security happen in “Internet Time” (quick!) • Takes a lot of time to research and implement good security Running on Internet time • This presentation represents *my* knowledge at this time (10/98) • I don’t really consider myself a security expert, just a network Administrator • There is undoubtably a great deal I do *not* know and should be telling you • The technology changes quickly - assume that it already has • Nonetheless, hopefully this will help you in your own IT work Types of Risks • • • • • DoS - Denial of Service Exploits - getting administrator access Password cracking - brute force Network mapping - host/port scans Sniffers - intercept passwords on the net • Trojans and backdoors - getting back into the system • Misc - networked printers, routers, etc. • And more... Denial of Service • Through some mechanism, services on the network or server are disabled • Often due to poor programming (for example buffer overflows) • What is a buffer overflow? • DoS attacks exist for virtually every computer type from UNIX to PC • Windows NT is vulnerable to some DoS attacks, even with current service packs • TCP/IP stacks often vulnerable as well • Used for destructive purposes (why else?) Exploits • Generally used to obtain administrator privileges on a server • Most often for UNIX operating systems, but sometimes for NT/Novell as well • Usually distributed as source code or shell scripts (hence “script kiddies”) • Usually involves a server program with administrator privileges that is misconfigured or has a bug in it • Exploits are easy to obtain and run! Network scanners • Useful for getting the “lay of the land” • Determining what computers are connected to the net and the services they offer • Often used in coordination with exploits to scan a LARGE number of IP addresses for hosts which are vulnerable • This is happening right NOW! Take a look at your web server logs and you can bet you will see their handiwork • Some scanners can even tell what kind of computer is in use. About those “script kiddies” • Whereas once hacking was something done by a technical elite, now programs of mass destruction are widely available • People with little or no actual knowledge can use powerful tools to compromise security • If you haven’t been scanned yet, it is just a matter of time • You NEED to know if your security is good before they find out for you Network Sniffers • Used to snoop on network traffic • Can obtain usernames and passwords from plaintext transmissions such as Telnet, FTP, and mail • Can also be used for other malicious purposes • Assume that all traffic on the Internet is being watched by *someone* • Encryption is protection against this kind of attack • Telnet vs. Secure Shell [demo] Network Sniffers, cont. • Some sniffers can “hijack” a connection between two other hosts and take over one of the ends of the conversation. • Some sniffers can destroy a connection as well, rendering the connection useless • Sniffers are often used in combination with other programs such as Trojans • Sniffers are frequently used to obtain additional passwords from an alreadycompromised host Brute force attacks • Most passwords are 1-way encrypted. When you type in your password, it is encrypted and compared to the password the system has on file for you. If the encrypted result matches, you typed the word • Brute force engines attempt to encrypt an entire dictionary, one word at a time, in hopes of getting the password • Can be used to obtain administrator privileges on NT, Novell, and UNIX! • Servers respond by disabling login or slowing down drastically after a certain number of failed logins, thereby making it very time consuming to attack them Brute force on Windows NT • Windows NT is especially vulnerable to brute force attacks such as NAT (NetBios Audit Tool) • Under NT, the Administrator account cannot be disabled, so it is open to unlimited (and fast) brute force attacks • Never let your NT admin password be in the dictionary! • Can be hacked from anywhere on the Internet if your server is connected to the net Screen-shot of a NT hack on my home server • • • • • • • • • • • • • • • [*]--- Attempting to connect with name: PUTZY [*]--- CONNECTED with name: PUTZY [*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03 [*]--- Server time is Mon Oct 5 12:08:15 1998 [*]--- Timezone is UTC-4.0 [*]--- Remote server wants us to encrypt, telling it not to [*]--- Attempting to connect with name: PUTZY [*]--- CONNECTED with name: PUTZY [*]--- Attempting to establish session [*]--- Was not able to establish session with no password [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `10th' [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `1st' [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `2nd' [*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `3rd' And so on... Microsoft sharing shares too much information - another screen from home • • • • • • • • • • • • • • • [*]--- Checking host: 10.0.0.4 [*]--- Obtaining list of remote NetBIOS names [*]--- Remote systems name tables: PUTZY LACHNIET LACHNIET PUTZY LACHNIET PUTZY ADMINISTRATOR LACHNIET INet~Services LACHNIET IS~PUTZY ^A^B__MSBROWSE__^B NT server name Workgroup name Admin’s name Programs running on the server All of this information helps the hackers... NetWare is not immune • NetWare can also be brute force attacked • NetWare 3.x is more vulnerable than 4.x+ • Pandora - designed to crack a copy of directory services • For NetWare 4.x+, generally requires access to the console or administrator access to acquire a copy of directory services Brute force and UNIX • Brute force attacks originated on UNIX to crack the /etc/passwd file • Requires a user account or stolen password file • Shadow passwords or other more advanced authentication systems can reduce the risk of this type of attack in UNIX environments • Once again, just don’t ever use a password that is in the dictionary, or a place, or your mom, or your dog, etc. Miscellaneous Attacks • Lots of other strange bugs exist in everything from server software to routers and printers • For example, HP Jet Direct printers can be controlled and crashed remotely • With physical access, certain routers (e.g. Cisco) can be taken over • “Fake Mail” is a good example of the lack of security on the Internet [demo] Trojans and back doors • Are used to obtain or keep access to a system • Are remotely accessible, often with a simple password • Allow full control of the host computer • For UNIX, usually provides a root shell through a booby-trapped server program • Under Windows 95, “Back Orifice” is all the rage in Trojan technology • Once you have one, as you will see, nothing is safe State of the art software “Back Orifice” • Written by the “Cult of the Dead Cow” • Is small and powerful (only 128k bytes!) • Is similar to a virus - some program containing the program must be run on the computer in question • Generally distributed hidden inside of other legitimate programs (such as FTP downloads or E-Mail attachments) • Quietly installs itself and hides the evidence, running in the background at all times • Makes use of additional features through “Butt plug-ins” Back Orifice Butt Plug-ins • A Butt plug-in is installed along with the trojan and provides additional capabilities • Butt-Trumpet sends and Email stating the IP address of the compromised computer (making you vulnerable even if you have a dialup connection) • Butt-Sniffer allows a remote user to monitor network traffice on *your* local area network • The potential is limitless [demo] Are you ever going to trust an attachment again? • Since Email can be forged to appear to be coming from just about anyone, ALL email attachments are suspect! • Make people in your organization aware of this risk - many people will click on anything that comes their way L0pht Crack • Multi-purpose NT hacking utility • Performs brute force attacks on NT passwords (from the registry, from Emergency Repair discs, and from sniffed network traffic • Integral sniffer to snatch NT passwords off the network for hacking • http://www.l0pht.com (web site) Nessus • Is a client/server hacking program similar to “Satan” • Server runs on a UNIX host (usually someone else’s who has already been hacked) • The hacker runs a client remotely and submits requests to the Nessus server • The nessus server scans a range of hosts for known vulnerabilities and provides a detail report back to the client • All the activity appears to come from the hacked server host, so the hacker goes free! • The next big thing: coordinated server attacks! Getting help! • • • • Okay, so now you are worried! Research your operating systems on the net Subscribe to Bug-Traq and other listserves The best way to know that you are secure is to hack your own network! it would be in your best interests to get someone to audit your security. If you don’t, someone will! • Always keep up to date with service packs and patches • Register your product so you will be made aware of security issues by the manufacturer • Allow time for technical personnel to research security and improve their skills END [email protected]