DePaul University Security Forum
February 27, 2002

Presentations
- Eric Pancer (Systems Security, ISS) and Bill Eaheart (Network Security, Network & Telecom): "The Audience is listening" and "Current Threats"
- John Kristoff (Manager R&D, Network & Telecom): "Data Leaks"
- Rob Thomas (guest speaker): "Life in the Underground"

Information Security at DePaul
Information Security Team (INFOSEC): Eric Pancer (System Security), Bill Eaheart (Network Security)
Role at the University:
- Promote awareness
- Assist with computer security
- Provide guidance and resources to the DePaul community
Contact: [email protected], [email protected], http://networks.depaul.edu/security/

Security Principles
- Defense in depth: physical security, intrusion detection systems, firewalls, auditing, virtual private networks, encryption, strong passwords, access control lists, logging
- Prevention is ideal; detection is a must
- Security through obscurity (hiding how a system works) is not a substitute for any of the controls above

Who are the threats?
- Hackers: a person who enjoys exploring the details of programmable systems and how to stretch their capabilities
- Crackers: one who breaks security on a system
- Script kiddies: do mischief with scripts and programs written by others, often without understanding the exploit they are using

Are you safe?
[Chart: hacker/cracker skill level vs. availability of sophisticated tools, 1992-2001; series "Skill Level" and "Sophistication of Tools"]

Show me the numbers!
2001 CSI/FBI Computer Crime and Security Survey
[Chart: percentage of respondents reporting unauthorized use of computer systems within the last 12 months, 1996-2001; answers Yes / No / Don't know]
80% of problems are due to .... Is this changing?
[Chart: point of attack, percentage of respondents 1996-2001, for Internal Systems, Remote Dial-in and Internet]

CERT (www.cert.org) statistics, 1996-2001

Incidents reported
Year       1996  1997  1998  1999  2000   2001
Incidents  2573  2134  3734  9859  21576  52658

Vulnerabilities reported
Year             1996  1997  1998  1999  2000  2001
Vulnerabilities  345   311   262   417   1090  2437

Why do they do it?
- Information: resources, corporate data, source code
- Storage
- Access and bandwidth
- Launching point for attacks on others
- Challenge
- Activism, political (hacktivism)

How do they get in?
- Ports and services
- Third-party software
- Passwords
- Social engineering
- Back doors
- Trojan horses

Information Gathering: the company
Find initial information: publicly available information, whois, nslookup / host.

Host lookup (the output shown is in nslookup's Server/Address/Name/Aliases format):

    [user@test /]# host www.company.com
    Server:   host.atthome.com
    Address:  192.168.10.10
    Name:     test.company.com
    Address:  10.10.81.10
    Aliases:  www.company.com

Information Gathering: address range of the network
- American Registry for Internet Numbers, www.arin.net
- Asia Pacific Network Information Centre, www.apnic.net
- Réseaux IP Européens, www.ripe.net
- Cyberabuse, www.cyberabuse.org
- Traceroute

ARIN whois:

    The Company (NET-COMPANY)
       100 South State Street Avenue
       Chicago, IL 60612
       US
       Netname: COMPANY
       Netblock: 10.10.0.0 - 10.10.255.255
       Coordinator:
          Company Administrator (ZD12-ARIN) [email protected]
          (312) 323-1234
       Domain System inverse mapping provided by:
          DNS1.COMPANY.COM  10.10.120.120
          DNS2.COMPANY.COM  10.10.240.120
       Record last updated on 26-Mar-2001.
       Database last updated on 25-Feb-2002 20:01:06 EDT.

(The 10.x.x.x addresses used throughout these slides are private RFC 1918 placeholders; a real ARIN record lists publicly routable space.)
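The whois record above is the input to the next steps: the netblock defines what is in scope for the ping sweep and port scan, and the listed name servers are the first hosts worth a look. The following is an added example (not from the slides) that parses a record in the ARIN format shown, turns the "first - last" netblock into CIDR networks, and checks later addresses from the deck against it; the record text is a constructed copy of the slide, and the function names are the author's own.

```python
import ipaddress
import re

# Constructed copy of the ARIN record on the slide (placeholder netblock).
WHOIS_RECORD = """\
The Company (NET-COMPANY)
   100 South State Street Avenue
   Chicago, IL 60612
   US
   Netname: COMPANY
   Netblock: 10.10.0.0 - 10.10.255.255
   Coordinator:
      Company Administrator (ZD12-ARIN) [email protected]
      (312) 323-1234
   Domain System inverse mapping provided by:
      DNS1.COMPANY.COM  10.10.120.120
      DNS2.COMPANY.COM  10.10.240.120
   Record last updated on 26-Mar-2001.
"""

NETBLOCK_RE = re.compile(
    r"Netblock:\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")
# A name-server line is "<hostname> <ipv4>" and nothing else on the line.
NAMESERVER_RE = re.compile(
    r"^\s*([A-Za-z0-9.-]+)\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.MULTILINE)


def parse_whois(record):
    """Extract the netblock (as CIDR networks) and the name servers."""
    m = NETBLOCK_RE.search(record)
    if not m:
        raise ValueError("record has no Netblock line")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    # A first-last range is not always one CIDR block; summarize handles that.
    networks = list(ipaddress.summarize_address_range(first, last))
    nameservers = {name.lower(): ipaddress.ip_address(ip)
                   for name, ip in NAMESERVER_RE.findall(record)}
    return {"first": first, "last": last,
            "networks": networks, "nameservers": nameservers}


def in_scope(info, ip):
    """True if `ip` lies inside the organization's netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in info["networks"])


def address_count(info):
    """Number of addresses the sweep would have to cover."""
    return sum(net.num_addresses for net in info["networks"])


def stray_nameservers(info):
    """Name servers hosted outside the netblock (often a third party's)."""
    return {name: ip for name, ip in info["nameservers"].items()
            if not in_scope(info, ip)}


if __name__ == "__main__":
    info = parse_whois(WHOIS_RECORD)
    print("networks:", [str(n) for n in info["networks"]],
          "addresses:", address_count(info))
    for ip in ("10.10.82.11", "10.10.120.120", "192.168.10.10"):
        print(ip, "in scope" if in_scope(info, ip) else "out of scope")
```

With the slide's record this yields a single 10.10.0.0/16 (65,536 addresses); the hosts the later nmap runs touch (10.10.82.x, 10.10.120.120) are inside it, while the attacker's own resolver at 192.168.10.10 is not. Name servers that fall outside the block are worth noting separately, since they belong to someone else's scope.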
Traceroute:

    [user@test /]#
    Tracing route to DNS1.company.com [10.10.80.10] over a maximum of 30 hops:
      1   <1 ms   <1 ms   <1 ms  badguy.home.com [192.20.40.50]
      2   <1 ms   <1 ms   <1 ms  rtr-isp.com [192.10.30.30]
      3   <1 ms   <1 ms   <1 ms  rtr-isp.com [192.10.20.20]
      4   <1 ms   <1 ms   <1 ms  192.10.10.10
      5    1 ms    1 ms    1 ms  isp.location.net [16.6.9.33]
      6    1 ms    1 ms    1 ms  16.6.9.122
      7   15 ms   14 ms   11 ms  16.6.9.218
      8    8 ms   10 ms    5 ms  10.10.1.1
      9   48 ms   84 ms   59 ms  test.company.com [10.10.120.120]
    Trace complete.

Hop 8 (10.10.1.1) is the first address inside the 10.10.0.0/16 netblock from the whois record, so it is most likely the company's border router.

Information Gathering: find active machines
- Ping
- Ping sweep

Ping sweep with nmap:

    [user@test /]# nmap -sP 10.10.82.11-30
    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Host d8211.company.com (10.10.82.11) appears to be up.
    Host d8212.company.com (10.10.82.12) appears to be up.
    Host d8213.company.com (10.10.82.13) appears to be up.
    Host d8214.company.com (10.10.82.14) appears to be up.
    Host d8215.company.com (10.10.82.15) appears to be up.
    Host d8216.company.com (10.10.82.16) appears to be up.
    Host d8217.company.com (10.10.82.17) appears to be up.
    Host d8218.company.com (10.10.82.18) appears to be up.
    Host d8220.company.com (10.10.82.20) appears to be up.
    Host d8221.company.com (10.10.82.21) appears to be up.
    Nmap run completed -- 21 IP addresses (18 hosts up) scanned in 2 seconds

Information Gathering: find open ports
- Port scanners: Scanport for Windows, Nmap for *nix
- Modems: war dialing

Figure out the operating system with nmap -O:

    [user@test /]# nmap -O 10.10.82.11
    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on test.company.com (10.10.1.1):
    (The 1520 ports scanned but not shown below are in state: closed)
    Port       State       Service
    7/tcp      open        echo
    9/tcp      open        discard
    13/tcp     open        daytime
    19/tcp     open        chargen
    21/tcp     open        ftp
    23/tcp     open        telnet
    25/tcp     open        smtp
    37/tcp     open        time
    6112/tcp   open        dtspc
    Remote OS guesses: Windows ME or Windows 2000 RC1 through final release
    Uptime 20.028 days (since Wed Feb  6 11:05:16 2002)
    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

Note that the stack fingerprint ("Windows ME or Windows 2000") does not fit the evidence: 6112/tcp dtspc is the CDE subprocess control daemon found on Unix workstations such as HP-UX and Solaris, and the telnet banner that Nessus reports below says HP-UX. Treat an OS guess as a hint and confirm it against service banners.

Information Gathering: figure out which services are running
- Assumptions from the port numbers
- Telnet to the port and read the banner
- Vulnerability scanners: commercial (ISS Internet Scanner, CyberCop, Secure Scanner); shareware and free (SARA, Nessus, SAINT)

Nessus scan report:

    Nessus Scan Report
    ------------------
    SUMMARY
     - Number of hosts which were alive during the test : 1
     - Number of security holes found : 4
     - Number of security warnings found : 18
     - Number of security notes found : 4
    TESTED HOSTS
     test.company.com (Security holes found)
    DETAILS
     - List of open ports :
     . Information found on port telnet (23/tcp)
       Remote telnet banner :
       HP-UX test B.11.00 U 9000/800 (tc)
       login:
       (followed by raw telnet option-negotiation bytes, 0xFF 0xFC / 0xFF 0xFE, which render as "ÿü ÿþ")
     . Vulnerability found on port snmp (161/udp) :
       SNMP community name: public
       CVE : CAN-1999-0517
       CVE : CVE-1999-0018
    ------------------------------------------------------
    This file was generated by the Nessus Security Scanner

Information Gathering: exploiting the system
By this point the attacker has a clear map of the network: active machines, types of machines, ports and services, potential vulnerabilities. The next step is to look for known vulnerabilities in what was found and run exploits against them.

Security Tools
- Port scanner: Nmap
- Anti-virus: Norton, McAfee, InoculateIT
- Vulnerability scanner: Nessus
- Firewall: ZoneAlarm, PortSentry
- IDS: Snort
- Encryption software: PGP, GNU PG
- SSH: OpenSSH; PuTTY (ssh client)
- MD5 (integrity checking; a hash function, not encryption)

Encryption: secure communication and data storage
- Pretty Good Privacy (PGP): developed by Philip Zimmermann; restricted use (the freeware build is for non-commercial use)
- GNU PG (GnuPG): complete and free replacement for PGP; can be used without restriction

Public/private key encryption
Plain text:

    This is a test message.

Encrypted:

    -----BEGIN PGP MESSAGE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

    qANQR1DBwU4DSTJMC1F2PksQCACdcf2IVYDlAr76yd5HF25PA3Qh6CCGBucLxgbt
    KQ5DfRqHduaU7BiCFbbbf188PM2iJraUsYUTz7kZAJ8DNx7JsJZcmo1gvs8UGUuP
    7jkSBEGSv59C3sXOMq9Zvzcd0uReWzzsZv+cjqZNBkKlueC88sYZvaFM4DAfbpkf
    gXK2XWRVbgymilclY3drHiyBVAk+EGmmQ2gZ4sNLZmoFlPD1G2SOuQhp63n2XgHT
    ce/DpZ+rjDvF0dpDkv30G609cC82E0mVnzV9Ca6qNmxB2LY5P94ido2mfPp55T8h
    5VBGL2k3pQOblpjE0fN8un8vHzM6fab5pCALDnUI06v5YVzZB/4yFGXOqUvd3fgf
    1o/ayYkKZ+Cb6eKkUz4EmXASBmQNM9VBgXTjaizEHC4WCj3Crm7R1InDO9c47/9i
    YZZ6sHLJ0h5TU8SM1KfFRuJat438B2DElc9AECDQsqEM64BEOmqTKRkZ8OGdV0aE
    GcUpwcaif7WbrOlA8c/8kiNOOGGP/SqjnEesxjNfloKkhuy3Ck+j+D6jGu8B/96c
    YsKcKKk6GQwzopSmivhCZHOmDOdA4LIHzY+KTma+ASJGDlO1RTCECvQncn1G77Ll
    ktbBo5AtgeHi1uvk4qj1ZFr7fyVhwRdGP2wbxq8JupZ8h5DPyT4wM7TpgtlEjeSJ
    l4vuObkzyS4QPOiAADW3IxHheN/8ZAnW9V1M7B26ZXK0v15htVNwUPFuKghw4kOP
    epYVa+8f
    =WOpm
    -----END PGP MESSAGE-----

Telnet
- Plain text!!

SSH
- Secure Shell: a program to log into another computer over a network, giving secure communications over insecure channels.
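The port-scan, banner and OS-guess steps above fit together in one small tool. The following is an added example (not code from the slides or from nmap/Nessus) of a TCP connect scan that grabs whatever banner a service volunteers, strips the telnet option-negotiation bytes that clutter a raw banner (the "ÿü ÿþ" debris in the Nessus output), and derives an OS hint from the banner to cross-check a stack fingerprint. So that it runs offline, it starts a fake telnet daemon on a loopback port that answers with a constructed banner modelled on the HP-UX one above; the function names and the banner bytes are the author's assumptions.

```python
import socket
import threading

# Constructed banner, modelled on the Nessus telnet banner on the slide.
# The leading bytes are telnet option negotiation (IAC DO TERMINAL-TYPE,
# IAC WILL ECHO); a real telnetd sends these before the greeting.
FAKE_TELNET_BANNER = (b"\xff\xfd\x18\xff\xfb\x01"
                      b"\r\nHP-UX test B.11.00 U 9000/800 (tc)\r\n\r\nlogin: ")


def start_fake_service(banner=FAKE_TELNET_BANNER):
    """Listen on an ephemeral loopback port and send `banner` to each client.
    Stands in for the remote telnet daemon; returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan (what nmap does without raw sockets). Returns
    {port: raw_banner} for every port that accepted the connection; the
    banner is whatever the service sends within `timeout` (b"" if silent)."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:              # refused or filtered: not open
            s.close()
            continue
        try:
            found[port] = s.recv(512)
        except OSError:              # open but silent (no banner)
            found[port] = b""
        finally:
            s.close()
    return found


def strip_telnet_negotiation(data):
    """Remove IAC (0xFF) option-negotiation sequences so the banner is
    readable: WILL/WONT/DO/DONT carry one option byte; 0xFF 0xFF is a
    literal 0xFF; any other command is two bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd in (0xFB, 0xFC, 0xFD, 0xFE):
                i += 3
            elif cmd == 0xFF:
                out.append(0xFF)
                i += 2
            else:
                i += 2
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


# Banner substrings and the OS they indicate (author's short list).
BANNER_OS_HINTS = (("HP-UX", "HP-UX"), ("SunOS", "Solaris"),
                   ("Linux", "Linux"), ("Microsoft", "Windows"))


def os_from_banner(raw_banner):
    """Banner-based OS hint, to cross-check a TCP/IP stack fingerprint such
    as the 'Windows ME or Windows 2000' guess nmap -O made above."""
    text = strip_telnet_negotiation(raw_banner).decode("latin-1")
    for needle, osname in BANNER_OS_HINTS:
        if needle in text:
            return osname
    return "unknown"


if __name__ == "__main__":
    srv, port = start_fake_service()
    for p, banner in connect_scan("127.0.0.1", [port]).items():
        print(p, "open", os_from_banner(banner),
              strip_telnet_negotiation(banner).strip())
    srv.close()
```

Run against the scanned host in the deck, the banner would say HP-UX while nmap's fingerprint said Windows; the banner wins, because it comes from the application rather than from heuristics over TCP/IP stack quirks, which a firewall or load balancer in the path can distort.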
SSH puts encrypted text on the wire. Telnet puts this on the wire.

I smell a password... A telnet session as captured by a sniffer: thirteen Telnet frames (frames 30 to 72, 54 to 61 bytes each on the wire), one keystroke or prompt per frame, carrying the data

    login:  f r e d  Password:  f r e d f o o

Every keystroke travels in its own unencrypted packet, so anyone sniffing the path reads the username fred and the password fredfoo.

MD5
MD5 is a one-way hash function: it takes a message and converts it into a fixed-length string of hex digits, also called a message digest. The same input always gives the same digest, and any change to the input changes the digest, as the second run (after test.txt was modified) shows:

    [user@test /]# md5sum test.txt
    2d282102fa671256327d4767ec23bc6b  test.txt
    [user@test /]# md5sum test.txt
    2bc4fd1e721de48ca6dfd992b2e88712  test.txt

Security Sites
- www.cert.org
- www.ciac.org/ciac
- www.incidents.org
- www.securityfocus.com
- http://csrc.ncsl.nist.gov/
- Vendor sites for patches

References
- Charlie Kaufman, Radia Perlman and Mike Speciner, Network Security: Private Communication in a Public World
- Richard Power, Computer Security Issues and Trends, Vol. VII No. 1
- Eric Cole, Hackers Beware
- www.webopedia.com
- www.nessus.org
- www.nmap.org
- www.cert.org
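The telnet capture above shows why "plain text!!" matters: the credentials can be reassembled from the packets without any cryptanalysis. The following is an added example (not from the deck) that does that reassembly over constructed capture records modelled on the sniffer frames shown, one keystroke per packet. The addresses, frame numbers and the server's echo packets are the author's assumptions; the trick is to use packet direction, so that the server's prompts tell the parser which field the next client bytes belong to and the server's echoes of the typed name are not counted twice.

```python
# Placeholder addresses: CLIENT typed, SERVER prompted and echoed.
CLIENT, SERVER = "192.168.10.10", "10.10.81.10"

# Constructed capture, modelled on the thirteen data frames on the slide:
# (frame number, source, destination, TCP payload).
CAPTURED_FRAMES = [
    (30, SERVER, CLIENT, b"login: "),
    (32, CLIENT, SERVER, b"f"), (33, SERVER, CLIENT, b"f"),  # server echoes the name
    (36, CLIENT, SERVER, b"r"), (37, SERVER, CLIENT, b"r"),
    (48, CLIENT, SERVER, b"e"), (49, SERVER, CLIENT, b"e"),
    (51, CLIENT, SERVER, b"d"), (52, SERVER, CLIENT, b"d"),
    (53, CLIENT, SERVER, b"\r\n"),                           # Enter
    (55, SERVER, CLIENT, b"\r\nPassword: "),                  # no echo from here on
    (60, CLIENT, SERVER, b"f"), (62, CLIENT, SERVER, b"r"),
    (65, CLIENT, SERVER, b"e"), (66, CLIENT, SERVER, b"d"),
    (68, CLIENT, SERVER, b"f"), (69, CLIENT, SERVER, b"o"),
    (72, CLIENT, SERVER, b"o"),
    (73, CLIENT, SERVER, b"\r\n"),
]

# Server prompt -> the field the following client keystrokes fill.
PROMPTS = ((b"login:", "username"), (b"Password:", "password"))


def reconstruct_logins(frames, client, server):
    """Replay client->server bytes that follow a login:/Password: prompt and
    return the (username, password) pairs typed during the session, in order."""
    logins = []
    current = {"username": "", "password": ""}
    field = None                            # which field keystrokes go into
    for _, src, dst, payload in frames:
        if (src, dst) == (server, client):
            for prompt, name in PROMPTS:
                if prompt in payload:
                    field = name            # next client bytes belong here
            continue                        # prompts and echoes are not keystrokes
        if (src, dst) != (client, server) or field is None:
            continue
        for ch in payload.decode("latin-1"):
            if ch in "\r\n":                # Enter terminates the field
                if field == "password":
                    logins.append((current["username"], current["password"]))
                    current = {"username": "", "password": ""}
                field = None
                break
            current[field] += ch
    return logins


if __name__ == "__main__":
    for user, password in reconstruct_logins(CAPTURED_FRAMES, CLIENT, SERVER):
        print("captured login:", user, password)
```

On the slide's capture this returns fred / fredfoo. The same code run over an SSH session recovers nothing, because every byte after the key exchange is ciphertext; that, not the login prompt, is the difference between the two protocols.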
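The two md5sum runs above are the whole idea behind host-based integrity checking: record digests of trusted files once, re-hash later, and anything whose digest moved has been changed. The following is an added example (not from the deck) that builds such a baseline and verifies it, reproducing the test.txt demonstration in a temporary directory with constructed file content. It hashes with SHA-256 alongside MD5, the author's choice rather than the slide's: MD5 still detects accidental change, but collisions can now be manufactured for it, so a digest meant to resist a deliberate substitution should not rely on MD5 alone.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def digest_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory message, one per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def file_digests(path, algorithms=ALGORITHMS):
    """Hash a file in chunks, so large files do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(paths):
    """Record the digests of files while they are known to be good."""
    return {path: file_digests(path) for path in paths}


def verify_baseline(baseline):
    """Re-hash every file and report 'ok', 'modified' or 'missing'."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digests(path) == expected:
            report[path] = "ok"
        else:
            report[path] = "modified"
    return report


def demo():
    """The md5sum demonstration: hash test.txt, change one byte, hash again.
    Returns both MD5 digests and the verification status (constructed content)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "test.txt")
        with open(path, "w") as f:
            f.write("This is a test message.\n")
        baseline = build_baseline([path])
        before = baseline[path]["md5"]
        with open(path, "a") as f:
            f.write("x")                 # a one-byte change is enough
        report = verify_baseline(baseline)
        after = file_digests(path)["md5"]
        return {"before": before, "after": after, "status": report[path]}


if __name__ == "__main__":
    r = demo()
    print(r["before"], "test.txt")
    print(r["after"], "test.txt (modified)")
    print("verify:", r["status"])
```

The baseline only means something if it is stored where an intruder who has changed the files cannot also change the digests (read-only media or a separate host), which is the same reason the slide lists MD5 beside logging and IDS rather than in place of them.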