
Slide 1

100% Security

“The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it ….”

Gene Spafford—Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University

Slide 2

The Internet Challenge
Expanded Access, Heightened Network Security Risks

[Diagram labels: Supply Chain Management, Customer Care, E-Commerce, E-Learning, Workforce Optimization; Internet Access, Corporate Intranet, Internet Presence, Internet Business Value; “Expansion of E-Business!!”]

Slide 3

Threat Capabilities: More Dangerous & Easier To Use

[Chart, 1980 to 2000: vertical axes “Sophistication of Hacker Tools” and “Technical Knowledge Required” (High to Low). Tools plotted: Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Sweepers, Sniffers, Stealth Diagnostics, Packet Forging/Spoofing, DDOS, Internet Worms.]

Slide 4

Examples

Slide 5

Distributed Denial of Service (DDoS)

• Stacheldraht - “barbed wire”
• Trinoo
• Tribe Flood Network (TFN) and TFN2000
• Shaft

Slide 6

Attacks Keep Getting Easier

[Screenshot: “Connected to www.test.com”]

Slide 7

l0PHT Crack Dumps All Passwords from the NT Registry

Specify a Computer:

Slide 8

l0PHT Crack Dumps the Password Files

Slide 9

The Intruder Opens a Word Dictionary

Slide 10

and Runs the Crack

Slide 11

[no extractable text]

Slide 12

© 2001, Cisco Systems, Inc. All rights reserved.

A new generation of attacks: The Internet Worms

Slide 13

The Code Red & NIMDA Worms: What Happened?

Code Red
- July 19-20, 2001
- 359,104 hosts in 13 hours
- $2.6 billion in damages! (estimates from Computer Economics, Carlsbad, CA)

NIMDA
- September 18, 2001
- Fastest spreading virus: 300K+ hosts, 2.2M devices
- Damage still being assessed

Slide 14

Code Red Spreads

July 19, Midnight – 159 hosts infected

Slide 15

Code Red Spreads

July 19, 11:40 am – 4,920 hosts infected

Slide 16

Code Red Spreads

July 20, Midnight – 341,015 hosts infected

Slide 17

The Code Red Worm: How It Works

• Conceals itself in HTTP packets, so firewalls alone cannot safeguard against the virus

• The worm exploits a buffer overflow vulnerability in Microsoft’s Internet Information Server (IIS) versions 4 and 5

• It then executes arbitrary code and installs a copy of itself into the infected computer’s memory, from which it infects other hosts

Slide 18

The NIMDA Worm: How It Works

• Hybrid of worm & virus

• Spread by:

- E-mail attachment (virus)
- Network shares (worm)
- JavaScript by browsing a compromised web site (virus)
- Infected hosts scanning for exploitable hosts (worm)
- Infected hosts scanning for backdoors created by the Code Red and sadmind/IIS worms (worm)
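The two “How It Works” slides make one practical point for defenders: both worms travel inside ordinary HTTP requests, so a firewall that allows web traffic sees nothing wrong, but the requests themselves stand out in the web server’s own logs or to an IDS. The following is an added example, not code from the Cisco deck: a small log scanner that flags the request shapes the 2001 public CERT advisories described for Code Red (an oversized request to the IIS Indexing Service .ida filter) and for NIMDA (probes for root.exe, the backdoor left by Code Red II, and cmd.exe reached through IIS Unicode and double-decode traversal), then lists the clients that are scanning. The log lines, IP addresses, function names and the hit threshold are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log sample (Common Log Format); none of these lines come from the slides.
# The first two mimic Code Red's oversized .ida request, the next four NIMDA's probes for
# root.exe (the backdoor Code Red II left behind) and cmd.exe via encoded "..\" traversal.
SAMPLE_LOG = """\
10.1.2.3 - - [19/Jul/2001:00:05:12 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 270
10.1.2.3 - - [19/Jul/2001:00:05:13 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 270
192.168.7.9 - - [18/Sep/2001:13:01:22 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.168.7.9 - - [18/Sep/2001:13:01:22 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 289
192.168.7.9 - - [18/Sep/2001:13:01:23 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
192.168.7.9 - - [18/Sep/2001:13:01:23 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
172.16.0.8 - - [18/Sep/2001:13:02:01 +0000] "GET /index.html HTTP/1.1" 200 1043
172.16.0.8 - - [18/Sep/2001:13:02:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120
"""

# Common Log Format: client, identity, user, [timestamp], "METHOD URI PROTOCOL", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Code Red: a GET to the Indexing Service ISAPI filter (default.ida) padded with a long run of
# 'N' (Code Red) or 'X' (Code Red II) to reach the buffer overflow the slides describe.
CODE_RED_RE = re.compile(r"/default\.ida\?[NX]{20,}", re.IGNORECASE)

# NIMDA: requests aimed at cmd.exe or root.exe on an IIS host. root.exe is the renamed copy of
# cmd.exe that Code Red II dropped, i.e. the "backdoor created by Code Red" the slides mention.
NIMDA_TARGET_RE = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)

# IIS 4/5 traversal encodings (Unicode and double-decode) NIMDA used to climb out of a
# web-accessible directory. Matched on the raw URI because a single decode hides them.
IIS_TRAVERSAL_RE = re.compile(
    r"\.\.(%c0%af|%c1%1c|%c1%9c|%255c|%252f|%5c|%2f|/|\\)", re.IGNORECASE
)


def classify(uri):
    """Return 'code-red', 'nimda' or 'iis-traversal' for a matching request URI, else None."""
    if CODE_RED_RE.search(uri):
        return "code-red"
    # Decode twice: '%255c' becomes '%5c' and then '\', which is how IIS mis-handled it.
    decoded = unquote(unquote(uri))
    if NIMDA_TARGET_RE.search(decoded):
        return "nimda"
    if IIS_TRAVERSAL_RE.search(uri):
        return "iis-traversal"
    return None


def scan_log(lines):
    """Return (client_ip, label, uri) for each parsable log line that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at its fields
        label = classify(m["uri"])
        if label:
            hits.append((m["ip"], label, m["uri"]))
    return hits


def scanning_hosts(hits, threshold=2):
    """Clients with at least `threshold` hits: the infected hosts probing for new victims."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for ip, label, uri in hits:
        print(f"{ip:15} {label:14} {uri[:60]}")
    print("scanning hosts:", scanning_hosts(hits))
```

The 404 status on every flagged line is deliberate: a patched or non-IIS server still records the probe, and that record is what identifies the infected client, which is why log review catches the propagation stage even where the exploit itself failed.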

Slide 19

Anatomy Of A Worm

1 - The Enabling Vulnerability
2 - Propagation Mechanism
3 - Payload

Slide 20

1 - The Enabling Vulnerability

Using the Index Server buffer overflow attack, the worm attempts to install itself on IIS Web servers.

[Diagram: the worm arrives from the Internet at a group of IIS servers]

Slide 21

2 - Propagation

After gaining access to the servers, the worm replicates itself and selects new targets for infection.

[Diagram: infected IIS servers (“GO”) reaching further IIS servers]

Slide 22

3 - Payload

When the server is infected with a worm, the attacker has administrator-level access to the server. Not only can the attacker deface Web pages, but they also have the power to reformat the hard drive, install a rootkit, steal credit card numbers, etc.

[Diagram labels: STEAL, DEFACE, BACK DOOR, ROOTKIT]

Slide 23

Additional Information

• Compulsory Reading: "Hacking Exposed"

• Security Links (vulnerabilities, tips, exploits, tools)

http://www.securityfocus.com
http://packetstorm.securify.org
http://www.insecure.org