100% Security

“The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it ….”

Gene Spafford—Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University


The Internet Challenge

Expanded Access, Heightened Network Security Risks

[Figure: Expansion of E-Business!! Labels: Internet Access, Corporate Intranet, Internet Presence, Internet Business Value; Supply Chain Management, Customer Care, E-Commerce, E-Learning, Workforce Optimization.]

Threat Capabilities: More Dangerous & Easier To Use

[Figure: "Sophistication of Hacker Tools" and "Technical Knowledge Required" (High to Low) plotted over time, 1980 to 2000. Labelled tools and techniques: Packet Forging/Spoofing, Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Sweepers, Sniffers, Stealth Diagnostics, DDOS, Internet Worms.]


Examples

Distributed Denial of Service (DDoS)

• Stacheldraht - “barbed wire”

• Trinoo

• Tribe Flood Network (TFN) and TFN2000

• Shaft

Attacks Keep Getting Easier

[Screenshot: Connected to www.test.com]

l0PHT Crack Dumps All Passwords from the NT Registry

[Screenshot: Specify a Computer:]

l0PHT Crack Dumps the Password Files

The Intruder Opens a Word Dictionary

and Runs the Crack

© 2001, Cisco Systems, Inc. All rights reserved.

A new generation of attacks: The Internet Worms

The Code Red & NIMDA Worms: What Happened??

Code Red
- July 19-20, 2001
- 359,104 Hosts in 13 hours
- $2.6 Billion in Damages!

Estimates from Computer Economics (Carlsbad, CA)

NIMDA
- September 18, 2001
- Fastest spreading virus
- 300K+ Hosts, 2.2M devices

Damage still being assessed

Code Red Spreads

July 19, Midnight – 159 hosts infected

July 19, 11:40 am – 4,920 hosts infected

July 20, Midnight – 341,015 hosts infected

The Code Red Worm: How It Works

• Conceals itself in HTTP packets. Firewalls alone cannot safeguard against the virus.

• The worm exploits vulnerabilities found in Microsoft’s Internet Information Server (IIS) v4 & 5 via a buffer overflow attack.

• It then executes arbitrary code and installs a copy of itself into the infected computer’s memory, from where it infects other hosts.

The NIMDA Worm: How It Works

• Hybrid of Worm & Virus

• Spread by:

- E-mail attachment (virus)
- Network Shares (worm)
- JavaScript by browsing compromised web site (virus)
- Infected hosts scanning for exploitable hosts (worm)
- Infected hosts scanning for backdoors created by Code-Red and sadmind/IIS worms (worm)

Anatomy Of A Worm

1 - The Enabling Vulnerability

2 - Propagation Mechanism

3 - Payload


The Enabling Vulnerability

Using the Index Server buffer overflow attack, the worm attempts to install itself on IIS Web servers.

[Figure: stage 1, the Internet and several IIS servers]
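An added example, not part of the original slides: because the worm arrives as an ordinary HTTP request, the web server's own log is one place to spot attempts against the Index Server overflow that a port-filtering firewall lets through. The code assumes IIS W3C extended logging, that Index Server requests use the .ida/.idq script mappings, and a 200-byte query-length cut-off; the log lines are constructed.

```python
# Added example (not from the slides): flag overlong Index Server requests
# in an IIS W3C extended log. Log lines and threshold are constructed.
INDEX_SERVER_EXTS = (".ida", ".idq")  # assumed Index Server script mappings
MAX_QUERY_LEN = 200                   # assumed cut-off; tune per site

SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200",
    "2001-07-19 14:02:15 192.0.2.44 GET /default.ida " + "A" * 300 + " 200",
    "2001-07-19 14:02:19 192.0.2.10 GET /search.idq q=pricing 200",
    "2001-07-19 14:03:01 198.51.100.7 GET /default.ida " + "A" * 300 + " 200",
    "2001-07-19 14:03:09 192.0.2.44 GET /default.ida " + "A" * 300 + " 200",
])


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or odd lines
                yield dict(zip(fields, values))


def suspicious_requests(text, max_len=MAX_QUERY_LEN):
    """Return requests to Index Server extensions with an overlong query."""
    hits = []
    for req in parse_w3c(text):
        stem = req.get("cs-uri-stem", "").lower()
        query = req.get("cs-uri-query", "-")
        if stem.endswith(INDEX_SERVER_EXTS) and len(query) > max_len:
            hits.append(req)
    return hits


def hits_by_source(text):
    """Count suspicious requests per client IP to separate scanners from users."""
    counts = {}
    for req in suspicious_requests(text):
        counts[req["c-ip"]] = counts.get(req["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in sorted(hits_by_source(SAMPLE_LOG).items()):
        print(f"{ip}: {n} overlong Index Server request(s)")
```

A source address that appears here on a server with no legitimate Index Server traffic is most likely an already-infected host scanning for new targets.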


Propagation

After gaining access to the servers, the worm replicates itself and selects new targets for infection.

[Figure: stage 2, infected IIS servers reaching out to further IIS servers]

Payload

When the server is infected with a worm, the attacker has administrator-level access to the server. Not only can the attacker deface Web pages, but they also have the power to reformat the hard drive, install a rootkit, steal credit card numbers, etc.

[Figure: stage 3, labels: STEAL, DEFACE, BACK DOOR, ROOTKIT]


Additional Information

• Compulsory Reading

"Hacking Exposed".

• Security Links (vulnerabilities, tips, exploits, tools)

http://www.securityfocus.com

http://packetstorm.securify.org

http://www.insecure.org