Embed Size (px)
Citation preview
Network Security
• Lecture# 10• Lecture Slides Prepared by:
• Syed Irfan Ullah• N.W.F.P. Agricultural University Peshawar
Outline• Intruders
– Intrusion Techniques– Password Protection– Password Selection Strategies– Intrusion Detection
• Viruses and Related Threats– Malicious Programs– The Nature of Viruses– Antivirus Approaches– Advanced Antivirus Techniques
Intruders• Three classes of intruders (hackers or crackers):
– Masquerader: • An individual who is not authorized to use the computer,and
who penetrates a system’s access controls to exploit a legitimate user’s account.
– Misfeasor:• A legitimate user who access date,programs, or resources for
which such access is not authorized, or who is authorized for such access but misuses his or her prevailages.
– Clandestine user:• An individual who seizes supervisory control of the system
and uses this control to evade auditing and access controls or to suppress audit collection altogether.
Intrusion Techniques
• System maintain a file that associates a password with each authorized user.
• Password file can be protected with:– One-way encryption– Access Control
Intrusion Techniques• Techniques for guessing passwords:
• Try default passwords.• Try all short words, 1 to 3 characters long.• Try all the words in an electronic dictionary(60,000).• Collect information about the user’s hobbies, family
names, birthday, etc.• Try user’s phone number, social security number,
street address, etc.• Try all license plate numbers.• Use a Trojan horse• Tap the line between a remote user and the host
system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
UNIX Password Scheme
Loading a new password
UNIX Password Scheme
Verifying a password file
Storing UNIX Passwords
• UNIX passwords were kept in a publicly readable file, etc/passwords.
• Now they are kept in a “shadow” directory and only visible by “root”.
”Salt”
• The salt serves three purposes:– Prevents duplicate passwords.– Effectively increases the length of the password.– Prevents the use of hardware implementations
of DES
Password Selecting Strategies• User education:
• Users can be told the importance of using hard to guess passwords and can be provided with guidelines for selecting strong passwords.
• Computer-generated passwords:• The computer generates a random number and select it as a password.
Problem is how a user can remember it.• Reactive password checking:
• is one in which the system periodically runs its own password cracker to find guessible passwords. It the system detects a password, it is rejected and notifies to user.
• Proactive password checking:• a user is allowed to select his or her own password. However, at the
time of selection, the system checks to see if the password is allowable and, if not reject it.
The Stages of a Network Intrusion
1. Scan the network to:• locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers).
2. Run “Exploit” scripts against open ports3. Get access to Shell program which is “suid” (has “root”
privileges).4. Download from Hacker Web site special versions of
systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
11
Intusion Detection
• The intruder can be identified and ejected from the system.
• An effective intrusion detection can prevent intrusions.
• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Intrusion Detection
• Statistical anomaly detection– Treshold detection– Profile based
• Rule based detection– Anomaly detection– Penetration identidication
Profiles of Behavior of Intruders and Authorized Users
Measures used for Intrusion Detection
• Login frequency by day and time.• Frequency of login at different locations.• Time since last login.• Password failures at login.• Execution frequency.• Execution denials.• Read, write, create, delete frequency.• Failure count for read, write, create and delete.
Distributed Intrusion Detection
Developed at University of California at Davis
Distributed Intrusion Detection
Viruses and ”Malicious Programs”
• Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).
• Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
Taxanomy of Malicious Programs
Need Host Program
Independent
Trapdoors Logic Bombs
TrojanHorses
Viruses Bacteria Worms
Malicious Programs
Definitions
• Virus - code that copies itself into other programs.• A “Bacteria” replicates until it fills all disk space,
or CPU cycles.• Payload - harmful things the malicious program
does, after it has had time to spread. • Worm - a program that replicates itself across the
network (usually riding on email messages or attached documents (e.g., macro viruses).
Definitions• Trojan Horse - instructions in an otherwise good program
that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., date).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
Virus Phases
• Dormant phase - the virus is idle• Propagation phase - the virus places an identical
copy of itself into other programs• Triggering phase – the virus is activated to
perform the function for which it was intended• Execution phase – the function is performed
Virus ProtectionHave a well-known virus protection program, configured to
scan disks and downloads automatically for known viruses.
Do not execute programs (or "macro's") from unknownsources (e.g., PS files, Hypercard files, MS Office documents,
Avoid the most common operating systems and email
programs, if possible.
Virus Structure
A Compression Virus
Types of Viruses• Parasitic Virus - attaches itself to executable files as part of their
code. Runs whenever the host program runs.
• Memory-resident Virus - Lodges in main memory as part of the residual operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from Virus Scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection.
Macro Viruses
• Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
• Platform independent.• Infect documents, delete files, generate email and
edit letters.
Antivirus Approaches1st Generation, Scanners: searched files for any of a library of
known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above.
Advanced Antivirus Techniques
• Generic Decryption (GD)– CPU Emulator– Virus Signature Scanner– Emulation Control Module
• For how long should a GD scanner run each interpretation?
Advanced Antivirus Techniques
• Trusted Systems– Data Access Control– The Concept of Trusted systems– Trojan Horse Defense
• One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
• Through the user access control procedure (log on), a user can be identified to the system
• Associated with each user, there can be a profile that specifies permissible operations and file accesses
• The operating system can enforce rules based on the user profile
• General models of access control:– Access matrix– Access control list– Capability list
• Access Matrix
• Access Matrix: Basic elements of the model– Subject: An entity capable of accessing objects, the
concept of subject equates with that of process– Object: Anything to which access is controlled (e.g.
files, programs)– Access right: The way in which an object is accessed
by a subject (e.g. read, write, execute)
• Access Control List: Decomposition of the matrix by columns
• Access Control List– An access control list lists users and their
permitted access right– The list may contain a default or public entry
• Capability list: Decomposition of the matrix by rows
• Capability list– A capability ticket specifies authorized objects
and operations for a user– Each user have a number of tickets
• Trusted Systems– Protection of data and resources on the basis of
levels of security (e.g. military)– Users can be granted clearances to access
certain categories of data
• Multilevel security– Definition of multiple categories or levels of data
• A multilevel secure system must enforce:– No read up: A subject can only read an object of less or
equal security level (Simple Security Property)– No write down: A subject can only write into an object
of greater or equal security level (*-Property)
• Reference Monitor Concept: Multilevel security for a data processing system
• Reference Monitor– Controlling element in the hardware and
operating system of a computer that regulates the access of subjects to objects on basis of security parameters
– The monitor has access to a file (security kernel database)
– The monitor enforces the security rules (no read up, no write down)
• Properties of the Reference Monitor– Complete mediation: Security rules are
enforced on every access– Isolation: The reference monitor and database
are protected from unauthorized modification– Verifiability: The reference monitor’s
correctness must be provable (mathematically)
• A system that can provide such verifications (properties) is referred to as a trusted system
Overview
• What is Trojan Horse?• Types of Trojan Horses?• How can you be infected?• What do attackers want?
Definition
• a Trojan horse is a malicious program that is disguised as legitimate software.
• Like the gift horse left outside the gates of Troy by the Greeks, Trojan Horses appear to be useful or interesting to an unsuspecting user, but are actually harmful
Virus or Worm?
• Trojan horse programs cannot replicate themselves, in contrast to some other types of malware, like viruses or worms.
• A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program.
Types of Trojans• erasing or overwriting data on a computer• corrupting files in a subtle way• spreading other malware, such as viruses. In this case the Trojan horse
is called a 'dropper'.• setting up networks of zombie computers in order to launch DDoS
attacks or send Spam.• logging keystrokes to steal information such as passwords and credit
card numbers (known as a key logger)• phish for bank or other account details, which can be used for criminal
activities.• installing a backdoor on a computer system.
How can you be infected• Websites: You can be infected by visiting a rogue website. Internet
Explorer is most often targeted by makers of Trojans and other pests. Even using a secure web browser, such as Mozilla's Firefox, if Java is enabled, your computer has the potential of receiving a Trojan horse. Very severe in Windows OS.
• Instant message: Many get infected through files sent through various messengers. This is due to an extreme lack of security in some instant messengers, such of AOL's instant messenger.
• E-mail: Attachments on e-mail messages may contain Trojans. Trojan horses via SMTP.
Sample Delivery
• Attacker will attach the Trojan to an e-mail with an enticing header
• The Trojan horse is typically a Windows executable program file, and must have an executable file extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is configured by default to hide extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file.
Where They Live• Autostart Folder
The Autostart folder is located in C:\Windows\Start Menu\Programs\startup and as its name suggests, automatically starts everything placed there.
• Win.iniWindows system file using load=Trojan.exe and run=Trojan.exe to execute the Trojan
• System.iniUsing Shell=Explorer.exe trojan.exe results in execution of every file after Explorer.exe
• Wininit.iniSetup-Programs use it mostly; once run, it's being auto-deleted, which is very handy for trojans to restart
Where They Live(con’t)• Winstart.bat
Acting as a normal bat file trojan is added as @trojan.exe to hide its execution from the user
• Autoexec.batIt's a DOS auto-starting file and it's used as auto-starting method like this -> c:\Trojan.exe
• Config.sysCould also be used as an auto-starting method for trojans
• Explorer StartupIs an auto-starting method for Windows95, 98, ME, XP and if c:\explorer.exe exists, it will be started instead of the usual c:\Windows\Explorer.exe, which is the common path to the file.
What the attacker wants?• Credit Card Information (often used for domain
registration, shopping with your credit card) • Any accounting data (E-mail passwords, Dial-Up
passwords, WebServices passwords, etc.) • Email Addresses (Might be used for spamming, as
explained above) • Work Projects (Steal your presentations and work related
papers) • Children's names/pictures, Ages (pedophile attacker?!) • School work (steal your papers and publish them with
his/her name on it)
Are you infected?
• Its normal to visit a web site and several more pop-ups to appear with the one you've visited. But when you do completely nothing and suddenly your browser directs you to some page unknown to you, take that serious.
• A strange and unknown Windows Message Box appears on your screen, asking you some personal questions.
• Your Windows settings change by themselves like a new screensaver text, date/time, sound volume changes by itself, your mouse moves by itself, CD-ROM drawer opens and closes.
• Secure, trusted operating systems are one way to secure against Trojan Horse attacks
Well Known Trojans
• AceBot is a tremendous backdoor Trojan, which was designed for performing a lot of different destructive actions. The parasite detects, terminates and totally disables running antivirus software installed on the target computer. AceBot also connects to the IRC network and uses it for giving the hacker a remote control over the compromised system. Moreover, the Trojan is able to connect to various malicious servers and download other harmful parasites from there.
Well Know Trojans• The Secup Trojan displays fake security related messages.
When the user clicks on such a message the Trojan opens malicious web site that quietly installs potentially harmful software. Secup also serves undesirable commercial advertisements.
• Dmsys is a dangerous Trojan that specializes in infecting various instant messengers and stealing user confidential information. By using its keystroke logging technique, Dmsys easily steals user passwords and captures private conversations. This information is written into a log file, which is then sent to the hacker.
VNC
• Remote desktop program freely distributed
• Server executable attached to e-mail and unknowingly installed on your system
• Attacker can use client to uses your system as if he was sitting at the terminal
Not All Malware?
• Sony Copyright Trojan is installed on your computer when you play a BMG music CD
• Secretly installs software that conflicts with Apple’s ITunes, provides no method of uninstalling, and will cloak itself from your operating system.
The End
Thanks
