Securing Enterprise Network Infrastructure (Towards secure internetworking on Pakistan Educational Research Network) - Dr. Adeel Akram, UET Taxila




Page 1: Securing Enterprise Network Infrastructure (Towards secure internetworking on Pakistan Educational Research Network) Dr. Adeel Akram Dr. Adeel Akram UET

Securing Enterprise Network Infrastructure

(Towards secure internetworking on Pakistan Educational Research Network)

Dr. Adeel Akram

UET Taxila


Outline

► Introduction to Enterprise Network
► Enterprise Network Architectures
► Securing Enterprise Networks
► Enterprise Network Security Requirements
► Pakistan Educational Research Network
► Type of Network Attacks and Vulnerabilities
► Case Studies: Hacking of Educational and Govt. Websites !!!
► Lessons Learnt
► Recommendations


Introduction to Enterprise Network

► An Enterprise Network is the network that allows communication and resource-sharing among all of a company's business functions and workers.

► In some cases, an Enterprise Network would even include the company's suppliers, contractors and distributors.

► It consists of the hardware, software and media connecting the information technology resources of an organization.


Enterprise Network Architectures (diagram slide)


Securing Enterprise Networks (five diagram slides)


Enterprise Network Security Requirements

► Network security has become increasingly difficult to manage and evaluate, even as industry and government compliance requirements have become more demanding.


Enterprise Network Security Requirements

► The network threats are real, and costly. Internal and external vulnerabilities can cause business disruption, loss of revenue, or loss of operational efficiency.

► Because network security can be breached from both internal and external sources, traditional perimeter firewalls are not enough to protect the network.


Enterprise Network Security Requirements

► Enterprise networks require new network security tools, network appliances, and professional services to secure large and small networks.

► The following slides show key components of network security that are now required in all organizations to secure their networks:


Enterprise Security Key Components

► Unified Threat Management (UTM) Firewalls
► Network Access Control (NAC), or ROLE-based Networking
► Mobile Computer Client Protection
► Event Correlation and Log Analysis
► Layer-7 Visibility and Packet Analysis
► Managed Services


Enterprise Network Security Requirements

► Unified Threat Management (UTM) Firewalls

It is too costly and operationally inefficient to add on each separate component as security threats emerge. Today's solutions use multiple scanning methods and multiple defense layers in high-throughput appliances. IDS/IPS, Anti-Virus, Content-Filtering, VPN, Anti-Spam, P2P control, etc. all need to be included in a network security solution.


Enterprise Network Security Requirements

► Network Access Control (NAC), or ROLE-based Networking

Creating differentiated network services based on individual access requirements is the key. The era of every user being able to browse to all network resources should be over. Role-based networking is required to limit visibility to networks, servers, and TCP/IP ports and protocols, regardless of the user's point of entry into the network.


Enterprise Network Security Requirements

► Mobile Computer Client Protection

Also referred to as "Mobile NAC": all network devices that can leave and join the network need to have accountability and control regardless of location. The ability to control laptops, PDAs, and other mobile devices when they are not connected to a VPN session is a key requirement.


Enterprise Network Security Requirements

► Event Correlation and Log Analysis

Security threats cannot be stopped by reviewing logs in "post-mortem" analysis. To stop "zero-day" threats, the network needs event-correlation and adaptive-response tools. While SNMP reporting tools are important for network engineers responsible for network health, other tools are required to correlate client, server, and firewall activities with computer application processes.
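The correlation the slide calls for, as an added example that is not from the original deck: events from a firewall, Windows logon auditing and a web server are normalised into one line format, grouped by source address, and a rule fires when a successful logon is preceded within ten minutes by firewall denies and failed logons from the same address on more than one host. The line format, the sensor names and the sample events are constructed for the demonstration (RFC 5737 documentation addresses); a real deployment would first parse each product's native log into this shape.

```python
"""Cross-source event correlation over constructed log lines.

Added example (not from the original slides). Normalised event format:
    <ISO timestamp> <sensor> <event> key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address scans, fails logons on two hosts, then
# succeeds; one benign logon; one address whose events are too far apart.
SAMPLE_LOG = """\
2007-08-30T14:40:01 firewall DENY src=198.51.100.23 dport=445
2007-08-30T14:40:03 firewall DENY src=198.51.100.23 dport=139
2007-08-30T14:40:05 firewall DENY src=198.51.100.23 dport=3389
2007-08-30T14:41:10 winsec LOGON_FAIL src=198.51.100.23 host=alpha
2007-08-30T14:41:12 winsec LOGON_FAIL src=198.51.100.23 host=beta
2007-08-30T14:41:40 winsec LOGON_OK src=198.51.100.23 host=alpha
2007-08-30T14:42:00 iis POST src=198.51.100.23 host=alpha
2007-08-30T14:45:00 winsec LOGON_OK src=10.1.5.7 host=alpha
2007-08-30T15:10:00 firewall DENY src=192.0.2.9 dport=22
2007-08-30T16:30:00 winsec LOGON_OK src=192.0.2.9 host=beta
"""

WINDOW = timedelta(minutes=10)  # look-back window for the rule


def parse(text):
    """Turn normalised lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor,
                       "event": event, **fields})
    return events


def correlate(events, window=WINDOW):
    """Alert on: firewall DENY + LOGON_FAIL + LOGON_OK from one source inside 'window'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "LOGON_OK":
                continue
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            denies = [p for p in recent if p["event"] == "DENY"]
            fails = [p for p in recent if p["event"] == "LOGON_FAIL"]
            if denies and fails:  # scan, then password guessing, then success
                alerts.append({
                    "src": src, "at": e["ts"], "host": e.get("host"),
                    "denies": len(denies), "failed_logons": len(fails),
                    "hosts_probed": sorted({p.get("host") for p in fails}),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The rule is deliberately cross-sensor: none of the three sources alone would flag the address, which is the point the slide makes about SNMP and single-product reports. The benign logon from 10.1.5.7 and the widely spaced events from 192.0.2.9 produce no alert.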


Enterprise Network Security Requirements

► Layer-7 (Application Layer) Visibility and Packet Analysis

The ability to classify all applications regardless of port and protocol is essential for both security and performance analysis. In-line devices for analyzing and reporting network traffic across all OSI layers are essential for compliance, security assessment, and resolving performance issues.
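What "classify regardless of port" looks like in code, as an added example that is not from the original deck: the first client bytes of a flow are matched against the SSH banner, the TLS ClientHello record header and the HTTP request line, and the result is compared with what the destination port implies, so SSH on TCP/443 is flagged as a mismatch. The sample flows and the port table are constructed for the demonstration; a production classifier would carry many more signatures.

```python
"""Port-independent application identification from a flow's first client bytes.

Added example (not from the original slides). Mirrors what an inline
Layer-7 appliance does on the first packet of each flow.
"""
import re

# Protocols this small classifier recognises from client-first bytes.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

# What a port is "supposed" to carry; anything else on it is worth a look.
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls", 8080: "http"}


def classify(payload: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' from the first bytes a client sent."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(HTTP_METHODS) and HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def inspect_flows(flows):
    """flows: iterable of (dst_port, first_client_bytes). Flags port/protocol mismatches."""
    report = []
    for dst_port, payload in flows:
        proto = classify(payload)
        expected = PORT_EXPECTATION.get(dst_port)
        mismatch = expected is not None and proto not in ("unknown", expected)
        report.append({"dst_port": dst_port, "protocol": proto, "mismatch": mismatch})
    return report


# Constructed sample flows: the third one is SSH hidden on the HTTPS port.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (443, b"SSH-2.0-OpenSSH_4.7\r\n"),
    (8080, b"GET / HTTP/1.0\r\n\r\n"),
    (53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),  # not a protocol this classifier knows
]

if __name__ == "__main__":
    for row in inspect_flows(SAMPLE_FLOWS):
        print(row)
```

Unknown payloads are never reported as mismatches; a classifier that cannot name the protocol has no business asserting that the port is wrong.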


Enterprise Network Security Requirements

► Managed Services

Many companies cannot become experts in Cyber-Security, PC/Server Management, Regulatory Compliance, and Disaster Recovery. But even small businesses are impacted by critical data security threats and technology maintenance hurdles that detract from the core business goals. Managed Services offer expertise on a contractual basis.


Educational Enterprise Network

► Pakistan Education and Research Network


Pakistan Educational Research Network

► PERN - Pakistan Education and Research Network is the national research and education network of Pakistan, which connects the premier educational and research institutions of the country.


Pakistan Educational Research Network

► PERN focuses on collaborative research, knowledge sharing, resource sharing, and distance learning by connecting people through the use of Intranet and Internet resources.


Pakistan Educational Research Network (network diagram slide)


Types of Network Attacks (chart slide)

Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database


Top Application Vulnerabilities (chart slide)

Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database


Top Attack Outcomes (chart slide)

Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database


Hacking Statistics for .gov.pk (chart slide)


Hacking Statistics for .edu.pk (chart slide)


Cyber Attack Response Procedure


FBI Cybercrime Investigation Procedure

► To ensure that your organization can react to an incident efficiently, make sure that staff know who is responsible for cyber security and how to reach them.

► The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization's policies and procedures):

FBI Cybercrime Investigation Procedure

► Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder.

► If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if possible.

FBI Cybercrime Investigation Procedure

► Document the losses suffered by your organization as a result of the incident. These could include:
► estimated number of hours spent in response/recovery
► cost of temporary help
► cost of damaged equipment
► value of data lost
► amount of credit given to customers for inconvenience
► loss of revenue
► value of any trade secrets

To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
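The "preserve the state" step above, as an added example that is neither FBI material nor code from the original deck: each artefact is hashed, copied with its timestamps, re-hashed to prove the copy is faithful, and listed in a JSON manifest whose own hash is what you write in the incident notebook. It uses only the Python standard library; the collector name and the two files in the demonstration run are constructed, and the evidence directory path is whatever you pass in.

```python
"""Evidence preservation: copy artefacts, hash them, write a verifiable manifest.

Added example (not from the original slides). Implements the 'backup copy of
logs, damaged or altered files, and files left by the intruder' step.
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Streamed SHA-256 so large IIS/firewall logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(paths, evidence_dir, collector):
    """Copy each file into evidence_dir and write manifest.json describing it.

    Returns (manifest_path, sha256 of the manifest). Raises if a copy does
    not hash identically to its original.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in paths:
        st = os.stat(src)                       # stat before touching the file
        digest = sha256_of(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)                  # copy2 keeps mtime; the hash proves content
        if sha256_of(dst) != digest:
            raise RuntimeError(f"copy of {src} does not match original")
        entries.append({
            "original": os.path.abspath(src),
            "copy": os.path.abspath(dst),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": digest,
        })
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "files": entries}
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest_path, sha256_of(manifest_path)


def verify(manifest_path):
    """Re-hash every copy listed in the manifest; {copy_path: still_intact}."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return {e["copy"]: sha256_of(e["copy"]) == e["sha256"] for e in manifest["files"]}


def demo():
    """Constructed run: two fake artefacts in a temporary directory."""
    import tempfile
    work = tempfile.mkdtemp()
    log = os.path.join(work, "ex070830.log")
    shell = os.path.join(work, "CP5.asp")
    with open(log, "wb") as f:
        f.write(b"2007-08-30 09:45:24 198.51.100.23 GET /examination/CP5.asp - 200\n")
    with open(shell, "wb") as f:
        f.write(b"abc")  # stand-in content; SHA-256 of "abc" is well known
    manifest_path, manifest_hash = preserve([log, shell], os.path.join(work, "evidence"),
                                            collector="netcenter-oncall")
    checks = verify(manifest_path)
    return {"all_ok": all(checks.values()), "count": len(checks),
            "shell_sha256": sha256_of(os.path.join(work, "evidence", "CP5.asp")),
            "manifest_hash_len": len(manifest_hash)}


if __name__ == "__main__":
    print(demo())
```

Run it before anything else is done to the machine: the stat and hash are taken before the copy, and the manifest hash, written down elsewhere, lets a later reviewer detect any edit to either the copies or the manifest.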

National Response Centre For Cyber Crimes

► NR3C CERT (Computer Emergency Response Team)
► Forensic Lab
► R&D
► Implementation of Standards & Procedures
► Media and Projection Cell
► Technology Development Center
► Network Operations & Security
► Liaison with LEA(s) & public/private sector organizations
► Trainings & Seminars
► Legal Regularity & Issues

To report an incident to the NR3C visit: http://www.nr3c.gov.pk

Federal Investigation Agency Headquarters, Sector G-9/4, Islamabad. Ph. 051-9261686, Fax 051-9261685


Case Studies

► UET Taxila – Internal Website(s) Hacked
► HEC Website(s) – Hacked
► LUMS Website(s) – Hacked
► Ministry of Information and Broadcasting Website – Hacked
► FIA's National Response Center for Cyber Crime Website


UET Taxila Website(s) Hacked


UET Taxila's Internal Website http://uet.homeip.net Hacked in 2006 !


Email from Hackers (screenshot slide)


The Next Day (screenshot slide)


Searched for traces of Hackers

► Event Viewer
  Application Logs
  System Logs
  Security Logs

► User Manager
  Any Account Modifications
  New Account Creation
  Rights Requests


Checked Systems for Trojan Horses

► See if any backdoor was created on the system

► Try to figure out how the hackers managed to compromise the system

► Check Task Manager for any suspicious running process

► Check System/Firewall Security Logs


Search the Logs (screenshot slide)


Checked Logs on the DHCP Server

► Cross-checked the MAC address of the hackers from their IP 169.254.2.57: 00-01-02-08-37-A8


Checked Hostel Switch Logs

► Went to the hostel switch and checked which switch port this MAC address binds to: Port Number 31 on the switch

► Consulted the Hostel Network Diagrams to find out the room number for Port # 31: Room Number 41
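The three-step trace just described (DHCP lease log gives the MAC, the switch's MAC table gives the port, the wiring sheet gives the room) as an added example that is not code from the original deck. The DHCP audit log, the switch table and the wiring sheet below are constructed for the demonstration in simplified versions of the Windows DHCP audit-log CSV, a Cisco-style `show mac-address-table` listing and a hostel wiring sheet; the IP, MAC, port and room values are invented and deliberately differ from the case study's.

```python
"""Trace a suspect IP to a physical room: DHCP log -> MAC, switch table -> port, wiring -> room.

Added example (not from the original slides). All three inputs are constructed.
"""
import re

# Constructed: Windows DHCP audit-log style rows (ID 10 = new lease, 11 = renew).
DHCP_AUDIT_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,08/15/06,21:02:11,Assign,10.20.30.57,student-pc,001122334455
10,08/15/06,21:05:40,Assign,10.20.30.58,lab-printer,00AABBCCDDEE
11,08/15/06,22:30:05,Renew,10.20.30.57,student-pc,001122334455
"""

# Constructed: switch MAC table (dotted-quad MAC format, as many switches print it).
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Fa0/17
  20    00aa.bbcc.ddee    DYNAMIC     Fa0/3
"""

# Constructed: which wall socket each switch port is patched to.
WIRING_SHEET = {"Fa0/17": "Room 12", "Fa0/3": "Print room"}


def normalize_mac(raw):
    """Accept 00-11-22-33-44-55, 0011.2233.4455, 001122334455 ...; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def leases_for_ip(audit_log, ip):
    """Every lease the DHCP server recorded for this IP: (when, event, mac, hostname)."""
    hits = []
    for line in audit_log.splitlines()[1:]:          # skip the header row
        fields = line.split(",")
        if len(fields) < 7:
            continue
        _id, date, time, desc, addr, host, mac = fields[:7]
        if addr == ip and desc in ("Assign", "Renew"):
            hits.append((f"{date} {time}", desc, normalize_mac(mac), host))
    return hits


def port_for_mac(mac_table, mac):
    """Find the switch port that learned this MAC, or None."""
    target = normalize_mac(mac)
    for line in mac_table.splitlines():
        m = re.match(r"\s*\d+\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)", line)
        if m and normalize_mac(m.group(1)) == target:
            return m.group(2)
    return None


def trace_ip(ip, audit_log=DHCP_AUDIT_LOG, mac_table=SWITCH_MAC_TABLE, wiring=WIRING_SHEET):
    leases = leases_for_ip(audit_log, ip)
    if not leases:
        return None
    macs = {mac for _, _, mac, _ in leases}
    if len(macs) > 1:
        # The IP was handed to different machines over time: narrow the time
        # window to the attack before blaming anyone.
        return {"ip": ip, "ambiguous_macs": sorted(macs), "leases": leases}
    mac = macs.pop()
    port = port_for_mac(mac_table, mac)
    return {"ip": ip, "mac": mac, "host": leases[-1][3],
            "port": port, "room": wiring.get(port)}


if __name__ == "__main__":
    print(trace_ip("10.20.30.57"))
```

Two details matter in practice and are handled above: MAC addresses come in three notations across DHCP logs, switches and Windows tools, so everything is normalised before comparison; and DHCP leases move, so an IP that maps to more than one MAC is reported as ambiguous rather than resolved to a room.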


Hackers Caught Red-Handed (photo slide)


Website Restored to Original State (screenshot slide)


Observations

► The site was hacked by our own students, who were doing an internship in the Network Center on Windows Server Administration

► They were also developing the student-portal website on the same server and were given administrative rights on the web server

► They misused their rights to hack the site


The defacing of UET TAXILA's Examination website in August 2007

http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/


Hacked by Whom?

• There were 5 main IP addresses that used the URL responsible for hacking and planting the pages on our alpha webserver!
• 202.86.249.21
• 202.86.248.23
• 74.6.25.141
• 88.254.235.5
• 85.106.249.98


Guess What!

► Who owns this IP Address?
► 202.86.249.21
► Pakistan


Whois 202.86.249.21

► WHOIS - 202.86.249.21
► inetnum: 202.86.249.0 - 202.86.249.255
► netname: DIALLOG
► descr: Great Bear International Services (Pvt) Ltd, Wireless Local Loop
► descr: CDMA Operator, Pakistan
► country: PK
► person: Artem Orange
► nic-hdl: AO71-AP
► e-mail: [email protected]
► address: Great Bear International Services (Pvt) Ltd
► address: 106-E, Asif Plaza 3rd & 4th Floor
► address: Fazal-ul-Haq Road, Blue Area,
► address: Islamabad
► phone: +92 51 2806222
► country: PK
► changed: [email protected] 20060111
► mnt-by: MAINT-PK-DIALLOG
► source: APNIC


Who owns the 2nd Attacker IP?

► Who owns this IP Address?
► 202.86.248.23
► Singapore


Whois 74.6.25.141

► WHOIS - 74.6.25.141
► OrgName: Inktomi Corporation
► OrgID: INKT
► Address: 701 First Ave
► City: Sunnyvale
► StateProv: CA
► PostalCode: 94089
► Country: US
► NetRange: 74.6.0.0 - 74.6.255.255
► CIDR: 74.6.0.0/16
► NetName: INKTOMI-BLK-6
► NetHandle: NET-74-6-0-0-1
► Parent: NET-74-0-0-0-0
► NetType: Direct Allocation
► NameServer: NS1.YAHOO.COM
► RAbuseEmail: [email protected]


Whois 85.106.249.98

► WHOIS - 85.106.249.98
► Location: Turkey (high) [City: Adana, Adana]
► inetnum: 85.106.128.0 - 85.106.255.255
► netname: TurkTelekom
► descr: TT ADSL-alcatel dynamic_ulus
► country: tr
► admin-c: BADB3-RIPE
► tech-c: ZA66-RIPE
► status: ASSIGNED PA
► mnt-by: as9121-mnt
► notify: [email protected]
► changed: [email protected] 20070220
► source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Network Direktorlugu
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 555 1927
fax-no: +90 312 313 1924
e-mail: [email protected]
source: RIPE


Whois 88.254.235.5

► WHOIS - 88.254.235.5
► Location: Turkey (high) [City: Adana, Adana]
► inetnum: 88.254.128.0 - 88.254.255.255
► netname: TurkTelekom
► descr: TT ADSL-alcatel dynamic_ulus
► country: tr
► admin-c: TTBA1-RIPE
► tech-c: TTBA1-RIPE
► status: ASSIGNED PA
► mnt-by: as9121-mnt
► notify: [email protected]
► changed: [email protected] 20070220
► source: RIPE

role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: [email protected]
source: RIPE


How it was done?

► An ASP shell script, CP5.asp, was planted under the http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/ folder, which had Write rights on it with Directory Browsing turned ON.

► Our firewall logs showed that the first call to the malicious ASP page was made on 30/Aug/2007 at 14:45:24 PST.


Home of CyberSpy 5 (CP5.asp)


CP5.asp Removed from Server!

► I didn’t understand the Turkish language, but the icons were pretty intuitive to indicate that the [icon] means Delete and the [icon] means Download.

► So after indir-ing the CP5.asp for my personal interest and further investigation, Sil-ed the cp5.asp using its own page.

► Thanks to the author of CP5 for self-destructive features ;-)


Observations

► The CP-5 (CyberSpy 5) ASP shell script code was intentionally/unintentionally planted in the Examination website by someone having physical access to the server.

► The network supervisors of the exam branch didn’t confess their fault.

► CyberSpy 5 is now detected by newer antiviruses as PhP/C99Shell.A.Trojan and ASP/Ace.DC.Trojan.


What security measures were taken?

► As the first step during the revival of the web.uettaxila.edu.pk website, all traffic for web.uettaxila.edu.pk was redirected to www.uettaxila.edu.pk, so that the original website contents were served from our hosted services server directly instead of the local hacked server.


What security measures were taken?

► Browsed through the IIS Service Manager on the hacked server to check the rights on all folders related to the website.

► Removed Write rights for IUSR_ALPHA on all folders.

► Changed the default webpage at web.uettaxila.edu.pk from index.htm to index1.asp.


What security measures were taken?

► Backed up the hacked pages and emailed them to my account for further investigation.

► I deleted the hacked index.htm file and copied the original files from the Hosted Services Server back onto the local hacked server.

► At this time, the hackers tried to reinstall their hacked page on our server by overwriting index.htm with their hacked page.


What security measures were taken?

► As the webserver was now set to show index1.asp instead of index.htm, the hacked page was no longer visible on the main page.

► The hackers realized that they should leave the server now.

► As a protective measure, we added all IP ranges of the hackers' IP class to the firewall block list.

► In future they will not be able to use the same addresses to access our server.


What security measures were taken?

► The domain accounts of all users were checked for their security privileges.

► Unnecessary administrative group members were removed.

► Passwords were changed on all administrative accounts.

► [email protected] was removed.


Response to the Hackers

► Used network forensic tools to track the hackers

► Used OS fingerprinting to identify the types of systems used by the attackers

► Tried to gain access to their network resources

► Tried to get personal information about the hackers


Who owned 88.254.235.5?

I changed its old password for future communication.

This is the ADSL router of the attacker in Turkey.


ZyXEL ADSL Router on Turk IP!


Who owned 88.254.235.5?


Suggestions and Comments

► Routine checking of firewall logs should be performed to see obnoxious calls to URL addresses on the server.

► All servers should be shifted behind a UTM firewall.

► The Intrusion Prevention System on the UTM should be configured to detect and block such attacks in future.

► Concerned ISPs and security agencies should be contacted for logs to get access to the owners of these attacker IP addresses.
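The log review described in this case study (finding the first call to CP5.asp from the web server logs, and the routine check for odd script calls suggested above), written out as an added example that is not part of the original presentation. It assumes IIS W3C extended log lines and that the uetDownloads folder is meant to hold static files only; the sample log lines and the benign 203.0.113.x client addresses are constructed.

```python
"""Flag calls to server-side scripts inside folders that should only serve static downloads.

Added example, not from the original slides. It reads IIS W3C extended log lines
(field names taken from the #Fields directive); the sample log below is constructed.
"""
from collections import OrderedDict
from datetime import datetime

# Folders that should hold static downloads only (assumption drawn from the incident).
STATIC_ONLY_PREFIXES = ("/uet/uetsub/uetdownloads/",)
# Extensions the web server would execute rather than serve as a plain file.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".asa", ".php", ".cgi", ".pl")


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a new directive may appear mid-file
            continue
        if not line or line.startswith("#"):
            continue                            # other directives / blank lines
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                            # malformed line: skip, do not abort
        yield dict(zip(fields, values))


def is_suspicious(uri_stem):
    """True when a script extension is requested under a static-only folder."""
    path = uri_stem.lower()
    return path.startswith(STATIC_ONLY_PREFIXES) and path.endswith(SCRIPT_EXTENSIONS)


def first_calls(lines):
    """Return {uri: (first_seen, first_client_ip, hit_count)} for suspicious requests.

    Lines are not assumed to be in time order, so the earliest timestamp wins.
    """
    seen = OrderedDict()
    for rec in parse_w3c(lines):
        uri = rec["cs-uri-stem"]
        if not is_suspicious(uri):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if uri not in seen:
            seen[uri] = (ts, ip, 1)
            continue
        first_ts, first_ip, count = seen[uri]
        if ts < first_ts:
            first_ts, first_ip = ts, ip
        seen[uri] = (first_ts, first_ip, count + 1)
    return seen


# Constructed sample in IIS 6 W3C format (W3C logs record UTC). The attacker
# addresses and the CP5.asp path are the ones named in the slides; the rest is made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-08-30 09:40:01 203.0.113.7 GET /uet/UETsub/uetDownloads/examination/datesheet.pdf 200
2007-08-30 09:46:10 85.106.249.98 POST /uet/UETsub/uetDownloads/examination/CP5.asp 200
2007-08-30 09:45:24 85.106.249.98 GET /uet/UETsub/uetDownloads/examination/CP5.asp 200
2007-08-30 10:02:33 88.254.235.5 GET /uet/UETsub/uetDownloads/examination/CP5.asp 200
2007-08-30 10:05:00 203.0.113.9 GET /index.htm 200
""".splitlines()

if __name__ == "__main__":
    for uri, (ts, ip, count) in first_calls(SAMPLE_LOG).items():
        print("%s first called %s by %s (%d hits)" % (uri, ts, ip, count))
```

Point the script at a real log by replacing SAMPLE_LOG with an open file object; the same parse works for any IIS W3C log that includes the date, time, c-ip and cs-uri-stem fields.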


HEC Website(s) Hacked


HEC Website(s) Hacked

► Domain: http://hjp.hec.gov.pk
Hacking Reported on: 2010-05-19 10:47:33
Notified by: Ashiyane Digital Security Team
IP address: 111.68.100.144
System: Linux
Web server: Apache


http://hjp.hec.gov.pk


HEC Website(s) Hacked

► Domain: http://dev.hec.gov.pk
Hacking Reported on: 2010-07-06 16:50:06
Notified by: r4diationz
IP address: 72.249.151.41
Sub directory: /appsup/submit.asp
Attack Type: Database injection


http://dev.hec.gov.pk


HEC Website(s) Hacked

► Domain: http://app.hec.gov.pk
Hacking Reported on: 2010-07-06 16:51:25
Notified by: r4diationz
IP address: 72.249.151.41
Sub directory: /appsup/submit.asp
Attack Type: Database injection


http://app.hec.gov.pk


HEC Website(s) Hacked

► Domain: http://sc.hec.gov.pk/aphds/Submit.asp
Hacking Reported on: 2010-02-05 16:09:21
Notified by: sacred_relic
IP address: 111.68.100.150
System: Win 2003
Web server: IIS/6.0


http://sc.hec.gov.pk


LUMS Website(s) Hacked


LUMS Website(s) Hacked

► Domain: http://cmer.lums.edu.pk
Hacking Reported on: 2009-07-12 21:17:08
Notified by: syniack
IP address: 203.128.0.46
System: Linux
Web server: Apache


http://cmer.lums.edu.pk


LUMS Website(s) Hacked

► Domain: http://suraj.lums.edu.pk/~lrs/forum/phpBB2
Hacking Reported on: 2006-07-19 15:39:52
Notified by: SanalYargic
IP address: 203.128.0.6
System: Solaris/SunOS
Web server: Apache


http://suraj.lums.edu.pk


LUMS Website(s) Hacked

► Domain: http://sedp.lums.edu.pk/index2.htm
Hacking Reported on: 2003-08-15 22:39:41
Notified by: INDIAN TIGERS
IP address: 203.128.1.242
System: Win 2000
Web server: IIS/5.0


http://sedp.lums.edu.pk


LUMS Website(s) Hacked

► Domain: http://sedp.lums.edu.pk
Hacking Reported on: 2003-08-16 17:38:40
Notified by: INDIAN TIGERS
IP address: 203.128.1.242
System: Win 2000
Web server: IIS/5.0


http://sedp.lums.edu.pk


InfoPak.gov.pk Website Hacked


Ministry of Information and Broadcasting Website Hacked

► Domain: http://www.infopak.gov.pk
► Hacking Reported on: 2010-07-13 09:20:12
Notified by: Sovalye
IP address: 174.143.146.58
System: Win 2003
Web server: IIS/6.0


http://www.infopak.gov.pk


NR3C Website Hacked


FIA’s National Response Center for Cyber Crime Website Hacked

► Domain: http://www.nr3c.gov.pk
Hacking Reported on: 2010-01-07 16:16:56
Notified by: ZombiE_KsA
IP address: 72.9.156.44
System: Linux
Web server: Apache


http://www.nr3c.gov.pk


Lessons Learnt

► The faster the network, the more attacks arrive from the internet
► Greater availability/always-online connectivity increases the chances of hacking attacks
► Internal users are mostly responsible for compromising network security
► Easy availability of hacking scripts has encouraged script kiddies to try hacking
► Lack of regular security audits, shortage of certified ethical hackers and knowledge sharing


Recommendations

► Enable role-based network services
► Disable Windows File Sharing
► Update the operating system
► Choose strong passwords
► Anti-virus software installation and update
► Train the end users to maintain their PCs
► Install a personal firewall and email security apps
► On-demand and startup scan for spyware
► Network Access Control


Tips for End Users

► Deploy Internet security software (FW+AV+UTM)
  ESET NOD32 Business Edition
  TrendMicro Internet Security
  Symantec Endpoint Protection + Network Access Control
► Keep security software updated
► Keep OS and installed software updated
► Report abnormal system behavior to admins
► Enable System Restore and back up the system


Tips for Network and Sys Admins

► Block TCP Port 25 (commonly used by spam-bots)
► Block TCP Port 135 (used by the W32/Blaster worm)
► Block TCP Port 445, NetBIOS-DGM, NetBIOS-NS, NetBIOS-SSN, Kerberos, LDAP, WINS, RDP and Ping to/from WAN
► Turn off File and Printer Sharing for Microsoft Networks on WAN interfaces of all servers
► Install firewall and antivirus software on servers
► Create backups / images of servers


References

► http://www.nle.com
► www.networkdictionary.com/networking/e.php
► http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
► http://www.firewall.cx/firewall_topologies.php
► http://webappsec.pbworks.com/Web-Hacking-Incident-Database
► http://www.zone-h.com/archive
► http://www.dnsstuff.com/tools
► http://www.ip-whois-lookup.com/lookup.php?ip=88.254.235.5
► http://www.hec.gov.pk
► http://www.pern.edu.pk
► http://www.cert.org/tech_tips/FBI_investigates_crime.html
► http://www.insecure.org
► http://www.eeye.com
► https://secure.dshield.org/reports.html


Questions

[email protected]