8/7/2019 SecurityDLTalk
1/25
Security Tidbits
Neil Daswani
Overview
- The FLI Model
- Infiltrations: Viruses / Worms
  - Lessons Learned
- Firewalls & Attacks
  - What is a firewall? How do they work?
  - How to prevent attacks
Security Problems & Solutions (the FLI model)
Columns: Failure (Process/Storage) | Lies | Infiltration

Prevention:
  Physical Security, Uninterruptible Power, Firewalls, Authentication, Authorization,
  Non-Repudiation, Time-Stamping, Digital Signatures, Hardware Protection, Common Sense

Management:
  Non-Stop Processes, Fault-Tolerance, Watchdog Processor, Replication, RAID, Backups,
  Byzantine Agreement, Reputation Systems, Intrusion Detection, Anti-virus Software

Recovery:
  Fail-Over, Hot Swapping, Key Escrow, Fail-Stop Digital Signatures, Auditing,
  Certificate Revocation
Morris Worm (1988)
- Damage: 6000 computers in just a few hours
- What: just copied itself; didn't touch data
- Exploited:
  - buffer overflow in fingerd (UNIX)
  - sendmail debug mode (exec arbitrary cmds)
  - dictionary of 432 frequently used passwords
Buffer Overflow Example

#include <string.h>
/* Deliberately vulnerable: strcpy() has no length check, so argv[1] longer than 15 bytes overruns buffer */
void sample_func(char *str) {
    char buffer[16];
    strcpy(buffer, str);
}
int main(int argc, char *argv[]) {
    if (argc > 1) sample_func(argv[1]);
    return 0;
}
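The slide shows the overflow; the fix is to check the input length against the buffer before writing. The following is an added example, not code from the talk: it keeps the same 16-byte buffer and replaces the unchecked strcpy() with a bounded copy that refuses oversized input. The function names (bounded_copy, sample_func_safe) are assumptions made for this example.

```c
/* Added example (not from the slides): a bounded alternative to the
 * strcpy() call in sample_func(). The 16-byte buffer is kept so the
 * contrast is visible; an oversized input is refused instead of
 * overflowing the stack. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Copy src into dst (capacity dstsz), always NUL-terminating.
 * Returns 0 on success, -1 if src does not fit (dst is left empty). */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return -1;
    if (len >= dstsz) {          /* the terminator needs one byte too */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* copies the terminating NUL as well */
    return 0;
}

/* Hardened counterpart of the slide's sample_func(): same 16-byte buffer,
 * but nothing is written unless the input fits. Returns the number of
 * bytes copied, or -1 when the input was rejected. */
int sample_func_safe(const char *str)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, str) != 0)
        return -1;
    return (int)strlen(buffer);
}

int main(int argc, char *argv[])
{
    const char *input = argc > 1 ? argv[1] : "hello";   /* constructed default */
    if (sample_func_safe(input) < 0)
        printf("rejected: input longer than %d bytes\n", BUF_SIZE - 1);
    else
        printf("accepted: \"%s\"\n", input);
    return 0;
}
```

The check is on the length of the source, not on the destination only: a 15-character string fits because the 16th byte holds the terminator, and a 16-character string is rejected rather than silently truncated, which keeps the caller from mistaking a truncated value for the original.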
Morris Worm (1988)
Lessons Learned from Morris
- Diversity is good. Big programs have many exploitable bugs.
- Choose good passwords.
- Don't shut down mail servers: doing so did prevent the worm from spreading, but it also shut down the defense.
- CERT was created to respond to attacks.
Melissa (1999)
- What: just copied itself; did not touch data
- When date = time: "Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game's over. I'm outta here."
- Exploited:
  - MS Word Macros (VB)
  - MS Outlook Address Book (Fanout = 50)
  - "Important message from" (email subject)
Melissa (1999)
Lessons Learned:
- Homogeneity is bad. Users will click on anything.
- Separation of applications is good.
- Users trusted the message since it came from someone they knew. Don't open attachments unless they are expected.
Other Viruses / Worms
- CIH "Chernobyl" Virus, 1998, Taiwan:
  - Time bomb: April 26, or the 26th of each month
  - Writes random garbage to disk starting at sector 0
  - Attempts to trash the FLASH BIOS
  - Hides itself in unused spaces
- Worm.ExploreZip, 1999: Melissa + zeroed-out files
- BubbleBoy, 1999: Melissa-like except it doesn't require opening an attachment (ActiveX)
- Love Bug, 2000: "I LOVE YOU" (like Melissa)
Code Red (2001)
- Runs on WinNT 4.0 or Windows 2000
- Scans port 80 on up to 100 random IP addresses
- Resides only in RAM; no files
- Exploits buffer overflow in Microsoft IIS 4.0/5.0 (virus appeared one month after the advisory went out)
- Two flavors:
  - Code Red I: high traffic, web defacements, DDoS on whitehouse.gov, crash systems
  - Code Red II: high traffic, backdoor install, crash systems
- Three phases (by day of month): propagation (1-19), flood (20-27), termination (28-31)
- Other victims: Cisco 600 Routers, HP JetDirect Printers
Code Red (2001)
Lessons Learned:
- Don't use IIS! ;)
- Always keep software up-to-date
- Proof-of-concept to hide other attacks?
Nimda (2001)
- Multiple methods of spreading (email, client-to-server, server-to-client, network sharing)
- Server-to-client: IE auto-executes readme.eml (attached to all HTML files the server sends back to the client)
- Client-to-server: "burrows": scanning is local 75% of the time
- Email: readme.exe is auto-executed upon viewing HTML email on IE 5.1 or earlier
Nimda (2001)
Lessons Learned:
- Install the latest web server and browser patches (or upgrade the version altogether)
- Don't use MIME auto-execution
- Disable JavaScript
- Reject using applications that are routinely exploited???
Just this week: BadTrans Worm
- Spread via email; attacks Windows systems
- Records (once per second) keystrokes, usernames, & passwords typed into windows with titles: LOG, PAS, REM, CON, TER, NET
- Sends to one of 20+ email addresses
- Uses one of 15+ "from" addresses
- Uses one of 15+ attachment names w/ 2 extensions ({.doc/.mp3/.zip}, {.pif/.scr})
Firewalls
Two major technologies:
- Packet Filters
- Proxies
Related technologies:
- Network Address Translation (NAT)
- Virtual Private Networks (VPN)
Packet Filtering Routers
- Filter on: IP Source, IP Dest, Protocol (TCP, UDP, ICMP)
  - TCP/UDP Source & Dest Ports
  - ICMP Message Type (request, reply, time exceeded)
  - Packet Size
  - NICs
- Stateful vs. Stateless Inspection, e.g., UDP DA/DP checking
- Simple Protocol Checking, e.g., format checking, disconnecting anonymous FTP transfers
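To make the stateless/stateful distinction concrete, here is an added example, not code from the talk: a toy packet-filtering router in C. The static rules match on source/destination address, protocol and destination port; a small state table then admits inbound UDP only as the reply to a datagram an inside host sent (the "UDP DA/DP checking" above). The addresses, the internal network, the ruleset and the function names (filter_stateless, filter_stateful) are all constructed for this example.

```c
/* Added example, not from the slides: a minimal packet-filtering router.
 * Rules match on source/destination address, protocol and destination
 * port (stateless); a small state table then admits inbound UDP only as
 * the reply to an outbound datagram (stateful UDP DA/DP checking).
 * Addresses, networks and the ruleset are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { ACT_DROP = 0, ACT_ACCEPT = 1 };
enum { DIR_IN = 0, DIR_OUT = 1 };   /* IN = arriving from the Internet */
#define ANY 0                        /* wildcard for address, protocol, port */

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define NET_INSIDE IP(10, 1, 0, 0)   /* constructed internal /16 */
#define MASK_16    0xFFFF0000u
#define HOST_WEB   IP(10, 1, 0, 80)  /* constructed internal web server */

struct packet {
    int dir;
    uint32_t src, dst;
    uint8_t proto;
    uint16_t sport, dport;
};

struct rule {
    int dir;
    uint32_t src, src_mask;   /* matches when (addr & mask) == src */
    uint32_t dst, dst_mask;
    uint8_t proto;            /* ANY or an IP protocol number */
    uint16_t dport;           /* ANY or a destination port */
    int action;
};

/* First match wins; the catch-all DROP rules make the policy default deny. */
static const struct rule rules[] = {
    { DIR_IN,  ANY, 0, HOST_WEB, 0xFFFFFFFFu, PROTO_TCP, 80,  ACT_ACCEPT },
    { DIR_IN,  ANY, 0, ANY,      0,           ANY,       ANY, ACT_DROP   },
    { DIR_OUT, NET_INSIDE, MASK_16, ANY, 0,   PROTO_TCP, ANY, ACT_ACCEPT },
    { DIR_OUT, NET_INSIDE, MASK_16, ANY, 0,   PROTO_UDP, ANY, ACT_ACCEPT },
    { DIR_OUT, ANY, 0, ANY,      0,           ANY,       ANY, ACT_DROP   },
};

static int rule_matches(const struct rule *r, const struct packet *p)
{
    return r->dir == p->dir
        && (p->src & r->src_mask) == r->src
        && (p->dst & r->dst_mask) == r->dst
        && (r->proto == ANY || r->proto == p->proto)
        && (r->dport == ANY || r->dport == p->dport);
}

/* Stateless inspection: each packet is judged on its own header fields. */
int filter_stateless(const struct packet *p)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].action;
    return ACT_DROP;
}

/* State table of outbound UDP flows that are allowed to receive a reply. */
#define MAX_STATE 32
struct udp_state { uint32_t in_addr, ext_addr; uint16_t in_port, ext_port; };
static struct udp_state states[MAX_STATE];
static int nstates;

void state_reset(void) { nstates = 0; }

/* Stateful inspection: inbound UDP is accepted only when its destination
 * address/port and its peer match a flow an inside host opened; outbound
 * UDP that passes the static rules creates that flow. */
int filter_stateful(const struct packet *p)
{
    if (p->proto == PROTO_UDP && p->dir == DIR_IN) {
        for (int i = 0; i < nstates; i++)
            if (states[i].in_addr == p->dst && states[i].in_port == p->dport
                && states[i].ext_addr == p->src && states[i].ext_port == p->sport)
                return ACT_ACCEPT;
        return ACT_DROP;   /* unsolicited UDP never reaches the inside */
    }
    int action = filter_stateless(p);
    if (action == ACT_ACCEPT && p->proto == PROTO_UDP && nstates < MAX_STATE) {
        states[nstates].in_addr  = p->src;  states[nstates].in_port  = p->sport;
        states[nstates].ext_addr = p->dst;  states[nstates].ext_port = p->dport;
        nstates++;
    }
    return action;
}

int main(void)
{
    /* constructed DNS query from an inside host and the server's reply */
    struct packet query = { DIR_OUT, IP(10, 1, 0, 5), IP(192, 0, 2, 53), PROTO_UDP, 40000, 53 };
    struct packet reply = { DIR_IN, IP(192, 0, 2, 53), IP(10, 1, 0, 5), PROTO_UDP, 53, 40000 };
    printf("stateless reply: %d\n", filter_stateless(&reply));   /* 0: dropped */
    filter_stateful(&query);
    printf("stateful reply:  %d\n", filter_stateful(&reply));    /* 1: accepted */
    return 0;
}
```

The stateless filter cannot admit the DNS reply without a blanket "allow inbound UDP from port 53" rule, which would also admit anything else sent from that port; the stateful filter admits exactly the replies to flows the inside opened and nothing more. This is also why the slide lists packet filters as hard to configure and test: the rule order and the wildcards decide the policy.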
Packet Filtering
Advantages
- One router can protect an entire network
- Simple filtering is efficient
- Widely available
Disadvantages
- Hard to configure & test
- Reduces router performance
- Can't enforce some policies (e.g., user-level)
Proxies
- Security vs. Caching Proxies
- SOCKS: proxy construction toolkit
- Trusted Information Systems Firewall Toolkit (TIS FWTK: Telnet, FTP, HTTP, rlogin, X11)
- Most used to control use of outbound services
- Can also be used to control inbound services (reverse proxying)
Proxies
Advantages
- Logging, Caching, Intelligent Filtering
- User-level authentication
- Guards against weak IP implementations
Disadvantages
- Lag behind non-proxied services
- Requires different servers for each service
- Usually requires modifications to client applications
Firewall Architectures
- Dual-Homed Host
  - Services can only be proxied
- Screening Router w/ Bastion Host
  - Security by packet filtering
  - Bastion host is a single point of failure
- Screened Subnet: Ext Router, Perimeter, Bastion Host, Interior Router
  - Internal ethernet packets protected from the perimeter
Example Attacks
- IP Spoofing
- TCP SYN Flood
- SMURF Attack: ICMP Ping w/ max payload to broadcast address
- D-DOS Attack: Infiltrate, set up sleepers, attack at once
References
- White-Hat Security Arsenal, A. Rubin
- Security Engineering, R. Anderson
- www.webtorials.com, Gary Kessler
- Building Internet Firewalls, E. Zwicky, et al.
- Counter Hack, E. Skoudis
Network Address Translation (NAT)
- Translates network addresses & ports
- Does not provide additional security
- Possibilities:
  - One external address per internal address
  - Dynamically assign external address
  - Map multiple internal to one external (port sharing)
  - Dynamically assign external addresses and ports
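The "map multiple internal to one external" variant with dynamically assigned ports is the one most readers will have met; the following added example, not code from the talk, implements its translation table in C. Outbound packets get the single external address and a fresh external port; inbound packets are rewritten back only when a mapping exists, which is the mechanical reason NAT incidentally restricts incoming traffic even though, as the slide says, it is not a security mechanism. The public address, port range, table size and function names (nat_outbound, nat_inbound) are constructed for this example.

```c
/* Added example, not from the slides: the "map multiple internal addresses
 * to one external address" NAT variant with dynamically assigned external
 * ports (port sharing). Outbound packets have their source rewritten to
 * the single external address and a fresh port; inbound packets are
 * rewritten back only if a mapping exists, otherwise they are dropped.
 * The addresses and table size are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define EXT_ADDR  IP(203, 0, 113, 1)   /* constructed single public address */
#define PORT_BASE 50000                /* first external port handed out */
#define MAX_MAP   64

struct mapping { uint32_t in_addr; uint16_t in_port, ext_port; int used; };
static struct mapping table[MAX_MAP];

struct nat_packet { uint32_t src, dst; uint16_t sport, dport; };

void nat_reset(void) { memset(table, 0, sizeof table); }

/* Return the external port bound to (in_addr, in_port), allocating one
 * if needed. Returns 0 when the table is full. Mappings are keyed on the
 * internal endpoint only, a simplification of real NAT implementations. */
static uint16_t lookup_or_add(uint32_t in_addr, uint16_t in_port)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_MAP; i++) {
        if (table[i].used && table[i].in_addr == in_addr && table[i].in_port == in_port)
            return table[i].ext_port;
        if (!table[i].used && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0)
        return 0;
    table[free_slot].used = 1;
    table[free_slot].in_addr = in_addr;
    table[free_slot].in_port = in_port;
    table[free_slot].ext_port = (uint16_t)(PORT_BASE + free_slot);
    return table[free_slot].ext_port;
}

/* Outbound: rewrite the source to EXT_ADDR:ext_port. Returns 0, or -1 if
 * no external port is free (the packet should then be dropped). */
int nat_outbound(struct nat_packet *p)
{
    uint16_t ext = lookup_or_add(p->src, p->sport);
    if (ext == 0)
        return -1;
    p->src = EXT_ADDR;
    p->sport = ext;
    return 0;
}

/* Inbound: rewrite the destination back to the internal host. Returns 0,
 * or -1 when no mapping matches, i.e. unsolicited traffic has nowhere to go. */
int nat_inbound(struct nat_packet *p)
{
    if (p->dst != EXT_ADDR)
        return -1;
    for (int i = 0; i < MAX_MAP; i++) {
        if (table[i].used && table[i].ext_port == p->dport) {
            p->dst = table[i].in_addr;
            p->dport = table[i].in_port;
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    /* two constructed inside hosts that happen to use the same local port */
    struct nat_packet a = { IP(10, 0, 0, 2), IP(198, 51, 100, 9), 1234, 80 };
    struct nat_packet b = { IP(10, 0, 0, 3), IP(198, 51, 100, 9), 1234, 80 };
    nat_reset();
    nat_outbound(&a);
    nat_outbound(&b);
    printf("host .2 -> external port %u, host .3 -> external port %u\n", a.sport, b.sport);
    return 0;
}
```

The table is what makes the next slide's disadvantages visible: nothing here tells the router when a UDP "session" is over, so entries can only expire on a guessed timeout, and any protocol that carries the internal address in its payload (embedded IP addresses) still leaks it, because only the IP/transport headers are rewritten.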
Network Address Translation (NAT)
Advantages
- Helps enforce control over outbound connections
- Helps restrict incoming traffic
- Helps conceal the internal network configuration
Disadvantages
- Not good for UDP (must guess session lifetimes)
- Doesn't deal with embedded IP addresses
- Interferes with authentication & encryption
- Interferes with logging & packet filtering