SecurityDLTalk


  • 8/7/2019 SecurityDLTalk

    1/25

    Security Tidbits

    Neil Daswani

  • 2/25

    Overview

    The FLI Model

    Infiltrations: Viruses / Worms

    Lessons Learned

    Firewalls & Attacks

    What is a firewall? How do they work?

    How to prevent attacks

  • 3/25

    Security Problems & Solutions (the FLI model)

    Problem classes: Failure (Process/Storage), Lies, Infiltration

    Prevention: Physical Security, Uninterruptible Power, Firewalls, Authentication, Authorization, Non-Repudiation, Time-Stamping, Digital Signatures, Hardware Protection, Firewalls, Common Sense

    Management: Non-Stop Processes, Fault-Tolerance, Watchdog Processor, Replication, RAID, Backups, Byzantine Agreement, Reputation Systems, Intrusion Detection, Anti-virus Software

    Recovery: Fail-Over, Hot Swapping, Key Escrow, Fail-Stop Digital Signatures, Auditing, Certificate Revocation

  • 4/25

    Morris Worm (1988)

    Damage: 6000 computers in just a few hours

    What: just copied itself; didn't touch data

    Exploited:

    buffer overflow in fingerd (UNIX)

    sendmail debug mode (exec arbitrary cmds)

    dictionary of 432 frequently used passwords

  • 5/25

    Buffer Overflow Example

    #include <string.h>

    /* Deliberately vulnerable: strcpy copies until the terminating NUL of str,
     * so any argument longer than 15 characters writes past the 16-byte buffer. */
    void sample_func (char *str) {
        char buffer[16];
        strcpy (buffer, str);
    }

    int main (int argc, char *argv[]) {
        if (argc < 2) return 1;   /* nothing to copy */
        sample_func (argv[1]);
        return 0;
    }
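The slide shows the unsafe copy; the bounds-checked counterpart below is an added example, not code from the talk. The names safe_copy and sample_func_safe are my own. The fix is to bound the copy by the destination's size (passed explicitly) rather than by the length of attacker-controlled input, and to report truncation to the caller instead of silently writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* same buffer size as the slide's example */

/* Copy str into dst without ever writing more than dst_size bytes.
 * Returns 1 if the whole string (including its NUL) fit, 0 if it was
 * truncated. dst is NUL-terminated in both cases. */
int safe_copy(char *dst, size_t dst_size, const char *str)
{
    size_t len;
    if (dst_size == 0) return 0;
    len = strlen(str);
    if (len >= dst_size) {
        memcpy(dst, str, dst_size - 1);   /* keep room for the terminator */
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, str, len + 1);
    return 1;
}

/* Hardened version of sample_func: the copy is bounded by sizeof buffer,
 * so an over-long argument is truncated rather than overflowing the stack. */
int sample_func_safe(const char *str)
{
    char buffer[BUF_SIZE];
    return safe_copy(buffer, sizeof buffer, str);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (sample_func_safe(argv[1]))
        puts("copied");
    else
        puts("input too long: truncated, not overflowed");
    return 0;
}
```

Returning the truncation status matters: a silently truncated value (a path, a username) can be just as exploitable as an overflow in some contexts, so the caller should decide whether truncation is acceptable.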

  • 6/25

    Morris Worm (1988)

    Lessons Learned from Morris

    Diversity is good. Big programs have many exploitable bugs.

    Choose good passwords.

    Don't shut down mail servers: doing so did prevent the worm from spreading, but it also shut down the defense.

    CERT was created to respond to attacks.

  • 7/25

    Melissa (1999)

    What: just copied itself; did not touch data

    When date=time: "Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game's over. I'm outta here."

    Exploited:

    MS Word Macros (VB)

    MS Outlook Address Book (Fanout = 50)

    "Important message from"

  • 8/25

    Melissa (1999)

    Lessons Learned:

    Homogeneity is bad. Users will click on anything.

    Separation of applications is good.

    Users trusted the message since it came from someone they knew.

    Don't open attachments unless they are expected.

  • 9/25

    Other Viruses / Worms

    CIH Chernobyl Virus, 1998, Taiwan:

    Time bomb: April 26, or the 26th of each month

    Writes random garbage to disk starting at sector 0

    Attempts to trash the flash BIOS

    Hides itself in unused spaces

    Worm.ExploreZip, 1999: Melissa + zeroed out files

    BubbleBoy, 1999: Melissa-like except doesn't require opening an attachment (ActiveX)

    Love Bug, 2000: I LOVE YOU (like Melissa)

  • 10/25

    Code Red (2001)

    Runs on WinNT 4.0 or Windows 2000

    Scans port 80 on up to 100 random IP addresses

    Resides only in RAM; no files

    Exploits buffer overflow in Microsoft IIS 4.0/5.0 (virus appeared one month after the advisory went out)

    Two flavors:

    Code Red I: high traffic, web defacements, DDOS on whitehouse.gov, crash systems

    Code Red II: high traffic, backdoor install, crash systems

    Three phases: propagation (1-19), flood (20-27), termination (28-31)

    Other victims: Cisco 600 Routers, HP JetDirect Printers

  • 11/25

    Code Red (2001)

    Lessons Learned:

    Don't use IIS! ;)

    Always keep software up-to-date

    Proof-of-concept to hide other attacks?

  • 12/25

    Nimda (2001)

    Multiple methods of spreading (email, client-to-server, server-to-client, network sharing)

    Server-to-client: IE auto-executes readme.eml (attached to all HTML files the server sends back to the client)

    Client-to-server: burrows; scanning is local 75% of the time

    Email: readme.exe is auto-executed upon viewing HTML email on IE 5.1 or earlier

  • 13/25

    Nimda (2001)

    Lessons Learned:

    Install latest web server and browser patches (or upgrade version altogether)

    Don't use MIME auto-execution

    Disable JavaScript

    Reject using applications that are routinely exploited???

  • 14/25

    Just this week: BadTrans Worm

    Spread via email; attacks Windows systems

    Records (once per second) keystrokes, usernames, & passwords entered in windows with titles: LOG, PAS, REM, CON, TER, NET

    Sends to one of 20+ email addresses

    From: one of 15+ from addresses

    Attachment: one of 15+ attachment names w/ 2 extensions ({.doc/.mp3/.zip}.{.pif/.scr})

  • 15/25

    Firewalls

    Two major technologies:

    Packet Filters

    Proxies

    Related technologies

    Network Address Translation (NAT)

    Virtual Private Networks (VPN)

  • 16/25

    Packet Filtering Routers

    Filter on: IP Source, IP Dest, Protocol (TCP, UDP, ICMP)

    TCP/UDP Source & Dest Ports

    ICMP Message Type (req,reply,time exceed)

    Packet Size

    NICs

    Stateful vs. Stateless Inspection, e.g., UDP DA/DP (destination address/port) checking

    Simple Protocol Checking, e.g., format checking, disconnecting anonymous FTP transfers
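The match fields on this slide, put together into a working filter, as an added example (not code from the talk): a first-match rule list over source/destination network, protocol, destination port, ICMP type, packet size and arriving NIC, followed by the stateful UDP check the slide alludes to. The policy, addresses (RFC 5737 documentation ranges and 10.0.0.0/8) and the rule/packet layouts are my own constructions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define IP(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define ANY_PORT 0
#define ANY_TYPE 255
#define EXT_NIC  0   /* arrived on the external (Internet-facing) interface */
#define INT_NIC  1   /* arrived on the internal interface */

enum proto  { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum action { DENY = 0, ALLOW = 1 };

struct packet {
    uint32_t src_ip, dst_ip;
    uint8_t  proto;
    uint16_t src_port, dst_port;   /* TCP/UDP only */
    uint8_t  icmp_type;            /* ICMP only: 8 = echo request, 0 = echo reply */
    uint16_t size;                 /* total length in bytes */
    int      nic;                  /* EXT_NIC or INT_NIC */
};

struct rule {
    uint32_t src_net, src_mask;    /* mask 0 matches any source */
    uint32_t dst_net, dst_mask;    /* mask 0 matches any destination */
    uint8_t  proto;                /* 0 = any protocol */
    uint16_t dst_port;             /* ANY_PORT = any */
    uint8_t  icmp_type;            /* ANY_TYPE = any */
    uint16_t min_size;             /* applies only to packets this large or larger; 0 = any */
    int      nic;                  /* -1 = either interface */
    enum action act;
};

static int rule_matches(const struct rule *r, const struct packet *p)
{
    if ((p->src_ip & r->src_mask) != (r->src_net & r->src_mask)) return 0;
    if ((p->dst_ip & r->dst_mask) != (r->dst_net & r->dst_mask)) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    if (r->nic >= 0 && r->nic != p->nic) return 0;
    if (r->min_size && p->size < r->min_size) return 0;
    if (p->proto == PROTO_ICMP)
        return r->icmp_type == ANY_TYPE || r->icmp_type == p->icmp_type;
    return r->dst_port == ANY_PORT || r->dst_port == p->dst_port;
}

/* The first matching rule decides; a packet that matches no rule is dropped. */
enum action filter(const struct rule *rules, size_t n, const struct packet *p)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].act;
    return DENY;
}

/* Constructed policy: web server 192.0.2.10 behind the filter, internal net 10.0.0.0/8. */
static const struct rule policy[] = {
    /* inbound HTTP to the web server */
    { 0, 0, IP(192,0,2,10), 0xFFFFFFFFu, PROTO_TCP, 80, ANY_TYPE, 0, EXT_NIC, ALLOW },
    /* oversized echo requests from outside are dropped before the rule that allows pings */
    { 0, 0, 0, 0, PROTO_ICMP, ANY_PORT, 8, 1000, EXT_NIC, DENY },
    { 0, 0, 0, 0, PROTO_ICMP, ANY_PORT, 8, 0, EXT_NIC, ALLOW },
    /* anything originating inside may leave */
    { IP(10,0,0,0), 0xFF000000u, 0, 0, 0, ANY_PORT, ANY_TYPE, 0, INT_NIC, ALLOW },
};

enum action apply_policy(const struct packet *p)
{
    return filter(policy, sizeof policy / sizeof policy[0], p);
}

/* Stateful UDP (the slide's DA/DP checking): remember outbound datagrams so an
 * inbound one is accepted only if its destination address/port and source
 * address/port mirror something that was actually sent out. */
#define MAX_FLOWS 64
struct udp_flow { uint32_t int_ip, ext_ip; uint16_t int_port, ext_port; };
static struct udp_flow flows[MAX_FLOWS];
static size_t nflows;

void note_outbound_udp(const struct packet *p)
{
    if (p->proto == PROTO_UDP && nflows < MAX_FLOWS)
        flows[nflows++] = (struct udp_flow){ p->src_ip, p->dst_ip, p->src_port, p->dst_port };
}

int udp_reply_expected(const struct packet *p)
{
    for (size_t i = 0; i < nflows; i++)
        if (flows[i].int_ip == p->dst_ip && flows[i].int_port == p->dst_port &&
            flows[i].ext_ip == p->src_ip && flows[i].ext_port == p->src_port)
            return 1;
    return 0;
}

int main(void)
{
    struct packet ssh = { IP(198,51,100,7), IP(192,0,2,10), PROTO_TCP, 40000, 22, 0, 60, EXT_NIC };
    printf("inbound SSH to web server: %s\n", apply_policy(&ssh) == ALLOW ? "allow" : "deny");
    return 0;
}
```

Rule order is the hard part the slide's "hard to configure & test" bullet refers to: the oversized-ping deny has to precede the general ping allow, and a stateless policy alone cannot admit the DNS reply to an internal host without also admitting every unsolicited UDP datagram to that port, which is exactly the gap the flow table closes.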

  • 17/25

    Packet Filtering

    Advantages

    One router can protect entire network

    Simple filtering is efficient

    Widely available

    Disadvantages

    Hard to configure & test

    Reduces router performance

    Can't enforce some policies (e.g., user-level)

  • 18/25

    Proxies

    Security vs. Caching Proxies

    SOCKS: proxy construction toolkit

    Trusted Information Systems Firewall Toolkit (TIS FWTK: Telnet, FTP, HTTP, rlogin, X11)

    Most used to control use of outbound services

    Can also be used to control inbound services (reverse proxying)

  • 19/25

    Proxies

    Advantages

    Logging, Caching, Intelligent Filtering

    User-level authentication

    Guards against weak IP implementations

    Disadvantages

    Lag behind non-proxied services

    Requires different servers for each service

    Usually requires modifications to client applications

  • 20/25

    Firewall Architectures

    Dual-Homed Host: services can only be proxied

    Screening Router w/ Bastion Host: security by packet filtering; bastion host is a single point of failure

    Screened Subnet: exterior router, perimeter network, bastion host, interior router; internal Ethernet packets are protected from the perimeter

  • 21/25

    Example Attacks

    IP Spoofing

    TCP SYN Flood

    SMURF Attack: ICMP ping w/ max payload to broadcast address

    D-DOS Attack: infiltrate, set up sleepers, attack at once
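Two of these attacks leave a recognisable trace at the network edge, and the detection logic below is an added example (not from the talk) run over a constructed packet trace: a SYN flood appears as many half-open handshakes (SYN received, no completing ACK from that source) toward one server, and the SMURF amplification step appears as ICMP echo requests addressed to a subnet's directed-broadcast address. The packet layout, addresses (RFC 5737 ranges, 10.0.0.0/8) and function names are mine.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define IP(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
enum { PROTO_ICMP = 1, PROTO_TCP = 6 };
enum { F_SYN = 1, F_ACK = 2 };          /* the TCP flag bits used here */

struct pkt {
    uint32_t src_ip, dst_ip;
    uint8_t  proto;
    uint16_t src_port, dst_port;        /* TCP only */
    uint8_t  flags;                     /* TCP only */
    uint8_t  icmp_type;                 /* ICMP only: 8 = echo request */
};

/* Number of pure SYNs to server_ip:server_port whose sender never follows up
 * with an ACK. Each one occupies a slot in the server's connection backlog;
 * a count far above normal, spread across many sources, is the flood signature. */
size_t half_open_count(const struct pkt *t, size_t n, uint32_t server_ip, uint16_t server_port)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const struct pkt *s = &t[i];
        if (s->proto != PROTO_TCP || s->dst_ip != server_ip || s->dst_port != server_port) continue;
        if (s->flags != F_SYN) continue;          /* only a pure SYN opens a handshake */
        int completed = 0;
        for (size_t j = i + 1; j < n && !completed; j++) {
            const struct pkt *a = &t[j];
            completed = a->proto == PROTO_TCP && a->src_ip == s->src_ip && a->src_port == s->src_port &&
                        a->dst_ip == server_ip && a->dst_port == server_port && a->flags == F_ACK;
        }
        if (!completed) count++;
    }
    return count;
}

/* True when ip is the directed-broadcast address of net/mask (all host bits set),
 * e.g. 192.0.2.255 for 192.0.2.0/24. */
int is_directed_broadcast(uint32_t ip, uint32_t net, uint32_t mask)
{
    return (ip & mask) == (net & mask) && (ip & ~mask) == ~mask;
}

/* Echo requests to a broadcast address are the amplification step of a SMURF
 * attack; the router-side mitigation is to refuse to forward directed broadcasts. */
size_t smurf_count(const struct pkt *t, size_t n, uint32_t net, uint32_t mask)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].proto == PROTO_ICMP && t[i].icmp_type == 8 && is_directed_broadcast(t[i].dst_ip, net, mask))
            count++;
    return count;
}

/* Constructed trace: one completed handshake, three SYNs that are never completed,
 * one ping to the broadcast address, and one ordinary ping to a host. */
static const struct pkt sample_trace[] = {
    { IP(10,0,0,2),     IP(192,0,2,10),  PROTO_TCP,  40001, 80, F_SYN, 0 },
    { IP(10,0,0,2),     IP(192,0,2,10),  PROTO_TCP,  40001, 80, F_ACK, 0 },
    { IP(198,51,100,1), IP(192,0,2,10),  PROTO_TCP,  1000,  80, F_SYN, 0 },
    { IP(198,51,100,2), IP(192,0,2,10),  PROTO_TCP,  1001,  80, F_SYN, 0 },
    { IP(198,51,100,3), IP(192,0,2,10),  PROTO_TCP,  1002,  80, F_SYN, 0 },
    { IP(198,51,100,9), IP(192,0,2,255), PROTO_ICMP, 0,     0,  0,     8 },
    { IP(10,0,0,2),     IP(192,0,2,10),  PROTO_ICMP, 0,     0,  0,     8 },
};
#define SAMPLE_LEN (sizeof sample_trace / sizeof sample_trace[0])

size_t sample_half_open(void) { return half_open_count(sample_trace, SAMPLE_LEN, IP(192,0,2,10), 80); }
size_t sample_smurf(void)     { return smurf_count(sample_trace, SAMPLE_LEN, IP(192,0,2,0), 0xFFFFFF00u); }

int main(void)
{
    printf("half-open handshakes to 192.0.2.10:80: %zu\n", sample_half_open());
    printf("echo requests to the 192.0.2.0/24 broadcast: %zu\n", sample_smurf());
    return 0;
}
```

The half-open check is O(n^2) over the trace, which is fine for a captured sample; a live detector keeps a per-server table of pending SYNs keyed by (source, port) and ages entries out, and alerts when the table's size or growth rate crosses a threshold.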

  • 22/25

    References

    White-Hat Security Arsenal, A. Rubin

    Security Engineering, R. Anderson

    www.webtorials.com, Gary Kessler

    Building Internet Firewalls, E. Zwicky et al.

    Counter Hack, E. Skoudis

  • 23/25

    Network Address Translation (NAT)

    Translates network addresses & ports

    Does not provide additional security

    Possibilities:

    One external address per internal address

    Dynamically assign external address

    Map multiple internal to one external (port sharing)

    Dynamically assign external addresses and ports

  • 24/25

    Network Address Translation (NAT)

    Advantages

    Helps enforce control over outbound connections

    Helps restrict incoming traffic

    Helps conceal internal network configuration

    Disadvantages

    Not good for UDP (session lifetimes must be guessed)

    Doesn't deal with embedded IP addresses

    Interferes with authentication & encryption

    Interferes with logging & packet filtering
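The port-sharing variant from slide 23 ("map multiple internal to one external"), together with the two NAT properties from this slide that are easiest to see in code, as an added example (not from the talk): inbound traffic with no mapping is dropped, and UDP mappings are torn down on a guessed idle timeout because UDP never signals the end of a session. The table layout, the timeout value and the addresses (203.0.113.1 from the RFC 5737 documentation range, 10.0.0.0/8 inside) are my own constructions.

```c
#include <stdio.h>
#include <stdint.h>

#define IP(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define EXTERNAL_IP      IP(203,0,113,1)  /* the single public address */
#define FIRST_EXT_PORT   40000u
#define MAX_ENTRIES      64
#define UDP_IDLE_TIMEOUT 30u              /* seconds of silence before a mapping is dropped */

struct addr { uint32_t ip; uint16_t port; };

struct nat_entry {
    uint32_t int_ip;  uint16_t int_port;  /* internal host and port */
    uint16_t ext_port;                    /* port on EXTERNAL_IP */
    uint32_t last_seen;                   /* time of last packet, seconds */
    int      in_use;
};

static struct nat_entry table[MAX_ENTRIES];

/* Remove mappings idle for longer than the timeout: a guess at session life,
 * since UDP has no teardown the NAT could observe. */
void nat_expire(uint32_t now)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (table[i].in_use && now - table[i].last_seen > UDP_IDLE_TIMEOUT)
            table[i].in_use = 0;
}

/* Outbound: reuse the mapping for (int_ip, int_port) or allocate a new external
 * port. Returns the rewritten source address; port 0 means the table is full. */
struct addr nat_outbound(uint32_t int_ip, uint16_t int_port, uint32_t now)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (table[i].in_use && table[i].int_ip == int_ip && table[i].int_port == int_port) {
            table[i].last_seen = now;
            return (struct addr){ EXTERNAL_IP, table[i].ext_port };
        }
        if (!table[i].in_use && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return (struct addr){ 0, 0 };
    table[free_slot] = (struct nat_entry){ int_ip, int_port, (uint16_t)(FIRST_EXT_PORT + free_slot), now, 1 };
    return (struct addr){ EXTERNAL_IP, table[free_slot].ext_port };
}

/* Inbound: only a packet addressed to a live mapping can be forwarded; anything
 * else has no internal destination and is dropped, which is the "helps restrict
 * incoming traffic" effect. Returns 1 and fills *dst on success, 0 on drop. */
int nat_inbound(uint32_t dst_ip, uint16_t dst_port, uint32_t now, struct addr *dst)
{
    if (dst_ip != EXTERNAL_IP) return 0;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (table[i].in_use && table[i].ext_port == dst_port) {
            table[i].last_seen = now;
            *dst = (struct addr){ table[i].int_ip, table[i].int_port };
            return 1;
        }
    return 0;
}

int main(void)
{
    struct addr a = nat_outbound(IP(10,0,0,5), 5000, 100);
    struct addr b = nat_outbound(IP(10,0,0,6), 5000, 100);
    printf("10.0.0.5:5000 -> 203.0.113.1:%u\n", a.port);
    printf("10.0.0.6:5000 -> 203.0.113.1:%u\n", b.port);
    return 0;
}
```

The "embedded IP addresses" disadvantage is visible by omission: nothing here inspects payloads, so a protocol that carries its own address inside the data (classic FTP's PORT command, for instance) will advertise the 10.x address and fail through this NAT unless a protocol-specific helper rewrites it.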
