Network Security - PowerPoint PPT Presentation

Provided by: terryab

Transcript and Presenter's Notes

Title: Network Security


1
Network Security
2
Terry Beasley's Section
3
Hackers
  • Many hackers don't really understand the
    systems or software they are hacking.
  • Most are foot soldiers: teenagers and others
    who simply use packaged programs supplied by the
    few with the know-how (referred to as the elite,
    or "leet," in the hacker community).
  • Just because most attacks come from people with
    no real understanding does not mean that there is
    no harm. With no understanding of the systems
    they are hacking, they are more likely to cause
    harm.
  • If your computer is on a network, it can be
    hacked.
  • There are seven stages of system penetration:
  • Reconnaissance: gather information about the
    target system or network. This
  • Probe and attack: probe the system for
    weaknesses and deploy the tools.
  • Toehold: exploit a security weakness and gain
    entry into the system.
  • Advancement: advance from an unprivileged
    account to a privileged account.
  • Stealth: hide tracks; install a backdoor.
  • Listening post: establish a listening post.
  • Takeover: expand control from a single host to
    other hosts on the network.
  • Source: http://rr.sans.org/threats/breakins.php
  • This is a CERT advisory board

4
The most secure computer is one that is turned
off. There is always a tradeoff between
security and usefulness. The more secure a
system, the more end-user unfriendly it is. . .
5
Passive vs. Active Attacks
  • Passive attacks: monitor transmissions.
  • Active attacks: modify transmitted data in order
    to gain unauthorized access to systems.

6
Points of Entry
  • A LAN is a broadcast network, meaning the packets
    are subject to being intercepted by software
    known as packet sniffers.
  • The frame carries the source and destination
    address. A hacker can modify his broadcast and
    receive packets on the LAN not intended for
    him/her. They can then instantaneously transfer
    them to the correct destination (after copying
    the data).
  • Another name for the software is an eavesdropper.
    It can be programmed to scan for passwords, etc.
  • It need not be local: with the Internet, if the
    system can be entered, it can be monitored
    remotely.
  • Other points of entry . . .
  • Wiring Closets
  • The wiring closet provides links to dedicated
    networks.
  • Routers
  • Dial Up Modem Banks
  • Microwave or Radio Traffic
  • Telco POPs (Points of Presence)
  • ISDN or DSL Connections
  • T1/T3, OC3, etc.
  • Satellite Transmission
  • Cable Internet Providers (especially troublesome,
    as it is a shared medium)
  • THE DISGRUNTLED EMPLOYEE!

7
Benign vs. Serious?
  • Benign attacks still consume resources and slow
    performance for legitimate users.
  • How can you tell if the attack is benign or
    serious? They ALL are serious to the IS manager.
  • REASONS FOR ATTACKS
  • Globalization
  • Hackers will sell their services for Espionage.
  • The move to client/server architecture.
  • Hackers' steep learning curve
  • HACKERS LOVE TO SHARE INFORMATION AND THEY ARE
    GOOD AT IT!
  • Most hackers acquire their skills as teens or
    EARLIER. Many IS managers do not begin their
    training until their twenties.

8
Results of GAO Vulnerability Assessment
  • Protection: 38,000 attacks; 13,300 blocked
    (refused); 24,700 succeed
  • Detection: 988 detected; 23,712 not detected
  • Reaction: 267 reported; 721 not reported
9
Two Points
The High Level of Dependence of organizations on
computerized information and distributed
processing means that the cost of security
failure can be high!
The growing population of users of the Internet
and other networking and dial-in facilities
provides a growing opportunity for unauthorized
access.
10
(No Transcript)
11
What is Social Engineering?
"An outside hacker's use of psychological tricks
on legitimate users of a computer system, in order
to gain the information he needs to gain access to
the system."
Social Engineering is a way of getting important
information from users without them knowing they
are giving this info to you. To be able to social
engineer you do need a few things:
  • Some information on the target
  • You must be very patient
  • Good Social Skills
Although it may sound complex, social engineering
is probably the best 'tool' that you can learn and
become good at. IT'S ALSO VERY EASY.
Social engineering is simply a hacker calling your
organization posing as a person (maybe they got
the receptionist's name) and asking questions. If
they are patient, convincing, and cautious,
eventually they will find someone in your company
that will give them a password they need to enter
your system.
Right now social engineering accounts for many
attacks. Once they have a legitimate password, it
is very hard for a system administrator to catch
this immediately.
Source: alt.hacking
12
Encryption Methods
  • Conventional
  • Plaintext
  • Encryption Algorithm
  • Secret Key
  • Ciphertext
  • Decryption Algorithm
  • Two Requirements
  • A Strong Algorithm
  • Secure Keys

13
Encryption Attacks
  • Cryptanalysis
  • Requires knowledge of the algorithm and exploits.
  • Brute Force
  • Simply tries every combination of letters and
    numbers.

14
DES Encryption
  • In the '70s experts warned it would only be a
    matter of time before it was broken. It only used
    a 56-bit key. This does not sound like a lot, but
    it means that there were 2 to the 56th power
    possible keys.
  • DES was broken in 1998 with a machine that cost
    less than 250,000 dollars. The attack took less
    than 3 days. The hacking group that broke it
    published the attack in detail and disseminated
    it globally. Today, the machine can be built for
    less than 10,000 dollars.
  • The federal government still uses this method of
    encryption widely, although it is upgrading.

15
Public Key Encryption
16
Public Key Explanation
  • The problems of key distribution are solved by
    public key cryptography, the concept of which was
    introduced by Whitfield Diffie and Martin Hellman
    in 1975. (There is now evidence that the British
    Secret Service invented it a few years before
    Diffie and Hellman, but kept it a military secret
    and did nothing with it: J. H. Ellis, The
    Possibility of Secure Non-Secret Digital
    Encryption, CESG Report, January 1970.)
  • Public key cryptography is an asymmetric scheme
    that uses a pair of keys: a public key, which
    encrypts data, and a corresponding private, or
    secret, key for decryption. You publish your
    public key to the world while keeping your
    private key secret. Anyone with a copy of your
    public key can then encrypt information that only
    you can read, even people you have never met.
  • It is computationally infeasible to deduce the
    private key from the public key. Anyone who has a
    public key can encrypt information but cannot
    decrypt it. Only the person who has the
    corresponding private key can decrypt the
    information.

17
Example PGP
  • Just to illustrate how enormous a task brute
    force attacking a secure algorithm is, let us
    take the example of PGP (a program that is
    internationally known for being both free and
    secure).
  • PGP uses 128-bit encryption (as opposed to 56-bit
    DES).
  • Any one of 2 to the 128th power combinations
    could be a valid key.
  • Take a 1 gigahertz processor.
  • Now take 1 billion 1 gigahertz processors.
  • It would still require over 10,000,000,000,000
    years to try all of the possible 128-bit keys.
  • This is longer than the age of the universe.

18
Other Encryption Methods
  • 3DES is probably the most studied cryptographic
    algorithm ever. It offers the strength equivalent
    to a 112-bit block cipher. The best attacks
    published require massive amounts of storage and
    still take more than 2^108 operations. This is
    the proposed replacement for DES.
  • CAST is a well-studied 128-bit algorithm. There
    is no known way of breaking it faster than brute
    force.
  • AES, or Rijndael, is a relative newcomer in
    crypto-algorithms, chosen to replace DES/3DES
    with larger keys (128, 192 or 256 bit) and higher
    performance. Although there is a lot of attention
    to all the AES contestants and finalists in
    general and Rijndael in particular, it hasn't had
    nearly as much scrutiny as the previously
    mentioned algorithms.
  • Blowfish and its newer cousin Twofish have gotten
    much attention but are both still relatively new.
    Because they do not seem encumbered by patents
    and there are no serious, publicly known attacks,
    these algorithms are popular with many open
    source projects. They use 256-bit keys.

19
What is the easiest way to defeat encryption?
  • You can encrypt till your heart is content, but
    if something is logging your passwords, then you
    are defeated.
  • If your key is accessed, you are defeated.
  • It is only as secure as you are.
  • The government can log your keystrokes 3 city
    blocks away from the EMI on your monitor. If the
    government has the technology, then someone else
    is sure to have it as well.

20
Terry Bobo's Section
21
Encryption Device Locations
  • Link encryption: both ends of a vulnerable
    communications link are equipped with an
    encryption device.
  • The message is vulnerable at each switch, because
    at least part of the message must be decrypted
    each time it enters a packet switch.
  • End-to-end encryption: the source host or
    terminal encrypts the data, so the process is
    carried out by the two end systems.
  • The user data is secure, but the traffic pattern
    is not, because packet headers are transmitted in
    the clear.

22
Key Distribution
  • In the case of key distribution, different
    problems arise depending on whether the
    distribution uses conventional encryption or
    public-key encryption.

23
Conventional Encryption
  • For this to work, the two parties to a message
    exchange must have the same key, which must be
    protected from others.
  • Frequent key changes are desirable
  • The strength of the cryptographic system rests on
    the key distribution technique: the means of
    delivering a key to the two parties of an
    exchange without allowing others to see the key.

24
Conventional Encryption (Continued)
  • Key Distribution
  • A key could be selected by A and physically
    delivered to B
  • A third party could select the key and physically
    deliver it to A and B.
  • One party could transmit the new key to the
    other, encrypted using the old key.
  • C could deliver a key on the encrypted links to A
    and B, if both have an encrypted connection to C.

25
Public Key Distribution
  • A single pair of keys is generated between users,
    one private and one public.
  • The sender keeps the private key secure and
    broadcasts the public key.
  • Only the receiver is able to decrypt the message
    using the matching key to the public key.
  • The receiver must be able to be sure that the
    message is from the sender.

26
Digital Signatures
  • An authentication mechanism that enables the
    creator of a message to attach a code that acts
    as a signature (Stamper, pg. 591).
  • Guarantees the source is who they claim to be.
  • Guarantees that the message hasn't been altered
    in any way after being signed.

27
Amit's Section
28
Section 20.5
  • Web Security
  • Companies are moving to the Internet in order to
    maintain competitiveness and increase
    efficiency.
  • The simplest use of the web is to provide
    information to the users.
  • A website basically consists of a web server that
    runs on the local operating system and web pages
    that are stored in the local database or file
    management system.
  • Businesses are increasingly moving towards the
    use of the web for electronic commerce. Using the
    internet for carrying out electronic transactions
    makes it very vulnerable to hacking, which is a
    major threat to web security in today's business
    environment.

29
Types of threats faced by Web sites
  • Unauthorized alteration of data at the web site.
  • Unauthorized access to the underlying operating
    system at the Web server.
  • Eavesdropping on messages passed between a web
    server and a web browser.
  • Impersonation

30
Impersonation
  • Impersonation can be carried out in many ways;
    one of the most common is taking over a person's
    email account.
  • This can lead to loss of privacy from the account
    holder's point of view.

31
Potential intruders
  • Limited to the use of the relatively simple web
    commands, which only allow viewing web page
    information and filling in web page forms.
  • However, this limitation is very easily overcome
    by intruders using UNIX systems, which allow the
    intruder to put in their own code by overrunning
    a software buffer.

32
What do intruders do?
  • Suppose we had to make a transaction with
    www.ebay.com and we are asked by the web server
    of ebay to enter our credit card information.
    Intruders basically follow a method known as
    eavesdropping on a message. In this method they
    intercept the initial sign-on dialog box, and
    since the user is unaware of this, he/she
    naively enters their credit card and shipping
    information. The shipping information is changed
    by the intruder, in this case known as the
    eavesdropper. By doing this the eavesdropper gets
    the credit card information and also gets the
    purchased product.

33
Relationship between Cost and Security of
information on a web site
  • The manager needs to evaluate the costs versus
    the benefits.
  • Cost and security share a direct relationship.
  • The higher the security, the higher the cost.

34
2 basic lines of attack on improving security
  • Improve web site security. This can be done by
    the use of protocols such as Secure Hyper Text
    Transfer Protocol (SHTTP) and Secure Sockets
    Layer (SSL)
  • Improve security of the web application.
  • Most of the emphasis in this is given to the web
    server.
  • Both of these lines of attack are essential and
    neither one of them can be neglected.

35
Features of protocols
  • The most important feature of SHTTP and SSL is
    that they allow the client and server to
    negotiate acceptable levels of security for a
    particular transaction or a particular session.

36
20.6 Virtual Private Networks and IPSec
  • Virtual Private Networks (VPN): mainly a
    corporate site in which workstations, servers and
    databases are linked by one or more local area
    networks.
  • IPSec: authentication and encryption used for
    securing the Internet Protocol is known as
    Internet Protocol Security (IPSec).

37
Features of VPN
  • The LANs are under the control of the network
    manager and can be configured and tuned for
    cost-effective performance.
  • The internet or some other public network can be
    used to interconnect sites, providing a cost
    savings over the use of a private network and
    offloading the wide area network management task
    to the public network provider.

38
Drawbacks of VPN
  • Use of public network exposes corporate traffic
    to eavesdropping and provides an entry point for
    unauthorized users.
  • However, this problem can be solved by encryption
    and authentication packages and products.

39
Application of IPSec
  • Secure branch office connectivity over the
    internet.
  • Secure remote access over the internet.
  • Establishing extranet and intranet connectivity
    with partners.
  • Enhancing electronic commerce security.

40
Functions of IPSec
  • An authentication-only function referred to as
    the Authentication Header (AH).
  • A combined authentication/encryption function
    called Encapsulating Security Payload (ESP).
  • A key exchange function.

41
Encapsulating security payload.
  • ESP supports two modes of use: Transport mode
    and Tunnel mode.
  • Transport mode - Provides protection primarily
    for upper-layer protocols. That is, transport
    mode protection extends to the payload of an IP
    packet. Typically, used for end to end
    communication between 2 hosts.

42
Tunnel Mode
  • Tunnel mode: provides protection to the entire
    IP packet. The entire packet plus security fields
    is treated as the payload of a new outer IP
    packet with a new outer IP header. The entire
    original, or inner, packet travels through a
    tunnel from one point of an IP network to another.
    Mainly used when one or both ends is a security
    gateway, such as a firewall or router that
    implements IPSec.
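
Added example, not from the original presentation: a Python sketch of what an on-path observer can read in ESP transport mode versus tunnel mode, as described on the two slides above. The addresses, SPI, key and segment are constructed, the cipher is a stand-in keystream rather than a real ESP transform, and padding and the integrity check value are omitted.

```python
import hashlib
import socket
import struct

ESP, TCP, IPIP = 50, 6, 4            # IANA protocol numbers
KEY = b"constructed-demo-key"        # constructed sample key
SEGMENT = b"POST /pay card=4111..."  # constructed stand-in for a TCP segment

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def _stand_in_encrypt(key, seq, data):
    """Placeholder keystream XOR so the example needs only the stdlib.
    NOT a real ESP transform (real IPsec uses e.g. AES-GCM)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!II", seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(spi, seq, key, inner, next_header):
    """ESP header (SPI, sequence number) + encrypted [inner | pad len | next header]."""
    trailer = struct.pack("!BB", 0, next_header)
    return struct.pack("!II", spi, seq) + _stand_in_encrypt(key, seq, inner + trailer)

def transport_mode(src, dst, segment, spi, seq, key):
    """Original IP header stays in front; only the upper-layer payload is protected."""
    body = esp(spi, seq, key, segment, TCP)
    return ipv4_header(src, dst, ESP, len(body)) + body

def tunnel_mode(src, dst, segment, gw_a, gw_b, spi, seq, key):
    """Whole inner packet is protected; a new outer header names the gateways."""
    inner = ipv4_header(src, dst, TCP, len(segment)) + segment
    body = esp(spi, seq, key, inner, IPIP)
    return ipv4_header(gw_a, gw_b, ESP, len(body)) + body

def observer_view(packet):
    """What an eavesdropper without the key can parse from the wire."""
    proto, src, dst = struct.unpack("!9xB2x4s4s", packet[:20])
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "spi": spi, "seq": seq,
            "opaque_bytes": len(packet) - 28}

if __name__ == "__main__":
    hosts = ("192.0.2.10", "198.51.100.20")      # constructed end systems
    gws = ("203.0.113.1", "203.0.113.2")         # constructed security gateways
    print(observer_view(transport_mode(*hosts, SEGMENT, 0x1001, 1, KEY)))
    print(observer_view(tunnel_mode(*hosts, SEGMENT, *gws, 0x2001, 1, KEY)))
```

In transport mode the observer still sees the two end hosts; in tunnel mode only the gateway addresses appear, which hides the traffic pattern between the end systems.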

43
Key management
  • The key management portion of IPSec involves the
    determination and distribution of secret keys.
    The IPSec architecture document mandates support
    for 2 types of management: manual key management
    and automated key management.

44
Cindy's Section
45
Case Study: The Hacker in All of Us
46
Day 1: Finding the Goods
  • Track down publicly available information on the
    internet.
  • Deploy a few common network troubleshooting
    tools to correlate data between the backup and
    primary servers and Name Service lookup.
  • Use traceroute to view the network topology and
    identify potential access control devices like
    routers and firewalls.
  • Port-Scan to find out what ports are open and
    what services are running on those ports.

47
Day 2: Gaining Root Access
  • Root Access is the most privileged level of
    access
  • Start by picking the target
  • Establish Null session
  • Log Off and then back on as legitimate users in
    order to grab the password hashes and submit them
    to the password-cracking tools
  • Copy files and encrypted password hashes onto
    hard drive

48
Day 2 continued
  • Log off and hit the hashes with L0phtcrack and
    John the Ripper, tools that are available on the
    web. Both tools test passwords against a
    dictionary of common passwords until they break
    open.
  • 70% of plain-text passwords are found within
    minutes
  • The remaining 30% may take a day
  • After obtaining all passwords, it is possible to
    hack back into the machine at administrator level
    and get root control of the machine.

49
18 Things to Do After You've Hacked Admin
  • 1. Disable auditing
  • 2. Grab the password file
  • 3. Create an adminkit (hacker tools)
  • 4. Enumerate server information
  • 5. Enumerate secrets of LSA (Windows NT's Local
    Security Authority in the registry where password
    hashes are kept)
  • 6. Dump registry info
  • 7. Use Nltest (a tool that queries NT servers
    remotely)
  • 8. Pilfer the box
  • 9. Add an administrator account

50
  • 10. Grab a remote command shell
  • 11. Hijack the graphical user interface
  • 12. Disable Passprop (NT's password policy
    settings)
  • 13. Install a back door
  • 14. Install Trojan horses and sniffers
  • 15. Repeat
  • 16. Hide the adminkit (so you can use the machine
    as a launch point to attack others)
  • 17. Enable auditing
  • 18. Eat a nice meal

51
Day 3: Capturing the UNIX Flag
  • Begin by repeating discovery and gaining entry
    the same way as discussed on NT.
  • Corrupt the DNS server to reroute traffic to a
    phony IP address on an evil.com server where
    it's then possible to a.) grab information or b.)
    reroute the message into oblivion.
  • Conduct common HTTP attacks like test-Common
    Gateway Interface, which forces the victim to
    give up files and directories with a simple GET
    command, and execute remote commands that
    would disable access controls.

52
Day 3 Continued..
  • Install Trojan Horses (executable code to do
    bidding remotely) and open back doors to get back
    in using a Telnet terminal session without
    needing identifications or passwords.
  • Finally, the flag is captured by leapfrogging
    among Unix boxes

53
Lessons Learned
  • Network and security managers have a difficult
    task to handle, and bullet-proof security is a
    misnomer.
  • Managing security risk is the best anyone
    can hope for.
  • There's a little bit of a hacker in everyone,
    and by cultivating the hacker within, information
    security professionals can better fight the
    cracker.

54
Summary of Network Security
  • The increasing reliance by business on data
    processing systems and the increasing use of
    networks and communications facilities to build
    distributed systems have resulted in a strong
    requirement for computer and network security.
  • Requirements for security are best assessed by
    examining the various security threats faced by
    an organization.

55
  • Encryption is by far the most important automated
    tool for network and communications security.
  • Conventional encryption and public-key encryption
    are often combined in secure networking
    applications to provide a spectrum of security
    services.
  • Internet Web site application areas encompass
    most of the security threats encountered by
    businesses, as we learned through the case study.

56
THAT'S ALL FOLKS!