INTEGRITY - PowerPoint PPT Presentation

About This Presentation
Title:

INTEGRITY

Description:

INTEGRITY & POLICY Leticia Nisbett Lauren Walters Andrew Yao Overview Leticia Basic Integrity and Writing Policies to ensure integrity Lauren Access controls ... – PowerPoint PPT presentation

Number of Views:375
Avg rating:3.0/5.0
Slides: 102
Provided by: TheHein
Category:

less

Transcript and Presenter's Notes

Title: INTEGRITY


1
INTEGRITY POLICY
  • Leticia Nisbett
  • Lauren Walters
  • Andrew Yao

2
Overview
  • Leticia Basic Integrity and Writing Policies to
    ensure integrity
  • Lauren Access controls Security Models, and
    Integrity Tools
  • Andrew Applications to Case Study and Examples

3
What is Integrity?
  • Integrity is a VERY important security
    requirement
  • Protecting your information is highest priority
  • protecting integrity of your network is critical
    in ability to protect the information it
    contains.
  • Can be defined in a number of ways..

4
How would you define Integrity?
5
Definitions of Integrity
  • Integrity requires that computer system assets
    and transmitted information be capable of
    modification only by authorized parties.
  • not modified by unauthorized persons
  • not created by unauthorized persons

6
Integrity
  • In cryptography and information security
  • integrity refers to the validity of data.
  • Integrity can be compromised in two main ways
  • Malicious altering
  • Attacker alters account number in a bank
    transaction
  • Forging an identity document
  • Accidental altering
  • Transmission errors my name Leticia and u have
    a car
  • Harddisk crash
  • According to Wikipedia

7
Integrity 2
  • In telecommunication, the term data integrity has
    the following meanings
  • The condition in which data are identically
    maintained during any operation, such as
    transfer, storage, and retrieval.
  • The preservation of data for their intended use.
  • Specifically, data integrity in a relational
    database is concerned with three aspects of the
    data in a database
  • Accuracy
  • Correctness
  • Validity
  • according to Wikipedia

8
What happens if integrity is compromised?
  • Modification is an attack on integrity
  • Modification the data is changed, delayed or
    reordered to produce an unauthorized, undesired
    effect.
  • A breach in the integrity of your network can be
    extremely costly in time and effort, and it can
    open multiple avenues for continued attacks.

9
Network Considerations
  • When considering what to protect within your
    network, you are concerned with maintaining the
    integrity of
  • the physical network
  • your network software
  • any other network resources
  • your reputation
  • This Integrity involves
  • the verifiable identity of computers and users
  • proper operation of the services that your
    network provides
  • and optimal network performance
  • all these concerns are important in maintaining a
    productive network environment.

10
Common Methods of Attack on Integrity
  • The four methods of attack that are commonly used
    to compromise the integrity of a network
  • Network packet sniffers
  • IP spoofing
  • Password attacks
  • Application layer attacks

11
Network Packet Sniffers
  • Network packet sniffers can yield critical system
    information, such as user account information and
    passwords.
  • When an attacker obtains the correct account
    information, he or she has the run of your
    network.
  • Worst-case scenario
  • an attacker gains access to a system-level user
    account
  • creates a new account that can be used at any
    time as a back door
  • can modify system-critical files such as
  • the password for the system administrator
    account
  • the list of services and permissions on file
    servers
  • the login details for other computers that
    contain confidential information.

12
Network Packet Sniffers 2
  • Packet sniffers provide information about the
    topology of your network that many attackers find
    useful. such as
  • what computers run which services
  • how many computers are on your network
  • which computers have access to others
  • A network packet sniffer can be modified
  • to interject new information
  • change existing information in a packet.
  • Attack can cause network connections to shut down
    prematurely, as well as change critical
    information within the packet.
  • Imagine modification to the accounting system

13
IP Spoofing
  • IP spoofing can yield access to user accounts and
    passwords, and it can also be used in other ways.
  • Attacker emulates one of your internal users in
    ways that prove embarrassing for your
    organization
  • Such attacks are easier when an attacker has a
    user account and password
  • Are possible by combining simple spoofing attacks
    with knowledge of messaging protocols.
  • Telnetting directly to the SMTP port on a system
    allows the attacker to insert bogus sender
    information.

14
Password Attacks
  • A brute-force password attack can provide access
    to accounts that can be used to modify critical
    network files and services.
  • Can compromise network's integrity
  • Once an attacker gets the password and gains
    access to the system
  • he can modify the routing tables for the network.
  • attacker ensures that all network packets are
    routed to him or her before they are transmitted
    to their final destination

15
Application Layer Attacks
  • Application Layer attacks can be implemented
    using several different methods.
  • A common method is exploiting well-known
    weaknesses in software commonly found on servers,
    such as sendmail, PostScript, and FTP.
  • By exploiting these weaknesses, attackers can
    gain access to a computer with the permissions of
    the account running the application
  • usually a privileged system-level account

16
Application Layer Attacks
  • Trojan horse attacks
  • implemented using bogus programs that attacker
    substitutes for common programs.
  • programs provide all functionality of a normal
    application or service
  • also include other features that are known to
    the attacker
  • programs can capture sensitive information and
    distribute it back to the attacker

17
Network considerations when defining security
policies
  • Three main types of networks must be considered
    when defining a security policy
  • Trusted
  • Un-trusted
  • Unknown.

18
Trusted Networks
  • Networks inside your network security perimeter.
  • Networks that you are trying to protect.
  • Someone in the organization administers the
    computers that comprise these networks (most
    times)
  • Organization controls their security measures.
  • Usually, trusted networks are within the security
    perimeter.
  • To set up firewall server
  • explicitly identify the type of networks that are
    attached to the firewall server through network
    adapter cards
  • After the initial configuration, the trusted
    networks include the firewall server and all
    networks behind it.
  • One exception to this general rule is the
    inclusion of virtual private networks (VPNs)

19
Un-trusted Networks
  • Networks known to be outside your security
    perimeter.
  • Un-trusted because they are outside your control
  • No control over the administration or security
    policies for these sites
  • Private, shared networks from which you are
    trying to protect your network
  • Still need and want to communicate with these
    networks although they are un-trusted.
  • To set up the firewall server
  • explicitly identify the un-trusted networks from
    which that firewall can accept requests

20
Unknown Networks
  • Networks that are neither trusted nor un-trusted.
  • Unknown quantities to the firewall because you
    cannot explicitly tell the firewall server that
    the network is a trusted or un-trusted
  • Unknown networks exist outside your security
    perimeter
  • By default, all non-trusted networks are
    considered unknown networks, and the firewall
    applies the security policy that is applied to
    the Internet node in the user interface, which
    represents all unknown networks.

21
Establishing a Security Perimeter
  • When you define a network security policy, you
    must define procedures to safeguard your network
    and its contents and users against loss and
    damage.
  • A network security policy plays a role in
    enforcing the overall security policy defined by
    an organization.

22
Establishing a Security Perimeter
  • A critical part of an overall security solution
    is a network firewall
  • monitors traffic crossing network perimeters
  • imposes restrictions according to security
    policy.
  • Perimeter routers are found at any network
    boundary
  • between private networks, intranets, extranets,
    or the Internet.
  • Firewalls most commonly separate internal
    (private) and external (public) networks.
  • A network security policy focuses on controlling
    the network traffic and usage
  • identifies a network's resources and threats
  • defines network use and responsibilities
  • details action plans for when the security policy
    is violated
  • When a network security policy is deployed it
    should be strategically enforced at defensible
    boundaries within your network. These strategic
    boundaries are called perimeter networks.

23
Three Types of Perimeter Networks Exist
Outermost, Internal, and Innermost
24
Example Two-Perimeter Network Security Design
25
Developing Your Security Design
  • The design of the perimeter network and security
    policies require certain subjects to be
    addressed.

26
Important considerations for defining a security
policy
  • 1. Know your enemy
  • 2. Count the cost
  • 3. Identify any assumptions
  • 4. Control your secrets
  • 5. Human factors
  • 6. Know your weakness
  • 7. Limit the scope of access
  • 8. Understand your environment
  • 9. Limit your trust
  • 10. Remember physical security
  • 11. Make security pervasive

27
Know Your Enemy
  • Know attackers or intruders.
  • Consider who might want to circumvent your
    security measures
  • Identify their motivations.
  • Determine what they might want to do and the
    damage that they could cause to your network.
  • Security measures can never make it impossible
    for a user to perform unauthorized tasks with a
    computer system they can only make it harder.
  • The goal is to make sure that the network
    security controls are beyond the attacker's
    ability or motivation.

28
Count the Cost
  • Security measures usually reduce convenience,
    especially for sophisticated users.
  • Security can delay work and can create expensive
    administrative and educational overhead.
  • Security can use significant computing resources
    and require dedicated hardware.
  • When you design your security measures,
    understand their costs and weigh those costs
    against the potential benefits.
  • To do that, you must understand the costs of the
    measures themselves and the costs and likelihood
    of security breaches. If you incur security costs
    out of proportion to the actual dangers, you have
    done yourself a disservice.

29
Identify Any Assumptions
  • Every security system has underlying assumptions.
  • For example, you might assume that your network
    is not tapped, that attackers know less than you
    do, that they are using standard software, or
    that a locked room is safe. Be sure to examine
    and justify your assumptions. Any hidden
    assumption is a potential security hole.

30
Control Your Secrets
  • Most security is based on secrets.
  • Eg. Passwords and encryption keys
  • Too often, the secrets are not all that secret.
    The most important part of keeping secrets is in
    knowing the areas that you need to protect.
  • What knowledge would enable someone to circumvent
    your system?
  • You should jealously guard that knowledge and
    assume that everything else is known to your
    adversaries.
  • The more secrets you have, the harder it will be
    to keep them all. Security systems should be
    designed so that only a limited number of secrets
    need to be kept.

31
Human Factors
  • Many security procedures fail because their
    designers do not consider how users will react to
    them.
  • Automatically generated nonsense passwords often
    written on the undersides of keyboards- difficult
    to remember
  • A secure door that leads to the system's only
    tape drive is sometimes propped open- for
    convenience
  • Unauthorized modems are often connected to a
    network to avoid onerous dial-in security
    measures- for expediency
  • If security measures interfere with essential use
    of the system they will be resisted and perhaps
    circumvented.
  • To get compliance, make sure users can get their
    work done, and must emphasize (sell) security
    measures to users. Users must understand and
    accept the need for security.

32
Human Factors 2
  • Users can compromise system security, at least to
    some degree
  • Passwords can be found out simply by calling
    legitimate users on the telephone claiming to be
    a system administrator, and asking for them.
  • If your users understand security issues, and if
    they understand the reasons for your security
    measures, they are far less likely to make an
    intruder's life easier.
  • At minimum
  • Users should be taught never to release passwords
    or other secrets over unsecured telephone lines
    or e-mail
  • Users should be wary of people who call them on
    the telephone and ask questions
  • Some companies have implemented formalized
    network security training so that employees are
    not allowed access to the Internet until they
    have completed a formal training program

33
Know Your Weaknesses
  • Every security system has vulnerabilities.
  • You should understand your system's weak points
    and know how they could be exploited.
  • You should also know the areas that present the
    greatest danger and should prevent access to them
    immediately.
  • Understanding the weak points is the first step
    toward turning them into secure areas.

34
Limit the Scope of Access
  • You should create appropriate barriers in your
    system so that if intruders access one part of
    the system, they do not automatically have access
    to the rest of the system.
  • The security of a system is only as good as the
    weakest security level of any single host in the
    system.

35
Understand Your Environment
  • Understanding how your system normally functions,
    knowing what is expected and what is unexpected,
    and being familiar with how devices are usually
    used will help you detect security problems.
  • Noticing unusual events can help you catch
    intruders before they can damage the system.
    Auditing tools can help you detect those unusual
    events.

36
Limit Your Trust
  • You should know exactly which software you rely
    on, and your security system should not have to
    rely on the assumption that all software is
    bug-free.

37
Remember Physical Security
  • Physical access to a computer (or a router)
    usually gives a sufficiently sophisticated user
    total control over that computer.
  • Physical access to a network link usually allows
    a person to tap that link, jam it, or inject
    traffic into it. It makes no sense to install
    complicated software security measures when
    access to the hardware is not controlled.

38
Make Security Pervasive
  • Administrators, programmers, and users should
    consider the security implications of every
    change they make.
  • Understanding the security implications of a
    change takes practice it requires lateral
    thinking and a willingness to explore every way
    that a service could potentially be manipulated.

39
  • Ten suggested ways to improve the security of
    your computer!!!
  • http//web.mit.edu/ist/topics/security/pamphle
    ts/tensteps.pdf

40
1. patch, Patch, PATCH!
  • Set up your machine for automatic updates.
  • For Windows
  • Start MenugtControl PanelgtServicesgtWindows Update
    set to automatic
  • For Macs
  • System PreferencesgtSoftware Update set to
  • daily or weekly.
  • For Red Hat Linux, refer to
  • http//mit.edu/ist/topics/Linux/rhn.html

41
2. Install anti-virus software.
  • Install the appropriate version of the antivirus
    software for your computer.
  • Set it to scan your files on a regular basis.
  • software is available on ISTs Getting
    Started CD or at http//web.mit.edu/software

42
3. Choose strong passwords.
  • Some suggestions for choosing strong passwords!!??

43
3. Choose strong passwords.
  • Choose strong passwords by picking letter,
    number, and special characters to create a mental
    image or an acronym that is easy for you to
    remember.
  • Change passwords regularly.
  • Do not reuse your password among different
    accounts. Its bad if your email account is
    hacked, its even worse if its your email
    account AND your bank account.
  • http//web.mit.edu/network/passwords.html

44
DEMO
  • MAC Password Helper

45
4. backup, Backup, BACKUP!
  • Backing up your data on a regular basis helps
    protect you from the unexpected.
  • Ask yourself how many days of work you are
    willing to lose if your computer is compromised
    and the hackers decide to overwrite your disk
    space with their favorite movies and music.
  • http//web.mit.edu/net-security/www/faq.htmlba
    ckup

46
5. Control access to your machine.
  • Dont leave your machine unattended and logged
    on.
  • Dont leave your PDA unattended in public places.
  • Disable guest accounts, and delete unused
    accounts in a timely manner.
  • More information on securing your Windows
    machine can be found at http//web.mit.edu/ist/top
    ics/windows

47
6. Use email safely.
  • Filter your spam e-mail.
  • Check with the sender when receiving unexpected
    attachments from people you know.
  • Never open attachments from people you dont
    know.
  • Always use your virus scanner on any attachment
    before opening it.
  • MIT Spam Screening is described at
    http//web.mit.edu/ist/services/email/nospam

48
7. Use secure connections.
  • Using a secure connection is essential. On the
    Internet your data is vulnerable unless you do
    something to protect it.
  • For Linux, SSH and SCP are best for secure logins
    and secure file transfers.
  • For Windows, use Filezilla and SecureFX for file
    transfers, Host Explorer and SecureCRT for secure
    remote logins.
  • http//web.mit.edu/net-security/www/faq.htmlse
    cure-connections

49
8. Encrypt sensitive files.
  • Sensitive data is frequently stored on your
    hard drives. Protecting the data can protect you
    from identity theft.
  • Encrypt sensitive files.
  • Have password-protected documents.

50
9. Use desktop firewalls.
  • Apple Mac OS X and Microsoft Windows XP have
    basic desktop firewalls as part of their
    operating systems. It is recommended that users
    activate these firewalls unless there are known
    software conflicts.

51
10.Stay informed.
  • To stay current with the latest developments
    for Windows, Macs, and nix systems, subscribe to
    the security-fyi mailing list by visiting
  • http//mailman.mit.edu/mailman/listinfo/security-f
    yi

52
Access Controls
  • Mandatory Access Control
  • Discretionary Access Control
  • Role-Based Access Control

53
Mandatory Access Control
  • The MAC technique protects and contains computer
    processes, data, and system devices from being
    misused.

54
Mandatory Access Control
  • Four modes of security operation
  • Dedicated Security Mode
  • All users can access ALL data.
  • System-High Security Mode
  • All users can access SOME data, based on their
    need to know.
  • Compartmented Security Model
  • All users can access SOME data, based on their
    need to know and formal access approval.
  • Multilevel Security Mode
  • All users can access SOME data, based on their
    need to know, clearance and formal access
    approval.

55
Discretionary Access Control
  • DAC defines basic access control policies to
    objects at the discretion of the objects owner.
  • MAC and DAC can be applied
  • to the same file

56
Role-Based Access Control
  • RBAC is an new alternative approach to MAC and
    DAC
  • Access Control is determined by the job function,
    not the individual staff member.

57
Access Control
  • In your opinion, which is the better method for
    access control?
  • MAC,
  • DAC,
  • and/or RBAC

58
Security Models
  • Security models are an important concept in the
    design and analysis of secure computer systems
  • Examples of security models
  • Information Flow Model
  • Biba Security Model
  • Clark-Wilson Model
  • Chinese Wall Model
  • The Bell-LaPadula Model

59
Information Flow Model
  • The Information flow model is a variation of the
    access control model
  • This model attempts to control the transfer of
    information from one object to another which is
    constrained by the two objects security
    attributes
  • Information can flow to the same or higher level
    of security

60
The Biba Model
  • The Biba Integrity Model describes read and write
    restrictions based on integrity classes of
    subject and objects
  • Two main principles
  • A subject can write to an object only if the
    integrity access class of the subject is larger
    than the integrity class of the object
  • A subject can read an object only if the
    integrity access class of the subject is less
    than that of the integrity class of the object

61
The Biba Model
Layer of Higher Secrecy
Contaminated
Read
Write
Get Contaminated
Layer of Lower Secrecy
Simple Integrity Property
Integrity Star Property
Official (isc)2 Guide to the CISSP Exam
62
The Clark-Wilson Model
  • The model address integrity requirements which
    are based on process and data integrity
  • The model identifies three rules of integrity
  • Unauthorized users should not make changes
  • Authorized users should not make unauthorized
    changes
  • The system should maintain internal and external
    consistency
  • Enforce policies by
  • Well-formed transactions
  • Separation of duties

63
The Clark-Wilson Model
  • Data
  • Constrained data items (CDI)
  • Unconstrained data items (UDI)
  • Procedures
  • Integrity verification procedure (IVP)
  • Transformation procedure (TP)

64
Example of CW Model
  1. Purchasing clerk creates an order for a supply,
    sending copies to the supplier and the receiving
    department.
  2. Upon receiving the items, a receiving clerk
    checks the delivery and, if all is well, signs a
    delivery form. Then the delivery form and
    original order form will go to the accounting
    department.
  3. Supplier sends an invoice to the accounting
    department. The accounting clerk will compare
    the invoice with the original order and delivery
    form and issues a check to the supplier.

65
Example of CW Model
  • Users?
  • Purchasing clerk
  • Receiving clerk
  • Supplier
  • Accounting clerk
  • Constrained Data?
  • Order
  • Delivery form
  • Invoice
  • check
  • Transformation Procedures?
  • Create order, Send order
  • Create delivery form, Send delivery form, Sign
    delivery form
  • Create invoice, Send invoice
  • Compare invoice to order
  • And so on

66
Tools
  • Integrity Management Software
  • Anti-Virus Software

67
Integrity Management Software
  • Encryption is most commonly used for secrecy but
    it can also be used for integrity.
  • Check for integrity by specifically utilizing
  • Hash functions
  • Digital Signatures
  • File Size
  • Example
  • Tripwire Enterprise

68
Hash Functions
  • A public function that maps a plaintext message
    of any length to a fixed length hash value
  • Are used as an authenticator
  • Pros
  • Offers integrity
  • Cons
  • No confidentiality
  • Examples
  • CRC
  • MD5
  • SHA-1

69
Cyclic Redundancy Check
  • CRC is a type of hash function that is utilized
    to create a checksum
  • Useful for error detection, CRC cannot be relied
    upon to verify data integrity
  • Example of Tools solely use CRC
  • Crckit

70
Message-Digest Algorithm 5
  • MD5 is a popular cryptographic function with a
    128-bit hash value
  • Utilized in a variety of security applications
  • Also commonly used for checking the integrity of
    files
  • It is computationally unrealistic to find two
    messages that have the same message digest

71
Secure Hash Algorithm
  • SHA is a set of related cryptographic hash
    functions
  • SHA-1 is the most commonly used for a large
    variety of security applications and protocols
  • SHA-1 is considered the successor to MD5

72
Digital Signatures
  • Digital signatures also known as public-key
    digital signature is an encryption scheme
    utilizing public key cryptography
  • This method has two complementary algorithms, one
    for signing and the other for verification, and
    the output of this process is a digital signature

73
Tripwire Enterprise
  • http//www.tripwire.com/
  • Captures a baseline of server file systems,
    desktop file systems, directory servers and
    network device configurations in a known good
    state, and then automatically performs integrity
    checks that compare current states against
    baselines to detect changes.
  • Tripwire Demo

74
Examples of Integrity Management Software
  • Advanced CheckSum Verifier (ACSV)
  • Advanced Intrusion Detection Environment (AIDE)
  • Cambia CM
  • Crckit
  • FileCheckMD5
  • FTimes
  • Hashdig
  • Integrit
  • Intrusec CM
  • Jacksum
  • LANGuard Security Integrity Monitor
  • MD5 Hashing Utilities
  • Md5deep
  • Nabou
  • NIST_Crc
  • Radmind
  • Samhain
  • Secure Hash Signature Generator
  • Sentinel
  • Sha_verify
  • Spidernet
  • SysCheck
  • Sysdiff
  • Tripwire - Commercial
  • Tripwire OpenSource
  • Veracity System Integrity Assurance
  • ViperDB
  • Yafic
  • Winalysis
  • WinInterrogate
  • Xintegrity

75
Anti-virus Software
  • The techniques for detecting a virus include
  • Checking unexpected increases in file size
  • Noting changes in timestamps
  • Sudden decreases in free space
  • Calculating checksums
  • Saving images on the internal control tables and
    noting unexplained changes

76
Examples ofAnti-virus Software
  • AntiVir PersonalEdition Classic
  • AVAST 4 Home Edition
  • AVG Free Edition
  • Bullguard Antivirus Software, Firewall and Backup
  • Command Antivirus
  • F-Prot Antivirus for Windows
  • F-Secure
  • Kaspersky Anti-Virus
  • McAfee VirusScan 2006
  • NOD32 Antivirus System v2.0
  • Norton AntiVirus 2002
  • Panda Titanium Antivirus 2004
  • PC-cillin Internet Security 2004
  • Platinum Internet Security 2005
  • Rising AntiVirus
  • Virex
  • Windows Live OneCare

77
Case Study - Integrity
  • Hamlet
  • Being thus be-netted round with villanies,--
  • I sat me down,
  • Devised a new commission, wrote it fair
  • He should the bearers put to sudden death.
  • I had my father's signet in my purse,
  • Which was the model of that Danish seal
  • Subscribed it, gave't the impression, placed
    it safely,
  • The changeling never known.

78
Case study - Attacks
  • Attacks on integrity
  • alter teleprompter speeches/ presentation
    slides
  • alter scheduling
  • alter voting results
  • alter outgoing media reports
  • attacker could be other media or
  • outsider

79
Attackers
  • The cold passed reluctantly from the earth, and
    the retiring fogs revealed an army stretched out
    on the hills, resting.
  • - The Red Badge of Courage

80
Case study - Outside attacker
  • Henry is a member of a small revolutionary
    anarchist group
  • Assigned to disrupt the event using information
    warfare tactics.
  • Attacks from an open wireless network at a public
    library.

81
  • How you gonna call yourself a revolutionary and
    you aint got no poems?
  • -Dewey

82
Case study - Attacker 1 recon
  • Scan port 0-65535 with an aggressive stealth scan
    with OS and application fingerprinting.
  • nmap -sS -F -P0 -O -T4 -v A p0-65535 event
    network address
  • Starting nmap 3.50 ( http//www.insecure.org/nmap/
    )
  • ...
  • Interesting ports on contractor2.event.net
    (XX.227.165.100)
  • (The 65535 ports scanned but not shown below are
    in state filtered)
  • PORT STATE SERVICE VERSION
  • 22/tcp open ssh OpenSSH 3.7.1p1 (protocol
    1.99)
  • Running Linux 2.4.X
  • OS details Linux 2.4.18 (x86)
  • Uptime 316.585 days
  • ...

83
Preventing recon
  • Only open service on the network
  • contractor left an SSH server running.
  • How can we prevent the attacker from finding it?

84
Preventing recon contd
  • At the firewall, prevent all incoming
    connections
  • Use NAT so internal boxes are not Internet
    addressable
  • Put a firewall between Ops and Organization in
    case a contractor is compromised or malicious.
  • Policy that no one may run listening servers
    without IT authorization.

85
Finding vulnerabilities
  • Henry looks up OpenSSH 3.7.1p1 on various
    security websites such as SecurityFocus BID and
    OSVDB.org.
  • http//www.kb.cert.org/vuls/id/602204
  • When PAM and SSHv1 are enabled, OpenSSH 3.7.1p1
    has a vulnerability that allows an attacker to
    login to any account by using a null password.

86
Exploiting OpenSSH
  • psychegt ssh -1 root_at_ contractor2.event.net
  • The authenticity of host contractor2.event.net
    (XX.227.165.212)' can't be established.
  • RSA1 key fingerprint is 2dfb27e0abaddeadca
    febabe53022838.
  • Are you sure you want to continue connecting
    (yes/no)? yes
  • root_at_contractor2.event.net's password
  • whoami
  • root
  • How could we prevent this?

87
Preventing OpenSSH Exploit
  • How could we prevent this?
  • Keep on top of patch management
  • automated scan when they connect to the network
  • Use PermitRootLogin no in sshd_config to
    prevent root login

88
Dictionary attack on SSH
  • Henry uses hydra to attempt to do a dictionary
    attack and guess a users password.
  • hydra -L names.txt -P passwords.txt
    contractor2.event.net ssh2
  • Hydra v5.2 (c) 2006 by van Hauser / THC - use
    allowed only for legal purposes.
  • DATA 400000 tasks, 1 servers, 400000 login
    tries (l1/p2), 1 tries per task
  • DATA attacking service ssh2 on port 22
  • STATUS attack finished for contractor2.event.net
    (waiting for childs to finish)
  • 22ssh2 host XX.227.165.212 login test
    password trustno1

89
Preventing Dictionary Attack
  • Unable to guess a password for root, but did get
    user test with password trustno1 (Fox
    Mulders password on The X-Files)
  • How to prevent this attack?

90
Preventing Dictionary Attack contd
  • Choose strong passwords on all accounts, not
    just root
  • Enforceable by having IT people run hydra?
  • Ban an IP address for some length of time after
    a certain number of failed attempts.

91
Privilege Escalation
  • Henry has a user level shell on the contractors
    box.
  • Inside the firewall, uses same dictionary attack
    technique to get a user account on the podium
    server.
  • Wants to alter the presentations, but cant with
    current privileges.

92
Privilege Escalation
  • uname -a
  • Linux podium.event.net 2.4.18 3-i686-UP (034)
    i686 i386 GNU/Linux
  • This is a relatively old kernel version, and
    there is a privilege escalation vulnerability in
    versions below 2.4.22.
  • http//www.kb.cert.org/vuls/id/301156
  • An integer overflow vulnerability in the brk
    system call.

93
Privilege Escalation
  • He downloads and uses a publicly available
    exploit to get root privileges.
  • As root, he subtly modifies the saved
    presentations for several presenters in an
    embarrassing way.
  • How to prevent this?

94
Preventing Privilege Escalation
  • Again patch management, even on computers which
    are supposedly safe because theyre inside the
    firewall
  • Use Tripwire or other integrity checking programs
    to detect modifications to sensitive files
  • But?
  • Minimize set of programs which are setuid or run
    as root
  • Backups on removable media

95
Attacking the Media LAN attacks
  • Media share a wired network.
  • Many network attacks available when on the same
    network.
  • ARP poisoning to sniff or do MITM
  • Alter or forge media reports
  • http//en.wikipedia.org/wiki/ARP_spoofing

96
LAN attacks
  • SSL not foolproof if MITM possible.
  • Animation at http//crimemachine.com/Tuts/Flash/SS
    LMITM.html

97
Preventing LAN attacks
  • Static ARP/Port Security
  • But?
  • Detect ARP poisoning with arpwatch
  • But?
  • Train them not to click through SSL warnings
  • Media connect to home base with VPN

98
Social Engineering
  • There was much food for thought in the manner in
    which he replied. He came near to convincing
    them by disdaining to produce proofs.
  • -The Red Badge of Courage

99
Social Engineering
  • http//en.wikipedia.org/wiki/The_Yes_Men
  • Set up a fake WTO website. Invited to speak on
    behalf of the WTO at events, including a CNBC
    news program.
  • Successfully impersonated a Dow Chemical
    spokesman on BBC television, at a London banking
    conference, and at Dows annual shareholder
    meeting
  • In this case study, attacker could speak at
    event, or could fool the media into printing
    lies.
  • How to prevent this?

100
Preventing social engineering
  • Educate staff to authenticate people and data
  • Run live tests with fake conmen

101
Case study conclusion
  • Its about quality, yall.
  • And mad loot for yours truly.
Write a Comment
User Comments (0)
About PowerShow.com