Internet - PowerPoint PPT Presentation

About This Presentation
Title:

Internet

Description:

Internet & Web Security. Simson L. Garfinkel, simsong_at_vineyard.net. Simson L. Garfinkel: Web Security & Commerce (with Gene Spafford), O'Reilly & Associates, 1997 ...

Slides: 38
Provided by: Simso2
Transcript and Presenter's Notes

1
Internet & Web Security
  • Simson L. Garfinkel
  • simsong_at_vineyard.net

2
Simson L. Garfinkel
  • Web Security & Commerce
  • (with Gene Spafford) O'Reilly & Associates, 1997
  • Practical UNIX and Internet Security
  • Garfinkel & Spafford, O'Reilly & Associates, 1997
  • Vineyard.NET, Inc.
  • July 1, 1995-

3
WARNING 1
  • I'm not here to sell you anything. (No easy
    answers.)

4
WARNING 2
  • I hate Power Point.

5
Internet Security Today 1/3
  • What are the main security-related problems on
    the Internet Today?
  • Hijacked web servers
  • Denial-of-Service Attacks
  • Unsolicited Commercial E-Mail
  • Operator Error, Natural Disasters
  • Microsoft...

6
Internet Security Today 2/3
  • What are not the major security-related problems?
  • Eavesdropped electronic mail.
  • (Misdirected email is a problem.)
  • (Email swiped from backup tapes is a problem.)
  • Sniffed credit card numbers.
  • (Credit card numbers stolen from databases is a
    problem.)
  • Hostile Java & ActiveX applets.

7
Internet Security Today 3/3
  • So why does the press focus on the non-problems?
  • The real problems are old problems. (see
    Practical UNIX Security, 1991)
  • The real problems are hard to solve. (I'm not
    here to sell you anything.)
  • Netscape IPO (Netscape sells a product, not a
    service.)

8
Hijacked Web Servers

9
Hijacked Web Servers
  • FBI
  • August 17, 1996 - Attacks on the Communications
    Decency Act.
  • CIA
  • September 18, 1996 - Central Stupidity Agency
  • NetGuide Live
  • CMP Sucks.

10
Hijacked Web Servers
  • Attacker gains access and changes contents of web
    server.
  • Usually stunts.
  • Can be very bad
  • Attacker can plant hostile applets.
  • Attacker can plant data sniffers
  • Attacker can use compromised machine to take over
    internal system.

11
Hijacked Web Servers
  • Usually outsiders.
  • (Could be insiders masquerading as outsiders.)
  • Nearly impossible to trace.

12
How do they do it?
  • Administrative passwords captured by a password
    sniffer.
  • Utilize known vulnerability
  • sendmail bug.
  • Buffer overflow.
  • Use web server CGI script to steal /etc/passwd
    file, then crack passwords.
  • Mount the web server's filesystem.

13
How do you defend against it?
  • Patch known bugs.
  • Don't run unnecessary services on the web server.
  • Don't run sendmail.
  • Use smap if possible.
  • Large sites may just have to suffer.

14
How do you defend? (2)
  • Never use telnet or ftp to access web server.
  • ssh/scp
  • stel
  • Security Dynamics SecureID
  • Digital Pathways' SecureNet Key
  • (S/Key, Kerberos)

15
How do you defend? (3)
  • Practice good host security.
  • Don't run SunOS.
  • Use tools like SATAN, ISS, COPS, Tiger...
  • Monitor system for unauthorized changes.
  • Tripwire
  • Monitor system for signs of penetration
  • Intrusion detection systems
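
The "monitor system for unauthorized changes" point above is what Tripwire automates: record a fingerprint of every file in a baseline, then periodically compare the live filesystem against it. The following is an added example written for this page, not Tripwire's code or anything from the presentation; it builds a constructed document root in a temporary directory, takes a baseline, simulates the three kinds of change the earlier slides describe (a defaced page, a planted CGI script, a removed script), and reports them. The file names and contents are constructed for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Attributes a Tripwire-style checker records per file: permission bits,
    size, owner, and a SHA-256 of the contents (None for non-regular files)."""
    st = os.lstat(path)
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "uid": st.st_uid, "gid": st.st_gid, "sha256": digest}


def build_baseline(root):
    """Walk root and fingerprint every file, keyed by path relative to root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files added, removed, or changed since the baseline; for changed
    files, list each differing attribute as (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed document root, a baseline, then three simulated changes of
    the kind the slides describe: defaced page, planted CGI, removed script."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "htdocs")
        os.makedirs(os.path.join(docroot, "cgi-bin"))
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<html><body>Welcome to the demo site</body></html>\n")
        with open(os.path.join(docroot, "cgi-bin", "form.cgi"), "w") as f:
            f.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\necho ok\n")

        # In real use the baseline lives read-only and off the monitored host;
        # here it is just a file in the temp directory.
        baseline_file = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(docroot), baseline_file)

        # Simulated tampering (constructed for the demo):
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<html><body>DEFACED</body></html>\n")
        with open(os.path.join(docroot, "cgi-bin", "extra.cgi"), "w") as f:
            f.write("#!/bin/sh\necho planted\n")
        os.remove(os.path.join(docroot, "cgi-bin", "form.cgi"))

        return compare(load_baseline(baseline_file), build_baseline(docroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the baseline: an attacker who can rewrite the web server's files can rewrite a baseline stored beside them, so keep it on read-only media or a separate host and run the comparison from there.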

16
How do you defend? (3)
  • Make frequent backups.
  • Have a hot spare ready.
  • Monitor your system frequently.

17
Denial-of-Service Attacks

18
Denial-of-Service
  • Publicity is almost as good as changing
    somebody's web server.
  • Attack on PANIX
  • Attack on CyberPromotions
  • Costs real money
  • Lost Sales
  • Damage to reputation

19
Kinds of Denial-of-Service Attacks
  • Direct attack: attack the machine itself.
  • Indirect attack: attack something that points to
    the machine.
  • Reputation attack: attack has nothing to do with
    the machine, but references it in some way.

20
Direct Denial-Of-Service Attack
  • Send a lot of requests (HTTP, finger, SMTP)
  • Easy to trace.
  • Relatively easy to defend against with TCP/IP
    blocking at router.
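
Because a request flood of this kind arrives from a real source address, the defence is to find the source in the server's own log and block it upstream. The following added example (written for this page, not part of the presentation) scans Common Log Format lines with a per-source sliding window, reports sources whose request rate exceeds a threshold, and renders a block rule in Cisco IOS access-list syntax as one illustration of "blocking at the router". The log lines are constructed; the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')


def parse_clf(line):
    """Return (source_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_flooders(lines, threshold=20, window_seconds=10):
    """Per source, keep the timestamps of requests inside a sliding window and
    record the peak count; return {ip: peak} for sources above the threshold.
    Assumes lines are in time order for each source, as a server writes them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def router_block_rules(flooders, acl=101):
    """Render one deny entry per flooding source (IOS extended ACL syntax)."""
    return [f"access-list {acl} deny ip host {ip} any" for ip in sorted(flooders)]


def _clf(ip, second, path="/"):
    """Build one constructed log line at 14:02:<second> on a fixed date."""
    return (f'{ip} - - [18/Sep/1996:14:02:{second:02d} -0400] '
            f'"GET {path} HTTP/1.0" 200 512')


# Constructed sample: two ordinary visitors plus one source sending 30 requests
# within two seconds (documentation addresses, not real hosts).
SAMPLE_LOG = [_clf("10.0.0.5", 0, "/index.html"), _clf("198.51.100.9", 3, "/about.html")]
SAMPLE_LOG += [_clf("192.0.2.7", s // 15) for s in range(30)]
SAMPLE_LOG.append(_clf("10.0.0.5", 9))


if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    for ip, n in flooders.items():
        print(f"{ip}: {n} requests in a 10 s window")
    for rule in router_block_rules(flooders):
        print(rule)
```

The slide's "easy to trace" holds only for this direct form of the attack: the source address in the log is the one the packets really came from, which is exactly what the SYN flood on the next slides takes away.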

21
Direct Denial-Of-Service Attack 2
  • SYN Flooding
  • Subverts the TCP/IP 3-way handshake
  • SYN / ACK / ACK
  • Hard to trace
  • Each SYN has a different return address.
  • Defenses now well understood
  • Ignore SYNs from impossible addresses.
  • Large buffer pools (10 → 1024)
  • Random drop, Oldest drop.
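
The three defences listed above can be compared on a small model of the listening socket's half-open queue. The following added example (written for this page, not from the presentation or any kernel) keeps an ordered table of SYN-received entries with a capacity and an eviction policy, optionally discards SYNs whose source address could not legitimately arrive from the Internet, and runs one constructed scenario: a burst of spoofed SYNs that are never acknowledged, then one legitimate client completing its handshake. The policies, address list, queue sizes and flood sizes are assumptions chosen to illustrate the slide's numbers.

```python
import ipaddress
import random
from collections import OrderedDict

# Source ranges that should never appear on an Internet-facing interface
# (unspecified, loopback, RFC 1918 private, multicast, reserved). A SYN
# claiming one of these is an "impossible address" in the slide's sense.
IMPOSSIBLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_impossible_source(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in IMPOSSIBLE_NETS)


class SynBacklog:
    """Model of one listening socket's half-open (SYN-received) queue.

    policy: 'reject' drops a new SYN when the queue is full (the behaviour a
    flood exploits), 'oldest' evicts the oldest half-open entry, 'random'
    evicts a random one."""

    def __init__(self, capacity, policy="reject", filter_impossible=False, seed=0):
        self.capacity = capacity
        self.policy = policy
        self.filter_impossible = filter_impossible
        self.rng = random.Random(seed)
        self.half_open = OrderedDict()   # (src_ip, src_port) -> True, oldest first
        self.established = []
        self.dropped = 0

    def on_syn(self, src):
        """Handle an incoming SYN; True if a half-open entry exists afterwards."""
        if self.filter_impossible and is_impossible_source(src[0]):
            self.dropped += 1
            return False
        if src in self.half_open:
            return True                  # retransmitted SYN: already queued
        if len(self.half_open) >= self.capacity:
            if self.policy == "reject":
                self.dropped += 1
                return False
            if self.policy == "oldest":
                self.half_open.popitem(last=False)
            elif self.policy == "random":
                del self.half_open[self.rng.choice(list(self.half_open))]
            else:
                raise ValueError(f"unknown policy {self.policy!r}")
            self.dropped += 1
        self.half_open[src] = True
        return True

    def on_ack(self, src):
        """Third handshake packet: promote to established if still queued."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established.append(src)
        return True


def simulate(capacity, policy, filter_impossible=False, flood_net="192.0.2.",
             flood_before=50, flood_after=0, seed=1):
    """Constructed scenario: flood_before spoofed SYNs (each with a different
    source, none ever acknowledged), one legitimate SYN, flood_after more
    spoofed SYNs, then the legitimate client's ACK. Returns
    (legit_connected, total_dropped)."""
    rng = random.Random(seed)
    backlog = SynBacklog(capacity, policy, filter_impossible, seed)

    def spoofed():
        return (f"{flood_net}{rng.randrange(1, 255)}", rng.randrange(1024, 65535))

    for _ in range(flood_before):
        backlog.on_syn(spoofed())
    legit = ("203.0.113.10", 40000)      # constructed client address
    backlog.on_syn(legit)
    for _ in range(flood_after):
        backlog.on_syn(spoofed())
    return backlog.on_ack(legit), backlog.dropped


if __name__ == "__main__":
    scenarios = [
        ("pool of 10, reject new SYNs when full", dict(capacity=10, policy="reject")),
        ("pool of 1024, reject when full", dict(capacity=1024, policy="reject")),
        ("pool of 10, oldest drop", dict(capacity=10, policy="oldest")),
        ("pool of 10, random drop", dict(capacity=10, policy="random")),
        ("oldest drop, flood continues during handshake",
         dict(capacity=10, policy="oldest", flood_after=10)),
        ("impossible-address filter vs. loopback-sourced flood",
         dict(capacity=10, policy="reject", filter_impossible=True, flood_net="127.0.0.")),
    ]
    for label, args in scenarios:
        ok, dropped = simulate(**args)
        print(f"{label:52s} legit connected={ok!s:5s} dropped={dropped}")
```

The last two scenarios show the limits of each defence: oldest-drop only helps if the legitimate client's ACK arrives before the queue has turned over completely, and the address filter only removes the part of a flood that uses addresses a router could have rejected anyway.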

22
Direct Denial-Of-Service Attack 2
  • SYN Flooding 2
  • Most machines are not protected.

23
Indirect Denial-Of-Service Attack
  • Attack DNS
  • http://www.vineyard.net/ → 204.17.195.200
  • DNS spoofing (hard)
  • Upstream DNS server (easier)
  • InterNIC (easy!)

24
Indirect Denial-Of-Service Attack
  • Attack Routing
  • Attack routers (hard)
  • Inject bogus routes on BGP4 peering sessions
    (easy)
  • Accidents have been widely reported.
  • Expect to see an actual BGP4 attack sometime this
    year.

25
Reputation-based Denial-Of-Service Attack
  • Spoofed e-mail: To: everybody_at_AOL.COM, From:
    astrology_at_mail.vineyard.net, Subject: Call
    Now! "Hello. My name is Jean Dixon..."
  • We got 3.9MB of angry responses.

26
Unsolicited Commercial E-Mail

27
Unsolicited Commercial E-Mail
  • Pits freedom-of-speech against right of privacy.
  • Consumes vast amounts of management time.
  • Drain on system resources.

28
Who are the bulk-mailers?
  • Advertising for Internet neophytes.
  • Advertising for sexually-oriented services.
  • Advertising get-rich-quick schemes.
  • Advertising bulk-mail service.

29
How do they send out messages?
  • Send directly from their site.
  • Send through an innocent third party.
  • Coming soon
  • Sent with a computer virus or ActiveX applet

30
How did they get my e-mail addresses?
  • Usenet Mailing list archives.
  • Collected from online address book.
  • AOL registry.
  • University directory.
  • Guessed
  • Sequential CompuServe addresses.
  • Break into machine & steal usernames.

31
Operator Error & Natural Disasters

32
Operator Error & Natural Disasters
  • Still a major source of data loss.
  • Hard to get management to take seriously.
  • Not sexy.
  • Preparation is expensive.
  • If nothing happens, money seems misspent.

33
Operator Error
  • Accidentally delete a file.
  • Accidentally install a bad service.
  • Accidentally break a CGI script.
  • Psychotic break.

34
Natural Disaster
  • Fire
  • Flood
  • Earthquake

35
Solutions
  • Frequent Backups
  • Backup to high-speed tape.
  • Real-time backup to spare machines.
  • Make sure some backups are off-site.
  • Recovery plans.
  • Recovery center.
  • Test your backup plans!

36
Microsoft

37
Microsoft
  • Danger of homogeneous environment.
  • No demonstrated commitment to computer security.
  • Windows 95 is not secure.
  • Word Macro Viruses.
  • ActiveX
  • SMB
  • Windows NT ?