- PowerPoint PPT Presentation

About This Presentation
Title:

Description:

Title: PowerPoint Presentation Author: Prafulla Last modified by: Akshai Aggarwal Created Date: 3/28/2002 12:06:46 AM Document presentation format – PowerPoint PPT presentation

Number of Views:56
Avg rating:3.0/5.0
Slides: 55
Provided by: Praf6
Category:

less

Transcript and Presenter's Notes

Title:


1
  • The advanced exploration of computer systems
    is commonly referred to as hacking.
  • -- from Hackers a Canadian police
    perspective

  • Part I
  • Reference http//www.rcmp-grc.gc.ca/crim_int/inde
    x_e.htm
  •  

2
Security Attacks/Threats
  • These are actions that compromise the security of
    information owned or transferred by an entity.
    Attacks can be one of 4 forms
  • Interruption
  • Interception
  • Modification
  • Fabrication

3
Type Of Attacks/Threats
Information
Information
source
Destination
(a) Normal Flow
I
I
(b) Interruption
(d) Fabrication
I
I
(c) Modification
(e) Interception
4
Active and Passive Attacks
 
5
Active Attacks
  • A Passive attack can only observe communications
    or data. Example Interception ( also called
    eavesdropping or passive wiretapping)
  • An Active attack can actively modify
    communications or data
  • Often difficult to perform, but very
    powerful
  • Mail forgery/modification
  • TCP session hijacking /IP spoofing
  • Examples Interruption, Modification ( also
    called active wiretapping), Fabrication
  • Types of Active Attacks masquerade, replay,
    modification and denial of service.

6
Types of Intruders
  • Intrusion by a
  • Masquerader One, who is not authorized to use a
    computer system, but who penetrates and uses a
    legitimate users account
  • Misfeasor A legitimate user who accesses data,
    programs or resources, for which he is not
    authorized or
  • A legitimate user who misuses his access
    privileges
  • Clandestine User One who seizes supervisory
    control and uses it to evade access and audit
    controls or to suppress audit trail.
  • A masquerader is an outsider,
  • a misfeasor is an insider and
  • the clandestine user can be either an insider or
    an outsider.

7
Why do they attack?
  • The attacker may attack
  • - taking it as an intellectual challenge
  • - to have thrills by seeing reports of his
    exploits in public media.
  • But a large majority of attacks are by
    foot-soldiers, called
  • script kiddies, who use attacks
    discovered, designed and
  • implemented by someone else. The script
    kiddies, simply
  • download the script and launch the
    attack, without
  • understanding anything.
  • Or - they may be indulging in espionage for
    financial gain.

8
Survey Type of attacks
  • FBI/CSI Survey of 2002
  • - 80 of respondents acknowledged financial loss
    due to intrusion
  • - Only 34 reported the intrusions to police
  • - 74 found misfeasors
  • - 40 detected DOS attacks
  • Reference Annual FBI/Computer Security Institute
    Survey http//www.gocsi.com/press/20020407.html

9
Hackers METHODS
  • Port Scan to find, for the target,
  • - which ports/services are running
  • - the O/S
  • nmap
  • - scans all the ports
  • - guesses the operating system (Please refer to
    the paper by Fyodor to understand the methods
    used. These methods depend upon the special
    features that each OS has.)
  • Reference 1.Fyodor, Remote OS detection via
    TCP/IP Stack FingerPrinting June, 2002,
    available at http//www.insecure.org/nmap/nmap-fin
    gerprinting-article.html
  • 2.Stephen Northcutt and Judy Novak, Network
    Intrusion Detection An Analysts Handbook, pp
    81-85

10
Hackers Methods cont.
  • 2. Toolkits provided by manufacturers to make
    products compatible with their products. These
    may be used to discover the vulnerabilities of
    the product.
  • 3. Wireless Nets AirMagnet from
    AirMagnet Inc. Observer from Network
    Instruments Wireless Security Analyzer
    from IBM
  • can check whether a wireless network can
    be accessed by outsiders.
  • (www.guerilla.net/freenets.html contains
    a list of access points, by city, that can be
    accessed by anyone.
  • In 2002 Chris OFerrel, a security consultant,
    was able to connect to the Pentagon wireless net,
    from outside the building.)

11
Impersonation Methods
  • Guess the ID and password of an authorized user
  • - by guessing passwords
  • - by using default passwords given with a system
    by its manufacturer
  • (Many administrators fail to disable the
    defaults)
  • Example SNMP uses a community string as
    a password for the community of devices, that can
    interact with one another. Many administrators
    forget to change the default community string
    installed on a (new) router/switch.
  • - by overflow - in some ill designed systems,
    authentication may be foiled by overflow of
    password (if the password overflows, the system
    may assume authentication)
  • -

12
Impersonation Methods continued
  • by non-existent authentication. In Unix, the
    file
  • -rhosts lists the trusted hosts
  • -rlogin lists trusted users, who can access
    without authentication
  • A user may login one system as a guest- to access
    public information and through this host, he may
    connect to a trusted host.

13
Impersonation A
few Definitions
  • Impersonation vs. Spoofing
  • Impersonation (mis)represents an authorized
    entity during communication on a net.
  • Spoofing A hacker spoofs when he falsely
    carries on one side of the exchange between two
    parties.
  • Masquerade of a site An example
  • Thus xxx.com bank may be the official site.
  • A hacker registers x_xx.com and asks clients
    to visit the site. Thus passwords and pin
    numbers may be collected for misuse.

14
Impersonation A few Definitions
cont.
  • Session Hijacking An example
  • A customer may select books on Amazon.com.
  • When it comes to taking the order and making
    the payment, Amazon.org may hijack the session.
  • Man-in-the-middle Attack vs. Session Hijacking
  • Man-in-the-middle is wire-tapping actively from
    the beginning,
  • whereas a session-hijacker takes over after
    part of the session is over.

15
Examples of Attacks
  • Buffer Overflow
  • Dot-Dot and constrained environment
  • Server-side include problem
  • Incomplete Mediation
  • Time-of-check to Time-of use
  • DoS and DDoS
  • Misuse of Active Code

16
Buffer Overflow
  • All programming languages set aside a specific
    area in memory for every variable.
  • For example
  • char addr10
  • sets aside 10 bytes for the array.
  • If someone were to give an input to addr, which
    is larger, it may overflow into some other area.
    This area may have been allocated to
  • -User data
  • -Users program code
  • -System date
  • -System program code

17
Buffer Overflow cont.
  • Overwriting User Data may affect program result.
    But will not affect any other program.
  • Overwriting Users Program If an instruction
    that has already been executed(and is not to be
    executed again) as overwritten -gt no effect.
  • -Otherwise if the character that has been
    overwritten is not a valid instruction, the
    system halts (Illegal instruction exception)
  • -Otherwise the user program gives wrong output
  • Overwriting System data/program Results similar
    to the ones for user data/program. But it may
    affect all the users since system data and
    programs are used by every user on the machine

18
Buffer Overflow Usual Buffer Overflow
Attacks
  • The attacker may use the data input, close to
    system code. Thus he may be able to go into the
    O.S. which has the highest privileges.
  • He may use the Stack Pointer to return to a part
    of the hackers code, which may have been placed
    earlier.
  • Passing parameters through a URL
  • Consider http//www.website.com/xxx/userinput
  • parm1(519)253-3000parm22003Mar20
  • If instead of parm1 and parm2, a 500 or 100
    digit value is introduced, it could cause a
    problem in the web system.
  • Reference IIS 4.0 remote overflow exploit.
    http//spisa.act.uji.es/spi/progs/codigo/ftp.techn
    otronic.com/microsoft/iishack.asm

19
Buffer Overflow An Example
U.S. Army Web Server Attacked
  • Buffer Overflow Attack A Web server was attacked
    using a URL that was 4KB in length.
  • ( Reference eWeek, March 18, 2003 )
  • The machine was compromised.
  • It began mapping the network around it, looking
    for other vulnerable machines.
  • It then started sending the results of its
    mapping to a remote machine through TCP port 3389
    using terminal services

20
Dot-Dot and constrained environment
  • To prevent an attack, external users, who
    approach through the Internet, may be put in a
    constrained environment.
  • A constrained environment where a user is
    allowed to use only specified and limited system
    resources.
  • Accordingly the server may begin processing a
    users program in a particular directory sub-tree
    which contains everything the server needs.

21
Dot-Dot and constrained environment (cont..)
  • But both in unix and windows,
  • .. is the directory indicator
    for the predecessor.
  • Cereberus discovered in MS Index Server the
    following fault
  • Passing the following url to the web-server
  • http//url/null.htw? CiWebHits File
    /../../../.. /../winnt/system32/autoexec.nt
  • a user is able to get the autoexec.bat file of
    the server.
  • Now the hacker may modify it!

22
Dot-Dot and constrained environment (cont..)
  • Solution Webserver should have no editors,
    telnet programs or any utilities.
  • But the code and data, for web applications, will
    have to be transferred manually to the server or
    may have to be pushed as a raw image. The
    webmaster may not like it.

23
Server-side include problem
  • EXAMPLE contact us part on web-pages includes
    commands, which are supposed to be given by the
    server.
  • Hence such commands may be accepted by the system
    without any scrutiny. These commands may be
    placed in HTML.
  • A hacker may use this facility to modify the
    command to telnet to gain access rights, which
    he should not have.

24
  • Good judgment is the result of experience
  • and experience is the result of poor judgment.

25
Examples of Attacks
Slide 15 again
  • Buffer Overflow
  • Dot-Dot and constrained environment
  • Server-side include problem
  • Incomplete Mediation
  • Time-of-check to Time-of use
  • DoS and DDoS
  • Misuse of Active Code

26
Incomplete Mediation
  • ACCEPTING DATA FROM A USER IN A WEB FORM The
    system could put checks of valid data to screen
    out erroneous data.
  • However after taking the values from the user,
    the program generates the URL line, based on the
    validated data.
  • But the hacker can edit the URL generated by the
    program, and resend it. The web server cannot
    differentiate between an edited URL and a
    system-generated URL.
  • Such a system is said to have
  • incomplete mediation.

27
Application code Errors Example of wrong code
  • Assume that a client selects book1 from page4 of
    the web-site of books.com and then moves to
    another page. Assume that the book cost 69.
  • The webserver may pass the following string to
    the client
  • http//www.books.com/page4isbn1
  • 0849308887pl6900
  • Then the client selects book 2 from page 7. It
    costs 129.
  • The webserver passes to the client
  • http//www.books.com/page7isbn1
    0849308887p16900isbn23540002235p2 12900

28
Application code Errors Example
of wrong code (cont)
  • The malicious client may change the string to
    1900 for both p1 and p2, before clicking order.
    He may get both the books at 38 only.

29
Time-of-check to Time-of use (TOCT TOU)
  • Every OS has access control. A file may be
    presented with a valid user, who can be
    authenticated and a valid job to be done.
  • While the OS is checking for authentication, the
    file remains in the users area. So the user may
    modify the file, with malicious commands. The
    OS comes back after checking authentication and
    allows the file to be processed.
  • And the malicious commands may be executed!

30
Denial of Service Attacks
  • ECHO CHARGEN chargen is a protocol that
    generates a stream of echo packets. (Refer to
    ICMP)
  • If a hacker continuously generates such
    packets for a server, the server would be busy in
    continuously responding to these packets.
  • Ping of Death an attacker, on a wide bandwidth
    net, can overwhelm a victim machine on a smaller
    BW net through sending a large number of ping
    messages.
  • SMURF spoofs a message ( which would generate an
    ICMP error message) as if it is coming from the
    victim. The spoofer broadcasts it on a large net.
    All hosts on the net respond to the victim.

31
SYN FLOOd
  • SYN_RECV queue
  • usually designed to have only 10-20 entries
  • the usual time-out for deleting an entry is of
    many minutes
  • So a SYN packet every few second can keep the
    host from accepting a new connection.
  • To avoid detection, every new SYN packet is
    spoofed from a new IP address. (ICMP dest
    unreachable, sent by the host of the spoofed
    address back to the victim, goes to ICMP module
    of the victim and not to the TCP module of the
    victim)

32
DDoS
  • Distributed Denial of Service attack
  • use trojan horses sent through an exe file thro
    e-mail or by buffer overflow-to a large number of
    machines.
  • All the machines are triggered at the same time
    to jointly attack the victim
  • Example Tribal flood Network of 1999.

33
DDOS
T
T
Attacker
Victim
T
T
34
DDOS (cont)
  • The attacker plants a Trojan horse on a large
    number of machines.
  • He then triggers the attack, from all these
    machines (called zombies, now) on the victim.
  • CERT has advised that now a single tool, which
    does the following, is available
  • Identifies the zombies
  • Installs the Trojans horse in Zombies
  • Activates the zombies to wait for a trigger
    signal
  • ReferenceKevin J. Houle and George M. Weaver,
    CERT
  • Coordination Center Trends in Denial of Service
    Attack Technology
  • October 2001 at  http//www.cert.org/archive/pdf/
    DoS_trends.pdf

35
Active or Mobile Code
  • Definition Active or Mobile Code Code sent by a
    server to a client for execution on the client
    machine.
  • The Objective of having the facility of Active or
    Mobile Code
  • Server is not over-loaded.
  • The under loaded work station may be used for
    processing.
  • Bandwidth use is reduced.
  • Disadvantage Without the knowledge or permission
    of the owner of the client machine, a remote
    machine causes a program to be executed on the
    client machine.

36
Examples of Active Code, that can be misused
1. Cookies
  • Definition Cookies Data files caused to be
    stored on client machine by web-server
  • Information
  • - about the client
  • - kept on client machine but encrypted
    by a key known only to
  • web-server.
  • A cookie may be
  • A per-session Cookie or
  • A Persistent Cookie

37
Examples of Active Code, that can be misused
2. Executing Scripts on Server
  • Web Server cannot differentiate between
  • Commands legitimately generated by the browser,
    as the client fills up a web page.
  • A hand-crafted set of commands generated by a
    malicious user.

38
Examples of Active Code, that can be misused
3. Escape Character attack on Server
  • CGI (common Gateway Interface)
  • Commonly used on web servers for scripting.
  • It Uses..
  • nn to represent ASCII special characters.
  • 0a to instruct interpreter to accept characters
    after 0a, as new command.

39
Escape Character attack on Server
continued
  • The following command requests a copy of the
    password file
  • http//www.test.com/cgi-bin/query?0a/bin/cat20/e
    tc/password
  • Another Example A CGI script of the form..
  • lt!-action arg1value arg2value..gt
  • is followed by a command.
  • If someone gives the following string
    immediately after the above..
  • lt!- exec cmd rm gt
  • it would delete all the files in the current
    directory of the web-server.

40
Escape Character attack on Server
continued
  • MS uses ASP for scripting..
  • These pages instruct the browser on
  • how to display files
  • how to maintain context and Interact with the
    server.
  • These pages can be seen at the browser and any
    weaknesses in the ASP code may be exploited by a
    malicious user.

41
Active Code Comments
  • Java Script
  • Java 1.1 sandbox very restrictive.
  • Java 1.2 opened the sandbox to permit stored disk
    files and executable procedures. This makes v1.2
    more convenient to use at the cost of increase in
    security vunerability.
  • Java 1.4 supposed to correct these
    problems??
  • Active X Using it, objects of arbitrary type can
    be downloaded to a client.
  • The Object may lead to an automatic
    download of the handler required for a file type.

42
Active Code Comments
Active X
  • MS uses authentication certificates which certify
    the origins validity.
  • But Proof of origin does not mean safety of
    code.
  • Auto Exec by file-type
  • Besides the files extension, a file contains its
    type information inside the file also.
  • So even if a file does not have an extension, it
    may be opened automatically, if one clicks on it.

43
Active Code Comments Java
vs. Active X
  • You can put only partial trust in a program,
    while ActiveX requires either full trust or no
    trust at all.
  • A Java-enabled browser could keep a record of
    which dangerous operations are carried out by
    each trusted program, so it would be easier to
    reconstruct what happened if anything went wrong.
  • Java offers better protection against accidental
    damage caused by buggy programs.
  • Referencehttp//www.cs.princeton.edu/sip/faq/java
    -vs
  • activex.html SIP Secure
    Internet Programming

44
Procedures for secure active code
  • 1. System must control applets access to
    sensitive system resources, such as
  • File system
  • Processor
  • Network
  • Users Delay
  • Internal State Variables.

45
Procedures for secure active code

continued
  • 2.The Language must protect memory by preventing
  • forged memory pointers and
  • array(buffer) overflows.
  • 3. The system must prevent object reuse by
    clearing memory contents for new objects.

46
Procedures for secure active code

continued
  • The system must perform garbage collection to
    reclaim memory no longer in use.
  • 4. The system must control
  • inter applet communication as well as
  • applets effects on the environment outside the
    Java System through system calls.
  • Reference Dean, D. Felten, E.W. Wallach, D.S.,
    Java security from HotJava to Netscape and
    beyond Proceedings of IEEE Symposium on Security
    and Privacy, 1996, pp190-200

47
A Networked System More
Vulnerable?
  • Attacker can be
  • anonymous,
  • safe behind an electronic shield,
  • at a great distance, and
  • can make his system hide behind a chain of other
    hosts.
  • A large network has many points from which attack
    may be mounted and many targets.
  • Sharing-Networks permit a number of users to
    share the services. ? a larger number of attacker
    entities-users/systems

48
A Networked System More Vulnerable?
cont.
  • Complexity of a system Each operating system is
    complex. A network operating system, which may
    deal with multiple operating system, is even more
    complex.
  • Even desktops have become powerful. So the user
    may not even know fully what his system is doing.
  • Ill-defined perimeter since networks are
    interconnected in a variety of ways.
  • Multiple paths may exist between two legitimate
    communicatorshosts/networks in each path may
    have different security policies.
  • Reference Pfleeger and Pfleeger, Security in
    Computing
  • Prentice Hall 3rd Ed., 2003, pp 387-389

49
Security Services
  • Confidentiality Protection of the message
    from disclosure to unauthorized persons
  • In addition the secrecy of the identity of the
    sender may also be required. Confidentiality may
    be compromised by
  • -misdelivery, exposure in some part of the
    network, traffic flow analysis
  • Integrity Maintaining data consistency
  • message may not be altered during
    transmission.
  • AUTHENTICATION Verifying a principals claimed
    identity.
  • Principal a user logged on a remote system
    or
  • - a local user logged on the
    server or
  • - the server itself

50
Security Services Authentication
continued
  • Authentication A two - step process
  • -
    User Name
  • - Password
  • (check - something you know (common)
  • - Something you have
  • - Something you are
  • - what you do (Exkey-stroke patterns)
  • - where you are )

51
Security Services (continued )
  • Distributed Authentication of users, processes,
    servers and services is even more difficult.
    Thus NT 4.0 had the concept of a single Primary
    Domain Controller.
  • Windows 2000 has a Multi-master system. It
    makes the system more robust, but more vulnerable
  • Non-repudiation Originator of communications
    cant deny it later
  • Digital Signatures are used to relate an
    entity to information.

52
Security Services (continued )
  • Availability
  • Legitimate users have access when they need it
  • Access control
  • Unauthorized users are kept out
  • Receipt
  • Acknowledgement for received information
  • Certificate
  • Endorsement of information by a trusted
    party
  • Anonymity
  • Hiding the identity of an entity

53
Security Services (continued )
  • Most Internet security problems are
  • access control or
  • authentication ones
  • Denial of service is also popular, but mostly an
    annoyance
  • Security services are often combined
  • User authentication used for access control
    purposes
  • Non-repudiation combined with
    authentication

54
CERT Coordination Center (CERT/CC)
  • CERT/CC a part of Software Engineering Institute
    (SEI) Networked Systems Survivability Program,
    Carnegie Mellon University, Pittsburgh,
    Pennsylvania
  • History
  • 2nd November 1988 Morris worm incident, 1988,
    which brought 10 percent of Internet systems to a
    halt
  • Defense Advanced Research Projects Agency (DARPA)
    charged the SEI with setting up a center
  • to coordinate communication among experts during
    security emergencies and
  • to help prevent future incidents.
  • 17th November 1988 Computer Emergency Response
    Team was set up.
  • Today CERT/CC a Center of Internet security
    expertise.
Write a Comment
User Comments (0)
About PowerShow.com