Hans Hedbom - PowerPoint PPT Presentation

About This Presentation
Title:

Hans Hedbom

Description:

... hot r att avs ndarens IP-adress ofta anv nds f r autenticering (rsh m.fl.). Problemet ligger i att avs ndarens IP-adress inte kontrolleras ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 30
Provided by: han47
Category:
Tags: adress | hans | hedbom

less

Transcript and Presenter's Notes

Title: Hans Hedbom


1
Attacks on Computer Systems
  • Hans Hedbom

2
Attacks
  • Non-Technical attacks
  • Example
  • Social engineering
  • Phishing
  • Cause
  • Low user awareness or missing policies/routines
  • Technical attacks
  • Example
  • See following slides
  • Cause
  • Transitive trust
  • Bugs and configuration errors in apps and OS
  • Vulnerabilities in protocols and Network
    Infrastructure

3
Threats to confidentiality
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
4
Network attacks
5
SYN-Attacks
  • The attacker sends a large amount of SYN-packets
    to the server
  • fills-up the SYN-buffer server is unable to
    accept more connections Denial of Service

Client
Server
SYN
Timeout 4 min.
SYN,ACK
ACK
TCP event diagram
6
IP Fragmentation Attack
  • Intentional fragmentation of IP-packets may
    confuse routers, firewalls and servers

IP-packet
Data
Original
Header
Fragment 1
Fragment 2
Fragmented
Data
Header
Data
H
Offset 0
Offset 16
Offset 20
IP-packet
Data
Header
Assembled
Overlap!
7
Sniffer Attacks
  • Eavesdropping on a network segment.

Telnet (password in the clear)
IP Network
Telnet Client
Telnet Server
Telnet
Attacker
8
Passwords over the Net
Telnet FTP Rlogin Rexec POP SNMP NFS SMB H
TTP
9
IP-Spoofing
  • Counterfeiting of IP-sender-addresses when using
    UDP and TCP

NFS-request
IP Network
NFS Client
NFS Server
NFS-response
SYN-attack
Attacker
10
Session Hijacking
  • Attacker hijacks a session between a client and a
    server
  • it could for example be an administrator using
    telnet for remote login

Telnet traffic
IP Network
Telnet client
Telnet server
SYN-attack
IP-Spoofing
Attacker
11
DNS Cache Poisoning
  • DNS Domain Name Service
  • is primarily used to translate names into
    IP-addresses
  • e.g. www.sunet.se to 192.36.125.18
  • data injection into the DNS server
  • cross checking an address might help

12
OS (Software) attacks
13
Race Condition Attacks
  • Explores software that performs operations in an
    improper sequence. e.g. psrace (Solaris 2.x).

Application
Create file
/tmp/sh
Store data
/usr/bin/ps
Create link
Set SUID
/tmp/ps_data
Use data
Remove file
14
Buffer overflows
  • Buffer overflow accounts for 50 of the security
    bugs (Viega and McGraw)
  • Data is stored in allocated memory called buffer.
    If too much data need to be stored the additional
    bytes have to go somewhere.? The buffer
    overflows and data are written past the bounds.

15
Web Attacks
16
Browser Vulnerabillities
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
17
Window of Exposure
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
18
Phishing
Phishing (only works with predictable or time
invariant values) Trick the user to access a
forged web page.
Forged Web Page
SSL/TLS
1. Username
2. Ask for login credentials
3. Give login credentials
4.Ok alt Deny (error code)
19
Phishing
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
20
Phishing
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
21
Pharming
5.Chalange
6. Responce
9.Ok alt Deny
4.Chalange
7 .Responce
1.Username
2.Username
3.Chalange
8.Responce
9.Ok alt Deny
22
XSS
23
What is SQL Injection?
  • name HTTP_POST_VARS"name"
  • passwd HTTP_POST_VARSpasswd"
  • query select name from users where name
    .name. and passwd .passwd.
  • result mysql_query(query)

24
What is SQL Injection?
25
BOT-NETS
26
Bot-nets
  • A bot-net is a large collection of compromised
    computers under the control of a command and
    control server.
  • A bot-net consists of bots (the malicious
    program), drones (the hijacked computers) and
    (one or more) CC server.
  • A bot is usually a combination of a worm and a
    backdoor.
  • IRC and HTTP are the primary communication
    protocols in today's bot-nets.
  • Bots are usually self spreding and modular.

27
Uses of bot-nets
  • Bot-nets could be used for the following
  • Click Fraud
  • Making drones click on specific advertisements on
    the web.
  • DDoS
  • For financial gain or blackmail.
  • Keyloging
  • For financial gain and identity theft.
  • Warez
  • Collecting, spreading and storing
  • Spam
  • For financial gain.
  • And of course as a private communication network.

28
Detecting and preventing bot-nets
  • Detection is all about finding the CC server.
  • Look for suspicious traffic patterns in firewall
    logs and other logs.
  • Take note of servers whit a high number of
    incoming connections.
  • Monitor the suspicious CC and inform the owner
    and the authorities when you are sure that it is
    a bot-net controller.
  • Prevention
  • All the usual rules apply patch and protect. Do
    egress filtering in firewalls as well as ingress.
    This will stop infections from spreading and
    could block outgoing traffic from drones within
    the intranet.
  • Problems
  • Some bot-nets are encrypted.
  • Tracking the CC to the real bot-net owner can be
    hard.

29
Bot activity
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
Write a Comment
User Comments (0)
About PowerShow.com