ELEC5616 computer and network security - PowerPoint PPT Presentation

1
ELEC5616 computer and network security
  • matt barrie
  • mattb@ee.usyd.edu.au

2
vendors will save you!
  • 1995 Network Scanning Tools
  • 1996 Firewalls
  • 1997 Virtual Private Networks (VPNs)
  • 1998 Intrusion Detection Systems (IDSs)
  • 1999 Public Key Infrastructure (PKI)
  • 2000 Biometrics
  • 2001 Security Appliances
  • 2002 Unified Threat Management (UTM) Appliances
  • 2003, 2004, 2005, 2006, 2007, 2008, 2009

3
maybe not ...
  • Only hackers end up running network scanning
    tools.
  • Firewalls are walls with holes in them.
  • VPNs run over the Internet!
  • Intrusion Detection Systems don't detect new
    attacks, and perform poorly at detecting old
    ones.
  • PKI requires a massive investment in complex
    infrastructure management.
  • Biometrics have lots of problems
    • They can be easily fooled
    • They incite violence against the user
    • What happens if the password file is compromised?
    • Fundamentally, how do you revoke and issue new
      keys?
  • Appliances are pretty boxes running the same
    software.
  • Finally, no-one can configure any of this stuff
    properly anyway.

4
so what is going wrong?
  • We are building the digital world on foundations
    of mud
    • operating systems like Microsoft Windows
    • the IP stack, 802.11/WEP
    • poor user protocols (e.g. telnet, ftp, http, rsh)
    • poor network protocols (e.g. DNS)
    • poor network management protocols (e.g. SNMP,
      etc.)
    • bad (poor security) programming languages (e.g.
      C)
  • there is a lack of proper infrastructure
  • there is a lack of quality developers
  • poor design and programming practice
    • e.g. design choices, implementation, assumptions

5
A case study in real world threats to network
security (and digital business)
  • With thanks to Joel de la Garza (Securify)

6
background chronology
  • July 1999 The Computer Emergency Response Team
    (CERT) issues an advisory on Denial-of-service
    attacks
  • Sep 1999 Packet Storm receives copies of DDoS
    tools
  • Nov 1999 CERT warns of new class of attacks
    (DDoS) and tools in circulation at CISAC
    Information Warfare conference
  • Dec 1999 Packet Storm receives latest copies of
    TFN and trinoo (DDoS attack tools)
  • Dec 1999 Packet Storm releases new tools and
    launches Storm Chaser 2000 Next Generation
    CyberDefence.

7
the packet monkeys attack
  • Feb 7 2000 Yahoo - 3 hour outage
  • Feb 8 2000 E-bay - 5 hour outage
  • Feb 8 2000 buy.com - 4 hour outage - first day
    of IPO!
  • Feb 8 2000 Amazon - 3:45 outage
  • Feb 8 2000 CNN - 3:30 outage
  • Feb 9 2000 ZDnet - 3:15 outage
  • Feb 9 2000 Etrade - 2:45 outage
  • The attack
    • An amplified denial-of-service attack on the
      routers connecting these websites to the Internet
    • Amplified Ping and SYN floods

8
the press respond
  • "Still no news on who is behind the concerted DoS
    attacks that so crippled America's ability to buy
    Pokemon trading cards earlier this week." - Need
    to Know, www.ntk.net
  • "In a case like this, there is no Interpol, no
    Pinkertons that you can turn to for help" - Wall
    Street Journal
  • "Like a distributed pizza attack where you call
    every pizza shop in town and deliver them to your
    worst enemy" - Bruce Schneier
  • "A 16-year-old Montreal boy will be sentenced in
    April for his admitted guilt in paralyzing the
    Web sites of several U.S. companies, such as
    Yahoo, Amazon and eBay, while acting as the
    hacker Mafiaboy in February 2000.
    The unidentified boy, who quit school and works a
    menial job, Thursday pleaded guilty to five
    counts of mischief, 51 counts of illegal access
    to a computer and one count of breach of bail
    conditions." - IDG

9
its all fun and games ...
  • But to e-Businesses, denial of service of your
    website is denial of service to your business
  • Organisations need to understand that, in
    addition to the Economies of the Internet (EoI),
    there are diseconomies of the Internet
    • Information leakage
    • Operationally exposing your internals to the
      world 24x7x365
    • Increased risk associated with an increased
      chance of compromise
    • Ease with which attackers can execute and get
      away with crime
      • There is no Internet Police
      • Multiple barriers make it impossible to pursue

10
why did this happen?
  • Lack of strong authentication
  • The Internet Protocols are weak
    • Packets are unmetered and unauthenticated
    • Packets can flow any way to their destination
      • This is why the network is resilient
    • No audit trails
  • They come from a history of gentle behaviour
    • Why would anyone want to forge email?
    • Why would anyone want to spam the network?
  • Network control protocols use in-band signaling
    • Something the telephone company figured out was
      bad a long time ago
  • A friend of a suspect dared him to do it

11
the fundamental problem
  • The biggest problem with security architecture
    of the Internet is lack of strong authentication
  • You trust that I'm me because I tell you so
  • You trust my packets because they say they come
    from my IP
  • You trust my machine because I say it's called
    bullwinkle
  • You trust me to login because my password is
    britney
  • You trust my email because it says it comes from
    mattb@ee.usyd.edu.au
  • You trust my connection because some other
    random machine on the Internet (a reverse DNS
    lookup) tells you I'm from niceguy.com
  • You trust my TCP connection because I tell you a
    sequence number (that I probably could have
    guessed) that you sent across the network to me
    earlier (in the clear)
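The last bullet is the classic TCP initial sequence number (ISN) guessing attack: Morris described it against 4.2BSD in 1985, and the 1994 intrusion into Shimomura's machines used it against an rsh trust relationship. The simulation below is an added example, not part of the lecture. It models the handshake of an rsh-like server that trusts a peer by IP address under two ISN policies: a 4.2BSD-style counter (+128 per second, +64 per connection, as Morris described it) and an RFC 6528-style clock plus keyed hash. The attacker probes once from their own address, then forges a SYN and an ACK from the trusted address, guessing the ISN they were never shown. Hosts, ports, the counter seed and the secret are constructed for the example; SHA-256 stands in for RFC 6528's keyed function F.

```python
"""Blind TCP spoofing versus ISN policy: a toy single-process simulation
(no packets are sent). Two servers share one handshake model and differ
only in how they pick the initial sequence number (ISN) for the SYN-ACK.
Hosts, ports, counter seed and secret are constructed for the example."""
import hashlib
import secrets

MOD = 2 ** 32


class Server:
    """Minimal passive TCP endpoint that, like rsh, trusts the peer by IP
    address: half-open connections are keyed by the claimed (ip, port)."""

    def __init__(self, ip="10.0.0.1", port=514):   # 514/tcp = rsh
        self.ip, self.port = ip, port
        self.pending = {}       # (peer_ip, peer_port) -> ISN we sent
        self.established = []

    def next_isn(self, peer_ip, peer_port, now):
        raise NotImplementedError

    def recv_syn(self, peer_ip, peer_port, now):
        """Choose an ISN and 'send' SYN-ACK to peer_ip. The ISN is returned
        so the simulation can deliver it only to whoever owns peer_ip."""
        isn = self.next_isn(peer_ip, peer_port, now)
        self.pending[(peer_ip, peer_port)] = isn
        return isn

    def recv_ack(self, peer_ip, peer_port, ack):
        """Final handshake step: accept only if ACK == our ISN + 1. A wrong
        ACK is simply dropped here (a real stack would also send a RST)."""
        isn = self.pending.get((peer_ip, peer_port))
        if isn is None or ack != (isn + 1) % MOD:
            return False
        del self.pending[(peer_ip, peer_port)]
        self.established.append((peer_ip, peer_port))
        return True


class BsdIsnServer(Server):
    """4.2BSD policy as described by Morris (1985): one global counter,
    stepped by 128 every second and by 64 for each new connection."""

    def __init__(self):
        super().__init__()
        self.counter, self.last_tick = 1_000_000, 0   # constructed seed

    def next_isn(self, peer_ip, peer_port, now):
        self.counter += 128 * (now - self.last_tick) + 64
        self.last_tick = now
        return self.counter % MOD


class Rfc6528IsnServer(Server):
    """ISN = M + F(4-tuple, secret): M is a 4 microsecond clock and F a
    keyed hash (SHA-256 here), so an ISN seen on one connection reveals
    nothing about the ISN chosen for a different 4-tuple."""

    def __init__(self, secret=None):
        super().__init__()
        self.secret = secret or secrets.token_bytes(16)

    def next_isn(self, peer_ip, peer_port, now):
        m = (now * 250_000) % MOD
        tup = f"{self.ip}:{self.port}|{peer_ip}:{peer_port}".encode()
        f = int.from_bytes(hashlib.sha256(self.secret + tup).digest()[:4], "big")
        return (m + f) % MOD


def blind_spoof(server, attacker_ip="203.0.113.7", trusted_ip="10.0.0.2"):
    """Morris/Mitnick-style attack. Returns True if the server ends up with
    an established connection 'from' trusted_ip although only the attacker
    sent packets. All steps happen within one second (now=100)."""
    now = 100
    # 1. Probe from the attacker's real address: this SYN-ACK really is
    #    delivered to the attacker, so its ISN is observed. (A sniffer on
    #    the path would learn the same; ISNs travel in the clear.)
    probe_isn = server.recv_syn(attacker_ip, 40000, now)
    server.recv_ack(attacker_ip, 40000, (probe_isn + 1) % MOD)
    # 2. Forged SYN carrying the trusted host's address. The SYN-ACK goes to
    #    the trusted host, not the attacker, so the returned ISN is dropped.
    #    (Mitnick first SYN-flooded the trusted host so it could not answer
    #    the unexpected SYN-ACK with a RST; not modelled here.)
    server.recv_syn(trusted_ip, 1023, now)
    # 3. Bet that the counter moved by exactly 64 again, and ACK the
    #    predicted ISN + 1 with the trusted address as source.
    guess = (probe_isn + 64 + 1) % MOD
    return server.recv_ack(trusted_ip, 1023, guess)


def isn_deltas(server, n=5, now=100):
    """Gaps between consecutive ISNs handed out to different peers; the
    constant gap is what makes the guess in blind_spoof work."""
    isns = [server.recv_syn(f"192.0.2.{i}", 50000 + i, now) for i in range(n)]
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


if __name__ == "__main__":
    print("BSD ISN deltas:     ", isn_deltas(BsdIsnServer()))
    print("RFC 6528 ISN deltas:", isn_deltas(Rfc6528IsnServer()))
    print("spoof vs BSD:       ", blind_spoof(BsdIsnServer()))
    print("spoof vs RFC 6528:  ", blind_spoof(Rfc6528IsnServer()))
```

Against the counter the single guess succeeds every time, because the probe ISN plus 64 is exactly the ISN the server handed to the forged connection. Against the randomised policy the same guess is one value in 2^32 and the half-open connection is never completed. The defence lives in the ISN generator, not in a firewall or VPN: any host that still grants access on the strength of a source address (rsh, rlogin, hosts.equiv) is exposed the moment its ISNs become predictable.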

12
and ...
  • Security is always catch-up
    • Always a significant time delay between finding,
      reporting, advising and fixing problems
    • Security is usually reactive
  • Security is perceived as a cost centre, not a
    profit centre
  • Homogeneous nature of the Internet (monocultures)
  • Heterogeneous nature of the Internet
    (interoperability)
  • Political issues, export restrictions
    • The government really doesn't want you to be
      that secure
    • They want to raise the bar to their level
  • Patents
  • Humans use the Internet

14
the Internet is a monoculture
  • Most hosts on the Internet run Windows
    • With over 63,000 known bugs
  • Most nameservers run BIND
    • "Buggy Internet Name Daemon", or 300,000 lines
      of bad code (Bernstein)
  • Most mail servers run sendmail
    • Historically the buggiest UNIX program (vying
      with BIND)
  • Most routers run Cisco IOS
    • A proprietary operating system
    • What can you say about the security of a program
      if you can't look at the source?
  • Most web servers run Apache (the exception -
    secure!)
    • IIS, in second place with 20%, has abysmal
      security
  • Most applications are Outlook,
    Hotmail/Passport, MS Office
    • Email viruses would not have been a problem if
      Microsoft hadn't decided HTML emails were a good
      idea
  • Most users have no clue about security

15
the result
  • Attacks against any of windows, bind, sendmail,
    IIS, IOS, outlook, hotmail/passport or apache
    will yield large numbers of 0wn3d machines.
  • By "large" we mean significant percentages of
    the Internet
    • In other words, millions of machines
  • Get ready for this soon to include your PDA,
    mobile phone, VoIP communications, watch,
    pacemaker and stereo system.

16
common beliefs are wrong
  • The common security philosophy is that if you
    secure the perimeter, you can keep the insides
    soft and gooey (marshmallow)
    • This has always been a very bad assumption.
    • Nowadays it is even worse: your network is like
      Afghanistan
      • There is no border.
      • You cannot trust anyone.
  • There are simply too many ways into your
    network
    • Internet connections (T1, cable, ADSL, frame
      relay ...)
    • Dialup modems (not just those in the modem pool,
      all the others that employees use for testing,
      private access etc.)
    • 802.11 wireless networks (the record is well
      over 15 kilometres with a good antenna and
      amplifier)
    • Third party connections (vendors, partners,
      clients ...)
  • Users are 90% of the problem and they are
    already inside!

17
hosts are weak
  • When not weak due to bugs, hosts are often weakly
    configured
    • Default configurations are usually insecure
    • Too many exposed services, exposed code
  • Programs are written poorly in bad languages
  • Programs run with too much privilege
  • Hosts have users, which further erode security
  • In short, there are too many ways to successfully
    attack hosts that can then be used to attack
    others
    • Remote exploit to gain access to the system
    • Subversion of the system to gain privileges
    • Leverage access to other systems across the
      whole network
      • Through trust relationships, packet sniffing,
        keystroke logging etc.

18
same old problems, new themes
  • We've had fixes for most of these problems for 30
    years
  • SANS Top 20 (2003) www.sans.org
  • UNIX
    • Multiple overflows in the remote procedure call
      (RPC) mechanism
    • Vulnerable CGI programs on web servers
    • Chunk handling bug in Apache and another in
      mod_ssl
    • Protocol problem in SSH1 leading to session
      decryption, and buggy/trojan OpenSSL
    • Weak authentication in the simple network
      management protocol (SNMP)
    • Cleartext password sniffing with FTP and multiple
      bugs in multiple distributions
    • Trust problems with the r-services
    • Buffer overflow in printer (lpd) services
    • Lots of bugs in sendmail
    • Lots of bugs in BIND
    • Accounts with no / default / poor passwords

19
the top 10 security problems
  • Windows
    • Three major bugs in IIS (poor handling of user
      data, buffer overflows)
    • Program flaws in MDAC components
    • Remote exploit in MSSQL
    • Unprotected NETBIOS shares (no passwords, poor
      passwords)
    • Anonymous login / null sessions
    • Weak hashing with LANMAN passwords
    • Accounts with no passwords / poor passwords
    • Multiple vulnerabilities in multiple classes with
      Internet Explorer
    • Poor security settings allowing remote registry
      access
    • Worm exploiting the Windows scripting facility

20
note
  • None of these problems are stopped by encryption
  • None of these problems are stopped by firewalls
  • None of these problems are stopped by VPNs
  • None of these problems are stopped by biometrics
  • None of these problems are stopped by IDSs
  • None of these problems are stopped by PKIs
  • Some are a result of lack of strong
    authentication
  • Some are a result of bad programming
  • Some are a result of poor security administration

21
moral of the story
22
references
  • SANS Top Twenty Vulnerabilities
    http://www.sans.org/top20.htm
  • Packet Storm
    www.packetstormsecurity.org