01 threat


Published on November 19, 2007

Author: Breezy

Source: authorstream.com

Content

The threat we face

- What is security? We want computers to:
  - do what they are supposed to do,
  - when we want them to do it,
  - with restrictions on who can read or modify data and programs.
- Schneier: "enforcing a policy that describes rules for accessing resources"
- Security can then be measured by compliance with that policy.

Computers and crime

- Computers are often involved in crime in one of two ways:
  - as an "agent" of a crime
  - as the "victim" of a crime

Computers used as an agent of the crime

- Communication about drug deals, murder
- Exchange of copyrighted material
- Sharing, storing child porn
- Identity theft
- Harassment, death threats
- Fraud

Computers as the victim of the crime

- Destruction of data
- Programs subverted, replaced
- "Malware" installed
- Denial of service attacks
- The victim machine is then used to compromise other computers, share files, hide tracks

Who would do this?

- Someone who is out to get you
  - Disgruntled employee
  - Disgruntled patron
- Someone who is after something you have
- "Miscreants" committing "random acts of violence"
  - Might not be targeting you
  - Most attacks are like muggings: wrong place, wrong time
- Activists ("hacktivists")
- Espionage
- Terrorists

Hackers/crackers?

- Hackers traditionally were *not* crooks
- Originally meant someone who is skilled, clever
- The word was "taken over" by the popular press
- Some use "crackers" (myself included at times); this can be confusing
- "Miscreant" is a pretty descriptive term

Why do they do this?

- Curiosity, "learning"
- The computer underground "economy"
- A means to an end (file sharing, warez sites)
- Hacktivism (web defacements, denial of service attacks)

A little about the miscreants...
- There's a small number of "clueful" people
  - They write most of the exploit scripts, rootkits and backdoors
  - These tools are "enabling technologies"
- There's a larger number of potential miscreants
  - They couldn't commit these attacks without the tools
  - The tools are *easy* to use

How do they do this?

- Scan for computers, services, vulnerabilities
- Gather information (accounts, operating system, software)
- Exploit vulnerabilities to gain access (or to leverage access already gained)
- Install back doors, possibly rootkits
- Use the computers for [fill in the blank]

Scanning

- Hosts: there are typically many unused addresses; which ones have computers listening on them?
- Ports: determine which network services each computer runs; the attacker may only be interested in specific services (e.g. IIS)

Information Gathering

- O/S fingerprinting, typically done through TCP/IP stack "fingerprinting" (how the stack answers unusual probes)
- Banner grabbing: the greeting a service sends on connect helps determine software type and version
- Account enumeration, through null sessions, finger, whois, LDAP, mailing lists, etc.
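The Scanning and Information Gathering slides above, as an added example that is not code from the original deck: a TCP connect scan plus banner grab against a throwaway listener on the loopback interface, so it runs offline. The banner text, the port choices and the fingerprint regex are assumptions made for the illustration.

```python
"""Scanning and banner grabbing against a constructed local target.

Added example, not code from the original slides. A throwaway TCP listener
on the loopback interface stands in for a real host so the scan runs
offline; the banner text, port choices and the fingerprint regex are
assumptions made for the illustration.
"""
import re
import socket
import threading

# Constructed: the greeting an OpenSSH 3.4p1 daemon sends as soon as a
# client connects (same shape as a real SSH identification string).
FAKE_BANNER = b"SSH-2.0-OpenSSH_3.4p1\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Listen on a kernel-chosen loopback port and greet every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener was closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_port(host, port, timeout=1.0):
    """TCP connect scan of one port.

    Returns (is_open, banner). The banner is whatever the service volunteered
    before we sent anything; SSH, SMTP and FTP daemons all announce themselves
    that way, which is exactly what banner grabbing relies on.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:            # refused or timed out: closed/filtered
            return False, b""
        try:
            return True, s.recv(256)
        except OSError:            # open, but the service said nothing
            return True, b""


def scan_host(host, ports):
    """Map each open port to the banner it returned."""
    results = {}
    for port in ports:
        is_open, banner = scan_port(host, port)
        if is_open:
            results[port] = banner
    return results


# "SSH-<proto>-<software>[_<version>]": pull out software name and version.
SSH_BANNER_RE = re.compile(rb"^SSH-[\d.]+-([A-Za-z]+)[_-]?([\w.]*)")


def fingerprint(banner):
    """Return (software, version) from an SSH banner, or None if it is not one."""
    m = SSH_BANNER_RE.match(banner)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode()


def demo():
    """Scan a live fake service and a guaranteed-closed port; return the findings."""
    srv, open_port = start_fake_service()
    # A socket that is bound but never listens: connections to it are refused,
    # which gives us a port that is certainly closed without guessing a number.
    closed_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed_sock.bind(("127.0.0.1", 0))
    closed_port = closed_sock.getsockname()[1]
    try:
        found = scan_host("127.0.0.1", [open_port, closed_port])
        return {
            "open_port": open_port,
            "closed_port": closed_port,
            "open_ports": sorted(found),
            "fingerprint": fingerprint(found.get(open_port, b"")),
        }
    finally:
        srv.close()
        closed_sock.close()


if __name__ == "__main__":
    print(demo())
```

A full TCP handshake is the noisiest way to probe (the target's own logs will record it), which is why real scanners prefer half-open SYN scans; a connect scan is used here because it needs no raw sockets or privileges. Note also that a banner is only a claim: administrators can and do change them, so treat the version string as a lead to confirm with the actual exploit attempt, not as ground truth.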
Exploits

- Typically automated; may try multiple exploits
- Exploits take advantage of bugs, misconfigured systems, human error and design flaws to give the intruder access
  - Bugs (buffer overflows, race conditions)
  - Misconfigured systems (no admin password)
  - Human gullibility (many viruses)
  - Design flaws (other viruses, attacks against weak passwords)
- Most common exploits have patches (or workarounds) available; most people don't install patches
- 0-day exploits target bugs not yet known to the vendor, so typically no patch is available
- The exploit often installs a simple backdoor
  - Root shell via inetd on TCP/1524 on Unix
  - DameWare on Windows
- The intruder may then scan for the backdoor to find successfully compromised systems
  - In some cases (NetBus or Back Orifice installed via email) the intruder needs to search for the infected computers
  - In other cases the backdoor "phones home" (Nethief)

Backdoors

- On success, the intruder will often use the simple backdoor to gain access to the system and:
  - Install a better backdoor
  - Install a rootkit
  - Clean up traces of their intrusion on the system
  - Remove services or install patches to keep others from gaining access
- These vary in sophistication
  - Simple: a root shell on a special TCP port; an extra sshd on a special port; cmd.exe copied to a new location in the web tree
  - Complex: Back Orifice, NetBus, DDoS agents, botnets, Nethief, Seteri

Case study: Nethief

- Attacker creates a special "agent" with the console and infects one or more victims with it.
- Console updates a web site with its current IP address (encrypted)
- Agents check the web site once a minute, then send "here I am" traffic to the console on UDP/8102
- Console displays a list of agents
- Attacker picks an agent; the console puts instructions for that agent on the web site
- Agent gets the instructions, contacts the console on TCP/80
- Console now has access to all files (read, write, delete, create, execute...)
- Greenstuffsoft.com (warning: Chinese)

Rootkits

- Set of tools that the intruder installs on the system once it has been successfully compromised
- Typically includes a backdoor, install scripts, tools for breaking into other systems, tools for hiding their tracks

Rootkits - Hiding

- Replacements for common applications:
  - ps modified to not show certain processes
  - netstat modified to not show certain network connections
  - ls, du, find modified to not show certain files
  - etc.
- Kernel modules
- If the O/S doesn't report X, there's little that you can do except image the disk and analyze it

Normal Software Hierarchy

[Figure: layered stack. Operating system (kernel); kernel modules; dynamic libraries; statically linked programs; dynamically linked programs.]

Compromised Hierarchy

[Figure: the same stack, with the program layer replaced.] Intruder replaces "good" programs with "bad" copies intended to hide their activity or provide a back door. E.g. ls, find, du might hide directories, ps might hide some processes, netstat might hide network activity, login might allow root access with a special password.

[Figure: the same stack, with the kernel-module layer replaced.] Intruder installs a new kernel module that changes how the system behaves. This affects ALL programs running on the system: even a statically linked, known-good ps still asks the kernel for the process list, and the module answers with a lie.
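The program-replacement case from the "Compromised Hierarchy" slide, as an added example that is not code from the original deck: a Tripwire-style hash baseline that exposes swapped binaries. The directory tree is constructed in a temporary directory, and the file names and contents are stand-ins for real system programs.

```python
"""Catching replaced binaries (ls, ps, netstat, login...) with a hash baseline.

Added example, not code from the original slides. The user-mode rootkit in
the "Compromised Hierarchy" slide swaps system programs for trojaned copies,
so a baseline of digests recorded while the system was known-good (and kept
off the host, where the intruder cannot rewrite it) exposes every swap. The
directory tree below is constructed in a temporary directory; the file
names and contents are stand-ins, not real binaries.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map every regular file under `root` (path relative to root) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped: hashing the target would let a swapped link
        # point at a still-pristine file and pass the check.
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def check_integrity(root, baseline):
    """Diff the live tree against the baseline: modified, missing and added files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Baseline a constructed /bin and /sbin, simulate a rootkit install, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "sbin").mkdir()
        for name in ("ls", "ps", "netstat", "find"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\n# genuine " + name.encode() + b"\n")
        (root / "sbin" / "sshd").write_bytes(b"genuine sshd\n")
        (root / "sbin" / "login").write_bytes(b"genuine login\n")
        baseline = build_baseline(root)       # taken while the system is clean

        # Simulated intrusion, mirroring the slide: ps hides processes, login
        # accepts a magic password, find is deleted, and a second sshd appears.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\n# trojaned ps: hides the backdoor\n")
        (root / "sbin" / "login").write_bytes(b"trojaned login: root with a special password\n")
        os.remove(root / "bin" / "find")
        (root / "sbin" / "sshd.bad").write_bytes(b"backdoored sshd\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two conditions make this check meaningful. The baseline must live somewhere the intruder cannot edit (read-only media, another host), and the scan must be run from trusted media, because once a kernel module is in place the running kernel can hand read() the original bytes while exec() runs the trojan; that is exactly the exec redirection described for Knark. Against a kernel rootkit this check is therefore only trustworthy when the disk is examined offline, as the next slides say.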
Case study: Knark

- Knark, a loadable kernel module rootkit for Linux
- Hides files, directories, network connections
- Hides processes (and the hiding is inherited by their children)
- Exec redirection: run sshd.bad when they ask for sshd
- Hides modules, executes programs as root
- And so on...

Response to kernel rootkits

- Good argument for prevention
- Examine the disk contents offline (portable forensics), booting from trusted media, since the running kernel can no longer be trusted to read its own disk honestly
- Log reconciliation: compare logs from the host against external logs (e.g. network traffic logs) and look for differences, e.g. a telnet connection in the network logs but no login session on the host

Distributed Attack Tools

- Basic idea is to split the phases of the attack, or the pieces of a denial of service mechanism, across multiple hosts
- Harder to detect: easier to drop below the intrusion detection threshold, and hard to correlate seemingly pointless traffic from multiple sources

Sample Distributed Attack

[Figure: probe sources, probed hosts, compromised hosts, attack hosts, victims, denial of service sources and denial of service victims, with the attack phases numbered 1 to 3.]

Viruses and Worms

- The terminology is often misused
- Virus: malicious software installed into another, otherwise "normal" program
  - The "infection part" looks for other files/programs to infect
  - The "payload part" does something (sends email, deletes files, etc.)
  - Frequently requires human intervention to spread (e.g. executing an attachment)
- Worm: a stand-alone program, not attached to another; typically spreads automatically

Case study: SQL/Slammer (Sapphire) Worm

How does SQL/Slammer infect a computer?

- Through the SQL Server Resolution Service (the "SQL locator" service, UDP/1434)
- Microsoft SQL Server is a network database server
- The resolution service is a network service for finding SQL Server instances
- Some versions of this service have a bug (Microsoft had published a patch about six months before the worm appeared)
- SQL/Slammer was written to take advantage of this bug

More specifically...
- The bug that SQL/Slammer used is a "buffer overflow"
- A buffer overflow happens when a program copies more data into a fixed-size buffer than it can hold; the excess overwrites whatever sits next to the buffer in memory, including the saved return address that decides which code runs next
- This can enable the attacker to insert their own program into the program receiving the data and execute it
- If it works, the good program is replaced with a copy of the worm

[Figure: the SQL resolution service's buffer being overflowed by the SQL/Slammer packet, followed by a sequence of frames showing infected computers scanning and infecting the others.]

SQL/Slammer Growth

- Stats from "The Spread of the Sapphire/Slammer Worm" (www.caida.org)
- The doubling time in the first minute was 8.5 seconds
- Reached its full scanning rate after 3 minutes (55 million scans/second, aggregate)
- Most vulnerable computers were infected within 10 minutes
- 100 Mb/s link == 30,000 scans/second!

More Statistics

- 34 OSU computers were infected at the peak
- "Took out" our network for several hours
- Peak traffic: 1.4 million/hour in, 26.6 million/hour out
- 1 computer sourced ~80 Mb/s of traffic
- We are still seeing Slammer traffic and infected computers at OSU

Macro Viruses

- The "virus" is code (e.g.
VBScript) embedded in a document of some sort
- Could be called worms
- We frequently refer to all malicious software as "malware"

Denial of Service (DoS) attacks

- Goal is to undermine the availability of a computer or service
- Attacks on Dalai Lama web sites
- Escalating arguments between miscreants in chat rooms
- Can be done various ways:
  - Send *large* amounts of traffic at a target
  - Send traffic that triggers a bug that causes the network server to hang, or causes the computer to crash

Distributed Denial of Service (DDoS) attacks

- Attacker installs an agent program on many compromised hosts
- Agents are controlled through a master program
- Attacker sends commands to the agents through the master: scan, various types of DoS attack, update, uninstall
- Frequently uses encryption
- Imagine 1000 agents sending large amounts of traffic at a target!
- Examples: TFN, Stacheldraht

[Figure: attacker controlling several masters, each master controlling several agents, all agents flooding one victim.]

Botnets

- Agent programs that communicate through messaging services (typically IRC)
- Similar to DDoS networks, but with no separate master: the bots take their commands from the channel
- More generic uses: file sharing, scanning, DoS
- 10,000-50,000 botnets, the biggest with 18,000 computers
- Backdoors in the bots

Hacker tools

- Typically automate the tasks of scanning, data collection, exploitation and rootkit installation
- Increasingly sophisticated
- Easy to use: GUI, interactive help, 800 numbers for support...
- Enabling technology
- Neptune

Network sniffing

- Old school: plain old promiscuous sniffing; switches "fixed" that, since a switch only forwards a frame to the port that owns the destination MAC
- New school: "directed" sniffing (dsniff)
  - Switch learning-table overloading (flood the switch with bogus source MACs until its table fills and it falls back to broadcasting)
  - ARP redirection (spoofed ARP replies so traffic for the gateway comes to the attacker)
  - DHCP hijacking

Wireless attacks

- Wardriving, stumbling, chalking (Kismet, NetStumbler)
- Black Hat 2002, Mike Lynn and Robert Baird:
  - WLAN-jack: kick everyone off
  - ESSID-jack: get the ESSID
  - Monkey-jack: create a fake AP and force people to associate with it, facilitating "man in the middle" attacks

Router Attacks

- Cisco IOS exploits
- Boxes with default or no password
- Exploring BGP
- 17,000 owned Ciscos, 2 running BGP; 15,000 Cayman routers; 64,000 "smurf" networks

Anti-forensics

- Defiler's Toolkit: inode and deleted-file scrubbing
- Evidence-eliminator.com

Software Distribution Woes

- *Not* just a problem for the open-source community
- Sendmail FTP scam
  - Intruders apparently modified the FTP server
  - Every ~10th caller got a modified sendmail distribution
  - The distribution installs a backdoor as part of the installation process
- Trojaned OpenSSH distribution: intruders gained access to the FTP server and replaced the distribution with their own
- Answer: download software with care!
  - Always check distribution signatures with PGP. An MD5 sum by itself only proves the download matches whatever the (possibly compromised) server published next to it; verify the signature against a key obtained from somewhere other than the download site
  - Compile/install software with least privilege

Disabling Local Security Measures

- Bugbear disables the local firewall and anti-virus services
- On the other hand, it is increasingly common for exploit scripts to install patches or disable services
- Not altruism!
- An attempt to keep other miscreants from "owning" this computer

Increased Use of Spyware

- Increasingly common for malware to use keystroke loggers (Bugbear)
- There are various plug-ins and peer-to-peer file sharing programs that "share" personal information with other parties

Syscall Proxies

- Black Hat 2002, Maximiliano Caceres
- Old school: use a buffer overflow to execute a shell, in which you execute commands remotely
- New school: set up a simple RPC syscall proxy; applications on the attacking end can then "run" on the victim end transparently, each system call being forwarded to the victim

Spike, Other Vulnerability Discovery Tools

- Black Hat 2002, Dave Aitel
- Toolkit to reproduce a protocol and automate the process of finding buffer overflows
- Doesn't automate the whole process, but takes much of the tedium out of it

Some trends

- Faster
  - Code Red took several hours to infect "everything"
  - "Research" on so-called "Warhol Worms"
  - Slammer took 10 minutes
- Stealthier
  - Use of encryption, authentication
  - Kernel modules
- Firewall-aware
  - Nethief, Seteri
  - DC Phone Home (Black Hat Briefings, US, August 2002)
- Multi-exploit, multi-platform
  - sadmind worm
- Increasing automation
- Dynamic updates: imagine if they can add exploits and platforms "on the fly"
- Distributed, cooperative
- "New" communications channels: ICMP, IM, web sites and proxies
- Increasing use of cryptography
- Remote file sharing (NFS, SMB)
  - For tools, logs
  - As an exploit avenue
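The log reconciliation that the "Response to kernel rootkits" slide proposes, as an added example that is not code from the original deck: network flow records are compared against the host's own login records, and an interactive connection the network saw but the host never admits to is reported. All records are constructed, and their formats (one flow line per connection, a `last`-style login line) are assumptions made for the illustration.

```python
"""Log reconciliation: network flow records versus the host's own login records.

Added example, not code from the original slides; it implements the check the
"Response to kernel rootkits" slide describes. A kernel module can make the
host lie about its processes and logins, but it cannot edit the traffic logs
a sensor elsewhere on the network recorded, so an interactive connection the
network saw with no login the host admits to is exactly what to look for. All
records below are constructed, and their formats (a flow line per connection,
a `last`-style login line) are assumptions made for the illustration.
"""
from datetime import datetime, timedelta

# Constructed: inbound connections to 10.0.0.5 as seen by a network sensor.
FLOW_LOG = """\
2003-01-25 05:29:11 tcp 192.0.2.77:51234 -> 10.0.0.5:23 dur=184s bytes=5120
2003-01-25 05:31:02 tcp 198.51.100.9:40001 -> 10.0.0.5:22 dur=600s bytes=30000
2003-01-25 05:40:45 tcp 203.0.113.4:3301 -> 10.0.0.5:23 dur=95s bytes=2048
2003-01-25 05:41:00 tcp 203.0.113.4:3302 -> 10.0.0.5:80 dur=1s bytes=900
"""

# Constructed: what 10.0.0.5 itself reports (wtmp/last-style), deliberately
# missing the 05:40 telnet session that the rootkit is hiding.
HOST_LOG = """\
2003-01-25 05:31:05 login alice from 198.51.100.9 via sshd
2003-01-25 05:29:13 login bob from 192.0.2.77 via telnetd
"""

# Services whose connections should always produce a login record on the host.
INTERACTIVE_PORTS = {22: "sshd", 23: "telnetd"}
# Longest acceptable gap between the TCP connect and the host's login entry.
LOGIN_WINDOW = timedelta(seconds=30)

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_flows(text):
    """'<date> <time> <proto> <src:port> -> <dst:port> ...' lines to dicts."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[4] != "->":
            continue                      # not a flow line; skip
        src_ip = f[3].rsplit(":", 1)[0]
        dst_ip, dst_port = f[5].rsplit(":", 1)
        flows.append({
            "ts": datetime.strptime(f"{f[0]} {f[1]}", TS_FMT),
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port), "line": line,
        })
    return flows


def parse_logins(text):
    """'<date> <time> login <user> from <ip> via <daemon>' lines to dicts."""
    logins = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "login":
            continue
        logins.append({
            "ts": datetime.strptime(f"{f[0]} {f[1]}", TS_FMT),
            "user": f[3], "src": f[5], "daemon": f[7],
        })
    return logins


def reconcile(flows, logins, window=LOGIN_WINDOW):
    """Return flows to interactive services that no host login record explains.

    A flow is explained when the host logged a login from the same source IP,
    through the daemon that owns that port, within `window` after the connect.
    """
    unexplained = []
    for flow in flows:
        daemon = INTERACTIVE_PORTS.get(flow["dport"])
        if daemon is None:
            continue                      # web hits etc. need no login record
        explained = any(
            login["src"] == flow["src"]
            and login["daemon"] == daemon
            and flow["ts"] <= login["ts"] <= flow["ts"] + window
            for login in logins
        )
        if not explained:
            unexplained.append(flow)
    return unexplained


def find_hidden_sessions():
    """Run the reconciliation over the constructed logs."""
    return reconcile(parse_flows(FLOW_LOG), parse_logins(HOST_LOG))


if __name__ == "__main__":
    for flow in find_hidden_sessions():
        print("no login on host for:", flow["line"])
```

Two practical points. The time window has to be set from the measured clock skew between the sensor and the host, or every record drifts out of it; and a missing host record is also consistent with a connection that simply failed to authenticate, so use the external log's duration and byte counts to separate the two (a 95-second, 2 KB telnet session is not a failed login). The check only works because the sensor's logs never lived on the compromised machine; a copy of the host's own syslog shipped off-box after the rootkit went in proves nothing.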
