
Security “Tidbits”




Presentation Transcript


  1. Security “Tidbits” Neil Daswani

  2. Overview • The FLI Model • Infiltrations: • Viruses / Worms • Lessons Learned • Firewalls & Attacks • What is a firewall? • How do they work? • How to prevent attacks

  3. Security Problems & Solutions (the FLI table: columns Failure (Process/Storage), Lies, Infiltration; rows Prevention, Management, Recovery)
  • Prevention: Physical Security, Uninterruptible Power, Firewalls, Authentication, Authorization, Non-Repudiation, Time-Stamping, Digital Signatures, Hardware Protection, Firewalls, “Common Sense”
  • Management: Non-Stop Processes, Fault-Tolerance, Watchdog Processor, Replication, RAID, Backups, Byzantine Agreement, Reputation Systems, Intrusion Detection, Anti-virus Software
  • Recovery: Fail-Over, Hot Swapping, Key Escrow, Fail-Stop Digital Signatures, Auditing, Certificate Revocation

  4. Morris Worm (1988) • Damage: 6000 computers in just a few hours • What: just copied itself; didn’t touch data • Exploited: • buffer overflow in fingerd (UNIX) • sendmail debug mode (exec arbitrary cmds) • dictionary of 432 frequently used passwords

  5. Buffer Overflow Example

      #include <string.h>

      /* Deliberately vulnerable: the copy is bounded by the length of str,
       * not by the 16-byte destination, so an argument of 16 or more
       * characters overwrites whatever follows buffer on the stack. */
      void sample_func(char *str)
      {
          char buffer[16];
          strcpy(buffer, str);   /* overflows when strlen(str) >= 16 */
      }

      int main(int argc, char *argv[])
      {
          if (argc > 1)          /* avoid a NULL deref when run without an argument */
              sample_func(argv[1]);
          return 0;
      }
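A hardened counterpart to the slide's sample_func, added here as an example (not from the original slides): the copy is bounded by the destination size, and input that would not fit is refused instead of being written past the buffer. The names safe_sample_func and BUF_LEN are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16   /* same 16-byte buffer as the vulnerable version */

/* Hardened version of the slide's sample_func: the copy is bounded by the
 * size of the destination, not by the attacker-controlled source length.
 * Returns 0 on success, -1 if str would not fit; the call is refused rather
 * than silently truncated, so the caller notices the oversized input.
 * (safe_sample_func and BUF_LEN are names chosen for this example.) */
int safe_sample_func(const char *str, char *out, size_t out_len)
{
    char buffer[BUF_LEN];
    size_t n = strlen(str);

    if (n >= sizeof buffer)      /* need room for the terminating NUL */
        return -1;
    memcpy(buffer, str, n + 1);  /* bounded: at most BUF_LEN bytes written */

    /* hand the result back, again bounded by the caller's buffer */
    if (out != NULL && out_len > 0) {
        size_t m = (n < out_len - 1) ? n : out_len - 1;
        memcpy(out, buffer, m);
        out[m] = '\0';
    }
    return 0;
}

int main(int argc, char *argv[])
{
    char out[BUF_LEN];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (safe_sample_func(argv[1], out, sizeof out) != 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_LEN - 1);
        return 1;
    }
    printf("copied: %s\n", out);
    return 0;
}
```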

  6. Morris Worm (1988) • Lessons Learned from Morris • Diversity is good. • Big programs have many exploitable bugs. • Choose good passwords. • Don’t shut down mail servers: did prevent worm from spreading but also shut down defense • CERT was created to respond to attacks

  7. Melissa (1999) • What: just copied itself; did not touch data • When date=time, “Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game’s over. I’m outta here.” • Exploited: • MS Word Macros (VB) • MS Outlook Address Book (Fanout = 50) “Important message from <user name> …”

  8. Melissa (1999) • Lessons Learned: • Homogeneity is bad. • Users will click on anything. • Separation of applications is good. • Users “trusted” the message since it came from someone they knew. • Don’t open attachments unless they are expected.

  9. Other Viruses / Worms • CIH Chernobyl Virus, 1998, Taiwan: • Time bomb: April 26, or 26th of each month • Writes random garbage to disk start at sector 0 • attempts to trash FLASH BIOS • Hides itself in unused spaces • Worm.ExploreZip, 1999: Melissa + zeroed out files • BubbleBoy, 1999: Melissa-like except doesn’t require opening an attachment (ActiveX) • Love Bug, 2000: “I LOVE YOU” (like Melissa)

  10. Code Red (2001) • Runs on WinNT 4.0 or Windows 2000 • Scans port 80 on up to 100 random IP addresses • Resides only in RAM; no files • Exploits buffer overflow in Microsoft IIS 4.0/5.0 (Virus appeared one month after advisory went out) • Two flavors: • Code Red I: high traffic, web defacements, DDoS on whitehouse.gov, crash systems • Code Red II: high traffic, backdoor install, crash systems • Three phases: propagation (1-19), flood (20-27), termination (28-31) • Other victims: Cisco 600 Routers, HP JetDirect Printers

  11. Code Red (2001) • Lessons Learned: • Don’t use IIS! ;) • Always keep software up-to-date • Proof-of-concept to hide other attacks?

  12. Nimda (2001) • Multiple methods of spreading (email, client-to-server, server-to-client, network sharing) • Server-to-client: IE auto-executes readme.eml (that is attached to all HTML files the server sends back to the client) • Client-to-server: “burrows”: scanning is local 75% of time • Email: readme.exe is auto executed upon viewing HTML email on IE 5.1 or earlier

  13. Nimda (2001) • Lessons Learned: • Install latest web server and browser patches (or upgrade version altogether) • Don’t use MIME auto-execution • Disable JavaScript • Reject using applications that are routinely exploited???

  14. Just this week… BadTrans Worm • Spread via email; attacks Windows systems • Records (once per second) keystrokes, usernames, & passwords into windows with titles: LOG, PAS, REM, CON, TER, NET • Sends to • one of 20+ email addresses • one of 15+ from addresses • one of 15+ attachment names w/ 2 extensions ({.doc/.mp3/.zip},{.pif/.scr})

  15. Firewalls • Two major technologies: • Packet Filters • Proxies • Related technologies • Network Address Translation (NAT) • Virtual Private Networks (VPN)

  16. Packet Filtering Routers • Filter on: • IP Source, IP Dest, Protocol (TCP, UDP, ICMP) • TCP/UDP Source & Dest Ports • ICMP Message Type (req, reply, time exceeded) • Packet Size • NICs (which interface the packet arrived on) • Stateful vs. Stateless Inspection • e.g., UDP DA/DP checking (admit an inbound UDP packet only if it answers a remembered outbound one) • Simple Protocol Checking • e.g., Format Checking, Disconnect “anonymous” FTP x-fers

  17. Packet Filtering • Advantages • One router can protect entire network • Simple filtering is efficient • Widely available • Disadvantages • Hard to configure & test • Reduces router performance • Can’t enforce some policies (e.g., user-level)
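To make the filter-on fields and the stateful UDP DA/DP check of slides 16 and 17 concrete, here is a small first-match packet filter, added as an illustration and not taken from the slides or any firewall product. The rule layout, the IP() macro and the MAX_FLOWS limit are assumptions of this example, and the sample rules and packets are constructed.

```c
#include <stdint.h>
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17, DENY = 0, ALLOW = 1 };
/* One packet as the filter sees it: IPv4 addresses in host byte order. */
struct pkt { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; };

/* Stateless rule: address fields match under a prefix mask (mask 0 = any),
 * proto 0 = any protocol, dport 0 = any destination port. */
struct rule {
    uint32_t src, src_mask, dst, dst_mask;
    uint8_t proto; uint16_t dport; int action;
};

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    return (p->src & r->src_mask) == (r->src & r->src_mask)
        && (p->dst & r->dst_mask) == (r->dst & r->dst_mask)
        && (r->proto == 0 || r->proto == p->proto)
        && (r->dport == 0 || r->dport == p->dport);
}

/* First matching rule decides; an unmatched packet is denied by default. */
int filter_stateless(const struct rule *rules, int n, const struct pkt *p)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].action;
    return DENY;
}

/* Stateful UDP DA/DP checking: admit inbound UDP only if it answers a
 * remembered outbound flow (same addresses and ports, reversed). */
#define MAX_FLOWS 64
static struct pkt flows[MAX_FLOWS];   /* each entry is an outbound packet */
static int nflows;

void note_outbound_udp(const struct pkt *p)
{
    if (p->proto == PROTO_UDP && nflows < MAX_FLOWS)
        flows[nflows++] = *p;
}

int filter_inbound_udp(const struct pkt *p)
{
    if (p->proto != PROTO_UDP) return DENY;
    for (int i = 0; i < nflows; i++)
        if (flows[i].dst == p->src && flows[i].dport == p->sport
            && flows[i].src == p->dst && flows[i].sport == p->dport)
            return ALLOW;
    return DENY;   /* unsolicited UDP, e.g. a reply nobody asked for */
}
```

With an anti-spoofing rule ahead of the allow rule, a packet claiming an internal source address is dropped before the web-server rule is even consulted.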

  18. Proxies • Security vs. Caching Proxies • SOCKS: proxy construction toolkit • Trusted Information Systems Firewall Toolkit (TIS FWTK: Telnet, FTP, HTTP, rlogin, X11) • Most used to control use of outbound services • Can also be used to control inbound services (reverse proxying)

  19. Proxies • Advantages • Logging, Caching, Intelligent Filtering • User-level authentication • Guards against weak IP implementations • Disadvantages • Lag behind nonproxied services • Requires different servers for each service • Usually requires modifications to client applications

  20. Firewall Architectures • Dual-Homed Host • Services can only be proxied • Screening Router w/ Bastion Host • Security by packet filtering • Bastion host is single point of failure • Screened Subnet • Ext Router, Perimeter, Bastion Host, Interior Router • Internal ethernet packets protected from perimeter

  21. Example Attacks • IP Spoofing • TCP SYN Flood • SMURF Attack • ICMP Ping w/ max payload to broadcast address • DDoS Attack • Infiltrate, set up sleepers, attack at once

  22. References • White-Hat Security Arsenal, A. Rubin • Security Engineering, R. Anderson • www.webtorials.com, Gary Kessler • Building Internet Firewalls, E. Zwicky et al. • Counter Hack, E. Skoudis

  23. Network Address Translation (NAT) • Translates network addresses & ports • Does not provide additional “security” • Possibilities: • One external address per internal address • Dynamically assign external address • Map multiple internal to one external (port sharing) • Dynamically assign external addresses and ports

  24. Network Address Translation (NAT) • Advantages • Helps enforce control over outbound connections • Helps restrict incoming traffic • Helps conceal internal network configuration • Disadvantages • Not good for UDP (guess session lifetimes) • Doesn’t deal with embedded IP addresses • Interferes with authentication & encryption • Interferes with logging & packet filtering
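An added example (not from the slides) of the port-sharing NAT variant on slides 23 and 24: a mapping table that allocates one external port per internal (address, port) pair, drops inbound traffic that has no live mapping, and expires idle mappings after an assumed 30-second timeout, since UDP has no session teardown to observe. FIRST_PORT, UDP_IDLE_SECS, MAX_MAP and the IP() macro are this example's own choices.

```c
#include <stdint.h>
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define MAX_MAP 64
#define FIRST_PORT 40000     /* external ports handed out from here upwards */
#define UDP_IDLE_SECS 30     /* assumed idle timeout for guessing a UDP session's end */

/* One row of the translation table: private (addr, port) <-> external port.
 * All rows share the single external address, so only the port is stored. */
struct mapping {
    uint32_t in_addr; uint16_t in_port;
    uint16_t ext_port;
    uint32_t last_seen;      /* seconds; refreshed by traffic in either direction */
    int in_use;
};
static struct mapping table[MAX_MAP];

/* Outbound: reuse or allocate the external port for (in_addr, in_port).
 * Returns the external port, or 0 if the table is full. */
uint16_t nat_outbound(uint32_t in_addr, uint16_t in_port, uint32_t now)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_MAP; i++) {
        if (!table[i].in_use) { if (free_slot < 0) free_slot = i; continue; }
        if (table[i].in_addr == in_addr && table[i].in_port == in_port) {
            table[i].last_seen = now;
            return table[i].ext_port;
        }
    }
    if (free_slot < 0) return 0;
    table[free_slot] = (struct mapping){ in_addr, in_port, (uint16_t)(FIRST_PORT + free_slot), now, 1 };
    return table[free_slot].ext_port;
}

/* Inbound: map an external port back to the private (addr, port). Returns 0 (drop)
 * when no mapping exists (unsolicited) or the mapping idled past UDP_IDLE_SECS. */
int nat_inbound(uint16_t ext_port, uint32_t now, uint32_t *in_addr, uint16_t *in_port)
{
    for (int i = 0; i < MAX_MAP; i++) {
        if (!table[i].in_use || table[i].ext_port != ext_port) continue;
        if (now - table[i].last_seen > UDP_IDLE_SECS) {
            table[i].in_use = 0;   /* reclaim the dead session's port */
            return 0;
        }
        table[i].last_seen = now;
        *in_addr = table[i].in_addr; *in_port = table[i].in_port;
        return 1;
    }
    return 0;
}
```

Two internal hosts using the same private port get distinct external ports, and an external port whose mapping has gone idle is reclaimed and handed to the next new flow.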

  25. Virtual Private Networks • Advantages: • Provides overall encryption • Allows use of protocols that are hard to secure any other way • Disadvantages: • Involves “dangerous” network connections • Extends the network that must be protected
