Threat Management: Case studies of threats that have occurred and how to be prepared for them
Presented by Kunal Bansal kbansal@cs.odu.edu
Introduction
• Constraints on software due to budget, time and resources pose a problem for applications.
• Threat management and analysis are usually ignored until the “last minute” or until a breach occurs.
• Thwarting threats requires detailed modeling: identifying scenarios, threats and vulnerabilities, along with measures to counter them.
• There is no single measure that effectively roots out all threats.
Threat Management and its Implications
Anatomy of an attack
• The fundamental steps an attacker takes against a web application are: survey (and analysis), exploitation and penetration, escalation of privileges, maintaining access (for the attacker's own use) and denying access to others.
Application Overview
• Key steps in identifying the risks associated with threats to an application:
1. Identification of security objectives
2. Creation of an application overview and attack trees
3. Decentralizing the application
4. Identification of threats for the model
5. Identification of vulnerabilities
Security Objectives (Microsoft Strategy)
• Assets include data stored in databases and system resources.
• A threat is anything that can harm an asset.
• A vulnerability is a weakness that a threat can exploit.
• An action is a measure taken to harm an asset through one of its vulnerabilities.
• Countermeasures are taken to protect assets against threats and to thwart the actions of an individual.
Attack Trees
• Concept invented by Bruce Schneier.
• Consists of one root node with children and leaves.
• Child nodes are conditions that must be satisfied to make their parent node true; once the root condition is satisfied, the attack is complete.
• The most effective way to mitigate an attack is to stop it at the root.
• Desk – Computer example
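The AND/OR evaluation the slide describes, written out as an added example (not the presenter's code) over a small constructed desk-computer tree; the node names are illustrative placeholders. It shows which set of mitigated conditions actually closes the root, and that mitigating the root itself blocks every path.

```python
"""Evaluating an attack tree: child conditions combine under AND/OR to make their
parent true, and satisfying the root completes the attack.
Added example with a constructed desk-computer tree; not the presenter's own."""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Set


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)


def reachable(node: Node, mitigated: Set[str]) -> bool:
    """True if the attacker can still make this node's condition true.
    A mitigated node counts as blocked whatever its children say."""
    if node.name in mitigated:
        return False
    if node.kind == "LEAF":
        return True
    results = [reachable(child, mitigated) for child in node.children]
    return all(results) if node.kind == "AND" else any(results)


def attack_paths(node: Node) -> List[List[str]]:
    """All leaf combinations that satisfy this node (one list of leaf names per path)."""
    if node.kind == "LEAF":
        return [[node.name]]
    child_paths = [attack_paths(child) for child in node.children]
    if node.kind == "OR":
        return [path for paths in child_paths for path in paths]
    # AND: every child must hold, so combine one path from each child
    return [sum(combo, []) for combo in product(*child_paths)]


# Constructed example tree (root = the attacker's goal)
TREE = Node("read files on desk computer", "OR", [
    Node("log in at the console", "AND", [
        Node("physical access to the desk"),
        Node("obtain a valid password"),
    ]),
    Node("exploit an unpatched remote service"),
])
```

Each list returned by attack_paths is a set of leaf conditions that must all be blocked or, equivalently, at least one of which must be mitigated to cut that path.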
Decentralizing and Securing the Application
• Securing a web application means securing the network and host along with the application, database and web server.
• Firewalls to block malicious code and unauthorized entry are essential.
• A weakness in any one tier leaves the entire application open to attack.
Identification of Vulnerabilities
• Requires a good understanding of the system and the attacks that are possible against it.
• Threats can be classified as exploits, eavesdropping, social engineering and human error, denial of service attacks, backdoor attacks and direct access attacks.
• Lack of garbage collection can also be considered a threat: memory is not finite, so leaked memory can cause an application to crash in the long term.
Security Threats (Authentication)
• Network eavesdropping: capturing usernames and passwords passed in clear text using network monitoring software.
• Dictionary and brute force attacks (Demo): using computing hardware and trial and error to crack hashed and encrypted passwords with massive dictionaries.
• Cookie replay and credential theft attacks
Security Threats (Authorization and Cryptography)
• Elevation of privilege using the RevertToSelf API to run on the local system with the most power and privilege.
• Disclosure of confidential data
• Checksum spoofing is possible because an unkeyed hash such as the Secure Hash Algorithm (SHA-1) or the Message Digest algorithm can simply be recomputed over a changed message.
Plaintext: Place 10 orders. Hash: T0mUNdEQh13IO9oTcaP4FYDX6pU=
• Attackers can capture the message and modify the order, resulting in
Plaintext: Place 100 orders. Hash: oEDuJpv/ZtIU7BXDDNv17EAHeAU=
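The order-tampering scenario above replayed against an unkeyed hash and against a keyed MAC (HMAC-SHA1), as an added example that is not part of the slides: the shared key is a constructed placeholder, and only the two message texts follow the slide.

```python
"""Why recomputing an unkeyed hash defeats it as an integrity check, and why a keyed
MAC does not share that weakness. Added example; key is a constructed placeholder."""
import base64
import hashlib
import hmac


def unkeyed_digest(message: str) -> str:
    """Base64 SHA-1 of the message alone: anyone can recompute it."""
    return base64.b64encode(hashlib.sha1(message.encode()).digest()).decode()


def keyed_digest(message: str, key: bytes) -> str:
    """Base64 HMAC-SHA1: producing or checking it requires the shared key."""
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def verify_unkeyed(message: str, digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(message), digest)


def verify_keyed(message: str, digest: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_digest(message, key), digest)


def tampering_outcome():
    """Replay the slide's scenario against both checks.
    Returns (accepted_with_unkeyed_hash, accepted_with_hmac)."""
    key = b"constructed-placeholder-key"       # known to sender and verifier only
    original, modified = "Place 10 orders.", "Place 100 orders."

    # Unkeyed: the attacker changes the order and simply recomputes the hash
    unkeyed_accepted = verify_unkeyed(modified, unkeyed_digest(modified))

    # Keyed: without the key, the best the attacker can do is reuse the captured tag
    captured_tag = keyed_digest(original, key)
    keyed_accepted = verify_keyed(modified, captured_tag, key)
    return unkeyed_accepted, keyed_accepted
```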
Breaching Applications in Commerce (Buffer Overflow)
• Buffer overflow, where data is copied without any checks, can further enable injection attacks and denial of service.
• Not a major problem in managed code, but still a problem when managed code calls unmanaged APIs:

    #include <string.h>

    void SomeFunction(char *pszInput)
    {
        char szBuffer[10];
        // Input is copied straight into the 10-byte buffer with no length check,
        // so any input longer than 9 characters overruns szBuffer
        strcpy(szBuffer, pszInput);
        . . .
    }
Breaching Applications in Commerce (Cross Site Scripting)
• Cross site scripting can enable arbitrary code to execute when the browser treats the site as being in a trusted zone.
• Internet security zones provide no protection, and since the attacker’s code has access to the cookies stored on the user's computer, the user's authentication cookies are targeted.
• The attack starts when a user clicks on a malicious link disguised as a genuine one.
Legitimate link: www.yourwebapplication.com/logon.aspx?username=bob
Malicious link: www.yourwebapplication.com/logon.aspx?username=<script>alert('hacker code')</script>
Breaching Applications in Commerce (SQL Injection)
• Arbitrary commands can run in a database. Stored procedures and queries that accept unfiltered user input can cause unwanted manipulation, destruction and/or retrieval of data.

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", conn);

• SQL injection occurs when the original statement is terminated by a single quote followed by a semicolon to begin a new command (of the attacker’s choice):

    '; DROP TABLE Customers --

• The original statement has now changed from a simple select statement to the harmful drop statement below:

    SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'
Countermeasures (Buffer Overflow, Cross Site Scripting and SQL Injection)
• Buffer overflow -> input validation: validate length, type, format and range. Limit unmanaged code, and cross-examine every use of unmanaged APIs.
• Cross site scripting -> input validation: permit only valid form fields and cookies, and use regular expression validation routinely. Use the HTMLEncode and URLEncode functions to encode user input (so that script is rendered as HTML text rather than executed).
• SQL injection -> validate requests from applications before sending them to the database. Use least privilege accounts to connect to the database. Check input strings for possible execution. Idle sessions using sqlplus /nolog or connect sys /as sysdba should be disabled.
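The countermeasures for the username field from the two preceding slides, carried through in one place as an added example (not the presenter's code): allowlist validation, HTML encoding for anything echoed back, and a parameterised query in place of the concatenation. It uses Python's sqlite3 with an in-memory database and constructed Users and Customers tables.

```python
"""Allowlist validation, HTML encoding and a parameterised query applied to the
username field. Added example using constructed tables in an in-memory sqlite3 DB."""
import html
import re
import sqlite3

# Allowlist: length, type and format in one check
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def html_encode(value: str) -> str:
    """Same role as HTMLEncode: markup characters become entities, so a script
    tag echoed into the page is displayed as text, not executed."""
    return html.escape(value, quote=True)


def unsafe_query(username: str) -> str:
    """The concatenation from the SQL injection slide, built here but never executed."""
    return "SELECT * FROM Users WHERE UserName ='" + username + "'"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users (UserName TEXT);"
        "CREATE TABLE Customers (Id INTEGER);"
        "INSERT INTO Users VALUES ('bob');"
    )
    return conn


def lookup_user(conn: sqlite3.Connection, username: str, validate: bool = True):
    """Parameterised lookup: the driver passes the value separately from the SQL
    text, so quotes and semicolons inside it stay data and never start a statement.
    Returns None when validation rejects the input, otherwise the matching rows."""
    if validate and not valid_username(username):
        return None
    return conn.execute(
        "SELECT UserName FROM Users WHERE UserName = ?", (username,)
    ).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

Validation is the first line and the parameterised query the second: even with validation switched off, the injected string matches no user and the Customers table is untouched.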
Identification of Vulnerabilities (Continued)
• Performance and speed can be affected, as C# programs execute faster than C++ programs.
• The C# runtime can allocate memory by incrementing a pointer into a region of memory set aside for new objects.

    class A
    {
        private int x;
        public A() { x = 0; x++; }
    }

    class Example
    {
        public static void Main()
        {
            // One billion short-lived objects: each allocation is a pointer bump
            for (int i = 0; i < 1000000000; i++)
            {
                A a = new A();
            }
            System.Console.WriteLine("DING!");
        }
    }
Performance Issues
• C++ programs need new blocks of memory to allocate new instances of class ‘A’.
• The C++ allocator has to hunt for free blocks in a fragmented heap for each allocation.

    #include <iostream>

    class A
    {
        int x;
    public:
        A() { x = 0; x++; }
    };

    int main()
    {
        // Each iteration asks the heap allocator for a block and frees it again
        for (int i = 0; i < 1000000000; i++)
        {
            A* a = new A();
            delete a;
        }
        std::cout << "DING!" << std::endl;
        return 0;
    }
Countermeasures
• Spoofing -> strong authentication, SSL, strong passwords stored in encrypted form
• Data tampering -> data hashing, digital signatures, authorization, X.509 certificates, trusted zones.
• Repudiation -> secure audit trails, digital signatures.
• Denial of service -> resource and bandwidth throttling, along with packet sniffing and filtering of input.
• Privilege elevation -> operate with least privilege accounts, reserving higher privilege accounts for operations that must access locked-down resources.
Additional Countermeasures
• Sniffing -> strong physical security and network segmentation to prevent local collection of information.
• Session hijacking -> encrypted sessions, platform patches to close TCP/IP vulnerabilities.
• Footprinting -> lock down unused ports, firewall and configuration settings, and monitor suspect ports.
• Password cracking -> lockout policies, deny use of default passwords, audit multiple failed logins for an account.
• Arbitrary code execution -> configure IIS to reject URLs containing ../. Prevent idle session logins in Oracle Database via the sqlnet.ora file.
Case Studies (Real Life examples)
• Unauthorized access at North Bay Health Care Group: fraudulent alteration of 127 electronic checks by Jessica Sabatia, resulting in a loss of $875,035 to the company.
• Malicious insider attack at UBS Paine Webber using a ‘logic bomb’, resulting in the simultaneous deletion of 1000 documents across 1500 networked branches. The firm suffered a loss of $3 million.
• 26.5 million records stolen from the Veterans Administration after an employee's house was burglarized in May 2006. The data included SSNs, names and addresses.
• The Melissa worm in March 1999 infected Microsoft Outlook, shutting down mail servers at companies such as Microsoft, Intel, Lockheed Martin and Lucent and causing $400 million in cumulative damages, the costliest in North America to date.
Attacks on Databases (Demo Prelude)
• Databases such as Oracle and MS SQL are frequently targeted because they hold large amounts of data.
• SQL injection, buffer overflow, heap overflow and code injection are some of the common attacks.
• Default passwords can easily be stolen from an Oracle database by querying the dba_users table.
• Though the passwords are hashed, in most cases they can be recovered and displayed in clear text.
Demo (Combination of a Dictionary and Brute Force Attack on an Oracle DB)
• Oracle authenticates a user by recomputing the hash and comparing it with the value stored in the password column of dba_users.
• A user who can obtain all the hashed passwords can compare them against one or more dictionaries, yielding a clear text view of the passwords.
• In January 2006 Oracle itself provided an Excel sheet listing all the default passwords for locked and unlocked accounts in Oracle databases.
• Any user can thereby locate and view all the default passwords in a database, increasing the risk.