E N D
Acknowledgments • Giovanni Vigna (UCSB) • Chris Kruegel (UCSB) • Engin Kirda (Eurecom) • Paolo Milani (TUV)
Reading • Hackers, Heroes of the Computer Revolution by Steven Levy http://www.gutenberg.org/etext/729 • The Hacker Crackdown: Law and Disorder on the Electronic Frontier by Bruce Sterling http://www.mit.edu:8001/hacker/hacker.html • The Jargon File, version 4.4.7 by Eric S. Raymond http://www.catb.org/jargon/oldversions/jarg447.txt
References • SecurityFocus.com – Bugtraq – Focus-ids – … • Phrack.org • Milw0rm.com • Packetstormsecurity.org • Zone-h.org • Many other security sites…
Errors, bugs, and failures • Networks: composed of hardware whose behavior is determined by software (roughly...) • Applications run on operating systems • Applications interoperate through protocols • All of this is designed by humans • Not perfect! • A human error may introduce a bug (or fault). The IEEE Standard Glossary of Software Engineering Terminology defines “fault” as “an incorrect step, process, or data definition in a computer program” • When a fault gets triggered, it might generate a failure...
Security Bugs, Errors, Failures • A security error is made by a human • As a consequence, a security bug is introduced • A security bug is also called a “vulnerability” • When the bug is triggered (or “exploited”) it generates a security failure • The security of a system is compromised...
Other security problems • There is an overall concept of “system security” in terms of • Privacy/Confidentiality • Integrity/Consistency • Availability • Some applications work as designed but contain vulnerabilities • When installed in systems with a conflicting security policy • “We thought it was a good idea to allow students to have PHP applications in their web home directories...” • When configured insecurely • “Our secure remote terminal service is protected by a 16 character password, which is currently set to ‘AAAAAAAAAAAAAAAA’...”
There is nothing to worry about, because… • No one will do that! • Why would anyone do that? • We’ve never been attacked • We’re secure: we use cryptography • We’re secure: we use ACLs • We’re secure: we use a firewall • We’ve reviewed the code, and there are no security bugs • We know it’s the default, but the administrator can turn it off • If we don’t run as administrator, stuff breaks • But we’ll slip the schedule • It’s not exploitable • But that’s the way we’ve always done it • If we only had better tools...
Meanwhile in the real world… Software vulnerabilities Source: http://web.nvd.nist.gov/view/vuln/statistics
Security Analysis • Security analysis is the process of determining the security of a system • With respect to a set of known design guidelines • With respect to a set of known security problems • With respect to its environment • It answers questions like: • Is it designed securely? • Is it implemented securely? • Is it deployed and configured securely? • The security analysis process is difficult to automate and requires experience and skills
Goals and skills • Learn how to identify design and implementation vulnerabilities in operating systems, network protocols, and applications • Learn by example: vulnerabilities and how to exploit them • The Devil Is In The Details • Lessons learned, attack patterns, design patterns • Learn about protection/detection mechanisms and techniques • Skills: • Ability to understand and assess the security implications of networked systems • Ability to perform the security analysis of a system • Ability to understand and contribute to the research on this topic
History • Crypto is old (Caesar Cipher) • Even hacking has a bit of a history
Brief history of hacking • 1876. Alexander Graham Bell invents telephone. • 1878. First teenage males flung off phone system by enraged authorities.
But also in other fields… • In 1961, students from Caltech (California Institute of Technology, in Pasadena) hacked the Rose Bowl football game. • 1982, MIT hacked the Harvard-Yale football game. Balloon with ‘MIT’ popped out of the ground.
Seriously now… • 1972: John Draper builds the blue box and starts phone phreaking • Dec 1973: Bob Metcalfe, “The Stockings Were Hung by the Chimney with Care,” Request for Comments no. 602 • August 1986: German hackers penetrate Lawrence Berkeley Laboratory systems and try to obtain secrets to be sold to the KGB • November 1988: The Internet worm brings down the Internet (Robert Morris Jr.) • December 1994: Kevin Mitnick attacks the Supercomputer Center in San Diego using a TCP spoofing attack • 2010: Stuxnet attacks uranium enrichment facilities in Iran
Cap’n Crunch • In 1972 John Draper finds that the whistle that comes with the Cap’n Crunch cereal produces a sound at 2600 Hz • The 2600 Hz tone was used by AT&T to authorize long-distance calls
Phone Phreaking • John Draper became “Captain Crunch” and built a blue box • It produced a number of different tones that could be used for in-band signaling • Draper was eventually sentenced to five years’ probation for toll fraud • His story became an integral part of hacker culture
Metcalfe’s story • Inventor of Ethernet • “The Stockings Were Hung by the Chimney with Care,” Request for Comments no. 602 • Identifies vulnerabilities in the ARPAnet • Says we should worry
The German Hackers Incident • Cliff Stoll was a system administrator at LBL in August 1986 • On his first day, he started investigating a 75 cent accounting discrepancy for CPU time • He found out that an account had been created with no billing address • More investigation identified the presence of an intruder • Instead of cutting out the intruder, Cliff Stoll decided to monitor the intruder in order to find out who he/she was and how he/she was able to gain privileged access
The German Hackers Incident • The intruder was exploiting a configuration problem in the Emacs editor • Emacs can work as a mailer, and it used the “movemail” program to move a user’s inbox from /var/spool/mail to the home directory using interlocking • The LBL configuration of /var/spool/mail didn’t allow the program to work as an unprivileged process • Therefore the “movemail” program was installed setuid root
The German Hackers Incident • In this configuration, movemail allowed anybody to move files to any directory of the system • The intruder used the bug to substitute his own copy of the “atrun” program, which is executed every 5 minutes to perform scheduled jobs and housecleaning tasks • The program ran with administrative privileges • Once the substituted program had done its work, the legitimate copy of atrun was copied back to hide the intruder’s tracks
The German Hackers Incident • The intruder gained administrative privileges and started creating accounts and backdoor programs • The intruder was using the LBL hosts to connect to military systems in the MILNET • Military sites and databases were searched for keywords such as “SDI” (Strategic Defense Initiative), “stealth”, “SAC” (Strategic Air Command), “nuclear”, “NORAD” • Cliff Stoll, at this point, called the FBI
The German Hacker Incident • With the help of the FBI and of the Bundeskriminalamt (BKA) he was able to trace the intruder to Hanover • 1989: the investigation ends with the arrest of Markus Hess in Germany, who apparently worked for the Eastern Bloc • Markus was sentenced to a year and eight months and a 10,000 DM fine; he was put on probation • Other “hackers” were involved in the break-in and received similar sentences
1988 The Internet Falls Over • November 2, 1988: The “Internet worm”, developed by Robert T. Morris, was injected into the Internet • A mistake in the replication procedure led to unexpected proliferation • The Internet had to be “turned off” • Damages were estimated in the order of several hundred thousand dollars • RTM was sentenced to three years’ probation, a $10,000 fine, and 400 hours of community service • The CERT (Computer Emergency Response Team) was created as a reaction to this incident
The Internet Worm • A worm is a self-replicating program that spreads across a network of computers • The worm worked only on Sun 3 systems and VAX computers running BSD UNIX • The worm consisted of two parts: • A main program • A bootstrap program
The Internet Worm • First step: Remote privileged access • fingerd buffer overflow: char line[512]; line[0] = '\0'; gets(line); (gets() has no length bound, so a request longer than 512 bytes overruns the buffer) • sendmail (the DEBUG option allows one to specify a number of commands to be executed) • The bootstrap program (99 lines of C code) was transferred using a connection from the infecting machine • The bootstrap program was compiled and run, causing the transfer of a precompiled version of the main program to the infected host
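The fingerd bug above is the classic unbounded read: gets() copies the request line until a newline with no regard for the 512-byte buffer. The following added example (not the original fingerd source, and not part of the slides) shows the bounded replacement a defender would write: same 512-byte buffer, but the read is length-limited, the result is always NUL-terminated, excess input is drained so the stream stays line-aligned, and truncation is reported so the caller can reject the request. The names read_request_line and demo_overlong_request_is_truncated are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_FINGERD 512      /* same buffer size as the 1988 fingerd */

/* Bounded replacement for "gets(line)". Reads one request line into buf
 * (at most bufsz-1 bytes), strips the newline like gets() did, and always
 * NUL-terminates. If the line was longer than the buffer, the remainder is
 * read and discarded so the next call starts on a fresh line.
 * Returns -1 on EOF with no data, 0 if the line fit, 1 if it was truncated. */
int read_request_line(char *buf, size_t bufsz, FILE *in)
{
    int truncated = 0;
    if (bufsz == 0) return -1;
    buf[0] = '\0';
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
    } else if (len == bufsz - 1) {
        /* buffer filled without seeing a newline: drain the rest of the line */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            truncated = 1;          /* only set if real data was dropped */
    }
    return truncated;
}

/* Constructed input: a 2000-byte "username", far beyond the 512-byte buffer.
 * Returns 1 if the reader truncated safely instead of overflowing. */
int demo_overlong_request_is_truncated(void)
{
    static char request[2048];
    memset(request, 'A', 2000);
    request[2000] = '\n';
    request[2001] = '\0';
    FILE *in = fmemopen(request, strlen(request), "r");
    char line[LINE_MAX_FINGERD];
    int rc = read_request_line(line, sizeof line, in);
    fclose(in);
    return rc == 1 && strlen(line) == LINE_MAX_FINGERD - 1;
}

/* Constructed input: a normal request, which must pass through unchanged. */
int demo_short_request_fits(void)
{
    char request[] = "bob\n";
    FILE *in = fmemopen(request, strlen(request), "r");
    char line[LINE_MAX_FINGERD];
    int rc = read_request_line(line, sizeof line, in);
    fclose(in);
    return rc == 0 && strcmp(line, "bob") == 0;
}
```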
Kevin Mitnick • One of the most well-known “hackers” in the community • 1982: One-year probation for breaking into PacBell’s offices • 1982: Enrolls at University of Southern California and uses campus machines to perform illegal activities: 6 months of juvenile prison in Stockton, California • 1987: Mitnick breaks into SCO. Sentence: three-year probation • 1988: Enrolls at Pierce and misuses campus systems. Expelled, appealed unsuccessfully • 1988: Mitnick breaks into DEC and steals software. Caught by FBI. One-year sentence at Lompoc, California
Kevin Mitnick • 1992: Mitnick violates probation and goes into hiding • 1994: California Department of Motor Vehicles issues $1-million warrant for Mitnick's arrest on charges of fraudulently trying to acquire driver identification • Christmas 1994: Mitnick accused of invading San Diego Supercomputer Center
Kevin Mitnick against SDSC • A very sophisticated TCP spoofing attack • The attack exploits the trust between hosts: • X-terminal: diskless SPARCstation running Solaris 1 • server: host providing boot image to x-terminal • X-terminal allows unauthenticated logins (and command execution requests) coming from server • Denial-of-service attack against server • Impersonation of server with respect to the x-terminal when executing: rsh x-terminal "echo + + >> /.rhosts"
Kevin Mitnick • February 1995: FBI arrests Mitnick in Raleigh, North Carolina. Sentenced to 46 months in prison (concurrently with a 22-month sentence) • January 2000: Mitnick released from prison after almost 5 years (probation forbade him from connecting to the Internet or sending e-mail) • January 2003: Mitnick can surf the Internet after 8 years
Stuxnet • 4 zero-days • 1 known exploit • 2 stolen certificates • 2 rootkits (one in a PLC!) • 2 Siemens security issues • 1 target
Hacking • The term “hacker” was introduced at MIT in the 60s to describe “computer wizards” • It has since come to denote “malicious hackers” or “crackers”, that is, people who perform intrusions and misuse computer systems • We will use the term “hacker” with this last connotation, keeping in mind that it is also used to describe […] someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker's attitude. Computer programming must be a hobby, something done for fun, not out of a sense of duty or for the money. (Brian Harvey, University of Berkeley http://www.cs.berkeley.edu/~bh/hackers.html)
Other terms of the hackers’ jargon • 31337, l33t, eleet: Clueful. Plugged-in. One of the cognoscenti. Also used as a general positive adjective. This term is not actually native hacker slang; it is used primarily by crackers and warezd00dz, for which reason hackers use it only with heavy irony. The term used to refer to the folks allowed in to the “hidden” or “privileged” sections of BBSes in the early 1980s (which, typically, contained pirated software). A true hacker would be more likely to use “wizardly”. Oppose “lamer” • haXOr • 0-day exploit