This quiz covers various topics including email security, IP security, web security, intruders, DNS, IDS, viruses, TCP-IP, and firewalls. It also includes buffer overflows and stack frames. Be sure to review the relevant slide sets mentioned.
Quiz-2 Review ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
john.copeland@ece.gatech.edu
404 894-5177 fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, or call 404 894-5177)
March 28, 2016
Quiz-2 Topic Areas
• Email Security - PGP, S/MIME
• IP Security - IPsec (AH, ESP modes, VPN)
• Web Security - Secure Socket Layers (SSL, TLS) - Certificates, CA’s, Hashes (MD5)
• Intruders (and other Malicious Users) - Protection
• DNS - cache poisoning (Birthday Attack used)
• IDS - (Base-Rate Fallacy, False-Positive Rate)
• Viruses - Worms, Trojan Horses, Logic Bombs, ...
• TCP-IP, Firewalls, Secure Electronic Transactions (SET), and Trusted Systems
We have discussed: BotNets, DDoS, SPAM, Phishing
Slides 17 (1-11): Buffer Overflows, Stack Frames
The test will also cover these slide sets:
• 06a DNS.ppt (5 hacks)
• 06-IP Networks.ppt (after Slide 9)
• Ethernet Addresses (how far do they go?), ARP
• Routing Tables, IPsec: ESP, AH
* Know uses of: nslookup, whois, traceroute, google.
The combinations are called: HTTPS, SFTP, ESMTP, SSH
• SSL and TLS sit above the TCP Socket, so they are part of the Application Layer (a “shim”).
• TLS is Transport Layer Security (it is not “IPsec Transport Level Security”).
• TLS is used for email (SMTP/TLS or POP/TLS or IMAP/TLS).
• SSL is used for secure Web access (HTTPS) (now uses TLS v1.2).
• Secure Shell, SSH, is Telnet + SSL + other features.
• Secure Copy, SCP, copies files using SSH (SFTP has FTP-like functions).
• Versions of SSL (v.1, v.2, v.3) and TLS (v1.0, v.1.1) should be replaced by TLS v.1.2.
Internet Architecture (figure: protocol stacks of a Browser, a Router and a Web Server)
• Browser: Application Layer (HTTP), Port 31337; Transport Layer (TCP, UDP), Segment No.; Network Layer (IP); Data-Link Layer (Token Ring); Physical Layer.
• Web Server: Application Layer (HTTP), Port 80; Transport Layer (TCP, UDP), Segment No.; Network Layer (IP); Data-Link Layer (Ethernet); Physical Layer.
• Router: Network Layer buffers packets that need to be forwarded (based on IP address); Data-Link and Physical Layers for both Token Ring and Ethernet.
• IP Addresses shown: 130.207.22.5 and 24.88.15.22.
IPsec - Security Associations
• Transport, Host-Host
• Tunnel, Gateway-Gateway (Routers)
DNS Hack #3 - Fast Flux DNS (figure: requesting host joe.poly.edu, local DNS server dns.poly.edu, root DNS server, TLD DNS server, authoritative DNS server dns.urhcked.com; steps 1-8)
• Host at poly.edu wants IP address for www.urhckd.com
• Host sends a "recursion-requested" query request to dns.poly.edu. [Host is doing a non-recursive search]
• Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host.
• Fast Flux: URL in Phish -> one of many bots; many IP’s of bot Phishing sites.
Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu.
$ nslookup www.urhckd.com.
answer 78.82.245.12
$ nslookup www.urhckd.com.
answer 53.119.24.124
From “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross (Chapter 2: Application Layer)
DNS Hack #4 - DNS Cache Poisoning - Birthday Attack (figure: timeline between Local DNS, NS-CNN.COM and Hacker; labels "DOS Attack", "Time")
• Hacker sends 260 requests for the same domain, cnn.com, and N replies with a fake Auth. N.S. IP address, with random IDs.
• Local DNS sends 260 queries ("Lookup www.cnn.com") with different IDs.
• Forged replies "www.cnn.com is 66.66.66.66" arrive; one of them is a correct guess of one ID.
• Probable no. of hits = 260*N/(256^2) = 1 if N = 252; Prob(hits>0) = 0.63; Total packets = 512.
• Local DNS -> caches www.cnn.com = 66.66.66.66.
• Also shown in the figure: dns.cnn.com is 64.236.90.21.
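To make the slide's numbers concrete, here is an added Python example (not from the course slides) that evaluates the same birthday-attack arithmetic and, for comparison, what the identical 512 packets achieve against a resolver that also randomizes its UDP source port (the RFC 5452 mitigation); treating the source port as 16 extra independent bits is an assumption of this example.

```python
ID_SPACE_16 = 2 ** 16  # 16-bit DNS transaction ID only (the slide's 256^2)
ID_SPACE_32 = 2 ** 32  # ID plus a randomized 16-bit UDP source port (RFC 5452); assumed independent


def expected_hits(queries, fake_replies, id_space=ID_SPACE_16):
    """Expected number of forged replies whose ID matches an outstanding query.

    Each of `queries` open lookups carries an independent random ID and each
    of `fake_replies` forged answers guesses one ID, so the expectation is
    queries * fake_replies / id_space (the slide's 260*N/(256^2)).
    """
    return queries * fake_replies / id_space


def prob_at_least_one_hit(queries, fake_replies, id_space=ID_SPACE_16):
    """Probability that at least one forged reply is accepted.

    One query escapes all guesses with probability (1 - fake_replies/id_space);
    the birthday effect is that there are `queries` independent chances rather
    than one, so P(hits > 0) = 1 - (1 - N/id_space)^queries (~0.63 at 260 x 252).
    """
    miss_one_query = 1.0 - fake_replies / id_space
    return 1.0 - miss_one_query ** queries


def replies_for_one_expected_hit(queries, id_space=ID_SPACE_16):
    """N that makes the expected hit count ~1 (the slide's N = 252 for 260 queries)."""
    return round(id_space / queries)


def poisoning_odds(queries=260, fake_replies=252):
    """Compare the slide's scenario with a resolver that also randomizes its
    source port: same attacker traffic, an ID space 65536 times larger."""
    return {
        "total_packets": queries + fake_replies,  # 512 on the slide
        "expected_hits_16bit": expected_hits(queries, fake_replies, ID_SPACE_16),
        "p_hit_16bit": prob_at_least_one_hit(queries, fake_replies, ID_SPACE_16),
        "expected_hits_32bit": expected_hits(queries, fake_replies, ID_SPACE_32),
        "p_hit_32bit": prob_at_least_one_hit(queries, fake_replies, ID_SPACE_32),
    }


if __name__ == "__main__":
    for key, value in poisoning_odds().items():
        print(f"{key:>20}: {value:.6g}")
```

Compare `prob_at_least_one_hit(1, 252)` (one outstanding query, about 0.4%) with the 63% the 260 parallel queries give; the 32-bit entries show why source-port randomization was the standard fix.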
Five DNS Hacks
DNS Hack #0 – modify /etc/resolv.conf or Windows’ Registry, to change the IP of the Local DNS Server.
DNS Hack #1 – add a line to /etc/hosts or Windows’ Registry.
DNS Hack #2 – In URL link, hide the actual domain: e.g., http://www.usbank.com.customer.dhs5134.hk
DNS Hack #3 – Fast-Flux DNS: gives different IP every time.
DNS Hack #4 – Poison the Local DNS Server’s cache (using a “Birthday” Attack)
Definitions
Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or CPU cycles.
Payload - harmful things the malicious program does, after it has had time to spread.
Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses). Email “viruses” are technically “worms”.
Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (time, trigger).
Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
“Vulnerability” - a program defect that permits “Intrusions”.
Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
Bot, BotNet - Large P2P network (hundreds to millions) of compromised computers (Bots) that communicate to commit DDoS, SPAM, Phish.
The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are “open” (being listened to by Servers).
2. Run “Exploit” scripts against open ports. [ACCESS]
3. Elevate privileges to “root” privileges. [ELEVATE]
4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT]
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]
Detection options annotated alongside the stages in the figure, in order (* = StealthWatch): Flow-based* "CI", signature-based?; Vulnerability Scan Signature?, Flow-Based Port Profile*; Host-based; Signature?, "Port-Profile*", Forbidden Zones*, Host-based; Signature?, "Port-Profile*", Forbidden Zones*, Host-based.
Protection from a Network Intrusion
Protection
1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10).
2. On Microsoft PC’s, with XP and later, use the OS firewall that limits incoming and outgoing communications by Application (program), not just port number. For Mac, buy "Little Snitch" ($35).
Detection
1. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or remove malware from a local host).
2. Use a program like TripWire* on each host to detect when systems files are altered, and email an alert to Sys Admin.
Reaction
1. Have a plan and the means to implement it.
Rule 2: Multiple Layers of Protection are needed to reach a high level of security at an affordable cost.
Anomaly-Based Intrusion Detection (Figure 9.1: distributions of normal and bad events against a Detection Threshold; events beyond the threshold are Detected as Positive -> Alarm)
• A Negative Event, True or False, is one that does not trigger an Alarm.
• High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
• #False-Positives = #Normal Events x FP-rate (False Alarms, False Positives (FP))
• #False-Negatives = #Bad Events x FN-rate (Undetected Intrusions, False Negatives (FN))
• #Normal Events = #TruePositives + #FalsePositives
"Base-Rate Fallacy" Calculations
If the “behavior” is a connection:
For legitimate connections (total number = LC):
  True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
  Correctly handled connections (no alarms) = TNR * LC
  Incorrectly handled connections (false alarms) = FPR * LC
For malicious connections (total number = MC):
  False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
  Correctly handled connections (real alarms) = TPR * MC
  Incorrectly handled connections (no alarms) = FNR * MC
If LC >> MC then (FPR * LC) >> (TPR * MC), hence “false alarms” are much greater than “real alarms” when FPR >> MC/LC (tiny). (TPR is 1 - FNR, or approx. 1.)
See Slide Set 09A, #17 for example calculations.
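The following Python example is added here (it is not part of the course slides) to carry the calculation through for both this slide and the anomaly-detection figure above; the connection counts and rates it uses are constructed values, not the course's own numbers.

```python
def alarm_breakdown(legit, malicious, fpr, fnr):
    """Split connections into the four IDS outcomes.

    legit (LC) and malicious (MC) are connection counts; fpr and fnr are the
    detector's per-connection False-Positive and False-Negative rates, with
    TNR = 1 - FPR and TPR = 1 - FNR as on the slide.
    """
    tnr, tpr = 1.0 - fpr, 1.0 - fnr
    return {
        "true_negatives": tnr * legit,   # legitimate, no alarm
        "false_alarms": fpr * legit,     # legitimate, alarm   (= #Normal Events x FP-rate)
        "real_alarms": tpr * malicious,  # malicious, alarm
        "missed": fnr * malicious,       # malicious, no alarm (= #Bad Events x FN-rate)
    }


def prob_intrusion_given_alarm(legit, malicious, fpr, fnr):
    """Bayes: P(intrusion | alarm) = TPR*MC / (TPR*MC + FPR*LC).

    This is the quantity the base-rate fallacy misjudges: a "1% FPR" gets
    read as "99% of alarms are real", but the answer is governed by MC/LC.
    """
    out = alarm_breakdown(legit, malicious, fpr, fnr)
    alarms = out["real_alarms"] + out["false_alarms"]
    return out["real_alarms"] / alarms if alarms else 0.0


def false_alarms_dominate(legit, malicious, fpr, fnr):
    """The slide's condition FPR*LC > TPR*MC, i.e. FPR > TPR * (MC/LC)."""
    return fpr * legit > (1.0 - fnr) * malicious


# Constructed example day (not from the slides): a million legitimate
# connections, ten malicious ones, a detector with 1% FPR and no misses.
LC, MC, FPR, FNR = 1_000_000, 10, 0.01, 0.0

if __name__ == "__main__":
    out = alarm_breakdown(LC, MC, FPR, FNR)
    print(f"false alarms: {out['false_alarms']:.0f}, real alarms: {out['real_alarms']:.0f}")
    print(f"P(intrusion | alarm) = {prob_intrusion_given_alarm(LC, MC, FPR, FNR):.4f}")
    # Cutting FPR to 1e-5 (one false alarm per 100,000 connections), not a
    # better TPR, is what makes the alarm queue worth a human's time.
    print(f"with FPR = 1e-5: P(intrusion | alarm) = {prob_intrusion_given_alarm(LC, MC, 1e-5, FNR):.2f}")
```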
Chapter 10a - Firewalls
Network Firewall - economical, one point to manage.
Host-based FW - can filter based on application; depends on the user unless a central management system is used.
Simple Firewall - drops packets based on IP, port.
Stateful - keeps track of connections, set up inside or outside.
NAT - Network Address Translation, Private Address ranges (10. , 192.168, …). Inbound connections must match the “forwarding table”.
Proxy Server - checks application header and data. Mail proxy may filter spam, viruses, and worms. Web proxy may filter URLs & domains.
Attacks - how does a Firewall protect against scanning, bad fragments, bad TCP flags, Smurf attack, ...?
Host-based Firewalls - xinetd (/etc/hosts.allow), iptables, Zone Alarm, Black Ice (now ISS Desktop Proventia), “Little Snitch”
Chapter 10b - Trusted Systems
Subject, Object, Access Rights (permissions)
Policy - Access matrix or ACL (access control list)
3 Basic Security Rules:
• No read up (simple security property)
• No write down (do not widen accessibility)
• Need to Know.
Reference Monitor, audit file, security kernel database.
3 Requirements to be a “Trusted System”: Complete Mediation, Isolation, Verifiability
“Common Criteria” Security Specifications are multi-national trust ratings.
Chapter 11 - TCP/IP
Bad fragments can crash the Operating System (OS): "Teardrop"
ICMP packets: Type No. (11 = Timeout, 8 = Ping, 0 = Pong, 3 = Unreachable [Codes: 0 = Network, 1 = Host, 3 = Port])
• "Ping of Death" - fragment extends beyond 2^16 bytes,
• "Smurf" (Pong multiplication, Ping to broadcast address).
“Spoofed” addresses for Flood DoS attacks (Source IP in Smurf).
TCP Handshake, SYN, SYN-ACK, ACK / RESET / FIN, FIN
Flags - bad combinations to 1) map OS, 2) cause crashes.
TCP - Hijacked connection. IP address of one host can change if sequence numbers and acknowledge numbers are consistent. Original host must be DoS'ed (silenced).
DNS - UDP port 53 used for DNS lookups, reverse lookups. What is “Fast Flux DNS” and “DNS Cache Poisoning”?
ARP - Used by IP layer to find the MAC layer address to use. What is “ARP Poisoning”?
Chapter 13 - NetSec Utilities
What do they do? John the Ripper, Metasploit, dsniff, nmap, Tripwire, Wireshark, tcpdump, nslookup, traceroute, whois, netstat, dd
Security Organizations: US-CERT (U.S. Computer Emergency Response Team), SANS, NIPC (FBI - Nat. Infrastructure Protection Center)
What to do if a host is compromised:
• Evidence – preserve chain of custody
• Disconnect from network, by power-off if possible.
• UNIX 'dd' utility good for making an image of a hard disk
Slide Set 14 - Wireless Security
• WEP is weak security, but far better than nothing (GTother).
• WPA is better, but needs long passphrases (22 characters).
• WPA2 is best, but not completely compatible with older cards (GTwpa - available in 2010, GTwifi in 2012).
• Use longest key-length possible. WPS 7-digit install is broken.
• Enable use of “allowed list” of MAC addresses.
• Use higher-layer security - IPsec or HTTPS (SSL), email with TLS.
• Use a firewall and IDS to isolate wireless access points (WAP’s) just like you do for the Internet gateways.
• What is a Rogue WAP, an “Evil Twin” attack?
• Authentication: RADIUS, CHAP - Challenge Authentication
HW
What was learned from homework problems?
Outside Reading
• "How Hackers Took Down a Power Grid" http://www.bloomberg.com/news/articles/2016-01-14/how-hackers-took-down-a-power-grid
• "Auto Industry, U.S. Reach Agreement on Cybersecurity" - http://bloom.bg/1WezUFd
• "Anti-Virus Software can itself have a Vulnerability" http://www.csoonline.com/article/3020459/security/antivirus-software-could-make-your-company-more-vulnerable.html
The test will cover the slide sets 06-IP Networks.ppt, 07-SSL-SET, 08a Safer Downloading.ppt, 09a-Intrusion.ppt, 09b-Viruses, 10a-Firewalls.ppt, 10b-Trusted Systems, 11-TCP-IP.ppt, 13-Netsec Utilities.ppt, 14-Wireless Security, and 18-Shellcode.ppt (slides 1-14). It will not cover Simple Network Management Protocol (08-SNMP.ppt). You will be able to bring your Quiz-1 reference sheet. You should review areas you missed on Quiz-1. We discussed SSL/TLS in connection with Public-Private keys, and secure email. We did cover the SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years; it, or something like it, may be necessary in the future.