1 / 33

Looking at Vulnerabilities

Looking at Vulnerabilities. Dave Dittrich University of Washington dittrich @ cac.washington.edu http://staff.washington.edu/dittrich/. Overview. Background attack concepts Your typical look at Vulnerabilities, Risk vs. Cost A (real!) complex attack scenario

espen
Download Presentation

Looking at Vulnerabilities

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Looking at Vulnerabilities Dave DittrichUniversity of Washingtondittrich @ cac.washington.eduhttp://staff.washington.edu/dittrich/

  2. Overview • Background attack concepts • Your typical look at • Vulnerabilities, Risk vs. Cost • A (real!) complex attack scenario • A different view of vulnerabilities • Trust relationships • Attack trees • Atypical/uncommon vulnerabilities

  3. Stepping Stones

  4. Internet Relay Chat (IRC)

  5. IRC w/Bots&BNCs

  6. Distributed Denial of Service (DDoS) Networks

  7. Typical DDoS attack

  8. DDoS Attack Traffic (1) One Day Traffic Graph

  9. DDoS Attack Traffic (2) One Week Traffic Graph

  10. DDoS Attack Traffic (3) One Year Traffic Graph

  11. Windows Top 10 Internet Information Server (IIS) Microsoft Data Access Server (MDAC) SQL Server NETBIOS Anonymous login/null session LAN Manager Authentication(Weak LM hash) General Windows Authentication (Accounts w/o pwd, bad pwd) Internet Explorer Remote Registry Access Windows Scripting Host Unix Top 10 Remote Procedure Call (RPC) services Apache Web Server Secure Shell (SSH) Simple Network Management Protocol (SNMP) File Transfer Protocol (FTP) Berkeley “r” utilities(trust relationships) Line Printer Daemon (LPD) Sendmail BIND/DNS General Unix Authentication (accounts w/o pwd, bad pwd) SANS Top 20 Vulnerabilities http://www.sans.org/top20/

  12. Attack sophistication vs. Intruder Technical Knowledge binary encryption Tools “stealth” / advanced scanning techniques High denial of service packet spoofing distributed attack tools sniffers Intruder Knowledge www attacks automated probes/scans GUI back doors network mgmt. diagnostics disabling audits hijacking sessions burglaries Attack Sophistication exploiting known vulnerabilities password cracking Attackers password guessing Low 2001 1980 1985 1990 1995 Source: CERT/CC (used w/o permission & modified “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)

  13. Cost vs. Risk 101

  14. Another view of Cost vs. Risk

  15. UW Medical Center “Kane” Incident • Goal: How hard to obtain patient records? • Windows 98 desktop w/trojan or no pwd • Sniffer • Linux server -> Windows NT PDC/F&P server • Unix email server • Windows PDCs, BDCs • Windows Terminal Server (>400 users) • Access database file (>4000 patient records: Name, SSN, Home number, treatment, date…) • SecurityFocus -> ABC News

  16. Trust relationships • Client<->Server • IP based ACLs • Shared password/symmetric key • Shared network infrastructure • Sensitive data in email • Sensitive files on servers

  17. Attack Trees • “Secrets and Lies,” Bruce Schneier, ISBN 0-471-25311-1, chapter 21 • Goal is root node: Sub-goals are lower nodes/leaves • And/Or relationship between nodes • Attributes: Likelihood, equipment required, cost of attack, skill required, legality, etc.

  18. Attack Tree Example 1 http://www.counterpane.com/attacktrees-fig1.html

  19. Attack Tree Example 2 http://www.counterpane.com/attacktrees-fig6.html

  20. Attack Tree Example 3 Survivability Compromise: Monitor network traffic OR: 1. Install sniffer on desktop. OR: 1. Use email trojan horse. 2. Use remote exploit. 3. Use Windows remote login service. OR: 1. Use passwordless Administrator account. 2. Brute force passwords on all listed accounts. 3. Brute force passwords on common accounts. 2. Install sniffer on Unix/Windows server OR: 1. Use remote exploit. 2. Steal/sniff password to root/Administrator account. 3. Guess password to root/Administrator account. 3. Man-in-the-middle attack on SSL/SSH. …

  21. Attack Tree Example 4 (Nested) Survivability Compromise: Disclosure of Patient Records OR: 1. Attack Med Center network using connections to the Internet OR: 1. Compromise central patient records database (PRDB). AND: 1. Identify central PRDB. OR: 1. Scan to identify PRDB. 2. Monitor network traffic to identify PRDB. 2. Compromise central PRDB. OR: 1. Use Remote Exploit. 2. Monitor network traffic to sniff pwd to account. 3. Guess password to account. 2. Obtain file(s) containing patient records. OR: 1. Monitor network traffic to capture patient records. 2. Compromise file server or terminal server. OR: 1. Use Remote Exploit. 2. Monitor network traffic to sniff Administrator pwd. 3. Guess password to User/Administrator account.

  22. Atypical Vulnerabilities • Network Infrastructure • Special Devices • Non-technical (Social) Issues

  23. Border Routers • BGP (route insertion/withdrawal) • Address forgery • Source routing • Denial of Service • Remote service exploit & “Root kits” • Lack of visibility/access to traffic flows

  24. Internal Routers/Switches • OSPF, RIP & other protocols • Address forgery • ARP spoofing • Sniffing (SNMP community string, pwd) • Denial of Service • Lack of visibility/access to traffic flows

  25. Servers • Gateways to legacy apps • Web apps • Insufficient logging/auditing • Hiding in plain sight • Control of software configuration

  26. Network Printers • Change “Ready” message • FTP bounce scan, other scanning • File cache • SNMP/web admin front ends, back doors • Disclosure of print jobs • Passive monitoring • Redirection of print jobs

  27. Medical “devices”, photocopiers, printers • Proprietary or OEM OS (e.g., Solaris, IRIX) • Many (non-essential) services turned on • Typically behind the curve on patches • Remote management (HTTP, SNMP) • Heavy use of unencrypted protocols (e.g., FTP, LPR, Berkeley “r” utilities) • “What? The hackers are back?”

  28. PBXs, voice services • Monitoring • Theft of Service • Fraud/social engineering • Denial of Service • Malware Cache (PC based VM)

  29. Social Issues • Not recognizing threats • Assuming attacks are simple • Assuming things are what they seem (e.g., Slammer, Nimda) • Assuming attacks/defenses are direct • Assuming you have it handled

  30. Summary • Vulnerabilities exist in places you might not think • Vulnerabilities are additive, interrelated • Complex attacks call for complex defenses/response • If you’re not learning something new every day, you’re falling behind your adversary Questions?

  31. References • UW Medical Center • http://www.securityfocus.com/news/122/ • http://www.hipaausa.com/hacker.html • http://www.cio.com/archive/110102/rules_content.html • http://www.cio.com/archive/031502/plan_content.html • Attack trees • http://www.counterpane.com/attacktrees-ddj-ft.html • Networking • http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24 • http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt • http://www.securityfocus.com/infocus/1594

  32. References (cont) • Routers • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt • http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf • http://www.net-tech.bbn.com/sbgp/IETF42.ppt • http://www.cymru.com/Presentations/barry.pdf • BGP, OSPF • http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerability.pdf • http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf

  33. References (cont) • Switches, ARP, local network attacks • http://www.comnews.com/stories/articles/c0103sfarea.htm • http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt • Printers • http://members.cox.net/ltw0lf/printers/ • PBXs • http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf • DDoS, “root kits” • http://www.cert.org/reports/dsit_workshop.pdf • http://www.cert.org/archive/pdf/Managing_DoS.pdf • http://staff.washington.edu/dittrich/misc/ddos/ • http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

More Related