
External Threats - People & Technology

External Threats - People & Technology. Rudeyna Quadri February 11, 2003. Outline. Threats in the Digital World People in the Digital World Prelude to Hacking Footprinting Scanning Enumeration. Threats in the Digital World. They mirror the threats in the physical world

Presentation Transcript


  1. External Threats - People & Technology • Rudeyna Quadri • February 11, 2003

  2. Outline • Threats in the Digital World • People in the Digital World • Prelude to Hacking • Footprinting • Scanning • Enumeration

  3. Threats in the Digital World • They mirror the threats in the physical world • Digital embezzlement • Digital bank robbery • Invasion of privacy • Theft • Racketeering • Vandalism • Exploitation • Extortion • Fraud

  4. Threats in the Digital World • Changing nature of the attacks • Attacks may have the same goals and share many techniques with the physical world, yet they are very different • More common • More widespread • Harder to track • Effects will be more devastating

  5. Real-Life Lessons • What happened: Front page replaced • How: Two years since server code was updated • Lesson: Update systems frequently • What happened: Customer details compromised on web site • How: Glitch on the web site • Lesson: Stronger customer authentication and development control processes needed • What happened: Home page text replaced • How: Failed to update operating system in a timely fashion • Lesson: Always apply latest patches • Source: Internet World

  6. Threats in the Digital World • The Internet has three features which make the threats more horrifying • Automation • Action at a Distance • Technique Propagation

  7. Automation • Computers excel at dull, repetitive tasks • Salami attack • Fast automation makes attacks with a minimal rate of return profitable • Even a success rate of 1 in 10,000 is acceptable • Violation of privacy

  8. Action At a Distance • The Internet has no borders: every two points are adjacent • Internet hackers don’t have to be anywhere near their prey • Finding attackers sometimes becomes impossible • Lack of uniform international laws makes it harder to track cyber criminals across national borders.

  9. Technique Propagation • Electronic counterfeiter • Only the first attacker has to be skilled: everyone else can use his/her software

  10. Threats to the Digital World: People • Who are the adversaries in the digital world? • We can categorize them in several ways • Objectives • Access • Resources • Expertise • Risk

  11. Objectives • Raw damage • Financial gain • Information

  12. Levels of Access, Resources & Expertise • An insider has much more access than someone outside the organization • Access to different levels of resources: some are well funded, while others operate on a shoestring • Some have technical expertise while others have none

  13. Levels of Risk • Risk tolerance is varied • Publicity seekers probably won’t want to go to jail.

  14. Definitions • Risk = Threat × Vulnerability • Being “at risk” is being exposed to threats. • Risks are subjective: the potential to incur consequences of harm or loss of target assets. • A Risk Factor is the likelihood of resources being attacked. • Threats are dangerous actions that can cause harm. • The degree of threat depends on the attacker's Skills, Knowledge, Resources, Authority, and Motives. • Vulnerabilities are weaknesses in victims that allow a threat to become effective.

  15. Hacker Jargon (Some) • A rogue user is an authorized user who, without permission, accesses restricted assets. • A bogie is an unauthorized user who subverts security systems. • A cracker breaks into others’ computing facilities for their own personal gain, be it financial, revenge, or amusement. • A hacktivist is a cracker with a cause. (Example of hacktivism: building Peekabooty to get around governments blocking websites) • A terrorist uses fear to blackmail others into doing what they want.

  16. Hacking Jargon (Some) • White Hats are also called “ethical” hackers, such as the Axent (now Symantec) Tiger Team • Black Hats disregard generally accepted social conventions and laws. • Script kiddie is a derogatory term for a wannabe cracker who lacks programming skills and thus relies on prewritten scripts and toolkits for their exploits. • Journeyman is an experienced hacker: someone who has collected many tools and made many connections. • A Puppet Master (wizard) produces exploits. Source: http://www.wilsonmar.com/1secvul.htm

  17. Types of Adversaries • The Hacker • FBI Seeks Hacker Who Stole eBay Info, Sat Feb 8, 10:50 AM ET: CHARLOTTE, N.C. - A hacker used a University of North Carolina computer system to steal personal financial information from eBay users, and at least one person lost money, the FBI said Friday.

  18. The Hacker • “Cracker” for the bad guys, “Hacker” for the good ones • Today’s hackers are • Twenty-something & younger • Usually male • Have their own counterculture • Hacker names, handles, lingo, rules • Only a small percentage of the hackers are actually smart.

  19. The Hacker • Hacker stereotypes • Real hackers have an understanding of technology at a basic level. The rest are called lamers or Script Kiddies • Usually have a lot of time but limited financial resources

  20. The Hacker • Hackers write hacking tools which can automate the process of breaking into systems.

  21. Lone Criminals • Lone criminals cause the bulk of computer related crimes • May be insiders who notice a flaw in the system & decide to exploit it • Lone criminals will usually target commerce systems.

  22. Malicious Insiders • Someone in the system who wants to attack • Perimeter defense not relevant • Do not always attack the system • 1991: employees at Charles Schwab in SF used the company’s e-mail system to buy and sell cocaine. • Insiders are not necessarily employees. May be: • Contractors • Consultants

  23. Insider Attack • Most security measures are powerless against insiders; systems are more vulnerable to them • Motivational factors for insiders: • Revenge • Financial Gain • Institutional Change • Publicity

  24. Other Adversaries • Industrial Spy: • Precise motivation of gaining an edge over competitors • An admissions administrator at Princeton broke into a Yale admissions computer to look at student applicant records. Source: http://www.all.net/ • Press: • Subspecies of industrial spy, but different motivation: creating sensation. • Organized Crime: • Uses technology in two ways: • New venue for crime: hacking tools to break into bank computers, stealing cell phone IDs and reselling them. • Uses computers to assist in its core business.

  25. Other Adversaries • Police • Information gathering • Have legal right to “eavesdrop” (with warrant) • No guarantee that the information will be used ethically in the future. • Terrorist • More concerned with causing harm than information gathering • Denial of Service, and outright destruction.

  26. Other Adversaries • National Intelligence Organizations • CIA, NSA, KGB, MI5, MI6 • Usually extremely well funded • Some national intelligence organizations are involved in industrial espionage and passing on the info to their national companies.

  27. Infowarriors • Military adversary who targets the enemy’s information or network infrastructure. • Attacks range from subtly modifying systems so that they do not work to blowing up the system. • Usually have the resources of a government behind them • More short-term goal oriented • Higher risk tolerance.

  28. Hacking: first steps • Before in-depth hacking can be performed, three essential tasks must be completed • Footprinting • Scanning • Enumerating

  29. Footprinting • Create a complete profile of an organization’s security posture • Steps • Determine the scope of activities • Check organization’s website for info • Review HTML source code for comments • Network Enumeration • Identify domain names and associated networks • DNS Interrogation • Query the DNS • Zone Transfer

  30. Scanning • Footprinting provides a list of network and IP addresses through whois queries • Scanning determines what systems are alive and reachable from the Internet

  31. Scanning • Tools for Scanning • Ping Sweeps • Port Scans • Automated Discovery Tools

  32. Scanning – Ping Sweeps • One of the basic steps in mapping out a network is performing an automated ping sweep on a range of IP addresses. • Ping traditionally sends ICMP ECHO to elicit an ICMP ECHO REPLY

  33. Tools for Ping Sweeps • fping • Operates in UNIX • Available at http://www.fping.com • Uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. • “fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping. Instead of trying one host until it timeouts or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable”

  34. Tools for Ping Sweeps • Pinger • Freeware for Windows • http://www.nmrc.org/files/snt/#chk-scan • Like fping, Pinger sends out multiple ICMP ECHO packets in parallel and waits and listens for responses. • Allows the user to resolve hostnames and save output to a file

  35. Tools for Ping Sweeps • For Windows • WS_Ping ProPack • www.ipswitch.com • Pricing (source: www.ipswitch.com):
      Licence          Price     Price with Service Agreement
      Single User      $37.50    $87.50
      10 User Pack     $280      $330
      20 User Pack     $540      $637
      50 User Pack     $1,300    $1,534
      100 User Pack    $2,450    $2,891

  36. Ping Sweep • Other Tools • NMAP provides ping sweep facilities • Icmpenum from Simple Nomad • Special features • ICMP TIME STAMP REQUEST • ICMP INFO REQUEST • Can use spoofed packets to avoid detection

  37. Ping Sweep Countermeasures • Detection • Through network-based IDS like Snort • Other Unix-based: • Scanlogd, Ippl 1.4.14 etc. • Windows-based • Genius (freeware): detects a TCP scan to a particular port • BlackIce (commercial)

  38. Ping Sweep Countermeasures • Prevention • Carefully evaluate which ICMP traffic to allow into the network or into specific systems. • ICMP traffic can be limited with ACLs to specific IP addresses of the ISP.

  39. Port Scanning • Process of connecting to TCP and UDP ports on the target system to determine what services are running or are in a LISTENING state • Three main objectives: • Identify both the TCP and UDP services running on the target system • Identify the type of operating system • Identify specific applications or versions of an operating system.

  40. Port Scanning • Types of port scan • TCP connect scan: connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). Easily detected by the target system. • TCP SYN scan: a SYN packet is sent to the target port; if SYN/ACK is received, the port is in the listening state. If RST/ACK is received, the port is not listening. Stealthier than a full scan, and may not be logged by the target system.

  41. Types of Port Scan • TCP FIN scan: sends a FIN packet to the target port; the target sends back RST for all closed ports. Usually only works on Unix-based TCP/IP stacks. • TCP Xmas Tree scan: sends a FIN, URG and PUSH packet to the target port. The target sends back RST for all closed ports. • TCP Null scan: turns off all flags. The target system sends back RST for all closed ports. • TCP ACK scan: used to map out firewall rulesets. Helps determine if a firewall is stateless or stateful

  42. Port Scanning Toolkit • Unix-based: • Strobe: • TCP port scanning utility • One of the fastest and most reliable • Optimizes system and network resources and scans the target system efficiently. • We only see half the picture, as Strobe does not provide UDP scanning capabilities. • UDP_scan • Reliable • Sometimes triggers a message from major IDS products: not stealthy

  43. Port Scanning Toolkit • Unix-based • Netcat • Provides both TCP and UDP scanning abilities • Network Mapper (NMAP) • Nmap can scan a system or an entire network • Possible to save output to a file • Able to launch decoy scans • Can do ident (identity) scanning

  44. Port Scanning Toolkit • Windows-based • Port Probe (from NetScan Tools Pro 2003) • Target IP & port lists can be imported from files. • TCP & UDP scan • SuperScan & WinScan • TCP port scanners • Free • ipEye • Performs source port scanning, as well as SYN, FIN and Xmas tree scans. • Windows UDP Port Scanner (WUPS).

  45. Port Scanning Countermeasures • Detection • Detecting port scan activity is important to understand when an attack may occur and by whom. Primary methods for detection are network-based IDS programs like: • Internet Security Systems’ RealSecure • Snort

  46. Port Scanning Countermeasures • Detection • Unix host-based perspective: • Scanlogd: detects & logs attacks • Psionic PortSentry: detects and responds to active attacks. Response: automatically sets kernel filtering rules that add a rule to prohibit access from the offending system. • Cons to retaliation? Spoofing. • Firewalls: can be configured to detect port scan attempts.

  47. Port Scanning Countermeasures • Detection • Windows-based • Genius • BlackIce • Prevention: • Disable all unnecessary services
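As an added example (not from the original presentation), a minimal host-side detector in the spirit of Scanlogd and Snort, run over a constructed firewall log: it flags a source that pings many hosts (slide 32), a source that touches many ports on one host (slide 39), and the FIN, Xmas and Null flag combinations of slide 41, which never begin a legitimate connection. The log format, the flag letters and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the original presentation).
# Format: "<src> <dst> <proto> <dport> <tcp-flags>"; flags are "-" for ICMP
# and for a TCP segment with no flags set (a Null scan probe).
SAMPLE_LOG = """\
10.0.0.5 192.168.1.1 icmp-echo 0 -
10.0.0.5 192.168.1.2 icmp-echo 0 -
10.0.0.5 192.168.1.3 icmp-echo 0 -
10.0.0.5 192.168.1.4 icmp-echo 0 -
10.0.0.9 192.168.1.10 tcp 22 S
10.0.0.9 192.168.1.10 tcp 23 S
10.0.0.9 192.168.1.10 tcp 25 S
10.0.0.9 192.168.1.10 tcp 80 S
10.0.0.9 192.168.1.10 tcp 443 S
10.0.0.7 192.168.1.10 tcp 139 FPU
10.0.0.7 192.168.1.10 tcp 445 -
10.0.0.20 192.168.1.10 tcp 443 S
"""

SWEEP_HOSTS = 4   # distinct hosts one source must ping before we call it a sweep
SCAN_PORTS = 5    # distinct ports one source must probe on a host to call it a scan
# Flag combinations that never open a legitimate connection (slide 41)
ODD_FLAGS = {"FPU": "Xmas tree scan", "-": "Null scan", "F": "FIN scan"}

def parse(line):
    src, dst, proto, dport, flags = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "flags": flags}

def detect(log_text):
    """Return a sorted list of (source address, finding) pairs."""
    pinged = defaultdict(set)   # src -> hosts it sent ICMP echo requests to
    probed = defaultdict(set)   # (src, dst) -> TCP ports it touched on dst
    findings = set()
    for line in log_text.strip().splitlines():
        r = parse(line)
        if r["proto"] == "icmp-echo":
            pinged[r["src"]].add(r["dst"])
        elif r["proto"] == "tcp":
            probed[(r["src"], r["dst"])].add(r["dport"])
            if r["flags"] in ODD_FLAGS:   # stealth scans give themselves away by flags
                findings.add((r["src"], f"{ODD_FLAGS[r['flags']]} to {r['dst']}"))
    for src, hosts in pinged.items():
        if len(hosts) >= SWEEP_HOSTS:
            findings.add((src, f"ping sweep of {len(hosts)} hosts"))
    for (src, dst), ports in probed.items():
        if len(ports) >= SCAN_PORTS:
            findings.add((src, f"port scan of {len(ports)} ports on {dst}"))
    return sorted(findings)
```

A single SYN to one port (the 10.0.0.20 line) produces no finding, which is the point of counting distinct hosts and ports rather than alerting on every packet.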

  48. Detecting the Operating System • The second objective of scanning is to determine the operating system. • Tools: • NMAP (again) • Queso • Both of these provide stack fingerprinting capabilities

  49. Detecting the Operating System • Stack Fingerprinting • There are many nuances that vary between one vendor’s IP stack implementation and another. Probing these differences can help us begin to make an educated guess as to the exact operating system in use. This is known as stack fingerprinting.

  50. Stack Fingerprinting • Types of probes: • FIN probe • Bogus flag probe • Initial Sequence Number sampling • “Don’t Fragment bit” monitoring • TCP initial window size • ACK value • ICMP error message quenching • ICMP message quoting • ICMP error message-echoing integrity • Type of Service (TOS) • Fragmentation handling • Please see Hacking Exposed (pp. 55-56) for details of these probes.
