Security: COSC 4750
Security • Computer security and the Internet • Electronic warfare is becoming more common. • Attack systems, bring down the infrastructure. • Crackers and business • Break into business computers to "blackmail" the company for money. • Disgruntled employees • May damage computers when fired or "unhappy".
What do you think are the biggest threats to computer security? • Looking at the security issues, what is the single biggest issue in computer security?
Unix and Security • Optimized for convenience • which makes security difficult and unnatural • UNIX security is effectively binary: either you have no privileges or you have root privileges • so slight lapses in security can compromise the entire system • Administrative functions are outside the kernel, in ordinary setuid programs and daemons that run as root • meaning a bug in any one of them gives an attacker a way into the system.
Common-sense rules • Don't put important files on open (publicly reachable) systems. • Plug the holes in your system: check for security bulletins and patches. • Avoid writable FTP directories, shared group accounts, and bad passwords. • Set traps with tools like tripwire, tcpd, and crack. • Use packet filtering and/or firewalls.
Monitor the system: read the logs and check out minor problems, since they may be covering break-ins. • Read up on UNIX system security. Security experts cost about $250K for what you can read and do on your own. • Monitor the reports from your security traps and tools.
How security is compromised • Unreliable and uneducated wetware (people): • Teach users never to give out their passwords. • But recent studies show it may not matter. • Even to system administrators: "We don't need them." • Software bugs: • Hackers/crackers exploit bugs to break into systems.
Open doors: • guest accounts that have no password. • Most UNIX systems ship with system accounts, many of them without passwords. You have to lock them: put an * (or !) in the password field of /etc/shadow (or /etc/passwd), a string no hash can ever equal, so no typed password will be accepted.
Passwords • Enforce a policy in which passwords are not a single dictionary word. • Best is a nonsense series of letters (upper and lower case), numbers, and special characters. • But that is hard for users to remember, so they tend to write passwords down! • The root password should be at least 8 characters (a floor, not a target), with 2 special characters and no meaning whatsoever.
setuid or suid • Minimize the number of suid programs. • A suid program runs with the privileges of the file's owner rather than of the user who started it; when the owner is root, a normal user is running a program as root, so any bug in that program is a bug in root.
File permissions • /etc/passwd should be owned by root and not world-writable. • /etc/shadow should be readable and writable only by root. • FTP directories should not be world-writable, and the ~ftp/etc/passwd file should contain no real users and NO password hashes.
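The checks on the last three slides (unlocked system accounts, setuid programs, and the modes of /etc/passwd and /etc/shadow) are easy to script. The following is an added example, not part of the lecture, written in POSIX sh with awk and find. The passwd and shadow contents and the bin/ tree it builds are constructed sample data, and the UID cutoff of 1000 used to mean "system account" is an assumption (older systems used 100 or 500).

```shell
#!/bin/sh
# Added example: audit a passwd/shadow pair and a directory tree for the
# "open doors" on the slides. POSIX sh + awk + find; sample data constructed.

# Login names whose password field is empty: no password is needed at all.
# A locked account has "*" or "!" in that field instead.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# System accounts (UID below 1000 here; an assumption, older systems used
# 100 or 500) other than root whose shadow entry is not locked, i.e. whose
# password field does not start with "*" or "!".
unlocked_system_accounts() {
    awk -F: 'NR == FNR { if ($3 < 1000 && $1 != "root") sys[$1] = 1; next }
             ($1 in sys) && $2 !~ /^[*!]/ { print $1 }' "$1" "$2"
}

# True (exit 0) if anyone other than the owner can read the file. POSIX
# find -perm -MODE tests that every bit in MODE is set, so group read (040)
# and other read (004) are tested separately. /etc/shadow must answer false.
group_or_other_readable() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# True if the file is world-writable (other-write bit 002). /etc/passwd
# and FTP directories must answer false.
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 -print)" ]
}

# Regular files under DIR with the setuid bit (4000) set. On a real
# system add "-user root" to see only the ones that grant root.
setuid_files() {
    find "$1" -type f -perm -4000 -print | LC_ALL=C sort
}

# Build a constructed sample tree under DIR (not taken from any real system).
build_sample() {
    mkdir -p "$1/bin"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
guest:x:500:500:guest:/home/guest:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
lp:$1$constructed$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
    chmod 644 "$1/passwd"
    chmod 600 "$1/shadow"
    : > "$1/bin/passwd.bin"; chmod 4755 "$1/bin/passwd.bin"   # legitimately setuid
    : > "$1/bin/ls.bin";     chmod 755  "$1/bin/ls.bin"
}

# Run the audit against the sample tree.
demo=$(mktemp -d)
build_sample "$demo"
echo "accounts with an empty password field:"; empty_password_accounts "$demo/shadow"
echo "system accounts that are not locked:";   unlocked_system_accounts "$demo/passwd" "$demo/shadow"
echo "setuid files:";                          setuid_files "$demo/bin"
group_or_other_readable "$demo/shadow" && echo "WARNING: shadow is readable by others"
world_writable "$demo/passwd"          && echo "WARNING: passwd is world-writable"
rm -rf "$demo"
```

On the sample data, guest is reported for its empty password field, lp and guest as system accounts that are not locked (lp has a real hash, which a no-login service account should not), and bin/passwd.bin as the only setuid file. Point the functions at /etc/passwd, /etc/shadow and / to run the same checks on a live host.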
Remote security issues • Use ssh instead of rlogin, rsh/rshd, and rcp. • Turn off rexecd and tftpd unless you must use them. • Also turn off fingerd. • For such a simple program, many security holes have been found in it over the years. • Turn off any services/daemons that you do not need.
Back up regularly • Worst case, you rebuild the machine and recover the users' data. • Sometimes the easiest way to get rid of a hacker who has gotten in is to reinstall everything from trusted media and start clean, restoring only data (not programs) from the compromised system.
Security tools • nmap: scan network ports • Scans for open ports on a computer (UNIX and Windows) and reports what it found. • SAINT: an upgrade of SATAN (1995) • Knows about UNIX ports and vulnerabilities and looks for them. • Uses a web server and reports a great deal of information as HTML. • "Run it on your system before hackers do."
crack: find insecure passwords in a UNIX password file • Guesses likely passwords (dictionary words and variations), hashes them the same way the system does, and compares against the stored hashes. • tcpd: protect Internet services • Also called "TCP Wrappers" • Lets you log connections and restrict where they can come from (via /etc/hosts.allow and /etc/hosts.deny).
COPS: audit system security • Warns of problems in many areas, including: • file, directory, and device permissions and modes • contents of /etc/passwd and /etc/group • contents of the system startup and crontab files • writability of users' home directories
Tripwire: monitor changes to system files • Reports when system files have been changed, by comparing each file's checksum and attributes against a baseline taken while the system was known to be clean. • One trick of a hacker is to replace the login program with one that records the passwords users type. • Doesn't always work: a baseline the intruder can rewrite, or a Tripwire binary they can replace, reports nothing, so keep both on read-only media.
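The idea behind Tripwire fits in a few lines of shell: take a baseline of checksums, compare later, report what was added, changed, or removed. The following is an added example, not Tripwire and not from the slides, in POSIX sh plus sha256sum from GNU coreutils. The bin/login, bin/sshd and etc/motd files it builds are constructed, and the "attack" it simulates is the login-replacement trick from the slide.

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style integrity check. Not Tripwire
# itself. Assumes POSIX sh plus sha256sum (GNU coreutils). The baseline
# belongs on read-only or off-host media, otherwise the intruder who
# replaces /bin/login can also rewrite the baseline.

# Write "hash  ./relative/path" for every regular file under DIR to OUT.
# Paths are relative to DIR so the baseline can be checked from a rescue
# mount; file names containing spaces or newlines are not handled.
baseline_create() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Compare DIR against BASELINE. Prints one line per difference
# (ADDED / MODIFIED / REMOVED path), sorted; exit 0 only when identical.
baseline_check() {
    current=$(mktemp)
    baseline_create "$1" "$current"
    report=$(awk 'NR == FNR { base[$2] = $1; next }
                  { seen[$2] = 1
                    if (!($2 in base))       print "ADDED", $2
                    else if (base[$2] != $1) print "MODIFIED", $2 }
                  END { for (p in base) if (!(p in seen)) print "REMOVED", p }' \
             "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree: a tiny "system" with a login program and a motd.
build_sample_tree() {
    mkdir -p "$1/bin" "$1/etc"
    printf 'original login binary\n' > "$1/bin/login"
    printf 'sshd\n'                  > "$1/bin/sshd"
    printf 'welcome\n'               > "$1/etc/motd"
}

# Simulate the attack the slide describes: login is replaced, a backdoor
# appears, and a file is removed, all after the baseline was taken.
tamper_sample() {
    printf 'trojaned login that records passwords\n' > "$1/bin/login"
    printf 'backdoor\n'                              > "$1/bin/backdoor"
    rm -f "$1/etc/motd"
}

demo=$(mktemp -d)
build_sample_tree "$demo/root"
baseline_create "$demo/root" "$demo/baseline.sha256"   # taken while clean
baseline_check "$demo/root" "$demo/baseline.sha256" && echo "clean: no changes"
tamper_sample "$demo/root"
baseline_check "$demo/root" "$demo/baseline.sha256" || echo "ALERT: system files changed"
rm -rf "$demo"
```

After the tampering step the check prints ADDED ./bin/backdoor, MODIFIED ./bin/login and REMOVED ./etc/motd and exits non-zero. On a real host, run baseline_check from cron against a baseline kept off the machine and mail the output; a trojaned login that produces a matching hash is not a practical concern with SHA-256, but a trojaned baseline_check is, which is why the checking tools themselves must live on trusted media.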
Cryptographic security tools • Kerberos: a system that "guarantees" that users and services are in fact who they claim to be. • PGP: Pretty Good Privacy. • Can be used to encrypt and sign data, e-mail, etc. • SSH: the secure shell • Authenticates to confirm the user's identity and encrypts all communication between the two hosts.
Security information • System administrators and hackers get their information from the same places. • CERT: a registered service mark of Carnegie Mellon University • www.cert.org provides advisories and announces when patches are released to fix problems.
SecurityFocus.com and the BugTraq mailing list • Specialize in security-related news and information. • See the book for how to get on their mailing lists. • SANS: the System Administration, Networking, and Security Institute • www.sans.org
Vendor-specific security resources • Each vendor (Sun, SGI, the Linux distributions, and so on) has its own mailing lists or places to look for patches and information about security problems.
Firewalls • Packet-filtering firewalls • Limit the types of traffic that can pass through your "Internet gateway". • You specify the destination addresses, port numbers, and protocol types that are acceptable and discard the rest. • Can be done with most routers, instead of purchasing a separate piece of equipment.
Firewalls • Hardware firewalls • Firewall: a system intended to be one that cannot be broken into. • It monitors traffic and "protects" the computers behind the firewall from access from the outside world. • Configure it so some machines can be reached only on specific ports (such as a web server), while others can't be reached at all.
Software firewall • A piece of software on the computer itself. • Not as good, because the computer is doing the filtering work (instead of what the computer is for). • Linux uses iptables. • Sets up a set of rules about which packets the machine will allow (inbound and outbound). • Details in a couple of slides.
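The kind of iptables ruleset the slides describe (default deny, then the specific ports a machine is allowed to be reached on) is below as an added example, not from the lecture. A small POSIX sh function emits the rules in iptables-restore format so they can be reviewed, diffed against the live iptables-save output, and only then loaded as root with `iptables-restore < file`. The administrative network 192.0.2.0/24 (an RFC 5737 documentation prefix) and the port list are placeholder parameters; loading the rules needs a Linux kernel with netfilter, but the function itself only writes text.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables ruleset in iptables-restore
# format. Only prints text; apply it as root with
#   iptables-restore < /etc/iptables/rules.v4
# and inspect what is live with iptables-save. The admin network and port
# list are placeholders, not values from the lecture.

# filter_rules ADMIN_NET PUBLIC_TCP_PORTS
#   ADMIN_NET         CIDR allowed to reach ssh (e.g. 192.0.2.0/24)
#   PUBLIC_TCP_PORTS  comma-separated TCP ports open to everyone (e.g. 80,443)
filter_rules() {
    admin_net=$1
    public_ports=$2
    cat <<EOF
*filter
# Default deny for inbound and forwarded traffic; this host may still talk out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local traffic, and replies to connections this host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh only from the administrative network.
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
# The services this machine exists to offer (the "web server" case).
-A INPUT -p tcp -m multiport --dports $public_ports -m conntrack --ctstate NEW -j ACCEPT
# Keep ping working for diagnostics; log (rate-limited), then drop, everything else.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Print the ruleset for review rather than applying it directly.
filter_rules 192.0.2.0/24 80,443
```

The ESTABLISHED,RELATED rule is what keeps an existing ssh session alive when a DROP policy is loaded over it; load a ruleset like this from the console, or with a scheduled `iptables-restore` of a known-good file a few minutes later, so a mistake cannot lock you out of a remote machine.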
VPN • Virtual Private Networks (VPNs) • Also called tunnelling. • Avoid split tunnelling if possible (where only some traffic goes through the tunnel and the rest goes straight to the Internet, bypassing the protected path). • A computer makes a secure connection to a "VPN server", and then all its traffic appears to be coming from the server. • The tunnel between server and computer is encrypted for added security. • Similar to what ssh attempts to do with port forwarding.
What to do when your site has been attacked and possibly compromised?
The attack usually happened hours or even days ago. Don't panic. • Figure out who all needs to deal with the problem. • Find and make copies of all tracking information: • logs, accounting files, trap logs, etc.
Assess your degree of exposure. • Find out what they damaged, removed, or added, and what information they might have stolen. • If necessary, disconnect the computer from the network. • Don't let the problem compromise other computers.
Based on the damage, figure out the recovery plan. • Communicate the plan. • Also take this time to educate users and management about the problem and the steps to prevent it from happening again. • Implement the recovery plan.
Lastly, report the incident to the authorities. • CERT has a phone number, fax number, and web site for reporting incidents. • And if need be, call the police or FBI. • At worst this covers your "assets" in case of future problems, lawsuits, etc.
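The "make copies of all tracking information" step is the one that has to happen before anything else on the machine is touched, and the copies are only useful later (to management, CERT, or law enforcement) if you can show they have not changed since collection. The following is an added example of that step, not part of the lecture, in POSIX sh plus sha256sum from GNU coreutils. The log files and log lines it builds are constructed (198.51.100.7 is a documentation address), and it assumes the evidence directory is on separate, clean storage rather than the compromised disk.

```shell
#!/bin/sh
# Added example: preserve copies of logs and other tracking information
# before anything on a suspect machine is changed. Not from the lecture.
# Assumes POSIX sh plus sha256sum (GNU coreutils) and that EVIDENCE_DIR is
# on separate, clean storage (not the compromised disk).

# preserve_evidence EVIDENCE_DIR SOURCE...
# Copies each SOURCE (file or directory) under EVIDENCE_DIR/files, keeping
# timestamps, records the collection time, and writes a sha256 manifest
# so the copies can later be shown to be unchanged. Missing sources are
# noted rather than fatal: a wiped log is itself a finding.
preserve_evidence() {
    evidence=$1; shift
    mkdir -p "$evidence/files"
    for src in "$@"; do
        if [ ! -e "$src" ]; then
            echo "missing: $src" >> "$evidence/NOTES"
            continue
        fi
        # Flatten the path so copies cannot collide: /var/log/auth.log -> var_log_auth.log
        name=$(printf '%s' "$src" | sed 's#^/*##; s#/#_#g')
        cp -pR "$src" "$evidence/files/$name"
    done
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$evidence/COLLECTED_AT"
    ( cd "$evidence/files" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$evidence/MANIFEST.sha256"
}

# Re-hash the copies and compare with the manifest; exit 0 only if intact.
verify_evidence() {
    ( cd "$1/files" && sha256sum -c --quiet ../MANIFEST.sha256 ) >/dev/null 2>&1
}

# Constructed sample "machine": two log files present, one (wtmp) missing.
demo=$(mktemp -d)
mkdir -p "$demo/var/log"
printf 'Mar  3 02:14:07 host sshd[4121]: Accepted password for root from 198.51.100.7 port 51422 ssh2\n' \
    > "$demo/var/log/auth.log"
printf 'Mar  3 02:15:30 host su: (to root) alice on pts/1\n' > "$demo/var/log/messages"

preserve_evidence "$demo/evidence" "$demo/var/log/auth.log" "$demo/var/log/messages" "$demo/var/log/wtmp"
verify_evidence "$demo/evidence" && echo "evidence intact; manifest:" && cat "$demo/evidence/MANIFEST.sha256"
cat "$demo/evidence/NOTES"

# An altered copy is caught by the manifest.
copy=$(printf '%s' "$demo/var/log/auth.log" | sed 's#^/*##; s#/#_#g')
printf 'tampered\n' >> "$demo/evidence/files/$copy"
verify_evidence "$demo/evidence" || echo "ALERT: an evidence copy was modified"
rm -rf "$demo"
```

Collect with the system's own copies of cp and sha256sum only if you have no alternative; a trojaned login program (the Tripwire slide's example) is usually accompanied by trojaned utilities, so a statically linked toolkit on read-only media is the better source of the commands you run on a suspect host.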
Q & A