Attacks on Computer Systems
Hans Hedbom
Attacks
• "Non-Technical" attacks
  • Example: social engineering, phishing
  • Cause: low user awareness or missing policies/routines
• Technical attacks
  • Example: see following slides
  • Cause: transitive trust; bugs and configuration errors in apps and OS; vulnerabilities in protocols and network infrastructure
Threats to confidentiality
[Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
SYN attacks
TCP event diagram: client sends SYN to server; server answers SYN,ACK; client completes with ACK. A half-open entry (SYN received, no ACK yet) is kept for a timeout of about 4 minutes.
• The attacker sends a large number of SYN packets to the server
• This fills up the server's SYN buffer (the queue of half-open connections)
• The server is unable to accept more connections: Denial of Service
IP Fragmentation Attack
Diagram: the original IP packet (header + data) is split into Fragment 1 at offset 0 and Fragment 2 at offset 16, each carrying its own header (H) and part of the data; the diagram also marks offset 20, and the reassembled packet shows the two fragments overlapping ("Overlap!").
• Intentional fragmentation of IP packets may confuse routers, firewalls and servers.
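Added example, not from the slides: a small reassembler that reports the overlap the diagram shows and rebuilds the packet under the two policies devices have used (the first fragment wins, or the last one does). The fragment contents are constructed, and offsets are plain byte offsets here, whereas real IP fragment offsets count 8-byte units.

```python
from typing import List, Tuple

Fragment = Tuple[int, bytes]   # (byte offset of this fragment, its payload)

def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges that more than one fragment claims."""
    overlaps = []
    ordered = sorted(frags, key=lambda f: f[0])
    for i, (off_a, data_a) in enumerate(ordered):
        end_a = off_a + len(data_a)
        for off_b, data_b in ordered[i + 1:]:
            if off_b >= end_a:
                break                      # sorted by offset: no later overlap
            overlaps.append((off_b, min(end_a, off_b + len(data_b))))
    return overlaps

def reassemble(frags: List[Fragment], policy: str = "first") -> bytes:
    """Reassemble in arrival order; on overlap the 'first' or the 'last'
    fragment wins. Stacks and firewalls have differed on this choice, which
    is why a packet can look different to the inspecting device and the host."""
    total = max(off + len(data) for off, data in frags)
    buf, written = bytearray(total), bytearray(total)
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
            written[pos] = 1
    return bytes(buf)

# Constructed fragments mirroring the slide: fragment 1 at offset 0 covers
# bytes 0..19, fragment 2 starts at offset 16, so bytes 16..19 are claimed twice.
FRAG1 = (0, b"GET /index.html ABCD")
FRAG2 = (16, b"WXYZ HTTP/1.0\r\n")

if __name__ == "__main__":
    print(find_overlaps([FRAG1, FRAG2]))
    print(reassemble([FRAG1, FRAG2], "first"))
    print(reassemble([FRAG1, FRAG2], "last"))
```

A firewall that keeps the first fragment sees "ABCD" where a host that prefers the last sees "WXYZ"; a defensive reassembler should simply drop any datagram whose fragments overlap.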
Sniffer Attacks
Diagram: a Telnet client talks to a Telnet server over an IP network (password in the clear); an attacker on the same segment reads the traffic.
• Eavesdropping on a network segment.
Passwords over the Net
Protocols that carry passwords over the network: Telnet, FTP, Rlogin, Rexec, POP, SNMP, NFS, SMB, HTTP.
IP-Spoofing
Diagram: an NFS client sends an NFS request to an NFS server over an IP network and gets an NFS response; the attacker takes part with a SYN attack and forged packets.
• Counterfeiting of IP sender addresses when using UDP and TCP.
Session Hijacking
Diagram: Telnet traffic between a Telnet client and a Telnet server over an IP network; the attacker combines a SYN attack with IP spoofing.
• The attacker hijacks a session between a client and a server; it could for example be an administrator using Telnet for remote login.
DNS Cache Poisoning
• DNS = Domain Name Service
  • primarily used to translate names into IP addresses
  • e.g. "www.sunet.se" to "192.36.125.18"
• The attack: data injection into the DNS server
• Cross-checking an address might help
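Added example, not from the slides, going a little beyond the "cross checking" hint: the checks a caching resolver applies before letting a reply into its cache (transaction id and port must match an outstanding query, the question must match, and every answer must lie inside the bailiwick of the zone asked about). Messages are constructed dicts rather than wire-format DNS.

```python
from typing import Dict, Tuple

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    def __init__(self) -> None:
        # (txid, source port) -> (qname, zone) for queries still awaiting a reply
        self.pending: Dict[Tuple[int, int], Tuple[str, str]] = {}
        self.records: Dict[str, str] = {}

    def send_query(self, txid: int, port: int, qname: str, zone: str) -> None:
        """Remember the outstanding query; only a reply that matches it is accepted."""
        self.pending[(txid, port)] = (qname, zone)

    def accept(self, reply: dict) -> bool:
        key = (reply["txid"], reply["dst_port"])
        if key not in self.pending:
            return False                     # unsolicited, or txid/port guessed wrong
        qname, zone = self.pending[key]
        if reply["question"].lower() != qname.lower():
            return False                     # answers a question we did not ask
        if any(not in_bailiwick(n, zone) for n, _ in reply["answers"]):
            return False                     # tries to plant data for another zone
        del self.pending[key]
        for rr_name, addr in reply["answers"]:
            self.records[rr_name.lower()] = addr
        return True

def demo() -> Tuple[bool, bool, Dict[str, str]]:
    c = ResolverCache()
    c.send_query(0x1A2B, 40123, "www.sunet.se", "sunet.se")
    # Constructed forged reply: matching txid/port, but it also carries a record
    # for a name outside sunet.se, which the injection relies on being cached.
    forged = {"txid": 0x1A2B, "dst_port": 40123, "question": "www.sunet.se",
              "answers": [("www.sunet.se", "10.0.0.1"), ("www.example.com", "10.0.0.2")]}
    genuine = {"txid": 0x1A2B, "dst_port": 40123, "question": "www.sunet.se",
               "answers": [("www.sunet.se", "192.36.125.18")]}
    return c.accept(forged), c.accept(genuine), dict(c.records)
```

These checks narrow the window but do not close it: a forged reply that guesses the right txid and port and stays inside the bailiwick would still be cached, which is why the slide's cross-checking against a second source still matters.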
Race Condition Attacks
Diagram: on the application side (/usr/bin/ps working on /tmp/ps_data) the steps are Create file, Store data, Use data, Remove file; on the attacker side the steps are Create link and Set SUID, with /tmp/sh as the result.
• Exploits software that performs operations in an improper sequence, e.g. psrace (Solaris 2.x).
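Added example, not from the slides: how an application should create its temporary file so that a link planted in advance at a predictable name (the psrace pattern) cannot redirect the write. The directory, file names and the planted link are constructed for the demo; it assumes a POSIX system.

```python
import os
import tempfile

def create_private_tmp(path: str) -> int:
    """Create and open path for writing only if this process creates it.
    O_EXCL fails if anything (file or symlink) already exists, O_NOFOLLOW
    refuses to follow a symlink, and mode 0o600 keeps the file private from
    the moment it exists. Returns the open file descriptor."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)

def demo() -> dict:
    """Constructed replay of the race: a link is planted at the predictable
    name before the application opens it."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sh")          # stands in for /tmp/sh
        planted = os.path.join(d, "ps_data")    # stands in for /tmp/ps_data
        os.symlink(target, planted)             # the pre-planted link
        # The naive open follows the link, so the data lands in 'sh'.
        with open(planted, "w") as f:
            f.write("data")
        results["naive_followed_link"] = os.path.exists(target)
        # Exclusive create refuses because the name is already taken.
        try:
            os.close(create_private_tmp(planted))
            results["exclusive_open_refused"] = False
        except FileExistsError:
            results["exclusive_open_refused"] = True
        # Better still: let the OS pick an unpredictable name atomically.
        fd, _ = tempfile.mkstemp(dir=d)
        results["mkstemp_mode_private"] = (os.fstat(fd).st_mode & 0o777) == 0o600
        os.close(fd)
    return results
```

The same rule applies to every later step in the diagram: operate on the open file descriptor (fchmod, fstat, write), never on the path name again, so the attacker cannot swap the link between check and use.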
Buffer overflows
• Buffer overflow accounts for 50 % of the security bugs (Viega and McGraw).
• Data is stored in allocated memory called a buffer. If more data needs to be stored than the buffer holds, the additional bytes have to go somewhere: the buffer overflows and data is written past its bounds.
Browser Vulnerabilities
[Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Window of Exposure
[Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Phishing
• Phishing (only works with predictable or time-invariant values): trick the user into accessing a forged web page.
Sequence diagram (user and forged web page over SSL/TLS): 1. Username; 2. Ask for login credentials; 3. Give login credentials; 4. OK, alternatively Deny (error code).
Phishing
[Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Pharming
Sequence diagram (challenge-response login, each message relayed hop by hop): 1. Username; 2. Username; 3. Challenge; 4. Challenge; 5. Challenge; 6. Response; 7. Response; 8. Response; 9. OK, alternatively Deny.
What is SQL Injection?
// Vulnerable login query (PHP): the user-supplied name and password are
// concatenated straight into the SQL text, so a quote in the input changes the query.
$name = $HTTP_POST_VARS["name"];
$passwd = $HTTP_POST_VARS["passwd"];
$query = "select name from users where name = '" . $name . "' and passwd = '" . $passwd . "'";
$result = mysql_query($query);
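Added example, not from the slides: the query above rebuilt with Python's sqlite3 on an in-memory table so the injection can be reproduced and the parameterized fix compared offline. The table, the account and the malicious password are constructed.

```python
import sqlite3

def setup() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, passwd text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    return conn

def login_concat(conn: sqlite3.Connection, name: str, passwd: str):
    """Same construction as the slide's PHP: input pasted into the SQL text."""
    query = ("select name from users where name = '" + name
             + "' and passwd = '" + passwd + "'")
    return conn.execute(query).fetchone()

def login_param(conn: sqlite3.Connection, name: str, passwd: str):
    """Fixed version: placeholders, so the driver passes the values as data
    and a quote inside them can never terminate the string literal."""
    query = "select name from users where name = ? and passwd = ?"
    return conn.execute(query, (name, passwd)).fetchone()

def demo() -> dict:
    conn = setup()
    # Constructed malicious password: closes the quote and appends an always-true clause.
    bad_passwd = "x' or '1'='1"
    return {
        "concat_correct":  login_concat(conn, "alice", "s3cret"),
        "concat_injected": login_concat(conn, "alice", bad_passwd),
        "param_correct":   login_param(conn, "alice", "s3cret"),
        "param_injected":  login_param(conn, "alice", bad_passwd),
    }
```
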
Bot-nets
A bot-net is a large collection of compromised computers under the control of a command and control server. A bot-net consists of bots (the malicious program), drones (the hijacked computers) and one or more C&C servers. A bot is usually a combination of a worm and a backdoor. IRC and HTTP are the primary communication protocols in today's bot-nets. Bots are usually self-spreading and modular.
Uses of bot-nets
Bot-nets could be used for the following:
• Click fraud: making drones click on specific advertisements on the web.
• DDoS: for financial gain or blackmail.
• Keylogging: for financial gain and identity theft.
• Warez: collecting, spreading and storing.
• Spam: for financial gain.
• And of course as a private communication network.
Detecting and preventing bot-nets
• Detection is all about finding the C&C server.
  • Look for suspicious traffic patterns in firewall logs and other logs.
  • Take note of servers with a high number of incoming connections.
  • Monitor the suspicious C&C and inform the owner and the authorities when you are sure that it is a bot-net controller.
• Prevention
  • All the usual rules apply: patch and protect. Do egress filtering in firewalls as well as ingress. This will stop infections from spreading and could block outgoing traffic from drones within the intranet.
• Problems
  • Some bot-nets are encrypted.
  • Tracking the C&C to the real bot-net owner can be hard.
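Added example, not from the slides: a scan of firewall log lines for the pattern the detection bullets describe, an outside host that many distinct internal machines connect to. The log format, the 10.0.0.0/8 intranet assumption and the sample lines are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed log format: "<timestamp> fw kernel: ACCEPT src=<ip> dst=<ip> dport=<port>"
LINE = re.compile(r"\bACCEPT src=(\S+) dst=(\S+) dport=(\d+)")

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")            # assumption: the intranet is 10.0.0.0/8

def find_candidate_cc(lines: Iterable[str], min_sources: int = 3) -> Dict[Tuple[str, int], List[str]]:
    """Group accepted outbound connections by (destination, port) and report
    destinations that at least min_sources distinct internal hosts talk to."""
    sources = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                        # dropped packets or unrelated log lines
        src, dst, dport = m.groups()
        if not is_internal(src) or is_internal(dst):
            continue                        # only intranet -> outside traffic counts
        sources[(dst, int(dport))].add(src)
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}

# Constructed sample: three hosts all connect to one outside host on 6667 (IRC),
# two browse the same web site, one talks to the internal DNS server.
SAMPLE = [
    "Apr 12 10:01:02 fw kernel: ACCEPT src=10.0.0.11 dst=203.0.113.7 dport=6667",
    "Apr 12 10:01:05 fw kernel: ACCEPT src=10.0.0.12 dst=203.0.113.7 dport=6667",
    "Apr 12 10:01:09 fw kernel: ACCEPT src=10.0.0.13 dst=203.0.113.7 dport=6667",
    "Apr 12 10:01:10 fw kernel: ACCEPT src=10.0.0.11 dst=198.51.100.20 dport=80",
    "Apr 12 10:01:11 fw kernel: ACCEPT src=10.0.0.12 dst=198.51.100.20 dport=80",
    "Apr 12 10:01:12 fw kernel: ACCEPT src=10.0.0.13 dst=10.0.0.1 dport=53",
    "Apr 12 10:01:13 fw kernel: DROP src=10.0.0.14 dst=203.0.113.7 dport=6667",
]

if __name__ == "__main__":
    for (dst, port), hosts in find_candidate_cc(SAMPLE).items():
        print(f"possible C&C {dst}:{port} contacted by {len(hosts)} internal hosts: {hosts}")
```

A hit is only a lead: popular legitimate services produce the same fan-in, so confirm by looking at the sessions themselves before reporting, as the slide says.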
Bot activity
[Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]