230 likes | 415 Views
NETWORK THREAT REVIEW. Agenda. In this section Network threats Worms Hackers Security holes Social engineering. NETWORK THREATS. Threats. Threats Network worms Hackers, crackers Security holes and vulnerabilities User-installed uncontrolled programs
E N D
Agenda • In this section • Network threats • Worms • Hackers • Security holes • Social engineering
Threats • Threats • Network worms • Hackers, crackers • Security holes and vulnerabilities • User-installed uncontrolled programs • Threats can be divided to external and internal ones based on where they originate from
Worm • WORM is a computer program that replicates independently by sending itself to other systems • E-mail worms • Spread using email in attachments • Network worms • Very fast at spreading • Network worms connect directly over the network • Bluetooth worm
Network Worms • Network worms use hacker techniques to automatically sneak in from the Internet • For example Nimda, Slammer, Lovsan, Slapper, Sasser • Connect directly over the network (extremely fast spreading) • Traditional antivirus response times are not enough to stop these worms from spreading, personal firewalls are needed • In a way, network worms are automated hacker attacks
Malware type: Network worm Replication mechanism: Exploits an LSASS security hole in Win 2000 and XP Payload: Installs a backdoor and launches an DDoS attack Effect: Caused unpatched machines to start to reboot Created problems in at least three large banks; rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded, etc. Example: Sasser (2004) Writer Sven Jaschen arrested 6 days after seeding
Case: Sasser Attack failedTCP 445 openLSASS patched Attack successful TCP 445 open LSASS unpatched
Virulence vs. Payload • Damage caused by worms can be measured by two key components • VIRULENCE measures how fast a worm spreads, how well the replication mechanism works • Aggressive spreading typically affects resources such as network bandwidth • Extremely virulent worms can cause system overload or failure • PAYLOAD measures what the worm does • May be carried by the worm or distributed later • Doesn’t have to be harmful • Not all worms have payloads, some only exist to propagate
Common Payloads • E-Mail proxies • Installed in stealth • Used as relays for spam distribution • Trojan backdoors • Used by the attacker to control the infected computers • Distributed Denial of Service (D-DoS)
D-DoS • Distributed Denial of Service • Overloading a service by misusing its resources • Very effective way to take someone down, not much one can do about it • Most famous incidents • February 2000: Yahoo, Amazon, CNN, eBay • Attacks done by a teenager “Mafiaboy” • January 2001: Microsoft • March 2003: www.aljazeera.net • August 2004: Gambling sites blackmail during Olympics
Slave Master D-DoS Example
Hacking • CRACKING (also HACKING) is gaining direct access to a target system • Wide range of methods available (stolen access information, finding open ports, known security holes, etc.) • Attacks can be divided to external attacks and internal attacks • EXPLOITis a common term for software that takes advantage of a bug, glitch, security hole or vulnerability • Vulnerability types include buffer overflow, format string attacks, race condition, cross-site scripting, and cross-site request forgery
Security Holes and Vulnerabilities • As all operating systems have security holes, the question is how fast the vulnerabilities are patched • Mostly hackers rely on patches to develop exploits • Full disclosure vs. security through obscurity • The average time between a vulnerability made public and the first exploit is getting shorter • Nimda, 365 days (2001) • Sasser, 18 days (2004) • Witty, 1 day (2004) Product ships Vulnerability found Hole publicied, patch issued Patch implemented Exploits appear
Linux vs. Windows • Average expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months in two years • Windows has an average life expectancy of a few minutes • Still, Microsoft usually is faster at releasing fixes to security holes • Also, Microsoft is becoming more security-conscious (SP2 for XP centres around security features only, anti-spyware tool) • Most direct intrusions are performed against Windows hosts • Lower level of basic protection, especially if not updated regularly • Windows dominates the market, which makes it an attractive target • Monoculture, homogenous environments
There were no major incidents in Linux operating system Linux users were targeted with a spam message that claimed a security vulnerability has been found in Fedora and the fix is available at fedora-redhat.com. The fake update file turned out to be a rootkit. Some bugs were found and SuSE dispatched three local security holes to prevent a local user from hacking the computer Opener, the first real malware for Apple Macintosh OS X was found Bash script containing a keylogger, a backdoor etc. Security holes were found (and patched in silence) in Samba, Squid, PHP and others Linux and OSX is 2004
Social Engineering and Users • Users have the possibility to install software which can leak out information – either by themselves or because they have been fooled in doing so • The line between ’good’ and ’bad’ programs is blurry (spyware, peer-to-peer software, etc.) • Worms and viruses are looking for non-protected entry points, such as Instant Messaging, peer-to-peer networks, Internet Relay Chat (IRC) • Companies typically do not have any means to prevent employees from using software that is not allowed • PHISHING means luring sensitive information (like passwords) from a victim by masquerading as someone trustworthy with a real need for such information
Company Visitors • Unsafe devices (laptops, PDAs, mobile phones) that visitors connect to the corporate network are a big threat • These devices might be infected with a fast spreading network worm • These may then try to infect not just internal but also external targets • Damage to the company reputation!
Other Attack Types • A wealth of other methods are available as well • Hacking • Exploiting a known weakness (vulnerabilities) of the operating system or application • Spoofing • IP spoofing: Changing the packet source address to falsify the actual source • DNS spoofing (poisoning): Changing DNS records • E-Mail spoofing: Changing the source e-mail address (e.g used in spam or phishing attacks) • URL / Web spoofing: Sites that look the same as the real ones, but are in fact plagiates (for example using extended domain names) • Scanning • Systematic scanning to find open ports or operating system
Uninvited Guests • Why? Who? • National interest (spies) • Personal gain (thiefs) • Personal fame (trespassers) • Curiosity (vandals, script kiddies)
Other Malware • MALWARE is a common name for all kinds of unwanted software such as viruses, worms, spyware and trojans • TROJAN HORSE (or trojan) is a program with hidden destructive functionality • SPAM means unsolicited bulk email, something the recipient did not ask for it and that is sent in large volumes
Viruses and Spyware • VIRUS is a computer program that replicates by attaching itself to another object • Boot sector virus • File virus • Macro virus • SPYWARE is software that aids in gathering information about a person or organization without their knowledge, and can relay this information back to an unauthorized third party File virus ”Funlove”
Summary • In this section • Network threats • Worms • Hackers • Security holes • Social engineering