01 threat (presentation transcript, added November 19, 2007)

The threat we face

What is security?
- We want computers to:
  - Do what they are supposed to do
  - When we want them to do it
  - With restrictions on who can read/modify data/programs
- Schneier: "enforcing a policy that describes rules for accessing resources"
- Security can be measured by compliance with that policy

Computers and crime
- Computers are often involved in crime in one of two ways:
  - They can be used as an "agent" of a crime
  - They can be the "victim" of a crime

Computers used as an agent of the crime
- Communication about drug deals, murder
- Exchange of copyrighted material
- Sharing, storing child porn
- Identity theft
- Harassment, death threats
- Fraud

Computers as the victim of the crime
- Destruction of data
- Programs subverted, replaced
- "Malware" installed
- Denial of service attacks
- To compromise other computers
- Share files
- Hide tracks
Who would do this?
- Someone who is out to get you
  - Disgruntled employee
  - Disgruntled patron
- Someone who is after something you have
- "Miscreants"
- "Random acts of violence"
  - Might not be targeting you
  - Most attacks are like muggings: wrong place and time

Who would do this?
- Activists ("hacktivists")
- Espionage
- Terrorists

Hackers/crackers?
- Hackers traditionally were *not* crooks
- Originally meant someone who is skilled, clever
- "Taken over" by the popular press
- Some use "crackers" (myself included at times)
- This can be confusing
- Miscreant is a pretty descriptive term

Why do they do this?
- Curiosity, "learning"
- Computer underground "economy"
- A means to an end (file sharing, warez sites)
- Hacktivism (web defacements, denial of service attacks)

A little about the miscreants...
- There's a small number of "clueful" people
  - They write most of the exploit scripts, rootkits and backdoors
  - These tools are "enabling technologies"
- There's a larger number of potential miscreants
  - They couldn't commit these attacks w/o the tools
  - The tools are *easy* to use

How do they do this?
- Scan for computers, services, vulnerabilities
- Gather information (accounts, operating system, software)
- Exploit vulnerabilities to gain access (or leverage access)
- Install back doors, possibly rootkits
- Use the computers for [fill in the blank]

Scanning
- Host
  - There are typically many unused addresses
  - Which ones have computers listening on them?
- Ports
  - Determine which network services each computer runs
  - May only be interested in specific services (e.g. IIS)
Information Gathering
- O/S fingerprinting
  - Typically done through TCP/IP stack "fingerprinting"
- Banner grabbing
  - Helps determine software type, version
- Account enumeration
  - Through null sessions, finger, whois, ldap, mailing lists, etc.

Exploits
- Typically automated
- May try multiple exploits
- Exploits take advantage of bugs, misconfigured systems, human error, design flaws to give the intruder access

Exploits
- Bugs (buffer overflows, race conditions)
- Misconfigured systems (no admin password)
- Human gullibility (many viruses)
- Design flaws (other viruses, attacks against weak passwords)

Exploits
- Most common exploits have patches (or workarounds) available
- Most people don't install patches
- 0-day exploits are new, unknown, typically no patches available

Exploits
- The exploit often installs a simple backdoor
  - Root shell via inetd on TCP/1524 on Unix
  - Dameware on Windows
- Intruder may scan for the backdoor to find successfully compromised systems
- In some cases (Netbus or Back Orifice installed via email) the intruder needs to search for the infected computers
- In other cases the backdoor "phones home" (Nethief)

Backdoors
- On success, intruder will often use the simple backdoor to gain access to the system and:
  - Install a better backdoor
  - Install a rootkit
  - Clean up traces of their intrusion on the system
  - Remove services or install patches to keep others from gaining access

Backdoors
- These vary in sophistication
- Simple:
  - Root shell on special TCP port
  - Extra ssh on a special port
  - Cmd.exe copied to a new location in the web tree

Backdoors
- Complex:
  - Back Orifice, Netbus
  - DDOS agents
  - Botnets
  - Nethief
  - Seteri

Case study: Nethief
- Attacker creates a special "agent" with the console, infects one or more victims with it.
- Console updates a web site with its current IP address (encrypted)
- Agents check the web site once a minute, send "here I am" traffic to console on udp/8102

Case study: Nethief
- Console displays list of agents
- Attacker picks an agent, console puts instructions for that agent on the web
- Agent gets instructions, contacts console on TCP/80
- Console now has access to all files (read, write, delete, create, execute...)
- Greenstuffsoft.com (warning: Chinese)

Rootkits
- Set of tools that the intruder installs on the system when it has been successfully compromised
- Typically includes backdoor, install scripts, tools for breaking into other systems, tools for hiding their tracks

Rootkits - Hiding
- Replacements for common applications
  - ps modified to not show certain processes
  - netstat modified to not show certain network connections
  - ls, du, find modified to not show certain files
  - etc.
- Kernel modules
  - If the O/S doesn't report X, there's little that you can do except image the disk and analyze it

Normal Software Hierarchy
(Diagram of the software layers: Operating System (kernel); Kernel modules; Dynamic Libraries; Statically Linked Programs; Dynamically Linked Programs)

Compromised Hierarchy
(Same layer diagram as above)
- Intruder replaces "good" programs with "bad" copies intended to hide their activity or provide a back door.
- E.g. ls, find, du might hide directories, ps might hide some processes, netstat might hide network activity, login might allow root access with a special password

Compromised Hierarchy
(Same layer diagram as above)
- Intruder installs a new kernel module that changes how the system behaves. This affects ALL programs running on the system.
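The Nethief agent described above announces itself to its console on udp/8102 once a minute, and that regularity is something a defender can look for in flow records. The following is an added example, not code from the presentation: it scans constructed flow records (timestamp, source, destination, protocol, destination port) for conversations whose inter-arrival times are nearly constant. The record format, the jitter threshold and the sample addresses are assumptions made for this example.

```python
"""Periodic-beacon detection over flow records (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, src, dst, proto, dport).
# Host 10.0.0.5 checks in with a console on udp/8102 about once a minute,
# with a little jitter; the remaining flows are ordinary traffic.
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.9",  "udp", 8102),
    (61,  "10.0.0.5", "203.0.113.9",  "udp", 8102),
    (119, "10.0.0.5", "203.0.113.9",  "udp", 8102),
    (181, "10.0.0.5", "203.0.113.9",  "udp", 8102),
    (240, "10.0.0.5", "203.0.113.9",  "udp", 8102),
    (300, "10.0.0.5", "203.0.113.9",  "udp", 8102),
    (12,  "10.0.0.7", "198.51.100.4", "udp", 53),
    (15,  "10.0.0.7", "198.51.100.4", "udp", 53),
    (140, "10.0.0.7", "198.51.100.4", "udp", 53),
    (290, "10.0.0.7", "198.51.100.4", "udp", 53),
    (33,  "10.0.0.5", "192.0.2.10",   "tcp", 80),
]


def find_beacons(flows, min_flows=5, max_jitter_ratio=0.1):
    """Return (src, dst, proto, dport, mean_interval) for each conversation
    with at least min_flows records whose gaps between records are nearly
    constant (standard deviation within max_jitter_ratio of the mean)."""
    by_conversation = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_conversation[(src, dst, proto, dport)].append(ts)

    hits = []
    for conversation, times in by_conversation.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Human-driven traffic (the DNS lookups above) has irregular gaps;
        # a scheduled check-in has gaps that cluster tightly around one value.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append(conversation + (avg,))
    return hits


if __name__ == "__main__":
    for src, dst, proto, dport, interval in find_beacons(FLOWS):
        print(f"{src} -> {dst} {proto}/{dport}: beacon every ~{interval:.0f}s")
```

The DNS conversation has enough records but irregular gaps, so it is not reported; the udp/8102 conversation is reported with a 60-second interval. Real flow data needs a longer observation window and a whitelist for legitimate scheduled traffic (NTP, monitoring agents), but the shape of the check is the same.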
Case study: Knark
- Knark: a loadable kernel module rootkit for Linux
- Hides files, directories, net connections
- Hides processes (inherited)
- Exec redirection: run sshd.bad when they ask for sshd
- Hides modules, execute programs as root
- And so on...

Response to kernel rootkits
- Good argument for prevention
- Examine the disk contents (portable forensics)
- Log reconciliation
  - Compare logs from host against external logs (e.g. network traffic logs), look for differences
  - E.g. telnet connection, but no login session

Distributed Attack Tools
- Basic idea is to split phases of the attack, or pieces of a denial of service mechanism, across multiple hosts
- Harder to detect: easier to drop below intrusion detection threshold, hard to correlate seemingly pointless traffic from multiple sources.

Sample Distributed Attack
(Diagram, labelled steps 1-3: probe sources and probed hosts; attack hosts and compromised hosts; denial of service sources and denial of service victims)

Viruses and Worms
- The terminology is often misused
- Virus
  - Malicious software installed into another, otherwise "normal" program
  - "Infection part" looks for other files/programs to infect
  - "Payload part" does something (sends email, deletes files, etc.)
  - Frequently requires human intervention to spread (e.g. execute attachment)

Viruses and Worms
- Worm
  - Stand-alone program, not attached to another
  - Typically spreads automatically

Case study: SQL/Slammer (Sapphire) Worm

How does SQL/Slammer Infect a Computer?
- Through the SQL Locator Service
  - Microsoft SQL is a network database server
  - SQL Locator Service is a network service for finding SQL databases
- Some versions of the SQL Locator Service have a bug
- SQL/Slammer was written to take advantage of this bug
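The log reconciliation step above (a telnet connection in the network logs with no matching login session on the host) can be scripted. This is an added example, not part of the presentation: it takes a constructed network sensor log and a constructed host login record and reports inbound connections to a port that no login from the same source explains within a short window. The two log line formats, the 60-second window and the addresses are assumptions made for this example.

```python
"""Reconcile external network logs against host login records (constructed data)."""
from datetime import datetime, timedelta

# Constructed sensor log: inbound TCP connections as the network monitor saw
# them. Format: "<ISO time> <src_ip> -> <dst_ip>:<dport>".
NETWORK_LOG = """\
2003-02-01T10:00:05 192.0.2.44 -> 10.0.0.12:23
2003-02-01T10:17:40 192.0.2.44 -> 10.0.0.12:23
2003-02-01T11:02:13 198.51.100.7 -> 10.0.0.12:23
"""

# Constructed host login records for 10.0.0.12 (what the host's own login
# accounting reports). Format: "<user> <src_ip> <ISO login time>". The
# 10:17 telnet session is absent: a kernel rootkit hiding the intruder's
# session would leave exactly this gap.
HOST_LOG = """\
alice 192.0.2.44 2003-02-01T10:00:09
bob 198.51.100.7 2003-02-01T11:02:20
"""


def parse_network_log(text):
    """Yield (time, src, dst, dport) from the constructed sensor log format."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        sessions.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sessions


def parse_host_log(text):
    """Yield (time, user, src) from the constructed host login format."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, src, ts = line.split()
        logins.append((datetime.fromisoformat(ts), user, src))
    return logins


def unexplained_sessions(network_text, host_text, port=23,
                         window=timedelta(seconds=60)):
    """Return (time, src, dst) for each network connection to `port` that no
    host login from the same source explains within `window` afterwards.
    The network sensor is the ground truth here because a compromised kernel
    can hide what the host itself reports."""
    logins = parse_host_log(host_text)
    missing = []
    for ts, src, dst, dport in parse_network_log(network_text):
        if dport != port:
            continue
        explained = any(
            login_src == src and timedelta(0) <= login_ts - ts <= window
            for login_ts, _user, login_src in logins
        )
        if not explained:
            missing.append((ts.isoformat(), src, dst))
    return missing


if __name__ == "__main__":
    for ts, src, dst in unexplained_sessions(NETWORK_LOG, HOST_LOG):
        print(f"{ts}: telnet from {src} to {dst} with no login recorded on host")
```

A hit is not proof of a rootkit on its own (a failed password produces the same gap), so the output is a list of sessions to examine in the disk image, which is the "portable forensics" step the slide pairs with reconciliation.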
More Specifically...
- The bug that SQL/Slammer used is a type of "buffer overflow" attack
- A buffer overflow attack is when the attacker sends more data than the receiving buffer was sized to hold
- This can enable the attacker to insert their program into the program receiving the data and execute it
- If it works the good program is replaced with a copy of the worm

(Slides 36-37: diagram of SQL/Slammer data overflowing the SQL Locator Service buffer. Slides 38-43: animation of the infection spreading among six computers.)

SQL/Slammer Growth
- Stats from "The Spread of the Sapphire/Slammer Worm" (www.caida.org)
- The doubling time in the first minute was 8.5 seconds
- Reached its full scanning rate after 3 minutes (55 million/second)
- Most computers were infected within 10 minutes
- 100 Mb/s link == 30,000 scans/second!

More Statistics
- 34 OSU computers were infected at the peak
- "Took out" our network for several hours
- Peak traffic: 1.4 million/hour in, 26.6 million/hour out
- 1 computer sourced ~80Mb/s of traffic
- We are still seeing Slammer traffic, infected computers at OSU

Macro Viruses
- The "virus" is code (e.g. VBscript) in a document of some sort
- Could be called worms
- We frequently refer to all malicious software as "malware"
Denial Of Service (DOS) attacks
- Goal is to undermine the availability of a computer or service
  - Attacks on Dalai Lama web sites
  - Escalating arguments from miscreants on chat rooms
- Can be done various ways
  - Send *large* amounts of traffic at a target
  - Send traffic that triggers a bug that causes the network server to hang, or causes the computer to crash

Distributed Denial of Service (DDOS) attacks
- Attacker installs an agent program
- Agents are controlled through a master program
- Attacker sends commands to the agents through the master:
  - Scan
  - Various types of DOS attacks
  - Update
  - Uninstall

DDOS attacks
- Frequently use encryption
- Imagine 1000 agents sending large amounts of traffic at a target!
- Example: TFN, Stacheldraht

(Diagram: the attacker controls several masters, each master controls several agents, and all agents are aimed at one victim)

Botnets
- Agent programs that communicate through messaging services (typically IRC)
- Similar to DDOS networks
  - No master
  - More generic uses: file sharing, scanning, DOS
- 10,000-50,000 botnets, biggest with 18,000 computers
- Backdoors in the bots

Hacker tools
- Typically automate task of scan, data collection, exploit, and rootkit installation
- Increasingly sophisticated
- Easy to use: GUI, interactive help, 800 numbers for support...
- Enabling technology
- Neptune
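The DDOS and botnet slides above describe hundreds or thousands of agents sending traffic at one target at the same time. What the target's network sees is a sudden fan-in of many distinct sources onto one destination, and that is what this added example counts; it is not code from the presentation. It builds a constructed packet sample (a few ordinary clients plus 200 agents flooding one server for ten seconds) and flags any destination and time bucket with more distinct sources than a threshold. The packet record format, the bucket size, the threshold and the addresses are assumptions made for this example.

```python
"""Fan-in (distributed flood) detection over packet records (constructed data)."""
from collections import defaultdict


def constructed_packets():
    """Constructed packet records: (timestamp in seconds, src, dst, bytes)."""
    packets = []
    # Background: five clients talking to the web server over two minutes.
    for t in range(0, 120, 3):
        packets.append((t, f"198.51.100.{t % 5 + 1}", "192.0.2.1", 600))
    # Flood: 200 agents each send 20 packets to the same server during
    # the ten seconds starting at t=100.
    for i in range(200):
        agent = f"10.20.{i // 200}.{i % 200 + 1}"
        for k in range(20):
            packets.append((100 + k * 0.5, agent, "192.0.2.1", 1400))
    return packets


def detect_floods(packets, bucket=10, min_sources=50):
    """Return sorted (dst, bucket_start, distinct_sources, total_bytes) for
    every destination/time bucket that received traffic from at least
    min_sources distinct sources. A single client never trips this, which is
    the point: the signal of a DDOS is breadth of sources, not one loud host."""
    per_bucket = defaultdict(lambda: [set(), 0])
    for ts, src, dst, nbytes in packets:
        key = (dst, int(ts // bucket) * bucket)
        sources, _total = per_bucket[key]
        sources.add(src)
        per_bucket[key][1] += nbytes

    return sorted(
        (dst, start, len(sources), total)
        for (dst, start), (sources, total) in per_bucket.items()
        if len(sources) >= min_sources
    )


if __name__ == "__main__":
    for dst, start, n_src, total in detect_floods(constructed_packets()):
        print(f"{dst} t={start}s-{start + 10}s: {n_src} sources, {total} bytes")
```

The threshold has to be set from the destination's normal baseline; a popular web server legitimately sees hundreds of distinct clients per ten seconds, so for such hosts the comparison is against the usual count rather than a fixed number. The slide's point that distributed tools try to stay below detection thresholds applies here too: an attacker who spreads the same load over a longer window lowers the per-bucket count.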
Network sniffing
- Old school: plain old promiscuous sniffing
- Switches "fixed" that
- New school: "directed" sniffing ("dsniff")
  - Switch learning table overloading
  - ARP redirection
  - DHCP hijacking

Wireless attacks
- Wardriving, stumbling, chalking (kismet, netstumbler)
- Blackhat 2002 - Mike Lynn and Robert Baird
  - WLAN-jack: kick everyone off
  - ESSID-jack: get essid
  - Monkey-jack: create fake AP, force people to associate with it, facilitates "man in the middle" attacks

Router Attacks
- Cisco IOS exploits
- Boxes with default or no password
- Exploring BGP
  - 17,000 owned Cisco's, 2 running BGP
  - 15,000 Cayman
  - 64,000 "smurf" networks

Anti-forensics
- Defiler's toolkit: inode, deleted file scrubbing
- Evidence-eliminator.com

Software Distribution Woes
- *Not* just a problem for the open-source community
- Sendmail FTP scam
  - Intruders apparently modified the FTP server
  - Every ~10th caller gets modified sendmail distribution
  - Distribution installs a backdoor as part of the installation process

Software Distribution (continued)
- Trojaned OpenSSH distribution
  - Intruders gained access to the FTP server, replaced the distribution with their own
- Answer: Download software with care!
  - Always check distribution signatures with PGP, MD5, etc.
  - Compile/install software with least privileges
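The answer on the Software Distribution slides above is to check a distribution against a signature or digest before installing it. This added example (not the presentation's code) shows the digest half of that check: it parses a published checksum list in the sha256sum/md5sum line format, hashes each downloaded archive, and reports which match, which differ, and which have no published checksum at all. The archive bytes, file names and checksum list are constructed for the example; the checksum list is computed from the "good" bytes here only so that the example runs stand-alone.

```python
"""Verify downloaded distributions against a published checksum list (constructed data)."""
import hashlib
import hmac

# Constructed stand-ins for the archives as the projects published them.
GOOD_SENDMAIL = b"sendmail-X.Y.Z.tar.gz: <original archive bytes>"
GOOD_OPENSSH = b"openssh-X.Y.tar.gz: <original archive bytes>"

# The length of a hex digest identifies the algorithm that produced it.
ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def digest(data, algorithm="sha256"):
    """Hex digest of in-memory data."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256", chunk=1 << 20):
    """Hex digest of a file, read in chunks so a large archive need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Published checksum list in the sha256sum/md5sum format ("<hex>  <filename>").
# Computed from the good bytes here only to keep the example self-contained;
# in practice it comes from a signed announcement or a channel the mirror
# operator does not control.
PUBLISHED_CHECKSUMS = (
    f"{digest(GOOD_SENDMAIL)}  sendmail-X.Y.Z.tar.gz\n"
    f"{digest(GOOD_OPENSSH, 'md5')}  openssh-X.Y.tar.gz\n"
)

# What the FTP mirror actually served: sendmail intact, openssh altered by
# one trailing byte, and an archive for which nothing was published.
DOWNLOADED = {
    "sendmail-X.Y.Z.tar.gz": GOOD_SENDMAIL,
    "openssh-X.Y.tar.gz": GOOD_OPENSSH + b"\x00",
    "other-tool.tar.gz": b"archive bytes nobody published a checksum for",
}


def parse_checksum_list(text):
    """Map filename -> (algorithm, hex digest) from sum-style lines."""
    published = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        hexdigest, name = parts
        algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(hexdigest))
        if algorithm is None:
            continue
        # sum tools prefix binary-mode entries with '*'; strip it.
        published[name.lstrip("*")] = (algorithm, hexdigest.lower())
    return published


def verify_downloads(downloaded, checksum_text):
    """Return filename -> 'ok', 'MISMATCH' or 'no published checksum'."""
    published = parse_checksum_list(checksum_text)
    results = {}
    for name, data in downloaded.items():
        if name not in published:
            results[name] = "no published checksum"
            continue
        algorithm, expected = published[name]
        # compare_digest does not short-circuit on the first differing byte.
        matches = hmac.compare_digest(digest(data, algorithm), expected)
        results[name] = "ok" if matches else "MISMATCH"
    return results


if __name__ == "__main__":
    for name, status in verify_downloads(DOWNLOADED, PUBLISHED_CHECKSUMS).items():
        print(f"{status:22} {name}")
```

A checksum fetched from the same server as the archive only proves the two match, which an intruder who replaced the archive can arrange just as easily; the value has to come from somewhere the intruder did not control, which is what the PGP signature the slide mentions provides. MD5 is adequate for catching accidental corruption, but against deliberate substitution prefer a SHA-256 digest or the signature.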
Disabling Local Security Measures
- Bugbear disables local firewall, anti-virus services
- On the other hand, it is increasingly common for exploit scripts to install patches or disable services
  - Not altruism! An attempt to keep other miscreants from "owning" this computer

Increased Use of Spyware
- Increasingly common for malware to use keystroke loggers (Bugbear)
- There are various plug-ins, peer to peer file sharing programs that "share" personal information with other parties

Syscall Proxies
- Blackhat 2002 - Maximiliano Caceres
- Old school: use buffer overflow to execute a shell where you execute commands remotely
- New school: set up a simple RPC syscall proxy. Applications on the attacking end can then "run" on the victim end transparently

Spike, Other Vulnerability Discovery Tools
- Blackhat 2002 - Dave Aitel
- Toolkit to reproduce a protocol and automate the process of finding buffer overflows
- Doesn't automate the whole process, but takes much of the tedium out of it

Some trends
- Faster
  - Code Red took several hours to infect "everything"
  - "Research" on so-called "Warhol Worms"
  - Slammer took 10 minutes
- Stealthier
  - Use of encryption, authentication
  - Kernel modules

Some trends
- Firewall-aware
  - Nethief, Seteri
  - DC Phone Home (Blackhat Briefings, US, August 2002)
- Multi-exploit, multi-platform
  - Sadmind worm
- Increasing automation

Some trends
- Dynamic updates
  - Imagine if they can add exploits, platforms "on the fly"
- Distributed, cooperative
- "New" communications channels
  - ICMP, IM, web sites and proxies
- Increasing use of cryptography

Some trends
- Remote file sharing (NFS, SMB)
  - For tools, logs
  - As exploit avenue