Software Security and Systems Design


Information Assurance and
Computing Systems
Special Presentation
By
Dr. AFCCP QSL WYLE (AKA Dr. Yang)
What is the talk not about?
• A thorough coverage of solutions to
information assurance issues,
• An in-depth coverage of cryptography,
database security, operating system security, or
network security.
What is the talk about?
• A brief introduction to information
assurance issues in computing,
• A brief introduction to defense strategies
or countermeasures,
• Introduction to the area of computer
forensics, and
• Emerging attacks.
Objectives
• Raise awareness about information
assurance issues,
• Share resources on how hackers
attack and how campus networks can defend
against malicious attacks, and
• Survey how students react to IA topics.
Outline (in disguise)
Outline
• Introduction to the
expedition of software
security
• Attacks
• Countermeasures
• Conclusion
Fasten the seat belt please!
Turbulence detected
ahead!!
Short Stories
Some historical ones:
• (1942) Against Japan: cryptanalysis identified “AF” as
“Midway Island” in intercepted Japanese naval codes.
• (1989) C. Stoll, “The Cuckoo’s Egg”.
• (1988) Robert Morris worm: released from MIT, although Morris
was a Cornell student. He was sentenced to three years of
probation, a fine of $10,050, and 400 hours of community
service.
Some more recent ones:
• (1999) Chernobyl (CIH) virus, originated in Taiwan.
• (2005) Virus attacks by the Bagle (or Beagle) virus.
• And many more.
Are there security issues in
computing areas?
• Operating systems - Windows
• Database systems - Telephone Database
• Application systems - EZ-Pass
• Network systems - Too many problems
• Web application systems – SQL Injection
• E-mail systems – Viruses, SPAM
Is a security breach a hole in
software?
• Yes!
– buffer overflow
– SQL injection
– telnet
– ftp
Is a security breach a hole in
software?
• No!
– password
– virus
– SPAM
Security
• Confidentiality
• Integrity
• Availability
• Authenticity
• Authority and privileges
Hacking Strategies
Attack Phase I: Reconnaissance & Scanning
ARIN and whois search
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\75CYANG.PASSHE.000>nmap -v -A -T4 -P0 taz.cs.wcupa.edu
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-13 12:06 Eastern Daylight Time
Initiating Parallel DNS resolution of 1 host. at 12:06
Completed Parallel DNS resolution of 1 host. at 12:06, 0.35s elapsed
Initiating SYN Stealth Scan at 12:06
Scanning taz.cs.wcupa.edu (144.26.29.100) [1697 ports]
Discovered open port 22/tcp on 144.26.29.100
Discovered open port 80/tcp on 144.26.29.100
Discovered open port 21/tcp on 144.26.29.100
Discovered open port 443/tcp on 144.26.29.100
Discovered open port 25/tcp on 144.26.29.100
SYN Stealth Scan Timing: About 9.99% done; ETC: 12:11 (0:04:31 remaining)
Increasing send delay for 144.26.29.100 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
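The scan above already tells the defender most of what the attacker learns. The following is an added example, not part of the original slides: it parses the "Discovered open port" lines that nmap prints in verbose mode and flags the services that, by default, carry logins or content in the clear (the telnet/ftp problem the talk returns to later). SAMPLE_OUTPUT is constructed from the lines shown on the slide; the cleartext-port table is an assumption of this example.

```python
"""Triage open ports from verbose nmap output.

Added example, not from the original slides.  SAMPLE_OUTPUT is constructed
from the scan lines shown above; CLEARTEXT_SERVICES is this example's own
table of well-known ports whose default protocol sends credentials or
content unencrypted.
"""
import re
from collections import defaultdict

CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
                      110: "pop3", 143: "imap"}

# nmap -v prints one of these lines per open port it discovers.
OPEN_PORT_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")

SAMPLE_OUTPUT = """\
Initiating SYN Stealth Scan at 12:06
Scanning taz.cs.wcupa.edu (144.26.29.100) [1697 ports]
Discovered open port 22/tcp on 144.26.29.100
Discovered open port 80/tcp on 144.26.29.100
Discovered open port 21/tcp on 144.26.29.100
Discovered open port 443/tcp on 144.26.29.100
Discovered open port 25/tcp on 144.26.29.100
SYN Stealth Scan Timing: About 9.99% done; ETC: 12:11 (0:04:31 remaining)
"""


def parse_open_ports(text: str) -> dict:
    """Return {host: sorted list of (port, proto)} from verbose nmap output."""
    hosts = defaultdict(set)
    for m in OPEN_PORT_RE.finditer(text):
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        hosts[host].add((port, proto))
    return {host: sorted(ports) for host, ports in hosts.items()}


def cleartext_exposure(ports) -> dict:
    """Given [(port, proto)], return {port: service} for the cleartext protocols among them."""
    return {port: CLEARTEXT_SERVICES[port]
            for port, proto in ports
            if proto == "tcp" and port in CLEARTEXT_SERVICES}


def triage(text: str) -> dict:
    """Per host: the open port list and the subset that needs an encrypted replacement."""
    report = {}
    for host, ports in parse_open_ports(text).items():
        report[host] = {"open": [port for port, _ in ports],
                        "cleartext": cleartext_exposure(ports)}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_OUTPUT).items():
        print(host, "open:", info["open"])
        for port, name in info["cleartext"].items():
            print(f"  {port}/tcp ({name}): credentials or content travel in the clear")
```

Run against a real scan with `triage(open("scan.txt").read())`; ports 21 and 25 on the slide's host are exactly the ones the countermeasures section later says to replace or harden.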
Attack Phase II: Gaining Access
1. Direct attack: denial-of-service, password guessing
2. Indirect attack with user ports: Trojan Horse, backdoors,
rootkits, etc.
3. Indirect attack with well-known ports: viruses, worms, SPAM
Attack Phase II: Gaining Access – Password Guessing with Cain
1. Configure: choose an adaptor (or machine).
2. Start Dictionary Guessing
Attack Phase II: Gaining Access – Password Guessing with LC4
1. Session > Options
2. Import > From Local Machine
3. Start Dictionary Guessing
(The brute-force mode is not in the free version)
Result of Running LC4
Result of Scanning Protected
Storage
Attack Phase II: Gaining Access –
Packet Sniffing with Ethereal
1. Set the capture options
2. Open a Command Prompt
3. Start the capture
4. Start a telnet session
Demonstration
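What the Ethereal demonstration shows on screen can be reduced to a few lines of code. The following is an added example, not part of the original slides: it takes the client and server TCP payloads of a telnet session in wire order, strips the IAC option negotiation, and pairs the server's login and password prompts with the lines the client types next. CAPTURED is a constructed packet sequence (banner, user name and password are made up); the only thing it relies on is that telnet sends every keystroke in the clear.

```python
"""Recover a telnet login from captured packets.

Added example, not from the original slides.  CAPTURED is a constructed
sequence of (direction, TCP payload) records in the order they crossed the
wire; the host banner, user name and password are invented.
"""

# Telnet protocol bytes (RFC 854): IAC introduces a command.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences and return only the application bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):            # IAC at the end of a segment: truncated command
            break
        cmd = data[i + 1]
        if cmd == IAC:                    # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):   # three-byte option negotiation
            i += 3
        elif cmd == SB:                   # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                             # any other two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def recover_login(packets) -> dict:
    """Pair the server's 'login:'/'Password:' prompts with the lines the client types next."""
    creds = {}
    expecting = None
    typed = bytearray()
    for direction, payload in packets:
        text = strip_telnet_negotiation(payload)
        if direction == "server":
            prompt = text.lower().rstrip()      # a prompt ends the packet, no newline after it
            if prompt.endswith((b"login:", b"username:")):
                expecting = "username"
            elif prompt.endswith(b"password:"):
                expecting = "password"
            continue
        # Telnet end-of-line is CR LF (or CR NUL); clients may send one key per packet.
        typed += text.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
        while b"\n" in typed:
            line, _, rest = bytes(typed).partition(b"\n")
            typed = bytearray(rest)
            if expecting is not None:
                creds[expecting] = line.decode("latin-1")
                expecting = None
    return creds


CAPTURED = [  # constructed session; comments give the telnet meaning of each payload
    ("client", b"\xff\xfd\x03\xff\xfb\x18"),           # DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE
    ("server", b"\xff\xfb\x03\xff\xfd\x18"),           # WILL SUPPRESS-GO-AHEAD, DO TERMINAL-TYPE
    ("server", b"\xff\xfa\x18\x01\xff\xf0"),           # SB TERMINAL-TYPE SEND SE
    ("client", b"\xff\xfa\x18\x00XTERM\xff\xf0"),      # SB TERMINAL-TYPE IS "XTERM" SE
    ("server", b"\r\nWelcome to taz\r\n\r\nlogin: "),
    ("client", b"c"), ("server", b"c"),                # server echoes each keystroke
    ("client", b"y"), ("server", b"y"),
    ("client", b"ang"), ("server", b"ang"),
    ("client", b"\r\n"), ("server", b"\r\nPassword:"), # echo is off for the password
    ("client", b"S3cret!\r\n"),
    ("server", b"\r\nLast login: Fri Apr 13 12:06\r\n$ "),
    ("client", b"ls -l\r\n"),
]

if __name__ == "__main__":
    print(recover_login(CAPTURED))   # the user name and password, recovered from the wire
```

The same parser applied to an SSH session yields nothing usable, which is the whole argument for the PuTTY/SFTP advice in the countermeasures section.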
Attack Phase II: Gaining Access
More indirect attacks are found
than direct attacks!
What do you mean?
1. User ports are closed unless requested and approved.
2. Most well-known ports are open.
(Check the file C:\WINDOWS\system32\drivers\etc\services to find
some well-known ports.)
Direct Attacks vs. Indirect Attacks
• Direct attacks such as password attacks
become more difficult as users become
smarter.
• Sending viruses, worms, or spyware via email has become more prevalent.
• E-mail spam is almost part of our life.
• Beware of the “wolf”, e.g., Trojan Horse!!
Trojan Horse
• A Trojan Horse toolkit is a pair of programs: a
server and a client.
• The server must be installed on the victim's
machine.
• Once that is done, the machine is considered
compromised.
• The attacker uses the client program to
communicate with the server from anywhere with
Internet access.
A Trojan Horse Example
Example of a Trojan Horse Server
Example of a Trojan Horse Client
One Question Left - How can the
server be installed?
• Clicking an icon that appeals to your
eye while you surf the web,
• Clicking the attachment that comes with
an e-mail message, or
• Downloading a piece of software from an
unfamiliar web site.
Defense and Countermeasures
Countermeasures:
against Trojan Horse
• DeepFreeze software has been installed in
all WCU computing lab machines.
• After a user logs on and logs off, all
software installed or downloaded during
that session is discarded.
• It is somewhat conservative but effective.
• User awareness is the key!! But …
Countermeasures:
Techniques
• Unplug the machine and
• Reformat the drive if you are sure the
machine has been compromised.
• But…..are there other ways?
Countermeasures:
Techniques
• Cryptology: cryptography/cryptanalysis
• Users: use appropriate passwords
• Use intrusion detection software
• Network users: stop using telnet and ftp. Use
an SSH client such as PuTTY in lieu of telnet, and
secure ftp (SFTP/SCP, e.g., WinSCP 3) in lieu of ftp
• Forensics: manual removal of the Bagle
virus, forensic tools
Cryptography
• So what is my first name?
• My name is AFCCP QSL WYLE (aka Dr.
Yang)
• A: Cheer Sun Yang (a shift cipher: each
ciphertext letter is the plaintext letter moved
two places back in the alphabet, C→A, H→F, E→C, ...)
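The name puzzle is a Caesar (shift) cipher, and the way to break it is the way the Midway story earlier in the talk was won: try every key and look for a word you expect to see. The following is an added example, not part of the original slides; it brute-forces all 26 shifts of the slide's ciphertext and uses the surname given on the slide ("Yang") as a crib to pick out the right key.

```python
"""Break the shift cipher on the slide: AFCCP QSL WYLE -> CHEER SUN YANG.

Added example, not from the original slides.  A Caesar cipher has only 25
usable keys, so the attacker tries them all; a crib (a word known to be in
the plaintext, here the surname "Yang") identifies the right one.
"""

CIPHERTEXT = "AFCCP QSL WYLE"   # from the slide


def shift(text: str, k: int) -> str:
    """Shift every ASCII letter k places forward (mod 26); other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext, keyed by the shift that produces it (shift 0 is the ciphertext)."""
    return {k: shift(ciphertext, k) for k in range(26)}


def recover_with_crib(ciphertext: str, crib: str) -> list:
    """Known-plaintext attack: keep only the shifts whose decryption contains the crib."""
    crib = crib.upper()
    return [(k, plain) for k, plain in brute_force(ciphertext).items()
            if crib in plain.upper()]


if __name__ == "__main__":
    for k, plain in brute_force(CIPHERTEXT).items():
        print(f"shift {k:2d}: {plain}")
    print("crib 'Yang' selects:", recover_with_crib(CIPHERTEXT, "Yang"))
```

Encryption was a shift of 24 (equivalently, two places back), so decryption is a shift of 2; `recover_with_crib` finds that key without any frequency analysis, which is why a 25-key cipher offers no security at all.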
Use SpyWare Detection –
Netscape Browser
Protect Password
• Use strong passwords – at least 8 characters,
mixing letters, digits and special
characters.
• Use the first letters of a passphrase,
e.g., IlteiaCra7S (I love to eat in a
Chinese restaurant at 7pm on Sunday)
• Don’t write it down and store it in a
README file on your laptop.
Countermeasures:
Techniques – Forensics
• Understand how data hiding can be done,
• Prepare for incidents,
• Use incident response tools,
• Develop a methodology, and
• Know what to look for.
Countermeasures:
Techniques – Forensic Tools
• Installing the Win32::API Perl module with the Perl
Package Manager (PPM)
• Refer to the book “Windows Forensics and
Incident Recovery” for more techniques.
C:\Documents and Settings\75CYANG.PASSHE.000>ppm install
win32-api
Downloading ActiveState Package Repository packlist...done
Updating ActiveState Package Repository database...done
Syncing site PPM database with .packlists...done
Downloading Win32-API-0.46...done
Unpacking Win32-API-0.46...done
Generating HTML for Win32-API-0.46...done
Updating files in site area...done
18 files installed
Example of Intrusion Detection
Sophos Anti-Virus Program
Is this a real virus or a false alarm?
Countermeasures:
Techniques – Forensics
• What should we do first assuming our
machine has probably been
compromised?
• A: Disconnect from the network
• Then what?
• A: Find out where the spyware hides
• Remove the spyware using anti-virus
software.
Finding the Spyware Manually
Protect Windows
The Windows hosts file, stored at
C:\WINDOWS\system32\drivers\etc\hosts,
maps host names to IP addresses and is consulted
before DNS. Be sure that the entries are legitimate:
an entry added by spyware can silently redirect or
block a site.
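Checking the hosts file by eye works for a handful of lines; the following is an added example, not part of the original slides, that does the check mechanically. It parses a hosts file, ignores the loopback names that belong there, accepts mappings the administrator lists as deliberate, and flags everything else as either blackholed (a site mapped to loopback, which makes it unreachable) or redirected (a site mapped to some other address). SAMPLE_HOSTS is constructed; the www.sysinfo.org and update.example.com entries are invented to show the two cases.

```python
"""Audit a Windows hosts file for hijacked name-to-address mappings.

Added example, not from the original slides.  SAMPLE_HOSTS is a constructed
file in the layout of the Windows hosts file; its last two entries are
invented to show a blackholed site and a redirected site.
"""
import ipaddress

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "broadcasthost"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
144.26.29.100   taz.cs.wcupa.edu        # pinned on purpose by the lab admin (constructed)
127.0.0.1       www.sysinfo.org         # constructed: BHO lookup site blackholed
10.0.0.5        update.example.com      # constructed: vendor update site redirected
"""


def parse_hosts(text: str):
    """Yield (line_number, ip_address_or_None, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None                                # malformed address; reported by the audit
        for name in names:
            yield lineno, ip, name.lower()


def audit_hosts(text: str, expected: dict = None) -> list:
    """Return [(line_number, hostname, address, reason)] for every mapping that is
    neither a loopback name nor an administrator-approved entry.

    expected: {hostname: ip} mappings known to be deliberate."""
    approved = {h.lower(): ipaddress.ip_address(a) for h, a in (expected or {}).items()}
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((lineno, name, None, "malformed address"))
        elif name in LOOPBACK_NAMES and ip.is_loopback:
            continue
        elif approved.get(name) == ip:
            continue
        elif ip.is_loopback:
            findings.append((lineno, name, str(ip),
                             "blackholed to loopback: the site becomes unreachable"))
        else:
            findings.append((lineno, name, str(ip),
                             "redirected to a non-loopback address: verify against DNS"))
    return findings


if __name__ == "__main__":
    for lineno, name, addr, reason in audit_hosts(SAMPLE_HOSTS,
                                                  {"taz.cs.wcupa.edu": "144.26.29.100"}):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

On a real machine, read the file with `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` and pass the mappings you put there yourself as `expected`; anything the audit still reports deserves a look before the anti-virus scan, since a blackholed update site keeps the scanner's signatures stale.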
Protect Windows
Browser Helper Objects (BHOs) are registered under
the registry key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
Under the key is a list of globally unique
identifiers (GUIDs), one per BHO.
Look each value up at www.sysinfo.org to find out what it is.
Protect Windows – Detection and
Removal Tools
• HijackThis
• a2HiJackFree
• InstallWatch Pro
• Unlocker
• VMWare
Countermeasures:
responsibilities
• System administrators
• Network users
• Teachers
• Students
End of the Trip
Conclusion
• Security does not depend on secure
software alone.
• Security does not depend on security
officers alone.
• Security does not depend on any single
user alone.
• Security does not depend on network
security alone.
Bibliography (Classic)
• Ed Skoudis, “Counter Hack,” Prentice Hall PTR,
2006.
• Pfleeger and Pfleeger, “Security in Computing,”
Prentice Hall PTR.
• Warren G. Kruse II, Jay Heiser, “Computer
Forensics,” Addison Wesley, 2002.
• Matt Bishop, “Computer Security,” Addison
Wesley, 2003.
• Kaufman et al., “Network Security,” Prentice
Hall.
Bibliography (Recent)
• Christopher Kruegel et al., “Intrusion Detection and
Correlation,” Springer-Verlag, 2005.
• Mihai Christodorescu et al., “Malware Detection,”
Springer-Verlag, 2006.
• John Aycock, “Computer Viruses and Malware,”
Springer-Verlag, 2006.
• Ed Skoudis, “Malware,” Pearson Education, 2003.
• Mark Osborne, “How to Cheat at Managing Information
Security,” Syngress, 2006.
• David Maynor et al., “Emerging Threat Analysis,”
Syngress, 2006.
Bibliography (Recent)
• Ed Skoudis, “Counter Hack Reloaded,” Prentice Hall PTR, 2006.
• Michael Simpson, “Hands-On Ethical Hacking and
Network Defense,” Thomson Course Technology, 2006.
• Ankit Fadia, “The Unofficial Guide to Ethical Hacking,”
Thomson Course Technology, 2005.
• Jon Edney, William Arbaugh, “Real 802.11 Security,”
Addison Wesley, 2004.
• Peter Szor, “The Art of Computer Virus Research and
Defense,” Addison Wesley, 2005.
• Harlan Carvey, “Windows Forensics and Incident
Recovery,” Addison Wesley, 2005.
That’s all folks!
• Questions? Comments?
• Eggs and Tomatoes?