1 - PRESENTATION - robbins.UOPX.CMGT441.LECTURE.WEEK01

CMGT/441 Intro. to Information Systems Security Management
Week #1
Ethical Hacking & Desktop, Server, and
Embedded Operating System Vulnerabilities
Philip Robbins – November 21, 2013
Information Technology
University of Phoenix Kapolei Learning Center
1
Ethical Hacking
Topics
• Introductions
• Syllabus Review
• Fundamentals of Ethical Hacking
• Windows & *nix OS Vulnerabilities
• Embedded OS Vulnerabilities
• Class Discussion, Tools, Security Resources
• Review Questions, Q&A
• Quiz #1
• Assignment #1
2
Introductions
Who am I?
• Information Systems Authorizing Official Representative
- United States Pacific Command (USPACOM)
- Risk Management Field
- Assessments to USPACOM Authorizing Official / CIO
• Former Electronics & Environmental Engineer
• Bachelor of Science in Electrical Engineering
• Master of Science in Information Systems
• Ph.D. Student in Communication & Information Sciences
• Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP)
3
Syllabus
Class Textbook
4
Fundamentals
“A locked door keeps an honest man out.”
5
Fundamentals
• Introduction to Proactive System Security
What this class IS about:
An introductory course in adopting a proactive (vs. reactive) stance towards systems security.
What this class IS NOT about:
An offensive class in hacking.
How does one better understand how to defend against system security attacks?
By performing and testing against them.
6
Fundamentals
• What is Hacking?
Classical Definition:
Seeking to understand computer systems
strictly for the love of having that
knowledge.
BEFORE
Modern Definition:
Illegal access to computer or network systems.
NOW
7
Fundamentals
• What is a “Hacker”?
8
9
Fundamentals
Who/what is a “Cracker”?
Term used to describe a hacker with malicious intent.
Crackers (cyber criminals) get into all kinds of mischief,
including breaking or "cracking" copy protection on
software programs, breaking into systems and causing
harm, changing data, or stealing.
10
Fundamentals
• “Hacker” vs. “Cracker”?
- Today there’s no real distinction between the two terms.
Hacker = Cracker
However…
- Some hackers regard crackers as less educated.
- Some crackers don’t create their own work; they simply steal other people's work to cause mischief or for personal gain.
11
Fundamentals
• Who are “Script kiddies”?
- Unskilled individuals who use scripts or programs developed by
knowledgeable programmers to attack computer systems.
- Generally considered “posers” or “kiddies” lacking the ability to
write sophisticated scripts or programs on their own.
- Usually seeking to gain credit or impress
their friends.
12
Fundamentals
What is an “Ethical Hacker”?
• Oxymoron: Honest Criminal
- A new breed of network defenders.
- Performs the same activities a hacker does but with the owner / company’s
permission.
- Usually contracted to perform penetration testing.
13
Fundamentals
• Penetration Testing
- Discover vulnerabilities.
- Perform attack and penetration assessments.
- Perform discovery and scanning for open ports & services.
- Apply exploits to gain access and expand access as necessary.
- Activities involving application penetration testing and application source review.
- Interact with the client as required.
- Produce reports documenting discoveries during the engagement.
- Report your findings to the client at the conclusion of each engagement.
vs.
• Security Testing
+ Participate in research and provide recommendations for improvement.
+ Participate in knowledge sharing.
14
Fundamentals
• Why perform Penetration Tests?
15
Fundamentals
• Steps for a Penetration Test
Step #1: Planning Phase
- Scope & strategy of the assignment are determined.
- Existing security policies and standards are used for defining the scope.
Step #2: Discovery Phase
- Collect as much information as possible about the system, including data in the system, user names, and even passwords (fingerprinting).
- Scan and probe the ports.
- Check the system for vulnerabilities.
Step #3: Attack Phase
- Find exploits for the various vulnerabilities.
- Obtain the security privileges necessary to exploit the system, then exploit it.
16
Fundamentals
• Steps for a Penetration Test
Step #4: Reporting Phase
- Report must contain detailed findings.
- Risks of vulnerabilities found and their impact on the business.
- Recommendations for solutions, if any (Security Testing).
17
Fundamentals
• Penetration Testing Limitations
- Can’t find all the vulnerabilities on a system.
- Time available to the tester
- Budget
- Scope
- Skills of testers
- Data loss and corruption
- Downtime for the organization
- Increased costs for the organization*
* How could pen testing decrease costs for an organization?
18
Fundamentals
• Roles & Responsibilities of the Pen-Tester
- Testers should collect the required information from the organization to enable penetration tests (depending on the type of testing model).
- Find flaws that could allow hackers to attack a target machine.
- Pen testers should think & act like real hackers (ethically).
- Tester should be responsible for any loss in the system or information during the testing.
- Tester should keep data and information confidential.
19
Fundamentals
• Types of Pen-Testing Methodologies
White Box Model
- Tester is given the company network topology, info on technology used, and
permission to interview all employees (including IT personnel).
Black Box Model
- Tester is not given any information.
- Management doesn’t tell staff about the pen test being conducted.
- Helps determine whether the company’s security personnel are able to detect attacks.
Gray Box Model
- Hybrid of the white and black box models.
- Tester may get partial information.
20
Class Discussion
• Which pen-testing category / model most closely mimics that of an insider threat?
• Which type of pen-testing model is better suited for an organization on an extremely limited budget?
• Which pen-testing model is most accurate? Which can be considered to have the greatest drawback?
21
Class Discussion
22
Fundamentals
• Types of Hats
- White Hats (Ethical / Pen-Testers improving security)
- Black Hats (Hackers / Crackers degrading security)
- Grey Hats (In-between White and Black)
- Red Hat (Enterprise Linux)
23
Fundamentals
• What can you do Legally?
What about:
- Port scanning?
- Possession of hacking tools?
- Photographing?
- ISP Acceptable Use Policy (AUP)?
- Installing viruses on a computer network, denying users?
In Hawaii, the state must prove that the person charged with committing a crime on a computer had the “intent to commit a crime.”
24
Fundamentals
• Federal Laws:
- Computer Fraud and Abuse Act, Title 18
Makes it a crime to access classified information without authorization.
- Electronic Communication and Abuse Act
Makes it illegal to intercept any communication, regardless of how it was transmitted.
- Stored Wire and Electronic Communications and Transactional Records Act
Defines unauthorized access to computers that store classified information.
25
Class Discussion
• What are the advantages of using a written contract
when engaged in a computer consulting job?
• Why is it important that your attorney read over the
contract before you sign it?
• What is upper management’s role
for a penetration test?
26
Class Discussion
• Why do you think the government does not define a
common law for computer-related crimes, rather than
allowing each state to address these issues?
27
Fundamentals
• Ethical Hacking in a Nutshell
- Must have a good understanding of networks &
computer technology.
- Must be able to communicate with management & IT
personnel.
- Must have an understanding of the laws that apply to
your location.
- Must be able to apply the necessary tools to perform
your tasks.
28
Fundamentals
• Professional Certifications
- Certified Ethical Hacker (CEH)
- Cisco Certified Network Associate (CCNA)
- Project Management Professional (PMP)
- Certified Information Systems Security Professional (CISSP)
29
Fundamentals
• Careers
30
Fundamentals
• CEH 22 Domains
31
Tools
Backtrack 5r3
Ubuntu-based Linux distribution providing a comprehensive collection of security-related tools for digital forensics and pen-testing use.
http://www.backtrack-linux.org/downloads/
32
Tools
Kali Linux (a.k.a. Backtrack 6)
A Debian-based Linux distribution rewritten from Backtrack. Preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs).
http://www.kali.org/downloads
33
Tools
Metasploitable 2.0
Intentionally vulnerable Linux virtual machine.
http://www.offensive-security.com/metasploit-unleashed/Metasploitable
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
34
Tools
Damn Vulnerable Linux (DVL) 1.5 Infectious Disease
Originally derived from Slackware with the goal of being an intentionally vulnerable system for practice/teaching purposes with regard to network and computer security. Now considered discontinued.
http://distrowatch.com/table.php?distribution=dvl
http://download.vulnhub.com/dvl/DVL_1.5_Infectious_Disease.iso
35
General Security Resources
• Cyber Hui
http://www.cyberhui.org/
Cyber Hui is a community of Hawaii Cyber security professionals dedicated to sharing skills and knowledge with
high school and college students. Join the Hui; check out their resources and discussion forums.
• SANS Institute
http://www.sans.org/
Source for information security training and security certification; develops, maintains, and makes available at no cost a collection of research documents about various aspects of information security. Find whitepapers here that interest you.
• Symantec Connect
http://www.securityfocus.com/
Technical community for Symantec customers, end-users, developers, and partners.
• SearchSecurity
http://searchsecurity.techtarget.com/
Online information security magazine providing immediate access to late-breaking industry news, virus alerts, and new hacker threats and attacks.
• Internet Storm Center
https://isc.sans.edu/forums/Diary+Discussions/
Community forums, discussions, and daily podcasts on auditing, forensics, network security, pen testing.
36
General Security Resources
• CyberPatriot
http://www.uscyberpatriot.org/CP5/Training.aspx
Air Force Cyber Defense Competition.
37
General Security Resources
• IASE
http://iase.disa.mil/policy-guidance/
Most comprehensive compilation of DoD policies & guidance documentation for Information Assurance.
38
Review Questions
• Question #1
The U.S. Department of Justice defines a hacker as which
of the following?
a. A person who accesses a computer or network without the
owner’s permission.
b. A penetration tester.
c. A person who uses telephone services without payment.
d. A person who accesses a computer or network with the
owner’s permission.
39
Review Questions
• Question #2
A penetration tester is which of the following?
a. A person who accesses a computer or network without
permission from the owner.
b. A person who uses telephone services without payment.
c. A security professional who’s hired to hack into a network to
discover vulnerabilities.
d. A hacker who accesses a system without permission but does
not delete or destroy files.
41
Review Questions
• Question #3
Some experienced hackers refer to inexperienced
hackers who copy or use prewritten scripts or programs
as which of the following?
a. Script Monkey
b. Packet Kiddies.
c. Packet Monkeys.
d. Script Kiddies.
43
Review Questions
• Question #4
A team composed of people with varied skills who
attempt to penetrate a network is referred to as which of
the following?
a. Green Team
b. Blue Team
c. Black Team
d. Red Team
45
Review Questions
• Question #5
What portion of your ISP contract might affect your
ability to conduct a penetration test over the internet?
a. Scanning Policy
b. Port Access Policy
c. Acceptable Use Policy
d. Warranty Policy
47
Review Questions
• Question #6
Which federal law prohibits unauthorized access of
classified information?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication and Abuse Act
c. Stored Wire and Electronic Communications and Transactional
Records Act
d. Fourth Amendment
49
Review Questions
• Question #7
Which federal law prohibits intercepting any
communication, regardless of how it was transmitted?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication and Abuse Act
c. Stored Wire and Electronic Communications and Transactional
Records Act
d. Fourth Amendment
51
Review Questions
• Question #8
Which federal law amended Chapter 119 of Title 18, U.S.
Code?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication and Abuse Act
c. Stored Wire and Electronic Communications and Transactional
Records Act
d. U.S. Patriot Act, Sec. 217: Interception of Computer Trespasser
Communications
53
Review Questions
• Question #9
To determine whether scanning is illegal in your area,
you should do which of the following?
a. Refer to the U.S. code
b. Refer to the U.S. Patriot Act
c. Refer to the state laws
d. Contact your ISP
55
Review Questions
• Question #10
As a security tester, what should you do before installing
hacking software on your computer?
a. Check with local law enforcement agencies.
b. Contact your hardware vendor.
c. Contact your software vendor.
d. Contact your ISP.
57
Review Questions
• Question #11
Before using hacking software over the Internet, you
should contact which of the following?
a. Your ISP.
b. Your vendor.
c. Local law enforcement authorities to check for compliance.
d. The FBI.
59
Review Questions
• Question #12
Which organization issues the Top 20 list of current
network vulnerabilities?
a. SANS Institute
b. ISECOM
c. EC-Council
d. OPST
61
OS Vulnerabilities
• Windows
- OSs contain serious vulnerabilities that attackers can exploit.
- Default installations are especially at risk.
How do we deal with this?
- Reduce our attack surface.
- Disable, reconfigure, or uninstall unnecessary services.
- Employ system hardening techniques.
- Monitor new vulnerabilities / automatic updates.
- Periodic assessment / scans.
- Patch.
- Patch.
- Patch.
64
OS Vulnerabilities
• CVE search on NVD
http://www.cve.mitre.org/cve/index.html
http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
65
66
OS Vulnerabilities
• Windows File Systems
Purpose is to store and manage information.
File Allocation Table (FAT):
Standard file system for most removable media.
512 B = 1 sector
1 cluster = smallest unit allocated to a file
Why would using FAT in a multiuser environment be considered a critical vulnerability?
Because FAT doesn’t support file-level access control lists (ACLs)!
68
OS Vulnerabilities
• Windows File Systems
New Technology File System (NTFS):
Supports larger files and disk volumes while addressing security through ACLs and file-system journaling.
Alternate Data Streams (ADSs) are an NTFS feature added for compatibility with the old Apple Hierarchical File System, which stores a file as both a data fork (contents of the document) and a resource fork (file type identification).
Why are ADSs considered a security risk?
Because ADSs make it possible for attackers to hide and store exploitation tools and other malicious files on compromised systems.
70
OS Vulnerabilities
• Windows File Systems
New Technology File System (NTFS): Tools used for detecting ADSs --
• LADS
http://www.heysoft.de/en/software/lads.php
Lists all alternate data streams of an NTFS directory.
• lns
http://ntsecurity.nu/toolbox/lns
LNS is a tool that searches for NTFS streams (a.k.a. alternate data streams or multiple data streams).
• Tripwire
http://www.tripwire.com/
Enterprise vulnerability management solution using signatures to find vulnerabilities.
• dir /r
Command Prompt (cmd)
Run from the directory you want to inspect; lists the files together with their ADSs. Available in Windows Vista and later.
71
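As an added example (not part of the lecture and not code from any of the tools above), the following Python script parses captured `dir /r` output and flags files that carry non-default streams, so a defender can take a baseline of a directory with the built-in command alone. The listing it reads is a constructed sample modelled on the C:\compaq test files shown on the next slide; the parser, the Zone.Identifier allow-list and the executable-extension ordering are my own assumptions.

```python
"""Flag NTFS alternate data streams (ADSs) in captured `dir /r` output.

Added example, not from the lecture: a defender's baseline check using the
built-in command. The listing below is a constructed sample.
"""
import re
from dataclasses import dataclass

# `dir /r` prints each stream on its own line beneath its parent file:
# a size, then <file>:<stream>:$DATA, with no date/time columns.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Stream that browsers and mail clients add to downloaded files: expected, not suspicious.
BENIGN_STREAMS = {"Zone.Identifier"}
# Stream names that look like dropped tools (heuristic, an assumption of this example).
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs")


@dataclass
class Stream:
    path: str      # full path of the host file
    stream: str    # stream name, e.g. "ipeye.exe"
    size: int      # bytes stored in the stream


def parse_dir_r(text: str) -> list[Stream]:
    """Return every alternate data stream listed in `dir /r` output."""
    directory = ""
    found = []
    for line in text.splitlines():
        if line.strip().startswith("Directory of "):
            directory = line.split("Directory of ", 1)[1].strip()
            continue
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append(Stream(f"{directory}\\{m.group(2)}", m.group(3), size))
    return found


def suspicious_streams(streams: list[Stream]) -> list[Stream]:
    """Drop expected streams; what remains deserves a look, executable-looking names first."""
    unexpected = [s for s in streams if s.stream not in BENIGN_STREAMS]
    return sorted(unexpected, key=lambda s: not s.stream.lower().endswith(EXECUTABLE_EXT))


def total_hidden_bytes(streams: list[Stream]) -> int:
    """Bytes held in unexpected streams (the equivalent of the LADS summary line)."""
    return sum(s.size for s in suspicious_streams(streams))


# Constructed sample output of `dir /r` in C:\compaq, modelled on the lecture's test files.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\compaq

11/21/2013  09:00 AM    <DIR>          .
11/21/2013  09:00 AM    <DIR>          ..
11/21/2013  09:05 AM                 0 test_file
                                32,768 test_file:ipeye.exe:$DATA
11/21/2013  09:05 AM                 0 test_file2
                               143,360 test_file2:klogger.exe:$DATA
11/21/2013  09:06 AM            12,288 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
11/21/2013  09:07 AM               512 notes.txt
                                    40 notes.txt:comment:$DATA
               4 File(s)         12,800 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

if __name__ == "__main__":
    streams = parse_dir_r(SAMPLE_DIR_R)
    for s in suspicious_streams(streams):
        print(f"{s.size:>10}  {s.path}:{s.stream}")
    print(f"{total_hidden_bytes(streams)} bytes in unexpected streams")
```

On a real host, capture the listing with `dir /r > listing.txt` and feed the file contents to `parse_dir_r`; a zero-byte host file carrying a large executable-named stream is exactly the pattern the LADS output on the next slide shows.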
OS Vulnerabilities
• Windows File Systems
New Technology File System (NTFS): Using LADS & lns to detect ADSs.
LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:

      size  ADS in file
----------  ---------------------------------
Error 32 opening C:\pagefile.sys

The following summary might be incorrect because there was at least one error!
         0 bytes in 0 ADS listed

Uncompromised System

LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\compaq

      size  ADS in file
----------  ---------------------------------
     32768  C:\compaq\test_file:ipeye.exe
    143360  C:\compaq\test_file2:klogger.exe
     86016  C:\compaq\test_file3:psexec.exe
     32768  C:\compaq\test_file4:pslist.exe

    294912 bytes in 4 ADS listed

Compromised System

lns 1.0 - (c) 2002, Arne Vidstrom ([email protected])
        - http://ntsecurity.nu/toolbox/lns/

c:\compaq\test_file
        - Alternative data stream [:ipeye.exe:$DATA]
c:\compaq\test_file2
        - Alternative data stream [:klogger.exe:$DATA]
c:\compaq\test_file3
        - Alternative data stream [:psexec.exe:$DATA]
c:\compaq\test_file4
        - Alternative data stream [:pslist.exe:$DATA]

Compromised System
72
OS Vulnerabilities
• Remote Procedure Call (RPC)
An interprocess communication mechanism that allows a computer program to cause a subroutine or procedure to execute in another address space, typically on another computer within a shared network.
73
OS Vulnerabilities
• Remote Procedure Call (RPC)
http://technet.microsoft.com/en-us/security/bulletin/
74
OS Vulnerabilities
• Remote Procedure Call (RPC)
75
OS Vulnerabilities
http://www.microsoft.com/technet/security/tools/mbsahome.mspx/
76
OS Vulnerabilities
77
OS Vulnerabilities
http://www.dorkatron.com/docs/ISA330/W2%20-%20READING%20-%20MBSA%20Report%20for%20Philip%20Robbins.pdf
78
OS Vulnerabilities
• Network Basic Input / Output System (NetBIOS)
- OSI Session Layer (Layer 5).
- Software loaded into memory that allows a program to interact with a shared network resource or device.
- NetBIOS frees an application from understanding the details of a network.
- Still used today to ensure backward compatibility.
- Uses the following ports, which are often left open to the internet:
UDP/137
UDP/138
TCP/139
79
OS Vulnerabilities
• Network Basic Input / Output System (NetBIOS)
Why is NetBIOS over TCP/IP considered a security risk?
Because an attacker can gain the following information:
- Computer name
- Contents of the remote name cache, including IP addresses
- A list of local NetBIOS names
- A list of names resolved by broadcast or via WINS
- Contents of the session table with the destination IP addresses
82
OS Vulnerabilities
• Server Message Block (SMB)
- OSI Application Layer (Layer 7).
- Used for sharing access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
- Uses port TCP/445.
- Vulnerabilities are associated with Microsoft’s implementation of the SMB protocol and the components it directly relies on.
http://uwnthesis.wordpress.com/2013/05/29/metasploit-how-to-use-server-message-block-smb-or-file-sharing-scanning/
83
OS Vulnerabilities
• Common Internet File System (CIFS)
- Replaces SMB but allows backward compatibility.
- Remote file system protocol that allows computers to share network resources over the internet.
84
OS Vulnerabilities
• Domain Controllers
- Servers that handle authentication.
- DCs using CIFS listen on the following ports:
DNS (53), HTTP (80), Kerberos (88), RPC (135), NetBIOS (137 & 139), LDAP (389), HTTPS (443), SMB/CIFS (445), LDAP over SSL (636), Active Directory Global Catalog (328)
- Most attackers look for DCs because they contain so much of the information they want to access.
85
OS Vulnerabilities
• Null Sessions
- Allow you to connect to a remote machine without using a user name or password.
- Anonymous logins.
- e.g. FTP, SQL (null SA password), IPC$, etc.
This is the most frequently used method of network reconnaissance employed by hackers.
86
OS Vulnerabilities
• Buffer Overflows
- Occur when data is written to a buffer (temporary memory space) and, because of insufficient bounds checking, corrupts data in memory adjacent to the allocated buffer.
- Applications written in C & C++ are vulnerable.
- Can allow attackers to run shellcode.
87
OS Vulnerabilities
• Trojan
- Non-replicating type of malware.
- Program that appears to perform a desired function.
- Gains privileged access.
- Allows remote administration (backdoors).
- Creates a file server (FTP).
- Drops malicious payload.
88
OS Vulnerabilities
• Rootkits
- Installed by intruders who have gained root access.
- Contain malicious Trojan binary programs.
- Designed to hide and maintain privileged access.
- Can reside in the kernel.
- Removal becomes complicated.
89
Class Discussion
• What are the benefits of using passwords as an authentication method?
Cost effective and disposable.
• Why can it be considered a weakness / vulnerability?
“What you know” vs. “what you are” or “what you have.”
A username and password is all that stands between an attacker and access.
91
OS Vulnerabilities
• Passwords
- All users / admins should change their passwords regularly.
- Establish a minimum length for users (8 chars) and admins (15 chars).
- Require complexity: include letters, numbers, symbols, and both upper- and lower-case chars.
- No dictionary (common) or slang words (in any language).
- No connection to the user: SS#, birthdays, or names.
- Never write passwords down (esp. online, through email, or stored on a user’s computer).
- Be aware of shoulder surfing.
- Limit reuse of old passwords.
- Set account lockout duration (e.g. 30-second timeout after the first failed attempt).
- Set account lockout thresholds (e.g. disable the account after 3 failed attempts).
92
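As an added example (my code, not the lecture's), the Python module below turns the rules on the Passwords slide into a checker: minimum length 8 for users and 15 for admins, all four character classes, no dictionary or slang words, nothing derived from the user's name, birthday or SSN, and a lockout tracker that disables an account after 3 failed attempts for the slide's 30-second duration (combining the two lockout settings is my interpretation). The word list and the accounts used in the demo are constructed.

```python
"""Password-policy and account-lockout checks for the rules on the Passwords slide.

Added example, not the lecture's code. The word list below is a constructed
stand-in for a real dictionary / slang list; timestamps are plain seconds.
"""
import re

MIN_LENGTH = {"user": 8, "admin": 15}
LOCKOUT_THRESHOLD = 3        # failed attempts before the account is disabled
LOCKOUT_SECONDS = 30.0       # how long the lockout lasts

# Constructed stand-in for a real dictionary / slang list (any language).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "aloha", "shaka"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _alnum(s: str) -> str:
    """Lower-case and strip punctuation so 'Rob-Bins' and 'robbins' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def policy_violations(password: str, role: str = "user", *,
                      username: str = "", birthday: str = "", ssn: str = "") -> list[str]:
    """Return the rules the password breaks; an empty list means it complies."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for role {role}")
    if not all(re.search(cls, password) for cls in CHARACTER_CLASSES):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary or slang word")
    # Personal-data check: the whole value or any 4+ character piece of it
    # (a birth year, the last four of an SSN) appearing inside the password.
    stripped = _alnum(password)
    for item in (username, birthday, ssn):
        parts = [_alnum(item)] + re.split(r"[^A-Za-z0-9]+", item.lower())
        if any(len(p) >= 4 and p in stripped for p in parts):
            problems.append("derived from user data (name, birthday or SSN)")
            break
    return problems


class LockoutTracker:
    """Per-account failed-login counter implementing the slide's lockout settings."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, duration: float = LOCKOUT_SECONDS):
        self.threshold = threshold
        self.duration = duration
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: clear the counter so the next attempt starts fresh.
        del self.locked_until[account]
        self.failures[account] = 0
        return False

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.duration
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account] = 0


if __name__ == "__main__":
    for pw, role in (("Aloha-2013!", "user"), ("Tr0ub4dor&3", "admin"), ("Xq7#mVp2$wLr9!kZ", "admin")):
        print(pw, role, policy_violations(pw, role) or "OK")
    tracker = LockoutTracker()
    for second in range(4):
        state = "locked" if tracker.record_failure("alice", float(second)) else "open"
        print("attempt", second + 1, state)
```

The checker reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing policy message needs; the tracker keys on the account name, so it also exposes the weakness the discussion slide raises: a single shared username and password is the only thing the lockout can protect.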
OS Vulnerabilities
• Passwords
http://splashdata.com/press/pr121023.htm
93
OS Vulnerabilities
http://www.labnol.org/internet/common-passwords-to-avoid/14136/
94
Vulnerability Scanners
• eEye Retina
http://www.eeye.com/
95
Vulnerability Scanners
• Tenable Nessus
http://www.tenable.com/products/nessus
96
Vulnerability Scanners
• GFI Languard
http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard
97
Vulnerability Scanners
• OpenVAS
http://www.openvas.org/
98
Patch Scanners
• HFNetchk & Shavlik
- Created by Mark Shavlik.
- MBSA is based on HFNetchk.
- Shavlik for patch management.
http://www.shavlik.com/
99
Patch Scanners
• Microsoft’s System Management Server (SMS)
- Patch management for all computers on your network.
http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx
100
Patch Scanners
• Windows Software Update Services (WSUS)
- Patch management from the network.
- WSUS downloads patches and publishes them internally.
- Control over which updates are deployed.
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
101
OS Vulnerabilities
• System Hardening
- Patch all known vulnerabilities (automatic updates vs. patch testing).
- Remove unwanted services.
- Enforce password complexity & policies.
- Remove unused user accounts.
- Configure and manage user privileges.
- Implement an antivirus solution.
- Enable logging / monitoring tools.
- Close unused open network ports:
FTP (20, 21), TFTP (69), Telnet (23), DNS (53), NNTP (119), NetBIOS (135, 137, 138, 139, 445), RDP (3389), SNMP (161, 162), RPC (1025-1039)
102
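As an added example (my code, not the lecture's), the Python script below audits a host's listening sockets against the "close unused open network ports" list on the System Hardening slide, which also covers the NetBIOS (137-139) and SMB (445) exposure discussed on the earlier slides. It parses captured Windows `netstat -an` output (the sample below is constructed), separates loopback-only listeners from ones bound to all interfaces, and takes an allow-list for ports the host's role legitimately needs, since the Domain Controllers slide shows a DC must keep 53 and 445 open. The parsing rules and the exposure labels are my assumptions.

```python
"""Audit listening ports against the 'close unused ports' list on the System Hardening slide.

Added example, not the lecture's code. Input is captured `netstat -an` text
(Windows format); the sample below is constructed.
"""
from dataclasses import dataclass

# Port -> service, exactly as listed on the slide.
HARDENING_PORTS = {
    "FTP": [20, 21], "Telnet": [23], "DNS": [53], "TFTP": [69], "NNTP": [119],
    "NetBIOS": [135, 137, 138, 139, 445], "SNMP": [161, 162],
    "RDP": [3389], "RPC": list(range(1025, 1040)),
}
PORT_TO_SERVICE = {port: svc for svc, ports in HARDENING_PORTS.items() for port in ports}
LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # bound address, e.g. "0.0.0.0" or "127.0.0.1"
    port: int


def parse_netstat(text: str) -> list[Listener]:
    """Extract listening sockets: TCP rows in LISTENING state and every UDP row."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue                       # headers and blank lines
        if fields[0] == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue                       # established connections are not listeners
        addr, port = fields[1].rsplit(":", 1)   # rsplit copes with "[::]:135"
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def hardening_findings(listeners: list[Listener], allowed=frozenset()) -> list[tuple]:
    """(service, proto, port, exposure) for each listener on a port the slide says to close,
    skipping ports in `allowed` that the host's role requires."""
    findings = []
    for l in listeners:
        service = PORT_TO_SERVICE.get(l.port)
        if service is None or l.port in allowed:
            continue
        exposure = "loopback only" if l.addr in LOOPBACK else "all interfaces"
        findings.append((service, l.proto, l.port, exposure))
    return sorted(findings, key=lambda f: (f[2], f[1]))


# Constructed `netstat -an` capture from a hypothetical member server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         10.0.0.9:445           ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for service, proto, port, exposure in hardening_findings(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{proto}/{port:<5} {service:<8} {exposure}")
```

Port 5985 in the sample is not reported because it is not on the slide's list; the point of the allow-list parameter is that the same script can be run against a DC with `allowed={53, 445}` without burying the real findings in expected noise.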
OS Vulnerabilities
• *nix
103
Class Discussion
• Why do you think people believe Windows is more vulnerable than *nix OSs?
Because a majority of people use Windows, most attackers focus on compromising that OS.
• Why do you think only 1% of all desktop users use Linux?
Even if Grandma knew about the alternative, (i) would she even prefer it, and (ii) is she capable?
106
OS Vulnerabilities
• *nix
Samba
- Free software.
- *nix servers can share resources with Windows clients, and vice versa, without prejudice.
- Designed to trick Windows resources into believing that *nix resources are Windows resources.
http://www.samba.org/
107
OS Vulnerabilities
Samba
- Search NVD for *nix vulnerabilities related to samba.
108
Embedded OS Vulnerabilities
• What are Embedded Systems?
Any computer system that isn’t a general-purpose PC.
• What are Embedded Operating Systems?
Embedded systems that include their own operating system, including stripped-down versions of commonly used OSs.
What are some examples of embedded systems that contain embedded OSs?
109
Embedded OS Vulnerabilities
• Things to keep in mind:
- Don’t underestimate the security risks associated with embedded systems simply because they’re small, perform simple tasks, or because of the belief that no one would bother attacking them.
- Embedded OSs are networked and are everywhere (think about critical infrastructure & SCADA).
- Many of the vulnerabilities seen in common OSs directly carry over.
- Coding of the OS and patching can be difficult due to memory constraints. How do you patch a PIC16F877?
110
Embedded OS Vulnerabilities
• W32.Stuxnet
- Identified in 2010.
- Considered the first cyber weapon.
- Affected Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) within Iran’s nuclear enrichment facilities.
111
Embedded OS Vulnerabilities
• Android
112
Embedded OS Vulnerabilities
• Android
http://www.wtop.com/1253/3433568/Govt-warns-Android-vulnerable-to-mobile-hacks
113
Class Discussion
• What are some of the vulnerabilities associated with
embedded devices like smart phones?
• What are the risks?
114
115
Embedded OS Vulnerabilities
116
Embedded OS Vulnerabilities
117
Class Tools
Vulnerable targets…
Practice researching and identifying vulnerabilities within our isolated test environment.
localhost
user: root
password: toor
localhost
user: Administrator
password: password
118
Review Questions
• Question #1
MBSA performs which of the following security checks?
a. Security update checks.
b. IIS checks.
c. System time checks.
d. Computer logon checks.
119
Review Questions
• Question #2
Which ports should be filtered out to protect a network
from SMB attacks?
a. 134 to 138 and 445.
b. 135, 139, and 443.
c. 137 to 139 and 445.
d. 53 and 445.
121
Review Questions
• Question #3
Applications written in which programming language(s)
are especially vulnerable to buffer overflow attacks?
a. C
b. Perl
c. C++
d. Java
123
Review Questions
• Question #4
Which of the following is the most efficient way to
determine which OS a company is using?
a. Run Nmap or other port-scanning programs.
b. Use the whois database.
c. Install a sniffer on the company’s network segment.
d. Call the company and ask.
125
Review Questions
• Question #5
Which program can detect rootkits on *nix systems?
a. chkrootkit
b. rktdetect
c. SELinux
d. Ionx
127
Review Questions
• Question #6
Which of the following doesn’t use an embedded OS?
a. An ATM
b. A workstation running Windows Vista Business
c. A NAS device running Windows Server 2008 R2
d. A slot machine
129
Review Questions
• Question #7
Which of the following is a major challenge of securing
embedded OSs?
a. Training users
b. Configuration
c. Patching
d. Backup and recovery
131
Review Questions
• Question #8
SCADA systems are used for which of the following?
a. Monitoring embedded OSs
b. Monitoring ATM access codes
c. Monitoring equipment in large-scale industries
d. Protecting embedded OSs from remote attacks
133
Review Questions
• Question #9 (last one)
Cell phone vulnerabilities make it possible for attackers
to do which of the following? (Choose all that apply.)
a. Use your phone as a microphone to eavesdrop on meetings.
b. Install a BIOS-based rootkit.
c. Clone your phone to make illegal long-distance phone calls.
d. Listen to your phone conversations.
135
Quiz #1
• Multiple choice, closed book, closed notes.
137
Questions?
[email protected]
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/CMGT441/
138