Internet & Web Security

Simson L. Garfinkel
[email protected]
Simson L. Garfinkel
• Web Security & Commerce
  (with Gene Spafford)
  O'Reilly & Associates, 1997
• Practical UNIX and Internet Security
  Garfinkel & Spafford
  O'Reilly & Associates, 1997
• Vineyard.NET, Inc.
  July 1, 1995-
WARNING #1
• I'm not here to sell you anything.
  (No easy answers)
WARNING #2
• I hate Power Point.
Internet Security Today 1/3
• What are the main security-related problems on the Internet today?
  • Hijacked web servers
  • Denial-of-service attacks
  • Unsolicited commercial e-mail
  • Operator error, natural disasters
  • Microsoft...
Internet Security Today 2/3
• What are not the major security-related problems?
  • Eavesdropped electronic mail.
    (Misdirected e-mail is a problem.)
    (E-mail swiped from backup tapes is a problem.)
  • Sniffed credit card numbers.
    (Credit card numbers stolen from databases are a problem.)
  • Hostile Java & ActiveX applets.
Internet Security Today 3/3
• So why does the press focus on the non-problems?
  • The real problems are old problems.
    (See Practical UNIX Security, 1991.)
  • The real problems are hard to solve.
    (I'm not here to sell you anything.)
  • Netscape IPO
    (Netscape sells a product, not a service.)
Hijacked Web Servers
Hijacked Web Servers
• FBI
  • August 17, 1996 - Attacks on the Communications Decency Act.
• CIA
  • September 18, 1996 - "Central Stupidity Agency"
• NetGuide Live
  • "CMP Sucks."
Hijacked Web Servers
• Attacker gains access and changes contents of web server.
• Usually stunts.
• Can be very bad:
  • Attacker can plant hostile applets.
  • Attacker can plant data sniffers.
  • Attacker can use compromised machine to take over internal systems.
Hijacked Web Servers
• Usually outsiders.
  • (Could be insiders masquerading as outsiders.)
• Nearly impossible to trace.
How do they do it?
• Administrative passwords captured by a password sniffer.
• Utilize known vulnerability:
  • sendmail bug.
  • Buffer overflow.
• Use web server CGI script to steal /etc/passwd file, then crack passwords.
• Mount the web server's filesystem.
How do you defend against it?
• Patch known bugs.
• Don't run unnecessary services on the web server.
  • Don't run sendmail.
  • Use smap if possible.
• Large sites may just have to suffer.
How do you defend? (2)
• Never use telnet or ftp to access the web server.
  • ssh/scp
  • stel
  • Security Dynamics' SecurID
  • Digital Pathways' SecureNet Key
  • (S/Key, Kerberos)
How do you defend? (3)
• Practice good host security.
  • Don't run SunOS.
  • Use tools like SATAN, ISS, COPS, Tiger...
• Monitor system for unauthorized changes.
  • Tripwire
• Monitor system for signs of penetration.
  • Intrusion detection systems
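What "monitor the system for unauthorized changes" means in practice is a Tripwire-style baseline and comparison. The following is an added example, not Tripwire's code or anything from the talk: it hashes every regular file under a directory along with its permission bits and size, stores the baseline, and reports what was added, removed or altered. The document root, its files and the simulated defacement are constructed inside a temporary directory so the example runs stand-alone.

```python
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Record hash, permission bits and size of every regular file under
    root, keyed by path relative to root (symlinks and specials skipped)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return db


def compare(baseline, current):
    """Report what an intruder (or an operator) added, removed or altered."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline
                          if k in current and baseline[k] != current[k]),
    }


def _write(root, rel, text, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed document root: take a baseline, simulate a defacement,
    a planted tool and a setuid bit, then report the differences."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>Welcome to our site</h1>\n")
        _write(root, "cgi-bin/lookup", "#!/bin/sh\nfinger \"$1\"\n", 0o755)
        # The baseline must live where the intruder cannot rewrite it
        # (read-only media, another host); here it is just serialised.
        baseline = json.loads(json.dumps(snapshot(root)))

        _write(root, "index.html", "<h1>Owned.</h1>\n")             # defacement
        _write(root, "cgi-bin/sniff", "#!/bin/sh\n", 0o755)          # planted tool
        os.chmod(os.path.join(root, "cgi-bin/lookup"), 0o4755)       # setuid added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The permission bits are part of the record on purpose: a file whose contents are unchanged but which has gained a setuid bit is exactly the kind of quiet change a content-only check would miss.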
How do you defend? (4)
• Make frequent backups.
• Have a hot spare ready.
• Monitor your system frequently.
Denial-of-Service Attacks
Denial-of-Service
• Publicity is almost as good as changing somebody's web server.
  • Attack on PANIX
  • Attack on CyberPromotions
• Costs real money
  • Lost sales
  • Damage to reputation
Kinds of Denial-of-Service Attacks
• Direct attack: attack the machine itself.
• Indirect attack: attack something that points to the machine.
• Reputation attack: attack has nothing to do with the machine, but references it in some way.
Direct Denial-of-Service Attack
• Send a lot of requests (HTTP, finger, SMTP).
• Easy to trace.
• Relatively easy to defend against with TCP/IP blocking at the router.
Direct Denial-of-Service Attack 2
• SYN flooding
  • Subverts the TCP/IP 3-way handshake
    • SYN / SYN-ACK / ACK
  • Hard to trace
    • Each SYN has a different (forged) return address.
  • Defenses now well understood
    • Ignore SYNs from impossible addresses.
    • Large buffer pools (10 → 1024)
    • Random drop, oldest drop.
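The three defenses above are easiest to compare in a model. The following is an added example, not from the talk: a simulated half-open connection table that ignores SYNs from impossible source addresses and, when full, either rejects the new SYN, evicts the oldest entry, or evicts a random entry. A flood of SYNs from forged, never-answering addresses is sent first, then one legitimate client tries to connect. All addresses, ports and the flood size are constructed for the simulation.

```python
import ipaddress
import random
from collections import OrderedDict


def is_impossible_source(addr):
    """A SYN claiming to come from an address that cannot be reached from
    the Internet (private, loopback, multicast, unspecified, reserved)
    can never complete a handshake, so it is not worth a backlog slot."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved or ip.is_link_local)


class SynBacklog:
    """A listening socket's table of half-open connections.

    policy: 'reject' (drop the new SYN when full), 'oldest' (evict the
    oldest half-open entry) or 'random' (evict a random one)."""

    def __init__(self, capacity, policy="reject", rng=None):
        self.capacity = capacity
        self.policy = policy
        self.rng = rng or random.Random(0)
        self.half_open = OrderedDict()   # (src, sport) -> client ISN
        self.ignored = self.dropped = self.established = 0

    def on_syn(self, src, sport, isn):
        if is_impossible_source(src):
            self.ignored += 1
            return False
        key = (src, sport)
        if key in self.half_open:
            return True                  # retransmitted SYN, already queued
        if len(self.half_open) >= self.capacity:
            if self.policy == "reject":
                self.dropped += 1
                return False
            victim = (next(iter(self.half_open)) if self.policy == "oldest"
                      else self.rng.choice(list(self.half_open)))
            del self.half_open[victim]
            self.dropped += 1
        self.half_open[key] = isn        # server would now send SYN-ACK
        return True

    def on_ack(self, src, sport):
        """Third packet of the handshake: the entry leaves the backlog."""
        if (src, sport) in self.half_open:
            del self.half_open[(src, sport)]
            self.established += 1
            return True
        return False


def simulate(policy, capacity=10, flood=1000):
    """Flood with SYNs from forged, never-answering sources, then see
    whether one legitimate client can still connect."""
    backlog = SynBacklog(capacity, policy, random.Random(1))
    for i in range(flood):
        # Constructed forged sources: distinct, routable 64.x.x.x addresses
        forged = "64.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        backlog.on_syn(forged, 1024 + i, isn=i)
    for bogus in ("10.0.0.1", "127.0.0.1", "0.0.0.0"):
        backlog.on_syn(bogus, 5555, isn=0)   # ignored outright, no slot used
    legit = "44.0.0.1"                       # constructed legitimate client
    accepted = backlog.on_syn(legit, 40000, isn=777)
    completed = backlog.on_ack(legit, 40000) if accepted else False
    return {"accepted": accepted, "completed": completed,
            "dropped": backlog.dropped, "ignored": backlog.ignored}


if __name__ == "__main__":
    for policy in ("reject", "oldest", "random"):
        print(policy, simulate(policy))
    print("reject, 1024-slot backlog:", simulate("reject", capacity=1024))
```

With a 10-slot backlog and a reject-when-full policy the legitimate client never gets in; either eviction policy lets it through because the forged entries are the ones that get evicted; and a 1024-slot backlog absorbs this particular flood without any eviction at all, which is the "10 → 1024" point.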
Direct Denial-of-Service Attack 2
• SYN flooding 2
  • Most machines are not protected.
Indirect Denial-of-Service Attack
• Attack DNS
  • http://www.vineyard.net/ → 204.17.195.200
  • DNS spoofing (hard)
  • Upstream DNS server (easier)
  • InterNIC (easy!)
Indirect Denial-of-Service Attack
• Attack routing
  • Attack routers (hard)
  • Inject bogus routes on BGP4 peering sessions (easy)
  • Accidents have been widely reported.
  • Expect to see an actual BGP4 attack sometime this year.
Reputation-based Denial-of-Service Attack
• Spoofed e-mail
    To: [email protected]
    From: [email protected]
    Subject: Call Now!
    Hello. My name is Jean Dixon ...
• We got 3.9MB of angry responses.
Unsolicited Commercial E-Mail
Unsolicited Commercial E-Mail
• Pits freedom of speech against the right to privacy.
• Consumes vast amounts of management time.
• Drain on system resources.
Who are the bulk-mailers?
• Advertising for Internet neophytes.
• Advertising for sexually-oriented services.
• Advertising get-rich-quick schemes.
• Advertising bulk-mail services.
How do they send out messages?
• Send directly from their site.
• Send through an innocent third party.
• Coming soon:
  • Sent with a computer virus or ActiveX applet.
How did they get my e-mail address?
• Usenet & mailing list archives.
• Collected from online address books.
• AOL registry.
• University directory.
• Guessed
  • Sequential CompuServe addresses.
• Break into machine & steal usernames.
Operator Error & Natural Disasters
Operator Error & Natural Disasters
• Still a major source of data loss.
• Hard to get management to take seriously.
  • Not sexy.
  • Preparation is expensive.
  • If nothing happens, money seems misspent.
Operator Error
• Accidentally delete a file.
• Accidentally install a bad service.
• Accidentally break a CGI script.
• Psychotic break.
Natural Disaster
• Fire
• Flood
• Earthquake
Solutions
• Frequent backups
  • Backup to high-speed tape.
  • Real-time backup to spare machines.
  • Make sure some backups are off-site.
• Recovery plans.
  • Recovery center.
• Test your backups & plans!
Microsoft
Microsoft
• Danger of homogeneous environment.
• No demonstrated commitment to computer security.
  • Windows 95 is not secure.
  • Word macro viruses.
  • ActiveX
  • SMB
  • Windows NT ...?