Desktop Security 2

CSCD 303 Essential Computer Security
Winter 2014
Security Hole
Lecture 7 Desktop Security Vulnerabilities
Reading: References at end of Slides
Overview
• Learning Objectives
• Introduce OS Vulnerabilities
• What are they
• Why do they happen
• Study Access Control Vulnerabilities
• Users - Passwords
Security and Vulnerabilities
• Vulnerable Defined
According to Merriam-Webster, vulnerable means “exposed to possibility of being attacked or harmed, either physically or emotionally: ‘we were in a vulnerable position’.”
• Computer Security, Vulnerability Defined
Security Vulnerability refers to system flaw that
can leave
OS Vulnerabilities
• What are some vulnerabilities common to
all OS's?
OS Vulnerabilities
Look Common OS Vulnerabilities
1. Buffer Overflow
2. Unvalidated input
3. Race conditions
4. Access-control problems
5. Weaknesses in authentication
Buffer Overflow
• Every program that allows input
– Needs to store input in memory until it can be used for its intended purpose
– Examples:
  Web form, enter your name
  Saving a file, enter file name
  Search engine, enter search string
What is the definition of a buffer?
Buffer Defined
• A temporary storage area, usually in RAM
• Purpose of most buffers is to act as holding area, enabling CPU to manipulate data before transferring it to a device
• Because processes of reading and writing data to a disk are relatively slow, many programs keep track of data changes in a buffer and then copy the buffer to a disk
• For example, word processors employ a buffer to keep track of changes to files
Buffer overflow
• Program should check user input to make sure it's the correct length
– Frequently programmer does not bother to check length of input
– Programmer assumes user will not do anything unreasonable
– Language allows him/her to overwrite buffer
– For example
  • Form asks you to enter your first name
  • Has room for 12 characters
[Figure: the First Name field holds the 12 characters “Francessca-A”; the remaining characters “lly” are labeled Overflow Chars]
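The slide's 12-character First Name field, as an added example that is not part of the original lecture. The `struct region` layout, the "role=user" neighbouring data and all function names are constructed for illustration; the field and its neighbour are modelled as one array so the overrun can be observed in well-defined C.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 12    /* the slide's First Name field */
#define REGION_SIZE 32   /* constructed: field plus whatever follows it in memory */

/* One flat array models the field and its neighbour, so the overrun below is
   well-defined C. In a real program the write would leave the object. */
struct region {
    char bytes[REGION_SIZE];   /* [0..11] name field, [12..31] neighbouring data */
};

void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);
    strcpy(r->bytes + FIELD_SIZE, "role=user");   /* constructed neighbouring data */
}

const char *neighbour(const struct region *r) { return r->bytes + FIELD_SIZE; }

/* Unchecked: copies however many bytes arrive, as strcpy() would.
   Returns the number of bytes written outside the 12-byte field. */
size_t store_unchecked(struct region *r, const char *input) {
    size_t n = strlen(input) + 1;               /* characters plus NUL */
    if (n > REGION_SIZE) n = REGION_SIZE;       /* keeps the model in bounds */
    memcpy(r->bytes, input, n);
    r->bytes[REGION_SIZE - 1] = '\0';
    return n > FIELD_SIZE ? n - FIELD_SIZE : 0;
}

/* Checked: measure first and reject input that does not fit. A 12-byte C
   string buffer holds 11 characters, because the NUL needs the last byte. */
int store_checked(struct region *r, const char *input) {
    size_t len = strlen(input);
    if (len + 1 > FIELD_SIZE) return -1;        /* too long: nothing is written */
    memcpy(r->bytes, input, len + 1);
    return 0;
}

int main(void) {
    struct region r;
    region_init(&r);
    printf("checked:   rc=%d neighbour=\"%s\"\n",
           store_checked(&r, "Francessca-Ally"), neighbour(&r));
    printf("unchecked: spilled=%zu neighbour=\"%s\"\n",
           store_unchecked(&r, "Francessca-Ally"), neighbour(&r));
    return 0;
}
```

An input of exactly 12 characters still spills one byte in the unchecked version, because the terminating NUL lands in the neighbouring data.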
Buffer Overflows
• How are buffer overflows used to
compromise your computer?
– As part of long data input, attacker will include
some of his own code
– Then, manipulates flow of program in memory
to execute his code ...more on this later
– If program that is overflowing is running with
administrator privileges, attacker code has
administrator privileges
– Then, they can do anything to your computer !!!
Microsoft Vulnerabilities
• Does anyone know about the vulnerability
described in
Microsoft Security Bulletin MS08-067 ?
Buffer Overflow MS08-067
• Buffer overflow vulnerability in Windows
Server Service
– For systems running Windows 2000, XP, Windows
7 and Server 2003, remote, unauthenticated
attacker could exploit this vulnerability
• In Vista, attacker would need to be authenticated
– Since Server service runs with Administrator
privileges, an attacker could take complete control
of a vulnerable system
– This IS the vulnerability that Conficker exploited!
Details of MS08-067
• Specifically, this vulnerability is a buffer overflow
in an unauthenticated Windows SMB file sharing
session
– SMB = Server Message Block, protocol
for sharing server resources like files and
printers
• Malicious client can bind to service and issue a
request with an overly long argument
– Overflowing a buffer and possibly
executing arbitrary code on the vulnerable
server
• This is one way malware is getting onto systems
What is the Server Message Block?
• Operates as an application-layer network protocol
• Provides shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network
• Also provides an authenticated inter-process communication mechanism
Linux Buffer Overflow Vulnerabilities
• Is Linux or Mac OS X immune to buffer overflows?
– No. They have these too …
• Google search of “buffer overflow vulnerabilities in linux 2013”
– Came back with 286,000 hits
– Among the problems
  Stack based X-Windows vulnerability
  Affects all Linux distributions
  Adobe Flash Player – Linux
• Re-ran the search “buffer overflow vulnerabilities in linux kernel 2013”
– Came back with 74,000 hits
Unvalidated Input Attacks
• Any input received by a program from an
untrusted source is a potential target for attack
– Hackers look at every source of input
– Try to inject their own code or script to be run by
the system accepting the input
– May allow them unauthorized access
Validating Input
• Input needs to meet programmer expectations
• For whatever input required:
– HTML, email, userid or valid database request
• Compare input to what is known to be acceptable
• Commonly use regular expressions, which are patterns of characters that describe allowable input
• Bad input is either rejected or altered
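Allowlist validation of a userid with a regular expression, showing both the "rejected" and the "altered" path. This is an added example, not part of the original lecture; the userid policy and all function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed policy for a userid: a lowercase letter, then 2 to 15 lowercase
   letters, digits or underscores. */
#define USERID_ANCHORED   "^[a-z][a-z0-9_]{2,15}$"   /* whole input must match */
#define USERID_UNANCHORED "[a-z][a-z0-9_]{2,15}"     /* matches any substring */

/* 1 = input matches the POSIX extended regex, 0 = no match, -1 = bad pattern. */
int matches(const char *pattern, const char *input) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, input, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* "Rejected": accept the input only if all of it is on the allowlist. */
int userid_ok(const char *input) { return matches(USERID_ANCHORED, input) == 1; }

/* "Altered": lowercase letters and drop every character off the allowlist.
   The result is re-validated; returns 1 if what is left is a valid userid. */
int userid_clean(const char *input, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return 0;
    for (; *input != '\0' && n + 1 < outsz; input++) {
        unsigned char c = (unsigned char)*input;
        if (isupper(c)) c = (unsigned char)tolower(c);
        if (islower(c) || isdigit(c) || c == '_') out[n++] = (char)c;
    }
    out[n] = '\0';
    return userid_ok(out);
}

int main(void) {
    char buf[17];
    printf("%d %d %d\n", userid_ok("alice_01"), userid_ok("alice<b>"),
           matches(USERID_UNANCHORED, "alice<b>"));
    printf("%d %s\n", userid_clean("Alice <01>", buf, sizeof buf), buf);
    return 0;
}
```

The unanchored pattern accepts "alice<b>" because it only needs to find an acceptable substring, which is why the anchors matter.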
Race Condition
• A race condition exists when two events can occur
out of sequence … unexpected
– If correct sequence is required for proper functioning of
program, potential vulnerability can be exploited
– If attacker can cause correct sequence not to happen
and insert malicious code, change a filename, or
otherwise interfere with normal operation
– Race condition is a security vulnerability
• Attackers can sometimes take advantage of small time
gaps in processing of code
– Interfere with sequence of operations
– Which they then exploit
Race Conditions
• There are two basic types of race condition
that can be exploited
1. Time of check/time of use
2. Interprocess communication
Race Condition:
Time of Check/Time of Use
• Application checks some condition before
undertaking an action
• For example, it might check to see if file exists
before writing to it
• Attacker, by continuously running program that
creates new temporary file can create file in gap
between when application checked to make sure
temporary file didn't exist and when it opens it for
writing
• Application then opens attacker's file and writes to it
...
• System routine opens an existing file if there is one,
and creates a new file only if there is no existing file
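The check-then-open gap from this slide next to an open that closes it, as an added example that is not part of the original lecture. The function names and the /tmp path are constructed; the "other process" is replayed inside one process so the result is deterministic.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Racy pattern, step 1 (time of check): is anything at this path? */
int file_absent(const char *path) { return access(path, F_OK) != 0; }

/* Racy pattern, step 2 (time of use): O_CREAT alone opens whatever is at the
   path by now, including a file that appeared after the check. */
int open_after_check(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: O_CREAT|O_EXCL makes "does it exist?" and "create it" a single
   atomic system call. It fails with EEXIST if anything, even a symbolic
   link, already occupies the path. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed replay of the gap, run in one process so it is deterministic.
   Returns 1 when the racy pair opened a file it did not create while the
   exclusive open refused it, 0 otherwise, -1 on setup failure. */
int replay_gap(const char *path) {
    unlink(path);
    if (!file_absent(path)) return -1;          /* check passes */
    int other = open(path, O_WRONLY | O_CREAT, 0644);
    if (other < 0) return -1;                   /* stands in for another process */
    close(other);

    int racy = open_after_check(path);          /* succeeds on the other file */
    errno = 0;
    int safe = open_exclusive(path);            /* refuses it */
    int refused = (safe == -1 && errno == EEXIST);

    if (racy >= 0) close(racy);
    if (safe >= 0) close(safe);
    unlink(path);
    return racy >= 0 && refused;
}

int main(void) {
    printf("gap replay: %d\n", replay_gap("/tmp/toctou_example.tmp"));
    return 0;
}
```

For temporary files specifically, mkstemp() wraps the same exclusive-create behaviour with an unpredictable name.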
Race Condition:
Interprocess Communication
• Separate processes—either within a single
program or in two different programs—sometimes
have to share information
– For example, if two processes share the same data, there is potential for an attacker to alter data after one process sets it but before the other reads it
– Solution to race conditions of this type is to use
some locking mechanism to prevent one
process from changing a variable until another
is finished with it
Access Control
• Many OS security vulnerabilities are created by
careless or improper use of access controls, or by
failure to use them at all
– Exploits involve an attacker somehow gaining
more privileges than they should have
• Privileges, also called permissions, are access
rights granted by the operating system
• Controls who is allowed to read and write files, see
directories, execute a program
Access Controls
Operating Systems
• Access controls provided with an operating system typically authenticate users using some mechanism such as passwords or Kerberos, then mediate their access to files, communications ports, and other system resources
• Their effect can often be modelled by a matrix of access permissions, with columns for files and rows for users.
• Following Example ...
We’ll write r for permission to read, w for permission to write, x for permission to execute a program, and (–) for no access at all
Access Controls
Operating Systems
• Alice, the manager, needs to execute the operating system and application, but she mustn’t have the ability to tamper with them. She also needs to read and write the data.
• Bob, the auditor, can read everything, and execute OS
• Sam, the Accountant, needs read, write and execute OS, Prog
Access Control
Operating Systems
• Individual and Group Access Control
– So far, talked about individual Access Control
– Group Access Control is another level of security
• Typical to have several groups
– Users vs Administrators
• Could also be distinctive roles
– Accountants
– Managers
– Sales Staff
Access Control Lists
• Groups Implemented via Access Control Lists
– Formally, can specify individual and group access with Access Control Lists
– Store ownership and access along with resource
• Example – Accounting Data
– Sam and Alice can read and write – rw
– Bob can only read – r
Access Control
• Of particular interest to attackers is gaining
of root or administrator privileges
– Unrestricted permission to perform any
operation on system
• Application running with root privileges can access
everything and change anything
– Many security vulnerabilities involve
programming errors that allow an attacker to
obtain root privileges
– Some involve taking advantage of buffer
overflows or race conditions ...
Authentication and Authorization
• Access control enforced by applications,
requires users to authenticate before
granting authorization to perform an
operation
• Authentication can involve requesting a user's credentials
1. User name and password
2. Digital certificates
3. Biometrics – Fingerprints, Iris/retina scan
Authentication as Security Mechanism
• What is authentication?
– Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be
• How do we do this in the real world?
Digital Authentication
• How do computers use authentication?
– Grant access to resources
– Typically, information, but also access to hardware, printers, other systems
– Also, access to being able to run certain programs
Users as Vulnerabilities
• Often weakest link in chain of security
features protecting a user's data and
software is the user himself
• Attackers increasingly concentrate on fooling users
into executing malicious code, handing over
passwords, credit-card numbers, and other private
information
– Default Passwords, no passwords or weak
passwords contribute to users as vulnerabilities
Passwords
as Authentication Mechanisms
Users and Passwords
• Fortunately or unfortunately ...
• Users must be entrusted with security of
their own systems
– Passwords still used extensively as way to
authenticate people
– Why are they still used?
– Easy to use, know how to use them, people are
familiar with them, cheap!!
– Can be used both locally and remotely
• On your home PC and over the Internet
Passwords
• While we may find them annoying, and
even take them for granted,
• Important to remember why passwords are
important
– Passwords are often first and possibly only
defense against intrusion
Password Weaknesses
• If password is sent in clear, can be
intercepted
• Password is encrypted, requires
establishment of encryption key
Where is key stored, can key be
compromised?
• People choose bad passwords
• Passwords are easily observed
• Passwords can be sniffed by spyware
People Give away Passwords
http://news.bbc.co.uk/2/hi/technology/3639679.stm
• Security crumbles in the face of sweet bribes
• More than 70% of people would reveal their computer
password in exchange for a bar of chocolate, according to
a survey
• It also showed that 34% of respondents volunteered their
password when asked without even needing to be bribed
Disadvantages of
Passwords
Note: Passwords are generally pretty
weak
• University of Michigan: 5% of passwords were goblue
• Passwords often used in more than one place
Disadvantages of Passwords
• Attacker can access the hashed password
– Can guess and test passwords offline: “password cracking”
• Lots of help
– John the Ripper
– Cain and Abel
– THC Hydra
• You will get to see how easy it is to use Cain and Abel
How to Break Passwords
• Three main ways programs “crack”
passwords
1. Dictionary attack - tries thousands of words
from dictionary files as possible passwords
– Every word from dictionary is tested in a
variety of modifications, cat – tac, cat1, cated
– Encrypt words from list of English words,
compare each encryption against stored
encrypted version of users' passwords
How to Break Passwords
2. Brute Force Attack
• Finds passwords by checking all possible
combinations of characters from the Symbol Set
– You can make a big Brute-Force-Dictionary to
implement Brute-Force attack
– Actually, don't have to … these come with
automated tools !!!
How to Break Passwords
3. Guessing Attack – Guess based on something “known”
– blank (none)
– words "password", "passcode", "admin" and their derivatives
– a row of letters from the qwerty keyboard -- qwerty itself,
asdf, or uiop
– user's name or login name
– name of their significant other, a friend, relative or pet
– birthplace or date of birth, or a friend's, or a relative's
– automobile license plate number, or a friend's, or a relative's
– office number, residence number or most commonly, their
mobile number
Effectiveness of
Password Guessing
How well do these work?
Guessing ...
• September 2008, Yahoo e-mail account of Governor
of Alaska and Vice President of the United States
nominee Sarah Palin
• Accessed without authorization by someone who
researched answers to two of her security questions
– Zip code and date of birth and was able to guess
the third, where she met her husband!
Twitter Hacker Succeeded with Self-authored Tool
• Weak Password Brings ‘Happiness’ to Twitter Hacker
• An 18-year-old hacker with a history of celebrity pranks has admitted to hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News – 2009
http://www.wired.com/threatlevel/2009/01/professed-twitt/
Effectiveness Password Guessing
• Another Example
– Gary McKinnon, accused of perpetrating
"biggest military computer hack of all time",
– Claimed that he was able to get into military's
networks by using Perl script that searched for
blank passwords
– His report suggests that there were computers
on these networks with no passwords at all!
Effectiveness of Password Cracking
Penn State CS Engineering Department
• Ran John the Ripper on CSE authentications
– 3500 in all
• In first hour, 25% were recovered
– About half of these due to dictionary attacks
– But, half using other heuristics and brute force
• Over 5 days, 35% were recovered
– Steady state recovery due to brute force
Top Password cracking software listed here
http://sectools.org/crackers.html
Password Cracking Stats
Common Password Advice
Cat or Dog – Bad
Qvmerx49z! - Good
Should be at least 8 characters
Use characters from each of the following four classes:
• English upper case letters
• English lower case letters
• Arabic numerals (0,1,2,…)
• Non-alphanumeric (special) characters such as
punctuation symbols
Don’t use a proper name or any word in dictionary
without misspelling it in some way
Don’t reuse password you have used before
Don’t use the same password for different types of
systems
How Passwords are Used
• Windows Files
On Windows systems password hashes are
stored in the SAM (Security Accounts Manager) database
• Unix/Linux Files
On Unix/Linux systems the password hashes are stored in
the /etc/shadow file
• Authentication Process
• User enters password, Example: catdog
• Hash is computed, Hash(catdog) = sMxYb7$og4uxH4oHXAVwf
• The computed hash is compared to stored hash
• Access granted or denied
Summary
• Vulnerabilities are in ALL current popular OS's
– Hard to go beyond the “hype” to understand how
vulnerable you are given a certain OS
– Try to discover for yourself how secure OS is that
you are using
– Read bulletins, seek opinions of people you trust
and try to protect yourself
– Buy add-on security products, disable OS features,
run with reduced privilege
References and Reading Material
Secure Coding in Linux – Free Book
http://www.dwheeler.com/secure-programs/
Secure Coding Guide
https://developer.apple.com/library/mac/#documentation/security/Conceptual/SecureCodingGuide/Articles/TypesSecVuln.html
The End
Next Time:
Specifics Windows vs. Linux, go over Assignment