Transcript Patch
CSCD 303
Essential Computer
Security
Fall 2010
Lecture 8 - Desktop Security
Recovery, Prevention and Hardening
Reading: Links are in Lecture
Overview
• Recovery and Prevention
•Recovery
• Antivirus/Antitrojan
• Restore System
– Restore – Windows
• Boot disks
Prevention
• Patching – All systems
• Harden OS - Features
The Attack Surface
• Security folks talk about “Reducing the
Attack Surface”
–What does that mean?
– Get Secure
• Reduce the Attack Surface
• Patch
• Harden
– Stay Secure
• Maintain secure infrastructure
–
–
–
–
Patches
Updates
Upgrades
Read, Research, Results
The Attack Surface
• What is an Attack Surface?
Weak
Passwords
Open File
Shares
Open Ports
Systems
too complex
Unknowns
People
Unused Services Left
On
Un-patched
Web Server
Excessive privileges
No
Policies
No Auditing
The Attack Surface
• Now for The Attacks ...
Port Scanners
Viruses
Password
Cracking
Trojan Horses
Unknowns
People
Network
Spoofing
Denial of
Service
Packet Sniffing
Worms
Poisons
(Packets, DNS,
etc.)
Anti-virus
• Anti-virus
– Will identify infections, viruses, trojans, worms
– Not always able to exactly identify what got you
– First step, detect something is wrong
– Try to identify it - Key
– Then, try to remove it and restore the files if
possible
– Two main ways – Treating Infection
• Quarantine
• Disinfect
Anti Virus Software
• Quarantine
– Only temporary until user decides how to handle
it, user asked to make a decision
Anti Virus Software
• Why do Anti-Virus Programs Quarantine?
– Virus detection was generic, can’t determine
how to clean it off of system
– Want user, you, to make a decision
– Quarantine Actions
• Copy infected file to quarantine directory
• Remove original infected file
• Disable file permissions so user can’t
accidentally transfer it out of directory
Anti Virus Software
• Disinfect Files
• a. Disinfection by Specific Virus
– Multiple ways to disinfect files
– Depends on the type of virus
– From virus DB, get file executable start address
• Run generic clean-up routine with start address
• Can derive this information by running virus in
test lab, recording information from infected file
• Store this information for specific virus
Anti Virus Software
• b. Disinfect by Virus Behavior
– Disinfect based on assumptions from virus behavior
• Prepend or Appended viruses
• Restore original program header
• Move original byte contents back to original location
– Can store in advance for each executable file on an
uninfected system, system file
•Program header, file length, checksum of executable file
contents, which is a computed check of the file contents
•Compute various checksums until you get the exact
checksum of the file, can be tricky need to figure out which
part of the file is original, look for checksum match
Test Your Virus Scanner
• Good to test your anti-virus software to see how
well it does
• There is test file you can use to test your antivirus software
–The Anti-Virus or Anti-Malware test file
• From the European Expert Group for IT Security,
www.eicar.org
–Run this file against your virus scanner to
determine its effectiveness
http://www.eicar.org/anti_virus_test_file.htm
System Restore Windows
• Purpose of System Restore
– Create snapshot of system's configuration
– Want to return a system back to a known good
configuration
• System Restore is designed to automatically
create a restore point
– Each time system recognizes a significant change
in the file or application
System Restore
Go to Start>> All Programs>> Accessories>> System
Tools>> System Restore
System Restore and Viruses
• Virus authors intentionally write viruses with same
extensions as Windows files that are backed up by System
Restore
• Common for people to have a virus, then run virus scans to
remove the virus
– But, once System Restore recovers computer to an
earlier date, it is very possible to introduce that same
virus back to system
• When a virus is found on a system,
• System Restore should be completely disabled, all Restore
Points should be deleted ...
– So, whats the point? System restore not for malware!!
• After scanning computer, restore can be turned back on
Making a Boot Disk Vista and
Other OS's
• If your computer is un-bootable, what do
you do?
– Try to use a recovery disk.
– How many know where the recovery disk is?
– Can you make one?
Vista Recovery Disk
• Recovery Disk or a Recovery Partition will
allow you to restore your computer to
original settings from hardware
manufacturer,
– Will not be able to use it to repair your
Windows Vista installation
– For that, you will need an actual Windows Vista
DVD that contains the Windows Recovery
Environment
Making a Boot Disk Vista/Windows 7
• Yes, you can make an installation disk if your
computer didn't come with one
– Complete burnable images for Vista
– And ... a DVD or CD writer
http://www.howtogeek.com/howto/windows-vista/how-tomake-a-windows-vista-repair-disk-if-you-dont-have-one/
http://neosmart.net/blog/2008/download-windowsvista-x64-recovery-disc/
– Versions of 32 and 64 bit and Windows 7
Boot Disk for Ubuntu
• Ubuntu
– Can make Ubuntu into a live image CD
– Really easy, Use it to boot and possibly fix
Ubuntu
– Instructions are here
https://help.ubuntu.com/community/LiveCD
Patching
Patching
• What does patching your computer do?
– Allows it to limp along until the next major
version
• Windows XP before Vista
• Vista then quickly Windows 7 etc.
– Software producers give you patches to fix
“holes” in between major software versions
Study on Unpatched Computers
http://www.computerworld.com/s/article/9109938/Unpatched_Windows_PCs_fall_to_hackers_in
_under_5_minutes_says_ISC?taxonomyId=82&intsrc=kc_top&taxonomyName=cybercrime_
and_hacking
• 2008
• Computerworld - It takes less than five minutes for
hackers to find and compromise an unpatched
Windows PC after it's connected to the Internet, a
security researcher said today.
• The SANS Institute's Internet Storm Center (ISC)
currently estimates the "survival" time of an Internetconnected computer running Windows at around four
minutes if it's not equipped with the latest Microsoft
Corp. security patches
More Patching Stories
http://www.circleid.com/posts/20090915_major_organizations_ove
rlooking_high_priority_security_risks/
• Security report by SANS Institute, TippingPoint and
Qualys, Sept. 2009
– Number of vulnerabilities found in applications in
far greater than the number of vulnerabilities
discovered in operating systems
– "On average, major organizations take at least
twice as long to patch client-side vulnerabilities as
they take to patch operating system vulnerabilities
– In other words highest priority risk is getting less
attention than the lower priority risk"
Patching
• Types of Patches
– Patch – Simple small fix, one or two problems
– Update – Add or fix problem or earlier patch
– Cumulative – Includes all previously released
patch for one application
– Service Pack – Generally, large files, typically
include lots of patches to many problems
– Vista is up to service pack 2
– Windows 7 - not even to service pack 1
What Should you Patch?
• Microsoft releases Windows security updates
on the second Tuesday of every month
– Recommended you turn on automatic updates,
all versions of Windows
– Configure this in control panel
Updates for Microsoft Vista/7
• What gets updated?
– Updates OS & Internet Explorer,also other
Microsoft Windows software, such as Microsoft
Office, Windows Live applications, and
Microsoft Expression
– But, older versions of Windows updated only
OS components,
• Windows Updates vs. Microsoft update
• Users had to go to Microsoft update to update their
Office suite and SQL Server ... etc.
http://arstechnica.com/microsoft/news/2010/04/isvs-toblame-for-vista7-infections-office-updates-ignored.ars
Updates for Microsoft Vista/7
• Does it update other software on your
computer? Like Adobe Flash Player ...
• Microsoft does not, update other software running
on your computer
Updates for Ubuntu, Mac OS X
• Ubuntu updates
– All the software on its distribution automatically
– Built into the system as a service
– Need to turn it on,
update manager
• Mac OS X
– Updates all software on Mac
Patching
• Third party Software
– Vendors often provide free patches on their
web sites
• Should know how vendor supplies patches
• Provide programs bundled with their systems
automatically contact their web sites looking for
patches specifically
• Automatic updates tell you when patches are
available, download them, and install them
Patching
• Boring but ...
– Make a list of the software on your computer
• Games, office, document readers, Adobe, media
players – like Flash, Database, Multi-media, voip –
Skype, security software – Semantic, Browser
• What is their patching strategy?
• Websites? Auto-update?
Patch Management
• Patches are issued for good reasons
– Always test before deploying
• Are some Automation Tools
– Monitoring/Alerting
– Data Collection/Archiving
• HfNetChk – weird name, great tool!
– Windows machines queries it for up-to-date
patches
http://majorgeeks.com/HFNetChk-FE_d1103.html
Harden OS
OS Hardening Defined
• What is Operating System Hardening?
Reconfiguring an OS to be more secure, stable
and resistant to attacks.
• Examples:
–
–
–
–
Removing unnecessary processes.
Setting file permissions.
Patching or updating software.
Setting network access controls.
Hardening Utilities
• Bastille Linux
www.bastille-linux.org
– Automated security
program, Security wizard
• SUID restrictions
• SecureInetd
• DoS attack detection and
prevention
• Automated firewall
scripting
• User privileges
• Education
– You can try it against your
computer ....
Linux Hardening
• Examine Linux System Features
– Recall ....
• Linux is more modular than Windows
• Multi-user design from the beginning
– Challenge in cracking Linux
• Gain Root access
– Goal in Defense of Linux
• Make unauthorized root access impossible
Linux Hardening
• Setuid and Setgid
– Everything in Linux is a file
• Files have read, write and execute permissions
• One more permission is setuid (similar with setgid)
• Executable programs run with same privileges of file
owner
• If owner is root ... gain root privileges
• Goal is to use buffer overrun or some other means
of gaining a root shell session, attacker can do
anything after that
Linux Hardening
• Example
chmod 4755 removemyfiles.sh
-rwsr-xr-- 1 ctaylor fac removemyfiles.sh
Assume remove my files is a script
#! /bin/bash
rm -rf /home/ctaylor/*.*
The -rws in above permissions on file, says to run this
program with the privileges of ctaylor
Linux Servers
• Don't install some software
– X - windows
– RPC Services
– R-Services, rlogin, rpc - ssh instead
– Inetd daemon
– SMTP daemons - enabled by default
– Telnet, ftp, pop3 and Imap
– Might want to disable LKM - Loadable Kernel
Modules
Windows Hardening
Overview
•
•
•
•
Services
Account types of policies
Software Restrictions
Data lock down
– Bit Locker
– EFS
Windows Vista and 7 Security Features
• Windows Service Hardening
– Most Windows exploits, install malware, result of
flaws in Windows services
– Windows services have been changed as follows:
•
•
•
•
Each service is given a SID number, Security ID
Services run with a lower privilege level by default
Unnecessary privileges for services have been removed
Services are isolated and cannot interact with users
Account Policies
• Contain the password policy and the
account lockout policy
• Must be configured at the domain level
• Password policy
– Controls password characteristics for local user
accounts
– Available settings
•
•
•
•
Enforce password history
Maximum, Minimum password age
Minimum, Maximum password length
Complexity requirements
41
Account Policies
• Account lockout policy
– Prevents unauthorized access to Windows
Vista
– Can configure an account to be temporarily
disabled after a number of incorrect log-on
attempts
42
Software Restriction Policies
• Defines which programs are allowed or
disallowed in the system
• Used in corporate environments where
parental controls are not able to be used
• Default security level for applications
– Disallowed
– Basic User
– Unrestricted
MCTS Guide to Microsoft Windows Vista
43
Software Restriction Policies
• Software not affected by software
restriction policies
– Drivers or other kernel mode software
– Programs run by the SYSTEM account
– Macros in Microsoft Office 2000 or Microsoft
Office XP documents
– .NET programs that use the common
language runtime (alternate security is used)
44
Software Restriction Policies
• Software restriction configuration options
– Policies are evaluated each time an
executable file is accessed
– Executable files are identified by file extension
• You can customize the list of extensions
– Many Windows applications use DLL files
when they are executing
– DLL files are considered a lower risk than
executable files and are not evaluated by
default
45
Data Security
• NTFS permissions
– Most basic level of data security in Windows
Vista
– Stop logged-on users from accessing files and
folders that they are not assigned read or write
permission to
• Relatively easy to work around NTFS
permissions!!!!
– When you have physical access to the
computer
• To secure data on desktop computers and laptops,
encryption is required
– Vista includes Encrypting File System (EFS) 46
and BitLocker Drive Encryption
Encryption Algorithms
• Symmetric Encryption
– What is Symmetric Encryption?
– Same key to encrypt data and decrypt data
– Symmetric encryption is strong and fast
• Good for encrypting large volumes of data such as
files
– Used by both EFS and BitLocker Drive
Encryption
– Biggest problem is securing the key
47
Encrypting File System
• Encrypting File System (EFS)
– First included with Windows 2000 Professional
– Encrypts individual files and folders on a
partition
– Suitable for protecting data files and folders on
workstations and laptops
– Can also be used to encrypt files and folders
on network servers
• File or folder must be located on an NTFS-formatted
partition
MCTS Guide to Microsoft Windows Vista
48
Encrypting File System
• To use EFS, users must have a digital certificate with
a public key and a private key
– Windows Vista can generate one for you
• From the user perspective,
• Encryption is a file attribute
• Files can also be encrypted using the command-line
utility Cipher
• Lost encryption keys
– If a user loses the EFS key, then an encrypted file
is unrecoverable with the default configuration
49
Encrypting File System
• Lost encryption keys
– Some ways EFS keys may be lost
• The user profile is corrupted
• The user profile is deleted accidentally
• The user is deleted from the system
• The user password is reset
– Backing up your EFS key is done by using the
Certificates MMC snap-in
• Only you can back up your own key
– Creating a recovery certificate allows the files encrypted
by all users to be recovered if required
50
BitLocker Drive Encryption
• BitLocker Drive Encryption
– Data encryption feature included with Windows
Vista
• An entire volume is encrypted when you use
BitLocker Drive Encryption
– Also protects the operating system
• Designed to be used with a Trusted Platform
Module (TPM)
– Part of the motherboard in your computer and
used to store encryption keys and certificates
MCTS Guide to Microsoft Windows Vista
51
BitLocker Drive Encryption
MCTS Guide to Microsoft Windows Vista
52
BitLocker Drive Encryption
• BitLocker Hard Drive Configuration
– Hard drive must be divided into two partitions
• Encrypted partition: the operating system volume
• Unencrypted system partition: contains necessary
files to boot the operating system
MCTS Guide to Microsoft Windows Vista
53
BitLocker Drive Encryption
• Recovering BitLocker-Encrypted Data
– A recovery password is generated
automatically
– You can save it to a USB drive or folder,
display on the screen, or print
MCTS Guide to Microsoft Windows Vista
54
BitLocker Drive Encryption
• Recovering BitLocker-Encrypted Data
– Recovery password is required when the normal
decryption process is unable to function
– Most common reasons include:
• Modified boot files
• Lost encryption keys
• Lost or forgotten startup PIN
• Disabling BitLocker Drive Encryption
– Decrypts all of the data on the hard drive and
makes it readable again
55
Summary
• Recovery, Prevention and Hardening
– Learn about restoring your computer and
preventing problem before bad things happen
– Learn how to use some tools now, while your
computer is still running
– Learn how to restore your system, learn how to
patch and to keep updated on patches
– What else to do to Harden your system beyond
the usual default configuration
The End
• Next Time
– Authentication and Biometrics
• Creative Midterm