Quiz-2 Review
ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: Klaus 3362
email or call for office visit, or call 404 894-5177
March 25, 2015
Quiz-2 Topic Areas
Email Security - PGP, S/MIME
IP Security - IPsec (AH, ESP modes, VPN)
Web Security
- Secure Sockets Layer (SSL, TLS)
- Certificates, CA’s, Hashes (MD5)
Intruders (and other Malicious Users) - Protection
DNS - cache poisoning (Birthday Attack used)
IDS - (Base-Rate Fallacy, False-Positive Rate)
Viruses - Worms, Trojan Horses, Logic Bombs, ...
TCP-IP, Firewalls, Secure Electronic Transactions (SET), and Trusted Systems
We have discussed:
BotNets, DDoS, SPAM, Phishing
Slides 17 (1 -11): Buffer Overflows, Stack Frames
Definitions
Virus - code that copies itself into other programs.
A “Bacteria” replicates until it fills all disk space, or CPU cycles.
Payload - harmful things the malicious program does, after it has had
time to spread.
Worm - a program that replicates itself across the network (usually riding on
email messages or attached documents, e.g., macro viruses). Email “viruses” are
technically “worms”.
Trojan Horse - instructions in an otherwise good program
that cause bad things to happen (sending your data or
password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (time, trigger).
Trap Door (or Back Door) - undocumented entry point written into code for
debugging that can also let unwanted users in.
“Vulnerability” - a program defect that permits “Intrusions”.
Easter Egg - extraneous code that does something “cool.” A way for
programmers to show that they control the product.
Bot, BotNet - Large P2P network (hundreds to millions) of
compromised computers (Bots) that communicate to commit DDoS,
SPAM, Phish.
The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
   • locate which IP addresses are in use,  (detection: flow-based* "CI", signature-based?)
   • learn what operating system is in use,
   • find what TCP or UDP ports are “open” (being listened to by servers);
     vulnerability scan.  (detection: signature?, flow-based)
2. Run “exploit” scripts against open ports. [ACCESS]  (detection: port profile*)
3. Elevate privileges to “root”. [ELEVATE]  (detection: host-based)
4. Download from a hacker web site special versions of system files that will let
   the cracker have free access in the future without his CPU time or disk storage
   space being noticed by auditing programs. [ROOT KIT]
   (detection: signature?, "port profile"*, forbidden zones*, host-based)
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the
   computer and its info another way. [UTILIZE]
   (detection: signature?, "port profile"*, forbidden zones*, host-based)
* StealthWatch
Protection from a Network Intrusion
Protection
1. Use a “Firewall” between the local area network and the worldwide Internet to limit access (Chapter 10).
2. On Microsoft PC’s, with XP and later, use the OS firewall that
limits incoming and outgoing communications by Application
(program), not just port number. For Mac, buy "Little Snitch" ($35).
Detection
1. Use an IDS (Intrusion Detection System) to detect Cracker during
the scanning stage (lock out the IP address, or remove malware from
a local host).
2. Use a program like Tripwire on each host to detect when system files are
altered, and email an alert to the Sys Admin.
Reaction
1. Have a plan and means to implement it.
Rule 2: Multiple Layers of Protection are needed to reach a
high level of security at an affordable cost.
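Detection item 2 above is, at its core, a hash baseline followed by a later re-scan. The following is an added example in that spirit (it is not Tripwire's own code and not from the slides); the directory tree, file names and the "trojaned ps" scenario in demo() are constructed inside a temporary directory.

```python
"""Tripwire-style file-integrity check: baseline a tree, re-scan, report changes.

Added example, not Tripwire's own code. The sample tree (a fake bin/ with ls, ps
and netstat, then a replaced ps, a new library and a deleted tool) is constructed
inside a temporary directory.
"""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries never sit in memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (path relative to root) to its hash, size and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, devices, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission bits incl. setuid/setgid
            }
    return baseline


def check_against_baseline(root: str, baseline: dict) -> dict:
    """Re-scan root and classify every difference from the stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, meta in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != meta:  # content, size or permission bits changed
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: baseline a clean 'system', then simulate a root kit install."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "lib"))
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"#!/bin/sh\necho real %s\n" % name.encode())
        baseline = build_baseline(root)

        # Attacker swaps in a ps that hides processes, drops a library, deletes netstat.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        with open(os.path.join(root, "lib", "libhide.so"), "wb") as f:
            f.write(b"\x7fELF fake shared object")
        os.remove(os.path.join(root, "bin", "netstat"))

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to live where the monitored host cannot rewrite it (read-only media, another machine, or a signed copy), otherwise a root kit that replaced ps would simply rewrite the baseline too. A kernel-level root kit that intercepts file reads can also hand the scanner the original bytes, which is why stage 4 above lists host-based detection alongside network signatures rather than instead of them.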
Anomaly-Based Intrusion Detection
[Figure 9.1: distributions of a measured behavior parameter for normal events and
for intrusions, separated by the Detection Threshold. Events past the threshold
are detected as Positive (an Alarm); events on the other side are Negative. The
tail of normal events past the threshold is the False Alarms (False Positives,
FP); the tail of intrusions short of the threshold is the Undetected Intrusions
(False Negatives, FN).]
A Negative event, True or False, is one that does not trigger an Alarm.
High statistical variation in most measurable network behavior parameters results
in a high false-alarm rate.
#False-Positives = #Normal Events x FP-rate
#False-Negatives = #Bad Events x FN-rate
#Alarms = #True-Positives + #False-Positives
"Base-Rate Fallacy"
Calculations
If the “behavior” is a connection:
For legitimate connections (total number = LC):
  True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
  Correctly handled connections (no alarms) = TNR * LC
  Incorrectly handled connections (false alarms) = FPR * LC
For malicious connections (total number = MC):
  False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
  Correctly handled connections (real alarms) = TPR * MC
  Incorrectly handled connections (no alarms) = FNR * MC
If LC >> MC, then FPR * LC >> TPR * MC whenever FPR >> MC/LC (a tiny ratio),
since TPR = 1 - FNR is approximately 1; hence “false alarms” are much more
numerous than “real alarms”. Equivalently, the fraction of alarms that are real,
TP / (TP + FP) = TPR * MC / (TPR * MC + FPR * LC), stays small until the FPR is
pushed down to the order of MC/LC.
See Slide Set 09A, #17 for example calculations.
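The calculation above carried through in code, as an added example that is not from the slides; it uses the slide's symbols (LC, MC, FPR, FNR, TPR, TNR) and the traffic volumes in demo() are constructed.

```python
"""Base-rate fallacy: false alarms vs real alarms for an IDS. Added example.

Symbols follow the slide: LC legitimate connections, MC malicious connections,
FPR (= 1 - TNR) on legitimate traffic, FNR (= 1 - TPR) on malicious traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsOutcome:
    true_negatives: float   # TNR * LC : legitimate, no alarm
    false_positives: float  # FPR * LC : legitimate, alarm (false alarm)
    true_positives: float   # TPR * MC : malicious, alarm (real alarm)
    false_negatives: float  # FNR * MC : malicious, no alarm (missed intrusion)

    @property
    def alarms(self) -> float:
        return self.true_positives + self.false_positives

    @property
    def alarm_precision(self) -> float:
        """P(malicious | alarm): the fraction of alarms worth an analyst's time."""
        return self.true_positives / self.alarms if self.alarms else 0.0


def evaluate_ids(lc: float, mc: float, fpr: float, fnr: float) -> IdsOutcome:
    """Apply the per-class rates from the slide to the two traffic populations."""
    for name, rate in (("fpr", fpr), ("fnr", fnr)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must be a probability, got {rate}")
    tnr, tpr = 1.0 - fpr, 1.0 - fnr
    return IdsOutcome(tnr * lc, fpr * lc, tpr * mc, fnr * mc)


def false_alarms_dominate(lc: float, mc: float, fpr: float, fnr: float) -> bool:
    """The slide's condition: FPR*LC exceeds TPR*MC once FPR is well above MC/LC."""
    out = evaluate_ids(lc, mc, fpr, fnr)
    return out.false_positives > out.true_positives


def max_fpr_for_precision(lc: float, mc: float, tpr: float, target_precision: float) -> float:
    """Largest FPR that still makes target_precision of all alarms real.

    From TP/(TP+FP) >= p with TP = TPR*MC and FP = FPR*LC:
        FPR <= TPR*MC*(1-p) / (p*LC)
    """
    if not 0.0 < target_precision < 1.0:
        raise ValueError("target_precision must be strictly between 0 and 1")
    return tpr * mc * (1.0 - target_precision) / (target_precision * lc)


def demo() -> IdsOutcome:
    """Constructed day of traffic: 1,000,000 legitimate and 100 malicious
    connections, a 1% false-positive rate and a 10% miss rate."""
    return evaluate_ids(lc=1_000_000, mc=100, fpr=0.01, fnr=0.10)


if __name__ == "__main__":
    o = demo()
    print(f"false alarms={o.false_positives:.0f} real alarms={o.true_positives:.0f} "
          f"precision={o.alarm_precision:.3%}")
    print(f"FPR needed for 50% precision: "
          f"{max_fpr_for_precision(1_000_000, 100, 0.9, 0.5):.1e}")
```

With these constructed numbers a 1% FPR produces 10,000 false alarms against 90 real ones, so under 1% of alarms are intrusions; reaching even 50% precision needs an FPR near 9e-5, which is why tuning the threshold of Figure 9.1 matters more than the headline detection rate.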
Chapter 10a - Firewalls
Network Firewall - economical, one point to manage.
Host-based FW - can filter based on application, depends on user
unless a central management system is used.
Simple Firewall - drops packets based on IP, port
Stateful - Keeps track of connections, set up inside or outside.
NAT - Network Address Translation, Private Address ranges (10. ,
192.168, …). Inbound connections must match “forwarding table”
Proxy Server - checks application header and data. Mail proxy may
filter spam, viruses, and worms. Web may filter URLs, & domains.
Attacks - how does a Firewall protect against scanning, bad fragments, bad TCP flags, Smurf attack, ...
Host-based Firewalls - TCP Wrappers/xinetd (/etc/hosts.allow), iptables, Zone
Alarm, BlackICE (now ISS Desktop Proventia), “Little Snitch”
Chapter 10b - Trusted Systems
Subject, Object, Access Rights (permissions)
Policy - Access matrix or ACL (access control list)
Basic Security Rules:
No read up (simple security property)
No write down (*-property; do not widen accessibility)
Need to Know.
Reference Monitor, audit file, security kernel database.
Requirements to be a “Trusted System”:
Complete Mediation,
Isolation,
Verifiability
“Common Criteria” Security Specifications are multinational trust ratings.
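The three Basic Security Rules and the Reference Monitor above, as an added example (not from the slides or any real security kernel): every access is mediated by one check function, which also writes the audit record. Levels, compartments, subjects and objects in demo() are constructed.

```python
"""Reference monitor enforcing the slide's rules: no read up, no write down,
need to know. Added example; the labels, subjects and objects are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of compartments."""
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass
class ReferenceMonitor:
    subjects: dict  # name -> clearance Label
    objects: dict   # name -> classification Label
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def check(self, subject: str, obj: str, op: str) -> bool:
        """Every access goes through here (complete mediation) and is logged."""
        s = self.subjects.get(subject)
        o = self.objects.get(obj)
        if s is None or o is None:
            allowed = False              # unknown principal or object: deny
        elif op == "read":
            allowed = s.dominates(o)     # simple security property: no read up
        elif op == "write":
            allowed = o.dominates(s)     # *-property: no write down
        else:
            allowed = False              # unknown operation: deny by default
        self.audit.append((subject, obj, op, allowed))
        return allowed


def demo() -> ReferenceMonitor:
    """Constructed principals and files exercising each rule once."""
    rm = ReferenceMonitor(
        subjects={
            "alice": Label(Level.SECRET, frozenset({"CRYPTO"})),
            "bob": Label(Level.CONFIDENTIAL),
        },
        objects={
            "keyfile": Label(Level.SECRET, frozenset({"CRYPTO"})),
            "ops_plan": Label(Level.SECRET, frozenset({"OPS"})),
            "bulletin": Label(Level.UNCLASSIFIED),
        },
    )
    rm.check("alice", "keyfile", "read")    # allowed: clearance dominates label
    rm.check("alice", "ops_plan", "read")   # denied: same level, no need to know (OPS)
    rm.check("bob", "keyfile", "read")      # denied: read up
    rm.check("alice", "bulletin", "write")  # denied: write down
    rm.check("bob", "keyfile", "write")     # allowed: write up passes these rules
    return rm


if __name__ == "__main__":
    for record in demo().audit:
        print(record)
```

The last check is the caveat worth remembering: these are confidentiality rules, so a CONFIDENTIAL user may blindly write into a SECRET file. Protecting the integrity of that file needs a separate policy (the Biba model inverts the two rules), which is one reason real trusted systems layer several policies behind the same reference monitor.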
Chapter 11 - TCP/IP
Bad fragments (overlapping fragment offsets) can crash the Operating System (OS): "Teardrop".
ICMP packets, Type No.: 11 = Time Exceeded (timeout), 8 = Echo Request (Ping),
0 = Echo Reply (Pong), 3 = Destination Unreachable [Codes: 0 = Network, 1 = Host, 3 = Port].
• "Ping of Death" - fragments that reassemble to more than the 65,535-byte (2^16 - 1) IP maximum,
• "Smurf" - Pong multiplication: a Ping sent to a broadcast address with the victim's
  address as the spoofed source, so every host on that network replies to the victim.
“Spoofed” source addresses in flood DoS attacks (e.g., the source IP in Smurf).
TCP Handshake: SYN, SYN-ACK, ACK; teardown by RESET, or by FIN, FIN (one from each side).
Flags - bad combinations are used to 1) map the OS (each stack answers illegal
combinations differently), 2) cause crashes.
TCP - Hijacked connection: an attacker can take over one end of a connection by
sending segments from that host's IP address whose sequence and acknowledgement
numbers are consistent with the connection state. The original host must be
DoS'ed (silenced) so it does not reset the connection.
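Decoding the flag byte and recognising the “bad combinations” mentioned above, as an added example that is not from the slides or from any scanner: the headers in demo() are constructed with build_tcp_header() rather than captured.

```python
"""Decode TCP flags from a raw 20-byte header and flag combinations that no
legitimate peer sends (used to fingerprint an OS or crash a weak stack).
Added example; the packets in demo() are constructed, not captured."""
import struct

# Bit positions of the six classic flags in the 14th header byte (RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport: int, dport: int, flags, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, zero checksum) for test packets."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    offset_flags = (5 << 12) | bits  # 4-bit data offset, reserved bits zero
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def parse_tcp_flags(header: bytes) -> set:
    """Return the set of classic flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    if (offset_flags >> 12) < 5:
        raise ValueError("data offset below the minimum of 5 words")
    return {name for name, bit in FLAG_BITS.items() if offset_flags & bit}


def suspicious_flag_reasons(flags: set) -> list:
    """Explain why a flag combination is not one a real TCP peer would send."""
    reasons = []
    if not flags:
        reasons.append("null scan: no flags set")
    if {"SYN", "FIN"} <= flags:
        reasons.append("SYN+FIN: open and close in one segment")
    if {"SYN", "RST"} <= flags:
        reasons.append("SYN+RST: open and abort in one segment")
    if flags == set(FLAG_BITS):
        reasons.append("XMAS: all six flags lit")
    if "FIN" in flags and not flags & {"ACK", "SYN", "RST"}:
        reasons.append("FIN without ACK: FIN-style scan, never sent mid-connection")
    return reasons


def demo() -> dict:
    """Constructed probes: a normal SYN plus the classic illegal combinations."""
    probes = {
        "syn": build_tcp_header(40000, 80, {"SYN"}, seq=1),
        "syn_fin": build_tcp_header(40001, 80, {"SYN", "FIN"}),
        "null": build_tcp_header(40002, 80, set()),
        "xmas": build_tcp_header(40003, 80, set(FLAG_BITS)),
        "fin": build_tcp_header(40004, 80, {"FIN"}),
        "fin_psh_urg": build_tcp_header(40005, 80, {"FIN", "PSH", "URG"}),
    }
    return {name: suspicious_flag_reasons(parse_tcp_flags(h)) for name, h in probes.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:12s} {reasons or 'plausible'}")
```

A stateless firewall can drop every probe here on the flag byte alone; the stateful firewall of Chapter 10a goes further and also drops a well-formed ACK or FIN that belongs to no tracked connection.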
DNS - UDP port 53 used for DNS lookups, reverse lookups.
What is “Fast Flux DNS” and “DNS Cache Poisoning”?
ARP - Used by IP layer to find the MAC layer address to use.
What is “ARP Poisoning”?
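The Topic Areas list notes that DNS cache poisoning uses a Birthday Attack. The calculation below, an added example not from the slides, shows why: it compares guessing the 16-bit transaction ID of one outstanding query against spraying the same number of spoofed replies at many outstanding queries for the same name. It assumes the resolver has issued `outstanding` queries with distinct random IDs and accepts a reply matching any of them, as the classic pre-fix resolvers did; the numbers in demo() are constructed.

```python
"""Birthday attack on the DNS transaction ID: probability that a burst of spoofed
replies matches one of many outstanding query IDs. Added example; assumes the
resolver keeps `outstanding` distinct random IDs in flight for the same name and
accepts a reply matching any of them. The numbers in demo() are constructed."""
import math

ID_SPACE = 2 ** 16  # 16-bit DNS transaction ID


def poison_success_probability(outstanding: int, spoofed: int, id_space: int = ID_SPACE) -> float:
    """P(at least one of `spoofed` random IDs equals one of `outstanding` pending IDs).

    Each spoofed reply matches with probability outstanding/id_space; replies are
    independent, so P = 1 - (1 - outstanding/id_space) ** spoofed. With outstanding
    = 1 this is the naive guess-the-ID attack; with many outstanding queries (the
    birthday variant) both the per-reply odds and the number of tries grow.
    """
    if not 0 < outstanding <= id_space or spoofed < 0:
        raise ValueError("outstanding must be in 1..id_space and spoofed >= 0")
    return 1.0 - (1.0 - outstanding / id_space) ** spoofed


def spoofed_replies_needed(outstanding: int, target: float, id_space: int = ID_SPACE) -> int:
    """Smallest number of spoofed replies giving at least `target` success probability."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    per_reply_miss = 1.0 - outstanding / id_space
    return math.ceil(math.log(1.0 - target) / math.log(per_reply_miss))


def demo() -> dict:
    """Same spoofed volume, two strategies: 1 query vs 300 queries in flight."""
    return {
        "single_query_300_replies": poison_success_probability(1, 300),
        "birthday_300_queries_300_replies": poison_success_probability(300, 300),
        "replies_for_50pct_single": spoofed_replies_needed(1, 0.5),
        "replies_for_50pct_birthday": spoofed_replies_needed(300, 0.5),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.4f}" if isinstance(v, float) else f"{k}: {v}")
```

Three hundred spoofed replies against a single query succeed under 0.5% of the time; the same 300 replies against 300 outstanding queries succeed about 75% of the time. Randomising the UDP source port (the standard fix) multiplies the effective id_space by the number of usable ports, which the id_space parameter lets you explore.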
HW
What was learned from homework problems?
Outside Reading
Lenovo – Removing "Superfish" – https man-in-the-middle
Dell – "System Detect" vulnerability
Apple Pay – Credit Card scams 7x higher than normal
"Wipe the Drive" – what to do with a compromised PC
"Olympic Games" (Flame, Stuxnet, Iran)
CryptoLocker malware
The test will cover the slide sets 06-IP Networks.ppt, 07-SSL-SET, 08a Safer
Downloading.ppt, 09a-Intrusion.ppt, 09b-Viruses, 10a-Firewalls.ppt, 10b-Trusted
Systems, 11-TCP-IP.ppt, 13-Netsec Utilities.ppt, and 18-Shellcode.ppt (slides 1-11).
It will not cover Simple Network Management Protocol (08-SNMP.ppt).
You will be able to bring your Quiz-1 reference sheet. You should review areas
you missed on Quiz-1.
We discussed SSL/TLS in connection with Public-Private keys, and secure
email.
We did cover the SET (Secure Electronic Transactions) protocol this year. It has
some interesting technology, like the "dual signature," but the standard has not
gained traction after several years; it, or something like it, may be necessary
in the future.