Attacks and
Vulnerabilities
Ilya Chalyt
Nicholas Egebo
March 7 2005
Topics of Discussion
Reconnaissance
Gain information about a system
Vulnerabilities
Attributes of a system that can be maliciously
exploited
Attacks
Procedures to exploit vulnerabilities
Reference 1
Topics of Discussion
Reconnaissance
War Dialing
War Driving
Port Scanning
Probing
Packet Sniffing
War Dialing (Reconnaissance)
Method
Dial a range of phone numbers searching for modems that answer
Motivation
Locate potential targets (modems reachable from outside the network perimeter)
Detection
Hard to detect from the target side; the telephone company's call records are the only reliable source, although a PBX log showing many short calls to consecutive numbers is a hint
Defense
Disconnect unessential modems from outgoing phone lines; require callback or strong authentication on the rest
Reference 2
War Driving (Reconnaissance)
Method
Drive through an area with a wireless card and antenna, recording access points and their signals
Motivation
Find wireless networks and traffic to target
Detection
Purely passive listening cannot be detected; active scanners that send probe requests can be seen by a wireless IDS, otherwise only physical surveillance
Defense
Limit the geographic reach of the wireless signal (antenna placement, transmit power); encrypt the link so captured traffic is unreadable
Reference 3
Port Scanning (Reconnaissance)
Method
Send a SYN packet to each port and check the response: SYN/ACK means open, RST means closed, no reply usually means filtered
Motivation
Find potential targets and the services they expose
Detection
Traffic analysis (one source touching many ports or many hosts in a short time)
Defense
Close unneeded ports; have the firewall silently drop packets to the rest
Reference 4
Probing (Reconnaissance)
Method
Connect to open ports and read the banner, or send protocol-specific requests, to identify the service and its version
Detection
Traffic analysis
Motivation
Find specific port information (which software and version is listening, to match against known vulnerabilities)
Defense
Close/silence ports; remove version strings from banners
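As an added example (not from the original slides), the two reconnaissance steps above, a scan followed by a banner grab, run against a throwaway listener started in the same process so the code works offline. This is a full TCP connect scan, not the half-open SYN scan on the slide, which would need raw sockets; the banner string, host and ports are assumptions.

```python
# Added example, not part of the original slides: TCP connect scan plus
# banner grab against a local fake service.  Host, ports and banner are
# assumptions made so that the example runs stand-alone.
import socket
import threading
from typing import Dict, Iterable, Optional


def start_fake_service(banner: bytes) -> int:
    """Start a local listener that greets every client with `banner`; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """Pick a port that is currently closed (bind, read the number, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """Complete a TCP handshake with one port.

    None  -> closed or filtered (refused, or no answer within `timeout`)
    b''   -> open, but the service says nothing until spoken to
    bytes -> open, and this is what it volunteered (the banner)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return None


def scan(host: str, ports: Iterable[int]) -> Dict[int, bytes]:
    """Return {open_port: banner} for every open port in `ports`."""
    results: Dict[int, bytes] = {}
    for p in ports:
        banner = probe(host, p)
        if banner is not None:
            results[p] = banner
    return results


if __name__ == "__main__":
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_3.9p1\r\n")   # constructed banner
    closed = free_closed_port()
    for port, banner in sorted(scan("127.0.0.1", [closed, open_port]).items()):
        print(f"{port}/tcp open  banner={banner!r}")
```

The banner is what "Probing" turns into a version number; a defender who strips version strings from banners leaves the port open but takes away the easy match against a vulnerability list. Every connect() here also shows up in the target's logs, which is exactly the "traffic analysis" detection on the slide.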
Packet Sniffing (Reconnaissance)
Method
Put a network interface into promiscuous mode and capture and analyze the packets travelling across it
Motivation
Gain access to information travelling on the network (credentials, session data)
Detection
None for a purely passive sniffer; a card in promiscuous mode can sometimes be spotted by its response to crafted ARP requests
Defense
Use encryption to minimize cleartext on the network; use switched rather than shared segments
Reference 5
Topics of Discussion
Vulnerabilities
Backdoors
Code Exploits
Eavesdropping
Indirect Attacks
Social Engineering
Backdoors (Vulnerabilities)
Bypass normal means of authentication
Hidden from casual inspection
Installed separately or integrated into the software itself, even by the compiler that built it (Reference 6)
Reference 6
Code Exploits (Vulnerabilities)
Exploitable bugs caused by poor coding practices and left uncaught by testing
Defense: Code review plus in-depth unit and integration testing, including tests that feed malformed input
Eavesdropping (Vulnerability)
Data transmitted without encryption can be
captured and read by parties other than
the sender and receiver
Defense: Use of strong cryptography to
minimize cleartext on the network
Indirect Attacks (Vulnerabilities)
Internet users' machines can be infected and turned into zombies that carry out attacks on the attacker's behalf
The puppet master behind them is left undetected
Defense: Train internet users to keep their machines from becoming zombies, and hold the owners of zombie machines accountable
Social Engineering (Vulnerability)
Manipulate the weakest link of cybersecurity, the user, to gain access to otherwise prohibited resources
Defense: Train personnel to recognize and resist the tactics of social engineering
Reference 7
Topics of Discussion
Attacks
Password Cracks
Web Attacks
Physical Attacks
Worms & Viruses
Logic Bomb
Buffer Overflow
Phishing
Bots and Zombies
Spyware, Adware, and Malware
Hardware Keyloggers
Eavesdropping & Playback Attacks
DDoS
Password Cracks: Brute Force
Method
Try every combination of legal symbols as the password for a username; the search space grows as (alphabet size)^(password length)
Motivation
Gain access to system
Detection
Frequent failed attempts to authenticate, from one source or against one account
Defense
Lockouts, temporary and permanent; note that a permanent account lockout lets an attacker lock legitimate users out on purpose, so prefer temporary lockouts or delays keyed to the source
Reference 8
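The "frequent attempts to authenticate" signal is easy to turn into a detector. As an added example (not from the original slides), the code below counts failed logins per source over a sliding window and imposes a temporary, per-source lockout; the log lines are constructed here in a syslog/sshd-like format, and that format is an assumption.

```python
# Added example, not part of the original slides: sliding-window detection of
# repeated authentication failures, with a temporary lockout keyed to the
# source address.  The log lines below are constructed for the example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LOG_LINES = [  # constructed sample log
    "2005-03-07T10:00:01 sshd[411]: Failed password for root from 10.0.0.9",
    "2005-03-07T10:00:02 sshd[411]: Failed password for root from 10.0.0.9",
    "2005-03-07T10:00:02 sshd[411]: Failed password for admin from 10.0.0.9",
    "2005-03-07T10:00:03 sshd[411]: Failed password for root from 10.0.0.9",
    "2005-03-07T10:00:04 sshd[411]: Failed password for root from 10.0.0.9",
    "2005-03-07T10:00:05 sshd[411]: Failed password for root from 10.0.0.9",
    "2005-03-07T10:00:06 sshd[411]: Accepted password for root from 10.0.0.9",
    "2005-03-07T10:05:00 sshd[412]: Failed password for alice from 10.0.0.20",
    "2005-03-07T10:12:00 sshd[413]: Failed password for alice from 10.0.0.20",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1),
                      lockout: timedelta = timedelta(minutes=15)
                      ) -> Tuple[List[Tuple[datetime, str, int]], Dict[str, datetime]]:
    """Return (alerts, lockouts).

    alerts   : (timestamp, source, count) whenever `threshold` failures from
               one source fall inside `window`.
    lockouts : {source: expiry}.  The lockout is on the *source* and is
               *temporary*; a permanent lockout on the *account* would let
               an attacker deny service to real users by guessing badly.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[datetime, str, int]] = []
    lockouts: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if src in lockouts and ts < lockouts[src]:
            continue                                   # locked out: attempt is dropped
        if m["result"] != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:                # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, len(q)))
            lockouts[src] = ts + lockout
            q.clear()
    return alerts, lockouts


if __name__ == "__main__":
    found, locked = detect_bruteforce(LOG_LINES)
    for ts, src, n in found:
        print(f"{ts} brute force from {src}: {n} failures in window")
    print("locked out:", {s: str(t) for s, t in locked.items()})
```

On the sample log, 10.0.0.9 hits five failures at 10:00:04 and is locked out; its later successful login at 10:00:06 is dropped, which is the whole point of the lockout. The two failures from 10.0.0.20 are seven minutes apart and never trip the threshold.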
Password Cracks: Dictionary Attack
Method
Try every entry in a collection of likely strings (words, names, leaked passwords) as the password
Motivation
Gain access to system, much faster than brute force because people choose words
Detection
Frequent attempts to authenticate
Defense
Lockouts, temporary and permanent
Passwords that do not appear in any wordlist
Reference 8
Password Cracks: Hybrid Attack
Method
Take every entry in a collection of strings and apply mutations: change case, append or prepend numbers and symbols, concatenate entries with each other
Motivation
Gain access to system; faster than brute force and more likely to succeed than a plain dictionary attack, because "dragon99" is how people "strengthen" a password
Detection
Frequent attempts to authenticate
Defense
Lockouts, temporary and permanent
Reference 8
Password Cracks: L0phtCrack
Method
Obtain a copy of the operating system's password hash store (the Windows SAM, in L0phtCrack's case) and run the dictionary, hybrid and brute-force attacks against it offline, on the attacker's own machine
Motivation
Gain access to system; the cracking happens elsewhere, so no lockouts fire and no failed logins appear in the target's logs
Detection
Detect reads of the hash store (which require administrator or physical access)
Defense
Limit access to the system and to its backups; avoid the weak LM hash format
Reference 8
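The four password-cracking slides above differ only in how candidate passwords are generated. As an added example (not from the original slides), the code below runs the dictionary, hybrid and brute-force generators against a constructed store of salted SHA-256 hashes; the hash format, user names and wordlist are assumptions. L0phtCrack works on Windows LM/NTLM hashes rather than this format, but the search strategies are the same.

```python
# Added example, not part of the original slides: offline cracking of a
# constructed hash store with dictionary, hybrid and brute-force candidates.
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, Tuple


def hash_password(password: str, salt: str) -> str:
    """Fast salted hash; real systems should use a slow KDF (bcrypt, scrypt)
    precisely so that every candidate below costs the attacker more."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# "Stolen" hash store, built here so the example runs: user -> (salt, hash)
_SALT = "s4lt"
STOLEN: Dict[str, Tuple[str, str]] = {
    "alice": (_SALT, hash_password("dragon", _SALT)),       # plain dictionary word
    "bob":   (_SALT, hash_password("Dragon99", _SALT)),     # word + common mutation
    "carol": (_SALT, hash_password("zq7", _SALT)),          # short, brute-forceable
    "dave":  (_SALT, hash_password("Tr0ub4dor&3", _SALT)),  # survives all three
}
WORDLIST = ["password", "letmein", "dragon", "monkey", "qwerty"]  # constructed


def dictionary(words: Iterable[str]) -> Iterator[str]:
    yield from words


def hybrid(words: Iterable[str]) -> Iterator[str]:
    """Dictionary words plus the usual mutations: case, digit suffix, symbol suffix."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for n in range(100):
                yield f"{base}{n}"          # dragon0 ... Dragon99
            for sym in "!@#$":
                yield f"{base}{sym}"


def brute_force(alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3) -> Iterator[str]:
    """Every string over `alphabet` up to `max_len`; |alphabet|**len candidates per length."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def crack(store: Dict[str, Tuple[str, str]], candidates: Iterable[str]) -> Dict[str, str]:
    """Return {user: password} for every hash a candidate reproduces.
    Nothing ever touches the target system, so no lockout can fire."""
    found: Dict[str, str] = {}
    pending = dict(store)
    for cand in candidates:
        for user in list(pending):
            salt, h = pending[user]
            if hash_password(cand, salt) == h:
                found[user] = cand
                del pending[user]
        if not pending:
            break
    return found


def run_all() -> Dict[str, Dict[str, str]]:
    return {
        "dictionary":  crack(STOLEN, dictionary(WORDLIST)),
        "hybrid":      crack(STOLEN, hybrid(WORDLIST)),
        "brute_force": crack(STOLEN, brute_force()),
    }


if __name__ == "__main__":
    for strategy, hits in run_all().items():
        print(f"{strategy:12s} {hits}")
```

The dictionary pass finds only alice, the hybrid pass adds bob, and the three-character brute force finds carol while the others never could at that length. dave's password is in none of the spaces searched, which is what "complex password" on the previous slides really means: not in any wordlist, not a mutation of one, and too long to enumerate.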
Web Attacks: Source Viewing
Method
Read the page source delivered to the browser for valuable information
Motivation
Find passwords, commented-out URLs, or hidden form fields left in the HTML or script
Detection
None (the attacker only requests what every visitor receives)
Defense
Keep credentials and private paths out of anything sent to the client; strip comments before deployment
Web Attacks: URL Modification
Method
Manipulate the URL (change an ID, walk up a directory, guess a file name) to reach pages not linked from the site
Motivation
Gain access to normally private directories or pages
Detection
Check website URL logs for requests to unlinked or non-existent paths
Defense
Enforce access requirements on every resource server side; an unlinked URL is not a secret
Web Attacks: Post Data
Method
Change POST data (hidden fields, prices, record IDs) before it is sent, to get the desired result
Motivation
Change information being sent in your favor
Detection
None at the network level; server-side validation failures can be logged
Defense
Verify POST data on the receiving end; never trust a value only because the server put it in the form
Web Attacks: Database Attack
Method
Send input that is pasted into a SQL query, so that it changes the query's meaning (SQL injection)
Motivation
Denial of service, or reading and altering data that the form was never meant to expose
Detection
Check database for strange records; check application logs for quotes and SQL keywords in input
Defense
Use parameterized queries; filter database input
Reference 9
Web Attacks: Database Insertion
Method
Terminate the intended query in a form field and append a second statement, so the server runs multiple queries
Motivation
Insert information into a table that might be unsafe (a new administrator account, for example)
Detection
Check database logs
Defense
Use parameterized queries rather than relying on quote escaping alone; run one statement per request
Reference 9
Web Attacks: Meta Data
Method
Put shell or script meta characters (; | & ` $ < >) into input that the server passes on to a command or interpreter
Motivation
Run extra commands, or possibly reveal the script or other useful information through error output
Detection
Website logs (meta characters in request parameters)
Defense
Filter input against an allow-list of expected characters; never hand user input to a shell
Reference 10
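As an added example (not from the original slides), the code below shows how a single `;` in a file name turns one intended command into two when the string reaches a shell, and the allow-list check and argv-style invocation that prevent it. The upload directory and the command are assumptions; nothing is executed, the command lines are only built and tokenized.

```python
# Added example, not part of the original slides: shell metacharacter
# injection in a web parameter, and its defenses.  UPLOAD_DIR and the cat
# command are assumptions; no command is run here.
import re
import shlex
from typing import List

UPLOAD_DIR = "/var/www/uploads"                  # assumption
SEPARATORS = {";", "|", "&", "&&", "||"}
# Allow-list: letters, digits, dot, dash, underscore; no leading dot, bounded length
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$")


def build_vulnerable(filename: str) -> str:
    """String destined for a shell (os.system style): input is parsed as shell syntax."""
    return f"cat {UPLOAD_DIR}/{filename}"


def shell_tokens(cmdline: str) -> List[str]:
    """Tokenize roughly the way sh would, with ; | & emitted as separate tokens."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lex)


def command_count(cmdline: str) -> int:
    """How many commands the shell would actually run for this line."""
    return 1 + sum(1 for t in shell_tokens(cmdline) if t in SEPARATORS)


def build_safe(filename: str) -> List[str]:
    """Validate against the allow-list, then return an argv list for
    subprocess.run(..., shell=False): no character is ever interpreted."""
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["cat", f"{UPLOAD_DIR}/{filename}"]


def quoted_for_shell(filename: str) -> str:
    """If a shell is unavoidable, shlex.quote neutralizes the metacharacters."""
    return f"cat {UPLOAD_DIR}/{shlex.quote(filename)}"


if __name__ == "__main__":
    evil = "report.txt; cat /etc/passwd"
    print(build_vulnerable(evil), "->", command_count(build_vulnerable(evil)), "commands")
    print(quoted_for_shell(evil), "->", command_count(quoted_for_shell(evil)), "command")
    print(build_safe("report.txt"))
    try:
        build_safe(evil)
    except ValueError as e:
        print("allow-list:", e)
```

The allow-list is the filter the slide asks for, but the argv form is the stronger defense: when no shell parses the input, there is no meta character to filter.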
Physical Attack: Damage
Method
Attack the computer with
an axe
Motivation
Disable the computer
Detection
Video Camera
Defense
Locked doors and
placed security guards
Physical Attack: Disconnect
Method
Interrupt connection
between two elements
of the network
Motivation
Disable the network
Detection
Pings
Defense
Locked doors and
placed security guards
Physical Attack: Reroute
Method
Pass network signal
through additional
devices
Motivation
Monitor traffic or spoof a
portion of the network
Detection
Camera
Defense
Locked doors and
placed security guards
Physical Attack: Spoof MAC & IP
Method
Identify the MAC and IP address of the target and replicate them on the attacker's machine on the same segment
Detection
Monitoring ARP requests for duplicate addresses and checking switch logs
Motivation
Deny the target from receiving traffic, or receive it in the target's place
Defense
None that fully prevents it on an open shared segment; static ARP entries and switch port security limit it
Worms & Virus: File Infectors
Method
Infects executables by
inserting itself into
them
Motivation
Damage files and spread
Detection
Virus scan or strange
computer behavior
Defense
Antivirus, being cautious
on the internet
Reference 10
Worms & Virus: Partition-sector Infectors
Method
Moves the partition sector elsewhere on the disk
Replaces it with itself
On boot, executes and then calls the original partition information so the machine still starts
Motivation
Damage files and spread
Detection
Virus scan or strange computer behavior
Defense
Antivirus, being cautious on the internet
Reference 10
Worms & Virus: Boot-sector virus
Method
Replaces boot loader,
and spreads to hard
drive and floppies
Motivation
Damage files and spread
Detection
Virus scan or strange
computer behavior
Defense
Antivirus, being cautious
on the internet
Reference 10
Worms & Virus: Companion Virus
Method
Locates executables and creates a copy of itself with the same base name and a different extension that the system searches first (a .COM beside a .EXE), so the virus runs when the user types the name
Motivation
Damage files and spread
Detection
Virus scan or strange computer behavior
Defense
Antivirus, being cautious on the internet
Reference 10
Worms & Virus: Macro Virus
Method
Infects documents, when
document is accessed,
macro executes in
application
Motivation
Damage files and spread
Detection
Virus scan or strange
computer behavior
Defense
Antivirus, being cautious
on the internet
Reference 10
Worms & Virus: Worms
Method
Self-replicates across the network by exploiting vulnerable services, without needing a host file or user action
Motivation
Variable motivations (spread, payload delivery, building zombie networks)
Detection
Virus scan, strange computer behavior, or a spike in outbound connection attempts
Defense
Antivirus, security patches, being cautious on the internet
Reference 11
Logic Bomb
Method
Discreetly install a "time bomb" that fires on a date or condition, and keep the ability to defuse it if necessary
Motivation
Revenge, a synchronized attack, or covering a getaway
Detection
Strange computer behavior; code review of scheduled tasks and startup code
Defense
Keep and monitor logs
Monitor computer systems closely
Buffer Overflow
Method
Pass more data than a fixed-size buffer holds to code that does not check the length, so the excess overwrites adjacent memory, including the saved return address on the stack
Motivation
Modify data and/or execute arbitrary code
Detection
Logs (crashes and unexpected process behavior)
Defense
Check input size before copying to the buffer
Guard the return address against overwrite (stack canaries)
Make the stack non-executable so injected instructions cannot run
Reference 12 & 13
Phishing
Method
Send a request for information, posing as a trusted party, to a mass audience and collect the responses from the gullible
Motivation
Gain important information (credentials, account numbers)
Detection
Careful examination of requests for information; verify the request with the supposed sender through an independent channel
Defense
Distribute information on a need-to-know basis; never supply credentials in reply to an unsolicited request
Bots & Zombies
Method
Installed by a virus or worm; allow remote, unrestricted access to the system
Motivation
Gain access to additional resources while hiding your identity behind them
Detection
Network analysis
Virus scans
Notice unusual behavior
Defense
Install security patches and be careful what you download
Spyware, Adware, and Malware
Method
Installed either willingly by the user via ActiveX or as part of a virus package
Motivation
Gain information about the user
Serve users advertisements
Detection
Network analysis
Abnormal computer behavior
Defense
Virus / adware / spyware / malware scans
Hardware Keyloggers
Method
Attach it to a computer
Motivation
Record user names,
passwords, and other
private information
Detection
Check physical
connections
Defense
Cameras and guards
Eavesdropping
Method
Record packets on the network
Attempt to decrypt encrypted packets
Motivation
Gain access to user data
Detection
None
Defense
Strong cryptography
Playback Attack
Method
Record packets on the network
Resend the packets later without decrypting them
Motivation
Mimic legitimate commands (a recorded "unlock" or "transfer" is as good as the original if the receiver cannot tell them apart)
Detection
Network analysis
Defense
Time stamps and nonces covered by a message authentication code, so a stale or repeated message is rejected
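As an added example (not from the original slides), the code below implements the time-stamp defense: every message carries a timestamp and a random nonce under an HMAC, and the receiver rejects anything stale, already seen, or modified. The shared key, the message layout and the 30-second skew window are assumptions.

```python
# Added example, not part of the original slides: authenticated messages with
# timestamp and nonce, and a receiver that refuses replays.  KEY, the layout
# and the skew window are assumptions.
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

KEY = b"pre-shared-demo-key"      # assumption: known only to sender and receiver


def make_message(command: str, key: bytes = KEY,
                 now: Optional[float] = None, nonce: Optional[bytes] = None) -> bytes:
    """body = <unix time>|<nonce hex>|<command>; message = body|<HMAC-SHA256(body)>."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8) if nonce is None else nonce
    body = f"{ts}|{nonce.hex()}|{command}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    def __init__(self, key: bytes = KEY, max_skew: int = 30) -> None:
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, int] = {}      # nonce -> timestamp it was accepted with

    def accept(self, msg: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(time.time() if now is None else now)
        body, sep, tag = msg.rpartition(b"|")
        if not sep:
            return False, "malformed"
        # Verify the MAC before trusting any field, in constant time.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"
        ts_str, nonce, command = body.decode().split("|", 2)
        ts = int(ts_str)
        if abs(now - ts) > self.max_skew:
            return False, "stale"                 # recorded long ago, or clock attack
        # Nonces older than the window can never be accepted again; forget them
        # so the replay cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replay"                # same packet played back
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    r = Receiver()
    m = make_message("unlock door")
    print("first delivery:", r.accept(m))
    print("replayed      :", r.accept(m))
```

Without the nonce, a timestamp alone still allows a replay inside the skew window; without the MAC, the attacker simply rewrites the timestamp. The receiver's window and nonce cache together bound what an attacker can do with a recorded packet.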
DDoS: CPU attack
Method
Send requests that force expensive processing on the server, such as the public-key operations of a cryptographic handshake
Motivation
Occupy the CPU, preventing normal operations
Detection
Network analysis (many handshakes from many sources that are never completed)
Defense
None that stops a large enough flood; per-client rate limiting and making the client do work first (client puzzles) raise the attacker's cost
Reference 14
DDoS: Memory attack
Method
Send data that makes the server allocate memory it must keep, such as half-open connections
Motivation
Take up resources, crashing the server when they are exhausted
Detection
Network analysis
Defense
None that stops a large enough flood; bound per-client allocations and time out idle state (SYN cookies for half-open connections)
Reference 14
References
1. Amoroso, Edward. Intrusion Detection. Sparta, New Jersey: AT&T Laboratories, 1999.
2. Gunn, Michael. War Dialing. SANS Institute, 2002.
3. Schwartau, Winn. "War-driving lessons," Network World, 02 September 2002.
4. Bradley, Tony. Introduction to Port Scanning. 2005. <http://netsecurity.about.com/cs/hackertools/a/aa121303.htm> (04 March 2005).
5. Bradley, Tony. Introduction to Packet Sniffing. 2005. <http://netsecurity.about.com/cs/hackertools/a/aa121403.htm> (05 March 2005).
6. Thompson, Ken. "Reflections on Trusting Trust." Communications of the ACM, Vol. 27, No. 8, August 1984.
7. Mitnick, Kevin. The Art of Deception. Indianapolis, Indiana: Wiley, 2002.
8. Coyne, Sean. Password Crackers: Types, Process and Tools. ITS Research Labs, 2004.
9. Friedl, Steve. SQL Injection Attacks by Example. 2005. <http://www.unixwiz.net/techtips/sqlinjection.html> (05 March 2005).
10. Lucas, Julie. The Effective Incident Response Team. Chapter 4. 2003.
11. Worms versus Viruses. 2004. <http://viruses.surferbeware.com/worms-vs-viruses.htm> (06 March 2005).
12. Grover, Sandeep. "Buffer Overflow Attacks and Their Countermeasures." Linux Journal, 10 March 2003.
13. Levy, Elias (Aleph One). "Smashing the Stack for Fun and Profit." Phrack Magazine, Issue 49, November 1996.
14. Distributed Denial of Service. 2002. <http://www.tla.org/talks/ddos-ntua.pdf> (05 March 2005).