Security “Tidbits” - The Stanford University InfoLab

Security “Tidbits”
Neil Daswani
Overview

– The FLI Model
– Infiltrations:
  – Viruses / Worms
  – Lessons Learned
– Firewalls & Attacks
  – What is a firewall?
  – How do they work?
  – How to prevent attacks
Security Problems & Solutions

The FLI model: three classes of problem crossed with three phases of defense.

Problems:
– Failure (Process/Storage)
– Lies
– Infiltration

Phases:
– Prevention
– Management
– Recovery

Techniques placed in the grid:
– Physical Security, Uninterruptible Power
– Authentication, Authorization, Non-Repudiation, Time-Stamping, Digital Signatures
– Hardware Protection
– Byzantine Agreement, Reputation Systems
– Intrusion Detection, Anti-virus Software
– Fail-Stop Digital Signatures, Certificate Revocation
– Firewalls
– Non-Stop Processes, Fault-Tolerance, Watchdog Processor
– Replication, RAID, Backups, Fail-Over, Hot Swapping
– Key Escrow
– Auditing
– “Common Sense”
Morris Worm (1988)

– Damage: 6000 computers in just a few hours
– What: just copied itself; didn’t touch data
– Exploited:
  – buffer overflow in fingerd (UNIX)
  – sendmail debug mode (exec arbitrary cmds)
  – dictionary of 432 frequently used passwords
Buffer Overflow Example

#include <string.h>

/* Deliberately vulnerable: buffer holds 16 bytes, but strcpy() copies until
   it reaches the NUL of the source, so any argument of 16 or more characters
   writes past the end of buffer into the rest of the stack frame. */
void sample_func (char *str) {
    char buffer[16];
    strcpy (buffer, str);
}

int main (int argc, char **argv) {
    if (argc > 1)
        sample_func (argv[1]);
    return 0;
}
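The following is an added example, not code from the slides: it models the stack frame that sample_func() leaves behind as one byte array (16 bytes of buffer followed by 4 bytes standing in for the saved return address), so the overrun is visible and deterministic rather than undefined behaviour on a real stack. The frame layout, the 0xCC sentinel, the slack space and the 'A' inputs are all constructed for the demo; the hardened copy beside it is one way to fix the bug, not the fingerd patch itself.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  16    /* same size as buffer[16] in sample_func() */
#define CTRL_SIZE 4     /* stand-in for the saved return address (assumption) */
#define SLACK     44    /* keeps the model in bounds for inputs shorter than 64 bytes */
#define SENTINEL  0xCC  /* constructed fill value so we can see what got overwritten */

/* Model of the frame: buffer, then the 4 "control" bytes an attacker wants,
   then slack. Everything is inside one array, so writing past BUF_SIZE is
   ordinary in-bounds C here; on a real stack it would be undefined behaviour. */
struct frame {
    unsigned char bytes[BUF_SIZE + CTRL_SIZE + SLACK];
};

static void frame_init(struct frame *f) {
    memset(f->bytes, SENTINEL, sizeof f->bytes);
}

/* How many of the 4 control bytes no longer hold the sentinel. */
static int control_bytes_clobbered(const struct frame *f) {
    int n = 0;
    for (int i = 0; i < CTRL_SIZE; i++)
        if (f->bytes[BUF_SIZE + i] != SENTINEL) n++;
    return n;
}

/* Same bug as sample_func(): strcpy() stops at the source's NUL, not at the
   end of the destination. Returns the number of control bytes the input
   overwrote (0 means the frame survived); -1 if the input would leave even
   the model array, which we refuse so the demo itself stays defined. */
int vulnerable_copy(const char *str) {
    struct frame f;
    if (strlen(str) >= sizeof f.bytes) return -1;
    frame_init(&f);
    strcpy((char *)f.bytes, str);           /* the bug: no bound */
    return control_bytes_clobbered(&f);
}

/* Hardened copy: reject anything that does not fit together with its NUL,
   then copy with an explicit bound. Returns -1 if rejected, otherwise the
   number of control bytes touched (always 0). */
int safe_copy(const char *str) {
    struct frame f;
    frame_init(&f);
    size_t len = strlen(str);
    if (len >= BUF_SIZE)                    /* 16 chars + NUL do not fit in 16 bytes */
        return -1;
    memcpy(f.bytes, str, len + 1);          /* bounded: len + 1 <= BUF_SIZE */
    return control_bytes_clobbered(&f);
}

int main(int argc, char **argv) {
    /* Constructed default input: 20 x 'A', four bytes too many. */
    const char *in = argc > 1 ? argv[1] : "AAAAAAAAAAAAAAAAAAAA";
    printf("vulnerable_copy: %d control byte(s) overwritten\n", vulnerable_copy(in));
    int r = safe_copy(in);
    printf("safe_copy: %s\n", r < 0 ? "rejected (too long)" : "accepted, frame intact");
    return 0;
}
```

Note that an input of exactly 16 characters already corrupts one byte: strcpy() still has to write the terminating NUL, and it lands in the first control byte. That off-by-one is why the hardened version checks `len >= BUF_SIZE` rather than `len > BUF_SIZE`.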
Morris Worm (1988)

Lessons Learned from Morris:
– Diversity is good.
– Big programs have many exploitable bugs.
– Choose good passwords.
– Don’t shut down mail servers: doing so did prevent the worm from spreading, but it also shut down the defense, since fixes were being circulated by email.
– CERT was created to respond to attacks.
Melissa (1999)

– What: just copied itself; did not touch data
– Payload: when the minute of the hour equals the day of the month, it inserts into the document: “Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
– Exploited:
  – MS Word Macros (VB)
  – MS Outlook Address Book (Fanout = 50: mailed itself to the first 50 entries)
  – Subject line “Important message from <user name> …”
Melissa (1999)

Lessons Learned:
– Homogeneity is bad.
– Users will click on anything.
– Separation of applications is good.
– Users “trusted” the message since it came from someone they knew.
– Don’t open attachments unless they are expected.
Other Viruses / Worms

– CIH Chernobyl Virus, 1998, Taiwan:
  – Time bomb: April 26, or the 26th of each month
  – Writes random garbage to disk starting at sector 0
  – Attempts to trash the FLASH BIOS
  – Hides itself in unused spaces of the infected executable
– Worm.ExploreZip, 1999: Melissa + zeroed out files
– BubbleBoy, 1999: Melissa-like, except it doesn’t require opening an attachment (ActiveX)
– Love Bug, 2000: “I LOVE YOU” (like Melissa)
Code Red (2001)

– Runs on WinNT 4.0 or Windows 2000
– Scans port 80 on random IP addresses, up to 100 scanning threads at a time
– Resides only in RAM; no files
– Exploits a buffer overflow in Microsoft IIS 4.0/5.0 (the worm appeared one month after the advisory went out)
– Two flavors:
  – Code Red I: high traffic, web defacements, DDOS on whitehouse.gov, crashed systems
  – Code Red II: high traffic, backdoor install, crashed systems
– Three phases, keyed to the day of the month: propagation (1-19), flood (20-27), dormant (28-31)
– Other victims: Cisco 600 Routers, HP JetDirect Printers (crashed by the scanning requests)
Code Red (2001)

Lessons Learned:
– Don’t use IIS! ;)
– Always keep software up-to-date
– Proof-of-concept to hide other attacks?
Nimda (2001)

– Multiple methods of spreading (email, client-to-server, server-to-client, network sharing)
  – Server-to-client: IE auto-executes readme.eml, which is attached to all HTML files the infected server sends back to the client
  – Client-to-server: “burrows”: scanning is local 75% of the time
  – Email: readme.exe is auto-executed upon viewing HTML email on IE 5.1 or earlier

Nimda (2001)

Lessons Learned:
– Install the latest web server and browser patches (or upgrade the version altogether)
– Don’t use MIME auto-execution
– Disable JavaScript
– Reject using applications that are routinely exploited???
Just this week… BadTrans Worm

– Spread via email; attacks Windows systems
– Records (once per second) keystrokes, usernames, & passwords typed into windows with titles containing: LOG, PAS, REM, CON, TER, NET
– Sends to:
  – one of 20+ email addresses
  – one of 15+ from addresses
  – one of 15+ attachment names w/ 2 extensions ({.doc/.mp3/.zip},{.pif/.scr})
Firewalls

– Two major technologies:
  – Packet Filters
  – Proxies
– Related technologies:
  – Network Address Translation (NAT)
  – Virtual Private Networks (VPN)
Packet Filtering Routers

– Filter on:
  – IP Source, IP Dest, Protocol (TCP, UDP, ICMP)
  – TCP/UDP Source & Dest Ports
  – ICMP Message Type (request, reply, time exceeded)
  – Packet Size
  – NICs (which interface the packet arrived on)
– Stateful vs. Stateless Inspection
  – e.g., UDP DA/DP checking: only admit an inbound UDP packet whose destination address/port matches the source of a recent outbound packet
– Simple Protocol Checking
  – e.g., Format Checking, Disconnect “anonymous” FTP x-fers
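Added example, not from the slides or from any firewall toolkit mentioned on them: a toy packet-filtering router in C that shows the difference between stateless and stateful inspection. The stateless rule set lets internal hosts browse the web and, to admit the replies, allows any inbound TCP packet with source port 80; a stateful filter instead remembers outbound flows and admits only their reverse. The internal network 10.0.0.0/8, the addresses, ports and rules are all constructed for the demo.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum { DIR_IN = 0, DIR_OUT = 1 };      /* DIR_IN: arriving from outside */
enum { DENY = 0, ALLOW = 1 };
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
#define ANY_PORT 0
#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    int      dir;
    uint8_t  proto;
    uint32_t src, dst;                  /* IPv4 in host byte order */
    uint16_t sport, dport;
} pkt_t;

typedef struct {
    int      dir;
    uint8_t  proto;
    uint32_t src_net, src_mask, dst_net, dst_mask;   /* mask 0 = any address */
    uint16_t sport, dport;                           /* ANY_PORT = any */
    int      action;
} rule_t;

static int rule_matches(const rule_t *r, const pkt_t *p) {
    return r->dir == p->dir && r->proto == p->proto
        && (p->src & r->src_mask) == (r->src_net & r->src_mask)
        && (p->dst & r->dst_mask) == (r->dst_net & r->dst_mask)
        && (r->sport == ANY_PORT || r->sport == p->sport)
        && (r->dport == ANY_PORT || r->dport == p->dport);
}

/* Stateless filter: first matching rule wins, default deny. */
int stateless_filter(const rule_t *rules, int nrules, const pkt_t *p) {
    for (int i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], p)) return rules[i].action;
    return DENY;
}

/* Stateful filter: outbound packets are checked against the rules and, when
   allowed, remembered; inbound packets pass only if they are the exact
   reverse of a remembered outbound flow. Fixed-size table for the demo. */
#define MAX_FLOWS 16
typedef struct { pkt_t flows[MAX_FLOWS]; int n; } state_t;

static int flow_known(const state_t *st, const pkt_t *in) {
    for (int i = 0; i < st->n; i++) {
        const pkt_t *f = &st->flows[i];
        if (f->proto == in->proto && f->src == in->dst && f->sport == in->dport
            && f->dst == in->src && f->dport == in->sport)
            return 1;
    }
    return 0;
}

int stateful_filter(state_t *st, const rule_t *rules, int nrules, const pkt_t *p) {
    if (p->dir == DIR_OUT) {
        int action = stateless_filter(rules, nrules, p);
        if (action == ALLOW && st->n < MAX_FLOWS) st->flows[st->n++] = *p;
        return action;
    }
    return flow_known(st, p) ? ALLOW : DENY;
}

/* Constructed rule set for internal network 10.0.0.0/8. Rule 2 is the
   classic stateless hole: "replies come from port 80, so let port 80 in". */
#define NET10 IP(10,0,0,0)
#define MASK8 IP(255,0,0,0)
static const rule_t web_rules[] = {
    { DIR_OUT, PROTO_TCP, NET10, MASK8, 0, 0, ANY_PORT, 80, ALLOW },
    { DIR_IN,  PROTO_TCP, 0, 0, NET10, MASK8, 80, ANY_PORT, ALLOW },
};
#define NWEB ((int)(sizeof web_rules / sizeof web_rules[0]))

/* Constructed packets: an outbound web request, its legitimate reply, an
   attacker who sets source port 80 to reach internal SSH, and the same
   attacker from a random port. */
static const pkt_t out_req = { DIR_OUT, PROTO_TCP, IP(10,0,0,5), IP(192,0,2,10), 40000, 80 };
static const pkt_t reply   = { DIR_IN,  PROTO_TCP, IP(192,0,2,10), IP(10,0,0,5), 80, 40000 };
static const pkt_t attack  = { DIR_IN,  PROTO_TCP, IP(198,51,100,7), IP(10,0,0,5), 80, 22 };
static const pkt_t probe   = { DIR_IN,  PROTO_TCP, IP(198,51,100,7), IP(10,0,0,5), 4444, 22 };

int stateless_attacker_decision(void) { return stateless_filter(web_rules, NWEB, &attack); }
int stateless_probe_decision(void)    { return stateless_filter(web_rules, NWEB, &probe); }

/* Runs the session through the stateful filter; returns the decision for the
   attacker's packet, or -1 if the legitimate reply was wrongly blocked. */
int stateful_attacker_decision(void) {
    state_t st = {0};
    stateful_filter(&st, web_rules, NWEB, &out_req);
    if (stateful_filter(&st, web_rules, NWEB, &reply) != ALLOW) return -1;
    return stateful_filter(&st, web_rules, NWEB, &attack);
}

int main(void) {
    printf("attacker sport=80 -> 10.0.0.5:22  stateless: %s  stateful: %s\n",
           stateless_attacker_decision() ? "ALLOW" : "DENY",
           stateful_attacker_decision() ? "ALLOW" : "DENY");
    printf("attacker sport=4444 -> 10.0.0.5:22  stateless: %s\n",
           stateless_probe_decision() ? "ALLOW" : "DENY");
    return 0;
}
```

The stateless router cannot tell the attacker's packet from a web reply because both satisfy the same five-tuple rule; only the memory of an earlier outbound packet (the state) distinguishes them. The same idea is what the slide's "UDP DA/DP checking" refers to, since UDP has no SYN to key on at all.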
Packet Filtering

– Advantages
  – One router can protect an entire network
  – Simple filtering is efficient
  – Widely available
– Disadvantages
  – Hard to configure & test
  – Reduces router performance
  – Can’t enforce some policies (e.g., user-level)
Proxies

– Security vs. Caching Proxies
– SOCKS: proxy construction toolkit
– Trusted Information Systems Firewall Toolkit (TIS FWTK: Telnet, FTP, HTTP, rlogin, X11)
– Most used to control use of outbound services
– Can also be used to control inbound services (reverse proxying)

Proxies

– Advantages
  – Logging, Caching, Intelligent Filtering
  – User-level authentication
  – Guards against weak IP implementations
– Disadvantages
  – Lag behind nonproxied services
  – Requires different servers for each service
  – Usually requires modifications to client applications
Firewall Architectures

– Dual-Homed Host
  – Services can only be proxied
– Screening Router w/ Bastion Host
  – Security by packet filtering
  – Bastion host is a single point of failure
– Screened Subnet
  – Exterior Router, Perimeter, Bastion Host, Interior Router
  – Internal ethernet packets protected from the perimeter
Example Attacks

– IP Spoofing
– TCP SYN Flood
– SMURF Attack
  – ICMP Ping (echo request) w/ max payload sent to a broadcast address, with the source address spoofed to the victim, so every host on that subnet replies to the victim
– D-DOS Attack
  – Infiltrate, set up sleepers, attack at once
Network Address Translation (NAT)

– Translates network addresses & ports
– Does not provide additional “security”
– Possibilities:
  – One external address per internal address
  – Dynamically assign an external address
  – Map multiple internal addresses to one external address (port sharing)
  – Dynamically assign external addresses and ports
Network Address Translation (NAT)

– Advantages
  – Helps enforce control over outbound connections
  – Helps restrict incoming traffic
  – Helps conceal internal network configuration
– Disadvantages
  – Not good for UDP (no connection teardown, so session lifetimes must be guessed)
  – Doesn’t deal with IP addresses embedded in packet payloads
  – Interferes with authentication & encryption
  – Interferes with logging & packet filtering
Virtual Private Networks

– Advantages:
  – Provides overall encryption
  – Allows use of protocols that are hard to secure any other way
– Disadvantages:
  – Involves “dangerous” network connections
  – Extends the network that must be protected