Week2 - Seneca - School of Information & Communications


SEC835
Major types of attacks
Application architecture
Components, or building blocks, that perform
certain functionality
Business logic implementation
Persistent data store
Middleware
Communication interfaces (GUI, API)
Communication channels (Internet, LAN, WAN)
Communication protocols
Communication Protocol
Communication protocol – the set of standard
rules for data representation (data structures
and data formats), signalling, authentication
and error handling that are used to transport
data over the network.
Data usually is sent in packets, and each
packet contains both service data and
payload data.
Communication protocols (cont)
Internet:
IP – internet level protocol used to establish connection
between a sender and a receiver
TCP
Transport level protocol used to transmit data over the
network
TCP uses a three-way handshake to establish a session
HTTP
Application level protocol used to present data to the
browser
Communication protocols
UDP (user datagram protocol)
• Another transport level protocol used to transfer data
• UDP does not use a handshaking mechanism, it is
simpler but less reliable
Use of UDP requires prior arrangement of
sessions and error checking, normally provided
by the application
An application level protocol is required to give the
data its meaning (semantics), e.g. a VoIP protocol
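The split between service data (headers) and payload described above, shown on a constructed IPv4/UDP datagram. This is an added example, not course material: it builds a datagram, parses it back into header fields and payload, and verifies both the IP header checksum and the UDP checksum (the error checking the slide says UDP leaves to the endpoints). The addresses, ports and payload are constructed for the example.

```python
# Added example (not course code): a datagram is service data (headers) plus
# payload. This builds a constructed IPv4/UDP datagram, then parses it back
# into its header fields and payload and verifies both checksums.
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag,
                             # TTL, protocol, header checksum, src, dst
UDP_FMT = "!HHHH"            # src port, dst port, length, checksum
PROTO_UDP = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over data that
    already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Constructed sender side: wraps the payload in its service data."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # The UDP checksum also covers a pseudo-header (addresses, protocol, length).
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, PROTO_UDP, udp_len)
    csum = internet_checksum(pseudo + struct.pack(UDP_FMT, src_port, dst_port, udp_len, 0) + payload)
    udp = struct.pack(UDP_FMT, src_port, dst_port, udp_len, csum or 0xFFFF) + payload
    fields = [0x45, 0, 20 + udp_len, 0x1234, 0, 64, PROTO_UDP, 0, src, dst]
    fields[7] = internet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + udp


def parse_datagram(packet: bytes) -> dict:
    """Receiver side: separate service data from payload and check integrity."""
    if len(packet) < 28:
        raise ValueError("too short for IPv4 + UDP headers")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _sum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_UDP:
        raise ValueError(f"not UDP (protocol {proto})")
    src_port, dst_port, udp_len, udp_sum = struct.unpack(UDP_FMT, packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_len:
        raise ValueError("UDP length inconsistent with IP length")
    segment = packet[ihl:ihl + udp_len]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, udp_len)
    # A zero UDP checksum means "not computed" in IPv4, so it cannot be verified.
    udp_ok = None if udp_sum == 0 else internet_checksum(pseudo + segment) == 0
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "src_port": src_port, "dst_port": dst_port,
        "udp_checksum_ok": udp_ok, "payload": segment[8:],
    }


def corrupt_last_byte(packet: bytes) -> bytes:
    """Flip one bit in the payload to show the UDP checksum catching it."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])
```

Everything before `payload` in the parsed result is service data; only the last field is what the application asked to send. Note that a checksum only catches accidental corruption, not tampering, which is why later slides add encryption and authentication on top of the transport protocol.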
Target of attacks
Data
In memory
In transit
In store
Exploit vulnerabilities of
Interfaces
Communication protocols
Data storage
Programs
As a result, technology components also become a target
of attacks
Microsoft classification of methods
of attacks
A well-known classification method for attacks is
STRIDE*, which stands for:
S – Spoofing
T – Tampering
R – Repudiation
I – Information disclosure
D – Denial of service
E – Elevation of privileges
* From Threat Modeling, by Frank Swiderski and Window Snyder.
Real life attacks
Each real life attack is a logical combination
of different techniques and methods
The most common and dangerous types of
attack:
Denial of Service (DoS)
Impersonation
Malicious code planted
Social engineering
History of attacks
Classical attacks are network based, meaning they
exploit network vulnerabilities
Later, attacks based on insecure coding were
developed
The same classical attacks can now be performed by
exploiting security holes in the code
Examples:
DoS
Impersonation
Attacks – Denial of Service (DoS),
network based
Mechanism – to overload a specific computer (most often
a server) with data, so that it cannot process the data fast
enough to keep up.
Evidence – system crash or reboot, a drop in available
Internet bandwidth, or a drain on a specific resource such
as the system's processor
Attacks – Denial of Service (DoS)
Implementations
Ping flood – exploits ICMP by sending an enormous number of
ping (echo) requests to a victim that cannot handle them
SYN flood – exploits the TCP three-way handshake. The source
sends a flood of SYN requests but never sends the final
acknowledgement, leaving many half-open TCP sessions.
New connections to the computer are blocked
Land – exploits OS behavior in the TCP/IP stack. The attacker
spoofs a TCP SYN packet to the victim with the same source
and destination IP address and port. This confuses the
system as it tries to respond
TCP Connection Handshake
DoS continuing
Implementations
Teardrop – exploits fragment reassembly behavior in the
TCP/IP stack, using User Datagram Protocol (UDP)
packets. The attacker sends fragmented packets with
overlapping offset values in subsequent fragments.
When the system attempts to reassemble the packet,
the fragments overwrite each other, causing confusion.
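The three network DoS techniques on the two slides above each leave a signature a defender can test for: a pile of half-open sessions from one source (SYN flood), a packet whose source and destination endpoints are identical (Land), and fragments whose byte ranges overlap (Teardrop). This added example, not part of the course material, implements those three checks over constructed data; the netstat-like connection-table layout, the half-open threshold and the fragment lists are assumptions made for the example.

```python
# Added example (not course code): three indicators for the network DoS
# techniques on the slides, evaluated over constructed data.
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed connection-table lines in a netstat-like layout:
#   "<proto> <local_ip>:<port> <remote_ip>:<port> <state>"
CONN_TABLE = """
tcp 10.0.0.5:80 198.51.100.7:51000 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:51001 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:51002 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:51003 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:40000 ESTABLISHED
tcp 10.0.0.5:80 203.0.113.9:40001 SYN_RECV
""".strip().splitlines()


def half_open_by_source(lines: Iterable[str]) -> Counter:
    """SYN flood indicator: half-open (SYN_RECV) TCP sessions per remote IP.
    A host that only sends SYNs and never the final ACK piles these up."""
    counts: Counter = Counter()
    for line in lines:
        proto, _local, remote, state = line.split()
        if proto == "tcp" and state == "SYN_RECV":
            counts[remote.rsplit(":", 1)[0]] += 1
    return counts


def syn_flood_suspects(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Remote addresses holding at least `threshold` half-open sessions
    (the threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in half_open_by_source(lines).items() if n >= threshold)


def is_land_packet(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """Land indicator: a packet whose source and destination endpoints are
    identical can only be forged, so a filter should drop it."""
    return src_ip == dst_ip and src_port == dst_port


def overlapping_fragments(fragments: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Teardrop indicator: fragments are (offset, length) in bytes for one
    datagram. Returns index pairs whose byte ranges overlap, which a safe
    reassembler should reject instead of letting one fragment overwrite another."""
    by_offset = sorted(enumerate(fragments), key=lambda item: item[1][0])
    overlaps = []
    for a, (i, (off_i, len_i)) in enumerate(by_offset):
        for j, (off_j, _len_j) in by_offset[a + 1:]:
            if off_j < off_i + len_i:
                overlaps.append((min(i, j), max(i, j)))
            else:
                break   # sorted by offset, so nothing later can overlap fragment i
    return overlaps
```

The first two checks map directly onto the system-level defenses the next slide names (monitoring tools and firewalls); the fragment check is what a hardened TCP/IP stack does internally before accepting a reassembled datagram.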
Network DoS Attack Defenses
Defenses have been provided mostly at the
system (not application) level
System monitoring tools
Firewalls
Denial of service (cont)
Impact from the application
A resource may be incapacitated by exploiting
application security holes, e.g. the DB is not
available because its ODBC parameters were changed
Other application-related issues are described in
the following article
Study the example
http://www.owasp.org/index.php/Denial_of_Service
Lab 2 starts – Task 1
List, and comment on in your own words, the software
weaknesses you have discovered
Store your results on your personal drive
Impersonation
In this attack a legitimate user is replaced by
an attacker
It may also apply to network or software
components, e.g. a legitimate web page is
replaced with a fraudulent one.
Practical implementations come in different
flavours:
Masquerading (impersonation)
Spoofing
Session hijacking
Man-in-the-middle
Replay
Spoofing
Mechanism – spoofing the network address of the
source by changing the packet header. It can even
mimic an internal IP address. The destination computer
is confused. Trust relationships on Unix can be
easily exploited
Evidence – incoming external packets with
internal IPs
Samples – often used by hackers to hide their
identity
Mitigating – firewalls or router filtering
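The router or firewall filtering the slide names as mitigation, written out as an added example (not course code). It applies two rules: ingress filtering drops packets arriving from the Internet that claim an internal source, which is exactly the evidence the slide lists, and egress filtering stops an inside host from sending packets with someone else's address. The site prefix, the interface names `ext`/`int` and the sample packets are assumptions constructed for the example.

```python
# Added example (not course code): ingress/egress filtering of the kind the
# slide lists under "Mitigating". The site prefix, interface names and the
# sample packets are constructed for the example.
import ipaddress
from typing import List, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITE_PREFIX = ipaddress.ip_network("10.20.0.0/16")   # assumed: the only prefix this site owns


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return addr.is_loopback or addr in SITE_PREFIX or any(addr in net for net in PRIVATE_NETS)


def filter_decision(iface: str, src_ip: str) -> Tuple[str, str]:
    """Decide for one packet. iface is 'ext' (Internet-facing) or 'int' (LAN side)."""
    addr = ipaddress.ip_address(src_ip)
    if iface == "ext":
        # Ingress rule: the Internet never legitimately sends us packets that
        # claim an internal source, which is the evidence the slide names.
        if is_internal(addr):
            return ("drop", "ingress: external packet with internal source")
        return ("accept", "")
    if iface == "int":
        # Egress rule: only our own prefix may leave, so a compromised inside
        # host cannot spoof someone else's address toward the Internet.
        if addr not in SITE_PREFIX:
            return ("drop", "egress: outbound packet not from site prefix")
        return ("accept", "")
    raise ValueError(f"unknown interface {iface!r}")


# Constructed packet sample: (interface the packet arrived on, claimed source)
SAMPLE_PACKETS = [
    ("ext", "10.20.3.4"),       # our own address arriving from outside: spoofed
    ("ext", "203.0.113.50"),    # ordinary Internet source
    ("int", "10.20.3.4"),       # inside host using its real address
    ("int", "198.51.100.9"),    # inside host spoofing a foreign address
]


def audit(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (iface, src_ip, verdict) for each packet."""
    return [(iface, ip, filter_decision(iface, ip)[0]) for iface, ip in packets]
```

The egress rule is the part sites most often skip; it protects other networks from you, and it is what prevents your hosts from being used as a spoofed source in the DoS attacks described earlier.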
TCP/IP session Hijacking
Goal – to hijack a TCP session after authentication
Mechanism – built to intercept communication and direct it
to a spoofed address
Evidence – practically none. There may be just a short
interruption in communication
Sample – a complex tool involving traffic monitoring,
spoofing and DoS. By monitoring the traffic, an attacker
determines the IP address of a participant. Then, through DoS,
the communication is interrupted and then resumed by
spoofing the IP address of the disconnected user. The other
user is tricked into thinking they are still communicating
with the right address
Mitigating – strong encryption
Man-in-the-Middle
Mechanism – a form of hijack attack. A person interferes
in the communication, listening to the information. Needs
some tools to implement – a sniffer, special programs
capable of intercepting packets
Different from sniffing because the attacker is not only
sniffing, but also acting as a communication partner
Evidence – none
Samples – often used against Telnet and wireless
communication
Mitigating – sophisticated encryption mechanisms. Protect
access to routers, wiring closets, switches and DNS servers
Replay
Mechanism – an unauthorized user captures an
encrypted, password-protected communication,
breaks it, and later starts acting as the original
sender.
Evidence – none
Samples – often happen with authentication
systems that issue authentication tickets, such as
Kerberos.
Mitigating – implement time stamps or sequence
numbers that are checked by the authenticating system
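The time stamp and sequence number check the slide lists as replay mitigation, carried through as an added example (not course code) on messages protected by an HMAC. The receiver rejects a message in three stages: wrong MAC (captured and modified), stale time stamp (captured and played back much later), and reused sequence number (captured and played back immediately). The shared key, the message layout and the 30-second freshness window are assumptions made for the example.

```python
# Added example (not course code): the time stamp + sequence number check the
# slide lists under "Mitigating", on messages protected by an HMAC. The shared
# key, message layout and 30-second freshness window are assumptions.
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SHARED_KEY = b"constructed-shared-key-for-the-example"   # assumed: agreed out of band
MAX_SKEW_SECONDS = 30                                     # assumed freshness window


def mac_for(fields: dict, key: bytes = SHARED_KEY) -> str:
    body = json.dumps(fields, sort_keys=True).encode()      # canonical form to sign
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_message(sender: str, seq: int, action: str,
                 now: Optional[float] = None, key: bytes = SHARED_KEY) -> dict:
    """Sender side: every message carries a time stamp and a per-sender sequence number."""
    fields = {"sender": sender, "seq": seq,
              "ts": time.time() if now is None else now, "action": action}
    return {**fields, "mac": mac_for(fields, key)}


class AuthenticatingSystem:
    def __init__(self, key: bytes = SHARED_KEY, max_skew: float = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.last_seq: Dict[str, int] = {}      # highest sequence number accepted per sender

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        fields = {k: v for k, v in msg.items() if k != "mac"}
        # 1. Integrity: a captured message that was modified fails here.
        if not hmac.compare_digest(msg.get("mac", ""), mac_for(fields, self.key)):
            return (False, "bad mac")
        # 2. Freshness: an old capture played back later is stale.
        if abs(now - fields["ts"]) > self.max_skew:
            return (False, "stale timestamp")
        # 3. Uniqueness: the same (or an earlier) sequence number was already used.
        if fields["seq"] <= self.last_seq.get(fields["sender"], 0):
            return (False, "replayed sequence number")
        self.last_seq[fields["sender"]] = fields["seq"]
        return (True, "ok")
```

Both checks are needed: the time stamp alone leaves a window of `max_skew` seconds in which a capture can be replayed, and the sequence number alone never expires, so a message captured today could be replayed as long as the counter has not moved past it. Kerberos-style ticket systems combine the same two ideas (ticket lifetimes plus authenticator time stamps and a replay cache).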
Masquerading attacks defence
Defences must be provided at both system
and application level
System level – IDS
Application level:
Strong authentication
Strong session management
Encryption
Sniffing
Attacker gains access to the network using a
utility or device that intercepts network
packets
Practically no evidence of attack
Both traditional and wireless networks are
vulnerable
Mitigating – strong encryption
Password Attacks
Mechanisms
Brute force – simply trying to guess the password through
repeated attempts
Dictionary – using words from a dictionary
Social engineering – an attacker tricks a victim into telling
them the password
Protection – the minimum is to set up a password protection
policy that specifies at least password length (not less than 6
characters), required complexity, periodic changes, and
locking the account after 3-5 unsuccessful attempts. More
complex authentication systems also apply
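The minimum policy on the slide, written as code. This is an added example, not course code: it enforces the slide's length minimum (6 characters) and a lockout within the 3-5 range (5 is chosen here), and adds a complexity rule, a small dictionary check and a slow salted hash for storage, all of which are choices made for the example rather than requirements stated on the slide.

```python
# Added example (not course code): enforcing the minimum password policy on
# the slide. The slide's numbers are used as defaults (length 6, lockout in the
# 3-5 range, here 5); the complexity rule and the hashing are our own choices.
import hashlib
import hmac
import os
import re
from typing import Dict, List

MIN_LENGTH = 6
MAX_FAILURES = 5
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}   # constructed tiny dictionary
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(pw: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = OK)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(bool(re.search(c, pw)) for c in CHARACTER_CLASSES) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list (dictionary attack)")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen password database still resists brute force.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Accounts:
    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self.users: Dict[str, dict] = {}

    def register(self, name: str, pw: str) -> None:
        problems = password_problems(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": hash_password(pw, salt),
                            "failures": 0, "locked": False}

    def login(self, name: str, pw: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        user = self.users.get(name)
        if user is None:
            return "denied"            # same answer as a wrong password: no user enumeration
        if user["locked"]:
            return "locked"
        if hmac.compare_digest(hash_password(pw, user["salt"]), user["hash"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= self.max_failures:
            user["locked"] = True      # brute force / dictionary attempts stop here
            return "locked"
        return "denied"
```

The lockout counter is what turns the brute force and dictionary mechanisms from the slide into a bounded number of guesses; the dictionary check stops the obvious candidates from ever being set. Periodic change, the remaining item on the slide, is a property of the account record (a set-date and an expiry) rather than of the check itself.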
Lab 2 continuing
http://webappsec.pbworks.com/Credentialand-Session-Prediction
http://webappsec.pbworks.com/ContentSpoofing
Malicious code planting
Malicious Software
programs exploiting system vulnerabilities
known as malicious software or malware
program fragments that need a host program
• e.g. viruses, logic bombs, and backdoors
independent self-contained programs
• e.g. worms, bots
replicating or not
sophisticated threat to computer systems
Malware Types
Virus
Worm
Logic bomb
Trojan horse
Backdoor (trapdoor)
Mobile code
Auto-rooter Kit (virus generator)
Spammer and Flooder programs
Keyloggers
Rootkit
Zombie, bot
Malicious Code - Viruses
Viruses – computer programs that replicate themselves by attaching
themselves to other files. The virus activates itself when the file is
opened or executed
Types of viruses
Boot sector – infects the boot sector. Way of infecting – booting a
computer from a disk containing the virus. Repairing – boot from a
clean floppy and run anti-virus software
Companion – disguises itself as a program with some valid
name but a different extension, e.g. replacing program.exe with
program.com. Typically runs the real program after the virus, so the
system seems to perform normally
File infectors – generally have the extensions .com or .exe.
Sometimes overwrite the original code, which results in its complete
destruction
Macro – typically attached to MS Office files and executed by
MS Office applications. Can perform malicious operations. Infects
other files and standard templates
Viruses continuing
Types of viruses
Memory resident – attached to a program, reveals itself at runtime
and infects all other programs and files that are in memory at the
same time
Polymorphic – capable of recompiling itself into a new form, so the
code is different for each infection. It is difficult to detect
Stealth – hides itself by encrypting its code, making it difficult to
detect. When a stealth virus infects a system it takes over the system
functions that read files. Later, on an attempt to read the file, the
stealth virus reports that the original file is there. In reality the
original data is gone.
Metamorphic – as with a polymorphic virus, a metamorphic virus
mutates with every infection. The difference is that a metamorphic
virus rewrites itself completely at each iteration, increasing the
difficulty of detection. Metamorphic viruses may change their
behavior as well as their appearance.
Viruses Program File Types
.bat, contains a series of commands to execute
.com, MS DOS command file
.doc, extension of MS Word
.dll, a library of executable functions or data
.exe, executable file
.html, HTML code that can be read by a web browser
.mdb, MS Access database extension
.scr, Windows screen saver
.vbs, extension of MS Visual Basic scripting
.xls, extension of MS Excel spreadsheet
.zip, extension used to compress files
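One concrete check that follows from the companion virus description on the earlier slide and from the list of program file types above: a `.com` file sharing its base name with an `.exe` in the same directory is exactly the companion pattern, because a bare `program` command resolves to `program.com` before `program.exe`. This added example, not course code, scans a directory for such pairs; the sample directory is constructed inside the example.

```python
# Added example (not course code): flag companion-virus candidates, i.e. a
# program.com sitting beside program.exe, since a bare "program" command runs
# the .com first. The sample directory is constructed inside the example.
import os
import tempfile
from collections import defaultdict
from typing import Iterable, List, Tuple


def companion_pairs(filenames: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (real_program, companion) pairs for .exe files that have a
    same-named .com next to them. Matching is case-insensitive, as on DOS/Windows."""
    by_base = defaultdict(dict)
    for name in filenames:
        base, ext = os.path.splitext(name)
        by_base[base.lower()][ext.lower()] = name
    return sorted((exts[".exe"], exts[".com"]) for exts in by_base.values()
                  if ".exe" in exts and ".com" in exts)


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Apply companion_pairs to the regular files in one directory."""
    with os.scandir(path) as entries:
        return companion_pairs(e.name for e in entries if e.is_file())


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway directory with one suspicious pair and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("program.exe", "program.com", "setup.exe", "readme.txt"):
            open(os.path.join(tmp, name), "wb").close()
        return scan_directory(tmp)
```

A hit is a lead, not a verdict: a legitimate `.com` can exist beside an `.exe`, so the finding should be followed by checking the `.com` against the anti-virus software and its origin, which is the detection and identification step on the countermeasures slide that follows.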
Virus Countermeasures
Antivirus software installed
prevention – the ideal solution, but difficult
realistically need:
detection
identification
removal
if the virus is detected but cannot be identified or removed,
the infected program must be discarded and replaced
Worms
replicating program that propagates over the network
using email, remote execution or remote login
has phases like a virus:
dormant, propagation, triggering, execution
propagation phase: searches for other systems,
connects to them, copies itself to them and runs
may disguise itself as a system process
first implemented by Xerox Palo Alto labs in the 1980s
Famous Worm Attacks
Code Red
July 2001, exploiting an MS IIS bug
probes random IP addresses, launches a DDoS attack
consumes significant network capacity when active
Code Red II variant includes a backdoor
SQL Slammer
early 2003, attacks MS SQL Server
compact and very rapid spread
Mydoom
mass-mailing e-mail worm that appeared in 2004
installed a remote access backdoor in infected systems
Worm Technology
Multiplatform
Newer worms are not limited to Windows machines but can attack a variety of platforms,
especially the popular varieties of UNIX
multi-exploit
New worms penetrate systems in a variety of ways, using exploits against Web
servers, browsers, e-mail, file sharing, and other network-based applications.
ultrafast spreading
polymorphic
metamorphic
transport vehicles
Because worms can rapidly compromise a large number of systems, they are ideal
for spreading other distributed attack tools, such as distributed denial of service
bots.
zero-day exploit
To achieve maximum surprise and distribution, a worm should exploit an unknown
vulnerability that is only discovered by the general network community when the
worm is launched.
Worm Countermeasures
Overlaps with anti-virus techniques
Rootkits
set of programs installed for admin access
malicious and stealthy changes to the host O/S
may hide its existence by subverting the reporting
mechanisms for processes, files, registry entries etc.
may be:
persistent or memory-based
user or kernel mode
installed by a user via a trojan, or by an intruder on the system
a range of countermeasures is needed
Trojan Horses
Program that hides on a computer system until
called to perform a certain task. Masks itself as a
normal program. Usually downloaded from the
Internet or extracted from an email attachment
The Trojan is secretly installed on the computer to
capture data or provide unauthorized access for a
remote user
Example – NetBus, takes control over the computer
Protection – a firewall can detect suspicious traffic
that belongs to the Trojan
Logic Bombs
Hides in the system until some particular
event happens.
Usually appears as the result of malicious
actions by software developers
Can do serious damage to the system or
data
Protection – examine the source code
Back Door
Mechanism – coded by the programmer during
development so that at a later time they can break into the
system without authentication. Often runs as a service and
uses a specific port. Typically installed as a Trojan horse
as part of another software package
Evidence – nothing visible immediately. Can be detected
only by specialized tools, such as port scanning, firewalls,
anti-virus
Samples – Simpsons (deletes files from the computer),
NetBus (takes control over the infected computer)
Mitigating – any tools capable of discovering malicious code
or identifying suspicious behavior: scanning tools, firewalls.
Evidence of being infected
Abnormal behavior of well-known systems
Unknown registry entries
Memory rapidly consumed by some program
Data files cannot be opened
Slow communication
Malware protection
Both system and application level
Study the examples
Connect to http://www.owasp.org/index.php/Man-in-thebrowser_attack
Read the article
Write a short essay that explains the role of Trojan horse
code in implementing the attack
Read the article
http://www.owasp.org/index.php/Trojan_Horse
Give an example of how a Trojan horse may be injected
into your computer. In your opinion, what is the most
common way to inject the code?
Social engineering
Attack that plays on human behavior
Crafted specifically to mislead users and
make them disclose confidential data
Examples - phishing emails, telephone calls
Protection
Educate users
Non-repudiation measures (secure phrases, words,
etc.)
Summary of protection mechanisms against attacks
To protect your systems you need:
Policy of system usage (email, Internet)
Strong password policy
Firewalls
Routers and other technical controls
Physical security
But even then you cannot be sure that your
messages are not intercepted
That is why they must be encrypted
Security advisors
A list of organizations that publish advisories on new
vulnerabilities and new types of attack. They also
advise ways of protection or workarounds
Cert Advisory www.cert.org
X-Force http://xforce.iss.net
SANS www.sans.org
An anti-phishing service is provided by
www.cyveillance.com
They monitor whether your brand name is being used to
organize a phishing attack