Current Internet Threats
Download
Report
Transcript Current Internet Threats
DePaul University
Security Forum
February 27, 2002
Presentations
Bill Eaheart
Eric Pancer
Systems Security – ISS
The Audience is listening
John Kristoff
Network Security – Network & Telecom
Current Threats
Manager R&D - Network & Telecom
Data Leaks
Rob Thomas
Guest Speaker - Life in the Underground
Information Security at DePaul
Information Security Team (INFOSEC)
Role at the University
Eric Pancer – System Security
Bill Eaheart – Network Security
Promote awareness
Assist with computer security
Provide guidance and resources to DePaul community
Contact
[email protected]
[email protected]
http://networks.depaul.edu/security/
Security Principles
Defense in depth
Physical Security
Intrusion Detection Systems
Firewalls
Auditing
Virtual Private Networks
Encryption
Strong Passwords
Access control Lists
Logging
Prevention is ideal – Detection is a must
Security through obscurity
Who are the threats?
Hackers
A person who enjoys exploring the details of programmable
systems and how to stretch their capabilities
Crackers
One who breaks security on a system
Script Kiddies
Do mischief with scripts and programs written by others, often
without understanding the exploit they are using.
Are you safe?
Hacker/Cracker Skills vs.
Availability of sophisticated tools
12
10
8
Skill Level
6
Sophistication of Tools
4
2
0
92 93 94 95 96 97 98 99 00 01
Show me the numbers!
2001 CSI/FBI Computer Crime and Security Survey
Percentage of Respondents
Unauthorized Use of Computer Systems
within the last 12 months
80
70
60
50
70
6462 64
50
42
1996
1997
1998
37
33
40
25
30
181716
20
1999
2119
1818
1211
10
0
Yes
No
Don't Know
2000
2001
80% of problems are due to ….
Is this changing?
Point of Attack
Percentage of Respondents
80
70
70
60
50
40
54 52
54 57
51
59
47
44
39
38
31
38
35
24
30
20
28
1996
1997
1998
1999
22
2000
18
2001
10
0
Internal Systems
Remote Dial-in
Internet
CERT Web Site
www.cert.org
CERT Statistics
1996 - 2001
Incidents Reported
Year
1996
1997
1998
1999
2000
2001
Incident
2573
2134
3734
9859
21576
52658
Vulnerabilities Reported
Year
1996
1997
1998
1999
2000
2001
Vulner.
345
311
262
417
1090
2437
Why do they do it?
Information
Resources
Corporate
Source Code
Storage
Access
Bandwidth
Launching point
Challenge
Activism
Political - Hacktivism
How do they get in?
Ports
Services
Third-party software
Passwords
Social Engineering
Back Doors
Trojan Horses
Information Gathering
The Company
Find Initial Information
Available information
Whois
Nslookup - Host
Host Look up
[user@test /]# host www.company.com
Server: host.atthome.com
Address: 192.168.10.10
Name: test.company.com
Address: 10.10.81.10
Aliases: www.company.com
Information Gathering
Address Range of the Network
American Registry for Internet numbers www.arin.net
Asia Pacific Network Information www.apnic.net
Reseaux IP Europeens www.ripe.net
Cyberabuse – www.cyberabuse.org
Traceroute
ARIN whois
The Company (NET-COMPANY)
100 South State Street Avenue
Chicago, IL 60612
US
Netname: COMPANY
Netblock: 10.10.0.0 - 10.10.255.255
Coordinator:
Company Administrator (ZD12-ARIN) [email protected]
(312) 323-1234
Domain System inverse mapping provided by:
DNS1.COMPANY.COM
DNS2.COMPANY.COM
10.10.120.120
10.10.240.120
Record last updated on 26-Mar-2001.
Database last updated on 25-Feb-2002 20:01:06 EDT.
Traceroute
user@test /]#
Tracing route to DNS1.company.com [10.10.80.10]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms badguy.home.com [192.20.40.50]
2 <1 ms <1 ms <1 ms rtr-isp.com [192.10.30.30]
3 <1 ms <1 ms <1 ms rtr-isp.com [192.10.20.20]
4 <1 ms <1 ms <1 ms 192.10.10.10
5 1 ms 1 ms 1 ms isp.location.net [16.6.9.33]
6 1 ms 1 ms 1 ms 16.6.9.122
7 15 ms 14 ms 11 ms 16.6.9.218
8 8 ms 10 ms 5 ms 10.10.1.1.
9 48 ms 84 ms 59 ms test.company.com [10.10.120.120]
Trace complete.
Information Gathering
Find Active Machines
Ping
Ping Sweep
Ping Sweep
[user@test /]# nmap –sP 10.10.82.11-30
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Host d8211.company.com (10.10.82.11) appears to be up.
Host d8212.company.com (10.10.82.12) appears to be up.
Host d8213.company.com (10.10.82.13) appears to be up.
Host d8214.company.com (10.10.82.14) appears to be up.
Host d8215.company.com (10.10.82.15) appears to be up.
Host d8216.company.com (10.10.82.16) appears to be up.
Host d8217.company.com (10.10.82.17) appears to be up.
Host d8218.company.com (10.10.82.18) appears to be up.
Host d8220.company.com (10.10.82.20) appears to be up.
Host d8221.company.com (10.10.82.21) appears to be up.
Nmap run completed -- 21 IP addresses (18 hosts up) scanned in 2 seconds
Information Gathering
Find open ports
Port scanners
Scanport for Windows
Nmap for *nix
Modems – War dialing
Figure out the operating system
Nmap
Nmap
[user@test /]# nmap -O 10.10.82.11
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on test.company.com (10.10.1.1):
(The 1520 ports scanned but not shown below are in state: closed)
Port
State
Service
7/tcp
open
echo
9/tcp
open
discard
13/tcp open
daytime
19/tcp open
chargen
21/tcp open
ftp
23/tcp open
telnet
25/tcp open
smtp
37/tcp open
time
6112/tcp open dtspc
Remote OS guesses: Windows ME or Windows 2000 RC1 through final release
Uptime 20.028 days (since Wed Feb 6 11:05:16 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
Information Gathering
Figure out which services are running
Assumptions
Telnet
Vulnerability scanners
Commercial
ISS – Internet Scanner
CyberCop
Secure Scanner
Shareware
SARA
Nessus
SAINT
Nessus
Nessus Scan Report
-----------------SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 4
- Number of security warnings found : 18
- Number of security notes found : 4
TESTED HOSTS
test.company.com (Security holes found)
DETAILS - List of open ports :
. Information found on port telnet (23/tcp)
Remote telnet banner :
HP-UX test B.11.00 U 9000/800 (tc)
login:
ÿü ÿü ÿþÿþ!ÿþ
. Vulnerability found on port snmp (161/udp) : SNMP community name: public
CVE : CAN-1999-0517
CVE : CVE-1999-0018
-----------------------------------------------------This file was generated by the Nessus Security Scanner
Information Gathering
Exploiting the system
Clear map of the network
Active Machines
Types of Machines
Ports and Services
Potential vulnerabilities
Look for known vulnerabilities and run
exploits
Security Tools
Port Scanner – Nmap
Anti Virus – Norton’s, McAfee, Inoculate IT
Vulnerability Scanner – Nessus
Firewall – ZoneAlarm, PortSentry
IDS - Snort
Encryption Software – PGP, GNU PG
SSH
OpenSSH
PuTTY – ssh client
MD5
Encryption - secure communication and data storage
Pretty Good Privacy – PGP
GNU PG
Develop by Philip Zimmerman
Restricted use
Complete and free replacement for PGP
Can be used without restriction
Public/Private Key
Encryption
Plain Text
This is a test message.
Encrypted
-----BEGIN PGP MESSAGE----Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
qANQR1DBwU4DSTJMC1F2PksQCACdcf2IVYDlAr76yd5HF25PA3Qh6CCGBucLxgbt
KQ5DfRqHduaU7BiCFbbbf188PM2iJraUsYUTz7kZAJ8DNx7JsJZcmo1gvs8UGUuP
7jkSBEGSv59C3sXOMq9Zvzcd0uReWzzsZv+cjqZNBkKlueC88sYZvaFM4DAfbpkf
gXK2XWRVbgymilclY3drHiyBVAk+EGmmQ2gZ4sNLZmoFlPD1G2SOuQhp63n2XgHT
ce/DpZ+rjDvF0dpDkv30G609cC82E0mVnzV9Ca6qNmxB2LY5P94ido2mfPp55T8h
5VBGL2k3pQOblpjE0fN8un8vHzM6fab5pCALDnUI06v5YVzZB/4yFGXOqUvd3fgf
1o/ayYkKZ+Cb6eKkUz4EmXASBmQNM9VBgXTjaizEHC4WCj3Crm7R1InDO9c47/9i
YZZ6sHLJ0h5TU8SM1KfFRuJat438B2DElc9AECDQsqEM64BEOmqTKRkZ8OGdV0aE
GcUpwcaif7WbrOlA8c/8kiNOOGGP/SqjnEesxjNfloKkhuy3Ck+j+D6jGu8B/96c
YsKcKKk6GQwzopSmivhCZHOmDOdA4LIHzY+KTma+ASJGDlO1RTCECvQncn1G77Ll
ktbBo5AtgeHi1uvk4qj1ZFr7fyVhwRdGP2wbxq8JupZ8h5DPyT4wM7TpgtlEjeSJ
l4vuObkzyS4QPOiAADW3IxHheN/8ZAnW9V1M7B26ZXK0v15htVNwUPFuKghw4kOP
epYVa+8f
=WOpm
-----END PGP MESSAGE-----
Telnet
Telnet
Plain Text!!
SSH
Secure Shell program to log into another
computer over a network,
secure communications over insecure
channels.
Encrypted text
I smell a password…
Telnet session:
Frame 30 (61 on wire, 61 captured)
Frame 32 (55 0n wire, 55 captured)
Frame 36 (55 on wire, 55 captured)
Frame 48 (55 on wire, 55 captured)
Frame 51 (55 on wire, 55 captured)
Frame 53 (54 on wire, 54 captured)
Frame 60 (55 on wire, 55 captured)
Frame 62 (55 on wire, 55 captured)
Frame 65 (55 on wire, 55 captured)
Frame 66 (55 on wire, 55 captured)
Frame 68 (55 on wire, 55 captured)
Frame 69 (60 on wire, 60 captured)
Frame 72 (55 on wire, 55 captured)
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Telnet
Data: login:
Data: f
Data: r
Data: e
Data: d
Data: Password:
Data: f
Data: r
Data: e
Data: d
Data: f
Data: o
Data: o
MD5
MD5 is a one-way hash function, meaning that
it takes a message and converts it into a fixed
string of digits, also called a message digest.
[user@test /]# md5sum test.txt
2d282102fa671256327d4767ec23bc6b test.txt
[user@test /]# md5sum test.txt
2bc4fd1e721de48ca6dfd992b2e88712 test.txt
Security Sites
www.cert.org
www.ciac.org/ciac
www.incidents.org
www.securityfocus.com
http://csrc.ncsl.nist.gov/
Vendor sites for patches
References
Network Security, Private Communication in a PUBLIC World, by
Charlie Kaufman, Radia Perlman and Mike Speciner
Computer Security Issues and Trends, Vol. VII No. 1 by Richard
Power
Hackers Beware by Eric Cole
www.webopedia.com
www.nessus.org
www.nmap.org
www.cert.org