Looking at Vulnerabilities - UW Staff Web Server
Looking at Vulnerabilities
Dave Dittrich
University of Washington
dittrich @ cac.washington.edu
http://staff.washington.edu/dittrich/
Overview
Background attack concepts
Your typical look at Vulnerabilities, Risk vs. Cost
A (real!) complex attack scenario
A different view of vulnerabilities
Trust relationships
Attack trees
Atypical/uncommon vulnerabilities
Stepping Stones
Internet Relay Chat (IRC)
IRC w/Bots&BNCs
Distributed Denial of Service (DDoS) Networks
Typical DDoS attack
DDoS Attack Traffic (1)
One Day Traffic Graph
DDoS Attack Traffic (2)
One Week Traffic Graph
DDoS Attack Traffic (3)
One Year Traffic Graph
SANS Top 20 Vulnerabilities
Windows Top 10
1. Internet Information Server (IIS)
2. Microsoft Data Access Server (MDAC)
3. SQL Server
4. NETBIOS
5. Anonymous login/null session
6. LAN Manager Authentication (Weak LM hash)
7. General Windows Authentication (Accounts w/o pwd, bad pwd)
8. Internet Explorer
9. Remote Registry Access
10. Windows Scripting Host
http://www.sans.org/top20/
Unix Top 10
1. Remote Procedure Call (RPC) services
2. Apache Web Server
3. Secure Shell (SSH)
4. Simple Network Management Protocol (SNMP)
5. File Transfer Protocol (FTP)
6. Berkeley “r” utilities (trust relationships)
7. Line Printer Daemon (LPD)
8. Sendmail
9. BIND/DNS
10. General Unix Authentication (accounts w/o pwd, bad pwd)
Attack Sophistication vs. Intruder Technical Knowledge
[Chart: two curves plotted over the years 1980, 1985, 1990, 1995 and 2001: the knowledge required of "Attackers" (Intruder Knowledge, High to Low) and the sophistication of attack "Tools" (Attack Sophistication, Low to High). Techniques labelled along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sniffers, packet spoofing, GUI attack tools, automated probes/scans, denial of service, www attacks, network mgmt. diagnostics, “stealth”/advanced scanning techniques, distributed attack tools, binary encryption.]
Source: CERT/CC (used w/o permission & modified; “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)
Cost vs. Risk 101
Another view of Cost vs. Risk
UW Medical Center “Kane” Incident
Goal: How hard to obtain patient records?
Windows 98 desktop w/trojan or no pwd
Sniffer
Linux server -> Windows NT PDC/F&P server
Unix email server
Windows PDCs, BDCs
Windows Terminal Server (>400 users)
Access database file (>4000 patient records: Name, SSN, Home number, treatment, date…)
SecurityFocus -> ABC News
Trust relationships
Client<->Server
IP based ACLs
Shared password/symmetric key
Shared network infrastructure
Sensitive data in email
Sensitive files on servers
Attack Trees
“Secrets and Lies,” Bruce Schneier, ISBN 0-471-25311-1, chapter 21
Goal is root node; sub-goals are lower nodes/leaves
And/Or relationship between nodes
Attributes: likelihood, equipment required, cost of attack, skill required, legality, etc.
Attack Tree Example 1
http://www.counterpane.com/attacktrees-fig1.html
Attack Tree Example 2
http://www.counterpane.com/attacktrees-fig6.html
Attack Tree Example 3
Survivability Compromise: Monitor network traffic
OR: 1. Install sniffer on desktop.
        OR: 1. Use email trojan horse.
            2. Use remote exploit.
            3. Use Windows remote login service.
                OR: 1. Use passwordless Administrator account.
                    2. Brute force passwords on all listed accounts.
                    3. Brute force passwords on common accounts.
    2. Install sniffer on Unix/Windows server.
        OR: 1. Use remote exploit.
            2. Steal/sniff password to root/Administrator account.
            3. Guess password to root/Administrator account.
    3. Man-in-the-middle attack on SSL/SSH.
    …
Attack Tree Example 4 (Nested)
Survivability Compromise: Disclosure of Patient Records
OR: 1. Attack Med Center network using connections to the Internet
        OR: 1. Compromise central patient records database (PRDB).
                AND: 1. Identify central PRDB.
                        OR: 1. Scan to identify PRDB.
                            2. Monitor network traffic to identify PRDB.
                     2. Compromise central PRDB.
                        OR: 1. Use Remote Exploit.
                            2. Monitor network traffic to sniff pwd to account.
                            3. Guess password to account.
            2. Obtain file(s) containing patient records.
                OR: 1. Monitor network traffic to capture patient records.
                    2. Compromise file server or terminal server.
                        OR: 1. Use Remote Exploit.
                            2. Monitor network traffic to sniff Administrator pwd.
                            3. Guess password to User/Administrator account.
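As an added example (not from Dittrich's slides), the nested tree of Example 4 encoded with Schneier-style AND/OR nodes and evaluated for its cheapest path; the leaf costs and "special equipment" flags are constructed for illustration, not figures from the talk. For a defender, the leaves on the cheapest path are the ones where a control raises the attacker's cost most, and the second evaluation shows how the path shifts when one attribute (equipment) is denied.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Node:
    name: str
    kind: str = "LEAF"               # "AND", "OR" or "LEAF"
    cost: int = 0                    # leaf only: attacker cost (constructed units)
    special_equipment: bool = False  # leaf only: needs e.g. a sniffer position
    children: List["Node"] = field(default_factory=list)

def leaf(name: str, cost: int, equipment: bool = False) -> Node:
    return Node(name, "LEAF", cost, equipment)

def cheapest(node: Node, allow_equipment: bool = True) -> Optional[Tuple[int, List[str]]]:
    """Cheapest (cost, leaves used) to reach node's goal; None if unreachable under the constraint."""
    if node.kind == "LEAF":
        if node.special_equipment and not allow_equipment:
            return None
        return node.cost, [node.name]
    results = [cheapest(c, allow_equipment) for c in node.children]
    if node.kind == "AND":  # every sub-goal must be achieved: costs add up
        if any(r is None for r in results):
            return None
        return sum(c for c, _ in results), [n for _, p in results for n in p]
    feasible = [r for r in results if r is not None]  # OR: any one branch suffices
    return min(feasible, key=lambda r: r[0]) if feasible else None

# The tree of "Attack Tree Example 4"; leaf costs and equipment flags are constructed.
PRDB_TREE = Node("Disclosure of Patient Records", "OR", children=[
    Node("Compromise central PRDB", "AND", children=[
        Node("Identify central PRDB", "OR", children=[
            leaf("Scan to identify PRDB", 30),
            leaf("Monitor traffic to identify PRDB", 15, equipment=True),
        ]),
        Node("Compromise PRDB", "OR", children=[
            leaf("Use remote exploit", 60),
            leaf("Sniff password to account", 40, equipment=True),
            leaf("Guess password to account", 20),
        ]),
    ]),
    Node("Obtain patient record files", "OR", children=[
        leaf("Monitor traffic to capture records", 40, equipment=True),
        Node("Compromise file/terminal server", "OR", children=[
            leaf("Use remote exploit", 60),
            leaf("Sniff Administrator pwd", 40, equipment=True),
            leaf("Guess User/Administrator pwd", 55),
        ]),
    ]),
])
```

`cheapest(PRDB_TREE)` returns the path through the passwordless-guess leaf; with `allow_equipment=False` the sniffer leaves drop out and the cheapest path changes.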
Atypical Vulnerabilities
Network Infrastructure
Special Devices
Non-technical (Social) Issues
Border Routers
BGP (route insertion/withdrawal)
Address forgery
Source routing
Denial of Service
Remote service exploit & “Root kits”
Lack of visibility/access to traffic flows
Internal Routers/Switches
OSPF, RIP & other protocols
Address forgery
ARP spoofing
Sniffing (SNMP community string, pwd)
Denial of Service
Lack of visibility/access to traffic flows
Servers
Gateways to legacy apps
Web apps
Insufficient logging/auditing
Hiding in plain sight
Control of software configuration
Network Printers
Change “Ready” message
FTP bounce scan, other scanning
File cache
SNMP/web admin front ends, back doors
Disclosure of print jobs
Passive monitoring
Redirection of print jobs
Medical “devices”, photocopiers, printers
Proprietary or OEM OS (e.g., Solaris, IRIX)
Many (non-essential) services turned on
Typically behind the curve on patches
Remote management (HTTP, SNMP)
Heavy use of unencrypted protocols (e.g., FTP, LPR, Berkeley “r” utilities)
“What? The hackers are back?”
PBXs, voice services
Monitoring
Theft of Service
Fraud/social engineering
Denial of Service
Malware Cache (PC based VM)
Social Issues
Not recognizing threats
Assuming attacks are simple
Assuming things are what they seem
(e.g., Slammer, Nimda)
Assuming attacks/defenses are direct
Assuming you have it handled
Summary
Vulnerabilities exist in places you might not think
Vulnerabilities are additive, interrelated
Complex attacks call for complex defenses/response
If you’re not learning something new every day, you’re falling behind your adversary
Questions?
References
UW Medical Center
Attack trees
http://www.securityfocus.com/news/122/
http://www.hipaausa.com/hacker.html
http://www.cio.com/archive/110102/rules_content.html
http://www.cio.com/archive/031502/plan_content.html
http://www.counterpane.com/attacktrees-ddj-ft.html
Networking
http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24
http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt
http://www.securityfocus.com/infocus/1594
References (cont)
Routers
http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bhus-02-akin-cisco.ppt
http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf
http://www.net-tech.bbn.com/sbgp/IETF42.ppt
http://www.cymru.com/Presentations/barry.pdf
BGP, OSPF
http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerability.pdf
http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf
References (cont)
Switches, ARP, local network attacks
Printers
http://members.cox.net/ltw0lf/printers/
PBXs
http://www.comnews.com/stories/articles/c0103sfarea.htm
http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01Mike-Beekey.ppt
http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
DDoS, “root kits”
http://www.cert.org/reports/dsit_workshop.pdf
http://www.cert.org/archive/pdf/Managing_DoS.pdf
http://staff.washington.edu/dittrich/misc/ddos/
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq