Transcript lec21

CSCE 815 Network Security
Lecture 21
Intrusion Detection Systems
April 8, 2003
Hackers and Crackers
The Difference


A hacker is a person intensely interested in the workings of the Operating System
A cracker is someone who breaks into or violates system integrity
Tools of the Trade



Reconnaissance of target systems and users
Port Scanners
Passive Operating System Identification
Exploits and the SANS top 20
- Exploits – known ways to break into a system
- SANS Top 20 Most Critical Internet Security Threats
CSCE 815 Sp 03
Reconnaissance
Reconnaissance of target systems and users
Social Engineering [Corporate Espionage, Ira Winkler]
E.g.
1. Call main number: “I’m a new employee, what’s the help desk number?”
2. Call help desk, explain again and ask for username, a password, and how to access the system remotely.
3. Help desk worker never questions.
Dumpster diving
Impersonations – “This is Dean White and I’ve forgotten my password and I’ve got to get this email to the President before 5:00. Give me my password!”
Scanners
Port Scanners


Programs that check the computer’s TCP/IP stack for ports in the listen state
Port ranges: www.iana.org/assignments/port-numbers
- 1-1023 – well known e.g. on port 80 the web server is listening
- 1024-49151 – registered ports
- 49152-65535 – dynamic ports
TCP three way handshake RFC 793
TCP packets: SYN, ACK, FIN, RST, sent and response noted
Scanners – do not use these!!! People will infer things!
- Nmap (www.insecure.org)
- hping2
Passive Operating System Identification
aka Operating System Fingerprinting – identify the type of Operating System from its TCP/IP stack
TCP/IP parameters
- ip_default TTL (time to live) (Linux=64, Windows=128)
- ip_forward
- tcp_sack Selective Acknowledgement Std. (Linux = 1)
- tcp_timestamps (Linux = 1)
- tcp_window_scaling (Linux = 1)
Send various packets and observe fields in headers.
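
The parameters on the slide above can be read straight out of a captured packet, which is how an administrator can inventory hosts from their own capture. This is an added example, not part of the lecture: the function names, the sample packets and the rule of rounding the observed TTL up to the nearest default on the slide are assumptions.

```python
import struct

OPTION_NAMES = {3: "tcp_window_scaling", 4: "tcp_sack", 8: "tcp_timestamps"}

def build_syn(ttl, options):
    """Constructed sample data: a minimal IPv4 + TCP SYN (checksums left at 0)."""
    options += b"\x01" * (-len(options) % 4)           # NOP-pad to a 4-byte boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, 5840, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp

def observe(pkt):
    """Extract the slide's parameters from one captured IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or not 20 <= (tcp[12] >> 4) * 4 <= len(tcp):
        raise ValueError("bad TCP header length")
    seen = {"ttl": pkt[8], **{name: 0 for name in OPTION_NAMES.values()}}
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:              # kind 0 ends the option list
        if opts[i] == 1:                               # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        if opts[i] in OPTION_NAMES:
            seen[OPTION_NAMES[opts[i]]] = 1
        i += opts[i + 1]
    return seen

def guess_os(seen):
    """TTL only decreases in transit, so round up to the nearest default on the slide."""
    initial = next((t for t in (64, 128) if seen["ttl"] <= t), None)
    all_opts = all(seen[name] for name in OPTION_NAMES.values())
    if initial == 64 and all_opts:
        return "Linux-like"
    if initial == 128:
        return "Windows-like"
    return "inconclusive"

# Constructed samples: MSS, SACK-permitted, timestamps, NOP, window scale; then MSS only.
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07"
SAMPLES = {"a": build_syn(57, LINUX_OPTS),
           "b": build_syn(121, b"\x02\x04\x05\xb4"),
           "c": build_syn(60, b"\x02\x04\x05\xb4")}
```

Sample "c" has a Linux-range TTL but none of the three options, so the guess is reported as inconclusive rather than forced.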
Exploits
Exploiting weaknesses in the system
http://www.online.securityfocus.com/archive/1
SANS Top 20
SANS Institute http://www.sans.org/top20
Top 20 Most Critical Internet Security Threats
Common Vulnerabilities and Exposures
- www.cve.mitre.org
Computer Security
Not a state, it’s a constant process
- Configure system as securely as possible
- Discover vulnerability
- Exploit becomes public knowledge
- Vendor responds with upgrade or patch
- Stay on top of alerts/patches
  - Learn of exploit
  - Assess potential impact
  - Download patch, test, install
Information Overload
Web Sites
Mailing Lists
- Out of 100 messages
- 12-15 worthwhile
- Rest: me-too’s and spam
Tips for System Administrators
- Set-up special “security” email account
- Or partition it further
- Perl scripts analyze email and save into directories by OS
Computer Emergency Response Team
Computer Emergency Response Team (CERT)
Software Engineering Institute, Carnegie Mellon
www.cert.org
Created in response to 1988 Morris Worm incident
Issued hundreds of advisories
Responded to more than 140,000 reports of internet break-ins
Responded to more than 7000 vulnerabilities
[www.cert.org/stats/cert_stats]
On call 24 hours a day for those suffering break-in
Others:
- Dept of Energy Computer Incident Advisory Cap: www.cisc.org/ciac
- National Inst. of Standards and Tech. (NIST) csrc.nist.gov
Mailing Lists
Usenet Security Newsgroups
alt.2600.crackz
alt.2600.hackerz
alt.computer.security
alt.hackers.malicious
alt.security
alt.security.pgp
comp.security.firewalls
comp.lang.java.security
comp.os.linux.security
Physical Security
Mentality “firewalls fix everything”
More than 50% of security breaches come from inside
Types of Harm
- Server compromise
- Network infrastructure compromise
- Workstation compromise (Trojans)
- Loss or theft of proprietary data
- Transmission of inaccurate data
- Denial of Service
The Human Dimension
Dimension: least risk to most
- Members of public
- Temporary employees
- Departmental users
- Infrastructure
- Server
- Administrators
Scofflaw employees – those who want to bypass security rules for their convenience, e.g., installing their own modem
IT employees: logic bomb
Physical Security: “Do”s
Do: lock wiring closets
Do: use switches rather than hubs (esp. for admins)
Do: change locks immediately when employee leaves
Do: erase hard drives when you take them out of service
Do: use a paper shredder
Do: lock the server cabinets
Do: restrict or forbid the use of modems on desktops
Do: make sure road laptops and PDAs are secure
Do: consider use of smart-cards rather than passwords for administrators
Recommended Reading
Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentice Hall, 1995
Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994
Physical Security: “Don’t”s
Don’t: send off-site backups to unsecured sites
Don’t: give keys to vendors
Don’t: allow ad hoc access to data center
Don’t: share wire closets with printers etc.
Don’t: put servers in unsecured areas
Don’t: leave server keys on back of server
Don’t: let cleaning people in without escort
Don’t: store sensitive data on user drives (or encrypt)
Don’t: discuss passwords over non-secure channels
Don’t: put consoles near windows
Protocol Review
IP internet protocol – routing packets through network
TCP – connection oriented transport
UDP –
ARP – address resolution protocol
ICMP – internet control message protocol
Application layer – FTP, HTTP, SMTP, SNMP, SSH
Spoofing Attacks
Spoofing means fraudulently authenticating one machine as another
P 131 “A Short Overview of IP Spoofing”
www.nmrc.org/files/unix/ip.exploit.txt
Preventing IP spoofing
- have your routers reject packets with local addresses from the outside
- also have them reject internal packets claiming to originate from the outside
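
The two router rules above depend on the pair (arrival interface, claimed source address), not on the address alone. The sketch below is an added example, not part of the lecture: the prefixes, the interface labels "inside"/"outside" and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed: the prefixes that count as "local" for this site (documentation ranges).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

def is_local(addr):
    """True when addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def border_filter(arrived_on, src):
    """Decide what the border router does with a packet, given the interface it
    arrived on ("outside" or "inside") and the source address it claims."""
    if arrived_on not in ("outside", "inside"):
        raise ValueError(f"unknown interface: {arrived_on}")
    local = is_local(src)
    if arrived_on == "outside" and local:
        return "reject: local source address arriving from the outside"
    if arrived_on == "inside" and not local:
        return "reject: internal packet claiming to originate from the outside"
    return "forward"

# Constructed trace of (arrival interface, claimed source) pairs.
TRACE = [("inside", "192.0.2.15"),        # genuine local host
         ("outside", "203.0.113.9"),      # genuine remote host
         ("outside", "192.0.2.15"),       # local address, wrong side
         ("inside", "203.0.113.9"),       # outside address, wrong side
         ("outside", "198.51.100.200")]   # just past the /25, so not local

def rejected(trace):
    """Return the packets in the trace that the filter would not forward."""
    return [(iface, src) for iface, src in trace
            if border_filter(iface, src) != "forward"]
```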
ARP Spoofing
Address Resolution Protocol (ARP)
IP address → hardware (ethernet) address mapping
send ARP packet “who has IP address and what is your hardware address?”
ARP cache – table of recent responses
ARP Spoofing
1. Assume IP address “a” of trusted host
2. Respond to ARP packets for address “a”
3. Send false hardware address (i.e. the fraud’s address)
Solution: make ARP cache static (manual updates!?!)
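
A static table also gives a detection check: any ARP packet whose sender fields disagree with a pinned entry is worth an alert, and for unpinned hosts a changed binding can be flagged. This is an added example, not part of the lecture: the table contents, the sample packets and the function names are constructed, and the packet layout is the Ethernet/IPv4 ARP format from RFC 826.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
# Constructed static table: the manually maintained IP -> hardware address entries.
STATIC_ARP = {"192.0.2.1": "00:00:5e:00:53:01"}

def arp_reply(sender_mac, sender_ip):
    """Constructed sample data: an ARP reply claiming sender_ip is at sender_mac."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       ipaddress.IPv4Address(sender_ip).packed, bytes(6), bytes(4))

def parse_arp(payload):
    """Return (sender_ip, sender_mac) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return str(ipaddress.IPv4Address(spa)), ":".join(f"{b:02x}" for b in sha)

def check(payload, learned):
    """Compare one ARP packet with the static table, then with earlier answers."""
    ip, mac = parse_arp(payload)
    expected = STATIC_ARP.get(ip)
    if expected is not None:              # pinned entry: never updated from the wire
        return None if mac == expected else ("static-mismatch", ip, expected, mac)
    previous = learned.setdefault(ip, mac)
    return None if previous == mac else ("binding-changed", ip, previous, mac)

def run_trace():
    """Run the checks over a constructed sequence of ARP replies."""
    learned = {}
    trace = [arp_reply("00:00:5e:00:53:01", "192.0.2.1"),    # matches static entry
             arp_reply("00:00:5e:00:53:20", "192.0.2.20"),   # first sighting, learned
             arp_reply("00:00:5e:00:53:66", "192.0.2.1"),    # contradicts static entry
             arp_reply("00:00:5e:00:53:66", "192.0.2.20")]   # contradicts earlier answer
    return [finding for finding in (check(p, learned) for p in trace) if finding]
```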
DNS Spoofing
Domain Name System (DNS)
- hierarchical name servers map FQDN → IP address
- UDP packet sent with name to name server
Web Spoofing
Security Myth
“The only secure computer is the one that is turned off and unplugged”
Once connected to the internet it becomes a target
So shut down all unnecessary services.
Myth 2: “My firewall will stop the pesky crackers!”
The Players, Platforms and Attacks
The Players:
- The Black Hats
- Script kiddies
- The White Hats
Platforms of attackers
1. Windows
2. Linux/NetBSD/FreeBSD
3. OpenBSD billed as “the most secure OS freely available”
Attacks
- Denial of Service
- Viruses, Trojans, malicious scripts
- Web defacement