Transcript CIS 442- Chapter 6

CIS 442- Chapter 6
Network Security
Internet Vulnerabilities
• A network vulnerability is an inherent weakness in the design, implementation,
or use of a hardware component or a software routine.
• A vulnerability invites attacks and makes the network susceptible to threats.
• A threat is anything that can disrupt the operation of the network. A threat can
even be accidental or an act of nature, but threats are mostly intentional. A
threat can damage the network, slow it down, or make it unavailable. Any type
of rogue software represents a threat.
• An attack is a specific approach employed to exploit a known vulnerability.
• A passive attack is designed to monitor and record network activity in an
attempt to collect information to be used later in an active attack.
• Examples of passive attacks are packet sniffing and traffic analysis.
• Passive attacks are difficult to detect.
• An active attack tries to damage a network or its operation. Such attacks are
easier to detect, but are also more damaging.
Port Scanning
•
•
•
•
•
•
•
•
When two programs on different computers exchange data, all the data packets sent
between the programs have (among other specifications) the same port number.
Accessing a network opens a port and is similar to opening a door. This makes ports
especially important for network security.
When data packets arrive at a computer from different sources, each stream of packets
uses a port number.
A port is identified by a 16-bit integer and there can be up to 216 − 1 = 65,535 ports.
There are three classes of ports, well known (0 through 1023), registered (1024
through 49,151), and dynamic/private (49,152 through 65,535).
The well-known ports are assigned by [IANA port 04] and are normally used by
operating system processes. Some examples are FTP (port 21), TELNET (port 23), SMTP
(port 25), and HTTP (port 80).
Registered ports are typically used by user applications (as opposed to operating
system processes) when they have to contact a server, but such ports can also identify
named services that have been registered by a third party.
Dynamic/private ports are used by user applications, but their use is rare. Such ports
do not have any meaning outside of any particular TCP connection.
• A port scanner is a program that listens to data arriving
at and departing from certain ports on a computer.
• Port scanning has legitimate uses in managing networks,
but is also used heavily by hackers to gather information
that identifies open doors to the computer.
• Information collected by port scanners is used to
identify operating system utilities installed in the
computer, and exploit known vulnerabilities in those
utilities in order to break into the computer.
• Port scanners are implemented by sophisticated hackers
who make them available on the Internet.
• In many cases, it is easy to detect the activity of a port
scanner simply by checking the log files that are
continuously updated by the operating system.
• Once a port scanner is detected, its transmissions can be
traced back to their origin and sometimes stopped.
However, the mere activity of port scanning is not illegal.
• Newer port scanners exploit a vulnerability associated
with SYN packets and half-open connections. Those are
much harder to detect, because half-open connections
are logged by the operating system.
Examples of Port Scanners
• Vanilla: The scanner attempts to connect to all I/O ports.
• Strobe: A specialized scan looking only for certain services to exploit.
• Fragmented packets: The scanner sends fragments of packets. Such
fragments can sometimes get through certain packet filters in a firewall.
• UDP: The scanner looks for open UDP ports.
• Sweep: The scanner connects to the same port on several (even many)
computers.
• FTP bounce: The scanner goes through an FTP server (to appear
legitimate).
• Stealth scan: The scanner partly disables the log service of the operating
system, so it (the operating system) can no longer record the scanner’s
activities.
• Nmap (Network Mapper) is a free open source utility for network
exploration and security auditing. Among other checks, it looks for port
scanners.
Spoofs
• The term spoof means to pretend to be someone else, to
falsify one’s identity, or to cover tracks.
• It is no wonder that various spoofing methods are used by
hackers to gain access or to obtain information.
• A computer may be protected from attack by restricting the
IP addresses that may send it data.
• A router may have a list of IP numbers and it allows only
data from these numbers to enter the computer.
• A hacker who has this list may spoof the router by sending
data that appears to have come from a legitimate IP
address. Someone who doesn’t have the list may discover
an allowed IP number by sending the computer data
packets with consecutive IP numbers until a packet gains
entry to the computer.
Defending against spoofing
• Filtering. If the computer is part of a local area network, the
network has a range of IP addresses.
• When data is sent outside a local network (uploading), the
filter software at the router should block any source IP
outside the range of the local network. This prevents
someone in the local network from sending spoofed data
outside the local network.
• When data is received (download), the filter should block
any packets with source IPs that are within the range of the
local network.
• Encryption and Authentication. There are Internet
protocols that specify the details of data encryption and
how to authenticate messages. While imperfect, such
protocols may help to eliminate simple IP spoofing attacks.
• Sequence number spoofing. The TCP protocol specifies the use of
sequence numbers within data packets.
• Each data byte has a sequence number, and the receiver must
acknowledge the sequence number of the last contiguous byte it
has received.
• Sequence number spoofing is the case where a hacker can compute
or guess the next set of sequence numbers in a data transmission.
• The hacker can, in such a case, send false packets of data and they
will be received with full trust by the client program in the receiving
computer.
• Good defense against this kind of attack is to encrypt the data. If
the hacker doesn’t know the encryption key, any false data inserted
will not decrypt properly and will therefore be useless to the owner
(who can request a retransmission) as well as to the hacker (who
can try to corrupt the next transmission).
Session hijacking
• This type of attack occurs when a hacker gains privileged
access to a network device, such as a router, that serves as
a gateway between the server and client. The hacker can, in
such a case, use
• IP spoofing to take over the entire session of data
transmission and send any information, rogue programs,
and corrupt data to the client’s computer.
• An alternative is to use “blind” hijacking, where the hacker
guesses the responses of the computers at B and C.
• The hacker can, in such a case, send a command and
cannot see the response, but can guess the response to
many commands. A typical command is to set a password
allowing access to B and C from somewhere else on the
network.
DNS
• A domain name server (DNS) is a computer used
specifically for networking. It has a dictionary with IP
addresses and the corresponding URLs.
• When a computer wants to send data, it has to prepare
packets with the IP address of the receiving computer.
• The human user normally knows the URL (a meaningful
string), so the sending application has to connect to
the DNS first, send it the URL, and receive the
corresponding IP address.
• Only then can the application send data with the
proper IP and TCP headers. This is why, when we want
to browse a certain URL, the browser often displays the
message “looking for. . . ” for a few seconds.
• One threat related to DNS is man in the middle (MIM).
• A hacker may register a domain name, such as
aple.com, that is similar to an existing popular URL.
• When a user mistypes aple instead of apple, the
browser receives from the DNS computer the IP
address of the hacker’s site, and connects to that site.
• Now the hacker is in control. His site can display
information similar to that displayed by the real site,
while also sending its own malicious software.
• The hacker can even retrieve from apple.com the web
pages the user wants, then forward them, perhaps
modified, to the user
• A common MIM attack involves denial-ofservice (DoS) against a network node by
flooding it with messages and so preventing it
from responding to legitimate users and
visitors.
• This attack can be directed either against a
server computer to force it to crash, or against
the network connection to cause heavy packet
loss.
DNS Poisoning
• Another threat related to DNS is DNS poisoning. In the past, the most
common DNS software was the Berkeley Internet name daemon (BIND).
• Early versions of this software had weaknesses that made it easy for a
hacker to modify the IP addresses associated with any URLs.
• Once a hacker changes the IP associated with, say apple.com. Anyone
trying to connect to that URL will be connected to the hacker’s site, with
potentially disastrous results.
• A well-known example of DNS poisoning is the defacing, in 2001, of the
Web site of RSA Security.
• The anonymous hijacker rerouted visitors from RSAsecurity.com to a fake
site that looked like the RSA site but was different in significant ways.
• Anyone who noticed the differences in the Web site, assumed that RSA
Security, an important developer of encryption techniques and products,
had been compromised. In fact, only the DNS was attacked and corrupted.
Spam
• Spam is unwanted, unsolicited email sent in bulk to many unwilling
recipients.
• Most of it is commercial advertising for doubtful products, get-richquick schemes, or quasi-legal or health services.
• Spam is named after the 12-oz cans of spicy ham made by the
Hormel company since 1937.
• By itself, spam is nuisance, not a security concern, but it can be
exploited for a DoS attack. A central computer dedicated to sending
and receiving email for a large organization can be attacked by
sending its many users massive quantities of identical email
messages.
• This consumes valuable network bandwidth, it overloads the CPU,
eats up disk space on the email server, and can cause it to crash (by
overflowing some data structure) or freeze (by keeping the CPU
permanently occupied with receiving, logging, sending, and
forwarding the spam messages).
• It may come as a surprise to many that most spam messages are sent from
computers (mostly private personal computers on high-speed cable or DSL
networks) that have been infected by special strains of viruses.
• Such a virus hijacks the infected computer and turns it into a spam proxie
(a special case of zombie).
• A major spammer may at any time own such a botnet and control
thousands of spam proxies that serve him obediently and send millions of
spam messages anonymously.
• The sobig virus (technically a worm, see year 2003 in Appendix C) was the
first specimen of malicious software designed to create spam proxies, but
similar viruses (mostly variants of the original sobig) are implemented and
released all the time and manage to infect tens of thousands of computers
worldwide every week.
• The virus installs special software known as spamware that takes over the
computer (essentially hijacking it) and handles the distribution of spam.
• URLs such as Specialham.com and Spamforum.biz (both
now defunct), which are hosted mostly in Russia and China
(but also in Florida), may not look very useful or interesting
to a casual visitor or even to security-conscious persons
such as readers of this book, but are familiar and very
useful to spammers.
• These sites also carry advertisements for bullet-proof
hosting (ISPs, most of them Chinese, that allow spam) and
allow spammers to exchange news and information.
• The news is mostly about steps taken by ISPs and law
makers and enforcers in various countries to make the lives
of spammers more difficult.
• Much information is offered on ISPs and networks that
close their eyes to spam in return for the high revenues
obtained from spammers.
• The Send-Safe program has a feature that
speeds up the sending of spam and makes it
harder to identify its source.
• Spamhaus maintains a register of known spam
operations (ROKSO) database with names,
addresses, and much information on the top
200 spammers.
Why Spam is bad ?
• It is easy to send. All that a spammer needs is
spam software and a fast Internet connection.
• Many spam messages ask the user to click on
a link to be removed from the mailing list.
• Spammers tend to use computing resources
illegally or even to steal them outright.
• Spam is trash. We have all seen messages
advertising worthless merchandise and
deceptive or fraudulent services
Avoiding Spam
• As a simple precaution, try to uncheck all the
prechecked boxes before you ask for more
information or subscribe to a free service or
newsletter.
• A Web site that collects names and addresses has
to have a privacy policy where it states whether it
shares this information with other parties.
• If a site does not display such a policy, or if it has
no policy at all, avoid it. Naturally, the worst sites
promise privacy and break this promise all the
time.
• It is also a good idea (practiced by this author) to
leave immediately when you see the words “free
gift.” These words are a sure sign of something
wrong, because a gift, by its very nature, is free.
• A similar scam to avoid is contests. Contests are
very often used as bait to lure unsuspecting users
to submit their names, physical addresses,
telephone numbers, and email addresses.
Protecting emails
• An important technique of collecting email addresses is harvesting
them (some prefer the term scavenging) from the Whois data base.
• The spammer can simply try all the IP numbers in order, and examine
each result automatically, by special software (that he can constantly
tune up and improve), looking for strings that may be email
addresses.
• Spammers use spambots, software that crawls the Web, examining
Web pages looking for email addresses, and harvesting them for
future abuse or for sale.
• An obvious (but alas, not ideal) protection is to obfuscate all email
addresses in a Web page. Instead of writing an email address in your
Web site in a form such as [email protected], it is better
to have something like leopold bloom at ulysses dot name.
Anti Spam tools
• There are commercial services that provide relief from spam for their
members by blocking it. A typical spam-relief service maintains a list of
approved senders and asks each of its members to provide their own list
of approved senders.
• The service “sits” between the member and the member’s mail server,
and the member uses the same email software to send and receive
messages.
• However, the software connects to the service which, in turn, connects to
the member’s email server. Messages whose senders are in the service’s
list of approved senders (or in the individual member’s list) are let through
to the member.
• For any other messages, the service sends the sender a short challenge
message, like the one of Figure 7.5, asking the sender to click (just once)
on a certain link.
• If the sender clicks on the link, he is added to the service’s list of approved
senders. The idea is that a spammer would not be able or willing to
respond to many challenges.
• A simple technique to reduce spam is to open several
alternate email address. When one gets flooded with spam,
tell your correspondents to use another one.
• There are several large companies, such as Yahoo and
Hotmail, that provide free email addresses, but they are
frequently targets of massive spam and various attacks.
• A common sense idea is to avoid giving out your email
address as much as possible.
• If you have a Web site with your address, try to write it in
the form john at abc dot com or a similar format. If you set
up a message board or a discussion group, try to display
just part of any email address.
Zombies
• Certain types of malware are used to capture control of a computer and
command it remotely. Such a captured machine is known as a zombie and
a set of zombies is termed a botnet.
• A botnet is an ideal means of hiding the identity of a perpetrator and
security experts see more and bigger botnets all the time.
• It is known that DoS attacks are often carried out after the attacker has
gained control of many computers and turned them into zombies.
• A targeted Web site is flooded with a vast number of meaningless
messages sent by computers whose innocent users know nothing about
the attack. The attack keeps legitimate users from using the site, causing
inconvenience to users and monetary losses to the site’s owners. Such an
attack is referred to as distributed denial of service (DDoS).
• Zombies are also used by spammers to hide their identities. A spammer
who controls a zombie computer, sends this slave a (normally stolen) list
of email addresses and instructs it to send a message (or several
messages) hawking useless merchandise, fraudulent schemes, or
unwanted services to all the addresses. Zombies are less destructive than
viruses or other types of rogue software because they rarely damage data.
More Spam Advice
• If you have your email program set to preview
messages (i.e., to show you the contents of the
message in a window below the list of email), the
spammer may be able to verify that the email has been
received.
• If you click on a link to unsubscribe from a mailing list,
you have confirmed to the spammer that your email
address is active. The spammer can then sell your
address to others.
• Spammers can include a “web bug” in an email. This is
a link that connects to the spammer’sWeb site as soon
as the email is read or previewed.
• If you want to avoid letting spammers know that their
mail got through, follow the advice given here.
Avoiding Spams
• Use anti-spam software, update and run it
regularly. This software can significantly reduce
unwanted email, especially if it is programmed to
receive feedback from the user/reader and
employ it to learn (from the subject line or
sender’s address) which messages are spam.
• Never buy anything advertised by unsolicited
email because this only encourages future spam.
• If the sender’s name sounds unfamiliar, delete
the email without any hesitation. Most spam is
just a nuisance, but often it includes viruses and
other nasty software.
• Never respond to spam messages or click on any links in them.
Replying to spam—even to unsubscribe from it—confirms to the
spammer that your email address is a valid one, thereby
encouraging more spam.
• Opt out of any further information or free or attractive offers.
When you fill out forms on the Web, uncheck any checkboxes that
offer further information or offers.
• Don’t use the preview mode in your email viewer. Spammers can
verify that a message has been previewed, even if it hasn’t been
opened, because the preview effectively opens the email.) Knowing
that you have read their messages encourages the spammers.
• Try to decide whether an email message is spam based only on the
subject line and sender’s name and address. Use the bcc field if you
email many people at once.
• The bcc (blind carbon copy) field hides the list of recipients from
any individual recipient. If you include the addresses in the To field,
spammers may harvest them and add them to mailing lists.
• Restrict the use of your email address on the Internet.
Don’t publish it on Web sites, newsgroup lists or other
online public forums.
• Spammers have software that crawls the internet to find
addresses in such places, harvest them, and add them to
mailing lists.
• Give your main address only to those you trust (and even
then be ready for your address to be discovered and
abused by spammers).
• Always have several secondary email addresses ready.
(Those are easy to open at sites such as Yahoo, Gmail, and
emailaddresses.com) When you fill out Web registration
forms or surveys on sites with which you don’t want further
contact, use a secondary email address
Denial of Service
• Many Internet attacks try to obtain private data or to damage data.
• In contrast, a denial-of-service attack aims to shut down an entire
network, a single server, or a particular Web site. The attack tries to
prevent legitimate users of a service from using that service.
• This can be done by one of the following methods:
• Flood a network with traffic. This makes it hard or impossible for
legitimate users to send or receive data.
• Disrupt connections between two computers. This prevents remote
access to the machines.
• Attempt to prevent a particular user from accessing a service.
• Disrupt or prevent network access to a particular computer or
network. A hacker may open an account at an ftp site, then store
data and retrieve it repeatedly, thereby consuming disk space and
monopolizing network services at the site.
DOS types
• There are three types of denial-of-service, (1) consumption of scarce or
nonrenewable resources, (2) destruction or alteration of network
information, and (3) physical destruction or alteration of network
components.
• The first type, consumption of scarce resources, relies on the fact that
computers and networks need resources such as electrical power, CPU time,
memory space, disk space, and network connections.
• The easiest resource for a hacker to consume is network connectivity. It is
possible to tie up the network connections of a computer, such that it waits
for some data that never arrives, so it remains hung up.
• All that the hacker has to do is start opening a connection to a network
server but never complete this process. The victim server has reserved a port
and a data structure for the connection, but the port remains half open. The
hacker (or a group of coordinated attackers) can very quickly tie up all the
available ports of a server.
• In the meantime, other users, legitimate or not, who try to establish
connections are denied access. Such an attack is called a SYN flood. Even
someone with only a slow computer and slow modem can stop a large server
very quickly. Here is a detailed description of this threat.
Ping and ICMP
•
•
•
•
•
•
•
Those are commands that were originally developed for testing connectivity in
networks.
The original ping program was written as part of UNIX by Mike Muuss and generated so
much interest that the ping concept became part of the Internet protocol.
If your operating system is experiencing frequent crashes with no apparent cause, it
could be the result of this type of attack.
The obvious defense against the ping of death is to patch the low-level routine that
sends data packets to never send large packets, and patch the routine that receives
packets to ignore packets that are too large.
In practice, this should be done by the makers of the operating system and issued as a
security patch.
The second type of DoS threat involves destruction or alteration of network
information. An attacker may be able to change the IP number of a victim’s personal
computer, change the registration of the operating system, or change prerecorded
telephone numbers used by the modem to call outside servers.
The third type of DoS threat involves physical destruction or alteration of network
components. This can be done by an intruder physically appearing in a computer center
and disabling, breaking, or disconnecting cables and other hardware devices. A hacker
may also climb a utility pole and disconnect telephone lines or television cables,
thereby disrupting service to users in the neighborhood.
Firewalls
• A firewall is a combination of software and hardware that decides
what kinds of requests and what specific data packets can pass to
and from a computer or a local network.
• A firewall for a personal computer is normally fully implemented by
software, whereas a small network of computers often found in a
home (typically consisting of 2–3 computers and a printer) may use
a hardware firewall that’s built into the network’s router.
• The main task of a firewall is to block certain requests for data
transfer, and the firewall makes these decisions based on rules. A
firewall starts with some built-in (default) rules, and its user/owner
can add, delete, and modify rules.
• We can say that a firewall enforces an access policy through the
rules, and a rule tells the firewall what properties of a data packet
to examine and how to decide whether to let the packet through or
not.
Firewalls tasks
• A typical firewall performs the following tasks:
• (1) limit incoming data, so that data coming from
certain senders (or that has certain properties)
will be blocked,
• (2) limit outgoing data, so a program will not be
able to send data outside (to call home) without
the owner’s knowledge,
• (3) generate and save a log of all its activities,
especially on data packets it has blocked, and
• (4) do all this fast and be transparent to the user.
• A firewall rule specifies a set of conditions and
what action to take when a condition occurs.
• A complex rule can check several conditions,
while a simple rule is limited to just one
condition. Rules can also be hierarchical.
• In such a case, each rule is simple and checks one
condition, but a rule can have several child rules,
each checking one condition. This way, each rule
is simple, but the overall performance can be
complex.
• Examples of actions are “delete,” to delete a data packet, “pass,” to
let it through (into or out of the computer), “drop,” to drop the
connection (in case of a DoS attack that tries to hang up the
connection), and “log,” to log the data packet and then apply the
next rule to it. (For incoming data packets, the “drop” action sends
a TCP RESET command to the sender, while for an outgoing packet
the same action sends a small TCP FIN packet.)
• The two main components of a firewall are the gate and the choke
(there can be several such pairs in a large firewall).
• The gate transfers or blocks the data and the choke is the filter that
decides which data to block.
• Those familiar with firewalls like to compare the gate to a security
checkpoint and the choke to a security guard.
Firewall extra tasks
• A modern firewall may also include rules for checking
the data of a data packet, not just the fields of its
header. This useful feature is referred to as content
filtering.
• Another advanced task is to limit the amount of data
(the bandwidth) allocated to certain users or to certain
applications. This way, a firewall can help in bandwidth
management.
• Bandwidth accounting is another important task
performed by modern firewalls. The owner/operator of
a local network needs to know how the network is
used over time.
• Another important picture that a good firewall can
paint is the pattern of connection logging.
Router attacks
• A router is an important component of a computer
network, even a small network used in a home.
• Even if there is only one computer, a router is still
useful.
• Perhaps the simplest attack on a router is to change
the DNS server it uses. Every time the computer user
wants to connect to the Internet, the URL typed by the
user has to be translated to an IP address.
• There are many DNS servers that maintain lists of pairs
(URL, IP), and they supply the needed IP addresses.
Sending the router to a malicious DNS server can be
the key to a whole slew of other attacks.
• A more complex threat is posed if someone can modify the
programs that run the router. Those programs are firmware and
router makers issue firmware updates from time to time. Imagine
someone slipping malware into a new firmware update issued by
the router manufacturer and made available in its website, waiting
to be downloaded by router owners.
• Once a router is updated, the malware in it can send its controller
copies of any data sent and received by the computer. It can even
send executable code to all the devices attached to the router, all
without the router owner’s knowledge.
• Even more dangerous exploits are possible, but they may require
some “help” from the user. Both hackers and security researchers
have proved that a router can be attacked and compromised if the
user can be enticed to click on a bad link or if the user neglects to
change the router’s password from the default (usually admin).
Router usage advices
• Reset the router (even a brand new one) to its
factory state.
• Update the router with the latest firmware
available in the manufacturer’s website.
• Change the default password to a new, secure
one.
• The router may have features to support devices
that you don’t have.
• Turn those features off.
• Turn off all features that allow the device to be
administered from anything other than the
device(s) plugged directly into the router.
The URL-shortening threat
• The Internet is big. There are many sites and even
more files. Each file on the Internet (as also on a
computer) must have a unique name, which is
why many URLs are long. Special
• URL-shortening services exist to alleviate this
problem.
• Examples are tinyurl.com, bit.ly, and is.gd. These
services are useful but they also pose a security
threat. Someone sends you a short URL that
should take you to an interesting site whose URL
is long. Instead, the short URL takes you to an
infected website.
• PDF JBIG2 flaw. In 1993, Adobe introduced the portable document format
(PDF), a file format for documents. The format is independent of the
application software, hardware, and operating system used to create or
view the document.
• A PDF file includes a complete description of the document including text,
fonts, illustrations (images in vector graphics format), and bitmaps. Each
type of data in the file is compressed with an algorithm designed
specifically for that type. Together with the format specification,
• Adobe also released appropriate software that it collectively named
“Acrobat.”
• Adobe Acrobat is a family of computer programs designed to view, create,
manipulate, and manage PDF files. Most of the programs in this family are
commercial, but Adobe Reader (for viewing and printing of PDF files) is
free and can be downloaded from Adobe’s web site.
• The Acrobat family and especially the Reader are widely used to present
and exchange platform independent documents.
Flash weakness
• Adobe Flash is a popular multimedia application for adding
animation and interactivity to Web pages.
• Originally designed and implemented in 1996 by Jonathan
Gay who called it SmartSketch, the program was acquired
by Macromedia in the same year and its name changed to
Flash.
• Since 2007, it has been developed and distributed by
Adobe Systems.
• Flash is commonly used to create animation,
advertisements, and other videos that are included in Web
pages. In July 2009, a weakness (that became known as
zero-day vulnerability) was discovered in Flash player
versions 9 and 10 by an anonymous hacker.