1 Crimes 1 A student intern with access to credit card data at a New York bank has been arrested in connection with using the card details to spend $30,000 of the bank's money on expensive fashion items. Bryant Alexander, aged 16, had been working at the JP Morgan Chase bank branch on Long Island since August of this year and is reported to have mailed himself copies of customers' credit cards, using the cards to go shopping for high-end sneakers, amongst other items. He has since been charged with grand larceny and computer tampering.

Dec 19, 2015

Page 1

Crimes 1

• A student intern with access to credit card data at a New York bank has been arrested in connection with using the card details to spend $30,000 of the bank's money on expensive fashion items.
– Bryant Alexander, aged 16, had been working at the JP Morgan Chase bank branch on Long Island since August of this year and is reported to have mailed himself copies of customers' credit cards, using the cards to go shopping for high-end sneakers, amongst other items.
– He has since been charged with grand larceny and computer tampering.

Page 2

Crimes 2

• The ongoing tension in the Middle East is causing the IT security industry a headache, says mi2g, the London-based research group.
– The research company says it has noted a rise in hacker activity during September as a direct result of the Middle East problems.
– The Unix Security Guards (USG), a pro-Islamic macro hacker group, increased its activity tenfold during September to highlight the Palestinian Intifada and to show solidarity with the Arab world.
– DK Matai, mi2g's chairman, said that the industry has seen the close of the worst quarter in terms of overt digital attacks and the financial market indices in over a decade.
– Quarter on quarter, mi2g says that the number of overt digital attacks doubled in 2002, with 21,814 attacks in Q3, 13,434 attacks in Q2 and just 6,937 attacks in Q1 of this year.

Dec 2002 Report

Page 3

Crimes 3

• A security hole in Tower Records' web site exposed customer data, including names, addresses and items purchased, for several hours last week.
– The flaw was in a script that placed customers' order numbers in a URL; by altering the numbers, others' data could be viewed.
– Credit card information was not exposed.
– Tower has changed their site so that customers must log in with a password and e-mail address before looking at their order information.

Dec 2002 Report

Page 4

Honeypot Example

Page 5

The Honeynet Project

• The Honeynet Project has published several examples of attacks on their systems.
• They illustrate the type of information that is gathered by a honeynet during an attack.
• Two examples are presented in the next set of slides:
– A Windows 98 hack
– A Solaris hack

Page 6

Windows 98 Target

• otto was a Windows 98 machine placed on the Honeynet Project's site in response to a huge increase in the number of NetBIOS scans the Honeynet was receiving, over 520 scans in one month.
– This honeypot was a default installation of Windows 98 with the C drive share enabled.

Page 7

The Initial Probe

• The hacker begins by probing the honeypot for its NetBIOS name.
– This confirms that the system is up and running the Windows operating system.
– This probe was sent against every single IP address in the Honeynet.

[Packet capture: probing the honeypot, UDP to port 137. The remote system is attempting to learn the name of the honeypot, in this case DIONYSYS; the honeypot sends a response.]

Page 8

Checking the C Drive

• Once the system has been confirmed as a Windows system, the hacker identifies whether or not the C: drive is shared (it is).

[Packet capture: the remote system GHUNT from the domain HSFOPROV queries the honeypot to see if the C drive share is enabled. The honeypot replies by granting access to C:.]

Page 9

The Attack 1

• The hacker now executes his attack.
– He begins by copying the configuration file dnetc.ini to the system. This configuration file is used by the binary dnetc.exe.

Page 10

The Attack 2

• The hacker then copies over the executable dnetc.exe.
– This file is a valid program, part of the distributed.net group. Users can participate in challenges by having their spare CPU cycles attempt to crack a challenge, in this case an encryption challenge.
– So, what is he trying to do?

Page 11

A Worm

• The next step seems to be a worm installing itself.
– This indicates that the hacker is not a person, but an automated worm that is probing the Internet on its own and self-replicating.
– The author of the worm is attempting to win the distributed.net challenge by having thousands of victims do its work for him.

Page 12

The Infection

• The worm now reconfigures the window.ini file, which will cause the worm to start once the system reboots.

Page 13

Summary

• The honeypot became the victim of an automated worm that randomly scans the Internet for vulnerable victims.

• Once exploited, the worm replicates itself, looking for more victims.

Page 14

Solaris Honeypot

• The Honeynet Project had an unpatched Solaris 2.6 system.
• On June 4, 2000 the Solaris honeypot was compromised with the rpc.ttdbserv vulnerability.
• Once compromised, a rootkit was installed.

Page 15

Attack Detected

• Snort detected the attack.
– Here is the alert entry in the log file.
– Snort is an excellent, free IDS system that works for either Unix or NT.
– You can find Snort at http://www.snort.org
• Notice the alert has the IDS entry IDS241.
– This number corresponds to Max Vision's ArachNIDs signature database.
– You can go to his website and query these signatures, based on the numbers (in this case, 241).
– You can find his website at http://www.whitehats.com/ids/index.html

Page 16

Attack Effects

• This exploit creates a root shell, allowing the hacker to execute commands as root.

[Session capture: the actual keystrokes used by the hacker. He connects to port 1524, saves the current password files, then adds two accounts to the system.]

Page 17

Taking Control 1

• Once the hacker created these two accounts, he telneted in and proceeded to take control of the system.

He creates a password for re

Becomes superuser under r

Creates a hidden directory

Copies a rootkit “sun2.tar” onto the system

Page 18

Taking Control 2

• He now installs the rootkit by untarring sun2.tar and running the setup program.

Page 19

The Rootkit

• These are the programs in his rootkit:

Page 20

Log Cleaning

• Here we see the script going through the log files and removing any entries caused by the black-hat.
• This "log-scrubbing" was extremely effective.
– The only evidence of the attack in the logs after this was the actual "rpc.ttdbserv" error in /var/log/messages, and a single entry in /var/log/sulog, which he forgot about.

Page 21

Securing

• This is rather unusual. Not only does this rootkit clear the log files, but it secured the system.
– Apparently, the black-hat doesn't want anyone else compromising their system.

Page 22

Trojan Installation

• The rootkit also installed trojan binaries.
• Binaries include:
– /usr/bin/login
– /usr/bin/ps
– /usr/bin/ls
– /usr/bin/netstat
• The attacker could re-enter the system using these trojans.
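A defender's check for the replaced binaries listed above, written for this deck as an added example (it is not code from the Honeynet Project or the slides): fingerprints are recorded from a clean system and compared later. The file tree and the "trojaned" changes are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

# The binaries the rootkit on the slide replaced.
TROJANED = ["usr/bin/login", "usr/bin/ps", "usr/bin/ls", "usr/bin/netstat"]

def fingerprint(path):
    """sha256, size and permission bits: a trojan usually changes at least one."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))

def baseline(root, paths):
    """Record fingerprints from a system known to be clean."""
    return {p: fingerprint(os.path.join(root, p)) for p in paths}

def verify(root, base):
    """Return the paths whose fingerprint no longer matches the baseline."""
    changed = []
    for p, expected in base.items():
        full = os.path.join(root, p)
        if not os.path.isfile(full) or fingerprint(full) != expected:
            changed.append(p)
    return sorted(changed)

def demo():
    """Constructed scenario: clean tree, baseline, then rootkit-style changes."""
    root = tempfile.mkdtemp()
    for p in TROJANED:
        full = os.path.join(root, p)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"original " + p.encode())
        os.chmod(full, 0o755)
    base = baseline(root, TROJANED)
    # Simulated trojan: ps swapped for a same-size replacement (a size check
    # alone would miss it), login given the setuid bit (a hash alone would miss it).
    with open(os.path.join(root, "usr/bin/ps"), "wb") as f:
        f.write(b"backdoor usr/bin/ps")
    os.chmod(os.path.join(root, "usr/bin/login"), 0o4755)
    return verify(root, base)
```

Because the trojaned ls and ps on the compromised host cannot be trusted, a check like this is only meaningful when run from known-good media against a baseline stored off the machine.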

Page 23

The Bot

• The last is the installation of an IRC (Internet Relay Chat) bot.

– IRC is the net's equivalent of CB radio. But unlike CB, Internet Relay Chat lets people all over the world participate in real-time conversations.

– Using an IRC client (program) you can exchange text messages interactively with other people all over the world

– Apparently, that was the whole purpose of this attack, to gain systems for IRC bots.

– IRC bots allow people to maintain control on IRC channels.

Page 24

IRC Chats

• Over a two week period the black-hats were monitored as they communicated over IRC.
– You can gain a better understanding of their motives and psychology by reviewing their conversations.
• Two main characters, D1ck and J4ne, discuss owning systems on the Internet.
– Their main motivation seems to be owning as many systems as possible for bots and DoS attacks.
– Later on, they looked for stolen credit cards.

Page 25

Chat Text 1

• Here we see D1ck and J4n3 setting up an exploit database so they can quickly share exploits to compromise systems.

Page 26

Chat Text 2

• Here we see a more criminal aspect of the black-hat community.
– They begin looking for stolen credit cards to be used to set up new accounts and possibly a new website.

Page 27

Introduction to Firewalls

Page 28

Concept

• In building construction, a firewall is designed to keep a fire from spreading from one part of the building to another.
• A network firewall, however, can be better compared to the moat of a medieval castle:
– It restricts people to entering at one carefully controlled point.
– It prevents attackers from getting close to other defenses.
– It restricts people to leaving at one carefully controlled point.
• Usually, a network firewall is installed at a point where the protected subnetwork is connected to a less trusted network.

Page 29

Firewall Capabilities

• What firewalls can do:
– A firewall is a focus for security decisions.
– A firewall can enforce a security policy, i.e. concerning access control.
– A firewall can log Internet activity efficiently.
– A firewall can limit exposure to security problems in one part of a network.
• What firewalls can not do:
– A firewall can't protect against malicious insiders.
– A firewall can't protect against connections that don't go through it.
• If, for example, there is a modem pool behind a firewall that provides PPP service to access a subnetwork, the firewall can not provide any protection against malicious traffic from dial-in users.
– A firewall can't protect against completely new threats.
– A firewall can't fully protect against viruses.
– A firewall can't set itself up correctly.

Page 30

Best Firewall

[Diagram: the protected network and the Internet, labelled "Poor Functionality"]

Page 31

Compromise Firewall

[Diagram: the protected network connected to the Internet through a firewall defined as follows]

    firewall (p: packet) {
        if (allow (p)) forward (p);
        else drop (p);
    }

Page 32

Firewall Components

• Bastion host – Dual homed. Connected to external and internal networks. Must be highly secure.
• Screening router – A router with some kind of packet filtering.
• Proxy server – A program that deals with external servers on behalf of internal clients. Also known as Application Level Gateway.

Page 33

Firewall Policy

• Default deny strategy: "Everything that is not explicitly permitted is denied"
– Examine the services the users of the protected network need.
– Consider the security implications of these services and how the services can be safely provided.
– Allow only those services that can be safely provided and for which there is a legitimate need.
– Deny any other service.
• Default permit strategy: "Everything that is not explicitly forbidden is permitted"
– Permit every service that is not considered dangerous.
– Example:
• Network file system (NFS) and X-Windows are not permitted across the firewall.
• Incoming telnet connections are only allowed to one specific host.

Page 34

What Should be Covered?

• Electronic mail: simple mail transfer protocol (SMTP)
• File exchange: file transfer protocol (FTP), network file system (NFS)
• Remote terminal access and command execution: telnet, rlogin, ssh
• Usenet news: network news transfer protocol (NNTP)
• World wide web: hypertext transfer protocol (HTTP)
• Information about people: finger
• Real-time conferencing services: CUseeMe, Netmeeting, Netscape conference, MBone tools, ...
• Name services: domain name service (DNS)
• Network management: simple network management protocol (SNMP)
• Time service: network time protocol (NTP)
• Window systems: X-Windows
• Printing systems: line printing protocols (LPR/LPD)

Page 35

IP Packet w/TCP

• The IP and Transport headers for a data packet:

IP header:
    Version | Length | TOS | Total Length (in bytes)
    Identification | 0 D M | Fragment Offset
    Time to Live | Protocol | Header Checksum
    Source IP Address
    Destination IP Address

TCP header:
    Source Port # | Destination Port #
    Sequence Number
    Acknowledgement Number
    Head Length | Reserved | U A P R S F | Receiver Window Size
    Checksum | Urgent Data Pointer

Payload

A firewall must examine parts of these headers.

Page 36

Important Fields

• IP:
– Source address
– Destination address
– Flags, especially the indication of an IP fragment
– Protocol type: TCP, UDP, ICMP, ...
• TCP:
– Source Port, Destination Port:
• Evaluation of source and destination ports allows one to determine (with a limited degree of confidence) the sending / receiving application, as most Internet services use well-known port numbers.
– Control:
• ACK: this bit is set in every segment but the very first one transmitted in a TCP connection; it therefore helps to identify connection requests.
• SYN: this bit is only set in the first two segments of a connection, so it can be used to identify connection confirmations.
• RST: if set, this bit indicates an ungraceful close of a connection; it can be used to shut peers up without returning helpful error messages.
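The packet-filter decision on these fields, as an added example written for this deck (not code from the slides): a default-deny filter in the spirit of the "Firewall Policy" slide, including its "incoming telnet only to one specific host" rule, that parses the IPv4 and TCP fields from the "IP Packet w/TCP" slide and applies the ACK test described above. The protected network 10.0.0.0/24, the telnet host 10.0.0.5 and the packets built for it are assumptions of the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Assumed topology (not from the slides): the protected subnetwork and the
# single host allowed to receive incoming telnet.
PROTECTED_NET = ipaddress.ip_network("10.0.0.0/24")
TELNET_HOST = ipaddress.ip_address("10.0.0.5")

ACK, SYN, RST = 0x10, 0x02, 0x04   # TCP control bits the filter looks at

@dataclass
class Header:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    frag_offset: int
    sport: int
    dport: int
    flags: int

def parse(pkt: bytes) -> Header:
    """Extract the IP and TCP fields a packet filter decides on."""
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length in bytes
    frag_word = struct.unpack("!H", pkt[6:8])[0]     # 3 flag bits + 13-bit offset
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] & 0x3F                     # U A P R S F
    return Header(src, dst, pkt[9], frag_word & 0x1FFF, sport, dport, flags)

def allow(h: Header) -> bool:
    """Default deny: only what is explicitly permitted gets through."""
    if h.frag_offset != 0:
        return False          # later fragments carry no TCP header to check
    if h.proto != 6:
        return False          # this example has rules for TCP only
    if h.src in PROTECTED_NET:
        return True           # outbound from the protected network
    if h.dport == 23:         # incoming telnet only to one specific host
        return h.dst == TELNET_HOST
    # Every other inbound segment must carry ACK: the first segment of a
    # connection never does, so connection requests from outside are refused.
    return bool(h.flags & ACK)

def firewall(pkt: bytes) -> str:
    return "forward" if allow(parse(pkt)) else "drop"

def build(src, dst, sport, dport, flags, frag_offset=0):
    """Constructed 40-byte IPv4+TCP header for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_offset, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp
```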