Lecture slides (transcript). Examiner: Jingsen Chen. Lab instructor: Rumen Kyusakov, office A2316.
D0004E
Datorsäkerhet och drift
Computer System Security and Management
Introduction
Administrative details
Course page: http://www.sm.luth.se/csee/courses/d0004e/ (including link to on-line schedule)
Course credits:
- Written exam (3 hp)
- Laboratory work (4,5 hp)
Course Syllabus
Course Aim
After completing the course the student should be able to
• demonstrate knowledge of proven experiences and principles of security within computer systems and computer communication
• demonstrate abilities (based on limited information) to critically, independently, and creatively identify, formulate, and handle security vulnerabilities
• demonstrate abilities to apply and critically evaluate different strategies and techniques used in computer and communication security
• demonstrate abilities to perform basic security risk analyses, with respect to security policy, and analyze implications on users and protected assets
• demonstrate abilities to plan and execute basic tasks of installing an operating system and maintaining its integrity and security
• show practical skills in independently solving system administration problems and performing common system administration tasks
• demonstrate abilities to judge scientific, societal and ethical aspects of system administration and security
Main textbook
Dieter Gollmann, Computer Security. John Wiley and Sons Ltd; latest edition. ISBN: 9780470741153.
Additional reading
Evi Nemeth, Garth Snyder, Trent R. Hein, Ben Whaley, Unix and Linux System Administration Handbook. Prentice Hall; 4th edition. ISBN: 9780131480056.
Course evaluation (2012)
Comments to Course evaluation
The course has a focus on laboratory work. Some lectures are needed for the labs; others broaden the area.
Changes 2013
Not one single lecturer through the whole course
Course outline
Updates on course webpage http://www.sm.luth.se/csee/courses/d0004e/
Lectures (first two weeks):
Today: System administration (Andreas Nilsson)
6/9 Unix security (Rumen Kyusakov)
9/9 Introduction to IT/Information security (Dan Harnesk)
Laboratory work:
5/9 Lab intro (Rumen Kyusakov)
Later: Windows security, Authentication/access control, Database security, Cryptography, Communication security, Hacking session… Visit at LTU IT Service
What does System Administrator do?
The system administrator
• ”You are there for the user”
• ”You are best when your services are invisible for the users – everything should just work.”
• “All transitions should be seamless for the user”
In large systems:
• “Your work hours are for free – compared to the work hours of all users.”
• “Take advantage of the hints multiple clients give”
• ”Your goal when working is to make yourself obsolete – think ahead, and solve problems that are repeating – once and for all.”
One computer many computers
One computer
• Making the setup simple is unnecessary – you will learn it.
• You will get the optimal configuration.
• If the computer misbehaves it might be hard to find the error.
• New version of the software – no problem, you will learn.
• If the computer has to be reinstalled – the entire procedure has to be redone.
Many computers
• Use a lot of time on the setup – otherwise you will have to teach all the others; the helpdesk will be familiar with all systems.
• You will have to really learn how the users want their setup.
• The optimal setting that fits everybody does not exist.
• The fact that you can see if it is a common problem might help you if computers start to misbehave.
• New version of software – is it really necessary? Compatibility, learning, bugs…
• If the computer has to be reinstalled – it is easy to get a fresh start again.
Two philosophies regarding setup
Simple (for the user it is just to sit down and start to use)
+ Saves time for the user.
- Users do not have to learn all features in their system.
- The environment is not the optimal one for them.
Torgny way (the setup is so hopeless that the users are forced to learn how to tweak before they can use it)
+ The users will learn.
- Does not save time for the users initially.
- As a sysadmin, you will not get many friends the first time – BOFH.
Different ways to install
• Manual installation
• Scripted installation
• Cloning
• Distributed installation, with a shared set of software
Or a combination of all of the above
Windows vs Linux
• UNIX – “heavy” servers, not for users
• Traditionally UNIX is nothing for sissies
• When an application is installed and it starts, you are done.
• When it is good enough for “root”, you are done
• Windows – mostly clients, directly for users
• Windows is for users, not only for enthusiasts
• When the application is installed your work has just begun
• When the setup is so simple that you will not get any questions from the users, you are done.
Reinstallation
• Easy for the system administrator, the answer to all questions: “Let us try to reinstall the system”
Installation of a computer should be easy, reinstallation hard.
Users
Beware:
• Users can do anything and have – if you check the logs
• Users have not done anything – if you ask them
• Users never know the meaning of the word “backup”
• Users can never verify that a backup is up to date
• There is a reason why phishing is used
• Do or Don’t is impossible to tell apart in the context of “Don’t click on links in mail messages”
• If the user with computer problems at work does not know the difference between the “desktop” and the table on which the monitor is placed – use the Adidas (go there in person)
• If the user, with computer problems at home, does not know the difference between the “mouse” and the four-legged cheese eaters, ask the user to hand over the phone to the son or daughter aged 5 or above.
Case #1
User 1 calls support – network down – technician 1 fails to reinstall
User 2 calls support – network down – technician 2 fails to reinstall
User 3 calls support – network down – technician 3 fails to reinstall
Users 4-20 call support – network down – support declares a MAJOR problem and hits the panic button.
Computers are carried to the support center, which has network, in order to reinstall them.
Everybody is running around like chickens.
The fault: a network technician was working with the uplink to the switch serving that hallway.
The consequence: 5 reinstalled computers… because the network was gone.
Case #1 - Lesson
All users were neighbors, connected to the same switch. Knowledge regarding the physical world is necessary.
One user making a complaint might indicate client failure. Two or more making the same complaint at the same time is rarely client failure – look for common factors.
Case #2
User 1 complains – backup non-functional, not all files in backup
Users 2-40 complain – different problems with backup
User 1 complains – login takes too long, after power failure…
Support: let us reinstall. Are you running the backup system?
User 1: Yes
Support: Important data?
User 1: Yes
The computer was reinstalled, data from backup was transferred back.
User 1: Almost everything is missing
Windows recovery was attempted – no result
HDD was sent to IBAS – no result, nothing recovered
Case #2 - Lesson
A backup software which fails for one user must be considered a severe failure.
Support can never trust a user that states he/she is running backup – a user can never say whether the backup is OK or not.
Reinstall – the last resort
Clone – before reinstall
If it fails – stop trying, hand it to the pros
• Few and large computers, generally not connected to each other.
• Threats:
    • Physical access – spy on technology.
    • Information theft
    • Access control
• Countermeasures:
    • Locks and thick walls
    • Encryption
    • Access control lists
History 1980’s
The era of personal computers
Small computers, but in business they started to be connected into networks
Now user control in levels had to be used
The networks were slow phone modems, so no real Internet
Worms and viruses were introduced – as well as antivirus software
Internet – was email, FTP, telnet and gopher
SCA – 1987, the first virus for the Commodore Amiga platform:
“Something wonderful has happened. Your AMIGA is alive !!! and, even better... Some of your disks are infected by a VIRUS !!! Another masterpiece of The Mega-Mighty SCA !!”
History 1990 – Internet was born
WWW – 1991
Mosaic – 1993
Java
Denial-of-service attacks
Firewalls were introduced
IDS – Intrusion detection systems
Now: you should not send anything on the network that you do not accept seeing in the tabloids on the way home.
History 2000
Everything is on the web: refrigerators, phones, wall outlets, water pumps, power plants (Stuxnet) – Trudy can cause real damage, and hardware is hard to maintain. Trudy can be a state/organization.
Everything is to be found on the internet: “truth”, banking, airplane tickets, merchants, drugs – Trudy has motivation.
One password, username on each site…
Development/Progress?
Services to be closed in Windows XP
1. Messenger service
2. Remote registry service
3. Computer browser service
4. The server service
5. SSDP Discovery service
6. IIS Services (FTP Publishing, IIS Admin, NNTP, SMTP, WWW publishing)
7. SNMP service
Services to be closed in Windows 7
1. Application Experience
2. Computer Browser
3. Desktop Window Manager Session Manager
4. Diagnostic Policy Service
5. Distributed Link Tracking Client
6. IP Helper
7. Offline Files
8. Portable Device Enumerator Service
9. Print Spooler
10. Protected Storage
11. Remote Registry
12. Secondary Logon
13. Security Center
14. Server
15. Tablet PC Input Service
16. TCP/IP NetBIOS Helper
17. Themes
18. Windows Error Reporting Service
19. Windows Media Center Service Launcher
20. Windows Search
21. Windows Time
Meet “Trudy”
• Trudy is the name of a fictive adversary for security people. Trudy is short for “Intruder”.
• The good people are often called “Alice” and “Bob”
• Virus – malware that can replicate itself and insert copies into parts of the computer (software, files, hard drive sectors…)
• Ransomware – (Scareware) encrypts part of the computer and the user has to pay a ransom in order to get control of the data again.
• Worms – mass-spreading virus
• Trojan horses – appear to be something but are something else
• Hack tools/remote access/rootkit – want information or resources
• Keyloggers – want information, credentials
• Dialers – modem hijackers
• Adware – web monitoring, web advertising
• Hoax – not a virus, but the behavior of users may become like a virus
• Joke programs – disturb the behavior
• Spyware – passwords, resources or behavior
• Trackware – log behavior and relay to a third party
• (Malicious) BHO – Browser ”helper” object
The computer administrator’s worst nightmare is not Trudy – meet the user
The ideal user knows:
• Critical thinking
• Things on the Internet that are too good to be true – are
• To be aware of phishing, social engineering, ”Nigeria letters” etc.
• To have no special interests that are more appealing than others.
• To be extremely strict when using the net
Man in the middle (SSL)
Where to do the attack?
Assume a credit card money transfer
Exploit
• Trudy takes advantage of a bug/glitch or vulnerability to cause unintended behavior to occur.
Vulnerabilities
• Physical environment around the system
• The staff
• Management of the system
• Administrative procedures and organization measures
• Service delivery
• Hardware
• Software
• Communication equipment
and combinations of all of the above.
Buffer overrun
• Was first understood and published in 1972
• Most likely to occur in systems based on C or C++, which have no built-in protection against accessing any part of memory.
Example:
    char A[6];
    unsigned short B = 1972;
    strcpy(A, "Andreas");   /* 7 characters plus the terminating NUL do not fit in 6 bytes */

Memory layout (A directly followed by B) before the strcpy:
    Byte:   A[0] A[1] A[2] A[3] A[4] A[5]   B
    Value:  [Null string]                    1972
    Hex:    00   00   00   00   00   00      07 B4

After strcpy(A, "Andreas") – the 's' has spilled over into B:
    Value:  'A'  'n'  'd'  'r'  'e'  'a'     29620
    Hex:    41   6E   64   72   65   61      73 B4
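As an added example (not from the slides), a bounds-checked copy using the slide's layout, a 6-byte A directly followed by B: the struct, copy_bounded and the helper functions are constructed here. With the length check "Andreas" is truncated and B keeps its value, where strcpy would have overwritten it.

```c
#include <string.h>

/* The slide's layout: a 6-byte name buffer immediately followed by a 2-byte
 * value. Constructed example; a real compiler may pad between the fields. */
struct record {
    char A[6];
    unsigned short B;
};

/* Bounded copy: at most dstsz-1 characters plus a terminating NUL.
 * Returns 1 if src fitted completely, 0 if it had to be truncated.
 * strcpy() performs no such check, which is how "Andreas" (7 characters
 * plus NUL) runs out of A[6] and into B on the slide. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Stores name into a record with the bounded copy and returns B, which
 * must still be 1972 whatever the length of name. */
unsigned short store_name(const char *name)
{
    struct record r = { "", 1972 };
    copy_bounded(r.A, sizeof r.A, name);
    return r.B;
}

/* 1 if name fits in the record's A field without truncation, else 0. */
int name_fits(const char *name)
{
    struct record r = { "", 1972 };
    return copy_bounded(r.A, sizeof r.A, name);
}

/* Length of what actually landed in A after the bounded copy. */
size_t stored_length(const char *name)
{
    struct record r = { "", 1972 };
    copy_bounded(r.A, sizeof r.A, name);
    return strlen(r.A);
}
```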
Denial-of-service (DoS)
Goal: to prevent the system from providing its ordinary service
• Trudy can ask for 10 G connections/s and Bob’s server can only serve 1000 connections/s. Alice, who wants 1 connection, is denied service from Bob’s server.
• “Ping of Death” was the classic
• Nowadays Trudy most likely has to use an exploit in order to succeed.
Distributed Denial-of-service (DDoS)
• Trudy has access to several BOTs or Smurfs that are each instructed to open/make connections/requests/files.
• Bob’s server/net is not powerful enough to handle all requests and can’t serve Alice
Privilege elevation
• Trudy has gained some access to the system, then exploits an additional bug to gain more privileges.
• In Windows – go from Local User to Administrator (UAC, User Account Control)
• In Unix – go from user to “root”
• “Elevation” is also used if Trudy has access but can change user to Bob, who has the same privilege level (but perhaps another bank account...)
Limit the Attack Surface
• Close open ports
• Close services
• Location of remote access
• Firewalls
• Updates
• User credentials
• Password
Security by obscurity
SSH port is 22. Let’s put SSH on port 28.
Trudy can not scan 130.240.x.y:22 in order to find SSH servers; Trudy has to scan all ports on all servers.
This is debated as a real security measure.
The level below
Physical access:
• Recovery tools – read directly from the HDD, mainly physical access
• Unix devices – if there is a flaw in permissions, you might use Unix devices to read files of your choice.
• Object reuse (release of memory) – read allocated memory before it is written in that part of the memory.
• Buffer overrun – write long input so that some part of the “string” becomes software
• Backup – backup is good, but who has access to the backup, and the old media?
• Core dump – cause the software to crash, read what’s in the dump, and be lucky.
Passwords – how to crack
Tools
• Brute force – test everything, starting with A, AA, AB, AC and so on
• Dictionary attack – test acai, acaizeiro, aight, agame, ... (http://nws.merriam-webster.com/opendictionary/newword_display_alpha.php)
• Find them in cache, memory, etc.
• Fool the user
Passwords – how to create
1. Change all default passwords immediately! The password of the admin user must not be “admin”
2. Never use empty passwords, not even behind a firewall
3. The longer the password, the better (for safety)
4. Avoid obvious passwords that can be looked up in a dictionary
5. Mix upper and lower case: the bigger the character space, the better. Upper case only => |26|^8 = 208 827 064 576 combinations

1. Password checker (make sure the password is longer than X characters, with upper and lower case and digits; a simple dictionary attack is run on the password)
2. Password generated at random and checked, and then the user has to learn the password.
3. Password ageing – the password is valid for X days, then the user has to change it. The last Y passwords are remembered.
4. Limit login attempts
The ultimate safety for an office clerk?
• The password length is 20 characters
• Upper case, lower case and digits have to be mixed
• The password has to be changed every week
• A dictionary attack is run on every password change
• The system remembers 10 old passwords, but only authenticates on the last.
Ultimate? No
• The passwords which will be common will look like:
    “passwordDEC13”
    ”Qazxswedcvfr01”
    ”Qwertyuio45”
  and are hence easy to guess for Trudy
• The password will be found under the keyboard or on the screen.
• The system administrators will have to change the passwords for users all the time.
• A lot of users will just be irritated with the system administrators and change the password 10 times so that they can use their favorite password.
• How are the 10 last passwords stored?
Single Sign on – or one system one password?
Single sign on
• E.g. Kerberos: authenticate to one server and then the server authenticates you towards other systems.
+ Users remember the password
+ If Kerberos is safe – the authentication is safe even if a system is compromised.
- If the password is out – Trudy has access to all systems!
One system one password
+ If one password is out, only that system is compromised.... or
- Users have trouble remembering rarely used passwords
- Users tend to have a similar “pattern” to generate passwords for the different systems, or choose simple passwords.
Phishing, Spoofing, Social Engineering
Social Engineering
• Spoofing – example: make a program look like a login screen and fool the user into logging in, in order to harvest the username and password combination. ssh ssh.lut.se
• Phishing – example: send a mail stating that you are Swedbank Nordea AB and that you want user credentials to retrieve some money back.
• Engineering – Trudy has to figure out who to fool to get what Trudy wants. Perhaps call, state you are working for Windows Update and ask the user to log in to a particular web page and install some updates from there.... Or Trudy states that Trudy is the system administrator needing the password to....
Password Storage
• If the server operating system provides password access protection that is safe, it is possible to store the passwords in plain text.
• If password access is not protected, encryption is necessary.
• Most common is a combination of the operating system providing access protection to an encrypted database.
• Preferably as a one-way crypto: PaSSWord => 0ySWf5Pc, but 0ySWf5Pc can not be decrypted to PaSSWord
Compare: 6637639 mod 100 = 39, but 39 * 100 != 6637639
Early YP (unix)
/etc/passwd  -rw-r--r--  user root, group root
    user1:Xop0FYH9:UID:GID:/home/user2::::
    user2:agUDsm1J:UID:GID:/home/user1::::
Offline password attack:
1. Encrypt “Password” to “agUDsm1J”
2. Check if “agUDsm1J” exists in /etc/passwd
One password computation checks the passwords of many users.
YP (later approach, shadow and salt added)
/etc/passwd  -rw-r--r--  user root, group root
    user1:*:UID:GID:/home/user2::::
    user2:*:UID:GID:/home/user1::::
/etc/shadow  -rw-r-----  user root, group shadow
    #username:[SALT][PasswordHash]:UID:GID:/home/user2::::
    user1:H1Xop0FYH9:UID:GID:/home/user2::::
    user2:jTagUDsm1J:UID:GID:/home/user1::::
Offline password attack:
1. Privilege escalation to root is required
2. Encrypt “Password” using the SALT from user1, giving “BhFurs1J”
3. Check if user1 has the “H1BhFurs1J” password in /etc/shadow
Each password has to be checked for every individual user.
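As an added example (not from the slides) of why the salt matters for the defender: with one shared (empty) salt a single hash computation can be compared against every user's entry, whereas per-user salts force one computation per user. toy_hash, the three constructed users and their salts are assumptions made here; the hash is a stand-in for illustration, not a real password hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NUSERS 3

/* Stand-in for the one-way function: FNV-1a over salt||password, printed as
 * 16 hex digits. Constructed for illustration only; not a real password hash. */
static void toy_hash(const char *salt, const char *pw, char out[17])
{
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { salt, pw };
    for (int i = 0; i < 2; i++)
        for (const char *p = parts[i]; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 1099511628211ULL;
        }
    snprintf(out, 17, "%016llx", (unsigned long long)h);
}
/* One shadow-style record (salt, stored hash) and the outcome of a check. */
struct entry { const char *salt; char hash[17]; };
struct result { int work; int matches; };
/* Constructed password file: three users, two using "Password"; salted == 0
 * models the early YP file, where no salt was used. */
static void build_file(struct entry *u, int salted)
{
    static const char *pws[NUSERS]   = { "Password", "Password", "letmein" };
    static const char *salts[NUSERS] = { "H1", "jT", "Qz" };
    for (int i = 0; i < NUSERS; i++) {
        u[i].salt = salted ? salts[i] : "";
        toy_hash(u[i].salt, pws[i], u[i].hash);
    }
}

/* Tests ONE candidate password against the whole file. work counts the hash
 * computations needed, matches the entries the candidate unlocked. The hash
 * is recomputed only when the salt changes: unsalted costs one computation
 * for all users, salted one per user. */
static struct result check_candidate(const struct entry *u, const char *cand)
{
    struct result r = { 0, 0 };
    char h[17] = "";
    const char *cur_salt = NULL;
    for (int i = 0; i < NUSERS; i++) {
        if (cur_salt == NULL || strcmp(cur_salt, u[i].salt) != 0) {
            toy_hash(u[i].salt, cand, h);
            cur_salt = u[i].salt;
            r.work++;
        }
        if (strcmp(h, u[i].hash) == 0)
            r.matches++;
    }
    return r;
}

/* Cost of testing "Password" against the unsalted (0) or salted (1) file. */
struct result check_file(int salted)
{
    struct entry u[NUSERS];
    build_file(u, salted);
    return check_candidate(u, "Password");
}
```

Both files give the same two matches; the salted one simply costs three hash computations instead of one, and that factor grows with the number of users.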
How can Authentication be done
What you know – the password
Something you hold – a key
Who you are – biometrics
Who you are – motion, keystroke phase, habits
Where you are – location