When Bad Things Happen to Computer Networks
A demonstration of how hackers break into systems, and what we can all do to reduce our risks
Mike O’Leary
School of Emerging Technologies, Towson University
Edward V. Badolato Distinguished Speaker Series, September 7, 2012
Mike O’Leary (Towson University) When Bad Things Happen... Badolato Speaker Series 1 / 81
Fall 2012 Badolato Presentation: When Bad Things Happen to Computer Networks
Dr. Mike O'Leary's presentation, "When Bad Things Happen to Computer Networks", presented on September 7, 2012 as part of the Badolato Distinguished Speaker Series.
Physical Attacks
Suppose you have physical access to a fully patched Windows 7 machine, but don’t have the password.
Can you log on?
Sure!
What happens when you press the blue and white button on the bottom left of a Windows logon screen?
What happens if you change that program?
Physical Attacks- Demo (screenshot slide)
Physical Attacks- Demo
Rather than boot to the hard drive, we will boot to a CD-ROM; say Backtrack 5.
BIOS passwords can prevent this, but physical access also lets me reset BIOS passwords, usually via jumper settings on the motherboard.
Physical Attacks- Demo (screenshot slides)
Physical Attacks- Others
The “Sticky Keys” feature can be attacked in the same fashion; the program is c:\Windows\System32\sethc.exe
To log in as a particular user (rather than as System), one can use a hex editor to modify c:\Windows\System32\msv1_0.dll. Changing two bytes in that file allows you to log on to any account without a password.
Kon-Boot. Boot to the CD, and let the tool do the work for you. The tool is picked up as a virus by many anti-virus tools, so careful downloading!
Bart’s PE
Physical Attacks- Countermeasures
Protect the physical device.
Encrypt important data.
Bitlocker: Windows 7 component, but requires Windows 7 Enterprise or Windows 7 Ultimate.
TrueCrypt: http://www.truecrypt.org/ Free software. Lets you encrypt a volume of files; the volume is treated as a separate hard drive in Windows. Encrypted volumes can take on any name, and can be nested.
Physical Attacks- Countermeasures Demo (screenshot slide)
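A detection check that complements the countermeasures above, written for this page and not part of the talk: the logon-screen swap described earlier leaves an accessibility helper whose bytes are identical to a shell, so hashing the helpers against cmd.exe exposes it. The sethc.exe name comes from the slides; utilman.exe (the Ease of Access button program), the powershell.exe comparison and the constructed sample directory are assumptions made for the example.

```python
import hashlib
import os
import tempfile

# Logon-screen helpers that run as SYSTEM before anyone authenticates.
# sethc.exe (Sticky Keys) is named on the slide; utilman.exe, the program
# behind the Ease of Access button, is added here as an assumption.
ACCESSIBILITY_TOOLS = ("sethc.exe", "utilman.exe")
SHELLS = ("cmd.exe", "powershell.exe")

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_swapped_tools(system32_dir, tools=ACCESSIBILITY_TOOLS, shells=SHELLS):
    """Return (swapped, missing): tools whose bytes equal a shell, and tools absent.
    The classic swap copies cmd.exe over sethc.exe, so the two files hash the
    same. A missing helper is reported rather than silently skipped, since a
    renamed-away original is itself a sign of tampering."""
    shell_hashes = {}
    for shell in shells:
        p = os.path.join(system32_dir, shell)
        if os.path.isfile(p):
            shell_hashes[sha256_of(p)] = shell
    swapped, missing = [], []
    for tool in tools:
        p = os.path.join(system32_dir, tool)
        if not os.path.isfile(p):
            missing.append(tool)
            continue
        digest = sha256_of(p)
        if digest in shell_hashes:
            swapped.append((tool, shell_hashes[digest]))
    return swapped, missing

def make_sample_system32(root=None):
    """Constructed stand-in for System32 in which sethc.exe was overwritten by cmd.exe."""
    root = root or os.path.join(tempfile.mkdtemp(), "System32")
    os.makedirs(root, exist_ok=True)
    files = {
        "cmd.exe": b"MZ constructed shell",
        "sethc.exe": b"MZ constructed shell",      # identical bytes: swapped
        "utilman.exe": b"MZ constructed utilman",  # untouched
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    print(find_swapped_tools(make_sample_system32()))
```

On a real host, point `find_swapped_tools` at the actual System32 directory; a hash match against a shell, or a missing helper, is worth an immediate look.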
Passwords
Why attack passwords? They give authenticated access, meaning that they will not trip intrusion detection systems.
How are passwords stored?
Plain text (disaster!)
Hashed (terrible!)
Salted & Hashed (Might be OK)
How can you attack a stored password?
Brute force attacks
Word lists
Rainbow tables
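The three storage options above, worked through in code added for this page (not from the talk): unsalted SHA1 gives every user with the same password the same digest, which is what makes word lists and rainbow tables pay off, while a per-user salt plus an iterated hash removes that sharing and slows each guess. The PBKDF2-HMAC-SHA256 construction, the iteration count and the two constructed users are assumptions of the example.

```python
import hashlib
import hmac
import os

# Two constructed users who happen to choose the same password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!"}

def unsalted_sha1(password):
    """'Hashed (terrible!)': the same password always yields the same digest,
    so one cracked hash unlocks every account sharing it, and a rainbow table
    built once works against every site that stores SHA1 this way."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=100_000):
    """'Salted & Hashed': a random per-user salt makes identical passwords
    hash differently, and the iteration count slows down each guess.
    Returns (salt, digest). PBKDF2-HMAC-SHA256 is assumed here."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)

def unsalted_collisions(users):
    """Map each unsalted digest shared by more than one account to those accounts."""
    seen = {}
    for name, pw in users.items():
        seen.setdefault(unsalted_sha1(pw), []).append(name)
    return {d: names for d, names in seen.items() if len(names) > 1}

def salted_digests_differ(users):
    """With per-user salts, stored digests of a shared password are all distinct."""
    digests = {salted_hash(pw)[1] for pw in users.values()}
    return len(digests) == len(users)

if __name__ == "__main__":
    print(unsalted_collisions(USERS))    # alice and bob share one SHA1 digest
    print(salted_digests_differ(USERS))  # True
    salt, digest = salted_hash("Summer2012!")
    print(verify("Summer2012!", salt, digest), verify("summer2012!", salt, digest))
```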
Passwords
The speed of a brute force attack depends on the underlying hashing algorithm.
A PC with a high end graphics card using an older algorithm (SHA1) can try roughly one billion password guesses per second.
Amazon’s cloud service would let a user try roughly 100,000 passwords on 400,000 accounts each day, for a cost of roughly $350 [1]
m3g9tr0n claims to have cracked 122 million passwords (MD5, SHA1) in five months [2]
Password Attacks
In 2009, RockYou.com was compromised, leading to the loss of 32 million passwords.
These passwords were in plain text. Attackers have used this as a starting point to generate word lists.
In 2010, Gawker lost 1.5 million unsalted hashed passwords.
On June 6, LinkedIn lost 6.46 million unsalted password hashes. LinkedIn has 160 million accounts. More than 90% of these hashes have been cracked.
On June 6, eHarmony lost 1.5 million unsalted password hashes.
On July 12, Yahoo! Voices lost 400,000 plain text passwords and email addresses.
On July 23, Gamigo (a German gaming company) lost 11 million hashed passwords. They also lost 8.2 million email addresses.
On August 10, Blizzard lost an unknown number of password hashes, including all of the accounts from their North American servers. The number of Blizzard accounts runs well into the millions, just in North America.
Password Attacks
Do you re-use your passwords?
Could an attacker guess your account name?
What would happen?
Ask Mat Honan. After an hour-long attack on August 3, he discovered that [3]
His Google account was taken over, then wiped.
His Twitter account was compromised and used to spread vitriol.
His AppleID account was hacked.
All of the data on his iPhone, iPad, and MacBook was wiped.
Password Attacks- Demo
We can perform a live attack on a password protected service by simply trying various combinations.
This is often noticeable to intrusion detection systems, but if it is spread across multiple attacker machines, it is difficult to stop.
In this first example, we attack a simple e-commerce site.
Password Attacks- Demo (screenshot slides)
Password Attacks- Demo
Looking at the source, we see that the request to log in is
A request made via SSL
Target page is http://shop.index.php
GET parameters include
main_page = login
action = process
zenid = 65dsqnj1qs9hn8h57ij6dkk22veopsul
POST parameters include
password, specified by the user
securityToken = d597db5e25bda24bb43c65307d9c21ca as a hidden field.
We build a corresponding request using Hydra.
We specify a list of user names (-L)
We specify a list of passwords (-P)
We specify what we expect to see in an error page (the text “Error”)
We specify the number of threads (-t)
We specify the timeout (-w)
We specify where we dump the results (-o)
We use verbose output (-vV)
Password Attacks- Demo (screenshot slide)
Password Attacks- Demo
These attacks can also be performed against domain controllers.
Suppose that the domain UNSEEN has the domain controller ephebe.unseen.disc.tu located at the address 192.168.1.30. We again use hydra:
The method is now smb
The address is specified as well
Other parameters are chosen as in the previous example.
Password Attacks- Demo (screenshot slide)
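The defender's side of the two demos above, as an example added for this page rather than code from the talk: the earlier slide says live guessing is "often noticeable", but becomes hard to stop once spread across machines, so the detector below applies two rules to login audit records, a burst of failures from one source and one account failing from many sources. The audit-line format, thresholds and the constructed log are assumptions; the same logic applies to failed domain logons from the SMB demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in the format this example assumes the shop writes:
# "<ISO time> login user=<name> ip=<addr> result=<OK|FAIL>".
SAMPLE_LOG = """\
2012-09-07T14:02:01 login user=alice ip=192.168.1.77 result=FAIL
2012-09-07T14:02:09 login user=alice ip=192.168.1.77 result=OK
2012-09-07T14:03:00 login user=admin ip=10.0.0.5 result=FAIL
2012-09-07T14:03:01 login user=admin ip=10.0.0.5 result=FAIL
2012-09-07T14:03:01 login user=bob ip=10.0.0.5 result=FAIL
2012-09-07T14:03:02 login user=bob ip=10.0.0.5 result=FAIL
2012-09-07T14:03:02 login user=carol ip=10.0.0.5 result=FAIL
2012-09-07T14:03:03 login user=carol ip=10.0.0.5 result=FAIL
2012-09-07T14:10:00 login user=admin ip=10.0.0.21 result=FAIL
2012-09-07T14:10:20 login user=admin ip=10.0.0.22 result=FAIL
2012-09-07T14:10:40 login user=admin ip=10.0.0.23 result=FAIL
2012-09-07T14:11:00 login user=admin ip=10.0.0.24 result=FAIL
"""
LINE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) result=(OK|FAIL)$")

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:  # malformed lines are skipped rather than crashing the detector
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4] == "OK"

def noisy_sources(events, window=timedelta(seconds=60), threshold=5):
    """Single-machine guessing: many failures from one IP inside the window."""
    fails = defaultdict(list)
    flagged = set()
    for ts, _, ip, ok in events:
        if ok:
            continue
        q = fails[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def sprayed_accounts(events, min_sources=3):
    """Distributed guessing: one account failing from many different IPs."""
    sources = defaultdict(set)
    for _, user, ip, ok in events:
        if not ok:
            sources[user].add(ip)
    return {u for u, ips in sources.items() if len(ips) >= min_sources}

def detect(log):
    events = list(parse(log))
    return sorted(noisy_sources(events)), sorted(sprayed_accounts(events))
```

Running `detect(SAMPLE_LOG)` flags 10.0.0.5 by the first rule and the admin account by the second; alice's single typo trips neither.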
Password Attacks- Countermeasures
Lots of folks have given you lots of advice on passwords:
Use an uncommon word
Include some capital letters
Make some substitutions- say replace an “a” with a “4”
Include a number
Include a symbol
Password Attacks- Countermeasures
Source: http://xkcd.com/936/
Password Attacks- Countermeasures
There is no substitute for length in your passwords. If you are using random symbols & characters, then at least 12 characters. If you use word(s), then double this.
Attackers already know the common tricks for making passwords more “complex”; they use wordlists and then permute them with all of these common tricks.
Use different passwords for different accounts. How can I manage different passwords?
Use PasswordSafe, a free program available at http://passwordsafe.sourceforge.net/
Password Attacks- Countermeasures (screenshot slides)
Application Attacks
Most computer attacks rely on software vulnerabilities. These are mistakes in a program that can be exploited to violate a security policy. When found, these are classified and given a common CVE name & number (http://cve.mitre.org)
Some vulnerabilities allow a third-party access to a system. Others allow a user a greater level of access to a system than intended (privilege escalation). Some vulnerabilities do not require user action. Vulnerabilities in the core operating system can be particularly problematic.
Microsoft patches are numbered by year and patch number.
MS08-067 (CVE 2008-4250)- Microsoft Server Service Vulnerability. Affects Windows 2000, 2003, XP.
MS03-026 (CVE 2003-0352)- Microsoft RPC DCOM. Affects Windows NT, 2000, 2003. Root cause of Blaster worm, Nachi worm.
Application Attacks
Attackers have turned their attention to application level attacks. These focus on
4/20/2012 | CVE 2008-5499 | Adobe Flash Player ActionScript Launch Command Execution Vulnerability | 10.0.12.36 (10/4/2008)
3/8/2012 | CVE 2012-0754 | Adobe Flash Player .mp4 ’cprt’ Overflow | 11.1.102.55 (11/11/2011)
Application Attacks
How does an application attack work? Let’s demonstrate an attack based on CVE 2012-1889, MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption.
This is a vulnerability in how Windows handles XML, and is of critical importance for Internet Explorer.
Code to exploit this vulnerability was publicly released on June 15 (via Metasploit); it is likely that this vulnerability was being exploited by others privately before this time.
Microsoft did not patch this vulnerability until they released MS12-043, on July 10.
Anyone using Internet Explorer prior to the release of the patch would have been vulnerable.
Application Attacks- Demo
The attacking machine will be using Backtrack 5 R3.
The victim machine will be a Windows 7 workstation, running Service Pack 1 (the latest), but not patched with MS12-043.
Application Attacks- Demo (screenshot slides)
Application Attacks
Another common attack target, especially lately, has been Java.
Application Attacks
We demonstrate the use of the July Java attack (CVE 2012-1723, Java Applet Field Bytecode Verifier Cache Remote Code Execution) on a system.
The target will be a Windows 7 machine, but this time it will not be patched up to Service Pack 1.
After compromising the target, we will use CVE 2010-3338 (MS10-092 Windows Escalate Task Scheduler XML Privilege Escalation), which is one of the vulnerabilities exploited by Stuxnet.
This will allow us to gain full control over the system at the SYSTEM level.
We will grab the password hashes and crack them.
We will add a new administrator to the system (us!)
We will ensure that the system connects back to us, even if the system is subsequently rebooted.
Application Attacks- Demo (screenshot slides)
Application Attacks- Countermeasures
Be sure all of your software is up to date. Pay special attention to:
Don’t install software if you do not need it! The attacks on IE succeeded in part because we leveraged the existing Java install!
Application Attacks- Countermeasures
The final attack succeeded because the user:
Clicked on a malicious link
Was running an outdated version of Java
Was running an unpatched version of Windows
This attack required multiple failures in multiple places!
Don’t be fearful that your security posture is imperfect; instead make it difficult for an attacker to exploit you by being aware and responsive to the threats.