Security test and implementation of terminal computer
December 7, 2011
Authors: Armandas Rokas, Andrius Sinkevicius, Edvinas Butenas
Jan 14, 2015
Overview
• Background story
• Break-in attacks
• Risk determination and security control recommendations for break-in attacks
• Network attacks
• Risk determination and security control recommendations for network attacks
• Security solutions
• Questions?
Background story
• XpUnlimited.LT company
• Its software works on all earlier Windows OSs
• Task: test the security of the terminal server
• Build it fully protected, including network security
Network diagram
System characterization
Hardware: Acer, Intel i3, 4 GB RAM, GT320 1 GB video
Software: Windows 7 Ultimate SP1 32-bit / Windows XP SP3 with XPUnlimited
Data: Pictures, sensitive documents
System characterization
System interfaces: SATA2, USB, 802.11b/g/n, HDMI, VGA, Ethernet
Users: Administrator, Remote Users
Services running: Printer, Web Server (IP Consult HTTP server), Remote Desktop, internal database for ERP
Control analysis
• OS security policies
• Local access policies
• System backup
• Firewall policies
Break-in attacks
Exploit (infection with a key logger)
• Exploited by executing a file carrying the payload on the victim's machine
• Meterpreter command line used to run the key logger
• Key logging scope: on Windows 7 only the affected (compromised) user's session is captured; on Windows XP all users are captured
Mail infection
External attack: the attack was made from BackTrack 5 to infect the terminal thin-client server running Windows 7.
The exploit gives access to the victim's computer once the victim opens the infected message in their mailbox.
Example
Some details
• reverse_tcp payload: the attacker's handler listens on local port 4444 (Metasploit's default handler port, not a vulnerable port on the target) and waits for the victim to open the message.
• When the victim opens the message, the payload runs and connects back from the victim's machine to the handler; a Meterpreter session then opens on the attacker's side.
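The reverse_tcp connection above is started from inside the network by the victim machine. That is what lets it pass inbound firewalls, and also what makes it visible in the terminal server's own outbound firewall log. The following script is an added example, not part of the original presentation or of XPUnlimited's software: it parses log lines in the layout of the Windows Firewall pfirewall.log file, keeps only outbound (SEND) TCP flows, and reports every destination port outside an egress allow-list. The log lines, the hosts, the allow-list of ports and the attacker address 203.0.113.7 are constructed for the example.

```python
"""Spot a reverse-connect callback (such as Metasploit's reverse_tcp) in the
terminal server's outbound firewall log. Log lines use the layout of the
Windows Firewall pfirewall.log file; the entries, hosts and the egress
allow-list below are constructed for this example, not taken from the test."""
from collections import defaultdict

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size tcpflags "
          "tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Outbound ports the terminal server legitimately needs (assumption for the example).
EGRESS_ALLOW = {25, 53, 80, 443}

# Constructed log: 192.168.1.20 is the terminal server, 203.0.113.7 the attacker.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-12-07 14:01:55 ALLOW TCP 192.168.1.20 192.168.1.1 49198 53 0 - 0 0 0 - - - SEND
2011-12-07 14:02:03 ALLOW TCP 192.168.1.20 198.51.100.10 49199 443 0 - 0 0 0 - - - SEND
2011-12-07 14:02:11 ALLOW TCP 192.168.1.20 203.0.113.7 49201 4444 0 - 0 0 0 - - - SEND
2011-12-07 14:02:40 ALLOW TCP 192.168.1.20 203.0.113.7 49205 4444 0 - 0 0 0 - - - SEND
2011-12-07 14:03:02 ALLOW TCP 192.168.1.1 192.168.1.20 51000 3389 0 - 0 0 0 - - - RECEIVE
2011-12-07 14:03:10 DROP TCP 192.168.1.20 203.0.113.7 49210 4444 52 S 1234 0 8192 - - - SEND
"""


def parse_log(text):
    """Yield one dict per data line; header lines start with '#'."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed line: skip, do not crash the monitor
        rec = dict(zip(FIELDS, parts))
        rec["src-port"] = int(rec["src-port"])
        rec["dst-port"] = int(rec["dst-port"])
        yield rec


def suspicious_egress(text, allow=EGRESS_ALLOW):
    """Map (dst-ip, dst-port) -> list of 'date time action' for outbound TCP
    flows whose destination port is outside the allow-list. DROP entries are
    kept on purpose: once egress filtering is tightened, the implant is still
    visible through its blocked retries."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        if rec["dst-port"] in allow:
            continue
        key = (rec["dst-ip"], rec["dst-port"])
        hits[key].append(f'{rec["date"]} {rec["time"]} {rec["action"]}')
    return dict(hits)


def report(text, allow=EGRESS_ALLOW):
    """Human-readable summary, one line per suspicious destination."""
    lines = []
    for (ip, port), seen in sorted(suspicious_egress(text, allow).items()):
        note = " (Metasploit's default handler port)" if port == 4444 else ""
        lines.append(f"{ip}:{port}{note} contacted {len(seen)}x, first {seen[0]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The same logic applies to any flow log (router NetFlow, a Snort connection log); the point is the direction: a terminal server has no business opening TCP sessions to arbitrary Internet ports, so a short egress allow-list turns the reverse connection from invisible into the loudest line in the log.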
Human Threats
Threat-Source     | Motivation                            | Threat Action
Computer Criminal | Monetary gain (e.g. credit card info) | Computer crime, fraudulent act
Hacker, Cracker   | Challenge, ego                        | Hacking, social engineering, system intrusion, unauthorized system access
User              | Negligence, carelessness              | Spill fluids on system, drop system
Vulnerability Identification
Vulnerability                | Threat-Source                             | Threat Action
Outdated Software            | Hacker, Cracker, Computer Criminal        | System file loss, unauthorized system access
Misconfigured System         | Users, Computer Criminal, Hacker, Cracker | System file loss, system failure
Absence Of Security Software | Hacker, Cracker, Computer Criminal        | System file loss, system failure
Likelihood Determination
Threat-Source                      | Vulnerability                | Likelihood
Hacker, Cracker, Computer Criminal | Outdated Software            | Medium
Users, Computer Criminal           | Misconfigured System         | Medium
Hacker, Cracker, Computer Criminal | Absence Of Security Software | High
Impact Analysis
Threat-Source     | Loss of Integrity | Loss of Availability | Loss of Confidentiality
Hacker, Cracker   | None              | High                 | High
Computer Criminal | None              | High                 | High
Users             | Low               | Low                  | Low
Likelihood, Impact Analysis & Risk
Vulnerability                | Threat-Source                             | Likelihood | Impact | Risk
Outdated Software            | Hacker, Cracker, Computer Criminal        | Medium     | Medium | Medium
Misconfigured System         | Users, Computer Criminal, Hacker, Cracker | High       | High   | High
Absence Of Security Software | Hacker, Cracker, Computer Criminal        | High       | Medium | Medium
Control Recommendations
Risk                         | Risk Level | Recommended Controls       | Activity Priority
Outdated Software            | Medium     | Regularly update software  | Medium
Misconfigured System         | High       | Hire qualified specialists | High
Absence Of Security Software | Medium     | Install licensed IPS & IDS | Medium
Network attacks
ARP - Man-in-the-middle attack
After breaking into the victim PC with the Metasploit exploit, the next step was to do more harm from inside the network.
ARP has no authentication, so an attacker can poison the ARP caches of the victim and the router and stay unnoticed while doing damage.
By sending forged ARP requests and replies (ARP spoofing), a MITM ("Man In The Middle") position is established.
From then on, all traffic between the router and the chosen victim computer flows through the attacker's machine.
That traffic includes logins, e-mails and other sensitive information.
The victim is fully compromised and needs both to recover from this situation and to prevent it from happening again.
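The ARP poisoning described above leaves two traces that a monitoring host on the same segment can see: the MAC address answering for the router's IP changes, and one MAC address starts answering for several IPs at once (the router and the victim). The script below is an added example, not from the original presentation or from the Ettercap project: it walks a list of observed ARP replies and raises an alert on both conditions. The trusted router binding, all MAC addresses and the reply list are constructed for the example; a real deployment would feed them from a packet capture or from arpwatch-style logs.

```python
"""Detect ARP cache poisoning of the kind Ettercap performs. The attacker
answers for the router's IP (and the victim's) with its own MAC, so the
IP -> MAC binding seen on the wire changes and one MAC ends up claiming
several IPs. All addresses and the reply list are constructed for this example."""
from collections import defaultdict

# The router's real MAC, known to the operator (assumption for the example).
TRUSTED = {"192.168.1.1": "00:1a:2b:3c:4d:5e"}

# Observed ARP replies: (seconds, sender_ip, sender_mac, target_ip), as a
# capture tool would report them. 00:0c:29:de:ad:01 plays the attacker.
CAPTURE = [
    (0.0, "192.168.1.1",  "00:1a:2b:3c:4d:5e", "192.168.1.20"),  # router answers the server
    (0.5, "192.168.1.20", "08:00:27:aa:bb:cc", "192.168.1.1"),   # terminal server answers router
    (5.0, "192.168.1.1",  "00:0c:29:de:ad:01", "192.168.1.20"),  # attacker claims the router IP
    (5.0, "192.168.1.20", "00:0c:29:de:ad:01", "192.168.1.1"),   # attacker claims the server IP
    (6.0, "192.168.1.1",  "00:0c:29:de:ad:01", "192.168.1.20"),  # periodic re-poison
    (7.0, "192.168.1.30", "08:00:27:11:22:33", "192.168.1.1"),   # unrelated host, benign
]


def detect_arp_spoof(capture, trusted=TRUSTED):
    """Return alerts in capture order. Two checks:
    - a sender IP whose MAC differs from the one seen (or trusted) before;
      trusted bindings are never overwritten, so every conflicting reply alerts;
    - a MAC that claims a second IP address (gateway + victim at once)."""
    alerts = []
    learned = {}                       # ip -> mac learned from the wire
    claims = defaultdict(set)          # mac -> ips it has answered for
    for t, sip, smac, tip in capture:
        if sip in trusted:
            if smac != trusted[sip]:
                alerts.append((t, "TRUSTED_BINDING_CHANGED", sip, trusted[sip], smac))
        else:
            prev = learned.get(sip)
            if prev is not None and prev != smac:
                alerts.append((t, "BINDING_CHANGED", sip, prev, smac))
            learned[sip] = smac
        if claims[smac] and sip not in claims[smac]:
            alerts.append((t, "MAC_CLAIMS_MULTIPLE_IPS", smac, sorted(claims[smac] | {sip})))
        claims[smac].add(sip)
    return alerts


def suspect_macs(alerts):
    """MACs implicated by any alert: the new MAC in a binding change, or the
    MAC that claims several IPs."""
    macs = set()
    for a in alerts:
        macs.add(a[4] if a[1] in ("TRUSTED_BINDING_CHANGED", "BINDING_CHANGED") else a[2])
    return macs


if __name__ == "__main__":
    found = detect_arp_spoof(CAPTURE)
    for a in found:
        print(a)
    print("suspect MACs:", suspect_macs(found))
```

Ettercap re-sends its poison replies periodically, which is why the trusted-binding check deliberately alerts on every conflicting reply rather than only the first: the repeats confirm an active attacker rather than a one-off misconfigured host. On the terminal server itself, a static ARP entry for the router is the cheap mitigation; on a managed switch, dynamic ARP inspection stops the forged replies before they reach the victim.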
• Used tools: BackTrack 5 network penetration OS with the Ettercap tool for the man-in-the-middle attack.
DoS attack
• Goal: Make the terminal server unavailable to its intended users.
TS before DoS attack
TS after DoS attack
Human Threats
Threat-Source     | Motivation                                           | Threat Action
Computer Criminal | Monetary gain (e.g. credit card info)                | Computer crime, fraudulent act
Hacker, Cracker   | Challenge, ego                                       | Hacking, social engineering, system intrusion, unauthorized system access
Competitors       | Injure company stability, disrupt network operation  | Economic exploitation, system penetration, spoofing/sniffing of network, ruin of company data
Vulnerability Identification
Vulnerability              | Threat-Source                                   | Threat Action
Absence Of System Security | Hacker, Cracker, Competitors, Computer Criminal | System failure, connection damage, information conversion
Likelihood Determination
Threat-Source                                   | Vulnerability              | Likelihood
Hacker, Cracker, Competitors, Computer Criminal | Absence Of System Security | Medium
Impact Analysis
Threat-Source     | Loss of Integrity | Loss of Availability | Loss of Confidentiality
Hacker, Cracker   | None              | High                 | High
Computer Criminal | None              | High                 | High
Competitors       | Medium            | High                 | High
Likelihood, Impact Analysis & Risk
Vulnerability              | Threat-Source                                   | Likelihood | Impact | Risk
Absence Of System Security | Hacker, Cracker, Competitors, Computer Criminal | Medium     | High   | Medium
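Neither this table nor the break-in table earlier (Likelihood, Impact Analysis & Risk) says how the Risk column was derived. Both follow the layout of NIST SP 800-30 (2002), whose Table 3-6 rates likelihood as 1.0/0.5/0.1 and impact as 100/50/10 and scales the product into High (above 50), Medium (above 10 up to 50) and Low (1 to 10). The script below is an added example, not from the original presentation: it encodes that scale, recomputes the risk for every row on this page, and shows the residual risk once a control lowers the likelihood. That the page's ratings map onto NIST's numbers is this example's assumption; the presentation does not state which method it used.

```python
"""Recompute the Risk column of the page's risk tables with the
likelihood x impact scale of NIST SP 800-30 (2002), Table 3-6.
Likelihood weights are stored in tenths (1, 5, 10 for 0.1, 0.5, 1.0)
so the products stay exact. Mapping the page's ratings onto this
scale is an assumption of this example."""

LIKELIHOOD = {"Low": 1, "Medium": 5, "High": 10}   # tenths of NIST's 0.1 / 0.5 / 1.0
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood, impact):
    """Return (level, score); score is NIST's likelihood * impact value."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact] / 10
    if score > 50:
        return "High", score
    if score > 10:
        return "Medium", score
    return "Low", score


# Rows copied from the page's two "Likelihood, Impact Analysis & Risk" tables:
# (vulnerability, likelihood, impact, risk stated on the page).
PAGE_ROWS = [
    ("Outdated Software",            "Medium", "Medium", "Medium"),
    ("Misconfigured System",         "High",   "High",   "High"),
    ("Absence Of Security Software", "High",   "Medium", "Medium"),
    ("Absence Of System Security",   "Medium", "High",   "Medium"),
]


def check_page_rows(rows=PAGE_ROWS):
    """(vulnerability, computed score, computed level, matches page?) per row."""
    out = []
    for vuln, lik, imp, stated in rows:
        level, score = risk_level(lik, imp)
        out.append((vuln, score, level, level == stated))
    return out


def residual_risk(impact, likelihood_after_control):
    """Risk left once a control (e.g. installing IDS/IPS) lowers the likelihood.
    Impact is unchanged: the control does not change what the asset holds."""
    return risk_level(likelihood_after_control, impact)


def risk_matrix():
    """The full 3x3 matrix, to see which cell each of the page's rows lands in."""
    return {(l, i): risk_level(l, i)[0] for l in LIKELIHOOD for i in IMPACT}


if __name__ == "__main__":
    for row in check_page_rows():
        print(row)
    print("Absence Of System Security after IDS/IPS:", residual_risk("High", "Low"))
```

Every row on the page reproduces under this scale, including the two that look odd at first glance: a High likelihood against a Medium impact scores exactly 50, which NIST still calls Medium, and so does Medium against High. It also explains why the control recommendation for the network vulnerability carries a High activity priority despite a Medium risk: the impact stays High, so only the likelihood can be pushed down.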
Control Recommendations
Risk                       | Risk Level | Recommended Controls                                                  | Activity Priority
Absence Of System Security | Medium     | Install licensed IPS & IDS; implement encryption; user access control | High
Security solutions
User groups:
• Administrative Users group: privileges to configure the terminal server
• Remote Desktop Users group: privileges only to connect to the remote desktop, without the possibility to configure it
• All users, including the administrator, must authenticate with credentials to log in to the services; no password-less connection is available.
Terminal server security configuration
• Users can run only the applications assigned to them by the system administrator.
• Idle user sessions are terminated after a configured time limit.
• Applications that can only be launched by another application are hidden from the user.
• An attempt to open an application that is not assigned to the user is blocked with a pop-up message stating that the user has no privilege to open it.
Application control for users
Anti-virus
Deploy an antivirus product with a regularly updated signature database that protects against intruders.
It should shut down any untrusted connection and scan web pages and downloads, working together with a reliable firewall.
Security is not only about blocking malicious actions but about keeping data safe, so also set up reliable encryption software.
Users can submit suspicious files so that future signature updates cover them.
Recommended product: #1 Bitdefender
Security against network attacks
● IPS & IDS: Snort
● Firewall: IPCop; APF (Advanced Policy Firewall) from rfxnetworks
● Optional expensive solutions: Cisco router, paid firewall
Questions?