Looking at Vulnerabilities Dave Dittrich The Information School /Computing & Communications University of Washington Microsoft campus 8/25/03.

Looking at Vulnerabilities

Dave Dittrich The Information School /Computing &

CommunicationsUniversity of Washington

Microsoft campus 8/25/03

Overview Background concepts Your typical look at

Vulnerabilities, Risk vs. Cost A (real!) complex attack scenario A different view of vulnerabilities

Trust relationships Attack trees Atypical/uncommon vulnerabilities

Stepping Stones

Internet Relay Chat (IRC)

IRC w/Bots&BNCs

Distributed Denial of Service (DDoS) Networks

Typical DDoS attack

DDoS Attack Traffic (1)

One Day Traffic Graph

DDoS Attack Traffic (2)

One Week Traffic Graph

DDoS Attack Traffic (3)

One Year Traffic Graph

SANS Top 20 Vulnerabilities

Windows Top 101. Internet Information Server (IIS)2. Microsoft Data Access Server

(MDAC)3. SQL Server4. NETBIOS5. Anonymous login/null session6. LAN Manager Authentication

(Weak LM hash)7. General Windows Authentication

(Accounts w/o pwd, bad pwd)8. Internet Explorer9. Remote Registry Access10. Windows Scripting Host

Unix Top 101. Remote Procedure Call (RPC)

services2. Apache Web Server3. Secure Shell (SSH)4. Simple Network Management

Protocol (SNMP)5. File Transfer Protocol (FTP)6. Berkeley “r” utilities

(trust relationships)7. Line Printer Daemon (LPD)8. Sendmail9. BIND/DNS10. General Unix Authentication

(accounts w/o pwd, bad pwd)

http://www.sans.org/top20/

High

Low

1980 1985 1990 1995 2001

password guessing

password cracking

exploiting known vulnerabilities

disabling audits

back doors

hijacking sessions

sniffers

packet spoofing

GUIautomated probes/scans

denial of service

www attacks

Tools

Attackers

IntruderKnowledge

AttackSophistication

“stealth” / advanced scanning techniques

burglaries

network mgmt. diagnostics

distributedattack tools

binary encryption

Source: CERT/CC (used w/o permission & modified “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)

Attack sophistication vs. Intruder Technical Knowledge

Cost vs. Risk 101

Another view of Cost vs. Risk

UW Medical Center “Kane” Incident Goal: How hard to obtain patient records? Windows 98 desktop w/trojan or no pwd Sniffer

Linux server -> Windows NT PDC/F&P server Unix email server

Windows PDCs, BDCs Windows Terminal Server (>400 users) Access database file (>4000 patient records:

Name, SSN, Home number, treatment, date…) SecurityFocus -> ABC News

Trust relationships

Client<->Server IP based ACLs Shared password/symmetric key Shared network infrastructure Sensitive data in email Sensitive files on servers

Attack Trees

“Secrets and Lies,” Bruce Schneier, ISBN 0-471-25311-1, chapter 21

Goal is root node: Sub-goals are lower nodes/leaves

And/Or relationship between nodes Attributes: Likelihood, equipment

required, cost of attack, skill required, legality, etc.

Attack Tree Example 1

http://www.counterpane.com/attacktrees-fig1.html

Attack Tree Example 2

http://www.counterpane.com/attacktrees-fig6.html

Attack Tree Example 3Survivability Compromise: Monitor network trafficOR: 1. Install sniffer on desktop. OR: 1. Use email trojan horse. 2. Use remote exploit. 3. Use Windows remote login service. OR: 1. Use passwordless Administrator account. 2. Brute force passwords on all listed accounts. 3. Brute force passwords on common accounts. 2. Install sniffer on Unix/Windows server OR: 1. Use remote exploit. 2. Steal/sniff password to root/Administrator account. 3. Guess password to root/Administrator account. 3. Man-in-the-middle attack on SSL/SSH. …

Attack Tree Example 4 (Nested)

Survivability Compromise: Disclosure of Patient RecordsOR: 1. Attack Med Center network using connections to the Internet OR: 1. Compromise central patient records database (PRDB). AND: 1. Identify central PRDB. OR: 1. Scan to identify PRDB. 2. Monitor network traffic to identify PRDB. 2. Compromise central PRDB. OR: 1. Use Remote Exploit. 2. Monitor network traffic to sniff pwd to account. 3. Guess password to account. 2. Obtain file(s) containing patient records. OR: 1. Monitor network traffic to capture patient records. 2. Compromise file server or terminal server. OR: 1. Use Remote Exploit. 2. Monitor network traffic to sniff Administrator pwd. 3. Guess password to User/Administrator account.

Atypical Vulnerabilities

Network Infrastructure Special Devices Non-technical (Social) Issues

Border Routers

BGP (route insertion/withdrawal) Address forgery Source routing Denial of Service Remote service exploit & “Root kits” Lack of visibility/access to traffic

flows

Internal Routers/Switches

OSPF, RIP & other protocols Address forgery ARP spoofing Sniffing (SNMP community string,

pwd) Denial of Service Lack of visibility/access to traffic

flows

Servers

Gateways to legacy apps Web apps Insufficient logging/auditing Hiding in plain sight Control of software configuration

Network Printers Change “Ready” message FTP bounce scan, other scanning File cache SNMP/web admin front ends, back

doors Disclosure of print jobs

Passive monitoring Redirection of print jobs

Medical “devices”, photocopiers, printers

Proprietary or OEM OS (e.g., Solaris, IRIX) Many (non-essential) services turned

on Typically behind the curve on patches

Remote management (HTTP, SNMP) Heavy use of unencrypted protocols

(e.g., FTP, LPR, Berkeley “r” utilities) “What? The hackers are back?”

PBXs, voice services

Monitoring Theft of Service Fraud/social engineering Denial of Service Malware Cache (PC based VM)

Social Issues

Not recognizing threats & risks Assuming attacks are simple Assuming things are what they

seem (e.g., Slammer, Nimda, SoBig) Assuming attacks/defenses are

direct Assuming you have it handled

So how do we fix things?

Information Assurance Education (start to finish) Research Practice (Corporations, government...

everyone!)

Information Assurance Information Assurance (IA) concerns information

operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation.

This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999

NSA Centers of Excellence Outreach program designed and operated by the

National Security Agency (NSA) Fulfills the spirit of Presidential Decision

Directive 63 (PDD 63 - National Policy on Critical Infrastructure Protection, May 199)

Goal: To reduce vulnerability in our national information infrastructure by promoting higher education in IA, and producing a growing number of professionals with IA expertise in various disciplines

Where are they?

As of May 2003, 50 Centers nationwide Mostly the East Coast Closest to Seattle are Portland State,

University of Idaho, Idaho State University

For more info:http://www.nsa.gov/isso/programs/coeiae/index.htm

2002 NSA Centers of Excellence

Benefits to the nation Meet national demand for professionals with IA

expertise in various disciplines Professionals enter the workforce better equipped

to meet challenges facing our national information infrastructure

Centers act as focal points for recruiting individuals with IA expertise

Centers create a climate and foci to encourage independent research in critical IA areas

Summary Vulnerabilities exist in places you might

not think Vulnerabilities are additive, interrelated Complex attacks call for complex

defenses/response If you’re not learning something new

every day, you’re falling behind your adversary

Questions? dittrich @ u.washington.edu http://staff.washington.edu/dittrich/

References UW Medical Center

http://www.securityfocus.com/news/122/ http://www.hipaausa.com/hacker.html http://www.cio.com/archive/110102/rules_content.html http://www.cio.com/archive/031502/plan_content.html

Attack trees http://www.counterpane.com/attacktrees-ddj-ft.html

Networking http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24 http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.p

pt http://www.securityfocus.com/infocus/1594

References (cont) Routers

http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt

http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf

http://www.net-tech.bbn.com/sbgp/IETF42.ppt http://www.cymru.com/Presentations/barry.pdf

BGP, OSPF http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerabil

ity.pdf http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinte

rnet96.pdf

References (cont) Switches, ARP, local network attacks

http://www.comnews.com/stories/articles/c0103sfarea.htm http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-

usa-01-Mike-Beekey.ppt Printers

http://members.cox.net/ltw0lf/printers/ PBXs

http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf DDoS, “root kits”

http://www.cert.org/reports/dsit_workshop.pdf http://www.cert.org/archive/pdf/Managing_DoS.pdf http://staff.washington.edu/dittrich/misc/ddos/ http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq