
Recent Security Threats & Vulnerabilities

Computer security

Bob Cowles, bob.cowles@slac.stanford.edu

HEPiX, Fall 2004 – Brookhaven, NY, USA

Work supported by U. S. Department of Energy contract DE-AC02-76SF00515

18 October 2004 HEPiX - Fall 2004 2

Windows
  Recent Windows Vulnerabilities
  Windows patching
  Phishing and viruses
  Web exposures (IE)
  Spyware
  XP SP2

Recent Windows Vulnerabilities
  ASP.NET path vulnerability
  GDI+ jpeg (can’t just block jpegs)
  IE patches – lots; Outlook Express update
  NetDDE (not enabled by default)
  Windows shell (exploit thru web)
  IIS (document footer javascript)
  Allows code execution: NNTP; SMTP; zipped folders; Excel; WP converter; HTML Help; Task Scheduler; POSIX (old sys)

Windows Patching
  Patches do _NOT_ get e-mailed to you!
  Windows systems in Active Directory can be patched automatically (mostly)
  Offsite users must do their own patching
  May investigate ”bigfix” as partial solution
    Support for Linux / Macintosh
    Non-AD users
    Non-Microsoft software (winzip, realplayer, acrobat)
    http://www.bigfix.com/products/products_patch.html

Recent Phishing E-mail

E-Mail Attacks & Protection
  Phishing = E-mails (and phone calls) engineered to get information from you, or just to get you to click and download a virus
  Need to have Multi-Level Protection
    E-mail gateways strip attachments
    Exchange/desktop AV detects & removes
    Gateway tags as [SPAM:###] if a link in the e-mail would download malicious code
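The multi-level gateway protection on this slide, worked through as an added example (not SLAC's gateway code and not part of the talk): the filter inspects the links in the HTML body, replaces risky attachments with a placeholder, and prefixes the Subject with a [SPAM:###] tag when a link would fetch malicious code. The blocked extensions, the blocklisted host, the scoring values and the sample message are all constructed for illustration; only the [SPAM:###] tagging convention comes from the slide.

```python
# Toy mail-gateway filter: inspect links, strip attachments, tag Subject.
# Added example; policy lists and the sample message are constructed.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: attachment extensions the gateway never delivers.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Constructed blocklist of hosts known (to this toy gateway) to serve malware.
MALICIOUS_HOSTS = {"download.example-bad.test"}
DOWNLOAD_RE = re.compile(r"\.(exe|scr|pif|bat|zip)$", re.IGNORECASE)
# Link text that itself looks like a URL/host (a lure when the href goes elsewhere).
URLISH_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML part."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def score_link(href, text):
    """Score one link as (points, reason); 0 points means nothing suspicious."""
    host = _host(href)
    if host in MALICIOUS_HOSTS:
        return 100, f"link to blocklisted host {host}"
    if DOWNLOAD_RE.search(urlparse(href).path):
        return 60, f"link fetches an executable: {href}"
    if text and URLISH_RE.match(text):
        shown = _host(text if "://" in text else "http://" + text)
        if shown and host and shown != host:
            return 40, f"link text shows {shown} but points to {host}"
    return 0, ""


def filter_message(raw):
    """Apply the gateway policy to one raw RFC 822 message (bytes).
    Returns (filtered message, names of stripped attachments, list of reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, score = [], 0

    # Layer 1: inspect links in the HTML body (before any part is rewritten).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            points, reason = score_link(href, text)
            if points:
                score += points
                reasons.append(reason)

    # Layer 2: replace dangerous attachments with a plain-text placeholder part.
    stripped = []
    for part in list(msg.walk()):
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            part.set_content(f"[attachment {name} removed by gateway]\n")
            stripped.append(name)

    # Layer 3: tag the Subject so desktop filters and users see the verdict.
    if score:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"[SPAM:{min(score, 999):03d}] {subject}"
    return msg, stripped, reasons


# Constructed phishing-style message: lure link plus an executable attachment.
SAMPLE = b"""\
From: "Account Services" <alerts@bank.example>
To: user@lab.example
Subject: Your account has been suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Please verify your details at
<a href="http://download.example-bad.test/verify.exe">https://www.bank.example/login</a>
</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    cleaned, stripped, reasons = filter_message(SAMPLE)
    print(cleaned["Subject"], stripped, reasons)
```

The three layers are deliberately independent: the attachment strip runs even when no link scored, and the Subject tag is applied only from the link verdict, so a downstream desktop AV (the slide's second layer) still sees the message structure it expects.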

Don’t Take the Bait

Forged FDIC E-mail

Fake FDIC Website

Real FDIC Website

E-mail With Virus Attached

AD & SUS->WUS
  Problematic patching
    Office vs. Windows Update
    Require product CD?
  XP will have improvements (someday)
  Who let them name it WUS? http://www.wordsculpture.se/english_corner/slang.asp
  But sites still must address non-MS software

Viruses
  More sophistication
    Run automatically
    Leave backdoors; smtp for spam
    Keyboard loggers
  Alert Oct 18, 2004 – bypass AV zip file checking for McAfee, CA, Sophos, Kaspersky, Eset, RAV

IE Exposures
  Unpatched vulnerabilities
  Cannot escape IE (but can control)
  XP SP2 has fixed some problems
  There is still the problem of user knowledge

Spyware
  Invade privacy
  Keyloggers compromise security
  Allowed by some AV products
    User agrees to software’s actions through license agreement
  US state and federal legislation will solve the problem (just like with SPAM) - NOT

XP SP2
  Problem areas
    Spyware causes bluescreen
    Popup blocking causes problems w/ some sites
    Multiple firewalls cause conflicts
  Need to allow vulnerability scanning
    ICMP off by default (no ping response)
    Open ports for file / print sharing, or
    Run software agent that can be “contacted”

Unix & Linux
  Local Exploits = Remote Exploits
  Samba
  LSF – rtok lsadmin eauth
  PHP in web servers
  chown
  drivers (sparse code checking tool)
  sendmail
  sshd – scanning for weak passwords
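Detection for the last item, the scanning of sshd for weak passwords, as an added example that is not from the talk or from any of the sites it names: the script parses sshd syslog lines, counts failed password attempts per source address inside a sliding window, and also reports a password login that follows such a burst from the same source, which is the sign that a weak password was actually found. The log lines are constructed, and the threshold and window are arbitrary assumptions to tune per site.

```python
# Flag password guessing against sshd from syslog-style auth log lines.
# Added example; the log excerpt and the thresholds below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2004):
    """Return a dict for an sshd Accepted/Failed line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_password_guessing(lines, threshold=5, window=timedelta(minutes=2)):
    """Return findings: one 'password-guessing' per source that reaches
    `threshold` failures inside `window`, plus a 'login-after-guessing' for
    every password login from a source already flagged."""
    recent = defaultdict(deque)      # src -> failure timestamps inside the window
    users_tried = defaultdict(set)   # src -> user names attempted
    flagged, findings = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            users_tried[src].add(ev["user"])
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "password-guessing", "src": src, "at": ts,
                                 "failures": len(q), "users": sorted(users_tried[src])})
        elif ev["method"] == "password" and src in flagged:
            findings.append({"type": "login-after-guessing", "src": src,
                             "user": ev["user"], "at": ts})
    return findings


# Constructed auth log excerpt: a burst of guesses from one address, one of
# which succeeds, followed by an ordinary key-based login from another.
SAMPLE_LOG = """\
Oct 18 03:14:07 lxhost sshd[2133]: Failed password for invalid user oracle from 192.0.2.45 port 51200 ssh2
Oct 18 03:14:09 lxhost sshd[2134]: Failed password for invalid user test from 192.0.2.45 port 51201 ssh2
Oct 18 03:14:11 lxhost sshd[2135]: Failed password for root from 192.0.2.45 port 51202 ssh2
Oct 18 03:14:12 lxhost sshd[2136]: Failed password for invalid user admin from 192.0.2.45 port 51203 ssh2
Oct 18 03:14:14 lxhost sshd[2137]: Failed password for guest from 192.0.2.45 port 51204 ssh2
Oct 18 03:14:16 lxhost sshd[2138]: Failed password for root from 192.0.2.45 port 51205 ssh2
Oct 18 03:14:20 lxhost sshd[2139]: Accepted password for guest from 192.0.2.45 port 51206 ssh2
Oct 18 03:20:01 lxhost sshd[2150]: Failed password for alice from 198.51.100.7 port 4022 ssh2
Oct 18 03:20:09 lxhost sshd[2151]: Accepted publickey for alice from 198.51.100.7 port 4023 ssh2
Oct 18 03:21:00 lxhost sshd[2151]: Connection closed by 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for finding in detect_password_guessing(SAMPLE_LOG):
        print(finding)
```

The second finding type is the one worth paging on: a burst of failures is noise on any Internet-facing host, but a password login from the same source right after the burst means the account now needs a password reset and the session needs a look.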

Fedora
  Supports RH 7.3 and RH 9
  Security fixes can take several months after vulnerability is announced
  Large pkg of fixes released Oct 18, 2004
    ISO9660, Soundblaster, file offset pointers, nfs group ID, drivers, several integer overflows, other DOS, memory leaks, information leaks.

Universities & Labs
  Exploits against Solaris, AIX, Linux
  Attacker(s) are knowledgeable
  Install SK rootkit on Linux
  Install trojaned sshd
    gets passwords from keyboard/tty entry
    accesses RSA keys
  CERN break-in (LXPLUS) recent example (LSF)
  Are one time password tokens in your future?

Universities and Labs (cont)
  User “klogd” scans for open X sessions
  Forwards captured passwds thru port 8181
  Used on patched machines
  Just notified sites in US (USC, UCSB, NYU, Princeton, PSU, etc) of problems. Also RAL, Fermilab, SLAC, Cornell, Bristol, INFN, Stanford
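A host check for the indicators on this slide, written as an added example (not an incident-response tool from the talk or from any of the sites named): it cross-references a process listing with a socket listing and flags a daemon-named process that runs from an unexpected path or account, that connects out to the port named here (8181), or that touches X11 ports on several hosts, which is what a scan for open X sessions looks like from the host side. The ps and netstat output is constructed for a hypothetical host; the daemon table, trusted directories and scan threshold are assumptions, and the name klogd and port 8181 are taken from the slide.

```python
# Cross-check process and socket listings for the indicators on the slide.
# Added example; both listings below are constructed for a hypothetical host.
from collections import defaultdict

# Assumptions: daemon names an intruder might reuse, the account each one
# legitimately runs as, and the directories a real daemon binary lives in.
SYSTEM_DAEMONS = {"klogd": "root", "syslogd": "root", "sshd": "root"}
TRUSTED_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/")
WATCHED_PORTS = {8181}           # the forwarding port named in the talk
X11_PORTS = range(6000, 6064)    # display :0 .. :63
X11_SCAN_THRESHOLD = 3           # distinct hosts before we call it a scan

# Constructed output of `ps -eo pid,user,comm,args`.
PS_SAMPLE = """\
  PID USER     COMMAND  COMMAND
    1 root     init     /sbin/init
  870 root     sshd     /usr/sbin/sshd
 2133 root     klogd    /sbin/klogd -x
 4412 klogd    klogd    /tmp/.x/klogd
 5120 alice    xterm    xterm
"""

# Constructed output of `netstat -tnp` on the same host.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address    State       PID/Program name
tcp        0      0 10.0.0.5:22       198.51.100.7:4022  ESTABLISHED 870/sshd
tcp        0      0 10.0.0.5:38122    203.0.113.9:8181   ESTABLISHED 4412/klogd
tcp        0      0 10.0.0.5:41000    10.0.0.17:6000     SYN_SENT    4412/klogd
tcp        0      0 10.0.0.5:41001    10.0.0.18:6000     SYN_SENT    4412/klogd
tcp        0      0 10.0.0.5:41002    10.0.0.19:6000     ESTABLISHED 4412/klogd
tcp        0      0 10.0.0.5:41003    10.0.0.20:6000     SYN_SENT    4412/klogd
"""


def parse_ps(text):
    """pid -> {user, comm, path} from `ps -eo pid,user,comm,args` output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        pid, user, comm, args = line.split(None, 3)
        procs[int(pid)] = {"user": user, "comm": comm, "path": args.split()[0]}
    return procs


def parse_netstat(text):
    """List of {pid, rhost, rport, state} from `netstat -tnp` output."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        rhost, rport = f[4].rsplit(":", 1)
        owner = f[6].split("/")[0]
        conns.append({"pid": int(owner) if owner.isdigit() else None,
                      "rhost": rhost, "rport": int(rport) if rport.isdigit() else None,
                      "state": f[5]})
    return conns


def triage(ps_text, netstat_text):
    """Return (pid, reason) findings; an empty list means nothing matched."""
    procs, conns = parse_ps(ps_text), parse_netstat(netstat_text)
    findings = []
    for pid, p in procs.items():
        expected_user = SYSTEM_DAEMONS.get(p["comm"])
        if expected_user is None:
            continue
        if not p["path"].startswith(TRUSTED_DIRS):
            findings.append((pid, f"{p['comm']} runs from untrusted path {p['path']}"))
        if p["user"] != expected_user:
            findings.append((pid, f"{p['comm']} runs as {p['user']}, expected {expected_user}"))
    x11_targets = defaultdict(set)              # pid -> hosts contacted on X11 ports
    for c in conns:
        if c["pid"] is None or c["rport"] is None:
            continue
        if c["rport"] in WATCHED_PORTS:
            findings.append((c["pid"], f"connection to watched port {c['rhost']}:{c['rport']}"))
        if c["rport"] in X11_PORTS:
            x11_targets[c["pid"]].add(c["rhost"])
    for pid, hosts in x11_targets.items():
        if len(hosts) >= X11_SCAN_THRESHOLD:
            findings.append((pid, f"X11 connections to {len(hosts)} hosts (scan for open X sessions?)"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(PS_SAMPLE, NETSTAT_SAMPLE):
        print(pid, reason)
```

The path and account rules catch the case the slide stresses, a fully patched machine: a binary that borrows a system daemon's name is not a vulnerability the patch cycle can remove, so it has to be found by comparing what is running against what the host should be running. Note that the legitimate /sbin/klogd on the same host produces no finding.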

Cisco
  CatOS – Telnet, HTTP, SSH
  BGP – another DOS

Macintosh
  Safari – open in browser; javascript
  Disk image mounter
  libpng
  kerberos
  rsync
  OpenSSH
  iChat
  QuickTime

Other Vulnerabilities
  AXIS video camera and server
  IM – gaim, AIM & Yahoo Messenger
  CVS
  RealPlayer
  Winzip
  Web HP JetAdmin
  Acrobat Reader 6.0
  Firewire (announced Nov 11)

Email
  Evils of HTML email
    It’s big & it hides bad stuff
    Phishing scams
      Citibank, eBay, PayPal, Wells Fargo
  Outlook 2003 setting (reg for Outlook XP)
  New default for Outlook Express

Outlook 2003: Tools -> Options -> Preferences

Final Thoughts
  Attacks coming faster; attackers getting smarter
  No simple solution works
    Patching helps
    Firewalls help
    AV & attachment removal help
    Encrypted passwords/tunnels help
  You can’t be “secure”; only “more secure”
  We must share information better

What is the Most Important Component of Computer Security?

YOU!