Security “Tidbits” Neil Daswani

Dec 21, 2015
Page 1: Security “Tidbits” Neil Daswani. Overview The FLI Model Infiltrations: – Viruses / Worms – Lessons Learned Firewalls & Attacks – What is a firewall? –

Security “Tidbits”

Neil Daswani

Page 2

Overview

The FLI Model

Infiltrations:
– Viruses / Worms
– Lessons Learned

Firewalls & Attacks
– What is a firewall?
– How do they work?
– How to prevent attacks

Page 3

Security Problems & Solutions

                 Failure (Process/Storage)          Lies                                Infiltration
Prevention       Physical Security,                 Authentication, Authorization,      Hardware Protection,
                 Uninterruptible Power,             Non-Repudiation, Time-Stamping,     Firewalls
                 Firewalls                          Digital Signatures
“Common Sense”   Non-Stop Processes,                Byzantine Agreement,                Intrusion Detection,
Management       Fault-Tolerance, Watchdog          Reputation Systems                  Anti-virus Software
                 Processor, Replication, RAID,
                 Backups
Recovery         Fail-Over, Hot Swapping,           Fail-Stop Digital Signatures        Auditing,
                 Key Escrow                                                             Certificate Revocation

Page 4

Morris Worm (1988)

Damage: 6000 computers in just a few hours
What: just copied itself; didn’t touch data
Exploited:
– buffer overflow in fingerd (UNIX)
– sendmail debug mode (exec arbitrary cmds)
– dictionary of 432 frequently used passwords

Page 5

Buffer Overflow Example

#include <string.h>

void sample_func (char *str) {
    char buffer[16];
    strcpy (buffer, str);    /* no length check: input longer than 15 bytes overruns buffer and the stack behind it */
}

int main (int argc, char *argv[]) {
    if (argc < 2)
        return 1;            /* avoid dereferencing a missing argument */
    sample_func (argv[1]);   /* caller-controlled input goes straight into the unchecked copy */
    return 0;
}
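The hardened counterpart of the slide's sample_func, as an added example that is not part of the deck: the stack buffer stays 16 bytes, but the copy is refused when the input (terminator included) would not fit. The function names safe_copy and sample_func_checked are this example's own.

```c
/* Added example (not from the slides): a bounds-checked replacement for the
 * strcpy() call in sample_func(). Function names are this example's own. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Copy src into dst (capacity dstsize) only if it fits, NUL terminator included.
 * Returns 1 on success, 0 if the input would overflow; dst is untouched on failure. */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0 || len >= dstsize) {
        return 0;               /* would overflow: refuse instead of writing past the end */
    }
    memcpy(dst, src, len + 1);  /* len + 1 also copies the terminator */
    return 1;
}

/* Same 16-byte stack buffer as the slide's sample_func(), but the copy is checked.
 * Returns the number of bytes stored, or -1 when the input was rejected. */
int sample_func_checked(const char *str)
{
    char buffer[BUF_SIZE];
    if (!safe_copy(buffer, sizeof buffer, str)) {
        return -1;              /* over-long input is rejected rather than smashing the stack */
    }
    return (int)strlen(buffer); /* always strictly less than BUF_SIZE */
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    int n = sample_func_checked(argv[1]);
    if (n < 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied %d bytes\n", n);
    return 0;
}
```

The check is `len >= dstsize` rather than `len > dstsize` because the terminating NUL needs a byte too; an off-by-one here is the classic way a "fixed" copy still overflows by a single byte.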

Page 6

Morris Worm (1988)

Lessons Learned from Morris
– Diversity is good.
– Big programs have many exploitable bugs.
– Choose good passwords.
– Don’t shut down mail servers: did prevent worm from spreading but also shut down defense
– CERT was created to respond to attacks

Page 7

Melissa (1999)

What: just copied itself; did not touch data
When date=time, “Twenty-two points, plus triple word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
Exploited:
– MS Word Macros (VB)
– MS Outlook Address Book (Fanout = 50)

“Important message from <user name> …”

Page 8

Melissa (1999)

Lessons Learned:
– Homogeneity is bad.
– Users will click on anything.
– Separation of applications is good.
– Users “trusted” the message since it came from someone they knew.
– Don’t open attachments unless they are expected.

Page 9

Other Viruses / Worms

CIH Chernobyl Virus, 1998, Taiwan:
– Time bomb: April 26, or 26th of each month
– Writes random garbage to disk starting at sector 0
– attempts to trash FLASH BIOS
– Hides itself in unused spaces

Worm.ExploreZip, 1999: Melissa + zeroed out files
BubbleBoy, 1999: Melissa-like except doesn’t require opening an attachment (ActiveX)
Love Bug, 2000: “I LOVE YOU” (like Melissa)

Page 10

Code Red (2001)

Runs on WinNT 4.0 or Windows 2000
Scans port 80 on up to 100 random IP addresses
Resides only in RAM; no files
Exploits buffer overflow in Microsoft IIS 4.0/5.0 (worm appeared one month after advisory went out)
Two flavors:
– Code Red I: high traffic, web defacements, DDOS on whitehouse.gov, crash systems
– Code Red II: high traffic, backdoor install, crash systems
Three phases, by day of month: propagation (1-19), flood (20-27), termination (28-31)
Other victims: Cisco 600 Routers, HP JetDirect Printers

Page 11

Code Red (2001)

Lessons Learned:
– Don’t use IIS! ;)
– Always keep software up-to-date
– Proof-of-concept to hide other attacks?

Page 12

Nimda (2001)

Multiple methods of spreading (email, client-to-server, server-to-client, network sharing)
– Server-to-client: IE auto-executes readme.eml (that is attached to all HTML files the server sends back to the client)
– Client-to-server: “burrows”: scanning is local 75% of time
– Email: readme.exe is auto-executed upon viewing HTML email on IE 5.1 or earlier

Page 13

Nimda (2001)

Lessons Learned:
– Install latest web server and browser patches (or upgrade version altogether)
– Don’t use MIME auto-execution
– Disable JavaScript
– Reject using applications that are routinely exploited???

Page 14

Just this week… BadTrans Worm

Spread via email; attacks Windows systems
Records (once per second) keystrokes, usernames, & passwords into windows with titles: LOG, PAS, REM, CON, TER, NET
Sends to
– one of 20+ email addresses
– one of 15+ from addresses
– one of 15+ attachment names w/ 2 extensions ({.doc/.mp3/.zip},{.pif/.scr})

Page 15

Firewalls

Two major technologies:
– Packet Filters
– Proxies

Related technologies
– Network Address Translation (NAT)
– Virtual Private Networks (VPN)

Page 16

Packet Filtering Routers

Filter on:
– IP Source, IP Dest, Protocol (TCP, UDP, ICMP)
– TCP/UDP Source & Dest Ports
– ICMP Message Type (req, reply, time exceeded)
– Packet Size
– NICs

Stateful vs. Stateless Inspection
– e.g., UDP DA/DP checking (admit an inbound datagram only if it matches a remembered outbound destination address/port)

Simple Protocol Checking
– e.g., Format Checking, Disconnect “anonymous” FTP x-fers
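A toy first-match packet filter with a small UDP state table, added here to make the stateless vs. stateful distinction concrete; it is an illustrative example, not code from the slides or from any real firewall. The policy, addresses, ports and all names (filter_stateless, filter_stateful, check) are constructed for this example.

```c
/* Added example, not from the slides: a toy first-match packet filter plus a
 * small UDP state table, contrasting stateless and stateful inspection.
 * Addresses, ports, the policy and all names here are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define ANY 0            /* wildcard for any rule field */

enum proto { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum direction { INBOUND, OUTBOUND };
enum verdict { DROP, ACCEPT };

struct packet { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; enum direction dir; };

/* A rule matches when every non-ANY field equals the packet's (direction is always compared). */
struct rule { uint32_t src, dst; uint16_t dport; uint8_t proto; enum direction dir; enum verdict action; };

/* Stateless: first matching rule wins; no match means default deny. */
enum verdict filter_stateless(const struct rule *rules, size_t n, const struct packet *p)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->dir != p->dir) continue;
        if (r->proto != ANY && r->proto != p->proto) continue;
        if (r->src != ANY && r->src != p->src) continue;
        if (r->dst != ANY && r->dst != p->dst) continue;
        if (r->dport != ANY && r->dport != p->dport) continue;
        return r->action;
    }
    return DROP;
}

/* Stateful add-on for UDP ("DA/DP checking"): remember accepted outbound flows and
 * admit an inbound datagram only if its addresses and ports mirror one of them. */
#define MAX_FLOWS 64
struct udp_flow { uint32_t src, dst; uint16_t sport, dport; int used; };
static struct udp_flow flows[MAX_FLOWS];

void reset_flows(void) { memset(flows, 0, sizeof flows); }

static void remember_udp(const struct packet *p)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (!flows[i].used) { flows[i] = (struct udp_flow){ p->src, p->dst, p->sport, p->dport, 1 }; return; }
    /* table full: the flow is not tracked, so its replies will be dropped (fail closed) */
}

static int is_udp_reply(const struct packet *p)
{
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flows[i].used && flows[i].src == p->dst && flows[i].dst == p->src &&
            flows[i].sport == p->dport && flows[i].dport == p->sport)
            return 1;
    return 0;
}

enum verdict filter_stateful(const struct rule *rules, size_t n, const struct packet *p)
{
    if (p->proto != PROTO_UDP) return filter_stateless(rules, n, p);
    if (p->dir == OUTBOUND) {
        enum verdict v = filter_stateless(rules, n, p);
        if (v == ACCEPT) remember_udp(p);
        return v;
    }
    return is_udp_reply(p) ? ACCEPT : DROP;   /* unsolicited inbound UDP never matches a flow */
}

/* Constructed policy: inbound TCP to the public web server on port 80, any outbound traffic, deny the rest. */
static const struct rule policy[] = {
    { ANY, IP4(192, 0, 2, 10), 80, PROTO_TCP, INBOUND, ACCEPT },
    { ANY, ANY, ANY, ANY, OUTBOUND, ACCEPT },
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Evaluate one packet against the constructed policy through the stateful path. */
enum verdict check(enum direction dir, uint8_t proto, uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    struct packet p = { src, dst, sport, dport, proto, dir };
    return filter_stateful(policy, POLICY_LEN, &p);
}

int main(void)
{
    reset_flows();
    printf("inbound TCP to web:80   -> %s\n", check(INBOUND, PROTO_TCP, IP4(203,0,113,5), 40000, IP4(192,0,2,10), 80) ? "ACCEPT" : "DROP");
    printf("unsolicited inbound UDP -> %s\n", check(INBOUND, PROTO_UDP, IP4(198,51,100,53), 53, IP4(192,0,2,20), 5353) ? "ACCEPT" : "DROP");
    check(OUTBOUND, PROTO_UDP, IP4(192,0,2,20), 5353, IP4(198,51,100,53), 53);  /* a DNS query goes out and is remembered */
    printf("DNS reply after query   -> %s\n", check(INBOUND, PROTO_UDP, IP4(198,51,100,53), 53, IP4(192,0,2,20), 5353) ? "ACCEPT" : "DROP");
    return 0;
}
```

The stateless path shows why the slide calls filters "hard to configure & test": rule order decides the outcome, and anything the rules do not mention falls through to deny. The stateful path shows what the state table buys for UDP, which has no handshake to key on: the same inbound datagram is dropped before the matching outbound query and accepted after it.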

Page 17

Packet Filtering

Advantages
– One router can protect entire network
– Simple filtering is efficient
– Widely available

Disadvantages
– Hard to configure & test
– Reduces router performance
– Can’t enforce some policies (e.g., user-level)

Page 18

Proxies

Security vs. Caching Proxies
SOCKS: proxy construction toolkit
Trusted Information Systems Firewall Toolkit (TIS FWTK: Telnet, FTP, HTTP, rlogin, X11)
Most used to control use of outbound services
Can also be used to control inbound services (reverse proxying)

Page 19

Proxies

Advantages
– Logging, Caching, Intelligent Filtering
– User-level authentication
– Guards against weak IP implementations

Disadvantages
– Lag behind non-proxied services
– Requires different servers for each service
– Usually requires modifications to client applications

Page 20

Firewall Architectures

Dual-Homed Host
– Services can only be proxied

Screening Router w/ Bastion Host
– Security by packet filtering
– Bastion host is single point of failure

Screened Subnet
– Ext Router, Perimeter, Bastion Host, Interior Router
– Internal ethernet packets protected from perimeter

Page 21

Example Attacks

IP Spoofing
TCP SYN Flood
SMURF Attack
– ICMP Ping w/ max payload to broadcast address
D-DOS Attack
– Infiltrate, set up sleepers, attack at once

Page 22

References

White-Hat Security Arsenal, A. Rubin
Security Engineering, R. Anderson
www.webtorials.com, Gary Kessler
Building Internet Firewalls, E. Zwicky et al.
Counter Hack, E. Skoudis

Page 23

Network Address Translation (NAT)

Translates network addresses & ports
Does not provide additional “security”
Possibilities:
– One external address per internal address
– Dynamically assign external address
– Map multiple internal to one external (port sharing)
– Dynamically assign external addresses and ports
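The port-sharing case ("map multiple internal to one external" with dynamically assigned ports) as a toy translation table, added here as an illustration and not taken from the slides or from any real NAT implementation. The public address, private hosts, the port pool and the names nat_outbound and nat_inbound are all constructed for this example.

```c
/* Added example, not from the slides: a toy port-sharing NAT (many internal
 * hosts behind one public address) with a dynamically assigned external port per
 * flow. Addresses, ports and function names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_MAP 64
#define FIRST_EXT_PORT 40000     /* constructed: external port pool starts here */

struct endpoint { uint32_t ip; uint16_t port; };

struct mapping {
    struct endpoint internal;    /* private host:port behind the NAT */
    uint16_t ext_port;           /* port used on the single public address */
    int used;
};

static const uint32_t EXTERNAL_IP = IP4(203, 0, 113, 1);   /* constructed public address */
static struct mapping table[MAX_MAP];
static uint16_t next_port = FIRST_EXT_PORT;

void nat_reset(void) { memset(table, 0, sizeof table); next_port = FIRST_EXT_PORT; }

/* Outbound: find or create the mapping for this internal endpoint and rewrite the
 * source to EXTERNAL_IP:ext_port. Returns the external port, or 0 if no slot is free. */
uint16_t nat_outbound(struct endpoint *src)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_MAP; i++) {
        if (table[i].used && table[i].internal.ip == src->ip && table[i].internal.port == src->port) {
            src->ip = EXTERNAL_IP;
            src->port = table[i].ext_port;    /* existing flow: reuse its mapping */
            return table[i].ext_port;
        }
        if (!table[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0 || next_port == 0) return 0;   /* table full, or the (simplified) pool wrapped */
    table[free_slot] = (struct mapping){ *src, next_port, 1 };
    uint16_t ext = next_port++;
    src->ip = EXTERNAL_IP;
    src->port = ext;
    return ext;
}

/* Inbound: translate a packet addressed to EXTERNAL_IP:ext_port back to the internal
 * endpoint. Returns 0 and leaves dst untouched when no mapping exists, which is why
 * unsolicited inbound traffic never reaches an internal host through the NAT. */
int nat_inbound(struct endpoint *dst)
{
    if (dst->ip != EXTERNAL_IP) return 0;
    for (int i = 0; i < MAX_MAP; i++) {
        if (table[i].used && table[i].ext_port == dst->port) {
            *dst = table[i].internal;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    nat_reset();
    struct endpoint a = { IP4(10, 0, 0, 5), 51000 };
    struct endpoint b = { IP4(10, 0, 0, 6), 51000 };   /* same source port on a different host */
    printf("host A -> external port %u\n", nat_outbound(&a));
    printf("host B -> external port %u\n", nat_outbound(&b));
    struct endpoint reply = { EXTERNAL_IP, b.port };
    if (nat_inbound(&reply)) printf("reply to port %u goes to 10.0.0.6:%u\n", b.port, reply.port);
    struct endpoint stray = { EXTERNAL_IP, 22 };
    printf("unsolicited packet to port 22 -> %s\n", nat_inbound(&stray) ? "forwarded" : "no mapping, dropped");
    return 0;
}
```

Two of the slide's later points fall straight out of the table: inbound traffic is "restricted" only because nothing is forwarded without a mapping created by an outbound packet, and the translation knows nothing about addresses carried inside a payload, so a protocol that embeds its own IP address in the data stream breaks.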

Page 24

Network Address Translation (NAT)

Advantages
– Helps enforce control over outbound connections
– Helps restrict incoming traffic
– Helps conceal internal network configuration

Disadvantages
– Not good for UDP (guess session lifetimes)
– Doesn’t deal with embedded IP addresses
– Interferes with authentication & encryption
– Interferes with logging & packet filtering

Page 25

Virtual Private Networks

Advantages:
– Provides overall encryption
– Allows use of protocols that are hard to secure any other way

Disadvantages:
– Involves “dangerous” network connections
– Extends the network that must be protected