Security “Tidbits” Neil Daswani
Overview
The FLI Model Infiltrations:
– Viruses / Worms– Lessons Learned
Firewalls & Attacks– What is a firewall?– How do they work?– How to prevent attacks
Security Problems & Solutions
Failure (Process/Storage)
Lies Infiltration
Prevention Physical Security Uninterruptible Power
Firewalls
AuthenticationAuthorizationNon-RepudiationTime-StampingDigital Signatures
Hardware Protection
Firewalls
“Common Sense” Management Non-Stop ProcessesFault-ToleranceWatchdog ProcessorReplication, RAID Backups
Byzantine AgreementReputation Systems
Intrusion DetectionAnti-virus Software
Recovery Fail-OverHot SwappingKey Escrow
Fail-Stop Digital Signatures
Auditing
Certificate Revocation
Morris Worm (1988)
Damage: 6000 computers in just a few hours What: just copied itself; didn’t touch data Exploited:
– buffer overflow in fingerd (UNIX)– sendmail debug mode (exec arbitrary cmds)– dictionary of 432 frequently used passwords
Buffer Overflow Example
void sample_func (char *str) {
char buffer[16];
strcpy (buffer, str);
}
void main (int argc, char *argv) {
sample_func (argv[1]);
}
Morris Worm (1988)
Lessons Learned from Morris– Diversity is good.– Big programs have many exploitable bugs.– Choose good passwords.– Don’t shut down mail servers: did prevent worm
from spreading but also shut down defense– CERT was created to respond to attacks
Melissa (1999)
What: just copied itself; did not touch data When date=time, “Twenty-two points, plus triple word
score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
Exploited:– MS Word Macros (VB)– MS Outlook Address Book (Fanout = 50)
“Important message from <user name> …”
Melissa (1999)
Lessons Learned:– Homogeneity is bad.– Users will click on anything.– Separation of applications is good.– Users “trusted” the message since it came from
someone they knew.– Don’t open attachments unless they are expected.
Other Viruses / Worms
CIH Chernobyl Virus, 1998, Taiwan:– Time bomb: April 26, or 26th of each month– Writes random garbage to disk start at sector 0– attempts to trash FLASH BIOS– Hides itself in unused spaces
Worm.ExploreZip, 1999: Melissa + zeroed out files BubbleBoy, 1999: Melissa-like except doesn’t require
opening an attachment (ActiveX) Love Bug, 2000: “I LOVE YOU” (like Melissa)
Code Red (2001)
Runs on WinNT 4.0 or Windows 2000 Scans port 80 on up to 100 random IP addresses Resides only in RAM; no files Exploits buffer overflow in Microsoft IIS 4.0/5.0
(Virus appeared one month after advisory went out) Two flavors:
– Code Red I: high traffic, web defacements, DDOS on whitehouse.gov, crash systems
– Code Red II: high traffic, backdoor install, crash systems Three phases: propagation (1-19), flood (20-27), termination (28-
31) Other victims: Cisco 600 Routers, HP JetDirect Printers
Code Red (2001)
Lessons Learned:– Don’t use IIS! ;)– Always keep software up-to-date– Proof-of-concept to hide other attacks?
Nimda (2001)
Multiple methods of spreading(email, client-to-server, server-to-client, network sharing)
– Server-to-client: IE auto-executes readme.eml (that is attached to all HTML files the server sends back to the client)
– Client-to-server: “burrows”: scanning is local 75% of time– Email: readme.exe is auto executed upon viewing HTML email
on IE 5.1 or earlier
Nimda (2001)
Lessons Learned:– Install latest web server and browser patches (or
upgrade version altogether)– Don’t use MIME auto-execution– Disable JavaScript– Reject using applications that are routinely
exploited???
Just this week… BadTrans Worm
Spread via email; attacks Windows systems Records (once per second) keystrokes,
usernames, & passwords into windows with titles: LOG, PAS, REM, CON, TER, NET
Sends to – one of 20+ email addresses– one of 15+ from addresses– one of 15+ attachment names w/ 2 extensions
({.doc/.mp3/.zip},{.pif/.scr})
Firewalls
Two major technologies:– Packet Filters– Proxies
Related technologies– Network Address Translation (NAT)– Virtual Private Networks (VPN)
Packet Filtering Routers
Filter on: – IP Source, IP Dest, Protocol (TCP, UDP, ICMP)– TCP/UDP Source & Dest Ports– ICMP Message Type (req,reply,time exceed)– Packet Size– NICs
Stateful vs. Stateless Inspection– i.e., UDP DA/DP checking
Simple Protocol Checking– i.e., Format Checking, Disconnect “anonymous” FTP x-fers
Packet Filtering
Advantages– One router can protect entire network– Simple filtering is efficient– Widely available
Disadvantages– Hard to configure & test– Reduces router performance– Can’t enforce some policies (i.e., user-level)
Proxies
Security vs. Caching Proxies SOCKS: proxy construction toolkit Trusted Information Systems Firewall Toolkit
(TIS FWTK: Telnet, FTP, HTTP, rlogin, X11) Most used to control use of outbound services Can also be used to control inbound services
(reverse proxying)
Proxies
Advantages– Logging, Caching, Intelligent Filtering– User-level authentication– Guards against weak IP implementations
Disadvantages– Lag behind nonproxied services– Requires different servers for each service– Usually requires modifications to client applications
Firewall Architectures
Dual-Homed Host– Services can only be proxied
Screening Router w/ Bastion Host– Security by packet filtering– Bastion host is single point of failure
Screened Subnet– Ext Router, Perimeter, Bastion Host, Interior Router– Internal ethernet packets protected from perimeter
Example Attacks
IP Spoofing TCP SYN Flood SMURF Attack
– ICMP Ping w/ max payload to broadcast address
D-DOS Attack– Infiltrate, set up sleepers, attack at once
References
White-Hat Security Arsenal, A. Rubin Security Engineering, R. Anderson www.webtorials.com, Gary Kessler Building Internet Firewalls, E. Zwicky, et. Al. Counter Hack, E. Skoudis
Network Address Translation (NAT)
Translates network addresses & ports Does not provide additional “security” Possibilities:
– One external address per internal address– Dynamically assign external address– Map multiple internal to one external (port sharing)– Dynamically assign external addresses and ports
Network Address Translation (NAT)
Advantages– Helps enforce control over outbound connections– Helps restrict incoming traffic– Helps conceal internal network configuration
Disadvantages– Not good for UDP (guess session lifetimes)– Doesn’t deal with embedded IP addresses– Interferes with authentication & encryption– Interferes with logging & packet filtering