Right Now, At this Very Moment, Your Computer is Infected
November 8 | From Bits to RSA Dongles: An Introduction to IT Security

start with bits and bytes
• bit (binary digit): the basic unit of information in computing, the amount of information stored by a digital device in one of two possible distinct states: 0 and 1 (not 1 and 2), off/on
• digital value of 1 = positive voltage, up to 5 volts
• digital value of 0 = 0 volts
• 8 bits = 1 byte, usually, but depends on hardware
• byte: the number of bits needed to encode a single character of text in a computer

from binary # to letters
01110000 = p
01101001 = i
01111010 = z
01111010 = z
01100001 = a

data and packets
• data: binary files, 01010010010010010 … etc.
• packet: a unit of data

from binary to text or image
• packet: control information and payload
• control information: data the network needs to deliver the payload, ex. address, error control
• payload: the content of your “digital letter”

From files to programs and applications

OSI model

computer virus
• A program that can replicate itself and spread
• With reproductive ability
• Must attach itself to an existing program
• Will typically corrupt or modify files on targeted computer
• Malware, a more general term to include: viruses, computer worms (causing network harm), Trojan horses (appear benign), rootkits, spyware, adware, etc.
• A Windows-based, backdoor Trojan horse

virus transmission
Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:
• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OSX, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
• Application-specific script files (such as Telix-scripts)
• System-specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB Memory Storage Devices).
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications (see XSS Worm)
• Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.

from binary to decimal
16 bits: 2^16 = 65536 values, numbered 0 to 65535

ports
• A port is an application-specific or process-specific software construct serving as a communications endpoint in a computer’s host operating system, part of the Internet Protocol suite
• Example: HTTP:80 | SMTP:25 | DHCP:68 (client)
• Ports are numbered from 0 to 65535
• Equivalent to 65536 ways into your computer
• Introducing netstat

what your computer is doing with ports
• netstat -a: active connections
• netstat -help: switches and [interval]

common ports
• 21: File Transfer Protocol (FTP)
• 22: Secure Shell (SSH)
• 23: Telnet remote login service
• 25: Simple Mail Transfer Protocol (SMTP)
• 53: Domain Name System (DNS) service
• 80: Hypertext Transfer Protocol (HTTP) World Wide Web
• 110: Post Office Protocol (POP)
• 119: Network News Transfer Protocol (NNTP)
• 143: Internet Message Access Protocol (IMAP)
• 161: Simple Network Management Protocol (SNMP)
• 443: HTTP Secure (HTTPS)

the “brangelina” of ports
• internet: network of networks, millions of networks
• web: system of interlinked hypertext documents
• port: 80
• Try it: http://www.techcomfort.com:81
• Try it: http://www.techcomfort.com:80
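The netstat and common-ports slides above describe a manual procedure: run netstat -a, then look each port up by hand. The following Python script is an added example (not from the slides or any tool they mention) that automates that lookup over constructed netstat output: it parses each row, validates the port as a 16-bit number, names it from the slide's common-ports table (plus the DHCP client port from the ports slide), lists what is LISTENING, and flags established connections to ports the table has no name for. The sample output, the port-to-service table and the field names are assumptions made for the demo; the row layout follows Windows netstat.

```python
import re
from collections import namedtuple

# Port-to-service table copied from the "common ports" slide, plus the
# DHCP client port from the "ports" slide. Anything else reports "unknown".
COMMON_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 68: "DHCP (client)",
    80: "HTTP", 110: "POP", 119: "NNTP", 143: "IMAP", 161: "SNMP", 443: "HTTPS",
}
MAX_PORT = 2 ** 16 - 1  # ports are a 16-bit field: 0 .. 65535

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# One Windows-style "netstat -a" row: proto, local addr:port, foreign addr:port, [state]
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_port(text):
    """'*' means no port (UDP foreign side); otherwise a validated 16-bit number."""
    if text == "*":
        return None
    port = int(text)
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port {port} outside 0..{MAX_PORT}")
    return port


def parse_netstat(output):
    """Turn raw netstat -a text into Conn records, skipping headers and blank lines."""
    conns = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, parse_port(lport), rip, parse_port(rport), state or ""))
    return conns


def service_name(port):
    return COMMON_PORTS.get(port, "unknown")


def summarize(conns):
    """Which ports are open (a 'way in'), and which established connections go to
    ports the table cannot name (worth a second look)."""
    listening = [(c.proto, c.local_port, service_name(c.local_port))
                 for c in conns
                 if c.state == "LISTENING" or (c.proto == "UDP" and c.remote_port is None)]
    unknown_outbound = [(c.remote_ip, c.remote_port)
                        for c in conns
                        if c.state == "ESTABLISHED" and c.remote_port not in COMMON_PORTS]
    return {"listening": listening, "unknown_outbound": unknown_outbound}


# Constructed sample output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49672     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.10:49801     203.0.113.7:5555       ESTABLISHED
  UDP    0.0.0.0:68             *:*
"""

if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE))
    for proto, port, name in report["listening"]:
        print(f"LISTENING  {proto:<4} {port:<6} {name}")
    for ip, port in report["unknown_outbound"]:
        print(f"OUTBOUND   {ip}:{port}  (no common-port name)")
```

Run it against real output by replacing SAMPLE with the text of netstat -a; the "unknown" entries are the ones to research, because a name in the table only tells you what usually lives on that port, not what is actually listening there.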
• Port scan your computer using an on-line tool.
• http://viewdns.info/portscan

ports
• Dean Brady has just instructed us via secure e-mail? to construct a device to combat the “port” menace and make GSPP computers safe for policy analysis. What can we do?

firewalls
• A device or set of devices designed to permit or deny network transmissions
• Based on a set of rules
• Allowing legitimate communications
• Blocking unauthorized access
• Network address translation (NAT) to hide real IP address
• Datacenter rules

private networks
• Private addresses are commonly used in corporate networks, which for security reasons are not connected directly to the Internet
• Private addresses are seen as enhancing network security for the internal network, since it is difficult for an Internet host to connect directly to an internal system.

anti-virus software
• A program used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, trojan horses, spyware and adware
• Many viruses have a signature; detection of a virus involves searching for known patterns
• But what about viruses for which no signature currently exists?
• Current anti-virus software is not good enough to stop the bad guys

malware
• Viruses have gone into stealth-mode
• Malwarebytes’ AntiMalware
• Download, install and run
• What do you find?
• Not enough…

ex. RSA attacked
• The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”
• The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”.
• The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).
• The next step in a typical Advanced Persistent Threat (APT) is to install some sort of a remote administration tool that allows the attacker to control the machine. In our case the weapon of choice was a Poison Ivy variant set in a reverse-connect mode that makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around.

RSA, not the only ones
• The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

RSA, not the only ones
302-DIRECT-MEDIA-ASN 8e6 Technologies, Inc.
AAPT Limited
ABBOTT Abbot Labs
ABOVENET-CUSTOMER – Abovenet Communications, Inc
ACCNETWORKS – Advanced Computer Connections
ACEDATACENTERS-AS-1 – Ace Data Centers, Inc.
ACSEAST – ACS Inc.
ACS-INTERNET – Affiliated Computer Services
ACS-INTERNET – Armstrong Cable Services
ADELPHIA-AS – Road Runner HoldCo LLC
Administracion Nacional de Telecomunicaciones
AERO-NET – The Aerospace Corporation
AHP – WYETH-AYERST/AMERICAN HOME PRODUCTS
AIRLOGIC – Digital Magicians, Inc.
AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AIS-WEST – American Internet Services, LLC.
AKADO-STOLITSA-AS _AKADO-Stolitsa_ JSC
ALCANET Corporate Access
ALCANET-DE-AS Alcanet International Deutschland GmbH
ALCATEL-NA – Alcanet International NA
ALCHEMYNET – Alchemy Communications, Inc.
Alestra, S. de R.L. de C.V.
ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd., Alliance Gateway AS, Broadband Services Provider, Kolkata, India
ALMAZAYA Almazaya gateway L.L.C
AMAZON-AES – Amazon.com, Inc.
AMERITECH-AS – AT&T Services, Inc.
AMNET-AU-AP Amnet IT Services Pty Ltd
ANITEX-AS Anitex Autonomus System
AOL-ATDN – AOL Transit Data Network
API-DIGITAL – API Digital Communications Group, LLC
APOLLO-AS LATTELEKOM-APOLLO
APOLLO-GROUP-INC – University of Phoenix
APT-AP AS
ARLINGTONVA – Arlington County Government
ARMENTEL Armenia Telephone Company
AS INFONET
AS3215 France Telecom – Orange
AS3602-RTI Rogers Cable Communications Inc.
AS4196 – Wells Fargo & Company
AS702 Verizon Business EMEA – Commercial IP service provider in Europe
ASATTCA AT&T Global Network Services – AP
ASC-NET – Alabama Supercomputer Network
ASDANIS DANIS SRL
ASGARR GARR Italian academic and research network
ASIAINFO-AS-AP ASIA INFONET Co.,Ltd./ TRUE INTERNET Co.,Ltd.
ASIANDEVBANK – Asian Development Bank
ASN852 – Telus Advanced Communications Inc.
AS-NLAYER – nLayer Communications, Inc.
ASTOUND-CABLE – Wave Broadband, LLC
AT&T Global Network Services – EMEA
AT&T US
ATMAN ATMAN Autonomous System
ATOMNET ATOM SA Autonomous System
ATOS-AS ATOS Origin Infogerance Autonomous System
ATT-INTERNET4 – AT&T Services, Inc.
AUGERE-AS-AP Augere Wireless Broadband Bangladesh Limited
AVAYA AVAYA
AVENUE-AS Physical person-businessman Kuprienko Victor Victorovich
AXAUTSYS ARAX I.S.P.
BACOM – Bell Canada
BAHNHOF Bahnhof AB
BALTKOM-AS SIA _Baltkom TV SIA_
BANGLALINK-AS an Orascom Telecom Company, providing GSM service in Bangladesh
BANGLALION-WIMAX-BD Silver Tower (16 & 18th Floor)
BANKINFORM-AS Ukraine
BASEFARM-ASN Basefarm AS. Oslo – Norway
BBIL-AP BHARTI Airtel Ltd.
BBN Bredbaand Nord I/S
BC-CLOUD-SERVICES
BEAMTELE-AS-AP Beam Telecom Pvt Ltd
BEE-AS JSC _VimpelCom_
BELINFONET Belinfonet Autonomus System, Minsk, Belarus
BELLSOUTH-NET-BLK – BellSouth.net Inc.
BELPAK-AS BELPAK
BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
BENCHMARK-ELECTRONICS – Benchmark Electronics Inc.
BEND-BROADBAND – Bend Cable Communications, LLC
BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
BIGNET-AS-ID Elka Prakarsa Utama, PT
BLUEWIN-AS Swisscom (Schweiz) AG
BM-AS-ID PT. Broadband Multimedia, Tbk
BN-AS Business network j.v.
BNSF-AS – Burlington Northern Sante Fe Railway Corp
BNT-NETWORK-ACCESS – Biz Net Technologies
BORNET Boras Energi Nat AB
BREEZE-NETWORK TOV TRK _Briz_
BSC-CORP – Boston Scientific Corporation
BSKYB-BROADBAND-AS BSkyB Broadband
BSNL-NIB National Internet Backbone
BT BT European Backbone
BT-ITALIA BT Italia S.p.A.
BTN-ASN – Beyond The Network America, Inc.
BTTB-AS-AP Telecom Operator & Internet Service Provider as well
BT-UK-AS BTnet UK Regional network
CABLECOM Cablecom GmbH
CABLE-NET-1 – Cablevision Systems Corp.
CABLEONE – CABLE ONE, INC.
CABLEVISION S.A.
CACHEFLOW-AS – Bluecoat Systems, Inc.
CANET-ASN-4 – Bell Aliant Regional Communications, Inc.
CANTV Servicios, Venezuela
CAPEQUILOG – CapEquiLog
CARAVAN CJSC Caravan-Telecom
CARRIER-NET – Carrier Net
CATCHCOM Ventelo
CCCH-3 – Comcast Cable Communications Holdings, Inc
CDAGOVN – Government Telecommunications and Informatics Services
CDS-AS Cifrovye Dispetcherskie Sistemy

command and control

conclusions
• Google and RSA aren’t safe, and you aren’t either
• But there are lots of targets, so minimize your footprint, make yourself a more difficult target
• Run anti-virus with real-time protections, whatever the vendor
• Run anti-malware
• Use a firewall, or multiple firewalls, hardware and software
• Use network address translation (NAT)
• Make backups, so you can rebuild, if necessary

next time: SQL Quiz, IT Security (continued) and Final Projects Planning
• Case Study: Distributed Denial: the Tech of Cyber Attack in the Russo-Georgian Conflict of August 2008
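The anti-virus slide says detection means "searching for known patterns" and then asks what happens when no signature exists. The following Python script is an added illustration of exactly that, not code from the slides or from any anti-virus product: a tiny signature database (family names and byte patterns are invented for the demo) is scanned across a handful of constructed "files". The known sample and the macro document are caught; a sample of the same family whose bytes differ from the recorded pattern is not, which is the gap the slide points at and the reason the conclusions slide also calls for anti-malware, firewalls and backups rather than anti-virus alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # hypothetical family name (constructed for this demo)
    pattern: bytes  # byte sequence seen in every known sample of that family


# Constructed signature database; names and patterns are invented, not real AV data.
SIGNATURES = [
    Signature("Demo.Backdoor.A", bytes.fromhex("4d5a9000") + b"PAYLOAD"),
    Signature("Demo.MacroDropper.B", b"AutoOpen\x00Shell("),
]


def scan(data, sigs=SIGNATURES):
    """Names of every signature whose byte pattern occurs anywhere in data."""
    return [s.name for s in sigs if s.pattern in data]


def scan_files(files, sigs=SIGNATURES):
    """Scan a {filename: bytes} mapping; return only the files that hit."""
    hits = {}
    for name, blob in files.items():
        found = scan(blob, sigs)
        if found:
            hits[name] = found
    return hits


# Constructed sample files. "MZ" is the header every Windows executable starts with,
# and d0 cf 11 e0 is the header of an old-style Office document; the rest is filler.
FILES = {
    "notes.txt":   b"quarterly numbers, nothing to see",
    "tool.exe":    b"MZ\x90\x00" + b"\x00" * 16 + b"hello",
    "known.exe":   b"MZ\x90\x00PAYLOAD" + b"\x00" * 16,
    "rebuilt.exe": b"MZ\x90\x00LOADPAY" + b"\x00" * 16,   # same family, bytes differ
    "plan.xls":    b"\xd0\xcf\x11\xe0" + b"AutoOpen\x00Shell(",
}


def unflagged(files=FILES, sigs=SIGNATURES):
    """Files no signature matched: clean files and, crucially, unknown variants alike."""
    return sorted(set(files) - set(scan_files(files, sigs)))


if __name__ == "__main__":
    for fname, names in scan_files(FILES).items():
        print(f"{fname}: {', '.join(names)}")
    print("unflagged:", unflagged())
```

The scanner cannot tell rebuilt.exe from tool.exe or notes.txt: all three are simply "no match". That is why the slide's "real-time protections" and the later layers in the conclusions matter, since a signature only ever describes what has already been seen.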
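The firewall and private-network slides describe rule-based permit/deny plus NAT, and the RSA slides explain why a reverse-connect tool is harder to catch: the PC initiates the connection, so an inbound-only rule set never sees anything to block. The following Python script is an added example, not code from the slides or from any firewall product, that puts those two ideas side by side. It evaluates constructed flows against two rule sets (one that filters only inbound traffic, one that also restricts outbound traffic to the services the LAN needs) and uses the standard ipaddress module to decide whether a flow from a private address has to be translated at the edge. The rule model, addresses and port numbers are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    action: str                     # "allow" or "deny"
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    direction: str
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate(rules, flow):
    """First matching rule wins; a flow that matches no rule is denied (default deny)."""
    for r in rules:
        if r.direction == flow.direction and r.dst_port in (None, flow.dst_port):
            return r.action
    return "deny"


def needs_nat(flow):
    """Outbound traffic from a private (RFC 1918) source must be translated to the
    edge's public address; that is the 'hide real IP address' point on the firewall slide."""
    return flow.direction == "out" and ipaddress.ip_address(flow.src_ip).is_private


# Rule set 1: filters only what comes in; anything leaving the LAN is trusted.
INBOUND_ONLY = [
    Rule("in", "allow", 443),
    Rule("in", "deny"),
    Rule("out", "allow"),
]

# Rule set 2: also restricts what leaves, to DNS and web only.
EGRESS_FILTERED = [
    Rule("in", "allow", 443),
    Rule("in", "deny"),
    Rule("out", "allow", 53),
    Rule("out", "allow", 80),
    Rule("out", "allow", 443),
    Rule("out", "deny"),
]

# Constructed flows; 192.168.1.10 is a private LAN host, the others are documentation /
# example addresses, not real hosts.
WEB_BROWSING = Flow("out", "192.168.1.10", "93.184.216.34", 443)
INBOUND_C2 = Flow("in", "203.0.113.7", "192.168.1.10", 5555)   # controller connects in
REVERSE_C2 = Flow("out", "192.168.1.10", "203.0.113.7", 5555)  # PC reaches out instead


def compare(flow):
    """Verdict of each rule set for one flow."""
    return {
        "inbound_only": evaluate(INBOUND_ONLY, flow),
        "egress_filtered": evaluate(EGRESS_FILTERED, flow),
    }


if __name__ == "__main__":
    for name, flow in [("web", WEB_BROWSING), ("inbound C2", INBOUND_C2), ("reverse C2", REVERSE_C2)]:
        print(f"{name:<11} nat={str(needs_nat(flow)):<5} {compare(flow)}")
```

Both rule sets stop a controller that tries to connect in, because the LAN address is private and the inbound rules deny it. Only the egress-filtered set stops the reverse-connect flow, and it does so without knowing anything about the tool: the destination port simply is not one the LAN is allowed to use. That is the practical meaning of "use a firewall, or multiple firewalls" in the conclusions.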