IT Security Issues and PolyU Cases


ITS Offsite Workshop 2002

IT Security


Agenda:

Security Issues and PolyU Cases

PolyU Computer Systems Security Policy (SSP)

ITS/CLO Partnership in IT Security Implementation

Security Issues

Security Issues and PolyU Cases

By Chan Ping Fong, Senior Computer Officer, Information Technology Services Office

Security Issues

Universities are known to be vulnerable spots!

Why?

Security Issues

Typical University IT Environment ...

10,000+ networked devices

Very high-speed, high-capacity networks with fast connections to the Internet

Hardware and software deployed are significantly diverse

Security Issues

Typical University IT Environment ...

Usually first to implement new technologies, sometimes even before they have matured

Residence Halls networked

Networked systems are being probed continually for vulnerabilities

Security Issues

Typical University IT Environment…

Computer locations vary widely, from under someone's desk to professional data centres

Departments control own technology and mostly act independently

Non-existent or under-staffed technical/security staff

Security Issues

Typical University IT Environment

Hundreds of people authorized to access confidential information from central databases

Users can extract data to any networked device and manipulate it with local tools

Once extracted, no one knows on which of the thousands of networked devices sensitive data is hosted

Security Issues

Typical Security Threats

Virus Attacks

Hacking and Cracking

User Abuses

Spam Mails

Denial of Service (DoS) Attacks

Cases reported and complaints received almost every day

Security Issues

Virus Attacks

Melissa

I Love You

SirCam

Code Red and Code Red II

Nimda

Goner

Security Issues

Nimda: multiple attack mechanisms

– Spreads via email (not an attachment)

– Spreads via visiting an infected web page

– Targets 16 vulnerabilities!! (some IIS, but not all)

Nimda also threatened internal networks

– Unlike Code Red, which only attacked IIS servers

– Windows 9x and NT vulnerable via ‘open share attack’

– Attacks IIS via Web Folder Traversal (malformed GET request)

– And also via an incorrect MIME header
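The Web Folder Traversal vector above works by sending a GET whose path, once the server decodes it, climbs out of the web root. As an added defensive example (not code from this presentation or from ITS), the Python below parses constructed IIS-style log lines and flags requests whose decoded path escapes the document root, including double-encoded and backslash-encoded forms. The log format, client addresses and request paths are all constructed for the example.

```python
"""Flag directory-traversal attempts in IIS-style web server log lines.

Added example, not from the presentation: the log lines are constructed to
resemble W3C extended log entries (date time client-ip method uri-stem status);
the client addresses come from the RFC 5737 documentation range.
"""
import re
from urllib.parse import unquote

# Constructed sample log: one client probes with three encodings of "..",
# the others make ordinary requests (including a harmless "docs/../index.html").
SAMPLE_LOG = """\
2002-10-08 09:12:01 192.0.2.5 GET /index.html 200
2002-10-08 09:12:03 192.0.2.7 GET /scripts/..%5c../private/data.txt 404
2002-10-08 09:12:04 192.0.2.7 GET /msadc/..%255c..%255c../private/data.txt 404
2002-10-08 09:12:05 192.0.2.9 GET /images/logo.gif 200
2002-10-08 09:12:06 192.0.2.7 GET /scripts/../../private/data.txt 404
2002-10-08 09:12:07 192.0.2.11 GET /docs/../index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def decode_path(raw_uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding such as %255c),
    drop any query string, and map backslashes to forward slashes so that
    "..\\" is treated the same as "../"."""
    path = raw_uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_webroot(raw_uri: str) -> bool:
    """True if the decoded path climbs above the document root.

    Walk the segments keeping a depth counter: ".." lowers it, a normal
    segment raises it. The moment depth goes negative the request has
    escaped the root, whatever it goes on to name."""
    depth = 0
    for segment in decode_path(raw_uri).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def parse_line(line: str):
    """Split one constructed log line into a record, or None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    _date, _time, client, method, uri, status = match.groups()
    return {"client": client, "method": method, "uri": uri, "status": int(status)}


def find_traversal_attempts(log_text: str):
    """Return (client, raw uri) for every request whose path escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and escapes_webroot(record["uri"]):
            hits.append((record["client"], record["uri"]))
    return hits


def suspicious_clients(log_text: str):
    """Distinct client addresses that made at least one traversal attempt."""
    return sorted({client for client, _ in find_traversal_attempts(log_text)})


if __name__ == "__main__":
    for client, uri in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {uri}")
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

The check deliberately decides on the decoded path rather than on a fixed list of bad strings, which is why the request that merely visits `docs/../index.html` is not flagged while the three encoded probes are. A 404 in the status column does not mean the attempt was harmless; the server that was actually vulnerable would have returned 200.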

Security Issues

Any PC on the Net communicates using TCP/IP

Anyone could knock on your doors

There are 65535 ports

Your machine may serve on any of 65536 ports

• Port scanning by hackers

– Finds the weakest link

• Keeping you busy so you can’t do any useful work

– Denial of Service (DoS attack)

Security Issues

• Member of HARNET

– Another cyber community on the Internet

• More web applications on the campus network

– More exposure and risk

• Restricted access from outside

– By the PolyU firewall, proxy server and VPN

• Limited restriction on access to PCs within campus

– Protected by switches and routers

– Protected by departmental or personal firewalls

– The rest: limited restriction

Security Issues

Hacking and Cracking (Before)

Only really good hackers could crack

• Difficult to write programs to affect operating systems

• Cracking was “expensive”: learning curve and time

Most cracking had specific purposes, e.g. financial gain, espionage, sabotage

Security Issues and Problems at PolyU

Hacking and Cracking (Now) …

• Veteran crackers are “publishing” code for neophyte crackers, e.g. log-wipe utilities

• Operating system and application APIs are easy to use, e.g. Microsoft VBS

• More complicated operating systems and software cause more bugs

• Automated vulnerability scanning

Security Issues

Hacking and Cracking (Now)

• Cracking for profit, e.g. credit card theft, industrial espionage

• Cracking for fun, e.g. “script kiddies”

• Cracking for political reasons, e.g. PRC Government webpage defacements

• Cracking as part of cyber-warfare

Security Issues

Cracker Mentoring

Veteran crackers writing and publishing tools

Cracker tools exist for cellular, voice, data communications

Cracker FAQs exist for almost all systems

Security Issues

Typical Hacking and Cracking

Unauthorized access

Cracking password

Trojan horse

Tapping

• Remote capture of someone’s workstation

Security Issues

Typical User Abuses

Download huge files

Send out unsolicited massive emails

Steal and sell email addresses

Steal and leak out passwords to others

Security Issues

Typical User Abuses

Put unlicensed software/films/songs for others to download

Conduct commercial activities using PolyU IT facilities and resources

Security Issues

Spam Mails

Chain letters

Spreading large number of e-mails to many different users

Mail relay

Security Issues

Denial of Service Attacks

Port Scanning

Ping Flooding

Mail bomb

Re-broadcasting of unwanted packets

Quote from Richard A. Clarke

“The Internet was built without a government or master plan. It was also built without security as part of the central design. Our entire infrastructure is vulnerable because security was not designed in from the ground up.”

Richard A. Clarke, National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, speaking at the Washington D.C. Summit, 18 April 2000

Quote from Computer Economics

“It is estimated that the worldwide impact of malicious code was 13.2 Billion Dollars in the year 2001 alone, with the largest contributors being SirCam at $1.15 Billion, Code Red (all variants) at $2.62 Billion, and NIMDA at $635 Million.”

Computer Economics, 2001 Economic Impact of Malicious Code Attacks, 02 Jan 2002

It’s a wild world

• Every week we see new break-ins, new attack tools, new vulnerabilities

• 2002 CSI/FBI Computer Crime and Security Survey (503 respondents):

– 90% of respondents detected “unauthorized use of computer systems” in the last 12 months;

– The combined losses from just 223 respondents totalled $445 million

– $170 million from “theft of proprietary info” and $19 million from “system penetration”

Top 10 Attack Source by Country

[Bar chart, image not reproduced. Vertical axis 0% to 35%. Countries shown: Japan, Great Britain, Italy, Taiwan, Canada, France, Germany, China, South Korea, United States. Bar values shown: 2.0%, 2.5%, 2.5%, 2.6%, 3.9%, 4.5%, 5.9%, 7.8%, 8.8%, 29.6%.]

Top 10 Attack Sources per Internet Capita, “in terms of number of attacks per 10,000 Internet Users”

[Bar chart, image not reproduced. Vertical axis 0 to 30. Countries shown: Denmark, Taiwan, Poland, Malaysia, Turkey, France, South Korea, Thailand, Hong Kong, Israel. Bar values shown: 26.16, 14.50, 11.57, 10.03, 8.60, 7.85, 7.74, 7.52, 7.10, 7.07.]

Some Security News …

• Bugbear worm tries to steal credit cards and passwords, 10 Oct 02

• CERT Advisory: Trojan Horse Sendmail Distribution, 08 Oct 02

• W32/Bugbear-A continues to cause problems, 07 Oct 02

• Cyberattacks against energy firms rise, 09 Jul 02

• Hacker swipes $35,000 from Singapore bank, 05 Jul 02

Security Issues and Problems at PolyU

Intrusion Purposes/Consequences …

Unauthorized access to data

Installation of malicious code to collect passwords, keystrokes, or other data in transit

Huge consumption of network resources, leading to slow to no response on campus network

Security Issues

Intrusion Purposes/Consequences

Loss of machine power for intended purposes

Defacement for political reasons

Installation of programs to support attacks on internal or external systems, e.g. DDoS zombies

Security Issues

• URL of incident

– http://www.attrition.org/mirror/attrition/2000/09/19/www.banking.hsbc.co.uk/mirror.html

“Note to the administrator: You should really enforce stronger passwords. I cracked 75% of your NT accounts in 16 seconds on my SMP Linux box.

Please note the only thing changed on this server is your index page, which has been backed up. Nothing else has been altered.”

IT Security Stories

Should it take an incident to wake us up?

Indiana U Office of the Bursar (2001)

IU Faculty Research Information Database (1997)

University of Michigan patient records

University of Washington patient records

Stolen passwords at Berkeley, UCLA, Harvard

Many other cases not publicized

Recent Case at our Sister University

A student hacked into the PCs of 4 other students

Accessed the homework of other students

Obtained the password of another student

Impersonated the classmate and withdrew them from the university

The PolyU Real Cases


The PolyU Real Cases

PolyU Real Case 1

E-mails sent to staff in the same department accusing senior members of sexual abuse

ITS investigated and located the source at another institution in HK

Case reported to the police and a member of that institution identified

Police decided not to pursue due to ‘public interest’

The PolyU Real Cases

PolyU Real Case 2 …

Departments (and some students) sent out surveys and promotional e-mails to a large number of recipients

Recipients regarded the mail as spamming and filed complaints to PolyU

Some recipients (ISPs) blacklisted PolyU and barred PolyU e-mails

The PolyU Real Cases

PolyU Real Case 2

Some departments requested ITS to help but disregarded ITS’s advice and kept on sending

Case reported to the Human Subject Ethics Subcommittee

The PolyU Real Cases

PolyU Real Case 3

Millions of short enquiry packets (pings) sent out to the Internet by a department

Ate up over 80% of PolyU’s Internet bandwidth for 2 hours

ITS traced two machines in the department’s lab; hundreds of hours wasted

Nobody was identified because no logs were kept in the lab

Many more similar cases detected in the same department
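Both the port-scanning slide earlier (“find out the weakest link”, DoS) and Case 3 here come down to the same operational gap: without per-host traffic records nobody can say which machine scanned or flooded. As an added example (not ITS’s own tooling and not from the presentation), the Python below runs two simple detectors over constructed flow records of the kind a router or firewall can export: one flags a source that touches many distinct destination ports within a short window, the other flags a source whose ICMP echo rate exceeds a per-second threshold. The record layout, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions for the example.

```python
"""Spot port-scan and ping-flood sources in per-packet flow records.

Added example, not from the presentation. Each record is a constructed tuple
(timestamp_seconds, src_ip, dst_ip, proto, dst_port) with dst_port 0 for ICMP.
"""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 20    # distinct (dst-ip, dst-port) pairs from one source ...
WINDOW_SECONDS = 10         # ... within this many seconds
PING_FLOOD_THRESHOLD = 100  # ICMP packets per second from one source


def build_sample():
    """Constructed traffic: one ordinary host, one port scanner, one ping flooder."""
    rows = []
    # Ordinary host: ten web requests and five pings to the same server.
    for t in range(10):
        rows.append((100 + t, "192.0.2.10", "203.0.113.5", "tcp", 80))
    for t in range(5):
        rows.append((110 + t, "192.0.2.10", "203.0.113.5", "icmp", 0))
    # Port scan: 40 different ports on one host within about 5 seconds.
    for port in range(1, 41):
        rows.append((200 + port // 10, "192.0.2.20", "203.0.113.9", "tcp", port))
    # Ping flood: 500 echo requests spread over 2 seconds.
    for i in range(500):
        rows.append((300 + i // 250, "192.0.2.30", "198.51.100.1", "icmp", 0))
    return rows


def detect_port_scans(rows, threshold=PORT_SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Sources that reach at least `threshold` distinct (dst, port) pairs
    inside any `window`-second sliding window of their own TCP traffic."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, port in rows:
        if proto == "tcp":
            by_src[src].append((ts, dst, port))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits in `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {(dst, port) for _, dst, port in events[start:end + 1]}
            if len(distinct) >= threshold:
                scanners.add(src)
                break
    return sorted(scanners)


def detect_ping_floods(rows, threshold=PING_FLOOD_THRESHOLD):
    """Sources whose ICMP packet count in any one-second bucket exceeds `threshold`."""
    per_second = defaultdict(int)
    for ts, src, _dst, proto, _port in rows:
        if proto == "icmp":
            per_second[(src, int(ts))] += 1
    return sorted({src for (src, _), count in per_second.items() if count > threshold})


def summarise(rows):
    """Run both detectors and return the offending sources, keyed by pattern."""
    return {
        "port_scanners": detect_port_scans(rows),
        "ping_flooders": detect_ping_floods(rows),
    }


if __name__ == "__main__":
    for pattern, sources in summarise(build_sample()).items():
        print(f"{pattern}: {', '.join(sources) or 'none'}")
```

The thresholds are the part to tune: a lab full of students running network tools will trip a 20-port rule more often than a staff office, but the point of Case 3 stands either way, because even a coarse rule names a machine to look at, and no rule at all names nobody. Keeping the raw records for a few days is what turns “nobody was identified” into a ten-minute query.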

The PolyU Real Cases

PolyU Real Case 4 …

A graduate student sent out a large volume of e-mails on the Internet to solicit money to help his sick wife

Over 200 complaints were received by ITS from all over the world

Some recipients reported to their police and activated investigation by HK and PRC police

The PolyU Real Cases

PolyU Real Case 4

During the investigation, it was also found that the student had used the PolyU IP address to register and host a commercial website for business activities

Case reported to the Head

The PolyU Real Cases

PolyU Real Case 5

A graduate student sent obscene e-mails, more than once, to over 200 selected recipients in the media and the HK higher education community to attack a senior staff member in his department

Vast amount of time spent in the investigation. More than 200 man-hours just in ITS plus that of the senior management

The PolyU Real Cases

PolyU Real Case 6

The lab instructor of a training course mistakenly created an infinite loop among the campus NetWare servers

Paralysed the whole campus network, which finally had to be shut down and restarted

ITS spent over 100 man-hours tracing the problem and the instructor and fixing the network

The PolyU Real Cases

PolyU Real Case 7 …

Code Red, Code Red II and Nimda virus attacks

ITS sent out alerts and patches to all users

ITS called urgent meetings with departments

ITS identified and isolated infected ports to contain the impact

Over 300 PolyU PCs affected by Nimda

The PolyU Real Cases

PolyU Real Case 7

Affected machines in turn degraded performance of the campus network and Internet

Damage considered small compared to two other HK institutions which had to shut down the entire campus network to ‘stop the bleeding’

The PolyU Real Cases

PolyU Real Case 8

Some Linux machines in some departments were attacked

They became the ‘launch pad’ of port scanning to other machines on campus and the Internet

ITS received many complaints

The department refused to take action and ITS had to disable their ports from the network

The PolyU Real Cases

Other PolyU Real Abuses

Theft of passwords

Use PolyU IT resources to solicit money

Use PolyU IT resources to run business

Give computer accounts to other persons

Insult other users on the Internet with foul language

Mail bombs

The PolyU Real Cases

Institutional Risks

Reputation of the institution tarnished

Increases the risk of suits filed by students and others and associated liability

Waste of resources

The PolyU IT Security

Prevention is better than cure

Users cooperate and follow ITS advice

Must be secure to sustain the future

The cooperation of CLO is essential

IT Security

Thank you
