Slides - TERENA Networking Conference 2005

Understanding the Risks
Is Safe Computing Possible?
Bob Cowles
bob.cowles@slac.stanford.edu
TERENA Conference 2005 – Poznań, Poland
Work supported by U. S. Department of Energy contract DE-AC03-76SF00515
Final Thoughts (Spring 2004)
Attacks coming faster; attackers getting smarter
Complex attacks using multiple vulnerabilities
No simple solution works
  - Patching helps
  - Firewalls help
  - AV & attachment removal help
  - Encrypted passwords/tunnels help
You can’t be “secure”; only “more secure”
We must share information better
7 June 2005
TNC 2005
2
Passwords captured on WiFi
YM%lsd.512
severine
n0mad
cris1964
cms2wa97
luciole
n0811a
xxxx8769 & xxxx0255
Public Access
Insecure Protocols
Cleartext protocols
  - http – sometimes difficult to tell
  - smtp – visible emails as they are sent/received
  - pop – visible email and possible passwords
  - imap – visible email and possible passwords
  - ftp & telnet – visible sessions and passwords
Network file systems
Faked service providers
Public Access
Insecure Protocols
• Instant messaging
  - aim
  - yahoo messenger
  - ICQ
  - jabber
• Kiosks
• Vulnerable to worms on “local network”
  - Blaster vulnerability discovered by local LSD group
• Passwords for coffee
  http://www.theregister.co.uk/2005/05/06/verisign_password_survey/
• Lists of recent compromises
  http://www.emergentchaos.com/archives/cat_breaches.html
ssh and Other Compromises
Attacker installs trojaned ssh w/ keylogger
Later suspected tactics:
  - Scan for open X sessions (xhost +)
  - Windows compromises
      • hacker defender rootkit installed
  - session hi-jacking
http://www.cnn.com/2005/TECH/05/10/govt.computer.hacker/
http://www.sfgate.com/cgibin/article.cgi?file=/c/a/2005/05/10/MNGSCCMIJ21.DTL
Replaced by ssh weak password scanning
http://www.frsirt.com/exploits/08202004.brutessh2.c.php
On the Increase
• Phishing
  http://www.techworld.com/news/index.cfm?RSS&NewsID=3638
  - 419 – Now job ads
    http://www.theregister.co.uk/2005/05/09/419_job_ads/
• Pharming
  http://www.channelregister.co.uk/2005/04/08/dns_attacks_attempt_to_mislead_consumers/
• Spyware (p2p)
  http://en.wikipedia.org/wiki/Spyware
• Google hacking
  http://johnny.ihackstuff.com/index.php?module=prodreviews
Where It Really Goes …
http://scgi.ebay.com/verify_id=ebay &fraud alert id
code=00937614
<http://210.95.98.124:81/aw-cgi/SignIn.php?mail=osgint@opensciencegrid.org>
Postbank Phishing (04 June)
Courtesy of Vincent 'rastakid' van Scherpenseel
http://www.syn-ack.org/papers/postbank.html
Where it appears to go:
http://www.postbank.nl/gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3
Where it goes:
href="http://www.google.es/url?q=http://go.msn.com/HML/1/5.asp?target=http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/"
Where it REALLY goes:
http://hkschfo.da.RU/
Login popup in front of real Postbank page
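
The redirect-and-encoding disguise on this slide can be unwound offline before anyone clicks. The following is an added example, not part of the original slides: a Python helper that walks nested redirect parameters as text only and percent-decodes each host, dropping embedded tabs (%09). The sample URL, the `.example` host names and the `REDIRECT_PARAMS` list are constructed assumptions.

```python
from urllib.parse import unquote, urlsplit

# Assumption: query parameters that commonly carry a redirect target.
REDIRECT_PARAMS = {"q", "target", "url", "u"}

# Constructed sample modelled on the slide's link; all names are reserved .example hosts.
SAMPLE = ("http://search.example/url?q=http://redirect.example/HML/1/5.asp"
          "?target=http://%63ollect%09%6fr%2Eex%09ample/")


def visible_host(raw_host):
    """Percent-decode a host and drop whitespace/control characters such as %09."""
    decoded = unquote(raw_host)
    return "".join(c for c in decoded if c.isprintable() and not c.isspace()).lower()


def next_hop(raw_query):
    """Return the first absolute URL carried in a redirect parameter, else None."""
    for pair in raw_query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() in REDIRECT_PARAMS:
            # Decode only when the nested URL was itself encoded (http%3A%2F%2F...).
            candidate = value if "://" in value else unquote(value)
            if candidate.lower().startswith(("http://", "https://")):
                return candidate
    return None


def redirect_chain(url, max_hops=5):
    """Decoded host of every hop, outermost first; parses text only, fetches nothing."""
    hosts = []
    while url and len(hosts) < max_hops:
        parts = urlsplit(url)
        hosts.append(visible_host(parts.hostname or ""))
        url = next_hop(parts.query)
    return hosts


def is_disguised(url):
    """True when the link's first host is not where the chain finally lands."""
    hosts = redirect_chain(url)
    return hosts[0] != hosts[-1]


if __name__ == "__main__":
    print(" -> ".join(redirect_chain(SAMPLE)))
    print("disguised:", is_disguised(SAMPLE))
```

A mail filter or proxy can log the last element of `redirect_chain` next to the displayed link text and flag messages where the two name different sites.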
New Technologies
• Bluetooth
  - I 0wn your Lexus
    http://www.cryptonomicon.net (site being rebuilt)
  - Hacking “secure” Bluetooth devices
    http://www.newscientist.com/article.ns?id=dn7461
• RFID
  http://www.rfidbuzz.com/news/2004/rfdump.html
• VoIP
  http://www.pcworld.com/resource/article/0,aid,120668,pg,1,RSS,RSS,00.asp
• 0wned by iPod
  http://md.hudora.de/presentations/firewire/PacSec2004.pdf
Collaborative Environments
• Organizations of resource consumers cross multiple resource providers
• Resource consumer organization manages the user base; users are not registered in advance with providers
• Authorization assertion from organization identifies valid users
• Many security implications
  - Incident response
  - Credential theft
  - Adequacy / usability of audit information
  - Maintenance of persistent resource (e.g. storage) ownership
UN on Fighting Cybercrime
Create culture of cybersecurity
Prevention & prosecution of cybercrime
Address needs of developing countries too
Coordinated efforts to facilitate practical research
Global approaches to avert & mitigate impact on
  • Critical infrastructure
  • Sustainable development
  • Privacy protection
  • eCommerce, banking and trade
http://www.crime-research.org/news/05.12.2005/1225/

Late Breaking News
• Numerous versions of Mytob (125 in 3 mos)
  - Turns off anti-virus
  - Opens backdoor for further compromise
• 00 June 2005 – Apple QuickTime allows information theft
  - Invisible – while playing a QuickTime movie
  - Download version 7.0.1. (Macs only. Profile info only)
• 01 June 2005 – Coordinated malware attack
  - Glieder – Eight variants. Opens backdoor
  - Fantibag – Disables antivirus & Windows Update
  - Mitglieder – Opens backdoor for control
• 06 June 2005 – Spybot worm variant
  - Spreads through network shares or unpatched systems
  - Opens backdoors for further compromise
Final Thoughts (June 2005)
• All operating systems are vulnerable
  http://www.theregister.co.uk/2005/05/05/apple_mega_patch/
• All browsers are vulnerable (Firefox vulnerability)
  http://www.theregister.co.uk/2005/05/09/firefox_0day_exploit/
• No simple solution – security still too complex
  - Patching helps
  - Firewalls help
  - AV & attachment removal & spam filters help
  - Encrypted passwords/tunnels help – if used!!
• You can’t be “secure”; only “more secure”
• We must share information (100 best security web sites)
  http://www.uribe100.com/index100.htm