Through The Eye of The Hacker: A Look At Security And The Future

Krizi Trivisani, Chief Security Officer
Amy Hennings, Assistant Director

November 6, 2003

Copyright Krizi Trivisani, Amy Hennings 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.



Agenda

• The Security Landscape – The Violation Situation
• Worm Damage and Trends
• Attacker Strategies
• Security Awareness


The Security Landscape – The Violation Situation 2001

Total Violations went from 354 to 5526 – an increase of 1,560%

[Chart: Security Metrics Comparison 2001. Series: Total Minor Violations, Total Severe Violations, Total Violations by Month. X axis: Month and Total Violations (January through December). Y axis: Number of Violations (0 to 10,000).]


The Security Landscape – The Violation Situation 2002

[Chart: Security Metrics Comparison 2002. Series: Total Minor Violations, Total Severe Violations, Total Violations by Month. X axis: Month and Total Violations (November through November '02). Y axis: Number of Violations (0 to 8,000).]

Average number of violations per month in 2002 is 7197


The Violation Situation Continued: Email Viruses Filtered

[Chart: Trend Virus Filter Monthly Comparison. X axis: Month and Total Viruses (December through November '02). Y axis: labelled Number of Violations (0 to 200,000).]

22,271 in December of 2001 increased to 150,936 in November of 2002


The Violation Situation Continued: Email Viruses Filtered

150,936 in November of 2002 increased to 1,629,194 in August of 2003

[Chart: Trend Virus Filter Monthly Comparison. X axis: Month and Total Viruses (September '02 through August '03). Y axis: labelled Number of Violations (0 to 2,000,000).]


The Security Landscape – The Violation Situation 2003

Violations per month in 2003 have increased so dramatically we had to change what we were tracking!

• Incidents just to [email protected] August = 2073
– Correspondence = 138
– Incident notices = 100
– Random/User errors = 19
– SPAM = 423
– Virus = 1287
– Virus Complaints = 106

• Blaster infections – 800
• Minor scans, Minor hacks, Incidents of suspicious activity, External Attempted Hacks – tens of thousands per month!


History of Security at GW

[Timeline figure. Date markers: May 2000, Sep 2000, Jan 2001, Jul 2001, Aug 2001, Sep 2001, Nov 2001, Dec 2001, Jan 2002, Jul 2002, Aug 2002, Oct 2002, Nov 2002. Events shown:]

• Information Security Office Created
• NIST Levels Envisioned
• Baseline Security Assessment Grade C
• Formal Scanning Lab Created & 1st Security Forum
• 1st Month of Recorded Violations – 354
• Trend Virus Filter Added To Email, 39,329 Filtered In 1st Month
• Total Violations For 2001: 46,378; Viruses Filtered August - December: 206,410
• Policy Center & NIST Level 1 Achieved
• Web pages & Awareness Program
• Security Architecture
• November ONLY: Security Violations = 7,200; Viruses Filtered = 155,032

Throughout 2001 and 2002, the network has not been brought down by a security incident.

[Figure labels: Violations 354, 7,200; Viruses Filtered 155,032]


History of Security at GW

[Timeline figure. Date markers: Nov 2002, Jan 2003, Mar 2003, May 2003, July 2003, Aug 2003, Sep 2003. Events shown:]

• Wireless with VPN
• Application Level Security Assessment
• Continued Scanning enhancements
• Recorded Violations reach over 30,000
• Workstation management tools
• Aggressive awareness of patches, anti-virus
• 6000 ResNet Students return
• 1,629,194 Viruses Filtered
• 800 Blaster Infections
• Security Committee Formed
• FTC and GLB
• Network Monitoring Upgrades
• Ashburn Data Center Created

Throughout 2003, the network has not been brought down by a security incident.

[Figure labels: Violations 10’s of thousands; Viruses Filtered 1,629,194]


Vulnerabilities on the Rise

New Vulnerabilities per Week

[Bar chart. X axis: '99, '00, '01, '02, '03 Proj. Bar labels: 10, 25, 30, 50, 70. Y axis: 0 to 70. Source: Symantec]


What Attacks??

• A worm is a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.

• A worm is a special type of virus that can replicate itself and use memory, but does not attach itself to other programs.


Worm In Action


Worldwide Impact of Slammer

• Telecommunications services failed throughout South Korea

• Airlines were impacted; several had to resort to manual backup procedures, which slowed service

• Thousands of ATMs and related transactions halted
– Bank of America
– Canadian Imperial Bank of Commerce in Toronto
– Publix supermarket cash back functions unavailable

• US Dept of State, Agriculture, Commerce, and units of Defense were hit especially hard.

• Analysts blame dip in Asian stock market on the worm

• Many news agencies were crippled:
– Associated Press
– The Philadelphia Inquirer
– The Atlanta Journal-Constitution


Blaster, Welchia, And Others

A recent survey including 882 respondents determined that the MS Blaster worm:

– Remediation cost $475,000 per company (median average - including hard, soft and productivity costs) with larger node-count companies reporting losses up to $4,228,000
– Entered company networks most often through infected laptops, then through VPNs, and finally through mis-configured firewalls or routers
– From TruSecure / ICSA Labs


Blaster, Welchia, And Others

• Slower moving
• Who was affected?
– Blaster infected over 500,000 IPs worldwide
– Maryland MVA
– BMW, 3M
– AirCanada cancelled flights
– Federal Reserve Bank of Atlanta
– Philadelphia’s City Hall
– Airports, Amtrak
– State Department (Welchia)
– Northeastern power grid ?


Who’s Vulnerable?

• "75% of all web servers running MS IIS 5.0 are vulnerable to exploitation." 

– Security News Portal


What Are They Attacking?

• 31 new vulnerabilities announced by MS as of yesterday since the end of the summer

• Exploits are developed much sooner

• Patches are quickly and narrowly developed

• Awareness is limited

• People don’t care
– I won’t do anything until my computer stops working.


Decentralized Attack Trends

• Why take the chance to rob a bank when it's much easier to rob the people as they leave the bank with money?

Why attack the server when users’ desktops are much easier to get to?


The Increase of Perimeter Security

• Core system security increase
– Firewalls, IDS, IPS
– Still new exploits (Cisco, etc) arise

• How to circumvent?
– Attack areas that still lack adequate perimeter security (universities)
– Get someone to do it for you
– Attacking the systems people don’t know are computers
– Attacking the tools security professionals use


Exploiting Weaknesses in User Education

• Get someone to do it for you
– Trojaned user downloads
– Bundled games, music, movies
– P2P examples
– Spyware
– Social engineering


Exploiting Weaknesses in User Education

• Get someone to do it for you
– AIM username and password stealing
  • www.haxr.org
– Fun code execution
  • http://www.malware.com/badnews.html


Embedded Systems

• Computer system enclosed in an electronic device
– Protection is poor or nonexistent
– Increased power of new devices
– Standardization
– No real scanning/assessment ability

• Real Examples: 3 GW printer cases


Cell Phone Hacking

• Cyber-stalking with GPS

• Keep your phone firmware up to date

• Bluetooth enabled device vulnerabilities:
– Allows anonymous access to Data, Phonebook, Calendar, Media files, Pictures, Text messages

• http://www.bluestumbler.org


Internet Appliances

• Built-in PC is a 300MHz National Semiconductor Geode processor

• 128MB of RAM and a 17GB hard disk

• Windows 98


Radio Frequency Devices

• Building Access Cards

• Mobile speedpass, toll tags

• Cell phones, pagers

• Wireless cams


Attacking The Tools Security Professionals Use

• Trojaned sendmail and openssh programs

• Trojaned tcpdump and libpcap

• Snort attacks/DOS

• Anti-virus gateway DOS attacks

• Anti-forensics tools


What to do?

• Do what you know, knowing they know what you’ll do

• Absolutely keep up to date on new vulnerabilities and exploits
– Even if you can’t stay a step ahead, at least keep up to date on what the new attacks/exploits are

• Keep these trends in mind – attacks will not continue to be primarily traditional attacks from the outside against core systems


Still A Critical Element: People Access

• People are our greatest asset and our weakest security link

• Security processes and technologies are developed to reduce the burden on people

• But, almost every security measure can be beaten by social engineering
– “Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.” (The Art of Deception)


Security Implementation Relies On:

[Diagram labels: Process, People, Technology]

• Policies must be developed, communicated, maintained and enforced
• Processes must be developed that show how policies will be implemented
• People must understand their responsibilities regarding policy
• Systems must be built to technically adhere to policy


What Is Security Awareness?

Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.

Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.


Poor Awareness and Preparation

“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment”

“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”

“Nine out of ten employees revealed their password on request in exchange for a free pen”

These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.


GW’s Security Awareness Program - Materials

Program materials

• Monthly posters focusing on a specific awareness topic
• Monthly article in GW Technology Today
• Brochures available for:
– New students (Colonial Inauguration)
– New employees (Orientation)
– Training programs
• Free security screen saver
• Online security tutorial – S.T.A.R.T.
• Sample password tester
• Animated security awareness banners
• Next phase – “Protect IT” Security Awareness Workshop
• Next phase – Online quizzes


Our Challenge

To reduce risk by implementing best practice information security practices while balancing academic freedom


Thanks!

Special thanks and resources:

• www.securityawareness.com
• http://www.phenoelit.de
• Exploitlabs.com
• Zone-h.org
• Gary Golomb
• http://www.esg.de/media/embedded_systems.jpg
• www.symantec.com
• www.teledesignsecurity.com
• www.securitystats.com


Contacts

To contact the GWU security department, email [email protected]