differentiate among various systems’ security threats ... · 8/2/2010 · surviving malicious...

Post on 07-Jul-2018


Dang Thanh Binh

• Differentiate among various systems' security threats:
  • Privilege escalation
  • Virus
  • Worm
  • Trojan
  • Spyware
  • Spam
  • Adware
  • Rootkits
  • Botnets
  • Logic bomb
• Implement security applications.
• Differentiate between the different ports and protocols, their respective threats and mitigation techniques.
  • Antiquated protocols
  • TCP/IP hijacking
  • Null sessions
  • Spoofing
  • Man-in-the-middle
  • Replay
  • DoS
  • DDoS
  • Domain Name Kiting
  • DNS poisoning
• Explain the vulnerabilities and mitigations associated with network devices.
  • Privilege escalation
  • Weak passwords
  • Back doors
  • DoS
• Carry out vulnerability assessments using common tools.
  • Vulnerability scanners
  • Password crackers

• Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

• Access attack: someone who should not be able to reach your resources wants to access them. Its purpose is to gain access to information that the attacker isn't authorized to have.
• Modification and repudiation attack: someone wants to modify information in your systems.
• Denial-of-service (DoS) attack

• Eavesdropping
  • Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic.
  • This type of attack is generally passive.
• Snooping
  • Occurs when someone looks through your files hoping to find something interesting.
  • The files may be either electronic or on paper.
• Interception can be either an active or a passive process.
  • Intercept (v): to stop something or someone that is going from one place to another before they get there.
  • In a networked environment, a passive interception would involve someone who routinely monitors network traffic.
  • Active interception might include putting a computer system between the sender and receiver to capture information as it's sent. The process is usually covert.
  • Intercept missions can occur for years without the knowledge of the parties being monitored.

• Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user.
  • They're similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.
  • The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.
  • Website defacements are a common form of modification attack.
• Repudiation attack is a variation of modification attacks.
  • repudiate /rɪpjudieɪt/
    • to refuse to accept or continue with something
    • to state or show that something is not true or correct
  • Repudiation attacks make data or information appear to be invalid or misleading.
  • Repudiation attacks are fairly easy to accomplish because most e-mail systems don't check outbound mail for validity.
  • Repudiation attacks, like modification attacks, usually begin as access attacks.

• Denial-of-Service
  • DoS attacks prevent access to resources by users authorized to use those resources.
  • Most simple DoS attacks occur from a single system.
  • Types of DoS attacks:
    • ping of death
    • buffer overflow
  • Requires a powerful transmitter
• Distributed Denial-of-Service Attacks
  • Multiple computer systems used to conduct the attack
  • Zombies
  • Botnet: the malicious software running on a zombie
• How do we deal with denial attacks?


• Back doors?
• A spoofing attack is an attempt by someone or something to masquerade as someone else.
  • IP spoofing and DNS spoofing
  • This type of attack is also an access attack, but it can be used as the starting point for a modification attack.
• Places a piece of software between a server and the user.
• The attacker captures the information and replays it later.
  • The information can be usernames, passwords, or certificates from authentication systems such as Kerberos.
  • (Figure: captured passwords projected on the wall at DEFCON)
  • Solutions: Certificates usually contain a unique session identifier and a time stamp.
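The mitigation on the slide (a unique session identifier plus a time stamp inside the credential) can be enforced with a check like the one below. This is an added example, not code from the original slides; the token layout, the HMAC key, the 60-second freshness window and the 5-second clock-skew allowance are all assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed key for the example; a real deployment loads it from a secret store.
SECRET_KEY = b"example-shared-secret"
MAX_AGE_SECONDS = 60      # freshness window for the time stamp
CLOCK_SKEW_SECONDS = 5    # tolerance for a client clock slightly ahead of ours


def issue_token(user, session_id, issued_at):
    """Credential 'user|session_id|timestamp|mac', mac = HMAC-SHA256 over the first three fields."""
    body = f"{user}|{session_id}|{int(issued_at)}"
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class ReplayGuard:
    """Accepts a given session identifier once, and only while its time stamp is fresh."""

    def __init__(self, max_age=MAX_AGE_SECONDS):
        self.max_age = max_age
        self.seen = {}  # session_id -> time after which the entry can be forgotten

    def verify(self, token, now):
        try:
            user, session_id, ts, mac = token.split("|")
            ts = int(ts)
        except ValueError:
            return "malformed"
        body = f"{user}|{session_id}|{ts}".encode()
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad-signature"      # tampered fields or a forged token
        if now - ts > self.max_age or ts - now > CLOCK_SKEW_SECONDS:
            return "expired"            # outside the freshness window, so a late replay fails here
        # Forget identifiers whose window has closed; the time stamp check covers them from now on.
        self.seen = {sid: exp for sid, exp in self.seen.items() if exp > now}
        if session_id in self.seen:
            return "replayed"           # same session identifier presented a second time
        self.seen[session_id] = ts + self.max_age + CLOCK_SKEW_SECONDS
        return "ok"
```

The signature check runs first so that a replayed-but-genuine token and a forged one are rejected for different reasons, which is useful when the rejections are logged.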

• Records cookies and replays them
  • This technique breaks into Gmail accounts
  • Technical name: Cross Site Request Forgery
  • Almost all social networking sites are vulnerable to this attack
    • Facebook, MySpace, Yahoo, etc.
• Brute-force attack
• Dictionary attack
• Hybrids: mixing the two above techniques
• Privilege escalation can be the result of an error on an administrator's part in assigning too high a permission set to a user, but it's more often associated with bugs left in software.
  • Cheat codes in video games.


• Network Access = OSI layers 1 & 2, defines LAN communication; what do I mean by that?
• Network = OSI layer 3 – defines addressing and routing
• Transport/Host to Host = OSI layers 4, 5 – defines a communication session between two applications on one or two hosts
• Application = OSI layers 6, 7 – the application data that is being sent across a network
• Maps to Layers 1 and 2 of the OSI model
  • The level that a Network Interface Card works on
  • Source and destination MAC addresses are used to define communication endpoints
  • Protocols include
    • Ethernet
    • Token Ring
    • FDDI
• Routing, IP addressing, and packaging
  • Internet Protocol (IP) is a routable protocol, and it's responsible for:
    • IP addressing
    • fragmenting and reassembling message packets
    • only routing information; it doesn't verify it for accuracy (accuracy checking is the responsibility of TCP)
• Maps to layers 4 and 5 of the OSI model
  • Concerned with establishing sessions between two applications
  • Source and destination endpoints are defined by port numbers
  • The two transport protocols in TCP/IP are TCP and UDP
• Connection oriented, "guaranteed" delivery
  • Advantages
    • Easier to program with
    • Truly implements a "session"
    • Adds security
  • Disadvantages
    • More overhead / slower
• Connectionless, non-guaranteed delivery (best effort)
  • Advantages
    • Fast / low overhead
  • Disadvantages
    • Harder to program with
    • No true sessions
    • Less security
    • A pain to firewall (due to no connections)
• Most programs, such as web browsers, interface with TCP/IP at this level
  • Protocols:
    • Hypertext Transfer Protocol (HTTP)
    • File Transfer Protocol (FTP)
    • Simple Mail Transfer Protocol (SMTP)
    • Telnet
    • Domain Name Service (DNS)
    • Routing Information Protocol (RIP)
    • Post Office Protocol (POP3)
• Encapsulate
  • to express or show something in a short way
  • to completely cover something with something else, especially in order to prevent a substance getting out

• Port Mirroring
• Sniffing the Network
• TCP Attacks
• A device that captures and displays network traffic
• The client and server exchange information in TCP packets
  • The TCP client sends an ACK packet to the server
  • ACK packets tell the server that a connection is requested
  • Server responds with an ACK packet
  • The TCP client sends another packet to open the connection
• Instead of opening the connection, the TCP client continues to send ACK packets to the server.
• TCP sequence number attacks occur when an attacker takes control of one end of a TCP session
  • Each time a TCP message is sent, either the client or the server generates a sequence number
  • The attacker intercepts and then responds with a sequence number similar to the one used in the original session
  • Disrupt or hijack a valid session
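The flood described above, where a client keeps requesting connections it never completes, leaves half-open entries in the server's connection table (they show as SYN_RECV in netstat or ss output). The detector below reads such output and reports which sources and which local ports are affected. It is an added example, not code from the slides; the sample lines are constructed and the threshold of 3 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in netstat style (proto recv-q send-q local remote state);
# addresses are from the documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.20:51002 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:40004 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.7:40005 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.21:51500 SYN_RECV
tcp 0 0 10.0.0.5:22 198.51.100.22:52000 ESTABLISHED
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\d+\s+(\w+)$")


def parse_connections(text):
    """Yield (local_port, remote_ip, state) for each well-formed TCP line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def half_open_report(text, per_source_threshold=3):
    """Summarise half-open (SYN_RECV) connections, the footprint a flood leaves on the server.
    Returns (total_half_open, offenders, per_port): offenders maps every remote IP holding at
    least per_source_threshold half-open connections to its count; per_port maps local port
    to its half-open count, which shows which service is being starved."""
    per_source = Counter()
    per_port = defaultdict(int)
    for port, remote_ip, state in parse_connections(text):
        if state == "SYN_RECV":
            per_source[remote_ip] += 1
            per_port[port] += 1
    offenders = {ip: n for ip, n in per_source.items() if n >= per_source_threshold}
    return sum(per_source.values()), offenders, dict(per_port)
```

A distributed flood from many zombies will not trip the per-source threshold; for that case watch the total and the per-port counts instead, which rise even when no single source stands out.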

• Rogue access points
  • Rogue: not behaving in the usual or accepted way and often causing trouble
  • Employees often set up home wireless routers for convenience at work
  • This allows attackers to bypass all of the network security and opens the entire network and all users to direct attacks
  • An attacker who can access the network through a rogue access point is behind the company's firewall
    • Can directly attack all devices on the network
• War driving
  • Beaconing
    • At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network
  • Scanning
    • Each wireless device looks for those beacon frames
    • Unapproved wireless devices can likewise pick up the beaconing RF transmission
  • Formally known as wireless location mapping
• Bluetooth
  • A wireless technology that uses short-range RF transmissions
  • Provides for rapid "on the fly" and ad hoc connections between devices
• Bluesnarfing
  • Stealing data through a Bluetooth connection
  • E-mails, calendars, contact lists, and cell phone pictures and videos, …


• Database exploitation
  • If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information.
• Application exploitation
• E-mail exploitation
• Spyware
  • Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it.
• Rootkits
  • Enable continued privileged access to a computer, while actively hiding their presence from administrators by subverting standard operating system functionality or other applications.


• Armored Virus
  • Designed to make itself difficult to detect or analyze
• Companion Virus
  • A companion virus attaches itself to legitimate programs and then creates a program with a different filename extension
• Macro Virus
  • A set of programming instructions in a language such as VBScript that commands an application to perform illicit actions
• Multipartite Virus: attacks the system in multiple ways
• Phage Virus
  • Modifies and alters other programs and databases
  • The only way to remove this virus is to reinstall the programs that are infected
• Polymorphic Virus
  • Changes form in order to avoid detection
  • Frequently, the virus will encrypt parts of itself to avoid detection
• Stealth Virus
  • Attempts to avoid detection by masking itself from applications
• Logic bombs are programs or snippets of code that execute when a certain predefined event occurs.


• Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password
  • Attacker can collect a lot of data from a vulnerable system
  • Cannot be fixed by patches to the operating systems
  • Much less of a problem with modern Windows versions, Win XP SP2, Vista, or Windows 7

• Check kiting
  • A type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detected
• Domain Name Kiting
  • Registrars are organizations that are approved by ICANN to sell and register Internet domain names
  • A five-day Add Grace Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration fee
  • Unscrupulous registrars register thousands of Internet domain names and then delete them
  • Recently expired domain names are indexed by search engines
    • Visitors are directed to a re-registered site
    • Which is usually a single-page website with paid advertisement links
    • Visitors who click on these links generate money for the registrar

• Used to manage switches, routers, and other network devices
  • Early versions did not encrypt passwords, and had other security flaws
  • But the old versions are still commonly used

• DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254
• DNS has many vulnerabilities
  • It was never designed to be secure
• Put false entries into the Hosts file
  • C:\Windows\System32\Drivers\etc\hosts
• Attacker sends many spoofed DNS responses
  • Target just accepts the first one it gets
• Intended to let a new DNS server copy the records from an existing one
  • Can be used by attackers to get a list of all the machines in a company, like a network diagram
  • Usually blocked by modern DNS servers
• Antispyware software will warn you when the hosts file is modified
• Using updated versions of DNS server software prevents older DNS attacks against the server
  • But many DNS flaws cannot be patched
• Eventually: Switch to DNSSEC (Domain Name System Security Extensions)
  • But DNSSEC is not widely deployed yet, and it has its own problems
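"Target just accepts the first one it gets" is only true of a resolver that does not check a reply against the query it sent. The code below builds DNS query and response messages in wire format and shows the acceptance test a resolver should apply before caching an answer: the reply must arrive on the UDP source port the query left from, carry the same transaction ID, and repeat the exact question. This is an added example, not code from the slides; the www.ccsf.edu / 147.144.1.254 pair is the one quoted above, while the port, transaction IDs and 203.0.113.9 are constructed values.

```python
import struct

def encode_name(name):  # DNS wire form: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):  # read an uncompressed name at off; returns (name, next offset)
    labels = []
    while True:
        n, off = msg[off], off + 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointers are outside this example's scope")
        labels.append(msg[off:off + n].decode())
        off += n

def build_query(txid, name, qtype=1):  # header (flags 0x0100 = RD) + one question, class IN
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)

def build_response(txid, name, ip, qtype=1):  # flags 0x8180 = QR, RD, RA; echoes question + one A record
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    answer = encode_name(name) + struct.pack(">HHIH", qtype, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer

def parse_question(msg):  # (txid, flags, qname, qtype, qclass) of the first question
    txid, flags = struct.unpack(">HH", msg[:4])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    return txid, flags, name.lower(), qtype, qclass

def accept_response(pending, src_port, response):
    """pending maps (our UDP source port, txid) -> (name, qtype) for queries in flight.
    Returns a reason string; only 'accepted' means the answer may enter the cache."""
    try:
        txid, flags, name, qtype, qclass = parse_question(response)
    except (ValueError, struct.error, IndexError):
        return "malformed"
    if not flags & 0x8000:
        return "not-a-response"
    key = (src_port, txid)
    if key not in pending:
        return "no-matching-query"   # wrong port or transaction id: a blind guess
    exp_name, exp_type = pending[key]
    if (name, qtype, qclass) != (exp_name.lower(), exp_type, 1):
        return "question-mismatch"   # does not answer the question we actually sent
    del pending[key]                  # first valid answer wins; later copies are ignored
    return "accepted"
```

Randomising both the source port and the transaction ID is what gives this check its strength: a forger who sees neither has to guess roughly 32 bits per attempt, which is why patched resolvers randomise ports rather than relying on the 16-bit ID alone.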

• ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34
• Attacker sends many spoofed ARP responses
  • Target just accepts the first one it gets
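Because a host caches whichever ARP reply arrives first, the practical defence is to watch replies on the segment and alert when an IP is claimed by a second MAC, or when a reply contradicts a pinned binding for a critical address such as the gateway. The monitor below does that over constructed reply records; it is an added example, not code from the slides, and the gateway IP/MAC pair is the one quoted above while the other addresses are made up.

```python
# Constructed ARP reply records as (timestamp, sender_ip, sender_mac); the gateway pair
# is the example from the slide, the other addresses are made up for this demo.
SAMPLE_ARP_REPLIES = [
    (1.0, "147.144.1.254", "00-30-48-82-11-34"),
    (2.0, "147.144.1.10", "00-1A-2B-3C-4D-5E"),
    (3.0, "147.144.1.254", "00-30-48-82-11-34"),
    (4.0, "147.144.1.254", "DE-AD-BE-EF-00-01"),  # second MAC claiming the gateway's IP
    (4.1, "147.144.1.254", "DE-AD-BE-EF-00-01"),
    (5.0, "147.144.1.10", "00-1a-2b-3c-4d-5e"),   # same MAC as before, different case only
]


def detect_arp_conflicts(replies, pinned=None):
    """Watch ARP replies the way an arpwatch-style monitor does. Returns a list of
    (timestamp, ip, reason, mac) alerts: 'mac-changed' when an IP that was already bound
    to one MAC is claimed by another, 'pinned-binding-violation' when a reply contradicts
    a static IP->MAC entry in pinned (e.g. the default gateway)."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    bindings = {}  # ip -> first MAC seen for it (what a host that trusts the first reply would cache)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, ip, "pinned-binding-violation", mac))
            continue
        if ip not in bindings:
            bindings[ip] = mac
        elif bindings[ip] != mac:
            alerts.append((ts, ip, "mac-changed", mac))
    return alerts
```

Every conflicting reply produces its own alert rather than just the first, so a sustained stream of spoofed replies is visible as a burst in the log.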
