data and network security

Upload: ashish-shah

Post on 14-Apr-2018


TRANSCRIPT

  • 7/29/2019 Data and Network Security

    1/74

    Data And Network Security

    GSM 522 Session 13

    September 22, 2011

    G Krishnamurthy

  • Slide 2/74

    Agenda

    Introduction To Data Security

    Introduction To Network Security

    ICMP (Ping) Abuse

    Smurfing

    Fragmentation Attacks

    OS Vulnerabilities

    Firewall Failures

  • Slide 3/74

    DATA SECURITY

  • Slide 4/74

    Cryptography

    Involves coding a message to ensure data security

    Can be characterized by:

    type of encryption operations used: substitution / transposition / product

    number of keys used: single-key or private / two-key or public

    way in which plaintext is processed: block / stream

  • Slide 5/74

    Types of Cryptanalytic Attacks

    chosen plaintext: select plaintext and obtain ciphertext to attack cipher

    chosen ciphertext: select ciphertext and obtain plaintext to attack cipher

    chosen text: select either plaintext or ciphertext to encrypt/decrypt to attack cipher

  • Slide 6/74

    Caesar Cipher

    Earliest known substitution cipher, by Julius Caesar

    First attested use in military affairs

    Replaces each letter by the 3rd letter on (each letter is shifted three places along the alphabet). Example:

    Text: meet me after the toga party

    Cipher: PHHW PH DIWHU WKH WRJD SDUWB

  • Slide 7/74

    Encryption Exercises

    Please go to www.cryptoclub.org

    This is a site where work is in progress

    However, we can try to encrypt and decrypt text

    Form unique groups and we will assign numbers to each group

    http://www.cryptoclub.org/

  • Slide 8/74

    Encryption Exercises

    Please encrypt the following sentences using Caesar ciphers:

    The quick brown fox jumps over the lazy dog

    India has won one bronze medal at the 2012 London Olympics

    Use the following values of the key: Group n uses key n; e.g. Group 1 uses 1, Group 2 uses 2, Group 3 uses 3, and so on

    Check how the text gets encrypted

    What are the changes in the encrypted text by changing the key?

  • Slide 9/74

    Cryptanalysis of Caesar Cipher

    Characteristics:

    Only have 26 possible ciphers (A maps to A, B, ... Z)

    Could simply try each in turn

    How would cryptanalysis be done?

    a brute force search: given ciphertext, just try all shifts of letters

    need to recognize when we have plaintext
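    Added example (not from the slides): the shift cipher of the previous slides with a general key, as used in the group exercise, and the brute-force search described here, with a letter-frequency score so the plaintext is recognised automatically instead of by eye. The frequency table and the function names are my own.

```python
import string

ALPHABET = string.ascii_uppercase

# Relative frequency (percent) of each letter in English text; used to recognise
# which of the 26 candidate decryptions is the real plaintext.
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))


def caesar(text: str, key: int) -> str:
    """Shift every letter `key` places along the alphabet (key=3 is Caesar's own cipher).
    Output is upper case and non-letters pass through unchanged, as on the slide."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(cipher: str, key: int) -> str:
    """Undo a shift of `key`: shifting by -key brings each letter back."""
    return caesar(cipher, -key)


def english_score(text: str) -> float:
    """Chi-squared distance between the letter counts of `text` and the counts English
    would predict for a text of that length; lower means 'looks more like English'."""
    letters = [c for c in text.upper() if c in ALPHABET]
    if not letters:
        return float("inf")
    n = len(letters)
    score = 0.0
    for c in ALPHABET:
        expected = ENGLISH_FREQ[c] * n / 100
        score += (letters.count(c) - expected) ** 2 / expected
    return score


def brute_force(cipher: str) -> list:
    """The brute-force search from the slide: try all 26 shifts and rank the candidate
    plaintexts best-first, so the analyst need not recognise plaintext by eye."""
    ranked = sorted((english_score(decrypt(cipher, k)), k, decrypt(cipher, k)) for k in range(26))
    return [(k, plain) for _, k, plain in ranked]


if __name__ == "__main__":
    c = caesar("meet me after the toga party", 3)
    print(c)                       # PHHW PH DIWHU WKH WRJD SDUWB
    for k, plain in brute_force(c)[:3]:
        print(k, plain)
```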

  • Slide 10/74

    NETWORK SECURITY

  • Slide 11/74

    Security Services

    X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

    RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources

    X.800 defines it in 5 major categories

  • Slide 12/74

    Security Services (X.800)

    Authentication - assurance that the communicating entity is the one claimed

    Access Control - prevention of the unauthorized use of a resource

    Data Confidentiality - protection of data from unauthorized disclosure

    Data Integrity - assurance that data received is as sent by an authorized entity

    Non-Repudiation - protection against denial by one of the parties in a communication

  • Slide 13/74

    Security Mechanisms (X.800)

    Specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization

    Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery

  • Slide 14/74

    Classify Security Attacks

    passive attacks - eavesdropping on, or monitoring of, transmissions to: obtain message contents, or monitor traffic flows

    active attacks - modification of data stream to: masquerade of one entity as some other; replay previous messages; modify messages in transit; denial of service

  • Slide 15/74

    Types of Attacks

  • Slide 16/74

    Scans and Recon

    If an attacker wants to map your network, the trivial way is to ping all the IP addresses in your network...

    Therefore, if you allow pings, your network is exposed.

  • Slide 17/74

    Smurf Attack

    Ping a broadcast address, with the (spoofed) IP of a victim as source address

    All hosts on the network respond to the victim

    The victim is overwhelmed

    Keys: amplification and IP spoofing

    Protocol vulnerability; implementation can be patched by violating the protocol specification, to ignore pings to broadcast addresses

    ICMP echo just used for convenience; all ICMP messages can be abused this way

    "Fraggle" is the equivalent, using UDP instead of ICMP

  • Slide 18/74

    Defending Against IP spoofing

    Ingress filtering:

    Forbid inbound broadcasts from the internet into your networks

    Forbid inbound packets from non-routable networks

    Egress filtering:

    Prevent stations in networks you control from spoofing IPs from other networks by dropping their outbound packets

    Make your network a less attractive and useful target for attackers that want to launch other attacks

    Be a good internet citizen (reputation is important)

    Drop outbound broadcasts

  • Slide 19/74

    References

    RFC 2267 - "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing".

  • Slide 20/74

    What is a Firewall?

    A choke point of control and monitoring

    Interconnects networks with differing trust

    Imposes restrictions on network services: only authorized traffic is allowed

    Auditing and controlling access: can implement alarms for abnormal behavior

    Itself immune to penetration

    Provides perimeter defence

  • Slide 21/74

    Firewalls Packet Filters

  • Slide 22/74

    Firewalls Packet Filters

    Simplest of components

    Uses transport-layer information only:

    IP Source Address, Destination Address

    Protocol/Next Header (TCP, UDP, ICMP, etc)

    TCP or UDP source & destination ports

    TCP Flags (SYN, ACK, FIN, RST, PSH, etc)

    ICMP message type

    Examples: DNS uses port 53; no incoming port 53 packets except from known trusted servers

  • Slide 23/74

    Usage of Packet Filters

    Filtering with incoming or outgoing interfaces

    E.g., Ingress filtering of spoofed IP addresses

    Egress filtering

    Permits or denies certain services

    Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems

  • Slide 24/74

    How to Configure a Packet Filter

    Start with a security policy

    Specify allowable packets in terms of logical expressions on packet fields

    Rewrite expressions in syntax supported by your vendor

    General rules - least privilege

    All that is not expressly permitted is prohibited

    If you do not need it, eliminate it

  • Slide 25/74

    Every ruleset is followed by an implicit rule reading like this.

  • Slide 26/74

    Firewall Rules - Example 1

    We wish to allow inbound mail (SMTP, port 25) but only to the gateway machine GW. Also, mail from site SPIGOT is to be dropped.

  • Slide 27/74

    Solution 1:

  • Slide 28/74

    Firewall Rules - Example 2

    Now suppose that we want to implement the policy "any inside host can send mail to the outside".

  • Slide 29/74

    Solution 2:

    This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside.

    Simple enough

  • Slide 30/74

    Firewall Ruleset Review

    action  ourhost  port  theirhost  port  Flags  Remarks
    Block   *        *     *          *            Default
    Block   *        *     SPIGOT     *            Do not trust SPIGOT
    Allow   GW       *     *          25
    Allow   *        25    *          *     ACK    Mar 09
    Allow   *        *     NET-2      *     ACK    Mar 09
    Allow   *        *     NET-3      *     ACK    Mar 09
    Block   *        *     NET-4      *     ACK    Jan 12
    Block   *        *     NET-5      *     ACK    Jan 12
    Block   *        *     NET-6      *     ACK    Jan 12
    Allow   *        *     *          *            Sep 12
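    Added example, not part of the slides: a small first-match packet filter in Python that encodes the ingress/egress anti-spoofing checks from the "Defending Against IP spoofing" slide and the SMTP policies of Examples 1 and 2, plus a linter for the two defects a ruleset review should catch: a rule shadowed by an earlier broader rule, and a catch-all allow that makes the implicit default deny unreachable. Addresses, interface names and rule remarks are constructed (RFC 5737 documentation ranges), not the slide's real sites.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

ANY = "*"  # wildcard, as in the slide's rule tables
# Rule fields: action "allow"/"block"; iface the packet arrives on ("outside", "inside" or "*");
# src/dst networks in CIDR or "*"; sport/dport port strings or "*"; ack None = don't care,
# True = ACK flag must be set (i.e. part of an established connection); remark free text.
Rule = namedtuple("Rule", "action iface src sport dst dport ack remark", defaults=(None, ""))
Packet = namedtuple("Packet", "iface src sport dst dport ack", defaults=(False,))

def _net_ok(pat, addr):
    return pat == ANY or ip_address(addr) in ip_network(pat, strict=False)

def _port_ok(pat, port):
    return pat == ANY or int(pat) == port

def matches(r: Rule, p: Packet) -> bool:
    return (r.iface in (ANY, p.iface) and _net_ok(r.src, p.src) and _port_ok(r.sport, p.sport)
            and _net_ok(r.dst, p.dst) and _port_ok(r.dport, p.dport)
            and (r.ack is None or r.ack == p.ack))

def decide(rules, p: Packet):
    """First matching rule wins; a packet matching nothing hits the implicit final deny."""
    for r in rules:
        if matches(r, p):
            return r.action, r.remark
    return "block", "implicit default deny"

def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet b could match is also matched by a (sufficient, not complete)."""
    def net(x, y):
        return x == ANY or (y != ANY and ip_network(y, strict=False).subnet_of(ip_network(x, strict=False)))
    return (a.iface in (ANY, b.iface) and net(a.src, b.src) and a.sport in (ANY, b.sport)
            and net(a.dst, b.dst) and a.dport in (ANY, b.dport) and a.ack in (None, b.ack))

def lint(rules) -> list:
    """Flag rules that an earlier rule shadows, and allow rules that swallow the implicit deny."""
    findings = []
    for i, r in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], r):
                findings.append(f"rule {i} ({r.remark}) is shadowed by rule {j} ({rules[j].remark})")
                break
        if r.action == "allow" and _covers(r, Rule("allow", ANY, ANY, ANY, ANY, ANY)):
            findings.append(f"rule {i} ({r.remark}) allows everything; the implicit deny is unreachable")
    return findings

# Constructed addresses (documentation ranges): our network with mail gateway GW,
# an untrusted outside site SPIGOT, and another outside network NET-5.
OUR_NET, GW, SPIGOT, NET5 = "192.0.2.0/24", "192.0.2.25/32", "198.51.100.0/24", "203.0.113.0/24"
RULES = [
    Rule("block", "outside", OUR_NET, ANY, ANY, ANY, remark="ingress: our own address from outside is spoofed"),
    Rule("block", "outside", "10.0.0.0/8", ANY, ANY, ANY, remark="ingress: non-routable source"),
    Rule("block", "outside", SPIGOT, ANY, ANY, ANY, remark="do not trust SPIGOT"),
    Rule("allow", "outside", ANY, ANY, GW, "25", remark="inbound mail only to GW"),
    Rule("allow", "inside", OUR_NET, ANY, ANY, "25", remark="egress: only our own addresses may send mail out"),
    Rule("allow", "outside", ANY, "25", OUR_NET, ANY, ack=True, remark="replies to our outbound mail"),
]
# The same set with a later catch-all allow, as in the ruleset-review slide.
BAD_RULES = RULES + [Rule("allow", ANY, ANY, ANY, ANY, ANY, remark="Sep 12 catch-all"),
                     Rule("block", "outside", NET5, ANY, ANY, ANY, remark="Jan 12 block NET-5")]
```

    A packet from an inside interface whose source is not one of our addresses matches no allow rule and falls through to the implicit deny, which is the egress anti-spoofing check from slide 18 expressed as least privilege.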

  • Slide 31/74

    Firewall Ruleset Review

    How would you rate the firewall ruleset?

    What do you feel would happen if I send a mail from NET-5?

    X sends a mail from NIIT University (NU). Will it reach?

  • Slide 32/74

    Spoofing

  • Slide 33/74

    IP Spoofing

    Any station can send packets pretending to be from any IP address

    Replies will be routed to the appropriate subnet (route asymmetry)

    So, attacker might not get replies if spoofing a host on a different subnet

    For some attacks this is not important

    Analogy: Nothing prevents you from physically mailing a letter with an invalid return address, or someone else's, or your own. Likewise, packets can be inserted in the network with invalid or other IP addresses.

  • Slide 34/74

    IP Spoofing with Amplification

    Use broadcasts pretending to originate from victim

    All replies go back to victim

    Class B broadcast: 253^2 = 64 009 replies (assuming class C subnetting)

    This may use any IP protocol (ICMP, TCP, UDP): any application or service that replies using these protocols

    Famous attack: Smurf (using ICMP) DoS - CERT Advisory CA-1998-01 "Smurf IP Denial-of-Service Attacks"; many others

    Smurf Amplifier Registry: http://www.powertech.no/smurf/

  • Slide 35/74

    BotNets

  • Slide 36/74

    Agenda

    Intro To Botnets: What Are They?

    How Does A BotNet Operate?

    How Is A BotNet Organized?

    How Do BotNets Hide?

    What is the function of Botnets?

  • Slide 37/74

    Part 1: Intro to Botnets. What are they?

  • Slide 38/74

    In the news

    Sep 13 2012 - Malware inserted on PC production lines, says study

    July 19 2012 - Huge spam botnet Grum is taken out by security researchers

    Mar 26 2012 - Microsoft moves to disable Zeus botnet

    Dec 5 2011 - Botnets: Hi-tech crime in the UK

    July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation

  • Slide 39/74

    Introduction

    [Figure: Attacker (Botmaster); Zombies]

    Malware is currently the major source of attacks and fraudulent activities on the Internet.

    Malware is used to infect computers.

    Botnet is a network of zombies, i.e. compromised computers under control of an attacker.

    Bot is a program loaded on zombie computer that provides remote control mechanisms to an attacker.

  • Slide 40/74

    Bot

    Bot - a small program to remotely control a computer

    Characterized by:

    Remote control & communication (C&C) channels to command a victim, e.g. perform DOS attack, send spam

    The implemented remote commands, e.g. update bot binary to a new version

    Spreading mechanisms to propagate it further, e.g. port scanning, email

  • Slide 41/74

    http://en.wikipedia.org/wiki/Botnet

  • Slide 42/74

    C&C channel

    Means of receiving and sending commands and information between the botmaster and the zombies.

    Typical protocols:

    Internet Relay Chat (IRC) protocol

    HTTP

    Overnet (Kademlia)

    Protocols imply (to an extent) a botnet's communication topology.

    The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

  • Slide 43/74

    Botnet Infection Stages - Centralized

  • Slide 44/74

    Part 2: How does a botnet operate?

  • Slide 45/74

    Popular Botnet Propagation Methods

    Spammed Messages

    Social Networking Websites

    Malicious Websites

    Install Malware

    Become Bot

    Removable Devices

    Worm

  • Slide 46/74

    Shift in the way that malware is distributed

    Every 1.3 seconds a new web page is getting infected

    Every month almost 2 million web pages across 210,000 websites are infected with Malware

    Malware attacks have grown by 600% since 2008

  • Slide 47/74

    Sample subjects and attachments

    Sample subjects:

    A killer at 11, he's free at 21 and kill again!

    British Muslims Genocide

    Naked teens attack home director.

    230 dead as storm batters Europe.

    Re: Your text

    Radical Muslim drinking enemies's blood.

    Saddam Hussein alive!

    Fidel Castro dead.

    FBI vs. Facebook

    Sample attachments:

    Postcard.exe

    ecard.jpg

    FullVideo.exe

    Full Story.exe

    Video.exe

    Read More.exe

    FullClip.exe

    GreetingPostcard.exe

    MoreHere.exe

    FlashPostcard.exe

    GreetingCard.exe

    ClickHere.exe

    ReadMore.exe

    FlashPostcard.exe

    FullNews.exe

    NflStatTracker.exe

    ArcadeWorld.exe

    Left-right-brain-test.gif

  • Slide 48/74

    Part 3: How is a botnet organized?

  • Slide 49/74

    Traditional botnet

    [Figure: Attacker; Commands & controls; Zombies; Attack; Victim; Your home computer; Infect]

    Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker.

  • Slide 50/74

    Topology

    Based on C&C channels, there are two typical botnet topologies: Centralized; Decentralized (P2P)

    Traditional botnet metrics:

    Resiliency - a botnet's ability to cope with a loss of members (zombies) or servers

    Latency - reliability in message transmission

    Enumeration - an ability to accurately estimate a botnet size; difficulty for security analysis

    Re-sale - a possibility to carve off sections of the botnet for lease or resale to other operators.

  • Slide 51/74

    Centralized botnet

    Communication between attacker and zombies goes via centralized server

    Classical communication method: IRC (Internet Relay Chat)

    [Figure: Centralized server]

  • Slide 52/74

    Centralized botnet topologies

    Centralized topology can be represented in different shapes.

    The exact organization of botnet depends on the bot operator; nothing prevents a bot operator from coming up with a new topology.

    Often seen topologies: Hierarchical, Multi-server, Star

  • Slide 53/74

    Star topology

    Communication is directly between a single centralized server and ALL zombies.

    When a new machine is infected, it is preconfigured to contact the server to announce its membership.

    Pros: Low latency - each zombie is issued commands directly from the server.

    Cons: Low resilience - only the server needs to be blocked to neutralize the whole botnet

  • Slide 54/74

    Example

    Koobface

    Old variant employed star architecture: zombies connected to C&C server directly

  • Slide 55/74

    Multi-server topology

    Similar to star topology

    Instead of one server, multiple servers are used to provide instructions to zombies.

    Pros:

    Better resilience - no single point of failure

    Geographical distribution of servers - communication speed up

    More resistant to legal shut downs

    Cons: Requires advance planning

  • Slide 56/74

    Hierarchical topology

    Zombies are generally not aware of the server location

    Pros:

    Ease of re-sale - a botnet operator can easily carve off sections of their botnet for lease or resale to other operators.

    Hard to enumerate - hard to evaluate the size and complexity of the botnet

    Cons:

    High latency makes some botnet attacks difficult.
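    Added example, not from the slides: the star, multi-server and hierarchical shapes of the preceding slides modelled as C&C graphs, so that the resiliency, latency and enumeration trade-offs they list can be measured on a take-down scenario rather than asserted. Node names, sizes and the choice of which node is removed are constructed.

```python
from collections import deque

def star(n_zombies):
    """One C&C server that every zombie contacts directly."""
    g = {"master": ["server"], "server": [f"z{i}" for i in range(n_zombies)]}
    return g, ["server"]

def multi_server(n_zombies, n_servers):
    """Several C&C servers; every zombie knows all of them."""
    servers = [f"s{j}" for j in range(n_servers)]
    g = {"master": servers}
    for s in servers:
        g[s] = [f"z{i}" for i in range(n_zombies)]
    return g, servers

def hierarchical(n_zombies, n_proxies):
    """Master -> server -> proxies -> zombies; a zombie only knows its own proxy."""
    proxies = [f"p{j}" for j in range(n_proxies)]
    g = {"master": ["server"], "server": proxies}
    for j, p in enumerate(proxies):
        g[p] = [f"z{i}" for i in range(n_zombies) if i % n_proxies == j]
    return g, ["server"] + proxies

def reach(graph, removed):
    """Breadth-first search from the botmaster over surviving nodes: {node: hops}."""
    dist = {"master": 0}
    queue = deque(["master"])
    while queue:
        u = queue.popleft()
        for v in graph.get(u, []):
            if v not in removed and v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def metrics(graph, n_zombies, removed=()):
    """Resiliency and latency after a take-down of the `removed` infrastructure nodes:
    (fraction of zombies still commandable, worst-case hops from master to a zombie)."""
    dist = reach(graph, set(removed))
    hops = [d for node, d in dist.items() if node.startswith("z")]
    return len(hops) / n_zombies, (max(hops) if hops else None)

def enumerable_from(graph, node):
    """Enumeration: how many zombies a defender learns of by observing one node's channel."""
    return sum(1 for v in graph.get(node, []) if v.startswith("z"))

if __name__ == "__main__":
    for name, (g, infra) in {"star": star(100), "multi-server": multi_server(100, 3),
                             "hierarchical": hierarchical(100, 4)}.items():
        print(name, "intact:", metrics(g, 100), "one node down:", metrics(g, 100, infra[-1:]))
```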


  • Slide 57/74

    Example - Gumblar

    Gumblar's architecture is not well studied; fully built on zombies

    Website visitors are infected with the Windows executable; it grabs FTP credentials from the victim machines. The FTP account is then used to infect every webpage on the new webserver.

  • Slide 58/74

    Hybrid topologies

    High resilience

    Low latency

    Example: Hierarchical P2P

    [Figure: Centralized; P2P; Centralized Peer-to-peer]

  • Slide 59/74

    Storm botnet

    A three-level self-organizing hierarchy:

    master servers

    proxy bots - transfer traffic between workers and master servers

    worker bots - responsible for sending the spam

    Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy

  • Slide 60/74

    Part 4: How do botnets hide?

  • Slide 61/74

  • Slide 62/74

    Rootkit

    A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system

    To hide what is taking place, an attacker wants to:

    Survive system restart

    Hide processes

    Hide services

    Hide listening TCP/UDP ports

    Hide kernel modules

    Hide drivers

  • Slide 63/74

    How Rootkit Works

    Overwrite first few bytes of target function with a jump to rootkit code

    Create trampoline function that first executes overwritten bytes from original function, then jumps back to original function

    When function is called, rootkit code executes

    Rootkit code calls trampoline, which executes original function
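    Added example (not from the slides), written from the detection side: given the first bytes of a function as read from memory, decide whether its entry has been overwritten with a jump out of its own module, which is the trace the hooking steps above leave behind. The instruction encodings are standard x86-64; the module layout, function names and sample bytes are constructed.

```python
import struct

MASK64 = (1 << 64) - 1

def hook_target(prologue: bytes, func_addr: int):
    """Return the address the function's first instruction transfers control to, or None
    when it is not one of the redirections an inline hook typically writes over a prologue:
      E9 rel32            jmp rel32         (the 5-byte overwrite described on the slide)
      FF 25 disp32        jmp [rip+disp32]  (target sits in a pointer slot; slot address returned)
      48 B8 imm64 FF E0   mov rax, imm64 ; jmp rax
      68 imm32 C3         push imm32 ; ret"""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (func_addr + 5 + rel) & MASK64
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":
        disp = struct.unpack_from("<i", prologue, 2)[0]
        return (func_addr + 6 + disp) & MASK64
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", prologue, 2)[0]
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return struct.unpack_from("<i", prologue, 1)[0] & MASK64  # push sign-extends imm32
    return None

def is_hooked(prologue: bytes, func_addr: int, module_start: int, module_end: int) -> bool:
    """Flag a function whose entry jumps outside the module containing it. A legitimate
    tail jump to another function of the same module stays inside and is not flagged."""
    target = hook_target(prologue, func_addr)
    return target is not None and not (module_start <= target < module_end)

def scan(functions, module_start, module_end):
    """functions: iterable of (name, address, first bytes); returns the names flagged."""
    return [name for name, addr, code in functions
            if is_hooked(code, addr, module_start, module_end)]

# Constructed scenario (nothing here is read from a real process): a module mapped at
# 0x400000-0x410000 and four functions whose first bytes were captured. The hooked
# samples are assembled from the encodings listed in hook_target's docstring.
MOD_START, MOD_END = 0x400000, 0x410000
F_CLEAN, F_JMP, F_MOV, F_TAIL = 0x401000, 0x401200, 0x401400, 0x401600
CLEAN_PROLOGUE = bytes.fromhex("554889e54883ec20")  # push rbp; mov rbp,rsp; sub rsp,0x20
HOOK_JMP_REL32 = b"\xe9" + struct.pack("<i", 0x500000 - (F_JMP + 5)) + CLEAN_PROLOGUE[5:]
HOOK_MOV_JMP = b"\x48\xb8" + struct.pack("<Q", 0x7F0000001000) + b"\xff\xe0"
TAIL_JMP_INSIDE = b"\xe9" + struct.pack("<i", 0x402000 - (F_TAIL + 5))
SAMPLE = [("read_config", F_CLEAN, CLEAN_PROLOGUE), ("list_procs", F_JMP, HOOK_JMP_REL32),
          ("open_port", F_MOV, HOOK_MOV_JMP), ("helper_tail", F_TAIL, TAIL_JMP_INSIDE)]
```

    Such a check is only as good as the byte image it sees: a rootkit that also hooks the read path can hide the overwrite, which is why the comparison is best done against a clean copy of the binary on disk or from a trusted environment.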

  • Slide 64/74

    Rootkit Usage Example: Hide process

    Process list BEFORE the rootkit is launched.

    Process list AFTER the rootkit is launched.

  • Slide 65/74

    Part 5: What is the function of botnets?

  • Slide 66/74

    Botnet Activities

    The least damage caused by Botnets: Bandwidth Consumption

    Other things:

    DDOS attacks

    Spam

    Click Fraud

    Data Theft

    Phishing

    Mistrustful services

  • Slide 67/74

    DDOS attacks

    [Figure: Attacker; China, Brazil, Russia, US; e.g. Google.com]

    http://en.wikipedia.org/wiki/Denial-of-service_attack

  • Slide 68/74

    Click Fraud

    Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked.

    Famous Bots: ClickBot (100k), Bahama Botnet (200k)

  • Slide 69/74

    Click Fraud - FFSearcher

    http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/

  • Slide 70/74

    Data Theft

    Accounts for a great deal of botnet activity.

    Purpose: Harvesting user data - screen captures, typed data, files

    Anti-Spyware software: highly controversial; has resulted in Scareware.

    http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

  • Slide 71/74

    Data Theft - Mumba Zeus Botnet

    http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf

  • Slide 72/74

    Phishing

    A deceptive email/website/etc. to harvest confidential information.

    http://library.thinkquest.org/06aug/00446/Phishing.html

  • Slide 73/74

    http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

  • Slide 74/74

    Thank You