Spring 2000 John Kristoff 1 DePaul University Computer Network Security Are We Safe?

DePaul University Computer Network Security

Internet 101

Telephone System
  • central authority
  • network in control
  • billing records per connection
  • legal issues well understood
  • provisions for law enforcement (wiretapping)

Internet
  • no central authority
  • end systems in control
  • no central knowledge of connections
  • no per-packet billing
  • legal issues not well understood
  • anonymity is easy

Internet Security Stinks

  • Hosts are hard to secure
  • Bad defaults
  • Poor software
  • Fixes rarely applied
  • Average user/administrator is clueless
  • An overly secure system is not useful
  • It’s difficult to coordinate among sites

Exploits Overview

  • Passwords
      - hacking and sniffing
  • System specific
      - NT, UNIX, NetWare, Linux
  • Application specific
      - web browser, ftp, email, finger
  • Protocol specific
      - spoofing, TCP hijacking, ICMP redirects, DNS
  • Denial of Service
      - PING of death, trinoo, tribe flood

The Process

  • Reconnaissance
  • Scanning
  • Exploit Systems
  • Keep access with backdoors/trojans
  • Use system
      - Often as a springboard
  • Cover any tracks

The Problem is Real

  • Just over a year ago...
  • ResNet/DPO
  • cgi-bin/phf
  • Oracle
  • CTI
  • Plain text

Recently...

  • We receive hundreds of probes every day
      - This weekend a single host sent at least 2000 scans to our address space for port 23
  • .kr and .tw are popular sources
  • DNS [email protected], aol.com are frequent flyers
  • ResNet students
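One way to pick a sweep like the port 23 scan mentioned above out of border-filter logs. This is an added example, not part of the original slides; the log line format, addresses, thresholds and function names are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not from the slides):
#   2000-05-13T02:14:07 DENY tcp 192.0.2.77:4312 -> 10.1.0.5:23
LINE = re.compile(r"^(?P<ts>\S+) DENY tcp (?P<src>[\d.]+):\d+ -> "
                  r"(?P<dst>[\d.]+):(?P<dport>\d+)$")

def find_scanners(lines, port=23, min_targets=5, window=timedelta(minutes=10)):
    """Return {source: peak count of distinct hosts probed on `port` inside
    any `window`} for each source whose peak reaches min_targets."""
    events = defaultdict(list)              # src -> [(time, dst), ...]
    for line in lines:
        m = LINE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue                        # malformed line or another port
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        peak, start = 0, 0
        inside = defaultdict(int)           # dst -> hits in the current window
        for when, dst in hits:
            inside[dst] += 1
            while when - hits[start][0] > window:   # slide the window forward
                old = hits[start][1]
                inside[old] -= 1
                if inside[old] == 0:
                    del inside[old]
                start += 1
            peak = max(peak, len(inside))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def sample_log():
    """Constructed sample: one sweep, one repeat telnet client, noise."""
    sweep = [f"2000-05-13T02:14:{i:02d} DENY tcp 192.0.2.77:4{i:03d} -> 10.1.0.{i}:23"
             for i in range(1, 9)]
    other = ["2000-05-13T02:15:00 DENY tcp 198.51.100.9:1025 -> 10.1.0.5:23",
             "2000-05-13T09:15:00 DENY tcp 198.51.100.9:1026 -> 10.1.0.5:23",
             "2000-05-13T02:16:00 DENY tcp 192.0.2.77:5000 -> 10.1.0.9:80",
             "not a log line"]
    return sweep + other
```

Counting distinct destinations per source, rather than raw packets, keeps one client retrying a single host from being reported as a scan; a slow sweep only shows up if the window is widened.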

Gotcha!

Password Hacking

  • Attackers can watch packets go by
  • Usually part of the attacker’s plan when compromising a host
  • One of the most common problems
  • Encryption for remote access helps
  • Note: even encrypted password files can be cracked

Denial of Service Attacks

  • A Very Difficult Problem to Solve!
  • Real World Example
      - Everyone dials 911 at the same time
      - How do you screen and more importantly, stop the bad ones?
  • Most effective when source address is spoofed

Example Distributed Denial of Service Illustrated

Viruses and Worms

  • Programs written with the intent to spread
  • Worms are very common today
      - Usually email based (e.g. ILOVEYOU)
  • Viruses infect other programs
      - Code copied to other programs (e.g. macros)
  • Requires the code to be executed
      - Proves users continue to do dumb things
      - Sometimes software is at fault too

Buffer Overflows and Weak Validation of Input

  • One of the most popular security issues
  • Popular exploits with CGI scripts
  • Regular users can gain root access
  • Can pass commands to be executed
      - e.g. Network Solutions easysteps.pl
  • Sometimes root access can be gained
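The weak-validation problem above, shown as a vulnerable lookup next to a hardened one. This is an added example, not code from the slides or from any script they name; the phonebook file, function names and allow-list pattern are hypothetical, and it assumes a system with sh and grep.

```python
import re
import subprocess
import tempfile

NAME_OK = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")   # allow-list (assumed policy)

def lookup_unsafe(name, book):
    """'Before': request data is pasted into a shell command line, so any
    shell metacharacter in `name` is interpreted by /bin/sh."""
    cmd = "grep -i " + name + " " + book
    done = subprocess.run(cmd, shell=True, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True)
    return done.stdout

def lookup_safe(name, book):
    """'After': validate against an allow-list, then pass an argument list
    with no shell, so `name` is only ever data for grep."""
    if not NAME_OK.fullmatch(name):
        raise ValueError("rejected input")
    argv = ["grep", "-i", "-F", "--", name, book]   # -F literal, -- ends options
    return subprocess.run(argv, capture_output=True, text=True).stdout

def make_sample_book():
    """Constructed phonebook file used only for this demonstration."""
    f = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    f.write("Doe, Jane  555-0100\nRoe, Richard  555-0101\n")
    f.close()
    return f.name

def demo():
    book = make_sample_book()
    hostile = "zzz; echo INJECTED #"        # constructed input, benign marker
    results = {"unsafe": lookup_unsafe(hostile, book)}
    try:
        lookup_safe(hostile, book)
    except ValueError as exc:
        results["safe"] = str(exc)
    results["normal"] = lookup_safe("doe", book)
    return results
```

The hardened version applies two independent controls: the allow-list rejects unexpected characters, and the list form of the command means nothing is ever parsed by a shell even if the allow-list is later loosened.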

Network Mapping

  • PING
  • DNS mapping (don’t need zone transfer)
      - dig +pfset=0x2020 -x 10.x.x.x
  • rpcinfo -p <hostname>
  • nmap <http://www.insecure.org/nmap/>
      - very nice!
  • Microsoft Windows is NOT immune
      - nbtstat, net commands
  • Just look around the ‘net!

Firewall Solutions

  • They help, but not a panacea
  • A network response to a host problem
      - Packet by packet examination is tough
  • Don’t forget internal users
  • Need well defined borders
  • Can be a false sense of security

Internal Security

  • Most often ignored
  • Most likely the problem
  • Disgruntled (ex-)end user
  • Curious, but dangerous end user
  • Clueless and dangerous end user

Security by Obscurity

  • Is no security at all.
  • However
      - It’s often best not to advertise unnecessarily
      - It’s often the only layer used (e.g. passwords)
      - Probably need more security

Layered Defenses

  • The belt and suspenders approach
  • Multiple layers make it harder to get through
  • Multiple layers take longer to get through
  • Basic statistics and probability apply
      - If Defense A stops 90% of all attacks and Defense B stops 90% of all attacks, you might be able to stop up to 99% of all attacks
  • Trade-off in time, money and convenience

Physical Security

  • Trash bins
  • Social engineering
  • It’s much easier to trust a face than a packet
  • Protect from the whoops
      - power
      - spills
      - the clumsy
      - software really can kill hardware

If I Were You, I’d...

  • Keep up on your host patches/fixes
  • Be very careful with email attachments
  • Disable unnecessary services
  • Use encryption (ssh) whenever possible
      - avoid telnet, ftp, pop-3 email, etc.
  • Audit often
      - keep logs, keep backups
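A small audit for the "disable unnecessary services" and "avoid telnet, ftp, pop-3" advice above, written as an added example that is not part of the original slides. It assumes listener output in the column layout of `ss -tln`; the sample text and function name are constructed for illustration.

```python
# Cleartext services named on the slide, by well-known TCP port.
CLEARTEXT = {21: "ftp", 23: "telnet", 110: "pop-3"}
LOOPBACK = ("127.", "[::1]")

def cleartext_listeners(ss_output):
    """Parse `ss -tln`-style text and return a sorted list of
    (port, service, local_address, reachable_off_host) for cleartext services."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                          # header or non-listening row
        # Local address column looks like 0.0.0.0:23, [::]:21 or *:110
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in CLEARTEXT:
            continue
        off_host = not addr.startswith(LOOPBACK)   # bound beyond loopback?
        found.add((int(port), CLEARTEXT[int(port)], addr, off_host))
    return sorted(found)

# Constructed sample in the layout `ss -tln` prints (not captured from a host).
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       32      [::]:21             [::]:*
LISTEN  0       100     127.0.0.1:110       0.0.0.0:*
LISTEN  0       10      *:80                *:*
"""
```

Listeners reported with the last field true are the ones to disable or replace first, since they accept cleartext logins from other hosts.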

A Word About Network Address Translation

  • It has no place in this talk
  • It is misunderstood and misapplied
  • It is fundamentally bad for the Internet
  • Just say NO to RFC 1918

Food For Thought

  • http://networks.depaul.edu/security/dpu.security
  • DePaul FIRST Team
  • Any further interest in security education and research?

References

  • bugtraq mailing list
  • http://www.sans.org
  • http://www.cert.org
  • http://www.cerias.perdue.edu
  • http://www.securityportal.com/lasg/
  • http://cale.cs.depaul.edu
  • http://www.securityfocus.com
  • http://www.denialinfo.com
  • http://www.enteract.com/~lspitz/pubs.html
  • http://www.robertgraham.com/pubs/
  • http://cm.bell-labs.com/who/ches/
  • http://www.research.att.com/~smb/
  • http://packetstorm.securify.com

My Information

  • Networks Group, DePaul University
  • http://condor.depaul.edu/~jkristof/
  • [email protected]
  • (312) 362-5878