SEC835 Major types of attacks

Page 1: SEC835 Major types of attacks. Application architecture Components, or building blocks, that perform certain functionality Business logic implementation

SEC835

Major types of attacks


Application architecture

Components, or building blocks, that perform certain functionality

Business logic implementation

Persistent data store

Middleware

Communication interfaces (GUI, API)

Communication channels (Internet, LAN, WAN)

Communication protocols


Communication Protocol

Communication protocol – the set of standard rules for data representation (data structure and data formats), signalling, authentication, and error handling that are used to transport data over the network. Data is usually sent in packets, and each packet contains both service data and payload data.

Communication protocols (cont.) – Internet:

IP – internet level protocol used to establish connection between a sender and a receiver

TCP – transport level protocol used to transmit data over the network

TCP/IP uses the handshaking mechanism to establish a session

HTTP – application level protocol used to present data for the browser

Communication protocols – UDP (User Datagram Protocol)

• Another transport level protocol used to transfer data

• UDP does not use a handshaking mechanism; it is simpler but less reliable

• Use of UDP requires prior arrangement of sessions and error checking, normally provided by the application

• An application level protocol is required to present data semantics, e.g. a VoIP protocol

Target of attacks – Data

In memory, in transit, in store

Exploit vulnerabilities of: interfaces, communication protocols, data storage, programs

As a result, technology components also become a target of attacks

Microsoft classification of methods of attacks

A well-known classification method for attacks is STRIDE*, which stands for:

S – Spoofing

T – Tampering

R – Repudiation

I – Information disclosure

D – Denial of service

E – Elevation of privileges

* From Threat Modeling, by Frank Swiderski and Window Snyder.

Real life attacks

Each real life attack is a logical combination of different techniques and methods. The most frequent and dangerous types of attacks:

Denial of Service (DoS)

Impersonation

Malicious code planted

Social engineering

History of attacks

Classical attacks are network based, i.e. they exploit network vulnerabilities

Later, attacks based on insecure coding were developed

The same attacks can now be performed by exploiting security holes in the code

Examples: DoS, Impersonation

Attacks – Denial of Service (DoS), network based

Mechanism – to overload a specific computer (most often a server) with data, so that it cannot process it fast enough to keep up.

Evidences – system crash or reboot, drop in available Internet bandwidth, drain on a specific resource, such as the system's processor

Attacks – Denial of Service (DoS)

Implementations

Ping flood – exploits ICMP by sending an enormous number of ping requests to a victim that cannot handle them

SYN flood – exploits the TCP three-way handshake. The source sends a flood of SYN requests but never sends the final acknowledgement, thus creating half-open TCP sessions. Connection to the computer gets blocked

Land – exploits OS behaviour in respect to TCP/IP stacks. The attacker spoofs a TCP/IP SYN packet to the victim with the same source and destination IP address and ports. This confuses the system as it tries to respond
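To make the half-open-session mechanism behind the SYN flood and the Land signature concrete, here is an added Python model (not part of the original slides) of the server side of the three-way handshake with a bounded backlog and a half-open timeout. The IP addresses, port numbers, backlog size and timeout are constructed values chosen for the demonstration.

```python
"""Toy model of the TCP three-way handshake on the server side, used to show
how half-open sessions accumulate under a SYN flood and how a Land-style
segment is recognised. Addresses and ports are constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


@dataclass
class Listener:
    """Server socket with a bounded queue of half-open (SYN-RECEIVED) sessions."""
    ip: str
    port: int
    backlog: int = 8
    half_open: dict = field(default_factory=dict)   # peer -> time its SYN arrived
    established: set = field(default_factory=set)
    evidence: list = field(default_factory=list)    # what a monitoring tool would log

    def receive(self, seg: Segment, now: float) -> str:
        peer = (seg.src_ip, seg.src_port)
        # Land signature: source and destination address and port are identical.
        if seg.src_ip == seg.dst_ip and seg.src_port == seg.dst_port:
            self.evidence.append(f"land pattern from {seg.src_ip}:{seg.src_port}")
            return "DISCARD"
        if seg.syn and not seg.ack:                      # step 1: client SYN
            if len(self.half_open) >= self.backlog:
                # Queue full: the SYN-flood effect, new clients cannot connect.
                self.evidence.append(f"backlog full, SYN from {seg.src_ip} dropped")
                return "DROP"
            self.half_open[peer] = now
            return "SYN-ACK"                             # step 2: server SYN-ACK
        if seg.ack and not seg.syn:                      # step 3: client ACK
            if self.half_open.pop(peer, None) is None:
                return "RST"                             # ACK for no known handshake
            self.established.add(peer)
            return "ESTABLISHED"
        return "IGNORE"

    def expire(self, now: float, timeout: float) -> int:
        """Reap half-open entries older than timeout; returns the number reaped."""
        stale = [p for p, t in self.half_open.items() if now - t > timeout]
        for p in stale:
            del self.half_open[p]
        return len(stale)


def simulate_syn_flood(backlog: int = 8, flood_sources: int = 20) -> dict:
    """Run one legitimate handshake, then a flood of never-completed SYNs."""
    srv = Listener("10.0.0.5", 80, backlog=backlog)
    good = ("198.51.100.7", 40001)
    srv.receive(Segment(*good, srv.ip, srv.port, syn=True), now=0.0)
    srv.receive(Segment(*good, srv.ip, srv.port, ack=True), now=0.1)
    # Constructed flood: many SYNs from distinct sources, none followed by an ACK.
    for i in range(flood_sources):
        flood = Segment(f"203.0.113.{i + 1}", 5000 + i, srv.ip, srv.port, syn=True)
        srv.receive(flood, now=1.0)
    peak = len(srv.half_open)
    # A second legitimate client now finds the queue full.
    late = srv.receive(Segment("198.51.100.8", 40002, srv.ip, srv.port, syn=True), now=2.0)
    # A Land-style segment addressed from the server to itself is discarded.
    land = srv.receive(Segment(srv.ip, srv.port, srv.ip, srv.port, syn=True), now=2.0)
    # Expiring stale half-open entries drains the queue so handshakes resume.
    reaped = srv.expire(now=10.0, timeout=5.0)
    recovered = srv.receive(Segment("198.51.100.8", 40002, srv.ip, srv.port, syn=True), now=10.0)
    return {
        "established": len(srv.established),
        "half_open_peak": peak,
        "late_client": late,
        "land": land,
        "reaped": reaped,
        "recovered": recovered,
        "evidence": srv.evidence,
    }


if __name__ == "__main__":
    for name, value in simulate_syn_flood().items():
        print(name, value)
```

Running it shows the sequence the slide describes: one client completes all three steps, the flood fills the backlog so the next legitimate SYN is dropped, and once stale half-open entries are reaped the handshake succeeds again. The `evidence` list is what a monitoring tool would surface: dropped SYNs and the self-addressed Land pattern.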


TCP Connection Handshake

DoS (continued)

Implementations

Teardrop – exploits a User Datagram Protocol (UDP) behaviour in the TCP/IP stack. The attacker sends fragmented packets with odd offset values in subsequent packets. When the system attempts to rebuild the packet, fragments overwrite each other, causing confusion.

Network DoS Attack Defenses

Defense has been provided mostly at the system (not application) level

System monitoring tools

Firewalls

Denial of service (cont.)

Impact from the application – a resource may be incapacitated by exploiting application security holes, e.g. the DB is not available because the ODBC parameters were changed

Other application related issues are described in the following article

Study the example

http://www.owasp.org/index.php/Denial_of_Service

Lab 2 starts – Task 1

List and comment in your own words on the software weaknesses you have discovered

Store your results on your personal drive

Impersonation

With this attack a legitimate user is replaced by an attacker

It may also apply to network or software components, e.g. a legitimate web page is replaced with a fraudulent one.

Practical implementations come in different flavours


Masquerading (impersonation)

Spoofing

Session hijacking

Man-in-the-middle

Replay

Spoofing

Mechanism – spoofing the network address of the source by changing a packet header. It can mimic even an internal IP address. The destination computer is confused. Trusted relationships on Unix can be easily exploited

Evidences – incoming external packets with internal IPs

Samples – often used by hackers to hide their identity

Mitigating – firewalls or router filtering
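The "firewalls or router filtering" mitigation above amounts to checking a packet's source address against the interface it arrived on. The following added Python example (not from the slides) applies that rule in both directions: ingress filtering on the external interface, and egress filtering on the internal one so the site's own hosts cannot send with a foreign source. The interface names, internal prefixes and sample packets are constructed assumptions.

```python
"""Interface-aware source-address filtering, the check behind the slide's
'firewalls or router filtering' mitigation. Networks, interface names and
packets are constructed sample values."""
import ipaddress
from dataclasses import dataclass

# Prefixes this site considers internal (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # "wan" faces the Internet, "lan" faces the internal network
    src: str
    dst: str


def is_internal(addr) -> bool:
    # ipaddress returns False for a version mismatch, so IPv6 sources are safe here.
    return any(addr in net for net in INTERNAL_NETS)


def decide(pkt: Packet):
    """Return ("ACCEPT" | "DROP", reason). Drop reasons are the evidence a log would keep."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        # A filter that crashes on a malformed header field is itself a DoS point.
        return "DROP", f"unparseable source address {pkt.src!r}"
    if pkt.iface == "wan":
        # Ingress filtering: nothing arriving from outside may claim an inside address.
        if is_internal(src):
            return "DROP", f"ingress: internal source {src} on external interface"
        if src.is_loopback or src.is_unspecified or src.is_multicast or src.is_link_local:
            return "DROP", f"ingress: bogon source {src}"
    elif pkt.iface == "lan":
        # Egress filtering: inside hosts may not send with a non-internal source.
        if not is_internal(src):
            return "DROP", f"egress: non-internal source {src} leaving via lan"
    return "ACCEPT", ""


def audit(packets) -> dict:
    """Apply decide() to a batch and summarise it the way a monitoring report would."""
    decisions = [decide(p) for p in packets]
    reasons = [reason for verdict, reason in decisions if verdict == "DROP"]
    return {"total": len(packets), "dropped": len(reasons), "reasons": reasons}


SAMPLE_PACKETS = [                                  # constructed traffic mix
    Packet("wan", "203.0.113.9", "10.0.0.5"),       # ordinary inbound request
    Packet("wan", "10.0.0.7", "10.0.0.5"),          # inside address claimed from outside
    Packet("wan", "127.0.0.1", "10.0.0.5"),         # bogon source
    Packet("lan", "10.0.0.7", "203.0.113.9"),       # ordinary outbound request
    Packet("lan", "198.51.100.3", "203.0.113.9"),   # inside host using a foreign source
    Packet("wan", "not-an-ip", "10.0.0.5"),         # malformed header field
]

if __name__ == "__main__":
    for reason in audit(SAMPLE_PACKETS)["reasons"]:
        print("DROP", reason)
```

The dropped-packet reasons are exactly the evidence the slide lists: an external packet claiming an internal IP. The egress rule is the half that is most often forgotten, and it is what keeps a site from being the origin of spoofed traffic aimed at others.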

TCP/IP session hijacking

Goal – to hijack a TCP session after authentication

Mechanism – built to intercept communication and direct it to a spoofed address

Evidences – practically none. There can be just a short interruption in communication

Sample – a complex tool involving traffic monitoring, spoofing and DoS. By monitoring the traffic, an attacker determines the IP address of a participant. Then, through DoS, communication is interrupted and then resumed by spoofing the IP address of the disconnected user. The other user is tricked into thinking they are still communicating with the right address

Mitigating – strong encryption

Man-in-the-Middle

Mechanism – a form of hijack attack. A person interposes in the communication, listening to the information. Needs some tools to implement – a sniffer, special programs capable of intercepting packets

Different from sniffing because this is not only sniffing, but also acting as a communication partner

Evidences – none

Samples – often used in Telnet and wireless communication

Mitigating – sophisticated encryption mechanisms. Protect access to routers, wiring closets, switches, DNS servers

Replay

Mechanism – an unauthorized user captures an encrypted and password protected communication, breaks it, and later starts acting as the original sender.

Evidences – none

Samples – often happens with authentication systems that issue authentication tickets, such as Kerberos.

Mitigating – implement time stamps or sequence numbers checked by the authenticating system
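The time-stamp and sequence-number mitigation can be seen end to end in this added Python exchange (example code, not from the course material): a sender signs each message with an HMAC over its sequence number and timestamp, and the verifier rejects anything that fails the MAC, falls outside the freshness window, or reuses a sequence number. The shared key, sender name and message contents are constructed.

```python
"""Message authentication with a timestamp window and per-sender sequence
numbers, the two replay mitigations the slide names. The key, sender name
and message contents are constructed sample values."""
import hashlib
import hmac
import json


def _mac(key: bytes, msg: dict) -> str:
    # Canonical JSON so sender and verifier hash byte-identical input.
    body = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Sender:
    """Attaches a monotonically increasing sequence number and a MAC to each message."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seq = name, key, 0

    def send(self, payload: dict, ts: float) -> dict:
        msg = {"sender": self.name, "seq": self.seq, "ts": ts, **payload}
        self.seq += 1
        return {**msg, "mac": _mac(self.key, msg)}


class Verifier:
    """Accepts a message only if it is authentic, fresh, and not seen before."""
    def __init__(self, key: bytes, window: float = 30.0):
        self.key, self.window = key, window
        self.last_seq = {}          # sender -> highest sequence number accepted

    def accept(self, msg: dict, now: float):
        fields = {k: v for k, v in msg.items() if k != "mac"}
        # 1. Authenticity first, so forged or tampered messages cannot touch state.
        if not hmac.compare_digest(msg.get("mac", ""), _mac(self.key, fields)):
            return False, "bad MAC"
        # 2. Freshness: a captured message is useless once the window has closed.
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        # 3. Uniqueness: inside the window, a repeated or older seq is rejected.
        if msg["seq"] <= self.last_seq.get(msg["sender"], -1):
            return False, "sequence number already used"
        self.last_seq[msg["sender"]] = msg["seq"]
        return True, "ok"


def run_exchange() -> list:
    """Legitimate traffic interleaved with the replays a captured stream allows."""
    key = b"constructed-shared-secret"
    alice, server = Sender("alice", key), Verifier(key)
    results = []
    m1 = alice.send({"action": "transfer", "amount": 100}, ts=1000.0)
    results.append(server.accept(m1, now=1001.0))        # genuine, accepted
    results.append(server.accept(m1, now=1002.0))        # captured copy replayed at once
    m2 = alice.send({"action": "transfer", "amount": 50}, ts=1000.0)
    results.append(server.accept(m2, now=1100.0))        # replayed long after capture
    m3 = alice.send({"action": "transfer", "amount": 20}, ts=1200.0)
    tampered = {**m3, "amount": 2000}
    results.append(server.accept(tampered, now=1201.0))  # altered in transit
    results.append(server.accept(m3, now=1201.0))        # the untouched original
    return results


if __name__ == "__main__":
    for ok, why in run_exchange():
        print("accepted" if ok else "rejected", why)
```

The check order matters: authenticity is verified before any state is touched, so a forged message cannot advance the sequence counter. The timestamp window bounds how long a captured message stays usable, and the per-sender sequence number closes the gap inside that window; both sides need roughly synchronised clocks, and the verifier's `last_seq` state must survive restarts or a replay becomes possible again.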

Masquerading attacks defence

Defences must be provided at both system and application level

System level – IDS

Application level:

Strong authentication

Strong session management

Encryption

Sniffing

The attacker gains access to the network using a utility or device that intercepts network packets

Practically no evidence of attack

Both traditional and wireless networks are vulnerable

Mitigating – strong encryption

Password Attacks

Mechanisms

Brute force – simply trying to guess through repeated attempts

Dictionary – using words from a dictionary

Social engineering – an attacker tricks a victim into telling the password

Protection – the minimum is to set up a password protection policy that specifies at least password length (not less than 6 characters), required complexity, periodical changes, and locking the account after 3-5 unsuccessful attempts. More complex authentication systems also apply
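The password policy on this slide can be turned into code directly. The added Python example below (not from the slides) enforces the stated minimum length of 6, a complexity requirement, periodic change, and lockout after 5 failed attempts, and also screens candidates against a small dictionary, since the dictionary attack is listed as a mechanism. The thresholds, wordlist and account records are constructed assumptions; the 6-character floor is kept as the default only to match the slide's text.

```python
"""Checks for the password-protection policy the slide describes: minimum
length, required complexity, periodic change, and lockout after repeated
failures. Thresholds, the wordlist and the accounts are constructed values."""
from dataclasses import dataclass

# Small constructed wordlist standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}


@dataclass
class PasswordPolicy:
    min_length: int = 6           # the slide's floor; set higher in practice
    min_classes: int = 3          # of: lower, upper, digit, symbol
    max_age_days: int = 90        # "periodical changes"
    max_failures: int = 5         # lock after 3-5 unsuccessful attempts
    lockout_seconds: float = 900.0


def password_violations(pw: str, policy: PasswordPolicy) -> list:
    """Return every rule the candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < policy.min_classes:
        problems.append(f"only {classes} character classes, need {policy.min_classes}")
    # Dictionary check: strip digits/symbols so "Summer2024!" still matches "summer".
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


@dataclass
class Account:
    password_set_at: float        # seconds since epoch (constructed)
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """Login gate with failure counting and temporary lockout."""
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts = {}

    def login(self, name: str, credential_ok: bool, now: float) -> str:
        acct = self.accounts[name]
        if now < acct.locked_until:
            return "LOCKED"                   # refuse without counting: no feedback while locked
        if not credential_ok:
            acct.failures += 1
            if acct.failures >= self.policy.max_failures:
                acct.locked_until = now + self.policy.lockout_seconds
                acct.failures = 0
                return "LOCKED"
            return "FAIL"
        acct.failures = 0
        if now - acct.password_set_at > self.policy.max_age_days * 86400:
            return "OK_CHANGE_REQUIRED"       # periodic change enforced at login
        return "OK"


def demo() -> dict:
    policy = PasswordPolicy()
    auth = Authenticator(policy)
    auth.accounts["bob"] = Account(password_set_at=0.0)
    auth.accounts["carol"] = Account(password_set_at=100 * 86400.0)
    attempts = [auth.login("bob", False, now=float(t)) for t in range(5)]  # 5 wrong guesses
    locked = auth.login("bob", True, now=6.0)                              # correct, but locked
    after = auth.login("bob", True, now=6.0 + policy.lockout_seconds)      # lockout expired
    stale = auth.login("carol", True, now=200 * 86400.0)                   # password 100 days old
    return {"attempts": attempts, "locked": locked, "after": after, "stale": stale,
            "weak": password_violations("summer", policy),
            "strong": password_violations("Tq7#pLm2x!", policy)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Lockout refuses even a correct credential until the window expires and does not count attempts during it, so a guesser gets no feedback while locked out. The dictionary check strips digits and symbols before comparing, which is what catches the common "word plus year" pattern that satisfies a naive complexity rule.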


Lab 2 continuing

http://webappsec.pbworks.com/Credential-and-Session-Prediction

http://webappsec.pbworks.com/Content-Spoofing


Malicious code planting

Malicious Software

programs exploiting system vulnerabilities, known as malicious software or malware

program fragments that need a host program

• e.g. viruses, logic bombs, and backdoors

independent self-contained programs

• e.g. worms, bots

replicating or not

sophisticated threat to computer systems

Malware Types

Virus

Worm

Logic bomb

Trojan horse

Backdoor (trapdoor)

Mobile code

Auto-rooter Kit (virus generator)

Spammer and Flooder programs

Keyloggers

Rootkit

Zombie, bot

Malicious Code - Viruses

Viruses – computer programs that replicate themselves by attaching themselves to other files. The virus activates itself when the file is opened or executed

Types of viruses

Boot Sector – infects the boot sector. Ways of infecting – booting a computer from a disk containing the virus. Repairing – boot from a clean floppy and run anti-virus software

Companion – disguises itself as a program with some valid name but a different extension, e.g. replaces program.exe with program.com. Typically runs the real program after the virus, so the system seems to perform normally

File Infectors – generally have the extensions .com or .exe. Sometimes overwrite the original code, which results in its complete destruction

Macro – typically attached to MS Office files and executed by MS Office applications. Can perform malicious operations. Infects other files and standard templates

Viruses (continued)

Types of viruses

Memory resident – attached to a program, reveals itself at runtime and infects all other programs and files that are in memory at the same time

Polymorphic – capable of recompiling itself into a new form, thus the code is different for each infection. It is difficult to detect

Stealth – hides itself by encrypting its code, making it difficult to detect. When a stealth virus infects, it takes over system functions that read files. Later, upon an attempt to read the file, the stealth virus reports that the original file is there. In reality the original data is gone.

Metamorphic – as with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behaviour as well as their appearance.


Viruses Program File Types

.bat, contains a series of commands to execute

.com, MS DOS command file

.doc, extension of MS Word

.dll, a library of executable functions or data

.exe, executable file

.html, html code that can be read by web browser

.mdb, MS Access database extension

.scr, Windows screen savers

.vbs, extension of MS Visual Basic scripting

.xls, extension of MS Excel spreadsheet

.zip, extension used to compress files

Virus Countermeasures

Antivirus software installed

prevention – ideal solution but difficult

realistically need:

detection, identification, removal

if detected but can't be identified or removed, must discard and replace the infected program

Worms

replicating program that propagates over the net

using email, remote exec, remote login

has phases like a virus: dormant, propagation, triggering, execution

propagation phase: searches for other systems, connects to them, copies itself to them and runs

may disguise itself as a system process

implemented by Xerox Palo Alto labs in the 1980's

Famous Worm Attacks

Code Red

July 2001, exploiting an MS IIS bug

probes random IP addresses, does DDoS attack

consumes significant net capacity when active

Code Red II variant includes a backdoor

SQL Slammer

early 2003, attacks MS SQL Server

compact and very rapid spread

Mydoom

mass-mailing e-mail worm that appeared in 2004

installed a remote access backdoor in infected systems

Worm Technology

Multiplatform – newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX

Multi-exploit – new worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications.

Ultrafast spreading

Polymorphic

Metamorphic

Transport vehicles – because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial of service bots.

Zero-day exploit – to achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

Worm Countermeasures

Overlaps with anti-virus techniques

Rootkits

set of programs installed for admin access

malicious and stealthy changes to host O/S

may hide its existence by subverting report mechanisms on processes, files, registry entries etc.

may be: persistent or memory-based; user or kernel mode

installed by a user via a trojan, or by an intruder on the system

range of countermeasures needed

Trojan Horses

Program that hides on a computer system until called to perform a certain task. Masks itself as a normal program. Usually can be downloaded from the Internet or extracted from an email attachment

The Trojan is secretly installed on the computer to capture data or provide unauthorized access for a remote user

Example – NetBus, takes control over the computer

Protection – a firewall can detect suspicious traffic that belongs to a Trojan

Logic Bombs

Hides in the system until some particular event happens.

Usually appears as the result of malicious actions of software developers

Can do serious damage to the system or data

Protection – examine source code

Back Door

Mechanism – coded by the programmer during development, so that at a later time they can break into the system without authentication. Often runs as a service and uses a specific port. Typically installed as a Trojan horse as a part of another software package

Evidences – nothing visible immediately. Can be detected by specialized tools only, such as port scanning, firewall, anti-virus

Samples – Simpsons (deletes files from the computer), NetBus (takes control over the infected computer)

Mitigating – any tools capable of discovering malicious code or identifying suspicious behaviour, scanning tools, firewalls.
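Since a back door typically listens on a specific port, one of the specialized checks the slide mentions is to compare a host's listening sockets against an approved baseline. The added Python example below (not from the slides) parses constructed `netstat -an`-style output and reports any listener the baseline does not cover. The sample output, the baseline and the port numbers are constructed assumptions.

```python
"""Compare the listening sockets a host reports against an approved baseline
and flag unexpected listeners. The netstat-style lines, the baseline and the
port numbers are constructed sample values."""
import re

# Constructed sample output in the shape of `netstat -an` on Windows
# (Proto, Local Address, Foreign Address, State).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:40321          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49731         203.0.113.9:443        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Approved baseline for this host role (constructed): proto -> allowed ports.
BASELINE = {"TCP": {135, 445}, "UDP": {137}}

# Proto, local ip:port, foreign address, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_listeners(text: str) -> list:
    """Return (proto, local_ip, port) for every listening TCP socket and every UDP socket."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # header or unrecognised line
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                    # established/time-wait sockets are not services
        out.append((proto, ip, int(port)))
    return out


def unexpected_listeners(text: str, baseline: dict) -> list:
    """Listeners absent from the baseline; each is a lead to map to a process and binary."""
    return [(proto, ip, port) for proto, ip, port in parse_listeners(text)
            if port not in baseline.get(proto, set())]


if __name__ == "__main__":
    for proto, ip, port in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"unexpected listener: {proto} {ip}:{port}")
```

A hit is only a lead: a newly installed legitimate service shows up here too, so the next step is to map the port to its owning process and binary. Running the comparison on a schedule and keeping the history is what turns a one-off scan into the detection the slide describes.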

Evidences of being infected

Abnormal behaviour of well known systems

Unknown registry entries

Memory quickly eaten by some program

Data files cannot be opened

Slow communication


Malware protection

Both system and application level

Study the examples

Connect to http://www.owasp.org/index.php/Man-in-the-browser_attack

Read the article

Write a short essay that explains the role of Trojan horse code in implementing the attack

Read the article http://www.owasp.org/index.php/Trojan_Horse

Give an example of how a Trojan horse may be injected into your computer. In your opinion, what is the most common way to inject the code?

Social engineering

Attack that plays on human behaviour. Crafted specifically to mislead users and make them disclose confidential data

Examples – phishing emails, telephone calls

Protection

Educate users

Non-repudiation acts (secure phrases, words, etc.)

Summary of protection mechanisms against attacks

To protect you need:

Policy of system usage (email, Internet)

Strong password policy

Firewalls

Routers and other technical controls

Physical security

But still, you cannot rest assured that your messages are not intercepted

That's why you need them encrypted

Security advisors

The list of companies who publish advisories on new vulnerabilities or new types of attacks. They also advise ways of protection or workarounds

Cert Advisory www.cert.org

X-Force http://xforce.iss.net

SANS www.sans.org

An anti-phishing service is provided by www.cyveillance.com

They will monitor whether your brand name is used to organize a phishing attack