Spring 2000 John Kristoff 2
Internet 101
Telephone System
  central authority
  network in control
  billing records per connection
  legal issues well understood
  provisions for law enforcement (wiretapping)
Internet
  no central authority
  end systems in control
  no central knowledge of connections
  no per-packet billing
  legal issues not well understood
  anonymity is easy
Internet Security Stinks
Hosts are hard to secure
  Bad defaults
  Poor software
  Fixes rarely applied
  Average user/administrator is clueless
An overly secure system is not useful
It’s difficult to coordinate among sites
Exploits Overview
Passwords
  hacking and sniffing
System specific
  NT, UNIX, NetWare, Linux
Application specific
  web browser, ftp, email, finger
Protocol specific
  spoofing, TCP hijacking, ICMP redirects, DNS
Denial of Service
  PING of death, trinoo, tribe flood
The Process
Reconnaissance
Scanning
Exploit systems
Keep access with backdoors/trojans
Use system
  Often as a springboard
Cover any tracks
The Problem is Real
Just over a year ago...
  ResNet/DPO
  cgi-bin/phf
  Oracle
  CTI
  Plain text
Recently...
We receive hundreds of probes every day
  This weekend a single host sent at least 2000 scans to our address space for port 23
  .kr and .tw are popular sources
  DNS [email protected], aol.com are frequent flyers
  ResNet students
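The "single host sent 2000 scans for port 23" pattern is easy to pull out of border-filter logs once you count distinct destinations per (source, port). The following is an added example, not code from the talk: the log format, the threshold and the sample lines (documentation address ranges) are all constructed for illustration.

```python
"""Added example (not from the talk): pick scanning hosts out of border-filter log lines.

A host that touches many distinct addresses on the same port in a short window
is treated as a scanner, the pattern described on the slide.
"""
import re
from collections import defaultdict

# Constructed sample log lines in a simple deny/permit format; all addresses are
# documentation ranges and the format itself is an assumption of this example.
SAMPLE_LOG = """\
Apr 15 02:11:03 border deny tcp 203.0.113.7:4021 -> 192.0.2.1:23
Apr 15 02:11:03 border deny tcp 203.0.113.7:4022 -> 192.0.2.2:23
Apr 15 02:11:04 border deny tcp 203.0.113.7:4023 -> 192.0.2.3:23
Apr 15 02:11:04 border deny tcp 203.0.113.7:4024 -> 192.0.2.4:23
Apr 15 02:11:05 border deny tcp 203.0.113.7:4025 -> 192.0.2.5:23
Apr 15 02:11:09 border permit tcp 198.51.100.9:51000 -> 192.0.2.10:80
Apr 15 02:11:10 border permit tcp 198.51.100.9:51001 -> 192.0.2.10:80
Apr 15 02:11:12 border deny tcp 198.51.100.22:3300 -> 192.0.2.40:23
this line is not a filter record and is skipped
"""

LINE_RE = re.compile(r"(deny|permit) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return a dict with action, proto, src, dst, dport, or None for lines that do not match."""
    m = LINE_RE.search(line.rstrip())
    if m is None:
        return None
    action, proto, src, _sport, dst, dport = m.groups()
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}


def find_scanners(log_text, threshold=4):
    """Map (src, dport) -> number of distinct destinations, for sources that hit
    at least `threshold` distinct hosts on one port."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            seen[(rec["src"], rec["dport"])].add(rec["dst"])
    return {key: len(dsts) for key, dsts in seen.items() if len(dsts) >= threshold}


def report(log_text, threshold=4):
    """Human-readable lines, most active source first."""
    hits = find_scanners(log_text, threshold)
    return [f"{src} swept {n} hosts on port {port}"
            for (src, port), n in sorted(hits.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Counting distinct destinations rather than raw line count is what separates a sweep from a chatty but legitimate client: the two permit lines from 198.51.100.9 hit one host twice and never reach the threshold.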
Password Hacking
Attackers can watch packets go by
Usually part of the attacker’s plan when compromising a host
One of the most common problems
Encryption for remote access helps
Note: even encrypted password files can be cracked
Denial of Service Attacks
A Very Difficult Problem to Solve!
Real World Example
  Everyone dials 911 at the same time
  How do you screen and, more importantly, stop the bad ones?
Most effective when source address is spoofed
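Because flooding is most effective with forged sources, one network-side answer is to drop, at each edge interface, packets whose source address could not legitimately originate behind that interface (the approach later written up as RFC 2827 / BCP 38). The block below is an added example and not part of the talk; the interface names, prefixes and packet sample are constructed.

```python
"""Added example (not from the talk): ingress filtering of spoofed source addresses.

A packet is dropped when its source address cannot live behind the interface
it arrived on. Everything in INTERFACE_PREFIXES and SAMPLE_PACKETS is constructed.
"""
import ipaddress
from collections import Counter

# Constructed edge interfaces and the prefixes legitimately sourced behind each.
INTERFACE_PREFIXES = {
    "campus": [ipaddress.ip_network("192.0.2.0/24")],
    "resnet": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}


def is_spoofed(interface, src):
    """True when `src` cannot live behind `interface` according to INTERFACE_PREFIXES."""
    try:
        prefixes = INTERFACE_PREFIXES[interface]
    except KeyError:
        raise ValueError(f"unknown ingress interface {interface!r}") from None
    addr = ipaddress.ip_address(src)
    return not any(addr in prefix for prefix in prefixes)


def filter_packets(packets):
    """packets: iterable of (interface, src, dst) tuples.

    Returns (forwarded, dropped, drops_by_interface) so an operator sees both
    what got through and which edge is emitting forged sources."""
    forwarded, dropped = [], []
    drops_by_interface = Counter()
    for interface, src, dst in packets:
        if is_spoofed(interface, src):
            dropped.append((interface, src, dst))
            drops_by_interface[interface] += 1
        else:
            forwarded.append((interface, src, dst))
    return forwarded, dropped, dict(drops_by_interface)


# Constructed traffic sample: two legitimate packets and a small flood with forged sources.
SAMPLE_PACKETS = [
    ("campus", "192.0.2.44", "203.0.113.10"),
    ("resnet", "198.51.100.200", "203.0.113.10"),
    ("resnet", "10.9.9.9", "203.0.113.10"),
    ("resnet", "192.0.2.44", "203.0.113.10"),   # a campus address arriving from resnet
    ("resnet", "203.0.113.99", "203.0.113.10"),
]

if __name__ == "__main__":
    fwd, drp, by_if = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}, drops by interface {by_if}")
```

The per-interface drop counter is the operationally useful part: it tells you which edge the forged packets are entering from, which is exactly the information a spoofed flood otherwise hides.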
Viruses and Worms
Programs written with the intent to spread
Worms are very common today
  Usually email based (e.g. ILOVEYOU)
Viruses infect other programs
  Code copied to other programs (e.g. macros)
  Requires the code to be executed
Proves users continue to do dumb things
Sometimes software is at fault too
Buffer Overflows and Weak Validation of Input
One of the most popular security issues
Popular exploits with CGI scripts
  Regular users can gain root access
  Can pass commands to be executed
  e.g. Network Solutions easysteps.pl
  Sometimes root access can be gained
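The "can pass commands to be executed" problem in CGI scripts comes from splicing a request parameter into a shell command line. Below is an added example, not code from the talk or from any named script: a vulnerable pattern, the partial fix of calling without a shell, and the hardened form that also validates against an allow-list. The command (echo), the parameter meaning (a hostname) and the validation rule are assumptions of this example.

```python
"""Added example (not from the talk): a CGI-style command-injection pattern beside a hardened form.

'echo' stands in for whatever external program the script would really call;
the hostname rule is an assumption of this example.
"""
import re
import subprocess

# Allow-list for the one thing the parameter is supposed to be: a hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def run_vulnerable(user_value):
    """Anti-pattern: the request parameter is spliced into a shell command line.
    The shell parses metacharacters such as ';', so the user chooses what runs."""
    result = subprocess.run("echo " + user_value, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_without_shell(user_value):
    """Partial fix: an argv list means no shell ever parses the value. The bytes
    still reach the program unchanged, so validation is still wanted."""
    result = subprocess.run(["echo", user_value], capture_output=True, text=True)
    return result.stdout


def validate_hostname(user_value):
    """Reject anything that is not a plain hostname before it goes near a command."""
    if not HOSTNAME_RE.match(user_value):
        raise ValueError("parameter is not a hostname")
    return user_value


def run_hardened(user_value):
    """Validate against an allow-list, then call without a shell."""
    return run_without_shell(validate_hostname(user_value))


if __name__ == "__main__":
    crafted = "x; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(crafted)))
    print("no shell:  ", repr(run_without_shell(crafted)))
    try:
        run_hardened(crafted)
    except ValueError as exc:
        print("hardened:   rejected,", exc)
```

The two fixes address different things: the argv list stops the shell from interpreting the value, and the allow-list stops values that the called program itself might misinterpret. A script running with more privilege than the web user (the root-access case on the slide) needs both.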
Network Mapping
PING
DNS mapping (don’t need zone transfer)
  dig +pfset=0x2020 -x 10.x.x.x
rpcinfo -p <hostname>
nmap <http://www.insecure.org/nmap/>
  very nice!
Microsoft Windows is NOT immune
  nbtstat, net commands
Just look around the ‘net!
Firewall Solutions
They help, but not a panacea
A network response to a host problem
Packet by packet examination is tough
Don’t forget internal users
Need well defined borders
Can be a false sense of security
Internal Security
Most often ignored
Most likely the problem
Disgruntled (ex-)end user
Curious, but dangerous end user
Clueless and dangerous end user
Security by Obscurity
Is no security at all.
However
  It’s often best not to advertise unnecessarily
  It’s often the only layer used (e.g. passwords)
  Probably need more security
Layered Defenses
The belt and suspenders approach
Multiple layers make it harder to get through
Multiple layers take longer to get through
Basic statistics and probability apply
  If Defense A stops 90% of all attacks and Defense B stops 90% of all attacks, you might be able to stop up to 99% of all attacks
Trade-off in time, money and convenience
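The 99% figure is the independent-layers case: an attack gets through only if every layer misses it, so two 90% layers leave 0.1 x 0.1 = 1% through. The block below is an added example, not from the talk. It goes a little beyond the slide by also giving the bounds when layers are correlated, which is why the slide says "up to": if both layers miss the same attacks, the pair is no better than one of them.

```python
"""Added example (not from the talk): the arithmetic behind "up to 99%".

Treating each layer's stop rate as an independent probability gives the
slide's figure; stop_rate_bounds goes beyond the slide to show what happens
when layers fail on the same attacks.
"""
from math import prod


def combined_stop_rate(rates):
    """Stop rate of independent layers: an attack gets through only if every layer misses it."""
    for r in rates:
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"stop rate out of range: {r}")
    return 1.0 - prod(1.0 - r for r in rates)


def stop_rate_bounds(rates):
    """(worst, best) over all possible correlations between the layers.

    Worst: every layer misses the same attacks, so the combination is only as
    good as its best single layer. Best: the misses do not overlap at all, so
    the stop rates add (capped at 1)."""
    return max(rates), min(1.0, sum(rates))


def layers_needed(target, rate):
    """Fewest identical independent layers with stop rate `rate` that reach `target`."""
    if not 0.0 < rate < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("rate must be in (0,1) and target in [0,1)")
    n = 0
    while combined_stop_rate([rate] * n) < target:
        n += 1
    return n


if __name__ == "__main__":
    print(f"A and B independent: {combined_stop_rate([0.9, 0.9]):.2%}")
    print(f"bounds (worst, best): {stop_rate_bounds([0.9, 0.9])}")
    print(f"layers of 90% needed for 99.5%: {layers_needed(0.995, 0.9)}")
```

The practical reading: stacking a second copy of the same control (two signature-based filters fed the same signatures) sits near the worst-case bound, while controls that fail for different reasons (a patch regime plus a border filter plus host logging) are the ones that approach the independent figure. That is the trade-off line on the slide: each extra layer of a different kind costs time, money and convenience.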
Physical Security
Trash bins
Social engineering
  It’s much easier to trust a face than a packet
Protect from the whoops
  power
  spills
  the clumsy
  software really can kill hardware
If I Were You, I’d...
Keep up on your host patches/fixes
Be very careful with email attachments
Disable unnecessary services
Use encryption (ssh) whenever possible
  avoid telnet, ftp, pop-3 email, etc.
Audit often
  keep logs, keep backups
A Word About Network Address Translation
It has no place in this talk
It is misunderstood and misapplied
It is fundamentally bad for the Internet
Just say NO to RFC 1918
Food For Thought
http://networks.depaul.edu/security/dpu.security
DePaul FIRST Team
Any further interest in security education and research?
References
bugtraq mailing list
http://www.sans.org
http://www.cert.org
http://www.cerias.perdue.edu
http://www.securityportal.com/lasg/
http://cale.cs.depaul.edu
http://www.securityfocus.com
http://www.denialinfo.com
http://www.enteract.com/~lspitz/pubs.html
http://www.robertgraham.com/pubs/
http://cm.bell-labs.com/who/ches/
http://www.research.att.com/~smb/
http://packetstorm.securify.com
My Information
Networks Group, DePaul University
http://condor.depaul.edu/~jkristof/
[email protected]
(312) 362-5878