Fall 2012 Badolato Presentation: When Bad Things Happen to Computer Networks
Dr. Mike O'Leary's presentation, "When Bad Things Happen to Computer Networks", presented on September 7, 2012 as part of the Badolato Distinguished Speaker Series.

Transcript

  • 1. When Bad Things Happen to Computer Networks: A demonstration of how hackers break into systems, and what we can all do to reduce our risks. Mike O’Leary, School of Emerging Technologies, Towson University. Edward V. Badolato Distinguished Speaker Series, September 7, 2012. Mike O’Leary (Towson University) When Bad Things Happen... Badolato Speaker Series 1 / 81
  • 2. Physical Attacks
      • Suppose you have physical access to a fully patched Windows 7 machine, but don’t have the password. Can you log on? Sure!
      • What happens when you press the blue and white button on the bottom left of a Windows logon screen?
      • What happens if you change that program?
  • 3. Physical Attacks - Demo
  • 4. Physical Attacks - Demo
      • Rather than boot to the hard drive, we will boot to a CD-ROM; say Backtrack 5.
      • BIOS passwords can prevent this, but physical access also lets me reset BIOS passwords, usually via jumper settings on the motherboard.
  • 5-7. Physical Attacks - Demo
  • 8. Physical Attacks - Others
      • The “Sticky Keys” feature can be attacked in the same fashion; the program is c:\Windows\System32\sethc.exe
      • To log in as a particular user (rather than as System), one can use a hex editor to modify c:\Windows\System32\msv1_0.dll. Changing two bytes in that file allows you to log on to any account without a password.
      • Kon-Boot. Boot to the CD, and let the tool do the work for you. The tool is picked up as a virus by many anti-virus tools, so careful downloading!
      • Bart’s PE
  • 9. Physical Attacks - Countermeasures
      • Protect the physical device.
      • Encrypt important data.
          • BitLocker: a Windows 7 component, but it requires Windows 7 Enterprise or Windows 7 Ultimate.
          • TrueCrypt: http://www.truecrypt.org/ Free software. Lets you encrypt a volume of files; the volume is treated as a separate hard drive in Windows. Encrypted volumes can take on any name, and can be nested.
  • 10. Physical Attacks - Countermeasures Demo
  • 11. Passwords
      • Why attack passwords? They give authenticated access, meaning that they will not trip intrusion detection systems.
      • How are passwords stored?
          • Plain text (disaster!)
          • Hashed (terrible!)
          • Salted & Hashed (Might be OK)
      • How can you attack a stored password?
          • Brute force attacks
          • Word lists
          • Rainbow tables
  • 12. Passwords
      • The speed of a brute force attack depends on the underlying hashing algorithm.
      • A PC with a high end graphics card using an older algorithm (SHA1) can try roughly one billion password guesses per second.
      • Amazon’s cloud service would let a user try roughly 100,000 passwords on 400,000 accounts each day, for a cost of roughly $350 [1].
      • m3g9tr0n claims to have cracked 122 million passwords (MD5, SHA1) in five months [2].
      • [1] http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
      • [2] http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-passwords
  • 13. Password Attacks
      • In 2009, RockYou.com was compromised, leading to the loss of 32 million passwords. These passwords were in plain text. Attackers have used this as a starting point to generate word lists.
      • In 2010, Gawker lost 1.5 million unsalted hashed passwords.
      • On June 6, LinkedIn lost 6.46 million unsalted password hashes. LinkedIn has 160 million accounts. More than 90% of these hashes have been cracked.
      • On June 6, eHarmony lost 1.5 million unsalted password hashes.
      • On July 12, Yahoo! Voices lost 400,000 plain text passwords and email addresses.
      • On July 23, Gamigo (a German gaming company) lost 11 million hashed passwords. They also lost 8.2 million email addresses.
      • On August 10, Blizzard lost an unknown number of password hashes, including all of the accounts from their North American servers. The number of Blizzard accounts runs well into the millions, just in North America.
  • 14. Password Attacks
      • Do you re-use your passwords? Could an attacker guess your account name? What would happen?
      • Ask Mat Honan. After an hour-long attack on August 3, he discovered that [3]:
          • His Google account was taken over, then wiped.
          • His Twitter account was compromised and used to spread vitriol.
          • His AppleID account was hacked.
          • All of the data on his iPhone, iPad, and MacBook was wiped.
      • Why? They wanted to use his Twitter account.
      • [3] http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
  • 15. Password Attacks - Demo
      • We can perform a live attack on a password protected service by simply trying various combinations.
      • This is often noticeable to intrusion detection systems, but if it is spread across multiple attacker machines, it is difficult to stop.
      • In this first example, we attack a simple e-commerce site.
  • 16-18. Password Attacks - Demo
  • 19. Password Attacks - Demo
      • Looking at the source, we see that the request to log in is:
          • A request made via SSL
          • Target page is http://shop.index.php
          • GET parameters include
              • main_page = login
              • action = process
              • zenid = 65dsqnj1qs9hn8h57ij6dkk22veopsul
          • POST parameters include
              • password, specified by the user
              • securityToken = d597db5e25bda24bb43c65307d9c21ca as a hidden field.
      • We build a corresponding request using Hydra.
          • We specify a list of user names (-L)
          • We specify a list of passwords (-P)
          • We specify what we expect to see in an error page (the text “Error”)
          • We specify the number of threads (-t)
          • We specify the timeout (-w)
          • We specify where we dump the results (-o)
          • We use verbose output (-vV)
  • 20. Password Attacks - Demo
  • 21. Password Attacks - Demo
      • These attacks can also be performed against domain controllers.
      • Suppose that the domain UNSEEN has the domain controller ephebe.unseen.disc.tu located at the address 192.168.1.30.
      • We again use hydra.
          • The method is now smb
          • The address is specified as well
          • Other parameters are chosen as in the previous example.
  • 22. Password Attacks - Demo
  • 23. Password Attacks - Countermeasures
      • Lots of folks have given you lots of advice on passwords:
          • Use an uncommon word
          • Include some capital letters
          • Make some substitutions, say replace an “a” with a “4”
          • Include a number
          • Include a symbol
  • 24. Password Attacks - Countermeasures. Source: http://xkcd.com/936/
  • 25. Password Attacks - Countermeasures
      • There is no substitute for length in your passwords.
          • If you are using random symbols & characters, then at least 12 characters.
          • If you use word(s), then double this.
      • Attackers already know the common tricks for making passwords more “complex”; they use wordlists and then permute them with all of these common tricks.
      • Use different passwords for different accounts.
      • How can I manage different passwords? Use PasswordSafe, a free program available at http://passwordsafe.sourceforge.net/
  • 26-29. Password Attacks - Countermeasures
  • 30. Application Attacks
      • Most computer attacks rely on software vulnerabilities.
          • These are mistakes in a program that can be exploited to violate a security policy.
          • When found, these are classified and given a common CVE name & number (http://cve.mitre.org).
          • Some vulnerabilities allow a third party access to a system.
          • Others allow a user a greater level of access to a system than intended (privilege escalation).
          • Some vulnerabilities do not require user action.
      • Vulnerabilities in the core operating system can be particularly problematic. Microsoft patches are numbered by year and patch number.
          • MS08-067 (CVE 2008-4250): Microsoft Server Service Vulnerability. Windows 2000, 2003, XP.
          • MS03-026 (CVE 2003-0352): Microsoft RPC DCOM. Affects Windows NT, 2000, 2003. Root cause of Blaster worm, Nachi worm.
  • 31. Application Attacks
      • Attackers have turned their attention to application level attacks. These focus on:
          • Web browsers
          • Active content for web browsers: Java, Flash
          • Documents: Microsoft Word, Microsoft Excel, Adobe Reader
      • Browser attacks require the user to visit a web page hosting the malicious content.
      • Document attacks require the user to open the malicious document.
  • 32. Application Attacks
      • Suppose you knew that the target was running Adobe Reader.
          • 1/2012 | CVE 2011-2462 | Adobe Reader U3D Memory Corruption | 9.4.6, 10.1.1
          • 9/2010 | CVE 2010-2883 | Adobe CoolType SING Table uniqueName Stack Buffer Overflow | 8.2.4, 9.3.4
          • 3/2010 | CVE 2010-0188 | Adobe Acrobat Bundled LibTIFF Integer Overflow | 8.2, 9.3
          • 12/2009 | CVE 2009-4324 | Adobe Doc.media.newPlayer Use After Free Vulnerability | 9.2
          • 12/2009 | CVE 2009-3459 | Adobe FlateDecode Stream Predictor 02 Integer Overflow | 9.2
          • 11/2009 | CVE 2009-2990 | Adobe U3D CLODProgressiveMeshDeclaration Array Overrun | 7.1.4, 8.1.7, 9.2
          • 3/2009 | CVE 2009-0927 | Adobe Collab.getIcon() Buffer Overflow | 7.1.1, 8.1.3, 9.1
          • 3/2009 | CVE 2009-0658 | Adobe JBIG2Decode Heap Corruption | 9.0
          • 12/2008 | CVE 2008-2992 | Adobe util.printf() Buffer Overflow | 8.1.3
  • 33. Application Attacks
      • Suppose you knew that the target was running Microsoft Office:
          • 6/2012 | CVE 2012-0013 | MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability | Word 07, 10
          • 4/2012 | CVE 2012-0158 | MS12-027 MSCOMCTL ActiveX Buffer Overflow | Word 07, 10
          • 12/2011 | CVE 2010-3333 | MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow | Word 03, 07, 10
          • 11/2011 | CVE 2010-0822 | MS11-038 Excel Malformed OBJ Record Handling Overflow | Excel 02
          • 11/2011 | CVE 2011-0105 | MS11-021 Excel .xlb Buffer Overflow | Excel 07
          • 5/2010 | CVE 2010-0033 | MS10-004 PowerPoint Viewer TextBytesAtom Stack Buffer Overflow | PowerPoint Viewer 03
          • 2/2010 | CVE 2009-3129 | MS09-067 Excel Malformed FEATHEADER Record Vulnerability | Excel 02, 03, 07
  • 34. Application Attacks
      • Suppose you knew that the target was running Adobe Flash Player:
          • 8/20/2012 | CVE 2012-1535 | Adobe Flash Player 11.3 Font Parsing Code Execution | 11.3.300.271 (8/14/2012)
          • 6/25/2012 | CVE 2012-0779 | Adobe Flash Player Object Type Confusion | 11.2.202.235 (5/3/2012)
          • 6/20/2012 | CVE 2011-2110 | Adobe Flash Player AVM Verification Logic Array Indexing Code Execution | 10.3.181.23 (11/11/2011)
          • 4/20/2012 | CVE 2008-5499 | Adobe Flash Player ActionScript Launch Command Execution Vulnerability | 10.0.12.36 (10/4/2008)
          • 3/8/2012 | CVE 2012-0754 | Adobe Flash Player .mp4 ’cprt’ Overflow | 11.1.102.55 (11/11/2011)
  • 35. Application Attacks
      • How does an application attack work?
      • Let’s demonstrate an attack based on CVE 2012-1889, MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption.
          • This is a vulnerability in how Windows handles XML, and is of critical importance for Internet Explorer.
          • Code to exploit this vulnerability was publicly released on June 15 (via Metasploit); it is likely that this vulnerability was being exploited by others privately before this time.
          • Microsoft did not patch this vulnerability until they released MS12-043, on July 10.
          • Anyone using Internet Explorer prior to the release of the patch would have been vulnerable.
  • 36. Application Attacks - Demo
      • The attacking machine will be using Backtrack 5 R3.
      • The victim machine will be a Windows 7 workstation, running Service Pack 1 (the latest), but not patched with MS12-043.
  • 37-50. Application Attacks - Demo
  • 51. Application Attacks
      • Another common attack target, especially lately, has been Java.
          • 8/27/2012 | CVE 2012-4681 | Java 7 Applet Remote Code Execution | Java 7U6
          • 7/9/2012 | CVE 2012-1723 | Java Applet Field Bytecode Verifier Cache Remote Code Execution | Java 6U32, Java 7U5
          • 3/29/2012 | CVE 2012-0507 | Java AtomicReferenceArray Type Violation Vulnerability | Java 6U30, Java 7U2
          • 11/29/2011 | CVE 2011-3544 | Java Applet Rhino Script Engine Remote Code Execution | Java 6U27, Java 7
  • 52. Application Attacks
      • We demonstrate the use of the July Java attack (CVE 2012-1723, Java Applet Field Bytecode Verifier Cache Remote Code Execution) on a system.
      • The target will be a Windows 7 machine, but this time it will not be patched up to Service Pack 1.
      • After compromising the target, we will use CVE 2010-3338 (MS10-092 Windows Escalate Task Scheduler XML Privilege Escalation), which is one of the vulnerabilities exploited by Stuxnet. This will allow us to gain full control over the system at the SYSTEM level.
      • We will grab the password hashes and crack them.
      • We will add a new administrator to the system (us!)
      • We will ensure that the system connects back to us, even if the system is subsequently rebooted.
  • 53-78. Application Attacks - Demo
  • 79. Application Attacks - Countermeasures
      • Be sure all of your software is up to date. Pay special attention to:
          • Browsers (IE, Chrome, Firefox, Safari)
          • MS Office
          • Adobe Flash, Reader
          • Java
      • Don’t install software if you do not need it! The attacks on IE succeeded in part because we leveraged the existing Java install!
  • 80. Application Attacks - Countermeasures
      • The final attack succeeded because the user:
          • Clicked on a malicious link
          • Was running an outdated version of Java
          • Was running an unpatched version of Windows
      • This attack required multiple failures in multiple places!
      • Don’t be fearful that your security posture is imperfect; instead make it difficult for an attacker to exploit you by being aware and responsive to the threats.
  • 81. Questions? Mike O’Leary, School of Emerging Technologies, Towson University, moleary@towson.edu
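
Slides 11 and 12 rank stored passwords as plain text, hashed, and salted & hashed, and note that cracking speed depends on the hash algorithm. The following Python sketch is an added example, not part of the talk: it puts an unsalted SHA1 store beside a per-account salted store and audits each for accounts that share a stored value. The use of PBKDF2-HMAC-SHA256, the record format, the iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed work factor for this sketch; tune to your hardware


def sha1_unsalted(password: str) -> str:
    """Slide 11's 'Hashed' case: one fast SHA1 pass, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """'Salted & Hashed' with a slow KDF: a fresh 16-byte salt per account."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, bad cost
        return False


def shared_hash_groups(records: dict) -> list:
    """Audit check: accounts whose stored values are byte-for-byte identical.

    Any group found means equal passwords produce equal records, which is what
    lets one word-list or rainbow-table hit unlock many accounts at once.
    """
    groups = defaultdict(list)
    for user, stored in records.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts (not from the talk).
SAMPLE = {
    "alice": "Summer2012",
    "bob": "correct horse battery staple",
    "carol": "Summer2012",
}

if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in SAMPLE.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted duplicates:", shared_hash_groups(unsalted))
    print("salted duplicates:  ", shared_hash_groups(salted))
    print("alice verifies:     ", verify_password("Summer2012", salted["alice"]))
```

Running the duplicate check against a real credential table is a quick way to tell whether per-account salting is actually in effect.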
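
Slide 15 observes that live password guessing is often noticeable to intrusion detection systems but is difficult to stop once it is spread across multiple machines. The following Python sketch is an added example, not part of the talk: it runs two detections over the same authentication log, one counting failures per source address and one counting failures per targeted account inside a sliding time window. The log format, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the talk): six sources each try "alice"
# once within about a minute; "bob" mistypes once and then logs in.
SAMPLE_LOG = """\
2012-09-07T10:00:01 src=198.51.100.1 user=alice result=FAIL
2012-09-07T10:00:09 src=198.51.100.2 user=alice result=FAIL
2012-09-07T10:00:14 src=192.0.2.10 user=bob result=FAIL
2012-09-07T10:00:20 src=198.51.100.3 user=alice result=FAIL
2012-09-07T10:00:31 src=192.0.2.10 user=bob result=OK
2012-09-07T10:00:42 src=198.51.100.4 user=alice result=FAIL
2012-09-07T10:00:55 src=198.51.100.5 user=alice result=FAIL
2012-09-07T10:01:03 src=198.51.100.6 user=alice result=FAIL
"""


def parse(log: str) -> list:
    """Return time-ordered (timestamp, src, user, result) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[1:])
        events.append((datetime.fromisoformat(parts[0]),
                       fields["src"], fields["user"], fields["result"]))
    return sorted(events)


def noisy_sources(events: list, limit: int) -> list:
    """Per-source rule: addresses with at least `limit` failed logins."""
    counts = defaultdict(int)
    for _, src, _, result in events:
        if result == "FAIL":
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= limit)


def targeted_accounts(events: list, limit: int, window: timedelta) -> dict:
    """Per-account rule: accounts with `limit` failures inside `window`,
    from any mix of sources. Returns {account: sorted source addresses}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        queue = recent[user]
        queue.append((ts, src))
        while ts - queue[0][0] > window:
            queue.popleft()  # drop failures that have aged out of the window
        if len(queue) >= limit:
            flagged.setdefault(user, set()).update(s for _, s in queue)
    return {user: sorted(srcs) for user, srcs in flagged.items()}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-source alerts: ", noisy_sources(events, limit=5))
    print("per-account alerts:", targeted_accounts(events, 5, timedelta(minutes=5)))
```

On this sample the per-source rule stays silent while the per-account rule flags alice together with every contributing address, and bob's single mistyped password triggers neither.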
