Network Security           Intruders and Viruses                 Hofstra University – Network05/01/06                     ...
Password Management Part Two - Cracking           Hofstra University – Network05/01/06                                  2 ...
Intrusion TechniquesObjective: Gain access to a systemFrequent Goal: Acquiring a userpasswordMost systems have a file that...
Password Learning              Techniquesg    1. Try default passwords used with standardu       accounts shipped with the...
Password ProtectionUnix password scheme threats:  Gain access through a guest  account and run a password cracker  Obtain ...
Password Cracking            Hofstra University – Network05/01/06                                   6             Security...
Password CrackingUnix Password File (/etc/passwd): daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: nobody:x:60001:6000...
Password Crackers                Hofstra University – Network05/01/06                                       8             ...
Virus and Related                Threats                 Hofstra University – Network05/01/06                             ...
Malicious Programs       Two categories:         Those that need a host program         – fragments of programs -         ...
Taxonomy of Malicious        Programs           Hofstra University – Network05/01/06                                  11  ...
Malicious Programs  Logic Bombs: logic embedded in a  program that checks for a set of  conditions to arise and executes  ...
Trojan Horse              Hofstra University – Network05/01/06                                     13               Securi...
Malicious Programs  Trojan Horse: secret undocumented  routine embedded within a useful  program, execution of the program...
Malicious Programs       Zombie: a program that secretly       takes over an Internet attached       computer and then use...
Viruses           Hofstra University – Network05/01/06                                  16            Security Course, CSC...
VirusesA virus is asubmicroscopic parasiticparticle that infects cellsin biological organisms.Viruses are non-livingpartic...
Viruses   Viruses: code embedded within a   program that causes a copy of   itself to be inserted in other   programs and ...
Worms           Hofstra University – Network05/01/06                                  19            Security Course, CSC290A
Worms Worms: program that can replicate itself and send copies to computers across the network and performs some unwanted ...
Bacteria    Bacteria: consume resources by    replicating themselves    Do not explicitly damage any files    Sole purpose...
Nature of VirusesFour stages of virus lifetime Dormant phase: virus idle Propagation phase: cloning of virus Triggering ph...
Virus Structure     program V:=     {goto main:         1234567;           special marker determines if infected          ...
Avoiding Detection   Infected version of program is   longer than the corresponding   uninfected one   Solution: compress ...
Avoiding Detection                 Hofstra University – Network05/01/06                                        25         ...
Compression Programinfected   uninfected                        Hofstra University – Network05/01/06                      ...
Types of Viruses  Parasitic Virus: attached to  executables, replicates when  program is executed  Memory-resident virus: ...
Types of Viruses  Stealth virus: virus designed to  hide itself from detection by  antivirus software (compression,  inter...
Macro Viruses    2/3s of all viruses    Mainly Microsoft products –    platform independent    Affect documents not execut...
Worms     Uses network connections to     spread from system to system     Similar to a virus – has same     phases: dorma...
Buffer Overflow Program attempts to write more data into buffer than that buffer can hold… …Starts overwriting area of sta...
Mechanics of stack-based buffer           overflow Stack is like a pile of plates                                         ...
Mechanics of stack-based buffer           overflow When function copies                                       0X0692 too m...
Antivirus Approaches       Detection – determine that it has       occurred and locate the virus       Identification – id...
Generations of Antivirus       Software       First: simple scanners (record of       program lengths)       Second: heuri...
Advanced Techniques     Generic Decryption     Digital Immune System     Behavior-Blocking Software               Hofstra ...
Generic Decryption  Easily detects even most complex  polymorphic virus  No damage to the personal  computer  Contains fol...
Digital Immune System  Pioneered by IBM  Response to rate of virus  propagation       Integrated mail systems - Outlook   ...
Digital Immune System           Hofstra University – Network05/01/06                                  39            Securi...
Behavior-Blocking               Software  Monitors program behavior in real-time  for malicious actions – part of OS  Look...
Malicious Code Protection     Types of ProductsScanners - identify known malicious code -search for signature stringsInteg...
Important URLshttp://www.cert.org/Originally DARPA’s computer emergencyresponse team. An essential security sitehttp://www...
Important URLshttp://www.ciac.org/ciac/Computer Incident Advisory Capability -anotherbookmark-able site to visit regularly...
… enough!             Hofstra University – Network05/01/06                                    44              Security Cou...
...coming to the end!Take Home Final Exam – OnWebsiteDue Next ClassReturn PapersAny Problems, Please Email Or CallGood Luc...
Upcoming SlideShare
Loading in...5
×

Csc290 ch10

251

Published on

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
251
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Csc290 ch10

  1. 1. Network Security Intruders and Viruses Hofstra University – Network05/01/06 1 Security Course, CSC290A
  2. 2. Password Management Part Two - Cracking Hofstra University – Network05/01/06 2 Security Course, CSC290A
  3. 3. Intrusion TechniquesObjective: Gain access to a systemFrequent Goal: Acquiring a userpasswordMost systems have a file that mapsa password to each userPassword file protection: one-way encryption access control Hofstra University – Network05/01/06 3 Security Course, CSC290A
  4. 4. Password Learning Techniquesg 1. Try default passwords used with standardu accounts shipped with the systeme 2. Exhaustive try of all short passwordss 3. Try words in system’s dictionary or list ofs likely passwords (hacker bulletin boards)a 4. Collect information about users (full names,t names of spouses and children, pictures andt books in their office, related hobbies)a 5. Try users’ phone numbers, social securityc numbers, room numbersk 6. Try all legitimate license plate numbers 7. Use a trojan horse 8. Tap the line between a remote user and the system Hofstra University – Network 05/01/06 4 Security Course, CSC290A
  5. 5. Password ProtectionUnix password scheme threats: Gain access through a guest account and run a password cracker Obtain a copy of the password file and run a password crackerGoal: Run a password cracker Rely on people choosing easily guessable passwords! Hofstra University – Network 05/01/06 5 Security Course, CSC290A
  6. 6. Password Cracking Hofstra University – Network05/01/06 6 Security Course, CSC290A
  7. 7. Password CrackingUnix Password File (/etc/passwd): daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: nobody:x:60001:60001:Nobody:/: eric:GmTFg0AavFA0U:1001:10:Eric Schwartz:/export/home/eric:/bin/ksh temp:kRWegG5iTZP5o:1002:10:IP Administration:/export/home/ipadmin:/bin/ksh jfr:kyzKROryhFDE2:506:506::/home/jfr:/bin/csh Results of the password cracker: $ john passwd Loaded 3 passwords with 3 different salts (Standard DES [24/32 4K]) temp (temp) jenny (eric) solaris1 (jfr) Hofstra University – Network 05/01/06 7 Security Course, CSC290A
  8. 8. Password Crackers Hofstra University – Network05/01/06 8 Security Course, CSC290A
  9. 9. Virus and Related Threats Hofstra University – Network05/01/06 9 Security Course, CSC290A
  10. 10. Malicious Programs Two categories: Those that need a host program – fragments of programs - parasitic Those that are independent – self contained Some replicate – used as a differentiator Hofstra University – Network05/01/06 10 Security Course, CSC290A
  11. 11. Taxonomy of Malicious Programs Hofstra University – Network05/01/06 11 Security Course, CSC290A
  12. 12. Malicious Programs Logic Bombs: logic embedded in a program that checks for a set of conditions to arise and executes some function resulting in unauthorized actions Trapdoors: secret undocumented entry point into a program, used to grant access without normal methods of access authentication (e.g.,War Games) Hofstra University – Network05/01/06 12 Security Course, CSC290A
  13. 13. Trojan Horse Hofstra University – Network05/01/06 13 Security Course, CSC290A
  14. 14. Malicious Programs Trojan Horse: secret undocumented routine embedded within a useful program, execution of the program results in execution of the routine Common motivation is data destruction Hofstra University – Network05/01/06 14 Security Course, CSC290A
  15. 15. Malicious Programs Zombie: a program that secretly takes over an Internet attached computer and then uses it to launch an untraceable attack Very common in Distributed Denial-Of-Service attacks Hofstra University – Network05/01/06 15 Security Course, CSC290A
  16. 16. Viruses Hofstra University – Network05/01/06 16 Security Course, CSC290A
  17. 17. VirusesA virus is asubmicroscopic parasiticparticle that infects cellsin biological organisms.Viruses are non-livingparticles that can onlyreplicate when anorganism reproducesthe viral RNA or DNA. Viruses are considerednon-living by themajority of virologistswww.virology.net Hofstra University – Network 05/01/06 17 Security Course, CSC290A
  18. 18. Viruses Viruses: code embedded within a program that causes a copy of itself to be inserted in other programs and performs some unwanted function Infects other programs Code is the DNA of the virus Hofstra University – Network05/01/06 18 Security Course, CSC290A
  19. 19. Worms Hofstra University – Network05/01/06 19 Security Course, CSC290A
  20. 20. Worms Worms: program that can replicate itself and send copies to computers across the network and performs some unwanted function Uses network connections to spread from system to system Hofstra University – Network05/01/06 20 Security Course, CSC290A
  21. 21. Bacteria Bacteria: consume resources by replicating themselves Do not explicitly damage any files Sole purpose is to replicate themselves Reproduce exponentially Eventually taking up all processors, memory or disk space Hofstra University – Network05/01/06 21 Security Course, CSC290A
  22. 22. Nature of VirusesFour stages of virus lifetime Dormant phase: virus idle Propagation phase: cloning of virus Triggering phase: virus activation Execution phase: unwanted function performed Hofstra University – Network05/01/06 22 Security Course, CSC290A
  23. 23. Virus Structure program V:= {goto main: 1234567; special marker determines if infected subroutine infect-executable := {loop: file:= get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file;} subroutine do–damage := {whatever damage is to be done} subroutine trigger-pulled := {return true if some condition holds} main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next: transfer control to the original program } Hofstra University – Network05/01/06 23 Security Course, CSC290A
  24. 24. Avoiding Detection Infected version of program is longer than the corresponding uninfected one Solution: compress the executable file so infected and uninfected versions are identical in length Hofstra University – Network05/01/06 24 Security Course, CSC290A
  25. 25. Avoiding Detection Hofstra University – Network05/01/06 25 Security Course, CSC290A
  26. 26. Compression Programinfected uninfected Hofstra University – Network05/01/06 26 Security Course, CSC290A
  27. 27. Types of Viruses Parasitic Virus: attached to executables, replicates when program is executed Memory-resident virus: part of a resident system program, affects every program executed Boot sector virus: infects a master boot record and spreads when system is booted from infected disk Hofstra University – Network05/01/06 27 Security Course, CSC290A
  28. 28. Types of Viruses Stealth virus: virus designed to hide itself from detection by antivirus software (compression, interception of I/O logic) Polymorphic virus: mutates with every infection making detection by “signature” impossible (mutation engine) Macro virus: infects Microsoft Word docs; 2/3’s of all viruses Hofstra University – Network05/01/06 28 Security Course, CSC290A
  29. 29. Macro Viruses 2/3s of all viruses Mainly Microsoft products – platform independent Affect documents not executables Easily spread by e-mail Autoexecuting macro is the culprit Hofstra University – Network05/01/06 29 Security Course, CSC290A
  30. 30. Worms Uses network connections to spread from system to system Similar to a virus – has same phases: dormant, propagation, trigger and execution Morris Worm – most famous Recent: OSX.Leap.A, Kama Sutra,Code Red Hofstra University – Network05/01/06 30 Security Course, CSC290A
  31. 31. Buffer Overflow Program attempts to write more data into buffer than that buffer can hold… …Starts overwriting area of stack memory Can be used maliciously to cause a program to execute code of attackers choose Overwrites stack point Hofstra University – Network05/01/06 31 Security Course, CSC290A
  32. 32. Mechanics of stack-based buffer overflow Stack is like a pile of plates 0X0692 When a function is 0X0691 called, the return return 0X0123 0X0690 address is pushed on function the stack 0 0X0689 In a function, local local s 0X0688 variables are written on stack the stack memory y 0X0687 Memory is written on s 0X0686 stack 0X0685 char username[4] reserved 4 bytes of 0X0684 space on stack Hofstra University – Network 05/01/06 32 Security Course, CSC290A
  33. 33. Mechanics of stack-based buffer overflow When function copies 0X0692 too much on the stack... 0X0691 ...the return pointer is overwritten return 0X0123 0X0689 0X0690 function Execution path of X 0X0689 function changed when function ends local X 0X0688 Local stack memory has stack X 0X0687 malicious code memory X 0X0686 0X0685 0X0684 Hofstra University – Network 05/01/06 33 Security Course, CSC290A
  34. 34. Antivirus Approaches Detection – determine that it has occurred and locate the virus Identification – identify the specific virus Removal – remove all traces and restore the program to its original state Hofstra University – Network05/01/06 34 Security Course, CSC290A
  35. 35. Generations of Antivirus Software First: simple scanners (record of program lengths) Second: heuristic scanners (integrity checking with checksums) Third: activity traps (memory resident, detect infected actions) Fourth: full-featured protection (suite of antivirus techniques, access control capability) Hofstra University – Network05/01/06 35 Security Course, CSC290A
  36. 36. Advanced Techniques Generic Decryption Digital Immune System Behavior-Blocking Software Hofstra University – Network05/01/06 36 Security Course, CSC290A
  37. 37. Generic Decryption Easily detects even most complex polymorphic virus No damage to the personal computer Contains following elements: CPU emulator – software based virtual computer Virus signature scanner – scans target code for known signatures Emulation control module – control execution of target code Hofstra University – Network05/01/06 37 Security Course, CSC290A
  38. 38. Digital Immune System Pioneered by IBM Response to rate of virus propagation Integrated mail systems - Outlook Mobile program systems – ActiveX, Java Expands the use of program emulation Depends on a central virus analysis machines Hofstra University – Network05/01/06 38 Security Course, CSC290A
  39. 39. Digital Immune System Hofstra University – Network05/01/06 39 Security Course, CSC290A
  40. 40. Behavior-Blocking Software Monitors program behavior in real-time for malicious actions – part of OS Look for well defined requests to the OS: modifications to files, disk formats, mods to scripts or macros, changes in config settings, open network connections, etc. IPS – Intrusion Prevention Systems Hofstra University – Network05/01/06 40 Security Course, CSC290A
  41. 41. Malicious Code Protection Types of ProductsScanners - identify known malicious code -search for signature stringsIntegrity Checkers – determine if code hasbeen altered or changed – checksum basedVulnerability Monitors - preventmodification or access to particularlysensitive parts of the system – user definedBehavior Blockers - list of rules that alegitimate program must follow – sandboxconcept Hofstra University – Network 05/01/06 41 Security Course, CSC290A
  42. 42. Important URLshttp://www.cert.org/Originally DARPA’s computer emergencyresponse team. An essential security sitehttp://www.research.ibm.com/antivirus/IBM’s site on virus information. Very goodpapers – a little outdatedhttp://www.afsa.org/fsj/sept00/Denning.cfmHacktivism: An Emerging Threat to Diplomacy,another Denning term along with InformationWarfarehttp://csrc.nist.gov/virus/Computer SecurityResources Center – Virus information and alerts Hofstra University – Network05/01/06 42 Security Course, CSC290A
  43. 43. Important URLshttp://www.ciac.org/ciac/Computer Incident Advisory Capability -anotherbookmark-able site to visit regularlyhttp://csrc.nist.gov/publications/nistpubs/800-42/NISTGuideline on Network Security Testing – coverspassword crackinghttp://www.openwall.com/john/Very good password cracker, “John the Ripper”http://csrc.nist.gov/publications/nistpubs/800-36/NISTGuide to Selecting Information SecurityProductshttp://www.xensource.com/Xen Source - Hottest Area In Virtualization Hofstra University – Network05/01/06 43 Security Course, CSC290A
  44. 44. … enough! Hofstra University – Network05/01/06 44 Security Course, CSC290A
  45. 45. ...coming to the end!Take Home Final Exam – OnWebsiteDue Next ClassReturn PapersAny Problems, Please Email Or CallGood Luck Hofstra University – Network05/01/06 45 Security Course, CSC290A
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×