Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
The Internet allows an attacker to attack from anywhere in the world, from their home desk.
They only need to find one vulnerability; a security analyst needs to close every vulnerability.
Crackers
Cracker: Computer-savvy programmer who creates attack software
Script Kiddies: Know how to execute programs
Hacker Bulletin Board: SQL Injection, Buffer overflow, Password Crackers, Password Dictionaries; "Successful attacks! Crazyman broke into …", "CoolCat penetrated …"
Criminals: Create & sell botnets -> spam; sell credit card numbers, …
System Administrators: Some scripts are useful to protect networks…
Going rates: Malware package = $1K-2K; 1 M Email addresses = $8; 10,000 PCs = $1000
Hacking Networks Phase 1: Reconnaissance
Google, Newsgroups, Web sites
WhoIs Database & Sam Spade
Domain Name Server Interrogations
One Microsoft Way
Redmond, WA 98052
Domain name: MICROSOFT.COM
Administrator, Domain [email_address]
One Microsoft Way
Redmond, WA 98052
Hostmaster, MSN [email_address]
One Microsoft Way
Redmond, WA 98052 US
Registration Service Provider:
DBMS VeriSign, email@example.com
Please contact DBMS VeriSign for domain updates, DNS/Nameserver
changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006.
Record expires on 03-May-2014.
Record created on 02-May-1991.
Domain servers in listed order:
Social Engineering
"I need a password reset. What is the passwd set to?"
"This is John, the System Admin. What is your password?"
Email: "ABC Bank has noticed a problem with your account…"
"I have come to repair your machine… and have some software patches"
"What ethnicity are you? Your mother's maiden name?"
Logic Bomb = Malware that has a malicious purpose in addition to its functional purpose
Software which will malfunction if the maintenance fee is not paid
+ Social Engineering: “Try this game…it is so cool”
Game also emails password file.
Phishing = Fake Email
ABC BANK: "Your bank account password is about to expire. Please login…"
"The bank has found problems with your account. Please contact …"
Pharming = Fake web pages
A fake web page may lead to a real web page
The fake web page looks like the real thing
Extracts account information
[Figure: fake ABC Bank login page (Login, Passwd, "Welcome To ABC Bank"); URLs shown: www.abc.com, www.abcBank.com]
Hacking Networks Phase 2: Scanning
War Driving : Can I find a wireless network?
War Dialing : Can I find a modem to connect to?
Network Mapping : What IP addresses exist, and what ports are open on them?
Vulnerability-Scanning Tools : What versions of software are implemented on devices?
Eavesdropping : Listen to packets from other parties = Sniffing
Traffic Analysis : Learn about network from observing traffic patterns
Footprinting : Test to determine software installed on system = Network Mapping
[Figure: a packet exchanged between hosts A, B and C (Bob, Jennie, Carl) can be read by a third party on the path]
Hacking Networks: Phase 3: Gaining Access
IP Address Spoofing
Web Protocol Abuse
Denial of Service
[Figure: captured credentials, Login: Ginger, Password: Snap]
Some Active Attacks
Denial of Service: Message did not make it; or service could not run
Masquerading or Spoofing : The actual sender is not the claimed sender
Message Modification : The message was modified in transmission
Packet Replay : A past packet is transmitted again in order to gain access or otherwise cause damage
[Figure: diagrams of Denial of Service, Spoofing (Joe, actually Bill), Message Modification and Packet Replay between Joe, Ann and Bill]
Man-In-The-Middle Attack
[Figure: the victim's login goes to a Trojan AP or Rogue Access Point, which relays it to the real AP; this also implements SPOOFING]
A virus attaches itself to a program, file, or disk
When the program is executed, the virus too is executed
When the program is given away (floppy/email) the virus spreads
The virus may be benign or malignant, but it executes its payload at some point (often upon contact)
[Figure: Program A with Extra Code attached infects another program; "CoughCough! Don't come close!"]
Worm : Independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate.
[Figure: worm reads an Email List and sends copies of itself "To Joe", "To Ann", "To Jill"]
Password Cracking: Dictionary Attack & Brute Force
Time to Guess assumes 2.6x10^18 guesses/month.

Pattern                              Calculation   Result     Time to Guess
Personal Info: interests, relatives  20            Manual     5 minutes
Social Engineering                   1             Manual     2 minutes
American Dictionary                  80,000                   < 1 second
4 chars: lower case alpha            26^4          5x10^5
8 chars: lower case alpha            26^8          2x10^11
8 chars: alpha                       52^8          5x10^13
8 chars: alphanumeric                62^8          2x10^14    3.4 min.
8 chars: alphanumeric + 10           72^8          7x10^14    12 min.
8 chars: all keyboard                95^8          7x10^15    2 hours
12 chars: alphanumeric               62^12         3x10^21    96 years
12 chars: alphanumeric + 10          72^12         2x10^22    500 years
12 chars: all keyboard               95^12         5x10^23
16 chars: alphanumeric               62^16         5x10^28
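The brute-force rows of the table can be reproduced for any concrete password. This is an added example, not part of the course material; it assumes the table's rate of 2.6x10^18 guesses/month, a 30-day month, and that "all keyboard" means the 95 printable ASCII characters.

```python
import string

# Guess rate assumed by the table: 2.6 x 10^18 guesses per month (30-day month assumed here).
GUESSES_PER_MONTH = 2.6e18
MINUTES_PER_MONTH = 30 * 24 * 60

# Character classes behind the table's charset sizes: 26 + 26 + 10 + 33 = 95 "all keyboard".
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

def charset_size(password: str) -> int:
    """Smallest keyspace an attacker who knows the policy must search: the sum of the
    sizes of every character class the password actually uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(size: int, length: int) -> int:
    """Number of candidate passwords of the given length over a charset of that size."""
    return size ** length

def minutes_to_guess(size: int, length: int, rate: float = GUESSES_PER_MONTH) -> float:
    """Worst-case minutes to exhaust the keyspace at the table's guess rate."""
    return keyspace(size, length) / rate * MINUTES_PER_MONTH

def estimate(password: str) -> dict:
    """Reproduce a table row for a concrete password."""
    size = charset_size(password)
    return {"charset": size, "keyspace": keyspace(size, len(password)),
            "minutes": minutes_to_guess(size, len(password))}

if __name__ == "__main__":
    # Constructed sample passwords, from weakest to strongest.
    for pw in ["snap", "gingersnap", "Ginger12", "G1nger$n4p!!"]:
        e = estimate(pw)
        print(f"{pw:14} charset={e['charset']:3} keyspace={e['keyspace']:.1e} "
              f"minutes={e['minutes']:.3g}")
```

The small differences from the table's times come from rounding and the month length; the dictionary and personal-information rows are not keyspace calculations and are not modelled here.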
Hacking Networks: Phase 4: Exploit/Maintain Access
Backdoor: Control system: system commands, log keystrokes, pswd
Trojan Horse: Useful utility actually creates a backdoor.
Spyware: Collect info: keystroke logger, collect credit card #s, insert ads, filter search results
Bots: Slave forwards/performs commands; spreads, lists email addrs, DOS attacks
User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
Upon penetrating a computer, a hacker installs a rootkit
Easy entrance for the hacker (and others)
Eliminates evidence of break-in
Modifies the operating system
[Figure: rootkit components: Backdoor entry, Keystroke Logger, Hidden user]
Botnets
[Figure: Attacker -> Handler -> Bots (Zombies) located in e.g. China, Hungary]
Bots: Host illegal movies, music, pornography, criminal web sites, …
Forward Spam for financial gain
Distributed Denial of Service
[Figure: Attacker -> Handler -> Zombies in China, Hungary, United States -> Victim]
Zombies can barrage a victim server with requests, causing the network to fail to respond to anyone
Attacking the Network
[Figure: The Internet -> Border Router/Firewall -> De-Militarized Zone -> Private Network; Commercial Network and Private Network shown as separate zones]
Content Filter : Scans contents of packets and discards if ruleset failed (e.g., Intrusion Prevention System or firewall)
Packet Filter : Scans headers of packets and discards if ruleset failed (e.g., Firewall or router)
Route Filter : Verifies source and destination IP addresses
[Figure: the good, the bad & the ugly… enter the Filter; only the Good pass, the bad & the ugly are discarded]
Firewall Configurations
[Figure: terminal -> firewall -> host; packet filtering and stateful inspection pass session A straight through, while circuit-level and application-level firewalls terminate session A at the proxy and open a new session B to the host]
Packet Filtering : Packet header is inspected
  Single packet attacks caught
  Very little overhead in firewall: very quick
  High volume filter
Stateful Inspection : State retained in firewall memory
  Most multi-packet attacks caught
  More fields in packet header inspected
  Little overhead in firewall: quick
Circuit-Level Firewall : Packet session terminated and recreated via a Proxy Server
  All multi-packet attacks caught
  Packet header completely inspected
  High overhead in firewall: slow
Application-Level Firewall : Packet session terminated and recreated via a Proxy Server
  Packet header completely inspected
  Most or all of application inspected
  Highest overhead: slow & low volume
Path of Logical Access
[Figure: The Internet -> Border Router/Firewall -> De-Militarized Zone -> Router/Firewall -> Private Network; a WLAN is also attached]
How many logical access checks are required?
How could access control be improved?
Protecting the Network
[Figure: The Internet -> Border Router: Packet Filter -> De-Militarized Zone with Bastion Hosts -> Proxy server firewall -> Private Network; WLAN]
Multi-Homed Firewall: Separate Zones
[Figure: Internet -> Router (Screening Device) -> Firewall with separate zones: a Demilitarized Zone With Proxy Interface (External DNS, Web Server, E-Commerce, VPN Server, IDS) and a Protected Internal Network Zone (Database/File Servers, IDS); Screened Host]
The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.
Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS)
Examines packets for attacks
Can find worms, viruses, org-defined attacks
Warns administrator of attack
IPS=Packets are routed through IPS
Examines actions or resources for attacks
Recognize unusual or inappropriate behavior
E.g., Detect modification or deletion of special files
[Figure: Router -> Firewall -> IDS]
IDS Intelligence Systems
Specific patterns are recognized as attacks
The expected behavior of the system is understood
If variations occur, they may be attacks (or maybe not)
Neural Networks : Statistical-Based with self-learning (or artificial intelligence)
[Figure: NIDS raises ALARM!!! on NastyVirus and BlastWorm traffic and passes Normal traffic]
Remote Access Security
Virtual Private Network (VPN) often implemented with IPSec
Can authenticate and encrypt data through Internet (red line)
Easy to use and inexpensive
Difficult to troubleshoot, less reliable than dedicated lines
Susceptible to malicious software and unauthorized actions
[Figure: The Internet -> Firewall -> VPN Concentrator]
Network Access Server
NAS: Network Access Server
Handles user authentication, access control and accounting
Calls back to pre-stored number based on user ID
Prone to hackers, DOS, misconfigured or insecure devices
RADIUS: Remote Access Dial-in User Service
TACACS: Terminal Access Controller Access-Control System
1. Dial up and authenticate (RADIUS or TACACS)
2. Call back
3. Connect
Honeypot & Honeynet
Honeypot : A system with a special software application which appears easy to break into
Honeynet : A network which appears easy to break into
Purpose: Catch attackers
All traffic going to honeypot/net is suspicious
If successfully penetrated, it can be used to launch further attacks
Must be carefully monitored
[Figure: behind the Firewall, a zone with External DNS, IDS, Web Server, E-Commerce, VPN Server and a Honey Pot]
Confidentiality : Unauthorized parties cannot access information. (->Secret Key Encryption)
Authenticity : Ensuring that the actual sender is the claimed sender. (->Public Key Encryption)
Integrity : Ensuring that the message was not modified in transmission. (->Hashing)
Nonrepudiation : Ensuring that sender cannot deny sending a message at a later time. (->Digital Signature)
[Figure: diagrams of Confidentiality, Authenticity (Joe, actually Bill), Integrity and Non-Repudiation between Joe, Ann and Bill]
Secure Hash Functions
Examples: SHA1, SHA2, MD2, MD4, MD5
One Way Hash: Ensures the message was not modified during transmission
[Figure: sender computes H = H(Message) and sends Message together with E(H); receiver applies D, recomputes H(Message) and compares]
Message Authentication Code:
[Figure: sender computes H from Message and the shared key K and sends Message with H; receiver recomputes H with K and compares]
NIST Recommended: SHA-1, SHA-2; 2011: SHA-2
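Why the Message Authentication Code needs the key K: an added example (not from the course) using SHA-2 from the Python standard library. The message, the shared key and the in-transit modification are constructed.

```python
import hashlib
import hmac
import os

# Constructed message and a shared secret K known only to sender and receiver.
MESSAGE = b"Transfer $100 to account 1234"
KEY = os.urandom(32)

# One Way Hash sent beside the message, with no key involved.
def hash_tag(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

def verify_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)

# Message Authentication Code: the same hash function, keyed with K.
def mac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)

# "Message Modification" in transit. The hash function is public, so whoever changes the
# message can recompute an unkeyed hash; without K they can only forward the old MAC.
def tamper_unkeyed(message: bytes, tag: bytes):
    modified = message.replace(b"1234", b"9999")
    return modified, hash_tag(modified)

def tamper_keyed(message: bytes, tag: bytes):
    modified = message.replace(b"1234", b"9999")
    return modified, tag

if __name__ == "__main__":
    m, t = tamper_unkeyed(MESSAGE, hash_tag(MESSAGE))
    print("plain hash still verifies after modification:", verify_hash(m, t))
    m, t = tamper_keyed(MESSAGE, mac_tag(KEY, MESSAGE))
    print("MAC still verifies after modification:", verify_mac(KEY, m, t))
```

The slide's one-way-hash diagram protects the hash by encrypting it; this example shows the bare hash to make clear that the integrity check depends on something the modifier does not have.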
Encryption – Secret Key
Examples: DES, AES
plaintext -> Encrypt with K_secret -> ciphertext -> Decrypt with K_secret -> plaintext
P = D(K_secret, E(K_secret, P))
NIST Recommended: 3DES w. CBC; AES 128 Bit
Public Key Encryption
Examples: RSA, ECC, Quantum
Encryption (e.g., RSA): encrypt with the key owner's public key, decrypt with the private key (key owner: Joe)
P = D(k_PRIV, E(k_PUB, P))
Digital Signature (Authentication, Non-repudiation): encrypt the message with the private key, decrypt with the public key (key owner: Joe)
P = D(k_PUB, E(k_PRIV, P))
NIST Recommended: RSA 1024 bit; 2011: RSA 2048 bit
Digital Signature
Uses public key algorithm
Verifies integrity of data
Verifies identity of sender: non-repudiation
[Figure: Message -> Msg Digest -> Encrypted with K(Sender's Private)]
Public Key Infrastructure (PKI)
Digital Certificate: User: Sue, Public Key: 2456
1. Sue registers with the Certificate Authority (CA) through the RA: Register(Owner, Public Key)
2. Registration Authority (RA) verifies owners
3. CA sends approved Digital Certificates
4. Sue sends Tom a message signed with her Digital Signature
5. Tom requests Sue's DC
6. CA sends Sue's DC
7. Tom confirms Sue's DS
Web Page Security
SQL Filtering: Filtering of web input for SQL Injection
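Filtering web input is one layer; the query itself must also keep input from becoming SQL. This added example (not part of the course) shows a login query built by string concatenation beside a parameterized one, on a constructed in-memory SQLite table; the table, the rows and the input check are assumptions, and the plaintext password column exists only to keep the demo short.

```python
import sqlite3

# Constructed in-memory user table so the example runs offline.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('ginger', 'snap')")
    return db

# Vulnerable: web input is pasted into the SQL text, so input can change the query's logic.
def login_vulnerable(db, name: str, passwd: str) -> bool:
    sql = f"SELECT name FROM users WHERE name = '{name}' AND passwd = '{passwd}'"
    return db.execute(sql).fetchone() is not None

# Hardened: parameterized query; the driver passes the input as data, never as SQL.
def login_safe(db, name: str, passwd: str) -> bool:
    sql = "SELECT name FROM users WHERE name = ? AND passwd = ?"
    return db.execute(sql, (name, passwd)).fetchone() is not None

# SQL Filtering at the web layer: reject input that cannot be a username at all.
# This is defence in depth beside parameterization, not a replacement for it.
def is_valid_username(name: str) -> bool:
    return 1 <= len(name) <= 32 and name.isalnum()

# Classic textbook input that turns the WHERE clause into one that is always true.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable query, injected input:", login_vulnerable(db, "nobody", INJECTION))
    print("parameterized query, same input:", login_safe(db, "nobody", INJECTION))
    print("input filter accepts it:", is_valid_username(INJECTION))
```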