Lecture 10 intruders


Published on

Network Security Course (ET1318, ET2437) at Blekinge Institute of Technology, Karlskrona, Sweden

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Lecture 10 intruders

  1. 1. IntrudersRaja Khurram Shahzad
  2. 2. Outline• Intruders – Intruder Behaviour Patterns – Intrusion Techniques• Intrusion Detection – Audit Records – Detection• Password Management• Covering Tracks
  3. 3. Security Problem• Unwanted trespass – By user: • Unauthorized login • Authorized user but unauthorized actions – By software: • Virus • Worms • Trojan Horse
  4. 4. Intruders• Masquerader (impersonation) (Outsider): An individual who is not authorized to use the computer and who penetrates a systems access controls to exploit legitimate user’s account.• Misfeasor (insider): A legitimate user who accesses data, programs, or resources for which such access is not authorize, or who is authorized for such but misuses previlages• Clandestine User (Both insider and outsider): An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
  5. 5. Intruder Behaviour Patterns• Constantly shifting – Exploit newly discovered weaknesses• Three broad examples – Hackers: hack into computers for thrill or for status • May or may not be malign (dangerous) • Intrusion detection systems (IDS) and Intrusion prevention systems (IPS) can counter it. – Criminals • Organized group of hackers (e.g. Lulz Boat) • Loosely affiliated, met in underground forums to trade tips, data and coordinate attacks • Common target: Root access, credit card files at e-commerce site
  6. 6. Intruder Behaviour Patterns • Quick in and out in nature • IDS and IPS: less effective– Inside Attacks • Most difficult to detect and prevent • Can be motivated by revenge or feeling of entitelment • IDS and IPS may be useful up to some extent
  7. 7. Intrusion Techniques• Objective: Gain access or increase access previlages• Vulnerabilities: – System vulnerabilities – Software vulnerabilities: allows user to executre code to open back door (http://www.telegraph.co.uk/technology/facebook/8938 725/Facebook-privacy-flaw-exposes-Mark-Zuckerberg- photos.html)• Acquire Secure Information: – System maintain a file that associates a password with each authorised user. • Passwords / Passwords File
  8. 8. Intrusion Techniques:Passwords• Password file is protected in two ways – One-way Function: • System stores only the value of a function based on the user’s password • User enters password • System transform entered password and compare with saved value – Access Control: • Access is limited to one or very few accounts.
  9. 9. Password Cracking1. Try default passwords.2. Try all short words, 1 to 3 characters long.3. Try all the words in an electronic dictionary (60,000).4. Collect information about the user’s hobbies, family names, birthday, etc.5. Try user’s phone number, social security number, street address, etc.6. Try all license plate numbers (MUP103).7. Use a Trojan horse8. Tap the line between a remote user and the host system.
  10. 10. Password Cracking• 1 – 6 : Various ways of Guessing passwords – Feasible and highly effective – Automatic guessing and verification• 7: Difficult to counter• 8: Physical Security
  11. 11. Stages of Network Intrusion• Scan the network to: – locate which IP addresses are in use, – what operating system is in use, – what TCP or UDP ports are “open” (being listened to by Servers).• Run “Exploit” scripts against open ports• Get access to Shell program which is “suid” (has “root” privileges).• Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs.• Use IRC (Internet Relay Chat) to invite friends to the feast.
  12. 12. Intrusion Detection• Detection: concerned with learning of an attack, either before or after its success• Prevention: security goal• The intruder can be identified and ejected from the system.• An effective intrusion detection can prevent intrusions.• Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
  13. 13. Intrusion DetectionBased on assumption that behaviour differs Profiles of Behavior of Intruders and Authorized Users
  14. 14. Intrusion Detection• Statistical anomaly detection – Threshold detection: define threshold, independent of user, for the frequency of occurrence of various events. – Profile based: A profile of activity of each user is developed and used to detect changes in the behavior of individual user.• Rule based detection – Anomaly detection: Rules are developed to detect deviation from the previous usage patterns. – Penetration identification: An expert system approach that searches for suspicious behavior. A system may have both
  15. 15. Audit Records• Fundamental tool• Native Audit Records: – Accounting software that collects information on user activity – Advantage: No additional collection software required – Disadvantage: May not contain needed information or may not contain needed information in convenient format
  16. 16. Audit Records• Detection Specific Audit Records – A collection facility to generate audit records containing required information used by IDS – Advantage: Can be made vendor independent & portable – Disadvantage: Extra overhead
  17. 17. Audit Records : Example• Subject: Initiators of actions• Action: Operation Performed• Object: Receptors of actions• Exception-Condition: which, if any, exception condition is raised on return• Resource Usage: A list of quantitative elements about usage of resource• Time-Stamp: Unique time and date stamp
  18. 18. Statistical Anomaly Detection• Attempt to define normal or expected behaviour• Collect data related to behaviour over a period of time• Statistical tests are applied• Two broad categories – Threshold detection: define threshold, independent of user, for the frequency of occurance of various events
  19. 19. Statistical Anomaly Detection – Profile based: Profile of the activity of user or group is developed and then used to detect changes in behaviour. May consists of set of parameters. • Analysis of audit records is foundation• Effective against masqueraders• May not deal with misfeasors• Statistical tests – Mean and Standard Deviation Multivariate – Markov Process Time Series – Operational
  20. 20. Measures Used• Login frequency by day and time.• Frequency of login at different locations.• Time since last login.• Password failures at login.• Execution frequency.• Execution denials.• Read, write, create, delete frequency.• Failure count for read, write, create and delete.
  21. 21. Rule-Based Intrusion Detection• Define a set of rules to decide about behaviour• Two broad categories – Anomaly Detection: Historical audit records are analyzed to generate rules to describe patterns. • Rules May represent past behaviour patterns of users, previlagese, programs, time slots, terminals • Current behaviour is obsereved and matched with set of rules – Penetration Identification: Set of rules for identifying known penetrations or penetrations that would exploit known weaknesses. • Rules can be defined to identify suspecious behaviour • Analyze attack tools and scripts to generate rules.
  22. 22. Distributed Intrusion Detection• Single System stand alone IDS vs Distributed IDS• More effective defense – Coordination and cooperation among IDS across network – Different audit record formats – Different collection and analysis points – Confidentiality and Integrity of collected data during transmission – Centralized architecture (one collection point) or decentralized (more than one collection points coordinating and exchanging information)
  23. 23. Distributed Intrusion Detection• Host Agent Module – Audit collection module operating at background – Collect data on security related event – Transmits to the central manager• LAN monitor agent module – Operates like agent module – Analyze LAN traffic• Central manager module – Recieves reports – Processes and correlates these reports to detect intrusion
  24. 24. Distributed Intrusion Detection• Agent Architecture • Agent captures each record from native audit collection system • Filter is applied to retain only security records • Records are transmitted in Host Audit Record (HAR) format • Template driven logic module analyze the records • Agent protocol Machine • Lowest level – scans for notable events • Highest level – look for sequence of events (signature) • Also look for anomalous behaviour based on profile • If suspecious, Alert is sent to Central Manager (expert system) • May also query agents for copies of HARS Henric Johnson 24
  25. 25. Passwords• Most common weaknesses in a company – Weak passwords – uncontrolled devices on the network• Most systems and software have default passwords!• Characteristics of a strong password – Changes every 45 days – Minimum length of 10 characters – Contain at leas one alpha, one number and one special character – Cannot contain dictionary words – Cannot reuse the previous five passwords – Minimum password age of 10 days – After 5 failed logon attempts, password is locked for serveral hours
  26. 26. UNIX passwords• Stored in a publicly readable file /etc/passwd, (any user who was on the system had access to read the file i.e. more /etc/passwd ) usernamen:password:UID:GID:full name:home directory:shell sch:OZFGkH258h8yg:1013:10:Stefan Chevul:/home/sch/:/bin/csh• Latest UNIX versions split the passwd file into 2 files. The /etc/passwd file still exists, it contains everything except the encrypted passwords. This is stored in the /etc/shadow file and only visible by “root”. usernamen:password:last:min:max:warning:expire:disable sch:OZFGkH258h8yg:::::::
  27. 27. cat passwdroot:x:0:0:Super-User:/:/sbin/shdaemon:x:1:1::/:bin:x:2:2::/usr/bin:sys:x:3:3::/:adm:x:4:4:Admin:/var/adm:lp:x:71:8:Line Printer Admin:/usr/spool/lp:uucp:x:5:5:uucp Admin:/usr/lib/uucp:smmsp:x:25:25:SendMail Message Submission Program:/:nobody:x:60001:60001:Nobody:/:noaccess:x:60002:60002:No Access User:/:
  28. 28. ypcat passwd• Ypcat: list all the users and groups / networkwide password map gymsjo:PgiEmZuEHpmY2:3227:3200:STEFAN JOHANSSON:/home/ dogmatix/gym/gymsjo:/usr/local/bin/tcsh frpe03:EoFPa/t0McqN6:470078:20031:FREDRIK PERSSON:/home/ dogmatix/students/20031/frpe03:/usr/local/bin/tcsh etmf01:Ck34HVjHPI3gQ:740030:20011:Etienne Mfoumou:/home/ dogmatix/students/20011/etmf01:/usr/local/bin/tcsh rope05:i/mTnW1jL7vmM:490146:20051:ROBIN PERSSON:/home/ obelix/students/20051/rope05:/usr/local/bin/tcsh nasc04:HfcXJTuIB7Bh2:500001:20041:Nadzida Saric:/home/obelix/ students/20041/nasc04:/usr/local/bin/tcsh
  29. 29. Salt• The salt serves three purposes: – Prevents duplicate passwords. – Effectively increases the length of the password. – Prevents the use of hardware implementations of DES Henric Johnson 29
  30. 30. UNIX Password Scheme Loading a new password
  31. 31. UNIX Password Scheme Verifying a password
  32. 32. Password Selection Strategies• User education – Unlikely to succeed – Many users ignore guidelines• Computer-generated passwords – Random in nature, problem in memorizing Henric Johnson 32
  33. 33. Password Selection Strategies• Reactive password checking – System periodically runs password cracker to find guessable passwords – Cancel guessed passwords and notify users – Resource intensive job• Proactive password checking – User is allowed to choose password – System checks , password is allowable or not
  34. 34. Password Cracking : Importance• From a security standpoint, password cracking can help you build and maintain a more secure system.• Reasons why password cracking is useful – To audit the strength of passwords – To recover forgotten / unknown passwords – To migrate users – To use as a checks and balance system• Main types of password cracking attacks: – Dictionary attacks – Brute force attacks – Hybrid attacks
  35. 35. Password Cracking: Attacks Dictionary Brute Force Hybrid attack attack attackSpeed of the attack Fast Slow MediumAmount of passwords Finds only Finds every Finds onlycracked words password passwords that have a Dictionary word as the base
  36. 36. Password Cracking: Programs• NT password cracking programs: – L0phtcrack – NTSweep – NTCrack – PWDump2• UNIX password crackers: – Crack – John the Ripper – XIT – Slurpie
  37. 37. Covering the Tracks• After an attacker has gained access and accomplished what he wanted to do, one of the last steps he performs is covering his tracks, hiding evidence that he was ever there.• To do this there are 4 main areas an attacker is concerned with: 1. Log files 2. File information 3. Additional files 4. Network traffic