• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Download It
 

Download It

on

  • 717 views

 

Statistics

Views

Total Views
717
Views on SlideShare
717
Embed Views
0

Actions

Likes
0
Downloads
4
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Download It Download It Presentation Transcript

    • Network Security German Research Center for Artificial Intelligence
    • Malware - Summary • Virus: – program which is included in other programs and can reproduce itself • Worm: – program that distributes itself via the network • Trojan horse: – program that hides additional functionality useful for an adversary • Rootkit: – faked OS providing additional functionality (for an attacker) but simulating original OS (almost) perfectly: e.g. faked versions of ls, ps, nstat, etc. German Research Center for Artificial Intelligence
    • Vulnerabilities all over the time • see http://nvd.nist.gov Recent CVE Vulnerabilities CVE-2006-3349 Publish Date: 7/3/2006 Multiple SQL injection vulnerabilities in SmS Script allow remote attackers to execute arbitrary SQL commands via the CatID parameter in (1) cat.php and (2) add.php. CVE-2006-3348 Publish Date: 7/3/2006 Multiple SQL injection vulnerabilities in HSPcomplete 3.2.2 and 3.3 Beta and earlier allow remote attackers to execute arbitrary SQL commands via the (1) type parameter in report.php and (2) level parameter in custom_buttons.php. CVE-2006-3347 Publish Date: 7/3/2006 SQL injection vulnerability in index.php in deV!Lz Clanportal DZCP 1.3.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. CVE-2006-3346 Publish Date: 7/3/2006 SQL injection vulnerability in tree.php in MyNewsGroups 0.6 allows remote attackers to execute arbitrary SQL commands via the grp_id parameter. CVE-2006-3345 Publish Date: 7/3/2006 Cross-site scripting (XSS) vulnerability in AliPAGER, possibly 1.5 and earlier, allows remote attackers to inject arbitrary web script or HTML via a chat line. CVE-2006-3344 Publish Date: 7/3/2006 Siemens Speedstream Wireless Router 2624 allows local users to bypass authentication and access protected files by using the UPnP (Universal Plug and Play)/1.0 component. CVE-2006-3343 Publish Date: 7/3/2006 PHP remote file inclusion vulnerability in recipe/cookbook.php in CrisoftRicette 1.0pre15b allows remote attackers to execute arbitrary PHP code via a URL in the crisoftricette^parameter. CVE-2006-3342 Publish Date: 7/3/2006 Cross-site scripting (XSS) vulnerability in index.php in Arctic 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search cmd. CVE-2006-3341 Publish Date: 7/3/2006 SQL injection vulnerability in annonces-p-f.php in MyAds module 2.04jp for Xoops allows remote attackers to execute arbitrary SQL commands via the lid parameter. CVE-2006-3340 Publish Date: 7/3/2006 Multiple PHP remote file inclusion vulnerabilities in Pearl For Mambo module 1.6 for Mambo, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the (1) phpbb_root_path parameter in (a) includes/functions_cms.php and the (2) GlobalSettings[templatesDirectory] parameter in multiple files in the "includes" directory including (b) adminSensored.php, (c) adminBoards.php, (d) adminAttachments.php, (e) adminAvatars.php, (f) adminBackupdatabase.php, (g) adminBanned.php, (h) adminForums.php, (i) adminPolls.php, (j) adminSmileys.php, (k) poll.php, and (l) move.php. CVE-2006-3339 Publish Date: 7/3/2006 secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter, which displays the installation path and other system information in an error message. CVE-2006-3338 Publish Date: 7/3/2006 Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page. CVE-2006-3337 (cPanel) Publish Date: 7/3/2006 CVSS Severity: 4.7 (Medium) Cross-site scripting (XSS) vulnerability in frontend/x/files/select.html in cPanel 10.8.2-CURRENT 118 and earlier allows remote attackers to inject arbitrary web script or HTML via the file parameter. German Research Center for Artificial Intelligence
    • A Closer Look – CVE-2006-3344 • Digital Armaments advisory is 05.02.2006 • http://www.digitalarmaments.com/2006290674551938.html • I. Background • The SpeedStream Wireless DSL/Cable Router is usually adopted for home and small business solutions. Together with an existing DSL or cable modem connection, this affordable, easy to use connection sharing solution brings the freedom of high-speed, wireless broadband connectivity to home and SOHO networks. Its comprehensive functionality provides vital firewall protection, IP sharing capabilities, and fundamental routing features that support popular protocols like NetMeeting and VPN. • For further information or detail about the software you can refer to the vendor's homepage: • http://subscriber.communications.siemens.com/ • II. Problem Description • Speedstream routers have UPnP/1.0 support. An attacker can access protected files and bypass the password protection without login using the UPnP part of the tree. • III. Detection • This problem has been detected on latest version of Siemens Speedstrem Router. It has been tested on the Speedstream 2624. • IV. Impact analysis • Successful exploitation allow an attacker to bypass the password protection. It also allow an attacker to access protected files without login. • V. Solution • First notification 05.02.2006. • Second notification 05.20.2006. • No answer from the vendor. • VI. Credit • Jaime Blasco - jaime.blasco (at) eazel (dot) es [email concealed] is credited with this discovery. German Research Center for Artificial Intelligence
    • Internet • Internet as „the“ network • Based on the early 70th ARPA-network (Advanced Research Projects Agency) • Internet protocols – IP: internet protocol – ICMP: internet control message protocol – TCP: transmission control protocol – ARP: address resolution protocols German Research Center for Artificial Intelligence
    • TCP/IP - Model (a la ISO/OSI) FTP, SMTP, HTTP FTP, SMTP, HTTP Application-layer Transport-layer Reliable protocol TCP, UDP TCP, UDP Packages, routing Network-layer IP IP frames Data link-layer bitstreams Physical-layer German Research Center for Artificial Intelligence
    • IP – Security Privacy If privacy is outlawed, only outlaws will have privacy Phil Zimmermann By 2010, driven by the improving capabilities of data analysis, privacy will become a meaningless concept in Western societies Gartner group German Research Center for Artificial Intelligence
    • Phishing • Social engineering (bank customers) • Faking web pages of bank – mismatch of real and visible URLs • Requesting PIN/TAN from customers German Research Center for Artificial Intelligence
    • Network Services - DNS • Domain Network Service provides translation of host names (www.uni-sb.de) to IP-addresses (e.g.134.96.7.73) • DNS-server provide two data bases: – IP-addresses -> host names (reverse lookup) – Host names -> IP-addresses (lookup) • No mechanisms to secure consistency of tables! • DNS-server are distributed German Research Center for Artificial Intelligence
    • Pharmining - DNS-Spoofing • Faking of the reverse -lookup table – Reverse lookup (e.g. for rlogin) provides Bobs host name instead of Eve‘s for Eve‘s IP-address – Access to Alice‘s host if Bob is member of /etc/hosts.equiv or in .rhosts – Countermeasure: forward and reverse lookup • Sending faked update messages to the cache of DNS- server • Manipulating C:windowssystem32driversetchosts German Research Center for Artificial Intelligence
    • Observations of Users in Networks eavesdropper staff X Switch Link-to-link encryption: staff X Switch German Research Center for Artificial Intelligence
    • Observation of Users in Switched Networks Link-to-link encryption End-to-end encryption of content staff X Switch Problem of traffic data: who communicates with whom, how long, where? German Research Center for Artificial Intelligence
    • Abilities of a Potential Attacker Worst case analysis: • Observation of all communication channels • Generation of new messages • Operating some network services (e.g. as an anonymity service, as a web server, etc) • No break of cryptographical systems • No attack on user‘s personal machine • Limited time and computing power German Research Center for Artificial Intelligence
    • Anonymity and Unobservability Anonymity: • Sender and/or receiver stay anonymous to each other Unobservability: • All parties cannot trace communication relations • Sending and receiving of messages is unobservable Pseudonym: • identity can only be revealed in special cases German Research Center for Artificial Intelligence
    • Anonymity and Unobservability Need for a group of users where all users behave similarily Events Anonymity group Everybody can be the originator of an event with equal possibility German Research Center for Artificial Intelligence
    • Simple Proxies • Proxy gets an URL on behalf of the user • Server has no information about the real originator of the request • Examples: – Anonymizer.com (Lance Cottrel) – Aixs.net – ProxyMate.com (Lucent, Bell Labs) User Proxy Server German Research Center for Artificial Intelligence
    • Problems with Simple Proxies • No protection against the operator • No protection against traffic analysis – Timing correlation of incoming and outgoing requests – Correlation by message length and coding User 1 GET page.html User 2 http ... proxy GET page.html User n German Research Center for Artificial Intelligence
    • Possible Attacks • Timing attacks: – Observe duration by linking possible endpoints of communication, wait for a correlation between events at endpoints • Message volume attacks: – Observe the amount of transmitted data • Flooding attacks: – Almost all messages except the message to be observed are created by the attacker • Linking attacks: – Observe intersections of anonymity groups due to on/off-line periods (profiles) German Research Center for Artificial Intelligence
    • Broadcast Message is sent to all participants But only one person is able to read it German Research Center for Artificial Intelligence
    • Mixes (David Chaum, 1981) • Collect messages in batches, change their coding and forward them at the same time but in different order • Use of various mixes • If one mix is not corrupt then perfect unlinkability of sender and receiver German Research Center for Artificial Intelligence
    • Internals of Mixes Mix Discard Store Wait for a Change Reorder message incoming Sufficient coding messages repeats messages Number Avoid replay attacks German Research Center for Artificial Intelligence
    • Encryption of Messages • ci encryption with public key of Mixi • Ai address of Mixi • M message to be sent • ri : random numbers (to ensure indeterminism) A1, c1(A2, c2(M, r2), r1) M A2, c2(M, r2), German Research Center for Artificial Intelligence
    • Real Time Aspects • Mixes are good for non-real time communication: E-mail • Problems with real-time applications like net-phone, ftp, www – Sampling messages yields high delay – Message length vary in a very large interval or no support of connection oriented services German Research Center for Artificial Intelligence
    • Traffic padding and Time Slices Waiting time Traffic padding Sending of random data to cover last message Traffic padding Waiting time German Research Center for Artificial Intelligence
    • Dummy Traffic • Users (not Mixes) send messages all the time • Nobody can distinguish between encrypted messages and faked ones (random numbers) • Increases amount of traffic if necessary • Avoiding high delay of messages German Research Center for Artificial Intelligence
    • Flooding and Attacks • Flooding Attacks: – Introduction of tickets to be processed by a Mix – Only one message of a user in one branch – Attacker needs help of other users • Long-time observation: – Intersection of anonymity groups – No good solution known for this attack German Research Center for Artificial Intelligence
    • IP – Security Availability, Integrity German Research Center for Artificial Intelligence
    • Internet Control Message Protocol • Transfer of error- and status- messages – destination unreachable: unreachable port (host) • Forged message may cause abortion of all traffic to this hosts – fragmentation needed • Continuing generation of faked message causes denial of service – Redirect : to change routing behaviour • Rerouting of all packets of a host via a malicous host – Source quench : to reduce traffic caused by a host • faked message causes denial of service German Research Center for Artificial Intelligence
    • Address Resolution Protocols (ARP) • Translating IP-names (e.g. 134.96.88.122) to real physical addresses (eg. 00:A0:C9:44.BA.20) inbuilt in the firmware of physical device • ARP address-table of the router – Updated via broadcast messages („Who is?“) • Masquerading: faked answers to broadcast messages • Denial-of-service: request for non-existing host is broadcasted through gateways. Malicious host may even redistribute requests coming back! German Research Center for Artificial Intelligence
    • TCP - Connections • Logical connections between ports • TCP-packet contains: – 32bit-addresses of sender and receiver – 32bit sequence number • Randomly generated • 3-phased handshake: – Client -> Server: Seqc – Server -> Client: SeqS, Ack = Seqc + 1 – Client -> Server: Ack = SeqS + 1 – Client -> Server: Data German Research Center for Artificial Intelligence
    • Security in TCP - Sequence numbers • Masquerading using sequence number attacks: – To incorporate a malicious packet into an ongoing communication the intruder has to know the sequent number – Implementations use 32bit counter to generate sequence number (instead random numbers) (counter is incremented every second by 1, new connections will increment counter by 64) – Sequence numbers can be guessed German Research Center for Artificial Intelligence
    • Security in TCP - Sequence numbers • Eve -> Alice: Port 25, SeqEve • Alice -> Eve: Ack: SeqEve + 1, SeqAlice Guessing seqAlice‘ : • Eve as Bob -> Alice: Port 513, SeqEve‘ • Alice -> Bob: Ack: SeqEve‘ + 1, SeqAlice‘ • Eve as Bob -> Alice: Ack: SeqAlice‘ + 1 Problem: answers of Bob are sent to Alice: Additional attack neccessary to flood Alice with requests to prevent Alice from sending reset- packets German Research Center for Artificial Intelligence
    • Security Problems in IP: Denial of Service Address spoofing – Examples of denial of service: – UDP-flood attack: • Eve sends UDP-packet with faked return-address • Target machine sends echo-packets to machine of return address which echos etc... – SYN-flood attack: • Eve sends SYN-packets with faked return addresses of non-available machines • Target sends SYN-Ack packets • Overflow of SYN-stack German Research Center for Artificial Intelligence
    • Distributed Denial of Service Attacker Stepping stones Handler Agent Attack German Research Center for Artificial Intelligence
    • Intrusion Detection Systems Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and network resources Edward Amoroso German Research Center for Artificial Intelligence
    • Intrusion Detection Systems • Monitoring: – Examine and process information about activities on the target system • Reporting: – Report information about monitored system into a system security infrastructure • Responding: – Respond to detected intrusion German Research Center for Artificial Intelligence
    • Dimensions of IDS • Analysis approach: – Attack signature detection identifies patterns corresponding to known attack – Types of attacks have to be known in advance • Anomaly detection: – Identifies unacceptable deviation form expected behaviour using profiles – Can respond to previously unknown types of attacks German Research Center for Artificial Intelligence
    • Methods of IDS • Audit trail processing: – Existing log-files are examined by IDS – Off-line – Auditable events, auditable information, audit basis – Example: Unix Syslog Audit Processing • On-the-fly processing („network intrusion detection“) – Monitoring of traffic in real-time – Suspicious string patterns „/etc/passwd“ – Signatures of abnormal behaviours – Warnings before damage can occur German Research Center for Artificial Intelligence
    • Methods of IDS (II) Anomality Detection • Profiles of normal behaviour Capturing expectations about user and system computing and networking activities – Estimation of initial profile – Fine-tuning of profiles – Profiling using all-source information German Research Center for Artificial Intelligence
    • Architecture of an IDS • Sensor: Provides necessary information about target • System management: maintain control over internal components, communication with over IDS • Processing engine: reduction of irrelevant data, identification of key intrusion evidence, decision-making of type of response • Knowledge base: profiles of user and data, attack signatures • Audit archive: storage of target system activities • Alarms • GUI German Research Center for Artificial Intelligence
    • Intrusion Response • Identification of the attacker – DNS ??? – Identification of intermediate hosts • Preventing damages – Closing ports and network connections – Counter attack by denial of service attack ??? • Repair of existing damages – Loss of integrity, accessability, authentication, privacy? German Research Center for Artificial Intelligence
    • Firewalls Intranet Firewall Open network (Internet) e.g. router • All traffic between intranet and open network is controlled by the firewall • Security strategy, access control, protocols, authentication German Research Center for Artificial Intelligence
    • Types of Firewalls • Packet filter – Controlling IP (TCP) packets • Circuit-level gateway – Operates on transport layer • Application-level gateway (proxy server) – Operates on application layer – Can analyse application data German Research Center for Artificial Intelligence
    • Packet Filters • Filters packets (TCP / IP) according to a security policy based on header information • No internal state • Accessable information: – Sender/receiver addresses, ports, options, ack-bit, type of protocol, ... Rules: sender receiv. port proto. action reason * * 53 UDP ok DNS-queries Extern intern 123 UDP ok NTP-access * * 69 UDP no no TFTP Extern * 513 TCP no no rlogin from outside German Research Center for Artificial Intelligence
    • Packet Filters - Pros and Cons • Easy and cheap to implement • Transparent for upper layers • Prevents some IP-spoofing and router attacks But: • Uses possibly faked IP-addresses and ports • No detailed filtering (e.g. according to users) • Error-pruned specification of filter table – Large, unreadable tables – Need for tools German Research Center for Artificial Intelligence
    • Circuit-level Gateway • Controls the transport layer • Operates as client for the server and as server for the client (proxy - server) • Provides generic proxy services • Has internal state and protocols activities • Example: SOCKS - gateway (Hummingbird) – Provides socket access via rconnect, rlisten and rbind through gateway with authentication German Research Center for Artificial Intelligence
    • Circuit-Layer Gateway - Pros and Cons • Independent of applications • Allows for filtering of existing connections • Authorization and logging • Filtering of UDP services possible But: • Do not consider application specific information – Cannot distinguish http-content • Modification of application necessary German Research Center for Artificial Intelligence
    • Application Filter • Operating on application layer • Proxies for telnet, ftp, smtp, http, ... • Provides application specific knowledge – E.g. ftp-proxy knows about ftp-commands – http-proxy about activeX, Javascript, JAVA... • Internal state and logging German Research Center for Artificial Intelligence
    • Application Filter - Pros and Cons • Allows for sophisticated authentication and controlling (e.g. generating profiles) • Accounting and logging of accesses – Intrusion Detection Systems • Fine granular rules possible But: • Individual fiter for each service - Automation ? • Based on unreliable lower layers German Research Center for Artificial Intelligence
    • Architecture of Firewalls Intranet NTP-server Packet filter Dual-Home Bastion Intranet Application filter Application filter Packet filter Internet Internet Dual-Home Firewall Screened-Host Firewall German Research Center for Artificial Intelligence
    • Architecture of Firewalls (II) Internal Application filter host Packet filter Internet Packet filter Internal www-server WWW server Internal DNS-server DNS server Screened-Subnet Firewall German Research Center for Artificial Intelligence
    • Firewalls - Summary • Security mechanisms concentrated at one point • Fine-granular policies can be implemented • Logging features to create profiles But: • Difficult to come up with consistent configuration • Continuous maintenance necessary • Problems with tunneling • Mobile devices: Laptops, Palms etc German Research Center for Artificial Intelligence
    • IP – Security Authentication German Research Center for Artificial Intelligence
    • Security Problems in IP - Authentication • Address - Spoofing: – Faking the sender address in IP-packets Eve.evil.org Alice.uni-sb.de (188.88.88.88) (134.96.12.102) IP /etc/hosts.equiv : From: 134.96.12.104 To: 134.96.12.102 Bob.uni-sb.de Bob.uni-sb.de (134.96.12.104) German Research Center for Artificial Intelligence
    • Secure Socket Layer (SSL) • SSL operates on top of the transportation layer • Developed by Netscape according the recommendations of the OSI - security architecture • Authentication of communication partners – Assymmetric encryption • Private communication – Symmetric session keys • Integrity of messages – Message Authentication Codes (MAC) • Encryption- and hashing algorithms are negotiated between communication partners German Research Center for Artificial Intelligence
    • SSL - Overview Telnet, Ftp, Telnet, Ftp, http, Smtp, http, Smtp, Authentication of partners Exchange of secrets SSL-Handshake SSL-Handshake SSL-Record SSL-Record Fragmentation of data, Compression, Computation of MACs TCP IP TCP IP and session-keys, Encryption of records German Research Center for Artificial Intelligence
    • SSL - Handshake Protocol • Agree in SSL-communication by using specific ports: 443 (https), 456 (ssmtp), 990 (ftps), 992 (telnets) Client Hallo ServerHello Certificate (optional) ServerKeyExchange (optional) Certificate Request (optional) ServerHelloDone Certificate (optional) Client Key Exchange Certificate Validate (optional) ChangeCipherSpec Finished ChangeCipherSpec Finished Use Data German Research Center for Artificial Intelligence
    • SSL - Handshake Protocol • ClientHello: timestamp (32bit), Nonce RC (28bit), SessionID, list of prefered encryption algorithms • ServerHello: timestamp(32bit), Nonce RS, list of prefered encryption algorithms of client • Certificates according X.509 • ServerKeyExchange: temporary public key PKS (RSA) • ClientKeyExchange: 48bit secret „pre“ encrypted with PKS (or public key of client in case of DiffieHellman) • Computing the master secret MD5(pre, SHA(„A“ . pre . RC . RS)) | MD5(pre, SHA(„BB“ . pre . RC . RS)) | MD5(pre, SHA(„CCC“ . pre . RC . RS)) to compute secret keys • Finished messages incorporate MAC/SHA of all previous message parts German Research Center for Artificial Intelligence
    • Security of SSL • SSL allows for an authenticated and private communication without manipulations • Finished messages prevent man-in-the-middle attack • Depends on used cryptographical algorithms (MD5? HMAC!) • No use with application filter • TLS (transport level security) as „internet standard“ based on SSL 3.1 German Research Center for Artificial Intelligence
    • IPSec „Suite“ of protocols to secure network connections • Allows for different encryption and authentication methods • Integrity (authentication) and secrecy (encryption) • Operates on the IP – level • IKE : Internet Key Exchange German Research Center for Artificial Intelligence
    • IPSec - Alternatives • AH („Authentication Header“): authentication vs. ESP (Encapsulating Security Payload): encryption + authentication • Tunnel mode (total IP-packet) vs. transport mode (payload only) • Different cryptographical choices MD5, SHA-1… 3DES, AES, Blowfish, … • IKE (Internet Key Exchange) protocol vs. manual setup German Research Center for Artificial Intelligence
    • Authentication Header – Transport Mode Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Original IP-packet Time to Live TCP Header checksum Address of receiver Address of sender IP-options Padding DATA IPSec-packet Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Time to Live IH Header checksum Address of receiver Protected by Address of sender IP-options Padding Authentication Data Version AH-len TCP Reserved Security Parameter Index Changed entries Sequence Number Authentication Data DATA German Research Center for Artificial Intelligence
    • Authentication Header – Tunnel Mode Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Time to Live AH Header checksum Address of receiver IPSec-packet Address of sender IP-options Padding Version AH-len IP Reserved Protected by Security Parameter Index Authentication Data Sequence Number Authentication Data Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Time to Live TCP Header checksum Address of receiver Address of sender IP-options Padding DATA German Research Center for Artificial Intelligence
    • ESP – Transport Mode Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Original IP-packet Time to Live TCP Header checksum Address of receiver Address of sender IP-options Padding DATA IPSec-packet Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Time to Live ESP Header checksum Address of receiver Encrypted Data Address of sender IP-options Padding Security Parameter Index Sequence Number Changed entries Data pad-len TCP Authentication Data German Research Center for Artificial Intelligence
    • ESP – Tunnel Mode: VPN Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Time to Live ESP Header checksum Address of receiver IPSec-packet Address of sender IP-options Padding Encrypted data Security Parameter Index Sequence Number Authenticated data Version Hdr.len TOS Length (max. 64k) Identification Flags Fragment-Offset Time to Live TCP Header checksum Address of receiver Changed entries Address of sender IP-options Padding DATA + Padding Authentication Data German Research Center for Artificial Intelligence