Deconstructing Windows 2000 Hacks



  1. Proactive Network Security: Do You Speak CVE? Gary S. Miliefsky, CISSP®, FMDHS, President & CEO, PredatorWatch, Inc. E-mail: [email_address]. November 23, 2004. PredatorWatch, Inc. is a DoD contractor.
  2. About Me: Gary S. Miliefsky
     - 20+ year security veteran
     - Computer scientist
     - CISSP®
     - DHS is funding CVE® at MITRE (I am a founding member)
  3. Behind the firewall… a gift from a friend?
  4. It Doesn’t Take a Rocket Scientist
  5. Hackers Cause Risk of Non-compliance
     - Government (Executive Order 13231)
     - Legal (HIPAA, GLBA, E-SIGN)
     - Health Care & Pharmaceutical (HIPAA and FDA 21 CFR Part 11)
     - Banking and Finance (E-SIGN, GLBA, FDIC audits)
     - Higher Education (due care and tort law)
     - These markets are being heavily attacked by hackers on a daily basis.
  6. If You Currently Have…
     - Anti-virus software and a solid firewall
     - Access through a Virtual Private Network (VPN)
     - Internet Service Provider (ISP) spam protection
     - Local browser/email/JavaScript protection
     - Passwords for email on your network
     - Encryption servers (IPsec, SSL/TLS, HTTPS)
     - Public Key Infrastructure (PKI) encryption
     - Content proxy (for filtering, Internet acceleration)
     - Intrusion Detection or Prevention Systems (IDS or IPS)
  7. …Is Your Network Safe?
     - In short, NO. These “solutions” don’t stop hackers.
     - Hackers take advantage of common vulnerabilities and exposures in your network.
     - Firewalls can be hard to manage, so they may not protect you. And they don’t protect you from internal threats.
     - Intrusion Detection Systems require human intervention and generate false results.
     - Intrusion Prevention Systems may block legitimate access.
  8. Are You Stopping the Hackers?
     - Anti-virus software can only protect against known viruses; it cannot stop hacker access!
     - Passwords often don’t stop clever hackers, who use readily downloadable tools that crack them.
     - Turning off JavaScript doesn’t stop a hacker from running other types of code on your system.
     - Hackers can break into Virtual Private Networks (VPNs); they aren’t always private!
     - Firewalls can be points of entry for hackers.
  9. What Damage Can Hackers Cause?
     - Denial of Service (DoS)
     - Destruction of data
     - Theft of data
     - Damage to your reputation
     - Put you at risk of legal liability
  10. Hackers Can Deny You Access
     - Stop services: vital programs you need to have running
     - Kill the server: bringing it down, forcing your network, even your company, to a halt
     - Change the administrator password, locking out your system administrator and letting themselves in to key systems and files
  11. Hackers Can Destroy Data
     - Crash your system or a node on the network, causing productivity issues and data loss
     - Send garbage data to the system
     - Defeat protocols that use date/time of day to gain access to the system
     - Execute PHP code existing on the system
     - Execute commands as administrator, erasing data, altering access, creating havoc
  12. Hackers Can Steal Private Data
     - Enter your network and retrieve system info
     - Read sensitive files on the system
     - Get version numbers of installed software and attack using that information
     - Obtain access to accounts and private data
  13. Serious Network Protection: How Do You Keep out the Hackers?
     - Analyze your network’s vulnerabilities on a regular basis (CVEs)
     - Regularly review those vulnerabilities (CVEs)
     - Tune your firewall against CVE exploits
     - Harden your assets by removing CVEs
     - Make sure your methods are “tamper-proof”
       - Optimized model automation of this process is patent-pending by PredatorWatch, Inc.
  14. What is the CVE Standard?
     - Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that until now were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
     - CVE is:
       - One name for one vulnerability or exposure
       - One standardized description for each vulnerability or exposure
       - A dictionary rather than a database
       - How disparate databases and tools can "speak" the same language
       - The way to interoperability and better security coverage
       - A basis for evaluation among tools and databases
       - Accessible for review or download from the Internet
       - Industry-endorsed via the CVE Editorial Board
  15. PredatorWatch is CVE Compatible. Photo caption, left to right: Lawrence C. Hale, Deputy Director, US-CERT, U.S. Department of Homeland Security, delivers 3 CVE MITRE compliance certificates to PredatorWatch, Inc. at CSI, Nov 8, 2004, Washington, D.C.; Gary S. Miliefsky, CISSP, FMDHS, CEO, PredatorWatch, Inc.; Doug Eames, VP of Sales, PredatorWatch, Inc.
  16. Keep Up to Date on CVEs
     - Visit
     - Keep an eye on the SANS/FBI Top 20 CVE list
     - Test for the latest CVEs on a daily basis
     - Report on your CVEs on a daily, weekly or monthly basis (DUE DILIGENCE)
     - Remove all CVEs that you possibly can (DUE CARE)
     - Block at the firewall (INCREASE UPTIME)
  17. E-commerce Real World Scenario:
     - What if you were the CEO, CFO, CIO or CSO of an e-commerce merchant or a brick & mortar retailer using an Internet payment gateway system?
     - What if you had only one CVE in your system?
     - What if anyone could exploit it in 5 minutes?
  18. CVEs in e-Commerce
     - VISA announces vulnerability audit requirements (CISP)
       - Over 21,000 member financial institutions; VisaNet processes over 2,700 transactions/sec during peak season.
     - MasterCard requires quarterly CVE audits beginning 6/2004 (SDP)
       - 7% of all of MasterCard's $921.6 billion annual card purchases take place on the web
     - Now AMEX (DSS) and Discover (DISC) have launched audit requirement programs.
     - Soon, all e-commerce merchants must detect/remove critical CVEs to do business online (see page 49 of the MasterCard SDP PDF for an example)
     - SOURCE: COMPUTERWORLD, April 14, 2004
  19. What You Should Do To Comply
     - Build corporate security policies that are ISO 17799 compliant:
       - American Express DSS
       - DiscoverCard DISC
       - MasterCard SDP
       - VISA CISP
     - Audit and report on CVEs
       - Required by all credit card companies
  20. What Is The ISO 17799 Standard?
     - 10 sections
       - Security Policy: to provide management direction and support for information security
       - Organizational Security: to manage information security within the organization
       - Asset Classification and Control: to maintain appropriate protection of organizational assets
       - Personnel Security: to reduce the risk of human error, theft, fraud or misuse of facilities
       - Physical & Environmental Security: to prevent unauthorized access, damage and interference to business premises and information
       - Communications and Operations Management: to ensure the correct and secure operation of information processing facilities
       - Access Control: to control access to information
       - System Development and Maintenance: to ensure security is built into information systems
       - Business Continuity Management: to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
       - Compliance: to avoid breaches of any criminal and civil law and of statutory, regulatory or contractual obligations
  21. Online Banking Real World Scenario:
     - What if you were the CEO, CFO, CIO or CSO of Fidelity Trust Bank with $1B under management?
     - What if you had only one CVE in your system?
     - What if anyone could exploit it in 5 minutes?
  22. Welcome to
  23. has CVEs
  24. Objectives: Find and Remove CVEs
     - “The most important step towards securing your network is to shrink the window of vulnerability as close to zero as possible. No vulnerabilities means no place to hack.”
     - If you don’t, hackers will take advantage of you.
  25. Hacking an Online Bank: The Break In. The break-in (excerpt from CNET): “One strategy is to attack the hardware itself, exploiting notoriously glitch-prone Web systems to gain access to the servers running the bank's online operations. ‘Most banks run Unix Web servers or Microsoft IIS (Internet Information Server), and both are prone to remote attacks that can allow a hacker to take control of the server itself,’ said David Ahmad, the moderator of the Bugtraq mailing list, one of the leading e-mail lists dedicated to reports of software vulnerabilities. Companies including financial institutions subscribe to the list. In April, Microsoft issued a security patch to plug 10 new holes that could allow hackers to take full control of computers running the company's IIS program.” Do NOT try this at home. It’s illegal.
  26. The Break In (continued): “In seizing control of a server, security experts say, a hacker can also modify any trusted applications to perform malicious operations. An attack that manipulates such internal applications is more likely to escape notice by the network's electronic guards. ‘Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack,’ Ahmad said. ‘Attacks against a server might be detected, but a complex application-based attack might look like normal behavior.’ Financial institutions do make it difficult for employees to move money, but their systems must be flexible enough to work with customers who are not subject to the same level of scrutiny. This could allow an insider to create a fake customer transaction and authorization to shepherd the money right out of a system.” – CNET
  27. Hacking Methodology: Exploit CVEs
     - Footprint
     - Scan
     - Enumerate
     - Penetrate
     - Escalate
     - Pillage
     - Get interactive
     - Expand influence
     - Cleanup
     - (Denial of Service)
     - In this presentation, I will assume that the first two steps have been done by PredatorWatch. Focus of this presentation, with only one specific example: deface the website and steal the database from a simulated bank.
  28. Common IIS 5 Attacks Against CVEs
     - Here are the most dangerous IIS 5 attacks currently:
       - Buffer overflows
       - File system traversal
       - Script source revelation
     - Hackers take advantage of this flaw in the online bank
  29. Buffer Overflow CVE in IIS v5.0
     - CVE-2001-0241
     - CVE version: 20040901. This is an entry on the CVE list, which standardizes names for security problems. It was reviewed and accepted by the CVE Editorial Board before it was added to CVE.
     - Name: CVE-2001-0241
     - Description: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.
  30. CVE In Detail: IIS Buffer Overflow: IPP
     - Internet Printing Protocol (IPP) functionality is implemented in IIS 5 via an ISAPI filter (C:\WINNT\System32\msw3prt.dll)
     - This functionality is enabled by default
     - Malformed requests for .printer files invoke this ISAPI and cause a buffer overflow, resulting in remote SYSTEM privileges
  31. CVE Exploit: IIS Buffer Overflows: IPP
     - Simple to exploit:
       - GET /null.printer HTTP/1.0
       - Host: [ > 420 char. buffer ]
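As an added defender-side example (not part of the original deck and not PredatorWatch code), the following Python script scans IIS 5.0 W3C extended log lines for the two signs of the .printer flaw described on slides 29 to 31: any request routed to a `.printer` resource, and a Host value longer than the 420-character threshold the slide cites. The log lines are constructed for the example; `cs-host` is an optional W3C logging field that must be enabled on the site for the Host-length check to apply, and the `Alert`, `parse_w3c`, `find_ipp_probes` and `clients_to_review` names are the example's own.

```python
"""Flag requests that reach the IIS 5.0 Internet Printing ISAPI (.printer) in a
W3C extended log, and oversized Host values of the kind slide 31 describes.

Added example for this deck; the log lines below are constructed, and the
client addresses are documentation ranges (RFC 5737)."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

HOST_LIMIT = 420  # slide 31: the overflow needed a Host header of more than ~420 characters

# Constructed IIS 5.0 W3C log. cs-host is an optional field that must be
# enabled in the site's logging properties for the Host-length check to work.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-23 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-host
2004-11-23 09:15:01 192.0.2.10 GET /index.html - 200 bank.example
2004-11-23 09:15:07 192.0.2.10 GET /images/logo.gif - 200 bank.example
2004-11-23 09:16:42 198.51.100.77 GET /null.printer - 500 {long_host}
2004-11-23 09:17:03 198.51.100.77 GET /default.printer - 404 bank.example
2004-11-23 09:18:10 192.0.2.11 GET /login.asp - 200 bank.example
""".format(long_host="A" * 500)


@dataclass
class Alert:
    line_no: int
    client: str
    uri: str
    status: str
    host_len: int
    reasons: Tuple[str, ...]


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each data line, using the #Fields header."""
    fields: List[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        # IIS replaces spaces inside a field with '+', so a plain split is safe;
        # anything that does not match the header is skipped, not guessed at.
        if not fields or len(values) != len(fields):
            continue
        yield n, dict(zip(fields, values))


def find_ipp_probes(text: str, host_limit: int = HOST_LIMIT) -> List[Alert]:
    """One Alert per log line that touches the .printer mapping or carries an oversized Host."""
    alerts: List[Alert] = []
    for n, rec in parse_w3c(text):
        reasons = []
        uri = rec.get("cs-uri-stem", "")
        host = rec.get("cs-host", "-")
        if uri.lower().endswith(".printer"):
            reasons.append("request routed to the Internet Printing ISAPI (.printer)")
        if len(host) > host_limit:
            reasons.append(f"Host value is {len(host)} chars, over the {host_limit} limit")
        if reasons:
            alerts.append(Alert(n, rec.get("c-ip", "?"), uri, rec.get("sc-status", "?"),
                                len(host), tuple(reasons)))
    return alerts


def clients_to_review(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per client address so the noisiest source is reviewed first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_ipp_probes(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.client} {a.uri} status={a.status}: " + "; ".join(a.reasons))
    print(clients_to_review(find_ipp_probes(SAMPLE_LOG)))
```

A 500 on a `.printer` request next to a Host value hundreds of characters long is the pattern to correlate with the server's application event log; if the site does not use Internet Printing at all, the mapping itself is the thing to remove, as slide 40 suggests.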
  32. Deface Online Bank (Simulation): before/after screenshots. Commands shown:
       C:\> ftp [hacker-ip]
       C:\> get hack-index.html
       C:\> rename index.html
  33. IIS5 Attack Countermeasures
     - IIS5 Checklist (
     - Visit on a regular basis
     - Install all necessary security and system patches as required
     - Repeat steps 1-3 religiously!
  34. Recommends… THIS ONE IS CRITICAL
  35. Get Computer Updates… Means CVE Management
     - Every day there is a new CVE (Common Vulnerability and Exposure); see
     - This website is the homepage for helping you stop hackers and harden your assets. Why?
     - By knowing the CVEs, if you find a system with a CVE, then you can find a way to block an exploit that would impact this asset.
  36. Protect Against CVE Exploiters
     - Detect and track assets
       - Policy: what to do if offline, I/O, VPN, etc.
       - Process: equip I/O, laptops, etc.
     - Audit your network for CVEs:
       - Careful with free tools; you may DoS yourself!
     - Lock the doors against CVE exploits
       - Manage your firewall, daily.
     - Cleanup your CVEs
  37. Protect Against CVE Exploiters
     - Detect and track assets
       - Laptops in and out of the office
         - Personal computer or company asset?
         - Firewall, antivirus, antispyware, patches up to date?
         - Inbound scan for CVEs: high risk? Then quarantine.
       - Wireless routers/LANs
         - How many in the building? Encrypted? Authenticated?
       - Servers and other equipment
         - Something new on the LAN? Who owns it?
         - Something offline repeatedly? Why?
  38. Protect Against CVE Exploiters
     - Audit your network for CVEs:
       - Find a tool you like…
         - Google “Laptop Auditor” or “Security Auditor”
         - Do an eval of open source vs. turnkey
           - If you built your firewall from scratch, go for open source; else, find a company you can work with and trust.
         - Pick a tool that doesn’t take any assets offline
         - Scans and reports on CVEs
  39. Protect Against CVE Exploiters
     - Lock the doors against CVE exploits
       - Review logs; look for suspicious traffic
       - Make sure you set up the VPN interface properly and know who’s using it and whether they are coming in through a secure tunnel on an insecure or ‘sick’ computer
       - Block all inbound/outbound ports that you don’t use. 445 was exploited by MSBlast and Sasser. Do you need it open?
       - Look at the computers that have CVEs: how long to fix, and what port is it on? Update your rules table until it is fixed.
       - Don’t trust all patches. Reinspect for the same or new CVEs.
       - Keep repeating this process, daily.
  40. Protect Against CVE Exploiters
     - Cleanup your CVEs
       - Remember the IIS 5.0 vulnerability?
         - Did the patch fix it? Yes, good. No? Then why not shut off the web-based print server feature of the IIS server: one quick configuration change and no CVE to exploit.
       - Some CVEs can be patched
       - Others require intelligent reconfiguration
       - Security by obscurity (usually a no-no) may actually delay a successful attack against a CVE until you have a chance to shut down the service, update the firewall rules table or fix the CVE.
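The following Python script, added here and not taken from the deck or from PredatorWatch, turns a small constructed CVE audit into the actions slides 39 and 40 call for: re-inspect rather than trust a patch, disable the exposed feature where a configuration change removes it, block ports nobody uses (the slide's port 445), and keep a business-critical port watched rather than blocked until the fix is verified. The asset names, addresses, the `ALLOWED_INBOUND` policy, the `Finding`/`Asset` data model and the IIS finding details are all assumptions made for the example.

```python
"""Remediation triage for a CVE audit, following the "lock the doors" and
"cleanup your CVEs" steps: verify patches by re-scan, reconfigure where a
setting removes the exposure, block unused ports at the firewall, and keep a
CVE-bearing port blocked until a re-inspection comes back clean.

Added example; the inventory, policy and findings below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Inbound ports the business actually needs (constructed policy for a small web LAN).
ALLOWED_INBOUND: Set[int] = {80, 443}

Action = Tuple[str, str, str]  # (kind, cve, detail)


@dataclass
class Finding:
    cve: str
    port: int                              # port the exposed service listens on
    patch_applied: bool = False
    rescan_clean: bool = False             # did a re-audit after patching come back clean?
    disable_feature: Optional[str] = None  # configuration change that removes the exposure, if any

    @property
    def verified(self) -> bool:
        return self.patch_applied and self.rescan_clean


@dataclass
class Asset:
    name: str
    ip: str
    open_ports: Set[int]
    findings: List[Finding] = field(default_factory=list)


def ports_to_block(asset: Asset) -> List[int]:
    """Ports to deny at the firewall: unused ones plus any carrying an unverified CVE,
    except business-critical ports, which cannot be blocked without downtime."""
    unverified = {f.port for f in asset.findings if not f.verified}
    unused = asset.open_ports - ALLOWED_INBOUND
    return sorted((unverified | unused) - ALLOWED_INBOUND)


def plan_for_asset(asset: Asset) -> List[Action]:
    """Actions for one asset in the order slide 40 reasons: patch, reconfigure, then the firewall."""
    actions: List[Action] = []
    finding_ports = {f.port for f in asset.findings if not f.verified}
    for f in asset.findings:
        if f.verified:
            actions.append(("done", f.cve, f"patch confirmed by re-scan on {asset.name}"))
            continue
        if f.patch_applied:
            actions.append(("reinspect", f.cve, "patch applied but the CVE is still found; do not trust the patch"))
        else:
            actions.append(("patch", f.cve, f"apply the vendor patch on {asset.name}, then re-scan"))
        if f.disable_feature:
            actions.append(("reconfigure", f.cve, f.disable_feature))
        if f.port in ALLOWED_INBOUND:
            actions.append(("watch", f.cve,
                            f"tcp/{f.port} is business-critical: cannot block it, so patch or reconfigure now"))
    for port in ports_to_block(asset):
        why = ("until a re-scan is clean" if port in finding_ports
               else "it is not in the allowed set; close the service or block it")
        actions.append(("firewall", "-", f"deny inbound tcp/{port} to {asset.ip}: {why}"))
    return actions


def firewall_rules(assets: List[Asset]) -> List[Tuple[str, int]]:
    """Flat, sorted (ip, port) deny list to feed the firewall's rules table."""
    rules = {(a.ip, p) for a in assets for p in ports_to_block(a)}
    return sorted(rules)


# Constructed inventory: one unpatched web server, one laptop with file sharing
# exposed, and one web server whose patch has already been confirmed by re-scan.
INVENTORY = [
    Asset("web01", "10.0.0.5", {80, 443, 445}, [
        Finding("CVE-2001-0241", 80,
                disable_feature="remove the .printer application mapping (Internet Printing) from the IIS site"),
    ]),
    Asset("laptop-17", "10.0.0.42", {139, 445}),
    Asset("web02", "10.0.0.6", {80, 443}, [
        Finding("CVE-2001-0241", 80, patch_applied=True, rescan_clean=True),
    ]),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        for kind, cve, detail in plan_for_asset(asset):
            print(f"{asset.name:10} {kind:11} {cve:14} {detail}")
    print("firewall deny list:", firewall_rules(INVENTORY))
```

The point of separating `ports_to_block` from `plan_for_asset` is that the deny list is what gets pushed to the firewall every day while the human-readable plan tracks why each entry is there; a finding only leaves the deny list once `rescan_clean` is set by a fresh audit, not when the patch is applied.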
  41. AN INDUSTRY FIRST: CLIENTLESS QUARANTINE SYSTEM. Auditor™ is the world’s first clientless quarantine system that drives firewalls to do a better job, while at the same time enabling IT managers, network security consultants and Managed Security Service Providers (MSSPs) to harden networks and show best practices for regulatory compliance. Introducing PredatorWatch Auditor™…
  42. PredatorWatch Auditor™ Automates…
     - Detection and tracking of assets
     - Auditing your network for CVEs
     - Locking the doors against CVE exploits
     - Cleanup of your CVEs
  43. Auditor™ Features
     - World’s fastest CVE® vulnerability assessment engine
     - Secure vulnerability update server
     - Dynamic rogue wireless and laptop detector
     - Immediate audits and on-demand audits
     - Patent-pending FirewallBooster™ for major firewalls
     - PatchBooster™ for Microsoft® SUS
     - Asset Tracker with built-in MAC/IP Tracker™
     - Security Policy Builder with ISO® 17799 templates
     - Patent-pending Regulatory Compliance Reporter
  44. Auditor™ Benefits
     - Automatically detects, audits, quarantines and remediates all your computers, servers, desktops, laptops, network equipment and wireless routers by tight integration with the firewall.
     - Protects your network behind the firewall from common vulnerabilities and exposures, through frequent, rapid and automated vulnerability assessment, patch management and remediation.
     - Extends the timetable to remediate by automatically reconfiguring the firewall at port and IP level, allowing organizations to patch during normally scheduled maintenance windows, rather than during inconvenient and costly intervals.
     - Helps enforce policy and ensure regulatory compliance by constantly auditing corporate security standard configurations to reduce risk.
  45. What Analysts Are Saying…
     - “Finally, a turnkey security solution that really works for the SME marketplace.” – Jon Oltsik, Senior Analyst
     - “The laptop and wireless detection and quarantine feature is unique.” – Chris Shipley, Executive Producer, DemoMobile
     - “It’s a streamlined vulnerability management solution with features of a CIO in a box.” – Charles Kolodgy, Research Director, Security Products
     - “The missing link in network security, behind the firewall, for the small to medium size enterprise.” – James Hurley, Vice President, Security & Privacy Research
     - “A powerful security solution that is simple to use, easy to deploy and requires little to no training.” – Phebe Waterfield, Security Analyst
  46. …And Partners
     - “...a phenomenal technology/solution. Simply amazing!” – David Trudeau, Director of Sales
     - “Auditor™ turns an IBM xSeries into a powerful security appliance.” – Jim Stallings, Senior Vice President
  47. …And Customers (Banking/GLBA, Insurance/HIPAA, Education/E-Sign)
     - “Inside our firewall, our Auditor™ security appliance detects and diagnoses potential security flaws that could cause our bank to be at risk of FDIC IT Security Audit and GLBA noncompliance… We are very pleased with the Auditor™.” – Steve Irish, CIO, Enterprise Bank & Trust Co.
     - “is quite common for faculty/staff/students to plug into computer system without my knowledge... Auditor™ gives me the ability to get a quick inventory of which systems are new to the network and automatically quarantine those that are at risk.” – Kenneth Kleiner, Systems & Network Manager, UMASS Lowell
     - “With Auditor™ on our network, we get regular validation that we are protected against attack and enjoy a significant increase in security.” – William Tyson, SVP, AGIA
  48. We Are The Technology Leader…
     - The only vulnerability management player to develop the patent-pending Firewall Booster™ technology to tie and unify firewall and vulnerability management together.
     - The first to dynamically detect rogue and high-risk assets (mobile & wireless) and intelligently quarantine at the firewall.
     - The only vulnerability management player to expand into enterprise security management with asset management, policy building, patch boosting and regulatory compliance reporting.
     - The first and only to fit on a Compact Flash, a 1U and the IBM BladeCenter.
     - PredatorWatch, Inc.
  49. Questions?