David Gamez IUA and the Autumn 2007 Security

Transcription

1 Overview Computer Security Vast topic only space here to touch on some of the key issues. Extremely important sloppy computer security costs time, money and even lives. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Bad Computer Security Costs Loss of data - code, financial information, plans for new cars etc. Loss of information about employees - National Insurance numbers, bank details, etc. Loss of customer information - credit card numbers etc. Loss of reputation no one wants to use with a bank whose security has been compromised. Bad Computer Security Costs Loss of cash many electronic attempts to steal money from banks. Loss of service if the website is down it can t deliver services or sell goods. Customers will go elsewhere. Loss of work time if the computer network is compromised, employees cannot do their job. Clean up time network administrators have to spend a lot of time cleaning up the mess. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Costs Graph Taken from: David Gamez IUA Week 5 Autumn Costs Graph Shows that the most reported types of attacks are not the ones that cause the greatest losses. Theft of proprietary information (reported by 21%) and denial of service (reported by 42%) accounted for 67.3% of total money losses ($135.8 million out of $201.8 million). Companies estimates of losses due to cyberattacks should be interpreted with caution! David Gamez IUA Week 5 Autumn

2 Physical Access Vulnerabilities Often overlooked, but it is the easiest way to access an organization. Staff member holds door open for the person behind them. They plug their computer into the network or shoulder surf a password and steal the organization s information. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Phone The hacker phones someone in the organization and claims to be the network administrator. Requests username and password for a test. Many users will give this information, especially if the attacker is persuasive or threatening and knows the name of their boss. Sniffing Easy to listen on a network to access the information being sent across it. All unencrypted information can be read. Can access passwords, s, sensitive documents etc. Ethereal: David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Scanning Scanning software used to probe the network to find out: IP addresses of other machines. Ports open on other machines. Services running on these ports Vulnerabilities Network scanning discovers the machines on the network. Vulnerability scanning discovers vulnerabilities on a given machine. Network Access Company is running a program that is listening on a particular port, perhaps the DBMS, a webserver or something else. Malicious software on another computer sends packets containing a buffer overflow attack (for example). This starts a new application on the compromised computer, which may download other code and attack other machines in turn. Can be run from anywhere in the world. Easier when you have physical access to the company network. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

3 Wireless Access An organization s wireless networks can be accessed without physical access. With a suitable aerial, this can be over a long distance. Wireless security (or WEP) can be cracked easily once you have captured enough packets. Wireless networks should always be isolated from main networks. Or communications over wireless should themselves be encrypted, using virtual private networks (VPN), for example. Malicious Websites Exploit buffer overflow vulnerability or similar to execute arbitrary code on users computer. User just has to view site using a vulnerable browser for example Internet Explorer. One common response is to maintain a list of dangerous websites and automatically block access to them. Also worth using a better browser, such as Firefox (see Resources). David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn s can be sent to members of the organization containing malicious code. Sometimes these are very obvious, such as FILENAME.exe, and the user has to take action to run the file and install the virus. Other attachments can exploit vulnerabilities in Windows to automatically run the code when the is viewed. Sometimes the user is given a link to a website that breaks into the computer when the user clicks on it. Sometimes the user is tricked into entering their login details on a bogus website. s may also contain ActiveX or JavaScript code that can hack the system. s often use clever social engineering to make the user click on the link or install the code. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Buffer Overflow Attacks Common way for malicious software to access the system. Exploits a program that does not check the length of a piece of data. Provides a way for an attacker to execute arbitrary code on a remote computer. Often part of other methods of attack, such as or website. Buffer Overflow Attack Two requirements: Inject attack code The attacker provides an input string that is actually executable, binary code native to the machine being attacked. Typically this code is simple, and does something similar to exec("sh") to produce a root shell. Change return address There is a stack frame for a currently active function above the buffer being attacked on the stack. The buffer overflow changes the return address to point to the attack code. When the function returns, instead of jumping back to where it was called from, it jumps to the attack code. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

4 Buffer Overflow Attacks Protection Use safe C libraries that check the amount of data that is being copied. Stack smashing protection checks to see if stack has been altered before returning and throws error if it is has changed. Separate executable code from data on the stack supported by some CPUs. Address space randomization addresses are different in each copy of Windows Vista, for example. Scan packets for buffer overflow exploits using an intrusion detection system. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Format String Attack Exploits function in C that carries out string formatting, such as printf( ). Program is forced to overwrite the address of a library function or the return address on the stack with a pointer to some malicious code. The malicious code is executed and installs itself on the user s computer. SQL Injection SQL Injection takes advantage of the syntax of SQL to inject commands that read or modify a database, or compromise the meaning of the original query. Russian hackers broke into a Rhode Island government web site and allegedly stole 53,000 credit card numbers. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn UN Website Compromised by SQL Injection SQL Injection Example Breaks code that controls access to a website. Form has a user name and password field. Both are assumed to be an ordinary string. The following SQL is used to query database with user supplied information. If this returns 1 row, the user is given access. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

5 SQL Code SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'Password' What if an unauthorized user types mypassword OR 1 = 1? SQL Code SELECT UserList.Username FROM UserList WHERE UserList.Username = 'Username' AND UserList.Password = 'password' OR '1'= '1' Now the query will always return one row (assuming the username is correct) and the attacker will gain unauthorized access. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Worms Malicious Software Spread over networks by attacking vulnerable services. Generally are not malicious, but may provide a way in which other malicious software can spread. Main impact is consuming network resources so that websites etc. can no longer be reached. For example, Blaster and Slammer worms. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Viruses Malicious code that spreads through a variety of methods. Distributed through malicious websites. Sends s using addresses harvested from the user s computer Network attack Copies itself into shared folders and removable media. David Gamez IUA Week 5 Autumn Trojan Software that is often installed by a virus (although there is not a clear distinction between the two). May contain a key logger, which records all of the keystrokes on the computer. Can be used to control many other features of the computer. May block access to anti-virus websites. May stop user running the Task Manager. David Gamez IUA Week 5 Autumn

6 Trojan May stop installation of anti-virus programs. May delete all or some of the data on your computer. Often gathers credit card details and other information for identity theft. Often sends spam s. Attacks other computers, either by sending , copying files or via scanning + network attack. David Gamez IUA Week 5 Autumn Rootkit Piece of code that hides itself in the operating system. Often changes the behaviour of the operating system so the root kit is completely invisible to the user. Common way for malicious software to hide itself. Viruses and trojans can be removed relatively easily. May take a complete reinstall to get rid of rootkits. David Gamez IUA Week 5 Autumn Sony Rootkit Recent case in which Sony installed a rootkit as part of its copy-prevention software. Interfered with the normal way in which the Microsoft Windows operating system played CDs. Opened security holes that allowed viruses to break in, and caused other problems. Sony Rootkit More than half a million computers worldwide were infected with Sony rootkit. Lawsuit claimed that the rootkit had damaged users computers. Sony removed software from shelves and offered to replace the copy-protected CDs with non-copy-protected CDs. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Spyware Often installed as part of a free or cheap application. Sends back private information to companies, possibly about the user s browsing habits etc. Not always recognized by anti-virus software. Specialized anti-spyware software can be used to recognize and remove it (see Resources section). Human Attackers David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

7 Overview Have covered how different types of malicious software are distributed in different ways. Threat from human attackers who want to break into business systems to steal money, credit card details or information. Several different stages to a successful cyberattack. Some examples in the Resources section. Cyberattack Example 1 Wearing a blue boiler suit and fake ID the attacker gains physical access to the building. Carries something big so that an employee helpfully lets him through the door and he does not have to swipe his fake ID. Installs a wireless device that sniffs the network and allows him to communicate with it. Sits outside the organisation and gathers any information that he wants. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Cyberattack Example 1 The wireless device may allow him to penetrate other computers on the network. Could also have installed a rootkit on the computers to accomplish the same task. This would have been even easier if the attacker had gained a cleaning job at the organisation. Cyberattack Example 2 Laptop containing sensitive information with an unencrypted hard drive is left in a car by a stupid employee. Steal laptop. Job done! If laptop does not contain the required information, it may contain VPN passwords etc., which give the attacker remote access to the corporate network. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Cyberattack Example 3 Research on the companies website reveals a list of telephone numbers of employees. Could use Google to discover poorly secured information about employees (see article in Resources section). Phone employee and pretend to be a network administrator. Get their username and password and use this to access the system. Cyberattack Example 4 Attacker in Russia sends carefully targeted s to employees. These contain a game or amusing pictures and the employee has to open the attachment to play the game or view the amusing picture. Or they just have to follow a link. Malicious software is installed on the machine which the attacker uses to access it remotely from Russia. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

8 Cyberattack Example 4 This software sends all of the keystrokes on the worker s machine. It also allows the attacker to use other methods, such as buffer overflow exploits to attack other machines on the network. The attacker can also sniff all of the traffic on the network, including unsecured s, passwords, etc. Cyberattack Example 5 Attacker gathers as much information as he or she can about the computer infrastructure of the organization. This includes software, hardware, IP addresses etc. Company reports, software consultants, etc. can all be sources for this information. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Cyberattack Example 5 Cyberattack Example 5 Attacker selects target machines and runs a vulnerability scanner against them. This is a piece of software that reveals the vulnerable parts of the system, which services are running, etc. Attacker launches an exploit against a machine and installs malicious software. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Cyberattack Example 5 Once inside the corporate network he or she can run a network scanner. This reveals all of the machines on the network. He can then choose another machine to attack, steal sensitive information, or disable the network. Cyberterrorism? Most industrial systems are controlled by computers using standard technology, such as TCP/IP and Windows. Conceivable that an attacker could break into a nuclear or chemical plant s networks and disable safety systems, release dangerous substances or worse. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

9 Cyberterrorism - Examples An ex-employee broke into a sewage treatment plant computer system and released 250 million tonnes of raw sewage. Slammer worm compromised safety systems of an Ohio nuclear plant. Claims that Russian hackers controlled a gas pipeline for 24 hours. Denial of Service David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Botnets Poor home security practices enable attackers to compromise and control very large numbers of computers. Called bots or zombie computers. Generally communicate using Internet Relay Chat. Botnets Used to send spam and to host illegal websites. Attack other computers in order to increase the size of the botnet. Used for distributed denial of service attacks. Can be huge Storm Worm botnet probably has over half a million machines. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Denial of Service Brings a website or service down in different ways. Can exploit a flaw in the program to crash it. For example Ping of death crashed many operating systems by sending a malformed packet Or can use up the server s memory resources by sending lots of fraudulent requests. Denial of Service Can also bring down a website by flooding it with nonsense packets. For example, a large number of big packets is sent, which the webserver has to spend a lot of time filtering out. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

10 DDos Attack DDos Extortion Criminals controlling large botnets try to extort money from companies in exchange for not bringing their website down. First they launch a DDos attack on a website and then threaten to attack again unless paid $40,000, for example. Online gambling sites are often targeted. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn DDos Extortion One article claims that organisations are paying extortion demands. Resources section has a recent news item of man arrested for DDos extortion with 7000 remotely controlled machines. Defence David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Training! If your staff are not trained properly it will be easy to compromise your organization. Need to promote a culture of security in which everyone is aware of its importance. Staff should challenge people without id badges. Staff should never disclose their usernames or passwords to anyone. Updating Software manufacturers frequently release fixes for vulnerabilities in their code. Windows, Mac OS X and Linux, for example, all need to be updated regularly. Machines will be much more vulnerable without regular updating. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

11 Privileges Mac OS X and UNIX / Linux are more secure than Windows XP because the standard user lacks certain privileges. The user has a much more limited ability to change the system than a superuser or root user. Attacks generally compromise just the user space, not the whole computer. Privileges This approach can be implemented in XP (in the IUA lab the Student account has reduced privileges). However, most users of Windows run with administrator privileges. Windows Vista makes a more secure approach to privileges standard for all users. Delicate balance between security requirements and enabling users to efficiently carry out tasks. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Secure Passwords Many people and network administrators have insecure passwords or fail to change them from their default. Example of Herbless hacker who broke into hundreds of websites using the default Microsoft SQL administrator password. This password should have been changed on day 1 when they set up the server! Secure Coding Patching is used to fix sloppy coding on commercial software. Training and a culture of security is the only way to reduce security vulnerabilities in software written by your own company. Bad design, bad checking of inputs and insecure libraries are the major ways in which software security is compromised. All can be minimised by careful and responsible coding. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Operating Systems Linux and Mac OS X are more secure than Windows XP. This is largely because Windows is more popular, so more attackers target Windows Windows Vista has introduced a number of improvements to its security: Address space randomization. More sophisticated privileges Network access protection Better firewall Security Software Many different software applications exist to help to protect organisations against threats. Regular updates to this software especially to the intrusion detector and virus checker is essential to success. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

12 Signature Detection Most defences work by looking at the signature of the malicious code. This is accurate and has a low false positive rate. This means that it is unlikely that the software will report a virus when there is no virus. Signature Detection However, signature scanning offers no defence against a new virus. People have to wait for a signature to be written and tested by the anti-virus vendors. Possibility of viruses that change their signature. Does not work with encryption. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Anomaly Detection Another alternative is to monitor the normal state of the system and look for deviations from this normal state. This is called anomaly detection. Anomaly detection is an active research area. So far few products have made it to the market. Anomaly Detection Main problem is false positives the system reports an attack when there is no attack. This behaviour is unacceptable for consumer applications, but may be ok in a corporate environment where there are a large number of false alarms from other sources. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Anti-virus Software Based on signature detection. Deployed as standard on most Windows PCs. Should be deployed on the machines in the IUA lab! Scans files and s looking for the signature of a particular virus. Alerts the user when one is found. File Integrity Checkers A form of anomaly detection. A checksum is carried out on key system files. If this checksum changes an alarm is raised. For example: Tripwire: Afick: David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

13 Firewalls IPv4 Datagram Hardware or software that filters out packets directed to specific ports and other types of traffic. Critical method of defence for a computer and organization. Can block DDos attacks, but only if applied at the right place in the network. Should filter incoming and outgoing traffic. Windows XP firewall only blocks incoming David traffic. Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn TCP Header Firewall David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn DDos Attack Intrusion Detection Systems Scan packets sent through the network looking for viruses etc. Alert network administrator when problem is found. Need to know the signature of the malicious code. Can generate a lot of false alarms for example, when an employee is browsing security-related information. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

14 Penetration Testing Security professional attempts to break into system. Different amounts of information may be provided to the tester. Provide a report on the computer security to the company. Multi-level Security Nothing works perfectly! Pursue a multi-level approach that maximises security in each area of the organization. So training+physical security+updated systems+virus checkers+firewalls etc etc. must all be done as well as possible. David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Costs Questions? Taken from: David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Resources - General Resources Business-oriented handbook on computer security (PDF file): Online book on computer security: y Guide to home computer security: ecurity/ High quality articles and news on securityrelated issues: David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

15 Resources - General Cost of cyberattacks (PDF document): /CRS_Cyber_Attacks.pdf Sony rootkit: itymatters/2005/11/69601 Blaster worm: showpage&pid=159&page=1 Using Google to access sensitive information: Malicious websites: Resources Buffer Overflows Buffer overflow attacks: le.do?command=viewarticlebasic&articlei d=82920&intsrc=article_pots_side Buffer overflow attacks: y/6701 Defence against buffer overflow attacks: ecurity/boflo.html David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Resources Denial of Service Botnets: Wars-How-Botnets-Work.html Ping of death denial of service: Distributed denial of service attack (DDos): DDos extortion: ,00.htm Man arrested for DDos attacks: Resources - Attacks Poor password security: Keylogger scam: _scam.html Failed attempt to steal 220 million using keyloggers: ce Physical access: Stolen laptop contains sensitive information: theft/ David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn Resources - Cyberterrorism Roundtable discussion about the possibility of cyberterrorism: px?pack=rss.rtcyberterr Hackers target utility control systems: 0/18/206046/hackers-target-utilities-controlsystems.htm Slammer worm disables safety monitoring system at nuclear plant: Software Firefox web browser: Snort open source intrusion detection system: Ethereal sniffer: AVG free anti-virus software: Adaware anti-spyware: Spybot anti-spyware: David Gamez IUA Week 5 Autumn David Gamez IUA Week 5 Autumn

16 Software Windows rootkit revealer: nals/utilities/rootkitrevealer.mspx Afick file integrity checker: Top 100 Network security tools: David Gamez IUA Week 5 Autumn