Applied IT Security. System Security. Dr. Stephan Spitz 5 Security Threads. Applied IT Security, Dr.

Transcription

1 Applied IT Security System Security Dr. Stephan Spitz

2 Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System Security Security Threats on Networks Firewalls and Intrusion Detection Systems Applied Cryptography Device Security Public Key Infrastructures Authentication Protocols Encryption and digital Signatures in topical Applications Smart Cards, Secure µprocessors and Crypto Libraries Security Certification The Future of IT Security

3 Overview & Basics System Security Network Protocols and the Internet Operating Systems and Applications Operating System Security Today Security Threats on Networks Firewalls and Intrusion Detection Systems Applied Cryptography Device Security Public Key Infrastructures Authentication Protocols Encryption and digital Signatures in topical Applications Smart Cards, Secure µprocessors and Crypto Libraries Security Certification The Future of IT Security

4

5

6 Overview Security Threats on Networks Overview System Hacking General kinds of attacks: Spoofing, Sniffing and DoS Progression of an Attack Network Analysis, System Identification and Exploitation of Security Holes Tools supporting Network Security Administrators Examples of Network Level Attacks Fragmentation Attack, SYN/TCP Connect Flooding TCP Hijacking Examples of Application Level Attacks Scripting Attacks and SQL Injection Cookie Poisoning and other Application Level Attacks Countermeasures

7 Sniffing Sniffing: reading of unprotected Information in open networks e.g. setting your network adapter in promiscuous mode Sniffing is very efficient on Application Level (e.g. SMTP, FTP, SOAP), because data, especially passwords, is transmitted as plain ASCI characters Sniffing in a switched network is difficult, because IP packets are routed by a switch, but ARP spoofing (duplicate the MAC address of the attacked system) ARP flooding of switch => switch acts as hub (broadcast mode) Switch protocol spoofing (Imitate the switch protocol) Encryption is the only efficient way to avoid sniffing

8 Spoofing Spoofing is the active manipulation of transmitted data on different network layers IP Spoofing is the modification of IP packet headers to make them appear to have originated from a certain source DNS Spoofing: confusing a DNS server into giving out bad information with a recursive query to the victim's server, using the victim's server to resolve the query. The answer to the query (authoritative record) is in a zone the attacker controls and is FALSE. The victim's server caches the bogus record. Web Spoofing: modifying all web pages sent to a victim's machine, and observing all information entered. The faked window created on the victim's machine replaces some of the normal information, because the attacker causes all Web pages destined for the victim's machine to be routed through his server.

9 Denial of Service Denial of Service (DoS) is to cause a system to be deprived of the services or resources it would normally expect to have The most common DoS attack is simply to send more traffic to a network address than the programmers who planned its data buffers expected that someone might send Buffer Overflow DoS encomprises a wide variety of attacks (Fragmentation Attacks e.g. Ping of Death, Teardorp or Viruses or even physical damages) Distributed DoS (DDoS) is a DoS in which a multitude of compromised systems attack a single target

10 Progression of an Attack Network Scan i.e. find out which IP addresses are active Network Topology Mapping works out how the network is organized and identifies possible target computers Service Identification is a closer look to target computers with the aim to find out on which ports server processes are active Configuration Identification is to identify operating system, version, patch level and version, Exploitation of DNS, FTP, HTTP services security holes (e.g. Buffer Overflows)

11 Network Scans Alive Checks with the IP protocol, with error injection in the IP header (wrong version, incorrect length, etc.) Scan with the ICMP (Internet Control Message Protocol) protocol (netmask, timestamp or information requests) Use of TCP ports with TCP protocol error injection (SYN flag, ACK flag or TCP header without a flag) Requests with use of the UDP protocol can be also used for alive checks

12 Network Topology Mapping IP Time to Live can be used to determine the reach of an IP packet IP Record Route notes the systems which are passed by the IP packet (only 9 system IPs can be recorded) IP Strict Source Routing defines the systems which have to be passed by the IP packet (also only 9 hops ) ICMP Netmask Request returns the configured addresses and netmasks

13 Tools for Network Scans and Topology Mapping Alive Checks can be executed via a simple ping (ICMP echo request), if the ICMP protocol is active (echo on TCP port 7) Network Topology Mapping can be also done via hping with TCP SYN [-S] and a faked sender IP [-a] or the traceroute command (both on port 25): hping a p 25 S traceroute -p Network Topology Mapping is also possible with the TCP-ACK signal by use of the Nmap security scanner (SYN firewalled!): Nmap -sa /24

14 Service and Configuration Identification A simple port scan makes it possible to detect active services and servers on the target computer Further interesting information is OS version, patchlevel, configuration of services, contactperson, etc. DNS server can hold a lot more information beside the name resolution (hostinfo, host description, responsible person in HINFO, TXT, RP records) SNMP (Simple Network Management Protocol) or Routing Protocol Requests are possibilities to determine the topology on Application level RPC (Remote Procedure Call) service and port assignment analysis with the portmap service on port 111, e.g. for detection of an NFS (Network File System)

15 Tools for Configuration and Service Identification Port scans can be executed with Nmap, netcat, strope e.g. Nmap RPC scan with XML output: Nmap sr ox output.xml System identification is done with different network scanners e.g. Nessus or tcp_scan. Another way is again the Nmap command e.g. OS version with -O or network services with -ss Information about target computers (contact person, last update, DNS nameserver location, services) can be gained via the whois command e.g. whois example.org or with the host command e.g. host t * example.or NetBIOS scanner (NAT, Legion, SharesFinder) can be used to scan inside Win networks for shared resources

16 Fragmentation Attack (DoS) Firewalls (with static filter rules) check only the first IP datagram So do the following: 1. Send a well formed first IP datagram to the server 2. Send a second malicious datagram to the server with a TCP fragment offset of zero 3. Overwrite with the second IP datagramm information which otherwise wouldn t bypass the Firewall e.g. forbidden TCP ports Example attacks: Ping of Death: Create a buffer overflow with a large second IP datagram Teardrop: Wrong TCP fragment offset causes an overlay of IP datagrams which results in a general server break down

17 LAND Attack (DoS) Heise Newsticker : Acht Jahre, nachdem der Angriff zum ersten Mal aufgetaucht ist, ist der Microsoft-Windows-TCP/IP-Stack erneut angreifbar für diese historische DoS-Attacke. A SYN package is sent with a faked source IP address (x.x.x.x) which is the same address as the target address e.g. with: netstat -a (check first the available port for the attack)-> 80 hping -V -c 100 -d 40 -S -k -s 80 -p 80 -a x.x.x.x x.x.x.x Result: The wrong designed TCP/IP stack runs in an endless loop Counter Measurement: Configure router or firewall with a "Ingress Filter" which blocks the LAND package

18 Tamper TCP with ICMP (DoS) A lot of network component and software vendors are affected by the attacks based on forged ICMP messages (published in heise security news ticker ) Goal of the attack is to limit the bandwidth of TCP/IP connections and to tamper memory and CPU resources on the target system with ICMP Forged ICMP packages can be used in three different ways to abort a third party s network connection ICMP -"hard error report send to target host ICMP -"fragmentation needed and Don't Fragment (DF) bit set error report ICMP-"source quench"- error send to target host Guess Guess the the four-tuple four-tuple that that identifies identifies the the communication Counter Measurement: Perform further checks communication instance on recieved instance to to be ICMP be attacked, attacked, he error he can can use use ICMP ICMP to to perform perform a a variety variety of of attacks. attacks. messages ( see 03.txt) When When the the transport transport protocol protocol is is notified notified of of the the error error condition, condition, it it will will perform perform a a fault fault recovery recovery function. function. That That is, is, it it will will try try to to survive survive the the network network failure. failure. ICMP ICMP error error messages messages reporting reporting hard hard errors errors with with connection connection abort: abort: 2 2 (protocol (protocol unreachable), unreachable), 3 3 (port (port or or destination destination unreachable) unreachable) 4 4 (fragmentation (fragmentation needed needed and and DF DF bit bit set) set)

19 SYN/TCP Connect Flooding TCP is a connection oriented protocol with a handshake. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests can't be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. Solution: Tune thesizeof thebufferand thetimeout period in the network connection settings of the server

20 TCP Hijacking A TCP connection can be hijacked by the interception of a TCP connection The attack starts with sniffing on a network e.g. promiscuous mode of network adapter or setting up raw sockets The connection orientation is attacked e.g. by changing the sequence numbers in the TCP header a new connection has to be negotiated The attacker switches the new connection via his/her system Necessary tools are a network sniffer (ethereal) and a packet generator (ippacket) and optionally a SYN-Flooder Authenticated connections are the only efficient way to avoid TCP hijacking

21 TCP Hijacking Cont. CLIENT SYN ATTACKER SERVER SYN SYN, ACK SYN, ACK ACK ACK DATA MODIFIED DATA MODIFIED DATA DATA

22 Scripting Attacks Scripting attacks generally place the attacker s script code on web pages sent by another server The aim of scripting attacks is to compromise confidential information, manipulate or steal cookies or execute malicious code Cross site scripting (XSS or CSS) occurs when dynamically generated web pages display improperly validated input. The attacker tries to set a trap via a modified URL with injected code which can be placed on a malicious web page or sent by Web developer: Check user-submitted content in your application Web user: Safeguard your Internet Browser

23 SQL Injection SQL injection is a special kind of scripting attack where a hacker tries to place unauthorized SQL code on a web page executing SQL queries in a database (multi tier architecture) SQL injection can easily be done via URL strings with embedded SQL code which are modified by a hacker to broaden access to data Dynamic Web Content in a Web Browser HTML Get/Post Middleware Application on Server SQL Query HTML Response SQL Response Relational Database Web developer: Check user-submitted SQL queries in advance before executing them on the database

24 Cookie Poisoning A cookie is a flag or user information placed by a web application in your browser to store information for the next time you visit the web page (mainly for identification purposes) Cookie poisoning is the malicious modification of data in a cookie with the aim to return unauthorized information Main target of cookie poisoning is to gain access to user identification data for hacking password protected accounts Web developer: Encrypt persistent cookies, limit cookies to a session ID Web user: Limit the acceptance of cookies in your browser

25 Other Application Level Attacks Forceful/Direct access browsing is trying to bypass an authentication by directly accessing URLs because of improper server configuration Web developer: Disallow bookmarks after authentication Use encryption after authentication System commands can be executed by manipulating input in HTML forms processed by a Common Gateway Interface (CGI) Web developer: Don t use CGI anymore

26 General Counter Measures On the Network Layer: Only use the really necessary protocols and services in your network Limit the services which are available in the Internet Prevent Internet access to network management and routing protocols available in the intranet Use Encryption and Authentication Protocols (IPSec) On the Application Layer Tailor and safeguard your operating systems, servers and internet browsers (e.g. install topical security patches and remove unnecessary services) Use Encryption (Encrypted File System) and Authentication Protocols (SSL, TLS, HTTPS)