Looking at Vulnerabilities Dave Dittrich University of Washington cac.washington.edu


1 Looking at Vulnerabilities
Dave Dittrich, University of Washington
dittrich @ cac.washington.edu
http://staff.washington.edu/dittrich/

2 Overview
- Background attack concepts
- Your typical look at Vulnerabilities, Risk vs. Cost
- A (real!) complex attack scenario
- A different view of vulnerabilities
  - Trust relationships
  - Attack trees
- Atypical/uncommon vulnerabilities

3 Stepping Stones

4 Internet Relay Chat (IRC)

5 IRC w/Bots&BNCs

6 Distributed Denial of Service (DDoS) Networks

7 Typical DDoS attack

8 DDoS Attack Traffic (1) One Day Traffic Graph

9 DDoS Attack Traffic (2) One Week Traffic Graph

10 DDoS Attack Traffic (3) One Year Traffic Graph

11 SANS Top 20 Vulnerabilities (http://www.sans.org/top20/)
Windows Top 10
1. Internet Information Server (IIS)
2. Microsoft Data Access Server (MDAC)
3. SQL Server
4. NETBIOS
5. Anonymous login/null session
6. LAN Manager Authentication (weak LM hash)
7. General Windows Authentication (accounts w/o pwd, bad pwd)
8. Internet Explorer
9. Remote Registry Access
10. Windows Scripting Host
Unix Top 10
1. Remote Procedure Call (RPC) services
2. Apache Web Server
3. Secure Shell (SSH)
4. Simple Network Management Protocol (SNMP)
5. File Transfer Protocol (FTP)
6. Berkeley "r" utilities (trust relationships)
7. Line Printer Daemon (LPD)
8. Sendmail
9. BIND/DNS
10. General Unix Authentication (accounts w/o pwd, bad pwd)

12 Attack sophistication vs. Intruder Technical Knowledge
(Chart: x-axis 1980, 1985, 1990, 1995, 2001; y-axis Low to High. Two curves: Tools / attack sophistication (rising) and Attackers / intruder knowledge (falling).)
Tools plotted along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.
Source: CERT/CC (used w/o permission & modified; "Can you say 'fair use?' Sure, I knew you could." IHO Fred Rogers)

13 Cost vs. Risk 101

14 Another view of Cost vs. Risk

15 UW Medical Center "Kane" Incident
Goal: How hard to obtain patient records?
- Windows 98 desktop w/trojan or no pwd
- Sniffer
- Linux server -> Windows NT PDC/F&P server
- Unix email server
- Windows PDCs, BDCs
- Windows Terminal Server (>400 users)
- Access database file (>4000 patient records: Name, SSN, Home number, treatment, date...)
- SecurityFocus -> ABC News

16 Trust relationships
- Client / Server
- IP based ACLs
- Shared password/symmetric key
- Shared network infrastructure
- Sensitive data in email
- Sensitive files on servers
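The slide lists trust relationships as a class of vulnerability; the Berkeley "r" utilities (slide 11, item 6) are the classic case, because a host's /etc/hosts.equiv or ~/.rhosts grants passwordless rlogin/rsh from whatever hosts it names, and those grants chain. The following added example (not part of the slides) builds the inverse of that trust as an attack graph and answers "from this one compromised desktop, which hosts fall without a single password?". The host names and trust-file contents are constructed; the parsing is a simplification of the real hosts.equiv/.rhosts rules (a plus sign means any host, a leading minus denies, and the optional second field, the user name, is ignored here).

```python
"""Transitive trust from Berkeley r-utility trust files (added example).

The per-host trust-file contents below are constructed for illustration;
the host names are hypothetical.
"""
from collections import deque

# Constructed: host -> lines of its /etc/hosts.equiv and root's ~/.rhosts.
# "host [user]" accepts passwordless logins from that host; "+" from anyone.
TRUST_FILES = {
    "pdc.example.org":       ["fileserv.example.org", "backup.example.org root"],
    "fileserv.example.org":  ["mail.example.org"],
    "mail.example.org":      ["+"],            # trusts every host
    "backup.example.org":    ["pdc.example.org"],
    "desktop42.example.org": [],               # trusts nobody
}


def parse_trust(files):
    """Map each host to the set of hosts it accepts passwordless logins from."""
    trusts = {}
    for host, lines in files.items():
        accepted = set()
        for line in lines:
            line = line.split("#", 1)[0].strip()   # drop comments / blanks
            if not line:
                continue
            src = line.split()[0]                  # user field (if any) ignored
            if src.startswith("-"):                # explicit deny entry
                continue
            accepted.add("*" if src == "+" else src)
        trusts[host] = accepted
    return trusts


def attack_edges(trusts):
    """Invert trust: owning `src` lets the attacker hop to every host that trusts it."""
    edges = {h: set() for h in trusts}
    for dst, accepted in trusts.items():
        for src in accepted:
            if src == "*":
                for h in trusts:
                    if h != dst:
                        edges[h].add(dst)
            else:
                # hosts named in a trust file but not inventoried are entry points too
                edges.setdefault(src, set()).add(dst)
    return edges


def reachable(edges, start):
    """Every host reachable from `start` by chained passwordless logins."""
    seen = {start}
    q = deque([start])
    while q:
        cur = q.popleft()
        for nxt in edges.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                q.append(nxt)
    seen.discard(start)
    return seen


def hop_path(edges, start, target):
    """Shortest chain of hops from `start` to `target`, or None if unreachable."""
    parent = {start: None}
    q = deque([start])
    while q:
        cur = q.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(edges.get(cur, ())):   # sorted for deterministic paths
            if nxt not in parent:
                parent[nxt] = cur
                q.append(nxt)
    return None


if __name__ == "__main__":
    edges = attack_edges(parse_trust(TRUST_FILES))
    start = "desktop42.example.org"
    print("from", start, "->", sorted(reachable(edges, start)))
    print("path to PDC:", hop_path(edges, start, "pdc.example.org"))
```

The point the graph makes is the one the summary slide states: the desktop trusts nobody and looks harmless, but because the mail server trusts everyone, a compromised desktop reaches the mail server, from there the file server, and from there the PDC. Each trust entry was added for a legitimate reason; it is the composition that is the vulnerability.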

17 Attack Trees
"Secrets and Lies," Bruce Schneier, ISBN 0-471-25311-1, chapter 21
- Goal is root node; sub-goals are lower nodes/leaves
- And/Or relationship between nodes
- Attributes: likelihood, equipment required, cost of attack, skill required, legality, etc.

18 Attack Tree Example 1 http://www.counterpane.com/attacktrees-fig1.html

19 Attack Tree Example 2 http://www.counterpane.com/attacktrees-fig6.html

20 Attack Tree Example 3
Survivability Compromise: Monitor network traffic
  OR: 1. Install sniffer on desktop.
        OR: 1. Use email trojan horse.
            2. Use remote exploit.
            3. Use Windows remote login service.
               OR: 1. Use passwordless Administrator account.
                   2. Brute force passwords on all listed accounts.
                   3. Brute force passwords on common accounts.
      2. Install sniffer on Unix/Windows server.
        OR: 1. Use remote exploit.
            2. Steal/sniff password to root/Administrator account.
            3. Guess password to root/Administrator account.
      3. Man-in-the-middle attack on SSL/SSH.
      …

21 Attack Tree Example 4 (Nested)
Survivability Compromise: Disclosure of Patient Records
  OR: 1. Attack Med Center network using connections to the Internet
        OR: 1. Compromise central patient records database (PRDB).
              AND: 1. Identify central PRDB.
                     OR: 1. Scan to identify PRDB.
                         2. Monitor network traffic to identify PRDB.
                   2. Compromise central PRDB.
                     OR: 1. Use remote exploit.
                         2. Monitor network traffic to sniff pwd to account.
                         3. Guess password to account.
            2. Obtain file(s) containing patient records.
              OR: 1. Monitor network traffic to capture patient records.
                  2. Compromise file server or terminal server.
                    OR: 1. Use remote exploit.
                        2. Monitor network traffic to sniff Administrator pwd.
                        3. Guess password to User/Administrator account.
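Slides 17 through 21 describe attack trees as AND/OR nodes with attributes on the leaves, which is what makes them useful for the Cost vs. Risk question on slides 13 and 14: once each leaf carries a cost and a possible/impossible flag, the cheapest attack on the root is a mechanical computation, and you can see how that cost moves when you deploy a control. The following added example (not code from the slides or from Schneier) evaluates a cut-down version of the slide 21 tree. The dollar figures and the "patched" flag are constructed for illustration only.

```python
"""Attack-tree evaluation with AND/OR nodes and leaf attributes (added example).

The tree is a cut-down version of the "Disclosure of Patient Records" tree on
slide 21; its cost figures and possible/impossible flags are constructed.
"""
INF = float("inf")


class Node:
    def __init__(self, name, kind="LEAF", children=(), cost=INF, possible=True):
        self.name = name
        self.kind = kind                 # "OR", "AND" or "LEAF"
        self.children = list(children)
        self.cost = cost                 # leaf attribute, e.g. dollars or hours
        self.possible = possible         # leaf attribute: False once mitigated


def leaf(name, cost, possible=True):
    return Node(name, "LEAF", cost=cost, possible=possible)


def OR(name, *children):
    return Node(name, "OR", children)


def AND(name, *children):
    return Node(name, "AND", children)


def cheapest(node):
    """Cheapest possible attack under `node`: (cost, list of leaf attacks).

    OR: take the cheapest child.  AND: every child is needed, so costs add
    and one impossible child makes the whole branch impossible (cost INF).
    """
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else (INF, [])
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])      # ties: first child wins
    if any(cost == INF for cost, _ in results):
        return (INF, [])
    return (sum(c for c, _ in results), [l for _, ls in results for l in ls])


def mitigate(node, names):
    """Mark every leaf named in `names` impossible (a control has been deployed)."""
    if node.kind == "LEAF" and node.name in names:
        node.possible = False
    for c in node.children:
        mitigate(c, names)
    return node


def build_tree():
    # Constructed illustrative costs, not measurements.
    return OR("Disclosure of patient records",
        AND("Compromise central PRDB",
            OR("Identify central PRDB",
                leaf("Scan to identify PRDB", 100),
                leaf("Monitor traffic to identify PRDB", 500)),
            OR("Compromise PRDB host",
                leaf("Remote exploit against PRDB", 1000, possible=False),  # patched
                leaf("Sniff password to PRDB account", 500),
                leaf("Guess password to PRDB account", 50))),
        OR("Obtain file(s) containing patient records",
            leaf("Sniff patient records off the wire", 500),
            OR("Compromise file or terminal server",
                leaf("Remote exploit against server", 2000),
                leaf("Sniff Administrator password", 500),
                leaf("Guess user/Administrator password", 50))))


if __name__ == "__main__":
    tree = build_tree()
    print("baseline:", cheapest(tree))
    mitigate(tree, {"Guess password to PRDB account",
                    "Guess user/Administrator password"})
    print("after password policy:", cheapest(tree))
    mitigate(tree, {"Sniff patient records off the wire",
                    "Sniff Administrator password",
                    "Sniff password to PRDB account"})
    print("after encrypting/switching the network:", cheapest(tree))
```

Run it and the three lines tell the Cost vs. Risk story: with the constructed figures the baseline attack is a $50 password guess, a password policy raises the cheapest attack to a $500 sniffer install, and removing cleartext traffic pushes it to the $2000 server exploit. Note that patching the PRDB alone (the one leaf already marked impossible) changed nothing, because an OR sibling was cheaper; that is the "vulnerabilities are additive, interrelated" point from the summary slide in numbers.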

22 Atypical Vulnerabilities
- Network Infrastructure
- Special Devices
- Non-technical (Social) Issues

23 Border Routers
- BGP (route insertion/withdrawal)
- Address forgery
- Source routing
- Denial of Service
- Remote service exploit & "root kits"
- Lack of visibility/access to traffic flows

24 Internal Routers/Switches
- OSPF, RIP & other protocols
- Address forgery
- ARP spoofing
- Sniffing (SNMP community string, pwd)
- Denial of Service
- Lack of visibility/access to traffic flows
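ARP spoofing is how the sniffer steps in the attack trees above are carried out on a switched network: the attacker answers for the gateway's IP with its own MAC, so victims' traffic transits the attacker's host. Because ARP has no authentication, a passive sensor can only catch the symptoms. The following added example (not from the slides) runs three such checks over a constructed stream of ARP replies: a reply that contradicts a pinned gateway binding, an IP that is re-announced by a different MAC, and a MAC re-sending replies at the rate a poisoning tool uses to keep victim caches refreshed. All MACs, addresses and the static binding are constructed.

```python
"""ARP-spoofing detection over a stream of ARP replies (added example).

The replies, MAC addresses and the static gateway binding are constructed.
"""
from collections import defaultdict

# Bindings an operator would pin on hosts (e.g. with `arp -s`): ip -> mac.
KNOWN_STATIC = {"10.0.0.1": "00:11:22:33:44:01"}   # constructed: the gateway

# Constructed ARP replies as seen by a passive sensor on the segment:
# (timestamp in seconds, sender MAC, sender IP, target IP)
ARP_REPLIES = [
    (0.0, "00:11:22:33:44:01", "10.0.0.1", "10.0.0.10"),   # gateway answers a host
    (1.0, "00:11:22:33:44:0a", "10.0.0.10", "10.0.0.1"),   # host answers gateway
    (2.0, "00:11:22:33:44:0b", "10.0.0.11", "10.0.0.1"),
    # attacker de:ad:be:ef:00:01 claims the gateway IP, repeatedly
    (5.0, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.10"),
    (6.0, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.10"),
    (7.0, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.10"),
    (8.0, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.10"),
    (9.0, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.10"),
    # ... and the victim's IP towards the gateway, for a full man-in-the-middle
    (12.0, "de:ad:be:ef:00:01", "10.0.0.10", "10.0.0.1"),
]


def detect_arp_spoof(replies, known=KNOWN_STATIC, flood_threshold=5, window=10.0):
    """Return (timestamp, kind, ip, expected_mac, seen_mac) alerts, in order.

    kinds: STATIC_OVERRIDE  reply contradicts a pinned binding (never relearned)
           IP_REBOUND       a learned IP moved to another MAC (relearned)
           REPLY_FLOOD      one MAC sent `flood_threshold` replies within `window`
    """
    bindings = dict(known)          # ip -> mac currently believed
    recent = defaultdict(list)      # mac -> timestamps of its recent replies
    alerts = []
    for ts, mac, ip, _target in replies:
        expected = bindings.get(ip)
        if expected is None:
            bindings[ip] = mac                      # first sighting: learn it
        elif expected != mac:
            if ip in known:
                alerts.append((ts, "STATIC_OVERRIDE", ip, expected, mac))
            else:
                alerts.append((ts, "IP_REBOUND", ip, expected, mac))
                bindings[ip] = mac                  # learned binding follows the change
        # sliding-window reply rate per sender MAC
        recent[mac] = [t for t in recent[mac] if ts - t <= window] + [ts]
        if len(recent[mac]) == flood_threshold:
            alerts.append((ts, "REPLY_FLOOD", ip, mac, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_REPLIES):
        print(alert)
```

The static table is the important half: a learned binding can only tell you that something changed, and a legitimate NIC swap looks the same as an attack, whereas a contradiction of a pinned gateway or server MAC is always worth a page. That is also why the gateway entry is never overwritten by a reply, while learned entries follow the change so a second hijack of the same IP is still reported.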

25 Servers
- Gateways to legacy apps
- Web apps
- Insufficient logging/auditing
- Hiding in plain sight
- Control of software configuration

26 Network Printers
- Change "Ready" message
- FTP bounce scan, other scanning
- File cache
- SNMP/web admin front ends, back doors
- Disclosure of print jobs
- Passive monitoring
- Redirection of print jobs

27 Medical "devices", photocopiers, printers
- Proprietary or OEM OS (e.g., Solaris, IRIX)
- Many (non-essential) services turned on
- Typically behind the curve on patches
- Remote management (HTTP, SNMP)
- Heavy use of unencrypted protocols (e.g., FTP, LPR, Berkeley "r" utilities)
- "What? The hackers are back?"

28 PBXs, voice services
- Monitoring
- Theft of Service
- Fraud/social engineering
- Denial of Service
- Malware Cache (PC based VM)

29 Social Issues
- Not recognizing threats
- Assuming attacks are simple
- Assuming things are what they seem (e.g., Slammer, Nimda)
- Assuming attacks/defenses are direct
- Assuming you have it handled

30 Summary
- Vulnerabilities exist in places you might not think
- Vulnerabilities are additive, interrelated
- Complex attacks call for complex defenses/response
- If you're not learning something new every day, you're falling behind your adversary
Questions?

31 References
UW Medical Center
- http://www.securityfocus.com/news/122/
- http://www.hipaausa.com/hacker.html
- http://www.cio.com/archive/110102/rules_content.html
- http://www.cio.com/archive/031502/plan_content.html
Attack trees
- http://www.counterpane.com/attacktrees-ddj-ft.html
Networking
- http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24
- http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt
- http://www.securityfocus.com/infocus/1594

32 References (cont)
Routers
- http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt
- http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf
- http://www.net-tech.bbn.com/sbgp/IETF42.ppt
- http://www.cymru.com/Presentations/barry.pdf
BGP, OSPF
- http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerability.pdf
- http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf

33 References (cont)
Switches, ARP, local network attacks
- http://www.comnews.com/stories/articles/c0103sfarea.htm
- http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
Printers
- http://members.cox.net/ltw0lf/printers/
PBXs
- http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
DDoS, "root kits"
- http://www.cert.org/reports/dsit_workshop.pdf
- http://www.cert.org/archive/pdf/Managing_DoS.pdf
- http://staff.washington.edu/dittrich/misc/ddos/
- http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

