Recent Security Threats & Vulnerabilities
Computer Security
Bob Cowles
HEPiX, Fall 2004 – Brookhaven, NY, USA
Work supported by U.S. Department of Energy contract DE-AC02-76SF00515

18 October 2004 HEPiX - Fall

Windows
- Recent Windows vulnerabilities
- Windows patching
- Phishing and viruses
- Web exposures (IE)
- Spyware
- XP SP2

Recent Windows Vulnerabilities
- ASP.NET path vulnerability
- GDI+ JPEG (can't just block JPEGs)
- IE patches – lots; Outlook Express update
- NetDDE (not enabled by default)
- Windows shell (exploitable through the web)
- IIS (document footer JavaScript)
- Allows code execution: NNTP; SMTP; zipped folders; Excel; WordPerfect converter; HTML Help; Task Scheduler; POSIX subsystem (older systems)

Windows Patching
- Patches do NOT get e-mailed to you!
- Windows systems in Active Directory can be patched automatically (mostly)
- Offsite users must do their own patching
- May investigate BigFix as a partial solution
  - Support for Linux / Macintosh
  - Non-AD users
  - Non-Microsoft software (WinZip, RealPlayer, Acrobat)

Recent Phishing

Attacks & Protection
- Phishing = e-mails (and phone calls) engineered to get information from you, or just to get you to click and download a virus
- Need multi-level protection
  - E-mail gateways strip attachments
  - Exchange/desktop AV detects & removes
  - Gateway tags the subject as [SPAM:###] if a link in the e-mail would download malicious code

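The layered gateway described on this slide, as an added example that is not code from the talk or from any product it names: it strips dangerous attachments, decides attachment type from the leading bytes rather than the file extension (the reason the GDI+ slide says you can't simply block JPEGs: the extension is not what the parser sees), and tags the subject when the message links to a host known to serve malicious code. The blocklist, the stripped-extension list, the `[SPAM:URL]` tag text (the slide's `###` is not spelled out) and the sample message are all constructed for the demo.

```python
"""Toy e-mail gateway filter (added example; not code from the talk).

Layers: strip dangerous attachments, identify attachment types by content
rather than by extension, and tag the subject when the message links to a
blocklisted host. Blocklist, extension list and sample message are constructed.
"""
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed blocklist of hosts that serve malicious downloads (assumption).
BLOCKED_HOSTS = {"download.example-bad.test", "cdn.evil.test"}
# Extensions stripped outright (assumption: a typical 2004 gateway policy).
STRIPPED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}
# File types recognised by leading "magic" bytes; extensions lie, headers rarely do.
MAGIC = {
    b"MZ": "exe",             # DOS/Windows executable
    b"PK\x03\x04": "zip",     # ZIP archive ("zipped folders")
    b"\xff\xd8\xff": "jpeg",  # JPEG image: legitimate and far too common to block
}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
TAG = "[SPAM:URL]"  # assumption: the slide's ### is a rule id; this one means "bad link"


def sniff_type(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_hosts(text: str) -> set[str]:
    """Hostnames of every http(s) URL found in a body part."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def filter_message(raw: bytes, blocked_hosts=BLOCKED_HOSTS):
    """Apply the gateway layers to one RFC 822 message; return (message, report)."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"stripped": [], "kept": [], "bad_hosts": set()}
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:
            # Body text: look for links into blocklisted hosts.
            if part.get_content_type() in ("text/plain", "text/html"):
                report["bad_hosts"] |= extract_hosts(part.get_content()) & set(blocked_hosts)
            continue
        # Attachment: decide by extension AND by content, never by extension alone.
        ext = os.path.splitext(filename.lower())[1]
        kind = sniff_type(part.get_content())
        if ext in STRIPPED_EXTENSIONS or kind == "exe":
            report["stripped"].append((filename, kind))
            part.set_content(f"[gateway removed attachment {filename!r} (type {kind})]")
        else:
            report["kept"].append((filename, kind))
    if report["bad_hosts"]:
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    return msg, report


def build_sample() -> bytes:
    """Constructed phishing message for the demo (not a real capture)."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "alerts@bank.example.test"
    m["To"] = "user@lab.example.test"
    m["Subject"] = "Your account has been suspended"
    m.set_content("Please review the attached statement.")
    m.add_alternative(
        '<p>Or <a href="http://download.example-bad.test/update.exe">click here</a>.</p>',
        subtype="html")
    # "statement.pdf" is really a Windows executable: the extension lies, the header does not.
    m.add_attachment(b"MZ" + b"\x90" * 58 + b"PE\x00\x00", maintype="application",
                     subtype="pdf", filename="statement.pdf")
    # A JPEG header: kept, because blocking JPEGs is not an option (see the GDI+ slide).
    m.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 12, maintype="image",
                     subtype="jpeg", filename="photo.jpg")
    return m.as_bytes()


def gateway_demo():
    """Run the filter over the constructed sample; return the checkable results."""
    msg, report = filter_message(build_sample())
    return str(msg["Subject"]), report["stripped"], report["kept"], sorted(report["bad_hosts"])


if __name__ == "__main__":
    for item in gateway_demo():
        print(item)
```

The content check is the part that matters: a gateway that only looks at `.pdf` would have delivered the executable, while one that blocks every JPEG would break ordinary business mail; the GDI+ bug has to be handled by patching the parser, not by the gateway.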
Don't Take the Bait (screenshot slides)
- Forged FDIC e-mail
- Fake FDIC website
- Real FDIC website
- With virus attached

AD & SUS -> WUS
- Problematic patching
  - Office vs. Windows Update
  - Require product CD?
- XP will have improvements (someday)
  - Who let them name it WUS?
  - But sites still must address non-MS software

Viruses
- More sophistication
- Run automatically
- Leave backdoors; SMTP (for sending spam)
- Keyboard loggers
- Alert Oct 18, 2004 – zip file checking bypassed in AV products from McAfee, CA, Sophos, Kaspersky, Eset, RAV

IE Exposures
- Unpatched vulnerabilities
- Cannot escape IE (but can control it)
- XP SP2 has fixed some problems
- There is still the problem of user knowledge

Spyware
- Invades privacy
- Keyloggers compromise security
- Allowed by some AV products
  - User agrees to the software's actions through the license agreement
- US state and federal legislation will solve the problem (just like with SPAM) - NOT

XP SP2
- Problem areas
  - Spyware causes bluescreens
  - Pop-up blocking causes problems with some sites
  - Multiple firewalls cause conflicts
- Need to allow vulnerability scanning
  - ICMP off by default (no ping response)
  - Open ports for file / print sharing, or
  - Run a software agent that can be "contacted"

Unix & Linux
- Local exploits = remote exploits (once an attacker holds any user's password)
- Samba
- LSF – rtok, lsadmin, eauth
- PHP in web servers
- chown
- drivers (bugs found with the sparse code-checking tool)
- sendmail
- sshd – scanning for weak passwords

Fedora (Fedora Legacy project)
- Supports RH 7.3 and RH 9
- Security fixes can take several months after a vulnerability is announced
- Large package of fixes released Oct 18, 2004
  - ISO9660, SoundBlaster, file offset pointers, NFS group ID, drivers, several integer overflows, other DoS, memory leaks, information leaks

Universities & Labs
- Exploits against Solaris, AIX, Linux
- Attacker(s) are knowledgeable
- Install SK rootkit on Linux
- Install trojaned sshd
  - gets passwords from keyboard/tty entry
  - accesses RSA keys
  - CERN break-in (LXPLUS) is a recent example (LSF)
- Are one-time password tokens in your future?

Universities & Labs (cont.)
- User "klogd" scans for open X sessions
- Forwards captured passwords through port 8181
- Used on patched machines
- Just notified sites in the US (USC, UCSB, NYU, Princeton, PSU, etc.) of problems
- Also RAL, Fermilab, SLAC, Cornell, Bristol, INFN, Stanford

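Host triage for the indicators on the two "Universities & Labs" slides, as an added example that is not code from the talk: a process running under an account named after a daemon (the slide's "klogd"), an sshd executed from somewhere other than the packaged path (the trojaned sshd), a TCP connection to the password-forwarding port 8181, and a package-verification mismatch on the sshd binary. All `ps`, `netstat` and `rpm -V` output is constructed for the demo; the `xscan` program name, the `/tmp/.x/sshd` path, the watched daemon names and the `/usr/sbin/sshd` location are assumptions, not details from the incident. One caveat the slide itself implies: a kernel rootkit such as SK can hide processes, sockets and file contents from a running system, so these checks are only trustworthy when run from a trusted boot medium.

```python
"""Triage checks for the intrusion indicators on the two slides above (added example;
not from the talk). All ps/netstat/rpm output below is constructed for the demo."""
import re

DAEMON_NAMES = {"klogd", "syslogd"}   # assumption: daemon names abused as user accounts
SSHD_PATH = "/usr/sbin/sshd"          # packaged sshd on Red Hat-style systems (assumption)
EXFIL_PORTS = {8181}                  # from the slide: captured passwords sent via 8181
# rpm -V line: 8-9 attribute flags, optional file-class marker (c = config), path.
RPM_V_RE = re.compile(r"^([SM5DLUGTP.]{8,9})\s+(?:([cdglr])\s+)?(\S+)$")


def suspicious_processes(ps_lines):
    """Lines of `ps -eo user,pid,comm,args --no-headers`. Flags processes running
    under a daemon-named account and sshd started from a non-packaged path."""
    findings = []
    for line in ps_lines:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        user, pid, comm, args = fields
        if user in DAEMON_NAMES:   # the real klogd runs as root on these systems
            findings.append(f"pid {pid}: running as account '{user}': {args}")
        if comm == "sshd" and args.split()[0] != SSHD_PATH:
            findings.append(f"pid {pid}: sshd executed from {args.split()[0]}")
    return findings


def suspicious_connections(netstat_lines):
    """Lines of `netstat -antp`. Flags TCP connections whose foreign port is an
    exfiltration port; listening sockets (foreign port '*') are skipped."""
    findings = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        host, _, port = fields[4].rpartition(":")
        if port.isdigit() and int(port) in EXFIL_PORTS:
            prog = fields[6] if len(fields) > 6 else "?"
            findings.append(f"{fields[5]} connection to {host}:{port} by {prog}")
    return findings


def modified_package_files(rpm_lines):
    """Lines of `rpm -V <package>`. Flags size (S) or MD5 (5) changes to non-config
    files, which is what a replaced binary looks like. A kernel rootkit can hide
    this too, so verify from a trusted boot medium when a host is suspect."""
    findings = []
    for line in rpm_lines:
        m = RPM_V_RE.match(line.strip())
        if not m:
            continue
        flags, file_class, path = m.groups()
        if file_class == "c":          # config files legitimately differ
            continue
        if "S" in flags or "5" in flags:
            findings.append(f"{path}: size/digest differs from package ({flags})")
    return findings


# Constructed sample output: one hostile process, one rogue sshd, one exfil connection.
SAMPLE_PS = [
    "root       512 klogd    klogd -x",
    "klogd     2231 xscan    ./xscan 192.0.2.0/24",
    "root       801 sshd     /usr/sbin/sshd",
    "root      3118 sshd     /tmp/.x/sshd",
]
SAMPLE_NETSTAT = [
    "tcp  0  0 192.0.2.10:43122  198.51.100.7:8181  ESTABLISHED 2231/xscan",
    "tcp  0  0 192.0.2.10:22     192.0.2.44:51044   ESTABLISHED 801/sshd",
    "tcp  0  0 0.0.0.0:22        0.0.0.0:*          LISTEN      801/sshd",
]
SAMPLE_RPM_V = [
    "S.5....T    /usr/sbin/sshd",
    ".......T  c /etc/ssh/sshd_config",
]


def triage_demo():
    """Run all three checks over the constructed output and return the findings."""
    return (suspicious_processes(SAMPLE_PS)
            + suspicious_connections(SAMPLE_NETSTAT)
            + modified_package_files(SAMPLE_RPM_V))


if __name__ == "__main__":
    for finding in triage_demo():
        print(finding)
```

The legitimate `klogd` (running as root) and the packaged `sshd` pass; only the attacker's account, the sshd from `/tmp`, the 8181 connection and the digest mismatch are reported. Password-harvesting sshd replacements are exactly why the previous slide asks about one-time password tokens: once the binary is trojaned, every reusable password typed into it is lost.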
Cisco
- CatOS – Telnet, HTTP, SSH
- BGP – another DoS

Macintosh
- Safari – open in browser; JavaScript
- Disk image mounter
- libpng
- Kerberos
- rsync
- OpenSSH
- iChat
- QuickTime

Other Vulnerabilities
- AXIS video camera and server
- IM – Gaim, AIM & Yahoo Messenger
- CVS
- RealPlayer
- WinZip
- HP Web Jetadmin
- Acrobat Reader 6.0
- FireWire (announced Nov 11)

E-mail
- Evils of HTML e-mail
  - It's big & it hides bad stuff
- Phishing scams
  - Citibank, eBay, PayPal, Wells Fargo
- Outlook 2003 setting (registry setting for Outlook XP)
- New default for Outlook Express

Outlook 2003: Tools -> Options -> Preferences -> E-mail Options -> "Read all standard mail in plain text" (screenshot)

Final Thoughts
- Attacks coming faster; attackers getting smarter
- No simple solution works
  - Patching helps
  - Firewalls help
  - AV & attachment removal help
  - Encrypted passwords/tunnels help
- You can't be "secure"; only "more secure"
- We must share information better

What is the Most Important Component of Computer Security? YOU!