Recent Security Threats & Vulnerabilities
Computer Security, Bob Cowles
HEPiX, Spring 2004 – Edinburgh, UK
Work supported by U.S. Department of Energy contract DE-AC03-76SF00515
25 May 2004, HEPiX - Spring

Windows
- Worms
- Windows AD & SUS for patching
- Viruses
- Web exposures (IE)
- Leaked code for WinNT & Win2K
MSBlaster
[Figure: timeline with the markers "MSBlaster released" and "MSBlaster at SLAC"; the chart data is not in the extracted text]
Sasser Experience (MS )
- Patched quickly
  - Servers within 10 hours
  - All workstations within 80 hours
- VPN changes
  - No access to local drives of desktops
  - Firestorm of protest
  - Disappeared after the dust settled (Citrix & RDP)
- Ongoing problems with unpatched systems
AD & SUS for patching
- Problematic patching
  - Office vs. Windows Update
  - FrontPage DLLs
  - MDAC
- Machine vs. user GPOs
- SUS update times
- New installs
- XP SP2 has many improvements (in 2005)
The way we were …
[Network diagram: zones labelled Visitor, BaBar Detector, BSD, BSD-Private, Remote access, HEP, Accelerator, SSRL, SLAC Basic Internet]

The way we are now …
[Network diagram: the same zones with a separate Servers zone added]
Viruses
- More sophistication (Bobax and Kibuv)
- Zip files
- Encrypted zip files
- From microsoft.com
- From
- Run automatically
- Leave backdoors; SMTP engine for spam
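The attachment pattern on this slide (zip attachments, encrypted zips that an AV scanner cannot look inside, executables dropped by a forged microsoft.com sender) is the kind of thing a mail gateway can triage before a user double-clicks it. The following is an added example, not code from the talk or from SLAC: the message, the archives and the `triage_*` function names are all constructed here. The encrypted fixture only sets the zip encryption flag bit, which is enough to make the stdlib reader treat the entry as password-protected.

```python
"""Attachment triage for the virus pattern on this slide: zip attachments,
encrypted (unscannable) zip attachments, and executables inside them.
Added example, not code from the talk; the message and archives are constructed."""
import email
import io
import os
import struct
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flag: entry is encrypted


def build_zip(entries, encrypted=False):
    """Build a stored zip in memory. With encrypted=True the encryption bit is set in
    every local and central header so the archive reads as password-protected
    (fixture only: the bytes are not really encrypted, and zipfile refuses to open them)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                struct.pack_into("<H", raw, pos + flag_offset, ENCRYPTED_FLAG)
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def triage_attachment(filename, data):
    """Findings for one attachment: executables by name or MZ magic, and for zips
    the same test applied to each entry; encrypted entries are reported as unscannable."""
    findings = []
    if os.path.splitext(filename)[1].lower() in EXEC_EXT or data[:2] == b"MZ":
        findings.append(f"executable attachment: {filename}")
    if data[:4] == b"PK\x03\x04":
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return findings + [f"corrupt zip: {filename}"]
        with zf:
            for zi in zf.infolist():
                entry = f"{filename}:{zi.filename}"
                if zi.flag_bits & ENCRYPTED_FLAG:
                    findings.append(f"encrypted entry, cannot be scanned: {entry}")
                    continue
                with zf.open(zi) as fh:
                    magic = fh.read(2)
                if os.path.splitext(zi.filename)[1].lower() in EXEC_EXT or magic == b"MZ":
                    findings.append(f"executable inside zip: {entry}")
    return findings


def triage_message(raw):
    """Run triage over every attachment of an RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode(part.get_content_charset() or "utf-8")
        findings.extend(triage_attachment(part.get_filename() or "unnamed", data))
    return findings


def build_sample_message():
    """Constructed message in the style of the 2004 campaigns: forged microsoft.com
    sender, a zip holding an .exe, and a password-protected zip holding a .pif."""
    msg = EmailMessage()
    msg["From"] = "security@microsoft.com"  # forged; Microsoft does not mail patches
    msg["To"] = "user@example.org"
    msg["Subject"] = "Critical security update"
    msg.set_content("Install the attached update immediately.")
    msg.add_attachment(build_zip([("patch.exe", b"MZ" + b"\x90" * 64)]),
                       maintype="application", subtype="zip", filename="update.zip")
    msg.add_attachment(build_zip([("invoice.pif", b"MZ\x00\x00")], encrypted=True),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment("Nothing to see here.", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample_message()):
        print(line)
```

The encrypted case is the one to notice: the scanner cannot say the entry is clean, only that it could not look, so a gateway policy has to decide whether "unscannable" means quarantine. The sender check is deliberately not attempted here; a From: header is free text and proves nothing without envelope-level verification.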
IE Exposures
- Numerous unpatched vulnerabilities
- Cannot escape IE (but can control it)
- Unclear how much XP SP2 will fix
- There is still the problem of user knowledge
Unix & Linux
- Local exploits = remote exploits
- mremap (2 times)
- ASN.1
- do_brk
- Solaris: vfs_getvfssw()
- CDE dt…
- XFree86
- yp*
Universities & Labs
- Exploits against Solaris, AIX, Linux
- Attacker(s) seem sophisticated
- Install SK rootkit on Linux
- Install trojaned sshd
  - gets passwords from keyboard/tty entry
  - accesses RSA keys
- Cracks yp or Kerberos password files
- One-time password tokens are in your future
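Why the slide ends with one-time password tokens: a trojaned sshd that logs keystrokes captures a reusable secret, and a cracked yp or Kerberos database yields the same. An event-based token changes what the attacker captures into a value that is spent the moment it is used. The block below is an added example, not code from the talk or from any token vendor; it implements HOTP from RFC 4226 (with the RFC's published test secret so the codes can be checked) and a server-side verifier of my own design that tracks the last accepted counter.

```python
"""RFC 4226 HOTP with a replay-rejecting verifier. Added example showing why the
'one-time password tokens' on this slide defeat a trojaned sshd that logs what the
user types: the captured code is already spent. Not code from the talk."""
import hashlib
import hmac
import struct

# Test secret from RFC 4226 Appendix D, used here so the outputs can be checked.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of an event-based token. The server remembers the highest
    counter it has accepted and only accepts codes for later counters, within a
    small look-ahead window to tolerate codes generated but never submitted."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # everything up to c is now spent
                return True
        return False


def replay_demo(secret: bytes = RFC4226_SECRET):
    """Legitimate login, attacker replays the sniffed code, user logs in again.
    Returns the three verdicts: (True, False, True)."""
    server = TokenVerifier(secret)
    token_counter = 0
    first = server.verify(hotp(secret, token_counter))      # user presses the token
    sniffed = hotp(secret, token_counter)                   # what a trojaned sshd saw
    replay = server.verify(sniffed)                         # attacker tries it later
    token_counter += 1
    again = server.verify(hotp(secret, token_counter))      # user's next login
    return first, replay, again


if __name__ == "__main__":
    print(replay_demo())
```

The caveat a practitioner will want: the token only protects the authentication step. A trojaned sshd still owns the session after login, and the slide's "accesses RSA keys" point is not addressed by it at all; those keys need a passphrase and, ideally, never to sit on a shared machine.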
Cisco
- Router
- BGP (TCP problem)
- Wireless access points
- PIX
- Stolen code for IOS
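The slide only says "BGP (TCP problem)"; my reading is the spring-2004 spoofed TCP reset issue, in which a RST is honoured if its sequence number lands anywhere inside the receive window, so an attacker who knows both endpoints and ports of a long-lived BGP session can brute-force it in a few hundred thousand packets. The block below is an added model of that arithmetic, not code from the talk or from any vendor; the two acceptance rules, the blind-attacker loop and the constructed connection state are mine.

```python
"""Model of the TCP weakness behind the 'BGP (TCP problem)' item: a RST is
accepted if SEG.SEQ falls anywhere in the receive window, so the attacker's cost
is 2^32 / window rather than 2^32. Added example; functions and state are mine."""
SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic acceptance test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_strict(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Hardened test (the rule later standardized in RFC 5961): only the exact
    next sequence number resets; an in-window but inexact RST is answered with
    a challenge ACK instead, which a blind attacker never sees."""
    return seq == rcv_nxt


def guesses_to_reset(rcv_nxt: int, rcv_wnd: int) -> int:
    """Blind attacker against the window rule: send RSTs with SEQ = 0, wnd, 2*wnd, ...
    until one is accepted. Returns how many segments that took; the target's
    RCV.NXT is unknown to the attacker, only the window size is assumed."""
    sent = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if in_window(seq, rcv_nxt, rcv_wnd):
            return sent
    return sent


def worst_case_segments(rcv_wnd: int, strict: bool = False) -> int:
    """Segments needed to cover the whole sequence space: ceil(2^32 / window)
    under the window rule, 2^32 under the strict rule."""
    return SEQ_SPACE if strict else -(-SEQ_SPACE // rcv_wnd)


if __name__ == "__main__":
    # Constructed state for a BGP session with a 16 KiB receive window.
    print(guesses_to_reset(123456789, 16384), worst_case_segments(16384),
          worst_case_segments(16384, strict=True))
```

Two things follow from the numbers. Bigger windows make the window rule cheaper to attack, not harder, and the strict rule alone does not help BGP peers whose sessions must survive for months; the mitigation the vendors pointed to was the TCP MD5 signature option (RFC 2385), which makes a spoofed segment fail authentication regardless of its sequence number, plus ingress filtering so the spoofed source cannot enter the network.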
Security Software
- Checkpoint
- BlackICE
- ZoneAlarm
- ISS RealSecure (IDS)
- tcpdump / Ethereal
- Norton Anti-Virus
- PIX
Macintosh
- USB keyboard: ^C gives local root
- Apple File Server buffer overflow
- QuickTime buffer overflow
- URL processing in the Terminal app
- Safari: Help system buffer overflow
- Volume URI handler registration (no fix)
Other Software
- Grid: Slashdot & 2600
- IM software: AIM & Yahoo Messenger
- CVS
- RealPlayer
- WinZip
- Web HP JetAdmin
- Acrobat Reader 5.1
- DameWare & Serv-U
DameWare
How I spent my Christmas vacation
DameWare (2)
- Over 13 different warez kits installed
- 30 compromised machines, half used for scanning other systems
- FTP speed tests were run to measure suitability for storing warez
- Serv-U FTP and Radmin installed at random port numbers
- Look at Hacker Defender: a rootkit for Windows, available in source to avoid AV scanners
- Evils of HTML
  - It's big & it hides bad stuff
- Phishing scams
  - Citibank, eBay, PayPal
- Outlook 2003 setting (registry for Outlook XP)
- didtheyreadit.com
Outlook 2003
[Screenshot: Tools -> Options -> Preferences]
didtheyreadit.com
- E-mail tracking using a transparent GIF image
- Not clear how they track time open
- Follows forwarding of the e-mail
- Technically easily defeated
  - but most don't know how
Final Thoughts
- Attacks coming faster; attackers getting smarter
- Complex attacks using multiple vulnerabilities
- No simple solution works
  - Patching helps
  - Firewalls help
  - AV & attachment removal help
  - Encrypted passwords/tunnels help
- You can't be secure; only more secure
- We must share information better
  - HEPiX Security list: do we need a PGP-encrypted remailer?