1 Computer Security Update
Bob Cowles, SLAC (bob.cowles @ stanford.edu)
Presented at RAL, 09 Dec 2002
Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

2 Areas
(slide footer: 09 December 2002, RAL – Bob Cowles – SLAC)
- Solaris
- Cisco
- Linux
- IIS
- Internet Explorer
- Windows
- Web Applications
- Misc
- Virus & Worm
- Conclusions
- News

3 Solaris
- ssh & OpenSSH
- in.talkd
- cachefsd
- xdr_array buffer overflow (affects OpenAFS too)
- ttdbserver
- TTYPROMPT
- Java
- priocntl
- XFS

4 Cisco et al
- ssh
- Aironet wireless APs (telnet)
- ntp daemon
- httpd
- default passwords
- DSL router vulnerabilities

5 Linux
- wu-ftp
- glibc
- ssh & OpenSSH
- glibc (reboot required)
- Bugzilla
- OpenSSL
- TCPDUMP and libpcap
- Mozilla 1.2
- KDE

6 Apache
- Transfer chunking
- mod_ssl off-by-one
- shared memory scoreboard
- scripting

7 IIS
- Cookie handling error (cross domains)
- .htr heap overflow
- Office Web components
- SmartHTML interpreter
- .htr transfer chunking
- XSS vulnerabilities
- MDAC

8 Internet Explorer
- file name spoofing
- VBScript read local files
- jpeg scripting
- Gopher protocol error
- SSL cert checking error (Outlook, too)
- Cached objects
- MDAC

9 Windows
- MS SQL Server & Media Player
- XMLHTTP
- JVM
- Debugger
- MS Office document grabbing
- Network Connection Manager
- Windows XP SP1

10 Web Applications (little progress)
- OS command or SQL injection through form fields & URL parameters
- File traversal ("../") in file uploads
- Leaving inappropriate permissions on folders
- Errors that reveal source code & passwords
- Failure to perform validation of ALL input
- Using non-expiring cookies for login
- Cross Site Scripting (XSS)
- Depending on client-side security
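The first, second and sixth items on this slide, as an added example that is not code from the talk: each vulnerable handler beside its hardened form, in Python (the slide names no language). The user table, the upload directory /var/www/uploads, the session lifetime and the in-memory session store are constructed for illustration.

```python
"""Vulnerable-versus-hardened handlers for three items on the slide:
SQL injection from form fields, "../" traversal in upload file names, and
non-expiring login cookies. Added illustration, not code from the talk;
the user table, upload directory and session store are constructed."""
import os
import re
import secrets
import sqlite3

UPLOAD_DIR = "/var/www/uploads"   # assumed location of the upload folder
SESSION_TTL = 1800                # assumed login lifetime in seconds


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; a real app would store password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


# --- SQL injection via a login form ---------------------------------------

def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Splices the form fields into the statement: password "' OR '1'='1"
    turns the WHERE clause into a tautology and logs in without a secret."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    return db.execute(sql).fetchone()[0] > 0


def login_hardened(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Bound parameters: the values never reach the SQL parser as text."""
    row = db.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (user, password)).fetchone()
    return row[0] > 0


# --- "../" traversal in uploaded file names --------------------------------

SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def upload_path_vulnerable(filename: str) -> str:
    """Trusts the client-supplied name; os.path.join keeps any '..' and even
    discards UPLOAD_DIR entirely when the name is absolute."""
    return os.path.join(UPLOAD_DIR, filename)


def upload_path_hardened(filename: str) -> str:
    """Allow-list the name, then confirm the resolved path is still inside
    UPLOAD_DIR; anything else is rejected rather than silently 'cleaned'."""
    if "/" in filename or "\\" in filename or ".." in filename:
        raise ValueError("path separator or '..' in upload name: %r" % filename)
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("upload name outside allow-list: %r" % filename)
    full = os.path.realpath(os.path.join(UPLOAD_DIR, filename))
    if os.path.dirname(full) != os.path.realpath(UPLOAD_DIR):
        raise ValueError("resolved path escapes %s: %s" % (UPLOAD_DIR, full))
    return full


# --- Expiring login sessions ----------------------------------------------

_sessions: dict = {}   # session id -> (user, expiry time); constructed store


def issue_session(user: str, now: float, ttl: int = SESSION_TTL) -> str:
    """Random session id with a server-side expiry; the Set-Cookie header it
    belongs in should carry a matching Max-Age plus Secure and HttpOnly."""
    sid = secrets.token_hex(16)
    _sessions[sid] = (user, now + ttl)
    return sid


def set_cookie_header(sid: str, ttl: int = SESSION_TTL) -> str:
    """Cookie with a finite lifetime instead of one that never expires."""
    return "session=%s; Max-Age=%d; Path=/; Secure; HttpOnly" % (sid, ttl)


def session_user(sid: str, now: float):
    """Returns the user for a live session, or None. Expiry is enforced here,
    on the server, because a client can keep sending a cookie past Max-Age."""
    entry = _sessions.get(sid)
    if entry is None:
        return None
    user, expires = entry
    if now >= expires:
        del _sessions[sid]
        return None
    return user


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypass:", login_vulnerable(db, "alice", "' OR '1'='1"))
    print("hardened login bypass:  ", login_hardened(db, "alice", "' OR '1'='1"))
    print(upload_path_vulnerable("../../../etc/passwd"))
    try:
        upload_path_hardened("../../../etc/passwd")
    except ValueError as e:
        print("rejected:", e)
```

The hardened upload handler rejects rather than rewrites a bad name: stripping directory components from "../../etc/passwd" would quietly accept an upload that was clearly an attack, and you lose the log line that tells you someone is probing. The session check keeps expiry on the server because Max-Age only asks the browser to forget the cookie; nothing stops a client from replaying it.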

11 Misc
- Additional files indexed by Google
- AOL AIM & Yahoo Messenger
- snmp
- PGP buffer overflow
- zlib
- libbind resolver buffer overflow
- MIME send by reference (RFC 2046)
- TCP/IP ambiguity
- Realplayer
- bind
- out-of-office

12 Virus & Worm
- Magistr
- badtrans
- Goner
- Myparty: www.myparty.yahoo.com
- Frethem (your password)
- Klez
- Bugbear
- e-card spam
- Winevar (uses auto-opening of html attachments)

13 Conclusions
- Poor administration is still a major problem
- Firewalls cannot substitute for patches
- Multiple levels of virus/worm protection are necessary
- Clue is more important than open source

14 News
- OpenSSH trojaned: http://www.cert.org/advisories/CA-2002-24.html
- 20 things to make systems safe and secure: http://www.sans.org/top20/
- New PGP, incl. version 8.0 for Windows: http://www.pgp.com/beta80.php
- SMTP (Sendmail distribution) trojaned: http://www.cert.org/advisories/CA-2002-28.html
- Flash & Warhol worms: http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html
- Attack on root DNS servers: http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
- The Art of Deception by Kevin Mitnick
- Mind of the Miscreant: http://www.geocities.com/packetting/
- System maintenance is lacking: http://www.rtfm.com/upgrade.pdf
- MS ftp server reveals all: http://www.theregister.co.uk/content/55/28252.html
