Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 815 Network Security Lecture 19 Intruders April 1, 2003.

Published byAmberlynn Fox Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCE 815 Network Security Lecture 19 Intruders April 1, 2003."— Presentation transcript:

1 CSCE 815 Network Security Lecture 19 Intruders April 1, 2003

2 – 2 – CSCE 815 Sp 03 Security Software Installed on SUNs man crypt man –s 2 crypt, man –s 3 crypt both fail man –k crypt Generates pages Blowfish RSA DES OpenSSL EVP

3 – 3 – CSCE 815 Sp 03 OpenSSL on SUNs man des OpenSSL des(3) NAME des_random_key, des_set_key, des_key_sched, des_random_key, des_set_key, des_key_sched, des_set_key_checked, des_set_key_unchecked, des_set_key_checked, des_set_key_unchecked, des_set_odd_parity, des_is_weak_key, des_ecb_encrypt, des_set_odd_parity, des_is_weak_key, des_ecb_encrypt, des_ecb2_encrypt, des_ecb3_encrypt, des_ncbc_encrypt, des_ecb2_encrypt, des_ecb3_encrypt, des_ncbc_encrypt, des_cfb_encrypt, des_ofb_encrypt, des_pcbc_encrypt, des_cfb_encrypt, des_ofb_encrypt, des_pcbc_encrypt, des_cfb64_encrypt, des_ofb64_encrypt, des_xcbc_encrypt, des_cfb64_encrypt, des_ofb64_encrypt, des_xcbc_encrypt, des_ede2_cbc_encrypt, des_ede2_cfb64_encrypt, des_ede2_cbc_encrypt, des_ede2_cfb64_encrypt, des_ede2_ofb64_encrypt, des_ede3_cbc_encrypt, des_ede2_ofb64_encrypt, des_ede3_cbc_encrypt, des_ede3_cbcm_encrypt, des_ede3_cfb64_encrypt, des_ede3_cbcm_encrypt, des_ede3_cfb64_encrypt, des_ede3_ofb64_encrypt, des_read_password, des_ede3_ofb64_encrypt, des_read_password, des_read_2passwords, des_read_pw_string, des_cbc_cksum, des_read_2passwords, des_read_pw_string, des_cbc_cksum, des_quad_cksum, des_string_to_key, des_string_to_2keys, des_quad_cksum, des_string_to_key, des_string_to_2keys, des_fcrypt, des_crypt, des_enc_read, des_enc_write - DES des_fcrypt, des_crypt, des_enc_read, des_enc_write - DES encryption encryptionSYNOPSIS #include #include

4 – 4 – CSCE 815 Sp 03 Intruders Three classes of intruders (hackers or crackers): Masquerader Misfeasor Clandestine user

5 – 5 – CSCE 815 Sp 03 Intrusion Techniques System maintain a file that associates a password with each authorized user. Password file can be protected with: One-way encryption Access Control Brute Force attacks if you can get access to passwords Guess the password, encrypt and check How long would it take? Larger character set  more time Longer  more time

6 – 6 – CSCE 815 Sp 03 Password Guessing In 1978 16% of passwords (in one study) were 3 characters or less. In a more recent study login name, login name in reverse, and the two concatenated, would obtain access to 8 - 30% of the accounts on a typical system. In the CSE department what would you guess?

7 – 7 – CSCE 815 Sp 03 Klein’s Password Guessing Experiment Online article containing Table 9.4 -http://wks.uts.ohio- state.edu/sysadm_course/html/sysadm-528.html From 14,000 24% of passwords were cracked Klien Guessed  User name, initials, login 130 permutation of such were tried for each user  Dictionary 60,000 (man –k dictionary)  Various permutations of “step 2 words,” e.g., change “o” to “0”, …  Try capitalization permuations ftp://www-wls.acs.ohio- state.edu:/pub/security/Dan_Klein_password_security.ps.Z

8 – 8 – CSCE 815 Sp 03 Intrusion Techniques Techniques for guessing passwords: Try default passwords. Try all short words, 1 to 3 characters long. Try all the words in an electronic dictionary(60,000). Collect information about the user’s hobbies, family names, birthday, etc. Try user’s phone number, social security number, street address, etc. Try all license plate numbers (MUP103). Use a Trojan horse Tap the line between a remote user and the host system. Ideas? Prevention: Enforce good password selection (Ij4Gf4Se%f#)

9 – 9 – CSCE 815 Sp 03 UNIX Password Scheme Loading a new password

10 – 10 – CSCE 815 Sp 03 UNIX Password Scheme Verifying a password file

11 – 11 – CSCE 815 Sp 03 Storing UNIX Passwords UNIX passwords were kept in in a publicly readable file, etc/passwords. more /etc/passwd Format login-name:encrypted_password:uid:gid:Name:home:shell root:x:0:1:Super-User:/:/sbin/shdaemon:x:1:1::/:bin:x:2:2::/usr/bin:…nobody:x:60001:60001:Nobody:/: noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4.x Nobody:/: Commands finger, who, … use this info. But so could crackers Now they are kept in a “shadow” directory and only visible by “root”.

12 – 12 – CSCE 815 Sp 03 ”Salt” The salt serves three purposes: Prevents duplicate passwords. Effectively increases the length of the password. Prevents the use of hardware implementations of DES

13 – 13 – CSCE 815 Sp 03 Access Control /etc/password in old Unix was readable by everybody to support finger, who etc. This is a bad idea /etc/shadow readable only by root Setuid bit in permissions Bit set in permissions Process changes to owner of the file in execution For the passwd command, the owner is root, thus it changes to root and then can read /etc/shadow Getpwname – function that returns the password entry ? excluding password ?

14 – 14 – CSCE 815 Sp 03 Password Selecting Strategies User education Computer-generated passwords FIPS PUB 181 Reactive password checking Peridocially run a password cracker and shoot the violators Resource intensive Proactive password checking Allow the user to select but at the time of selection analyze the choice Enforcing Rules PINS can be no more than 4 decimal digits ?!! Must have at least x characters, from several standard sets, i.e., letters, digits, punctuation, uppercase, lowercase …

15 – 15 – CSCE 815 Sp 03 Password Selecting Strategies (cont) Build dictionary of bad passwords Problems: space and Time Two techniques for proactive password checking based on a rejection list:  Markov model for generation of guessable passwords [DAVI93]  Bloom Filters [Spaf92b]

16 – 16 – CSCE 815 Sp 03 Markov Model Figure 9.5 is simplified Markov model (next slide) Alphabet only three characters State is the identity of most recent character The value on the arc(transition) is the probability that one character follows another in the list Markov Model M = (m, A, T, k) M = number of states A = state space T = Transition matrix k = order of the model – for a k order model probability of making a transition depends on k previous characters

17 – 17 – CSCE 815 Sp 03 Markov Model

18 – 18 – CSCE 815 Sp 03 Markov Model Technique Details Markov Model M = (m, A, T, 2) note k = 2  2 nd order model M = ?? A Construction of transition Matrix T (next slide) Transforms “Is this a bad password?” to “was this password generated by the Markov model?” From a proposed new password generate trigrams and check frequencies then see how likely?

19 – 19 – CSCE 815 Sp 03 Transition Matrix Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij. Compute the entries of T as follows:

20 – 20 – CSCE 815 Sp 03 Spafford (Bloom Filter) where The following procedure is then applied to the dictionary: 1.A hash table of N bits is defined, with all bits initially set to 0. 2.For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1 3.If the bit is already set it remains set. Bloom filter consists of k independent hash functions

21 – 21 – CSCE 815 Sp 03 Spafford’s use of Bloom Filters (cont) When a new password is entered  the k hash values are computed  If all corresponding bits of the hash table are 1 the password is rejected Example: dictionary contains “undertaker” and “hulkhogan” by not “xG%#jj98” And suppose that H 1 (undertaker)= 25, H 1 (hulkhogan) = 83 H 2 (undertaker)= 917, H 2 (hulkhogan) = 432 And also that when “xG%#jj98” is entered we calculate H 1 (“xG%#jj98”)= 917, H 2 (“xG%#jj98”) = 432 The we reject “xG%#jj98” -- a false positive

22 – 22 – CSCE 815 Sp 03 Spafford (Bloom Filter) Design the hash scheme to minimize false positives. Why? Probability of false positive:

23 – 23 – CSCE 815 Sp 03 Performance of Bloom Filter

24 – 24 – CSCE 815 Sp 03 The Stages of a Network Intrusion 1. Scan the network to: locate which IP addresses are in use, locate which IP addresses are in use, what operating system is in use, what operating system is in use, what TCP or UDP ports are “open” (being listened to by Servers). what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. 24

25 – 25 – CSCE 815 Sp 03 Intrusion Detection The intruder can be identified and ejected from the system. An effective intrusion detection can prevent intrusions. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

26 – 26 – CSCE 815 Sp 03 Profiles of Behavior of Intruders and Authorized Users

27 – 27 – CSCE 815 Sp 03 Intrusion Detection Statistical anomaly detection Treshold detection Profile based Rule based detection Anomaly detection Penetration identidication

28 – 28 – CSCE 815 Sp 03 Measures used for Intrusion Detection Login frequency by day and time. Frequency of login at different locations. Time since last login. Password failures at login. Execution frequency. Execution denials. Read, write, create, delete frequency. Failure count for read, write, create and delete.

29 – 29 – CSCE 815 Sp 03 Distributed Intrusion Detection Developed at University of California at Davis

30 – 30 – CSCE 815 Sp 03 Distributed Intrusion Detection

31 – 31 – CSCE 815 Sp 03 Viruses and ”Malicious Programs” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”). Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

32 – 32 – CSCE 815 Sp 03 Taxanomy of Malicious Programs Need Host Program Independent TrapdoorsLogic Bombs Trojan Horses VirusesBacteriaWorms Malicious Programs

33 – 33 – CSCE 815 Sp 03 Definitions Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or CPU cycles. Payload - harmful things the malicious program does, after it has had time to spread. Worm - a program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses).

34 – 34 – CSCE 815 Sp 03 Definitions Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

35 – 35 – CSCE 815 Sp 03 Virus Phases Dormant phase - the virus is idle Propagation phase - the virus places an identical copy of itself into other programs Triggering phase – the virus is activated to perform the function for which it was intended Execution phase – the function is performed

36 – 36 – CSCE 815 Sp 03 Virus Protection Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses. Do not execute programs (or "macro's") from unknown sources (e.g., PS files, Hypercard files, MS Office documents, Avoid the most common operating systems and email programs, if possible.

37 – 37 – CSCE 815 Sp 03 Virus Structure

38 – 38 – CSCE 815 Sp 03 A Compression Virus

39 – 39 – CSCE 815 Sp 03 Types of Viruses Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs. Memory-resident Virus - Lodges in main memory as part of the residual operating system. Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses). Stealth Virus - explicitly designed to hide from Virus Scanning programs. Polymorphic Virus - mutates with every new host to prevent signature detection.

40 – 40 – CSCE 815 Sp 03 Macro Viruses Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File). Platform independent. Infect documents, delete files, generate email and edit letters.

41 – 41 – CSCE 815 Sp 03 Antivirus Approaches 1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes. 2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files). 4th Generation, Full Featured: combine the best of the techniques above.

42 – 42 – CSCE 815 Sp 03 Advanced Antivirus Techniques Generic Decryption (GD) CPU Emulator Virus Signature Scanner Emulation Control Module For how long should a GD scanner run each interpretation?

43 – 43 – CSCE 815 Sp 03 Advanced Antivirus Techniques

44 – 44 – CSCE 815 Sp 03 Recommended Reading and WEB Sites Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990 CERT Coordination Center (WEB Site) AntiVirus Online (IBM’s site)

Download ppt "CSCE 815 Network Security Lecture 19 Intruders April 1, 2003."

Similar presentations

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,

Computer Security Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Chapters 14 and 15 Operating Systems: Internals and Design Principles,
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Intruders.

1 Ola Flygt Växjö University, Sweden Intruders.
Computer Viruses.

Computer Viruses.
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Security Chapter 15. Computer and Network Security Requirements Confidentiality –Requires information in a computer system only be accessible for reading.

Security Chapter 15. Computer and Network Security Requirements Confidentiality –Requires information in a computer system only be accessible for reading.
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Henric Johnson1 Intruders and Viruses Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Intruders and Viruses Henric Johnson Blekinge Institute of Technology, Sweden
After this session, you should be able to:

After this session, you should be able to:
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.

CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.
Week 5 IBS 520 Computer and Online Security. Cybercrime Online or Internet- based illegal acts What is a computer security risk? Computer crime Any illegal.

Week 5 IBS 520 Computer and Online Security. Cybercrime Online or Internet- based illegal acts What is a computer security risk? Computer crime Any illegal.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 Malicious Software.

1 Ola Flygt Växjö University, Sweden Malicious Software.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.

Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.

Similar presentations

Ads by Google