
Part 2: Attacks and Countermeasures (presentation transcript)


Slide 1: Part 2: Attacks and Countermeasures
- Vulnerabilities
- System Attacks
  - Virus, Trojan, Worm
  - Buffer overflow
  - Rootkit
  - Zombies
  - Web based attacks
- Network Attacks
  - Eavesdropping
  - Man-in-the-middle
  - Denial of service
  - Authentication attacks
  - Pharming, RATS
- Social Engineering Attacks

Slide 2: The Attackers
- Script kiddies
- Hackers
- Would-be hackers
- Crackers
- Industrial espionage
- Elite Blackhat
  - A whitehat attacks too, but for the purpose of securing systems

Slide 3: Vulnerabilities
- Vulnerabilities are weak spots
  - Hard to spot, hard to predict
- Can exist in any complex system
- Human vulnerabilities:
  - Greed, friendship, attraction, guilt... and much more
- System infrastructure vulnerabilities
  - "Processes have holes", "laws have loopholes"
- Software vulnerabilities
  - Bad code, bad design, unforeseen problems
- Hardware vulnerabilities
  - Failures, faulty design

Slide 4: Vulnerability Origins
- Too many to reason about
- "Bad design"
- Use of shared secrets
- Humans do not comprehend large systems
  - Permutation is not what we do best
- A set of ways to do things + some thinking on the part of a miscreant...
  - The Windows Vista Audio Attack

Slide 5: Examples
- Coke machine hack
  - http://youtube.com/watch?v=TBgHH8ZmB_s
- ATM hack
  - The video disappeared
  - "Security via obscurity"
- SQL Injection
  - http://youtube.com/watch?v=MJNJjh4jORY
- WiFi range extender?
  - http://youtube.com/watch?v=LY8Wi7XRXCA

Slide 6: More Problems
- Lack of transparency to humans
  - Windows registry
- Feature creep
- Lack of adequate "idiot proofing"
  - Counterintuitive?
- Ease of use is paramount
  - Now we know, but it's too late.
- Lack of end-user understanding of vulnerable operations and situations

Slide 7: Malware
- "Malware" is just one problem, but a major problem
- How does it work?
- How does it get there?
- What can it do?
- The OS is supposed to prevent such external attacks
  - Does not work
  - Not in our lifetimes will these problems get fixed

Slide 8: Virus-Trojans-Worms
- "Malware": software that causes harm
  - All software is capable of causing harm
- Can perform any computation on a computer
- Can reproduce
- BUT: how did it get to the host machine?
- Easy methods:
  - Social engineering
  - Trojans
- Harder methods:
  - Vulnerability exploits
  - Buffer overflows

Slide 9: The Ultimate Trojan
- "Reflections on Trusting Trust" -- Ken Thompson, Turing Award Lecture 1984
- How to break into Unix?
- Write a custom "login" program
- Write a custom compiler
- Write an even more custom compiler
- Now the goose is cooked
- A trojan that lives forever and can never be disabled?

Slide 10: Nothing can be trusted
- From login programs to compilers to bootstraps, maybe extending to microcode

  "The moral is obvious. You can't trust code that you did not totally create yourself....
  "No amount of source-level verification or scrutiny will protect you from using untrusted code.....
  "A well installed microcode bug will be almost impossible to detect...."
  -- Ken Thompson

- Since 1984, we know "software cannot be trusted".
  - Yet we do!

Slide 11: Trusted Software
- We have to trust software
  - No choice
- We have to acquire software from "reliable sources"
  - Insider attacks happen
- We have to check the software regularly
  - Virus detectors are not the answer
- All software has "vulnerabilities"
  - Operating systems, applications, servers, compilers and so on
- Vulnerabilities can be exploited by attackers
  - "Buffer overflow" is the major attack; there are many more

Slide 12: Buffer Overflow
- Reading input data causes overwriting of some data already on the system
  - Stack smashing
  - Heap smashing
  - Data changing
  - Calling existing routines with different parameters
- Can be triggered from network communications or from a data file
- Result: easy to install viruses without intervention from the user.

Slide 13: Details of Buffer Overflow

The slide's pseudocode, rendered as C: n is read from the input and then n values are stored into a[], with no check against the array's size of 3.

    #include <stdio.h>

    void foo(void) {
        int a[3];
        int n, i = 0;
        scanf("%d", &n);            /* read n */
        while (i < n) {             /* do n times */
            scanf("%d", &a[i]);     /* read(a[i]); any i >= 3 writes past the array */
            i++;
        }
    }

Stack layout shown on the slide (higher addresses at the top): the saved return address sits just beyond the array, so the write to a[3] lands on it.

    Return address
    a[2]
    a[1]
    a[0]

Slide 14: What is vulnerable to Buffer Overflow?
- Network connections
- Structured files
- User inputs
- Scripts
- All software contains vulnerabilities (they just have not been discovered yet)

Slide 15: After a Buffer Overflow...
- Goal is to install a virus
- Buffer overflow allows:
  1. an attacker to introduce malicious code into a process, OR
  2. an attacker to call an existing routine in the application process with doctored arguments
- It is a powerful technique to start the compromise of a computer process

Slide 16: Rootkits, the Grand Finale
- Buffer overflows open the door; the real deal is the "rootkit".
- Operating system patch
- Hides all evidence of the compromise
- Impossible to detect from within the system
  - Need external detectors
- Can be designed to be very difficult, if not impossible, to clean up
- Reinstall is the only sure way to stop a rootkit

Slide 17: What can rootkits do?
- Run any software as "root" or administrator
- Update itself as well as implant newer attacks later
- "Very stealthy"
- Install keyboard sniffers
- Access any data stored on the computer
  - If the data is encrypted, the rootkit can find where the key is located

Slide 18: Zombies
- A virus
- A process that listens to commands from "home"
- Can download other programs
- Can start attacks on other systems
- Can do spamming without being easily detected
- Advantage: upgradeable, reprogrammable!

Slide 19: Sniffers
- Record keystrokes typed by a user
- Can see all data entered by a user, including secret data
  - Passwords, credit card numbers, personal information
  - Can see data that is encrypted (as it can access it before encryption, or after decryption)
- Would you use a computer that does not belong to you?

Slide 20: Web Attacks
- A variant of the buffer overflow and virus attack
- Use web software to attack a browser
- Utilize vulnerabilities in a browser
  - JavaScript vulnerabilities
  - ActiveX vulnerabilities
  - Install "browser helper objects"
  - Can be hidden in web popups
- Often used to install
  - Adware
  - Spyware
- Web beacons
  - Single-pixel images that detect a user reading a web page (or email, or any HTML content)

Slide 21: Cross Site Scripting
- Fun with JavaScript, browsers and servers
- Type 0
  - Run a script on the user's machine when visiting a malicious site. The local script has higher privileges
- Type 1
  - Inject a client-side script into a server. A crafted URL followed while logged into a good site can make the good site do what the attacker wants
- Type 2
  - A message board contains crafted URLs that can send cookies to the attacker
- Many attacks, including the recent Gmail attack, were done via XSS
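The slide's Type 1 case, a crafted URL whose parameter a trusted site echoes back into its page (today called reflected XSS), shown beside the defender's fix of output encoding. This is an added example, not code from the slides; the site name, the parameter name and the harmless marker script are constructed.

```python
"""Reflected XSS (the slide's "Type 1") and its output-encoding fix.
Added example, not from the slides; site, parameter and payload are constructed."""
import html
from urllib.parse import parse_qs, urlparse

# Constructed crafted URL: the q parameter carries HTML markup, URL-encoded.
SAMPLE_URL = ("https://good-site.example/search"
              "?q=%3Cscript%3E/*injected*/%3C/script%3E")

def query_param(url, name):
    """Return one query-string parameter as the server would decode it ("" if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]

def render_unsafe(q):
    """Vulnerable page: the parameter is interpolated straight into HTML,
    so a <script> tag in the URL becomes a live script tag in the response."""
    return "<h1>Results for: " + q + "</h1>"

def render_safe(q):
    """Hardened page: output encoding turns <, >, &, ' and " into entities,
    so the browser displays the attacker's text instead of executing it."""
    return "<h1>Results for: " + html.escape(q, quote=True) + "</h1>"

def has_live_script(page):
    """Demo check: does the response contain an un-encoded <script tag?"""
    return "<script" in page.lower()
```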

Slide 22: Gmail Attack [from a blog]

Haochi Chen discovered what looks like a Gmail XSS (cross-site scripting) security problem. Using a small piece of JavaScript you can put on any server, the user's contact names & email addresses are revealed (provided you're logged in to your Google account). I was able to reproduce this using Firefox, and an updated version of the original snippet. With Haochi's code, a malicious website would be able to grab your contact list and transmit it to their server behind the scenes, storing this data for other purposes – like spamming, or finding out more about you. If you're worried about this Google vulnerability, the best thing until it's fixed is to only visit sites you know and trust, or to turn off your browser's JavaScript, or to log out of Gmail.

Slide 23: Password Attacks
- Find password by brute force, or by guessing, or by dictionary attacks
- Hardly ever used any more; even simple passwords are hard to crack!
  - So many easier ways, why bother!
- Phishing is hard? Phishing is easy?
  - Sniffing too

Slide 24: Network Eavesdropping
- Ethernet and broadcast networks
  - "Promiscuous mode"
  - Get every packet
  - Password sniffing
  - MAC sniffing
  - WEP cracking
- Network eavesdropping can lead to loss of privacy if data is being sent unencrypted
  - Not a common attack

Slide 25: Man in the Middle
- Insert a malicious relay between sender and receiver of a network connection
- Change data packets, or replay them
  - Need to sniff and then inject
  - Or need to establish two connections (redirect traffic)
- Causes confusion
- Gain information, use authentication surreptitiously
- Not effective against modern cryptographic protocols (encryption and digital signatures)

Slide 26: Denial of Service
- Flood the network with fake traffic
- Overwhelm servers with large numbers of queries
- Distributed DoS uses zombies
  - Very difficult to contain
- Attacking the network stack
  - Use malformed packets to cause TCP/IP software to block or crash
- Does not cause any loss of privacy, or system compromise

Slide 27: Authentication Attacks
- Steal authentication information
  - Phishing is the most common method
  - Man in the middle and eavesdropping can do it too
- Steal keys and other shared secrets
  - Physical theft
  - Viruses
  - Brute force (for bad cryptographic algorithms)

Slide 28: Pharming
- Corrupt a DNS server
  - Man in the middle
  - System attack
- A host translates a DNS name to an attacker's IP address
  - E.g. "mybank.com" leads to a hacker site, set up to look like the mybank.com site
- Then a standard phishing attack can be performed on the user name and password

Slide 29: RATS
- Remote Access Trojans
- New! Improved!! More efficient!!!

These new remote-access Trojans are designed specifically to lurk in the background, waiting until the unsuspecting user types the name of a well-known bank into a Web browser. Then, the program springs into action, copying every keystroke. The data is sent back to the criminal, who now can raid the online bank.

Slide 30: Social Engineering
- Phishing, via spam or web sites
- Sending pictures or other interesting things, with compelling reasons to "open it"
- Downloading interesting programs that carry Trojans
- Giving up personal information to baits of various kinds
- If we figure out all the tricks, more will be invented

Slide 31: Countermeasures
- Patches and security fixes
- Virus scanners
- Intrusion detectors / firewalls
- Integrity checking and virtual machines
- Cryptography
  - Digital signatures and PKI systems
- Smartcards / RFID
- Awareness and education
- Out-of-band notifications
- Simple yet effective (vs. complex and breakable)
- Proper administration, configuration

Slide 32: Patches and Fixes
- Software updates
  - To fix buffer overflow and similar attacks
  - Doublespeak: "attacker can gain complete control over a computer."
  - Also fixes bugs and other vulnerabilities
  - "Hardens" software
- Updates can be dangerous
  - Introduce more bugs and vulnerabilities
  - Can be fake
  - Target for attackers who distribute malicious patches

Slide 33: Password Managers
- Stop users from using the same user-id and password everywhere
- Create strong passwords
- Sometimes a pain to use
- Password managers built into browsers: not a good idea
- Have to transport data between computers if using multiple computers (or run from a USB stick)
- Master password can be sniffed

Slide 34: Virus Scanners
- Everyone should have them installed
  - Even though they are ineffective?
  - Slow down performance
- Use black lists
- Polymorphism and other techniques are used by viruses to avoid detection
- Can be disabled or tampered with
- Problems with DLLs, browser objects, ActiveX, registry hacks, cookies
- Adware different from spyware and viruses
  - Not true
- A patch that works for now

Slide 35: Firewalls
- Software and hardware firewalls
- "Network Address Translation"
- Incoming filter is needed
- Outgoing filter is effective but irritating
- Software firewalls can be defeated
  - Hardware firewalls are incoming only

Slide 36: Intrusion Detection Systems
- A set of layered network-wide services for large computer installations
  - May just be a firewall
- Typical configurations have
  - DMZ and honeypots
  - Bastion hosts
  - Signature-based detection
  - Monitoring and logging
- Attacks possible
  - Polymorphic attacks
  - Noise-camouflaged attacks

Slide 37: Virtual Private Networks
- An authenticated, encrypted tunnel between a client and a host on a secure network
- Not popular, but effective
- Reverse attacks are possible
  - If the host is on an open network, the client does not have firewall protection
- Corporate users are required to use VPNs

Slide 38: File Integrity Checkers
- Scan each "clean" file and store a signature (or hash)
- Compare files to stored hashes whenever they are used
- Easy to bypass, or to store the hash after file corruption occurs
- Hash storage prone to attack
- Sometimes irritating to use
- A virus can fake user input and fool the integrity checker
- E.g. Tripwire
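A Tripwire-style checker that addresses the slide's "hash storage prone to attack" point: an intruder who can alter files can also overwrite plain stored hashes, so this baseline uses keyed HMAC tags and seals the database itself, making both file changes and edits to the stored tags detectable without the key. Added example, not the slides' or Tripwire's own code; the file names, contents and key are constructed for the demo.

```python
"""Tripwire-style integrity baseline with keyed (HMAC-SHA256) tags.
Added example, not from the slides or Tripwire; files, contents and key are constructed."""
import hashlib, hmac, json, os, tempfile

def file_tag(path, key):
    """Keyed digest (HMAC-SHA256, hex) of a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def seal_baseline(paths, key):
    """Tag each 'clean' file, then append a MAC over the serialized database."""
    body = json.dumps({p: file_tag(p, key) for p in paths}, sort_keys=True)
    return body + "\n" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(sealed, key):
    """Map each baselined path to 'ok', 'modified' or 'missing'.
    Raises ValueError if the database itself fails its MAC (tags were edited)."""
    body, _, stored = sealed.rpartition("\n")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(stored, expected):
        raise ValueError("baseline database tampered")
    status = {}
    for path, tag in json.loads(body).items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif hmac.compare_digest(file_tag(path, key), tag):
            status[path] = "ok"
        else:
            status[path] = "modified"
    return status

def demo():
    """Constructed scenario: baseline two files, alter one, then edit the DB's MAC."""
    key = b"constructed-demo-key"   # a real deployment keeps the key off the host
    d = tempfile.mkdtemp()
    passwd, login = os.path.join(d, "passwd"), os.path.join(d, "login")
    with open(passwd, "w") as f: f.write("root:x:0:0\n")
    with open(login, "w") as f: f.write("clean login binary\n")
    sealed = seal_baseline([passwd, login], key)
    before = verify(sealed, key)[login]
    with open(login, "a") as f: f.write("trojaned\n")   # file altered after baseline
    after = verify(sealed, key)[login]
    flipped = sealed[:-1] + ("0" if sealed[-1] != "0" else "1")  # corrupt one MAC digit
    try:
        verify(flipped, key)
        db_detected = False
    except ValueError:
        db_detected = True
    return before, after, db_detected
```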

Slide 39: Single Sign-on Systems
- Sign on to a secure server and your credential will be forwarded to any site you need to sign on to
- Most implementations are flawed
- Need too much private information (or shared secrets) to float around
- Kerberos is probably one of the best, but difficult to administer
- Microsoft Passport and Liberty Alliance have products that are struggling (or dead)
- Certificate-based systems would be much better

Slide 40: Sandboxing
- Running applications with limited privileges
- System calls from sandboxed applications can only access some "harmless" functions and can cause no damage
- The above statement is largely untrue
- Sandboxed applications may be able to
  - Fool the user
  - Send network packets, or spam
  - Run more sandboxed applications
  - Denial of service

Slide 41: Virtual Machine Monitors
- The ultimate sandbox
- Multiple copies of the operating system run on the same machine (guest operating systems)
- The core of the system is the "Virtual Machine Monitor"
- Everything is totally separate; each OS has a different file system and a different network address
- Isolation can be perfect, but isolation is not security
- VMM-based integrity checking has much promise

Slide 42: Cryptography
- Cryptography has a treasure chest of algorithms and protocols for handling security (of computation and data)
  - (Cryptographically secure) random numbers
  - (One-way) hash functions
  - Symmetric encryption (e.g. DES, AES, IDEA)
  - Asymmetric encryption (RSA, Rabin, ECC)
- Cryptography, if properly implemented, can provide high degrees of data security and reliable authentication
  - Without using shared secrets
  - "IF" keys are kept secret
  - Prone to viral attacks

Slide 43: PKI Systems
- PKI = Public Key Infrastructure
  - A set of protocols that use asymmetric encryption and hashing
  - Authentication systems
  - Digital signatures for non-repudiable transactions
  - Digital certificates for secure authentication
- PKI-based authentication stops the phishing problem and the password leakage problem
- Keyboard sniffers are not always effective against PKI systems
- Microsoft CardSpace seems to be the first "consumer"-targeted PKI-based identity management system
- PKI-based smartcards are the best implementation
  - Not yet being deployed

Slide 44: Smartcards
- Smartcard =
  - Stored secrets
  - Compute engine
  - Communication path
  - Non-tamperable
- Most smartcards are not very smart
  - Stored value cards, shared-secret challenge-response cards, GSM SIM cards
- PKI-based smartcards provide an excellent authentication solution
  - DoD CAC
  - Belgian ID card secrets processor

Slide 45: RFID cards
- More common, less secure
- Contactless: accessible via radio waves
- Can be read at large distances with expensive equipment
- Prone to the tracking vulnerability
- Many attacks against RFID passports discovered
- Challenge-response RFID cards are better
  - The current crop is tainted with bad algorithms
  - Stops cloning, but does not stop stealing
  - Room for improvement

Slide 46: Out of band communications
- A simple and yet powerful technique
- Many scenarios possible, for example:
  - Make a web transaction that involves a credit card payment
  - An automated phone call is received
  - Confirm PIN using the phone keypad
  - Confirm amount
  - Must be resilient against fake phone calls
- Very hard for an attacker to compromise credit card and cellphone and phone PIN

Slide 47: Simple is Effective
- Complex is breakable
- All complicated solutions have vulnerabilities and features that can be exploited
  - Think of a complex piece of software....
    - Web browser
    - Microsoft Office
    - Outlook
    - Many more examples
- We need simple solutions
  - Easy to understand
  - Easy to detect anomalous behavior

Slide 48: Awareness and Education
- Education is the answer to many problems, but
- Cannot educate the masses effectively
  - Computing and network infrastructure has very deep penetration
  - Consumers are getting educated, but more keep coming online
- Learn by experience?
  - Bad idea
- Smart people protect themselves
  - ...but the others create problems for everyone

Slide 49: Administration and Configuration
- Out-of-the-box configurations of systems and gadgets are vulnerable
  - Default passwords
  - Security features disabled
- "Proper configuration" is of paramount importance
  - e.g. 500 mile email radius
  - How? Very few smart administrators seem to know
  - Obscurity is used to defeat attackers (in a way, a bad idea)
- Checklist for organizational systems:
  - Security policy of your organization
  - Host system security
  - Auditing
  - Router security
  - Firewalls
  - Intrusion detection systems
  - Incident response plan

