01 threat

Information about 01 threat

Published on November 19, 2007

Author: Breezy

Source: authorstream.com

The threat we face

What is security?
- We want computers to:
  - Do what they are supposed to do
  - When we want them to do it
  - With restrictions on who can read/modify data/programs
- Schneier: "enforcing a policy that describes rules for accessing resources"
- Security can be measured by compliance with that policy

Computers and crime
- Computers are often involved in crime in one of two ways:
  - They can be used as an "agent" of a crime
  - They can be the "victim" of a crime

Computers used as an agent of the crime
- Communication about drug deals, murder
- Exchange of copyrighted material
- Sharing, storing child porn
- Identity theft
- Harassment, death threats
- Fraud

Computers as the victim of the crime
- Destruction of data
- Programs subverted, replaced
- "Malware" installed
- Denial of service attacks
- To compromise other computers
- Share files
- Hide tracks

Who would do this?
- Someone who is out to get you
  - Disgruntled employee
  - Disgruntled patron
- Someone who is after something you have
- "Miscreants"
  - "Random acts of violence"
  - Might not be targeting you
  - Most attacks are like muggings: wrong place and time

Who would do this? (continued)
- Activists ("hacktivists")
- Espionage
- Terrorists

Hackers/crackers?
- Hackers traditionally were *not* crooks
  - Originally meant someone who is skilled, clever
  - "Taken over" by the popular press
- Some use "crackers" (myself included at times)
  - This can be confusing
- Miscreant is a pretty descriptive term

Why do they do this?
- Curiosity, "learning"
- Computer underground "economy"
- A means to an end (file sharing, warez sites)
- Hacktivism (web defacements, denial of service attacks)

A little about the miscreants...
- There's a small number of "clueful" people
  - They write most of the exploit scripts, rootkits and backdoors
  - These tools are "enabling technologies"
- There's a larger number of potential miscreants
  - They couldn't commit these attacks w/o the tools
  - The tools are *easy* to use

How do they do this?
- Scan for computers, services, vulnerabilities
- Gather information (accounts, operating system, software)
- Exploit vulnerabilities to gain access (or leverage access)
- Install back doors, possibly rootkits
- Use the computers for [fill in the blank]

Scanning
- Host
  - There are typically many unused addresses
  - Which ones have computers listening on them?
- Ports
  - Determine which network services each computer runs
  - May only be interested in specific services (e.g. IIS)

Information Gathering
- O/S fingerprinting
  - Typically done through TCP/IP stack "fingerprinting"
- Banner grabbing
  - Helps determine software type, version
- Account enumeration
  - Through null sessions, finger, whois, ldap, mailing lists, etc.
Exploits
- Typically automated
- May try multiple exploits
- Exploits take advantage of bugs, misconfigured systems, human error, design flaws to give the intruder access

Exploits (continued)
- Bugs (buffer overflows, race conditions)
- Misconfigured systems (no admin password)
- Human gullibility (many viruses)
- Design flaws (other viruses, attacks against weak passwords)

Exploits (continued)
- Most common exploits have patches (or workarounds) available
- Most people don't install patches
- 0-day exploits are new, unknown, typically no patches available

Exploits (continued)
- The exploit often installs a simple backdoor
  - Root shell via inetd on TCP/1524 on Unix
  - Dameware on Windows
- Intruder may scan for the backdoor to find successfully compromised systems
  - In some cases (Netbus or Back Orifice installed via email) the intruder needs to search for the infected computers
  - In other cases the backdoor "phones home" (Nethief)

Backdoors
- On success, intruder will often use the simple backdoor to gain access to the system and:
  - Install a better backdoor
  - Install a rootkit
  - Clean up traces of their intrusion on the system
  - Remove services or install patches to keep others from gaining access

Backdoors (continued)
- These vary in sophistication
- Simple:
  - Root shell on special TCP port
  - Extra ssh on a special port
  - Cmd.exe copied to a new location in the web tree

Backdoors (continued)
- Complex:
  - Back Orifice, Netbus
  - DDOS agents
  - Botnets
  - Nethief
  - Seteri

Case study: Nethief
- Attacker creates a special "agent" with the console, infects one or more victims with it.
- Console updates a web site with its current IP address (encrypted)
- Agents check the web site once a minute, send "here I am" traffic to console on udp/8102

Case study: Nethief (continued)
- Console displays list of agents
- Attacker picks an agent, console puts instructions for that agent on the web
- Agent gets instructions, contacts console on TCP/80
- Console now has access to all files (read, write, delete, create, execute...)
- Greenstuffsoft.com (warning: Chinese)

Rootkits
- Set of tools that the intruder installs on the system when it has been successfully compromised
- Typically includes backdoor, install scripts, tools for breaking into other systems, tools for hiding their tracks

Rootkits - Hiding
- Replacements for common applications
  - ps modified to not show certain processes
  - netstat modified to not show certain network connections
  - ls, du, find modified to not show certain files
  - etc.
- Kernel modules
- If the O/S doesn't report X, there's little that you can do except image the disk and analyze it

Normal Software Hierarchy
[Diagram of the software hierarchy: Operating System (kernel), Kernel modules, Dynamic Libraries, Statically Linked Programs, Dynamically Linked Programs]

Compromised Hierarchy
[Same software hierarchy diagram]
- Intruder replaces "good" programs with "bad" copies intended to hide their activity or provide a back door.
- E.g. ls, find, du might hide directories, ps might hide some processes, netstat might hide network activity, login might allow root access with a special password

Compromised Hierarchy (continued)
[Same software hierarchy diagram]
- Intruder installs a new kernel module that changes how the system behaves.
- This affects ALL programs running on the system.
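The "Rootkits - Hiding" slides above make the point that once ps, netstat or the kernel itself have been replaced, the host can no longer be trusted to report on itself. The deck's answer, on the "Response to kernel rootkits" slide that follows, is log reconciliation: compare the host's own logs against an external source such as network traffic logs and look for differences, the example given being a telnet connection seen on the network with no matching login session on the host. The Python script below is an added example of that comparison and is not part of the original presentation; the two log formats, the 60-second matching window and every log line are constructed for the example (RFC 5737 documentation addresses, no real hosts).

```python
"""Log reconciliation: compare an external view with the host's own view.

Added example, not from the original slides. A network sensor's flow records
(external view) are matched against the host's login records (host view). A
telnet connection that the network saw but that produced no login session on
the host within a short window is something to investigate: on a rootkitted
host the login may simply have been hidden.

All log lines and both log formats are constructed for this example; they are
assumptions, not the output of any particular product.
"""
from datetime import datetime, timedelta

# Constructed flow records from an external network sensor:
# date time source-IP destination-IP destination-port
NETWORK_LOG = """\
2007-11-19 02:14:05 192.0.2.45 198.51.100.10 23
2007-11-19 02:31:40 192.0.2.77 198.51.100.10 23
2007-11-19 02:40:00 192.0.2.77 198.51.100.10 80
2007-11-19 03:02:11 203.0.113.9 198.51.100.10 23
"""

# Constructed host login records (wtmp/auth-log style):
# date time user source-IP service
HOST_LOG = """\
2007-11-19 02:14:07 alice 192.0.2.45 telnet
2007-11-19 03:02:14 bob 203.0.113.9 telnet
"""

TELNET_PORT = 23
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_network_log(text):
    """Parse the constructed flow format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", TIME_FORMAT),
                       "src": src, "dst": dst, "port": int(port)})
    return events


def parse_host_log(text):
    """Parse the constructed host login format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, src, service = line.split()
        events.append({"ts": datetime.strptime(f"{date} {time}", TIME_FORMAT),
                       "user": user, "src": src, "service": service})
    return events


def unreconciled_connections(network_events, host_events, window_seconds=60):
    """Return telnet connections from the network log that have no telnet
    login on the host from the same source IP within window_seconds after
    the connection was seen. The window size is an assumption; tune it to
    how long a login normally takes on the host being checked."""
    window = timedelta(seconds=window_seconds)
    missing = []
    for conn in network_events:
        if conn["port"] != TELNET_PORT:
            continue  # only the service the host log can confirm
        matched = any(
            login["service"] == "telnet"
            and login["src"] == conn["src"]
            and conn["ts"] <= login["ts"] <= conn["ts"] + window
            for login in host_events
        )
        if not matched:
            missing.append(conn)
    return missing


if __name__ == "__main__":
    net = parse_network_log(NETWORK_LOG)
    host = parse_host_log(HOST_LOG)
    for conn in unreconciled_connections(net, host):
        print(f"{conn['ts']} telnet connection from {conn['src']} "
              f"with no login session recorded on the host")
```

Running it flags the 02:31:40 connection from 192.0.2.77: the network saw a telnet session, the host recorded no login. That is a lead rather than proof, since a failed login or a connection that was dropped before authentication produces the same gap; what makes the technique work at all is that the network sensor is a separate machine the intruder has not touched, and that both clocks agree closely enough for the matching window to be meaningful.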
Case study: Knark
- Knark: a loadable kernel module rootkit for Linux
- Hides files, directories, net connections
- Hides processes (inherited)
- Exec redirection: run sshd.bad when they ask for sshd
- Hides modules, execute programs as root
- And so on...

Response to kernel rootkits
- Good argument for prevention
- Examine the disk contents (portable forensics)
- Log reconciliation
  - Compare logs from host against external logs (e.g. network traffic logs), look for differences
  - E.g. telnet connection, but no login session

Distributed Attack Tools
- Basic idea is to split phases of the attack, or pieces of a denial of service mechanism, across multiple hosts
- Harder to detect: easier to drop below intrusion detection threshold, hard to correlate seemingly pointless traffic from multiple sources.

Sample Distributed Attack
[Diagram: probe sources, probed hosts, attack hosts, compromised hosts, denial-of-service sources and denial-of-service victims, with the phases of the attack numbered 1 to 3]

Viruses and Worms
- The terminology is often misused
- Virus
  - Malicious software installed into another, otherwise "normal" program
  - "Infection part" looks for other files/programs to infect
  - "Payload part" does something (sends email, deletes files, etc.)
  - Frequently requires human intervention to spread (e.g. execute attachment)

Viruses and Worms (continued)
- Worm
  - Stand-alone program, not attached to another
  - Typically spreads automatically

Case study: SQL/Slammer (Sapphire) Worm

How does SQL/Slammer infect a computer?
- Through the SQL Locator Service
  - Microsoft SQL is a network database server
  - SQL Locator Service is a network service for finding SQL databases
- Some versions of the SQL Locator Service have a bug
- SQL/Slammer was written to take advantage of this bug

More specifically...
- The bug that SQL/Slammer used is a type of "buffer overflow" attack
- A buffer overflow attack is when the attack, um, overflows the buffer
- This can enable the attacker to insert their program into the program receiving the data and execute it
- If it works the good program is replaced with a copy of the worm

[Slides 36-37: animation of SQL/Slammer overflowing the SQL Locator Service buffer]
[Slides 38-43: animation of the worm spreading from computer to computer]

SQL/Slammer Growth
- Stats from "The Spread of the Sapphire/Slammer Worm" (www.caida.org)
- The doubling time in the first minute was 8.5 seconds
- Reached its full scanning rate after 3 minutes (55 million/second)
- Most computers were infected within 10 minutes
- 100 Mb/s link == 30,000 scans/second!

More Statistics
- 34 OSU computers were infected at the peak
- "Took out" our network for several hours
- Peak traffic: 1.4 million/hour in, 26.6 million/hour out
- 1 computer sourced ~80 Mb/s of traffic
- We are still seeing Slammer traffic, infected computers at OSU

Macro Viruses
- The "virus" is code (e.g. VBScript) in a document of some sort
- Could be called worms
- We frequently refer to all malicious software as "malware"

Denial Of Service (DOS) attacks
- Goal is to undermine the availability of a computer or service
  - Attacks on Dalai Lama web sites
  - Escalating arguments from miscreants on chat rooms
- Can be done various ways
  - Send *large* amounts of traffic at a target
  - Send traffic that triggers a bug that causes the network server to hang, or causes the computer to crash

Distributed Denial of Service (DDOS) attacks
- Attacker installs an agent program
- Agents are controlled through a master program
- Attacker sends commands to the agents through the master:
  - Scan
  - Various types of DOS attacks
  - Update
  - Uninstall

DDOS attacks (continued)
- Frequently use encryption
- Imagine 1000 agents sending large amounts of traffic at a target!
- Example: TFN, Stacheldraht

[Slide 50: diagram of a DDOS network: the attacker controls several masters, each master controls several agents, and the agents send traffic at the victim]

Botnets
- Agent programs that communicate through messaging services (typically IRC)
- Similar to DDOS networks
  - No master
  - More generic uses: file sharing, scanning, DOS
- 10,000-50,000 botnets, biggest with 18,000 computers
- Backdoors in the bots

Hacker tools
- Typically automate task of scan, data collection, exploit, and rootkit installation
- Increasingly sophisticated
  - Easy to use GUI, interactive help, 800 numbers for support...
- Enabling technology
- Neptune

Network sniffing
- Old school: plain old promiscuous sniffing
  - Switches "fixed" that
- New school: "directed" sniffing ("dsniff")
  - Switch learn table overloading
  - ARP redirection
  - DHCP hijacking

Wireless attacks
- Wardriving, stumbling, chalking (kismet, netstumbler)
- Blackhat 2002: Mike Lynn and Robert Baird
  - WLAN-jack: kick everyone off
  - ESSID-jack: get ESSID
  - Monkey-jack: create fake AP, force people to associate with it, facilitates "man in the middle" attacks

Router Attacks
- Cisco IOS exploits
- Boxes with default or no password
- Exploring BGP
  - 17,000 owned Ciscos, 2 running BGP
  - 15,000 Cayman
  - 64,000 "smurf" networks

Anti-forensics
- Defiler's toolkit: inode, deleted file scrubbing
- Evidence-eliminator.com

Software Distribution Woes
- *Not* just a problem for the open-source community
- Sendmail FTP scam
  - Intruders apparently modified the FTP server
  - Every ~10th caller gets modified sendmail distribution
  - Distribution installs a backdoor as part of the installation process

Software Distribution (continued)
- Trojaned OpenSSH distribution
  - Intruders gained access to the FTP server, replaced the distribution with their own
- Answer: Download software with care!
  - Always check distribution signatures with PGP, MD5, etc.
  - Compile/install software with least privileges

Disabling Local Security Measures
- Bugbear disables local firewall, anti-virus services
- On the other hand, it is increasingly common for exploit scripts to install patches or disable services
  - Not altruism! An attempt to keep other miscreants from "owning" this computer

Increased Use of Spyware
- Increasingly common for malware to use keystroke loggers (Bugbear)
- There are various plug-ins, peer to peer file sharing programs that "share" personal information with other parties

Syscall Proxies
- Blackhat 2002: Maximiliano Caceres
- Old school: use buffer overflow to execute a shell where you execute commands remotely
- New school: set up a simple RPC syscall proxy. Applications on the attacking end can then "run" on the victim end transparently

Spike, Other Vulnerability Discovery Tools
- Blackhat 2002: Dave Aitel
- Toolkit to reproduce a protocol and automate the process of finding buffer overflows
- Doesn't automate the whole process, but takes much of the tedium out of it

Some trends
- Faster
  - Code Red took several hours to infect "everything"
  - "Research" on so-called "Warhol Worms"
  - Slammer took 10 minutes
- Stealthier
  - Use of encryption, authentication
  - Kernel modules

Some trends (continued)
- Firewall-aware
  - Nethief, Seteri
  - DC Phone Home (Blackhat Briefings, US, August 2002)
- Multi-exploit, multi-platform
  - Sadmind worm
- Increasing automation

Some trends (continued)
- Dynamic updates
  - Imagine if they can add exploits, platforms "on the fly"
- Distributed, cooperative
- "New" communications channels
  - ICMP, IM, web sites and proxies
- Increasing use of cryptography

Some trends (continued)
- Remote file sharing (NFS, SMB)
  - For tools, logs
  - As exploit avenue
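The "Software Distribution" slides above describe the sendmail and OpenSSH incidents, where intruders on the FTP server handed out a trojaned distribution, and give the answer "Always check distribution signatures with PGP, MD5, etc." The Python script below is an added example of the checksum half of that advice and is not part of the original presentation: it parses a sha256sum-style checksum list and compares the digest of the downloaded file against it. It uses SHA-256 from the standard library's hashlib rather than the MD5 the slide names, and the tarball bytes, file name and checksum list are constructed for the example; verifying a PGP signature on the checksum list itself is the other half and is not shown here.

```python
"""Verify a downloaded distribution against a published checksum list.

Added example, not from the original slides. A checksum list in the format
written by sha256sum ("<hex digest>  <filename>") is parsed, and the digest
of the local file is compared with the listed one in constant time.

The tarball contents, file name and checksum list below are constructed for
the example and do not correspond to any real release.
"""
import hashlib
import hmac


def sha256_hex(data):
    """Hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text):
    """Parse sha256sum output into {filename: hex digest}.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-hex-digit digest followed by a name is rejected, so a damaged or
    tampered list fails loudly instead of silently listing nothing."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.strip().split(None, 1)  # digest, then the rest of the line
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest on line {lineno}: {line!r}")
        # sha256sum prefixes the name with '*' for files hashed in binary mode
        expected[name.lstrip("*").strip()] = digest.lower()
    return expected


def verify_download(name, data, expected):
    """True only if name appears in the list and its digest matches.

    hmac.compare_digest runs in time independent of where the strings first
    differ, which is the habit to keep for any secret-or-integrity comparison."""
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_hex(data), expected[name])


# Constructed "distribution" and a checksum list that matches the clean copy.
GOOD_TARBALL = b"placeholder bytes standing in for example-1.0.tar.gz\n"
TROJANED_TARBALL = GOOD_TARBALL + b"# extra bytes an intruder appended\n"
CHECKSUM_FILE = (
    "# SHA256SUMS for the constructed example release\n"
    f"{sha256_hex(GOOD_TARBALL)}  example-1.0.tar.gz\n"
)


if __name__ == "__main__":
    expected = parse_checksum_file(CHECKSUM_FILE)
    for label, blob in (("clean", GOOD_TARBALL), ("trojaned", TROJANED_TARBALL)):
        ok = verify_download("example-1.0.tar.gz", blob, expected)
        print(f"{label} copy: {'digest matches' if ok else 'DIGEST MISMATCH, do not install'}")
```

The check is only as good as where the checksum list came from: in the incidents on the slide the intruders controlled the FTP server, so a checksum file fetched from the same place could have been replaced along with the tarball. Take the list (or its PGP signature) from a separate channel, such as the project's signed announcement, and treat a mismatch as a reason to stop rather than retry.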
