Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC

Security+ Chapter 6 – Predicting and Mitigating Threats Brian E. Brzezicki

Malware (291) malware – mal (bad) ware (software) Software you would NEVER intentionally install or execute on your computer. Type of malware we will discuss Viruses Worms Trojans Logic Bombs Rootkits Spyware

Virus

Virus Characteristics (291) Code that attaches itself to other VALID software Harmful code gets run when you run the valid application When run viri generally replicates into other software on the system, infecting it with the virus. Virus usually also takes some unwanted actions when the host application is executed. Viruses have signatures (the bad code) that can be searched for and detected.

Virus replication Methods (292) Infected removable media – Floppies – USB drives – Even some published software on CDROM Downloaded software Network Shares

Virus Hoaxes What is a hoax? How can a hoax cause damage? What is the best countermeasure for hoaxes?

Worms (295) Worms – work differently than viruses Self-propagate Do damage Counter measures Remove un-necessary services Patch OS and applications Beware of code sent in

Trojan Horses

Trojan (296) Like the Trojan Horse of greek Mythology a Trojan program seems like a “gift”. Disguised as a useful program. It might even might do something useful to keep up the disguise. But will cause you harm. Countermeasures User Education Don’t run software that you are not familiar with and that you don’t have “real distribution” media for. Software Digital Signing Anti-virus software to detect known Trojans

Logic Bombs (296) Logic Bomb – Code or applications embedded into a system that waits for a specific time or event then goes off doing some type of damage. Countermeasures Inventory all software and keep checksums. Tripwire is a popular program that provides file integrity verification.

Rootkits (297) Software installed on a system to hide the presence of an attacker. Can consist of Replaced system software Loadable kernel modules

Adware and Spyware (298) Adware - Software put on a system that tracks a users usage, may cause pop ups to occur. Spyware – Dangerous software that is install on a system to have much more malicious impact. keystroke loggers are a very dangerous type of spyware.

Protection against Malware User Education File Integrity Verification Software Signing Anti-Virus software – Signature Based – Heuristic Anti Spyware software – Lavasoft’s Ad-aware – Windows Defender – Spybot – Spybot Search and Destroy

Attacks

Privilege Escalation (n/b) Once you have “user” access to a system trying to use system tools and programs in ways that allow you to raise your privileges beyond your normal access levels. Buffer Overflows

Denial of Service Attacks

Ping of Death (n/b) Old bug in Microsoft TCP/IP stack that caused a computer to “blue screen” / crash when an oversized ping packet was received. Even though the bug was fixed in re-appeared on later versions of Windows.

SYN Flood

SYN Flood (302) Attack – Forge IP SYN packet from downed system – Server responds to fake downed address, which never responds – Connections are “half-open” and use up limited listen queue slots – Stops real new connections from establishing

SYN Flood (302) Countermeasures Stop forged packets at ingress/egress routers Patch OS Decrease 3 way handshake timeout values Increase 3 way handshake max connections Use a firewall as a middleman Set registry settings \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttack Protect = 1 \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxCo nnectResponseRetransmissions >= 2 Mor information regarding SYN flood registry settings at

Smurf Attack (303)

How would a Smurf attack someone? (see next slide) 1.Find site to attack, say 2.Forge Ping packet from to a BROADCAST network addresswww.ebay.com 3.Watch as the computers on the network all start pinging back Countermeasures Drop forged packets at routers Drop directed broadcasts Drop pings to broadcast addresses

Smurf Attack (303)

Tear Drop (n/b)

Distributed Denial of Service

DDoS (304) Distributed Denial of Service – Overwhelm the victim by sheer numbers. Take over computers (bots/zombies) Build a command and control network using masters and slaves. – Often using IRC or other pubic services Control hundreds or thousands of computers and attack another.

DDoS (304)

Spoofing (304) One entity pretends to be another IP spoofing spoofing

Man in the Middle (307)

Replay Attacks (308) Capturing authentication or session credentials and resending them to gain access. Countermeasures Do not allow credentials to be reused – Time stamps – Counters

TCP/IP Hijacking (309) When you cannot steal someone elses passwords or break into a system, steal someone elses connection. 1.Wait for a user to authenticate 2.Determine sequence numbers 3.Knock valid user off network 4.Steal their authenticated connection

ARP poisoning (309) ARP poisoning is an attack against a network, where one computer sends a fake ARP reply, in the attempt to trick another computer on the same network to communicate with it instead of the real machine. This can be used as a man in the middle attack, or a straight hijacking attack.

DNS Poisoning (n/b) Faking DNS responses in order to trick a computer into going to an attackers site rather than a real site. Example. If I can “poison” your DNS cache and redirect to my IP address, I could put up a fake site and steal your banking information! (or setup a MiM attack)

Reconnaissance (310) Learning as much as you can about your target you plan on attacking. This is the first step in the hacking process. IP address identification DNS probing PING scanning OS fingerprinting Port Scanning Vulnerability identification

Null Sessions (311) In early versions of Windows, un-authenticated users could “browse” the network to see what resources existed on the network. This browsing made use of “Null Sessions” which are network connections allowed without any type of authentication. Hackers can use Null Sessions and browsing to learn about the network and Null sessions should be disabled or limited in their functionality. To fight NULL sessions on windows HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 See

Domain Name Tasting and Kiting Tasting – registering a domain for 5 days for “free” Kiting – deleting the domain in the 5 day grace period then re-registering it

Social Engineering (314 – 318) Trying to trick people into giving you access to a system. Phishing Piggybacking/tailgating Impersonation Dumpster Diving Shoulder Surfing

Importance of User Education (318) No security program can be successful if the users are not properly trained on security issues and procedures. Some attacks such as social engineering attacks are best defended by education rather than technical means. Some methods of user education are Training Classes Login banners Centralized /information dispersal Policies and procedures