100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn’t stake my life on it …. ” Gene Spafford—Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University
The Internet Challenge E-Commerce Workforce Optimization Internet Business Value Customer Care Supply Chain Management E-Learning Internet Presence Expansion of E-Business!! E-Business Challenge is how to put mission critical applications & business functions on–line how to expand access beyond the enterprise To telecommuters To mobile workers To provide access in hotels, airports, & even here and to provide access beyond the enterprise to new constituencies to Customers,suppliers and partners In short - how to take advantage of the productivity and competitive advantages that e-business offers without being vulnerable to the increased security risks it involves Not getting easier as publicly available penetration tools can make anyone a sophisticated hacker Successful e-business requires heightened security Corporate Intranet Internet Access Expanded Access Heightened Network Security Risks
Threat Capabilities: More Dangerous & Easier To Use Internet Worms Packet Forging/ Spoofing High Stealth Diagnostics Technical Knowledge Required DDOS Back Doors Sweepers Sophistication of Hacker Tools Exploiting Known Vulnerabilities Sniffers Disabling Audits Self Replicating Code Password Cracking When most people read about Internet hacking incidents, they get the impression that these are highly complex, technical attacks that takes a genius to create. Reality is that the really smart people first come up with these highly complex, technical attacks, but they share the information and the tools required to pull off the attack on the Internet. The “open sharing” of hacking information and tools allows individuals with minimal technical knowledge to duplicate the attack. Often, it is as easy as downloading the attack tool from the Internet and launching it against targets. You don’t need to know anything other than how to run the attack tool. The bottom line is that it doesn’t take a genius to successfully attack systems and networks, it just takes someone downloading attack tools. Password Guessing Low 1980 1990 2000
Examples
Distributed Denial of Service (DDoS) First attack to consider is DDoS. February hit public consciousness when Yahoo, CNN, Amazon, Ebay all went down. Tools have been around longer than that. Many different names, including: Stacheldraht - “barbed wire” (spend some time on this one) Trinoo Tribe Flood Network (TFN) and TFN2000 Shaft DDoS is no different than DoS in that you send lots of traffic to a target, though you have 100s or 1000s of machines doing it at the same time. Ding Dong is akin to DoS with every kid in the neighborhood lined up to ring your door bell. Your dinner guests will never make it cause they’ll have to stand in line too. DDoS is like all the kids of the city getting their parents to drive them to your house to do Ding Dong. Not only will you have a long line, but you’ll wind up with clogged roads too. DDoS attacks are designed to saturate network links with spurious data. This data can overwhelm a business’ Internet link, causing legitimate traffic to be dropped. DDoS prevention hard cause already to late at the FW. Can try to prevent being a source of DDoS attacks. Stacheldraht - “barbed wire” Trinoo Tribe Flood Network (TFN) and TFN2000 Shaft
Attacks Keep Getting Easier Connected to www.test.com www.test.com
l0PHT Crack Dumps All Passwords from the NT Registry Specify a Computer:
l0PHT Crack Dumps the Password Files
The Intruder Opens a Word Dictionary
and Runs the Crack
A new generation of attacks: The Internet Worms
The Code Red & NIMDA Worms What Happened?? - July 19-20/2001 - 359,104 Hosts in 13 hours - $2.6 Billion in Damages! Estimates from Computer Economics (Carlsbad, CA) NIMDA September 18, 2001 Fastest spreading virus 300K+ Hosts, 2.2M devices Damage still being assessed The Code Red worm was one of the most damaging and quickly spreading threats to the internet. Over the course of just 2 days over 300,000 hosts were infected – with damages totaling in the hundreds of millions of dollars.
July 19, Midnight – 159 hosts infected Code Red Spreads July 19, Midnight – 159 hosts infected
July 19, 11:40 am – 4,920 hosts infected Code Red Spreads July 19, 11:40 am – 4,920 hosts infected
July 20, Midnight – 341,015 hosts infected Code Red Spreads July 20, Midnight – 341,015 hosts infected
The Code Red Worm How It Works Conceals itself in HTTP Packets. Firewalls alone cannot safeguard against the virus The worm exploits vulnerabilities found in Microsoft’s Internet Information Server (IIS) v4&5 via a buffer overflow attack It then exploits arbitrary code and installs a copy of itself into the infected computer’s memory – which infects other hosts. Worms are self-propagating pieces of code that take advantage of flaws in computer software. In this case, the Code-Red worm took advantage of a remotely exploitable vulnerability in Microsoft’s Internet Information Server (IIS) Versions 4 and 5. The worm would send a Universal Resource Locator (URL) to a host that would overflow a buffer in Microsoft’s Index Server, a part of IIS. This buffer overflow allowed the worm to execute arbitrary code. Code-Red would install a copy of itself into memory on the infected computer, and attempt to infect additional hosts.
The NIMDA Worm How It Works Hybrid of Worm & Virus Spread by: E-mail attachment (virus) - Network Shares (worm) - Javascript by browsing compromised web site (virus) - Infected hosts scanning for exploitable hosts (worm) - Infected hosts scanning for backdoors created by Code-Red and sadmind/IIS worms (worm) The Nimda worm is actually a hybrid, containing both worm characteristics and virus characteristics. Both worms and viruses spread and infect multiple systems. The differentiator between the two is that viruses require some form of human intervention to spread. Nimda spreads via the following mechanisms through: Email as an attachment (virus) Network shares (worm) JavaScript by browsing compromised web sites (virus) Infected hosts actively scanning for additional exploitable hosts (worm) Infected hosts actively scanning for backdoors created by the Code-Red and sadmind/IIS worms (worm)
Anatomy Of A Worm 1 - The Enabling Vulnerability 2 - Propagation Mechanism Three stages to how the worm operates and propagates itself. It’s important to understand that worms are self propagating. They are indiscriminate in who they attack and where they attack and when they attack. 3 - Payload
The Enabling Vulnerability IIS 1 IIS Internet IIS The enabling vulnerability is an inherent weakness in unpatched versions of Microsoft’s IIS web server. IIS IIS Using the Index Server buffer overflow attack, the worm attempts to install itself on IIS Web servers.
Propagation GO IIS IIS IIS 2 The most dangerous aspect of the worm is it’s ability to self-replicate and automatically infect new targets in an indiscriminate manner. After gaining access to the servers, the worm replicates itself and selects new targets for infection.
Payload 3 STEAL DEFACE BACK DOOR ROOTKIT Once infected, the server is vulnerable to a number of exploitations. The information contained on the server is open to the hacker, and the infected server can be used to exploit other devices on the network. 3 When the server is infected with a worm, the attacker has administrator-level access to the server. Not only can the attacker deface Web pages, but they also have the power to reformat the hard drive, install a rootkit, steal credit card numbers, etc.
Additional Information Compulsory Reading "Hacking Exposed". Security Links (vulnerabilities, tips, exploits, tools) http://www.securityfocus.com http://packetstorm.securify.org http://www.insecure.org