3-Protecting Systems Dr. John P. Abraham Professor UTPA

Hardening Operating System 3 pronged approach: ◦ operating system updates, ◦ Protect against buffer overflows, ◦ configuring operating system protections

Operating System updates  Security Patch: Covers discovered Vulnerabilities  Turn on automatic updates  Hotfix – specific to a customer situation  Service Pack – Cumulative security patches and other software updates.  Designate one server within your organization as the patch update service

Buffer Overflow Protection Corrupts system memory and causes freezing May change the return address (from a routine) to a different one where the malware is residing. Programmers should write defensive programming. Show the textbook to the students. ◦ For windows based programming use: Data execution prevention(DEP) and Address Space Layout Randomization (ASLR)

Defensive programming Microsoft environment Data Execution Prevention (DEP) ◦ DEP is available in VISTA and beyond ◦ Designated memory only to hold data not code (No eXecute NX bit associated with the memory). Buffer overflow redirection would not work within a NX memory. ◦ Programmers can turn on this feature. Address Space Randomization (ASLR). ◦ Each time Vista.. Is rebooted.EXE and.DLL are loaded randomly into 256 possible locations. Attackers find it difficult to work with unpredictable code locations.

Configuring Operating System Protection Security Policy ◦ A document that clearly defines the defense mechanisms an organization will employ in order to keep information secure. ◦ Configuration baseline – permissions on files, registry permissions, logins, authentications, etc. You may want to create a Security template to handle it. ◦ Deployment – individually or by group policy

Preventing Attacks that Target Web browser Attacks through cookies, scripts, Java, ActiveX and cross-site scripting. Attacks through cookies, scripts, Java, ActiveX and cross-site scripting.

Cookies information about visits saved on user’s computer. First party cookie is created by the site that the user is currently viewing. Third- party cookies are cookies created by some one else is accessed in a current visit to a different site. information about visits saved on user’s computer. First party cookie is created by the site that the user is currently viewing. Third- party cookies are cookies created by some one else is accessed in a current visit to a different site. Cookies do not present a security threat, but is a privacy risk. Track browsing habits, etc. Also provides IP address. Cookies do not present a security threat, but is a privacy risk. Track browsing habits, etc. Also provides IP address.

Scripts (Java, VB, etc.) Web pages containing scripts download the scripts to the computer and is executed. The program can send information about the user to a host. Scripts can’t access files on the computer, so limited risk exists. Web pages containing scripts download the scripts to the computer and is executed. The program can send information about the user to a host. Scripts can’t access files on the computer, so limited risk exists.

Java Java can create applets that run on local computers. Defense against hostile jave applets is a Sandbox (a fence). Unsigned java applet does not come from a trusted source and must be run within the sandbox and gives warning to the users. If users do not read the message, or understand the risk, it can cause serious trouble. Sandbox warnings are given at the bottom left. Signed java applets are from trusted sources and have not been altered. Java can create applets that run on local computers. Defense against hostile jave applets is a Sandbox (a fence). Unsigned java applet does not come from a trusted source and must be run within the sandbox and gives warning to the users. If users do not read the message, or understand the risk, it can cause serious trouble. Sandbox warnings are given at the bottom left. Signed java applets are from trusted sources and have not been altered.

ActiveX – Add-ons framework for defining reusable software components (known as controls) that perform a particular function or a set of functions in Microsoft Windows in a way that is independent of the programming language. A software application can then be formed from one or more of these components in order to provide its functionality. They do not run in a sandbox. It can do anything on the computer such as creating, modifying and deleting files. A signed ActiveX control is generally safe. Unsigned is riskier. framework for defining reusable software components (known as controls) that perform a particular function or a set of functions in Microsoft Windows in a way that is independent of the programming language. A software application can then be formed from one or more of these components in order to provide its functionality. They do not run in a sandbox. It can do anything on the computer such as creating, modifying and deleting files. A signed ActiveX control is generally safe. Unsigned is riskier.

Cross Site Scripting (XSS) Scripts that extract information from victim and pass it to the attacker. Scripts that extract information from victim and pass it to the attacker. Changes contents of dynamic websites and injects a script into it that asks for personal information through input validation. Changes contents of dynamic websites and injects a script into it that asks for personal information through input validation. A web site that displays bad login screens with login name is a good one for these types of attacks. A web site that displays bad login screens with login name is a good one for these types of attacks. It could send a URL to click It could send a URL to click

SMTP Open Relays A user can set up a receiving address and a sending address. Usually they are the same like pop.dia.sbc.net and smtp.dia.sbc.net. Some smpt servers are configured to sned mail through other domains (known as relays). An attacker can send spam through such relays without getting caught. A user can set up a receiving address and a sending address. Usually they are the same like pop.dia.sbc.net and smtp.dia.sbc.net. Some smpt servers are configured to sned mail through other domains (known as relays). An attacker can send spam through such relays without getting caught.

Instant Messaging Once a user signs up with the instan message server, the client’s IP and port is sent to all buddies and communication can take place directly. With direct connection virus and worms can be spread. Attacker can also view contents of messages. Once a user signs up with the instan message server, the client’s IP and port is sent to all buddies and communication can take place directly. With direct connection virus and worms can be spread. Attacker can also view contents of messages.

Peer-to peer All types of attacks can take place through P2P networks. BitTorrent is more secure than P2P. However, both can be used to download illegal software or music. All types of attacks can take place through P2P networks. BitTorrent is more secure than P2P. However, both can be used to download illegal software or music.

Defenses Antivirus – always a step behind, update with definition files. Antivirus – always a step behind, update with definition files. Pop-up blockers. Now incorporated into the browser. Pop-up blockers. Now incorporated into the browser. Anti-spam. Spam filter with smtp server. Install spam filter with pop3 Anti-spam. Spam filter with smtp server. Install spam filter with pop3 Personal firewals. Personal firewals. Host Intrusion Detection systems (HIDS) monitoring files systems and logfiles. Host Intrusion Detection systems (HIDS) monitoring files systems and logfiles.