Quiz-2 Review ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office:


Slide 1: Quiz-2 Review, ECE-6612. Prof. John A. Copeland. Office: Klaus (or call for an office visit). March 25, 2015

Slide 2: Quiz-2 Topic Areas
- E-mail Security: PGP, S/MIME
- IP Security: IPsec (AH, ESP modes, VPN)
- Web Security: Secure Socket Layers (SSL, TLS); Certificates, CAs, Hashes (MD5)
- Intruders (and other Malicious Users): Protection
- DNS: cache poisoning (Birthday Attack used)
- IDS: Base-Rate Fallacy, False-Positive Rate
- Viruses: Worms, Trojan Horses, Logic Bombs, ...
- TCP-IP, Firewalls, Secure Electronic Transactions (SET), and Trusted Systems
- We have discussed: BotNets, DDoS, SPAM, Phishing
- Slides 17 (1-11): Buffer Overflows, Stack Frames

Slide 3: Definitions
- Virus: code that copies itself into other programs. A "Bacteria" replicates until it fills all disk space or all CPU cycles.
- Payload: the harmful things the malicious program does after it has had time to spread.
- Worm: a program that replicates itself across the network, usually riding on e-mail messages or attached documents (e.g., macro viruses). "E-mail viruses" are technically "worms".
- Trojan Horse: instructions in an otherwise good program that cause bad things to happen (e.g., sending your data or password to an attacker over the net).
- Logic Bomb: malicious code that activates on an event (time, trigger).
- Trap Door (or Back Door): an undocumented entry point written into code for debugging that can let unwanted users in.
- "Vulnerability": a program defect that permits "Intrusions".
- Easter Egg: extraneous code that does something "cool"; a way for programmers to show that they control the product.
- Bot, BotNet: a large P2P network (hundreds to millions) of compromised computers (Bots) that communicate to commit DDoS, SPAM, Phishing.

Slide 4: The Stages of a Network Intrusion [RAERU]
1. Scan the network to locate which IP addresses are in use, what operating system is in use, and what TCP or UDP ports are "open" (being listened to by servers). [RECONNAISSANCE]
2. Run "exploit" scripts against open ports. [ACCESS]
3. Elevate privileges to "root" privileges. [ELEVATE]
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT]
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]
Detection approaches annotated beside the stages on the slide (asterisk: StealthWatch): Flow-based* "CI", signature-based?; Signature?, Flow-Based Port Profile*; Signature?, "Port-Profile*", Forbidden Zones*, Host-based; Host-based; Vulnerability Scan.

Slide 5: Protection from a Network Intrusion
Rule 2: Multiple layers of protection are needed to reach a high level of security at an affordable cost.
Protection:
1. Use a "Firewall" between the local area network and the world-wide Internet to limit access (Chapter 10).
2. On Microsoft PCs with XP and later, use the OS firewall, which limits incoming and outgoing communications by application (program), not just by port number. For Mac, buy "Little Snitch" ($35).
Detection:
1. Use an IDS (Intrusion Detection System) to detect the cracker during the scanning stage (lock out the IP address, or remove malware from a local host).
2. Use a program like TripWire* on each host to detect when system files are altered, and send an alert to the Sys Admin.
Reaction:
1. Have a plan and the means to implement it.

Slide 6: Anomaly-Based Intrusion Detection
High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
[Figure 9.1: Detection Threshold; Undetected Intrusions = False Negatives (FN); False Alarms = False Positives (FP)]
#False-Negatives = #Bad Events x FN-rate
#False-Positives = #Normal Events x FP-rate
# Normal Events = #TruePositives + #FalsePositives
Detected as Positive -> Alarm. A Negative Event, True or False, is one that does not trigger an Alarm.

Slide 7: "Base-Rate Fallacy" Calculations
If the "behavior" is a connection:
For legitimate connections (total number = LC):
  True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
  Correctly handled connections (no alarms) = TNR * LC
  Incorrectly handled connections (false alarms) = FPR * LC
For malicious connections (total number = MC):
  False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
  Correctly handled connections (real alarms) = TPR * MC
  Incorrectly handled connections (no alarms) = FNR * MC
If LC >> MC then (FPR * LC) >> (TPR * MC), hence "false alarms" are much greater than "real alarms" when FPR >> MC/LC (tiny). (TPR is 1 - FNR, or approx. 1.)
See Slide Set 09A, #17 for example calculations.
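The two slides above (the FN/FP counts on slide 6 and the LC/MC rates on slide 7) are carried through numerically in this added example; it is my code, not the course's, and the traffic volumes and rates in the `__main__` block are constructed. It uses the slides' own symbols (LC, MC, FPR, FNR, TPR, TNR) and also computes alarm precision, TP / (TP + FP), which is the fraction of alarms an analyst can expect to be real.

```python
"""Base-rate fallacy for an anomaly-based IDS (added example)."""


def alarm_breakdown(lc, mc, fpr, fnr):
    """Counts of each outcome class, using TNR + FPR = 1 and FNR + TPR = 1."""
    tnr = 1.0 - fpr
    tpr = 1.0 - fnr
    return {
        "true_negatives": tnr * lc,   # legitimate, no alarm
        "false_positives": fpr * lc,  # legitimate, alarm (false alarm)
        "true_positives": tpr * mc,   # malicious, alarm (real alarm)
        "false_negatives": fnr * mc,  # malicious, no alarm (missed intrusion)
    }


def alarm_precision(lc, mc, fpr, fnr):
    """Fraction of alarms that are real: TP / (TP + FP).

    This is what the base-rate fallacy misjudges: a 'tiny' FPR still
    produces FPR * LC false alarms, which dwarfs TPR * MC when LC >> MC.
    """
    b = alarm_breakdown(lc, mc, fpr, fnr)
    alarms = b["true_positives"] + b["false_positives"]
    return b["true_positives"] / alarms if alarms else 0.0


def false_alarms_dominate(lc, mc, fpr, fnr):
    """Slide 7's condition: false alarms exceed real alarms when FPR * LC > TPR * MC."""
    return fpr * lc > (1.0 - fnr) * mc


def max_fpr_for_precision(lc, mc, fnr, target):
    """Largest FPR that still gives the target precision (solve TP/(TP+FP) >= target for FPR)."""
    tp = (1.0 - fnr) * mc
    return tp * (1.0 - target) / (target * lc)


if __name__ == "__main__":
    # Constructed scenario: a million legitimate connections a day, ten
    # malicious ones, a 0.1% false-positive rate and a 1% miss rate.
    LC, MC, FPR, FNR = 1_000_000, 10, 0.001, 0.01
    for k, v in alarm_breakdown(LC, MC, FPR, FNR).items():
        print(f"{k:16s} {v:10.1f}")
    print(f"alarm precision  {alarm_precision(LC, MC, FPR, FNR):.4f}")
    print("false alarms dominate:", false_alarms_dominate(LC, MC, FPR, FNR))
    print(f"FPR needed for 50% precision: {max_fpr_for_precision(LC, MC, FNR, 0.5):.2e}")
```

With these numbers the detector raises about 1,000 false alarms for every 9.9 real ones, so under 1% of alarms are genuine; reaching even 50% precision requires an FPR of roughly 1e-5, which is why anomaly detectors are tuned with the base rate MC/LC in mind rather than by the FPR alone.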

Slide 8: Chapter 10a - Firewalls
- Network Firewall: economical, one point to manage.
- Host-based FW: can filter based on application; depends on the user unless a central management system is used.
- Simple Firewall: drops packets based on IP address and port.
- Stateful: keeps track of connections, whether set up from inside or outside.
- NAT (Network Address Translation): private address ranges (10., ...). Inbound connections must match the "forwarding table".
- Proxy Server: checks application header and data. A mail proxy may filter spam, viruses, and worms; a web proxy may filter URLs and domains.
- Attacks: how does a firewall protect against scanning, bad fragments, bad TCP flags, Smurf attack, ...?
- Host-based Firewalls: xinetd (/etc/hosts.allow), iptables, Zone Alarm, Black Ice (now ISS Desktop Proventia), "Little Snitch".
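The difference between a simple filter, a stateful filter and NAT's forwarding table is easiest to see on concrete packets, so here is an added simulation (my code, not from the slides or from any firewall product). It assumes 10.0.0.0/8 is the private LAN and 198.51.100.1 is the NAT box's public address; the packets in demo() are constructed.

```python
"""Simple (stateless) filter vs. stateful filter, plus a NAT forwarding table (added example)."""
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # assumed private range behind the firewall
PUBLIC_IP = "198.51.100.1"         # constructed public address of the NAT box


class Packet:
    def __init__(self, src, sport, dst, dport, flags=""):
        self.src, self.sport, self.dst, self.dport, self.flags = src, sport, dst, dport, flags

    def inbound(self):
        """True when the packet comes from the Internet side."""
        return ip_address(self.src) not in INSIDE

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        """The 4-tuple an outbound packet must have had for this packet to be its reply."""
        return (self.dst, self.dport, self.src, self.sport)


def simple_filter(pkt):
    """Stateless rules: decide on IP address and port only. To let web replies back
    in, it has to admit every inbound packet with source port 80, so an outsider
    who simply sends from port 80 reaches inside hosts."""
    if not pkt.inbound():
        return True
    return pkt.sport == 80


class StatefulFilter:
    """Remembers connections set up from inside and admits only their return traffic."""

    def __init__(self):
        self.connections = set()

    def accept(self, pkt):
        if not pkt.inbound():
            self.connections.add(pkt.key())        # record the outbound connection
            return True
        return pkt.reply_key() in self.connections  # inbound must match an existing entry


def nat_forward(pkt, forwarding_table):
    """Inbound connections to the public address are delivered only if the destination
    port is in the forwarding table (public port -> (inside host, port)); otherwise
    there is nowhere to send them and they are dropped. Returns the new (dst, dport) or None."""
    if not pkt.inbound() or pkt.dst != PUBLIC_IP:
        return None
    return forwarding_table.get(pkt.dport)


def demo():
    """Constructed traffic: a forged 'reply' from outside versus a real one."""
    forged = Packet("203.0.113.9", 80, "10.0.0.5", 40000, "S")
    outbound = Packet("10.0.0.5", 40000, "203.0.113.9", 80, "S")
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000, "SA")
    sf = StatefulFilter()
    results = {
        "simple_admits_forged": simple_filter(forged),
        "stateful_admits_forged": sf.accept(forged),
    }
    sf.accept(outbound)
    results["stateful_admits_reply"] = sf.accept(reply)
    table = {443: ("10.0.0.10", 443)}  # constructed port-forward to an inside web server
    results["nat_https"] = nat_forward(Packet("203.0.113.9", 5555, PUBLIC_IP, 443), table)
    results["nat_ssh"] = nat_forward(Packet("203.0.113.9", 5555, PUBLIC_IP, 22), table)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The stateless filter passes the forged packet because it can only reason about ports; the stateful filter drops it because no inside host opened that connection, and accepts the genuine reply only after the outbound SYN was seen. Real stateful firewalls also age entries out and track TCP state transitions, which this sketch omits.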

Slide 9: Chapter 10b - Trusted Systems
- Subject, Object, Access Rights (permissions).
- Policy: Access matrix or ACL (access control list).
- Basic Security Rules: No read up (simple security property); No write down (do not widen accessibility); Need to Know.
- Reference Monitor, audit file, security kernel database.
- Requirements to be a "Trusted System": Complete Mediation, Isolation, Verifiability.
- "Common Criteria" Security Specifications are multi-national trust ratings.
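An added example of the slide's reference monitor (my code, not the course's): every access request passes through one check() that applies the mandatory rules (no read up, no write down) and then the discretionary ACL (need to know), and records each decision in an audit list. The clearance levels, subjects, objects and ACL in demo() are constructed.

```python
"""Reference monitor enforcing no-read-up / no-write-down plus an ACL (added example)."""
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class ReferenceMonitor:
    def __init__(self, clearances, classifications, acl):
        self.clearances = clearances            # subject -> level label (mandatory policy)
        self.classifications = classifications  # object -> level label (mandatory policy)
        self.acl = acl                          # object -> {subject: set of rights} (need to know)
        self.audit = []                         # audit file: every decision is recorded

    def check(self, subject, obj, right):
        """Complete mediation: this is the only path from a subject to an object."""
        s = LEVELS[self.clearances[subject]]
        o = LEVELS[self.classifications[obj]]
        if right == "read":
            allowed = s >= o      # no read up (simple security property)
        elif right == "write":
            allowed = s <= o      # no write down (writing to a lower level would widen access)
        else:
            allowed = False       # unknown right: default deny
        # discretionary layer: the subject must also be granted this right on the object's ACL
        allowed = allowed and right in self.acl.get(obj, {}).get(subject, set())
        self.audit.append((subject, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


def demo():
    """Constructed subjects, objects and ACL; returns each decision by name."""
    rm = ReferenceMonitor(
        clearances={"alice": "secret", "bob": "unclassified", "carol": "secret"},
        classifications={"plan": "secret", "memo": "unclassified", "ops": "top secret"},
        acl={
            "plan": {"alice": {"read", "write"}},
            "memo": {"alice": {"read", "write"}, "bob": {"read", "write"}},
            "ops": {"alice": {"read", "write"}},
        },
    )
    return {
        "alice_reads_plan": rm.check("alice", "plan", "read"),     # same level: allowed
        "alice_reads_ops": rm.check("alice", "ops", "read"),       # read up: denied
        "alice_writes_memo": rm.check("alice", "memo", "write"),   # write down: denied
        "alice_writes_ops": rm.check("alice", "ops", "write"),     # write up: allowed
        "bob_reads_plan": rm.check("bob", "plan", "read"),         # read up: denied
        "bob_reads_memo": rm.check("bob", "memo", "read"),         # allowed
        "carol_reads_plan": rm.check("carol", "plan", "read"),     # cleared, but no need to know
        "audit_entries": len(rm.audit),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Note that carol is denied although her clearance would permit the read: the mandatory rules bound what can ever be allowed, and the ACL narrows it further. The audit list is what an auditor would reconcile against the security kernel database.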

Slide 10: Chapter 11 - TCP/IP
- Bad fragments can crash the Operating System (OS): "Teardrop".
- ICMP packets: Type No. (11 = Timeout, 8 = Ping, 0 = Pong, 3 = Unreachable [Codes: 0 = Network, 1 = Host, 3 = Port]).
- "Ping of Death": a fragment extends beyond 2^16 bytes. "Smurf": Pong multiplication (Ping to a broadcast address).
- "Spoofed" addresses for flood DoS attacks (the source IP in Smurf).
- TCP Handshake: SYN, SYN-ACK, ACK / RESET / FIN, FIN. Flags: bad combinations are used to 1) map the OS, 2) cause crashes.
- TCP hijacked connection: the IP address of one host can change if the sequence numbers and acknowledgment numbers stay consistent. The original host must be DoS'ed (silenced).
- DNS: UDP port 53 is used for DNS lookups and reverse lookups. What are "Fast Flux DNS" and "DNS Cache Poisoning"?
- ARP: used by the IP layer to find the MAC-layer address to use. What is "ARP Poisoning"?
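The header checks a firewall or IDS applies against the ICMP, fragment and TCP-flag problems on this slide, as an added example (my code, not from the slides): it decodes ICMP types with the slide's table, rejects a fragment that would push the reassembled datagram past 2^16 - 1 bytes, labels TCP flag combinations that never occur in a legitimate handshake, and flags an echo request addressed to a network's broadcast address. The sample packets in audit_samples() are constructed.

```python
"""Packet header sanity checks for the attacks named on the TCP/IP slide (added example)."""
from ipaddress import ip_address, ip_network

ICMP_TYPES = {11: "Timeout", 8: "Ping", 0: "Pong", 3: "Unreachable"}
UNREACHABLE_CODES = {0: "Network", 1: "Host", 3: "Port"}
MAX_DATAGRAM = 2**16 - 1  # the IP total-length field is 16 bits


def icmp_describe(icmp_type, code=0):
    """Human-readable ICMP type (and code for type 3), using the slide's table."""
    name = ICMP_TYPES.get(icmp_type, f"Type {icmp_type}")
    if icmp_type == 3:
        return f"{name}/{UNREACHABLE_CODES.get(code, f'Code {code}')}"
    return name


def fragment_overflows(frag_offset_units, payload_len):
    """Ping-of-Death check. The fragment offset field counts 8-byte units; if this
    fragment would end beyond 65535 bytes, reassembly buffers sized for a legal
    datagram overflow, so the fragment is dropped instead of queued."""
    return frag_offset_units * 8 + payload_len > MAX_DATAGRAM


def tcp_flag_anomaly(flags):
    """Label flag combinations that no legitimate TCP segment carries, else None."""
    f = set(flags)
    if not f:
        return "null"                       # no flags at all
    if {"SYN", "FIN"} <= f:
        return "syn-fin"                    # open and close in one segment
    if {"SYN", "RST"} <= f:
        return "syn-rst"
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return "xmas"                       # "lit up" flags, no ACK
    if "FIN" in f and "ACK" not in f:
        return "fin-without-ack"            # a real FIN always acknowledges
    return None


def is_broadcast_ping(icmp_type, dst, local_net):
    """Smurf amplification needs an echo request delivered to a broadcast address;
    a border router should drop these (directed broadcast disabled)."""
    return icmp_type == 8 and ip_address(dst) == ip_network(local_net).broadcast_address


def audit_samples():
    """Constructed packets run through the checks; returns name -> finding."""
    return {
        "normal_syn": tcp_flag_anomaly(["SYN"]),
        "normal_fin": tcp_flag_anomaly(["FIN", "ACK"]),
        "syn_fin": tcp_flag_anomaly(["SYN", "FIN"]),
        "xmas": tcp_flag_anomaly(["FIN", "PSH", "URG"]),
        "null": tcp_flag_anomaly([]),
        "last_legal_fragment": fragment_overflows(8189, 20),    # ends at byte 65532
        "oversize_fragment": fragment_overflows(8189, 1480),    # would end at 66992
        "port_unreachable": icmp_describe(3, 3),
        "echo_to_broadcast": is_broadcast_ping(8, "192.0.2.255", "192.0.2.0/24"),
        "echo_to_host": is_broadcast_ping(8, "192.0.2.7", "192.0.2.0/24"),
    }


if __name__ == "__main__":
    for name, finding in audit_samples().items():
        print(f"{name:22s} {finding}")
```

Each check is cheap enough to run per packet in a filter; the flag labels are the same categories an IDS signature set uses to report OS-fingerprinting probes, and the fragment rule is why modern stacks no longer fall to the Ping of Death.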


Slide 14: HW
What was learned from homework problems?
Outside Reading:
- Lenovo: removing "Superfish" (HTTPS man-in-the-middle)
- Dell: "System Detect" vulnerability
- Apple Pay: credit card scams 7x higher than normal
- "Wipe the Drive": what to do with a compromised PC
- "Olympic Games" (Flame, Stuxnet, Iran)
- Crypto-Locker malware

Slide 15
The test will cover the slide sets 06-IP Networks.ppt, 07-SSL-SET, 08a Safer Downloading.ppt, 09a-Intrusion.ppt, 09b-Viruses, 10a-Firewalls.ppt, 10b-Trusted Systems, 11-TCP-IP.ppt, 13-Netsec Utilities.ppt, and 18-Shellcode.ppt (slides 1-11). It will not cover Simple Network Management Protocol (08-SNMP.ppt). You will be able to bring your Quiz-1 reference sheet. You should review areas you missed on Quiz-1. We discussed SSL/TLS in connection with public-private keys and secure e-mail. We did cover the SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years; it, or something like it, may be necessary in the future.