An Evening with Berferd Bill Cheswick, USENIX 1990 Presented by Chris Grier.
Presentation transcript:

Outline
- General Paper and Attack Overview
- A Simple Honeypot Design
- Why do any of this?
- Forensics: Evasion
- Forensics: Detection

Paper Overview
- Cheswick and Berferd play out a game
- Cheswick monitors an AT&T internet gateway machine
- Berferd attempts an exploit
  – Old sendmail misconfiguration problem
  – One of the bugs exploited by the Morris worm
  – Reported in 1988 according to SecurityFocus
  – Allows remote command execution as root
- Cheswick is alerted to the attempt and, instead of denying it, plays along
  – Sends a bogus copy of a password file (for cracking)
  – Traces and notifies Stanford
- What's necessary for this defense to work?
  – Infrastructure? Programs? Is Cheswick making some assumptions about the state of the system?

Attack Continues
- Berferd continues the attack and attempts to connect via rlogin
  – Wants a shell, only has access to executing shell commands
  – Inserts an account into /etc/passwd and edits the .rhosts file accordingly
- Cheswick is at the other end watching the logs produced, and eventually gives Berferd a shell
  – Customized shell, written for this purpose
  – Could contain bugs?
- Everything is set up in such a way that Berferd has no permanent impact on the running system
  – Visible aspects, fingerd – s and output

Chroot Jails and Simple Honeypots
- chroot changes the root directory
- Essentially provides a user with a limited view of the system
- A system-within-a-system type of implementation; many programs won't work
  – Devices don't exist, some things need to be copied into the new environment
  – Easy to detect the chroot environment
  – Essentially a very simple honeypot
- What are some problems with this type of honeypot?
- A lot of effort to configure; what does Cheswick gain by doing this?
- The initial honeypot required Cheswick to respond to commands and execute them on the attacker's behalf
- The configured chroot system now handles the responses and logging for Berferd's environment
- Problems with this?
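A logging fake shell of the kind the two slides above describe (the hand-answered session first, then the automated one), written here as an added example and not Cheswick's or the paper's code: every input line is recorded, answers come from a constructed in-memory filesystem, and no command ever reaches the real host, so there is nothing to escape and no real log for the intruder to touch.

```python
"""Logging fake shell in the spirit of the custom shell Cheswick gave Berferd:
every input line is recorded and answered from a canned system image; nothing
is ever executed on the real host. FAKE_FS is constructed sample data."""
import datetime
import shlex

# Constructed fake filesystem: path -> contents (None marks a directory).
FAKE_FS = {
    "/": None, "/etc": None, "/home": None, "/home/guest": None,
    "/etc/passwd": "root:x:0:0:root:/:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n",
    "/etc/motd": "gateway login banner (fake)\n",
}


class FakeShell:
    """Answers a fixed command set from FAKE_FS and logs every input line."""
    def __init__(self, user="guest"):
        self.user, self.cwd, self.log = user, "/home/" + user, []

    def _abs(self, path):
        # Resolve against cwd and normalise; '..' is deliberately unsupported.
        full = path if path.startswith("/") else self.cwd + "/" + path
        return "/" + "/".join(x for x in full.split("/") if x and x != ".")

    def run(self, line):
        """Handle one input line and return the text the intruder would see."""
        self.log.append((datetime.datetime.now(datetime.timezone.utc).isoformat(), line))
        try:
            argv = shlex.split(line)
        except ValueError:
            return "sh: syntax error"
        if not argv:
            return ""
        cmd, args = argv[0], argv[1:]
        if cmd in ("whoami", "pwd"):
            return self.user if cmd == "whoami" else self.cwd
        if cmd == "cd":
            target = self._abs(args[0]) if args else "/home/" + self.user
            if target in FAKE_FS and FAKE_FS[target] is None:
                self.cwd = target
                return ""
            return "sh: cd: %s: No such file or directory" % target
        if cmd == "ls":
            parent = (self._abs(args[0]) if args else self.cwd).rstrip("/")
            return "\n".join(sorted(p.rsplit("/", 1)[1] for p in FAKE_FS
                                    if p != "/" and p.rsplit("/", 1)[0] == parent))
        if cmd == "cat":
            return "\n".join((FAKE_FS.get(self._abs(a)) or "").rstrip("\n")
                             or "cat: %s: No such file or directory" % a for a in args)
        return "sh: %s: not found" % cmd  # rm, cc, ftp, ...: nothing else exists here
```

Because the fake image is a plain dictionary, a "modification" such as editing passwd never persists, and the `log` list is what the operator reads instead of syslog.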

Tracing Berferd
- Cheswick has a limited view of Berferd
  – Last hop before entering the network
  – Any behavioral information, such as time patterns
- Notifies Stanford, the previous hop, and CERT
- CERT is an incident response team at CMU
  – Tools and evaluations
  – Security releases
  – Education
- Contacting system administrators at incoming / outgoing locations
- It turns out Berferd was not in the U.S.; very little they can do at that point other than watch
  – Identify other systems he has broken into and repair them

Why go through all this work?
- What information does Cheswick get out of fooling Berferd?
  – Other machines were compromised
  – Types of attacks being performed
    - 0-day attacks lead to security notices
    - Configuration errors can be found and corrected
    - Level of automation
  – Some information could have been stolen or compromised
    - Particularly important for corporations and government

Forensics: Evasion
- All the information Cheswick saw came from logging
  – Are all attacks going to leave logs?
- Exploiting real machines
  – Find the vulnerability and exploit it
  – Use the vulnerability to get some type of backdoor; could be rlogin, creating a new account, installing a rootkit
    - Code execution to spawn a shell, create a user
    - Overwrite a file
  – Log in via the backdoor, squash any logs that contain evidence
    - Syslog entries, remove or obscure
    - Lastlog, wtmp, utmp
    - Shell history
    - Service-specific logs
- What about remote logging? Network IDS?

Forensics: Network Evasion
- Proxies
  – Use a proxy to provide a layer of padding between the attacker's computer and the victim
  – Pick proxies in other countries
  – Chain proxies together (this gets really slow)
- Anonymous networks
  – Tor is the main mix network used
  – Provides excellent resistance to end-to-end correlation based on watching connection information
  – Some services are intentionally blocked
- Blasting NIDS
  – Most have some pattern-type recognition
  – Most are not automatic; they notify an admin
  – Simply provide the admin with thousands of lines of logs to look through
  – NIDS typically won't pick up an attack which is not violating the protocol and does not match a fixed signature

Forensics: Detection
- Software and hardware problems
  – Crashing, slowdowns, or other odd symptoms are often viruses or backdoors
- Inconsistencies
  – Tripwire alerts to some change
  – Notice some change in /etc/passwd or another config file
- NIDS picks up suspicious connections
- Once you know you have been exploited, what's next?
  – Digging through logs for discrepancies
  – Un-deleting files
  – Open network sockets
  – Rootkit detectors
- Law enforcement won't help much
- Using the law to help can be hard
  – Usually need to prove that there was significant monetary loss
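The Tripwire-style inconsistency check from the slide above, as an added example rather than Tripwire's or Cheswick's own code: a baseline of file hashes and permission bits is taken while the host is still trusted and later snapshots are compared against it. `demo()` replays the passwd insertion and .rhosts edit from the Attack Continues slide against a constructed temporary directory standing in for /etc; all file contents are made-up sample data.

```python
"""Minimal Tripwire-style integrity check (added example, not Cheswick's code): a
baseline of hashes and metadata taken while the host is trusted is diffed against
later snapshots, which is how an inserted passwd entry or new .rhosts surfaces."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (sha256, permission bits, size) for a file, or None if absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    with open(path, "rb") as f:                 # config files are small; read whole
        digest = hashlib.sha256(f.read()).hexdigest()
    return (digest, st.st_mode & 0o7777, st.st_size)


def snapshot(paths):
    """Baseline: path -> fingerprint for every monitored file that exists."""
    return {p: fp for p in paths if (fp := fingerprint(p)) is not None}


def compare(baseline, current):
    """Report added, removed and modified paths (mtime is easy to forge, hashes are not)."""
    findings = {"added": [], "removed": [], "modified": []}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            findings["added"].append(p)
        elif p not in current:
            findings["removed"].append(p)
        elif baseline[p] != current[p]:
            findings["modified"].append(p)
    return findings


def demo():
    """Replay the Berferd-style edits on a constructed stand-in for /etc; findings by basename."""
    with tempfile.TemporaryDirectory() as etc:
        passwd, rhosts = os.path.join(etc, "passwd"), os.path.join(etc, "rhosts")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/:/bin/sh\n")
        baseline = snapshot([passwd, rhosts])       # taken while still trusted
        with open(passwd, "a") as f:                # an account is inserted
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        with open(rhosts, "w") as f:                # a trust file appears
            f.write("relay.example.org guest\n")
        findings = compare(baseline, snapshot([passwd, rhosts]))
    return {k: [os.path.basename(p) for p in v] for k, v in findings.items()}
```

The check is only as trustworthy as the stored baseline, so in practice it lives on read-only media or another host, not beside the files it guards.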

Conclusions
- Transition from getting a login to root access is relatively easy
- Interactive honeypots like the one that trapped Berferd aren't worth the effort
- A chroot environment does simulate a real system accurately enough
- Somewhat necessary at some level to monitor security incidents without letting the attacker know
  – Need to know what is involved
  – What services are being exploited
  – CERT and other advisory groups will disseminate
- Allows for studying and identifying security vulnerabilities; there is still some risk to the system