Networks Lecture 12.


1 Networks Lecture 12

2 Review – Last Lecture
Computer Crimes
Network Attacks
What should we do?

3 Review - Network Weaknesses
Why are networks vulnerable?
Reason 1: All software, including security software and patches, is insecure.
Reason 2: Almost all users, managers, programmers, and system administrators are not aware of Reason 1.
“We wouldn’t have to spend so much time, money, and effort on network security if we didn’t have such bad software security.” [Viega, 2002]

4 Review - First Step
Understand that network security is a journey, not a destination.
View security as a critical business process that addresses the ever-changing risk environment. It is not a program, but a process.
Use a combination of techniques, tools and products.

5 Outline
Computer Crimes
Typical Vulnerabilities
Typical Attack Protocols

6 Computer Crimes

7 Crimes 1
Matthew G. Devost, president of the Terrorism Research Center of Burke, Va., said his security consulting work has revealed an increase in insider attacks at companies by employees who appear to have sought their jobs specifically for that purpose. So-called insider placement only becomes apparent when illegal or disruptive systems activity is noticed, Devost said, and a sleeper agent in a sensitive position probably could not be detected beforehand.

8 Crimes 2
Once 'ExploreZip.E' gets onto a PC it e-mails itself out as an attachment in a reply to all read and unread e-mails in Microsoft Outlook with the following message: 'Hi I have received your e-mail and I shall send you a reply ASAP. Till then take a look at the attached zipped docs. bye.' A file called ZIPPED_FILES.EXE is attached which contains the worm. Once the mails are sent the worm overwrites all Microsoft Word, Excel and PowerPoint files on the PC and reduces their size to 0KB. This makes recovery of the information without back-ups very difficult, more so than if the files were simply deleted.

9 Crimes 3
Telephone hackers in Saudi Arabia broke into Texas A&M University's phone system and left voice mail messages that enabled them to make international calls charged to the school. It is not yet known how many calls were made or how much was fraudulently charged to the university, but at least five of A&M's 25,000 lines were hit. The hackers guessed the passwords to the voice mail boxes because the mail box owners had used their phone numbers as their passwords, a practice that is discouraged. The hackers then re-recorded the voice mail messages to say "Hello" when picked up. After a pause long enough for an operator to ask, "Will you accept the charges?", the message said "yes." Once the operator connected the call, the hackers could transfer it wherever they wished, all at A&M's expense.

10 Typical Vulnerabilities

11 Top 10 Lists
There are a variety of top 10 lists of vulnerabilities or exploits put out by several different organizations. For the most part they contain similar items, but they do change from month to month as new vulnerabilities and exploits are discovered. This is a summary of one of the SANS Institute's lists from early this year.

12 1. BIND
All Internet systems have a hostname and an IP address. Every home is known by its address: “Randy’s house” = hostname, “24 Main St.” = IP address.
BIND (Berkeley Internet Domain) maps hostnames to IP addresses. It’s the set of “phone books” of the Internet. Every network needs a couple of systems that run BIND. They’re called nameservers.
Old versions of BIND have security holes. The nameservers aren’t always up-to-date.
The Danger: Hackers get full control of the nameserver and can use it for anything they want.
A Solution: Make sure your version is higher than BIND patch level 5.

13 2. CGI Scripts
CGI = Common Gateway Interface. It’s the language that programmers use to display and read your input to a WWW based form. Not everyone knows how to use it, so WWW server vendors supply examples. The examples have security holes in them.
The Danger: Your WWW pages could be changed, a la DOJ, CIA, FBI, Valujet. Your WWW server could be used to attack other sites.
A Solution: Remove unsafe CGI scripts from the WWW server.

14 3. Remote Procedure Calls
RPC allows a computer to run a program on another computer. It’s used by computers that share files between them. Many client–server systems depend on the use of RPC calls. Unix systems were primarily affected, but any computer that uses the RPC subsystem is vulnerable.
The Danger: Older versions of RPC have security weaknesses that allow hackers to gain full control of your computer(s).
A Solution: Disable the RPC services if you don’t use them. Install the latest vendor patches.

15 4. Microsoft Internet Information Server
Windows NT and Windows 2000 Web servers use IIS to support web services. IIS has a component called Remote Data Services (RDS) that could allow a hacker to run remote commands with administrator privileges.
The Danger: A hacker can run commands on another system without having to access it directly.
A Solution: Read the Microsoft technical bulletins that describe how to fix the problem.

16 5. Sendmail
Sendmail is one of the original Internet email programs. It was a graduate programming project that was never designed to work in a “production” environment. It became the de facto standard. Pre-version 8.10 had security problems. Some vendors still ship Sendmail v5.65! The 1988 Internet Worm exploited a problem in sendmail. There are a lot of systems that still run that version of sendmail. Why? It works!
The Danger: Hackers can run commands on your systems without ever logging into your system. Hackers can take over your machine.
A Solution: Update to the latest version of sendmail.

17 6. Sadmind & mountd
Sadmind is used by Solaris applications to run distributed sysadmin operations. It executes the request on the server from a client program. Mountd controls file sharing across the network using NFS. This is the program that “attaches” a remote disk to your computer.
The Danger: Hackers can cause these programs to give them access to root. They can take over your machine. This was one of the primary ways hackers used to set up the systems used in the recent DDOS attacks against Yahoo, CNN and other sites.
A Solution: Install the latest vendor patches for sadmind and mountd.

18 7. Global File Sharing
You can share files between computers using tools like Network Neighborhood (Windows), AppleShare (Macintosh) or NFS (Unix). By default, the access is read-write. Anyone on the same network could access your files. In the old days the network was small, but now the network is the Internet, so anyone anywhere in the world could access your files if you let them. The problem is that you don’t always know that you’re letting them. This is a real danger to homes that have direct connect modems.
The Danger: People can get access to your personal data, for example, your checking account data (if you use MSMoney), your …, etc.
A Solution: Make sure you know what you’re sharing. Make sure you know who’s sharing the data with you.

19 8. User Accounts without Passwords
Some systems come with demo or guest accounts with no passwords or well known passwords. The initial/default password for the VMS system manager account, SYSTEM, was MANAGER. The initial password for the Field Service account, FIELD, was SERVICE. People forgot to change these passwords. The first thing hackers do is check to see if the default passwords were changed. Why waste a lot of effort if the door is unlocked?
The Danger: Someone can get complete control of your system. Someone can get access to your system via a general account and then run exploit tools on your system to get full control of it.
A Solution: Change your root and administrator passwords before the system goes into production. Run a password checking program to discover who has weak passwords on your system. Do it before the hackers do!
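The password-checking program the slide recommends can be very simple and still catch the cases this lecture describes: unchanged vendor defaults (SYSTEM/MANAGER, FIELD/SERVICE), empty guest passwords, and the voice-mail boxes in the Texas A&M case whose password was the box's own phone number. The following is an added example, not code from the lecture; the account inventory is constructed sample data and the `identifiers` field is an assumed way of attaching values such as an extension to an account.

```python
# Added example: a small audit that flags the account weaknesses the slides
# describe. Default credential pairs are the ones named on the slide; all
# account records below are constructed sample data.

# Vendor defaults named on the slide (compared case-insensitively).
DEFAULT_CREDENTIALS = {
    ("SYSTEM", "MANAGER"),
    ("FIELD", "SERVICE"),
}

def audit_account(name, password, identifiers=()):
    """Return a list of findings for one account.

    `identifiers` (assumed field) holds values tied to the account that a
    guesser would try first, e.g. the extension of a voice-mail box.
    """
    findings = []
    if password == "":
        findings.append("empty password")
    defaults = {(n.upper(), p.upper()) for n, p in DEFAULT_CREDENTIALS}
    if (name.upper(), password.upper()) in defaults:
        findings.append("vendor default password unchanged")
    if password and password.lower() == name.lower():
        findings.append("password equals account name")
    for ident in identifiers:
        if password and password == str(ident):
            findings.append(f"password equals account identifier {ident!r}")
    return findings

def audit_accounts(accounts):
    """Audit many accounts; return {name: findings} for those with problems."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct["name"], acct["password"],
                                 acct.get("identifiers", ()))
        if findings:
            report[acct["name"]] = findings
    return report

# Constructed sample inventory: two vendor accounts, a guest account,
# a voice-mail box and one account with a reasonable passphrase.
SAMPLE_ACCOUNTS = [
    {"name": "SYSTEM", "password": "MANAGER"},
    {"name": "FIELD", "password": "Gx7#pLq2"},
    {"name": "guest", "password": ""},
    {"name": "vmbox4821", "password": "4821", "identifiers": ["4821"]},
    {"name": "alice", "password": "correct horse battery staple"},
]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real inventory the check only needs the account name, the password (or a way to test candidate passwords against the stored hash) and any identifiers that belong to the account; the point of the slide is to run it before the system goes into production rather than after someone else has.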

20 9. IMAP and POP
IMAP and POP are two common protocols that provide additional features to users. They allow users to access their accounts from anywhere on the Internet. Firewalls usually allow these services to pass through the firewall. Quality control of the software is inconsistent most of the time.
The Danger: Hackers can gain access to your internal network if they can subvert IMAP or POP mail server systems. If successful, they gain complete control of your system.
A Solution: Make sure you’ve installed the latest patches. Run the services on your mail servers only.

21 10. SNMP
The Danger: Hackers can gain control of network devices such as routers. They could shut them down. They can map your network w/o your knowledge.
A Solution: Pick strong community strings (passwords) for your SNMP devices.

22 Another Top 10 List
The Open Web Application Security Project's (OWASP) latest report (Feb 2003) details the top 10 Web application vulnerabilities.
Unvalidated Parameters: Many Web applications ask users to enter information, but then the Web application doesn’t check what’s entered to make sure it isn’t malicious code designed to overload the buffer. Developers should make sure that applications check all values—that a user-entered date really looks like a date, for example.
Broken Access Control: Access control is how you “keep one user's information away from other users' information.” Many Web applications don’t handle access control very well, so the threat is that once someone does break in, they have free access to all information. To address that, write the access control policy down so that everyone knows what it is and developers can implement it. Also, “don’t use any IDs that an attacker can manipulate,” such as storing identification information in cookies or HTTP headers. An attacker can simply change the ID and the Web application might return another user’s information.
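The two OWASP items above are easy to show side by side in code. The following is an added example, not part of the lecture or of OWASP's material: a strict date validator for the "a user-entered date really looks like a date" case, and a request handler written first the way the slide warns against (the cookie itself names the user, so changing it returns another user's record) and then with an unguessable server-side session token plus an ownership check. The `STATEMENTS` records, the cookie names and the handler functions are all constructed for the example.

```python
import re
import secrets
from datetime import date

# Constructed records: which user owns which account statement.
STATEMENTS = {
    101: {"owner": "alice", "balance": "1,204.33"},
    102: {"owner": "bob", "balance": "88.10"},
}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def validate_date(text):
    """Accept only ISO-format dates that are real calendar dates.

    Returns a date object, or None for anything else (wrong shape,
    trailing garbage, or an impossible day such as 2003-02-30).
    """
    m = DATE_RE.match(text)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None

# --- The pattern the slide warns against: the cookie carries the identity
# directly, so whoever edits the cookie chooses who they are.
def statement_vulnerable(cookies, statement_id):
    user = cookies.get("user")          # attacker-controlled value
    rec = STATEMENTS.get(statement_id)
    if rec is None:
        return None
    # The ownership "check" only compares against what the cookie claims.
    return rec["balance"] if rec["owner"] == user else None

# --- Hardened pattern: the cookie carries only a random token; the server
# maps the token to a user and enforces ownership of the requested record.
SESSIONS = {}   # token -> username, kept server side only

def login(username):
    """Issue a fresh session token after (assumed) successful authentication."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
    SESSIONS[token] = username
    return token

def statement_hardened(cookies, statement_id):
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return None                     # no valid session: not authenticated
    rec = STATEMENTS.get(statement_id)
    if rec is None or rec["owner"] != user:
        return None                     # authorization decided server side
    return rec["balance"]

if __name__ == "__main__":
    print(validate_date("2003-02-28"), validate_date("2003-02-30"))
    print("forged cookie, vulnerable:", statement_vulnerable({"user": "alice"}, 101))
    print("forged cookie, hardened:", statement_hardened({"session": "guess"}, 101))
    tok = login("bob")
    print("bob, own record:", statement_hardened({"session": tok}, 102))
    print("bob, alice's record:", statement_hardened({"session": tok}, 101))
```

The hardened handler still needs the usual session hygiene the slide leaves implicit (expiry, invalidation on logout, a cookie marked for HTTPS only), but the structural point is that nothing the client sends is trusted as an identity; it is only a lookup key into state the server controls.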

23 Review – Another Top 10 List (2)
Broken account and session management: Handling credentials between a client and a server is tricky business. Make sure to restrict what authenticated users can see. The many tools for creating sessions—something HTTP can’t do, so Web applications must do it themselves—introduce numerous security risks.
Cross-site scripting (XSS) flaws: Web applications can be turned against users. Web browsers execute code that is sent from trusted Web sites, but what if an attacker could get a website to forward an attack? One possible way to do this is by entering malicious code into an online bulletin board that gets run when a user views the board. Successful attacks can reveal user session tokens to an attacker, or just attack the user’s PC. To combat it, validate as much as possible, and filter script output to remove potential problem characters.
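The bulletin-board case from the XSS item, as an added example that is not part of the lecture: one renderer drops the poster's text straight into the page markup, the other encodes the problem characters on output (the slide's "filter script output") and allow-lists the author name on input (the slide's "validate as much as possible"). The posts are constructed; the `<script>alert(1)</script>` body is the standard harmless probe used to show the difference.

```python
import html
import re

# Constructed bulletin-board posts, one of them carrying a script tag.
POSTS = [
    {"author": "carol", "body": "Anyone tried the new BIND patch?"},
    {"author": "mallory", "body": "<script>alert(1)</script>"},
]

AUTHOR_RE = re.compile(r"^[A-Za-z0-9_]{1,20}$")

def valid_author(name):
    """Input validation: author names are restricted to a small safe alphabet."""
    return AUTHOR_RE.match(name) is not None

def render_vulnerable(post):
    """Interpolates user text straight into markup: a browser would run the script."""
    return f"<p><b>{post['author']}</b>: {post['body']}</p>"

def render_escaped(post):
    """Output filtering: <, >, &, and quotes are encoded so user text is shown, not executed."""
    if not valid_author(post["author"]):
        raise ValueError("rejected author name")
    return (f"<p><b>{html.escape(post['author'])}</b>: "
            f"{html.escape(post['body'])}</p>")

def contains_live_script(markup):
    """Crude marker used here only to contrast the two renderers."""
    return "<script" in markup.lower()

if __name__ == "__main__":
    for post in POSTS:
        print("raw:    ", render_vulnerable(post))
        print("escaped:", render_escaped(post))
```

Encoding on output rather than deleting characters on input is what keeps a post such as "use a < b here" readable while still making it inert; validation is reserved for fields with a known shape, such as the author name.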

24 Review – Another Top 10 List (3)
Buffer Overflows: In some Web application components, returning a string longer than the Web application can handle can overwrite the stack and, in some cases, take over the process. Vulnerable components include CGI, some libraries, drivers, and Web application server components. To combat overflows, choose a programming language not subject to this type of error, and test all library components used thoroughly.
Command Injection Flaws: An attacker can create a malicious SQL query and then send it in like a normal request, and the Web application may attempt to execute it.
Error Handling Problems: Errors occur in Web applications all the time. Unfortunately, the error messages often contain a wealth of information for someone who wants to attack the site. In some cases, when a Web application can’t handle the error, it will crash or return explicit information.
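The command injection and error handling items above, as an added example that is not from the lecture. It builds a throwaway in-memory SQLite table (constructed data), looks a user up first by pasting the request value into the SQL text and then with a parameterized query, and wraps the safe lookup in a handler that returns only a generic message to the client while the detail goes to the server log. The `' OR '1'='1` input is the textbook illustration of the "malicious SQL query sent like a normal request" the slide describes.

```python
import logging
import sqlite3

log = logging.getLogger("app")

def make_db():
    """Constructed sample table: two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    """Request value is spliced into the SQL text, so it can change the query."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, name):
    """The value travels separately from the SQL; it can only ever be a name."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()

def handle_request(conn, name):
    """Safe lookup plus error handling that tells the client nothing useful.

    Any database error is logged with full detail on the server and turned
    into a fixed message for the client, so stack traces, table names and
    SQL fragments never reach the browser.
    """
    try:
        return {"ok": True, "rows": lookup_parameterized(conn, name)}
    except sqlite3.Error:
        log.exception("user lookup failed")
        return {"ok": False, "error": "request could not be processed"}

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))      # every row
    print("parameterized:", lookup_parameterized(conn, probe))  # no rows
    print("normal:", handle_request(conn, "alice"))
    conn.close()
    print("after failure:", handle_request(conn, "alice"))    # generic error
```

The parameterized form is not a filter that tries to spot bad characters; the database driver never treats the value as SQL, which is why it needs no list of what to block.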

25 Review – Another Top 10 List (4)
Insecure Use of Cryptography: Many Web applications use cryptography of some fashion to store sensitive information. The tricky part isn't the algorithms—they tend to be simple. The tricky part is building applications around them; it's the storing of keys, certificates and passwords that turns out to be the Achilles heel.
Remote Administration Flaws: Remote administration tools are, of course, extremely powerful. Unfortunately, a lot of organizations may not even know that their Web site can be administered remotely. Default settings may leave backdoors in Web applications that a knowledgeable attacker could exploit. The key points here are that, if possible, you should eliminate administration over the Internet. Instead, enable access, if needed, via another network—perhaps internal—or at least use strong authentication, and possibly a VPN, for administrators.
Web and Application Server Mis-configurations: Code Red and Slammer were two recent attacks that affected Web servers, preventable with proper server configuration. The basics of configuration still apply: remove default passwords, unused libraries, default SSL settings, default certificates, and verbose error messages. Look to free scanning tools to double-check that servers have all the latest patches.

26 Typical Attack Protocol

27 General Internet Attack Pattern
Somebody discovers an exploit (the majority are due to software bugs).
The exploit is seen in the wild, possibly to large effect.
Short-term workarounds; attack-specific detection/recovery.
Proper repairs to software or protocols are issued.
Over time, the majority of sites implement the repair mechanisms.
Remaining sites may be black-listed and outlawed by abiding sites.
The last step happens in the most serious cases, especially where security flaws may be exploited to attack other, well-managed sites.

28 Vulnerability Exploit Cycle
(Cycle diagram; stages in order:)
Advanced Intruders Discover Vulnerability
Crude Exploit Tools Distributed
Novice Intruders Use Crude Exploit Tools
Automated Scanning/Exploit Tools Developed
Widespread Use of Automated Scanning/Exploit Tools
Intruders Begin Using New Types of Exploits
