Copyright 2001 Marchany, SANS Institute


Slide 1
Is The Threat Real?
Randy Marchany
Network Appliance Testing Lab, VA Tech Computing Center, Blacksburg, VA
nyiia 2/2002
Copyright 2001 Marchany, SANS Institute

Slide 2
The above screenshot is an actual hacker attack on a personal computer system. This college student had a mini-cam attached to his PC. You can see the furniture in his room and you can see his girlfriend lying on the bed. He's reading a message that popped up on his desktop...

Slide 3
This is what he's reading. The Yahoo Instant Messenger note appeared on his screen: “Hi. I know we haven't talked before. This is your computer. Since I see everything in your room, I thought I'd throw you a few pointers. First, put on a shirt. PLEASE. Second...” Note that the hacker sees this desktop as well and could easily run any program on the student's computer. Notice the icons that have been blacked out: the hacker could move the cursor to any of those icons and run a program on this machine as if he were sitting at the console.

Slide 4
Need to go to a hacker site to get these tools? Nope. The above slide is a screen dump taken from my Unix workstation. All of the windows in the background are Unix. However, the one in the foreground displays the desktop of a Macintosh in my office. If I move my cursor into this window, I can look at anything running on the Mac. If someone were sitting at the Mac, I would see everything being done on that machine. The good side of the force is that this makes an excellent help desk tool.

Slide 5
The consequence of not having adequate training in place can be heavy negative publicity for a site. Here, the hackers destroyed the data on a computer in an effort to cover their tracks. This was from the Washington Post circa 1998.

Slide 6
If you try to prosecute the offenders but don't have established procedures in place, the case usually gets thrown out in court. Once this happens, the site is vulnerable to lawsuits. This Washington Post article appeared a few months after the previous one.

Slide 7
Sometimes the fact that you're one of many victims of a publicized event can make it appear as if your site was guilty of the attack. This was the Yankees.com hack that occurred right after the 2000 World Series. When people went to the Yankees www site, they saw a porno picture with the caption “Yankees Suck”. It turned out that a Tech computer had been compromised and the porno picture was left there. It took a while to convince the Yankees that Tech wasn't involved in launching the attack.

Slide 8
This is an example of the latest threat to Internet security. Network appliance boxes (black boxes) are being built with more “intelligence” and with network connectivity. Most of these boxes have limited security features enabled. These devices can be used in a DDoS attack. A recent DoS attack in New Mexico was launched from 4 networked LaserJet printers that had easy-to-guess admin passwords.

Slide 9
is a good site to see what www sites have been broken into by hackers. The interesting thing to note in the slide is the OS of the www server. This field is the 2nd from the left. Most of these attacks could have been prevented by standard system maintenance.

Slide 10
Those of you who believe that firewalls prevent illegal traffic from entering the internal network should look at this site. Tunnel programs allow someone to run programs through whatever ports the firewall allows. They do require that a program reside on the inside. How do you get that program inside? Attachments!

Slide 11
There are sites on the net where you can get all sorts of information that can scare any sysadmin.

Slide 14
is another site that likes to advertise sites that have had their www pages modified. Look at the Dairy Queen entry. There's just something about the phrase “Again!” that makes you go hmmm...

Slide 18
I entered “NT hacking” on a popular search engine and got 438 hits.

Slide 20
This is a sample BackOrifice screen shot. You select the target host in the upper left corner of the view. You select the command to run on it in the upper right window. Of course, it's password protected to prevent someone else from using your tool. BackOrifice is the oldest of these tools, and most anti-virus scanners are programmed to search for it.

Slide 21
This is a Netbus screen shot. The function keys are shown in the center part of the figure. Simply press the function button to run that command on the remote computer. You can read keystrokes, turn on the microphone to eavesdrop on conversations, examine files, run programs, etc.

Slide 22
This is a screen shot of BO2K, the newest version of these trojans. Source code is provided with the kit, so the signature of the trojan can easily be changed in order to evade anti-virus tools.

23 Pay Me Now or Pay Me Later
E = D + R
  E = amount of time you're exposed
  D = amount of time it takes to detect an attack
  R = amount of time it takes to react to an attack

Easiest way to calculate the cost of an incident: multiply average hourly wage * time * people.

Slide 24

Percent   Vulnerability   SANS Top 10 #
.77%      Webdist         #2, #4
15.5%     IMAP            #9
12.4%     Qpopper
.52%      Innd
26.1%     Tooltalk        #3, #6
10.8%     RPC_mountd
18.1%     BIND            #1
12.2%     WWW             #2
TOTAL: 735065 hosts scanned

A group called the Internet Audit Project scanned a huge number of sites in late 1998 for common vulnerabilities. The figures they cite are scary, phenomenal and typical. The SANS Top 10 threat number is shown in the right column.

Slide 25
How Easy Is It?

    % set term=cterm100
    % telnet victim.com
    Trying
    Connected to victim.com.
    Escape character is '^]'.
    UNIX(r) System V Release 4.0 (victim.com)
    # id
    uid=0(root) gid=0(root)
    #

This slide shows one of the more common trojan backdoors for Unix systems. The victim system has been previously compromised by some form of exploit, usually a buffer overflow attack. The hackers replaced some system binaries with modified versions that allow them to return to the system with full access. The first thing the hacker does at his site is set his terminal type to “cterm100”. He then telnets to the victim machine. The trojaned telnetd or login programs examine the TERM type of the incoming request and, since it's “cterm100”, bypass the password authentication step and give the hacker immediate root access. The whole sequence above takes about 15 seconds at most.
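The backdoor above only works because replaced system binaries go unnoticed. An added example (not from the slide deck) of the Tripwire-style check a sysadmin would run: record a hash, size and mode baseline of the login path on a known-clean host and compare later. The file names and the ELF-like byte strings are constructed for the demo; real targets would be paths such as the login and telnetd binaries the slide mentions.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, dict]:
    """Record hash, size and mode per path. Store the result off-host or read-only:
    an intruder with root who can swap the binary can also rewrite a local baseline."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode}
    return baseline


def verify_baseline(baseline: Dict[str, dict]) -> List[str]:
    """Return one finding per path that no longer matches the baseline."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings.append(f"{p}: missing")
            continue
        st = os.stat(p)
        if st.st_mode != expected["mode"]:  # e.g. a setuid bit that appeared
            findings.append(f"{p}: mode changed {oct(expected['mode'])} -> {oct(st.st_mode)}")
        if st.st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            findings.append(f"{p}: contents changed")
    return findings


def demo() -> List[str]:
    """Constructed scenario: baseline a fake 'login', then swap in an altered copy."""
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "login")  # stand-in for /bin/login
        with open(login, "wb") as f:
            f.write(b"\x7fELF original login")
        baseline = build_baseline([login])
        with open(login, "wb") as f:  # same size as before: only the hash reveals it
            f.write(b"\x7fELF modified login")
        return verify_baseline(baseline)


if __name__ == "__main__":
    print("\n".join(demo()) or "no changes")
```

Size and timestamp alone would miss a same-size replacement, which is why the comparison hashes the contents.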

Slide 26
Response Strategies (from RFC 2196)

Protect and Proceed, when:
- assets are not well protected
- continued penetration could result in financial risk
- willingness to prosecute is not present
- users are unsophisticated and their work is vulnerable

Pursue and Prosecute:
- allow intruders to continue their activity until the site can identify them
- recommended by law enforcement agencies, but the most difficult
- requires willingness to prosecute!!

Your organization needs to decide ahead of time how to respond to an internal or external incident. The real decision is whether or not to prosecute. More precisely, should the organization take steps that will allow it to prosecute a violator should it decide to do so? You need to settle this ground rule first, as soon as possible, since it dictates how much effort you need to spend on incident response. If you're not going to prosecute, then you don't have to ensure the safety of the computer logs. If you are going to prosecute, then you need to take adequate steps to preserve the chain of evidence. RFC 2196 is an excellent resource for guidelines on developing all the components of your site's security policy. It's a must read.

