1. Security (Part 1) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Tuesday 4/3/2007)

2. 2 Learning Objectives n Discuss types of system attacks – Scanning process – Types of attacks n Discuss system defense tools & techniques – Security goals – Defense tools and techniques

3. 3 Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31]) by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC for ; Wed, 8 Feb 2006 18:14:59 -0600 (CST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 Feb 2006 16:14:58 -0800 Message-ID: Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP; Thu, 09 Feb 2006 00:14:58 GMT X-Originating-IP: [192.30.202.14] X-Originating-Email: [macolas@hotmail.com] X-Sender: macolas@hotmail.com In-Reply-To: X-PH: V4.4@ux1 From: To: aillia@eiu.edu X-ASG-Orig-Subj: RE: FW: Same cell# Subject: RE: FW: Same cell# Date: Thu, 09 Feb 2006 00:14:58 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 09 Feb 2006 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D] X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu X-Barracuda-Spam-Score: 0.00aillia@eiu.edumacolas@hotmail.com aillia@eiu.edu

4. 4 Identifying security attacks’ targets n Scanning (Probing) – Ping messages (To know if a potential victim exist) à Firewalls usually configured to prevent pinging by outsiders – Supervisory messages (To know if victim available) – Tracert, Traceroute (To know how to get to target) http://www.netscantools.com/nstpro_netscanner.html

5. 5 Identifying security attacks’ targets n Examining scanning results reveal n IP addresses of potential victims n What services victims are running. Different services have different weaknesses n Host’s operating system, version number, etc. n Whois database at NetworkSolutions also used when ping scans failNetworkSolutions n Social engineering – Tricking employees into giving out passwords and keys n Guessing passwords and Dictionary attacks (Using Password Recovery software and other tools)

6. 6 Review Questions 1 n What do ping messages allow? Why are ping scans often not effective? n What does social engineering mean? n An organization has a DNS server with IP address 128.171.3.1. What IP address range would an attacker search to find hosts to attack?

7. 7 Types of system attacks Attacks Physical Access Attacks Wiretapping - Vandalism - Drive-by-hacking Denial-of-Service - Flooding - Smurf - Ping of death - LAND - DDoS Intercepting messages - Eavesdropping - Message alteration Malware Virus – Worms - Trojan horse - Logic bomb

8. 8 Denial of Service (DoS) attacks n Types of DoS attacks: Flooding DoS Smurf Flooding DoS Ping of Death attacks LAND attacks Distributed Denial of Service attacks

9. 9 Flooding DoS n Send a stream of request messages to the target n Makes the target run very slowly or crash n Objective is to have the target deny service to legitimate users DoS requests Server Attacker http://www.netscantools.com/nstpro_netscanner.html Legitimate user Legitimate request

10. 10 Smurf Flooding DoS n Attacker uses IP spoofing ( false source IP address in outgoing messages ) n Attacker sends ping / echo messages to third party computers on behalf of the target n All third party computers respond to target

11. 11 Ping of Death attacks n Take advantage of – Fact that TCP/IP allows large packets to be fragmented – Some operating systems’ inability to handle packets larger than 65536 bytes n Attacker sends a request message that are larger than 65,536 bytes n Ping of Death are usually single-message DoS attacks n Ping of death attacks are rare today as most operating systems have been fixed to prevent this type of attack from occurring http://insecure.org/sploits/ping-o-death.html

12. 12 LAND attacks n First, appeared in 1997 n Attacker uses IP spoofing (false source IP address in outgoing messages) n Attacker sends IP packets where the source and destination address refer to target itself. n LAND attacks are usually single-message DoS attacks n Back in time, OS and routers were not designed to deal with loopback n Problem resurfaces recently with Windows XP and Windows 2003 Server

13. 13 Distributed DoS (DDoS) Attack Server DoS Messages Computer with Zombie Computer with Zombie Attacker Attack Command Attack Command n Attacker hacks into multiple clients and plants Zombie programs on them n Attacker sends commands to Zombie programs which execute the attacks n First appeared in 2000 with Mafiaboy attack against cnn.com, ebay.com, etrade.com, dell.com, etc.

14. 14 Review Question 2 All DoS messages are requests that require a response message from the target TF DDoS can be seen as a way to launch a denial of service attack rather than a type of attack TF Single-message DoS attacks send unusual messages for which the software designer on the target device did not plan. TF Why don’t all DoS attacks use IP address spoofing to maintain anonymity?

15. 15 Intercepting messages n Eavesdropping: Intercepting confidential messages Attacker (Eve) Taps into the Conversation: Tries to Read Messages Client PC (Allex’s) Server (Steve’s) What is account #? Account number 111-2233444 Message Exchange Eavesdropping is also called Person-in-the-middle attack

16. 16 Intercepting messages n Message alteration Attacker intercepts the message, alters it and, then, forwards it Client PC Server Balance = $1.00 Balance = $1000.00 Message Exchange Balance = $1.00 Balance = $1000.00 What is the balance?

17. 17 Malware attacks n Types of malware: Viruses Worms Trojan horses Logic bombs

18. 18 Virus n Program (script, macro) that: – Attaches to files – Performs annoying actions when they are executed – Performs destructive actions when they are executed – Spreads by user actions (floppy disk, flash drive, opening email attachment, IRC, etc), not by themselves. n Could be – Boot sector virus: attaches itself to files in boot sector of HD – File infector virus: attaches itself to program files and user files – Polymorphic virus: mutates with every infection, making them hard to locate

19. 19 Worm n Does not attach to files n A self-replicating computer program that propagate across a system n Uses a host computer’s resources and network connections to transfer a copy of itself to another computer n Harms the host computer by consuming processing time and memory n Harms the network by consuming the bandwidth Q: Distinguish between viruses and worms

20. 20 Trojan horse n A computer program – That appears as a useful program like a game, a screen saver, etc. – But, is really a program designed to damage or take control of the host computer n When executed, a Trojan horse could – Format disks – Delete files – Open some TCP ports to allow a remote computer to take control of the host computer n NetBus and SubSeven used to be attackers’ favorite programs for target remote control

21. 21 Trojan horse NetBus Interface

22. 22 Logic bomb n Piece of malicious code intentionally inserted into a software system n The bomb is set to run when a certain condition is met – Passing of specified date/time – Deletion of a specific record in a database n Example: a programmer could insert a logic bomb that will function as follow: – Scan the payroll records each day. – If the programmer’s name is removed from payroll, then the logic bomb will destroy vital files weeks or months after the name removal.

23. 23 Review Questions 3 n What kind of malware is a malicious program that could allow an attacker to take control of a target computer? n What kind of malware could harm a host computer by consuming processor time and random access memory?