October 8, 2002
Bob Mahoney, MIT Network Security Team

Windows Security: Recent Threats and Responses (and whatever else comes up :-)
Information Systems Fall Forum

Who are we?
- 2 full-time IS staff
- Various IS staff who contribute occasional time upon request (begging works wonders)
- 6 student staff who give 1-10 hrs/week
- 2 voucher employees, 60-70 hrs/week total
- 12 departmental computing staff, mostly focused on local incidents
- We had the equivalent of 4.6 FTE over the Summer (something like "Full Staff")

Team Operations
- Scanning for known vulnerabilities and indications of compromise
- Advising users of vulnerable machines what steps to take
- Detecting and removing compromised hosts
- Advising IS and the community about security issues
- Acting as point of contact (POC) for outside complaints about security events at MIT

Rules of Engagement
- Any host that is known to be compromised is administratively removed from the network, and remains disconnected until investigation and/or recovery is complete.
- The system contact for a host that exhibits a known vulnerability is contacted and advised on steps to be taken to resolve the vulnerability. A date is given at this point after which unpatched systems will be disconnected.

RoE & Windows
Due to the virulence of recent Windows worms, and the wide publicity of the problem, response policies are firmer:
- Any Windows system that is vulnerable to a known IIS exploit will be disabled upon detection.
- Any Windows system with a missing or inadequate Administrator password will be disabled upon detection.

Contact Procedures
- All security-related mail is sent to the current Moira contact for the machine.
- This contact info can be updated by users at: https://nic.mit.edu/bin/hostupdate
- In non-urgent scenarios, advisories are sent without a deadline.
- Depending upon urgency, various response deadlines are set.

What are we seeing?
- More clueful attackers, generally targeting Windows machines.
- Cracking passwords, rather than guessing/stealing them.
- Attackers being much more stealthy.
- Attackers operating somewhat more 'manually', as opposed to using dumber, wider scan/attack probes.
- Attackers keeping track of machines that they have probed, presumably for later misuse.

How much of this goes on?
- 1895 security cases in the last 90 days (65% Windows, down from 78% last month)
- 264 cases currently open
- 212 cases were due to Windows worm activity
- 285 machines were disabled in the last 90 days
- 85 are currently disabled as of this morning (7 for non-security issues)
- 57 of those were "Pubstro" warez sites

What Can You Do?
- Apply all security updates ASAP.
- Make sure ALL machines in your area have correct contact information.
- Make sure all machines in your area have STRONG passwords.
- Review all machines for appropriate file-sharing configuration.

How to make this less painful:
- Don't move compromised machines
- Don't use "slush" addresses
- Don't use hubs/repeaters/switches
- Don't take shortcuts
- Don't run services you don't need
- Use your vendor's "Update Service"
- Subscribe to the security-fyi and netusers lists
- Backups, Backups, Backups!

Less painful, continued…
- Please reply-all to the mail we send you
- Don't call the Help Desk because you have received mail from us
- We do not have a number where you can call us
- Don't run IIS (Really)
- Look out for specialized machines with embedded Windows
- Please don't cry. We're already a little depressed.

Final thoughts on Pain…
- We know your system is important to you
- We aren't doing this to be annoying
- We cannot send someone out to help you recover (but can refer you to paid consultants)
- Plan ahead: how much work will it take for you to recover your critical systems RIGHT NOW?

Mailing Lists
- netusers@mit.edu = (public) Notification of maintenance events, CERT Advisories
- security-fyi@mit.edu = (public) Local security news and threat updates
- security@mit.edu = Working list for the security team. Questions or problems go here
- Mail to "<listname>-request" to join the public lists

October 8, 2002
Jon Hunt, Software Release Team

Cracking passwords, and how to make it harder
Jon Hunt, Software Release Team and Security Team
jmhunt@mit.edu

Cracking Passwords
- Active vs. Passive: both use
  – Guess (user name, machine name, blank, "test", "help", "student", "password")
  – Dictionary (high-powered guessing)
  – Brute Force (try everything)
- Tools
  – GetAcct
  – Null Sessions with SecDump
  – L0pht Crack
  – Scripts
- Italics = specific hacker (white or black hat) tool

Active Password Attack
- Hacker will try to get account information
  – GetAcct or NULL Sessions
  – If that fails, tries standard accounts: Administrator, Guest, Backup, Test, IIS…
- Repeatedly attempts to log on to the computer remotely using a script and a series of passwords

GetAcct & SecDump
- GetAcct
  – Enumerates all user information (except the password) on NT 4 & 2000 out of the box: groups, last logon, real name, password last changed, and much more
  – Do NOT know how to lock down NT 4 to stop it
  – Enter the machine name and the number of accounts you want the info for
- NULL Sessions & DumpSec
  – Similar thing, more configurable, harder to use
  – Login as a blank user: C:\>net use \\machine\ipc$ /user:"" *

If you have auditing set up, you will see something like this: [screenshot of the Security event log, not included in the transcript]
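
The screenshot is missing from the transcript, so here is an added illustration (my own code, not from the slides) of what the Security log records while a script hammers an account with guesses, and of the check a defender can run over it. The CSV-like "timestamp,event_id,account,source" export form, the hosts and accounts are constructed for the example; event 529 (logon failure: bad user name or password) and 528 (successful logon) are the NT 4/2000 Security log event IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in an assumed "timestamp,event_id,account,source"
# export form (not a real Windows log format). Event 529 is the NT/2000 Security log
# "logon failure: unknown user name or bad password" event and 528 a successful logon.
# 192.0.2.0/24 is a documentation range; the hosts and accounts are made up.
SAMPLE_LOG = """\
2002-10-08 02:14:01,529,Administrator,192.0.2.10
2002-10-08 02:14:02,529,Administrator,192.0.2.10
2002-10-08 02:14:02,529,Administrator,192.0.2.10
2002-10-08 02:14:03,529,Guest,192.0.2.10
2002-10-08 02:14:03,529,Administrator,192.0.2.10
2002-10-08 02:14:04,529,Administrator,192.0.2.10
2002-10-08 02:14:05,528,Administrator,192.0.2.10
2002-10-08 09:30:00,529,jsmith,192.0.2.20
2002-10-08 09:31:10,528,jsmith,192.0.2.20
"""

LOGON_FAILURE = 529
LOGON_SUCCESS = 528


def parse_log(text):
    """Turn the export into (timestamp, event_id, account, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, source))
    events.sort(key=lambda e: e[0])
    return events


def find_guessing_bursts(events, threshold=5, window=timedelta(minutes=30)):
    """Sources with at least `threshold` logon failures inside any `window`-long interval.

    Returns {source: (max_failures_in_one_window, first_failure_time)}. A scripted
    guesser fails many times within seconds; a user mistyping a password does not.
    """
    failures = defaultdict(list)
    for ts, eid, _account, source in events:
        if eid == LOGON_FAILURE:
            failures[source].append(ts)
    bursts = {}
    for source, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[source] = (best, times[0])
    return bursts


def successes_after_bursts(events, bursts):
    """(source, account) pairs that logged on successfully after a failure burst from
    the same source: the likeliest explanation is a guessed password."""
    hits = set()
    for ts, eid, account, source in events:
        if eid == LOGON_SUCCESS and source in bursts and ts > bursts[source][1]:
            hits.add((source, account))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_guessing_bursts(evs)
    for src, (count, first) in found.items():
        print(f"{src}: {count} failed logons in one window, starting {first}")
    for src, acct in successes_after_bursts(evs, found):
        print(f"INVESTIGATE: {acct} logged on from {src} after a guessing burst")
```

The 30-minute window mirrors the lockout interval recommended later in the deck; a success from the same source after a burst is the record you most want to find quickly, because it means the guessing worked.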

Passive Password Attack
- Sniff clear-text and hashed passwords
- Dump the SAM database (pwdump)
- Crack the passwords using L0pht Crack or other tools
- Grab from the Remote Registry (requires admin rights)

L0pht Crack from @stake
- 560,000 dictionary words in a minute
  – Unlimited dictionaries available on the web: slang, sci-fi, names, places, mythology, Yiddish, KJB, Shakespeare, common_passwds, Chinese and many more
- Brute force on a Pentium III 800 MHz
  – A-Z, 0-9 in 13 hours
  – A-Z, 0-9 and !@#$%^&*()_-+= in 5 days
  – A-Z, 0-9 and !@#$%^&*()_-+=[]{}\|:;'"<>,.?/ in 48 days
- Full version only costs $350; free 15-day trial
- Built-in sniffer for LM & NTLM hashed passwords
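
The brute-force times above are for the LM hash, which hashes each 7-character half of the uppercased password separately; that is why the 13-hour figure does not grow with password length until you pass 14 characters, where no LM hash exists at all. The following is an added worked calculation (mine, not from the slides) that derives the guess rate implied by the "A-Z, 0-9 in 13 hours" figure and compares the work to exhaust an LM hash with the work to exhaust an NTLM hash of the same password. The alphabet sizes are counted from the character sets on the slide; the rate is an inference from the slide's numbers, not a measurement.

```python
# Alphabet sizes from the slide: A-Z 0-9 (36), plus the 14 symbols !@#$%^&*()_-+= (50),
# plus the 16 symbols []{}\|:;'"<>,.?/ (66). LM hashes the password uppercased, so
# case adds nothing there; NTLM keeps case, so its letters count twice (62 with digits).
ALNUM_UPPER = 36
ALNUM_UPPER_PUNCT14 = 50
ALNUM_UPPER_PUNCT30 = 66
ALNUM_MIXED = 62

LM_HALF = 7       # LM hashes each 7-character half of the password independently
LM_MAX_LEN = 14   # no LM hash exists for longer passwords (Windows 2000 and later)


def keyspace(alphabet, max_len):
    """Number of candidate strings of length 1..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def implied_rate(alphabet, seconds):
    """Guesses per second implied by a quoted time to exhaust one 7-character LM half."""
    return keyspace(alphabet, LM_HALF) / seconds


def lm_work(alphabet, length):
    """Candidates tried to exhaust the LM hash of a `length`-character password: the
    two halves are attacked separately, so the cost is the sum of two small searches
    rather than one large one. None if no LM hash can exist for that length."""
    if length > LM_MAX_LEN:
        return None
    work = keyspace(alphabet, min(length, LM_HALF))
    if length > LM_HALF:
        work += keyspace(alphabet, length - LM_HALF)
    return work


def ntlm_work(alphabet, length):
    """Candidates tried to exhaust an NTLM hash: the whole password is one search."""
    return keyspace(alphabet, length)


def days_at(work, rate):
    """Days to try `work` candidates at `rate` guesses per second."""
    return work / rate / 86400


if __name__ == "__main__":
    rate = implied_rate(ALNUM_UPPER, 13 * 3600)     # the slide's "A-Z, 0-9 in 13 hours"
    print(f"implied guess rate: {rate:,.0f}/s")
    for alphabet in (ALNUM_UPPER_PUNCT14, ALNUM_UPPER_PUNCT30):
        print(f"{alphabet}-symbol alphabet, one LM half: "
              f"{days_at(keyspace(alphabet, LM_HALF), rate):.1f} days")
    for length in (8, 14, 15):
        lm = lm_work(ALNUM_UPPER, length)
        lm_days = "no LM hash" if lm is None else f"{days_at(lm, rate):.2f} days"
        ntlm_days = days_at(ntlm_work(ALNUM_MIXED, length), rate)
        print(f"{length} chars: LM {lm_days}, NTLM mixed-case {ntlm_days:.3g} days")
```

At the implied rate (about 1.7 million guesses per second) the 50-symbol alphabet comes out near the slide's 5 days, and a 14-character password costs at most two 7-character searches under LM but a search some ten orders of magnitude larger under NTLM, which is the whole argument for passwords of 15 characters or more and for disabling LM hash storage.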

What can you do?
- Use and require strong passwords
  – MiXeD cAse
  – Special<>characters! (in the middle is better)
  – The longer the better; over 14 characters is much harder (only works for Win2K and later)
  – Change them about every 42 days
  – Automatically lock accounts for 30 minutes after repeated failed attempts
- Enable auditing and check the logs
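
As an added example (my code, not the slides'), the password rules on this slide and the first-guess list from the earlier "Cracking Passwords" slide written out as a checker an administrator could run against proposed passwords. The minimum length of 8, the sample passwords, user name and machine name are assumptions chosen for the demonstration; the 42-day age and the 14-character LM limit come from the slides.

```python
import string
from datetime import date

SPECIALS = set(string.punctuation)
# Values the slide lists as first guesses; the user and machine names are added per check.
COMMON_GUESSES = {"", "test", "help", "student", "password"}


def check_password(pw, username="", machine="", min_len=8):
    """Return the list of policy rules `pw` breaks (an empty list means it passes)."""
    findings = []
    names = [n.lower() for n in (username, machine) if n]
    if pw.lower() in COMMON_GUESSES or any(n in pw.lower() for n in names):
        findings.append("is a common first guess (blank, test, user or machine name, ...)")
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("not mixed case")
    positions = [i for i, c in enumerate(pw) if c in SPECIALS]
    if not positions:
        findings.append("no special characters")
    elif all(i in (0, len(pw) - 1) for i in positions):
        findings.append("special characters only at the ends")
    return findings


def lm_hash_possible(pw):
    """True if the password is short enough for Windows to store an LM hash of it;
    15 characters or more defeats LM entirely (Windows 2000 and later). Note that LM
    uppercases before hashing, so mixed case only helps once LM is out of the picture."""
    return len(pw) <= 14


def change_overdue(last_changed, today, max_age_days=42):
    """Both dates as ISO strings ('2002-10-08'); True once the password is older than the policy age."""
    delta = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return delta.days > max_age_days


if __name__ == "__main__":
    # Sample candidates, user name and machine name are constructed for the demonstration.
    for candidate in ("password", "Secret1!", "corRect-hors3Battery"):
        problems = check_password(candidate, username="jsmith", machine="athena-pc")
        lm = "LM hash stored" if lm_hash_possible(candidate) else "no LM hash"
        print(f"{candidate!r}: {problems or 'OK'} ({lm})")
    print("change overdue:", change_overdue("2002-08-01", "2002-10-08"))
```

The end-position rule implements the slide's "in the middle is better": a trailing "!" or "1" is the first mutation every dictionary-based cracker tries.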

What else can you do?
- Use NTFS instead of FAT
- Apply patches
  – Windows Update: all critical updates*
  – Application vendors release patches too
- Disable stuff you do not need
  – NULL Sessions
  – LM hashes (require NTLMv2 if possible)
- Do NOT connect from Win95/98/ME
* Wait for IS's recommendation for Service Packs
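
"Disable NULL sessions" and "require NTLMv2" both come down to DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. As an added example (not from the slides or from IS), here is a small audit that reads a .reg export of that key and reports the weak state beside what the hardened one looks like. The value names RestrictAnonymous, LMCompatibilityLevel and NoLMHash are the real ones; the two exports are constructed sample states, not any real machine. NoLMHash as a DWORD value is the Windows XP/2003 form (on Windows 2000 SP2 and later it is a subkey instead, which this parser does not model).

```python
import re

LSA_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]"

# Constructed .reg exports of the Lsa key. The value names are real; the settings are
# sample states for the demonstration. Absent values mean the Windows default (0).
WEAK_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000000
"LMCompatibilityLevel"=dword:00000000
"""

HARDENED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000002
"LMCompatibilityLevel"=dword:00000005
"NoLMHash"=dword:00000001
"""

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_lsa_values(reg_text):
    """Return {value_name: int} for the DWORD values under the Lsa key of a .reg export."""
    values, in_lsa = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key section starts
            in_lsa = line == LSA_KEY
            continue
        m = DWORD_LINE.match(line)
        if in_lsa and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_lsa(values):
    """Findings for the three settings behind 'disable NULL sessions' and 'require NTLMv2'."""
    findings = []
    ra = values.get("RestrictAnonymous", 0)
    if ra < 1:
        findings.append("RestrictAnonymous=0: null sessions can enumerate accounts and shares")
    elif ra < 2:
        findings.append("RestrictAnonymous=1: enumeration restricted but some anonymous access remains; "
                        "2 (Windows 2000) blocks it entirely")
    lcl = values.get("LMCompatibilityLevel", 0)
    if lcl < 3:
        findings.append(f"LMCompatibilityLevel={lcl}: LM/NTLM responses still sent; "
                        "3 sends NTLMv2 only, 5 also refuses LM and NTLM from others")
    elif lcl < 5:
        findings.append(f"LMCompatibilityLevel={lcl}: NTLMv2 sent, but LM/NTLM from others "
                        "still accepted; 5 refuses both")
    if values.get("NoLMHash", 0) != 1:
        findings.append("NoLMHash missing or 0: LM hashes are still stored at the next password change")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{label}: {audit_lsa(parse_lsa_values(export)) or 'no findings'}")
```

Level 5 only makes sense once every client that must authenticate to the machine can speak NTLMv2, which is why the slide says "if possible" and why Win95/98/ME clients are a problem; and NoLMHash takes effect only when passwords are next changed, so it pairs with the 42-day expiry.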

What further can you do?
- Run anti-virus software and keep it up to date
- Do NOT open attachments from people you are not expecting to receive them from
- Have a BACKUP SOLUTION!!!
- Use your backup solution
- Check that your backup solution is working
  – We have seen hackers delete client data to make room for warez

What are we (IS) doing to help?
- Working on security templates
  – Make it easier to apply policies
  – Have a first pass for Windows 2000 and XP that is currently in review
- Working on guidelines: http://mit.edu/is/help/winxp/xpsecurity.html
- Scanning MITnet for basic vulnerabilities and compromises and informing the machine contact (update your machine contact info)

Should I be testing my users' passwords?
- It depends, but probably not
- More useful to set up a good policy
  – Require strong passwords
  – Set passwords to expire (e.g. 42 days)
  – Disable NULL Sessions
  – Require NTLMv2 (disable LANMAN and NTLM)
  – Run regularly updated virus scans
  – Lock out accounts after repeated failed attempts