Security (Part 1) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Tuesday 4/3/2007)
Page 1: Security (Part 1)

School of Business, Eastern Illinois University

© Abdou Illia, Spring 2007

(Week 13, Tuesday 4/3/2007)

Page 2: Learning Objectives

Discuss types of system attacks
– Scanning process
– Types of attacks

Discuss system defense tools & techniques
– Security goals
– Defense tools and techniques

Page 3: Sample email header

Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31]) by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC for <[email protected]>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 8 Feb 2006 16:14:58 -0800
Message-ID: <[email protected]>
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP; Thu, 09 Feb 2006 00:14:58 GMT
X-Originating-IP: [192.30.202.14]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
X-PH: V4.4@ux1
From: <[email protected]>
To: [email protected]: RE: FW: Same cell#
Subject: RE: FW: Same cell#
Date: Thu, 09 Feb 2006 00:14:58 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 09 Feb 2006 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
X-Barracuda-Spam-Score: 0.00

Page 4: Identifying security attacks' targets

Scanning (Probing)
– Ping messages (to know whether a potential victim exists); firewalls are usually configured to prevent pinging by outsiders
– Supervisory messages (to know whether the victim is available)
– Tracert, Traceroute (to know how to get to the target)

http://www.netscantools.com/nstpro_netscanner.html

Page 5: Identifying security attacks' targets

Examining scanning results reveals:
– IP addresses of potential victims
– What services the victims are running (different services have different weaknesses)
– The host's operating system, version number, etc.

The Whois database at NetworkSolutions is also used when ping scans fail

Social engineering
– Tricking employees into giving out passwords and keys

Guessing passwords and dictionary attacks (using password recovery software and other tools)

Page 6: Review Questions 1

What do ping messages allow? Why are ping scans often not effective?

What does social engineering mean?

An organization has a DNS server with IP address 128.171.3.1. What IP address range would an attacker search to find hosts to attack?

Page 7: Types of system attacks

– Physical access attacks: wiretapping, vandalism, drive-by hacking
– Denial of service: flooding, Smurf, ping of death, LAND, DDoS
– Intercepting messages: eavesdropping, message alteration
– Malware: virus, worms, Trojan horse, logic bomb

Page 8: Denial of Service (DoS) attacks

Types of DoS attacks:
– Flooding DoS
– Smurf flooding DoS
– Ping of Death attacks
– LAND attacks
– Distributed Denial of Service attacks

Page 9: Flooding DoS

Send a stream of request messages to the target

Makes the target run very slowly or crash

Objective is to have the target deny service to legitimate users

[Figure: the attacker sends a stream of DoS requests to the server while legitimate users' legitimate requests compete for the same server]

Page 10: Smurf Flooding DoS

Attacker uses IP spoofing (false source IP address in outgoing messages)

Attacker sends ping / echo messages to third-party computers on behalf of the target

All third-party computers respond to the target

Page 11: Ping of Death attacks

Take advantage of
– the fact that TCP/IP allows large packets to be fragmented
– some operating systems' inability to handle packets larger than 65,536 bytes

Attacker sends a request message that is larger than 65,536 bytes

Ping of Death attacks are usually single-message DoS attacks

Ping of Death attacks are rare today, as most operating systems have been fixed to prevent this type of attack

http://insecure.org/sploits/ping-o-death.html

Page 12: LAND attacks

First appeared in 1997

Attacker uses IP spoofing (false source IP address in outgoing messages)

Attacker sends IP packets where the source and destination address both refer to the target itself

LAND attacks are usually single-message DoS attacks

Back then, operating systems and routers were not designed to deal with this loopback

The problem resurfaced recently with Windows XP and Windows 2003 Server
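The LAND and Ping of Death conditions above, and the Smurf pattern from Page 10, are properties a border filter can check from a single IPv4 header. The code below is an added example, not from the slides: packets are constructed with a small helper, and the local network 192.0.2.0/24 is an assumption.

```python
import struct
from ipaddress import ip_address, ip_network

IPV4_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options
IP_MAX_LEN = 65535           # IPv4 total-length maximum (the slides round it to 65,536)


def build_ipv4(src, dst, proto=1, payload_len=64, frag_offset=0):
    """Constructed test helper: pack a header with the given fields (checksum left 0)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0x1234, frag_offset // 8,
                       64, proto, 0, ip_address(src).packed, ip_address(dst).packed)


def parse_ipv4(raw):
    vihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
            "frag_offset": (flags_frag & 0x1FFF) * 8,      # low 13 bits, in 8-byte units
            "payload_len": total_len - (vihl & 0x0F) * 4}


def classify(raw, local_net="192.0.2.0/24"):
    """Return the single-message DoS pattern a packet matches, or 'OK'."""
    p, net = parse_ipv4(raw), ip_network(local_net)
    # LAND: source and destination both name the target itself
    if p["src"] == p["dst"]:
        return "LAND"
    # Ping of Death: this fragment would end beyond the largest legal datagram,
    # so reassembly overflows on a stack that trusts the offset
    if p["frag_offset"] + p["payload_len"] > IP_MAX_LEN:
        return "PING_OF_DEATH"
    # Smurf amplification: ICMP from outside aimed at our directed broadcast address
    if p["proto"] == 1 and p["dst"] == net.broadcast_address and p["src"] not in net:
        return "SMURF_BROADCAST"
    return "OK"
```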

Page 13: Distributed DoS (DDoS) Attack

[Figure: the attacker sends attack commands to computers with Zombie programs, which in turn send DoS messages to the server]

Attacker hacks into multiple clients and plants Zombie programs on them

Attacker sends commands to the Zombie programs, which execute the attacks

First appeared in 2000 with the Mafiaboy attack against cnn.com, ebay.com, etrade.com, dell.com, etc.
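As an added example (not from the slides), the flooding DoS of Page 9 and the DDoS on this page look different in a server's request stream: one source far above any sane rate, versus many zombies each modest but large in aggregate. The sample events are constructed and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of (time_seconds, source_ip) requests seen at one server:
#  - 10.0.0.5 sends 100 requests/second for 3 s (single-source flooding DoS)
#  - twenty zombies 172.16.0.1-20 each send 10 requests in the second from t=10 (DDoS)
#  - 192.0.2.10 and 192.0.2.11 are legitimate users sending a request or two
SAMPLE_REQUESTS = (
    [(t * 0.01, "10.0.0.5") for t in range(300)]
    + [(10 + t * 0.1, f"172.16.0.{z}") for z in range(1, 21) for t in range(10)]
    + [(0.5, "192.0.2.10"), (1.5, "192.0.2.10"), (2.5, "192.0.2.11")]
)


def analyze_requests(events, window=1.0, per_source_limit=50, aggregate_limit=150):
    """Slide a window over the request stream and classify what it contains.

    Returns (flooders, distributed): flooders is the set of sources that alone
    exceed per_source_limit requests in some window (flooding DoS); distributed
    is True if some window exceeds aggregate_limit in total while no single
    source exceeds its own limit, the DDoS signature of many modest zombies.
    Thresholds are assumptions for the sample; tune them per service.
    """
    events = sorted(events)
    flooders, distributed = set(), False
    for i, (t0, _) in enumerate(events):
        per_source = defaultdict(int)
        j = i
        while j < len(events) and events[j][0] < t0 + window:
            per_source[events[j][1]] += 1
            j += 1
        heavy = {src for src, n in per_source.items() if n > per_source_limit}
        flooders |= heavy
        if not heavy and (j - i) > aggregate_limit:
            distributed = True
    return flooders, distributed


if __name__ == "__main__":
    print(analyze_requests(SAMPLE_REQUESTS))  # ({'10.0.0.5'}, True)
```

Blocking the flooder is a one-line firewall rule; the distributed case has no single address to block, which is why DDoS is treated as a way of launching an attack rather than a new kind of message.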

Page 14: Review Question 2

All DoS messages are requests that require a response message from the target. (T / F)

DDoS can be seen as a way to launch a denial of service attack rather than a type of attack. (T / F)

Single-message DoS attacks send unusual messages for which the software designer on the target device did not plan. (T / F)

Why don’t all DoS attacks use IP address spoofing to maintain anonymity?

Page 15: Intercepting messages

Eavesdropping: intercepting confidential messages

[Figure: message exchange between a client PC (Alex's) and a server (Steve's): "What is account #?" / "Account number 111-2233444"; the attacker (Eve) taps into the conversation and tries to read the messages]

Eavesdropping is also called a person-in-the-middle attack

Page 16: Intercepting messages

Message alteration

Attacker intercepts the message, alters it and then forwards it

[Figure: the client PC asks the server "What is the balance?"; the server replies "Balance = $1.00", the attacker alters the reply in transit, and the client receives "Balance = $1000.00"]
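An added example (not from the slides) of how the client can detect the alteration shown above: the server appends a keyed MAC to each reply, so a person-in-the-middle who rewrites the balance cannot produce a matching tag. The shared key and the frame format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice it comes from key exchange (e.g. TLS), not a constant
SHARED_KEY = secrets.token_bytes(32)


def server_reply(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Server side: frame = message | hex(HMAC-SHA256(key, message))."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def client_verify(frame: bytes, key: bytes = SHARED_KEY):
    """Client side: return the message if its tag verifies, otherwise None (reject)."""
    message, sep, tag = frame.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    # constant-time comparison so the check itself leaks nothing about the tag
    return message if hmac.compare_digest(expected, tag) else None


def exchange(in_transit=None):
    """Run the balance query from Page 16; in_transit models Eve's edit to the reply."""
    frame = server_reply(b"Balance = $1.00")
    if in_transit is not None:
        frame = in_transit(frame)
    return client_verify(frame)


if __name__ == "__main__":
    print(exchange())                                            # b'Balance = $1.00'
    print(exchange(lambda f: f.replace(b"$1.00", b"$1000.00")))  # None: altered, rejected
```

The tag gives integrity only: Eve can still read the balance in transit, so the eavesdropping of Page 15 additionally needs the frame encrypted.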

Page 17: Malware attacks

Types of malware:
– Viruses
– Worms
– Trojan horses
– Logic bombs

Page 18: Virus

Program (script, macro) that:
– Attaches to files
– Performs annoying actions when executed
– Performs destructive actions when executed
– Spreads by user actions (floppy disk, flash drive, opening an email attachment, IRC, etc.), not by itself

Could be
– Boot sector virus: attaches itself to files in the boot sector of the HD
– File infector virus: attaches itself to program files and user files
– Polymorphic virus: mutates with every infection, making it hard to locate

Page 19: Worm

Does not attach to files

A self-replicating computer program that propagates across a system

Uses a host computer's resources and network connections to transfer a copy of itself to another computer

Harms the host computer by consuming processing time and memory

Harms the network by consuming bandwidth

Q: Distinguish between viruses and worms

Page 20: Trojan horse

A computer program
– that appears to be a useful program, like a game, a screen saver, etc.
– but is really a program designed to damage or take control of the host computer

When executed, a Trojan horse could
– Format disks
– Delete files
– Open some TCP ports to allow a remote computer to take control of the host computer

NetBus and SubSeven used to be attackers' favorite programs for remote control of a target

Page 21: Trojan horse

[Figure: screenshot of the NetBus interface]

Page 22: Logic bomb

Piece of malicious code intentionally inserted into a software system

The bomb is set to run when a certain condition is met
– Passing of a specified date/time
– Deletion of a specific record in a database

Example: a programmer could insert a logic bomb that functions as follows:
– Scan the payroll records each day.
– If the programmer's name is removed from the payroll, the logic bomb destroys vital files weeks or months after the name's removal.

Page 23: Review Questions 3

What kind of malware is a malicious program that could allow an attacker to take control of a target computer?

What kind of malware could harm a host computer by consuming processor time and random access memory?
