Sanjay Goel, School of Business, University at Albany
Security Threats: Network Based Attacks
Lecture 2
George Berg/Sanjay Goel
University at Albany
Administrivia
• Starting next week, we will meet in BA 349.
– A conference room, in keeping with the topics of the next 3 classes.
Administrivia
• I have to be away on Tuesday the 16th.
– I propose we have that week’s class on Thursday the 18th.
– That would make the schedule:
• Tuesday, March 9th
• Thursday, March 18th
• Tuesday, March 23rd
Network Based Attacks: Types
• Self-Propagating Programs
• Spoofing
• Session Hijacking
• Buffer Overflow
Self-Propagating Programs: Types
• Behavior: Self-replicate and propagate through the network.
• Basic Types:
– Virus
– Worm
– Trojan Horse
• Many variants of the basic types exist.
Self-Propagating Programs: Types
• Self-replicating programs attach themselves parasitically to existing programs in order to propagate.
• They consist of two parts:
– Viral Portion
– Payload
• The program spreads by creating replicas of itself and attaching them to other executable programs to which it has write access.
Self-Propagating Programs: Types
• Viral Portion: When a user executes an infected program (e.g. runs an infected executable file or boots from a disk with an infected boot sector), the viral portion of the code typically executes first; control then returns to the original program, which executes normally.
Self-Propagating Programs: Types
• Payload: The action that a self-replicating program performs.
– It may be benign, such as printing a weird message or playing music, or malicious, such as destroying data or corrupting the hard disk.
– Unless there is a visible payload that the user observes, s/he is not likely to notice the malicious program.
Self-Propagating Programs: Types
• Polymorphic Viruses: Viruses that modify themselves prior to replicating.
– These are hard to detect since they are constantly changing their signature.
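The point of the polymorphism slide, shown in code. This is an added illustration for the lecture, not code from the slides: the "viral body" is an inert, constructed byte string (no executable code), and the decoder stub is modelled as a data record that carries its own XOR key, the way a real decryptor carries the key it needs to restore the body. The assumption is that the scanner vendor fingerprints the first 8 bytes of the body as its signature.

```python
"""Why a fixed byte signature misses a self-modifying (polymorphic) replica,
and what a scanner has to do instead (run the decoder, then look)."""
import os
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the fixed bytes of a viral body (not real code).
PAYLOAD = bytes.fromhex("9090eb1f5e89760831c088460789460c")
SIGNATURE = PAYLOAD[:8]          # assumption: what the scanner fingerprints


@dataclass(frozen=True)
class Replica:
    """One copy on disk: the decoder's key plus the encoded body."""
    key: int      # one-byte XOR key, chosen afresh for every copy
    body: bytes   # PAYLOAD with every byte XORed against key


def make_replica(key: Optional[int] = None) -> Replica:
    """Replicate: identical behaviour once decoded, different bytes on disk."""
    if key is None:
        key = os.urandom(1)[0] or 0x5A   # key 0 would leave the body unchanged
    return Replica(key=key, body=bytes(b ^ key for b in PAYLOAD))


def decode(r: Replica) -> bytes:
    """What the decoder stub does at run time."""
    return bytes(b ^ r.key for b in r.body)


def static_scan(r: Replica) -> bool:
    """Signature scanner: searches the bytes exactly as stored."""
    return SIGNATURE in r.body


def emulating_scan(r: Replica) -> bool:
    """Generic-decryption scanner: runs the decoder first, then searches."""
    return SIGNATURE in decode(r)


def demo(keys=(0x11, 0x22, 0x33, 0x44)) -> dict:
    """Four replicas of the same body: none share bytes, none match the static
    signature, all match once decoded."""
    replicas = [make_replica(k) for k in keys]
    return {
        "copies": len(replicas),
        "distinct_on_disk": len({r.body for r in replicas}),
        "static_hits": sum(static_scan(r) for r in replicas),
        "emulated_hits": sum(emulating_scan(r) for r in replicas),
        "all_decode_identically": all(decode(r) == PAYLOAD for r in replicas),
    }


if __name__ == "__main__":
    print(demo())
```

The decoder record itself is the weak point a real polymorphic engine has to hide as well (junk instructions, register renaming), which is why scanners moved from byte signatures to emulation and behavioural monitoring.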
Self-Propagating Programs: Types
• Worms are another form of self-replicating program that can spread automatically.
– They do not need a carrier program.
– They replicate by spawning copies of themselves.
• They find and exploit software vulnerabilities in order to spread.
– e.g. in mail servers, database servers, etc.
– More complex and much harder to write than virus programs.
Virus: Basics
• Definition: Malicious software that attaches itself to other software.
• Typical Behavior:
– Replicates within a computer system, potentially attaching itself to every other program.
– Behavior categories: e.g. Innocuous, Humorous, Data altering, Catastrophic.
Virus: Targets & Prevention
• Vulnerabilities: All computers
• Common Categories:
– Boot sector
– Terminate and Stay Resident (TSR)
– Application software
– Stealth (or Chameleon)
• Prevention:
– Limit connectivity
– Limit downloads
– Use only authorized media for loading data and software
– Enforce mandatory access controls
• Viruses generally cannot run unless the host application is running.
Virus: Protection
• Detection:
– Changes in file sizes or date/time stamps
– Computer is slow starting or slow running
– Unexpected or frequent system failures
– Change of system date/time
– Increased computer memory usage
– Increased bad blocks on disks
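"Changes in file sizes or date/time stamps" is what a file-integrity baseline checks automatically. The example below is added for this lecture and is not code from the slides; the "programs" are constructed files in a temporary directory so it runs offline. It also shows the caveat a practitioner wants: size and mtime are attacker-controlled, so only the content hash is authoritative.

```python
"""File-integrity baseline: snapshot size, mtime and SHA-256 of every file,
then classify what changed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[int, int, str]   # (size, mtime_ns, sha256)


def snapshot(root: Path) -> Dict[str, Entry]:
    """Record size, modification time and content hash of every file under root."""
    baseline: Dict[str, Entry] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, digest)
    return baseline


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify each file. The hash decides: an infector that keeps the file
    the same length and resets mtime still changes the hash."""
    report: Dict[str, List[str]] = {"modified": [], "touched_only": [], "added": [], "removed": []}
    for name, (size, mtime, digest) in new.items():
        if name not in old:
            report["added"].append(name)
        elif digest != old[name][2]:
            report["modified"].append(name)
        elif (size, mtime) != old[name][:2]:
            report["touched_only"].append(name)   # metadata changed, content identical
    report["removed"] = [n for n in old if n not in new]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three stand-in executables, four kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("ls", "cat", "sh"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\nexec /usr/bin/" + name.encode() + b" \"$@\"\n")
        before = snapshot(root)

        # 1. Plain parasitic infection: viral portion prepended, original kept after it.
        ls = root / "bin" / "ls"
        ls.write_bytes(b"# viral portion runs first\n" + ls.read_bytes())

        # 2. Stealth infection: same length, and mtime restored afterwards.
        cat = root / "bin" / "cat"
        st = cat.stat()
        cat.write_bytes(cat.read_bytes()[:-1] + b"#")        # overwrite the last byte only
        os.utime(cat, ns=(st.st_atime_ns, st.st_mtime_ns))

        # 3. Harmless metadata change: content identical, timestamp bumped by one second.
        sh = root / "bin" / "sh"
        st = sh.stat()
        os.utime(sh, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))

        # 4. Dropped file.
        (root / "bin" / ".dropper").write_bytes(b"x")

        return compare(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Case 2 is the one the slide's size/timestamp heuristic cannot see; a baseline stored off-host (or signed) is what keeps the comparison trustworthy after the system itself has been compromised.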
Virus: Protection
• Countermeasures:
– Overall strategy: contain, identify and recover.
– Anti-virus scanners: look for known viruses.
– Anti-virus monitors: look for virus-related application behaviors.
– Attempt to determine the source of infection and issue an alert.
Worm: Basics
• Definition: Malicious software which is a stand-alone application (i.e. can run without a host application).
• Typical Behavior: Often designed to propagate through a network, rather than just a single computer.
• Vulnerabilities: Multitasking computers, especially those employing open network standards.
Worm: Prevention & Detection
• Prevention:
– Limit connectivity
– Employ firewalls
– Maintain software in a secure state
– Watch for alerts
• Detection:
– Computer is slow starting or slow running
– Unexpected or frequent system failures
• Countermeasures:
– Overall methodology: contain, identify and recover
– Attempt to determine the source of the infection and issue an alert
Worm: Example
• In November of 1988, a self-propagating worm known as the Internet Worm was released onto the ARPANET by Robert Morris Jr.
• It ‘attached’ itself to the computer system rather than to a single program.
Worm: Example
• Process:
– The worm obtained a new target machine name from the host it had just infected and then attempted to get a shell program running on the target machine.
– The worm used several means to get the shell program running.
– It primarily exploited errors in two network-connected server programs:
• the sendmail daemon (a debug option left enabled in the program release), and
• the ‘finger’ daemon.
– It also attacked weak passwords.
Worm: Example
– The shell program served as a beachhead and was used to download several binary executables that were used to crack passwords.
– A common password dictionary and the system dictionary were used for password cracking.
– The worm then attacked a new set of target hosts using any cracked accounts it had obtained from the current host.
Worm: Example
• The worm was also designed to be stealthy.
• If the beachhead program was unable to fully infect a machine, it deleted itself and the other files it had created.
• The worm ran in memory, leaving little trace on disk.
• The worm changed its name and process ID frequently, so as to avoid showing long run times or large CPU usage.
Worm: Example
• The worm was (supposedly) not intended to be malicious and did not harm any data on the systems it infected.
• A bug prevented the worm from always checking whether a host was already infected, so hosts were infected repeatedly and the worm overloaded the computers it infected.
Trojan Horse: Basics
• Definition: A worm which pretends to be a useful program, or a virus which is purposely attached to a useful program prior to distribution.
• Typical Behaviors: Same as Virus or Worm, but also sometimes used to send information back to, or make information available to, the perpetrator.
• Vulnerabilities:
– Unlike Worms, which self-propagate, Trojan Horses require user cooperation.
– Untrained users are vulnerable.
Trojan Horse: Prevention and Detection
• Prevention:
– User cooperation allows Trojan Horses to bypass automated controls.
– User training is the best prevention.
• Detection: Same as Virus and Worm
• Countermeasures:
– Same as Virus and Worm
– An alert must be issued, not only to other system administrators, but to all network users.
Time Bomb: Basics
• Definition: A Virus or Worm designed to activate at a certain date/time.
• Typical Behaviors: Same as Virus or Worm, but widespread throughout the organization upon the trigger date.
• Vulnerabilities:
– Same as Virus and Worm
– Time Bombs are usually found before the trigger date.
Time Bomb: Prevention and Detection
• Prevention:
– Run the associated anti-viral software immediately as it becomes available.
• Detection:
– Correlate user problem reports to find patterns indicating a possible Time Bomb.
• Countermeasures:
– Contain, identify and recover
– Attempt to determine the source of infection and issue an alert
Logic Bomb: Basics
• Definition: A Virus or Worm designed to activate under certain conditions.
• Typical Behaviors: Same as Virus or Worm
• Vulnerabilities: Same as Virus and Worm
• Prevention: Same as Virus and Worm
• Detection: Correlate user problem reports indicating a possible Logic Bomb
• Countermeasures:
– Contain, identify and recover
– Determine the source and issue an alert
Rabbit: Basics
• Definition: A worm designed to replicate to the point of exhausting computer resources.
• Typical Behaviors: A rabbit consumes all CPU cycles, disk space or network resources, etc.
• Vulnerabilities: Multitasking computers, especially those on a network.
Rabbit: Prevention & Detection
• Prevention:
– Limit connectivity
– Employ firewalls
• Detection:
– Computer is slow starting or running
– Frequent system failures
• Countermeasures:
– Contain, identify and recover
– Determine the source and issue an alert
Bacterium: Basics
• Definition: A virus designed to attach itself to the OS in particular (rather than to any application program) and exhaust computer resources, especially CPU cycles.
• Typical Behaviors: The operating system consumes more and more CPU cycles, resulting eventually in noticeable delay in user transactions.
• Vulnerabilities: Older versions of operating systems are more vulnerable than newer versions, since attackers have had more time to write Bacteria for them.
Bacterium: Prevention and Detection
• Prevention:
– Limit write privileges and opportunities to OS files
– System administrators should work from non-admin accounts whenever possible.
• Detection:
– Changes in OS file sizes, date/time stamps
– Computer is slow in running
– Unexpected or frequent system failures
• Countermeasures:
– Anti-virus scanners: look for known viruses
– Anti-virus monitors: look for virus-related system behaviors
Spoofing: Basics
• Definition: A computer on a network pretends to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.
Spoofing: Basics
• Typical Behaviors: The spoofing computer often doesn’t have access to user-level commands, so attempts to use automation-level services, such as email or message handlers, are employed to implement its attack.
• Vulnerabilities: Automation services designed for network interoperability are especially vulnerable, especially those adhering to open standards.
Spoofing: Types
• IP Spoofing: Typically involves sending packets with spoofed IP addresses to machines to fool the machine into processing the packets.
• Types of IP spoofing:
– Basic address change
– Use of source routing to intercept packets
– Exploiting trust relationships on Unix machines
• Email Spoofing: Attacker sends messages masquerading as someone else.
• Techniques for email spoofing:
– Fake email accounts
– Changing email configuration
– Telnet to mail port
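"Telnet to mail port" works because SMTP lets the sender write any From: line it likes. The receiving side's check, added here as an example for this lecture (not code from the slides), is to compare the visible From: domain with the envelope sender (Return-Path) and with the host that handed the message over (first Received: header). Both messages below are constructed. This is the identifier-alignment test that DMARC applies; a real deployment also verifies SPF and DKIM through DNS, which an offline example cannot do.

```python
"""Email-spoofing check: does the From: header agree with the envelope sender
and the relaying host?"""
import email
import re
from email.utils import parseaddr
from typing import Dict

# Constructed: sent through the attacker's own relay with a forged From: header.
SPOOFED = b"""Return-Path: <bounce@mailer.evil.example>
Received: from mailer.evil.example (mailer.evil.example [192.0.2.10])
\tby mx.example.com with SMTP; Tue, 9 Mar 2004 10:00:00 -0500
From: "The CEO" <ceo@example.com>
To: staff@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed: genuine mail, envelope and header agree.
GENUINE = b"""Return-Path: <alice@example.com>
Received: from smtp.example.com (smtp.example.com [198.51.100.7])
\tby mx.example.com with SMTP; Tue, 9 Mar 2004 10:05:00 -0500
From: Alice <alice@example.com>
To: staff@example.com
Subject: Lunch

Noon?
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def relaxed_aligned(a: str, b: str) -> bool:
    """Approximation of DMARC 'relaxed' alignment: same domain, or one is a
    subdomain of the other. (DMARC proper uses the Public Suffix List.)"""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def check_alignment(raw: bytes) -> Dict[str, object]:
    """Extract the three identities a receiver can see and test them against each other."""
    msg = email.message_from_bytes(raw)
    header_from = domain_of(parseaddr(str(msg.get("From", "")))[1])
    envelope_from = domain_of(parseaddr(str(msg.get("Return-Path", "")))[1])
    received = str(msg.get("Received", "") or "")
    m = re.search(r"from\s+([A-Za-z0-9.-]+)", received)
    relay = m.group(1).lower() if m else ""
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "relay": relay,
        "aligned": relaxed_aligned(header_from, envelope_from),
        "relay_in_from_domain": relaxed_aligned(header_from, relay),
    }


if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE):
        print(check_alignment(raw))
```

An attacker who controls the relay can forge the Return-Path too, which is why the alignment result only becomes evidence once SPF (is this relay allowed to send for the envelope domain?) or DKIM (did the From: domain sign the message?) has passed.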
Spoofing: Types
• Web Spoofing: Assume the web identity and control traffic to and from the web server.
• Several types of attacks:
– Basic: Setting up fake sites
– Man-in-the-Middle Attack
– URL Rewriting
– Tracking State
Spoofing: Prevention and Detection
• Prevention:
– Limit system privileges of automation services to the absolute minimum necessary
– Upgrade via security patches as they become available
• Detection:
– Monitor transaction logs of automation services, scanning for unusual behaviors
• Countermeasures:
– Disconnect automation services until patched
– Monitor automation access points, such as network sockets, scanning for the next spoof, in an attempt to track the perpetrator
Masquerade: Basics
• Definition: Accessing a computer by pretending to have an authorized user identity.
• Typical Behaviors: The masquerading user often employs network or administrator command functions to access even more of the system, e.g., by attempting to download password or routing tables.
• Vulnerabilities: Placing false or modified login prompts on a computer is a common way to obtain user IDs, as are Snooping, Scanning and Scavenging.
Masquerade: Prevention and Detection
• Prevention:
– Limit user access to network or administrator command functions
– Implement multiple levels of administrators, with different, restricted privileges for each.
• Detection:
– Correlate user identification with shift times or increased frequency of access
– Correlate user command logs with administrator command functions
• Countermeasures:
– Change the user password, or use standard administrator functions to determine the access point, then trace back to the perpetrator
Session Hijacking: Basics
• Definition: The attacker takes over an existing active session and exploits the existing trust relationship.
Session Hijacking: Basics
• Process:
– The user makes a connection to the server by authenticating with his user ID and password.
– After the user authenticates, he has access to the server as long as the session lasts.
– The hacker takes the user offline (e.g. by denial of service).
– The hacker gains access to the server by impersonating the user.
• Typical Behaviors: The attacker usually monitors the session, periodically injects commands into the session, and can launch passive and active attacks from the session.
Session Hijacking: Process
[Diagram: Bob telnets to the Server and authenticates. The Attacker sends “Die!” to Bob to knock him offline, then sends “Hi! I am Bob” to the Server and continues the session in Bob’s place.]
• Protection:
– Use encryption
– Use a secure protocol
– Limit incoming connections
– Minimize remote access
– Have strong authentication
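What "use a secure protocol" buys against the attack in the diagram. The example below is added for this lecture and is not code from the slides: both ends of a constructed command session run in one process, the attacker is handed a copy of every message on the wire (a sniffer) but not the session key, and the key agreement at login is assumed rather than shown. In "plain" mode the server behaves like telnet and trusts anything that arrives after login; in "mac" mode every command carries an HMAC over a sequence counter and the command.

```python
"""Session hijacking against a plaintext session versus a session whose
messages are authenticated with a per-message MAC and counter."""
import hashlib
import hmac
import os
from typing import Dict, List


class Server:
    """'plain': execute whatever arrives after login (the telnet model).
    'mac': execute only if the MAC over (counter, command) verifies and the
    counter is the one expected next."""

    def __init__(self, mode: str, key: bytes = b"") -> None:
        self.mode, self.key = mode, key
        self.expected_ctr = 0
        self.executed: List[str] = []

    def receive(self, msg: Dict) -> bool:
        if self.mode == "mac":
            tag = hmac.new(self.key, f"{msg['ctr']}|{msg['cmd']}".encode(), hashlib.sha256).digest()
            if msg["ctr"] != self.expected_ctr or not hmac.compare_digest(tag, msg["mac"]):
                return False          # forged, replayed or reordered: dropped
            self.expected_ctr += 1
        self.executed.append(msg["cmd"])
        return True


class Client:
    def __init__(self, mode: str, key: bytes = b"") -> None:
        self.mode, self.key, self.ctr = mode, key, 0

    def send(self, cmd: str) -> Dict:
        if self.mode == "plain":
            return {"cmd": cmd}
        msg = {"ctr": self.ctr, "cmd": cmd,
               "mac": hmac.new(self.key, f"{self.ctr}|{cmd}".encode(), hashlib.sha256).digest()}
        self.ctr += 1
        return msg


def run_session(mode: str) -> Dict:
    """Bob runs two commands; the attacker then injects one and replays one."""
    key = os.urandom(32) if mode == "mac" else b""   # assumed: agreed at login, unknown to the attacker
    server, bob = Server(mode, key), Client(mode, key)
    wire: List[Dict] = []                              # the attacker's sniffer copy
    for cmd in ("ls", "cat notes.txt"):
        msg = bob.send(cmd)
        wire.append(dict(msg))
        server.receive(msg)

    # Attacker step 1: inject a command in the sniffed message format.
    forged = dict(wire[-1])
    forged["cmd"] = "cat /etc/shadow"
    if mode == "mac":
        forged["ctr"] = wire[-1]["ctr"] + 1    # the counter is guessable; the MAC is not
    injected_ok = server.receive(forged)

    # Attacker step 2: replay Bob's last genuine message verbatim.
    replay_ok = server.receive(dict(wire[-1]))

    return {"executed": list(server.executed),
            "injected_accepted": injected_ok,
            "replay_accepted": replay_ok}


if __name__ == "__main__":
    print(run_session("plain"))
    print(run_session("mac"))
```

SSH and TLS do exactly this per record (a MAC or AEAD tag plus an implicit sequence number), with encryption on top for confidentiality. Note what it does not fix: the "Die!" step still works, because integrity protection says nothing about availability.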
Session Hijacking: Popular Programs
• Juggernaut
– Network sniffer that can also be used for hijacking
– Get from http://packetstorm.securify.com
• Hunt
– Can be used to listen, intercept and hijack active sessions on a network
– http://lin.fsid.cvut.cz/~kra/index.html
• TTY Watcher
– Freeware program to monitor and hijack sessions on a single host
– http://www.cerias.purdue.edu
• IP Watcher
– Commercial session hijacking tool based on TTY Watcher
– http://www.engrade.com
Buffer Overflow Attacks: Basics
• Definition: The attacker tries to store more information on the stack than the size of the buffer. This causes a malfunction in the computer program which the attacker exploits to execute malicious code.
Buffer Overflow Attacks: Basics
• Typical Behaviors: Can be used against many network services. Can be used for denial of service (easier to do) or to obtain privileges on a machine (harder).
• Vulnerabilities: Takes advantage of the way in which information is stored by computer programs. Programs which do not have rigorous bounds checks on memory writes in their code are vulnerable to this attack.
Buffer Overflow Attacks: Basics
• Scenario: If the memory allocated for a name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters.
• Impact: Can be used for espionage, denial of service or compromising the integrity of the data.
• Some vulnerable software:
– NetMeeting Buffer Overflow
– Outlook Buffer Overflow
– AOL Instant Messenger Buffer Overflow
– SQL Server 2000 Extended Stored Procedure Buffer Overflow
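The 50-character scenario made concrete. This is an added example for the lecture, not code from the slides; the struct layout (a 50-byte name buffer followed by a privilege flag) is constructed for the demo. C is the natural language for this, but ctypes keeps the page in one language while still performing a real write into the neighbouring field, as an unchecked strcpy would. The write is deliberately kept inside the struct so the interpreter's own heap is never corrupted.

```python
"""A fixed-size name buffer overflowed into the field that follows it, beside
the length-checked version that refuses the input."""
import ctypes

NAME_LEN = 50


class LoginRecord(ctypes.Structure):
    _fields_ = [("name", ctypes.c_char * NAME_LEN),   # the 50-character buffer
                ("is_admin", ctypes.c_uint32)]        # whatever happens to sit after it


def store_name_unchecked(rec: LoginRecord, data: bytes) -> None:
    """Behaves like strcpy(rec->name, data): copies every byte of the input
    into the buffer without looking at the buffer's size."""
    # Demo-only guard: stay inside this struct so nothing outside it is hit.
    # The overflow from name into is_admin still happens.
    assert len(data) <= ctypes.sizeof(rec), "demo input must not exceed the struct"
    ctypes.memmove(ctypes.addressof(rec), data, len(data))


def store_name_checked(rec: LoginRecord, data: bytes) -> bool:
    """Hardened form: reject input that does not fit, leaving room for the terminator."""
    if len(data) >= NAME_LEN:
        return False
    rec.name = data          # ctypes pads the rest of the buffer with NULs
    return True


def overflow_demo() -> dict:
    """Send a 'name' that fills the buffer and the padding up to is_admin, then
    writes the value 1 (native byte order) on top of the flag."""
    payload = b"A" * LoginRecord.is_admin.offset + bytes(ctypes.c_uint32(1))

    unchecked = LoginRecord(name=b"bob", is_admin=0)
    store_name_unchecked(unchecked, payload)

    checked = LoginRecord(name=b"bob", is_admin=0)
    accepted = store_name_checked(checked, payload)

    return {"input_length": len(payload),
            "unchecked_is_admin": unchecked.is_admin,
            "checked_accepted": accepted,
            "checked_is_admin": checked.is_admin,
            "checked_name": checked.name}


if __name__ == "__main__":
    print(overflow_demo())
```

In a real process the bytes after the buffer are whatever the compiler placed there; for a stack buffer that is typically the saved return address, which is how "execute malicious code" follows from "more than 50 characters". The hardened form is what a length check before the copy (or a size-bounded copy such as snprintf) gives you.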
Denial of Service: Basics
• Definition: An attack through which a person can render a system unusable, or significantly slow down the system for legitimate users, by overloading the system so that no one else can use it.
Denial of Service: Basics
• Typical Behaviors:
– Crashing the system or network: Send the victim data or packets which will cause the system to crash or reboot.
– Exhausting the resources by flooding the system or network with information. Since all resources are exhausted, others are denied access to the resources.
– Distributed DoS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks.
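The resource-exhaustion case in detection logic, for the SYN flood from the next slide's list: a flood looks like many connection attempts per second that are never completed, whereas a merely busy server sees attempts that do complete. Added example for this lecture, not code from the slides. The flow records are constructed and their one-line-per-segment format (time, source, destination, port, TCP flags) is invented for the demo; completion is only looked for within the same window.

```python
"""SYN-flood detection over per-segment flow records: per destination and
one-second window, count SYNs whose source never sent an ACK."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def parse(line: str) -> Dict[str, str]:
    """'t=1.00 src=a dst=b dport=80 flags=S' -> dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect_syn_floods(lines: List[str], window: float = 1.0, threshold: int = 50) -> List[Dict]:
    """Alert once per (window, destination) whose half-open count reaches threshold."""
    syns: Dict[Tuple[int, str], Set[str]] = defaultdict(set)   # sources that sent SYN
    acks: Dict[Tuple[int, str], Set[str]] = defaultdict(set)   # sources that sent an ACK
    for rec in map(parse, lines):
        key = (int(float(rec["t"]) // window), f"{rec['dst']}:{rec['dport']}")
        if rec["flags"] == "S":
            syns[key].add(rec["src"])
        elif "A" in rec["flags"]:
            acks[key].add(rec["src"])
    alerts = []
    for key in sorted(syns):
        half_open = syns[key] - acks[key]
        if len(half_open) >= threshold:
            alerts.append({"window_start": key[0] * window, "dst": key[1],
                           "syn": len(syns[key]), "half_open": len(half_open)})
    return alerts


def sample_records() -> List[str]:
    """Constructed traffic: five real clients in second 1, a flood in second 2."""
    lines = []
    for i in range(5):                       # SYN, then the handshake's ACK 20 ms later
        t, src = 1.0 + i * 0.1, f"203.0.113.{i + 1}"
        lines.append(f"t={t:.2f} src={src} dst=192.0.2.1 dport=80 flags=S")
        lines.append(f"t={t + 0.02:.2f} src={src} dst=192.0.2.1 dport=80 flags=A")
    for i in range(200):                     # forged sources, nobody completes
        lines.append(f"t={2.0 + i / 200:.3f} src=198.51.100.{i + 1} dst=192.0.2.1 dport=80 flags=S")
    return lines


if __name__ == "__main__":
    for alert in detect_syn_floods(sample_records()):
        print(alert)
```

Counting distinct sources rather than segments is deliberate: a flood forges a fresh source per SYN, so the two numbers coincide for the attacker and diverge for a legitimate client that retransmits. The other entries on the tool list (Land, Smurf, Ping of Death) are malformed-packet or amplification attacks and need different signatures.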
Denial of Service: Popular Programs
• Ping of Death
• SSPing
• Land
• Smurf
• SYN Flood
• CPU Hog
• WinNuke
• RPC Locator
• Jolt2
• Bubonic
• Microsoft Incomplete TCP/IP Packet Vulnerability
• HP OpenView Node Manager SNMP DoS Vulnerability
• NetScreen Firewall DoS Vulnerability
• Checkpoint Firewall DoS Vulnerability
Tunneling: Basics
• Definition: Attempts to get “under” a security system by accessing very low-level system functions (e.g., device drivers, OS kernels).
Tunneling: Basics
• Typical Behaviors: Behaviors such as unexpected disk accesses, unexplained device failures, halted security software, etc.
• Vulnerabilities: Tunneling attacks often occur by creating system emergencies to cause system re-loading or initialization.
Tunneling: Basics
• Prevention: Design security and audit capabilities into even the lowest-level software, such as device drivers, shared libraries, etc.
• Detection: Changes in date/time stamps for low-level system files, or changes in sector/block counts for device drivers.
• Countermeasures:
– Patch or replace compromised drivers to prevent access
– Monitor suspected access points to attempt trace back
Trap Door: Basics
• Definition: System access for developers inadvertently left available after software delivery. Sometimes installed by malicious software.
Trap Door: Basics
• Typical Behaviors:
– Unauthorized system access enables viewing, alteration or destruction of data or software.
• Vulnerabilities:
– Software developed outside organizational policies and formal methods.
Trap Door: Basics
• Prevention:
– Enforce defined development policies
– Limit network and physical access
• Detection:
– Audit trails of system usage, especially user identification logs
• Countermeasures:
– Close the trap door, or monitor ongoing access to trace back to the perpetrator
– Virus and worm countermeasures
Sequential Scanning: Basics
• Definition:
– Sequentially testing passwords/authentication codes until one is successful.
• Typical Behaviors: Multiple users attempting network or administrator command functions, indicating multiple Masquerades.
• Vulnerabilities: Login prompts have a time delay built in to foil automated scanning, so obtaining the encoded password table and testing it off-line is a common technique.
Sequential Scanning: Basics
• Prevention:
– Enforce organizational secure password policies.
– Make system administrator access to password files secure.
• Detection:
– Correlate user identification with shift times.
– Correlate user problem reports relevant to possible Masquerades.
• Countermeasures:
– Change the entire password file, or use baiting tactics to trace back to the perpetrator.
Dictionary Scanning: Basics
• Definition: Scanning through a dictionary of commonly used passwords/authentication codes until one is successful.
• Typical Behaviors: Multiple users attempting network or administrator command functions, indicating multiple Masquerades.
• Vulnerabilities: Use of common words and names as passwords or authentication codes (so-called “Joe Accounts”, e.g. guest, test).
Dictionary Scanning: Basics
• Prevention: Enforce organizational password policies
• Detection:
– Correlate user identification with shift times
– Correlate user problem reports relevant to possible Masquerades
• Countermeasures:
– Change the entire password file, or use baiting tactics to trace back to the perpetrator
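The two preceding attacks (Sequential Scanning and Dictionary Scanning), run off-line against a stolen password table as the Sequential Scanning slide describes and as the Morris worm did. This is an added example for the lecture, not code from the slides. The table format, user:salt:sha256(salt+password), is constructed for the demo and is not the crypt(3) format a real Unix system uses; the salts are fixed so the run is repeatable.

```python
"""Off-line password scanning: 'Joe' guesses derived from the user name,
then a dictionary, then exhaustive (sequential) enumeration of short codes."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List, Tuple


def make_entry(user: str, password: str, salt: str) -> str:
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{user}:{salt}:{digest}"


def matches(entry: str, guess: str) -> bool:
    _, salt, digest = entry.split(":")
    return hashlib.sha256((salt + guess).encode()).hexdigest() == digest


def joe_guesses(user: str) -> Iterator[str]:
    """'Joe account' candidates: passwords derived from the user name itself."""
    yield from (user, user[::-1], user + "1", user + "123", user.capitalize())


def sequential_guesses(length: int) -> Iterator[str]:
    """Sequential scanning: every numeric code of the given length, in order."""
    for digits in itertools.product("0123456789", repeat=length):
        yield "".join(digits)


def crack(entries: Iterable[str], wordlist: List[str], pin_len: int = 4) -> Tuple[Dict[str, str], int]:
    """Cheapest guesses first. Returns recovered passwords and hashes computed."""
    found: Dict[str, str] = {}
    attempts = 0
    for entry in entries:
        user = entry.split(":")[0]
        for guess in itertools.chain(joe_guesses(user), wordlist, sequential_guesses(pin_len)):
            attempts += 1
            if matches(entry, guess):
                found[user] = guess
                break
    return found, attempts


# Constructed password table for the demo.
PASSWORD_TABLE = [
    make_entry("test", "test", "a1b2"),                           # Joe account
    make_entry("alice", "letmein", "c3d4"),                       # dictionary word
    make_entry("bob", "4711", "e5f6"),                            # four-digit code
    make_entry("carol", "correct horse battery staple", "0789"),  # long passphrase
]
WORDLIST = ["password", "123456", "letmein", "qwerty", "guest", "welcome"]


if __name__ == "__main__":
    recovered, hashes = crack(PASSWORD_TABLE, WORDLIST)
    print(recovered, hashes)
```

The first two accounts fall within ten guesses each, which no hashing scheme can save; the passphrase survives the whole run. A deliberately slow hash (PBKDF2, bcrypt, scrypt) multiplies the cost of every one of those guesses by its work factor, which is what makes the exhaustive part impractical rather than merely tedious. The same attack run on-line is what the slides' detection bullet points at: many failed logins across many accounts, correlated by source.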
Digital Snooping: Basics
• Definition: Electronic monitoring of digital networks to uncover passwords or other data.
• Typical Behaviors:
– System administrators found on-line at unusual or off-shift hours
– Changes in behavior of the network transport layer
• Vulnerabilities:
– Example of how COMSEC (communications security) affects COMPUSEC (computer security)
– Links can be more vulnerable to snooping than nodes
Digital Snooping: Basics
• Prevention:
– Employ data encryption
– Limit physical access to network nodes and links
• Detection:
– Correlate user identification with shift times
– Correlate user problem reports; monitor network performance
• Countermeasures:
– Change encryption schemes, or employ network monitoring tools to attempt trace back to the perpetrator
Shoulder Surfing: Basics
• Definition: Direct visual observation of monitor displays to obtain access.
• Typical Behaviors:
– Authorized user found on-line at unusual or off-shift hours, indicating a possible Masquerade.
– Authorized user attempting administrator command functions.
• Vulnerabilities:
– Sticky notes used to record account & password information
– Password entry screens that do not mask typed text
– “Loitering” opportunities
Shoulder Surfing: Basics
• Prevention:
– Limit physical access to computer areas
– Require frequent password changes by users
• Detection:
– Correlate user identification with shift times or increased frequency of access
– Correlate user command logs with administrator command functions
• Countermeasures:
– Change the user password, or use standard administrator functions to determine the access point, then trace back to the perpetrator
Dumpster Diving: Basics
• Definition: Accessing discarded trash to obtain passwords and other data.
• Typical Behaviors:
– Multiple users attempting network or administrator command functions, indicating multiple Masquerades.
• Vulnerabilities:
– “Sticky” notes used to record account and password information
– System administrator printouts of user logs
Dumpster Diving: Basics
• Prevention: Destroy discarded hardcopy
• Detection:
– Correlate user identification with shift times
– Correlate user problem reports relevant to possible Masquerades.
• Countermeasures:
– Change the entire password file, or use baiting tactics to trace back to the perpetrator
Browsing: Basics
• Definition: Automated scanning of large unprotected data sets to obtain clues to gain access
– e.g. discarded media or on-line “finger”-type commands
• Typical Behaviors:
– Authorized user found on-line at unusual or off-shift hours, indicating a possible Masquerade
– Authorized user attempting admin command functions.
Browsing: Vulnerabilities
• Vulnerabilities:
– Finger-type services provide information to any and all users
– The information is usually assumed safe but can give clues to passwords (e.g., a spouse’s name)
Browsing: Prevention & Detection
• Prevention:
– Destroy discarded media
– Especially when on open networks, disable finger-type services
• Detection:
– Correlate user identification with shift times or increased frequency of access.
– Correlate user command logs with administrator command functions
• Countermeasures:
– Change the user password, or use standard administrator functions to determine the access point, then trace back to the perpetrator.
Equipment Malfunction: Basics
• Definition: Hardware operates in abnormal, unintended ways.
• Typical Behaviors: Immediate loss of data due to abnormal shutdown. Continuing loss of capability until equipment is repaired.
• Vulnerabilities: Vital peripheral equipment is often more vulnerable than the computers themselves.
• Prevention: Replication of the entire system, including all data and recent transactions.
• Detection: Hardware diagnostic systems
Software Malfunction: Basics
• Definition: Software does not work in its intended manner.
• Typical Behaviors:
– Immediate loss of data due to abnormal end
– Repeated failures when the faulty data is used again
• Vulnerabilities: Poor software development practices
• Prevention:
– Enforce strict software development practices
– Comprehensive software testing procedures
• Detection: Use software diagnostic tools.
Software Malfunction: Basics
• Countermeasures:
– Backup software
– Robust operating systems
User Error: Basics
• Definition: Inadvertent alteration, manipulation or destruction of programs, data files or hardware.
• Typical Behaviors:
– Incorrect data entered into the system, or incorrect behavior of the system
• Vulnerabilities:
– Poor user documentation or training.
User Error: Basics
• Prevention:
– Enforcement of training policies and separation of programmer/operator duties
• Detection:
– Audit trails of system transactions
• Countermeasures:
– Backup copies of software and data
– On-site replication of hardware.
Spam: Basics
• Definition: system with incoming message or other traffic to cause
• Typical Behaviors: crashes, eventually traced to an overfull buffer or swap space
• Vulnerabilities: Open source networks especially vulnerable.
Spam: Basics
• Prevention: Require authentication fields in message traffic
• Detection: partitions, network sockets, etc. for overfull conditions.
• Countermeasures:
– Headers to attempt trace back to the perpetrator