Awareness of Security Exploits and Their Causes
Prabhaker MatetiWright State University
Aug – Dec 2014 On Sabbatical at Amrita Viswa Vidyapeetham
Security Awareness 2014
2
Prabhaker Mateti
Some Numbers
Security Awareness 2014 3
Amazon.com book search
2003 2014Network security 813 31564Internet security 1009 18995Computer security 2871 39812System security 1521 107303Homeland security 80 24629Security 32000 194118
Prabhaker Mateti
Security Awareness 2014 4
Security Incidents / CERT
2013: 100000+ “CERT uses the word "incident" as an
administrative term … A single "incident" can involve anything
from a single host computer to a very large number of host computers, at a single site or at hundreds of thousands of sites.”
Prabhaker Mateti
Security Awareness 2014 5
Number of Hosts in the DNS
2003171,638,297 2000 72,398,092
Prabhaker Mateti
Security Awareness 2014 6
Sizes of Some Software
MLOC
1993 Windows NT 3.1 6
1996 Windows NT 4.0 11
2001 Windows XP 45
2000 Linux Debian 2.2 55
2012 Linux Debian 7.0 419
2005 Mac OS X 10.4 86
2001 Linux Kernel 2.4.2 2
2012 Linux Kernel 3.6 16
Prabhaker Mateti
Security Awareness 2014 7
Bu
gs p
er T
hou
san
d L
OC
Table from “Code Complete” book Not to be taken as too authentic Don’t believe the 0 at the low end
Prabhaker Mateti
Terms …
Security Awareness 2014 9
“So you got r00ted.’’
Your machine has been compromised. root = administrator = super-user An unauthorized user has obtained root
privileges. A rootkit may have been installed. Forensic analyses made with tools
existing on that system are unreliable.
Prabhaker Mateti
Security Awareness 2014 10
Denial of Service (DoS)
We think of computer systems as providing services to authorized users.
When a system is deliberately made to crash, or made to run legitimate users' programs so very slowly that it is unusable, we refer to it as a "denial of service attack."
The attacker accomplishes this by running certain cleverly composed programs, and is pre-aware of the consequences.
Prabhaker Mateti
Security Awareness 2014 11
Black Hats v. White Hats
Black hats are the "bad" guys in that they use their knowledge to unauthorizedly break into even more systems, and pass their knowledge to other insiders.
White hats are the "good" guys: they are mostly into forensics and prevention of attacks.
Prabhaker Mateti
Security Awareness 2014 12
Vulnerability, …
Vulnerability: A weakness that can be exploited to cause damage.
Attack: A method of exploiting a vulnerability.
Threat: A motivated, capable adversary that mounts attacks.
Prabhaker Mateti
Security Awareness 2014 13
Hacker v. Attacker v. Intruder
Hacker = One who programs enthusiastically, even obsessively.
An expert at a particular program, as in ‘a Unix hacker’.
A hacker enjoys exploring the details of programmable systems and how to stretch their capabilities.
A hacker has ethics.
Prabhaker Mateti
Security Awareness 2014 14
Malware
Any “program” that has a “malicious” intent …
Viruses + Worms + Trojans + …
Prabhaker Mateti
Security Awareness 2014 15
Viruses
Viruses are "programs" that modify other programs on a computer, inserting copies of themselves.
Viruses are not officially programs:› They cannot run on their own.› Need to have some host program.› When the host program is run, the virus runs.
Prabhaker Mateti
Security Awareness 2014 16
Worms
Worms are programs that propagate from computer to computer on a network.
Worms can run independently. Worms may have (different) portions of
themselves running on many different machines.
Worms do not change other programs, although they may carry other code that does.
Prabhaker Mateti
Security Awareness 2014 17
Trojans
A Trojan mimics the functionality of its namesake legitimate program.
But has a hidden “agenda.” Ex: wu-ftpd Trojan - Login with specific
user/password gives a root shell.
Prabhaker Mateti
Security Awareness 2014 18
Backdoors
Also called trap doors. Allow unauthorized access to a system. The absence of backdoors cannot be
established.
Prabhaker Mateti
Security Awareness 2014 19
System Security
“System Security” = Computer Security + Network Security
Trojan Horses, Viruses and Worms Privacy and Authentication TCP/IP exploits Firewalls Secure Configuration of Personal Machines Buffer Overflow and Other Bug Exploitation Writing Bug-free and Secure Software Secure e-Commerce Transactions …
Prabhaker Mateti
Current practices
and their problems
Security Awareness 2014 21
Improper Configuration
Out of the box installations are rarely properly configured.
Standard user accounts with standard passwords.
Running unneeded services. Leaving sensitive files read/write-open.
Prabhaker Mateti
Security Awareness 2014 22
Fortification
Start with a properly configured system.
Delete weak or unneeded components. Add protective layers. Keep detailed logs.
Prabhaker Mateti
Security Awareness 2014 23
Hardened OS
Often “equated” with fortification. Rebuilding an OS from the same source
code but by using a more rigorous compiler.
Redesigning portions of an OS. Statically v. dynamically configured.
Prabhaker Mateti
Security Awareness 2014 24
Rootkits
“A rootkit is a collection of tools and utilities that attackers use to hide their presence and gather data to help them infiltrate further across the network. Rootkits insert backdoors, install Trojans, and patch existing programs.”
Installed after the attacker gains access. Cannot be detected by firewalls or anti-virus
scanners. 200+ results for search “rootkit’’ on
www.packetstormsecurity.org Prabhaker Mateti
Security Awareness 2014 25
Windows Rootkit Examples
null.sys HE4Hook Hacker Defender Slanret He4Hook Vanquish Fu …
Prabhaker Mateti
Security Awareness 2014 26
Linux Rootkit Examples
Linux Rootkit (LRK) TeLeKit Adore Knark t0rnkit Kernel Intrusion System (KIS) …
Prabhaker Mateti
Security Awareness 2014 27
Booting Up
BIOS OS Kernel Initialization User logins
Prabhaker Mateti
Security Awareness 2014 28
boot.ini
Prabhaker Mateti
[boot loader]timeout=30default=multi(0)disk(0)rdisk(0)partition(9)\WINDOWS[operating systems]C:\bootsect\hdc3grub.bin="Booting From FAT32on120GB" multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP Pro r0 p3" /fastdetectmulti(0)disk(0)rdisk(0)partition(9)\WINDOWS="Windows XP Pro r0 p9" /fastdetectmulti(0)disk(0)rdisk(0)partition(14)\WINDOWS="Windows XP Pro r0 p14" /fastdetectC:\bootsect\hdc3grub.bin="Linux via Grub"
Security Awareness 2014 29
/boot/grub/menu.lst
timeout 10default 1
title failsafekernel (hd0,6)/boot/vmlinuz root=/dev/hda7 failsafe devfs=nomount
hdc=ide-scsi acpi=offinitrd (hd0,6)/boot/initrd.img
title linux-smpkernel (hd0,6)/boot/vmlinuz-smp root=/dev/hda7 devfs=mount
hdc=ide-scsi acpi=offinitrd (hd0,6)/boot/initrd-smp.img
title windowsroot (hd0,0)chainloader +1
Prabhaker Mateti
Security Awareness 2014 30
Human User Authentication
Something you know (e.g., a password or other secret);
Something you have (e.g., smart card, credit card);
Something you are (e.g., fingerprints, retinal scan, voice print).
Prabhaker Mateti
Security Awareness 2014 31
Passwords
Weak passwords; social engineering. telnet, ftp, … passwords travel the
network in the clear; can be sniffed. One Time Passwords
Prabhaker Mateti
Security Awareness 2014 32
Cryptography
"Computationally Infeasible” N = 2^a * 3^b * 5^c * 7^d * ...
One way hash function› takes a variable-length input sequence of
bytes and converts it into a fixed-length sequence.
› designed to be computationally infeasible to reverse the process
Prabhaker Mateti
Security Awareness 2014 33
Symmetric Keys
sender and receiver of a message share a single, common key.
If ct = encryption (pt, key), then pt = decryption (ct, key).
DES IDEA Blowfish
Prabhaker Mateti
Security Awareness 2014 34
Public and Private Keys
a public key known to everyone, and a private or secret key known only to the recipient of the message
The two keys are mathematically related, yet it is computationally infeasible to deduce one from the other.
A global registry of public keys is needed RSA
Prabhaker Mateti
Security Awareness 2014 35
Man-in-the-Middle Attack
The public key-based communication between say Alice and Bob is vulnerable.
Let us assume that Mallory, a cracker, not only can listen to the traffic between Alice and Bob, but also can modify, delete, and substitute Alice's and Bob's messages, as well as introduce new ones. Mallory can impersonate Alice when talking to Bob and impersonate Bob when talking to Alice. Here is how the attack works.
Bob sends Alice his public key. Mallory intercepts the key and sends her own public key to Alice.
Alice generates a random session key, encrypts it with "Bob’s" public key (which is really Mallory's), and sends it to Bob.
Mallory intercepts the message. He decrypts the session key with his private key, encrypts it with Bob's public key, and sends it to Bob.
Bob receives the message thinking it came from Alice. He decrypts it with his private key and obtains the session key.
Alice and Bob start exchanging messages using the session key. Mallory, who also has that key, can now decipher the entire conversation.
Prabhaker Mateti
Security Awareness 2014 36
Buffer Overflow
“Quick: What's the computer vulnerability of the decade? It's not the Y2K bug, according to computer science and security analysts, but a security weakness known as the buffer overflow .”
Executable code is injected on to the runtime stack.
The return address that was on the stack is modified to point to the beginning of this code.
The executable code chosen produces a shell. A root-privileged program is so exploited; so, you
are r00ted.
Prabhaker Mateti
Security Awareness 2014 37
Buffer Overflow
Many of the Top 20 vulnerabilities are buffer overflow problems.
Caused by a simple class of programming errors.
C and its promiscuous style.
Prabhaker Mateti
Security Awareness 2014
38
Prabhaker Mateti
Network Security
Ethernet is a broadcast medium.So is: wifiPacket switching.
Security Awareness 2014 39
Security of the Connection
Least secure: Wireless networking Second least secure: Always-on wired
connections Second most secure: Intermittent wired
connections (dial-up) Most secure: Never connected.
Prabhaker Mateti
Security Awareness 2014 40
TCP/IP Design Problems
Designed with too little concern for security.
All data, including various fields in the protocol headers, are sent in the clear.
Sender and Receiver in the packet can be spoofed.
Prabhaker Mateti
Security Awareness 2014 41
IP4 Spoofing
IP address: a.b.c.d, 4-bytes. IP packet contains the IP addresses of
sender and receiver. Everything in the clear. IP spoofing replaces the IP address of
(usually) the sender or (in rare cases) the destination with a different address.
Services that authenticate based on the IP addresses are vulnerable.
RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), X windows, …
Prabhaker Mateti
Security Awareness 2014 42
IP Fragment Attacks
When packets are too large to be sent in a single IP packet, due to interface hardware limitations for example, they can be split up by an intermediate router.
The final destination will reassemble all the fragments of an IP packet.
Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly.
In the IP layer implementations of nearly all OS, there are bugs in the reassembly code.
Attackers create fragments that trigger these bugs.
Prabhaker Mateti
Security Awareness 2014 43
TCP Exploits
The SYN Flood Connection Killing by RST Closing a Connection by FIN Connection Hijacking
Prabhaker Mateti
Security Awareness 2014 44
Covert Channels
Sending of “data” not in the payload, but via other “places.”
Headers. Sequence numbers.
Prabhaker Mateti
Security Awareness 2014 45
Probing
Port Scanning is one of the most popular among the reconnaissance techniques.
Find open ports Fingerprint the OS
Stealth scan, Bounce scan, … nmap
Prabhaker Mateti
Security Awareness 2014 46
Sniffers
A packet sniffer is a program that eavesdrops on the network traffic.
It copies packets as they pass the NIC. An NIC in the normal mode reads packets
destined to its specific MAC address, and all other packets are ignored.
An NIC in promiscuous mode, receives all packets regardless of the MAC address.
Prabhaker Mateti
Security Awareness 2014 47
Distributed Denial of Service (DDoS)
Several machines participate in a DoS attack of a victim.
These participants are often compromised innocent machines serving the “attacks.”
A remote client triggers the attack servers.
Prabhaker Mateti
Security Awareness 2014 48
DNS Attacks
Domain Name Service protocol is inherently vulnerable.
DNS cache poisoning. BIND 8 is the most popular DNS server. DNS servers running BIND are not up to
date with security patches and software updates.
On October 21, 2002, 9 of the 13 root name servers were the target of a DDoS attack.
Prabhaker Mateti
Security Awareness 2014
49
Prabhaker Mateti
Mobile Computing
Security Awareness 2014 50
Smart Phones
Highly capable networked computer systems› Quad-core 1.2 GHz CPUs› 1 GB RAM› 16 GB persistent storage
Standard : GSM, Wi-Fi, GPS, Bluetooth, camera, microphone, various sensors
Used by millions of computer-illiterates Constrained by battery capacity
Prabhaker Mateti
Security Awareness 2014 51
Android Devices 2014
Android’s global market share 78.4
Number of daily activations of Android devices 1,500,000
Global shipments of Android smartphones 1,133Mn
Number of Android smartphone users in the U.S. 76Mn
Number of apps downloaded from the Play store 50Bn
Average unique monthly users of Facebook app 42.38Mn
http://www.statista.com/topics/876/android/
Prabhaker Mateti
Security Awareness 2014 52
Android Security
Soon to match PCs in malware Kaspersky reports attacks per month
› Aug 2013: 69,000› Mar 2014: 650,000
Pocket Spy? Hot Research Topic
› 1000+ papers› Permissions: 500+› Privacy improvements: 50+
Prabhaker Mateti
Protecting Our Systems
Security Awareness 2014 54
Security Software
Secure Shell, PGP, … Firewall Kits Tools
› Top 50 Security Tools survey from www.nmap.org› http://www.packetfactory.net› nmap, SAINT, …› tcpdump, ethereal, snort, …› Password cracking› Tcpwrapper
Prabhaker Mateti
Security Awareness 2014 55
SSH (Secure Shell)
telnet, rlogin, … do not authenticate the remote machine; SSH does.
The password that the user types as part of the login ritual is sent as clear text by telnet and rlogin; SSH sends it encrypted.
The data being sent and received by the RTF is also sent as clear text; SSH sends and receives it in encrypted form.
Prabhaker Mateti
Security Awareness 2014 56
SSH (Secure Shell)
ssh1 v. ssh2 SSH exploits do exist. Susceptible to man in the middle attack Encryption and decryption consumes
computing and elapsed time. Can be a nuisance. If the remote system
has been legitimately reinstalled ...
Prabhaker Mateti
Security Awareness 2014 57
SSH client and servers
ssh putty ttermpro openssh
Prabhaker Mateti
Security Awareness 2014 58
VPN (Virtual Private Network)
Data travels over public networks, usually the Internet.
The information needed to allow the data packets to be routed between the source node and the destination node is available to the public medium as in ordinary TCP/IP traffic,
But, all other information is encrypted. PPTP, L2TP, IPsec
Prabhaker Mateti
Security Awareness 2014 59
File Integrity
“Is the file what I installed? Did it change?”
Time stamps, file size, … are not reliable. MD5 checksums.
The MD5 algorithm takes as input an arbitrary length byte sequence and produces a 16-byte "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest.
Prabhaker Mateti
Security Awareness 2014 60
Scanning for “Viruses”
Scanners hook themselves in the read/write methods of the file sys.
Search for patterns in the file content. Search for specific file names, … Can yield false positives. Can miss identifying malware.
Prabhaker Mateti
Security Awareness 2014 61
Packet Filters
Drop packets based on matching certain parts: IP addresses, port numbers, protocols, flags.
Network Address Translation - NAT IP port forwarding iptables -A FORWARD -d ! 192.168.17.0/24 -i eth1 -j
prvt-extrn iptables -A FORWARD -s 130.108.17.0/24 -i eth2 -j dmz-extrn iptables -A FORWARD -d 130.108.17.0/24 -i eth0 -j extrn-dmz iptables -A FORWARD -j DROP -l
Prabhaker Mateti
Security Awareness 2014 62
Firewalls
Packet filters Bastion Host Proxy services Stateful Inspection Three Myths of Firewalls
Firewalls make the assumption that the only way in or out of a corporate network is through the firewalls; that there are no "back doors" to your network.
Firewalls make the assumption that all of the bad guys are on the outside of the firewall, and everyone on the inside of the can be considered trustworthy.
With macros, JavaScript, Java, … executable fragments can be embedded inside data.
Prabhaker Mateti
Security Awareness 2014 63
Intrusion Detection
Detect probes. Constantly check file integrity. Constantly check which ports are open
and why. Keep detailed logs of suspicious
activity on a separate system.
Prabhaker Mateti
Security Awareness 2014
64
Prabhaker Mateti
Causes
Security Awareness 2014 65
Bugs in Privileged Software
Many bugs are exploitable from a security perspective. › A simple array-index out of bounds bug
can lead to computer being owned by the attacker.
2014 State of the Art: Cannot produce bug-free software (unless tiny)
Prabhaker Mateti
Security Awareness 2014 66
Improper Configuration
Out of the box installations are rarely properly configured.
Standard user accounts with standard passwords.
Running unneeded services. Leaving sensitive files read/write-open.
Prabhaker Mateti
Security Awareness 2014 67
TCP/IP Design Problems
Designed with too little concern for security.
All data, including various fields in the protocol headers, are sent in the clear.
Sender and Receiver in the packet can be spoofed.
Prabhaker Mateti
Security Awareness 2014 68
OS Design
Too focused on performance Not enough on security Too much trust on components
› E.g., kernel trusts /sbin/init
Prabhaker Mateti
Security Awareness 2014
69
Prabhaker Mateti
Further Reading
Security Awareness 2014 70
Security Web Sites
“There is an oceanic amount of material on network security available over the Internet.”
-- A Web Page. 10000+ web sites Select list follows
Prabhaker Mateti
Security Awareness 2014 71
A Few Chosen Security Websites
www.incidents.org www.cert.org www.cerias.purdue.edu www.securityfocus.com lwn.net/security www.microsoft.com/security www.phrack.org
Prabhaker Mateti
Security Awareness 2014 72
Mateti/Security Links
CEG 4420 Cyber Security UG coursewww.cs.wright.edu/~pmateti/Courses/4420
Android Internals and Security at Amritawww.cs.wright.edu/~pmateti/Courses/7900
Prabhaker Mateti