acknowledgments giovanni vigna (ucsb) chris kruegel (ucsb) engin kirda (eurecom) paolo milani (tuv)


Post on 17-Dec-2015


Acknowledgments

• Giovanni Vigna (UCSB)

• Chris Kruegel (UCSB)

• Engin Kirda (Eurecom)

• Paolo Milani (TUV)


Reading

• Hackers, Heroes of the Computer Revolution by Steven Levy http://www.gutenberg.org/etext/729

• The Hacker Crackdown: Law and Disorder on the Electronic Frontier by Bruce Sterling http://www.mit.edu:8001/hacker/hacker.html

• The Jargon File, version 4.4.7 by Eric S. Raymond http://www.catb.org/jargon/oldversions/jarg447.txt


References

• SecurityFocus.com
  – Bugtraq
  – Focus-ids
  – …
• Phrack.org
• Milw0rm.com
• Packetstormsecurity.org
• Zone-h.org
• Many other security sites…

Intro

Errors, bugs, and failures

• Networks: composed of hardware whose behavior is determined by software (roughly...)
• Applications run on operating systems
• interoperate through protocols

Designed by humans. Not perfect!

[Figure: network diagram with the labels “software”, “OS”, and “protocols”]

A human error may introduce a bug (or fault). The IEEE Standard Glossary of Software Engineering Terminology defines “fault” as “an incorrect step, process, or data definition in a computer program”

When a fault gets triggered, it might generate a failure...

Security Bugs, Errors, Failures

• A security error is made by a human
• As a consequence, a security bug is introduced
  – A security bug is also called a “vulnerability”
  – When the bug is triggered (or “exploited”) it generates a security failure
  – The security of a system is compromised...

Security

Other security problems

• There is an overall concept of “system security” in terms of
  – Privacy/Confidentiality
  – Integrity/Consistency
  – Availability
• Some applications work as designed but contain vulnerabilities
  – When installed in systems with a conflicting security policy
    • “We thought it was a good idea to allow students to have PHP applications in their web home directories...”
  – When configured insecurely
    • “Our secure remote terminal service is protected by a 16 character password, which is currently set to ‘AAAAAAAAAAAAAAAA’...”

There is nothing to worry about, because…

• No one will do that!
• Why would anyone do that?
• We’ve never been attacked
• We’re secure: we use cryptography
• We’re secure: we use ACLs
• We’re secure: we use a firewall
• We’ve reviewed the code, and there are no security bugs
• We know it’s the default, but the administration can turn it off
• If we don’t run as administrator, stuff breaks
• But we’ll slip the schedule
• It’s not exploitable
• But that’s the way we’ve always done it
• If we only had better tools...

Meanwhile in the real world…

Source: http://web.nvd.nist.gov/view/vuln/statistics

[Figure: chart with the axis label “Software vulnerabilities”]

Security Analysis

• Security analysis is the process of determining the security of a system
  – With respect to a set of known design guidelines
  – With respect to a set of known security problems
  – With respect to its environment
• It answers questions like:
  – Is it designed securely?
  – Is it implemented securely?
  – Is it deployed and configured securely?
• The security analysis process is difficult to automate and requires experience and skills

Goals and skills

• Learn how to identify design and implementation vulnerabilities in operating systems, network protocols, and applications
• Learn by example: vulnerabilities and how to exploit them
  – The Devil Is In The Details
  – Lessons learned, attack patterns, design patterns
• Learn about protection/detection mechanisms and techniques
• Skills:
  – Ability to understand and assess the security implications of networked systems
  – Ability to perform the security analysis of a system
  – Ability to understand and contribute to the research on this topic

History

• Crypto is old (Caesar Cipher)
• Even hacking has a bit of a history

Brief history of hacking

• 1876. Alexander Graham Bell invents telephone.
• 1878. First teenage males flung off phone system by enraged authorities.

But also in other fields…

• In 1961, students from Caltech (California Institute of Technology, in Pasadena) hacked the Rose Bowl football game.

• 1982, MIT hacked the Harvard-Yale football game. Balloon with ‘MIT’ popped out of the ground.


Seriously now…

• 1972, John Draper builds the blue box and starts phone phreaking

• Dec 1973, Bob Metcalfe, “The Stockings Were Hung by the Chimney with Care,” Request for Comments no. 602

• August 1986: German hackers penetrate Lawrence Berkeley Laboratory systems and try to obtain secrets to be sold to the KGB

• November 1988: The Internet worm brings down the Internet (Robert Morris Jr.)

• December 1994: Kevin Mitnick attacks the Supercomputer Center in San Diego using a TCP spoofing attack

• 2010: Stuxnet attacks uranium enrichment facilities in Iran

Cap’n Crunch

• In 1972 John Draper finds that the whistle that comes with the Cap’n Crunch cereal produces a sound at 2600 Hz

• The 2600 Hz frequency was used by AT&T to authorize long-distance calls

Phone Phreaking

• John Draper became “Captain Crunch” and built a blue box
  – produced a number of different tones that could be used for in-band signaling
  – Draper was eventually sentenced to five years’ probation for toll fraud
  – His story became an integral part of hacker culture

Who else? Steve Wozniak


Metcalfe’s story

• Inventor of Ethernet
• “The Stockings Were Hung by the Chimney with Care,” Request for Comments no. 602
• Identifies vulnerabilities in the ARPAnet
• Says we should worry

The German Hackers Incident

Cliff Stoll was a system administrator at LBL in August 1986

• On his first day, he started investigating a 75 cent accounting discrepancy for CPU time
• He found out that an account had been created with no billing address
• More investigation identified the presence of an intruder
• Instead of cutting out the intruder, Cliff Stoll decided to monitor the intruder in order to find out who he/she was and how he/she was able to gain privileged access

The German Hackers Incident

• The intruder was using a configuration problem in the Emacs editor
  – Emacs can work as a mailer and it used the “movemail” program to move a user’s inbox from /var/spool/mail to the home directory using interlocking
  – The LBL configuration of /var/spool/mail didn’t allow the program to work as an unprivileged process
  – Therefore the “movemail” program was installed setuid root

The German Hackers Incident

• In this configuration, movemail allowed anybody to move files to any directory of the system

• The intruder used the bug to substitute his own copy of the “atrun” program, which is executed every 5 minutes to perform scheduled jobs and housecleaning tasks

• The program ran with administrative privileges
• After the execution of the operation the legitimate copy would be copied back to hide tracks

The German Hackers Incident

• The intruder gained administrative privileges and started creating accounts and backdoor programs

• The intruder was using the LBL hosts to connect to military systems in the MILNET

• Military sites and databases were searched for keywords such as “SDI” (Strategic Defense Initiative), “stealth”, “SAC” (Strategic Air Command), “nuclear”, “NORAD”

• Cliff Stoll, at this point, called the FBI

The German Hackers Incident

• With the help of the FBI and of the Bundeskriminalamt (BKA) he was able to trace the intruder to Hanover

• 1989: the investigation ends with the arrest of Markus Hess in Germany, who apparently worked for the Eastern Bloc

• Markus was sentenced to a year and eight months and a 10,000 DM fine. He was put on probation

• Other “hackers” were involved in the break-in and received similar sentences

1988 The Internet Falls Over

• November 2, 1988: The “Internet worm”, developed by Robert T. Morris, was injected in the Internet
• A mistake in the replication procedure led to unexpected proliferation
• The Internet had to be “turned off”
• Damages were estimated in the order of several hundred thousand dollars
• RTM was sentenced to three years’ probation, a $10,000 fine, and 400 hours of community service
• The CERT (Computer Emergency Response Team) was created as a reaction to this incident

heh-heh


The Internet Worm

• A worm is a self-replicating program that spreads across a network of computers

• The worm worked only on Sun 3 systems and VAX computers running BSD UNIX

• The worm consisted of two parts:
  – A main program
  – A bootstrap program

The Internet Worm

• First step: Remote privileged access
  – fingerd buffer overflow

        char line[512];
        line[0] = '\0';
        gets(line);    /* gets() takes no length: input longer than the buffer overflows line */

  – sendmail (the DEBUG option allows one to specify a number of commands to be executed)
• The bootstrap program (99 lines of C code) was transferred using a connection from the infecting machine
• The bootstrap program was compiled and run, causing the transfer of a precompiled version of the main program on the infected host
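
The fingerd fault above comes from gets() having no size argument. The following is an added example, not code from the slides or from fingerd: a bounded line reader that rejects and drains oversized requests. The names read_request, request_result and FINGER_LINE are made up for this illustration, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define FINGER_LINE 512   /* buffer size used in the slide's fingerd snippet */

/*
 * Bounded replacement for gets(line). Reads one request line into buf.
 * Returns the request length (CR/LF stripped), -1 on EOF or error, and
 * -2 when the request does not fit. An oversized request is drained and
 * discarded, so it can neither overflow buf nor leak into the next read.
 */
int read_request(FILE *in, char *buf, size_t size)
{
    size_t n;
    int c;

    if (buf == NULL || size < 2)
        return -1;
    buf[0] = '\0';
    if (fgets(buf, (int)size, in) == NULL)
        return -1;

    n = strlen(buf);
    if (n == size - 1 && buf[n - 1] != '\n') {
        /* Buffer full, no newline yet: anything but end of line is too long. */
        c = fgetc(in);
        if (c != EOF && c != '\n') {
            while (c != EOF && c != '\n')
                c = fgetc(in);
            buf[0] = '\0';
            return -2;
        }
    }
    buf[strcspn(buf, "\r\n")] = '\0';
    return (int)strlen(buf);
}

/*
 * Constructed input: a request of n 'A' bytes, then "root", each ended
 * by CRLF. Returns the result for the first request (which == 0) or for
 * the second one (which == 1), showing that the stream stays in sync.
 */
int request_result(size_t n, int which)
{
    char line[FINGER_LINE];
    FILE *f = tmpfile();
    size_t i;
    int rc;

    if (f == NULL)
        return -1;
    for (i = 0; i < n; i++)
        fputc('A', f);
    fputs("\r\nroot\r\n", f);
    rewind(f);
    rc = read_request(f, line, sizeof line);
    if (which == 1)
        rc = read_request(f, line, sizeof line);
    fclose(f);
    return rc;
}

int main(void)
{
    printf("4-byte request:    %d\n", request_result(4, 0));
    printf("600-byte request:  %d\n", request_result(600, 0));
    printf("request after it:  %d\n", request_result(600, 1));
    return 0;
}
```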

Kevin Mitnick

• One of the most well-known “hackers” in the community
• 1982: One-year probation for breaking into PacBell’s offices
• 1982: Enrolls at University of Southern California and uses campus machines to perform illegal activities: 6 months of juvenile prison in Stockton, California
• 1987: Mitnick breaks into SCO. Sentence: three-year probation
• 1988: Enrolls at Pierce and misuses campus systems. Expelled, appealed unsuccessfully
• 1988: Mitnick breaks into DEC and steals software. Caught by FBI. One-year sentence at Lompoc, California

Kevin Mitnick

• 1992: Mitnick violates probation and goes into hiding

• 1994: California Department of Motor Vehicles issues $1-million warrant for Mitnick's arrest on charges of fraudulently trying to acquire driver identification

• Christmas 1994: Mitnick accused of invading San Diego Supercomputer Center


Kevin Mitnick against SDSC

• A very sophisticated TCP spoofing attack
• The attack exploits the trust between hosts:
  – X-terminal: diskless SPARCstation running Solaris 1
  – server: host providing boot image to x-terminal
  – X-terminal allows unauthenticated logins (and command execution requests) coming from server
  – Denial-of-service attack against server
  – Impersonation of server with respect to the x-terminal when executing:

        rsh x-terminal "echo + + >>/.rhosts"
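
The command above leaves a "+ +" entry in /.rhosts, which trusts every user on every host. The following is an added example, not part of the original slides: an audit routine that flags wildcard entries in the text of a .rhosts or hosts.equiv file. The function names and the sample file are constructed, and treating '#' lines as comments is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define RH_ANY_HOST 1   /* host field is "+": matches every remote host */
#define RH_ANY_USER 2   /* user field is "+": matches every remote user */

/* Constructed sample: a /.rhosts that trusts one boot server, followed by
 * the entry appended by the command on the slide. */
static const char SAMPLE_RHOSTS[] =
    "# trust the boot server only\n"
    "server\n"
    "server root\n"
    "+ +\n";

/* Classify one "host [user]" line; returns a mask of RH_* flags.
 * Assumption: blank lines and lines starting with '#' carry no entry. */
int classify_rhosts_line(const char *line)
{
    char host[256], user[256];
    int fields = sscanf(line, "%255s %255s", host, user);
    int flags = 0;

    if (fields < 1 || host[0] == '#')
        return 0;
    if (strcmp(host, "+") == 0)
        flags |= RH_ANY_HOST;
    if (fields == 2 && strcmp(user, "+") == 0)
        flags |= RH_ANY_USER;
    return flags;
}

/* Walk a whole file image line by line; prints each wildcard entry with
 * its line number and returns how many were found. */
int audit_rhosts(const char *text)
{
    char line[600];
    int lineno = 0, hits = 0;

    while (*text != '\0') {
        size_t n = strcspn(text, "\n");
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        int flags;

        memcpy(line, text, copy);
        line[copy] = '\0';
        lineno++;
        flags = classify_rhosts_line(line);
        if (flags != 0) {
            hits++;
            printf("line %d: \"%s\"%s%s\n", lineno, line,
                   (flags & RH_ANY_HOST) ? " any-host" : "",
                   (flags & RH_ANY_USER) ? " any-user" : "");
        }
        text += n;
        if (*text == '\n')
            text++;
    }
    return hits;
}

int main(void)
{
    printf("%d wildcard entries found\n", audit_rhosts(SAMPLE_RHOSTS));
    return 0;
}
```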

Kevin Mitnick

• February 1995: FBI arrests Mitnick in Raleigh, North Carolina. Sentenced to 46 months in prison (concurrently with a 22-month sentence)

• January 2000: Mitnick released from prison after almost 5 years (probation forbade him from connecting to the Internet or sending e-mail)

• January 2003: Mitnick can surf the Internet after 8 years


Other Stories


2010 Stuxnet: attacking Iran’s nuclear program

Stuxnet

• four zero days
• 1 known exploit
• 2 stolen certificates
• 2 rootkits (one in PLC!)
• 2 Siemens security issues

• 1 target

Is this a course on hacking?

Hacking

• The term “hacker” was introduced at MIT in the 60s to describe “computer wizards”
• It was eventually used to denote “malicious hackers” or “crackers”, that is, people that perform intrusions and misuse computer systems
• We will use the term “hacker” with this last connotation, keeping in mind that it is also used to describe

  […] someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker's attitude. Computer programming must be a hobby, something done for fun, not out of a sense of duty or for the money. (Brian Harvey, University of Berkeley http://www.cs.berkeley.edu/~bh/hackers.html)

Other terms of the hackers’ jargon


• 31337, l33t, eleet: Clueful. Plugged-in. One of the cognoscenti. Also used as a general positive adjective. This term is not actually native hacker slang; it is used primarily by crackers and warez d00dz, for which reason hackers use it only with heavy irony. The term used to refer to the folks allowed in to the “hidden” or “privileged” sections of BBSes in the early 1980s (which, typically, contained pirated software). A true hacker would be more likely to use “wizardly”. Oppose “lamer”

• haXOr
• 0-day exploit

All your base are belong to us

Ethics

• Is malicious hacking/cracking legal? NO!
• Is it legal to discuss vulnerabilities and how they are actually exploited? YES, and it is a good thing, provided that…
  – The goal is to educate and increase awareness
  – The goal is to teach how to build a more secure computing environment
• A full disclosure policy has been advocated by many respected researchers, provided that…
  – The information disclosed has been already distributed to the parties that may provide a solution (e.g., vendors)
    • See: Responsible vulnerability disclosure process (IETF Internet Draft)
  – The ultimate goal is to prevent similar mistakes from being repeated

Legality

• In the Netherlands
  – Since 2006: all penetration in computer systems is illegal, even if it does not involve “cracking the security”
  – Destruction of computers, networks, and data, or rendering them unusable is against the law
    • This now includes DoS and DDoS attacks
  – Spreading of malware is punishable by law (up to 4 years in prison)

Legal hacking: penetration testing


Would you hire a hacker?

• Depends…
• Would you fire a hacker?

Case study

high-level: what are the steps?
details of steps in remainder of the course

Penetration of a Bank System

• Bank X (millions of accounts, hundreds of thousands of online accounts) asks for vulnerability analysis
• Assumptions: “hacker-style”
  – No previous knowledge about topology/services
  – No inside help
• Initial data
  – Small set of IP addresses
  – Access to one online account
  – Letter from the bank verifying that we were working for them
• Goal is to determine if there is a way to break the security of the system

Penetration of a Bank System

Process:
• Network analysis
  – Target acquisition
  – Service scanning
  – Vulnerability exploitation
• Banking service analysis

IP Sweep

Starting nmap by Fyodor ([email protected], www.insecure.org/nmap/)

Host sales.bankx.com (192.168.20.1) appears to be up.

Host sales1.bankx.com (192.168.20.4) appears to be up.

Host sales4.bankx.com (192.168.20.5) appears to be up.

Host sales2.bankx.com (192.168.20.20) appears to be up.

Nmap run completed -- 256 IP addresses (4 hosts up) scanned in 1 second


Target acquisition


traceroute


Service scanning

Different types of scans
– TCP half-open scan
– TCP connect
– TCP FIN scan
– FTP bounce scan
– UDP scan

TCP port sweep


UDP port sweep


FTP bounce attack

Allows one to open TCP connections bypassing the firewall protections

• Used to perform internal scanning
• If upload is enabled can be used to attack services filtered by the firewall

Later

Inside scan


Vulnerability Exploitation

Two-step process, based on available services
– Checking for the presence of vulnerabilities
  • Mail-based
  • DNS-based
  • FTP-based
  • WWW-based
– Exercising the vulnerabilities that could possibly be in place

When we are in…

• a new game begins
  – what do we want to use our bot for?

All of this stuff

• and more
• will be detailed in the upcoming lectures