
Sanjay Goel, School of Business, University at Albany

Security Threats: Network Based Attacks

Lecture 2

George Berg/Sanjay Goel

University at Albany

Administrivia

• Starting next week, we will meet in BA 349.
– A conference room, in keeping with the topics of the next 3 classes.

Administrivia

• I have to be away on Tuesday the 16th.
– I propose we have that week's class on Thursday the 18th.
– That would make the schedule:
• Tuesday, March 9th
• Thursday, March 18th
• Tuesday, March 23rd.

Network Based Attacks: Types

• Self-Propagating Programs
• Spoofing
• Session Hijacking
• Buffer Overflow

Self-Propagating Programs

Self-Propagating Programs: Types

• Behavior: Self-replicate and propagate through the network.
• Basic Types:
– Virus
– Worm
– Trojan Horse
• Many variants of the basic types exist.

Self-Propagating Programs: Types

• Self-replicating programs attach themselves parasitically to existing programs in order to propagate.
• A virus consists of two parts:
– Viral Portion
– Payload
• The program spreads by creating replicas of itself and attaching them to other executable programs to which it has write access.

Self-Propagating Programs: Types

• Viral Portion: When a user executes an infected program (e.g. runs an infected executable file, or boots from a disk with an infected boot sector), the viral portion of the code typically executes first and then control returns to the original program, which executes normally. Because the host still behaves as expected, the user sees nothing wrong.

Self-Propagating Programs: Types

• Payload: The action that a self-replicating program performs.
– It may be benign, such as printing a weird message or playing music, or malicious, such as destroying data or corrupting the hard disk.
– Unless there is a visible payload that the user observes, s/he is not likely to notice the malicious program.

Self-Propagating Programs: Types

• Polymorphic Viruses: Viruses that modify themselves prior to replicating.
– These are hard to detect since they are constantly changing their signature.
– Scanners counter this by emulating the code or matching on behavior, rather than on a fixed byte pattern.

Self-Propagating Programs: Types

• Worms are another form of self-replicating program that can spread automatically.
– They do not need a carrier program.
– They replicate by spawning copies of themselves.
• They find and exploit software vulnerabilities in order to spread.
• Mail servers, database servers, etc. are typical targets.
– Worms are more complex and much harder to write than virus programs.

Virus: Basics

• Definition: Malicious software that attaches itself to other software.
• Typical Behavior:
– Replicates within a computer system, potentially attaching itself to every other program.
– Behavior categories: e.g. Innocuous, Humorous, Data altering, Catastrophic.

Virus: Targets & Prevention

• Vulnerabilities: All computers
• Common Categories:
– Boot sector
– Application software
– Terminate and Stay Resident (TSR)
– Stealth (or Chameleon)
• Prevention:
– Limit connectivity
– Limit downloads
– Use only authorized media for loading data and software
– Enforce mandatory access controls.
• Viruses generally cannot run unless the host application is running.

Virus: Protection

• Detection:
– Changes in file sizes or date/time stamps
– Computer is slow starting or slow running
– Unexpected or frequent system failures
– Change of system date/time
– Increased computer memory usage
– Increased bad blocks on disks.

Virus: Protection

• Countermeasures:
– Overall strategy: contain, identify and recover.
– Anti-virus scanners: look for known viruses.
– Anti-virus monitors: look for virus-related application behaviors.
– Attempt to determine the source of infection and issue an alert.
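The size and timestamp signals listed under Detection, turned into a check a practitioner would actually run, as an added example that is not part of the lecture: a file-integrity baseline that fingerprints every file under a directory (size, modification time, SHA-256) and reports what changed. The directory tree, the file contents and the two simulated "infections" are constructed for the demo; the "stealth" class catches a virus that restores the original size and timestamp, which the cheap signals alone would miss.

```python
"""File-integrity baseline for virus detection: records size, mtime and
SHA-256 of every file under a directory, then reports what changed.
Added example, not from the lecture; the tree and files are constructed."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    size: int
    mtime_ns: int
    sha256: str


def fingerprint(path: str) -> FileRecord:
    """Size and timestamp are the cheap signals the lecture lists; the hash
    catches a virus that restores the original size/timestamp (stealth)."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileRecord(st.st_size, st.st_mtime_ns, h.hexdigest())


def baseline(root: str) -> dict:
    """Walk the tree and fingerprint every regular file, keyed by relative path."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                records[os.path.relpath(full, root)] = fingerprint(full)
    return records


def compare(old: dict, new: dict) -> dict:
    """Classify differences. 'modified' means the content hash changed;
    'stealth' means size and mtime still match but the hash does not."""
    report = {"added": [], "removed": [], "modified": [], "stealth": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path].sha256 != new[path].sha256:
            same_meta = (old[path].size == new[path].size
                         and old[path].mtime_ns == new[path].mtime_ns)
            report["stealth" if same_meta else "modified"].append(path)
    return report


def demo() -> dict:
    """Constructed scenario: three 'executables'. One gets a parasitic
    append, one is overwritten in place with size and mtime restored
    (stealth infection), and a dropped payload file appears."""
    root = tempfile.mkdtemp(prefix="avdemo_")
    try:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        originals = (("ls", b"ORIGINAL-LS-CODE"),
                     ("cat", b"ORIGINAL-CAT-CODE"),
                     ("cp", b"ORIGINAL-CP-CODE"))
        for name, body in originals:
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        before = baseline(root)

        # Infection 1: viral portion appended to ls (size and mtime change).
        with open(os.path.join(bin_dir, "ls"), "ab") as f:
            f.write(b"+VIRUS")
        # Infection 2: cat replaced by same-length code, then mtime restored.
        cat = os.path.join(bin_dir, "cat")
        st = os.stat(cat)
        with open(cat, "wb") as f:
            f.write(b"INFECTED-CAT-CODE")  # 17 bytes, same as the original
        os.utime(cat, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Dropper: a new file appears.
        with open(os.path.join(bin_dir, "payload"), "wb") as f:
            f.write(b"DROPPED")
        return compare(before, baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

In practice the baseline is stored off-host (or signed), since a virus with write access to the files also has write access to a baseline kept beside them.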

Worm: Basics

• Definition: Malicious software which is a stand-alone application (i.e. can run without a host application).
• Typical Behavior: Often designed to propagate through a network, rather than just within a single computer.
• Vulnerabilities: Multitasking computers, especially those employing open network standards.

Worm: Prevention & Detection

• Prevention:
– Limit connectivity
– Employ firewalls
– Maintain software in a secure state (patch the vulnerabilities worms exploit promptly)
– Watch for alerts.
• Detection:
– Computer is slow starting or slow running
– Unexpected or frequent system failures
– A surge of outbound connection attempts from one host to many addresses on the same port (the worm scanning for its next victims)
• Countermeasures:
– Overall methodology: contain, identify and recover
– Attempt to determine the source of the infection and issue an alert.

Worm: Example

• In November of 1988, a self-propagating worm known as the Internet Worm (the Morris worm) was released onto the ARPANET by Robert Morris Jr.
• It 'attached' itself to the computer system rather than to a single program.

Worm: Example

• Process:
– The worm obtained a new target machine name from the host it had just infected and then attempted to get a shell program running on the target machine.
– The worm used several means to get the shell program running.
– It primarily exploited errors in two network-connected server programs:
• the sendmail daemon (a debug option left enabled in the program release), and
• the 'finger' daemon, via a stack buffer overflow in its input handling (an unchecked gets() call).
– It also attacked weak passwords.

Worm: Example

– The shell program served as a beachhead and was used to download several binary executables that were used to crack passwords.
– A common password dictionary and the system dictionary were used for password cracking.
– The worm then attacked a new set of target hosts using any cracked accounts it had obtained from the current host.

Worm: Example

• The worm was also designed to be stealthy.
• If the beachhead program was unable to fully infect a machine, it deleted itself and the other files it had brought.
• The worm ran in memory, leaving no trace on disk.
• The worm changed its name and process ID frequently, so as to avoid showing long runtimes or large CPU usage.

Worm: Example

• The worm was (supposedly) not intended to be malicious and did not harm any data on the systems it infected.
• A bug prevented the worm from reliably checking whether a host was already infected, so it re-infected hosts repeatedly and overloaded the computers it infected.

Trojan Horse: Basics

• Definition: A worm which pretends to be a useful program, or a virus which is purposely attached to a useful program prior to distribution.
• Typical Behaviors: Same as Virus or Worm, but also sometimes used to send information back to, or make information available to, the perpetrator.
• Vulnerabilities:
– Unlike Worms, which self-propagate, Trojan Horses require user cooperation.
– Untrained users are vulnerable.

Trojan Horse: Prevention and Detection

• Prevention:
– User cooperation allows Trojan Horses to bypass automated controls.
– User training is the best prevention.
• Detection: Same as Virus and Worm
• Countermeasures:
– Same as Virus and Worm
– An alert must be issued, not only to other system administrators, but to all network users.

Time Bomb: Basics

• Definition: A Virus or Worm designed to activate at a certain date/time.
• Typical Behaviors: Same as Virus or Worm, but widespread throughout the organization upon the trigger date.
• Vulnerabilities:
– Same as Virus and Worm
– Time Bombs are usually found before the trigger date.

Time Bomb: Prevention and Detection

• Prevention:
– Run the associated anti-virus update as soon as it becomes available, i.e. before the trigger date.
• Detection:
– Correlate user problem reports to find patterns indicating a possible Time Bomb.
• Countermeasures:
– Contain, identify and recover
– Attempt to determine the source of infection and issue an alert.

27

• Definition: A Virus or Worm designed toactivate under certain conditions

• Typical Behaviors: Same as Virus or Worm• Vulnerabilities: Same as Virus and Worm• Prevention: Same as Virus and Worm• Detection: Correlate user problem reports

indicating possible Logic Bomb• Countermeasures:

– Contain, identify and recover– Determine the source and issue an alert

Logic BombBasics

Sanjay Goel, School of Business,University at Albany

28

• Definition: A worm designed to replicateto the point of exhausting computerresources

• Typical Behaviors: A rabbit consumes allCPU cycles, disk space or networkresources, etc.

• Vulnerabilities: Multitasking computers,especially those on a network

RabbitBasics

Sanjay Goel, School of Business,University at Albany

29

• Prevention:– Limit connectivity– Employ Firewalls

• Detection:– Computer is slow starting or running– Frequent system failures

• Countermeasures:– Contain, identify and recover– Determine the source and issue an alert

RabbitPrevention & Detection

Sanjay Goel, School of Business,University at Albany

30

• Definition: A virus designed to attach itself tothe OS in particular (rather than any applicationprogram) and exhaust computer resources,especially CPU cycles

• Typical Behaviors: Operating Systemconsumes more and more CPU cycles,resulting eventually in noticeable delay in usertransactions

• Vulnerabilities: Older versions of operatingsystems are more vulnerable than newerversions since hackers have had more time towrite Bacteria.

BacteriumBasics

Sanjay Goel, School of Business,University at Albany

31

• Prevention:– Limit write privileges and opportunities to OS files– System administrators should work from non-admin

accounts whenever possible.• Detection:

– Changes in OS file sizes, date/time stamps– Computer is slow in running– Unexpected or frequent system failures

• Countermeasures– Anti-virus scanners: look for known viruses– Anti-virus monitors: look for virus-related system

behaviors

BacteriumPrevention and Detection

Sanjay Goel, School of Business,University at Albany

32

Spoofing

Sanjay Goel, School of Business,University at Albany

33

Spoofing: Basics

• Definition: A computer on a network pretends to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.

Spoofing: Basics

• Typical Behaviors: The spoofing computer often doesn't have access to user-level commands, so it attempts to use automation-level services, such as email or message handlers, to carry out its attack.
• Vulnerabilities: Automation services designed for network interoperability are especially vulnerable, particularly those adhering to open standards, since they accept input from any peer that speaks the protocol.

Spoofing: Types

• IP Spoofing: Typically involves sending packets with forged source IP addresses to a machine, to fool it into processing the packets as if they came from a trusted host.
• Types of IP spoofing:
– Basic address change (the source field is simply forged; replies go to the impersonated host, so the attacker works blind)
– Use of source routing to intercept packets (so that replies are routed back through the attacker)
– Exploiting trust relationships on Unix machines (e.g. address-based trust in rlogin/rsh and .rhosts files)
• Email Spoofing: The attacker sends messages masquerading as someone else.
• Techniques for email spoofing:
– Fake email accounts
– Changing the email client configuration (the From: field is whatever the sender claims)
– Telnet to the mail port (TCP 25) and type the SMTP dialogue directly, supplying any MAIL FROM and From: header.

Spoofing: Types

• Web Spoofing: Assume the web identity of a site and control traffic to and from the web server.
• Several types of attacks:
– Basic: Setting up fake sites
– Man-in-the-Middle attack
– URL rewriting
– Tracking state

Spoofing: Prevention and Detection

• Prevention:
– Limit system privileges of automation services to the absolute minimum necessary
– Upgrade via security patches as they become available
– Do not base trust on the source IP address alone: drop packets whose source address cannot legitimately arrive on the interface they came in on (ingress/egress filtering), and authenticate cryptographically.
• Detection:
– Monitor transaction logs of automation services, scanning for unusual behaviors
• Countermeasures:
– Disconnect automation services until patched
– Monitor automation access points, such as network sockets, scanning for the next spoof, in an attempt to track the perpetrator
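The "basic address change" form of IP spoofing and the filter that stops it, as an added example that is not part of the lecture: it assembles an IPv4 header with a forged source address (built in memory only; actually sending it needs a raw socket and root) and applies the ingress/egress rule a border router uses to drop packets whose source address cannot belong to the interface they arrive on (the RFC 2827 rule). The addresses, the internal network and the payload are constructed for the demo.

```python
"""IP spoofing mechanics and the ingress-filtering check that defeats the
'basic address change' variant. Added example, not from the lecture; it
never sends anything, and all addresses are constructed."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header plus payload. Nothing in the header
    authenticates 'src': a spoofer simply writes a trusted host's address."""
    total_len = 20 + len(payload)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header; a valid checksum folds to zero when re-summed."""
    v_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def ingress_filter(packet: bytes, internal_net: str, arrived_on_external: bool) -> str:
    """Border-router rule. Inbound: a packet from the outside must not claim
    an inside source (the classic spoof of a trusted internal host).
    Outbound: a packet leaving must carry an inside source (the egress half,
    which stops this site being used to spoof others). Returns 'accept' or
    a drop reason."""
    fields = parse_ipv4(packet)
    if not fields["checksum_ok"]:
        return "drop: bad checksum"
    net = ipaddress.ip_network(internal_net)
    src = ipaddress.ip_address(fields["src"])
    if arrived_on_external and src in net:
        return "drop: external packet with internal source (spoofed)"
    if not arrived_on_external and src not in net:
        return "drop: outbound packet with foreign source (spoofing from inside)"
    return "accept"
```

The filter cannot catch a spoofed address that is plausible for the interface (an outside attacker claiming another outside address), which is why the prevention slide also calls for cryptographic authentication rather than address-based trust.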

Masquerade: Basics

• Definition: Accessing a computer by pretending to have an authorized user's identity.
• Typical Behaviors: The masquerading user often employs network or administrator command functions to access even more of the system, e.g. by attempting to download the password file or routing tables.
• Vulnerabilities: Placing false or modified login prompts on a computer is a common way to obtain user IDs and passwords, as are Snooping, Scanning and Scavenging.

Masquerade: Prevention and Detection

• Prevention:
– Limit user access to network or administrator command functions
– Implement multiple levels of administrators, with different, restricted privileges for each.
• Detection:
– Correlate user identification with shift times or increased frequency of access
– Correlate user command logs with administrator command functions
• Countermeasures:
– Change the user's password, or use standard administrator functions to determine the access point, then trace back to the perpetrator.

Session Hijacking

Session Hijacking: Basics

• Definition: The attacker takes over an existing active session and exploits the existing trust relationship.

Session Hijacking: Basics

• Process:
– The user makes a connection to the server and authenticates using his user ID and password.
– After the user authenticates, he has access to the server for as long as the session lasts; the server does not re-authenticate individual commands.
– The attacker takes the user offline (e.g. by denial of service).
– The attacker gains access to the server by impersonating the user, continuing the session with the sequence numbers the user's connection was using.
• Typical Behaviors: The attacker usually monitors the session, periodically injects commands into the session, and can launch passive and active attacks from the session.

Session Hijacking: Process

[Figure: Bob telnets to Server and authenticates. The Attacker, sniffing the session, sends "Die!" to Bob (knocking him offline) and "Hi! I am Bob" to the Server, taking over the authenticated session.]

• Protection:
– Use encryption
– Use a secure protocol (e.g. SSH in place of telnet)
– Limit incoming connections
– Minimize remote access
– Have strong authentication
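The telnet hijack in the figure above, worked through as an added example that is not part of the lecture: a sniffer tracks the sequence numbers of Bob's session, the attacker forges the one segment the server will accept as Bob's, and a detector flags the two signals this leaves behind, a TTL that does not match Bob's earlier packets and the ACK storm between the now-desynchronised real endpoints. The trace, the TTL values and the storm threshold are constructed assumptions; nothing is sniffed or sent.

```python
"""TCP session hijacking as done by tools such as Hunt and Juggernaut, and
the two signals that give it away. Added example, not from the lecture:
the packets are a constructed trace of Bob's telnet session."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes = b""
    ttl: int = 64
    flags: str = "PA"   # TCP flag letters, e.g. "S", "SA", "A", "PA"


@dataclass
class FlowState:
    """What a sniffer on the path learns: the next sequence number each side
    will send (which is also what its peer expects next) and each side's TTL."""
    next_seq: dict = field(default_factory=dict)   # ip -> next seq it will send
    ttl_seen: dict = field(default_factory=dict)   # ip -> first TTL observed

    def observe(self, s: Segment) -> None:
        consumed = len(s.payload) + ("S" in s.flags) + ("F" in s.flags)
        self.next_seq[s.src] = s.seq + consumed
        self.ttl_seen.setdefault(s.src, s.ttl)


def forge(state: FlowState, victim: str, server: str, payload: bytes, attacker_ttl: int) -> Segment:
    """The hijacker's segment: it claims the victim's address and carries
    exactly the seq/ack the server expects next, so the server accepts the
    data as Bob's. The attacker cannot fake its hop count, hence attacker_ttl."""
    return Segment(src=victim, dst=server,
                   seq=state.next_seq[victim], ack=state.next_seq[server],
                   payload=payload, ttl=attacker_ttl)


def detect(trace, ack_storm_threshold: int = 3):
    """Two hijack indicators: (1) a segment from a known address whose TTL
    differs from that address's earlier packets (different sender, different
    path); (2) an ACK storm: the real endpoints, now desynchronised, bounce
    empty ACKs with unchanged seq/ack back and forth."""
    state = FlowState()
    alerts = []
    empty_acks = {}
    for i, s in enumerate(trace):
        if s.src in state.ttl_seen and s.ttl != state.ttl_seen[s.src]:
            alerts.append((i, f"ttl mismatch for {s.src}: {s.ttl} != {state.ttl_seen[s.src]}"))
        if s.flags == "A" and not s.payload:
            key = (s.src, s.seq, s.ack)
            empty_acks[key] = empty_acks.get(key, 0) + 1
            if empty_acks[key] == ack_storm_threshold:
                alerts.append((i, f"ack storm: {s.src} repeated ACK seq={s.seq} ack={s.ack}"))
        state.observe(s)
    return alerts


def demo():
    bob, srv = "10.0.0.5", "10.0.0.1"
    trace = [                                   # constructed telnet login
        Segment(bob, srv, 1000, 0, flags="S"),
        Segment(srv, bob, 5000, 1001, flags="SA", ttl=60),
        Segment(bob, srv, 1001, 5001, flags="A"),
        Segment(bob, srv, 1001, 5001, b"bob\r\n"),
        Segment(srv, bob, 5001, 1006, b"Password: ", ttl=60),
        Segment(bob, srv, 1006, 5011, b"s3cret\r\n"),
        Segment(srv, bob, 5011, 1014, b"$ ", ttl=60),
    ]
    state = FlowState()
    for s in trace:
        state.observe(s)
    # Attacker injects as Bob; its packets take a different path (TTL 52).
    injected = forge(state, bob, srv, b"echo + + > ~/.rhosts\r\n", attacker_ttl=52)
    # The server accepts and acks 22 new bytes Bob never sent; Bob's stack
    # and the server now disagree and trade empty ACKs (the storm).
    storm = [Segment(bob, srv, 1014, 5013, flags="A"),
             Segment(srv, bob, 5013, 1036, flags="A", ttl=60)] * 3
    return injected, detect(trace + [injected] + storm)
```

Hunt and Juggernaut avoid the storm by ARP-spoofing both ends so they relay the whole connection; the TTL/IP-ID fingerprint check still works against that, and encryption (SSH) makes the injected bytes meaningless to the server in the first place.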

Session Hijacking: Popular Programs

• Juggernaut
– Network sniffer that can also be used for hijacking
– Get from http://packetstorm.securify.com
• Hunt
– Can be used to listen, intercept and hijack active sessions on a network
– http://lin.fsid.cvut.cz/~kra/index.html
• TTY Watcher
– Freeware program to monitor and hijack sessions on a single host
– http://www.cerias.purdue.edu
• IP Watcher
– Commercial session hijacking tool based on TTY Watcher
– http://www.engrade.com

Buffer Overflow & Other Attacks

Buffer Overflow Attacks: Basics

• Definition: The attacker supplies more data to a program than the buffer it is copied into can hold. The excess overwrites adjacent memory (on the stack, the saved return address), which the attacker exploits to redirect execution to code of their choosing.

Buffer Overflow Attacks: Basics

• Typical Behaviors: Can be used against many network services. Can be used for denial-of-service (easier to do: just crash the program) or to obtain privileges on a machine (harder: the overwritten return address has to land on working code).
• Vulnerabilities: Takes advantage of the way in which information is stored by computer programs. Programs that do not rigorously check the length of input against the size of the destination buffer (e.g. C code using strcpy, gets or sprintf on untrusted input) are vulnerable to this attack.

Buffer Overflow Attacks: Basics

• Scenario: If the memory allocated for a name is 50 characters, someone can break the program by sending a fictitious name of more than 50 characters.
• Impact: Can be used for espionage, denial of service or compromising the integrity of the data.
• Some vulnerable software (historical examples cited in the lecture):
– NetMeeting Buffer Overflow
– Outlook Buffer Overflow
– AOL Instant Messenger Buffer Overflow
– SQL Server 2000 Extended Stored Procedure Buffer Overflow
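The 50-character name scenario, modelled as an added example that is not part of the lecture: the stack frame is a bytearray laid out as name[50], saved frame pointer, return address; an unchecked strcpy-style copy overwrites the return address with attacker-chosen bytes, while a length-checked copy refuses the input. This models only the layout, since real corruption needs native code; the frame offsets, the 32-bit widths and the addresses are assumed values chosen for the demo.

```python
"""Model of the stack smash the lecture describes: a 50-byte name buffer
sitting below the saved frame pointer and return address. Added example,
not from the lecture; offsets and addresses are constructed assumptions."""
import struct

NAME_SIZE = 50
SAVED_FP = 4            # saved frame pointer (32-bit frame assumed)
RET_ADDR = 4            # saved return address
CALLER_SLACK = 8        # a little of the caller's frame above the return address
MODEL_SIZE = NAME_SIZE + SAVED_FP + RET_ADDR + CALLER_SLACK
RET_OFFSET = NAME_SIZE + SAVED_FP
ORIGINAL_RET = 0x08048ABC   # where the function would legitimately return (assumed)


def new_frame() -> bytearray:
    """Stack frame as the callee sees it: name[50], then saved fp, then ret."""
    frame = bytearray(MODEL_SIZE)
    struct.pack_into("<I", frame, NAME_SIZE, 0xBFFFF000)   # saved fp (assumed)
    struct.pack_into("<I", frame, RET_OFFSET, ORIGINAL_RET)
    return frame


def return_address(frame: bytearray) -> int:
    return struct.unpack_from("<I", frame, RET_OFFSET)[0]


def strcpy_unchecked(frame: bytearray, name: bytes) -> None:
    """What strcpy() does: copies up to and including the NUL, however long
    the input. Bytes past 50 land on the saved fp and the return address."""
    data = name.split(b"\x00", 1)[0] + b"\x00"
    if len(data) > MODEL_SIZE:
        raise MemoryError("overflow ran off the modelled frame")
    frame[: len(data)] = data


def copy_checked(frame: bytearray, name: bytes) -> bool:
    """The fix: check the length against the destination before copying.
    Returns False (and copies nothing) for over-long input."""
    data = name.split(b"\x00", 1)[0]
    if len(data) >= NAME_SIZE:           # leave room for the terminating NUL
        return False
    frame[: len(data) + 1] = data + b"\x00"
    return True


def attacker_name(target: int) -> bytes:
    """A 'name' that fills the buffer and the saved fp, then overwrites the
    return address with `target` (e.g. the address of injected shellcode)."""
    return b"A" * NAME_SIZE + b"B" * SAVED_FP + struct.pack("<I", target)


def demo():
    """Returns (return address after unchecked copy, after checked copy,
    whether the checked copy accepted the over-long name)."""
    fake_target = 0x41414141
    vuln = new_frame()
    strcpy_unchecked(vuln, attacker_name(fake_target))
    fixed = new_frame()
    accepted = copy_checked(fixed, attacker_name(fake_target))
    return return_address(vuln), return_address(fixed), accepted
```

Note that the check compares against the destination size, not against some expected input size: the program decides how much it can hold, never the sender.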

Denial of Service: Basics

• Definition: An attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading it so that no one else can use it.

Denial of Service: Basics

• Typical Behaviors:
– Crashing the system or network: send the victim data or packets which will cause the system to crash or reboot.
– Exhausting resources by flooding the system or network with traffic. Since all resources are exhausted, others are denied access to them.
– Distributed DoS attacks are coordinated denial of service attacks involving several people and/or machines to launch the attack.

Denial of Service: Popular Programs
(the list mixes attack tools and the vulnerabilities they exploit)

• Ping of Death
• SSPing
• Land
• Smurf
• SYN Flood
• CPU Hog
• WinNuke
• RPC Locator
• Jolt2
• Bubonic
• Microsoft Incomplete TCP/IP Packet Vulnerability
• HP OpenView Node Manager SNMP DoS Vulnerability
• NetScreen Firewall DoS Vulnerability
• Checkpoint Firewall DoS Vulnerability
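Detection logic for four of the attacks in the list above (Land, Ping of Death, Smurf, SYN flood), as an added example that is not part of the lecture, run over a constructed packet log. The addresses, packet fields and the half-open threshold are assumptions for the demo; the checks themselves are the standard signatures of those attacks: source equals destination, a fragment that reassembles past 65535 bytes, an echo request to a broadcast address, and SYNs that never complete the handshake.

```python
"""Detection logic for Land, Ping of Death, Smurf and SYN flood, run over
a constructed packet log. Added example, not from the lecture."""
from collections import Counter, defaultdict

MAX_IP_DATAGRAM = 65535


def is_land(p) -> bool:
    """Land: a SYN whose source and destination address *and* port are the
    victim's own, so the stack ends up talking to itself."""
    return (p["proto"] == "tcp" and "S" in p.get("flags", "")
            and p["src"] == p["dst"] and p.get("sport") == p.get("dport"))


def is_ping_of_death(p) -> bool:
    """Ping of Death: an ICMP fragment that, once reassembled, would exceed
    the maximum IP datagram size (fragment offset is in 8-byte units)."""
    return p["proto"] == "icmp" and p.get("frag_off", 0) * 8 + p.get("len", 0) > MAX_IP_DATAGRAM


def is_smurf_trigger(p) -> bool:
    """Smurf as seen on the amplifier network: an echo request addressed to
    a broadcast address whose (spoofed) unicast source is the real victim."""
    return p["proto"] == "icmp" and p.get("type") == "echo-request" and p.get("dst_broadcast", False)


def syn_flood_sources(packets, threshold: int) -> dict:
    """SYN flood: sources that open many connections without ever sending
    the third-handshake ACK. Returns {dst: {src: half_open_count}} for
    sources at or above the threshold."""
    syns = defaultdict(Counter)     # dst -> (src, sport) -> SYN count
    acked = defaultdict(set)        # dst -> {(src, sport)} that completed
    for p in packets:
        if p["proto"] != "tcp":
            continue
        flags = p.get("flags", "")
        key = (p["src"], p.get("sport"))
        if "S" in flags and "A" not in flags:
            syns[p["dst"]][key] += 1
        elif flags == "A":
            acked[p["dst"]].add(key)
    result = {}
    for dst, counter in syns.items():
        per_src = Counter()
        for (src, sport), n in counter.items():
            if (src, sport) not in acked[dst]:
                per_src[src] += n
        flagged = {src: n for src, n in per_src.items() if n >= threshold}
        if flagged:
            result[dst] = flagged
    return result


def analyse(packets, syn_threshold: int = 5) -> dict:
    """Index of each matching packet per attack, plus the SYN-flood table."""
    findings = {"land": [], "ping_of_death": [], "smurf": []}
    for i, p in enumerate(packets):
        if is_land(p):
            findings["land"].append(i)
        if is_ping_of_death(p):
            findings["ping_of_death"].append(i)
        if is_smurf_trigger(p):
            findings["smurf"].append(i)
    findings["syn_flood"] = syn_flood_sources(packets, syn_threshold)
    return findings


def sample_log():
    """Constructed trace: one legitimate handshake, a Land packet, a
    Ping-of-Death fragment, a Smurf trigger and a small SYN flood."""
    v = "192.0.2.10"
    log = [
        {"proto": "tcp", "src": "198.51.100.4", "sport": 40000, "dst": v, "dport": 23, "flags": "S"},
        {"proto": "tcp", "src": v, "sport": 23, "dst": "198.51.100.4", "dport": 40000, "flags": "SA"},
        {"proto": "tcp", "src": "198.51.100.4", "sport": 40000, "dst": v, "dport": 23, "flags": "A"},
        {"proto": "tcp", "src": v, "sport": 139, "dst": v, "dport": 139, "flags": "S"},
        {"proto": "icmp", "src": "203.0.113.9", "dst": v, "type": "echo-request", "frag_off": 8185, "len": 80},
        {"proto": "icmp", "src": v, "dst": "198.51.100.255", "type": "echo-request", "dst_broadcast": True},
    ]
    for port in range(50000, 50006):
        log.append({"proto": "tcp", "src": "203.0.113.77", "sport": port, "dst": v, "dport": 80, "flags": "S"})
    return log
```

A real SYN flood spoofs a different source per SYN, so the per-source count alone is not enough; the same half-open bookkeeping per destination (and SYN cookies on the server) is what catches that case.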

Tunneling: Basics

• Definition: Attempts to get "under" a security system by accessing very low-level system functions (e.g. device drivers, OS kernels).

Tunneling: Basics

• Typical Behaviors: Unexpected disk accesses, unexplained device failure, halted security software, etc.
• Vulnerabilities: Tunneling attacks often occur by creating system emergencies to cause system reloading or initialization.

Tunneling: Basics

• Prevention: Design security and audit capabilities into even the lowest-level software, such as device drivers, shared libraries, etc.
• Detection: Changes in date/time stamps for low-level system files, or changes in sector/block counts for device drivers.
• Countermeasures:
– Patch or replace compromised drivers to prevent access
– Monitor suspected access points to attempt trace back.

Trap Door: Basics

• Definition: System access for developers inadvertently left available after software delivery. Sometimes installed by malicious software.

Trap Door: Basics

• Typical Behaviors:
– Unauthorized system access enables viewing, alteration or destruction of data or software.
• Vulnerabilities:
– Software developed outside organizational policies and formal methods.

Trap Door: Basics

• Prevention:
– Enforce defined development policies
– Limit network and physical access
• Detection:
– Audit trails of system usage, especially user identification logs
• Countermeasures:
– Close the trap door, or monitor ongoing access to trace back to the perpetrator
– Virus and worm countermeasures.

Identity Theft

Sequential Scanning: Basics

• Definition:
– Sequentially testing passwords/authentication codes until one is successful.
• Typical Behaviors: Multiple users attempting network or administrator command functions, indicating multiple Masquerades.
• Vulnerabilities: Login prompts have a built-in time delay to foil automated scanning; obtaining the encoded (hashed) password table and testing candidates against it off-line side-steps that delay and is a common technique.

Sequential Scanning: Basics

• Prevention:
– Enforce organizational secure password policies.
– Make system administrator access to password files secure (e.g. a shadowed password file readable only by root).
• Detection:
– Correlate user identification with shift times.
– Correlate user problem reports relevant to possible Masquerades.
– Bursts of failed logins against one or many accounts from a single source.
• Countermeasures:
– Change the entire password file, or use baiting tactics to trace back to the perpetrator.

Dictionary Scanning: Basics

• Definition: Scanning through a dictionary of commonly used passwords/authentication codes until one is successful.
• Typical Behaviors: Multiple users attempting network or administrator command functions, indicating multiple Masquerades.
• Vulnerabilities: Use of common words and names as passwords or authentication codes (so-called "Joe accounts", where the password is the same as the user name, and default accounts such as guest or test).

Dictionary Scanning: Basics

• Prevention: Enforce organizational password policies (reject dictionary words and user-name-derived passwords at the time they are set, since a cracker will try exactly those first).
• Detection:
– Correlate user identification with shift times
– Correlate user problem reports relevant to possible Masquerades
• Countermeasures:
– Change the entire password file, or use baiting tactics to trace back to the perpetrator.
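An added example, not from the lecture, that serves both the sequential-scanning point about off-line cracking and the dictionary-scanning slides: it cracks a constructed password table off-line, where the login prompt's delay does not apply, trying the "Joe account" guess first, then plain dictionary words, then the cheap manglings users apply to satisfy naive policies, and it shows why on-line guessing is the slow path. The user names, salts, word list and the PBKDF2 stand-in for a crypt(3)-style salted hash are assumptions for the demo.

```python
"""Off-line dictionary attack against a hashed password table. Added
example, not from the lecture; the hash scheme, users, salts and word list
are constructed stand-ins, not a real /etc/shadow format."""
import hashlib
import itertools

# Stand-in for a crypt(3)-style salted hash: PBKDF2-SHA256 with a low
# iteration count so the demo runs fast. Real systems use far more.
ITERATIONS = 1000


def hash_password(password: str, salt: str) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"${salt}${dk.hex()}"


def candidates(username: str, wordlist):
    """Candidate order mirrors what crackers try first: the 'Joe account'
    (password == user name), then plain dictionary words, then capitalised
    words and common suffixes."""
    yield username
    yield username.capitalize()
    for word in wordlist:
        yield word
    for word in wordlist:
        yield word.capitalize()
        for suffix in ("1", "123", "!"):
            yield word + suffix
            yield word.capitalize() + suffix


def crack(table: dict, wordlist, limit=None) -> dict:
    """table: user -> '$salt$hex'. Returns user -> recovered password.
    No prompt, no delay, no lockout: the attacker has the table."""
    found = {}
    for user, entry in table.items():
        salt = entry.split("$")[1]
        for guess in itertools.islice(candidates(user, wordlist), limit):
            if hash_password(guess, salt) == entry:
                found[user] = guess
                break
    return found


def online_time_seconds(guesses: int, delay_per_attempt: float, lockout_after=None):
    """Why attackers go off-line: a per-prompt delay makes 100k guesses take
    days, and an account lockout stops them after a handful."""
    if lockout_after is not None and guesses > lockout_after:
        return float("inf")
    return guesses * delay_per_attempt


def demo() -> dict:
    """Constructed table of four users; three have weak passwords."""
    wordlist = ["password", "letmein", "welcome", "dragon", "albany"]
    table = {
        "guest": hash_password("guest", "a1"),           # Joe account
        "alice": hash_password("Welcome1", "b2"),        # mangled dictionary word
        "bob":   hash_password("dragon", "c3"),          # plain dictionary word
        "carol": hash_password("xq7!Lm#9vRt2", "d4"),    # in no list; survives
    }
    return crack(table, wordlist)
```

The same `candidates` generator, run against a proposed password at the moment it is set, is the proactive check the prevention slide calls for: if the cracker would find it in the first few thousand guesses, reject it.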

Digital Snooping: Basics

• Definition: Electronic monitoring of digital networks to uncover passwords or other data.
• Typical Behaviors:
– System administrators found on-line at unusual or off-shift hours
– Changes in behavior of the network transport layer
• Vulnerabilities:
– Example of how COMSEC (communications security) affects COMPUSEC (computer security)
– Links can be more vulnerable to snooping than nodes (telnet, FTP and POP send passwords in clear text, so anyone on the path can read them).

Digital Snooping: Basics

• Prevention:
– Employ data encryption
– Limit physical access to network nodes and links
• Detection:
– Correlate user identification with shift times
– Correlate user problem reports. Monitor network performance
• Countermeasures:
– Change encryption schemes, or employ network monitoring tools to attempt trace back to the perpetrator.

Shoulder Surfing: Basics

• Definition: Direct visual observation of monitor displays (or keyboards) to obtain access credentials.
• Typical Behaviors:
– Authorized user found on-line at unusual or off-shift hours, indicating a possible Masquerade.
– Authorized user attempting administrator command functions.
• Vulnerabilities:
– Sticky notes used to record account & password information
– Password entry screens that do not mask typed text
– "Loitering" opportunities

Shoulder Surfing: Basics

• Prevention:
– Limit physical access to computer areas
– Require frequent password changes by users
• Detection:
– Correlate user identification with shift times or increased frequency of access
– Correlate user command logs with administrator command functions
• Countermeasures:
– Change the user's password, or use standard administrator functions to determine the access point, then trace back to the perpetrator.

Dumpster Diving: Basics

• Definition: Accessing discarded trash to obtain passwords and other data.
• Typical Behaviors:
– Multiple users attempting network or administrator command functions, indicating multiple Masquerades.
• Vulnerabilities:
– "Sticky" notes used to record account and password information
– System administrator printouts of user logs

Dumpster Diving: Basics

• Prevention: Destroy (shred) discarded hardcopy and discarded media.
• Detection:
– Correlate user identification with shift times
– Correlate user problem reports relevant to possible Masquerades.
• Countermeasures:
– Change the entire password file, or use baiting tactics to trace back to the perpetrator.

Browsing: Basics

• Definition: Automated scanning of large unprotected data sets to obtain clues to gain access.
– e.g. discarded media, or on-line "finger"-type commands
• Typical Behaviors:
– Authorized user found on-line at unusual or off-shift hours, indicating a possible Masquerade
– Authorized user attempting admin command functions.

Browsing: Vulnerabilities

• Vulnerabilities:
– Finger-type services provide information to any and all users
– The information is usually assumed safe but can give clues to passwords (e.g. a spouse's name)

Browsing: Prevention & Detection

• Prevention:
– Destroy discarded media
– Especially on open networks, disable finger-type services
• Detection:
– Correlate user identification with shift times or increased frequency of access.
– Correlate user command logs with administrator command functions
• Countermeasures:
– Change the user's password, or use standard administrator functions to determine the access point, then trace back to the perpetrator.

Other Security Risks

Equipment Malfunction: Basics

• Definition: Hardware operates in abnormal, unintended ways.
• Typical Behaviors: Immediate loss of data due to abnormal shutdown. Continuing loss of capability until equipment is repaired.
• Vulnerabilities: Vital peripheral equipment is often more vulnerable than the computers themselves.
• Prevention: Replication of the entire system, including all data and recent transactions.
• Detection: Hardware diagnostic systems.

Software Malfunction: Basics

• Definition: Software does not work in its intended manner.
• Typical Behaviors:
– Immediate loss of data due to abnormal end
– Repeated failures when the faulty data is used again
• Vulnerabilities: Poor software development practices.
• Prevention:
– Enforce strict software development practices
– Comprehensive software testing procedures
• Detection: Use software diagnostic tools.

Software Malfunction: Basics

• Countermeasures:
– Backup software
– Robust operating systems

User Error: Basics

• Definition: Inadvertent alteration, manipulation or destruction of programs, data files or hardware.
• Typical Behaviors:
– Incorrect data entered into the system, or incorrect behavior of the system.
• Vulnerabilities:
– Poor user documentation or training.

User Error: Basics

• Prevention:
– Enforcement of training policies and separation of programmer/operator duties
• Detection:
– Audit trails of system transactions
• Countermeasures:
– Backup copies of software and data
– On-site replication of hardware.

Spam: Basics

• Definition: system with incoming message or other traffic to cause
• Typical Behaviors: Crashes, eventually traced to an overfull buffer or swap space.
• Vulnerabilities: Open networks, where any host may connect to the mail port, are especially vulnerable.

Spam: Basics

• Prevention: Require authentication fields in message traffic.
• Detection: Monitor partitions, network sockets, etc. for overfull conditions.
• Countermeasures:
– Use the message headers to attempt trace back to the perpetrator.

References: Sources & Further Reading

• CERT & CERIAS web sites
• Security in Computing by Pfleeger & Pfleeger
• Hackers Beware by Eric Cole
• NIST web site
• Other web sources