1.0 Abstract
As the world moves more and more towards becoming a networked environment, where almost every activity
finds an electronic parallel, it becomes increasingly important to realize the need for security of information.
1 of 11 1/4/2010 1:26 AM
Information Security: A Current Perspective http://arjunvenkatraman.com/work/techno/infosec.html
The aim of this paper is to present a clear picture of how exactly security breaches occur, what methods
crackers use today to harm systems, and how even the most basic user of a computer is at risk.
This paper deals primarily with the various types of attacks perpetrated against the IT community by malicious
crackers. It attempts to explain the three most popular attacks, i.e. Denial of Service, Trojan and Virus/Worm
attacks, and their effect on non-corporate users.
It also touches upon the possible methods of protection against these attacks.
Finally, the paper concludes that information security is no longer only a corporate issue, and that all users of
computers, whether at home or at work, must consciously secure themselves against such attacks.
3.0 Vulnerabilities
Vulnerabilities are the tricks of the trade for hackers, giving an intruder the ability to heighten their access by
exploiting a flawed piece of logic inside the code of a computer. Like the hackers that seek them out,
vulnerabilities are usually quite mysterious, and it is hard to prove that they even exist.
As security experts get acquainted with vulnerabilities and how they are exploited, the methods of exploitation
appear random and chaotic, each and every one with seemingly unpredictable results. It has been theorized
that this comes from the fact that logic flaws are mistakes, and mistakes do not follow the course of intelligent reason.
However, vulnerabilities can be categorized in ways that make more sense to the person investigating the
problems at hand.
                            Affects Person         Affects Computer
Instantaneous               Social Engineering     Logic Error
Requires a duration         Policy Oversight       Weakness
of time
Logic error is a short cut directly to a security altering effect, usually considered a basic bug. These types
of problems occur due to a special circumstance (usually poorly written code) that allows heightened access.
This is the type of vulnerability usually thought of first.
Weakness is a security measure that was put into place, but has a flaw in its design that could lead to a
security breach. It usually involves security that may or may not be distinctly solid, but which it is possible for
people to bypass. The term “Security through Obscurity” fits in this arena, the idea being that a system is secure
because nobody can see or understand the hidden elements.
Social Engineering is a nebulous area of attacking, associated with a directed attack against the working policy
followed by an individual or user. Policy is being used in a high level sense, because the attack could be an
internal worker committing sabotage, a telephone scam directed at a naive employee, or digging for
information that was thrown away in dumpsters.
Policy oversight is a flaw in the planning meant to avoid a situation, covering such conditions as not
producing adequate software backups, not having proper contact numbers, not having working protection
equipment, and so forth.
4.0 Attacks
As described in section 3.2, there are a number of ways, or tactics, that a malicious user can employ to take
advantage of the vulnerabilities of a system. Some of the ways in which such tactics can be implemented are
described here.
since distributed computing has provided an enhanced version of the attack to evolve. This
enhanced version of DoS is called Distributed Denial of Service (DDoS) and is one of the
most feared attacks of modern times.
4.1.2 How DoS works:
DoS attacks are generally brought about by exploiting a programming flaw in the server
software and by writing specialized programs to perform attacks. DoS attacks usually use
one of the following strategies:
· Bandwidth Consumption
· Resource Saturation
· System and Application Crash
Bandwidth Consumption refers to the complete use of available network bandwidth by an
attacking computer. This makes network response slow or stops the server completely
while the attack is ongoing. The “Smurf” attack (see section 6.1) is a good example of this
approach.
Resource Saturation makes use of the fact that each computer has only a finite amount of
resources such as memory, storage and processing power. The strategy of resource
saturation is to target one or more of these resources and use it up completely so that
there is none left for allocation to other programs. The SYN flood attack (section 6.2) uses
this strategy.
System and Application Crashes are fast and easy approaches wherein an exploitable
programming flaw is used to crash the system or a running application, thereby stopping
service. A well known implementation is the Ping of Death attack (Section 6.3).
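The resource saturation strategy can be seen directly in a host's connection table: a SYN flood leaves many connections half-open (state SYN_RECV) that never complete the handshake, and the table entries for them are the resource being exhausted. The Python below is an added example, not code from the paper; it reads constructed lines shaped like `netstat -tan` output, counts half-open entries per remote source, and flags sources over a threshold. Because real floods usually spoof their source addresses, the total number of half-open entries is the more robust signal, so it is reported as well.

```python
"""Added example (not from the paper): spotting a SYN flood in a connection-table snapshot."""
from collections import Counter

# Constructed connection-table lines: state, local address, remote address.
SAMPLE_CONNECTIONS = """\
ESTABLISHED 192.0.2.10:80 198.51.100.7:51022
SYN_RECV    192.0.2.10:80 203.0.113.5:40001
SYN_RECV    192.0.2.10:80 203.0.113.5:40002
SYN_RECV    192.0.2.10:80 203.0.113.5:40003
SYN_RECV    192.0.2.10:80 203.0.113.5:40004
SYN_RECV    192.0.2.10:80 203.0.113.5:40005
SYN_RECV    192.0.2.10:80 198.51.100.9:33001
ESTABLISHED 192.0.2.10:22 198.51.100.9:33002
"""


def half_open_by_source(table: str) -> Counter:
    """Count SYN_RECV (half-open) entries per remote IP, ignoring the port."""
    counts = Counter()
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # header or malformed line
        state, _local, remote = parts
        if state == "SYN_RECV":
            ip, _, _port = remote.rpartition(":")
            counts[ip] += 1
    return counts


def total_half_open(table: str) -> int:
    """Total half-open connections; the right signal when sources are spoofed."""
    return sum(half_open_by_source(table).values())


def syn_flood_suspects(table: str, threshold: int = 5) -> list:
    """Remote IPs holding at least `threshold` half-open connections."""
    return sorted(ip for ip, n in half_open_by_source(table).items() if n >= threshold)


if __name__ == "__main__":
    print("half-open total:", total_half_open(SAMPLE_CONNECTIONS))
    print("suspect sources:", syn_flood_suspects(SAMPLE_CONNECTIONS))
```

The thresholds here are constructed for the sample; in practice the value to watch is the growth of the half-open total relative to the backlog size, and the usual mitigation on the host side is SYN cookies, which remove the per-connection state the flood depends on.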
intervention.
4.2.2 How do Viruses/Worms Spread?
A virus/worm is deemed to be “in the wild” once it has escaped or been released into the
general public. The general public refers to computing environments outside the
development area where the virus was created and tested.
Almost all viruses work along these lines:
· A user calls a legitimate program
· The virus code, having infected the program and being in the chain of
command, executes
· The virus code terminates and hands over control to the host
When the virus code executes it finds more infectable files and proceeds to infect them. As
these files are called more and more copies are created. The virus source may also contain
damaging instructions, which over time affect performance of a system or may even crash it
abruptly.
Viruses are characterized by two major features:
· Stealth
· Polymorphism
Stealth is a feature which conceals the virus from the user, so that the virus remains
undetected for a long period.
Polymorphism means that every time a virus infects a new file, it evolves in some manner.
This means that the virus code changes subtly or perceptibly at each new infection. The
utility of this feature to virus writers is that, since there are fewer fixed patterns to match, the
virus is that much harder to trace.
5.0 Defenses
We now proceed to some of the possible methods of defending against the attacks listed above.
While none of these methods provide foolproof security, their use deters malicious computer use to a large
extent.
5.1 Firewalls
5.1.1 What is a Firewall?
A firewall is any device used as a network level access control mechanism for a particular
network or set of networks. In most cases firewalls are used to prevent outside users from
accessing internal networks. However, firewalls can also be used within a network to
provide more secure pockets for highly sensitive functions, e.g. payroll management. A
fast-growing application of firewall technology is in the field of personal firewalls. As high
speed internet makes its way into homes, it is common to find a home PC acting as a
server. Such users usually feel the need for a personal firewall.
Apart from access control, firewalls may also provide some or all of the following services:
· Content Filtering
· Virtual Private Networking
· Network Address Translation
· Load Balancing
· Fault Tolerance
· Intrusion Detection
A few years later, Dan Farmer and Wietse Venema authored a tool called SATAN (Security
Administrator Tool for Analyzing Networks).
After SATAN, a number of scanners have hit the market.
The scanners help find and repair network level faults and errors.
5.2.2 How Vulnerability Assessment works
There are mainly two categories of entry points to a system. These are:
· Local exposure points
· Remote exposure points
Local exposure points are at the host level, while remote exposure points are reachable over
the network.
In order to exploit a remote exposure point an attacker can use a number of commonly
available tools. For example, an attacker may port scan a system using nmap, identify the
running operating system, and then log all the listening ports.
This kind of scanner can also be used by system administrators to scan a system for
vulnerabilities.
Although implementation details differ, scanners are generally built from the following
components:
· The vulnerability data
· The scanning mechanism
· The reporting mechanism
While choosing a scanner the features to look for are:
· Completeness of vulnerability checks
· Accuracy of the vulnerability checks
· Scope of vulnerability checks
· Timely update
· Reporting capabilities
· Licensing and pricing
Anomaly-based IDS are usually more complex and are more conceptually oriented than
implementation oriented.
They look for deviations from the established patterns of network usage.
The most common models are host based and network based.
5.3.2 Working of an IDS
Network based IDS (NIDS): A network based IDS is designed to look for known patterns,
known as signatures, in incoming network traffic. It is passive in nature, and the rest of the
systems are seldom even aware that it is operational.
The drawback of NIDS is that it detects only known types of attacks. Thus, if an attack
occurs for which the NIDS is not programmed, it will pass by unnoticed. Also, in high
bandwidth environments with multiple switches, NIDS effectiveness is reduced.
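The signature-matching core of a NIDS, and the limitation just described, can both be shown in a few lines. The Python below is an added example and not code from the paper or from any IDS product; the signature set and the traffic samples are constructed for it. Two signatures are applied to four request payloads: a benign request, a directory-traversal request, a long filler run of the kind seen in overflow probes, and a traversal request with the same meaning but URL-encoded. Matched as raw bytes, the encoded variant passes unnoticed, which is exactly the "only known patterns" problem; normalising the payload before matching (here by URL-decoding it) is the usual countermeasure.

```python
"""Added example (not from the paper): signature matching as a NIDS does it, and why encoding defeats naive matching."""
import re
from urllib.parse import unquote_to_bytes

# Constructed signature set: name -> pattern over the raw request bytes.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "long-filler-run": re.compile(rb"A{200,}"),
}

# Constructed traffic samples: (label, payload).
SAMPLE_TRAFFIC = [
    ("benign", b"GET /index.html HTTP/1.0\r\n"),
    ("traversal", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    ("filler", b"GET /cgi-bin/x?" + b"A" * 300 + b" HTTP/1.0\r\n"),
    ("encoded-traversal", b"GET /..%2f..%2fetc/passwd HTTP/1.0\r\n"),
]


def match_signatures(payload: bytes, signatures=SIGNATURES, normalize: bool = False) -> list:
    """Names of every signature that fires on `payload`.

    With normalize=True the payload is URL-decoded first, so an encoded
    form of a known pattern is matched by the same signature.
    """
    if normalize:
        payload = unquote_to_bytes(payload)
    return [name for name, pattern in signatures.items() if pattern.search(payload)]


def scan(traffic, signatures=SIGNATURES, normalize: bool = False) -> dict:
    """Run every sample through the signature set; returns label -> matched names."""
    return {label: match_signatures(payload, signatures, normalize) for label, payload in traffic}


if __name__ == "__main__":
    for mode in (False, True):
        print("normalize =", mode, scan(SAMPLE_TRAFFIC, normalize=mode))
```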
Host-based IDS (HIDS): The host-based IDS varies from the NIDS on a number of fronts.
First and foremost, HIDS is more intrusive. HIDS is an active process which requires agents
to be installed on all monitored systems. These work by monitoring the system's internal
workings and searching for patterns. The higher end versions even prevent the installation of
Trojans and other malicious code. However, the fundamental problem of looking for only
known patterns is still not eradicated. Also, HIDS require a lot of computing power and
hence sometimes end up overloading the CPU.
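One host-level check that does not depend on known patterns is file integrity monitoring: record a cryptographic hash of every executable, then report files that were modified, added or removed. This catches the infection step described in section 4.2.2 (a virus attaching itself to a host program) regardless of what the virus looks like, which is why HIDS agents commonly include it. The Python below is an added example, not code from the paper or from any HIDS product; `demo()` builds a baseline in a temporary directory, simulates a modified host executable and a dropped binary, and returns the comparison.

```python
"""Added example (not from the paper): a minimal file integrity monitor of the kind a HIDS agent runs."""
import hashlib
import tempfile
from pathlib import Path

# Which files to watch; constructed for the example (a real agent would use a configured list).
WATCHED_SUFFIXES = (".exe", ".com", ".so", ".bin")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, suffixes=WATCHED_SUFFIXES) -> dict:
    """Map of relative path -> SHA-256 for every watched file under `root`."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def compare(baseline: dict, root, suffixes=WATCHED_SUFFIXES) -> dict:
    """Re-hash the tree and report what changed since `baseline`."""
    current = build_baseline(root, suffixes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Baseline a constructed directory, alter it, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ original program image")
        (root / "notes.txt").write_bytes(b"not an executable, so not watched")
        baseline = build_baseline(root)
        # Simulate an infected host program (bytes appended) and a newly dropped binary.
        with (root / "app.exe").open("ab") as fh:
            fh.write(b"\x90" * 16)
        (root / "tool.com").write_bytes(b"dropped file")
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the monitored host cannot rewrite it (read-only media or a separate log host); a stealth virus that can alter the baseline defeats the check.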
Fix: Microsoft has released a patch for this vulnerability. It can be obtained
from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22753
Fix: MandrakeSoft, Gentoo and other Linux vendors are releasing patches for
the flaw.
Description: The problem could be exploited to cause a buffer overflow and execute
malicious code if a user viewed a graphic in any imlib-based application, for example a
Web browser.
· LHA archive tool:
Discovered: September 2004
Affects: LHA versions up to and including 1.14
Fix: Fedora, Gentoo and other Linux vendors are releasing patches for the
flaw.
Description: The three LHA bugs are as serious as that in imlib, but are more difficult to
exploit, according to an advisory from Red Hat Inc. The first could take effect if a user
were tricked into extracting or testing a specially crafted archive. The second can only
be exploited if a user were tricked into passing a specially crafted command line to the
lha command. In the third, an attacker could create a directory with special characters
in its name, which could lead to the execution of malicious commands.
Fix: No specific fix. Varies from system to system. The rdisk command could
be blocked for normal users, for example.
Description: RDISK is an NT utility which allows users to create emergency repair disks.
However, it can be abused by a malicious user, since it can be used to dump all security
information into the c:\WINNT\REPAIR directory. From there the attacker can use a
password cracker to decrypt the passwords.
6.2 Attacks
6.2.1 Ping of Death
Filename: pingexploit.c, win95ping.c
Author: Bill Fenner (fenner@freebsd.org)
Build OS: BSD UNIX
Target OS: Windows 95, Windows NT 3.51
Description: Oversized ICMP echo requests (>64k) are sent to the target, which crashes due to
inappropriate handling of them.
Fix: Microsoft has included a fix in its subsequent applications.
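The "inappropriate handling" is a missing bounds check during fragment reassembly: an IP datagram's total length is a 16-bit field, so the reassembled payload can never legitimately exceed 65535 bytes minus the IP header, yet a reassembler that trusts each fragment's offset and length will copy past the end of its fixed-size buffer. The Python below is an added example, not code from the paper or from any vendor's fix; the three fragment sets are constructed, and `reassemble_check()` walks them the way a corrected reassembler would, refusing the first fragment that would push the datagram past the limit.

```python
"""Added example (not from the paper): the reassembly bounds check that a Ping of Death exploits the absence of."""

MAX_DATAGRAM = 65535                       # limit of the 16-bit IP total-length field
IP_HEADER_LEN = 20                         # minimal IPv4 header
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN  # 65515 bytes of reassembled payload

# Each fragment is (fragment offset in 8-byte units, payload length in bytes).
# All three sets are constructed for this example.
NORMAL_PING = [(0, 56)]                                  # ordinary 64-byte echo request
LARGE_PING = [(i * 185, 1480) for i in range(44)]        # 65120 bytes: big, but legal
OVERSIZED_PING = LARGE_PING + [(8140, 1480)]             # ends at 66600 bytes: illegal


def reassembled_size(fragments) -> int:
    """Payload size the fragments claim to produce (end of the furthest fragment)."""
    return max(off * 8 + length for off, length in fragments)


def reassemble_check(fragments):
    """Process fragments in order, never growing the buffer past MAX_PAYLOAD.

    Returns (accepted, size): accepted is False as soon as a fragment would
    overrun the buffer, and size is how much was accepted before that.
    """
    size = 0
    for off, length in fragments:
        end = off * 8 + length
        if end > MAX_PAYLOAD:
            return False, size  # drop the datagram instead of overflowing
        size = max(size, end)
    return True, size


if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PING), ("large", LARGE_PING), ("oversized", OVERSIZED_PING)):
        print(name, reassembled_size(frags), reassemble_check(frags))
```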
6.2.2 Smurf
Filename: smurf.c
Author: TFreak
Build OS: UNIX
Target OS: Any system that responds to ICMP data
Description: Floods the target system with spoofed ICMP echo requests. This congests the
lines to the system and causes a denial of service. Smurf is an example of a bandwidth
consumption attack.
Fix: Disable IP directed broadcasts on the router and configure the OS not to respond to
packets sent to IP broadcast addresses.
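The fix works because Smurf needs an amplifier: one echo request sent to a network's directed-broadcast address is answered by every host on that network, all replying to the spoofed source. The Python below is an added example, not code from the paper; it shows the check a router filter or monitor can apply, flagging ICMP echo requests whose destination is the broadcast address of a local network (or the limited broadcast 255.255.255.255) and reporting how many hosts could answer each one. The networks and packet records are constructed for the example.

```python
"""Added example (not from the paper): recognising echo requests aimed at broadcast addresses, the packets a Smurf amplifier forwards."""
import ipaddress

# Networks behind the router; constructed for this example.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

# Constructed packet records: (source, destination, ICMP type).
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.0.2.10", ECHO_REQUEST),       # ordinary ping to one host
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),      # directed broadcast of the /24
    ("203.0.113.9", "198.51.100.127", ECHO_REQUEST),   # directed broadcast of the /25
    ("203.0.113.9", "255.255.255.255", ECHO_REQUEST),  # limited broadcast
    ("192.0.2.10", "203.0.113.9", ECHO_REPLY),         # a reply, not a request
]


def broadcast_network(dst, networks=LOCAL_NETWORKS):
    """The local network whose directed-broadcast address is `dst`, or None."""
    ip = ipaddress.ip_address(dst)
    for net in networks:
        if ip == net.broadcast_address:
            return net
    return None


def is_broadcast_echo_request(packet, networks=LOCAL_NETWORKS) -> bool:
    """True for an echo request addressed to a limited or directed broadcast."""
    _src, dst, icmp_type = packet
    if icmp_type != ECHO_REQUEST:
        return False
    return ipaddress.ip_address(dst) == LIMITED_BROADCAST or broadcast_network(dst, networks) is not None


def amplifier_packets(packets, networks=LOCAL_NETWORKS) -> list:
    """The packets a router with directed broadcasts disabled should drop."""
    return [p for p in packets if is_broadcast_echo_request(p, networks)]


def amplification_factor(dst, networks=LOCAL_NETWORKS) -> int:
    """Hosts that could answer one echo request to `dst`; 0 if not a directed broadcast."""
    net = broadcast_network(dst, networks)
    return net.num_addresses - 2 if net else 0  # exclude network and broadcast addresses


if __name__ == "__main__":
    for src, dst, _ in amplifier_packets(SAMPLE_PACKETS):
        print(f"drop {src} -> {dst}: up to {amplification_factor(dst)} replies")
```

On the router side the same decision is what Cisco IOS `no ip directed-broadcast` makes; on a Linux host, `sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1` implements the second half of the fix by making the host ignore echo requests to broadcast addresses.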
6.2.3 Trin00
Filename: trin00.tgz
Author: Project DoS
Build OS: UNIX
Target OS: UNIX
Description: Trin00 (trinoo) is a distributed denial of service tool. The attacker controls a
small number of compromised “master” hosts, which in turn direct many compromised “daemon”
hosts to flood the target with UDP packets. This congests the lines to the system and causes a
denial of service; Trin00 is a bandwidth consumption attack carried out in distributed form.
Fix: Patch systems to prevent compromise, monitor UDP traffic for trinoo fingerprints and
run DDoS scanner tools like RID. Blocking UDP traffic on high numbered ports may prevent
the problem but this could cause other applications to function unpredictably.
6.2.4 Hare breed of Virus:
Virus name: Hare [x]
Infects: COM and EXE files
Size: 7610 bytes
Description: The Hare breed is a common strain of virus which is memory resident and
supports full stealth. It is also encrypted and polymorphic, which makes it that much harder
to track down.
6.3 Defenses
6.3.1 Firewall Toolkit (FWTK):
The TIS Firewall Toolkit is a somewhat outdated but still completely feasible solution for
creating a firewall. The package which is free for noncommercial use includes proxies for
the following services:
· Telnet
· FTP
· Rlogin
· Sendmail
· HTTP
· X Window system
The service requires some rules to be specified. This is easily done by editing the following
files:
· /etc/services: This file specifies what services the machine will support and what
ports those services run on
· /etc/inetd.conf: This is the configuration file for inetd. It specifies what server is
activated when outsiders request a service.
· /usr/local/etc/netperm-table: This is an FWTK file. In it, you specify who can use
the services you provide.
You can choose two schemes for permissions: deny all services which are not expressly
allowed or allow all services which are not expressly prohibited.
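The choice between the two permission schemes decides what happens to every request that no rule mentions. The Python below is an added example, not code from the paper or from FWTK, and it does not parse the real netperm-table format; it evaluates a constructed rule set (inside hosts may use telnet and ftp, anyone may use http) under both a default-deny and a default-permit policy, so the difference shows up on the requests the rules never anticipated.

```python
"""Added example (not from the paper): first-match rule evaluation under default-deny versus default-permit."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    service: str   # e.g. "telnet", "ftp", "http"; "*" matches any service
    source: str    # CIDR of the clients the rule applies to
    action: str    # "permit" or "deny"


# Constructed rule set standing in for a netperm-table.
RULES = [
    Rule("telnet", "192.0.2.0/24", "permit"),
    Rule("ftp", "192.0.2.0/24", "permit"),
    Rule("http", "0.0.0.0/0", "permit"),
]

# Constructed requests: (service, client address). The last two match no rule.
REQUESTS = [
    ("http", "203.0.113.5"),
    ("telnet", "192.0.2.7"),
    ("telnet", "203.0.113.5"),
    ("rlogin", "203.0.113.5"),
]


def evaluate(rules, default: str, service: str, src_ip: str) -> str:
    """First matching rule wins; when nothing matches, the default policy decides."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.service in ("*", service) and ip in ipaddress.ip_network(rule.source):
            return rule.action
    return default


def compare_schemes(rules, requests) -> dict:
    """Decision for each request as (under default-deny, under default-permit)."""
    return {
        (service, src): (evaluate(rules, "deny", service, src), evaluate(rules, "permit", service, src))
        for service, src in requests
    }


if __name__ == "__main__":
    for request, (deny_default, permit_default) in compare_schemes(RULES, REQUESTS).items():
        print(request, "deny-all scheme:", deny_default, "| allow-all scheme:", permit_default)
```

Only the unlisted requests differ: under the deny-all scheme an outsider's telnet or rlogin attempt is refused because nobody wrote a rule for it, while under the allow-all scheme the same omission lets it through, which is why the deny-all scheme is the one to prefer.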
Vendor: TIS
Platform: UNIX
6.3.2 The Open Source Nessus Project:
Nessus was written by Renaud Deraison, an open source author living in Paris. Nessus is
quickly becoming the Linux of the vulnerability scanning field. Nessus employs an extensible
plug-in model that enables the security community to add scanning modules at will. This
gives Nessus a development edge, because any check that it does not have can be created
by anyone with some time and coding ability on their hands. Nessus uses a console based engine, in
which the console may or may not reside on the same computer as the scanning engine.
This distributed architecture allows for some interesting flexibility.
Vendor: NONE (open source)
Platform: UNIX
6.3.3 Cisco Secure IDS:
Cisco acquired the NetRanger NIDS with its acquisition of the Texas based “Wheelgroup”
corporation in the late 1990’s. NetRanger served as the foundation of what is now the Cisco
Secure IDS suite. Cisco has multiple sensor offerings, ranging from the smallest x86 based
appliance to their more industrial strength appliance offering, to an intrusion detection ‘blade’
which fits into the Catalyst 6500 series of switches.
Vendor: Cisco Systems
Platform: Appliance
7.0 Conclusion:
Information security is everyone’s business. All users of computer networks are responsible to themselves and
the entire community for the protection of individual and common resources. As more and more vulnerabilities
are discovered, better and better methods of security are being implemented.
However, it is important to remember that as better and better methods of computer security are invented, the
efforts and efficiency of crackers will also increase. Hence, in order to stay ahead in this electronic arms race,
one must keep abreast of the latest developments in both the attack and the defense fields.
8.0 References
· Maximum Security, 3rd Edition, Anonymous, Sams Techmedia Publishing, 2001
· Unofficial Guide to Ethical Hacking, Ankit Fadia, Macmillan India, 2001
· Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner, Pearson
Education, 2002
· Computer Vulnerabilities, Eric Knight, C.I.S.S.P. Electronic Edition, 2000
· The Little Black Book of Computer Viruses, Mark Ludwig, Electronic Edition, 1996
· Understanding the Various Types of Denial of Service Attack, Technical Paper, Raja Azrina Raja
Othman
· US Government Information Centre: http://usgovinfo.about.com/
· The Pine-Mountain Group: http://www.pmg.com/index.htm
· Geek-Times.com: http://www.geek-times.com
· Slashdot security portal: http://slashdot.org/
· Infosyssec.net security portal: http://www.infosyssec.net/
· Windows Security portal: http://www.windowsecurity.com
· Eweek IT news portal: http://www.eweek.com