Computer Security

Topics
Crisis
Computer Crimes
Hacker Attacks
Modes of Computer Security
Password Security
Network Security
Web Security
Distributed Systems Security
Database Security

Crisis
The Internet has grown very fast and security has lagged behind.
A mass of hackers has emerged because the barrier to entering the hackers' club is low.
It is hard to trace the culprit of cyber attacks since the real identities are masked.
It is very hard to track down people because of the complexity of the network.
Large-scale failures of the Internet can have a catastrophic impact on the economy, which relies heavily on electronic transactions.

Computer Crime - The Beginning
In 1988 a "worm program" written by a college student shut down about 10 percent of the computers connected to the Internet.
This was the beginning of the era of cyber attacks.
Today we have about 10,000 reported incidents of cyber attacks, and the number grows.

Computer Crime - 1994
A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at the Griffiths Air Force base, Nasa and the Korean Atomic Research Institute. His online mentor, "Kuji", is never found.
Also this year, a group directed by Russian hackers broke into the computers of Citibank and transferred more than $10 million from customers' accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money.

Computer Crime - 1995
In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail and on his release his parole conditions demand that he avoid contact with computers and mobile phones.
On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail.
The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995.

Computer Crime - 1999
In March, the Melissa virus goes on the rampage and causes disaster with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year-old New Jersey computer programmer, David L Smith.
More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999.

Computer Crime - 2000
In February, some of the most popular websites in the world, such as Amazon and Yahoo, are almost overcome by being flooded with bogus requests for data.
In May, the ILOVEYOU virus is unleashed and blocks computers worldwide. Over the coming months, variants of the virus are released that manage to catch out companies that didn't do enough to protect themselves.
In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen.

Why Security?
Some of the sites which have been compromised:
U.S. Department of Commerce
NASA
CIA
Greenpeace
Motorola
UNICEF
Church of Christ ...
Some sites which have been rendered ineffective:
Yahoo
Microsoft
Amazon ...

Why do Hackers Attack?
Because they can: a large fraction of hacker attacks have been pranks
Financial gain
Intelligence
Venting anger at a company or organization
Terrorism

Types of Hacker Attack
Active Attacks:
Denial of Service
Breaking into a site
- Intelligence Gathering
- Resource Usage
- Fraud
Passive Attacks:
Sniffing
- Passwords
- Network Traffic
- Sensitive Information
Information Gathering

Modes of Hacker Attack
Over the Internet
Over LAN
Locally
Offline
Theft
Fraud

Spoofing
Definition:
An attacker alters his identity so that someone thinks he is someone else
Email, User ID, IP Address, ...
Attacker exploits the trust relation between a user and networked machines to gain access to machines
Types of Spoofing:
1. IP Spoofing
2. Email Spoofing
3. Web Spoofing

IP Spoofing - Flying-Blind Attack
Definition:
Attacker uses the IP address of another computer to acquire information or gain access
Diagram: Attacker (10.10.50.50) sends packets to John (10.10.5.5) with From Address: 10.10.20.30 (the spoofed address) and To Address: 10.10.5.5; replies are sent back to 10.10.20.30.
Attacker changes his own IP address to the spoofed address
Attacker can send messages to a machine masked as the spoofed machine
Attacker cannot receive messages from that machine

IP Spoofing - Source Routing
Definition:
Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies
Diagram: Attacker (10.10.50.50) sends packets to John (10.10.5.5) with From Address: 10.10.20.30 (the spoofed address) and To Address: 10.10.5.5; replies are sent back to 10.10.20.30, and the attacker intercepts the packets as they go to 10.10.20.30.
The path a packet may take can vary over time
To ensure that he stays in the loop, the attacker uses source routing to ensure that the packet passes through certain nodes on the network
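As an added, defender-side example (not code from the original slides), the following Python check shows how a router can refuse both spoofing techniques above: it rejects source-routed packets outright and drops any packet whose source address does not belong to the segment it arrived from. The interface names and the per-interface prefix map are assumptions made for the example.

```python
# Added example (not from the original slides): a reverse-path style ingress
# check that drops the two spoofing techniques described above.
# The interface names and the per-interface prefixes are assumptions.
import ipaddress
from dataclasses import dataclass

# Assumed topology for the slides' diagram: each segment sits behind its own
# router interface, so a source address is only valid on one interface.
IFACE_PREFIXES = {
    "seg-5": ipaddress.ip_network("10.10.5.0/24"),     # John's segment (10.10.5.5)
    "seg-20": ipaddress.ip_network("10.10.20.0/24"),   # the spoofed host (10.10.20.30)
    "seg-50": ipaddress.ip_network("10.10.50.0/24"),   # the attacker (10.10.50.50)
}

@dataclass
class Packet:
    iface: str                   # interface the packet arrived on
    src: str                     # source IP address written in the header
    dst: str                     # destination IP address
    source_routed: bool = False  # carries a loose/strict source-route option

def ingress_verdict(pkt: Packet) -> str:
    """Return 'allow' or 'drop: <reason>' for one packet."""
    # Source routing is what lets the attacker stay "in the loop" for replies;
    # a router that refuses source-routed packets removes that option.
    if pkt.source_routed:
        return "drop: source-routed packet"
    prefix = IFACE_PREFIXES.get(pkt.iface)
    if prefix is None:
        return "drop: unknown interface"
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop: malformed source address"
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return "drop: invalid source address"
    # Flying-blind spoof: a packet claiming 10.10.20.30 that arrives from the
    # attacker's segment cannot have come from the real 10.10.20.30.
    if src not in prefix:
        return f"drop: {pkt.src} is not reachable via {pkt.iface}"
    return "allow"

if __name__ == "__main__":
    # Constructed sample traffic mirroring the diagram above.
    sample = [
        Packet("seg-50", "10.10.50.50", "10.10.5.5"),         # honest packet
        Packet("seg-50", "10.10.20.30", "10.10.5.5"),         # spoofed source
        Packet("seg-20", "10.10.20.30", "10.10.5.5", True),   # source-routed
    ]
    for p in sample:
        print(p.src, "->", p.dst, "on", p.iface, ":", ingress_verdict(p))
```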
Email Spoofing
Definition:
Attacker sends messages masking as someone else
What can be the impacts:
Types of Email Spoofing:
1. Create an account with a similar email address
- Sanjaygoel@yahoo.com: A message from this account can perplex the students
2. Modify a mail client
- Attacker can put in any return address he wants in the mail he sends
3. Telnet to port 25
- Most mail servers use port 25 for SMTP. Attacker logs on to this port and composes a message for the user.

Web Spoofing
Basic:
Attacker registers a web address matching an entity, e.g. votebush.com, geproducts.com, gesucks.com
Man-in-the-Middle Attack:
Attacker acts as a proxy between the web server and the client
Attacker has to compromise the router or a node through which the relevant traffic flows
URL Rewriting:
Attacker redirects web traffic to another site that is controlled by the attacker
Attacker writes his own web site address before the legitimate link
Tracking State:
When a user logs on to a site, a persistent authentication is maintained
This authentication can be stolen for masquerading as the user

Session Hijacking
Definition:
Process of taking over an existing active session
Method of operation:
1. User makes a connection to the server by authenticating using his user ID and password.
2. After the users authenticate, they have access to the server as long as the session lasts.
3. Hacker takes the user offline by denial of service
4. Hacker gains access by masquerading as the user (copying the user's identity)

Session Hijacking - How Does it Work?
Attackers exploit sequence numbers to hijack sessions
Receiver and Sender have their own sequence numbers
When two parties communicate the following are needed:
IP addresses
Port Numbers
Sequence Number
IP addresses and port numbers are easily available, so once the attacker gets the server to accept his guessed sequence number he can hijack the session.

Denial of Service (DOS) Attack
Definition:
Attack through which a person can render a system unusable or significantly slow down the system for valid users by overloading the system so that no one else can use it.
Types:
1. Crashing the system or network
- Send the victim data or packets which will cause the system to crash or reboot.
2. Exhausting the resources by flooding the system or network with information
- Since all resources are exhausted, others are denied access to the resources
3. Distributed DoS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks

Buffer Overflow Attacks
This attack takes advantage of the way in which information is stored by computer programs
An attacker tries to store more information on the stack than the size of the buffer

Buffer Overflow Attacks
Programs which do not have a rigorous memory check in the code are vulnerable to this attack
Simple weaknesses can be exploited
If the memory allocated for a name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters
Can be used for intelligence, denial of service or compromising the integrity of the data
Examples:
NetMeeting Buffer Overflow
Outlook Buffer Overflow
AOL Instant Messenger Buffer Overflow
SQL Server 2000 Extended Stored Procedure Buffer Overflow

Password Attacks
A hacker can exploit weak passwords & uncontrolled network modems easily
Steps:
Hacker gets the phone number of a company
Hacker runs a war dialer program
If the original number is 555-5532 he runs all numbers in the 555-55xx range
When a modem answers he records the phone number of the modem
Hacker now needs a user id and password to enter the company network
Companies often have default accounts, e.g. temp, unnamed, with no password
Often the root account uses the company name as the password
For strong passwords, password cracking techniques exist

Password Security
Password hashed and stored
Salt added to randomize the password & stored on the system
Password attacks launched to crack the encrypted password
Diagram: the Client sends the Password to the Server; the Server combines it with the stored Salt, applies the Hash Function, compares the resulting Hashed Password with the Stored Password (Hashed Password), and then Allows/Denies Access.

Password Attacks - Process
Find a valid user ID
Create a list of possible passwords
Rank the passwords from high probability to low
Type in each password
If the system allows you in, success!
If not, try again, being careful not to exceed the password lockout (the number of times you can guess a wrong password before the system shuts down and won't let you try any more)
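As an added example (not code from the original slides), the following Python class implements the server side of the "Password Security" diagram (salt, hash function, compare, allow/deny) together with the lockout counter that the "Password Attacks - Process" slide says a guesser must stay under. The in-memory user table, PBKDF2 as the hash function and the lockout threshold of 5 are assumptions made for the example.

```python
# Added example (not from the original slides): the salted hash-and-compare
# scheme of the "Password Security" diagram, plus the lockout counter from
# the "Password Attacks - Process" slide.
# The in-memory user table and the lockout threshold are assumptions.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor: slows dictionary and brute-force guessing
LOCKOUT_THRESHOLD = 5  # wrong guesses allowed before the account is locked

class PasswordStore:
    def __init__(self):
        self.users = {}  # user id -> {"salt": bytes, "hash": bytes, "failures": int}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # The "Hash Function" box of the diagram, applied to password + salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, user_id: str, password: str) -> None:
        # Per-user random salt: identical passwords hash differently, so one
        # precomputed table of hashed dictionary words cannot crack them all.
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "hash": self._hash(password, salt),
                               "failures": 0}

    def login(self, user_id: str, password: str) -> str:
        """Return 'allow', 'deny' or 'locked' (the diagram's Allow/Deny step)."""
        rec = self.users.get(user_id)
        if rec is None:
            # Unknown user: still do the hashing so response time does not
            # reveal whether the user ID exists (step 1 of the attack process).
            self._hash(password, b"\x00" * 16)
            return "deny"
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            return "locked"
        # Client password + stored salt -> hash function -> compare with stored hash.
        candidate = self._hash(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):  # constant-time compare
            rec["failures"] = 0
            return "allow"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= LOCKOUT_THRESHOLD else "deny"

def same_password_different_hashes(store: PasswordStore, a: str, b: str) -> bool:
    """True when two users sharing a password still have distinct stored hashes."""
    return store.users[a]["hash"] != store.users[b]["hash"]

if __name__ == "__main__":
    store = PasswordStore()
    store.register("john", "s3cret")  # constructed sample user
    print(store.login("john", "s3cret"), store.login("john", "guess"))
```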
Password Attacks - Types
Dictionary Attack:
Hacker tries all words in the dictionary to crack the password
70% of people use dictionary words as passwords
Brute Force Attack:
Try all permutations of the letters & symbols in the alphabet
Hybrid Attack:
Words from the dictionary and their variations are used in the attack
Social Engineering:
People write passwords in different places
People disclose passwords naively to others
Shoulder Surfing:
Hackers artfully watch over people's shoulders to steal passwords
Dumpster Diving:
People dump their trash papers in the garbage, which may contain information to crack passwords

Proxy Server
A proxy server, also known as a 'Proxy' or 'Application Level Gateway', is a computer which acts as a gateway between a local network (e.g. all the computers at one company or in one building) and a large-scale network such as the Internet. A proxy server provides increased performance and security. In some cases, it monitors the employees' use of outside resources.
A proxy server works by intercepting connections between senders and receivers. All incoming data comes through one port and is forwarded to the rest of the network through another port. By blocking direct access between two networks, proxy servers make it much more difficult for hackers to get internal addresses and details of the private networks.

How Proxy Servers Work
Function as a software go-between, forwarding data between internal and external hosts
Focus on the port each service uses
Screen all traffic into and out of each port
Decide whether to block or allow traffic based on rules
Add time to communications, but in return, they:
- Cover clients
- Translate network addresses
- Filter content

Steps Involved in a Proxy Transaction
1. Internal host makes a request to access a Web site
2. Request goes to the proxy server, which examines the header and data of the packet against the rule base
3. Proxy server recreates the packet in its entirety with a different source IP address
4. Proxy server sends the packet to the destination; the packet appears to come from the proxy server
5. Returned packet is sent to the proxy server, which inspects it again and compares it against its rule base
6. Proxy server rebuilds the returned packet and sends it to the originating computer; the packet appears to come from the external host

Proxy Servers and Packet Filters
Are used together in a firewall to provide multiple layers of security
Both work at the Application layer, but they inspect different parts of IP packets and act on them in different ways

How Proxy Servers Differ from Packet Filters
Scan the entire data part of IP packets and create more detailed log file listings
Rebuild the packet with new source IP information (shields internal users from outside users)
Server on the Internet and an internal host are never directly connected to one another
More critical to network communications

Dual-Homed Host Proxy Server Configuration

Screened Host Proxy Server Configuration

Goals of Proxy Servers
Conceal internal clients
Block URLs
Block and filter content
Protect e-mail proxy
Improve performance
Ensure security
Provide user authentication
Redirect URLs

Concealing Internal Clients
Network appears as a single machine
If external users cannot detect hosts on your internal network, they cannot initiate an attack against these hosts
Proxy server receives requests as though it were the destination server, then completely regenerates a new request, which is sent to its destination

Blocking URLs
An attempt to keep employees from visiting unsuitable Web sites
An unreliable practice; users can use the IP address that corresponds to the URL

Blocking and Filtering Content
Can block and strip out Java applets or ActiveX controls
Can delete executable files attached to e-mail messages
Can filter out content based on rules that contain a variety of parameters (e.g. time, IP address, port number)

E-Mail Proxy Protection
External e-mail users never interact directly with internal hosts

Improving Performance
Speed up access to documents that have been requested repeatedly

Ensuring Security with Log Files
Log file: text file set up to store information about access to networked resources
Can ensure the effectiveness of the firewall
Detect intrusions
Uncover weaknesses
Provide documentation
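As an added example (not code from the original slides), the following Python script runs two detections over a proxy log of the kind the slide describes: clients that repeatedly hit the block list, and clients that were allowed through to a destination named by a bare IP address, which is the bypass of URL blocking that the "Blocking URLs" slide warns about. The log line format and the sample lines are constructed for this example.

```python
# Added example (not from the original slides): detection logic run over a
# proxy log to show how log files help "detect intrusions" and "uncover
# weaknesses". The line format and the sample lines are constructed.
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed format: timestamp client method url status verdict
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (ALLOW|BLOCK)$")

def parse_line(line: str):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, verdict = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "verdict": verdict}

def is_ip_literal_host(url: str) -> bool:
    """True when the URL names its host by IP address instead of a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyse(lines, block_threshold=3):
    """Flag clients that keep hitting the block list, and clients that were
    allowed to reach a destination addressed as a raw IP (the way a user
    sidesteps URL blocking). Malformed lines are counted, not silently lost."""
    records = [r for r in map(parse_line, lines) if r]
    blocks = Counter(r["client"] for r in records if r["verdict"] == "BLOCK")
    repeat_blocked = sorted(c for c, n in blocks.items() if n >= block_threshold)
    ip_bypass = sorted({r["client"] for r in records
                        if r["verdict"] == "ALLOW" and is_ip_literal_host(r["url"])})
    return {"parsed": len(records), "malformed": len(lines) - len(records),
            "repeat_blocked": repeat_blocked, "ip_literal_allowed": ip_bypass}

# Constructed sample log (addresses reuse the slides' 10.10.x.x hosts).
SAMPLE_LOG = """\
2024-01-15T09:12:03 10.10.5.5 GET http://intranet.example.com/ 200 ALLOW
2024-01-15T09:12:10 10.10.50.50 GET http://casino.example.net/ 403 BLOCK
2024-01-15T09:12:11 10.10.50.50 GET http://casino.example.net/play 403 BLOCK
2024-01-15T09:12:12 10.10.50.50 GET http://bets.example.net/ 403 BLOCK
2024-01-15T09:12:20 10.10.50.50 GET http://203.0.113.7/ 200 ALLOW
2024-01-15T09:13:01 10.10.5.5 GET http://news.example.org/ 200 ALLOW
this line is garbage and will be counted as malformed
""".splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```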
Providing User Authentication
Enhances security
Most proxy servers can prompt users for a username and password

Redirecting URLs
Proxy can be configured to recognize two types of content and perform URL redirection to send them to other locations:
Files or directories requested by the client
Host name with which the client wants to communicate (most popular)

Proxy Server Configuration Considerations
Scalability issues
Need to configure each piece of client software that will use the proxy server
Need to have a separate proxy service available for each network protocol
Need to create packet filter rules
Security vulnerabilities:
Single point of failure
Buffer overflow

Providing for Scalability
Add multiple proxy servers to the same network connection

Working with Client Configurations

Working with Service Configurations

Creating Filter Rules
Allow certain hosts to bypass the proxy
Filter out URLs
Enable internal users to send outbound requests only at certain times
Govern the length of time a session can last
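As an added example (not code from the original slides or any particular proxy product), the following Python rule base implements the four kinds of filter rule listed above and evaluates them in order for each request. The request representation, the rule values, the evaluation order and the 08:00-18:00 window are assumptions made for the example.

```python
# Added example (not from the original slides): a small rule base implementing
# the four filter rules on the "Creating Filter Rules" slide. The request
# representation, rule values and decision order are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from fnmatch import fnmatch
from urllib.parse import urlsplit

@dataclass
class Request:
    client: str              # internal host making the request
    url: str                 # requested URL
    when: datetime           # time the request reaches the proxy
    session_start: datetime  # when this client's proxy session began

@dataclass
class RuleBase:
    bypass_hosts: set = field(default_factory=set)            # hosts allowed around the proxy
    blocked_url_patterns: list = field(default_factory=list)  # fnmatch patterns on host or URL
    outbound_window: tuple = (time(8, 0), time(18, 0))        # outbound requests allowed only here
    max_session: timedelta = timedelta(hours=8)               # longest permitted session

    def decide(self, req: Request) -> str:
        """Return 'bypass', 'allow' or 'deny: <reason>' for one request."""
        # 1. Certain hosts bypass the proxy (e.g. a monitoring server).
        if req.client in self.bypass_hosts:
            return "bypass"
        # 2. URL filtering: deny anything matching a blocked pattern.
        host = urlsplit(req.url).hostname or ""
        for pat in self.blocked_url_patterns:
            if fnmatch(host, pat) or fnmatch(req.url, pat):
                return f"deny: url matches {pat}"
        # 3. Outbound requests only within the permitted hours.
        start, end = self.outbound_window
        if not (start <= req.when.time() < end):
            return "deny: outside permitted hours"
        # 4. Session length limit.
        if req.when - req.session_start > self.max_session:
            return "deny: session too long"
        return "allow"

if __name__ == "__main__":
    # Constructed rule base and requests (addresses reuse the slides' hosts).
    rb = RuleBase(bypass_hosts={"10.10.5.9"},
                  blocked_url_patterns=["*.casino.example", "casino.example"])
    t0 = datetime(2024, 1, 15, 9, 0)
    for req in [Request("10.10.5.9", "http://casino.example/", t0, t0),
                Request("10.10.5.5", "http://www.casino.example/x", t0, t0),
                Request("10.10.5.5", "http://news.example/", t0 + timedelta(hours=9), t0)]:
        print(req.client, req.url, "->", rb.decide(req))
```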
Security Vulnerabilities: Single Point of Failure
Be sure to have other means of enabling traffic to flow with some amount of protection (e.g. packet filtering)
Create multiple proxies that are in use simultaneously

Security Vulnerabilities: Buffer Overflow
Occurs when the proxy server attempts to store more data in a buffer than the buffer can hold
Renders the program nonfunctional
Check the manufacturer's Web site for security patches

Choosing a Proxy Server
Some are commercial products for home and small-business users
Some are designed to protect one type of service and to serve Web pages stored in cache
Most are part of a hybrid firewall (combining several different security technologies)
Some are true standalone proxy servers

Types of Proxy Servers
Transparent
Nontransparent
SOCKS based

Transparent Proxies
Can be configured to be totally invisible to the end user
Sit between two networks like a router
Individual host does not know its traffic is being intercepted
Client software does not have to be configured

Nontransparent Proxies
Require client software to be configured to use the proxy server
All target traffic is forwarded to the proxy at a single target port (typically using the SOCKS protocol)
More complicated to configure, but provide greater security
Also called explicit proxies

SOCKS-Based Proxies
SOCKS protocol:
Enables establishment of generic proxy applications
Flexible
Typically used to direct all traffic from the client to the proxy using a target port of TCP/1080

SOCKS Features
Security-related advantages:
Functions as a circuit-level gateway
Encrypts data passing between client and proxy
Uses a single protocol both to transfer data via TCP and UDP and to authenticate users
Disadvantage:
Does not examine the data part of a packet

SocksCap

Proxy Server-Based Firewalls Compared
Firewalls based on proxy servers:
T.REX
Squid
WinGate
Symantec Enterprise Firewall
Microsoft Internet Security & Acceleration Server
Choice depends on your platform and the number of hosts and services you need to protect

T.REX Open-Source Firewall
Free UNIX-based solution
Handles URL blocking, encryption, and authentication
Complex configuration; requires proficiency with proxy server configuration

Squid
High-performance, free open-source application
Acts as a proxy server and caches files for Web and FTP servers
Not full-featured
Performs access control and filtering
Quickly serves files that are held in cache
Runs on UNIX-based systems
Popular; plug-ins available
Economical

WinGate
Most popular proxy server for home and small business environments
Well-documented Windows-based program
Offers customer support and frequent upgrades

Symantec Enterprise Firewall
Combines proxy services with encryption, authentication, load balancing, and packet filtering
Configured through a snap-in to the MMC
Commercial firewall with built-in proxy servers
More full-featured than WinGate

Microsoft Internet Security & Acceleration Server (ISA)
Complex, full-featured
Includes stateful packet filtering, proxy services, NAT, and intrusion detection
Competes with high-performance firewall products

Two Editions of ISA
Standard Edition:
Standalone
Supports up to four processors
Enterprise Edition:
Multiserver product with centralized management
No limit on the number of processors supported

Reverse Proxies
Monitor inbound traffic
Prevent direct, unmonitored access to the server's data from outside the company
Advantages:
Performance
Privacy

When a Proxy Service Isn't the Correct Choice
Can slow down traffic excessively
The need to authenticate via the proxy server can make connection impossible
If you don't want to use your own proxy server:
External users can connect to the firewall directly using Secure Sockets Layer (SSL) encryption
Use the proxy server of an ISP

Conclusions
Computer security is a continuous battle
As computer security gets tighter, hackers are getting smarter
Very high stakes