- Number of slides: 22
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: Klaus 3362. Email or call for office visit, 404 894-5177

Network Security Utilities and Organizations, 3/29/2011
Network Security Utilities

It is difficult for a network manager to physically visit every workstation frequently and check all the configuration files. A number of network security utilities have been developed to let a network manager scan a network and look for security holes. Surprisingly, many of these are free. The most versatile for port scanning is “nmap.” Others actually run known exploits against your systems to detect weaknesses (“Saint” and “Satan”). Some should be studied so that you know what crackers can easily do (e.g., dsniff). For intrusion detection, there are some expensive commercial services that come with 24-hour-a-day, 7-day-a-week monitoring (“ISS / IBM”).

Only download “free” utilities in source format, and read the ‘C’ code before you compile and use them. Some of these, like software from Red Hat, come with a PGP (or GPG) signature that you should check. Many developers now provide at least a CRC checksum or secure hash for their original (unaltered) binaries.
Tripwire - compares hashes of system files

Tripwire HQ Connector Bundle: The HQ Connector bundle is comprised of Tripwire's award-winning file integrity software, Tripwire version 2.2.1, and a communications agent that allows the software engine to "talk" to the Tripwire HQ Manager. Tripwire provides support for multiple platforms, including Windows NT, Solaris, Linux, HP-UX, IBM-AIX and others. With the Tripwire HQ Connector bundle, you can unequivocally answer the question: is my data the same today as it was yesterday? This information will help you keep your system in optimal working order and manage any changes - malicious or inadvertent - giving you complete control over data integrity.

Tripwire HQ Manager is a software console with a graphical user interface that allows you to control hundreds of installations of HQ Connector. Named HQ Manager because it's designed to operate as your information integrity headquarters, this product provides you with the very best way to manage data integrity across an enterprise network from a single, centralized location.

Tripwire 2.2.1 for Linux: With all the same great features as Tripwire 2.2.1 for other operating systems, Tripwire for Linux is available as a free download (without the agent that communicates with HQ Manager). In support of the open source community, Tripwire plans to release an open source version of this product this fall. For more information and future announcements about the open source release, check out www.tripwire.org.

Tripwire Academic Source Release 1.3.1: With only slight changes, the Tripwire Academic Source Release (ASR) version 1.3.1 is the same as the original Tripwire software that was developed in 1992 by Dr. Eugene Spafford and Tripwire CTO Gene Kim. Tripwire offers this version as a free download, but does not provide product support for it.

www.tripwire.com {commercial}
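The core of what Tripwire does (record a hash of every system file, then report what changed) fits in a short script. The following is an added example written for this page, not Tripwire's own code: it snapshots a directory tree into SHA-256 digests plus size and permission bits, compares a later snapshot against the baseline, and classifies each difference as added, removed or modified. The directory, file names and the "intruder" changes in `demo()` are constructed for the demonstration. The same `sha256_file` routine is what you would use to check a downloaded source tarball against the hash its developer publishes, as the previous slide advises.

```python
"""Minimal Tripwire-style file-integrity check (added example; not Tripwire's code).

Builds a baseline of SHA-256 digests, sizes and permission bits for every
regular file under a directory, then compares a later snapshot against it
and reports added, removed and modified files.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path, block_size=65536):
    """Return the hex SHA-256 of a file, read in blocks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to (sha256, size, permission bits)."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            rel = os.path.relpath(full, root)
            snap[rel] = (sha256_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return snap


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted by path.

    A file counts as modified if its digest, size or permission bits changed, so a
    mode-only change (a setuid bit appearing on an unchanged binary) is still reported.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Exercise the checker on a constructed directory tree; returns the change report."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    paths = {}
    for rel, content in [("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                         ("etc/hosts", b"127.0.0.1 localhost\n"),
                         ("bin/login", b"#!/bin/sh\nexec /bin/real-login\n")]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        paths[rel] = full
    baseline = snapshot(root)

    # Constructed post-baseline changes of the kind an intruder (or a careless admin) makes:
    with open(paths["etc/passwd"], "ab") as f:          # an extra uid-0 account appended
        f.write(b"backdoor:x:0:0::/:/bin/sh\n")
    os.chmod(paths["bin/login"], 0o4755)                 # same bytes, setuid bit added
    os.remove(paths["etc/hosts"])                        # a file disappears
    with open(os.path.join(root, "etc", "ld.so.preload"), "wb") as f:  # a new file appears
        f.write(b"/lib/evil.so\n")
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline is only as trustworthy as where it is kept: store it (and this script) off the monitored host or on read-only media, because an intruder with root can otherwise rewrite the baseline to match the altered files. Permission bits are part of the record for the same reason the demo flags `bin/login`: a setuid bit on an unchanged binary is a change worth knowing about even though its hash is identical.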
Saint (and Satan)

"Indispensable for checking system vulnerabilities" (Information Security, February, 2000).

The Security Administrator's Integrated Network Tool (SAINT™), an updated and enhanced version of SATAN, is designed to assess the security of computer networks.

New with this release:
- Check for vulnerability in wu-ftpd 2.6.0
- Check for innd control-cancel vulnerability
- Check for possible vulnerabilities in HP OpenView Network Node Manager and OmniBack server
- Check for two vulnerabilities in HP JetAdmin
- Check for vulnerability in Cmail server
- Several bug fixes in Netbios checks
- Improvements in sadmind, tooltalk, and Calendar Manager checks to reduce false alarms
- Fixed compilation problems in dds.c affecting SunOS 4, thanks to Jim Houser

Saint - http://www.wwdsi.com/saint/ [gone commercial] http://www.saintcorporation.com/products/saint_engine.html
Nessus

The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a piece of software which will remotely audit a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port - that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests based on the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Test the security of your network: http://www.nessus.org/ {commercial: Tenable Network Security}
dsniff

Overview: I [Dug Song] wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of cleartext network protocols. Please do not abuse this software.

Description:

arpredirect: intercept packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. this is an extremely effective way of sniffing traffic on a switch. kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.

macof: flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). a straight C port of the original Perl Net::RawIP macof program.

tcpkill: kill specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3whs for TCB creation).

tcpnice: slow down specified in-progress TCP connections via "active" traffic shaping (useful for sniffing fast networks). forges tiny TCP window advertisements, and optionally ICMP source quench replies.

dsniff: password sniffer. handles FTP, Telnet, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, NFS, YP, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info. (more)
dsniff - 2

dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well).

filesnarf: saves selected files sniffed from network file system traffic in the current working directory.

mailsnarf: a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. Outputs selected messages sniffed from SMTP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).

urlsnarf: output all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).

webspy: sends URLs sniffed from a client to your local Netscape browser for display, updated in realtime (as the target surfs, your browser surfs along with them, automagically). a fun party trick. :-) (more)

http://monkey.org/~dugsong/ There is not a good index. Try adding the application name to the URL, like http://monkey.org/~dugsong/dsniff/, or google the application name.
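The two LAN tricks on the previous slide, arpredirect's forged ARP replies and macof's flood of random source MACs, both leave a signature that a passive monitor on the segment can see. The following is an added example written for this page (not part of dsniff) that implements the two corresponding checks over a stream of captured frames: an IP address that starts answering from a different MAC than the one first learned, and a burst of distinct source MACs inside a short time window. The `Frame` records, MAC and IP addresses, window size and threshold in `demo()` are all constructed; in practice the frames would come from a capture tool such as wireshark or tcpdump, and the threshold has to be tuned to the segment's normal host count.

```python
"""Passive detection of ARP-reply forgery and MAC flooding on a LAN segment.

Added example for this page; not code from the dsniff project.
  * Binding check: an IP that changes MAC after it was first learned is reported
    (what arpredirect's forged replies look like to an observer).
  * Flood check: the number of distinct source MACs inside a sliding window is
    compared with a threshold (what macof's random-MAC flood looks like).
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    ts: float                          # capture time in seconds
    src_mac: str                       # Ethernet source address
    arp_op: Optional[str] = None       # "request" / "reply" for ARP frames, else None
    arp_sender_ip: Optional[str] = None  # ARP sender protocol address, if an ARP frame


class LanMonitor:
    def __init__(self, flood_window=1.0, flood_threshold=50):
        self.bindings = {}          # ip -> mac as first seen (acts like a static ARP table)
        self.window = deque()       # (ts, mac) for frames still inside the flood window
        self.mac_counts = {}        # mac -> number of frames in the window
        self.flood_window = flood_window
        self.flood_threshold = flood_threshold
        self.in_flood = False       # suppress repeated flood alerts while the burst lasts

    def feed(self, frame):
        """Process one frame; return a list of alert strings (usually empty)."""
        alerts = []
        # Binding check. The Ethernet source is used as the sender MAC for simplicity;
        # a stricter monitor would also compare it with the ARP sender hardware address.
        if frame.arp_op is not None and frame.arp_sender_ip is not None:
            ip, mac = frame.arp_sender_ip, frame.src_mac
            known = self.bindings.setdefault(ip, mac)
            if known != mac:
                alerts.append(f"ARP {frame.arp_op}: {ip} moved from {known} to {mac} "
                              f"at t={frame.ts:.2f}")
        # Flood check: maintain the set of source MACs seen in the last flood_window seconds.
        self.window.append((frame.ts, frame.src_mac))
        self.mac_counts[frame.src_mac] = self.mac_counts.get(frame.src_mac, 0) + 1
        while self.window and frame.ts - self.window[0][0] > self.flood_window:
            _, old = self.window.popleft()
            self.mac_counts[old] -= 1
            if self.mac_counts[old] == 0:
                del self.mac_counts[old]
        distinct = len(self.mac_counts)
        if distinct >= self.flood_threshold and not self.in_flood:
            self.in_flood = True
            alerts.append(f"MAC flood: {distinct} distinct source MACs within "
                          f"{self.flood_window}s at t={frame.ts:.2f}")
        elif distinct < self.flood_threshold:
            self.in_flood = False
        return alerts


def demo():
    """Run the monitor over a constructed capture; returns the alerts raised."""
    mon = LanMonitor(flood_window=1.0, flood_threshold=20)
    gw = "10.0.0.1"
    frames = [
        Frame(0.00, "00:11:22:33:44:01", "reply", gw),            # the real gateway answers
        Frame(0.50, "00:11:22:33:44:07", "request", "10.0.0.7"),  # an ordinary host
        Frame(1.00, "aa:bb:cc:dd:ee:ff", "reply", gw),            # a second MAC claims the gateway
    ]
    # A macof-style burst: 30 frames with distinct source MACs in 0.3 s (constructed).
    frames += [Frame(2.0 + i * 0.01, f"02:de:ad:00:00:{i:02x}") for i in range(30)]
    alerts = []
    for frame in frames:
        alerts.extend(mon.feed(frame))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A binding change is a lead, not proof: a replaced network card or a failover gateway produces the same event, so the monitor keeps the first-seen binding and keeps alerting until an operator updates it, which is the same trade-off a static ARP table makes. The flood threshold is deliberately a parameter; a segment with a few hundred active hosts can legitimately show far more than 20 distinct MACs per second, so the right value comes from the segment's own baseline.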
“wireshark” - A Network Protocol Analyzer (Sniffer)

“wireshark” (formerly ethereal) is a free network protocol analyzer that lets you interactively browse the captured data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. Wireshark's powerful features make it the tool of choice for network troubleshooting, protocol development, and education worldwide. Wireshark was written by an international group of networking experts, and is an example of the power of open source. It runs on Windows, Linux, UNIX, and other platforms.

www.wireshark.org
Knoppix-STD

Knoppix-STD is a Security Tool. Actually it is a collection of hundreds if not thousands of open source security tools. It's a Live Linux Distro (i.e. it runs from a bootable CD in memory without changing the native operating system of your PC). Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can. STD is designed to assist network administrators and professionals alike secure their networks. The STD community is without exception White Hat. This means we will not entertain discussions on ANY illegal or unethical activities.

www.knoppix.org and http://www.s-t-d.org/ List of tools: http://s-t-d.org/tools.html
Overview of NetSec Tools: http://sectools.com (insecure.org)
The Metasploit Project

Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only. Metasploit is a community project managed by Rapid7 [http://www.rapid7.com/].

http://www.metasploit.com/
2011-03-07: Metasploit 3.6.0 Released!

We are excited to announce that version 3.6.0 of Metasploit Pro, Metasploit Express, and the Metasploit Framework have been released! This release adds 15 new exploits for a total of 64 new modules since version 3.5.1. All editions of Metasploit now include Post Exploitation modules that provide local exploits and additional data gathering capabilities. Metasploit Express and Metasploit Pro users benefit from the Project Activity Report and Global Search capabilities now available in the user interface. Metasploit Pro users now have access to the new Pro Console, PCI Report, and Asset Tagging features. The full release notes for the open source framework can be found online. For more information on the updates to the commercial products, please see the official press release and the release notes.

http://www.metasploit.com/
Internet Security Systems, Inc - Atlanta (now a division of IBM)

IBM helps you reduce the cost and complexity of securing your infrastructure with a comprehensive portfolio of world-class managed security services and consulting services powered by IBM X-Force.

- Managed security services: Award-winning managed services help protect your information assets from attack.
- Professional security services: Build comprehensive and effective information security policies and practices for your business.
- Solutions for mid-market organizations: Security solutions designed specifically to help mid-sized businesses stay up and running.
- Payment Card Industry (PCI) compliance solutions: We can help you assess compliance and meet all 12 requirements of the PCI standard.
- Virtualization security solutions: Manage the risk of virtualization and realize the cost savings.

www.iss.net Excellent News Source: http://blogs.iss.net/
Network Security Organizations

There are a number of organizations that provide good advice about network security programs. The Computer Emergency Response Team (US-CERT) encourages reports about cracking activities and releases an annual summary of cracking incidents. CERT is operated by Carnegie-Mellon University for the U.S. government (www.us-cert.gov). SANS, which appears to be “for profit,” offers a number of free services. Reports on newly discovered exploits (without implementation code) and patched exploits are available by email. The Global Incident Analysis Center is available on the Web (www.sans.org). The FBI investigates cyber crimes and provides data from an ongoing survey (http://www.fbi.gov/cyberinvest/cyberhome.htm). The Secret Service also investigates cyber crimes, particularly those involving child pornography and bank fraud.
CERT®/CC Contact Information

Email: cert@cert.org
Encrypting sensitive information: When sending sensitive information by email, please encrypt it. You can find details about our PGP key in Sending Sensitive Information.
Phone - CERT Hotline: 1 412-268-7090 (24-hour hotline). CERT/CC personnel answer 8:00 a.m. - 8:00 p.m. EST (GMT-5) / EDT (GMT-4) on working days; they are on call for emergencies during other hours and on weekends and holidays.
CERT® Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890

Subscribe to the CERT mailing list if you want to receive their advisories and summaries in email.

www.cert.org (Carnegie Mellon U.) and www.us-cert.gov (US DHS)
CERT - 2

www.cert.org and www.us-cert.gov
SANS Global Incident Analysis Center

Welcome to GIAC, our mission is to provide up-to-date reports of malicious activity on the net submitted by your international community of system administrators and intrusion detection analysts. We welcome detects of intrusions, odd log file entries, encryption failures, or other security related information.

Three gifts SANS gives to the community are the weekly digest of patches and summaries of traces, the monthly Windows NT Digest of new security holes, patches, and other administrative imperatives, and the weekly digest of the 25 top news stories in secret. We'd be happy to send you any or all, just send an email to info@sans.org with one or more of the following in the subject: Network Security Digest, NT Digest, or Newsbites.

GIAC has posted a guide to defensive steps against DDOS attacks in a document based on the Consensus Roadmap developed by the Partnership for Critical Infrastructure Security. Since the DDOS threat will be with us for the long haul we need to take appropriate countermeasures to reduce the impact of the threat. GIAC is committed to train and assist security professionals and with your help we can get control of this problem. Thank you!

http://isc.sans.org/reports.html
National Infrastructure Protection Center (NIPC)

Located in the FBI's headquarters building in Washington, D.C., the NIPC brings together representatives from the FBI, other U.S. government agencies, state and local governments, and the private sector in a partnership to protect our nation's critical infrastructures. Established in February 1998, the NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures. These infrastructures, which include telecommunications, energy, banking and finance, water systems, government operations, and emergency services, are the foundation upon which our industrialized society is based.

Our society is increasingly relying on new information technologies and the Internet to conduct business, manage industrial activities, engage in personal communications, and perform scientific research. While these technologies allow for enormous gains in efficiency, productivity, and communications, they also create new vulnerabilities to those who would do us harm. The same interconnectivity that allows us to transmit information around the globe at the click of a mouse or push of a button also creates unprecedented opportunities for criminals, terrorists, and hostile foreign nation-states who might seek to steal money or proprietary data, invade private records, conduct industrial espionage, cause a vital infrastructure to cease operations, or engage in Information Warfare.

Protecting our critical infrastructures in the Information Age raises new challenges for all of us. Above all, it requires a partnership between the government and private industry to reduce our vulnerability to attack and increase our capabilities to respond to new threats. The NIPC provides an important vehicle for carrying that partnership forward.

Disbanded, see CIP and Homeland Security, Nat. Cyber Sec. Div.: http://www.dhs.gov/xabout/structure/editorial_0839.shtm
Critical Infrastructure Protection

From Wikipedia, the free encyclopedia (11-20-2006)

The Critical Infrastructure Protection or CIP is a Presidential directive (PDD-63) that calls for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States. In July 1996, President Bill Clinton issued Executive Order Critical Infrastructure Protection. This order stated that certain national infrastructures are critical to the national and economic security of the United States and the well being of its citizenry. The critical infrastructure of the United States is comprised of the systems and networks that are so essential that if one or more is incapacitated or destroyed, an entire region, if not the defense or economic security of the nation, could be debilitated.

8 Areas, including: Information and Communications - Our economy and way of life rely heavily on telecommunications and information technology.

http://en.wikipedia.org/wiki/Critical_Infrastructure_Protection
WASHINGTON, D.C. -- The Department of Justice, in conjunction with the FBI, the Air Force Office of Special Investigation, the National Aeronautic and Space Administration and the Naval Criminal Investigative Service, announced today that the Israeli National Police arrested Ehud Tenebaum, an Israeli citizen, for illegally accessing computers belonging to the Israeli and United States governments, as well as hundreds of other commercial and educational systems in the U.S. and elsewhere.

The arrest of Tenebaum culminates several weeks of investigation into a series of computer intrusions into United States military systems that occurred in February 1998. As part of this investigation, the Department of Justice formally requested legal assistance from the Israeli Ministry of Justice, and U.S. law enforcement agents traveled to Israel to present Israeli law enforcement officials with evidence of the magnitude and the source of the intrusions into United States computers.

Attorney General Janet Reno said that the prompt arrest of the Israeli hacker demonstrates the effectiveness of international cooperation in cases involving transnational criminal conduct. She added that the U.S. government's efforts to investigate and prosecute computer crime are on the right track: "This arrest should send a message to would-be computer hackers all over the world that the United States will treat computer intrusions as serious crimes. We will work around the world and in the depths of cyberspace to investigate and prosecute those who attack computer networks," she said.
The Rustock Takedown and Global Spam Volumes

Posted by Ralf Iffert and Tom Cross on March 21, 2011 at 11:50 PM EDT.

Last week there was widespread media coverage of a successful effort by Microsoft and US Marshals to take down the command and control capabilities of the Rustock botnet. At the time sources announced a significant drop in spam volumes related to that event. Although X-Force noticed a 35% drop in spam volume on March 16th, spam volumes can fluctuate within a large range on a day to day basis and so this reduction in the volume did not initially appear to be outside of the normal amount of fluctuation that occurs. Now that several days have passed, this drop seems more significant, as the spam volume has stayed down between 35 and 40% versus its previous average volumes for several consecutive days. It appears that the Rustock takedown likely had a sustained impact on the total volume of spam. It is worth noting, however, that this reduction is only about half as big as the drop that occurred over Christmas, when spammers appeared to have gone on holiday.

For more, see http://blogs.iss.net/
What to Do if a System is Compromised

Regain control

1. Disconnect compromised system(s) from the network

To regain control, you will need to disconnect all compromised machines from your network, including dial-in connections. After that you may wish to operate in single user mode in UNIX or as the local administrator in NT to ensure that you have complete control of the machine; however, by rebooting or changing to single user/local administrator mode, you may lose some useful information because all processes executing at the time of discovery will be killed. Therefore, you may wish to work through the steps in section C.5, "Look for signs of a network sniffer," to determine if the compromised system is currently running a network sniffer.

Operating in single user mode on UNIX systems will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process. If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine.

2. Copy an image of the compromised system(s)... [UNIX utility "dd" is good for this]

Excerpt from http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
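Two of the steps above have a concrete check behind them: "look for signs of a network sniffer" and "copy an image" with its verification. The following is an added example written for this page, not code from CERT or from the tech tip it excerpts. `promiscuous_interfaces` implements the sniffer check on Linux, where each interface publishes its flag word in `/sys/class/net/<name>/flags` and the `IFF_PROMISC` bit (`0x100`, from `linux/if.h`) is set while a sniffer has the card in promiscuous mode; the function takes the mapping as an argument so it can be exercised on constructed values. `image_and_verify` does what you would otherwise do with `dd` plus a hashing tool: copy the device block by block, hash source and image independently, and record the digest so that any later change to the image is detectable. The "device" in `demo()` is a constructed 1 MiB file, and the interface flag values are constructed too.

```python
"""First-response helpers for the recovery steps above (added example; not CERT's code)."""
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100  # interface is in promiscuous mode (linux/if.h)


def read_interface_flags(sysfs="/sys/class/net"):
    """Collect the hex flag word of every interface from sysfs (Linux only)."""
    flags = {}
    for name in os.listdir(sysfs):
        try:
            with open(os.path.join(sysfs, name, "flags")) as f:
                flags[name] = f.read().strip()
        except OSError:
            continue  # interface vanished or is not readable; skip it
    return flags


def promiscuous_interfaces(flags_by_iface):
    """Return the sorted names of interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, word in flags_by_iface.items()
                  if int(word, 16) & IFF_PROMISC)


def sha256_file(path, block_size=65536):
    """Hex SHA-256 of a file, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(src, dst, block_size=4 * 1024 * 1024):
    """Copy src to dst block by block, flush to disk, then hash both independently.

    Returns (ok, src_hash, dst_hash). The image is only trustworthy if ok is True;
    the src_hash is what you record as the evidence digest.
    """
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(block_size), b""):
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the bytes we hash next are the bytes on disk
    src_hash = sha256_file(src)
    dst_hash = sha256_file(dst)
    return src_hash == dst_hash, src_hash, dst_hash


def demo():
    """Image a constructed 'device' file, tamper with the copy, and check both helpers."""
    tmp = tempfile.mkdtemp(prefix="ir_demo_")
    device = os.path.join(tmp, "sdb1.bin")     # stands in for the compromised disk
    image = os.path.join(tmp, "sdb1.dd")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 4096)      # 1 MiB of deterministic, constructed content
    ok, src_hash, img_hash = image_and_verify(device, image, block_size=65536)

    # Someone alters one byte of the image afterwards: re-hashing must expose it.
    with open(image, "r+b") as f:
        f.seek(512)
        f.write(b"\xff")
    tamper_detected = sha256_file(image) != src_hash

    # Constructed flag words: lo up+loopback, eth0 up with PROMISC set, eth1 up without it.
    flagged = promiscuous_interfaces({"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"})
    return {"image_ok": ok, "image_hash": img_hash,
            "tamper_detected": tamper_detected, "promisc": flagged}


if __name__ == "__main__":
    print(demo())
    if os.path.isdir("/sys/class/net"):
        print("promiscuous interfaces on this host:", promiscuous_interfaces(read_interface_flags()))
```

Hash the source before and after the copy when the disk is live: if the two source digests differ, the machine was still changing while you imaged it, which is exactly why the tech tip has you disconnect and drop to single user mode first. Keep the recorded digest with the image and off the compromised host; an intruder who can rewrite the image can rewrite a digest stored beside it.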