

Number of slides: 40

Introduction to Systems Security (January 11, 2012) © Abdou Illia – Spring 2012

Learning Objectives
• Discuss main security threats
• Discuss types of systems' attacks
• Discuss types of defense systems

2010 Computer Crime and Security Survey (2010 CSI Security Report)
• Survey summary online
• Survey conducted by the Computer Security Institute (http://www.gocsi.com)
• Copy of the survey report on the course web site
• Based on replies from 494 U.S. computer security professionals

2009 CSI Report: Types of attacks or misuse in the last 12 months (chart slide)

CSI Survey: financial loss, 2007: $66,930,950 reported by 194 respondents (chart slide)

Attack Trends
• Growing incident frequency until 2001
• Incidents reported to the Computer Emergency Response Team/Coordination Center (CERT/CC):

  Year            Incidents reported
  1998            3,474
  1999            9,859
  2000            21,756
  2001            52,658
  2001 - present  Decline in the number of reported attacks

• Growing malevolence since 2000
  - Most early attacks were not malicious
  - Malicious attacks are the norm today

CSI Survey: Security monitoring (chart slide)

CSI Survey: Defense technology (chart slide)

2011 Sophos Security Threat Report
• Report focused on Sophos' security software
• General discovery*

* Infected USB drives take advantage of computers that have auto-run enabled, which allows the automated execution of code contained on the flash drive as soon as it is plugged in; disabling auto-run removes that execution path.

2011 Sophos Security Threat Report
• Malware* hosted on websites (chart slide)

* Malicious software

2011 Sophos Security Threat Report
• Malware-hosting countries (chart slide)

2011 Sophos Security Threat Report
• Spam-relaying countries (chart slide; annotation: climbing the list year after year)

2011 Sophos Security Threat Report
• Web server software affected (chart slide)
• Layers of a web server computer: web server software (Apache, IIS, Sun ONE) runs on the operating system, which runs on the computer hardware (RAM chips, hard disk, processor)
• As of March 2010 Apache served 58% of all web servers
• Apache is available for Microsoft Windows, Novell NetWare and Unix-like operating systems

Other Empirical Attack Data
• SecurityFocus
• Data from 10,000 firms in 2010
• Attack targets
  - 31 million Windows-specific attacks
  - 22 million UNIX/Linux attacks
  - 7 million Cisco IOS attacks
• All operating systems are attacked!

Summary Questions (Part 1)
1. What does malware refer to?
2. Systems running Microsoft operating systems are more likely to be attacked than others. True or False?
3. With a Windows OS, you can use IIS or other web server software such as Apache. True or False?
4. What web server software is most affected by web threats today?
5. What types of email-attached files could or could not hide malware?
6. Could USB drives be used as a means of infecting a system with malware? How?

Systems attackers
(Diagram: Attackers: Elite hackers, Script kiddies, Virus writers & releasers, Corporate employees, Cyber vandals, Cyber terrorists)
• Hacking
  - Intentional access without authorization or in excess of authorization
• Elite hackers
  - Characterized by technical expertise and dogged persistence, not just a bag of tools
  - Use attack scripts to automate actions, but this is not the essence of what they do
  - Could hack to steal information, to do damage, or just to prove their status

Systems attackers
• Elite hackers (cont.)
  - Black hat hackers break in for their own purposes
  - White hat hackers can mean multiple things
    § Strictest: hack only by invitation as part of vulnerability testing
    § Some hack without permission but report vulnerabilities (not for pay)
  - Ethical hackers
    § Hired by organizations to perform hacking activities in order to test the performance of systems' security and to develop/propose solutions

Systems attackers
• Script kiddies
  - "Kids" that use pre-written attack scripts (kiddie scripts)
  - Called "lamers" by elite hackers
  - Their large number makes them dangerous
  - The noise of kiddie-script attacks masks more sophisticated attacks

Systems attackers
• Virus writers and releasers
  - Writing virus code is not a crime
  - Virus writers versus virus releasers
  - Only releasing viruses is punishable

Systems attackers
• Cyber vandals
  - Use networks to harm companies' IT infrastructure
  - Could shut down servers, slow down e-business systems
• Cyber warriors
  - Massive attacks* by governments on a country's IT infrastructure
• Cyber terrorists
  - Massive attacks* by nongovernmental groups on a country's IT infrastructure
• Hacktivists
  - Hacking for political motivation

* Multi-pronged attacks: releasing viruses, active hacking, attacking Internet routers, etc.

Summary Questions (Part 2)
1. What is meant by elite hacker, white hat hacker, ethical hacker?
2. What is the difference between script kiddies and elite hackers?
3. Is releasing a virus a crime in the U.S.?
4. What is the difference between cyber war and cyber terrorism?

Attack preparation: examining email headers (example 1)

  Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31])
      by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC
      for ; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
  Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
      Wed, 8 Feb 2006 16:14:58 -0800
  Message-ID:
  Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP;
      Thu, 09 Feb 2006 00:14:58 GMT
  X-Originating-IP: [192.30.202.14]        <- source IP address: the sender's computer as seen by Hotmail's web interface
  X-Originating-Email: [macolas@hotmail.com]
  X-Sender: macolas@hotmail.com
  In-Reply-To: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
  X-PH: V4.4@ux1
  From:
  To: aillia@eiu.edu
  X-ASG-Orig-Subj: RE: FW: Same cell#
  Subject: RE: FW: Same cell#
  Date: Thu, 09 Feb 2006 00:14:58 +0000
  Mime-Version: 1.0
  Content-Type: text/plain; format=flowed
  X-OriginalArrivalTime: 09 Feb 2006 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
  X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
  X-Barracuda-Spam-Score: 0.00

Reading the chain: each mail server prepends its own Received line, so the topmost line is the last hop (EIU's Barracuda spam firewall) and the bottom one is the first. Only the lines added by servers you control can be trusted; X-Originating-IP and the earlier Received lines were written by the sender's systems and can be forged.

IP address locator: http://www.geobytes.com/IpLocator.htm
Display email headers in Gmail, Yahoo!, Hotmail: http://aruljohn.com/info/howtofindipaddress/

Attack preparation: examining email headers (example 2)

  Received: from Spyro364 (12-208-4-66.client.mchsi.com [12.208.4.66])
      by fillmore.eiu.edu (Postfix) with ESMTP id AD8A739C18F4;
      Fri, 29 Aug 2008 23:31:27 -0500 (CDT)
  Return-Receipt-To: "Trevor Bartlett"
  From: "Trevor Bartlett"
  To: "Laura Books", "Brad Burget", "Jan Runion", "Mandi Loverude", "Joe Benney", "John Walczak"
  Cc: "Vicki Hampton", "Abdou Illia"
  Subject: AITP Networking With IT Professionals
  Date: Fri, 29 Aug 2008 23:31:27 -0500
  Message-ID: !&!AAAYAAAAAAAHlvebngHR1Ho0mBdl39GGiCgAAAEAAAAIhhC6mcc1ZGhpyF6F1EIaoBAAAAAA==@eiu.edu
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary="----=_NextPart_0000_01C90A2F.5CB9A220"
  X-Mailer: Microsoft Office Outlook 12.0
  Thread-Index: AckKWTTHhYKvGjoUQfSXzrjBGue7+g==
  Content-Language: en-us

Notes:
• The Received line gives the sending computer's name (Spyro364, which reverse-resolves to 12-208-4-66.client.mchsi.com) and its IP address (12.208.4.66). A sender who wants to hide the sending computer's real IP address routes the mail through a proxy server; the header then records the proxy's address instead.
• Ping (or nslookup) fillmore.eiu.edu to have DNS convert the receiving EIU server's name into the server's IP address.

IP address locator: http://www.geobytes.com/IpLocator.htm
Display email headers in Gmail, Yahoo!, Hotmail: http://aruljohn.com/info/howtofindipaddress/

Attack preparation: examining email headers (example 3)

  Received: from barracuda.eiu.edu (barracuda1.eiu.edu [139.67.8.80])
      by eureka.eiu.edu (Postfix) with ESMTP id D355235FF8D8
      for ; Fri, 29 Aug 2008 23:22:04 -0500 (CDT)
  X-ASG-Debug-ID: 1220070124-092800670000-XywefX
  X-Barracuda-URL: http://139.67.8.80:8000/cgi-bin/mark.cgi
  Received: from ismtp1.eiu.edu (localhost [127.0.0.1])
      by barracuda.eiu.edu (Spam Firewall) with ESMTP id 94B32111114D
      for ; Fri, 29 Aug 2008 23:22:04 -0500 (CDT)
  Received: from ismtp1.eiu.edu (ismtp1.eiu.edu [139.67.9.21])
      by barracuda.eiu.edu with ESMTP id OHAHGovHCxVIjPwe
  X-IronPort-Anti-Spam-Filtered: true
  X-IronPort-Anti-Spam-Result: vkAABNnuEjBwp4Wo2dsb2JhbACROoEPAQEBBwUIBxGedBUIA4Y5YwMIBHiDLw
  Received: from exchange-zav1.bvdep.com ([193.194.158.22])
      by ismtp1.eiu.edu with ESMTP; 29 Aug 2008 23:22 -0500
  Received: from safaribo.bvdep.com ([172.28.32.40])
      by exchange-zav1.bvdep.com with Microsoft SMTPSVC(5.0.2195);
      Sat, 30 Aug 2008 06:22:01 +0200
  Received: from mail pickup service by safaribo.bvdep.com with Microsoft SMTPSVC;
      Sat, 30 Aug 2008 00:22:01 -0400
  From:
  To:
  X-ASG-Orig-Subj: Welcome to CourseSmart
  Subject: Welcome to CourseSmart
  Date: Sat, 30 Aug 2008 00:22:01 -0400
  Message-ID: <000001c90a57$f2e6bc10$28201cac@be.bvd>
  MIME-Version: 1.0
  Content-Type: text/plain;

Notes:
• 193.194.158.22 is the IP address of the sender's mail server (exchange-zav1.bvdep.com). That server delivered the email to ismtp1.eiu.edu, so it is the first address in the chain that EIU's own servers recorded and the last system outside EIU that handled the message.
• 172.28.32.40 could be taken for the source IP address, since it is the first computer shown in the chain of devices involved in sending. It is more likely the address of an internal "pickup server": 172.28.32.40 lies in the private 172.16.0.0/12 range, which is not routable on the Internet, so it identifies a host inside the sender's network, not an Internet-facing system. (The last part of the Message-ID, 28201cac, is that same address in hexadecimal with the bytes reversed: ac.1c.20.28 = 172.28.32.40.)
• Everything above the 193.194.158.22 hop was written by EIU servers and is trustworthy; everything below it was supplied by the sender's systems and cannot be verified.

IP address locator: http://www.geobytes.com/IpLocator.htm
Display email headers in Gmail, Yahoo!, Hotmail: http://aruljohn.com/info/howtofindipaddress/
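Walking a Received chain by hand, as the three slides above do, is error-prone. The following Python script is an added example, not code from the original lecture, that automates the reading given for example 3: it parses the headers, treats only the Received lines added by the receiving organisation's own servers as trustworthy (the list of those servers and their 139.67.0.0/16 address space is an assumption for the demonstration), reports the hand-off address 193.194.158.22, and flags the sender-side address 172.28.32.40 as private. The header sample is constructed from the slide's excerpt.

```python
"""Walk an e-mail's Received chain and separate trustworthy hops from sender-supplied ones.

Added example for the header-analysis slides; not code from the original lecture.
The header sample is constructed from the slide-24 excerpt; the set of servers
treated as "ours" and the 139.67.0.0/16 address range are assumptions.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample: newest hop first, as in a real message (folded lines start with a space).
RAW_HEADERS = """\
Received: from barracuda.eiu.edu (barracuda1.eiu.edu [139.67.8.80])
 by eureka.eiu.edu (Postfix) with ESMTP id D355235FF8D8; Fri, 29 Aug 2008 23:22:04 -0500 (CDT)
Received: from ismtp1.eiu.edu (localhost [127.0.0.1])
 by barracuda.eiu.edu (Spam Firewall) with ESMTP id 94B32111114D; Fri, 29 Aug 2008 23:22:04 -0500 (CDT)
Received: from ismtp1.eiu.edu (ismtp1.eiu.edu [139.67.9.21])
 by barracuda.eiu.edu with ESMTP id OHAHGovHCxVIjPwe
Received: from exchange-zav1.bvdep.com ([193.194.158.22])
 by ismtp1.eiu.edu with ESMTP; 29 Aug 2008 23:22 -0500
Received: from safaribo.bvdep.com ([172.28.32.40])
 by exchange-zav1.bvdep.com with Microsoft SMTPSVC(5.0.2195); Sat, 30 Aug 2008 06:22:01 +0200
Received: from mail pickup service by safaribo.bvdep.com with Microsoft SMTPSVC; Sat, 30 Aug 2008 00:22:01 -0400
Subject: Welcome to CourseSmart

"""

# Assumption: the receiving organisation's own mail servers and address space.
TRUSTED_RECEIVERS = {"eureka.eiu.edu", "barracuda.eiu.edu", "ismtp1.eiu.edu"}
OUR_NETS = [ipaddress.ip_network("139.67.0.0/16"), ipaddress.ip_network("127.0.0.0/8")]

# "from <host> (<helo/reverse-dns [ip]>) ... by <host>"; the helo part is optional.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(raw_headers):
    """Return the Received hops newest-first as dicts with 'from', 'ip' and 'by' keys."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip_match = IPV4_RE.search(m.group("helo") or "")
        hops.append({"from": m.group("from"),
                     "ip": ip_match.group(1) if ip_match else None,
                     "by": m.group("by").rstrip(";")})
    return hops


def classify_ip(ip):
    """Say whether an address could even be reached from the Internet."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private (RFC 1918): not routable on the Internet"
    return "public"


def handoff_ip(hops, trusted=TRUSTED_RECEIVERS, our_nets=OUR_NETS):
    """IP of the outside system that handed the message to one of our servers.

    Walking newest-first, skip hops that stay inside our own infrastructure; the
    first hop recorded by a trusted server from a non-local address is the hand-off.
    """
    for hop in hops:
        if hop["by"] not in trusted or hop["ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if any(addr in net for net in our_nets):
            continue                            # still our own servers talking to each other
        return hop["ip"]
    return None


def untrusted_hops(hops, trusted=TRUSTED_RECEIVERS):
    """Hops recorded by servers we do not control: sender-supplied, possibly forged."""
    return [h for h in hops if h["by"] not in trusted]


def analyse(raw_headers):
    """Summarise a header block: hop count, hand-off IP, and sender-side addresses with a label."""
    hops = parse_received(raw_headers)
    return {
        "hops": len(hops),
        "handoff_ip": handoff_ip(hops),
        "sender_side": [(h["ip"], classify_ip(h["ip"])) for h in untrusted_hops(hops) if h["ip"]],
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

Running it on the sample prints a hand-off IP of 193.194.158.22 and lists 172.28.32.40 as the only sender-side address, labelled private; that matches the conclusion drawn on the slide without anyone having to count Received lines by eye.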

Attack preparation: looking for targets
• Scanning (probing)
  - Ping messages (to learn whether a potential victim exists and is turned on)
    → Firewalls are usually configured to block pings from outsiders, so a host that does not answer a ping is not necessarily down
  - Supervisory messages (to learn whether the victim is available)
  - Tracert / traceroute (to learn how to get to the target)
• Example scanning tool: http://www.netscantools.com/nstpro_netscanner.html

Attack preparation: identifying targets
• Examining the scan results reveals
  - IP addresses of potential victims
  - What services the victims are running (different services have different weaknesses)
  - Each host's operating system, version number, etc.
• The Whois database (e.g., at NetworkSolutions.com) is also used when ping scans fail
• Social engineering
  - Tricking employees into giving out information (passwords, keys, etc.)
• Deciding which type of attack to launch given the available information

Framework for Attacks
• Physical access attacks: wiretapping, server hacking, vandalism
• Dialog attacks: eavesdropping, impersonation, message alteration
• Penetration attacks: scanning (probing), break-in, denial of service, malware (viruses, worms)
• Social engineering: opening attachments, password theft, information theft

Dialog attack: Eavesdropping
• Intercepting a confidential message being transmitted over the network
(Diagram: the client PC (Bob) sends "Hello" to the server (Alice); the attacker (Eve) intercepts and reads the messages)

Dialog attack: Message alteration
• Intercepting confidential messages and modifying their content
(Diagram: Bob sends "Balance = $1"; Eve intercepts it and forwards "Balance = $1,000" to Alice, who has no way to tell that the message was changed)

Dialog attack: Impersonation
(Diagram: Eve tells the server (Alice) "I'm Bob"; Alice answers "Hi! Let's talk." and treats Eve as if she were Bob)

Encryption: Protecting against eavesdropping and message alteration
1. Original message "Hello" on the client PC
2. Encryption software + key on the client PC
3. Encrypted message ">/??!@#%" is sent over the network
4. The attacker intercepts the encrypted message but cannot read it
5. Decryption software + key on the server recovers the decrypted message "Hello"
Note: encryption by itself provides confidentiality; detecting message alteration additionally requires an integrity check (a message authentication code or digital signature), which is the separate "Integrity" element of the secure dialog system on the next slides.

Authentication: Protecting against impersonation
(Diagram: Eve, posing as the client PC, claims "I'm Bob"; the server (Alice) answers "Prove it! (Authenticate yourself)" before continuing the dialog)

Secure Dialog System: Protecting against all dialog attacks
• A secure dialog between the client PC (Bob) and the server (Alice) automatically handles:
  - Authentication
  - Encryption
  - Integrity
• The attacker cannot read messages, alter messages, or impersonate either party (TLS/SSL is the everyday example of such a system)
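The following Python code is an added example, not code from the original lecture, of what "automatically handles authentication, encryption, integrity" means, and it replays the three dialog attacks from the preceding slides against it. The pre-shared secret between Bob and Alice is constructed, and the SHA-256 counter-mode stream cipher is a deliberately simple standard-library stand-in for a real cipher so that the example runs anywhere; a production system would use TLS or an AEAD mode such as AES-GCM rather than this construction.

```python
"""Secure dialog over an insecure channel: confidentiality + integrity + authentication.

Added example for the dialog-attack and secure-dialog slides; not code from the
original lecture.  The shared secret is constructed.  The stream cipher is a toy
SHA-256-in-counter-mode construction chosen so everything runs on the standard
library; use TLS or an AEAD such as AES-GCM in real systems.
"""
import hashlib
import hmac
import struct

SHARED_SECRET = b"constructed demo secret shared by Bob and Alice"   # assumption: pre-shared key


def derive_keys(secret):
    """Split one shared secret into independent encryption and MAC keys."""
    k_enc = hmac.new(secret, b"encryption", hashlib.sha256).digest()
    k_mac = hmac.new(secret, b"integrity", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream_xor(k_enc, seq, data):
    """Toy stream cipher: XOR data with SHA-256(k_enc || seq || block_index) blocks.
    The sequence number doubles as the nonce, so a (key, seq) pair is never reused."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(k_enc + struct.pack(">QQ", seq, block)).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def seal(secret, seq, plaintext):
    """Bob's side: encrypt, then MAC over (seq || ciphertext). Record = seq || ct || tag."""
    k_enc, k_mac = derive_keys(secret)
    header = struct.pack(">Q", seq)
    ct = keystream_xor(k_enc, seq, plaintext)
    tag = hmac.new(k_mac, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class DialogError(Exception):
    """Raised when a record is forged, altered or replayed."""


class Receiver:
    """Alice's side: verify before decrypting, and never accept an old sequence number."""

    def __init__(self, secret):
        self.k_enc, self.k_mac = derive_keys(secret)
        self.last_seq = -1

    def open(self, record):
        if len(record) < 8 + 32:
            raise DialogError("truncated record")
        header, ct, tag = record[:8], record[8:-32], record[-32:]
        expected = hmac.new(self.k_mac, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            raise DialogError("integrity/authentication failure")   # altered, or not from a key holder
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise DialogError("replayed record")
        self.last_seq = seq
        return keystream_xor(self.k_enc, seq, ct)


def _rejected(receiver, record):
    """True if the receiver refuses the record."""
    try:
        receiver.open(record)
    except DialogError:
        return True
    return False


def demo():
    """Run the eavesdropping, alteration, replay and impersonation attacks from the slides."""
    alice = Receiver(SHARED_SECRET)
    record = seal(SHARED_SECRET, 1, b"Balance = $1")
    results = {}
    results["eve_can_read"] = b"Balance" in record                 # eavesdropping: wire bytes only
    results["alice_reads"] = alice.open(record)                    # legitimate delivery
    tampered = bytearray(record)
    tampered[8 + 10] ^= 0x01                                       # flip one ciphertext bit
    results["alteration_detected"] = _rejected(alice, bytes(tampered))
    results["replay_detected"] = _rejected(alice, record)          # same record sent again
    forged = seal(b"eve's guess at the key", 2, b"Balance = $1,000")
    results["impersonation_detected"] = _rejected(alice, forged)   # Eve lacks the shared key
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points carry the weight: the MAC is checked before anything is decrypted (encrypt-then-MAC), so Alice never acts on bytes she has not authenticated, and the sequence number is bound into the MAC and must strictly increase, which is what turns "authentication" from a one-time handshake into protection for every message of the dialog.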

Break-in attack
(Diagram: a legitimate client PC on the Internet sends a packet to the server at IP address 12.2.10.13 on the internal corporate network with User: jdoe, Password: brave123. The attacker sends an attack packet to the same server, IP address 12.2.10.13, carrying guessed administrator credentials: User: admin, Password: logon123.)

Flooding Denial-of-Service (DoS) attack
(Diagram: the attacker sends a message flood at the server; the server is overloaded by the message flood and can no longer serve legitimate users)

Firewalls: Protecting against break-ins and DoS
(Diagram: packets from the Internet pass through the firewall before entering the internal corporate network. The legitimate user's packet is passed on to the hardened client PC or hardened server; the attacker's attack packet is dropped and recorded in the firewall's log file.)
• Firewalls can be hardware- or software-based
• Firewalls need configuration to implement access policies
• Security audits need to be performed to find and fix misconfigurations

Intrusion Detection System (IDS): Protecting against break-ins and DoS
• Software or hardware device that
  - Captures network activity data in log files
  - Analyzes the captured activity
  - Generates alarms in case of suspicious activity

Intrusion Detection System (IDS): Protecting against break-ins and DoS
(Diagram, corporate network:)
1. A suspicious packet arrives from the attacker on the Internet
2. The IDS passes the suspicious packet on to the hardened server (an IDS detects; unlike a firewall it does not block)
3. The IDS logs the packet to its log file
4. The IDS raises an alarm to the network administrator
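To make the division of labour between the two devices concrete, here is an added Python example, not code from the original lecture, that runs a constructed packet log through a stateless packet filter and then through a small IDS. The firewall enforces an access policy (only HTTPS to the server at 12.2.10.13, the address used on the break-in slide) and drops packets from the Internet that claim an internal source address, logging each drop; the IDS watches what the firewall let through and raises an alarm for a flooding source, which the firewall alone cannot stop because every flood packet is individually allowed. The addresses, ports, thresholds and traffic are all constructed.

```python
"""Packet filter (firewall) plus a small IDS, run over constructed traffic.

Added example for the firewall and IDS slides; not code from the original
lecture.  Addresses, ports, thresholds and the packet log are constructed.
The firewall drops and logs; the IDS only observes and alarms.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("12.2.10.0/24")     # constructed: the internal corporate network
SERVER = ip_address("12.2.10.13")             # the server address used on the break-in slide
ALLOWED_INBOUND = {("tcp", 443)}              # access policy: only HTTPS to the server

# Constructed packet log seen on the Internet-facing interface:
# (time in ms, source IP, destination IP, protocol, destination port)
PACKETS = [
    (0,    "203.0.113.5",  "12.2.10.13", "tcp", 443),   # legitimate user
    (500,  "203.0.113.5",  "12.2.10.13", "tcp", 443),
    (1000, "198.51.100.9", "12.2.10.13", "tcp", 22),    # break-in attempt against a login service
    (1200, "12.2.10.99",   "12.2.10.13", "tcp", 443),   # arrives from outside claiming an inside address
] + [
    # flood: 40 connection attempts from one host, 50 ms apart, all to the allowed port
    (2000 + i * 50, "198.51.100.77", "12.2.10.13", "tcp", 443) for i in range(40)
]


def firewall(packets, log):
    """Stateless filter: returns the packets that are passed; drops are appended to *log*."""
    passed = []
    for pkt in packets:
        t, src, dst, proto, port = pkt
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip in INTERNAL_NET:
            reason = "spoofed internal source address on external interface"
        elif dst_ip == SERVER and (proto, port) in ALLOWED_INBOUND:
            reason = None
        else:
            reason = f"no rule permits {proto}/{port} to {dst}"
        if reason is None:
            passed.append(pkt)
        else:
            log.append(f"{t:6d} ms DROP {src} -> {dst}:{port} ({reason})")
    return passed


def ids_flood_alarms(packets, window_ms=1000, threshold=20):
    """Anomaly detector: alarm on any source sending more than *threshold*
    packets inside a sliding window of *window_ms* milliseconds."""
    recent = defaultdict(list)                # source -> timestamps still inside the window
    alarms = set()
    for t, src, _dst, _proto, _port in packets:
        times = recent[src]
        times.append(t)
        while times and times[0] < t - window_ms:
            times.pop(0)                      # expire timestamps that left the window
        if len(times) > threshold:
            alarms.add(src)
    return sorted(alarms)


def run(packets):
    """Firewall first, then the IDS on what the firewall passed."""
    log = []
    passed = firewall(packets, log)
    return {
        "dropped": len(packets) - len(passed),
        "passed": len(passed),
        "log": log,
        "alarms": ids_flood_alarms(passed),
    }


if __name__ == "__main__":
    report = run(PACKETS)
    print(f"passed {report['passed']}, dropped {report['dropped']}")
    print("\n".join(report["log"]))
    print("IDS alarms:", report["alarms"])
```

The two dropped packets are the SSH probe and the spoofed-source packet; the 40 flood packets all pass the filter because each one is a legitimate-looking HTTPS request, and only the IDS, which reasons about rate rather than individual packets, names 198.51.100.77 as the flooding source for the administrator to act on.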

Other defense measures
• Good access control policies
  - Strong passwords
  - Good access-rights implementation for resources (computers, folders, printers, etc.)
  - Good group policies
• Installing patches for
  - Operating systems
  - The most important application software

Summary Questions (Part 3)
1. What do ping messages allow? Why are ping scans often not effective?
2. What does social engineering mean?
3. What is meant by eavesdropping? Message alteration?
4. What kind of techniques could be used to protect against eavesdropping?
5. What is meant by DoS?
6. What kind of tools could be used to protect a system against DoS?