Networks and Security

How Real is the Threat?
88% of IT staff polled in the US recently said their organizations had been affected by Internet viruses or worms in the past year, even though 90% of firms have an IT security system in place. (Information Security Magazine, 2001)
Worm Threats
• NIMDA and Code Red generated the majority of attack activity, accounting for 63% of recorded attacks
• Each worm attacked known problems with available patches
• New zero-day worms hit vulnerabilities that have not yet been posted
• Future worms will morph
Trends
• 39% seemed to be targeted to breach a specific system or company
• 61% seemed opportunistic, with the attacker scanning and looking to exploit whatever was found
• 42% of the attacks were aimed at large corporations of 1,000 or more employees
• This suggests that higher-profile corporations are bigger targets than lower-profile ones
Majority of Attacks Are Launched From a Small Number of Countries
• Ten countries account for 70% of attacks
• 30% United States
• 9% South Korea
• 8% China
• The largest number of attacks per IP address came from Israel
Most Probed Ports
• Windows service for conversion of IP addresses to names in file sharing apps
• First step in a scan to hit file shares
• Open when a web server is installed
• Used by MS-SQL server for remote clients to query for network connections
Trends
• The industries with the highest attack rates are:
  • Education
  • High Tech
  • Financial Services
  • Media/Entertainment
  • Power and energy companies
• Each averaged more than 700 attacks per company in the last six months
• Power and energy companies suffered attacks from the Mid East at twice the mean of other companies
• High Tech and Financial companies suffered attacks from Asia at a rate 50% higher than the mean for other companies
Top Ten Attacks
• 47.8% M.S. IIS Server ISAPI overflow
• 25.1% (Code Red) Generic Root Request Attack of root.exe in /scripts directory
• 23.5% M.S. IIS Server Traversal Attack
• 17% M.S. IIS Server Arbitrary Code Attack (code URL twice)
• 16.5% (Code Red) "cmd.exe" Attack
• 5% Scan for port 27374 for SubSeven (2600 Magazine)
• 3.8% Scan for vulnerable or mis-configured FTP servers
• 2.8% Scans for RPC enabled
• 1.3% Scans for ssh (Exploit)
• 1.2% Scans for LPD (Exploit)
(Source: Riptech)
General Types of Hackers
• Kiddie Scripters
• Black hats
• Network-savvy employees
• Government Entities
Kiddie Scripters
• Run scripts from hacker sites
• Rarely recompile to change ports or affect attack signatures
• Poor resources, usually tied to an ISP
• Usually want a quick "hit" or break-in and are largely indiscriminate about targets
• Leave behind lots of evidence
Know Your Enemy – Places to Visit
• http://www.hacktech.org/
• http://surf.to/damage_inc
• http://www.oninet.es/usuarios/darknode/
• http://b0iler.eyeonsecurity.org/tutorials/index.html
• http://ist-it-true.org/pt
• http://hackersplayground
• http://packetstorm.widexs.nl/exploits20.shtm
• http://astalavista.box.sk
Black Hats
• Re-compile code of others to change attack signatures
• Write programs that may or may not be shared
• Moderate resources, usually tied to an ISP but can have own domains and domain servers
• Much more cautious, and attacks may be spread over weeks
• Mafia organizational models: key talented hackers with high skills are generally isolated by layers of "kiddie scripters" for protection
Reconnaissance
• Look for a file that doesn't exist on a web server: the 404 error will reveal the server software and version
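The disclosure this slide describes is easy to check for on your own servers before anyone else does. The following is an added example, not from the presentation: a small Python audit that parses a raw HTTP response and flags product and version strings in the Server, X-Powered-By and X-AspNet-Version headers and in the body of a 404 page. Both responses below are constructed samples; the host name www.example.test is a placeholder.

```python
"""Flag server/version disclosure in an HTTP response (added example; samples are constructed)."""
import re

# Response headers that commonly carry a product name and version string.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A dotted version number such as 2.4.41 or 5.0.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
# Banner that default error pages print in the body, e.g. "Apache/2.4.41".
BODY_BANNER_RE = re.compile(r"(?:Apache|nginx|Microsoft-IIS|IIS)/\d+(?:\.\d+)+")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", "replace")


def find_disclosures(raw: bytes):
    """Return (where, text) pairs for every version string the response gives away."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append((name, value))
    # The slide's point: a 404 for a non-existent file; default error pages print the banner.
    if status == 404:
        m = BODY_BANNER_RE.search(body)
        if m:
            findings.append(("body", m.group(0)))
    return findings


# Constructed sample: default Apache-style 404 page that leaks the version twice.
LEAKY_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1>"
    b"<address>Apache/2.4.41 (Ubuntu) Server at www.example.test Port 80</address>"
    b"</body></html>"
)

# Constructed sample: the same server after the product token and signature were suppressed.
HARDENED_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_404), ("hardened", HARDENED_404)):
        print(label, find_disclosures(sample))
```

On Apache the hardened response corresponds to setting `ServerTokens Prod` and `ServerSignature Off`; other servers have equivalent settings. Run the audit against your own hosts' responses to confirm the change took effect.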
Network-Savvy Employees
• Never share or use code of others unless it is an intentional deception
• Inside knowledge of infrastructure enables a more sophisticated approach
Governments
• Attacks and coordinated probes may stretch over a period of months or years and are calculated to bypass the best IDSs
• Launched as part of policy
• Have direct access to tier 1 Internet service providers (ISPs) or use government resources
• Able to manipulate domains, WHOIS databases, root servers and Internet routing paths
• May be recruited from Black hats or federal agencies
Nuisance Threats
• These individuals may evolve from online trespass and vandalism to more criminal activity such as theft of information, extortion, and credit card fraud
• In addition, this group is a pool of potential resources for more traditional criminal elements to exploit, either directly or indirectly
Low Level Threats
• On-line Trespass
• Vandalism
• Script Kiddies – compile existing hacker code
• Existing vulnerabilities
Malicious Threats
• Launch viruses or self-propagating "bots" that harvest e-mail addresses, credit card numbers, or other valuable data
• Identity theft is big business
Doomsday Threats
• After key financial information that can be leveraged for money
• Scan likely unfriendly nations for critical infrastructure weak points
• Characterized by long-term stealth (not noisy) scans and probes
• Access to resources
• Undetectable
Criminal Activity Categories
• Extortion
• Organized Crime
• Political Groups (Terrorists)
• Industrial Espionage and Sabotage
• International Intrusions
Criminal Activity
49% of information security professionals' companies have had personnel who have physically destroyed or stolen computing equipment, up from 42% in 2000. Industry Survey from Information Security Magazine, 2001. See http://www.vectec.org/researchcenter/stats.html?category=9
Hacker Pattern Reuse
• Each hacker has a "signature" for attack methodologies
• It is often possible to describe each separate attacker by their trademark styles and choice of tools and exploits
• Once they find a sequence or type of attack that works, they use the same choice of tools each time
Seven Step Attack Profile Overview
Reconnaissance – gathering information on your organization
• Foot printing – get the network details
• Port Scanning – find the actual services available
• Enumeration – promising targets are identified in more detail
• Gaining Access – choose an informed hack/crack
• Escalating Privileges – elevate to system access
• Pilfering – grab any interesting/profitable data
• Covering Tracks – hide the interloper's romp through the machine
Profiling
• Objective: gathering information about the organization
• Technique: web searches, public documents, and legal databases
• Web browsers – most public or legally available information is now available online
Sniffers Are Your Friend and Foe
• Everything that touches your machine from a data network can be seen on a sniffer: passwords, account names, social security numbers, birth dates, and other personal information
• Hackers frequently use sniffers to ply their trade
• Sniffers also help the good guys by catching issues that IDSs and firewall logs will miss
Network Associates (NAI) Sniffer
• Premier network diagnostic program available to network professionals
• A great number of hacker sniffers tend to concentrate on capturing and logging targeted information such as user names, passwords and commands
• dsniff is a package of password grabbers, including mailsnarf, an e-mail grabber
Sniffer Exploits
• Sniffers are programs that use "promiscuous" drivers
• These specialized drivers allow network information to be "sniffed" off of the local network segment
• In segments that use Ethernet hubs, as opposed to switches, the attacker can log every user's information off the network
Dsniff – De-encrypting Password Sniffer
• dsniff listens patiently for passwords to come along
• It will decode NetBIOS-based Windows, IMAP, POP3, SNMP, and many other types of passwords
• If you are using network diagram programs like Visio, TGV (Computer Associates) and HP OpenView with the read/read-write SNMP password, you are giving it away to attackers
Sniffer Defenses
• Ethernet switches are not a security panacea
• Flooding the switch with bogus MAC addresses can fill the bridge table and cause one of the following two switch behaviours:
  • 30% of the time the switch starts forwarding ALL packets to ALL ports (hub behaviour)
  • 70% of the time the switch crashes
Sniffer Defense
• Monitor your switch reboots with the Simple Network Management Protocol (SNMP)
• Send SNMP "traps" to your central security monitoring console when switches reboot or have switch table "full" error events
• It is also very valuable to centrally log switch and router SNMP AUTH events, which report login authorization failures!
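The two slides above (the bridge-table flooding behaviour and the SNMP monitoring advice) translate into a small set of detection rules: a table-full event, repeated reboots of one switch, and a burst of SNMP authentication failures from one source. The following is an added example, not from the presentation: a Python analyser run over constructed collector records. The one-line record format, the device names and addresses, and the thresholds are all assumptions to adapt to your own collector.

```python
"""Alert on switch reboots, bridge-table-full events and SNMP authentication failures
(added example; the record format and thresholds are assumptions, the log is constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records as a central collector might write them:
#   <ISO timestamp> <device> <trap|event> <name> [key=value ...]
SAMPLE_LOG = """\
2001-11-12T03:14:07 sw-core-1 trap coldStart
2001-11-12T03:14:09 sw-core-1 trap authenticationFailure src=10.0.5.23
2001-11-12T03:14:10 sw-core-1 trap authenticationFailure src=10.0.5.23
2001-11-12T03:14:11 sw-core-1 trap authenticationFailure src=10.0.5.23
2001-11-12T03:20:00 sw-edge-7 event macTableFull
2001-11-12T03:20:45 sw-edge-7 trap coldStart
2001-11-12T03:21:30 sw-edge-7 trap coldStart
2001-11-12T03:22:15 sw-edge-7 trap coldStart
2001-11-12T09:00:00 rtr-1 trap linkUp ifIndex=3
"""

# Two reboots within ten minutes is not normal maintenance; three bad community
# strings from one source within five minutes looks like probing. Tune to your site.
REBOOT_WINDOW, REBOOT_THRESHOLD = timedelta(minutes=10), 2
AUTH_WINDOW, AUTH_THRESHOLD = timedelta(minutes=5), 3


def parse_line(line):
    """Return (timestamp, device, kind, name, attrs) or None for a blank or malformed line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts = datetime.fromisoformat(parts[0])
    attrs = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return ts, parts[1], parts[2], parts[3], attrs


def _count_in_window(history, ts, window):
    """Append ts to history, drop entries older than window, return the remaining count."""
    history.append(ts)
    while history and ts - history[0] > window:
        history.popleft()
    return len(history)


def analyze(log_text):
    """Return a list of (device, alert_kind, detail) in the order the alerts fire."""
    alerts = []
    reboots = defaultdict(deque)     # device -> recent coldStart timestamps
    auth_fail = defaultdict(deque)   # (device, source) -> recent failure timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, device, _kind, name, attrs = rec
        if name == "macTableFull":
            # The bridge table filling up is the precondition for fail-open (hub) behaviour.
            alerts.append((device, "bridge-table-full", ts.isoformat()))
        elif name == "coldStart":
            n = _count_in_window(reboots[device], ts, REBOOT_WINDOW)
            if n == REBOOT_THRESHOLD:   # fire once as the threshold is crossed
                alerts.append((device, "repeated-reboot", f"{n} coldStart traps within {REBOOT_WINDOW}"))
        elif name == "authenticationFailure":
            src = attrs.get("src", "unknown")
            n = _count_in_window(auth_fail[(device, src)], ts, AUTH_WINDOW)
            if n == AUTH_THRESHOLD:
                alerts.append((device, "snmp-auth-failures", f"{n} failures from {src} within {AUTH_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The windows are kept per device (and per source for authentication failures) so that a noisy switch does not mask a second one, and each rule fires once when its threshold is crossed rather than on every further event in the window.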
Sniffer Defense
• @stake makes a sniffer "detector", AntiSniff, available for trial and sale
• Promiscuous drivers take notably longer to process network requests
• The detector spots sniffing hosts by measuring these delays in the IP client software of hosts on the network
Foot Printing
• Objective: get address range, namespace details, contacts, and reverse domain info
• Technique: open source info, DNS, iterative reverse DNS or zone transfer
• Tools: nslookup, dig, whois, ARIN whois, etc.; plain old HTTP lookups on their favorite search engine (Google, Altavista)
Foot Printing
• whois
• nslookup
• http://www.arin.net/whois/index.html
• Department of Defense
• RIPE
• APNIC
• Web Search Engines
• Google
Domain Name Service (DNS)
• Domain name services (DNS) map text strings, through a hierarchical directory, to a specific IP address that the computer application can use
• Domain name servers are also called name servers
Domain Name Services (DNS)
• DNS servers use forward and reverse zone text files that contain domain entries
• Forward files include INFO records
  • INFO type "A" records for IP addresses
  • INFO HINFO records for software and platform information
  • INFO CNAME or canonical name records for aliases
  • INFO MX or mail exchange records for email
Whois Domain Lookup
• http://www.arin.net/whois/index.html
• http://www.geektools.com/cgi-bin/proxy.cgi
DNS Exploit – Information Grabbing
Programs like Sam Spade and whois reveal an enormous amount of information about your company's Internet connections, managers, and administrative contacts.
DNS Exploit – Information Grabbing Defense
• Use two DNS servers, one inside your network and another outside. This is called the "split" domain name server architecture.
• By blocking the inside name server, which has all the network information, from outside access, it is possible to hide inner host information from interlopers
• Allow only the most essential information to be available to the general Internet
• Secure the servers the Internet "knows about"
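The record types listed on the DNS slide and the split-server advice on this one come together in one practical check: which records in the forward zone may be served by the outside server, and which must stay inside. The following is an added example, not from the presentation: a Python audit over a constructed zone in simplified BIND style. It flags HINFO records (platform disclosure), A records pointing into RFC 1918 space, and CNAMEs that alias an internal host, and derives the record set for the outside server. The zone contents, the example.test names and the classification rules are assumptions.

```python
"""Audit a forward zone for records that must not leave the inside name server
(added example; the zone is constructed and the classification rules are assumptions)."""
import ipaddress
import shlex
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Private address space: hosts with these addresses are unreachable from the Internet,
# so publishing them only tells an outsider what is inside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone in simplified BIND style: name TTL class type rdata.
SAMPLE_ZONE = """\
$ORIGIN example.test.
@           3600 IN SOA   ns1.example.test. hostmaster.example.test. 2001111201 7200 3600 1209600 3600
@           3600 IN NS    ns1.example.test.
@           3600 IN MX    10 mail.example.test.
ns1         3600 IN A     203.0.113.10
www         3600 IN A     203.0.113.20
www         3600 IN HINFO "Intel Pentium" "Windows NT 4.0 IIS 4"
mail        3600 IN A     203.0.113.30
intranet    3600 IN A     10.1.2.3
intranet    3600 IN HINFO "Sun Ultra" "Solaris 7"
payroll-db  3600 IN A     10.1.2.40
fs1         3600 IN A     10.1.2.50
wiki        3600 IN CNAME intranet.example.test.
"""


def parse_zone(text):
    """Parse zone lines into Record tuples; $ directives, comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = shlex.split(line)          # keeps quoted HINFO strings together
        if len(tokens) < 5 or tokens[2].upper() != "IN":
            raise ValueError(f"unrecognised zone line: {line!r}")
        name, ttl, _cls, rtype, *rdata = tokens
        records.append(Record(name, int(ttl), rtype.upper(), rdata))
    return records


def internal_hosts(records):
    """Names whose A record points into RFC 1918 space: inside-only hosts."""
    return {r.name for r in records
            if r.rtype == "A" and any(ipaddress.ip_address(r.rdata[0]) in n for n in RFC1918)}


def classify(record, inside):
    """Reason a record must stay on the inside server, or None if it may be published."""
    if record.rtype == "HINFO":
        return "hinfo-leak"             # hardware and OS strings are exactly what footprinting collects
    if record.rtype == "A" and record.name in inside:
        return "private-address"
    if record.rtype == "CNAME" and record.rdata[0].split(".")[0] in inside:
        return "alias-to-internal"      # the alias itself reveals an internal host name
    return None


def audit(records):
    """(reason, owner name, rdata) for every record that would leak inside information."""
    inside = internal_hosts(records)
    findings = []
    for r in records:
        reason = classify(r, inside)
        if reason:
            findings.append((reason, r.name, " ".join(r.rdata)))
    return findings


def external_view(records):
    """The subset of records the outside ("split") server should serve."""
    inside = internal_hosts(records)
    return [r for r in records if classify(r, inside) is None]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for finding in audit(recs):
        print("KEEP INSIDE:", *finding)
    print("publish:", [f"{r.name} {r.rtype}" for r in external_view(recs)])
```

The outside server ends up with the SOA, NS and MX records and the A records for the three public hosts, which is the "most essential information" the slide refers to; everything else stays on the inside server, which the firewall does not expose.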