
Attacks on Computer Systems






Presentation Transcript


  1. Attacks on Computer Systems Hans Hedbom

  2. Attacks
  • "Non-Technical" attacks
    • Examples: social engineering, phishing
    • Cause: low user awareness or missing policies/routines
  • Technical attacks
    • Examples: see the following slides
    • Causes: transitive trust; bugs and configuration errors in applications and the OS; vulnerabilities in protocols and network infrastructure

  3. Threats to confidentiality Table from: Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010

  4. Network attacks

  5. SYN attacks
  TCP event diagram: Client → Server: SYN; Server → Client: SYN,ACK; Client → Server: ACK. The server keeps the half-open connection in its SYN buffer until the final ACK arrives or a timeout (~4 min) expires.
  • The attacker sends a large number of SYN packets to the server and never completes the handshakes → the SYN buffer fills up → the server is unable to accept more connections → denial of service.
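The slide's point in runnable form, as an added example that is not part of the original presentation: a toy model of a listener whose SYN backlog fills with spoofed half-open connections, next to a SYN-cookie listener that keeps no per-connection state until the handshake completes. Capacities, timeouts, addresses and the HMAC-based cookie construction are assumptions chosen for the model (real SYN cookies also encode the MSS and use a kernel-specific hash).

```python
"""Added example, not from the slides: a SYN backlog under flood vs. SYN cookies."""
import hashlib
import hmac
import secrets


class BacklogListener:
    """Classic listener: every SYN reserves a backlog slot until ACK or timeout."""

    def __init__(self, capacity=128, timeout=240.0):  # ~4 min, as on the slide
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}  # (client_ip, client_port) -> expiry time

    def _expire(self, now):
        for peer in [p for p, t in self.half_open.items() if t <= now]:
            del self.half_open[peer]

    def on_syn(self, now, peer):
        """True if a SYN,ACK is sent, False if the SYN is dropped (backlog full)."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            return False
        self.half_open[peer] = now + self.timeout
        return True

    def on_ack(self, now, peer):
        """True if the ACK completes a handshake that is still in the backlog."""
        self._expire(now)
        return self.half_open.pop(peer, None) is not None


class CookieListener:
    """SYN cookies: the initial sequence number is a MAC over the peer and a coarse
    time slot, so the server stores nothing until a valid ACK arrives."""

    def __init__(self, window=60):
        self.key, self.window = secrets.token_bytes(16), window

    def _cookie(self, peer, slot):
        msg = f"{peer[0]}:{peer[1]}:{slot}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, now, peer):
        return self._cookie(peer, int(now // self.window))  # ISN for the SYN,ACK

    def on_ack(self, now, peer, ack_number):
        isn, slot = ack_number - 1, int(now // self.window)
        return any(isn == self._cookie(peer, slot - d) for d in (0, 1))


def simulate(listener, flood_size=200):
    """Flood with never-completing spoofed SYNs at t=0, then one legitimate client
    at t=1. Returns (legit_syn_answered, legit_handshake_completed)."""
    for i in range(flood_size):  # constructed spoofed sources, none ever ACKs
        listener.on_syn(0.0, (f"10.0.{i // 256}.{i % 256}", 40000 + i))
    peer = ("192.0.2.10", 51234)  # constructed legitimate client
    if isinstance(listener, CookieListener):
        isn = listener.on_syn(1.0, peer)
        return True, listener.on_ack(1.2, peer, isn + 1)
    answered = listener.on_syn(1.0, peer)
    return answered, answered and listener.on_ack(1.2, peer)


if __name__ == "__main__":
    print("backlog:", simulate(BacklogListener()))   # legitimate client refused
    print("cookies:", simulate(CookieListener()))    # legitimate client served
```

The backlog listener recovers only after the ~4 minute timeout has expired the spoofed entries, which is exactly the window the attacker keeps refilling.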

  6. IP fragmentation attack
  Diagram: an original IP packet (header + data) is split into Fragment 1 (header H, data starting at offset 0 and ending at offset 20) and Fragment 2 (header H, data starting at offset 16). When the receiver reassembles the packet the two fragments overlap (offsets 16 to 20): Overlap!
  Intentional fragmentation of IP packets, in particular with overlapping fragments, may confuse routers, firewalls and servers, because they do not all resolve the overlap the same way.
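To see why overlap matters, here is an added example (not from the slides) of a tiny reassembler with two overlap policies: "first" keeps the bytes that arrived first, "last" lets later fragments overwrite. The fragments are constructed so that a firewall using one policy sees a different HTTP request than a host using the other; offsets are in bytes rather than the 8-byte units real IP uses, and the payload is an assumption for illustration.

```python
"""Added example, not from the slides: overlapping-fragment reassembly policies."""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int    # byte offset into the original datagram (real IP: 8-byte units)
    data: bytes
    more: bool     # MF flag: True on every fragment except the last


def reassemble(fragments, policy="first"):
    """Reassemble fragments in arrival order.

    policy="first": bytes already written win (the first fragment to cover a byte).
    policy="last":  later fragments overwrite earlier ones.
    Raises ValueError on a missing last fragment, a hole, or data past the end.
    """
    last = [f for f in fragments if not f.more]
    if len(last) != 1:
        raise ValueError("need exactly one final fragment")
    total = last[0].offset + len(last[0].data)
    buf, filled = bytearray(total), [False] * total
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos >= total:
                raise ValueError("fragment runs past the end of the datagram")
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("hole in reassembled datagram")
    return bytes(buf)


# Constructed attack fragments: fragment 2 fully overlaps bytes 4..15 of fragment 1.
FRAGS = [
    Fragment(0, b"GET /index.html ", True),
    Fragment(4, b"/admin.html ", True),
    Fragment(16, b"HTTP/1.0\r\n", False),
]


def policies_disagree(fragments):
    """True when a 'first' and a 'last' reassembler would see different payloads,
    i.e. the fragment set is an evasion candidate a firewall should drop."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


if __name__ == "__main__":
    print(reassemble(FRAGS, "first"))   # b'GET /index.html HTTP/1.0\r\n'
    print(reassemble(FRAGS, "last"))    # b'GET /admin.html HTTP/1.0\r\n'
```

A practical defence is what `policies_disagree` does: a firewall that reassembles itself and refuses any datagram whose fragments overlap with differing content, instead of guessing which policy the end host applies.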

  7. Sniffer attacks
  Diagram: a Telnet client talks to a Telnet server across the IP network, with the password in the clear; a Telnet attacker on the same network segment reads it. Eavesdropping on a network segment.

  8. Passwords over the net
  Protocols that send credentials in the clear (or in a trivially recoverable form) and are therefore exposed to sniffing: Telnet, FTP, Rlogin, Rexec, POP, SNMP, NFS, SMB, HTTP.

  9. IP spoofing
  Diagram: the attacker sends an NFS request across the IP network with the legitimate NFS client's address as the source; the NFS server's response goes to the real client, which the attacker keeps busy with a SYN attack so that it cannot interfere.
  Counterfeiting of IP sender addresses is possible with both UDP and TCP.

  10. Session hijacking
  Diagram: Telnet traffic between a Telnet client and a Telnet server across the IP network; the attacker silences the client with a SYN attack and takes over its side of the connection by IP spoofing.
  • The attacker hijacks an established session between a client and a server; it could for example be an administrator's Telnet session for remote login.

  11. DNS cache poisoning
  • DNS = Domain Name System
  • is primarily used to translate names into IP addresses
  • e.g. "www.sunet.se" to "192.36.125.18"
  • the attack: data injection into the DNS server's cache, so that a name resolves to an address of the attacker's choosing
  • cross-checking an address (e.g. against an independent resolver) might help
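An added example (not from the slides) of one injection path and of the cross-check the slide suggests: a toy resolver cache that swallows every record in a reply is poisoned by an out-of-bailiwick "additional" record, while a cache that only accepts records belonging to the zone it asked about is not. The attacker zone and the 203.0.113.5 address are constructed; 192.36.125.18 is the slide's own example address.

```python
"""Added example, not from the slides: bailiwick checking and cross-checking in DNS."""


def in_bailiwick(name, zone):
    """True if `name` is the zone itself or lies underneath it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


class Cache:
    """A toy resolver cache. Records are (owner_name, type, value) triples."""

    def __init__(self, check_bailiwick):
        self.check, self.records = check_bailiwick, {}

    def ingest(self, response, zone_asked):
        """Store the answer and additional sections of a reply; return accepted names."""
        accepted = []
        for section in ("answer", "additional"):
            for name, rtype, value in response[section]:
                if self.check and not in_bailiwick(name, zone_asked):
                    continue  # the replying server is not authoritative for this name
                self.records[(name.lower(), rtype)] = value
                accepted.append(name)
        return accepted

    def lookup(self, name, rtype="A"):
        return self.records.get((name.lower(), rtype))


# Constructed reply from the nameserver of an attacker-controlled zone: the answer
# is legitimate, the additional record tries to plant a foreign name in the cache.
ATTACKER_REPLY = {
    "answer": [("www.attacker.example", "A", "203.0.113.5")],
    "additional": [("www.sunet.se", "A", "203.0.113.5")],
}

# Constructed legitimate reply for the slide's example name.
SUNET_REPLY = {
    "answer": [("www.sunet.se", "A", "192.36.125.18")],
    "additional": [],
}


def cross_check(name, caches):
    """The slide's 'cross checking': collect the answers several independent caches
    give for a name; more than one distinct answer is a poisoning indicator."""
    return {c.lookup(name) for c in caches if c.lookup(name) is not None}


if __name__ == "__main__":
    naive, strict = Cache(check_bailiwick=False), Cache(check_bailiwick=True)
    for cache in (naive, strict):
        cache.ingest(ATTACKER_REPLY, "attacker.example")
    honest = Cache(check_bailiwick=True)
    honest.ingest(SUNET_REPLY, "sunet.se")
    print("naive :", naive.lookup("www.sunet.se"))   # 203.0.113.5 (poisoned)
    print("strict:", strict.lookup("www.sunet.se"))  # None
    print("cross :", cross_check("www.sunet.se", [naive, honest]))
```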

  12. OS (Software) attacks

  13. Race condition attacks
  Diagram (two timelines racing each other):
  • Application (/usr/bin/ps, SUID): create file /tmp/ps_data → store data → use data → remove file
  • Attacker: create file /tmp/sh → create link (so that /tmp/ps_data points at the attacker's file) → set SUID
  Exploits software that performs operations in an improper, non-atomic sequence (check-then-use on a file name that an attacker can redirect in between), e.g. psrace (Solaris 2.x).
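The core of the slide's race in runnable form, as an added example that is not part of the presentation: a privileged program that opens a predictable temporary name with create-or-truncate semantics writes into whatever the attacker has linked there, while creating the file with `O_CREAT|O_EXCL|O_NOFOLLOW` fails closed on a planted link. The directory, file names and payload are constructed stand-ins for /tmp/ps_data and /tmp/sh; the demo needs a POSIX system that allows unprivileged symlinks.

```python
"""Added example, not from the slides: the /tmp link race and the O_EXCL fix."""
import os
import tempfile


def unsafe_write(path, data):
    """The pattern psrace abused: open by name, create-or-truncate, follow links.
    If an attacker planted a link at `path`, the data lands in the link's target."""
    with open(path, "w") as f:
        f.write(data)


def safe_create(path, data):
    """Create the file atomically and refuse if anything already exists at `path`,
    link or not. (O_NOFOLLOW is belt-and-braces: O_EXCL alone already rejects a
    symlink on POSIX. In real code prefer tempfile.mkstemp, which also picks an
    unpredictable name.)"""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Run both versions against an attacker-planted link.
    Returns (victim_file_content_after_unsafe_write, safe_create_refused)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")       # stands in for the attacker's /tmp/sh
        open(victim, "w").close()
        link = os.path.join(d, "ps_data")        # stands in for /tmp/ps_data
        os.symlink(victim, link)                 # the attacker's "create link" step

        unsafe_write(link, "payload")            # privileged program runs... too late
        with open(victim) as f:
            clobbered = f.read()

        try:
            safe_create(link, "payload")
            refused = False
        except FileExistsError:                  # EEXIST: the race is lost safely
            refused = True
        return clobbered, refused


if __name__ == "__main__":
    print(demo())   # ('payload', True)
```

The fix is not "check first, then open": a `lstat` before `open` reintroduces the same window. The atomic create is what removes it.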

  14. Buffer overflows
  Buffer overflows account for about 50% of security bugs (Viega and McGraw). Data is stored in an allocated region of memory called a buffer. If more data must be stored than the buffer can hold, the additional bytes have to go somewhere: the buffer overflows and the data is written past its bounds, overwriting whatever lies there.

  15. Web Attacks

  16. Browser vulnerabilities Table from: Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010

  17. Window of Exposure Table from: Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010

  18. Phishing
  Phishing (only works with predictable or time-invariant values, such as a static password): trick the user into accessing a forged web page.
  Diagram (user ↔ forged web page, over SSL/TLS): 1. username; 2. ask for login credentials; 3. give login credentials; 4. Ok, alt. Deny (error code).

  19. Phishing Table from: Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010

  20. Phishing Table from: Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010

  21. Pharming
  Sequence (numbering as on the slide; the forged page sits between the user and the real server): 1. username; 2. username; 3. challenge; 4. challenge; 5. challenge; 6. response; 7. response; 8. response; 9. Ok, alt. Deny (passed back from the real server through the forged page to the user).
  Because the forged page relays the challenge and the response in real time, a challenge-response login is not by itself enough to stop this attack.
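The exchange on slides 18 and 21 as an added example (not part of the presentation): a challenge-response login in which a forged page relays username, challenge and response between the user and the real server. Going one step beyond the slides, the same code also shows why the relay fails once the response is bound to the origin the user actually talks to (channel binding): the user computes the response for the forged origin, the real server checks against its own. User name, key and origins are constructed test data.

```python
"""Added example, not from the slides: relaying a challenge-response login."""
import hashlib
import hmac
import secrets

USERS = {"alice": b"constructed-shared-key"}   # constructed credential store


def compute_response(key, challenge, bound_origin):
    """HMAC over the challenge, optionally bound to an origin name."""
    return hmac.new(key, challenge + bound_origin, hashlib.sha256).digest()


class RealServer:
    """Challenge-response login. With bind_origin=True the response must also
    cover the server's own origin, so a response computed for another origin
    is rejected."""

    def __init__(self, origin, bind_origin):
        self.origin, self.bind, self.pending = origin, bind_origin, {}

    def challenge(self, username):               # slide 21, steps 2-3
        chal = secrets.token_bytes(16)
        self.pending[username] = chal
        return chal

    def verify(self, username, response):        # slide 21, steps 8-9
        chal = self.pending.pop(username)
        expected = compute_response(USERS[username], chal,
                                    self.origin if self.bind else b"")
        return hmac.compare_digest(expected, response)   # Ok / Deny


def user_responds(username, challenge, origin_seen, bind):   # steps 5-6
    """The user (or their token) answers the challenge it was shown, binding it
    to the origin it believes it is logging in to."""
    return compute_response(USERS[username], challenge,
                            origin_seen if bind else b"")


REAL_ORIGIN = b"https://bank.example"          # constructed
FORGED_ORIGIN = b"https://bank.example.evil"   # constructed forged page


def honest_login(bind):
    server = RealServer(REAL_ORIGIN, bind)
    chal = server.challenge("alice")
    return server.verify("alice", user_responds("alice", chal, REAL_ORIGIN, bind))


def relay_attack(bind):
    """The forged page relays username (1-2), challenge (3-4) and response (7-8)."""
    server = RealServer(REAL_ORIGIN, bind)
    chal = server.challenge("alice")                      # attacker forwards the name
    resp = user_responds("alice", chal, FORGED_ORIGIN, bind)  # user sees the forged page
    return server.verify("alice", resp)                   # attacker forwards the response


if __name__ == "__main__":
    print("no binding  : relay succeeds =", relay_attack(False))
    print("with binding: relay succeeds =", relay_attack(True))
```

Static passwords (slide 18) are the degenerate case: the "challenge" never changes, so the attacker does not even need to relay in real time.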

  22. XSS

  23. What is SQL injection?
  Vulnerable by design: the user-supplied name and password are concatenated straight into the query text.
  $name   = $_POST["name"];
  $passwd = $_POST["passwd"];
  $query  = "select name from users where name = '" . $name . "' and passwd = '" . $passwd . "'";
  $result = mysql_query($query);
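The same query, as an added example that is not from the slides, rewritten in Python against an in-memory SQLite table so the injection can be run offline: `login_vulnerable` mirrors the string-concatenated PHP query above, `login_safe` is the parameterized form. The table, the user and the two payloads are constructed test data; SQLite accepts `--` comments like MySQL, which is what the second payload relies on.

```python
"""Added example, not from the slides: the slide's query with and without injection."""
import sqlite3


def make_db():
    """Constructed users table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con, name, passwd):
    """Vulnerable by design: same concatenation as the PHP on the slide."""
    query = ("select name from users where name = '" + name
             + "' and passwd = '" + passwd + "'")
    return con.execute(query).fetchone() is not None


def login_safe(con, name, passwd):
    """Parameterized query: the driver sends values separately from the SQL text,
    so quotes and comment markers in the input never reach the parser as syntax."""
    query = "select name from users where name = ? and passwd = ?"
    return con.execute(query, (name, passwd)).fetchone() is not None


# Two classic payloads (constructed):
#   "alice' --"      comments out the password check
#   "' or '1'='1"    turns the WHERE clause into (... and passwd='') or '1'='1'
COMMENT_OUT = "alice' --"
ALWAYS_TRUE = "' or '1'='1"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, comment payload :", login_vulnerable(con, COMMENT_OUT, "wrong"))
    print("vulnerable, tautology       :", login_vulnerable(con, "nobody", ALWAYS_TRUE))
    print("safe, comment payload       :", login_safe(con, COMMENT_OUT, "wrong"))
    print("safe, tautology             :", login_safe(con, "nobody", ALWAYS_TRUE))
```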

  24. What is SQL Injection?

  25. BOT-NETS

  26. Bot-nets
  A bot-net is a large collection of compromised computers under the control of a command and control (C&C) server. A bot-net consists of bots (the malicious program), drones (the hijacked computers) and one or more C&C servers. A bot is usually a combination of a worm and a backdoor. IRC and HTTP are the primary communication protocols in today's bot-nets. Bots are usually self-spreading and modular.

  27. Uses of bot-nets
  • Bot-nets can be used for the following:
    • Click fraud: making drones click on specific advertisements on the web.
    • DDoS: for financial gain or blackmail.
    • Keylogging: for financial gain and identity theft.
    • Warez: collecting, spreading and storing.
    • Spam: for financial gain.
    • And of course as a private communication network.

  28. Detecting and preventing bot-nets
  • Detection is all about finding the C&C server.
    • Look for suspicious traffic patterns in firewall logs and other logs.
    • Take note of servers with a high number of incoming connections.
    • Monitor the suspected C&C server and inform the owner and the authorities when you are sure that it is a bot-net controller.
  • Prevention
    • All the usual rules apply: patch and protect. Do egress filtering in firewalls as well as ingress filtering. This will stop infections from spreading and can block outgoing traffic from drones inside the intranet.
  • Problems
    • Some bot-nets encrypt their C&C traffic.
    • Tracking the C&C server back to the real bot-net owner can be hard.
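The two detection hints above (suspicious patterns in firewall logs, servers with many incoming connections) as an added example that is not from the slides: a small analysis over constructed firewall log lines that flags an external host:port contacted by several internal hosts at regular intervals, the beaconing pattern of drones checking in with a C&C server. The log format, the 10.0.0.0/8 "internal" convention, the addresses and the thresholds are assumptions for the example; the flagged host is not a real C&C server.

```python
"""Added example, not from the slides: spotting C&C beaconing in firewall logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: "<iso-time> <ACCEPT|DROP> <src>:<sport> -> <dst>:<dport> <proto>"
LINE = re.compile(r"^(\S+) (ACCEPT|DROP) (\d+\.\d+\.\d+\.\d+):(\d+) -> "
                  r"(\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")

# Constructed sample: four internal hosts check in with 198.51.100.7:6667 every
# ~5 minutes; the rest is ordinary traffic plus one inbound drop.
SAMPLE_LOG = """\
2010-04-01T10:00:00Z ACCEPT 10.1.1.5:53122 -> 198.51.100.7:6667 TCP
2010-04-01T10:00:01Z ACCEPT 10.1.1.6:41002 -> 198.51.100.7:6667 TCP
2010-04-01T10:00:02Z ACCEPT 10.1.1.7:39870 -> 198.51.100.7:6667 TCP
2010-04-01T10:00:05Z ACCEPT 10.1.1.8:50211 -> 198.51.100.7:6667 TCP
2010-04-01T10:00:30Z ACCEPT 10.1.1.5:53140 -> 93.184.216.34:443 TCP
2010-04-01T10:01:10Z ACCEPT 10.1.1.5:53141 -> 93.184.216.34:443 TCP
2010-04-01T10:02:00Z ACCEPT 10.1.1.9:60001 -> 198.51.100.7:6667 TCP
2010-04-01T10:03:15Z DROP 198.51.100.9:4444 -> 10.1.1.5:445 TCP
2010-04-01T10:05:00Z ACCEPT 10.1.1.5:53201 -> 198.51.100.7:6667 TCP
2010-04-01T10:05:01Z ACCEPT 10.1.1.6:41050 -> 198.51.100.7:6667 TCP
2010-04-01T10:05:02Z ACCEPT 10.1.1.7:39901 -> 198.51.100.7:6667 TCP
2010-04-01T10:05:02Z ACCEPT 10.1.1.8:50260 -> 198.51.100.7:6667 TCP
2010-04-01T10:07:55Z ACCEPT 10.1.1.5:53250 -> 93.184.216.34:443 TCP
2010-04-01T10:10:00Z ACCEPT 10.1.1.5:53300 -> 198.51.100.7:6667 TCP
2010-04-01T10:10:01Z ACCEPT 10.1.1.6:41100 -> 198.51.100.7:6667 TCP
2010-04-01T10:10:02Z ACCEPT 10.1.1.7:39950 -> 198.51.100.7:6667 TCP
2010-04-01T10:10:07Z ACCEPT 10.1.1.8:50300 -> 198.51.100.7:6667 TCP
"""


def parse(line):
    """Return (time, action, src, sport, dst, dport) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6))


def is_internal(ip):
    return ip.startswith("10.")   # assumption: the intranet is 10.0.0.0/8


def regular(times, max_jitter):
    """True if at least three connections occur at near-constant intervals."""
    if len(times) < 3:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def suspicious_destinations(lines, min_hosts=3, max_jitter=0.2):
    """Map (dst_ip, dst_port) -> sorted internal hosts that beacon to it, for every
    external endpoint with at least `min_hosts` beaconing internal hosts."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, _action, src, _sport, dst, dport = rec
        if is_internal(src) and not is_internal(dst):   # outbound only
            by_dst[(dst, dport)][src].append(ts)
    flagged = {}
    for dst, hosts in by_dst.items():
        beaconers = [h for h, t in hosts.items() if regular(t, max_jitter)]
        if len(beaconers) >= min_hosts:
            flagged[dst] = sorted(beaconers)
    return flagged


if __name__ == "__main__":
    for dst, hosts in suspicious_destinations(SAMPLE_LOG.splitlines()).items():
        print(f"candidate C&C {dst[0]}:{dst[1]} contacted by {len(hosts)} hosts: {hosts}")
```

The fan-in (many internal hosts, one external endpoint) is what the slide's "high number of incoming connections" looks like from the victim network's side; the periodicity check separates drones from users who merely share a popular site. Encrypted C&C traffic defeats content inspection but not this timing-and-fan-in view, which is why the slide's "problems" do not make the log approach useless.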

  29. Bot activity Table from: Symantec Global Internet Security Threat Report Trends for 2009 Volume XV, Published April 2010
