1 / 31

Computer Security Update

Computer Security Update. Bob Cowles, SLAC bob.cowles @ stanford.edu Presented at HEPiX - TRIUMF 23 Oct 2003. Work supported by U. S. Department of Energy contract DE-AC03-76SF00515. SLAC Computer Security. Thinking evil thoughts. Protecting from evil deeds. Slammer Impact. India. China.

claus
Download Presentation

Computer Security Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Security Update Bob Cowles, SLAC bob.cowles@stanford.edu Presented at HEPiX - TRIUMF 23 Oct 2003 Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

  2. SLAC Computer Security Thinking evil thoughts Protecting from evil deeds HEPiX - TRIUMF

  3. Slammer Impact HEPiX - TRIUMF

  4. India China Japan Korea Australia HEPiX - TRIUMF

  5. http://www.microsoft.com/security/security_bulletins/ HEPiX - TRIUMF

  6. HEPiX - TRIUMF

  7. MSBlaster Released MSBlaster at SLAC HEPiX - TRIUMF

  8. FireWall Log – Infected Machines Sep 16 18:29:18 icmp 134.79.137.220 -> 134.79.72.98 (8/0) Sep 16 18:29:19 icmp 134.79.137.220 -> 134.79.72.198 (8/0) Sep 16 18:29:20 icmp 134.79.137.220 -> 134.79.73.42 (8/0) Sep 16 18:38:46 tcp 134.79.137.220(3325) -> 134.76.2.205(135) Sep 16 18:38:47 tcp 134.79.137.220(3169) -> 134.76.2.48(135) Sep 16 18:38:48 tcp 134.79.137.220(3249) -> 134.76.2.128(135) Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.0 (8/0) Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.64 (8/0) Sep 16 18:40:07 icmp 134.79.129.243 -> 134.79.72.128 (8/0) Sep 16 18:40:17 tcp 134.79.136.68(4107) -> 134.79.124.0(135) Sep 16 18:40:18 tcp 134.79.136.68(4194) -> 134.79.124.98(135) Sep 16 18:40:19 tcp 134.79.136.68(4292) -> 134.79.124.196(135) Sep 16 22:28:25 tcp 134.79.129.243(4413) -> 134.76.24.39(135) Sep 16 22:28:26 tcp 134.79.129.243(4377) -> 134.76.22.41(135) Sep 16 22:28:27 tcp 134.79.129.243(4383) -> 134.76.22.113(135) HEPiX - TRIUMF

  9. Infection Sources @ SLAC • 32% VPN • 22% DHCP (reg, internal network) • 20% Fixed IP On vacation, laptop infected outside, etc. • 14% Infected during build / patch • 12% Dialup HEPiX - TRIUMF

  10. Blaster - Easy to Get Infected 09/29/103 11:46:42 Host: 134.79.25.55 Port: 135 TCP Blocked 09/29/103 11:46:41 Host: 134.79.25.55 Port: 135 TCP Blocked email @ 12:21pm: Bob, is host "illusion" yours, as per my so-called memory? But the mac addr is registered to Richard Mount ... Sep 29 11:41:37 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:10:a4:e4:2a:b8 (illusion) host roam-rmount2 { hardware ethernet 00:10:a4:e4:2a:b8; }# 01/25/00 # PC54566, Richard Mount HEPiX - TRIUMF

  11. https://rhn.redhat.com/errata/rh73-errata-security.html HEPiX - TRIUMF

  12. HEPiX - TRIUMF

  13. HEPiX - TRIUMF

  14. HEPiX - TRIUMF

  15. http://docs.info.apple.com/article.html?artnum=61798 HEPiX - TRIUMF

  16. HEPiX - TRIUMF

  17. HEPiX - TRIUMF

  18. HEPiX - TRIUMF

  19. http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec HEPiX - TRIUMF

  20. HEPiX - TRIUMF

  21. http://www.cisco.com/warp/public/707/advisory.html HEPiX - TRIUMF

  22. HEPiX - TRIUMF

  23. It Sucks Not to Patch • Popular rookit in many variations • Hides files, directories, processes; precompiled password • With keyboard and/or ssh sniffers • Listens on *all* open ports for backdoor • Any port open inbound allows backdoor signal, sk thens opens outbound tcp for encrypted shell connection HEPiX - TRIUMF

  24. suckit (cont) • Home page http://hysteria.sk/sd/ • Latest versions not publicly available • Also find exploits for • ptrace • sendmail 8.11.x HEPiX - TRIUMF

  25. Virus Warning! http://www.trendmicro.com/map/ Last 24 Hours Last 30 Days HEPiX - TRIUMF

  26. Ballmer @ Gartner ITXpo • Windows has fewer vulnerabilities than RH Linux [RH6] • No roadmap for Linux. There’s nobody to hold accountable for security issues • The security of Microsoft products is our top priority. We have our best brains on it. • We understand this is an issue of customer satisfaction. http://www.theregister.co.uk/content/4/33522.html HEPiX - TRIUMF

  27. Microsoft @ Stanford • Universities tend to be a worst case • Diverse, unmanaged • Population • Hardware • Software • Unlikely to fit into AD model • Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes HEPiX - TRIUMF

  28. Feedback to Microsoft • Clear & meaningful impact statements • Fix IE (30+ outstanding bugs) • Reduce the attack vector (profile services) • Don’t require license check for security patches (e. g. MS Office CD) • No tie-in to IE (no active scripting) HEPiX - TRIUMF

  29. Feedback to Microsoft (cont) • Open up patching tools and process • Understand 3rd party tools +/- • Allow other vendors to use same tools for their Windows products • Provide feedback on real patch status (local & remote) • Need general patch deployment tool not requiring AD HEPiX - TRIUMF

  30. Conclusions [Unchanged from last year] • Poor administration is still a major problem • Firewalls cannot substitute for patches • Multiple levels of virus/worm protection are necessary • Clue is more important than open source HEPiX - TRIUMF

  31. No Easy Solutions Questions? HEPiX - TRIUMF

More Related