1 / 54

Cryptography and Network Security: Types of Attacks, Intruders, and Impersonation Methods

This article discusses the different types of attacks in cryptography and network security, including interruption, interception, modification, and fabrication. It also covers the various types of intruders and impersonation methods used by hackers.

fmonroe
Download Presentation

Cryptography and Network Security: Types of Attacks, Intruders, and Impersonation Methods

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. G. Pullaiah College of Engineering and Technology Cryptography and Network Security Department of Computer Science & Engineering

  2. Security Attacks/Threats • These are actions that compromise the security of information owned or transferred by an entity. Attacks can be one of 4 forms: • Interruption • Interception • Modification • Fabrication

  3. Type Of Attacks/Threats Information Information source Destination (a) Normal Flow I I (b) Interruption (d) Fabrication I I (c) Modification (e) Interception

  4. Attack/threats Active threats Passive threats Interception Interruption Modification Fabrication (Availability) (Integrity) (authentication) Release of message Traffic analysis contents Figure 2: Threats/Attacks Active and Passive Attacks

  5. Active Attacks • A Passive attack can only observe communications or data. Example: Interception ( also called eavesdropping or passive wiretapping) • An Active attack can actively modify communications or data • Often difficult to perform, but very powerful – Mail forgery/modification – TCP session hijacking /IP spoofing Examples:Interruption, Modification ( also called active wiretapping), Fabrication Types of Active Attacks: masquerade, replay, modification and denial of service.

  6. Types of Intruders: • Intrusion by a • Masquerader: One, who is not authorized to use a computer system, but who penetrates and uses a legitimate user’s account • Misfeasor: A legitimate user who accesses data, programs or resources, for which he is not authorized; or A legitimate user who misuses his access privileges; • Clandestine User: One who seizes supervisory control and uses it to evade access and audit controls or to suppress audit trail. A masquerader is an outsider, a misfeasor is an insider and the clandestine user can be either an insider or an outsider.

  7. Why do they attack? The attacker may attack - taking it as an intellectual challenge - to have thrills by seeing reports of his exploits in public media. But a large majority of attacks are by foot-soldiers, called script kiddies, who use attacks discovered, designed and implemented by someone else. The script kiddies, simply download the script and launch the attack, without understanding anything. Or - they may be indulging in espionage for financial gain.

  8. Survey: Type of attacks FBI/CSI Survey of 2002: - 80% of respondents acknowledged financial loss due to intrusion - Only 34% reported the intrusions to police - 74% found misfeasors - 40% detected DOS attacks Reference: Annual FBI/Computer Security Institute Survey: http://www.gocsi.com/press/20020407.html

  9. Hacker’s METHODS • Port Scan to find, for the target, - which ports/services are running - the O/S nmap - scans all the ports - guesses the operating system (Please refer to the paper by Fyodor to understand the methods used. These methods depend upon the special features that each OS has.) Reference: 1.Fyodor,’ Remote OS detection via TCP/IP Stack FingerPrinting’ June, 2002, available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html 2.Stephen Northcutt and Judy Novak, ‘Network Intrusion Detection: An Analyst’s Handbook’, pp 81-85

  10. Hacker’s Methods cont. 2. Toolkits provided by manufacturers to make products compatible with their products. These may be used to discover the vulnerabilities of the product. 3. Wireless Nets: * ‘AirMagnet’ from AirMagnet Inc. * ‘Observer’ from Network Instruments * ‘Wireless Security Analyzer’ from IBM can check whether a wireless network can be accessed by outsiders. (www.guerilla.net/freenets.html contains a list of access points, by city, that can be accessed by anyone. In 2002 Chris O’Ferrel, a security consultant, was able to connect to the Pentagon wireless net, from outside the building.)

  11. Impersonation Methods Guess the ID and password of an authorized user: - by guessing passwords - by using default passwords given with a system by its manufacturer (Many administrators fail to disable the defaults) Example: SNMP uses a ‘community string’ as a password for the community of devices, that can interact with one another. Many administrators forget to change the default ‘community string’ installed on a (new) router/switch. - by overflow - in some ill designed systems, authentication may be foiled by ‘overflow’ of password (if the password overflows, the system may assume authentication) -

  12. Impersonation Methods continued by non-existent authentication. In Unix, the file -rhosts lists the trusted hosts -rlogin lists trusted users, who can access without authentication A user may login one system as a guest- to access public information and through this host, he may connect to a trusted host.

  13. Impersonation: A few Definitions Impersonation vs. Spoofing Impersonation (mis)represents an authorized entity during communication on a net. Spoofing: A hacker spoofs when he falsely carries on one side of the exchange between two parties. Masquerade of a site: An example: Thus xxx.com bank may be the official site. A hacker registers x_xx.com and asks clients to visit the site. Thus passwords and pin numbers may be collected for misuse.

  14. Impersonation: A few Definitions cont. Session Hijacking: An example: A customer may select books on Amazon.com. When it comes to taking the order and making the payment, Amazon.org may hijack the session. Man-in-the-middle Attack vs. Session Hijacking Man-in-the-middle is wire-tapping actively from the beginning, whereas a session-hijacker takes over after part of the session is over.

  15. Examples of Attacks • Buffer Overflow • Dot-Dot and constrained environment • “Server-side include” problem • Incomplete Mediation • Time-of-check to Time-of use • DoS and DDoS • Misuse of Active Code

  16. Buffer Overflow All programming languages set aside a specific area in memory for every variable. For example: char addr[10]; sets aside 10 bytes for the array. If someone were to give an input to addr, which is larger, it may overflow into some other area. This area may have been allocated to: -User data -User’s program code -System date -System program code

  17. Buffer Overflow cont. Overwriting User Data: may affect program result. But will not affect any other program. Overwriting User’s Program: If an instruction that has already been executed(and is not to be executed again) as overwritten -> no effect. -Otherwise if the character that has been overwritten is not a valid instruction, the system halts (Illegal instruction exception) -Otherwise the user program gives wrong output Overwriting System data/program: Results similar to the ones for user data/program. But it may affect all the users since system data and programs are used by every user on the machine

  18. Buffer Overflow:Usual Buffer Overflow Attacks • The attacker may use the data input, close to system code. Thus he may be able to go into the O.S. which has the highest privileges. • He may use the Stack Pointer to return to a part of the hackers code, which may have been placed earlier. • Passing parameters through a URL: Consider http://www.website.com/xxx/userinput &parm1=(519)253-3000&parm2=2003Mar20 If instead of parm1 and parm2, a 500 or 100 digit value is introduced, it could cause a problem in the web system. Reference: IIS 4.0 remote overflow exploit. http://spisa.act.uji.es/spi/progs/codigo/ftp.technotronic.com/microsoft/iishack.asm

  19. Buffer Overflow: An Example: U.S. Army Web Server Attacked Buffer Overflow Attack: A Web server was attacked using a URL that was 4KB in length. ( Reference: eWeek, March 18, 2003 ) The machine was compromised. It began mapping the network around it, looking for other vulnerable machines. It then started sending the results of its mapping to a remote machine through TCP port 3389 using terminal services

  20. Dot-Dot and constrained environment • To prevent an attack, external users, who approach through the Internet, may be put in a constrained environment. A constrained environment: where a user is allowed to use only specified and limited system resources. • Accordingly the server may begin processing a user’s program in a particular directory sub-tree which contains everything the server needs.

  21. Dot-Dot and constrained environment (cont..) But both in unix and windows, .. is the directory indicator for the predecessor. Cereberus discovered in MS Index Server the following fault: Passing the following url to the web-server: http://url/null.htw? CiWebHits File = /../../../.. /../winnt/system32/autoexec.nt a user is able to get the autoexec.bat file of the server. Now the hacker may modify it!

  22. Dot-Dot and constrained environment (cont..) Solution: Webserver should have no editors, telnet programs or any utilities. But the code and data, for web applications, will have to be transferred manually to the server or may have to be pushed as a raw image. The webmaster may not like it.

  23. “Server-side include” problem • EXAMPLE: ‘contact us’ part on web-pages includes commands, which are supposed to be given by the server. • Hence such commands may be accepted by the system without any scrutiny. These commands may be placed in HTML. • A hacker may use this facility to modify the command to ‘telnet’ to gain access rights, which he should not have.

  24. “Good judgment is the result of experience – and experience is the result of poor judgment.”

  25. Examples of AttacksSlide 15 again • Buffer Overflow • Dot-Dot and constrained environment • “Server-side include” problem • Incomplete Mediation • Time-of-check to Time-of use • DoS and DDoS • Misuse of Active Code

  26. Incomplete Mediation ACCEPTING DATA FROM A USER IN A WEB FORM:The system could put checks of valid data to screen out erroneous data. However after taking the values from the user, the program generates the URL line, based on the validated data. But the hacker can edit the URL generated by the program, and resend it. The web server cannot differentiate between an edited URL and a system-generated URL. Such a system is said to have incomplete mediation.

  27. Application code Errors: Example of wrong code: Assume that a client selects book1 from page4 of the web-site of books.com and then moves to another page. Assume that the book cost $69. The webserver may pass the following string to the client: http://www.books.com/page4&isbn1 = 0849308887&pl=6900 Then the client selects book 2 from page 7. It costs $129. The webserver passes to the client: http://www.books.com/page7&isbn1 = 0849308887&p1=6900&isbn2=3540002235&p2 = 12900

  28. Application code Errors: Example of wrong code (cont…) • The malicious client may change the string to 1900 for both p1 and p2, before clicking ‘order’. He may get both the books at $38 only.

  29. Time-of-check to Time-of use (TOCT TOU) Every OS has access control. A file may be presented with a valid user, who can be authenticated and a valid job to be done. While the OS is checking for authentication, the file remains in the users area. So the user may modify the file, with malicious commands. The OS comes back after checking authentication and allows the file to be processed. And the malicious commands may be executed!

  30. Denial of Service Attacks: • ECHO CHARGEN: chargen is a protocol that generates a stream of echo packets. (Refer to ICMP) If a hacker continuously generates such packets for a server, the server would be busy in continuously responding to these packets. • Ping of Death: an attacker, on a wide bandwidth net, can overwhelm a victim machine on a smaller BW net through sending a large number of ping messages. • SMURF: spoofs a message ( which would generate an ICMP error message) as if it is coming from the victim. The spoofer broadcasts it on a large net. All hosts on the net respond to the victim.

  31. SYN FLOOd: • SYN_RECV queue: • usually designed to have only 10-20 entries • the usual time-out for deleting an entry is of many minutes So a SYN packet every few second can keep the host from accepting a new connection. • To avoid detection, every new SYN packet is spoofed from a new IP address. (ICMP dest unreachable, sent by the host of the spoofed address back to the victim, goes to ICMP module of the victim and not to the TCP module of the victim)

  32. DDoS Distributed Denial of Service attack: • use trojan horses sent through an exe file thro e-mail or by buffer overflow-to a large number of machines. • All the machines are triggered at the same time to jointly attack the victim • Example: Tribal flood Network of 1999.

  33. DDOS T T Attacker Victim T T

  34. DDOS (cont…) The attacker plants a Trojan horse on a large number of machines. He then triggers the attack, from all these machines (called zombies, now) on the victim. CERT has advised that now a single tool, which does the following, is available • Identifies the zombies • Installs the Trojans horse in Zombies • Activates the zombies to wait for a trigger signal Reference:Kevin J. Houle and George M. Weaver, “CERT Coordination Center Trends in Denial of Service Attack Technology” October 2001 at  http://www.cert.org/archive/pdf/DoS_trends.pdf

  35. Active or Mobile Code: Definition: Active or Mobile Code: Code sent by a server to a client for execution on the client machine. The Objective of having the facility of Active or Mobile Code: • Server is not over-loaded. • The under loaded work station may be used for processing. • Bandwidth use is reduced. Disadvantage: Without the knowledge or permission of the owner of the client machine, a remote machine causes a program to be executed on the client machine.

  36. Examples of Active Code, that can be misused: 1. Cookies • Definition: Cookies: Data files caused to be stored on client machine by web-server • Information - about the client - kept on client machine but encrypted by a key known only to web-server. • A cookie may be… • A per-session Cookie or • A Persistent Cookie

  37. Examples of Active Code, that can be misused:2. Executing Scripts on Server • Web Server cannot differentiate between … • Commands legitimately generated by the browser, as the client fills up a web page. • A hand-crafted set of commands generated by a malicious user.

  38. Examples of Active Code, that can be misused:3. Escape Character attack on Server • CGI (common Gateway Interface) • Commonly used on web servers for scripting. • It Uses.. • %nn to represent ASCII special characters. • %0a to instruct interpreter to accept characters after %0a, as new command.

  39. Escape Character attack on Server……continued • The following command requests a copy of the password file: • http://www.test.com/cgi-bin/query?%0a/bin/cat%20/etc/password • Another Example: A CGI script of the form.. • <!-#action arg1=value arg2=value…..> is followed by a command. If someone gives the following string immediately after the above….. • <!-# exec cmd = “rm *” > it would delete all the files in the current directory of the web-server.

  40. Escape Character attack on Server……continued • MS uses ASP for scripting.. • These pages instruct the browser on… • how to display files; • how to maintain context and Interact with the server. • These pages can be seen at the browser and any weaknesses in the ASP code may be exploited by a malicious user.

  41. Active Code: Comments • Java Script: • Java 1.1 sandbox very restrictive. • Java 1.2 opened the sandbox to permit stored disk files and executable procedures. This makes v1.2 more convenient to use at the cost of increase in security vunerability. • Java 1.4 supposed to correct these problems?? • Active X: Using it, objects of arbitrary type can be downloaded to a client. The Object may lead to an automatic download of the handler required for a file type.

  42. Active Code: Comments Active X • MS uses authentication certificates which certify the origin’s validity. But Proof of origin does not mean safety of code. • Auto Exec by file-type: • Besides the file’s extension, a file contains its type information inside the file also. • So even if a file does not have an extension, it may be opened automatically, if one clicks on it.

  43. Active Code: Comments Java vs. Active X • You can put only partial trust in a program, while ActiveX requires either full trust or no trust at all. • A Java-enabled browser could keep a record of which dangerous operations are carried out by each trusted program, so it would be easier to reconstruct what happened if anything went wrong. • Java offers better protection against accidental damage caused by buggy programs. Reference:http://www.cs.princeton.edu/sip/faq/java-vs activex.html SIP: Secure Internet Programming

  44. Procedures for secure active code: 1. System must control applets’ access to sensitive system resources, such as: • File system • Processor • Network • User’s Delay • Internal State Variables.

  45. Procedures for secure active code: continued 2.The Language must protect memory by preventing • forged memory pointers and • array(buffer) overflows. 3. The system must prevent object reuse by clearing memory contents for new objects.

  46. Procedures for secure active code: continued The system must perform garbage collection to reclaim memory no longer in use. 4. The system must control • inter –applet communication as well as • applet’s effects on the environment outside the Java System through system calls. • Reference: Dean, D.; Felten, E.W.; Wallach, D.S., ‘Java security: from HotJava to Netscape and beyond’ Proceedings of IEEE Symposium onSecurity and Privacy, 1996, pp190-200

  47. A Networked System: More Vulnerable? Attacker can be • anonymous, • safe behind an electronic shield, • at a great distance, and • can make his system hide behind a chain of other hosts. A large network has many points from which attack may be mounted and many targets. Sharing-Networks permit a number of users to share the services.  a larger number of attacker entities-users/systems

  48. A Networked System: More Vulnerable? cont. Complexity of a system: Each operating system is complex. A network operating system, which may deal with multiple operating system, is even more complex. Even desktops have become powerful. So the user may not even know fully what his system is doing. Ill-defined perimeter –since networks are interconnected in a variety of ways. Multiple paths may exist between two legitimate communicators;hosts/networks in each path may have different security policies. • Reference: Pfleeger and Pfleeger, ‘Security in Computing’ Prentice Hall 3rd Ed., 2003, pp 387-389

  49. Security Services • Confidentiality: Protection of the message from disclosure to unauthorized persons; In addition the secrecy of the identity of the sender may also be required. Confidentiality may be compromised by -misdelivery, exposure in some part of the network, traffic flow analysis • Integrity: Maintaining data consistency; message may not be altered during transmission. • AUTHENTICATION: Verifying a principal’s claimed identity. Principal: a user logged on a remote system or - a local user logged on the server or - the server itself

  50. Security Services: Authentication continued • Authentication: A two - step process: - User Name - Password (check: - something you know (common) - Something you have - Something you are - what you do (Ex:key-stroke patterns) - where you are )

More Related