Looking at Vulnerabilities

Looking at Vulnerabilities Dave DittrichThe Information School /Computing & CommunicationsUniversity of Washington Microsoft campus 8/25/03

Overview • Background concepts • Your typical look at • Vulnerabilities, Risk vs. Cost • A (real!) complex attack scenario • A different view of vulnerabilities • Trust relationships • Attack trees • Atypical/uncommon vulnerabilities

Stepping Stones

Internet Relay Chat (IRC)

IRC w/Bots&BNCs

Distributed Denial of Service (DDoS) Networks

Typical DDoS attack

DDoS Attack Traffic (1) One Day Traffic Graph

DDoS Attack Traffic (2) One Week Traffic Graph

DDoS Attack Traffic (3) One Year Traffic Graph

Windows Top 10 Internet Information Server (IIS) Microsoft Data Access Server (MDAC) SQL Server NETBIOS Anonymous login/null session LAN Manager Authentication(Weak LM hash) General Windows Authentication (Accounts w/o pwd, bad pwd) Internet Explorer Remote Registry Access Windows Scripting Host Unix Top 10 Remote Procedure Call (RPC) services Apache Web Server Secure Shell (SSH) Simple Network Management Protocol (SNMP) File Transfer Protocol (FTP) Berkeley “r” utilities(trust relationships) Line Printer Daemon (LPD) Sendmail BIND/DNS General Unix Authentication (accounts w/o pwd, bad pwd) SANS Top 20 Vulnerabilities http://www.sans.org/top20/

Attack sophistication vs. Intruder Technical Knowledge binary encryption Tools “stealth” / advanced scanning techniques High denial of service packet spoofing distributed attack tools sniffers Intruder Knowledge www attacks automated probes/scans GUI back doors network mgmt. diagnostics disabling audits hijacking sessions burglaries Attack Sophistication exploiting known vulnerabilities password cracking Attackers password guessing Low 2001 1980 1985 1990 1995 Source: CERT/CC (used w/o permission & modified “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)

Cost vs. Risk 101

Another view of Cost vs. Risk

UW Medical Center “Kane” Incident • Goal: How hard to obtain patient records? • Windows 98 desktop w/trojan or no pwd • Sniffer • Linux server -> Windows NT PDC/F&P server • Unix email server • Windows PDCs, BDCs • Windows Terminal Server (>400 users) • Access database file (>4000 patient records: Name, SSN, Home number, treatment, date…) • SecurityFocus -> ABC News

Trust relationships • Client<->Server • IP based ACLs • Shared password/symmetric key • Shared network infrastructure • Sensitive data in email • Sensitive files on servers

Attack Trees • “Secrets and Lies,” Bruce Schneier, ISBN 0-471-25311-1, chapter 21 • Goal is root node: Sub-goals are lower nodes/leaves • And/Or relationship between nodes • Attributes: Likelihood, equipment required, cost of attack, skill required, legality, etc.

Attack Tree Example 1 http://www.counterpane.com/attacktrees-fig1.html

Attack Tree Example 2 http://www.counterpane.com/attacktrees-fig6.html

Attack Tree Example 3 Survivability Compromise: Monitor network traffic OR: 1. Install sniffer on desktop. OR: 1. Use email trojan horse. 2. Use remote exploit. 3. Use Windows remote login service. OR: 1. Use passwordless Administrator account. 2. Brute force passwords on all listed accounts. 3. Brute force passwords on common accounts. 2. Install sniffer on Unix/Windows server OR: 1. Use remote exploit. 2. Steal/sniff password to root/Administrator account. 3. Guess password to root/Administrator account. 3. Man-in-the-middle attack on SSL/SSH. …

Attack Tree Example 4 (Nested) Survivability Compromise: Disclosure of Patient Records OR: 1. Attack Med Center network using connections to the Internet OR: 1. Compromise central patient records database (PRDB). AND: 1. Identify central PRDB. OR: 1. Scan to identify PRDB. 2. Monitor network traffic to identify PRDB. 2. Compromise central PRDB. OR: 1. Use Remote Exploit. 2. Monitor network traffic to sniff pwd to account. 3. Guess password to account. 2. Obtain file(s) containing patient records. OR: 1. Monitor network traffic to capture patient records. 2. Compromise file server or terminal server. OR: 1. Use Remote Exploit. 2. Monitor network traffic to sniff Administrator pwd. 3. Guess password to User/Administrator account.

Atypical Vulnerabilities • Network Infrastructure • Special Devices • Non-technical (Social) Issues

Border Routers • BGP (route insertion/withdrawal) • Address forgery • Source routing • Denial of Service • Remote service exploit & “Root kits” • Lack of visibility/access to traffic flows

Internal Routers/Switches • OSPF, RIP & other protocols • Address forgery • ARP spoofing • Sniffing (SNMP community string, pwd) • Denial of Service • Lack of visibility/access to traffic flows

Servers • Gateways to legacy apps • Web apps • Insufficient logging/auditing • Hiding in plain sight • Control of software configuration

Network Printers • Change “Ready” message • FTP bounce scan, other scanning • File cache • SNMP/web admin front ends, back doors • Disclosure of print jobs • Passive monitoring • Redirection of print jobs

Medical “devices”, photocopiers, printers • Proprietary or OEM OS (e.g., Solaris, IRIX) • Many (non-essential) services turned on • Typically behind the curve on patches • Remote management (HTTP, SNMP) • Heavy use of unencrypted protocols (e.g., FTP, LPR, Berkeley “r” utilities) • “What? The hackers are back?”

PBXs, voice services • Monitoring • Theft of Service • Fraud/social engineering • Denial of Service • Malware Cache (PC based VM)

Social Issues • Not recognizing threats & risks • Assuming attacks are simple • Assuming things are what they seem (e.g., Slammer, Nimda, SoBig) • Assuming attacks/defenses are direct • Assuming you have it handled

So how do we fix things? • Information Assurance • Education (start to finish) • Research • Practice (Corporations, government... everyone!)

Information Assurance • Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation. • This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999

NSA Centers of Excellence • Outreach program designed and operated by the National Security Agency (NSA) • Fulfills the spirit of Presidential Decision Directive 63 (PDD 63 - National Policy on Critical Infrastructure Protection, May 199) • Goal: To reduce vulnerability in our national information infrastructure by promoting higher education in IA, and producing a growing number of professionals with IA expertise in various disciplines

Where are they? • As of May 2003, 50 Centers nationwide • Mostly the East Coast • Closest to Seattle are Portland State, University of Idaho, Idaho State UniversityFor more info:http://www.nsa.gov/isso/programs/coeiae/index.htm

2002 NSA Centers of Excellence Seattle

Benefits to the nation • Meet national demand for professionals with IA expertise in various disciplines • Professionals enter the workforce better equipped to meet challenges facing our national information infrastructure • Centers act as focal points for recruiting individuals with IA expertise • Centers create a climate and foci to encourage independent research in critical IA areas

Summary • Vulnerabilities exist in places you might not think • Vulnerabilities are additive, interrelated • Complex attacks call for complex defenses/response • If you’re not learning something new every day, you’re falling behind your adversary

Questions? • dittrich @ u.washington.edu • http://staff.washington.edu/dittrich/

References • UW Medical Center • http://www.securityfocus.com/news/122/ • http://www.hipaausa.com/hacker.html • http://www.cio.com/archive/110102/rules_content.html • http://www.cio.com/archive/031502/plan_content.html • Attack trees • http://www.counterpane.com/attacktrees-ddj-ft.html • Networking • http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24 • http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt • http://www.securityfocus.com/infocus/1594

References (cont) • Routers • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt • http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf • http://www.net-tech.bbn.com/sbgp/IETF42.ppt • http://www.cymru.com/Presentations/barry.pdf • BGP, OSPF • http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerability.pdf • http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf

References (cont) • Switches, ARP, local network attacks • http://www.comnews.com/stories/articles/c0103sfarea.htm • http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt • Printers • http://members.cox.net/ltw0lf/printers/ • PBXs • http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf • DDoS, “root kits” • http://www.cert.org/reports/dsit_workshop.pdf • http://www.cert.org/archive/pdf/Managing_DoS.pdf • http://staff.washington.edu/dittrich/misc/ddos/ • http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

Looking at Vulnerabilities

Looking at Vulnerabilities

Presentation Transcript

Looking at Logos

Looking at Data

Looking at Art

Looking at coursework

Looking at sources

Looking at:

Looking at Movies

Looking at Landforms

Looking at Danzón

Looking at Curriculum

Looking at rocks

Looking at Sound

Looking at EXODUS

Looking at Appliances

Looking at Art

Looking at Data

Looking at the big picture on vulnerabilities

Looking at Assignments

Looking at Data

”Scientific Looking, Looking at Science”

Looking at Regions

Looking at Toys