
ISForum2

Bob Mahoney, MIT Network Security Team



Presentation Transcript


    Slide 1:Windows Security: Recent Threats and Responses (and whatever else comes up :-)

    Information Systems Fall Forum

    Slide 2:Who are we?

    • 2 full-time IS staff
    • Various IS staff who contribute occasional time upon request (begging works wonders)
    • 6 student staff who give 1-10 hrs/week
    • 2 voucher employees, 60-70 hrs/week total
    • 12 departmental computing staff, mostly focused on local incidents
    • We had the equivalent of 4.6 FTE over the Summer (something like “Full Staff”)

    Slide 3:Team Operations

    • Scanning for known vulnerabilities and indications of compromise
    • Advising users of vulnerable machines what steps to take
    • Detecting and removing compromised hosts
    • Advising IS and the community about security issues
    • Acting as POC for outside complaints about security events at MIT

    Slide 4:Rules of Engagement

    • Any host that is known to be compromised is administratively removed from the network, and remains disconnected until investigation and/or recovery is complete.
    • The system contact for a host that exhibits a known vulnerability is contacted and advised on steps to be taken to resolve the vulnerability. A date is given at this point after which unpatched systems will be disconnected.

    Slide 5:RoE & Windows

    Due to the virulence of recent Windows worms, and the wide publicity of the problem, response policies are firmer:
    • Any Windows system that is vulnerable to a known IIS exploit will be disabled upon detection.
    • Any Windows system with a missing or inadequate administrative password will be disabled upon detection.

    Slide 6:Contact Procedures

    All security-related mail is sent to the current Moira contact for the machine. This contact info can be updated by users at: https://nic.mit.edu/bin/hostupdate
    • In non-urgent scenarios, advisories are sent without a deadline.
    • Depending upon urgency, various response deadlines are set.

    Slide 7:What are we seeing?

    • More clueful attackers, generally targeting Windows machines.
    • Cracking passwords, rather than guessing/stealing them.
    • Attackers being much more stealthy.
    • Attackers are operating somewhat more ‘manually’, as opposed to using dumber, wider scan/attack probes.
    • Attackers are keeping track of machines that they have probed, presumably for later misuse.

    Slide 8:How much of this goes on?

    • 1895 security cases in the last 90 days (65% Windows, down from 78% last month)
    • 264 cases currently open
    • 212 cases were due to Windows worm activity
    • 285 machines were disabled in the last 90 days
    • 85 are currently disabled as of this morning (7 for non-security issues)
    • 57 of those were “Pubstro” warez sites

    Slide 9:What Can You Do?

    • Apply all security updates ASAP.
    • Make sure ALL machines in your area have correct contact information.
    • Make sure all machines in your area have STRONG passwords.
    • Review all machines for appropriate file-sharing configuration.

    Slide 10:How to make this less painful:

    • Don’t move compromised machines
    • Don’t use “slush” addresses
    • Don’t use hubs/repeaters/switches
    • Don’t take shortcuts
    • Don’t run services you don’t need
    • Use your vendor’s “Update Service”
    • Subscribe to the security-fyi and netusers lists
    • Backups, Backups, Backups!

    Slide 11:Less painful, continued…

    • Please reply/all to the mail we send you
    • Don’t call the Help Desk because you have received mail from us
    • We do not have a number where you can call us
    • Don’t run IIS (Really)
    • Look out for specialized machines with embedded Windows
    • Please don’t cry. We’re already a little depressed.

    Slide 12:Final thoughts on Pain…

    • We know your system is important to you
    • We aren’t doing this to be annoying
    • We cannot send someone out to help you recover (but can refer you to paid consultants)
    • Plan ahead: how much work will it take for you to recover your critical systems RIGHT NOW?

    Slide 13:Mailing Lists

    • netusers@mit.edu = (public) Notification of maintenance events, CERT Advisories
    • security-fyi@mit.edu = (public) Local security news, and threat updates
    • security@mit.edu = Working list for the security team. Questions or problems go here
    • Mail to “-request” to join the public lists

    Slide 14:Cracking passwords, and how to make it harder

    Jon Hunt, Software Release Team and Security Team jmhunt@mit.edu

    Slide 15:Cracking Passwords

    Active vs. Passive – Both Use
    • Guess (user name, machine name, blank, “test”, “help”, “student”, “password”)
    • Dictionary (high powered guessing)
    • Brute Force (try everything)
    Tools
    • GetAcct
    • Null Sessions with SecDump
    • L0pht Crack
    • Scripts
    Italics = Specific Hacker (white or black) Tool

    As Bob mentioned earlier, we have seen hackers compromising Windows machines on campus by cracking the passwords. There are two types of password attacks commonly used today: Active and Passive. Both use a similar philosophy: try the easy ones first and move on to harder passwords. The main difference is in how they check whether a password is valid.

    Slide 16:Active Password Attack

    • Hacker will try to get account information
        • GetAcct or NULL Sessions
    • If that fails, tries standard accounts
        • Administrator, Guest, Backup, Test, IIS…
    • Repeatedly attempts to log on to the computer remotely using a script and a series of passwords

    The hacker will try to determine active administrative accounts and, if that fails, use the defaults. This is why it is good to disable the Guest account, rename the Administrator account and any other standard accounts. While it won’t protect against tools like GetAcct, it will fool the dumber scripts that we see attacking machines at MIT. They then try to log in with as many passwords as they can to the accounts they found.

    Slide 17:GetAcct & SecDump

    GetAcct
    • Enumerates all user information (except password) on NT 4 & 2000 out of the box
    • Groups, last logon, real name, password last changed, and much more
    • Do NOT know how to lock down NT 4 to stop it
    • Enter the machine name and the number of accounts you want the info for
    NULL Sessions & DumpSec
    • Similar thing, more configurable, harder to use
    • Login as a blank user: C:\>net use \\machine\ipc$ /user:"" *

    Slide 18:If you have auditing set up, you will see something like this

    Slide 19:An active password attack will show up in the Security Log as a number of repeated failed attempts. Notice that in 23 seconds 15 passwords were attempted.

    Slide 20:Notice the account name. This is not a real account on my machine. Because I have NULL Sessions disabled, the hacker was not able to get my account listing and only tried bogus or trapped accounts. I have renamed my Administrator account to something other than root and have created a standard user with the user name Administrator. While this wouldn’t fool a serious hacker trying to break into my system, it does prevent the scripts from getting in. One problem with the built-in Administrator account is that it does not get locked out, so the hackers can try as many passwords as they like on the best account.
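The two signs described on slides 19 and 20, a burst of failed logons in a short window and attempts against a decoy account name that no real user has, can both be checked for automatically. The following is an added example, not from the presentation: a small Python script run over a constructed, simplified log format (timestamp, outcome, account, source host). The sample lines, the burst threshold and the decoy name are assumptions for illustration; a real Windows Security Log export has a different layout and needs its own parser.

```python
"""Flag an active (online) password-guessing attack in exported logon records.

Added example, not part of the original presentation. The log format is a
constructed, simplified one: "<date> <time> <FAILURE|SUCCESS> account=<name> src=<host>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 15 failures from one source inside 23 seconds (the burst
# the slide 19 notes describe), two scattered failures and one success elsewhere.
SAMPLE_LOG = """\
2002-10-03 02:14:05 FAILURE account=Administrator src=10.0.0.99
2002-10-03 02:14:06 FAILURE account=Administrator src=10.0.0.99
2002-10-03 02:14:08 FAILURE account=Administrator src=10.0.0.99
2002-10-03 02:14:09 FAILURE account=Administrator src=10.0.0.99
2002-10-03 02:14:11 FAILURE account=Administrator src=10.0.0.99
2002-10-03 02:14:12 FAILURE account=Guest src=10.0.0.99
2002-10-03 02:14:14 FAILURE account=Guest src=10.0.0.99
2002-10-03 02:14:15 FAILURE account=Guest src=10.0.0.99
2002-10-03 02:14:17 FAILURE account=Guest src=10.0.0.99
2002-10-03 02:14:19 FAILURE account=Backup src=10.0.0.99
2002-10-03 02:14:21 FAILURE account=Backup src=10.0.0.99
2002-10-03 02:14:23 FAILURE account=Test src=10.0.0.99
2002-10-03 02:14:25 FAILURE account=Test src=10.0.0.99
2002-10-03 02:14:26 FAILURE account=IIS src=10.0.0.99
2002-10-03 02:14:28 FAILURE account=IIS src=10.0.0.99
2002-10-03 03:30:00 FAILURE account=bob src=10.0.1.12
2002-10-03 09:01:10 FAILURE account=alice src=10.0.1.7
2002-10-03 09:01:20 SUCCESS account=alice src=10.0.1.7
"""

# Slide 20: the real Administrator account was renamed and a decoy standard
# user named "Administrator" was created, so any attempt against it is suspect.
DECOY_ACCOUNTS = frozenset({"Administrator"})


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {"time": when, "outcome": parts[2],
            "account": fields["account"], "src": fields["src"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Per source host, find the densest window of failures; report it when it
    holds at least `threshold` failures (a script trying a password list)."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILURE":
            by_src[e["src"]].append(e)
    bursts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best, j = None, 0
        for i in range(len(evs)):
            # Advance j so that evs[i:j] all fall within `window` of evs[i].
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {"src": src, "count": count,
                        "first": evs[i]["time"], "last": evs[j - 1]["time"],
                        "accounts": sorted({e["account"] for e in evs[i:j]})}
        if best:
            best["span_seconds"] = int((best["last"] - best["first"]).total_seconds())
            bursts.append(best)
    return bursts


def decoy_hits(events, decoys=DECOY_ACCOUNTS):
    """Any logon attempt, failed or not, against a decoy account name."""
    return [e for e in events if e["account"] in decoys]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for b in find_bursts(evs):
        print(f"{b['src']}: {b['count']} failures in {b['span_seconds']}s, accounts {b['accounts']}")
    print(f"attempts against decoy accounts: {len(decoy_hits(evs))}")
```

The decoy check deliberately includes successful logons: the slide's point is that the decoy has no legitimate user, so a success against it is the most urgent line in the log, not a false positive.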

    Slide 21:Passive Password Attack

    • Sniff clear text and hashed passwords
    • Dump the SAM Database - pwdump
    • Crack the passwords using L0pht Crack or other tools
    • Grab from the Remote Registry (requires admin rights)

    Unlike the Active attack, you won’t see lots of failures for a passive attack. Typically, the only log entry will show a successful attempt at some weird hour from a weird machine. We assume that we have had machines compromised by passive attacks, but it is really hard to tell, since a successful logon is typically the only trace of the attack. For a passive attack, the hacker gets a hash of the password and then tries to guess what password generated that hash. Tools such as L0pht Crack make this very easy and fast. A hash is a one-way, deterministic transformation of the password.

    Slide 22:L0pht Crack from @stake

    • 560,000 dictionary words in a minute
    • Unlimited dictionaries available on the web
        • Slang, scifi, names, places, mythology, yiddish, kjb, Shakespeare, common_passwds, Chinese and many more.
    • Brute Force on Pentium III 800MHz
        • A-Z, 0-9 in 13 hours
        • A-Z, 0-9 and !@#$%^&*()_-+= in 5 days
        • A-Z, 0-9 and !@#$%^&*()_-+=[]{}\|:;’”<>,.?/ in 48 days
    • Full version only costs $350 – free 15 day trial
    • Built in sniffer for LM & NTLM hashed passwords

    This is not a fast machine by today’s standards, with P4 2GHz machines available. With a faster machine, these times could be cut in half. Being clever and using a foreign language doesn’t help, since adding any number of dictionaries is trivial. I was able to check half a million words in under a minute on my laptop.

    Slide 23:Here is what L0pht can do. Notice the dictionary attacks got about half the passwords. The longer and more complex the password, the better.

    Slide 24:What can you do?

    • Use and require strong passwords
        • MiXeD cAse
        • Special<>characters! (in the middle is better)
        • The longer the better; over 14 characters is much harder (only works for Win2K and later)
    • Change them about every 42 days
    • Automatically lock accounts for 30 minutes after repeated failed attempts
    • Enable Auditing and check the logs

    The times listed before are based on 14 character maximums for passwords; longer passwords would increase these times greatly, but how many people are using 14+ character passwords?
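The brute-force times on slide 22 and the "14 character maximum" remark in the slide 24 notes are two views of the same arithmetic. The following is an added example, not from the presentation and not L0pht Crack's own calculation: it back-calculates a guess rate from the one measurement the slide gives (A-Z, 0-9 in 13 hours on a Pentium III 800MHz) and applies it to the other character sets and to a longer password. The 7-character split is a property of the LM hash (the password is cut into two 7-character halves that are cracked independently), which is why the slide's figures stop growing at 14 characters. Function names and the 15-character comparison are assumptions for illustration; the third estimate counts only the characters printed on the slide, so it lands below the slide's own 48 days and should be read as a floor.

```python
"""Estimate brute-force search times from the figures on slide 22.

Added example, not part of the original presentation. The guess rate is
calibrated from the slide's "A-Z, 0-9 in 13 hours"; nothing else is measured.
"""
import string

ALNUM = string.ascii_uppercase + string.digits   # LM is case-insensitive: A-Z, 0-9 (36)
PUNCT_A = "!@#$%^&*()_-+="                       # second set on slide 22 (14 more)
PUNCT_B = "[]{}\\|:;'\"<>,.?/"                   # third set on slide 22 (16 more)

LM_HALF = 7                          # characters per LM hash half
SLIDE_ALNUM_HOURS = 13               # slide 22: A-Z, 0-9 exhausted in 13 hours
SLIDE_DICT_WORDS_PER_MIN = 560_000   # slide 22: dictionary speed


def keyspace(alphabet_size, length):
    """Candidates of exactly `length` characters over the alphabet (worst case)."""
    return alphabet_size ** length


def lm_guesses(alphabet_size):
    """Guesses to exhaust both LM halves. The halves are cracked independently,
    so the costs add instead of multiplying: 2 * n^7, not n^14."""
    return 2 * keyspace(alphabet_size, LM_HALF)


def calibrated_rate():
    """Guesses per second implied by the slide's 13-hour alphanumeric figure."""
    return lm_guesses(len(ALNUM)) / (SLIDE_ALNUM_HOURS * 3600)


def lm_days(alphabet_size, rate=None):
    """Worst-case days to exhaust an LM hash over the given alphabet."""
    rate = rate or calibrated_rate()
    return lm_guesses(alphabet_size) / rate / 86400


def full_length_days(alphabet_size, length, rate=None):
    """Worst case when the whole password is one search with no LM split,
    e.g. a 15+ character password that only has an NT hash. The same guess
    rate is assumed for comparability; real NT-hash speeds differ."""
    rate = rate or calibrated_rate()
    return keyspace(alphabet_size, length) / rate / 86400


def dictionary_seconds(n_words):
    """Time to try a word list at the slide's dictionary speed."""
    return n_words / (SLIDE_DICT_WORDS_PER_MIN / 60)


def summary():
    """Estimates for the three slide-22 character sets plus a 15-char comparison."""
    sets = {
        "A-Z 0-9": len(ALNUM),
        "A-Z 0-9 + punct set A": len(ALNUM) + len(PUNCT_A),
        "A-Z 0-9 + punct sets A and B": len(ALNUM) + len(PUNCT_A) + len(PUNCT_B),
    }
    out = {name: lm_days(n) for name, n in sets.items()}
    out["15 chars, A-Z 0-9, no LM split"] = full_length_days(len(ALNUM), 15)
    return out


if __name__ == "__main__":
    for name, d in summary().items():
        print(f"{name:36s} {d:16.1f} days")
    print(f"4 million dictionary words: {dictionary_seconds(4_000_000) / 60:.0f} minutes")
```

The comparison line is the point of the slide 24 notes: with the LM split, adding punctuation moves the attacker from hours to days, while a single 15-character alphanumeric password searched as one string is more than a trillion times more work at the same rate. The dictionary figure is the other half of the story: a multi-million-word list finishes in minutes, which is why length and character mix only help a password that is not in any list.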

    Slide 25:What else can you do?

    • Use NTFS instead of FAT
    • Apply patches
        • Windows Update – all critical updates *
        • Application Vendors release patches too
    • Disable stuff you do not need
        • NULL Sessions
        • LM Hashes (require NTLMv2 if possible)
        • Do NOT connect from Win95/98/ME
    * Wait for IS’s recommendation for Service Packs

    Slide 26:What further can you do?

    • Run Anti-Virus Software and keep it up to date
    • Do NOT open attachments from people you are not expecting to receive them from
    • Have a BACKUP SOLUTION!!!
    • Use your Backup Solution
    • Check that your Backup Solution is working
    • We have seen hackers delete client data to make room for warez

    Slide 27:What are we (IS) doing to help?

    • Working on Security Templates
        • Make it easier to apply policies
        • Have a first pass for Windows 2000 and XP that are currently in review
    • Working on guidelines: http://mit.edu/is/help/winxp/xpsecurity.html
    • Scanning MITnet for basic vulnerabilities and compromises and informing the machine contact (update your machine contact info)

    Slide 28:Should I be testing my user’s passwords?

    • It depends, but probably not
    • More useful to set up a good policy
        • Require strong passwords
        • Set passwords to expire (e.g. 42 days)
        • Disable NULL Sessions
        • Require NTLMv2 (disable LANMAN and NTLM)
        • Run regularly updated virus scans
        • Lock out accounts after repeated failed attempts
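Slides 24 and 28 both say a policy beats cracking your own users' passwords. The following is an added example, not from the presentation, of the password rules from those slides expressed as a checker: length over 14, mixed case, special characters away from the ends, a 42-day change interval, and rejection of the first guesses listed on slide 15 (blank, "test", "help", "student", "password", the user name and the machine name). The function names, thresholds as coded and the sample inputs are assumptions for illustration.

```python
"""Check a candidate password against the rules on slides 24 and 28.

Added example, not part of the original presentation. Thresholds follow the
slides; the first-guess list is the one on slide 15.
"""
import string
from datetime import date

# Slide 15: the "Guess" stage tries these before any dictionary.
FIRST_GUESSES = {"", "test", "help", "student", "password"}
MIN_LENGTH = 15        # slide 24: over 14 characters is much harder (LM covers 14)
MAX_AGE_DAYS = 42      # slides 24 and 28: change about every 42 days


def password_problems(password, username="", machine_name=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    identity_guesses = {n.lower() for n in (username, machine_name) if n}
    if lowered in FIRST_GUESSES or lowered in identity_guesses:
        problems.append("is one of the first guesses an attacker tries")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")
    # Slide 24: special characters "in the middle is better", so a single
    # symbol tacked on the front or the end does not satisfy the rule.
    special_positions = [i for i, c in enumerate(password) if c in string.punctuation]
    if not special_positions:
        problems.append("no special characters")
    elif all(i in (0, len(password) - 1) for i in special_positions):
        problems.append("special characters only at the ends")
    return problems


def change_overdue(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the policy allows."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, kw in [("password", {}), ("Secret123!", {}),
                   ("labpc-07", {"machine_name": "LabPC-07"}),
                   ("Correct<Horse>Battery!Staple", {})]:
        print(f"{pw!r}: {password_problems(pw, **kw) or 'OK'}")
    print("overdue:", change_overdue(date(2002, 8, 1), date(2002, 10, 3)))
```

Checking against the user name and machine name is the cheap part of the slide 15 list that a generic complexity filter misses; the rest of the list is covered by the first-guess set, and everything beyond that is the dictionary problem the earlier slides describe.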
