
COEN 252 - PowerPoint PPT Presentation


PowerPoint Slideshow about 'COEN 252' - ziven

Presentation Transcript

COEN 252

Security Threats

Hacking

  • Untargeted attacks

    • Motivation is

      • Fun (I can do it)

        • prevalent until ~2000

      • Financial Gain

        • Selling access to compute resources

          • Creation of botnets for spamming, computation (distributed decryption, phishing, pharming …)

        • Selling data

          • Credit Card Information

          • E-mails

        • Targeted Denial of Service Attacks

          • Cloud Nine, a British ISP, failed after suffering attacks

      • Cyber-warfare, terrorism

Hacking

  • Targeted Attacks

    • Theft of information

    • Incapacitation of an organization to fulfill its purpose by destroying / impeding its use of computing resources


Phases of a Targeted Attack

  • Reconnaissance

  • Scanning

  • Gaining Access

  • Expanding Access

  • Covering Tracks

Reconnaissance

  • Social Engineering

    • Incite a human to act imprudently, furthering the goals of the attacker:

      • “I cannot access my email. What do I do?”

      • Countermeasures:

        • Identify security issues

        • Develop policies

          • Need to prevent leakage of information

          • Need buy-in by users and agents

          • Need to maintain user-friendliness of IT

  • Physical Reconnaissance

    • Dumpster Diving

      • Especially bountiful when people move

    • Installation of scanning devices

Reconnaissance

  • Finding publicly available information

    • Contact information of internet registration

      • WhoIs, ARIN, RIPE, …

    • Internal documents made publicly available:

      • Use search engines

      • Check Internet Archive, …

      • Identify naming conventions and guess file names

      • Scrutinize publications

        • A Word document might contain the revision history with old versions of the file

        • A PDF file had confidential information obscured by a black box that could be removed

    • Email, Usenet, Blog postings that identify names of internal machines, …

Reconnaissance: Scanning

Once we have a target, we need to get to know it better.

  • War Dialing (to find out modem access)

  • War Driving

  • Network Mapping

    • Largely obsolete due to better firewall rules

  • Vulnerability Scanning

Scanning: War Dialing

Purpose: Find a modem connection.

  • Many users in a company install remote PC software such as PCAnywhere without setting the software up correctly.

  • War Dialer finds these numbers by going through a range of phone numbers listening for a modem.

  • Demon Dialer tries a brute force password attack on a found connection.

  • Typically: war dialing will find an unsecured connection.

Scanning: Network Mapping

  • ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request.

  • A receiving station answers back to the sender.

  • Used by system administrators to check status of machines and connections.

Scanning: Network Mapping

  • Traceroute pings a system with ICMP echo requests with varying life spans (TTL = number of hops allowed).

  • A system that receives a packet whose hop count has expired sends an error message back to the sender.

  • Traceroute uses this to find the route to a given system.

  • Useful for System Administration

Scanning: Network Mapping

  • Cheops: Network Scanner (UNIX based)

    • Uses traceroute and other tools to map a network.

  • Cheops et Co. are the reason that firewalls intercept pings.

Reconnaissance: Port Scans

  • Applications on a system use ports to listen for network traffic or send it out.

  • 2^16 ports available, some for known services such as http (80), ftp, ...

  • Port scans send various types of IP packets to the target on different ports.

  • The reaction tells the scanner whether the port is open (an application is listening).

Reconnaissance: Nmap

  • Uses different types of packets to check for open ports.

    • Xmas tree, NULL, SYN, … scans

  • Can tell from the reaction what OS is running, including patch levels.

  • Can run in stealth mode, in which it is not detected by many firewalls.

Reconnaissance Prevention

  • Firewalls can make it very difficult to scan from the outside.

    • Drop scan packets.

  • A patched OS does not have the idiosyncratic behavior that allows OS determination.

  • IDS can detect internal scans and warn against them.

  • Example: Detect traceroute by not allowing in packets with very small TTL values
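
As an added example (not from the course slides), a small Python detector for the reconnaissance described on the traceroute, Nmap and prevention slides: it flags inbound packets with very small TTL values, NULL and Xmas flag combinations, and one source probing many ports in a short window. The packet records, thresholds and addresses are constructed for this example.

```python
"""Spot the reconnaissance the slides describe (tiny-TTL traceroute probes, Nmap
port sweeps, NULL/Xmas flags) in a packet log.  Added example, constructed data."""
from collections import defaultdict
from dataclasses import dataclass

LOW_TTL = 5        # assumed: an inbound TTL this low looks like a traceroute probe
SCAN_PORTS = 10    # assumed: distinct ports from one source within SCAN_WINDOW
SCAN_WINDOW = 2.0  # seconds

@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str
    dst: str
    dport: int
    ttl: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flag letters such as "S" or "FPU"; "" = no flags set

def flag_anomaly(pkt: Packet) -> str:
    """Name the odd TCP flag combinations Nmap uses for NULL and Xmas scans."""
    if pkt.proto != "tcp":
        return ""
    if not pkt.flags:
        return "NULL scan"
    if {"F", "P", "U"} <= set(pkt.flags):
        return "Xmas scan"
    return ""

def analyze(packets: list[Packet]) -> list[str]:
    """Return one alert string per suspicious event, in time order."""
    alerts: list[str] = []
    recent: dict[str, list[tuple[float, int]]] = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        if p.ttl <= LOW_TTL:
            alerts.append(f"low TTL {p.ttl} from {p.src}: possible traceroute probe")
        anomaly = flag_anomaly(p)
        if anomaly:
            alerts.append(f"{anomaly} from {p.src} to {p.dst}:{p.dport}")
        # Sliding window per source; alert once, when the distinct port count first hits the threshold.
        recent[p.src] = [(t, d) for t, d in recent[p.src] + [(p.ts, p.dport)]
                         if p.ts - t <= SCAN_WINDOW]
        if len({d for _, d in recent[p.src]}) == SCAN_PORTS:
            alerts.append(f"port scan from {p.src}: {SCAN_PORTS} ports in {SCAN_WINDOW}s")
    return alerts

# Constructed sample: a 12-port SYN sweep, an Xmas probe, a NULL probe, a UDP probe
# with TTL 1 (traceroute style) and one ordinary web connection attempt.
SAMPLE = (
    [Packet(0.1 * i, "10.0.0.9", "10.0.0.2", 1 + i, 64, "tcp", "S") for i in range(12)]
    + [Packet(5.0, "10.0.0.7", "10.0.0.2", 80, 64, "tcp", "FPU"),
       Packet(5.5, "10.0.0.7", "10.0.0.2", 22, 64, "tcp"),
       Packet(6.0, "10.0.0.5", "10.0.0.2", 33434, 1, "udp"),
       Packet(7.0, "10.0.0.3", "10.0.0.2", 80, 64, "tcp", "S")]
)
```

Running `analyze(SAMPLE)` yields four alerts: the port sweep, the Xmas probe, the NULL probe and the low-TTL probe; the ordinary SYN produces none.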

Gaining Access

  • Fault in Policy

    • Weak or no authentication, unwarranted trust relationships, …

  • Fault in Implementation

    • Typically triggered by intentionally malformed input

  • Extension of a security breach

    • Sniffing malware, …

Security Policy, Software Defects, Flaws, Vulnerabilities

  • A Security Policy is a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources [Internet Society 00].

  • Software Defects:

    • A software defect is the encoding of a human error into the software, including omissions.

  • Security Flaw:

    • A security flaw is a software defect that poses a potential security risk.

    • Eliminating software defects eliminates security flaws.

  • Vulnerability

    • A set of conditions that allows an attacker to violate an explicit or implicit security policy.

    • Not all security flaws lead to vulnerabilities.

    • Not all vulnerabilities are based on a security flaw.

Software Vulnerabilities

  • Attacker needs

    • to control the environment of the application

    • or to craft input

    in order to trigger a vulnerability.

Software Vulnerabilities

  • In a typical environment, attacker needs to be able to set a single value at a single address in order to execute arbitrary code.

  • Typical Targets

    • Global Offset Table in Unix

      • Used to link to library functions

    • .dtors

      • Used by gcc to link to destructors that run at termination of program

    • Virtual Function Tables

    • Exception Handling Table in Windows

Software Vulnerabilities

  • Typical Vulnerabilities

    • Buffer Overruns:

      • Input string is stored in a buffer, but the buffer is too small

      • Input that extends beyond the buffer overwrites adjacent data

      • Stack based buffer overflow: Overwrite the return address of a function

    • Format String Vulnerability: (Specific to C)

      • Arises when the programmer does not specify a format string and user input is used as one

      • The %n construct allows the attacker to write to an arbitrary memory location

    • Integer Overflow

    • Race Conditions

      • Especially when accessing files

Software Vulnerabilities

  • Typical Vulnerabilities

    • Injection Attacks

      • Input (e.g. user input to a web server) is used to generate arguments for a command to be executed: Command Injection

      • Input (e.g. user input to a web server) is used to generate arguments for an SQL query to be executed and displayed: SQL Injection

    • Name Resolution Attacks

      • Different modules use different ways to canonicalize / resolve names of resources such as files

        • HFS2 file names are not case sensitive, but Apache configuration is

        • Homoglyphs (e.g. Cyrillic vs. Latin o)
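
An added example (not from the slides) of the defence against name resolution attacks: canonicalize the requested name before the access check, so that a case-insensitive store, `..` segments and look-alike characters all resolve the way the rule expects. The protected prefixes, the confusable table and the sample requests are assumptions for this example.

```python
"""Canonicalize a requested name before the access check, so the ACL and the
store agree on what the name means.  Covers the slide's two cases: a
case-insensitive filesystem under a case-sensitive Apache rule, and look-alike
(homoglyph) characters.  Added example, not course material."""
import posixpath
import unicodedata

# Assumed ACL: resource trees an Apache-style config would protect.
PROTECTED = ("/admin/", "/private/")

# Cyrillic letters that render like Latin ones (constructed subset, not a
# complete confusables table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def canonicalize(path: str) -> str:
    """Resolve the name the way a case-insensitive store will, not the way the
    string looks: fold fullwidth/compatibility forms (NFKC), map confusable
    letters, normalize separators and '..' segments, then lower-case."""
    p = unicodedata.normalize("NFKC", path).translate(CONFUSABLES)
    p = posixpath.normpath("/" + p.replace("\\", "/").lstrip("/"))
    return p.lower()

def is_protected(path: str, naive: bool = False) -> bool:
    """naive=True compares the raw string the way a case-sensitive config does;
    the default canonicalizes first."""
    name = path if naive else canonicalize(path)
    return (name.rstrip("/") + "/").startswith(PROTECTED)

def compare(paths: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each request: (verdict of the literal check, verdict after canonicalizing)."""
    return {p: (is_protected(p, naive=True), is_protected(p)) for p in paths}

# Constructed requests that a literal, case-sensitive match gets wrong.
REQUESTS = [
    "/admin/users",          # plain: both checks agree
    "/Admin/Users",          # case-insensitive store serves it, literal rule misses it
    "/public/../admin/cfg",  # another module resolves '..' after the check
    "/\u0430dmin/users",     # Cyrillic 'а' looks like Latin 'a'
    "/\uff41\uff44\uff4d\uff49\uff4e/x",  # fullwidth 'ａｄｍｉｎ'
    "/administrator/",       # prefix overlap must not be over-matched
]
```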

Software Vulnerabilities

  • Use of magic names

    • Instance of security by obfuscation

      • Magic URL

      • Hidden Form Fields

Software Vulnerabilities

  • The wrong amount of security information results in poor usability

    • Too many warnings: Users are confused and trained to ignore warnings

    • Too few warnings: Users are not made aware of risks

  • Bad networking protocols

    • Unauthenticated key exchange

    • Trusting network name resolution

Gaining Access through Network Attacks: Sniffing

  • Sniffer: Gathers traffic from a LAN.

  • Examples: Snort, Sniffit

  • To gain access to packets, use spoofed ARP (Address Resolution Protocol) to reroute traffic.

Gaining Access through Network Attacks: Sniffing

  • Sniffing through a hub:

    • MAC flooding:

      • Switches store MAC addresses in a cache.

      • Switches accept MAC advertising.

      • Attacker sends a flood of MAC advertisings.

      • Switch’s cache fills up.

      • Switch moves into promiscuous mode.

    • Spoofed ARP messages

Gaining Access through Network Attacks: Sniffing

  • Sniffing through a hub:

    • Spoofed ARP messages:

      • ARP resolves between IP addresses and MAC addresses.

      • Step 1: Attacker sets up IP forwarding to the default router on the LAN.

      • Step 2: Send a faked ARP reply to the victim's machine that rebinds the default router's IP to the attacker's MAC address.

      • Step 3: Victim sends out a message to the outside world. It is addressed to the default router's IP, i.e. it goes to the attacker's machine.

      • Step 4: Attacker reads the traffic.

      • Step 5: Because of forwarding, the packet is forwarded to the actual default router.
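
The defender's view of Steps 2 and 3, as an added example that is not part of the original slides: a passive monitor over observed ARP replies that pins the gateway's IP-to-MAC binding and alerts when a reply rebinds it, or when one MAC starts answering for several IPs. The addresses and frames are constructed.

```python
"""Passive ARP monitor for the slide's Step 2: a forged ARP reply rebinds the
default router's IP to the attacker's MAC.  Added example on constructed
frames, not course material; a real monitor would read frames off the wire."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP the sender claims to own
    sender_mac: str   # MAC it wants bound to that IP
    target_ip: str    # host the reply was addressed to

def monitor(replies: list[ArpReply], pinned: dict[str, str]) -> list[str]:
    """Return alerts.  `pinned` holds trusted IP->MAC bindings (the gateway,
    taken from a baseline); other hosts are learned on first sight and are
    never allowed to displace a pinned entry."""
    table = {ip: mac.lower() for ip, mac in pinned.items()}
    alerts: list[str] = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append(f"{r.sender_ip} rebound from {known} to {mac} "
                          f"(reply sent to {r.target_ip})")
        # One MAC answering for several IPs is the attacker speaking for the router.
        others = sorted(ip for ip, m in table.items() if m == mac and ip != r.sender_ip)
        if others:
            alerts.append(f"{mac} already owns {others}, now also answers for {r.sender_ip}")
        if r.sender_ip not in pinned:
            table[r.sender_ip] = mac
    return alerts

# Constructed LAN: pinned gateway, a victim, an attacker, then the forged reply
# that tells the victim the gateway now lives at the attacker's MAC.
GATEWAY = {"192.168.1.1": "00:11:22:33:44:55"}
REPLIES = [
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20", "192.168.1.1"),   # victim, genuine
    ArpReply("192.168.1.66", "aa:bb:cc:dd:ee:66", "192.168.1.1"),   # attacker, genuine
    ArpReply("192.168.1.1", "AA:BB:CC:DD:EE:66", "192.168.1.20"),   # forged (Step 2)
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20", "192.168.1.66"),  # victim again, genuine
]
```

The forged frame produces two alerts (the pinned gateway binding changed, and the attacker's MAC now claims two IPs); the genuine replies produce none.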

Gaining Access through Network Attacks: Sniffing

  • Man in the Middle Attack with DSniff:

    • Step 1: Send a fake DNS response for the web site to be attacked to the victim.

    • Step 2: Victim connects to the website.

    • Step 3: DNS resolves to the attacker's machine, so the request is sent there.

    • Step 4: Attacker's site receives the request, acts as a proxy, and forwards it to the real website.

    • Step 5: Real website answers; attacker's site forwards the answer to the victim.

Gaining Access: Session Hijacking

  • IP Address Spoofing: Send out IP packets with false IP addresses.

  • If an attacker sits on a link through which traffic between two sites flows, the attacker can inject spoofed packets to “hijack the session”.

  • Attacker inserts commands into the connection.

  • Details omitted.

Exploiting and Maintaining Access

After successful intrusion, an attacker should:

  • Attack privileged programs to gain root or administrator privileges.

  • Erase traces (e.g. change log entries).

  • Take measures to maintain access.

  • Erase security holes so that no-one else can gain illicit access and do something stupid to wake up the sysadmin.

Maintaining Access: Trojans

  • A program with an additional, evil payload.

    • Running MS Word also reinstalls a backdoor.

    • ps does not display the installed sniffer.

Maintaining Access: Backdoors

  • Bypass normal security measures.

    Example: netcat

  • Install netcat on the victim with the GAPING_SECURITY_HOLE option.

    C:\ nc -l -p 12345 -e

  • In the future: connect to port 12345 and start typing commands.

Maintaining Access: Backdoors

  • BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the Processes tab in the Task Manager).

  • Otherwise, it is a remote control program like pcAnyWhere, that allows accessing a computer over the net.

Maintaining Access: Backdoors

  • RootKit:

    A backdoor built as a Trojan of system executables such as ipconfig.

  • Kernel-Level RootKit:

    Changes the OS, not only system executables.

Covering Tracks

  • Altering logs.

  • Create hard-to-find files and directories.

  • Covert Channels through Networks:

    • Loki uses ICMP messages as the carrier.

    • Use WWW traffic.

    • Use unused fields in TCP/IP headers.

  • Use anti-forensics

    • Change registry values to delete traces of installed programs

    • Change Date-Time stamps

Hacker Profile

  • Internal Hacker

    • Disgruntled employee

    • Contracted employee

      • Targets for corporate espionage.

      • Are not bound by employee policies and procedures.

    • Indirectly contracted employee

      • Perform shared or subcontracted services

Hacker Profile

  • External Hacker

    • Recreational Hacker

      • 85% to 90% male.

      • Between 12 and 25.

      • Highly intelligent low-achiever.

      • Typically from dysfunctional families.

    • Professional Hacker

      • Hackers for hire.

      • Electronic warfare, corporate espionage.

      • So-called “Security Consultants” who look for blackmail or exploit for hire

      • Security Consultants

Hacker Profile

  • Virus writers [1]

    • Teenagers, College Students, Professionals

    • Drop out of the scene as adults or have social problems.

    • Intelligent, educated, male.

  [1] Study by Sarah Gordon, IBM, in Beiser, Vince, “Inside the Virus Writer’s Mind”

Hacker Profile

  • Script Kiddy

    • Uses scripts of programs written by others to exploit known vulnerabilities

    • Goal is bragging rights, defacing web sites

    • Sweep IP addresses for vulnerability

    • Typically not explicitly malicious, but can cause damage inadvertently

Hacker Profile

  • Dedicated Hacker

    • Does research.

    • Knows the ins and outs of OS, system, auditing and security tools.

    • Writes or modifies programs and shell scripts

    • Reads security bulletins (CERT, NIST)

    • Searches the underground.

Hacker Profile

  • Skilled Hacker

    • Thorough understanding of the system at the level of a sysadmin or above.

    • Can read OS source code.

    • Understands network protocols.

  • Superhacker

    • Does not brag or post.

    • Can enter or bring down any system.

Hacker Motives

  • Intellectually Motivated

    • Educational experimentation

      • A 28-year-old computer expert diverted 2585 US West computers to search for a new prime number.

      • Used 10.63 years of computer time.

      • Lengthened telephone number lookup to 5 minutes

      • Almost shut down the Phoenix Service Delivery Center

    • “Harmless Fun”

      • Web defacing

    • Wake-up Call

      • Free-lance security consultant (still illegal)

Hacker Motives

  • Personally motivated

    • Disgruntled employee.

    • Cyber-stalking

      • E.g. to show off superiority to someone they feel / are inferior to.

      • Danger of escalation to physical attack.

        • A 50-year old security guard used the internet to solicit the rape of a 28-year old woman who rejected him.

        • Impersonated her in chat rooms and online bulletins.

        • Impersonated rape fantasies.

        • At least six men knocked at her door at night offering to rape her.

        • Six years in prison.

Hacker Motives

  • Socially motivated

    • Cyber-activism

    • Politically motivated

      • Hacking KKK or NAACP websites

    • Cyber-Terrorism

      • Threatens serious disruption of the infrastructure

        • Power

        • Water

        • Transportation

        • Communication

      • 1988: Israeli Virus and logic bomb in Israeli government computers

    • Cyber-warfare

Hacker Motives

  • Financially Motivated

    • Personal profit.

      • Two Cisco Systems consultants issued almost $8M in Cisco stock to themselves.

      • Accessed a system used to manage stock option disbursals to find control numbers for forged authorization forms.

    • Damage to the organization.

      • British internet provider Cloud Nine went out of business after a crippling series of DoS attacks.

  • Ego Motivated

Hacking Damage

  • Releasing Information

  • Releasing Software

    • By circumventing copy protection.

    • Through IP theft

  • Consuming Unused(?) Resources

  • Discover and Document Vulnerabilities

  • Compromise Systems and Increase their Vulnerabilities

  • Website Vandalism