1 / 49

ITS Offsite Workshop 2002

ITS Offsite Workshop 2002. IT Security. ITS Offsite Workshop 2002. Agenda: Security Issues and PolyU Cases PolyU Computer Systems Security Policy (SSP) ITS/CLO Partnership In IT Security Implementation. Security Issues. Security Issues and PolyU cases By Chan Ping Fong

dawson
Download Presentation

ITS Offsite Workshop 2002

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ITS Offsite Workshop 2002 IT Security

  2. ITS Offsite Workshop 2002 Agenda: • Security Issues and PolyU Cases • PolyU Computer Systems Security Policy (SSP) • ITS/CLO Partnership In IT Security Implementation

  3. Security Issues Security Issues and PolyU cases By Chan Ping Fong Senior Computer Officer Information Technology Services office

  4. Security Issues Universities are known to be vulnerable spots ! Why?

  5. Security Issues Typical University IT Environment ... • 10,000+ networked devices • Very high-speed, high-capacity networks with fast connections to the Internet • Hardware and software deployed are significantly diverse

  6. Security Issues Typical University IT Environment ... • Usually first to implement new technologies, sometimes even before they are matured • Residence Halls networked • Networked systems are being probed continually for vulnerabilities

  7. Security Issues Typical University IT Environment… • Computer locations vary widely, from under a someone's desk to professional data centers • Departments control own technology and mostly act independently • Non-existent or under-staffed technical/security staff

  8. Security Issues Typical University IT Environment • Hundreds of people authorized to access confidential information from central databases • User can extract data to any networked device, to use local manipulation tools • Once extracted, no one knows on which of the thousands of networked devices sensitive data is hosted

  9. Security Issues Typical Security Threats • Virus Attacks • Hacking and Cracking • User Abuses • Spam Mails • Denial of Service (DoS) Attacks Cases reported and complaints received almost everyday

  10. Security Issues Virus Attacks • Melissa • I Love You • SirCam • Code Red and Code Red II • Nimda • Goner

  11. Security Issues • Multiple attack mechanisms • Spreads via email ( not an attachment ) • Spreads via visiting infected web page • Targeting 16 vulnerabilities !! ( some IIS, but not all ) • Nimda also threatened internal networks • Unlike CodeRed, which was only attacking IIS servers • Windows 9x and NT vulnerable via ‘open share attack’ • Attacks IIS via Web Folder Transversal ( malformed ‘get’ ) • And also via an incorrect MIME header

  12. Security Issues • Any PC on the NET communicate by using TCP/IP • Any one could knock on your doors • There are 65535 ports • Your machine may serve any of 65536 ports • Port scanning by hackers • Find out the weakest link • Force you busy, can’t do any useful job • Denial of Service (DoS attack)

  13. Security Issues • Member of HARNET • Another cyber community on the Internet • More web applications on campus network • More expose & risk • Restricted access from outside • By PolyU firewall, proxy server & VPN • Limited restriction on access PCs within campus • Protected by switches and routers • Protected by departmental or personal firewall • Rest, limited restriction

  14. Security Issues Hacking and Cracking(Before) • Only really good hackers could crack • Difficult to write programs to affect Operating Systems • Cracking was “expensive” – learning curve and time • Most cracking had specific purposes – e.g., financial gain, espionage, sabotage

  15. Security Issues and Problems at PolyU Hacking and Cracking(Now) … • Veteran crackers are “publishing” code for neophyte crackers: e.g., log-wipe utilities • Operating system and application APIs are easy to use: e.g., Microsoft VBS • More complicated operating systems and software cause more bugs • Automated vulnerability scanning

  16. Security Issues Hacking and Cracking(Now) • Cracking for profit: e.g., credit card theft, industrial espionage • Cracking for fun: e.g., “script kiddies” • Cracking for political reasons: e.g., PRC Government webpage defacements • Cracking as part of cyber-warfare

  17. Security Issues Cracker Mentoring • Veteran crackers writing and publishing tools • Cracker tools exist for cellular, voice, data communications • Cracker FAQs exist for almost all systems

  18. Security Issues Typical Hacking and Cracking • Unauthorized access • Cracking password • Trojan horse • Tapping • Remote capture of someone’s workstation

  19. Security Issues Typical User Abuses • Download huge files • Send out unsolicited massive emails • Steal and sell email addresses • Steal and leak out passwords to others

  20. Security Issues Typical User Abuses • Put unlicensed software/films/songs for others to download • Conduct commercial activities using PolyU IT facilities and resources

  21. Security Issues Spam Mails • Chain letters • Spreading large number of e-mails to many different users • Mail relay

  22. Security Issues Denial of Service Attacks • Port Scanning • Ping Flooding • Mail bomb • Re-broadcasting of unwanted packets

  23. Quote From Richard A. Clarke “The Internet was built without a government or master plan. It was also built without security as part of the central design. Our entire infrastructure is vulnerable because security was not designed in from the ground up.” Richard A. Clarke, National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, speaking at the Washington D.C. Summit, 18 April 2000

  24. Quote from Computer Economics “It is estimated that the worldwide impact of malicious code was 13.2 Billion Dollars in the year 2001 alone, with the largest contributors being SirCam at $1.15 Billion, Code Red (all variants) at $2.62 Billion, and NIMDA at $635 Million.” Computer Economics, 2001 Economic Impact of Malicious Code Attacks, 02 Jan 2002

  25. It’s a wild world • Every week we see new break-ins, new attack tools, new vulnerabilities • 2002 CSI/FBI Computer Crime and Security Survey (503 respondents): • 90% of respondents detected “unauthorized use of computer systems” in the last 12 months; • The combined losses from just 223 respondents total $445 million • $170 million from “theft of proprietary info” and $19 million from “system penetration”

  26. Top 10 Attack Source by Country

  27. Top 10 Attack Sources per Internet Capita “ in terms of number of attacks per 10,000 Internet Users”

  28. Some Security News … • Bugbear-Worm tries to steal credit cards and passwords. 10 Oct 02 • CERT Advisory Trojan Horse Sendmail Distribution. 08 Oct 02 • W32/Bugbear-A continues to cause problems. 07 Oct 02. • Cyberattacks against energy firms rise, 09 Jul 02. • Hacker swipes $35,000 from Singapore Bank, 05 Jul 02.

  29. Security Issues and Problems at PolyU Intrusion Purposes/Consequences … • Unauthorized access to data • Installation of malicious code to collect passwords, keystrokes, or other data in transit • Huge consumption of network resources, leading to slow to no response on campus network

  30. Security Issues Intrusion Purposes/Consequences • Loss of machine power for intended purposes • Defacement for political reasons • Installation of programs to support attacks on internal or external systems, e.g. DDoS zombies

  31. Security Issues • URL of incident • http://www.attrition.org/mirror/attrition/2000/09/19/www.banking.hsbc.co.uk/mirror.html Note to the administrator: You should really enforce stronger passwords. I cracked 75% of your NT accounts in 16 seconds on my SMP Linux box. Please note the only thing changed on this server is your index page, which has been backed up. Nothing else has been altered.

  32. IT Security Stories Should it take an incident to wake us up? • IndianaU Office of the Bursar (2001) • IU Faculty Research Information Database (1997) • University of Michigan patient records • University of Washington patient records • Stolen passwords at Berkeley, UCLA, Harvard • Many other cases not publicized

  33. Recent Case at our Sister University A student hacked into the PCs of 4 other students • Accessed the homework of other students • Obtained the password of another student • Impersonate and withdrew the classmate from university

  34. The PolyU Real Cases PolyU Real Case

  35. The PolyU Real Cases PolyU Real Case 1 • E-Mails sent to staff in the same department framing senior members of sexual abuses • ITS investigated and located the source being another institution in HK • Case reported to police and a member in that institution identified • Police decided not to pursue due to ‘public interest’

  36. The PolyU Real Cases PolyU Real Case 2 … • Departments (and some students) sent out surveys and promotional e-mails to large number of recipients • Recipients regarded that mail spamming and filed complaints to PolyU • Some recipients (ISP) blacklisted PolyU and barred PolyU e-mails

  37. The PolyU Real Cases PolyU Real Case 2 • Some Departments requested ITS to help but disregarded ITS’s advice and kept on sending • Case reported to the Human Subject Ethics Subcommittee

  38. The PolyU Real Cases PolyU Real Case 3 • Millions of short enquiry packets (pings) sent out to Internet by a Department • Ate up over 80% of PolyU’s Internet bandwidth for 2 hours • ITS traced two machines in the department’s lab and 100s of hours wasted • Nobody was identified due to no log kept in lab • Many more similar cases detected in the same department

  39. The PolyU Real Cases PolyU Real Case 4 … • A graduate student sent out large volume of e-mails on the Internet to solicit money to help his sick wife • Over 200 complaints were received by ITS from all over the world • Some recipients reported to their police and activated investigation by HK and PRC police

  40. The PolyU Real Cases PolyU Real Case 4 • During the investigation, it was also found that the student had also used the PolyU IP address to register and host a commercial website for businessactivities • Case reported to the Head

  41. The PolyU Real Cases PolyU Real Case 5 • A graduate student sent out more than once obscene e-mails to over 200 selected recipients in the media and the HK higher education community to attack a senior staff in his department • Vast amount of time spent in the investigation. More than 200 man-hours just in ITS plus that of the senior management

  42. The PolyU Real Cases PolyU Real Case 6 • The lab instructor of a training course mistakenly generated an infinite loop among the campus Netware servers • Paralyzed the whole campus network which finally had to be shut down and restarted • ITS spent over 100 man-hours to trace the problem and the instructor and fixed the network

  43. The PolyU Real Cases PolyU Real Case 7 … • Code Red, Code Red II and Nimda Viruses attacks • ITS sent out alerts and patches to all users • ITS called urgent meetings with departments • ITS identified and isolated infected ports to contain the impact • Over 300 PolyU PCs affected by Nimda

  44. The PolyU Real Cases PolyU Real Case 7 • Affected machines in turn degraded performance of the campus network and Internet • Damage considered small compared to two other HK institutions which had to shut down the entire campus network to ‘stop the bleeding’

  45. The PolyU Real Cases PolyU Real Case 8 • Some Linux machines in some departments were attacked • They became the ‘launch pad’ of port scanning to other machines on campus and the Internet • ITS received many complaints • The department refused to take action and ITS had to disable their ports from the network

  46. The PolyU Real Cases Other PolyU Real Abuses • Theft of passwords • Use PolyU IT resources to solicit money • Use PolyU IT resources to run business • Give computer accounts to other persons • Insult other users on Internet with foul languages • Mail bombs

  47. The PolyU Real Cases Institutional Risks • Reputation of the institution tarnished • Increases the risk of suits filed by students and others and associated liability • Wastes of resources

  48. The PolyU IT Security • Prevention is better than cure • Users cooperate and follow ITS advices • Must be secure to sustain the future • The cooperation of CLO is essential

  49. IT Security Thank you

More Related