
CSCD 303 Essential Computer Security Winter 2014



  1. CSCD 303 Essential Computer Security, Winter 2014
     Lecture 7 - Desktop Security Vulnerabilities
     Reading: References at end of slides
     [Image: Security Hole]

  2. Overview
     • Learning Objectives
     • Introduce OS Vulnerabilities
       • What are they
       • Why do they happen
     • Study Access Control Vulnerabilities
     • Users - Passwords

  3. Security and Vulnerabilities
     • Vulnerable Defined: according to Merriam-Webster, vulnerable means "exposed to the possibility of being attacked or harmed, either physically or emotionally: 'we were in a vulnerable position'."
     • Vulnerability Defined (computer security): a security vulnerability is a system flaw that can leave the system open to attack. A vulnerability may also refer to any type of weakness in
       1. the computer system itself,
       2. a set of procedures, or
       3. anything that leaves information security exposed to a threat

  4. OS Vulnerabilities
     • What are some vulnerabilities common to all OS's?

  5. OS Vulnerabilities
     Look at common OS vulnerabilities:
     1. Buffer overflow
     2. Unvalidated input
     3. Race conditions
     4. Access-control problems
     5. Weaknesses in authentication

  6. Buffer Overflow
     • Every program that allows input needs to store that input in memory until it can use it for its intended purpose
     • Examples: a web form where you enter your name; saving a file, where you enter a file name; a search engine, where you enter a search string
     • What is the definition of a buffer?

  7. Buffer Defined
     • A temporary storage area, usually in RAM
     • The purpose of most buffers is to act as a holding area, enabling the CPU to manipulate data before transferring it to a device
     • Because reading and writing data to a disk are relatively slow, many programs keep track of data changes in a buffer and then copy the buffer to disk
     • For example, word processors employ a buffer to keep track of changes to files

  8. Buffer Overflow
     • The program should check user input to make sure it is the correct length
     • Frequently the programmer does not bother to check the length of the input; the programmer assumes the user will not do anything unreasonable
     • The language allows him/her to overwrite the buffer
     • For example, a form asks you to enter your first name and has room for 12 characters
     • The user's first name is really long, 15 characters: Francessca-Ally
       First Name (12 characters): F r a n c e s s c a - A
       Overflow characters:        l l y

  9. Buffer Overflows
     • How are buffer overflows used to compromise your computer?
     • As part of a long data input, the attacker will include some of his own code
     • Then he manipulates the flow of the program in memory to execute his code ... more on this later
     • If the program that is overflowing is running with administrator privileges, the attacker's code has administrator privileges
     • Then they can do anything to your computer!!!
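Added example (not from the slides): the 12-character first-name field from slide 8 written in C, with the unchecked strcpy() pattern beside a version that measures the input and refuses anything longer than the field. The struct and function names are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* The form field from the slide: room for 12 characters plus the NUL
   that C strings need. All names here are constructed for the example. */
#define FIRST_NAME_MAX 12
struct signup_form { char first_name[FIRST_NAME_MAX + 1]; };

/* Vulnerable pattern: strcpy() copies until it finds the NUL, so the
   15-character "Francessca-Ally" writes "lly" plus the NUL past the end
   of first_name into whatever follows. Comparison only; never called. */
void store_first_name_unchecked(struct signup_form *f, const char *input)
{
    strcpy(f->first_name, input);               /* no length check */
}

/* Returns 1 if input fits the field. The scan stops after
   FIRST_NAME_MAX + 1 bytes, so unterminated input is not walked forever. */
int first_name_fits(const char *input)
{
    size_t len = 0;
    while (len <= FIRST_NAME_MAX && input[len] != '\0')
        len++;
    return len <= FIRST_NAME_MAX;
}

/* Hardened version: measure first, refuse anything that does not fit.
   Returns 1 on success, 0 when the input was rejected. */
int store_first_name_checked(struct signup_form *f, const char *input)
{
    if (!first_name_fits(input)) {
        f->first_name[0] = '\0';                /* leave the field empty */
        return 0;
    }
    memcpy(f->first_name, input, strlen(input) + 1); /* NUL included */
    return 1;
}

/* Store into a fresh form and report how many characters were kept. */
size_t checked_store_length(const char *input)
{
    struct signup_form f;
    store_first_name_checked(&f, input);
    return strlen(f.first_name);
}

int main(void)
{
    const char *inputs[] = { "Francessca", "Francessca-A", "Francessca-Ally" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> %zu characters stored\n", inputs[i],
               checked_store_length(inputs[i]));
    return 0;
}
```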

  10. Microsoft Vulnerabilities
      • Does anyone know about the vulnerability described in Microsoft Security Bulletin MS08-067?

  11. Buffer Overflow MS08-067
      • Buffer overflow vulnerability in the Windows Server service
      • For systems running Windows 2000, XP, Windows 7 and Server 2003, a remote, unauthenticated attacker could exploit this vulnerability
      • In Vista, the attacker would need to be authenticated
      • Since the Server service runs with Administrator privileges, an attacker could take complete control of a vulnerable system
      • This IS the vulnerability that Conficker exploited!

  12. Details of MS08-067
      • Specifically, this vulnerability is a buffer overflow in an unauthenticated Windows SMB file sharing session
      • SMB = Server Message Block, a protocol for sharing server resources like files and printers
      • A malicious client can bind to the service and issue a request with an overly long argument, overflowing a buffer and possibly executing arbitrary code on the vulnerable server
      • This is one way malware is getting onto systems
      http://asert.arbornetworks.com/2008/10/ms08-067-server-service-vulnerabilities-redux-and-wormability/

  13. What is the Server Message Block?
      • Operates as an application-layer network protocol
      • Provides shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network
      • Also provides an authenticated inter-process communication mechanism

  14. Linux Buffer Overflow Vulnerabilities
      • Is Linux or Mac OS X immune to buffer overflows?
      • No. They have these too ...
      • A Google search for "buffer overflow vulnerabilities in linux 2013" came back with 286,000 hits
      • Among the problems:
        • Stack-based X Windows vulnerability, affecting all Linux distributions
        • Adobe Flash Player on Linux
      • Re-running the search as "buffer overflow vulnerabilities in linux kernel 2013" came back with 74,000 hits

  15. Unvalidated Input Attacks
      • Any input received by a program from an untrusted source is a potential target for attack
      • Hackers look at every source of input and try to inject their own code or script to be run by the system accepting the input
      • This may allow them unauthorized access

  16. Validating Input
      • Input needs to meet the programmer's expectations for whatever input is required: HTML, email, a user id or a valid database request
      • Compare input to what is known to be acceptable; commonly this uses regular expressions, which are patterns of characters that describe allowable input
      • Bad input is either rejected or altered
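Added example, not part of the slides: an allowlist check for a user id using POSIX regular expressions, the approach slide 16 describes. The pattern and the sample inputs are constructed for this illustration.

```c
#include <regex.h>
#include <stdio.h>

/* Allowlist for a user id: a lower-case letter followed by 2 to 15
   lower-case letters, digits, '.', '_' or '-'. The rule is constructed
   for this example; a real system takes it from its own specification.
   ^ and $ anchor the pattern so the WHOLE string must match, not just
   some substring buried inside otherwise-bad input. */
#define USERID_PATTERN "^[a-z][a-z0-9._-]{2,15}$"

/* Returns 1 when input matches the allowlist exactly, 0 otherwise
   (including when the pattern itself fails to compile: fail closed). */
int userid_is_valid(const char *input)
{
    regex_t re;
    if (regcomp(&re, USERID_PATTERN, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int rc = regexec(&re, input, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    const char *samples[] = {              /* constructed inputs */
        "alice", "bob_2014", "a.lice-2",   /* acceptable */
        "Alice",                           /* upper case not allowed */
        "al ice",                          /* whitespace */
        "alice<b>",                        /* markup characters */
        "al",                              /* too short */
        "",                                /* empty */
        "abcdefghijklmnopq",               /* 17 characters, too long */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               userid_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```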

  17. Race Condition
      • A race condition exists when two events can occur out of sequence, i.e. unexpectedly
      • If the correct sequence is required for proper functioning of the program, the potential vulnerability can be exploited
      • If an attacker can cause the correct sequence not to happen and insert malicious code, change a filename, or otherwise interfere with normal operation, the race condition is a security vulnerability
      • Attackers can sometimes take advantage of small time gaps in the processing of code to interfere with the sequence of operations, which they then exploit

  18. Race Conditions
      • There are two basic types of race condition that can be exploited
        1. Time of check/time of use
        2. Interprocess communication

  19. Race Condition: Time of Check/Time of Use
      • The application checks some condition before undertaking an action
      • For example, it might check to see if a file exists before writing to it
      • An attacker, by continuously running a program that creates new temporary files, can create the file in the gap between when the application checked to make sure the temporary file didn't exist and when it opens it for writing
      • The application then opens the attacker's file and writes to it ...
      • The system routine opens an existing file if there is one, and creates a new file only if there is no existing file
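Added example (not from the slides): the check-then-open sequence described above written out in C, next to the fix, an open() with O_CREAT | O_EXCL so the kernel performs the existence check and the create as one step. The /tmp path is constructed for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Racy pattern from the slide: the existence check and the open are two
   separate system calls, so a file can be created in the gap and the
   program then opens (and writes to) a file it did not create. Shown
   for comparison only; the demo below never calls it. */
int create_file_check_then_open(const char *path)
{
    if (access(path, F_OK) == 0)                       /* time of check */
        return -1;                                     /* "already exists" */
    /* ... the gap an attacker can race into ... */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* time of use */
}

/* Fixed pattern: O_CREAT | O_EXCL makes the kernel check and create in
   one atomic step. If the path already exists (including as a symlink)
   the open fails with errno == EEXIST instead of opening someone
   else's file. */
int create_file_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Demo: create the same path twice. Returns 1 when the first create
   succeeds and the second is refused with EEXIST, which is the
   behaviour the check-then-open version cannot guarantee. */
int exclusive_create_refuses_existing(const char *path)
{
    unlink(path);                                  /* start clean */
    int fd = create_file_exclusive(path);
    if (fd < 0)
        return 0;
    close(fd);
    int second = create_file_exclusive(path);
    int refused = (second < 0 && errno == EEXIST);
    if (second >= 0)
        close(second);
    unlink(path);                                  /* tidy up */
    return refused;
}

int main(void)
{
    /* Constructed path for the demo; real code would use mkstemp(). */
    const char *path = "/tmp/cscd303_toctou_demo.txt";
    printf("second O_EXCL create refused: %s\n",
           exclusive_create_refuses_existing(path) ? "yes" : "no");
    return 0;
}
```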

  20. Race Condition: Interprocess Communication
      • Separate processes—either within a single program or in two different programs—sometimes have to share information
      • For example, if two processes share the same data, a potential attacker could alter the data after one process sets it but before the other reads it
      • The solution to race conditions of this type is to use some locking mechanism to prevent one process from changing a variable until another is finished with it

  21. Access Control
      • Many OS security vulnerabilities are created by careless or improper use of access controls, or by failure to use them at all
      • Exploits involve an attacker somehow gaining more privileges than they should have
      • Privileges, also called permissions, are access rights granted by the operating system
      • They control who is allowed to read and write files, see directories, or execute a program

  22. Access Controls: Operating Systems
      • Access controls provided with an operating system typically authenticate users using some mechanism such as passwords or Kerberos, then mediate their access to files, communications ports, and other system resources
      • Their effect can often be modelled by a matrix of access permissions, with columns for files and rows for users
      • Following example ...
      • We'll write r for permission to read, w for permission to write, x for permission to execute a program, and (-) for no access at all

  23. Access Controls: Operating Systems
      • Alice, the manager, needs to execute the operating system and the application, but she mustn't have the ability to tamper with them. She also needs to read and write the data.
      • Bob, the auditor, can read everything and execute the OS
      • Sam, the accountant, needs read, write and execute on the OS and Prog (the program)

  24. Access Control: Operating Systems
      • Individual and Group Access Control
      • So far, we have talked about individual access control
      • Group access control is another level of security
      • Typical to have several groups
        • Users vs Administrators
        • Could also be distinctive roles: Accountants, Managers, Sales Staff

  25. Access Control Lists
      • Groups are implemented via Access Control Lists
      • Formally, individual and group access can be specified with Access Control Lists
      • Store ownership and access along with the resource
      • Example - Accounting Data: Sam and Alice can read and write (rw); Bob can only read (r)
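Added example, not from the slides: a small ACL evaluator in C encoding the accounting-data list from slide 25, with one group entry, one individual entry and default deny. The group membership table and the struct names are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Permission bits, matching the slides' r / w / x notation. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4 };

/* One ACL entry: a principal (user or group name) and its rights. */
struct ace { const char *principal; int is_group; int perms; };

/* A resource stores its ownership/access list alongside itself. */
struct resource { const char *name; const struct ace *acl; size_t n; };

/* Constructed group membership: Alice and Sam in accounting, Bob in audit. */
static const char *GROUPS[][2] = {
    { "alice", "accounting" }, { "sam", "accounting" }, { "bob", "audit" },
};

static int user_in_group(const char *user, const char *group)
{
    for (size_t i = 0; i < sizeof GROUPS / sizeof GROUPS[0]; i++)
        if (!strcmp(GROUPS[i][0], user) && !strcmp(GROUPS[i][1], group))
            return 1;
    return 0;
}

/* Accounting data from slide 25: the accounting group gets rw, Bob is
   listed individually with r. Anyone not named here gets nothing. */
static const struct ace ACCOUNTING_ACL[] = {
    { "accounting", 1, PERM_READ | PERM_WRITE },   /* group entry */
    { "bob",        0, PERM_READ },                /* individual entry */
};
const struct resource ACCOUNTING_DATA = { "accounting data", ACCOUNTING_ACL, 2 };

/* Default deny: grant only if some entry names the user, or a group the
   user belongs to, and that entry carries every requested bit. */
int check_access(const char *user, const struct resource *res, int perm)
{
    for (size_t i = 0; i < res->n; i++) {
        const struct ace *e = &res->acl[i];
        int matches = e->is_group ? user_in_group(user, e->principal)
                                  : strcmp(user, e->principal) == 0;
        if (matches && (e->perms & perm) == perm)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "sam", "mallory" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s %c%c\n", users[i],
               check_access(users[i], &ACCOUNTING_DATA, PERM_READ)  ? 'r' : '-',
               check_access(users[i], &ACCOUNTING_DATA, PERM_WRITE) ? 'w' : '-');
    return 0;
}
```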

  26. Access Control
      • Of particular interest to attackers is gaining root or administrator privileges
      • Unrestricted permission to perform any operation on the system
      • An application running with root privileges can access everything and change anything
      • Many security vulnerabilities involve programming errors that allow an attacker to obtain root privileges
      • Some involve taking advantage of buffer overflows or race conditions ...

  27. Authentication and Authorization
      • Access control enforced by applications requires users to authenticate before granting authorization to perform an operation
      • Authentication can involve requesting a user's credentials:
        1. User name and password
        2. Digital certificates
        3. Biometrics - fingerprints, iris/retina scan
        4. Dynamic biometrics - signature, voice recognition

  28. Authentication as Security Mechanism
      • What is authentication?
      • Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be
      • How do we do this in the real world?

  29. Digital Authentication
      • How do computers use authentication?
      • To grant access to resources
        • Typically information, but also access to hardware, printers, other systems
        • Also, access to being able to run certain programs

  30. Users as Vulnerabilities
      • Often the weakest link in the chain of security features protecting a user's data and software is the user himself
      • Attackers increasingly concentrate on fooling users into executing malicious code or handing over passwords, credit-card numbers, and other private information
      • Default passwords, no passwords or weak passwords contribute to users as vulnerabilities

  31. Passwords as Authentication Mechanisms

  32. Users and Passwords
      • Fortunately or unfortunately ...
      • Users must be entrusted with the security of their own systems
      • Passwords are still used extensively as a way to authenticate people
      • Why are they still used?
        • Easy to use, people know how to use them and are familiar with them, cheap!!
        • Can be used both locally and remotely: on your home PC and over the Internet

  33. Passwords
      • While we may find them annoying, and even take them for granted, it is important to remember why passwords are important
      • Passwords are often the first, and possibly the only, defense against intrusion

  34. Password Weaknesses
      • If a password is sent in the clear, it can be intercepted
      • If the password is encrypted, this requires establishment of an encryption key: where is the key stored, and can the key be compromised?
      • People choose bad passwords
      • Passwords are easily observed
      • Passwords can be sniffed by spyware

  35. People Give Away Passwords
      http://news.bbc.co.uk/2/hi/technology/3639679.stm
      • Security crumbles in the face of sweet bribes
      • More than 70% of people would reveal their computer password in exchange for a bar of chocolate, according to a survey
      • It also showed that 34% of respondents volunteered their password when asked, without even needing to be bribed

  36. Disadvantages of Passwords
      Note: Passwords are generally pretty weak
      • University of Michigan: 5% of passwords were goblue
      • Passwords are often used in more than one place

  37. Disadvantages of Passwords
      • An attacker who can access the hashed password can guess and test passwords offline: "password cracking"
      • Lots of help:
        • John the Ripper
        • Cain and Abel
        • THC Hydra
      • You will get to see how easy it is to use Cain and Abel

  38. How to Break Passwords
      • Three main ways programs "crack" passwords
      1. Dictionary attack - tries thousands of words from dictionary files as possible passwords
         • Every word from the dictionary is tested in a variety of modifications: cat - tac, cat1, cated
         • Encrypt words from a list of English words and compare each encryption against the stored encrypted version of users' passwords

  39. How to Break Passwords
      2. Brute Force Attack
         • Finds passwords by checking all possible combinations of characters from the symbol set
         • You can make a big brute-force dictionary to implement a brute-force attack
         • Actually, you don't have to ... these come with automated tools!!!

  40. How to Break Passwords
      3. Guessing Attack - guess based on something "known"
         • blank (none)
         • the words "password", "passcode", "admin" and their derivatives
         • a row of letters from the qwerty keyboard: qwerty itself, asdf, or uiop
         • user's name or login name
         • name of their significant other, a friend, relative or pet
         • birthplace or date of birth, or a friend's, or a relative's
         • automobile license plate number, or a friend's, or a relative's
         • office number, residence number or, most commonly, their mobile number

  41. Effectiveness of Password Guessing
      How well do these work? Guessing ...
      • September 2008: the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who researched the answers to two of her security questions (zip code and date of birth) and was able to guess the third, where she met her husband!

  42. Twitter Hacker Succeeded with Self-authored Tool
      • Weak Password Brings 'Happiness' to Twitter Hacker: an 18-year-old hacker with a history of celebrity pranks has admitted to hijacking multiple high-profile Twitter accounts, including President-Elect Barack Obama's and the official feed for Fox News - 2009
      http://www.wired.com/threatlevel/2009/01/professed-twitt/

  43. Effectiveness of Password Guessing
      • Another example
      • Gary McKinnon, accused of perpetrating the "biggest military computer hack of all time", claimed that he was able to get into the military's networks by using a Perl script that searched for blank passwords
      • His report suggests that there were computers on these networks with no passwords at all!

  44. Effectiveness of Password Cracking
      Penn State CS Engineering Department
      • Ran John the Ripper on CSE authentications - 3500 in all
      • In the first hour, 25% were recovered
        - About half of these due to dictionary attacks
        - But half using other heuristics and brute force
      • Over 5 days, 35% were recovered
        - Steady-state recovery due to brute force
      Top password cracking software listed here: http://sectools.org/crackers.html

  45. Password Cracking Stats

  46. Common Password Advice
      Cat or Dog - Bad
      Qvmerx49z! - Good
      • Should be at least 8 characters
      • Use characters from each of the following four classes:
        • English upper case letters
        • English lower case letters
        • Arabic numerals (0, 1, 2, ...)
        • Non-alphanumeric (special) characters such as punctuation symbols
      • Don't use a proper name or any word in the dictionary without misspelling it in some way
      • Don't reuse a password you have used before
      • Don't use the same password for different types of systems
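Added example (not from the slides): a C checker for the rules on this slide that can be tested mechanically (length, the four character classes, and not a dictionary word even with digits or punctuation bolted on, which slide 38 notes cracking tools try), returning one bit per broken rule. The deny-list is a short constructed one drawn from the guesses on slides 36 and 40.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Problems found by the checker, one bit each, so a caller can tell the
   user exactly which of the slide's rules the password breaks. */
enum { PW_TOO_SHORT = 1, PW_NO_UPPER = 2, PW_NO_LOWER = 4,
       PW_NO_DIGIT = 8, PW_NO_SPECIAL = 16, PW_COMMON_WORD = 32 };

/* Short deny-list constructed from the guesses on slides 36 and 40; a
   real checker compares against a large dictionary. */
static const char *COMMON_WORDS[] = {
    "password", "passcode", "admin", "qwerty", "asdf", "uiop", "goblue",
};

/* Cracking tools try words with digits and punctuation bolted on
   ("cat1", "Password1!"), so compare only the letters, lower-cased. */
static int letters_spell_common_word(const char *pw)
{
    char core[64];
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)pw;
         *p && n < sizeof core - 1; p++)
        if (isalpha(*p))
            core[n++] = (char)tolower(*p);
    core[n] = '\0';
    for (size_t i = 0; i < sizeof COMMON_WORDS / sizeof COMMON_WORDS[0]; i++)
        if (strcmp(core, COMMON_WORDS[i]) == 0)
            return 1;
    return 0;
}

/* Returns 0 when the password satisfies every rule on the slide that can
   be checked mechanically, otherwise the OR of the problems found. */
int password_problems(const char *pw)
{
    int seen[4] = { 0, 0, 0, 0 };   /* upper, lower, digit, special */
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++)
        seen[isupper(*p) ? 0 : islower(*p) ? 1 : isdigit(*p) ? 2 : 3] = 1;
    int flags = strlen(pw) < 8 ? PW_TOO_SHORT : 0;
    for (int c = 0; c < 4; c++)
        if (!seen[c])
            flags |= PW_NO_UPPER << c;   /* yields 2, 4, 8, 16 in order */
    if (letters_spell_common_word(pw))
        flags |= PW_COMMON_WORD;
    return flags;
}

int main(void)
{
    const char *samples[] = { "cat", "Qvmerx49z!", "Password1!", "goblue" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s problems = %d\n", samples[i], password_problems(samples[i]));
    return 0;
}
```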

  47. How Passwords are Used
      • Windows files: on Windows systems password hashes are stored in the SAM (Security Accounts Manager) database
      • Unix/Linux files: on Unix/Linux systems the password hashes are stored in the /etc/shadow file
      • Authentication process:
        • User enters password, example: catdog
        • Hash is computed, Hash(catdog) = sMxYb7$og4uxH4oHXAVwf
        • The computed hash is compared to the stored hash
        • Access granted or denied

  48. Summary
      • Vulnerabilities are in ALL current popular OS's
      • Hard to go beyond the "hype" to understand how vulnerable you are given a certain OS
      • Try to discover for yourself how secure the OS you are using is
      • Read bulletins, seek opinions of people you trust and try to protect yourself
      • Buy add-on security products, disable OS features, run with reduced privilege

  49. References and Reading Material
      Secure Coding in Linux - Free Book: http://www.dwheeler.com/secure-programs/
      Secure Coding Guide: https://developer.apple.com/library/mac/#documentation/security/Conceptual/SecureCodingGuide/Articles/TypesSecVuln.html

  50. The End
      Next time: Specifics, Windows vs. Linux; go over Assignment
