looking at vulnerabilities n.
Skip this Video
Loading SlideShow in 5 Seconds..
Looking at Vulnerabilities PowerPoint Presentation
Download Presentation
Looking at Vulnerabilities

Loading in 2 Seconds...

play fullscreen
1 / 40

Looking at Vulnerabilities - PowerPoint PPT Presentation

  • Uploaded on

Looking at Vulnerabilities. Dave Dittrich The Information School /Computing & Communications University of Washington. Microsoft campus 8/25/03. Overview. Background concepts Your typical look at Vulnerabilities, Risk vs. Cost A (real!) complex attack scenario

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Looking at Vulnerabilities' - gitel

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
looking at vulnerabilities

Looking at Vulnerabilities

Dave DittrichThe Information School /Computing & CommunicationsUniversity of Washington

Microsoft campus 8/25/03

  • Background concepts
  • Your typical look at
    • Vulnerabilities, Risk vs. Cost
  • A (real!) complex attack scenario
  • A different view of vulnerabilities
    • Trust relationships
    • Attack trees
    • Atypical/uncommon vulnerabilities
ddos attack traffic 1
DDoS Attack Traffic (1)

One Day Traffic Graph

ddos attack traffic 2
DDoS Attack Traffic (2)

One Week Traffic Graph

ddos attack traffic 3
DDoS Attack Traffic (3)

One Year Traffic Graph

sans top 20 vulnerabilities
Windows Top 10

Internet Information Server (IIS)

Microsoft Data Access Server (MDAC)

SQL Server


Anonymous login/null session

LAN Manager Authentication(Weak LM hash)

General Windows Authentication (Accounts w/o pwd, bad pwd)

Internet Explorer

Remote Registry Access

Windows Scripting Host

Unix Top 10

Remote Procedure Call (RPC) services

Apache Web Server

Secure Shell (SSH)

Simple Network Management Protocol (SNMP)

File Transfer Protocol (FTP)

Berkeley “r” utilities(trust relationships)

Line Printer Daemon (LPD)



General Unix Authentication (accounts w/o pwd, bad pwd)

SANS Top 20 Vulnerabilities


attack sophistication vs intruder technical knowledge
Attack sophistication vs. Intruder Technical Knowledge

binary encryption


“stealth” / advanced scanning techniques


denial of service

packet spoofing


attack tools




www attacks

automated probes/scans


back doors

network mgmt. diagnostics

disabling audits






exploiting known vulnerabilities

password cracking


password guessing







Source: CERT/CC (used w/o permission & modified “Can you say ‘fair use?’ Sure, I knew you could.” IHO Fred Rogers)

uw medical center kane incident
UW Medical Center “Kane” Incident
  • Goal: How hard to obtain patient records?
  • Windows 98 desktop w/trojan or no pwd
  • Sniffer
    • Linux server -> Windows NT PDC/F&P server
    • Unix email server
  • Windows PDCs, BDCs
  • Windows Terminal Server (>400 users)
  • Access database file (>4000 patient records: Name, SSN, Home number, treatment, date…)
  • SecurityFocus -> ABC News
trust relationships
Trust relationships
  • Client<->Server
  • IP based ACLs
  • Shared password/symmetric key
  • Shared network infrastructure
  • Sensitive data in email
  • Sensitive files on servers
attack trees
Attack Trees
  • “Secrets and Lies,” Bruce Schneier, ISBN 0-471-25311-1, chapter 21
  • Goal is root node: Sub-goals are lower nodes/leaves
  • And/Or relationship between nodes
  • Attributes: Likelihood, equipment required, cost of attack, skill required, legality, etc.
attack tree example 1
Attack Tree Example 1


attack tree example 2
Attack Tree Example 2


attack tree example 3
Attack Tree Example 3

Survivability Compromise: Monitor network traffic

OR: 1. Install sniffer on desktop.

OR: 1. Use email trojan horse.

2. Use remote exploit.

3. Use Windows remote login service.

OR: 1. Use passwordless Administrator account.

2. Brute force passwords on all listed accounts.

3. Brute force passwords on common accounts.

2. Install sniffer on Unix/Windows server

OR: 1. Use remote exploit.

2. Steal/sniff password to root/Administrator account.

3. Guess password to root/Administrator account.

3. Man-in-the-middle attack on SSL/SSH.

attack tree example 4 nested
Attack Tree Example 4 (Nested)

Survivability Compromise: Disclosure of Patient Records

OR: 1. Attack Med Center network using connections to the Internet

OR: 1. Compromise central patient records database (PRDB).

AND: 1. Identify central PRDB.

OR: 1. Scan to identify PRDB.

2. Monitor network traffic to identify PRDB.

2. Compromise central PRDB.

OR: 1. Use Remote Exploit.

2. Monitor network traffic to sniff pwd to account.

3. Guess password to account.

2. Obtain file(s) containing patient records.

OR: 1. Monitor network traffic to capture patient records.

2. Compromise file server or terminal server.

OR: 1. Use Remote Exploit.

2. Monitor network traffic to sniff Administrator pwd.

3. Guess password to User/Administrator account.

atypical vulnerabilities
Atypical Vulnerabilities
  • Network Infrastructure
  • Special Devices
  • Non-technical (Social) Issues
border routers
Border Routers
  • BGP (route insertion/withdrawal)
  • Address forgery
  • Source routing
  • Denial of Service
  • Remote service exploit & “Root kits”
  • Lack of visibility/access to traffic flows
internal routers switches
Internal Routers/Switches
  • OSPF, RIP & other protocols
  • Address forgery
  • ARP spoofing
  • Sniffing (SNMP community string, pwd)
  • Denial of Service
  • Lack of visibility/access to traffic flows
  • Gateways to legacy apps
  • Web apps
  • Insufficient logging/auditing
  • Hiding in plain sight
  • Control of software configuration
network printers
Network Printers
  • Change “Ready” message
  • FTP bounce scan, other scanning
  • File cache
  • SNMP/web admin front ends, back doors
  • Disclosure of print jobs
    • Passive monitoring
    • Redirection of print jobs
medical devices photocopiers printers
Medical “devices”, photocopiers, printers
  • Proprietary or OEM OS (e.g., Solaris, IRIX)
    • Many (non-essential) services turned on
    • Typically behind the curve on patches
  • Remote management (HTTP, SNMP)
  • Heavy use of unencrypted protocols (e.g., FTP, LPR, Berkeley “r” utilities)
  • “What? The hackers are back?”
pbxs voice services
PBXs, voice services
  • Monitoring
  • Theft of Service
  • Fraud/social engineering
  • Denial of Service
  • Malware Cache (PC based VM)
social issues
Social Issues
  • Not recognizing threats & risks
  • Assuming attacks are simple
  • Assuming things are what they seem (e.g., Slammer, Nimda, SoBig)
  • Assuming attacks/defenses are direct
  • Assuming you have it handled
so how do we fix things
So how do we fix things?
  • Information Assurance
    • Education (start to finish)
    • Research
    • Practice (Corporations, government... everyone!)
information assurance
Information Assurance
  • Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation.
  • This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999

nsa centers of excellence
NSA Centers of Excellence
  • Outreach program designed and operated by the National Security Agency (NSA)
  • Fulfills the spirit of Presidential Decision Directive 63 (PDD 63 - National Policy on Critical Infrastructure Protection, May 199)
  • Goal: To reduce vulnerability in our national information infrastructure by promoting higher education in IA, and producing a growing number of professionals with IA expertise in various disciplines
where are they
Where are they?
  • As of May 2003, 50 Centers nationwide
  • Mostly the East Coast
  • Closest to Seattle are Portland State, University of Idaho, Idaho State UniversityFor more info:http://www.nsa.gov/isso/programs/coeiae/index.htm
benefits to the nation
Benefits to the nation
  • Meet national demand for professionals with IA expertise in various disciplines
  • Professionals enter the workforce better equipped to meet challenges facing our national information infrastructure
  • Centers act as focal points for recruiting individuals with IA expertise
  • Centers create a climate and foci to encourage independent research in critical IA areas
  • Vulnerabilities exist in places you might not think
  • Vulnerabilities are additive, interrelated
  • Complex attacks call for complex defenses/response
  • If you’re not learning something new every day, you’re falling behind your adversary
  • dittrich @ u.washington.edu
  • http://staff.washington.edu/dittrich/
  • UW Medical Center
    • http://www.securityfocus.com/news/122/
    • http://www.hipaausa.com/hacker.html
    • http://www.cio.com/archive/110102/rules_content.html
    • http://www.cio.com/archive/031502/plan_content.html
  • Attack trees
    • http://www.counterpane.com/attacktrees-ddj-ft.html
  • Networking
    • http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24
    • http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt
    • http://www.securityfocus.com/infocus/1594
references cont
References (cont)
  • Routers
    • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt
    • http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf
    • http://www.net-tech.bbn.com/sbgp/IETF42.ppt
    • http://www.cymru.com/Presentations/barry.pdf
    • http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerability.pdf
    • http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf
references cont1
References (cont)
  • Switches, ARP, local network attacks
    • http://www.comnews.com/stories/articles/c0103sfarea.htm
    • http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
  • Printers
    • http://members.cox.net/ltw0lf/printers/
  • PBXs
    • http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
  • DDoS, “root kits”
    • http://www.cert.org/reports/dsit_workshop.pdf
    • http://www.cert.org/archive/pdf/Managing_DoS.pdf
    • http://staff.washington.edu/dittrich/misc/ddos/
    • http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq