1 / 32

DePaul University

DePaul University. Security Forum February 27, 2002. Presentations. Bill Eaheart Network Security – Network & Telecom Current Threats Eric Pancer Systems Security – ISS The Audience is listening John Kristoff Manager R&D - Network & Telecom Data Leaks Rob Thomas

rpenny
Download Presentation

DePaul University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DePaul University Security Forum February 27, 2002

  2. Presentations • Bill Eaheart • Network Security – Network & Telecom • Current Threats • Eric Pancer • Systems Security – ISS • The Audience is listening • John Kristoff • Manager R&D - Network & Telecom • Data Leaks • Rob Thomas • Guest Speaker - Life in the Underground

  3. Information Security at DePaul • Information Security Team (INFOSEC) • Eric Pancer – System Security • Bill Eaheart – Network Security • Role at the University • Promote awareness • Assist with computer security • Provide guidance and resources to DePaul community • Contact • infosec@infosec.depaul.edu • abuse@depaul.edu • http://networks.depaul.edu/security/

  4. Security Principles • Defense in depth • Physical Security • Intrusion Detection Systems • Firewalls • Auditing • Virtual Private Networks • Encryption • Strong Passwords • Access control Lists • Logging • Prevention is ideal – Detection is a must • Security through obscurity

  5. Who are the threats? Hackers A person who enjoys exploring the details of programmable systems and how to stretch their capabilities Crackers One who breaks security on a system Script Kiddies Do mischief with scripts and programs written by others, often without understanding the exploit they are using.

  6. Are you safe? Hacker/Cracker Skills vs. Availability of sophisticated tools

  7. Show me the numbers! 2001 CSI/FBI Computer Crime and Security Survey

  8. 80% of problems are due to …. • Is this changing?

  9. CERT Web Site www.cert.org

  10. CERT Statistics 1996 - 2001 Incidents Reported Vulnerabilities Reported

  11. Why do they do it? • Information • Corporate • Source Code • Resources • Storage • Access • Bandwidth • Launching point • Challenge • Activism • Political - Hacktivism

  12. How do they get in? • Ports • Services • Third-party software • Passwords • Social Engineering • Back Doors • Trojan Horses

  13. Information Gathering • The Company • Find Initial Information • Available information • Whois • Nslookup - Host

  14. Host Look up [user@test /]# host www.company.com Server: host.atthome.com Address: 192.168.10.10 Name: test.company.com Address: 10.10.81.10 Aliases: www.company.com

  15. Information Gathering • Address Range of the Network • American Registry for Internet numbers www.arin.net • Asia Pacific Network Information www.apnic.net • Reseaux IP Europeens www.ripe.net • Cyberabuse – www.cyberabuse.org • Traceroute

  16. ARIN whois The Company (NET-COMPANY) 100 South State Street Avenue Chicago, IL 60612 US Netname: COMPANY Netblock: 10.10.0.0 - 10.10.255.255 Coordinator: Company Administrator (ZD12-ARIN) abuse@company.com (312) 323-1234 Domain System inverse mapping provided by: DNS1.COMPANY.COM 10.10.120.120 DNS2.COMPANY.COM 10.10.240.120 Record last updated on 26-Mar-2001. Database last updated on 25-Feb-2002 20:01:06 EDT.

  17. Traceroute user@test /]# Tracing route to DNS1.company.com [10.10.80.10] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms badguy.home.com [192.20.40.50] 2 <1 ms <1 ms <1 ms rtr-isp.com [192.10.30.30] 3 <1 ms <1 ms <1 ms rtr-isp.com [192.10.20.20] 4 <1 ms <1 ms <1 ms 192.10.10.10 5 1 ms 1 ms 1 ms isp.location.net [16.6.9.33] 6 1 ms 1 ms 1 ms 16.6.9.122 7 15 ms 14 ms 11 ms 16.6.9.218 8 8 ms 10 ms 5 ms 10.10.1.1. 9 48 ms 84 ms 59 ms test.company.com [10.10.120.120] Trace complete.

  18. Information Gathering • Find Active Machines • Ping • Ping Sweep

  19. Ping Sweep [user@test /]# nmap –sP 10.10.82.11-30 Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Host d8211.company.com (10.10.82.11) appears to be up. Host d8212.company.com (10.10.82.12) appears to be up. Host d8213.company.com (10.10.82.13) appears to be up. Host d8214.company.com (10.10.82.14) appears to be up. Host d8215.company.com (10.10.82.15) appears to be up. Host d8216.company.com (10.10.82.16) appears to be up. Host d8217.company.com (10.10.82.17) appears to be up. Host d8218.company.com (10.10.82.18) appears to be up. Host d8220.company.com (10.10.82.20) appears to be up. Host d8221.company.com (10.10.82.21) appears to be up. Nmap run completed -- 21 IP addresses (18 hosts up) scanned in 2 seconds

  20. Information Gathering • Find open ports • Port scanners • Scanport for Windows • Nmap for *nix • Modems – War dialing • Figure out the operating system • Nmap

  21. Nmap [user@test /]# nmap -O 10.10.82.11 Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Interesting ports on test.company.com (10.10.1.1): (The 1520 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 37/tcp open time 6112/tcp open dtspc Remote OS guesses: Windows ME or Windows 2000 RC1 through final release Uptime 20.028 days (since Wed Feb 6 11:05:16 2002) Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

  22. Information Gathering • Figure out which services are running • Assumptions • Telnet • Vulnerability scanners • Commercial • ISS – Internet Scanner • CyberCop • Secure Scanner • Shareware • SARA • Nessus • SAINT

  23. Nessus Nessus Scan Report ------------------ SUMMARY - Number of hosts which were alive during the test : 1 - Number of security holes found : 4 - Number of security warnings found : 18 - Number of security notes found : 4 TESTED HOSTS test.company.com (Security holes found) DETAILS - List of open ports : . Information found on port telnet (23/tcp) Remote telnet banner : HP-UX test B.11.00 U 9000/800 (tc) login: ÿüÿüÿþÿþ!ÿþ . Vulnerability found on port snmp (161/udp) : SNMP community name: public CVE : CAN-1999-0517 CVE : CVE-1999-0018 ------------------------------------------------------ This file was generated by the Nessus Security Scanner

  24. Information Gathering • Exploiting the system • Clear map of the network • Active Machines • Types of Machines • Ports and Services • Potential vulnerabilities • Look for known vulnerabilities and run exploits

  25. Security Tools • Port Scanner – Nmap • Anti Virus – Norton’s, McAfee, Inoculate IT • Vulnerability Scanner – Nessus • Firewall – ZoneAlarm, PortSentry • IDS - Snort • Encryption Software – PGP, GNU PG • SSH • OpenSSH • PuTTY – ssh client • MD5

  26. Encryption -secure communication and data storage • Pretty Good Privacy – PGP • Develop by Philip Zimmerman • Restricted use • GNU PG • Complete and free replacement for PGP • Can be used without restriction • Public/Private Key

  27. Encryption Plain Text This is a test message. Encrypted -----BEGIN PGP MESSAGE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> qANQR1DBwU4DSTJMC1F2PksQCACdcf2IVYDlAr76yd5HF25PA3Qh6CCGBucLxgbt KQ5DfRqHduaU7BiCFbbbf188PM2iJraUsYUTz7kZAJ8DNx7JsJZcmo1gvs8UGUuP 7jkSBEGSv59C3sXOMq9Zvzcd0uReWzzsZv+cjqZNBkKlueC88sYZvaFM4DAfbpkf gXK2XWRVbgymilclY3drHiyBVAk+EGmmQ2gZ4sNLZmoFlPD1G2SOuQhp63n2XgHT ce/DpZ+rjDvF0dpDkv30G609cC82E0mVnzV9Ca6qNmxB2LY5P94ido2mfPp55T8h 5VBGL2k3pQOblpjE0fN8un8vHzM6fab5pCALDnUI06v5YVzZB/4yFGXOqUvd3fgf 1o/ayYkKZ+Cb6eKkUz4EmXASBmQNM9VBgXTjaizEHC4WCj3Crm7R1InDO9c47/9i YZZ6sHLJ0h5TU8SM1KfFRuJat438B2DElc9AECDQsqEM64BEOmqTKRkZ8OGdV0aE GcUpwcaif7WbrOlA8c/8kiNOOGGP/SqjnEesxjNfloKkhuy3Ck+j+D6jGu8B/96c YsKcKKk6GQwzopSmivhCZHOmDOdA4LIHzY+KTma+ASJGDlO1RTCECvQncn1G77Ll ktbBo5AtgeHi1uvk4qj1ZFr7fyVhwRdGP2wbxq8JupZ8h5DPyT4wM7TpgtlEjeSJ l4vuObkzyS4QPOiAADW3IxHheN/8ZAnW9V1M7B26ZXK0v15htVNwUPFuKghw4kOP epYVa+8f =WOpm -----END PGP MESSAGE-----

  28. Telnet • Telnet • Plain Text!! • SSH • Secure Shell program to log into another computer over a network, • secure communications over insecure channels. • Encrypted text

  29. I smell a password… Telnet session: Frame 30 (61 on wire, 61 captured) Telnet Data: login: Frame 32 (55 0n wire, 55 captured) Telnet Data: f Frame 36 (55 on wire, 55 captured) Telnet Data: r Frame 48 (55 on wire, 55 captured) Telnet Data: e Frame 51 (55 on wire, 55 captured) Telnet Data: d Frame 53 (54 on wire, 54 captured) Telnet Data: Password: Frame 60 (55 on wire, 55 captured) Telnet Data: f Frame 62 (55 on wire, 55 captured) Telnet Data: r Frame 65 (55 on wire, 55 captured) Telnet Data: e Frame 66 (55 on wire, 55 captured) Telnet Data: d Frame 68 (55 on wire, 55 captured) Telnet Data: f Frame 69 (60 on wire, 60 captured) Telnet Data: o Frame 72 (55 on wire, 55 captured) Telnet Data: o

  30. MD5 • MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest. [user@test /]# md5sum test.txt 2d282102fa671256327d4767ec23bc6b test.txt [user@test /]# md5sum test.txt 2bc4fd1e721de48ca6dfd992b2e88712 test.txt

  31. Security Sites • www.cert.org • www.ciac.org/ciac • www.incidents.org • www.securityfocus.com • http://csrc.ncsl.nist.gov/ • Vendor sites for patches

  32. References • Network Security, Private Communication in a PUBLIC World, by Charlie Kaufman, Radia Perlman and Mike Speciner • Computer Security Issues and Trends, Vol. VII No. 1 by Richard Power • Hackers Beware by Eric Cole • www.webopedia.com • www.nessus.org • www.nmap.org • www.cert.org

More Related