CSCE 815 Network Security, Lecture 19: Intruders (April 1, 2003)


Security Software Installed on SUNs

man crypt
• man -s 2 crypt and man -s 3 crypt both fail

man -k crypt
• Generates pages: Blowfish, RSA, DES, OpenSSL, EVP

OpenSSL on SUNs: man des

OpenSSL des(3)

NAME
    des_random_key, des_set_key, des_key_sched,
    des_set_key_checked, des_set_key_unchecked,
    des_set_odd_parity, des_is_weak_key, des_ecb_encrypt,
    des_ecb2_encrypt, des_ecb3_encrypt, des_ncbc_encrypt,
    des_cfb_encrypt, des_ofb_encrypt, des_pcbc_encrypt,
    des_cfb64_encrypt, des_ofb64_encrypt, des_xcbc_encrypt,
    des_ede2_cbc_encrypt, des_ede2_cfb64_encrypt,
    des_ede2_ofb64_encrypt, des_ede3_cbc_encrypt,
    des_ede3_cbcm_encrypt, des_ede3_cfb64_encrypt,
    des_ede3_ofb64_encrypt, des_read_password,
    des_read_2passwords, des_read_pw_string, des_cbc_cksum,
    des_quad_cksum, des_string_to_key, des_string_to_2keys,
    des_fcrypt, des_crypt, des_enc_read, des_enc_write - DES
    encryption

SYNOPSIS
    #include <openssl/des.h>

Intruders

Three classes of intruders (hackers or crackers):
• Masquerader
• Misfeasor
• Clandestine user

Intrusion Techniques

Systems maintain a file that associates a password with each authorized user.

The password file can be protected with:
• One-way encryption
• Access control

Brute-force attacks are possible if you can get access to the passwords:
• Guess the password, encrypt it, and check
• How long would it take?
  • Larger character set: more time
  • Longer password: more time

Password Guessing

In 1978, 16% of passwords (in one study) were 3 characters or less.

In a more recent study, the login name, the login name in reverse, and the two concatenated would obtain access to 8 - 30% of the accounts on a typical system.

In the CSE department, what would you guess?

Klein’s Password Guessing Experiment

Online article containing Table 9.4: http://wks.uts.ohio-state.edu/sysadm_course/html/sysadm-528.html

Out of 14,000, 24% of passwords were cracked.

Klein guessed:

1. User name, initials, login: 130 permutations of these were tried for each user
2. Dictionary: 60,000 (man -k dictionary)
3. Various permutations of “step 2 words,” e.g., change “o” to “0”, …
4. Capitalization permutations

ftp://www-wls.acs.ohio-state.edu:/pub/security/Dan_Klein_password_security.ps.Z

Intrusion Techniques

Techniques for guessing passwords:
• Try default passwords.
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary (60,000).
• Collect information about the user’s hobbies, family names, birthday, etc.
• Try user’s phone number, social security number, street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse.
• Tap the line between a remote user and the host system.
• Ideas?

Prevention: Enforce good password selection (Ij4Gf4Se%f#)

UNIX Password Scheme

Loading a new password (figure)

UNIX Password Scheme

Verifying a password file (figure)

Storing UNIX Passwords

UNIX passwords were kept in a publicly readable file, /etc/passwd.

more /etc/passwd

Format: login-name:encrypted_password:uid:gid:Name:home:shell

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
…
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:

Commands such as finger, who, … use this info. But so could crackers.

Now they are kept in a “shadow” directory and are visible only to “root”.

“Salt”

The salt serves three purposes:
• Prevents duplicate passwords.
• Effectively increases the length of the password.
• Prevents the use of hardware implementations of DES.
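The first two purposes can be seen in a small password table. This is an added example, not code from the lecture: it uses PBKDF2-HMAC-SHA256 from Python's hashlib in place of the DES-based crypt(3) the slides describe, and the user names, passwords and table layout are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumption: work factor chosen for this example

def load_password(password, salt=None):
    """Loading a new password: choose a salt, store salt and one-way hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Verifying: re-hash the offered password with the stored salt."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def unsalted(password):
    """What the table would hold with no salt (shown only for contrast)."""
    return hashlib.sha256(password.encode()).hexdigest()

def duplicate_users(table):
    """Groups of users whose stored entries are identical."""
    by_entry = defaultdict(list)
    for user, entry in table.items():
        by_entry[entry].append(user)
    return sorted(sorted(g) for g in by_entry.values() if len(g) > 1)

# Constructed accounts: alice and bob happen to pick the same password.
CHOSEN = {"alice": "Ij4Gf4Se%f#", "bob": "Ij4Gf4Se%f#", "carol": "Xk7#pQ2v"}
UNSALTED_TABLE = {u: unsalted(p) for u, p in CHOSEN.items()}
SALTED_TABLE = {u: load_password(p) for u, p in CHOSEN.items()}

if __name__ == "__main__":
    # Without a salt, anyone reading the table learns alice and bob share a password.
    print("unsalted duplicates:", duplicate_users(UNSALTED_TABLE))
    # With a per-user salt the two entries differ, yet each still verifies.
    print("salted duplicates:  ", duplicate_users(SALTED_TABLE))
    print("bob verifies:       ", verify_password("Ij4Gf4Se%f#", SALTED_TABLE["bob"]))
```

Because the salt is an input to the hash, a precomputed table of hashed guesses has to be rebuilt for every salt value, which is the sense in which the salt lengthens the password.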

Access Control

/etc/passwd in old Unix was readable by everybody to support finger, who, etc. This is a bad idea.

/etc/shadow is readable only by root.

Setuid bit in permissions
• Bit set in permissions
• Process changes to the owner of the file in execution
• For the passwd command, the owner is root, thus it changes to root and then can read /etc/shadow

getpwnam - function that returns the password entry ? excluding password ?

Password Selecting Strategies

User education

Computer-generated passwords
• FIPS PUB 181

Reactive password checking
• Periodically run a password cracker and shoot the violators
• Resource intensive

Proactive password checking
• Allow the user to select, but at the time of selection analyze the choice

Enforcing rules
• PINs can be no more than 4 decimal digits ?!!
• Must have at least x characters, from several standard sets, i.e., letters, digits, punctuation, uppercase, lowercase …

Password Selecting Strategies (cont)

Build a dictionary of bad passwords
• Problems: space and time

Two techniques for proactive password checking based on a rejection list:
1. Markov model for generation of guessable passwords [DAVI93]
2. Bloom filters [Spaf92b]

Markov Model

Figure 9.5 is a simplified Markov model (next slide)
• Alphabet of only three characters
• State is the identity of the most recent character
• The value on the arc (transition) is the probability that one character follows another in the list

Markov Model M = (m, A, T, k)
• m = number of states
• A = state space
• T = transition matrix
• k = order of the model; for a k-order model, the probability of making a transition depends on the k previous characters

Markov Model (Figure 9.5)

Markov Model Technique Details

Markov Model M = (m, A, T, 2)
• Note k = 2: 2nd order model
• M = ?? A

Construction of the transition matrix T (next slide)

Transforms “Is this a bad password?” into “Was this password generated by the Markov model?”

From a proposed new password, generate trigrams and check their frequencies, then see how likely the password is.

Transition Matrix

Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character.

For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij.

Compute the entries of T as follows:

$$T(i,j,k) = \frac{f(i,j,k)}{f(i,j,\ )}$$
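The construction above, worked through as an added example (not code from the lecture or from [DAVI93]): it builds f and T from a small constructed list of bad passwords and scores a proposed password by the average log-probability of its trigrams. The word list, the scoring rule, the floor for unseen trigrams and the threshold are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed list of bad passwords (an assumption, not course data).
BAD_WORDS = ["password", "passport", "passion", "sword", "wordpass",
             "letmein", "welcome", "dragon", "monkey", "master"]

def build_f(words):
    """f[(i, j)][k] = number of occurrences of the trigram ijk in the list."""
    f = defaultdict(lambda: defaultdict(int))
    for w in words:
        w = w.lower()
        for i, j, k in zip(w, w[1:], w[2:]):
            f[(i, j)][k] += 1
    return f

def T(f, i, j, k):
    """f(i,j,k) divided by the total number of trigrams beginning with ij."""
    row = f.get((i, j))
    if not row:
        return 0.0            # bigram ij never occurs in the list
    return row.get(k, 0) / sum(row.values())

def mean_log_T(f, candidate, floor=1e-6):
    """Average log-probability of the candidate's trigrams under the model.
    Unseen transitions get `floor` instead of 0 so the log is defined."""
    c = candidate.lower()
    grams = list(zip(c, c[1:], c[2:]))
    if not grams:
        return 0.0            # under 3 characters: treat as fully guessable
    return sum(math.log(max(T(f, *g), floor)) for g in grams) / len(grams)

def is_guessable(f, candidate, threshold=math.log(0.05)):
    """Reject when the model would plausibly have generated the candidate.
    The threshold is an assumption; a real checker would tune it on data."""
    return mean_log_T(f, candidate) >= threshold

F = build_f(BAD_WORDS)

if __name__ == "__main__":
    print("T(a,s,s) =", T(F, "a", "s", "s"))
    for pw in ["password", "swordpass", "xG%#jj98"]:
        verdict = "reject" if is_guessable(F, pw) else "accept"
        print(f"{pw:10s} mean log T = {mean_log_T(F, pw):8.3f} -> {verdict}")
```

"swordpass" is not in the list, but every one of its trigrams is, so the model rejects it; this is what a rejection list stored as a Markov model gains over an exact-match dictionary.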

Spafford (Bloom Filter)

A Bloom filter consists of k independent hash functions

$$H_i(X_j) = y, \quad 1 \le i \le k;\ 1 \le j \le D;\ 0 \le y \le N-1$$

where

X_j = jth word in password dictionary
D = number of words in password dictionary

The following procedure is then applied to the dictionary:

1. A hash table of N bits is defined, with all bits initially set to 0.
2. For each password, its k hash values are calculated, and the corresponding bits in the hash table are set to 1.
3. If the bit is already set, it remains set.

Spafford’s use of Bloom Filters (cont)

When a new password is entered:

1. The k hash values are computed.
2. If all corresponding bits of the hash table are 1, the password is rejected.

Example:
• The dictionary contains “undertaker” and “hulkhogan” but not “xG%#jj98”
• And suppose that
  H1(undertaker) = 25, H1(hulkhogan) = 83
  H2(undertaker) = 917, H2(hulkhogan) = 432
• And also that when “xG%#jj98” is entered we calculate
  H1(“xG%#jj98”) = 917, H2(“xG%#jj98”) = 432
• Then we reject “xG%#jj98” -- a false positive

Spafford (Bloom Filter)

Design the hash scheme to minimize false positives. Why?

Probability of a false positive:

$$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$

or, equivalently,

$$R \approx \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$

where

k = number of hash functions
N = number of bits in hash table
D = number of words in dictionary
R = N/D, ratio of hash table size (bits) to dictionary size (words)
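The three-step procedure, the lookup rule and the false-positive formula can be checked against each other. The following is an added example, not code from the lecture or from [Spaf92b]: deriving the k hash functions from SHA-256 with the function index as a prefix is an assumption, and the dictionary and probe words are constructed.

```python
import hashlib
import math

class BloomFilter:
    def __init__(self, n_bits, k):
        self.n, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)   # step 1: N bits, all 0

    def _hashes(self, word):
        # H_i(word) for i = 1..k, each in 0..N-1. Deriving the k functions
        # from SHA-256 with the index as a prefix is this example's assumption.
        for i in range(1, self.k + 1):
            d = hashlib.sha256(f"{i}:{word}".encode()).digest()
            yield int.from_bytes(d[:8], "big") % self.n

    def add(self, word):
        for y in self._hashes(word):               # step 2: set the k bits
            self.bits[y // 8] |= 1 << (y % 8)      # step 3: set bits stay set

    def __contains__(self, word):
        # Reject (report "in dictionary") only if all k bits are 1.
        return all(self.bits[y // 8] & (1 << (y % 8)) for y in self._hashes(word))

def false_positive_probability(k, n_bits, d_words):
    """P from the slide: (1 - e^(-kD/N))^k."""
    return (1 - math.exp(-k * d_words / n_bits)) ** k

def ratio_for(p, k):
    """R = N/D needed for false-positive probability p with k hash functions."""
    return -k / math.log(1 - p ** (1 / k))

def measure(n_bits, k, d_words, probes=20000):
    """Load a constructed dictionary, then probe with words known to be absent."""
    bf = BloomFilter(n_bits, k)
    for j in range(d_words):
        bf.add(f"badword{j}")
    false_pos = sum(f"probe{j}" in bf for j in range(probes))
    return bf, false_pos / probes

if __name__ == "__main__":
    k, n_bits, d_words = 4, 50_000, 5_000          # R = N/D = 10
    bf, observed = measure(n_bits, k, d_words)
    print("every dictionary word rejected:",
          all(f"badword{j}" in bf for j in range(d_words)))
    print("predicted P:", round(false_positive_probability(k, n_bits, d_words), 4))
    print("observed  P:", round(observed, 4))
    print("R for P = 0.01, k = 4:", round(ratio_for(0.01, k), 2))
```

A dictionary word is never accepted, since adding it set all k of its bits; the only error is rejecting a good password, and the table size N controls how often that happens.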

Performance of Bloom Filter (figure)

The Stages of a Network Intrusion

1. Scan the network to:
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are “open” (being listened to by servers).
2. Run “Exploit” scripts against open ports.
3. Get access to a shell program which is “suid” (has “root” privileges).
4. Download from a hacker Web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Intrusion Detection

The intruder can be identified and ejected from the system.

Effective intrusion detection can prevent intrusions.

Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Profiles of Behavior of Intruders and Authorized Users (figure)

Intrusion Detection

Statistical anomaly detection
• Threshold detection
• Profile based

Rule-based detection
• Anomaly detection
• Penetration identification

Measures used for Intrusion Detection

• Login frequency by day and time.
• Frequency of login at different locations.
• Time since last login.
• Password failures at login.
• Execution frequency.
• Execution denials.
• Read, write, create, delete frequency.
• Failure count for read, write, create and delete.
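Two of these measures, password failures at login and login time, are enough to show the difference between threshold detection and profile-based detection. This is an added example, not code from the lecture: the audit records, the login history, the failure limit and the z-score limit are all constructed assumptions, and the profile assumes a user's usual login hours do not straddle midnight.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history: hour of day of each user's past successful logins.
HISTORY = {
    "alice": [9, 9, 10, 8, 9, 10, 9, 8, 9, 10],
    "bob":   [13, 14, 14, 15, 13, 14, 15, 14, 13, 14],
}

# Constructed audit records for one day: (user, hour, event).
TODAY = [
    ("alice", 9, "login_ok"),
    ("bob", 14, "login_fail"),
    ("bob", 14, "login_ok"),
    ("alice", 3, "login_ok"),
    ("carol", 2, "login_fail"),
    ("carol", 2, "login_fail"),
    ("carol", 2, "login_fail"),
    ("carol", 2, "login_fail"),
    ("carol", 2, "login_fail"),
]

def threshold_alerts(records, max_failures=3):
    """Threshold detection: one fixed limit on password failures for everyone."""
    fails = Counter(user for user, _, event in records if event == "login_fail")
    return sorted(user for user, n in fails.items() if n > max_failures)

def profile_alerts(records, history, z_limit=3.0):
    """Profile-based detection: compare each login hour with that user's own
    past behaviour and flag logins far outside it."""
    alerts = []
    for user, hour, event in records:
        past = history.get(user)
        if event != "login_ok" or not past:
            continue                        # no profile yet, nothing to compare
        mu = mean(past)
        sigma = max(pstdev(past), 0.5)      # floor keeps very regular users sane
        dist = abs(hour - mu)
        dist = min(dist, 24 - dist)         # hours wrap around midnight
        z = dist / sigma
        if z > z_limit:
            alerts.append((user, hour, round(z, 1)))
    return alerts

if __name__ == "__main__":
    print("threshold:", threshold_alerts(TODAY))
    print("profile:  ", profile_alerts(TODAY, HISTORY))
```

The fixed threshold catches carol's burst of failures but says nothing about alice's successful 3 a.m. login; the per-user profile catches that login while ignoring bob's single mistyped password.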

Distributed Intrusion Detection

Developed at University of California at Davis

Distributed Intrusion Detection (figure)

Viruses and “Malicious Programs”

Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).

Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Taxonomy of Malicious Programs

Malicious Programs
• Need Host Program
  • Trapdoors
  • Logic Bombs
  • Trojan Horses
  • Viruses
• Independent
  • Bacteria
  • Worms

Definitions

Virus - code that copies itself into other programs.

A “Bacteria” replicates until it fills all disk space, or CPU cycles.

Payload - harmful things the malicious program does, after it has had time to spread.

Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).

Definitions

Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).

Logic Bomb - malicious code that activates on an event (e.g., date).

Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.

Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

Virus Phases

Dormant phase - the virus is idle

Propagation phase - the virus places an identical copy of itself into other programs

Triggering phase - the virus is activated to perform the function for which it was intended

Execution phase - the function is performed

Virus Protection

• Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
• Do not execute programs (or "macros") from unknown sources (e.g., PS files, Hypercard files, MS Office documents,
• Avoid the most common operating systems and email programs, if possible.

Virus Structure (figure)

A Compression Virus (figure)

Types of Viruses

Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.

Memory-resident Virus - lodges in main memory as part of the residual operating system.

Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).

Stealth Virus - explicitly designed to hide from virus scanning programs.

Polymorphic Virus - mutates with every new host to prevent signature detection.

Macro Viruses

Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).

Platform independent.

Infect documents, delete files, generate email and edit letters.

Antivirus Approaches

1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes.

2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.

3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).

4th Generation, Full Featured: combine the best of the techniques above.

Advanced Antivirus Techniques

Generic Decryption (GD)
• CPU Emulator
• Virus Signature Scanner
• Emulation Control Module

For how long should a GD scanner run each interpretation?

Advanced Antivirus Techniques (figure)

Recommended Reading and WEB Sites

• Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990
• CERT Coordination Center (WEB Site)
• AntiVirus Online (IBM’s site)