
Page 1: D0004E Datorsäkerhet och drift · 4. The server service 5. SSDP Discovery service 6. IIS Services (FTP Publishing, IIS Admin, NNTP, SMTP, WWW publishing) 7. SNMP service Services

D0004E

Datorsäkerhet och drift

Computer System Security and Management

Introduction

Administrative details

Course page: http://www.sm.luth.se/csee/courses/d0004e/ (including a link to the on-line schedule)

Examiner: Jingsen Chen

Lab instructor: Rumen Kyusakov – Office: A2316 – Email: [email protected]

Course credits – Written exam (3 hp) – Laboratory work (4,5 hp)

Course Syllabus

Course Aim
After completing the course the student should be able to

• demonstrate knowledge of proven experiences and principles of security within computer systems and computer communication
• demonstrate abilities (based on limited information) to critically, independently, and creatively identify, formulate, and handle security vulnerabilities
• demonstrate abilities to apply and critically evaluate different strategies and techniques used in computer and communication security
• demonstrate abilities to perform basic security risk analyses with respect to a security policy, and analyze the implications for users and protected assets
• demonstrate abilities to plan and execute the basic tasks of installing an operating system and maintaining its integrity and security
• show practical skills in independently solving system administration problems and performing common system administration tasks
• demonstrate abilities to judge scientific, societal and ethical aspects of system administration and security

Main textbook

Dieter Gollmann, Computer Security. John Wiley and Sons Ltd; latest edition. ISBN: 9780470741153.

Additional reading
Evi Nemeth, Garth Snyder, Trent R. Hein, Ben Whaley, Unix and Linux System Administration Handbook. Prentice Hall; 4th edition. ISBN: 9780131480056.


Course evaluation (2012)

Comments to Course evaluation

The course has a focus on laboratory work. Some lectures are needed for the labs, others broaden the area.

Changes 2013
Not one single lecturer through the whole course.

Course outline

Updates on course webpage http://www.sm.luth.se/csee/courses/d0004e/

Lectures (first two weeks):
• Today: System administration (Andreas Nilsson)
• 6/9: Unix security (Rumen Kyusakov)
• 9/9: Introduction to IT/Information security (Dan Harnesk)

Laboratory work:
• 5/9: Lab intro (Rumen Kyusakov)

Later: Windows security, Authentication/access control, Database security, Cryptography, Communication security, Hacking session… Visit to LTU IT Service.

What does System Administrator do?


The system administrator

• "You are there for the user."
• "You are best when your services are invisible to the users – everything should just work."
• "All transitions should be seamless for the user."
In large systems:
• "Your work hours are for free – compared to the work hours of all users."
• "Take advantage of the hints multiple clients give."
• "Your goal when working is to make yourself obsolete – think ahead, and solve problems that are repeating – once and for all."

One computer vs. many computers

One computer
• Making the setup simple is unnecessary – you will learn it.
• You will get the optimal configuration.
• If the computer misbehaves it might be hard to find the error.
• New version of the software – no problem, you will learn.
• If the computer has to be reinstalled – the entire procedure has to be redone.

Many computers
• Spend a lot of time on the setup – otherwise you will have to teach all the others; the helpdesk has to be familiar with all systems.
• You will have to really learn how the users want their setup.
• The optimal setting that fits everybody does not exist.
• Being able to see whether a problem is common helps when computers start to misbehave.
• New version of software – is it really necessary? Compatibility, learning, bugs…
• If a computer has to be reinstalled – it is easy to get a fresh start again.

Two philosophies regarding setup

Simple (the user just sits down and starts to use it)
+ Saves time for the user.
- The users do not learn all the features of their system.
- The environment is not the optimal one for them.

Torgny way (the setup is so hopeless that the users are forced to learn how to tweak it before they can use it)
+ The users will learn.
- Does not save time for the users initially.
- As a sysadmin, you will not make many friends the first time – BOFH.

Different ways to install

• Manual installation
• Scripted installation
• Cloning
• Distributed installation, with a shared set of software

Or a combination of the above.


Windows vs Linux

• UNIX – "heavy" servers, not for users
• Traditionally UNIX is nothing for sissies
• When an application is installed and it starts, you are done.
• When it is good enough for "root", you are done.

• Windows – mostly clients, directly for users
• Windows is for users, not only for enthusiasts
• When the application is installed, your work has just begun.
• When the setup is so simple that you will not get any questions from the users, you are done.

Reinstallation

• Easy for the system administrator, the answer to all questions:“Let us try to reinstall the system”

Installation of a computer should be easy, reinstallation hard.

Users

Beware:
• Users can do anything, and have – if you check the logs.
• Users have not done anything – if you ask them.
• Users never know the meaning of the word "backup".
• Users can never verify that a backup is up to date.
• There is a reason why phishing is used.
• "Do" and "don't" are impossible to tell apart in the context of "Don't click on links in mail messages".
• If the user with computer problems at work does not know the difference between the "desktop" and the table on which the monitor is placed – put on the Adidas and walk over.
• If the user with computer problems at home does not know the difference between the "mouse" and the four-legged cheese eaters, ask the user to hand the phone to a son or daughter aged 5 or above.

Case #1

User 1 calls support – network down – technician 1 fails to reinstall
User 2 calls support – network down – technician 2 fails to reinstall
User 3 calls support – network down – technician 3 fails to reinstall
Users 4–20 call support – network down – support declares a MAJOR problem and hits the panic button.
Computers are carried to the support centre, which has network, in order to reinstall them.
Everybody is running around like headless chickens.
The fault: a network technician was working on the uplink to the switch serving that hallway.
The consequence: 5 reinstalled computers… because the network was gone.


Case #1 - Lesson

All users were neighbours, connected to the same switch. Knowledge of the physical world is necessary.

One user making a complaint might indicate a client failure. Two or more making the same complaint at the same time is rarely a client failure: look for common factors.

Case #2

User 1 complains – backup not functional, not all files in the backup
Users 2–40 complain – different problems with the backup
User 1 complains – login takes too long, after a power failure…
Support: let us reinstall.
Are you running the backup system? User 1: Yes
Important data? User 1: Yes
The computer was reinstalled, data from the backup was transferred back.
User 1: Almost everything is missing
Windows recovery was attempted – no result
The HDD was sent to IBAS – nothing could be recovered

Case #2 - Lesson

Backup software that fails for one user must be treated as a severe failure.

Support can never trust a user who states that he/she is running backups – a user can never say whether the backup is OK or not.

• Reinstall – the last resort
• Clone (image the disk) – before any reinstall, so that failed recovery attempts do not destroy what is left
• If that fails – stop trying, hand it to the pros

[Slide: directory listing of the restored backup. Among the files: winlisa.cpp, Vision.doc, VNC.doc, xampl.bib, and several entries restored at 0 bytes (Xerox6250_eti (name truncated in the listing), yasdi.doc, Yasdi2.doc, YASDIFY2.BAK, YASDIFY2.EXE, YASDIFY2.PAS). Total files listed: 27944 file(s), 1 002 590 563 bytes.]

History pre 1970 and 1970’s

• Few and large computers, generally not connected to each other.

• Threats:
  • Physical access – spying on the technology
  • Information theft
  • Access control

• Countermeasures:
  • Locks and thick walls
  • Encryption
  • Access control lists


History 1980’s

• The era of personal computers.
• Small computers, but in business they started to be connected into networks.
• Now user privilege levels had to be introduced.
• The networks ran over slow phone modems, so there was no real Internet yet.
• Worms and viruses were introduced – as was antivirus software.
• The Internet meant e-mail, FTP, telnet and gopher.
• SCA – 1987, the first virus for the Commodore Amiga platform. Its message:
  "Something wonderful has happened Your AMIGA is alive !!! and, even better... Some of your disks are infected by a VIRUS !!! Another masterpiece of The Mega-Mighty SCA !!"

History 1990 – Internet was born

• WWW – 1991
• Mosaic – 1993
• Java
• Denial-of-service attacks
• Firewalls were introduced
• IDS – intrusion detection systems
• Now: you should not send anything over the network that you would not accept seeing in the tabloids on the way home.

History 2000

• Everything is on the web: refrigerators, phones, wall outlets, water pumps, power plants (Stuxnet). Trudy can cause real damage, and hardware is hard to patch or replace. Trudy can be a state or an organization.

• Everything is to be found on the Internet: "truth", banking, airplane tickets, shops, drugs. Trudy has motivation.

• One username and password on each site…

Development/Progress?

Services to be closed in Windows XP
1. Messenger service
2. Remote Registry service
3. Computer Browser service
4. Server service
5. SSDP Discovery service
6. IIS services (FTP Publishing, IIS Admin, NNTP, SMTP, WWW Publishing)
7. SNMP service

Services to be closed in Windows 7
1. Application Experience
2. Computer Browser
3. Desktop Window Manager Session Manager
4. Diagnostic Policy Service
5. Distributed Link Tracking Client
6. IP Helper
7. Offline Files
8. Portable Device Enumerator Service
9. Print Spooler
10. Protected Storage
11. Remote Registry
12. Secondary Logon
13. Security Center
14. Server
15. Tablet PC Input Service
16. TCP/IP NetBIOS Helper
17. Themes
18. Windows Error Reporting Service
19. Windows Media Center Service Launcher
20. Windows Search
21. Windows Time

The lists are a starting point, not a rule: judge each service against what the host is for. Windows Time, for example, keeps the clock within the skew Kerberos tolerates, so stopping it on a domain-joined machine breaks domain logon; Print Spooler is only unneeded where nothing prints.


Meet “Trudy”

• Trudy is the name of the fictional adversary used by security people. Trudy is short for "intruder".
• The good people are usually called "Alice" and "Bob".

Malware – Malicious software, computer contaminant

• Virus – malware that replicates itself by inserting copies into parts of the computer (software, files, hard drive sectors…)

• Ransomware (related: scareware) – encrypts part of the computer, and the user has to pay a ransom to regain control of the data.

• Worms – mass-spreading, self-propagating malware
• Trojan horses – appear to be one thing but are something else
• Hack tools/remote access/rootkits – want information or resources
• Keyloggers – want information, credentials
• Dialers – modem hijackers
• Adware – web monitoring, web advertising
• Hoax – not a virus, but the behaviour of users passing it on resembles one
• Joke programs – disrupt normal behaviour
• Spyware – passwords, resources or behaviour
• Trackware – logs behaviour and relays it to a third party
• (Malicious) BHO – Browser "Helper" Object

The computer administrator's worst nightmare is not Trudy – meet the user

The ideal user knows:
• Critical thinking
• Things on the Internet that are too good to be true – are
• To be aware of phishing, social engineering, "Nigeria letters", etc.
• To have no special interests that are more appealing than others
• To be extremely strict when using the net

Man in the middle (SSL)

Where to do the attack? Assume a credit-card money transfer.


Exploit

• Trudy takes advantage of a bug/glitch or vulnerability to cause unintended behavior to occur.

Vulnerabilities

• Physical environment around the system
• The staff
• Management of the system
• Administrative procedures and organizational measures
• Service delivery
• Hardware
• Software
• Communication equipment
and combinations of the above.

Buffer overrun

• First understood and documented in 1972.
• Most likely in programs written in C or C++, which do no bounds checking: a write through an array index or pointer can reach any part of the process's memory.

Example:

    char A[6];
    unsigned short B = 1972;
    strcpy(A, "Andreas");

Assume B is laid out directly after A in memory (whether it really is depends on the compiler).

Before the copy:
           A                     B
    Value  [empty string]        1972
    Hex    00 00 00 00 00 00     07 B4

After strcpy(A, "Andreas"): "Andreas" is 7 characters, and strcpy also writes the terminating NUL, so 8 bytes are written into a 6-byte array. The slide's figure shows only the 's' spilling over:

           A                          B
    Value  'A' 'n' 'd' 'r' 'e' 'a'
    Hex    41 6E 64 72 65 61          73 B4   (= 29620)

Counting the NUL, both bytes of B are overwritten: 73 00, i.e. 29440 with the big-endian byte order drawn above; on a little-endian x86 the stored bytes B4 07 become 73 00 and B reads back as 0x0073 = 115. Either way an unchecked copy into A silently changed an unrelated variable, and a longer input keeps going into whatever follows B (other locals, saved registers, the return address).
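The overwrite above, replayed in code. This is an added example, not code from the slides: the frame is modelled as a plain byte array with A's 6 bytes immediately followed by B's 2 bytes, so the effect of the unchecked copy is well-defined and observable (a real strcpy past the end of A is undefined behaviour, and the compiler is free to place A and B anywhere). The function names and the bounded copy are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the lecture): a model of the slide's frame, 6 bytes
   of A directly followed by the 2 bytes of B, in one byte array. */
#define A_SIZE 6
#define FRAME_SIZE (A_SIZE + (int)sizeof(unsigned short))

/* Two bytes as they sit in memory (first at the lower address), read back as
   the unsigned short the CPU sees; keeps the result endianness-independent. */
unsigned short short_from_bytes(unsigned char first, unsigned char second)
{
    unsigned char raw[2] = { first, second };
    unsigned short v;
    memcpy(&v, raw, sizeof v);
    return v;
}

/* What strcpy(A, input) does to B when B follows A: copies strlen(input)+1
   bytes (the NUL included) with no regard for A's size. Returns B afterwards. */
unsigned short b_after_strcpy(const char *input, unsigned short b_initial)
{
    unsigned char frame[FRAME_SIZE] = { 0 };
    size_t n = strlen(input) + 1;          /* strcpy copies the terminating NUL too */

    memcpy(frame + A_SIZE, &b_initial, sizeof b_initial);
    if (n > sizeof frame)                  /* clamp so the model itself never overflows */
        n = sizeof frame;
    memcpy(frame, input, n);               /* the unchecked copy */

    unsigned short b;
    memcpy(&b, frame + A_SIZE, sizeof b);
    return b;
}

/* The bounded version: never writes more than A_SIZE bytes into A and always
   NUL-terminates (truncating the input), so B is left untouched. */
unsigned short b_after_bounded_copy(const char *input, unsigned short b_initial)
{
    unsigned char frame[FRAME_SIZE] = { 0 };
    size_t n = strlen(input);

    memcpy(frame + A_SIZE, &b_initial, sizeof b_initial);
    if (n > A_SIZE - 1)                    /* leave room for the NUL */
        n = A_SIZE - 1;
    memcpy(frame, input, n);
    frame[n] = '\0';

    unsigned short b;
    memcpy(&b, frame + A_SIZE, sizeof b);
    return b;
}

int main(void)
{
    unsigned short before = 1972;          /* 0x07B4 */
    unsigned short after = b_after_strcpy("Andreas", before);
    printf("B before:                       %u (0x%04X)\n", before, before);
    printf("B after strcpy(A, \"Andreas\"):   %u (0x%04X)\n", after, after);
    printf("B after bounded copy:           %u\n", b_after_bounded_copy("Andreas", before));
    return 0;
}
```

On x86 the second line prints 115 (0x0073): the 's' and the NUL have replaced both bytes of B. "Andre" (5 characters plus NUL) fits exactly and leaves B alone, which is the whole point of the bounded copy: the limit is the size of the destination, not the size of the input.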

Denial-of-service (DoS)

Goal: prevent the system from providing its ordinary service.
• Trudy can ask for 10 G connections/s while Bob's server can only serve 1000 connections/s. Alice, who wants 1 connection, is denied service by Bob's server.

• "Ping of Death" was the classic.
• Nowadays Trudy most likely has to use an exploit, or sheer volume (see DDoS), in order to succeed.


Distributed Denial-of-service (DDoS)

• Trudy controls a number of bots (or, in a smurf attack, third-party hosts that amplify her traffic), each instructed to open connections or make requests.

• Bob's server or network is not powerful enough to handle all the requests and cannot serve Alice.

Privilege elevation

• Trudy has gained some access to the system, then exploits an additional bug to gain more privileges.

• In Windows – go from local user to Administrator (the step UAC, User Account Control, is meant to gate)

• In Unix – go from user to "root"

• "Elevation" is also used when Trudy has access and can change to user Bob, who has the same privilege level (but perhaps another bank account...)

Limit the Attack Surface

• Close open ports
• Disable unneeded services
• Restrict where remote access is allowed from
• Firewalls
• Updates
• User credentials
• Passwords

Security by obscurity

SSH listens on port 22. Let us put SSH on port 28 instead.
Trudy can no longer find our SSH servers by probing 130.240.x.y:22; Trudy has to scan all ports on all servers, and then recognise the service from its banner.

Whether this counts as a real security measure is debated. A full scan of 65535 ports is cheap and the sshd banner identifies the service on any port, so the move stops only default-port scanners and cuts log noise. It does nothing about a weak password or an unpatched sshd; treat it as a complement to those, never as a substitute.


The level below

Physical access:
• Recovery tools – read directly from the HDD; mainly requires physical access.
• Unix devices – if there is a flaw in permissions, you can use the device files to read any file of your choice.
• Object reuse (release of memory) – read newly allocated memory before it is overwritten and find what the previous owner left there.
• Buffer overrun – write input so long that part of the "string" is executed as code.
• Backup – backups are good, but who has access to the backup, and to the old media?
• Core dump – make the software crash, read what is in the dump, and hope to get lucky.

Passwords – how to crack

Tools
• Brute force – test everything: A, B, …, Z, AA, AB, AC and so on
• Dictionary attack – test acai, acaizeiro, aight, agame, ... (http://nws.merriam-webster.com/opendictionary/newword_display_alpha.php)
• Find them in a cache, in memory, etc.
• Fool the user

Passwords – how to create

1. Change all default passwords immediately! The password of the admin user must not be "admin".
2. Never use empty passwords, not even behind a firewall.
3. The longer the password, the better (for security).
4. Avoid obvious passwords that can be looked up in a dictionary.
5. Mix upper and lower case, digits and symbols: the bigger the character space, the better. For 8 characters:
   Upper case only: 26^8 = 208 827 064 576 combinations
   Upper and lower case: 52^8 = 53 459 728 531 456 combinations
   Upper, lower, digits and symbols (about 100 characters; 94 in printable ASCII): 100^8 = 10 000 000 000 000 000 combinations

Increase security(?)

1. Password checker (makes sure the password is longer than X characters, has upper and lower case and digits; a simple dictionary attack is run on the password)
2. Password generated at random and checked, after which the user has to learn it.
3. Password ageing – the password is valid for X days, then the user has to change it. The last Y passwords are remembered.
4. Limit login attempts


The ultimate safety for an office clerk?

• The password length is 20 characters
• Upper case, lower case and digits have to be mixed
• The password has to be changed every week
• A dictionary attack is run on every password change
• The system remembers 10 old passwords, but only authenticates against the last one

Ultimate? No

• The common passwords will look like:
  "passwordDEC13"
  "Qazxswedcvfr01"
  "Qwertyuio45"
  and are therefore easy for Trudy to guess: a dictionary word or a keyboard walk, with a date or a counter appended to satisfy the checker.
• The password will be found under the keyboard or on a note on the screen.
• The system administrators will have to reset users' passwords all the time.
• A lot of users will simply be irritated with the system administrators, and change the password 10 times in a row so that they can go back to their favourite one.
• How are the 10 last passwords stored? (If in clear, the history itself is a password leak; it has to be kept as salted hashes, like the current password.)
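The checker from "Increase security(?)" and the passwords this slide predicts it will produce, side by side. This is an added example, not from the lecture: the policy (minimum length, mixed case, a digit, not a dictionary word) is the slide's, while the dictionary, the keyboard rows and the stem-normalisation rule are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the lecture). Dictionary and keyboard rows are
   constructed sample data; a real check would use full word lists. */
#define MIN_LEN 8
#define NWORDS 6

static const char *dictionary[NWORDS] = { "password", "secret", "summer", "welcome", "andreas", "letmein" };
static const char *keyboard_rows[]    = { "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890" };
static const char *months[]           = { "jan", "feb", "mar", "apr", "may", "jun",
                                          "jul", "aug", "sep", "oct", "nov", "dec" };

static int in_dictionary(const char *w)
{
    for (int i = 0; i < NWORDS; i++)
        if (strcmp(w, dictionary[i]) == 0)
            return 1;
    return 0;
}

/* The mechanical policy from the slide. Returns 1 if the password is accepted. */
int naive_policy_ok(const char *pw)
{
    int upper = 0, lower = 0, digit = 0;
    char lowered[64];
    size_t n = strlen(pw);
    if (n < MIN_LEN || n >= sizeof lowered)
        return 0;
    for (size_t i = 0; i < n; i++) {
        upper |= isupper((unsigned char)pw[i]) != 0;
        lower |= islower((unsigned char)pw[i]) != 0;
        digit |= isdigit((unsigned char)pw[i]) != 0;
        lowered[i] = (char)tolower((unsigned char)pw[i]);
    }
    lowered[n] = '\0';
    return upper && lower && digit && !in_dictionary(lowered);  /* the "simple dictionary attack" */
}

/* Normalise the way a cracker's rule set would: lower-case, strip trailing
   digits, then a trailing month abbreviation. Writes the stem into out. */
void password_stem(const char *pw, char *out, size_t outsz)
{
    size_t n = strlen(pw);
    if (n >= outsz)
        n = outsz - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)pw[i]);
    out[n] = '\0';
    while (n > 0 && isdigit((unsigned char)out[n - 1]))
        out[--n] = '\0';
    if (n >= 3)
        for (size_t m = 0; m < sizeof months / sizeof months[0]; m++)
            if (strcmp(out + n - 3, months[m]) == 0) {
                out[n - 3] = '\0';
                break;
            }
}

/* Returns 1 if the stem is a dictionary word or a run along one keyboard row. */
int predictable_pattern(const char *pw)
{
    char stem[64];
    password_stem(pw, stem, sizeof stem);
    if (in_dictionary(stem))
        return 1;
    for (size_t r = 0; r < sizeof keyboard_rows / sizeof keyboard_rows[0]; r++)
        if (strlen(stem) >= 4 && strstr(keyboard_rows[r], stem) != NULL)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "passwordDEC13", "Qwertyuio45", "Qazxswedcvfr01", "correcthorse", "Vn7#qLp2xTw" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s policy: %-6s predictable: %s\n", samples[i],
               naive_policy_ok(samples[i]) ? "accept" : "reject",
               predictable_pattern(samples[i]) ? "yes" : "no");
    return 0;
}
```

All three of the slide's passwords sail through the policy. The stem check catches "passwordDEC13" (word plus month plus counter) and "Qwertyuio45" (keyboard row plus counter), but not "Qazxswedcvfr01", which walks the keyboard column-wise: every pattern list is a step behind the users, which is the slide's point. Rejecting "correcthorse" for lacking an upper-case letter and a digit while accepting the three above shows how little the mechanical rules measure.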

Single Sign on – or one system one password?

Single sign-on
• E.g. Kerberos: authenticate to one server, and that server then authenticates you towards the other systems.
+ Users remember the one password.
+ If Kerberos itself is safe, authentication stays safe even if one of the other systems is compromised: the password is never sent to them, only tickets.
- If the password leaks, Trudy has access to all systems!

One system, one password
+ If one password leaks, only that system is compromised... or
- Users have trouble remembering rarely used passwords.
- Users tend to follow a similar "pattern" when generating passwords for the different systems, or choose simple passwords.

Phishing, Spoofing, Social Engineering

Social engineering
• Spoofing – example: make a program look like a login screen and fool the user into logging in, in order to harvest the username and password combination:
    ssh ssh.lut.se

• Phishing – example: send a mail claiming to be from Swedbank Nordea AB, asking for the user's credentials in order to refund some money.

• Engineering – Trudy has to figure out whom to fool to get what Trudy wants. Perhaps call, claim to work for Windows Update, and ask you to log in to a particular web page and install some updates from there... Or Trudy claims to be the system administrator who needs your password to....


Password Storage

• If the operating system's access protection on the password file could be relied on completely, the passwords could in principle be stored in plain text.

• If that access protection cannot be relied on, the stored passwords must be protected cryptographically.
• Most common is a combination: the operating system's access protection around a database of transformed passwords.
• Preferably a one-way function, so that the stored value cannot be turned back into the password even by someone who does get to read the file (a backup, a stolen disk, a bug that leaks it, an insider):

    PaSSWord => 0ySWf5Pc, but 0ySWf5Pc cannot be decrypted back to PaSSWord

Compare: 6637639 mod 100 = 39, but 39 × 100 ≠ 6637639. The modulus throws information away, so the input cannot be recovered from the result; a one-way hash does the same, only without the trivial collisions.

Early Unix / YP (NIS) password file

/etc/passwd – mode -rw-r--r--, owner root, group root (readable by everyone):

    user1:Xop0FYH9:UID:GID:/home/user1::::
    user2:agUDsm1J:UID:GID:/home/user2::::

Offline password attack:
1. Hash the candidate "Password"; the result is "agUDsm1J".
2. Check whether "agUDsm1J" appears anywhere in /etc/passwd.

One candidate hashed, every user's password checked at once.

Later approach: shadow file and salt

/etc/passwd – mode -rw-r--r--, owner root, group root. The hash field now holds only a placeholder:

    user1:*:UID:GID:/home/user1::::
    user2:*:UID:GID:/home/user2::::

/etc/shadow – mode -rw-r-----, owner root, group shadow (format simplified here; #username:[SALT][PasswordHash]:...):

    user1:H1Xop0FYH9:UID:GID:/home/user1::::
    user2:jTagUDsm1J:UID:GID:/home/user2::::

Offline password attack:
1. Read access to /etc/shadow is required first: root or group shadow, i.e. a privilege escalation.
2. Hash "Password" with user1's salt H1; the result is "BhFurs1J".
3. Check whether user1's entry in /etc/shadow is "H1BhFurs1J".

Because every user has a different salt, each candidate must be hashed separately for every user, and a precomputed table of hashes is useless.
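Both schemes replayed against the same stolen table, counting how much work the attacker does. This is an added example, not from the lecture: the four accounts, their passwords, salts and the word list are constructed, and the one-way function is a toy FNV-1a hash over salt||password standing in for crypt(3). FNV is far too fast to protect real passwords, which does not matter here; the point is how the per-user salt changes the cost of each candidate word.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the lecture). Sample accounts and word list are
   constructed; toy_hash is a stand-in for crypt(3), NOT a password hash. */
#define NUSERS 4
#define NWORDS 5

struct account {
    const char *name;
    const char *salt;    /* "" in the unsalted scheme */
    uint64_t    hash;    /* stored instead of the password */
};

struct attack_result {
    int      cracked;    /* (user, candidate) pairs that matched */
    unsigned hashes;     /* one-way function evaluations needed */
};

/* Toy one-way function: FNV-1a 64 over salt followed by password. */
uint64_t toy_hash(const char *salt, const char *password)
{
    const char *parts[2] = { salt, password };
    uint64_t h = 1469598103934665603ULL;
    for (int p = 0; p < 2; p++)
        for (const unsigned char *c = (const unsigned char *)parts[p]; *c; c++) {
            h ^= *c;
            h *= 1099511628211ULL;
        }
    return h;
}

/* Constructed sample data: user1 and user3 picked the same dictionary word. */
static const char *names[NUSERS]     = { "user1", "user2", "user3", "user4" };
static const char *passwords[NUSERS] = { "Password", "letmein", "Password", "Vn7#qLp2x" };
static const char *salts[NUSERS]     = { "H1", "jT", "q9", "Zx" };  /* per user, stored in clear */
static const char *wordlist[NWORDS]  = { "acai", "aight", "agame", "Password", "letmein" };

/* Build the password file the way the OS would: salted=0 is the early scheme
   (hash of the password alone), salted=1 the shadow scheme (per-user salt). */
void build_table(struct account table[NUSERS], int salted)
{
    for (int i = 0; i < NUSERS; i++) {
        table[i].name = names[i];
        table[i].salt = salted ? salts[i] : "";
        table[i].hash = toy_hash(table[i].salt, passwords[i]);
    }
}

/* Offline dictionary attack on the stolen table. Unsalted: hash each word once
   and compare it with every user. Salted: the hash depends on the user's salt,
   so every (user, word) pair costs one evaluation. */
struct attack_result offline_attack(int salted)
{
    struct account table[NUSERS];
    struct attack_result r = { 0, 0 };
    build_table(table, salted);

    if (!salted) {
        for (int w = 0; w < NWORDS; w++) {
            uint64_t h = toy_hash("", wordlist[w]);
            r.hashes++;
            for (int i = 0; i < NUSERS; i++)
                if (table[i].hash == h)
                    r.cracked++;
        }
    } else {
        for (int i = 0; i < NUSERS; i++)
            for (int w = 0; w < NWORDS; w++) {
                r.hashes++;
                if (toy_hash(table[i].salt, wordlist[w]) == table[i].hash)
                    r.cracked++;
            }
    }
    return r;
}

int main(void)
{
    struct attack_result u = offline_attack(0), s = offline_attack(1);
    printf("unsalted: %d cracked with %u hash evaluations\n", u.cracked, u.hashes);
    printf("salted:   %d cracked with %u hash evaluations\n", s.cracked, s.hashes);
    return 0;
}
```

Both runs crack the same three accounts: the salt does not rescue a password that is in the word list. What changes is the cost, 5 evaluations against 20, and that cost grows with the number of users, which is what makes a precomputed table of hashes worthless against a salted file. The fourth account survives because its password is not in the list, not because of the salt; a real deployment adds a deliberately slow hash (bcrypt, scrypt, Argon2) on top of the salt to make each of those evaluations expensive.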

How can Authentication be done

• What you know – a password
• What you have – a key, a token
• Who you are – biometrics
• How you behave – gait, keystroke rhythm, habits
• Where you are – location