network threat review. page 2 agenda in this section network threats worms hackers security holes...
TRANSCRIPT
NETWORK THREAT REVIEW
Page 2
Agenda
In this section
• Network threats
• Worms
• Hackers
• Security holes
• Social engineering
NETWORK THREATS
Page 4
Threats
Threats
• Network worms
• Hackers, crackers
• Security holes and vulnerabilities
• User-installed uncontrolled programs
Threats can be divided to external and internal ones based on where
they originate from
Page 5
Worm
WORM is a computer program that
replicates independently by
sending itself to other systems
• E-mail worms
• Spread using email in attachments
• Network worms
• Very fast at spreading
• Network worms connect directly over the network
• Bluetooth worm
Page 6
Network Worms
Network worms use hacker techniques to automatically sneak in from
the Internet
• For example Nimda, Slammer, Lovsan, Slapper, Sasser
• Connect directly over the network (extremely fast spreading)
• Traditional antivirus response times are not enough to stop these worms from spreading, personal firewalls are needed
• In a way, network worms are automated hacker attacks
Page 7
Example: Sasser (2004)
Malware type: Network worm
Replication mechanism:
• Exploits an LSASS security hole in Win 2000 and XP
Payload:
• Installs a backdoor and launches an DDoS attack
Effect:
• Caused unpatched machines to start to reboot
• Created problems in at least three large banks; rail traffic was halted in Australia on Saturday, leaving 300,000 travellers stranded, etc.
Writer Sven Jaschen arrested 6 days
after seeding
Page 8
Case: Sasser
Attack failedTCP 445 openLSASS patched
Attack successfulTCP 445 openLSASS unpatched
Page 9
Virulence vs. Payload
Damage caused by worms can be measured by two key components
• VIRULENCE measures how fast a worm spreads, how well the replication mechanism works
• Aggressive spreading typically affects resources such as network bandwidth
• Extremely virulent worms can cause system overload or failure
• PAYLOAD measures what the worm does
• May be carried by the worm or distributed later
• Doesn’t have to be harmful
• Not all worms have payloads, some only exist to propagate
Page 10
Common Payloads
E-Mail proxies
• Installed in stealth
• Used as relays for spam distribution
Trojan backdoors
• Used by the attacker to control the infected computers
Distributed Denial of Service (D-DoS)
Page 11
D-DoS
Distributed Denial of Service
• Overloading a service by misusing its resources
• Very effective way to take someone down, not much one can do about it
Most famous incidents
• February 2000: Yahoo, Amazon, CNN, eBay
• Attacks done by a teenager “Mafiaboy”
• January 2001: Microsoft
• March 2003: www.aljazeera.net
• August 2004: Gambling sites blackmail during Olympics
Page 12
D-DoS Example
Slave
Master
Page 13
Hacking
CRACKING (also HACKING) is gaining direct access to a target system
• Wide range of methods available (stolen access information, finding open ports, known security holes, etc.)
• Attacks can be divided to external attacks and internal attacks
EXPLOIT is a common term for software that takes advantage of a
bug, glitch, security hole or vulnerability
• Vulnerability types include buffer overflow, format string attacks, race condition, cross-site scripting, and cross-site request forgery
Page 14
Security Holes and Vulnerabilities
As all operating systems have security holes, the question is how fast the vulnerabilities are patched
• Mostly hackers rely on patches to develop exploits
• Full disclosure vs. security through obscurity
The average time between a vulnerability made public and the first exploit is getting shorter
• Nimda, 365 days (2001)
• Sasser, 18 days (2004)
• Witty, 1 day (2004)
Product ships
Vulnerability found
Hole publicied,patch issued
Patch implemented
Exploitsappear
Page 15
Linux vs. Windows
Average expectancy to compromise for an unpatched Linux system
has increased from 72 hours to 3 months in two years
• Windows has an average life expectancy of a few minutes
• Still, Microsoft usually is faster at releasing fixes to security holes
• Also, Microsoft is becoming more security-conscious (SP2 for XP centres around security features only, anti-spyware tool)
Most direct intrusions are performed against Windows hosts
• Lower level of basic protection, especially if not updated regularly
• Windows dominates the market, which makes it an attractive target
• Monoculture, homogenous environments
Page 16
Linux and OSX is 2004
There were no major incidents in
Linux operating system
• Linux users were targeted with a spam message that claimed a security vulnerability has been found in Fedora and the fix is available at fedora-redhat.com. The fake update file turned out to be a rootkit.
• Some bugs were found and SuSE dispatched three local security holes to prevent a local user from hacking the computer
Opener, the first real malware for
Apple Macintosh OS X was found
• Bash script containing a keylogger, a backdoor etc.
Security holes were found (and
patched in silence) in Samba,
Squid, PHP and others
Page 17
Social Engineering and Users
Users have the possibility to install software which can leak out information – either by themselves or because they have been fooled in doing so
• The line between ’good’ and ’bad’ programs is blurry (spyware, peer-to-peer software, etc.)
• Worms and viruses are looking for non-protected entry points, such as Instant Messaging, peer-to-peer networks, Internet Relay Chat (IRC)
• Companies typically do not have any means to prevent employees from using software that is not allowed
PHISHING means luring sensitive information (like passwords) from a victim by masquerading as someone trustworthy with a real need for such information
Page 18
Company Visitors
Unsafe devices (laptops, PDAs, mobile
phones) that visitors connect to the
corporate network are a big threat
• These devices might be infected with a fast spreading network worm
• These may then try to infect not just internal but also external targets
• Damage to the company reputation!
Page 19
Other Attack Types
A wealth of other methods are available as well
• Hacking
• Exploiting a known weakness (vulnerabilities) of the operating system or application
• Spoofing
• IP spoofing: Changing the packet source address to falsify the actual source
• DNS spoofing (poisoning): Changing DNS records
• E-Mail spoofing: Changing the source e-mail address (e.g used in spam or phishing attacks)
• URL / Web spoofing: Sites that look the same as the real ones, but are in fact plagiates (for example using extended domain names)
• Scanning
• Systematic scanning to find open ports or operating system
Page 20
Uninvited Guests
Why? Who?
• National interest (spies)
• Personal gain (thiefs)
• Personal fame (trespassers)
• Curiosity (vandals, script kiddies)
Page 21
Other Malware
MALWARE is a common name for all kinds of
unwanted software such as viruses, worms,
spyware and trojans
TROJAN HORSE (or trojan) is a program with
hidden destructive functionality
SPAM means unsolicited bulk email, something
the recipient did not ask for it and that is sent in
large volumes
Page 22
Viruses and Spyware
VIRUS is a computer program that replicates
by attaching itself to another object
• Boot sector virus
• File virus
• Macro virus
SPYWARE is software that aids in gathering
information about a person or organization
without their knowledge, and can relay this
information back to an unauthorized third party
File virus ”Funlove”
Page 23
Summary
In this section
• Network threats
• Worms
• Hackers
• Security holes
• Social engineering