Computer Security CS 426 Lecture 27 SANS Top-20 Internet Security Attack Targets

Upload: catharine24

Post on 29-Nov-2014

2.152 views

Category:

Documents


6 download

DESCRIPTION

 

TRANSCRIPT

Page 1: PPT - Department of Computer Science, Purdue University

Computer Security CS 426

Lecture 27

SANS Top-20 Internet Security Attack Targets

Page 2

Operating Systems

• W1. Internet Explorer
• W2. Windows Libraries
• W3. Microsoft Office
• W4. Windows Services
• W5. Windows Configuration Weaknesses
• M1. Mac OS X
• U1. UNIX Configuration Weaknesses

Page 3

Cross-Platform Applications

• C1. Web Applications
• C2. Database Software
• C3. P2P File Sharing Applications
• C4. Instant Messaging
• C5. Media Players
• C6. DNS Servers
• C7. Backup Software
• C8. Security, Enterprise, and Directory Management Servers

Page 4

Others

• Network Devices
– N1. VoIP Servers and Phones
– N2. Network and Other Devices Common Configuration Weaknesses

• Security Policy and Personnel
– H1. Excessive User Rights and Unauthorized Devices
– H2. Users (Phishing/Spear Phishing)

• Special Section
– Z1. Zero Day Attacks and Prevention Strategies

Page 5

W1. Internet Explorer

• Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an email.

• These flaws have been widely exploited to install spyware, adware and other malware on users' systems.

• The VML zero-day vulnerability fixed by Microsoft patch MS06-055 was widely exploited by malicious websites before the patch was available.

Page 6

W2. Windows Libraries

• These libraries usually have the file extension DLL or OCX (for libraries containing ActiveX controls).

• During the past year, several Windows libraries were reported to have critical vulnerabilities. In a number of cases, exploit code was discovered before patches were available (zero-day).

• In December 2005, a vulnerability (CVE-2005-4560) was reported in the Graphics Rendering Engine: when handling specially crafted Windows Metafile (WMF) images, it could cause arbitrary code to be executed. A patch was not available until early January 2006.

Page 7

W3. Microsoft Office

• Vulnerabilities in these products can be exploited via the following attack vectors:
– the attacker sends a malicious Office document in an email message;
– the attacker hosts the document on a web server or shared folder. Note that IE automatically opens Office documents, so browsing the malicious webpage or folder is sufficient for the vulnerability to be exploited;
– the attacker runs a news server or hijacks an RSS feed that sends malicious documents to email clients.

• A large number of critical flaws were reported last year in MS Office applications. A few of them were exploited as zero-days.

Page 8

W4. Windows Services

• Several of the core system services are exposed through named pipe endpoints accessible through the Common Internet File System (CIFS) protocol, well-known TCP/UDP ports and, in certain cases, ephemeral TCP/UDP ports.

• When exploited, these vulnerabilities afford the attacker the same privileges that the service had on the host.

• Critical vulnerabilities reported within the past year:
– Server Service (MS06-040, MS06-035)
– Routing and Remote Access Service (MS06-025)
– Exchange Service (MS06-019)

Page 9

W5. Windows Configuration Weaknesses

• 1. User Configured Password Weaknesses
• 2. Service Account Passwords
– Non-system service accounts need passwords in Windows.
• 3. Null Log-on
– Null sessions have allowed anonymous users to enumerate systems, shares, and user accounts.

Page 10

M1. Mac OS X

• The majority of the critical flaws discovered in the past year fall into six different categories:
– Safari
– ImageIO - Vulnerabilities in this framework could potentially affect many different applications.
– Unix
– Wireless - A critical vulnerability in Mac OS X's wireless network subsystem allows physically-proximate attackers to gain complete control. The attack can occur even if the system was not part of the same logical network as the attacker. Additional flaws were discovered in the Bluetooth wireless interface subsystem, with similar results.
– Virus/Trojan - The first viruses and trojans for the Mac OS X platform were discovered in the past year.
– Other

Page 11

U1. UNIX Configuration Weaknesses

• Most Unix/Linux systems include a number of standard services in their default installation.
– These services, even if fully patched, can be the cause of unintended compromises.

• Of particular interest are brute-force attacks against command line access such as SSH, FTP, and telnet.
– It is important to remember that brute forcing passwords can be used as a technique to compromise even a fully patched system.
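The brute-force point above is best seen from the log side. This is an added example (not from the lecture): it parses constructed sshd auth-log lines, counts failed logins per source inside a sliding window, and, because a guessed password compromises a fully patched host, treats a later successful login from a flagged source as the alert that matters. The log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines for illustration (not from the lecture). Syslog timestamps
# carry no year, so parse() assumes one.
SAMPLE_LOG = """\
Nov 29 10:00:01 host sshd[411]: Failed password for root from 203.0.113.7 port 51000 ssh2
Nov 29 10:00:02 host sshd[412]: Failed password for root from 203.0.113.7 port 51001 ssh2
Nov 29 10:00:03 host sshd[413]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Nov 29 10:00:04 host sshd[414]: Failed password for root from 203.0.113.7 port 51003 ssh2
Nov 29 10:00:05 host sshd[415]: Failed password for root from 203.0.113.7 port 51004 ssh2
Nov 29 10:00:06 host sshd[416]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Nov 29 10:05:00 host sshd[500]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 29 10:30:00 host sshd[501]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log, year=2014):
    """Turn auth log text into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside a sliding window of window_s seconds;
    a later 'Accepted' from a flagged source means the password was probably guessed."""
    alerts, failures = {}, defaultdict(list)
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"success_after": False, "user": None})
                alerts[ip]["failures"] = len(recent)
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["user"] = user
    return alerts
```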

Page 12

C1. Web Applications

• Applications such as Content Management Systems (CMS), Wikis, Portals, Bulletin Boards,

• Every week hundreds of vulnerabilities are being reported in these web applications, and are being actively exploited.

• The number of attempted attacks every day for some of the large web hosting farms ranges from hundreds of thousands to even millions.
– PHP Remote File Include
– SQL Injection
– Cross-Site Scripting (XSS)
– Cross-site request forgeries (CSRF)
– Directory Traversal
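A hosting farm seeing that volume has to triage by attack class. This added example (not part of the lecture) classifies request lines into four of the five classes listed above using detection signatures, and shows the edge case a naive filter misses: input must be percent-decoded until stable, because double-encoded traversal slips past a single decode. CSRF is deliberately absent, since a forged request looks legitimate on its own and cannot be recognised from one log line. The request lines and signatures are constructed.

```python
import re
from urllib.parse import unquote

# Detection signatures for four of the attack classes the lecture lists (constructed;
# a production rule set would be far larger).
SIGNATURES = {
    "PHP Remote File Include": re.compile(r"=(?:https?|ftp)://", re.I),
    "SQL Injection": re.compile(r"'\s*(?:or|and)\s|union\s+select|--\s*$", re.I),
    "Cross-Site Scripting (XSS)": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "Directory Traversal": re.compile(r"\.\.[/\\]"),
}

def decode(s):
    """Percent-decode until stable: double-encoded input (%252e -> %2e -> .) otherwise
    slips past a single-pass check."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s

def classify(request_line):
    """Return the attack classes whose signature matches the request's query string."""
    _method, _, target = request_line.partition(" ")
    query = decode(target).partition("?")[2]   # user-controlled part of the URL
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def summarize(request_lines):
    """Count hits per class across a batch of request lines."""
    counts = {name: 0 for name in SIGNATURES}
    for line in request_lines:
        for name in classify(line):
            counts[name] += 1
    return counts

# Constructed request lines (method and target only), not real traffic.
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://203.0.113.9/x.txt",
    "GET /view.php?id=1%27%20OR%201%3D1--",
    "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "GET /download.php?file=%252e%252e%252fetc%252fpasswd",   # double-encoded ../
    "GET /index.php?page=about",
]
```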

Page 13

C2. Database Software

• Use of default configurations with default user names and passwords.

• Buffer overflows in processes that listen on well known TCP/UDP ports.

• SQL Injection via the database's own tools or web front-ends added by users.

• Use of weak passwords for privileged accounts
• 37 CVE entries on Oracle since October 2005

Page 14

C3. P2P File Sharing Applications

• The P2P networks themselves may be attacked by modifying legitimate files with malware, seeding malware files into shared directories, exploiting vulnerabilities in the protocol or errors in coding, blocking (filtering) the protocol, denial of service by making the network function slowly, spamming and identity attacks that identify network users and harass them.

Page 15

C4. Instant Messaging

• Recent attacks include new variations in the establishment and spread of botnets, and the use of compromised instant messaging accounts to lure users into revealing sensitive information.
– Malware -- Worms, viruses, and Trojans transferred through the use of instant messaging.
– Information confidentiality -- Information transferred via instant messaging can be subject to disclosure.
– Network -- Denial of service attacks; excessive network capacity utilization, even through legitimate use.
– Application vulnerabilities -- Instant messaging applications contain vulnerabilities that can be exploited to compromise affected systems.

Page 16

C5. Media Players

• Vulnerabilities allow a malicious webpage or a media file to completely compromise a user's system without requiring much user interaction. The user's system can be compromised simply upon visiting a malicious webpage.

• CVE entries over the past year
– RealPlayer and Helix Player (7)
– iTunes (3)
– Winamp (3)
– Quicktime (12)
– Windows Media Player (3)
– Macromedia Flash Player (2)

Page 17

C6. DNS Servers

• During the past year, the following types of attacks have been carried out by botnets against DNS servers.
– Recursion Denial of Service Attacks: A botmaster publishes a large DNS record in a compromised DNS server or in a DNS server set up for this purpose. The botmaster then directs the botnet to send small UDP/53 queries to public recursive name servers with a forged return address pointed at the targeted victim. This effect can be amplified further by making the DNS records larger than a typical UDP/53 response packet, thus forcing a TCP/53 transaction.
– Spoofing Authoritative Zone Answers: The botmaster establishes a fake web site (phishing site) on a compromised web server. The botmaster then directs the botnet to listen for requests and spoof DNS replies for a particular zone with an answer pointing to the compromised web server.
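The recursion attack above is visible to the operator of the open recursive resolver as an amplification pattern: a single "client" address (really the forged victim) receives far more response bytes than it sends in queries. This added example (not from the lecture) aggregates constructed resolver-side records per client, computes the byte amplification ratio, and counts answers too large for a UDP packet (the truncation the slide describes). The records, addresses and thresholds are constructed.

```python
from collections import defaultdict

# Constructed resolver-side records (not from the lecture). Each tuple is one query and its
# answer as seen by a public recursive resolver:
#   (client_ip, qname, qtype, req_bytes, resp_bytes, truncated)
# client_ip is the packet's source address; under a reflection attack it is the forged
# address of the victim, who receives every response without having asked for it.
SAMPLE_RECORDS = [
    ("192.0.2.10", "big.example.net", "TXT", 60, 3000, False),
    ("192.0.2.10", "big.example.net", "TXT", 60, 3000, False),
    ("192.0.2.10", "big.example.net", "TXT", 60, 3000, False),
    ("192.0.2.10", "big.example.net", "TXT", 60, 512, True),    # TC set: record exceeded UDP size
    ("198.51.100.4", "www.example.com", "A", 50, 100, False),
    ("198.51.100.4", "mail.example.com", "MX", 50, 120, False),
    ("203.0.113.5", "big.example.net", "TXT", 60, 3000, False),  # single query: too few to judge
]

def amplification_report(records, min_queries=3, min_ratio=10.0):
    """Aggregate bytes per client and flag clients receiving far more than they send.

    Returns {client_ip: {"ratio", "queries", "truncated", "qnames"}} for clients with
    at least min_queries queries and resp_bytes/req_bytes >= min_ratio. 'truncated'
    counts answers that did not fit in a UDP packet (the slide's forced TCP/53 case).
    """
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "tc": 0, "qnames": set()})
    for client, qname, _qtype, req, resp, tc in records:
        s = stats[client]
        s["queries"] += 1
        s["req"] += req
        s["resp"] += resp
        s["tc"] += int(tc)
        s["qnames"].add(qname)
    report = {}
    for client, s in stats.items():
        ratio = s["resp"] / s["req"]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            report[client] = {
                "ratio": round(ratio, 1),
                "queries": s["queries"],
                "truncated": s["tc"],
                "qnames": sorted(s["qnames"]),   # the planted record stands out here
            }
    return report
```

A flagged client is a candidate for response rate limiting toward that address, and a qname that recurs across flagged clients is the planted record worth refusing to serve recursively.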

Page 18

C7. Backup Software

• During the last year a number of critical backup software vulnerabilities have been discovered. These vulnerabilities can be exploited to completely compromise systems running backup servers and/or backup clients. An attacker can leverage these flaws for an enterprise-wide compromise and obtain access to the sensitive backed-up data. Exploits have been publicly posted for some of these flaws, and these vulnerabilities are getting exploited in the wild.

Page 19

C8. Security, Enterprise, and Directory Management Servers

• Directory Servers
• Monitoring Systems
• Configuration and Patch Systems
• Spam and Virus Scanners

Page 20

N1. VoIP Servers and Phones

• Various products such as Cisco Unified Call Manager, Asterisk and a number of VoIP phones have been found to contain vulnerabilities that can either lead to a crash or to complete control over the vulnerable server/device. By gaining control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Page 21

N2. Network and Other Devices Common Configuration Weaknesses

• N2.2.1 Default SNMP Community Strings
– Default and often hard-coded community strings continue to be an issue with networking products.
• N2.2.2 Default Accounts, Passwords, Encryption Keys, and Tokens
• N2.2.3 Unnecessary Services
• N2.2.4 Unencrypted and Unauthenticated Administration Protocols

Page 22

H1. Excessive User Rights and Unauthorized Devices

• Unwary users can be enticed to do unsafe things. Clever users can find unsafe ways to get things done, unintentionally exposing the company to attack.

• H.1a Unauthorized and/or infected devices on network
– A rogue wireless access point, a personal laptop, a router or PC secretly connected to an open ethernet port by a visitor, a USB flash drive
• H.1b Excessive User Rights and Unauthorized software

Page 23

H2. Users (Phishing/Spear Phishing)

• Password/PIN Phishing
• VoIP phishing
• Spear Phishing
– highly targeted
– Spear phishing has become one of the most damaging forms of attacks on military organizations in the US and other developed countries.

Page 24

Z1: Special Section: Zero Day Attacks and Prevention Strategies

• While the risks of zero day vulnerabilities in popular applications and subsequent exploitation have been discussed for several years, zero day attacks saw a significant upward trend in 2006. A zero day vulnerability occurs when a flaw in software code has been discovered and exploits of the flaw appear before a fix or patch is available. If a working exploit of the vulnerability is released into the wild, users of the affected software are exposed to attacks until a software patch is available or some form of mitigation is taken by the user.

Page 25

Coming Attractions …

• December 5:
– Database Security, guest lecture by Ji-Won Byun