To Stop a Hacker is to Think Like One!

Uploaded by sandeep20022, posted 30-May-2018

TRANSCRIPT

  • 8/14/2019 To Stop a Hacker is to Think Like One!

    1/53

    Hacking & Security Policies

    Presented by: Balram Sahu
    Electrical Engg., IInd Year
    G.B.P.E.C. Pauri

    To Stop a Hacker is to Think Like One!


    2/53

    Background

    Seminar Objectives

    Provide insight into current efforts and future plans for network security.

    Provide a helpful perspective on the nature of today's Internet security risks.

    Provide guidelines for achieving these goals.

    Demonstrations of tools used by hackers


    3/53

    Presentation Outline

    Part 1: Threats to Security

    Part 2: Performing a Risk Assessment

    Part 3: Hacker Technologies

    Part 4: Buffer Overflow Exploits

    Part 5: Firewalls

    Part 6: Denial of Service and Trojans

    Part 7: Security Policy

    Part 8: How to Handle an Attack?

    Part 9: Educational Resources


    4/53

    Why Security

    96% of large companies & govt. agencies had computer security breaches in 2005

    Three-quarters suffered financial losses

    Most frequent problems: computer viruses (85%), abuse of Internet access (79%), web-site vandalism (64%)

    Source: 2005 CSI/FBI Computer Crime and Security Survey


    5/53

    Threats to Security

    External threats, such as social engineering or viruses

    Internal threats, such as internal attacks or code vulnerabilities


    6/53

    Addressing Internal Threats

    Failure to update hotfixes and security patches

    Blank or weak passwords

    Default installation with unnecessary services

    Internal attacks

    (Diagram: restricted area of the network)


    7/53

    External Threats

    Organizational attacks: acquire confidential information to gain a business or competitive advantage

    Social engineering: bypasses technology to gain network access

    Automated attacks: use software to gain network access

    Denial of service (DoS): blocks access to data or services (the user's connection fails)

    Viruses, Trojan horses, and worms: harmful code, malicious programs, self-replicating

    Accidental breaches in security: improper permissions can result in access to restricted data


    8/53

    General Prevention

    Test and apply service packs and hotfixes

    Run and maintain antivirus software

    Run an intrusion detection system at the perimeter of your network

    Block all messages containing Readme.exe or Admin.dll attachments

    Reinstall infected systems


    9/53

    Protecting E-Mail

    Microsoft Outlook e-mail security update:

    Blocks common script and executable extensions

    Disables active scripting

    Warns users about attempts to access the Outlook address book or send e-mail

    Internet Explorer service packs for Microsoft Outlook Express:

    Internet Explorer 5.01 SP2

    Internet Explorer 5.5 SP2

    Internet Explorer 6 (full installation required on upgrades)


    10/53

    Protecting Web Servers

    Apply the latest hotfixes

    Install the latest service pack

    Install the security roll-up packages

    Remove unnecessary IIS components

    Install UrlScan with the default rule set

    (Diagram: Internet Information Services)


    11/53

    Protecting File Servers

    Remove unnecessary file shares

    Use an AGDLP or AGUDLP strategy (accounts into global groups, global groups into [universal groups into] domain local groups, permissions assigned to the domain local groups)

    Assign the minimum required permissions

    Enforce complex passwords


    12/53

    Microsoft Strategic Technology Protection Program

    Two-phase program that integrates Microsoft products, services, and support

    Phase 1: Get Secure

    Phase 2: Stay Secure


    13/53

    Phase 1: Get Secure

    The Microsoft Security Tool Kit

    Contains tools that provide a baseline level of security for servers that are connected to the Internet. Provides support for Windows NT 4.0 and Windows 2003.

    Toll-free virus support


    14/53

    Phase 2: Stay Secure

    Worldwide security-readiness events

    Tools, updates, and patches

    Enterprise security tools

    Windows Update auto-update functionality

    Bimonthly product roll-up patches

    Consulting engagements


    15/53

    Part 2: Performing a Risk Assessment


    16/53

    Strategies to Manage Risk

    Avoidance

    Mitigation

    Contingency plans

    Acceptance

    (Diagram: the four strategies arranged around Risk)


    17/53

    Analyzing Risk

    1. Identify resources

    2. Identify threats

    3. Calculate exposure

    4. Implement security measures

    5. Review plan


    18/53

    Identifying the Resources to Protect (step 1: identify resources)

    Hardware

    Software

    Data

    People

    Documentation


    19/53

    Identifying the Threats to Resources (step 2: identify threats)

    Viruses, Trojan horses, and worms

    Social engineering

    Automated attacks

    Accidental breaches in security

    Denial of service (DoS)

    Organizational attacks

    (Diagram: the threats surrounding restricted data)


    20/53

    Calculating Exposure (step 3: calculate exposure)

    Exposure = Probability x Impact

    Example: a security risk to data valued at $500,000 has a 75% probability of occurring. Multiply 75% x $500,000 to calculate a $375,000 exposure value.

    Rank risks to an organization based on exposure value.


    21/53

    External Attacks Most Frequent

    Greater use of the Internet

    Tools & techniques evolve to enable new opportunities for attack

    Frequent points of attack (percent of respondents): Internet connection 59%, internal systems 38%

    Source: 2000 CSI/FBI Computer Crime and Security Survey


    22/53

    20-Year Trend: Stronger Attack Tools

    (Chart: relative technical complexity of attack techniques against the average intruder, 1980 to 1995. Techniques plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers / sweepers, stealth diagnostics, packet forging / spoofing, GUI hacking tools.)

    Source: GAO Report to Congress, 1996


    23/53

    Trend Has Continued

    (Chart: relative technical complexity, 1998 to 2001. Items plotted: Windows remote control, Melissa, PrettyPark, Trinoo, Stacheldraht (DDoS), insertion tools, hacking tools, and the "kiddie scripter"; the chart ends in a question mark for what comes after 2001.)


    24/53

    Part 3: Hacker Technologies


    25/53

    The Threats

    Hacker technologies:

    Internet engineering

    System administration

    Network management

    Reverse engineering

    Distributed computing

    Cryptography

    Social engineering


    26/53

    The Threats

    Hacking tools become more and more sophisticated and powerful in terms of:

    Efficiency

    Distribution

    Stealth

    Automation

    User friendliness

    These hacking tools can easily be downloaded from the Internet.


    27/53

    The Threats

    Your host does not need to be as famous as Yahoo or eBay to be targeted:

    attackers need a place to hide their traces

    they need your host as a stepping stone to hack other sites

    they need your host's resources to carry out their activities

    your host's security weaknesses can be identified by a scanning tool

    The security of any network on the Internet depends on the security of every other network.

    No network is really secure.


    28/53

    The Threats

    The trends: from January to April 2000 (before we fully deployed our IE firewall for the RLAB segment), our site received the following security warnings:

    Web page defacement

    Unauthorized system access

    Port scanning

    Ping broadcast scanning

    Telnet probe scanning


    29/53

    Part 4: Buffer Overflow Exploits


    30/53

    How Do They Hack In?

    General steps:

    Locate the victim host with a scanning program

    Identify the victim host's vulnerability

    Attack the victim host via this vulnerability

    Establish backdoors for later access

    Some hacking tools automate the above steps into a single command.


    31/53

    How Do They Hack In?

    Buffer Overflow Exploit

    Stuffing more data into a buffer than it can hold

    overwrites the return address of the function, and

    switches the execution flow to the attacker's code.


    32/53

    How Do They Hack In?

    Buffer Overflow Exploit: process memory regions

    Low memory address: Text region (program code)

    Data region (initialized and uninitialized data)

    High memory address: Stack region (subroutine local variables and return addresses)


    33/53

    How Do They Hack In?

    Buffer Overflow Exploit (example: 255 bytes copied into a 16-byte buffer)

    #include <string.h>

    /* Vulnerable: strcpy() copies all of str into the 16-byte buffer with no
       length check, so a long str runs past buffer and overwrites the saved
       frame pointer and return address that sit above it on the stack. */
    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);
    }

    int main(void) {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';   /* terminate so strcpy copies exactly 255 'A's */
        function(large_string);     /* overflow: function() returns into 0x41414141 */
        return 0;
    }

    Stack frame of function(), from the bottom of the stack (high addresses) to the top (low addresses): str (the argument), ret (return address), sfp (saved frame pointer), buffer (the local variable). The copy fills buffer from low to high addresses, so the excess runs over sfp and then ret.
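
The overflow on the slide, worked through as an added example (this is not code from the slides): given the frame layout drawn above, which bytes of the input end up in the return address, and how a bounded copy refuses the same input. The 4-byte word size, the absence of padding between buffer and sfp, and the absence of a stack canary are assumptions; modern compilers insert canaries and reorder locals, so the exact offsets hold only for the simplified frame the slide draws.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame layout from the slide's diagram, low address to high:
 *   buffer[16] | sfp (saved frame pointer) | ret (return address) | str
 * Assumptions not stated on the slide: 32-bit words (4-byte sfp and ret),
 * no compiler padding between buffer and sfp, no stack canary. */
#define WORD_BYTES 4

struct overflow_report {
    size_t spill;       /* bytes written past the end of buffer, NUL included */
    int clobbers_sfp;   /* at least one byte of sfp overwritten */
    int clobbers_ret;   /* all four bytes of ret overwritten */
    long ret_at;        /* offset in str of the 4 bytes that land on ret, or -1 */
};

/* Predict the effect of strcpy(buffer, str) for a buffer of buffer_size
 * bytes and a str of str_len characters (strcpy writes str_len + 1 bytes). */
struct overflow_report model_strcpy(size_t buffer_size, size_t str_len)
{
    struct overflow_report r = {0, 0, 0, -1};
    size_t written = str_len + 1;
    if (written <= buffer_size)
        return r;                               /* fits: frame intact */
    r.spill = written - buffer_size;
    r.clobbers_sfp = 1;                         /* first spilled byte hits sfp */
    if (r.spill >= 2 * WORD_BYTES) {            /* copy ran through sfp and ret */
        r.clobbers_ret = 1;
        r.ret_at = (long)(buffer_size + WORD_BYTES);
    }
    return r;
}

/* The address the CPU pops on return after the overflow: the four bytes of
 * str at ret_at, read little-endian as on x86. 0 if ret was not reached. */
unsigned long forged_ret(const char *str, size_t buffer_size)
{
    struct overflow_report r = model_strcpy(buffer_size, strlen(str));
    if (!r.clobbers_ret)
        return 0;
    const unsigned char *p = (const unsigned char *)str + r.ret_at;
    unsigned long v = 0;
    for (int i = WORD_BYTES - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Bounded replacement for strcpy: refuses input that does not fit, so no
 * byte is ever written past dst. 0 on success, -1 if src was rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The slide's function() with the copy made safe. */
int function_fixed(const char *str)
{
    char buffer[16];
    return bounded_copy(buffer, sizeof buffer, str);
}

int main(void)
{
    char large_string[256];                     /* the slide's input: 255 'A's */
    memset(large_string, 'A', 255);
    large_string[255] = '\0';

    struct overflow_report r = model_strcpy(16, strlen(large_string));
    printf("strcpy of %zu bytes into 16: %zu spill, sfp clobbered=%d, ret clobbered=%d\n",
           strlen(large_string) + 1, r.spill, r.clobbers_sfp, r.clobbers_ret);
    printf("ret is taken from str[%ld..%ld] -> 0x%08lx\n",
           r.ret_at, r.ret_at + WORD_BYTES - 1, forged_ret(large_string, 16));
    printf("function_fixed(255 'A's) = %d, function_fixed(\"hello\") = %d\n",
           function_fixed(large_string), function_fixed("hello"));
    return 0;
}
```

The point the model makes explicit is that an exploit writer does not need the whole input to be control data: only bytes 20 to 23 of str become the new return address, which is why real payloads place the target address at exactly that offset and fill the rest with shellcode and padding.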


    34/53

    How Do They Hack In?

    Real Case Study I

    Hackers first located the victim hosts by a sunrpc scan of the 137.189 network

    Broke into the victim hosts via the amd (Berkeley Automounter Daemon) buffer overflow vulnerability

    Created a backdoor on port 2222 by starting a second instance of the inetd daemon

    Used the victim hosts to scan other networks


    35/53

    How Do They Hack In?

    Real Case Study II

    Hackers first located the victim hosts by scanning for BIND on port 53

    Identified the victim OS (a telnet probe)

    Set up a trap DNS daemon on the hackers' DNS server

    Made the victim hosts query the hackers' DNS server

    Broke into the victim hosts via a BIND buffer overflow

    Established backdoor accounts on the victim hosts

    Distributed, built, and operated an IRC bot (eggdrop)


    36/53

    Part 5: Firewalls


    37/53

    Fighting Back

    Get Your Security Profile

    Set Your Security Policy

    Build the Firewall


    38/53

    Get Your Security Profile

    Act as a hacker and try to break into your own host

    Port scan your host and see which network ports are open

    Figure out whether the versions of your host OS and software applications are vulnerable

    Can you (as the attacker) cover up your traces after a break-in? (Does your host have any monitoring or intrusion detection system?)

    Can you easily establish a backdoor after a break-in? (Have you built any firewall?)


    39/53

    Set Your Security Policy

    There is always a trade-off between security and convenience

    Identify your host services: shut down any unnecessary ports and build the kernel as minimal as possible

    Identify your target users, trusted hosts, and networks so that you can formulate your host access lists

    Set up your firewall: use private IP networks; use proxy servers


    40/53

    Set Your Security Policy

    Set up your monitoring and intrusion detection systems: COPS, Tripwire, tcpdump, SNMP

    Set up your operational rules, such as: read-only file system mounting; ssh login; sudo; restricted login shells

    Set up your recovery plan: recovery procedure and backup scheme


    41/53

    Build Your Firewall and IDS

    Control and monitor the traffic in and out of your network

    Block any unnecessary network connections from non-trusted hosts and networks

    Define your access rules according to your security policy

    Use packet filtering and application proxies

    Build a sniffer to monitor your internal network traffic


    42/53

    Firewall Architecture

    Dual-homed host architecture


    43/53

    Firewall Architecture

    Architecture using two routers


    44/53

    Firewall Architecture

    Architecture using a merged interior and exterior router


    45/53

    Build Your Firewall

    How it protects your network:

    Prevents port scanning

    Prevents DDoS attacks and IP spoofing originating from your host

    Blocks any unnecessary open network ports

    Increases the difficulty of creating a backdoor after a break-in

    Facilitates network monitoring and network intrusion detection


    46/53

    Firewall in IE Network

    Set your own filter rules at your host.

    Here is an example of how to use ipchains to block all TCP and UDP connections to your host from outside the IE network, except to port 80:

    ipchains -A input -s 0.0.0.0/0.0.0.0 -d your_host_ip/255.255.255.255 80 -i eth0 -p 6 -j ACCEPT
    ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
    ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j DENY

    Rules are tried in order and the first match decides. The first rule accepts TCP (-p 6) to your host's port 80 from any source; the second denies TCP connection requests (-y matches only segments with SYN set and ACK and FIN clear) from sources outside 137.189.96.0/22; the third denies all UDP (-p 17) from outside that network. A packet matching no rule falls through to the input chain's policy, so check it with ipchains -L input. ipchains is the Linux 2.2 firewall tool; iptables and later nftables replaced it.
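
The three rules above, modelled as an added example (this is not code from the slides or from ipchains itself): a first-match filter with the same -s, !, -d, -p and -y semantics, run over constructed sample packets. your_host_ip is assumed to be 137.189.97.10 (inside 137.189.96.0/22), the -i eth0 test is treated as always true, and the outside source addresses are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* First-match packet filter modelling the slide's three ipchains rules.
 * Assumptions (not on the slide): your_host_ip = 137.189.97.10, the -i eth0
 * interface test always holds, and "no rule matched" is reported as NO_MATCH
 * so the chain policy can be considered separately. */

enum verdict { ACCEPT, DENY, NO_MATCH };
enum proto { TCP = 6, UDP = 17 };

struct rule {
    uint32_t src, src_mask;  /* -s addr/mask */
    int      src_negate;     /* -s ! addr/mask */
    uint32_t dst, dst_mask;  /* -d addr/mask */
    int      dport;          /* destination port, -1 = any */
    int      proto;          /* -p 6 (TCP) or 17 (UDP) */
    int      syn_only;       /* -y: only TCP segments with SYN set and ACK clear */
    enum verdict target;     /* -j */
};

struct packet {
    uint32_t src, dst;
    int proto, dport;
    int syn, ack;            /* TCP flags; ignored for UDP */
};

static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int rule_matches(const struct rule *r, const struct packet *p)
{
    int src_in = (p->src & r->src_mask) == (r->src & r->src_mask);
    if (r->src_negate ? src_in : !src_in) return 0;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    if (p->proto != r->proto) return 0;
    if (r->dport != -1 && p->dport != r->dport) return 0;
    if (r->syn_only && !(p->proto == TCP && p->syn && !p->ack)) return 0;
    return 1;
}

/* ipchains semantics: rules are tried in order, the first match decides. */
enum verdict filter(const struct rule *rules, int n, const struct packet *p)
{
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].target;
    return NO_MATCH;   /* chain policy applies; ipchains' default input policy is ACCEPT */
}

#define NRULES 3
static void load_slide_rules(struct rule rules[NRULES], uint32_t your_host_ip)
{
    uint32_t ie_net = ip4("137.189.96.0"), ie_mask = ip4("255.255.252.0");
    /* ipchains -A input -s 0.0.0.0/0.0.0.0 -d your_host_ip/255.255.255.255 80 -i eth0 -p 6 -j ACCEPT */
    rules[0] = (struct rule){0, 0, 0, your_host_ip, 0xFFFFFFFFu, 80, TCP, 0, ACCEPT};
    /* ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y */
    rules[1] = (struct rule){ie_net, ie_mask, 1, 0, 0, -1, TCP, 1, DENY};
    /* ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j DENY */
    rules[2] = (struct rule){ie_net, ie_mask, 1, 0, 0, -1, UDP, 0, DENY};
}

/* Evaluate one packet against the slide's rule set (your_host_ip assumed). */
enum verdict decide(const char *src, const char *dst, int proto, int dport, int syn, int ack)
{
    struct rule rules[NRULES];
    load_slide_rules(rules, ip4("137.189.97.10"));
    struct packet p = {ip4(src), ip4(dst), proto, dport, syn, ack};
    return filter(rules, NRULES, &p);
}

int main(void)
{
    static const char *names[] = {"ACCEPT", "DENY", "no match (chain policy)"};
    const char *host = "137.189.97.10";
    printf("%-46s %s\n", "outside -> host TCP/80 SYN (web)",        names[decide("10.1.2.3", host, TCP, 80, 1, 0)]);
    printf("%-46s %s\n", "outside -> host TCP/22 SYN (new ssh)",    names[decide("10.1.2.3", host, TCP, 22, 1, 0)]);
    printf("%-46s %s\n", "outside -> host TCP/22 ACK (established)", names[decide("10.1.2.3", host, TCP, 22, 0, 1)]);
    printf("%-46s %s\n", "outside -> host UDP/53",                   names[decide("10.1.2.3", host, UDP, 53, 0, 0)]);
    printf("%-46s %s\n", "IE network -> host TCP/22 SYN",            names[decide("137.189.98.7", host, TCP, 22, 1, 0)]);
    printf("%-46s %s\n", "137.189.100.1 (outside /22) -> TCP/22 SYN", names[decide("137.189.100.1", host, TCP, 22, 1, 0)]);
    return 0;
}
```

The two "no match" rows are the ones to understand: a non-SYN TCP segment from outside and a SYN from inside the IE network match no rule and fall through to the input chain's policy, which ipchains leaves at ACCEPT unless changed with ipchains -P input DENY. That is deliberate for the -y rule: it blocks only new inbound connections, which is what lets the replies to your own outbound connections back in.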


    47/53

    Firewall Protection Services

    Network address translation (NAT)

    Packet filters

    Server publishing

    Stateful inspection

    (Diagram: LAN, firewall, Internet: protecting the internal network)


    48/53

    Protecting the Internal Network: Addressing Scheme

    Network address translation

    Private network addressing: hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3 sit behind the firewall, whose public address is 207.46.197.100

    NAT table entry for one outbound connection:

    Source IP        Source port   Target IP   Target port
    192.168.10.1     1033          Any         80          (inside the private network)
    207.46.197.100   1998          Any         80          (as seen on the Internet)

    NAT DNS zones


    49/53

    Filtering Protocols

    Filtering strategies: deny-all filter, allow-all filter

    (Diagram: traffic from the public network carrying SMTP, POP3, IMAP, FTP and Telnet arrives at the firewall; the firewall rules pass SMTP, POP3 and IMAP through to the private network, while FTP and Telnet do not appear on the private side.)


    50/53

    Concealing an IP Address

    Server publishing rule:

    Source   Destination                       Port
    Any      207.46.197.100 -> 192.168.10.3    TCP 3389

    (Diagram: Internet, router, firewall with public address 207.46.197.100; private hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3; a web server.)


    51/53

    Stateful Inspection

    (Diagram: client on the private network, firewall, public network.)

    Client sends a packet from UDP port 4444

    Response to UDP port 4444 = permitted

    Response to UDP port 5555 = denied
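
The NAT table from slide 48 and the stateful-inspection rule from slide 51, worked together as an added example (this is not code from the slides): outbound UDP datagrams create translation entries, and an inbound datagram is forwarded only when it matches one. The remote server addresses, the first translated port (1998, the slide's value) and the table size are constructed; the match here also requires the reply to come from the server the client contacted, which is stricter than the port-only check the slide draws.

```c
#include <stdint.h>
#include <stdio.h>

/* Addresses follow the slides: private hosts 192.168.10.x behind a firewall
 * whose public address is 207.46.197.100. The remote servers, the first
 * translated port and the table size are constructed for this example. */

struct endpoint { uint32_t ip; uint16_t port; };

struct flow {
    struct endpoint inside;   /* private source, e.g. 192.168.10.1:1033 */
    struct endpoint outside;  /* translated source, e.g. 207.46.197.100:1998 */
    struct endpoint remote;   /* server the client sent to */
};

#define MAX_FLOWS 32
struct firewall {
    uint32_t public_ip;
    uint16_t next_port;       /* next unused translated port */
    struct flow flows[MAX_FLOWS];
    int nflows;
};

static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int same(struct endpoint a, struct endpoint b)
{
    return a.ip == b.ip && a.port == b.port;
}

void fw_init(struct firewall *fw, uint32_t public_ip, uint16_t first_port)
{
    fw->public_ip = public_ip;
    fw->next_port = first_port;
    fw->nflows = 0;
}

/* Outbound datagram from the private network: reuse or create the NAT entry
 * and return the source as the Internet sees it (port 0 if the table is full). */
struct endpoint fw_outbound(struct firewall *fw, struct endpoint src, struct endpoint dst)
{
    for (int i = 0; i < fw->nflows; i++)
        if (same(fw->flows[i].inside, src) && same(fw->flows[i].remote, dst))
            return fw->flows[i].outside;
    if (fw->nflows == MAX_FLOWS)
        return (struct endpoint){0, 0};
    struct flow *f = &fw->flows[fw->nflows++];
    f->inside = src;
    f->remote = dst;
    f->outside = (struct endpoint){fw->public_ip, fw->next_port++};
    return f->outside;
}

/* Inbound datagram from the Internet. Stateful inspection: forward it only if
 * it answers a flow an inside client opened, i.e. it comes from the server
 * that client contacted and is addressed to that flow's translated port.
 * Returns 1 and sets *inside to the private destination, 0 when denied. */
int fw_inbound(const struct firewall *fw, struct endpoint from, struct endpoint to,
               struct endpoint *inside)
{
    if (to.ip != fw->public_ip)
        return 0;
    for (int i = 0; i < fw->nflows; i++) {
        const struct flow *f = &fw->flows[i];
        if (same(f->remote, from) && f->outside.port == to.port) {
            *inside = f->inside;
            return 1;
        }
    }
    return 0;
}

static void report(const char *what, int ok, struct endpoint in)
{
    if (ok)
        printf("%-48s permitted, delivered to 192.168.10.%u:%u\n",
               what, (unsigned)(in.ip & 0xFFu), (unsigned)in.port);
    else
        printf("%-48s denied\n", what);
}

int main(void)
{
    struct firewall fw;
    fw_init(&fw, ip4("207.46.197.100"), 1998);

    struct endpoint web_client = {ip4("192.168.10.1"), 1033};   /* slide 48 row */
    struct endpoint web_server = {ip4("198.51.100.20"), 80};    /* constructed */
    struct endpoint client     = {ip4("192.168.10.1"), 4444};   /* slide 51 client */
    struct endpoint server     = {ip4("203.0.113.9"), 53};      /* constructed */
    struct endpoint in = {0, 0};

    struct endpoint out = fw_outbound(&fw, web_client, web_server);
    printf("192.168.10.1:1033 -> :80 leaves as 207.46.197.100:%u\n", (unsigned)out.port);
    out = fw_outbound(&fw, client, server);
    printf("192.168.10.1:4444 -> :53 leaves as 207.46.197.100:%u\n", (unsigned)out.port);

    report("reply from server to the translated port", fw_inbound(&fw, server, out, &in), in);
    report("packet from server to port 5555",
           fw_inbound(&fw, server, (struct endpoint){fw.public_ip, 5555}, &in), in);
    report("packet from another host to the translated port",
           fw_inbound(&fw, (struct endpoint){ip4("192.0.2.77"), 53}, out, &in), in);
    return 0;
}
```

A real firewall also expires table entries after an idle timeout; without that, a mapping created by one outbound datagram stays open to the remote host indefinitely, which is the weak setting to look for when reviewing a stateful rule set.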


    52/53



    53/53

    Thank You