Dealing With Attackers - PowerPoint PPT Presentation

Slides: 33
Provided by: euclidNm
Learn more at: http://euclid.nmu.edu
Transcript and Presenter's Notes

1
Dealing With Attackers
  • Keeping Attackers Out
  • Fixing It When They Get In

2
Dealing With Attackers
  • Dr. Randy Appleton
  • Northern Michigan University
  • rappleto_at_nmu.edu

3
Denial of Service
  • Definition: Any attack that temporarily stops
    others from using the service.
  • Difficulty Rating: Not too hard; generally this
    can be done.

4
Why?
  • You're mad at the owner of the service.
  • You're a competitor of the service.
  • You're testing your technical abilities.
  • You're a jerk.

5
Destruction
  • Definition: Any attack that destroys data.
  • Difficulty Rating: Easy for a random target.
    Difficult if you have a particular victim.

6
Why?
  • You want to make them forget about you.
  • To cause them significant pain.
  • You're testing your technical abilities.
  • You're a jerk.

7
Embarrass
  • Definition: Any attack that makes the other
    person look like an idiot. Generally this means
    you change his web site for him.
  • Difficulty Rating: Highest.

8
Why?
  • Political reasons (Chinese human rights)?
  • Free someone from jail (New York Times)?
  • You're testing your technical abilities.
  • You're a rude jerk.

9
Steal Information
  • Definition: Any attack that gives you data.
  • Difficulty Rating: Doable if you don't have a
    specific target. Very difficult if you have a
    particular victim you want to attack.

10
Why?
  • You enjoy having a collection of credit card
    numbers.
  • You want to snoop on your professor's personal
    life.
  • You're a nosy jerk.

11
Who Are The Enemies
  • Outsiders
      • Random Attackers from the Internet
  • Insiders
      • Employees, Customers and People You Trust
  • Smart People
  • Script Kiddies

12
Script Kiddies
  • Script Kiddie: Script Kiddies are inexperienced
    hackers, in that they do not have much technical
    expertise in the field of hacking. Many times
    they download software from the Internet which
    does the hacking automatically. (Wikipedia.org)
  • Sometimes it's a local user
      • Upgrading to root
      • Causing damage
  • Sometimes it's a remote user

13
How to Be a Script Kiddie
  • Find an exploit script
      • Go to the Redhat Errata page.
      • Look up every bug using yahoo, google, or
        google groups.
      • Find a good-looking script.
  • Run the script
  • Have Fun
  • Get caught
  • Go to Jail.

14
Stopping Script Kiddies
  • Read the RedHat Errata page
  • Install every security update mentioned
  • Sleep Happily
  • Go to step one

15
Example Scripts
  • http://packetstorm.linuxsecurity.com/exploits100.html

16
Example Script
  • ping -I 'chmod ow .'
  • Worked before modutils-2-3-19
  • Works because the kernel issues /sbin/modprobe
    -s -k chmod ow .
  • Also http://euclid.nmu.edu/randy/Classes/CS426/Notes/sendmail-bug.html

17
Net Attack 1
  • Military Intelligence Asks When They Can Arrest
    My Fellow Prof
  • We Panic!
  • We Find Lots!
      • Some Log Entries
      • Some Modified Executables
      • One New Password Entry

18
What Happened
  • Students Went Wild!
  • We Talked To Attacker
  • Gave Everything to Military
  • Military Knew Nothing
  • They Won't Comment

19
Did They Catch Him?

20
Example 2
  • Apache Log Files Showed Attack
  • strauss.udel.edu - - [19/Mar/2000:21:58:21 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210 "-" "-"
  • strauss.udel.edu - - [21/Mar/2000:00:41:58 -0500] "POST /cgi-bin/sh HTTP/1.0" 404 204 "-" "-"
  • strauss.udel.edu - - [21/Mar/2000:01:26:13 -0500] "GET /cgi-bin/query?x3C212D2D236578656320636D643D222F7573722F62696E2F6964222D2D3E HTTP/1.0" 404 207 "-" "-"
  • strauss.udel.edu - - [21/Mar/2000:02:41:56 -0500] "GET /3C212D2D236578656320636D643D222F7573722F62696E2F6964222D2D3E/index.html HTTP/1.0" 404 241 "-" "-"
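
As an added illustration (this is not code from the slides or from Dr. Appleton), here is a Python script that parses the four log lines above, restated in Apache combined-log form with the bracketed timestamps restored, flags the cgi-bin probes, and decodes the long hex runs in the request paths so the analyst can see what was actually being sent. The regular expressions, the eight-byte minimum for a hex run, and the per-host tally are my own choices, not anything the slides specify.

```python
import re
from collections import Counter

# The four requests from the slide, restated in Apache combined-log form
# (bracketed timestamps restored); the hex payloads are exactly as logged.
SLIDE_LOG = [
    'strauss.udel.edu - - [19/Mar/2000:21:58:21 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210 "-" "-"',
    'strauss.udel.edu - - [21/Mar/2000:00:41:58 -0500] "POST /cgi-bin/sh HTTP/1.0" 404 204 "-" "-"',
    'strauss.udel.edu - - [21/Mar/2000:01:26:13 -0500] "GET /cgi-bin/query?x3C212D2D236578656320636D643D222F7573722F62696E2F6964222D2D3E HTTP/1.0" 404 207 "-" "-"',
    'strauss.udel.edu - - [21/Mar/2000:02:41:56 -0500] "GET /3C212D2D236578656320636D643D222F7573722F62696E2F6964222D2D3E/index.html HTTP/1.0" 404 241 "-" "-"',
]

# host ident authuser [date] "method path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Eight or more consecutive hex byte pairs (assumed threshold): long enough
# to be a smuggled payload rather than an ordinary file name.
HEX_RUN = re.compile(r'(?:[0-9A-Fa-f]{2}){8,}')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def decode_hex_runs(path):
    """Decode long hex runs in a request path that turn into printable ASCII."""
    decoded = []
    for run in HEX_RUN.findall(path):
        raw = bytes.fromhex(run)
        if all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode('ascii'))
    return decoded


def suspicious_requests(lines):
    """Flag cgi-bin probes and hex-smuggled server-side-include directives."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec['path'].startswith('/cgi-bin/'):
            reasons.append('cgi-bin probe')
        for text in decode_hex_runs(rec['path']):
            if text.startswith('<!--#'):
                reasons.append('hex-encoded SSI directive: ' + text)
        if reasons:
            findings.append({'host': rec['host'], 'time': rec['time'],
                             'path': rec['path'], 'status': rec['status'],
                             'reasons': reasons})
    return findings


def hosts_to_contact(findings):
    """Count findings per source host: who to notify, as the slides did with Delaware."""
    return Counter(f['host'] for f in findings)


if __name__ == '__main__':
    found = suspicious_requests(SLIDE_LOG)
    for f in found:
        print(f['time'], f['host'], f['status'], '|', '; '.join(f['reasons']))
    print(hosts_to_contact(found))
```

All four requests returned 404, so the server had neither the CGI programs nor server-side includes enabled; the value of the log is that it names the source host and the time window, which is exactly what the next slide lists as "What We Knew".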

21
What Happened
  • What We Knew
      • Which Computer
      • What Time/Date
      • Which Attacks
  • What We Did
      • Tell University of Delaware
      • Didn't Follow Up

22
Net Attack 3
  • Our Web Page Changed: "This Side Owned By Idiots"
  • Log Files Showed Nothing!
  • Yes, we looked.
  • Yes, we looked A LOT.
  • Solutions?

23
What Happened
  • We Reinstalled Everything.
      • The Whole OS
      • All the User Accounts
  • And That's No Fun
      • Destroyed a Week of My Life
      • Annoyed Users
      • Cost Me Some Reputation
  • We Got to Upgrade

24
The Letter
  • To whom it may concern,
  • I send you this e-mail because "whois 198.110.193.129"
    reports that the IP address belongs to Northern
    Michigan University.
  • One of the IP addresses in your authority domain
    has attempted to gain access to our server. Times
    are in PST. Please take appropriate action.
  • Excerpt from log file follows.
  • Kind regards,
  • Remco Douma
  • Cygno Solutions

25
The Log File
  • secure:Mar 30 05:38:10 merlin sshd[24281]: Illegal user jordan from ::ffff:198.110.193.129
  • secure:Mar 30 05:38:10 merlin sshd[24283]: Illegal user michael from ::ffff:198.110.193.129
  • secure:Mar 30 05:38:11 merlin sshd[24279]: Failed password for illegal user jordan from ::ffff:198.110.193.129 port 3251 ssh2
  • secure:Mar 30 05:38:11 merlin sshd[24285]: Illegal user michael from ::ffff:198.110.193.129
  • secure:Mar 30 05:38:12 merlin sshd[24281]: Failed password for illegal user jordan from ::ffff:198.110.193.129 port 3267 ssh2
  • secure:Mar 30 05:38:12 merlin sshd[24283]: Failed password for illegal user michael from ::ffff:198.110.193.129 port 3270 ssh2
  • secure:Mar 30 05:38:13 merlin sshd[24287]: Illegal user michael from ::ffff:198.110.193.129
  • secure:Mar 30 05:38:13 merlin sshd[24289]: Illegal user nicole from ::ffff:198.110.193.129

26
We Attack Someone
  • Remco Douma notices log entries
  • Looks up attacking IP number
  • Mails us the log files and a polite note
  • Didn't tell us IP of target machine.
  • We verify which machine
  • IP and MAC match
  • Student guilty .. or victim

27
Internal Attacker 1
  • Employee is angry with an e-company
  • He sets up a ping-flood
  • Northern's net is slow for a whole weekend
  • Their net-people find our IP, call lawyers
  • More lawyers
  • Solutions?

28
Internal Attacker 2
  • Student Angry with spammer.
  • He spams them through our server.
  • Our net guys notice a huge increase
  • Summary

29
Internal Attacker 3
  • Student is admin for Physics
  • They only have some technical clues.
  • Student about to be fired
  • Student changes one char in /etc/passwd
      • uucp:x:10:14:uucp:/var/spool/uucp:
      • uucp:x:0:14:uucp:/var/spool/uucp:
  • Solutions
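
An added Python example (not from the slides) of the check that catches this: parse /etc/passwd, report any uid-0 account that is not root, and diff the current file field by field against a saved known-good copy. The baseline file below is constructed; only the two uucp lines come from the slide, and the deleted "1" that turns uid 10 into uid 0 is the one-character change the slide describes.

```python
# Constructed baseline: a known-good copy of /etc/passwd saved earlier.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:
nobody:x:99:99:Nobody:/:/sbin/nologin
physadmin:x:500:500:Physics admin:/home/physadmin:/bin/bash
"""

# Constructed "after" state: the single deleted character from the slide
# turns uid 10 into uid 0, which makes "uucp" a second root account.
TAMPERED = BASELINE.replace('uucp:x:10:14:', 'uucp:x:0:14:')

FIELDS = ('passwd', 'uid', 'gid', 'gecos', 'home', 'shell')


def parse_passwd(text):
    """Parse passwd(5) lines into {name: fields}; malformed lines raise."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        parts = line.split(':')
        if len(parts) != 7:
            raise ValueError(f'line {lineno}: expected 7 fields, got {len(parts)}')
        name = parts[0]
        if name in entries:
            raise ValueError(f'line {lineno}: duplicate account {name!r}')
        entry = dict(zip(FIELDS, parts[1:]))
        entry['uid'] = int(entry['uid'])   # an empty shell field is legal; uid/gid are not
        entry['gid'] = int(entry['gid'])
        entries[name] = entry
    return entries


def extra_uid0(entries):
    """Any uid-0 account other than root is root under another name."""
    return sorted(name for name, e in entries.items() if e['uid'] == 0 and name != 'root')


def diff_passwd(baseline, current):
    """Field-level differences between two parsed passwd files."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes.append((name, 'removed', None, None))
        elif name not in baseline:
            changes.append((name, 'added', None, None))
        else:
            for field in FIELDS:
                old, new = baseline[name][field], current[name][field]
                if old != new:
                    changes.append((name, field, old, new))
    return changes


def audit(baseline_text, current_text):
    """Run both checks; an empty result means the file matches the baseline."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {'extra_uid0': extra_uid0(cur), 'changes': diff_passwd(base, cur)}


if __name__ == '__main__':
    print(audit(BASELINE, TAMPERED))
```

The uid-0 check works without any baseline, which matters when the "known-good" copy was itself made by the person you are now worried about; the diff adds the who-changed-what detail that a later conversation with the student (or the police) needs.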

30
Internal Attack 4
  • Inspection shows multiple simultaneous logins.
  • Inspection shows students sell dial-up
    access.
  • Solution?
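
An added Python example (not from the slides) of the inspection this slide describes: parse the output of `who` and report accounts with concurrent sessions from more than one remote host, which is what a sold or shared account looks like. The sample sessions are constructed, and the two-host threshold is my assumption.

```python
import re
from collections import defaultdict

# Constructed `who` output: one line per live session, remote host in parentheses.
WHO_OUTPUT = """\
alice    pts/0        2000-03-30 05:38 (198.110.193.129)
alice    pts/1        2000-03-30 05:40 (198.110.193.129)
bob      pts/2        2000-03-30 06:02 (dialup-17.example.edu)
bob      pts/3        2000-03-30 06:05 (dialup-41.example.edu)
bob      pts/4        2000-03-30 06:06 (dialup-63.example.edu)
carol    tty1         2000-03-30 07:15
"""

# user tty date time (host)  -- the host is absent for console logins
WHO_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<when>\S+ \S+)(?:\s+\((?P<host>[^)]*)\))?\s*$')


def parse_who(text):
    """Return one dict per session; console sessions get host 'local'."""
    sessions = []
    for line in text.splitlines():
        m = WHO_RE.match(line)
        if m:
            d = m.groupdict()
            d['host'] = d['host'] or 'local'
            sessions.append(d)
    return sessions


def shared_accounts(sessions, min_hosts=2):
    """Users logged in right now from at least min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[s['user']].add(s['host'])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


if __name__ == '__main__':
    for user, hosts in shared_accounts(parse_who(WHO_OUTPUT)).items():
        print(user, 'from', ', '.join(hosts))
```

Counting distinct hosts rather than sessions avoids flagging one person with two terminal windows open; for dial-up pools, where every call lands on a different host name, the same check run from cron over a day will separate a shared password from an unlucky redial.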

31
Working With Police
  • Police not stupid
      • Typically have someone with a clue
      • A police clue, not a geek clue.
  • Focuses on specific damages.
      • Monetary damages best.
      • There is an actionable lower limit.
  • Police care about moral crimes.

32
Conclusions
  • Don't Panic
      • It doesn't help
  • When In Doubt, Reinstall
      • It's the best idea
      • You get a free upgrade
  • Police can help
      • But not much
  • Lawyers Don't Sue
      • At least in my experience