INTEGRITY

1
INTEGRITY POLICY

• Leticia Nisbett
• Lauren Walters
• Andrew Yao

2
Overview

• Leticia Basic Integrity and Writing Policies to
  ensure integrity
• Lauren Access controls Security Models, and
  Integrity Tools
• Andrew Applications to Case Study and Examples

3
What is Integrity?

• Integrity is a VERY important security
  requirement
• Protecting your information is highest priority
• protecting integrity of your network is critical
  in ability to protect the information it
  contains.
• Can be defined in a number of ways..

4
How would you define Integrity?
5
Definitions of Integrity

• Integrity requires that computer system assets
  and transmitted information be capable of
  modification only by authorized parties.
• not modified by unauthorized persons
• not created by unauthorized persons

6
Integrity

• In cryptography and information security
• integrity refers to the validity of data.
• Integrity can be compromised in two main ways
• Malicious altering
• Attacker alters account number in a bank
  transaction
• Forging an identity document
• Accidental altering
• Transmission errors my name Leticia and u have
  a car
• Harddisk crash
• According to Wikipedia

7
Integrity 2

• In telecommunication, the term data integrity has
  the following meanings
• The condition in which data are identically
  maintained during any operation, such as
  transfer, storage, and retrieval.
• The preservation of data for their intended use.
• Specifically, data integrity in a relational
  database is concerned with three aspects of the
  data in a database
• Accuracy
• Correctness
• Validity
• according to Wikipedia

8
What happens if integrity is compromised?

• Modification is an attack on integrity
• Modification the data is changed, delayed or
  reordered to produce an unauthorized, undesired
  effect.
• A breach in the integrity of your network can be
  extremely costly in time and effort, and it can
  open multiple avenues for continued attacks.

9
Network Considerations

• When considering what to protect within your
  network, you are concerned with maintaining the
  integrity of
• the physical network
• your network software
• any other network resources
• your reputation
• This Integrity involves
• the verifiable identity of computers and users
• proper operation of the services that your
  network provides
• and optimal network performance
• all these concerns are important in maintaining a
  productive network environment.

10
Common Methods of Attack on Integrity

• The four methods of attack that are commonly used
  to compromise the integrity of a network
• Network packet sniffers
• IP spoofing
• Password attacks
• Application layer attacks

11
Network Packet Sniffers

• Network packet sniffers can yield critical system
  information, such as user account information and
  passwords.
• When an attacker obtains the correct account
  information, he or she has the run of your
  network.
• Worst-case scenario
• an attacker gains access to a system-level user
  account
• creates a new account that can be used at any
  time as a back door
• can modify system-critical files such as
• the password for the system administrator
  account
• the list of services and permissions on file
  servers
• the login details for other computers that
  contain confidential information.

12
Network Packet Sniffers 2

• Packet sniffers provide information about the
  topology of your network that many attackers find
  useful. such as
• what computers run which services
• how many computers are on your network
• which computers have access to others
• A network packet sniffer can be modified
• to interject new information
• change existing information in a packet.
• Attack can cause network connections to shut down
  prematurely, as well as change critical
  information within the packet.
• Imagine modification to the accounting system

13
IP Spoofing

• IP spoofing can yield access to user accounts and
  passwords, and it can also be used in other ways.
  
• Attacker emulates one of your internal users in
  ways that prove embarrassing for your
  organization
• Such attacks are easier when an attacker has a
  user account and password
• Are possible by combining simple spoofing attacks
  with knowledge of messaging protocols.
• Telnetting directly to the SMTP port on a system
  allows the attacker to insert bogus sender
  information.

14
Password Attacks

• A brute-force password attack can provide access
  to accounts that can be used to modify critical
  network files and services.
• Can compromise network's integrity
• Once an attacker gets the password and gains
  access to the system
• he can modify the routing tables for the network.
  
• attacker ensures that all network packets are
  routed to him or her before they are transmitted
  to their final destination

15
Application Layer Attacks

• Application Layer attacks can be implemented
  using several different methods.
• A common method is exploiting well-known
  weaknesses in software commonly found on servers,
  such as sendmail, PostScript, and FTP.
• By exploiting these weaknesses, attackers can
  gain access to a computer with the permissions of
  the account running the application
• usually a privileged system-level account

16
Application Layer Attacks

• Trojan horse attacks
• implemented using bogus programs that attacker
  substitutes for common programs.
• programs provide all functionality of a normal
  application or service
• also include other features that are known to
  the attacker
• programs can capture sensitive information and
  distribute it back to the attacker

17
Network considerations when defining security
policies

• Three main types of networks must be considered
  when defining a security policy
• Trusted
• Un-trusted
• Unknown.

18
Trusted Networks

• Networks inside your network security perimeter.
• Networks that you are trying to protect.
• Someone in the organization administers the
  computers that comprise these networks (most
  times)
• Organization controls their security measures.
• Usually, trusted networks are within the security
  perimeter.
• To set up firewall server
• explicitly identify the type of networks that are
  attached to the firewall server through network
  adapter cards
• After the initial configuration, the trusted
  networks include the firewall server and all
  networks behind it.
• One exception to this general rule is the
  inclusion of virtual private networks (VPNs)

19
Un-trusted Networks

• Networks known to be outside your security
  perimeter.
• Un-trusted because they are outside your control
• No control over the administration or security
  policies for these sites
• Private, shared networks from which you are
  trying to protect your network
• Still need and want to communicate with these
  networks although they are un-trusted.
• To set up the firewall server
• explicitly identify the un-trusted networks from
  which that firewall can accept requests

20
Unknown Networks

• Networks that are neither trusted nor un-trusted.
  
• Unknown quantities to the firewall because you
  cannot explicitly tell the firewall server that
  the network is a trusted or un-trusted
• Unknown networks exist outside your security
  perimeter
• By default, all non-trusted networks are
  considered unknown networks, and the firewall
  applies the security policy that is applied to
  the Internet node in the user interface, which
  represents all unknown networks.

21
Establishing a Security Perimeter

• When you define a network security policy, you
  must define procedures to safeguard your network
  and its contents and users against loss and
  damage.
• A network security policy plays a role in
  enforcing the overall security policy defined by
  an organization.

22
Establishing a Security Perimeter

• A critical part of an overall security solution
  is a network firewall
• monitors traffic crossing network perimeters
• imposes restrictions according to security
  policy.
• Perimeter routers are found at any network
  boundary
• between private networks, intranets, extranets,
  or the Internet.
• Firewalls most commonly separate internal
  (private) and external (public) networks.
• A network security policy focuses on controlling
  the network traffic and usage
• identifies a network's resources and threats
• defines network use and responsibilities
• details action plans for when the security policy
  is violated
• When a network security policy is deployed it
  should be strategically enforced at defensible
  boundaries within your network. These strategic
  boundaries are called perimeter networks.

23
Three Types of Perimeter Networks Exist
Outermost, Internal, and Innermost
24
Example Two-Perimeter Network Security Design
25
Developing Your Security Design

• The design of the perimeter network and security
  policies require certain subjects to be
  addressed.

26
Important considerations for defining a security
policy

• 1. Know your enemy
• 2. Count the cost
• 3. Identify any assumptions
• 4. Control your secrets
• 5. Human factors
• 6. Know your weakness
• 7. Limit the scope of access
• 8. Understand your environment
• 9. Limit your trust
• 10. Remember physical security
• 11. Make security pervasive

27
Know Your Enemy

• Know attackers or intruders.
• Consider who might want to circumvent your
  security measures
• Identify their motivations.
• Determine what they might want to do and the
  damage that they could cause to your network.
• Security measures can never make it impossible
  for a user to perform unauthorized tasks with a
  computer system they can only make it harder.
• The goal is to make sure that the network
  security controls are beyond the attacker's
  ability or motivation.

28
Count the Cost

• Security measures usually reduce convenience,
  especially for sophisticated users.
• Security can delay work and can create expensive
  administrative and educational overhead.
• Security can use significant computing resources
  and require dedicated hardware.
• When you design your security measures,
  understand their costs and weigh those costs
  against the potential benefits.
• To do that, you must understand the costs of the
  measures themselves and the costs and likelihood
  of security breaches. If you incur security costs
  out of proportion to the actual dangers, you have
  done yourself a disservice.

29
Identify Any Assumptions

• Every security system has underlying assumptions.
• For example, you might assume that your network
  is not tapped, that attackers know less than you
  do, that they are using standard software, or
  that a locked room is safe. Be sure to examine
  and justify your assumptions. Any hidden
  assumption is a potential security hole.

30
Control Your Secrets

• Most security is based on secrets.
• Eg. Passwords and encryption keys
• Too often, the secrets are not all that secret.
  The most important part of keeping secrets is in
  knowing the areas that you need to protect.
• What knowledge would enable someone to circumvent
  your system?
• You should jealously guard that knowledge and
  assume that everything else is known to your
  adversaries.
• The more secrets you have, the harder it will be
  to keep them all. Security systems should be
  designed so that only a limited number of secrets
  need to be kept.

31
Human Factors

• Many security procedures fail because their
  designers do not consider how users will react to
  them.
• Automatically generated nonsense passwords often
  written on the undersides of keyboards- difficult
  to remember
• A secure door that leads to the system's only
  tape drive is sometimes propped open- for
  convenience
• Unauthorized modems are often connected to a
  network to avoid onerous dial-in security
  measures- for expediency
• If security measures interfere with essential use
  of the system they will be resisted and perhaps
  circumvented.
• To get compliance, make sure users can get their
  work done, and must emphasize (sell) security
  measures to users. Users must understand and
  accept the need for security.

32
Human Factors 2

• Users can compromise system security, at least to
  some degree
• Passwords can be found out simply by calling
  legitimate users on the telephone claiming to be
  a system administrator, and asking for them.
• If your users understand security issues, and if
  they understand the reasons for your security
  measures, they are far less likely to make an
  intruder's life easier.
• At minimum
• Users should be taught never to release passwords
  or other secrets over unsecured telephone lines
  or e-mail
• Users should be wary of people who call them on
  the telephone and ask questions
• Some companies have implemented formalized
  network security training so that employees are
  not allowed access to the Internet until they
  have completed a formal training program

33
Know Your Weaknesses

• Every security system has vulnerabilities.
• You should understand your system's weak points
  and know how they could be exploited.
• You should also know the areas that present the
  greatest danger and should prevent access to them
  immediately.
• Understanding the weak points is the first step
  toward turning them into secure areas.

34
Limit the Scope of Access

• You should create appropriate barriers in your
  system so that if intruders access one part of
  the system, they do not automatically have access
  to the rest of the system.
• The security of a system is only as good as the
  weakest security level of any single host in the
  system.

35
Understand Your Environment

• Understanding how your system normally functions,
  knowing what is expected and what is unexpected,
  and being familiar with how devices are usually
  used will help you detect security problems.
• Noticing unusual events can help you catch
  intruders before they can damage the system.
  Auditing tools can help you detect those unusual
  events.

36
Limit Your Trust

• You should know exactly which software you rely
  on, and your security system should not have to
  rely on the assumption that all software is
  bug-free.

37
Remember Physical Security

• Physical access to a computer (or a router)
  usually gives a sufficiently sophisticated user
  total control over that computer.
• Physical access to a network link usually allows
  a person to tap that link, jam it, or inject
  traffic into it. It makes no sense to install
  complicated software security measures when
  access to the hardware is not controlled.

38
Make Security Pervasive

• Administrators, programmers, and users should
  consider the security implications of every
  change they make.
• Understanding the security implications of a
  change takes practice it requires lateral
  thinking and a willingness to explore every way
  that a service could potentially be manipulated.

39

• Ten suggested ways to improve the security of
  your computer!!!
• http//web.mit.edu/ist/topics/security/pamphle
  ts/tensteps.pdf

40
1. patch, Patch, PATCH!

• Set up your machine for automatic updates.
• For Windows
• Start MenugtControl PanelgtServicesgtWindows Update
  set to automatic
• For Macs
• System PreferencesgtSoftware Update set to
• daily or weekly.
• For Red Hat Linux, refer to
• http//mit.edu/ist/topics/Linux/rhn.html

41
2. Install anti-virus software.

• Install the appropriate version of the antivirus
  software for your computer.
• Set it to scan your files on a regular basis.
• software is available on ISTs Getting
  Started CD or at http//web.mit.edu/software

42
3. Choose strong passwords.

• Some suggestions for choosing strong passwords!!??

43
3. Choose strong passwords.

• Choose strong passwords by picking letter,
  number, and special characters to create a mental
  image or an acronym that is easy for you to
  remember.
• Change passwords regularly.
• Do not reuse your password among different
  accounts. Its bad if your email account is
  hacked, its even worse if its your email
  account AND your bank account.
• http//web.mit.edu/network/passwords.html

44
DEMO

• MAC Password Helper

45
4. backup, Backup, BACKUP!

• Backing up your data on a regular basis helps
  protect you from the unexpected.
• Ask yourself how many days of work you are
  willing to lose if your computer is compromised
  and the hackers decide to overwrite your disk
  space with their favorite movies and music.
• http//web.mit.edu/net-security/www/faq.htmlba
  ckup

46
5. Control access to your machine.

• Dont leave your machine unattended and logged
  on.
• Dont leave your PDA unattended in public places.
• Disable guest accounts, and delete unused
  accounts in a timely manner.
• More information on securing your Windows
  machine can be found at http//web.mit.edu/ist/top
  ics/windows

47
6. Use email safely.

• Filter your spam e-mail.
• Check with the sender when receiving unexpected
  attachments from people you know.
• Never open attachments from people you dont
  know.
• Always use your virus scanner on any attachment
  before opening it.
• MIT Spam Screening is described at
  http//web.mit.edu/ist/services/email/nospam

48
7. Use secure connections.

• Using a secure connection is essential. On the
  Internet your data is vulnerable unless you do
  something to protect it.
• For Linux, SSH and SCP are best for secure logins
  and secure file transfers.
• For Windows, use Filezilla and SecureFX for file
  transfers, Host Explorer and SecureCRT for secure
  remote logins.
• http//web.mit.edu/net-security/www/faq.htmlse
  cure-connections

49
8. Encrypt sensitive files.

• Sensitive data is frequently stored on your
  hard drives. Protecting the data can protect you
  from identity theft.
• Encrypt sensitive files.
• Have password-protected documents.

50
9. Use desktop firewalls.

• Apple Mac OS X and Microsoft Windows XP have
  basic desktop firewalls as part of their
  operating systems. It is recommended that users
  activate these firewalls unless there are known
  software conflicts.

51
10.Stay informed.

• To stay current with the latest developments
  for Windows, Macs, and nix systems, subscribe to
  the security-fyi mailing list by visiting
• http//mailman.mit.edu/mailman/listinfo/security-f
  yi

52
Access Controls

• Mandatory Access Control
• Discretionary Access Control
• Role-Based Access Control

53
Mandatory Access Control

• The MAC technique protects and contains computer
  processes, data, and system devices from being
  misused.

54
Mandatory Access Control

• Four modes of security operation
• Dedicated Security Mode
• All users can access ALL data.
• System-High Security Mode
• All users can access SOME data, based on their
  need to know.
• Compartmented Security Model
• All users can access SOME data, based on their
  need to know and formal access approval.
• Multilevel Security Mode
• All users can access SOME data, based on their
  need to know, clearance and formal access
  approval.

55
Discretionary Access Control

• DAC defines basic access control policies to
  objects at the discretion of the objects owner.
• MAC and DAC can be applied
• to the same file

56
Role-Based Access Control

• RBAC is an new alternative approach to MAC and
  DAC
• Access Control is determined by the job function,
  not the individual staff member.

57
Access Control

• In your opinion, which is the better method for
  access control?
• MAC,
• DAC,
• and/or RBAC

58
Security Models

• Security models are an important concept in the
  design and analysis of secure computer systems
• Examples of security models
• Information Flow Model
• Biba Security Model
• Clark-Wilson Model
• Chinese Wall Model
• The Bell-LaPadula Model

59
Information Flow Model

• The Information flow model is a variation of the
  access control model
• This model attempts to control the transfer of
  information from one object to another which is
  constrained by the two objects security
  attributes
• Information can flow to the same or higher level
  of security

60
The Biba Model

• The Biba Integrity Model describes read and write
  restrictions based on integrity classes of
  subject and objects
• Two main principles
• A subject can write to an object only if the
  integrity access class of the subject is larger
  than the integrity class of the object
• A subject can read an object only if the
  integrity access class of the subject is less
  than that of the integrity class of the object

61
The Biba Model
Layer of Higher Secrecy
Contaminated
Read
Write
Get Contaminated
Layer of Lower Secrecy
Simple Integrity Property
Integrity Star Property
Official (isc)2 Guide to the CISSP Exam
62
The Clark-Wilson Model

• The model address integrity requirements which
  are based on process and data integrity
• The model identifies three rules of integrity
• Unauthorized users should not make changes
• Authorized users should not make unauthorized
  changes
• The system should maintain internal and external
  consistency
• Enforce policies by
• Well-formed transactions
• Separation of duties

63
The Clark-Wilson Model

• Data
• Constrained data items (CDI)
• Unconstrained data items (UDI)
• Procedures
• Integrity verification procedure (IVP)
• Transformation procedure (TP)

64
Example of CW Model

1. Purchasing clerk creates an order for a supply,
   sending copies to the supplier and the receiving
   department.
2. Upon receiving the items, a receiving clerk
   checks the delivery and, if all is well, signs a
   delivery form. Then the delivery form and
   original order form will go to the accounting
   department.
3. Supplier sends an invoice to the accounting
   department. The accounting clerk will compare
   the invoice with the original order and delivery
   form and issues a check to the supplier.

65
Example of CW Model

• Users?
• Purchasing clerk
• Receiving clerk
• Supplier
• Accounting clerk
• Constrained Data?
• Order
• Delivery form
• Invoice
• check
• Transformation Procedures?
• Create order, Send order
• Create delivery form, Send delivery form, Sign
  delivery form
• Create invoice, Send invoice
• Compare invoice to order
• And so on

66
Tools

• Integrity Management Software
• Anti-Virus Software

67
Integrity Management Software

• Encryption is most commonly used for secrecy but
  it can also be used for integrity.
• Check for integrity by specifically utilizing
• Hash functions
• Digital Signatures
• File Size
• Example
• Tripwire Enterprise

68
Hash Functions

• A public function that maps a plaintext message
  of any length to a fixed length hash value
• Are used as an authenticator
• Pros
• Offers integrity
• Cons
• No confidentiality
• Examples
• CRC
• MD5
• SHA-1

69
Cyclic Redundancy Check

• CRC is a type of hash function that is utilized
  to create a checksum
• Useful for error detection, CRC cannot be relied
  upon to verify data integrity
• Example of Tools solely use CRC
• Crckit

70
Message-Digest Algorithm 5

• MD5 is a popular cryptographic function with a
  128-bit hash value
• Utilized in a variety of security applications
• Also commonly used for checking the integrity of
  files
• It is computationally unrealistic to find two
  messages that have the same message digest

71
Secure Hash Algorithm

• SHA is a set of related cryptographic hash
  functions
• SHA-1 is the most commonly used for a large
  variety of security applications and protocols
• SHA-1 is considered the successor to MD5

72
Digital Signatures

• Digital signatures also known as public-key
  digital signature is an encryption scheme
  utilizing public key cryptography
• This method has two complementary algorithms, one
  for signing and the other for verification, and
  the output of this process is a digital signature

73
Tripwire Enterprise

• http//www.tripwire.com/
• Captures a baseline of server file systems,
  desktop file systems, directory servers and
  network device configurations in a known good
  state, and then automatically performs integrity
  checks that compare current states against
  baselines to detect changes.
• Tripwire Demo

74
Examples of Integrity Management Software

• Advanced CheckSum Verifier (ACSV)
• Advanced Intrusion Detection Environment (AIDE)
• Cambia CM
• Crckit
• FileCheckMD5
• FTimes
• Hashdig
• Integrit
• Intrusec CM
• Jacksum
• LANGuard Security Integrity Monitor
• MD5 Hashing Utilities
• Md5deep
• Nabou
• NIST_Crc

• Radmind
• Samhain
• Secure Hash Signature Generator
• Sentinel
• Sha_verify
• Spidernet
• SysCheck
• Sysdiff
• Tripwire - Commercial
• Tripwire OpenSource
• Veracity System Integrity Assurance
• ViperDB
• Yafic
• Winalysis
• WinInterrogate
• Xintegrity

75
Anti-virus Software

• The techniques for detecting a virus include
• Checking unexpected increases in file size
• Noting changes in timestamps
• Sudden decreases in free space
• Calculating checksums
• Saving images on the internal control tables and
  noting unexplained changes

76
Examples ofAnti-virus Software

• AntiVir PersonalEdition Classic
• AVAST 4 Home Edition
• AVG Free Edition
• Bullguard Antivirus Software, Firewall and Backup
  
• Command Antivirus
• F-Prot Antivirus for Windows
• F-Secure
• Kaspersky Anti-Virus
• McAfee VirusScan 2006

• NOD32 Antivirus System v2.0
• Norton AntiVirus 2002
• Panda Titanium Antivirus 2004
• PC-cillin Internet Security 2004
• Platinum Internet Security 2005
• Rising AntiVirus
• Virex
• Windows Live OneCare

77
Case Study - Integrity

• Hamlet
• Being thus be-netted round with villanies,--
• I sat me down,
• Devised a new commission, wrote it fair
• He should the bearers put to sudden death.
• I had my father's signet in my purse,
• Which was the model of that Danish seal
• Subscribed it, gave't the impression, placed
  it safely,
• The changeling never known.

78
Case study - Attacks

• Attacks on integrity
• alter teleprompter speeches/ presentation
  slides
• alter scheduling
• alter voting results
• alter outgoing media reports
• attacker could be other media or
• outsider

79
Attackers

• The cold passed reluctantly from the earth, and
  the retiring fogs revealed an army stretched out
  on the hills, resting.
• - The Red Badge of Courage

80
Case study - Outside attacker

• Henry is a member of a small revolutionary
  anarchist group
• Assigned to disrupt the event using information
  warfare tactics.
• Attacks from an open wireless network at a public
  library.

81

• How you gonna call yourself a revolutionary and
  you aint got no poems?
• -Dewey

82
Case study - Attacker 1 recon

• Scan port 0-65535 with an aggressive stealth scan
  with OS and application fingerprinting.
• nmap -sS -F -P0 -O -T4 -v A p0-65535 event
  network address
• Starting nmap 3.50 ( http//www.insecure.org/nmap/
  )
• ...
• Interesting ports on contractor2.event.net
  (XX.227.165.100)
• (The 65535 ports scanned but not shown below are
  in state filtered)
• PORT STATE SERVICE VERSION
• 22/tcp open ssh OpenSSH 3.7.1p1 (protocol
  1.99)
• Running Linux 2.4.X
• OS details Linux 2.4.18 (x86)
• Uptime 316.585 days
• ...

83
Preventing recon

• Only open service on the network
• contractor left an SSH server running.
• How can we prevent the attacker from finding it?

84
Preventing recon contd

• At the firewall, prevent all incoming
  connections
• Use NAT so internal boxes are not Internet
  addressable
• Put a firewall between Ops and Organization in
  case a contractor is compromised or malicious.
• Policy that no one may run listening servers
  without IT authorization.

85
Finding vulnerabilities

• Henry looks up OpenSSH 3.7.1p1 on various
  security websites such as SecurityFocus BID and
  OSVDB.org.
• http//www.kb.cert.org/vuls/id/602204
• When PAM and SSHv1 are enabled, OpenSSH 3.7.1p1
  has a vulnerability that allows an attacker to
  login to any account by using a null password.

86
Exploiting OpenSSH

• psychegt ssh -1 root_at_ contractor2.event.net
• The authenticity of host contractor2.event.net
  (XX.227.165.212)' can't be established.
• RSA1 key fingerprint is 2dfb27e0abaddeadca
  febabe53022838.
• Are you sure you want to continue connecting
  (yes/no)? yes
• root_at_contractor2.event.net's password
• whoami
• root
• How could we prevent this?

87
Preventing OpenSSH Exploit

• How could we prevent this?
• Keep on top of patch management
• automated scan when they connect to the network
• Use PermitRootLogin no in sshd_config to
  prevent root login

88
Dictionary attack on SSH

• Henry uses hydra to attempt to do a dictionary
  attack and guess a users password.
• hydra -L names.txt -P passwords.txt
  contractor2.event.net ssh2
• Hydra v5.2 (c) 2006 by van Hauser / THC - use
  allowed only for legal purposes.
• DATA 400000 tasks, 1 servers, 400000 login
  tries (l1/p2), 1 tries per task
• DATA attacking service ssh2 on port 22
• STATUS attack finished for contractor2.event.net
  (waiting for childs to finish)
• 22ssh2 host XX.227.165.212 login test
  password trustno1

89
Preventing Dictionary Attack

• Unable to guess a password for root, but did get
  user test with password trustno1 (Fox
  Mulders password on The X-Files)
• How to prevent this attack?

90
Preventing Dictionary Attack contd

• Choose strong passwords on all accounts, not
  just root
• Enforceable by having IT people run hydra?
• Ban an IP address for some length of time after
  a certain number of failed attempts.

91
Privilege Escalation

• Henry has a user level shell on the contractors
  box.
• Inside the firewall, uses same dictionary attack
  technique to get a user account on the podium
  server.
• Wants to alter the presentations, but cant with
  current privileges.

92
Privilege Escalation

• uname -a
• Linux podium.event.net 2.4.18 3-i686-UP (034)
  i686 i386 GNU/Linux
• This is a relatively old kernel version, and
  there is a privilege escalation vulnerability in
  versions below 2.4.22.
• http//www.kb.cert.org/vuls/id/301156
• An integer overflow vulnerability in the brk
  system call.

93
Privilege Escalation

• He downloads and uses a publicly available
  exploit to get root privileges.
• As root, he subtly modifies the saved
  presentations for several presenters in an
  embarrassing way.
• How to prevent this?

94
Preventing Privilege Escalation

• Again patch management, even on computers which
  are supposedly safe because theyre inside the
  firewall
• Use Tripwire or other integrity checking programs
  to detect modifications to sensitive files
• But?
• Minimize set of programs which are setuid or run
  as root
• Backups on removable media

95
Attacking the Media LAN attacks

• Media share a wired network.
• Many network attacks available when on the same
  network.
• ARP poisoning to sniff or do MITM
• Alter or forge media reports
• http//en.wikipedia.org/wiki/ARP_spoofing

96
LAN attacks

• SSL not foolproof if MITM possible.
• Animation at http//crimemachine.com/Tuts/Flash/SS
  LMITM.html

97
Preventing LAN attacks

• Static ARP/Port Security
• But?
• Detect ARP poisoning with arpwatch
• But?
• Train them not to click through SSL warnings
• Media connect to home base with VPN

98
Social Engineering

• There was much food for thought in the manner in
  which he replied. He came near to convincing
  them by disdaining to produce proofs.
• -The Red Badge of Courage

99
Social Engineering

• http//en.wikipedia.org/wiki/The_Yes_Men
• Set up a fake WTO website. Invited to speak on
  behalf of the WTO at events, including a CNBC
  news program.
• Successfully impersonated a Dow Chemical
  spokesman on BBC television, at a London banking
  conference, and at Dows annual shareholder
  meeting
• In this case study, attacker could speak at
  event, or could fool the media into printing
  lies.
• How to prevent this?

100
Preventing social engineering

• Educate staff to authenticate people and data
• Run live tests with fake conmen

101
Case study conclusion

• Its about quality, yall.
• And mad loot for yours truly.