Internet - PowerPoint PPT Presentation

About This Presentation
Title:

Internet

Description:

Internet & Web Security Simson L. Garfinkel simsong_at_vineyard.net Simson L. Garfinkel Web Security & Commerce (With Gene Spafford) O Reilly & Associates, 1997 ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 38
Provided by: Simso2
Category:

less

Transcript and Presenter's Notes

Title: Internet


1
Internet Web Security
  • Simson L. Garfinkel
  • simsong_at_vineyard.net

2
Simson L. Garfinkel
  • Web Security Commerce
  • (With Gene Spafford) OReilly Associates, 1997
  • Practical UNIX and Internet Security
  • Garfinkel SpaffordOReilly Associates, 1997
  • Vineyard.NET, Inc.
  • July 1, 1995-

3
WARNING 1
  • Im not here to sell you anything. (No easy
    answers)

4
WARNING 2
  • I hate Power Point.

5
Internet Security Today 1/3
  • What are the main security-related problems on
    the Internet Today?
  • Hijacked web servers
  • Denial-of-Service Attacks
  • Unsolicited Commercial E-Mail
  • Operator Error, Natural Disasters
  • Microsoft...

6
Internet Security Today 2/3
  • What are not the major security-related problems?
  • Eavesdropped electronic mail.
  • (Misdirected email is a problem.)
  • (Email swiped from backup tapes is a problem.)
  • Sniffed credit card numbers.
  • (Credit card numbers stolen from databases is a
    problem.)
  • Hostile Java ActiveX applets.

7
Internet Security Today 3/3
  • So why does the press focus on the non-problems?
  • The real problems are old problems. (see
    Practical UNIX Security, 1991)
  • The real problems are hard to solve (Im not
    here to sell you anything.)
  • Netscape IPO (Netscape sells a product, not a
    service.)

8
Hijacked Web Servers

9
Hijacked Web Servers
  • FBI
  • August 17, 1996 - Attacks on the Communications
    Decency Act.
  • CIA
  • September 18, 1996 - Central Stupidity Agency
  • NetGuide Live
  • CMP Sucks.

10
Hijacked Web Servers
  • Attacker gains access and changes contents of web
    server.
  • Usually stunts.
  • Can be very bad
  • Attacker can plant hostile applets.
  • Attacker can plant data sniffers
  • Attacker can use compromised machine to take over
    internal system.

11
Hijacked Web Servers
  • Usually outsiders.
  • (Could be insiders masquerading as outsiders.)
  • Nearly impossible to trace.

12
How do they do it?
  • Administrative passwords captured by a password
    sniffer.
  • Utilize known vulnerability
  • sendmail bug.
  • Buffer overflow.
  • Use web server CGI script to steal /etc/passwd
    file, then crack passwords.
  • Mount the web servers filesystem.

13
How do you defend against it?
  • Patch known bugs.
  • Dont run unnecessary services on the web server.
  • Dont run sendmail
  • Use smap if possible.
  • Large sites may just after to suffer.

14
How do you defend? (2)
  • Never use telnet or ftp to access web server.
  • ssh/scp
  • stel
  • Security Dynamics SecureID
  • Digital Pathwayss SecureNet Key
  • (S/Key, Kerberos)

15
How do you defend? (3)
  • Practice good host security.
  • Dont run SunOS.
  • Use tools like SATAN, ISS, COPS, Tiger...
  • Monitor system for unauthorized changes.
  • Tripwire
  • Monitor system for signs of penetration
  • Intrusion detection systems

16
How do you defend? (3)
  • Make frequent backups.
  • Have a hot spare ready.
  • Monitor your system frequently.

17
Denial-of-Service Attacks

18
Denial-of-Service
  • Publicity is almost as good as changing
    somebodys web server.
  • Attack on PANIX
  • Attack on CyberPromotions
  • Costs real money
  • Lost Sales
  • Damage to reputation

19
Kinds of Denial-of-Service Attacks
  • Direct attack attack the machine itself.
  • Indirect attack attack something that points to
    the machine.
  • Reputation attack attack has nothing to do with
    the machine, but references it in some way.

20
Direct Denial-Of-Service Attack
  • Send a lot of requests (HTTP, finger, SMTP)
  • Easy to trace.
  • Relatively easy to defend against with TCP/IP
    blocking at router.

21
Direct Denial-Of-Service Attack 2
  • SYN Flooding
  • Subverts the TCP/IP 3-way handshake
  • SYN / ACK / ACK
  • Hard to trace
  • Each SYN has a different return address.
  • Defenses now well understood
  • Ignore SYNs from impossible addresses.
  • Large buffer pools (10 ? 1024)
  • Random drop, Oldest drop.

22
Direct Denial-Of-Service Attack 2
  • SYN Flooding 2
  • Most machines are not protected.

23
Indirect Denial-Of-Service Attack
  • Attack DNS
  • http//www.vineyard.net/ ? 204.17.195.200
  • DNS spoofing (hard)
  • Upstream DNS server (easier)
  • InterNIC (easy!)

24
Indirect Denial-Of-Service Attack
  • Attack Routing
  • Attack routers (hard)
  • Inject bogus routes on BGP4 peering sessions
    (easy)
  • Accidents have been widely reported.
  • Expect to see an actual BGP4 attack sometime this
    year.

25
Reputation-based Denial-Of-Service Attack
  • Spoofed e-mail To everybody_at_AOL.COM From
    astrology_at_mail.vineyard.net Subject Call
    Now! Hello. My name is Jean Dixon
  • We got 3.9MB of angry responses.

26
Unsolicited Commercial E-Mail

27
Unsolicited Commercial E-Mail
  • Pits freedom-of-speech against right of privacy.
  • Consumes vast amounts of management time.
  • Drain on system resources.

28
Who are the bulk-mailers?
  • Advertising for Internet neophytes.
  • Advertising for sexually-oriented services.
  • Advertising get-rich-quick schemes.
  • Advertising bulk-mail service.

29
How do they send out messages?
  • Send directly from their site.
  • Send through an innocent third party.
  • Coming soon
  • Sent with a computer virus or ActiveX applet

30
How did they get my e-mail addresses?
  • Usenet Mailing list archives.
  • Collected from online address book.
  • AOL registry.
  • University directory.
  • Guessed
  • Sequential CompuServe addresses.
  • Break into machine steal usernames.

31
Operator Error Natural Disasters

32
Operator Error Natural Disasters
  • Still a major source of data loss.
  • Hard to get management to take seriously.
  • Not sexy.
  • Preparation is expensive.
  • If nothing happens, money seems misspent.

33
Operator Error
  • Accidentally delete a file.
  • Accidentally install a bad service.
  • Accidentally break a CGI script.
  • Psychotic break.

34
Natural Disaster
  • Fire
  • Flood
  • Earthquake

35
Solutions
  • Frequent Backups
  • Backup to high-speed tape.
  • Real-time backup to spare machines.
  • Make sure some backups are off-site.
  • Recovery plans.
  • Recovery center.
  • Test your backups plans!

36
Microsoft

37
Microsoft
  • Danger of homogeneous environment.
  • No demonstrated commitment to computer security.
  • Windows 95 is not secure.
  • Word Macro Viruses.
  • ActiveX
  • SMB
  • Windows NT ?
Write a Comment
User Comments (0)
About PowerShow.com