PowerPoint presentation. Author: Prafulla. Last modified by: Akshai Aggarwal. Created: 3/28/2002.

1
  • "The advanced exploration of computer systems is commonly referred to as hacking."
  • -- from "Hackers: a Canadian police perspective"
  • Part I
  • Reference: http://www.rcmp-grc.gc.ca/crim_int/index_e.htm

2
Security Attacks/Threats
  • These are actions that compromise the security of information owned or transferred by an entity. Attacks can take one of four forms:
  • Interruption
  • Interception
  • Modification
  • Fabrication

3
Types of Attacks/Threats
  [Figure: information flowing from the information source to the destination. (a) Normal flow; (b) Interruption; (c) Modification; (d) Fabrication; (e) Interception. In (b) to (e) an intruder (I) sits on or beside the flow.]
4
Active and Passive Attacks
 
5
Active Attacks
  • A passive attack can only observe communications or data. Example: Interception (also called eavesdropping or passive wiretapping).
  • An active attack can actively modify communications or data.
  • Often difficult to perform, but very powerful.
  • Mail forgery/modification
  • TCP session hijacking / IP spoofing
  • Examples: Interruption, Modification (also called active wiretapping), Fabrication.
  • Types of active attacks: masquerade, replay, modification and denial of service.

6
Types of Intruders
  • Intrusion by a:
  • Masquerader: one who is not authorized to use a computer system, but who penetrates it and uses a legitimate user's account.
  • Misfeasor: a legitimate user who accesses data, programs or resources for which he is not authorized, or a legitimate user who misuses his access privileges.
  • Clandestine user: one who seizes supervisory control and uses it to evade access and audit controls or to suppress the audit trail.
  • A masquerader is an outsider, a misfeasor is an insider, and the clandestine user can be either an insider or an outsider.

7
Why do they attack?
  • The attacker may attack
  • - taking it as an intellectual challenge
  • - to have thrills by seeing reports of his exploits in the public media.
  • But a large majority of attacks are by foot-soldiers, called script kiddies, who use attacks discovered, designed and implemented by someone else. The script kiddies simply download the script and launch the attack, without understanding anything.
  • Or - they may be indulging in espionage for financial gain.

8
Survey Type of attacks
  • FBI/CSI Survey of 2002
  • - 80% of respondents acknowledged financial loss due to intrusion
  • - Only 34% reported the intrusions to police
  • - 74% found misfeasors
  • - 40% detected DoS attacks
  • Reference: Annual FBI/Computer Security Institute Survey, http://www.gocsi.com/press/20020407.html

9
Hackers METHODS
  • Port scan: to find, for the target,
  • - which ports/services are running
  • - the O/S
  • nmap
  • - scans the target's ports (all 65535 of them if asked)
  • - guesses the operating system (please refer to the paper by Fyodor to understand the methods used; they depend upon the special features of each OS's TCP/IP stack)
  • Reference: 1. Fyodor, "Remote OS detection via TCP/IP Stack FingerPrinting", June 2002, available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html
  • 2. Stephen Northcutt and Judy Novak, Network Intrusion Detection: An Analyst's Handbook, pp 81-85
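The scan described on this slide, as an added example that is not part of the original presentation (editor's Python, not nmap's code): a TCP connect scan of a list of ports with banner grabbing, which is what nmap's -sT scan automates. So that it runs offline it starts its own throwaway service on 127.0.0.1; that service, its "220 demo-ftp" banner, the helper that reserves a closed port and the port numbers are all constructed for the demo.

```python
import socket
import threading

# Added example (editor's code, not from the slides): a minimal TCP connect
# scanner with banner grabbing. The target service is started locally so the
# scan works without network access; the banner text is constructed.

def start_demo_service(banner=b"220 demo-ftp ready\r\n"):
    """Start a throwaway TCP service on 127.0.0.1 on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener was closed: stop serving
                return
            with conn:
                conn.sendall(banner)   # announce ourselves, as FTP/SMTP daemons do

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Bind a port without listen(): connections to it are refused, so the
    scanner sees a closed port without guessing one (constructed helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """Return {port: (state, banner)}; state is 'open' or 'closed/filtered'."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))    # completes the three-way handshake (nmap -sT)
        except OSError:                # refused or timed out: closed or filtered
            results[port] = ("closed/filtered", b"")
            s.close()
            continue
        try:
            banner = s.recv(256)       # many services identify themselves unprompted
        except OSError:
            banner = b""
        finally:
            s.close()
        results[port] = ("open", banner.strip())
    return results


if __name__ == "__main__":
    listener, open_port = start_demo_service()
    holder, closed_port = reserve_closed_port()
    for port, (state, banner) in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp {state} {banner.decode(errors='replace')}")
    listener.close()
    holder.close()
```

A connect scan is the noisiest option: every probe completes a handshake and shows up in the target's logs, which is why nmap defaults to a half-open (SYN) scan when run with raw-socket privileges.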

10
Hackers Methods cont.
  • 2. Toolkits provided by manufacturers so that other products can be made compatible with theirs. These may be used to discover the vulnerabilities of the product.
  • 3. Wireless nets: AirMagnet from AirMagnet Inc., Observer from Network Instruments, Wireless Security Analyzer from IBM
  • can check whether a wireless network can be accessed by outsiders.
  • (www.guerilla.net/freenets.html contains a list of access points, by city, that can be accessed by anyone.
  • In 2002 Chris O'Ferrell, a security consultant, was able to connect to the Pentagon wireless net from outside the building.)

11
Impersonation Methods
  • Guess the ID and password of an authorized user
  • - by guessing passwords
  • - by using the default passwords shipped with a system by its manufacturer (many administrators fail to disable the defaults)
  • Example: SNMP uses a community string as the password for the community of devices that can interact with one another. Many administrators forget to change the default community string installed on a (new) router/switch.
  • - by overflow: in some ill-designed systems, authentication may be foiled by overflowing the password buffer (if the password overflows, the system may assume that authentication succeeded)

12
Impersonation Methods continued
  • by non-existent authentication. In Unix, the file .rhosts lists the trusted hosts and users who can log in with rlogin without authentication.
  • A user may log in to one system as a guest, to access public information, and through this host he may connect to a trusted host.

13
Impersonation A
few Definitions
  • Impersonation vs. Spoofing
  • Impersonation: (mis)representing an authorized entity during communication on a net.
  • Spoofing: a hacker spoofs when he falsely carries on one side of the exchange between two parties.
  • Masquerade of a site: an example
  • xxx.com may be the bank's official site.
  • A hacker registers x_xx.com and asks clients to visit that site. Thus passwords and PINs may be collected for misuse.

14
Impersonation A few Definitions
cont.
  • Session Hijacking: an example
  • A customer may select books on Amazon.com.
  • When it comes to taking the order and making the payment, Amazon.org may hijack the session.
  • Man-in-the-middle Attack vs. Session Hijacking
  • Man-in-the-middle is wire-tapping actively from the beginning,
  • whereas a session hijacker takes over after part of the session is over.

15
Examples of Attacks
  • Buffer Overflow
  • Dot-Dot and constrained environment
  • Server-side include problem
  • Incomplete Mediation
  • Time-of-check to Time-of-use
  • DoS and DDoS
  • Misuse of Active Code

16
Buffer Overflow
  • All programming languages set aside a specific area in memory for every variable.
  • For example
  • char addr[10]
  • sets aside 10 bytes for the array.
  • If someone were to give addr an input which is larger, it may overflow into some other area. This area may have been allocated to
  • - User data
  • - User's program code
  • - System data
  • - System program code

17
Buffer Overflow cont.
  • Overwriting user data may affect the program's result, but will not affect any other program.
  • Overwriting the user's program: if an instruction that has already been executed (and is not to be executed again) is overwritten -> no effect.
  • - Otherwise, if the bytes that have been overwritten do not form a valid instruction, the program is stopped (illegal instruction exception).
  • - Otherwise the user program gives wrong output.
  • Overwriting system data/program: results similar to the ones for user data/program, but it may affect all the users, since system data and programs are used by every user on the machine.

18
Buffer Overflow Usual Buffer Overflow
Attacks
  • The attacker may supply input data that lies close to system code. Thus he may be able to get into the O.S., which has the highest privileges.
  • He may overwrite the return address saved on the stack, so that the function returns into a part of the hacker's code which may have been placed earlier.
  • Passing parameters through a URL
  • Consider http://www.website.com/xxx/userinput?parm1=(519)253-3000&parm2=2003Mar20
  • If, instead of parm1 and parm2, a 500- or 100-digit value is introduced, it could cause a problem in the web system.
  • Reference: IIS 4.0 remote overflow exploit, http://spisa.act.uji.es/spi/progs/codigo/ftp.technotronic.com/microsoft/iishack.asm
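An added example (editor's Python, not from the slides) that makes the overflow of slides 16-18 observable without a native toolchain: a C-style login record is laid out in memory with ctypes, with a 10-byte password field sitting directly before an "authenticated" flag, and an unbounded strcpy-style copy runs past the field and sets the flag. That is the password-overflow failure slide 11 mentions. The struct layout, the real password and the payload are assumptions made for the demo; the copy is clamped to the struct's own size so the interpreter itself is never corrupted.

```python
import ctypes

# Added example (editor's code, not from the slides). The layout below models
#     struct { char password[10]; int authenticated; }
# in a C login routine. Everything here is constructed for the demo.

class LoginFrame(ctypes.Structure):
    _fields_ = [("password", ctypes.c_char * 10),   # char password[10];
                ("authenticated", ctypes.c_int)]     # int  authenticated;  (sits right after)

REAL_PASSWORD = b"s3cret"   # constructed secret


def copy_unbounded(frame, data):
    """strcpy-like: copies every byte of data into the password field, ignoring
    the field's size. Clamped to the struct so the overflow stays inside the
    demo object rather than trampling the Python heap."""
    n = min(len(data), ctypes.sizeof(LoginFrame))
    ctypes.memmove(ctypes.addressof(frame) + LoginFrame.password.offset, data, n)


def copy_bounded(frame, data):
    """strncpy-like with an explicit bound: at most 9 bytes, leaving room for the NUL."""
    frame.password = data[:9]


def login(supplied, copier):
    """Return True if the caller ends up authenticated after the copy."""
    frame = LoginFrame()                 # zero-initialised: authenticated == 0
    copier(frame, supplied)
    if frame.password == REAL_PASSWORD:  # ctypes returns the bytes up to the first NUL
        frame.authenticated = 1
    return bool(frame.authenticated)


def overflow_payload():
    """Filler up to the flag's offset, then a non-zero int written over 'authenticated'."""
    filler = b"A" * LoginFrame.authenticated.offset
    return filler + (1).to_bytes(ctypes.sizeof(ctypes.c_int), "little")


if __name__ == "__main__":
    print("wrong password, bounded copy  :", login(b"guess", copy_bounded))            # False
    print("wrong password, unbounded copy:", login(b"guess", copy_unbounded))          # False
    print("overflow payload, unbounded   :", login(overflow_payload(), copy_unbounded))  # True
```

The flag is one example of what lies past the end of a buffer; on a real stack the same copy reaches the saved return address, which is the case described above.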

19
Buffer Overflow An Example
U.S. Army Web Server Attacked
  • Buffer overflow attack: a web server was attacked using a URL that was 4 KB in length.
  • (Reference: eWeek, March 18, 2003)
  • The machine was compromised.
  • It began mapping the network around it, looking for other vulnerable machines.
  • It then started sending the results of its mapping to a remote machine through TCP port 3389, using Terminal Services.

20
Dot-Dot and constrained environment
  • To prevent an attack, external users who approach through the Internet may be put in a constrained environment.
  • A constrained environment: one where a user is allowed to use only specified and limited system resources.
  • Accordingly the server may begin processing a user's program in a particular directory sub-tree which contains everything the server needs.

21
Dot-Dot and constrained environment (cont..)
  • But in both Unix and Windows, ".." is the directory indicator for the parent (predecessor) directory.
  • Cerberus discovered the following fault in MS Index Server:
  • passing the following URL to the web server
  • http://url/null.htw?CiWebHitsFile=/../../../../../winnt/system32/autoexec.nt
  • a user is able to get the server's autoexec.nt file, which lies outside the web tree.
  • Now the hacker may modify it!
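An added example (editor's Python, not from the presentation) of the check a web server needs against the dot-dot request above: the requested path is URL-decoded, joined to the document root, canonicalised, and rejected if it resolves outside the root. The document root is a temporary directory and the probe paths, including the Index Server one from the slide, are constructed inputs.

```python
import os
import tempfile
from urllib.parse import unquote

# Added example (editor's code, not from the slides): confine URL paths to the
# document root so ".." can never walk out of the constrained sub-tree.

def resolve_under_docroot(docroot, url_path):
    """Map url_path onto docroot; raise PermissionError if it escapes the root."""
    root = os.path.realpath(docroot)
    decoded = unquote(url_path)            # %2e%2e -> ..   (decode BEFORE checking)
    decoded = decoded.replace("\\", "/")   # Windows accepts either separator
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath has collapsed every ".." and followed symlinks; the result must
    # still lie under root, otherwise the request walked out of the tree
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"traversal rejected: {url_path!r} -> {candidate}")
    return candidate


def classify(docroot, url_paths):
    """Return {url_path: True if it would be served, False if rejected}."""
    out = {}
    for p in url_paths:
        try:
            resolve_under_docroot(docroot, p)
            out[p] = True
        except PermissionError:
            out[p] = False
    return out


def make_demo_root():
    """A throwaway directory standing in for the web server's document root (constructed)."""
    return tempfile.mkdtemp(prefix="docroot-")


PROBES = [
    "/index.html",                                  # legitimate request
    "/../../../../../winnt/system32/autoexec.nt",   # the Index Server request from the slide
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",             # the same idea, URL-encoded
    "/..\\..\\windows\\win.ini",                    # backslash variant
]

if __name__ == "__main__":
    for path, served in classify(make_demo_root(), PROBES).items():
        print("served  " if served else "rejected", path)
```

Checking the decoded and canonicalised path, rather than looking for the literal string "..", is what defeats the encoded and backslash variants; a string match on the raw URL would pass two of the three bad probes.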

22
Dot-Dot and constrained environment (cont..)
  • Solution: the web server should have no editors, telnet programs or other utilities.
  • But the code and data for web applications will then have to be transferred manually to the server, or may have to be pushed as a raw image. The webmaster may not like it.

23
Server-side include problem
  • EXAMPLE: the "contact us" part of a web page includes commands which are supposed to be given by the server.
  • Hence such commands may be accepted by the system without any scrutiny. These commands may be placed in the HTML.
  • A hacker may use this facility to modify the command, e.g. to telnet in and gain access rights which he should not have.

24
  • "Good judgment is the result of experience,
  • and experience is the result of poor judgment."

25
Examples of Attacks
Slide 15 again
  • Buffer Overflow
  • Dot-Dot and constrained environment
  • Server-side include problem
  • Incomplete Mediation
  • Time-of-check to Time-of-use
  • DoS and DDoS
  • Misuse of Active Code

26
Incomplete Mediation
  • ACCEPTING DATA FROM A USER IN A WEB FORM: the system may put checks for valid data in the form, to screen out erroneous data.
  • After taking the values from the user, the program generates the URL line based on the validated data.
  • But the hacker can edit the URL generated by the program and resend it. The web server cannot differentiate between an edited URL and a system-generated URL.
  • Such a system is said to have incomplete mediation.

27
Application code Errors Example of wrong code
  • Assume that a client selects book 1 from page 4 of the web site of books.com and then moves to another page. Assume that the book costs $69.
  • The web server may pass the following string to the client:
  • http://www.books.com/page4?isbn1=0849308887&p1=6900
  • Then the client selects book 2 from page 7. It costs $129.
  • The web server passes to the client:
  • http://www.books.com/page7?isbn1=0849308887&p1=6900&isbn2=3540002235&p2=12900

28
Application code Errors Example
of wrong code (cont)
  • The malicious client may change the string to 1900 for both p1 and p2 before clicking "order". He may get both the books for $38 only.
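The books.com order above, as an added example (editor's Python, not from the slides): the server that trusts the p1/p2 values in the URL is shown beside one that prices every line from its own catalogue and merely logs the client-supplied figure. The catalogue, the prices in cents and the two URLs are constructed from the slide's numbers.

```python
from urllib.parse import urlparse, parse_qs

# Added example (editor's code, not from the slides): complete vs. incomplete
# mediation of an order carried in the query string. Catalogue is constructed.

CATALOG = {"0849308887": 6900, "3540002235": 12900}   # ISBN -> price in cents


def parse_order(url):
    """Extract [(isbn, client_price_cents), ...] from isbn1/p1, isbn2/p2, ... parameters."""
    qs = parse_qs(urlparse(url).query)
    items, i = [], 1
    while f"isbn{i}" in qs:
        items.append((qs[f"isbn{i}"][0], int(qs[f"p{i}"][0])))
        i += 1
    return items


def total_trusting_client(url):
    """Incomplete mediation: the values were checked when the form was filled,
    but the URL that comes back is taken at face value."""
    return sum(price for _, price in parse_order(url))


def total_server_side(url):
    """Complete mediation: price every line from the catalogue.
    Returns (authoritative_total, tampered) so the mismatch can be logged."""
    total, tampered = 0, False
    for isbn, client_price in parse_order(url):
        if isbn not in CATALOG:
            raise ValueError(f"unknown ISBN {isbn}")
        real = CATALOG[isbn]
        if client_price != real:
            tampered = True          # the client edited the URL; worth an alert
        total += real                # the client's number never enters the sum
    return total, tampered


ORIGINAL = "http://www.books.com/page7?isbn1=0849308887&p1=6900&isbn2=3540002235&p2=12900"
TAMPERED = "http://www.books.com/page7?isbn1=0849308887&p1=1900&isbn2=3540002235&p2=1900"

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED))   # 3800
    print("server-side    :", total_server_side(TAMPERED))       # (19800, True)
```

The general rule the example illustrates: anything the client can edit (query string, hidden form field, cookie) is input, and must be re-validated on every request, not just when it was first produced.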

29
Time-of-check to Time-of-use (TOCTTOU)
  • Every OS has access control. A file may be presented by a valid user, who can be authenticated, together with a valid job to be done.
  • While the OS is checking the authorization, the file remains in the user's area. So the user may modify the file, inserting malicious commands. The OS comes back after the check and allows the file to be processed.
  • And the malicious commands may be executed!
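An added example (editor's Python, not from the slides) of the race just described: a job file is checked for permitted commands and then read again for use, and a user who rewrites the file between the two steps gets unchecked commands through; the fixed version checks and uses the same bytes. Nothing is executed, the "use" step only returns the command list. The job file, the command whitelist and the attacker hook are constructed for the demo.

```python
import os
import tempfile

# Added example (editor's code, not from the slides): a TOCTTOU race on a
# user-supplied job file, and the fix. The "attacker" callback models the
# window between check and use. All inputs are constructed.

ALLOWED = {"echo", "cat", "ls"}      # commands the job file is permitted to contain


def commands_permitted(text):
    return all(line.split()[0] in ALLOWED
               for line in text.splitlines() if line.strip())


def run_job_vulnerable(path, attacker=None):
    with open(path) as f:                       # time of check
        if not commands_permitted(f.read()):
            raise PermissionError("rejected at check")
    if attacker:
        attacker(path)                          # the window: file is still in the user's area
    with open(path) as f:                       # time of use: re-reads whatever is there NOW
        return f.read().splitlines()


def run_job_fixed(path, attacker=None):
    with open(path) as f:
        text = f.read()                         # read once ...
    if attacker:
        attacker(path)                          # ... so later edits to the file cannot matter
    if not commands_permitted(text):            # check the copy ...
        raise PermissionError("rejected at check")
    return text.splitlines()                    # ... and use the very same copy


def swap_in_malicious(path):
    """What the user does between check and use (constructed)."""
    with open(path, "w") as f:
        f.write("rm -rf /\n")


def make_job_file(text="echo hello\n"):
    fd, path = tempfile.mkstemp(prefix="job-")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


if __name__ == "__main__":
    print(run_job_vulnerable(make_job_file(), swap_in_malicious))   # ['rm -rf /']
    print(run_job_fixed(make_job_file(), swap_in_malicious))        # ['echo hello']
```

The fix generalises: validate the object you are going to act on (the bytes already read, or an open file descriptor via fstat), never a name that the user can re-point while you are not looking.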

30
Denial of Service Attacks
  • ECHO-CHARGEN: chargen (port 19) is a service that generates an endless stream of characters, and echo (port 7) sends back whatever it receives. If a hacker continuously sends such packets to a server (or spoofs packets so that the two services feed each other), the server is kept busy responding to them.
  • Ping flood ("Ping of Death" on the slide): an attacker on a wide-bandwidth net can overwhelm a victim machine on a smaller-bandwidth net by sending a large number of ping messages. (Strictly, the Ping of Death is a single oversized ICMP packet that crashes a vulnerable IP stack; a stream of ordinary pings is a ping flood.)
  • SMURF: spoofs an ICMP echo request so that it appears to come from the victim, and broadcasts it on a large net. All hosts on that net send their echo replies to the victim.

31
SYN Flood
  • SYN_RECV queue
  • usually designed (at the time) to have only 10-20 entries
  • the usual time-out for deleting an entry is several minutes
  • So a SYN packet every few seconds can keep the host from accepting a new connection.
  • To avoid detection, every new SYN packet is spoofed from a new IP address. (The ICMP destination unreachable sent by the router of the spoofed address back to the victim goes to the ICMP module of the victim, not to its TCP module, so the half-open entry is not cleared.)
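An added example (editor's Python, not from the slides) that puts numbers on the arithmetic above: a second-by-second model of the SYN_RECV queue in which entries expire after the timeout, the attacker sends one spoofed SYN per interval, and a legitimate client tries to connect every 30 seconds. The queue size, timeout and rates are constructed to match the slide (10 entries, a timeout of minutes).

```python
# Added example (editor's code, not from the slides): a discrete-time model of
# a SYN_RECV queue under a SYN flood. Parameters are constructed to match the
# slide's figures.

def min_syn_interval(queue_size, timeout_s):
    """Slowest attacker rate that still keeps the queue full once it has filled:
    one entry must arrive for each one that times out."""
    return timeout_s / queue_size


def simulate_syn_flood(queue_size=10, timeout_s=180, syn_interval_s=15,
                       legit_interval_s=30, duration_s=600):
    """Return (legit_accepted, legit_rejected) over duration_s seconds."""
    half_open = []                 # expiry time of each SYN_RECV entry
    accepted = rejected = 0
    for t in range(duration_s):
        half_open = [exp for exp in half_open if exp > t]     # time out stale entries
        if t % syn_interval_s == 0 and len(half_open) < queue_size:
            half_open.append(t + timeout_s)   # spoofed SYN: never completes, sits until timeout
        if t % legit_interval_s == 1:         # legitimate SYN (offset so it never ties with the attacker)
            if len(half_open) < queue_size:
                accepted += 1                 # handshake completes; the entry leaves the queue at once
            else:
                rejected += 1                 # queue full: SYN dropped, client never sees a SYN-ACK
    return accepted, rejected


if __name__ == "__main__":
    print("one spoofed SYN needed every", min_syn_interval(10, 180), "s")   # 18.0
    print("attacker every 15 s:", simulate_syn_flood(syn_interval_s=15))     # (5, 15)
    print("attacker every 30 s:", simulate_syn_flood(syn_interval_s=30))     # (20, 0)
```

With a 10-entry queue and a 3-minute timeout one spoofed SYN every 18 seconds is enough; at 15 seconds the queue fills after the tenth SYN and every later legitimate attempt is dropped, while at 30 seconds it never fills. Shortening the timeout or enlarging the queue only moves that threshold, which is why later stacks moved to SYN cookies instead.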

32
DDoS
  • Distributed Denial of Service attack
  • Trojan horses are planted, via an .exe file sent through e-mail or via buffer overflow, on a large number of machines.
  • All the machines are triggered at the same time to jointly attack the victim.
  • Example: Tribe Flood Network (TFN) of 1999.

33
DDOS
  [Figure: the attacker controls a number of machines carrying Trojan horses (T), which together attack the victim.]
34
DDOS (cont)
  • The attacker plants a Trojan horse on a large number of machines.
  • He then triggers the attack on the victim from all these machines (now called zombies).
  • CERT has advised that a single tool is now available which
  • identifies the zombies,
  • installs the Trojan horse on the zombies, and
  • activates the zombies to wait for a trigger signal.
  • Reference: Kevin J. Houle and George M. Weaver, CERT Coordination Center, "Trends in Denial of Service Attack Technology", October 2001, http://www.cert.org/archive/pdf/DoS_trends.pdf

35
Active or Mobile Code
  • Definition: Active or Mobile Code is code sent by a server to a client for execution on the client machine.
  • The objective of having the facility of active or mobile code:
  • The server is not overloaded.
  • The under-loaded workstation may be used for processing.
  • Bandwidth use is reduced.
  • Disadvantage: without the knowledge or permission of the owner of the client machine, a remote machine causes a program to be executed on the client machine.

36
Examples of Active Code, that can be misused
1. Cookies
  • Definition: Cookies are data files that a web server causes to be stored on the client machine.
  • Information
  • - about the client
  • - kept on the client machine (it may be encrypted with a key known only to the web server, so that the client can neither read nor alter it).
  • A cookie may be
  • a per-session cookie, or
  • a persistent cookie.

37
Examples of Active Code, that can be misused
2. Executing Scripts on Server
  • The web server cannot differentiate between
  • commands legitimately generated by the browser as the client fills in a web page, and
  • a hand-crafted set of commands generated by a malicious user.

38
Examples of Active Code, that can be misused
3. Escape Character attack on Server
  • CGI (Common Gateway Interface)
  • Commonly used on web servers for scripting.
  • It uses
  • %nn to represent ASCII special characters (nn is the character's hex code).
  • %0a (newline) instructs the interpreter to accept the characters after the %0a as a new command.

39
Escape Character attack on Server
continued
  • The following request asks for a copy of the password file:
  • http://www.test.com/cgi-bin/query?%0a/bin/cat%20/etc/passwd
  • Another example: a server-side include directive of the form
  • <!--#action arg1=value arg2=value ...-->
  • is followed by a command.
  • If someone gives the following string immediately after the above
  • <!--#exec cmd="rm *"-->
  • it would delete all the files in the current directory of the web server.
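An added example (editor's Python, not from the slides) covering the escape-character request on this slide and the server-side include problem of slide 23: what the %0a query becomes once a CGI script decodes it and concatenates it into a shell command line, the argv-based version that never reaches a shell, and a check that spots an <!--#exec ...--> directive in user-supplied HTML. The script path, the command template, the allowed character set and the sample HTML are the editor's assumptions; no command is ever run.

```python
import re
from urllib.parse import unquote

# Added example (editor's code, not from the slides): newline injection through
# %0a into a shell command line, the no-shell alternative, and SSI directive
# detection. Script path and inputs are constructed.

SEARCH_BIN = "/usr/local/bin/search"     # hypothetical CGI back end


def naive_cgi_command(query):
    """Models a CGI script that builds one command string from the decoded query
    and hands it to a shell: the decoded newline starts a second command."""
    return SEARCH_BIN + " " + unquote(query)


def injected_commands(command_line):
    """Extra lines a shell would execute as separate commands (the %0a trick)."""
    return [line for line in command_line.split("\n")[1:] if line.strip()]


SAFE_QUERY = re.compile(r"[A-Za-z0-9 ._-]{1,64}")   # conservative allow-list


def safe_cgi_argv(query):
    """Decode, then allow only a conservative character set, and never go
    through a shell: the result is an argv list for subprocess.run(argv)."""
    decoded = unquote(query)
    if not SAFE_QUERY.fullmatch(decoded):
        raise ValueError(f"rejected query: {decoded!r}")
    return [SEARCH_BIN, decoded]


SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(exec|include|echo|config|set)\b", re.IGNORECASE)


def contains_ssi_directive(html):
    """True if user-supplied HTML carries a server-side include directive,
    which must be stripped (or SSI disabled) before the server parses it."""
    return SSI_DIRECTIVE.search(html) is not None


if __name__ == "__main__":
    evil = "%0a/bin/cat%20/etc/passwd"
    print(repr(naive_cgi_command(evil)))                # '/usr/local/bin/search \n/bin/cat /etc/passwd'
    print(injected_commands(naive_cgi_command(evil)))   # ['/bin/cat /etc/passwd']
    print(safe_cgi_argv("security%20books"))            # ['/usr/local/bin/search', 'security books']
    print(contains_ssi_directive('Contact us: <!--#exec cmd="rm *" -->'))   # True
```

Decoding before validation matters in both halves: the allow-list is applied to the decoded text, and the SSI check would be fooled by an encoded "<" if it ran on raw form data.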

40
Escape Character attack on Server
continued
  • MS uses ASP for scripting.
  • These pages instruct the browser on
  • how to display files
  • how to maintain context and interact with the server.
  • The HTML and client-side script these pages emit can be seen at the browser, and any weaknesses in the ASP code may be exploited by a malicious user.

41
Active Code Comments
  • Java
  • Java 1.1 sandbox: very restrictive.
  • Java 1.2 opened the sandbox to permit stored disk files and executable procedures. This makes v1.2 more convenient to use, at the cost of an increase in security vulnerability.
  • Java 1.4 is supposed to correct these problems (?)
  • ActiveX: using it, objects of arbitrary type can be downloaded to a client.
  • The object may lead to an automatic download of the handler required for a file type.

42
Active Code Comments
Active X
  • MS uses authentication certificates which certify the origin's validity.
  • But proof of origin does not mean safety of code.
  • Auto-exec by file type
  • Besides the file's extension, a file contains its type information inside the file also.
  • So even if a file does not have an extension, it may be opened automatically if one clicks on it.

43
Active Code Comments Java
vs. Active X
  • You can put only partial trust in a Java program, while ActiveX requires either full trust or no trust at all.
  • A Java-enabled browser could keep a record of which dangerous operations are carried out by each trusted program, so it would be easier to reconstruct what happened if anything went wrong.
  • Java offers better protection against accidental damage caused by buggy programs.
  • Reference: http://www.cs.princeton.edu/sip/faq/java-vs-activex.html (SIP: Secure Internet Programming)

44
Procedures for secure active code
  • 1. The system must control applets' access to sensitive system resources, such as
  • File system
  • Processor
  • Network
  • Users Delay
  • Internal State Variables.

45
Procedures for secure active code

continued
  • 2.The Language must protect memory by preventing
  • forged memory pointers and
  • array(buffer) overflows.
  • 3. The system must prevent object reuse by
    clearing memory contents for new objects.

46
Procedures for secure active code

continued
  • The system must perform garbage collection to reclaim memory no longer in use.
  • 4. The system must control
  • inter-applet communication, as well as
  • applets' effects on the environment outside the Java system through system calls.
  • Reference: Dean, D., Felten, E.W., Wallach, D.S., "Java security: from HotJava to Netscape and beyond", Proceedings of the IEEE Symposium on Security and Privacy, 1996, pp 190-200

47
A Networked System More
Vulnerable?
  • The attacker can be
  • anonymous,
  • safe behind an electronic shield,
  • at a great distance, and
  • can make his system hide behind a chain of other hosts.
  • A large network has many points from which an attack may be mounted, and many targets.
  • Sharing: networks permit a number of users to share the services -> a larger number of attacking entities (users/systems).

48
A Networked System More Vulnerable?
cont.
  • Complexity of a system: each operating system is complex. A network operating system, which may deal with multiple operating systems, is even more complex.
  • Even desktops have become powerful, so the user may not even know fully what his system is doing.
  • Ill-defined perimeter, since networks are interconnected in a variety of ways.
  • Multiple paths may exist between two legitimate communicators; the hosts/networks in each path may have different security policies.
  • Reference: Pfleeger and Pfleeger, Security in Computing, Prentice Hall, 3rd Ed., 2003, pp 387-389

49
Security Services
  • Confidentiality: protection of the message from disclosure to unauthorized persons.
  • In addition, secrecy of the identity of the sender may also be required. Confidentiality may be compromised by
  • - misdelivery, exposure in some part of the network, traffic flow analysis
  • Integrity: maintaining data consistency; the message may not be altered during transmission.
  • AUTHENTICATION: verifying a principal's claimed identity.
  • Principal: a user logged on a remote system, or
  • - a local user logged on the server, or
  • - the server itself

50
Security Services Authentication
continued
  • Authentication: a two-step process
  • - User name
  • - Password
  • (check: something you know (common), something you have, something you are, what you do (e.g. key-stroke patterns), where you are)

51
Security Services (continued )
  • Distributed authentication of users, processes, servers and services is even more difficult. Thus NT 4.0 had the concept of a single Primary Domain Controller.
  • Windows 2000 has a multi-master system. It makes the system more robust, but more vulnerable.
  • Non-repudiation: the originator of a communication can't deny it later.
  • Digital signatures are used to bind an entity to information.

52
Security Services (continued )
  • Availability
  • Legitimate users have access when they need it
  • Access control
  • Unauthorized users are kept out
  • Receipt
  • Acknowledgement for received information
  • Certificate
  • Endorsement of information by a trusted
    party
  • Anonymity
  • Hiding the identity of an entity

53
Security Services (continued )
  • Most Internet security problems are
  • access control or
  • authentication ones
  • Denial of service is also popular, but mostly an
    annoyance
  • Security services are often combined
  • User authentication used for access control
    purposes
  • Non-repudiation combined with
    authentication

54
CERT Coordination Center (CERT/CC)
  • CERT/CC a part of Software Engineering Institute
    (SEI) Networked Systems Survivability Program,
    Carnegie Mellon University, Pittsburgh,
    Pennsylvania
  • History
  • 2nd November 1988: the Morris worm incident, which brought 10 percent of Internet systems to a halt.
  • Defense Advanced Research Projects Agency (DARPA)
    charged the SEI with setting up a center
  • to coordinate communication among experts during
    security emergencies and
  • to help prevent future incidents.
  • 17th November 1988 Computer Emergency Response
    Team was set up.
  • Today CERT/CC a Center of Internet security
    expertise.