Title: Hans Hedbom
Attacks on Computer Systems
Attacks
- Non-technical attacks
  - Examples: social engineering, phishing
  - Cause: low user awareness or missing policies/routines
- Technical attacks
  - Examples: see the following slides
  - Causes:
    - Transitive trust
    - Bugs and configuration errors in applications and the OS
    - Vulnerabilities in protocols and network infrastructure
Threats to confidentiality
[Table from Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Network attacks
SYN attacks
- The attacker sends a large number of SYN packets to the server. This fills up the server's SYN buffer (the queue of half-open connections), so the server is unable to accept more connections: denial of service.
[TCP event diagram: Client sends SYN, Server answers SYN,ACK, Client completes with ACK; a half-open entry stays in the buffer until a timeout of 4 min.]
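A small model of the server's SYN buffer, added here as an example and not part of the slides: each SYN that never gets its ACK holds a slot until the half-open timeout (the slide's 4 min = 240 s), so the defender's two levers are the backlog size and the timeout. The backlog size, rates and client ids are constructed values.

```python
from collections import deque


class SynBacklog:
    """Fixed-size queue of half-open connections that expire after timeout_s."""

    def __init__(self, size, timeout_s):
        self.size, self.timeout_s = size, timeout_s
        self.pending = deque()  # (expiry_time, client_id), in arrival order
        self.refused = 0

    def _expire(self, now):
        while self.pending and self.pending[0][0] <= now:
            self.pending.popleft()

    def on_syn(self, now, client_id):
        """A SYN arrives; True if it gets a slot (server answers SYN,ACK)."""
        self._expire(now)
        if len(self.pending) >= self.size:
            self.refused += 1  # no free slot: the attempt is dropped
            return False
        self.pending.append((now + self.timeout_s, client_id))
        return True

    def on_ack(self, now, client_id):
        """Third handshake step: the half-open slot is released."""
        self._expire(now)
        for entry in self.pending:
            if entry[1] == client_id:
                self.pending.remove(entry)
                return True
        return False


def min_flood_rate(size, timeout_s):
    """Unanswered SYNs per second that suffice to keep the backlog full."""
    return size / timeout_s


def simulate(size=128, timeout_s=240, flood_rate=1.0, legit_at_s=200):
    """Never-acknowledged SYNs at flood_rate, then one legitimate SYN at legit_at_s;
    returns (legitimate SYN accepted?, number of refused SYNs). Constructed values."""
    backlog = SynBacklog(size, timeout_s)
    t = 0.0
    while t < legit_at_s:
        backlog.on_syn(t, "flood")
        t += 1.0 / flood_rate
    return backlog.on_syn(legit_at_s, "legit"), backlog.refused
```

With the defaults, one unanswered SYN per second (above min_flood_rate(128, 240) of about 0.53/s) fills the backlog and the legitimate client is refused; shortening the timeout to 60 s or halving the rate leaves the client served.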
IP fragmentation attack
- Intentional fragmentation of IP packets may confuse routers, firewalls and servers.
[Diagram: the original IP packet (header + data) is fragmented into Fragment 1 and Fragment 2, each with its own header; the fragment offsets shown are 0, 16 and 20, so the assembled packet's data overlap ("Overlap!").]
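Reassembly with overlap detection, added here as an example and not part of the slides. Fragments are modelled as (offset in bytes, payload) pairs, using the offsets drawn on the slide; the IP header's own offset field counts 8-byte units, which offset_field_to_bytes converts. The defensive point is that a firewall or host must not silently pick a winner when fragments overlap, because different stacks pick differently.

```python
def reassemble(fragments):
    """Reassemble (offset_bytes, payload) fragments.

    Returns (data, overlaps); overlaps lists (offset, length) of byte
    ranges covered by more than one fragment. The lowest-offset fragment
    keeps its bytes, which is only one of the policies real stacks use,
    and exactly why overlapping fragments cannot be trusted.
    """
    buf = bytearray()
    overlaps = []
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if offset > len(buf):
            raise ValueError(f"gap: nothing covers bytes {len(buf)}..{offset}")
        if offset < len(buf):  # this fragment re-covers bytes already placed
            overlaps.append((offset, min(len(buf), end) - offset))
        if end > len(buf):
            buf.extend(payload[len(buf) - offset:])
    return bytes(buf), overlaps


def check_datagram(fragments):
    """Firewall/host policy: accept only a datagram with no overlap and no gap.
    Returns (data or None, reason)."""
    try:
        data, overlaps = reassemble(fragments)
    except ValueError as exc:
        return None, str(exc)
    if overlaps:
        return None, f"overlapping fragments at {overlaps}"
    return data, "ok"


def offset_field_to_bytes(field):
    """The IP header's 13-bit fragment offset counts 8-byte units."""
    return field * 8


# Constructed fragments with the offsets drawn on the slide (0, 16, 20):
# the third fragment re-covers four bytes of the second.
SLIDE_FRAGMENTS = [(0, b"A" * 16), (16, b"B" * 8), (20, b"C" * 8)]
```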
Sniffer attacks
- Eavesdropping on a network segment, e.g. on Telnet (password in the clear).
[Diagram: Telnet client and Telnet server communicate over an IP network; the attacker reads the Telnet traffic on the segment.]
Passwords over the net
- Protocols listed on the slide: Telnet, FTP, Rlogin, Rexec, POP, SNMP, NFS, SMB, HTTP
IP spoofing
- Counterfeiting of IP sender addresses when using UDP and TCP.
[Diagram: NFS client and NFS server exchange NFS request and NFS response over an IP network; the attacker is shown with a SYN attack against the client and forged NFS traffic towards the server.]
Session hijacking
- The attacker hijacks a session between a client and a server; it could for example be an administrator using telnet for remote login.
[Diagram: Telnet traffic between Telnet client and Telnet server over an IP network; the attacker is shown combining a SYN attack and IP spoofing.]
DNS cache poisoning
- DNS (Domain Name Service) is primarily used to translate names into IP addresses, e.g. www.sunet.se to 192.36.125.18.
- The attack: data injection into the DNS server.
- Cross-checking an address might help.
OS (software) attacks
Race condition attacks
- Exploits software that performs operations in an improper sequence, e.g. psrace (Solaris 2.x).
[Diagram of the psrace sequence: the application (/usr/bin/ps) creates the file /tmp/ps_data, stores data in it, uses the data and removes the file; interleaved attacker steps shown: create link (/tmp/sh), set SUID.]
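The check-then-use pattern behind psrace beside its fix, added here as an example and not part of the slides. unsafe_create checks and then opens in two steps, so a link pre-placed at the predictable name is written through; safe_create asks the kernel to create the file atomically and refuses any pre-existing name, links included. Assumes a POSIX system; the directory and file names are constructed.

```python
import os
import shutil
import tempfile


def unsafe_create(path, data):
    """Check-then-use: exists() follows links (a dangling link looks absent),
    and open() then writes through whatever was planted at the name."""
    if os.path.exists(path):
        return False
    with open(path, "w") as f:
        f.write(data)
    return True


def safe_create(path, data):
    """Atomic create: O_CREAT|O_EXCL fails if the name exists at all,
    symbolic link included, so nothing pre-placed at it can be followed."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def demo(create):
    """Pre-place a link at the predictable name (like /tmp/ps_data on the
    slide, here inside a scratch directory) pointing at another file, then
    call create(). Returns (create reported success, other file written)."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "target")    # the file behind the link
        planted = os.path.join(workdir, "ps_data")  # constructed predictable name
        os.symlink(target, planted)                 # dangling until written through
        ok = create(planted, "data")
        return ok, os.path.exists(target)
    finally:
        shutil.rmtree(workdir)
```

In Python, tempfile.mkstemp() applies the same O_EXCL rule and an unpredictable name for you.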
Buffer overflows
- Buffer overflows account for 50% of the security bugs (Viega and McGraw).
- Data is stored in allocated memory called a buffer. If more data needs to be stored than fits, the additional bytes have to go somewhere: the buffer overflows and data are written past its bounds.
Web attacks
Browser vulnerabilities
[Table from Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Window of exposure
[Table from Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Phishing
- Phishing (only works with predictable or time-invariant values): trick the user into accessing a forged web page.
[Diagram: the user talks to the forged web page over SSL/TLS: 1. username; 2. ask for login credentials; 3. give login credentials; 4. OK, alternatively deny (error code).]
Phishing
[Table from Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Phishing
[Table from Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]
Pharming
[Diagram of a challenge-response login relayed through the pharming site: 1. username; 2. username; 3. challenge; 4. challenge; 5. challenge; 6. response; 7. response; 8. response; 9. OK, alternatively deny (shown at both ends).]
XSS
What is SQL injection?
- The slide's PHP login code (vulnerable: the user-supplied values are pasted straight into the SQL text):
    $name   = $HTTP_POST_VARS["name"];
    $passwd = $HTTP_POST_VARS["passwd"];
    $query  = "select name from users where name='" . $name . "' and passwd='" . $passwd . "'";
    $result = mysql_query($query);
What is SQL injection? (cont.)
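The slide's query built both ways, added here as an example and not part of the slides: the concatenated form from the PHP snippet beside the parameterised form that fixes it. An in-memory SQLite database with constructed rows stands in for the MySQL users table so it runs offline.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the slide's users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (name text, passwd text)")
    db.executemany("insert into users values (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_concat(db, name, passwd):
    """The slide's query: user input pasted into the SQL text, so a quote
    character in the input ends the string literal and whatever follows
    is parsed as SQL."""
    query = ("select name from users where name='" + name +
             "' and passwd='" + passwd + "'")
    return sorted(r[0] for r in db.execute(query))


def login_param(db, name, passwd):
    """Same query with placeholders: the driver hands the values to the
    database as data, so they can never change the statement's shape."""
    query = "select name from users where name=? and passwd=?"
    return sorted(r[0] for r in db.execute(query, (name, passwd)))


def demo():
    """Compare both forms on a correct password and on a constructed input
    that contains a quote character followed by an always-true condition."""
    db = make_db()
    odd_input = "' or '1'='1"
    return {
        "concat/correct": login_concat(db, "alice", "s3cret"),
        "param/correct": login_param(db, "alice", "s3cret"),
        "concat/odd": login_concat(db, "alice", odd_input),
        "param/odd": login_param(db, "alice", odd_input),
    }
```

With the concatenated query the odd input returns every user; with placeholders it is just a wrong password and returns nothing.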
Bot-nets
Bot-nets
- A bot-net is a large collection of compromised computers under the control of a command and control (C&C) server.
- A bot-net consists of bots (the malicious program), drones (the hijacked computers) and (one or more) C&C servers.
- A bot is usually a combination of a worm and a backdoor.
- IRC and HTTP are the primary communication protocols in today's bot-nets.
- Bots are usually self-spreading and modular.
Uses of bot-nets
- Bot-nets could be used for the following:
  - Click fraud: making drones click on specific advertisements on the web.
  - DDoS: for financial gain or blackmail.
  - Keylogging: for financial gain and identity theft.
  - Warez: collecting, spreading and storing.
  - Spam: for financial gain.
  - And of course as a private communication network.
Detecting and preventing bot-nets
- Detection is all about finding the C&C server.
  - Look for suspicious traffic patterns in firewall logs and other logs.
  - Take note of servers with a high number of incoming connections.
  - Monitor the suspicious C&C and inform the owner and the authorities when you are sure that it is a bot-net controller.
- Prevention
  - All the usual rules apply: patch and protect. Do egress filtering in firewalls as well as ingress. This will stop infections from spreading and could block outgoing traffic from drones within the intranet.
- Problems
  - Some bot-nets are encrypted.
  - Tracking the C&C to the real bot-net owner can be hard.
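The slide's two detection hints turned into log analysis, added here as an example and not part of the slides: rank destinations by how many distinct internal hosts connected to them (a server with an unusually high number of incoming connections is a C&C candidate, and those hosts are the suspected drones), and list hosts whose outbound connections the egress filter denied. The log lines and their "time src dst dport action" format are constructed; a real firewall's format needs its own parser.

```python
from collections import defaultdict

# Constructed firewall log in a simple "time src dst dport action" format.
FIREWALL_LOG = """\
10:00:01 10.0.0.11 203.0.113.5 6667 allow
10:00:03 10.0.0.12 203.0.113.5 6667 allow
10:00:04 10.0.0.13 203.0.113.5 6667 allow
10:00:05 10.0.0.14 203.0.113.5 6667 allow
10:00:06 10.0.0.11 198.51.100.7 443 allow
10:00:07 10.0.0.12 198.51.100.7 443 allow
10:00:08 10.0.0.15 203.0.113.5 6667 allow
10:00:09 10.0.0.20 192.0.2.9 80 allow
10:00:10 10.0.0.16 203.0.113.5 6667 deny
"""


def parse(log):
    """Yield (src, dst, dport, action) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3]), parts[4]


def fan_in(log):
    """Map (dst, port) -> set of distinct sources whose connection was allowed."""
    seen = defaultdict(set)
    for src, dst, dport, action in parse(log):
        if action == "allow":
            seen[(dst, dport)].add(src)
    return seen


def candidate_cc(log, min_sources=4):
    """Destinations reached by at least min_sources distinct internal hosts,
    most-contacted first: (dst, port, sorted suspected drones)."""
    ranked = sorted(fan_in(log).items(), key=lambda kv: -len(kv[1]))
    return [(dst, port, sorted(srcs)) for (dst, port), srcs in ranked
            if len(srcs) >= min_sources]


def denied_egress(log):
    """Internal hosts whose outbound connections the egress filter blocked:
    the first machines to inspect for a bot."""
    return sorted({src for src, _, _, action in parse(log) if action == "deny"})
```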
Bot activity
[Table from Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010]