Hans Hedbom - PowerPoint PPT Presentation

Description: "... the threat is that the sender's IP address is often used for authentication (rsh and others). The problem is that the sender's IP address is not checked ..." (PowerPoint presentation, 30 slides)

Transcript and Presenter's Notes

1
Attacks on Computer Systems
  • Hans Hedbom

2
Attacks
  • Non-technical attacks
    • Example: social engineering, phishing
    • Cause: low user awareness or missing policies/routines
  • Technical attacks
    • Example: see the following slides
    • Cause: transitive trust; bugs and configuration errors
      in applications and the OS; vulnerabilities in protocols
      and network infrastructure

3
Threats to confidentiality
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
4
Network attacks
5
SYN-Attacks
  • The attacker sends a large number of SYN packets
    to the server
  • this fills up the SYN backlog, so the server can no
    longer accept new connections: Denial of Service

TCP event diagram (client/server): SYN → SYN,ACK → ACK;
the server keeps a half-open entry from the SYN,ACK
until the client's ACK arrives or the 4 min. timeout
expires.
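The backlog exhaustion described above, and the stateless defence that removes the per-SYN state (SYN cookies), as an added example that is not part of the slides. The backlog size, the 4 minute timeout, the cookie secret and all addresses are constructed toy values; a real stack keeps a per-socket backlog and retransmits the SYN,ACK a few times rather than running one flat timer.

```python
"""SYN flood against a half-open backlog, and SYN cookies as the stateless fix.

Added example (not from the slides). Backlog size, timeout, addresses and the
cookie secret are constructed toy values.
"""
import hashlib
import hmac
import random

BACKLOG_SIZE = 128      # half-open connections the toy server can hold
SYN_TIMEOUT = 240.0     # seconds an entry survives without the final ACK (the slide's 4 min.)


class StatefulServer:
    """Classic TCP: every SYN allocates backlog state until the ACK arrives or the entry times out."""

    def __init__(self):
        self.half_open = {}     # (src_ip, src_port) -> expiry time

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= BACKLOG_SIZE:
            return None                         # backlog full: the SYN is dropped
        self.half_open[src] = now + SYN_TIMEOUT
        return random.getrandbits(32)           # ISN carried in the SYN,ACK

    def on_ack(self, src, now):
        self._expire(now)
        return self.half_open.pop(src, None) is not None


def syn_flood(server, count, now):
    """Attacker sends `count` SYNs from spoofed source addresses and never finishes the handshake."""
    for i in range(count):
        spoofed = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 1000)
        server.on_syn(spoofed, now)


def legit_client_connects(server, now):
    """A real client does SYN -> SYN,ACK -> ACK; True if the server accepted the connection."""
    src = ("192.0.2.10", 51515)
    if server.on_syn(src, now) is None:
        return False
    return server.on_ack(src, now + 0.01)


# --- SYN cookies: encode the half-open state in the ISN instead of storing it ---
COOKIE_SECRET = b"constructed-demo-secret"   # per-host secret, rotated in practice
COOKIE_SLOT = 64.0                           # seconds; a cookie is valid for the current and previous slot


def _cookie(src_ip, src_port, dst_port, slot):
    msg = f"{src_ip}:{src_port}:{dst_port}:{slot}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


def syn_cookie(src_ip, src_port, dst_port, now):
    """ISN for the SYN,ACK, derived from the connection tuple and a coarse clock; nothing is stored."""
    return _cookie(src_ip, src_port, dst_port, int(now // COOKIE_SLOT))


def verify_cookie(src_ip, src_port, dst_port, now, ack_num):
    """On the final ACK, recompute the cookie: the ACK number must be cookie + 1 for a recent slot."""
    slot = int(now // COOKIE_SLOT)
    return any((_cookie(src_ip, src_port, dst_port, s) + 1) & 0xFFFFFFFF == ack_num
               for s in (slot, slot - 1))


def demo():
    now = 1_000_000.0
    srv = StatefulServer()
    before = legit_client_connects(srv, now)                        # True: backlog empty
    syn_flood(srv, 2000, now + 1)                                   # 2000 spoofed SYNs, none completed
    during = legit_client_connects(srv, now + 2)                    # False: backlog full, SYN dropped
    after = legit_client_connects(srv, now + 2 + SYN_TIMEOUT + 1)   # True: flood entries timed out
    # A cookie server under the same flood allocates nothing per SYN, so the real client gets in:
    isn = syn_cookie("192.0.2.10", 51515, 80, now + 2)
    cookie_ok = verify_cookie("192.0.2.10", 51515, 80, now + 2.5, (isn + 1) & 0xFFFFFFFF)
    forged = verify_cookie("192.0.2.10", 51515, 80, now + 2.5, 12345)  # guessed ACK: rejected
    return before, during, after, cookie_ok, forged


if __name__ == "__main__":
    print(demo())
```

The stateful server is unreachable for the whole timeout once 128 spoofed SYNs are in flight, and nothing the attacker did cost it any state; the cookie server rejects a forged ACK without ever having stored anything, which is why it survives the same flood.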
6
IP Fragmentation Attack
  • Intentional fragmentation of IP-packets may
    confuse routers, firewalls and servers

Diagram: the original IP packet (header + data) is
fragmented into Fragment 1 (offset 0, data reaching
offset 20) and Fragment 2, whose header claims offset
16 instead of 20; when the receiver assembles the
packet the two fragments overlap ("Overlap!").
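The overlap in the diagram, worked through in code as an added example (not from the slides): a small reassembler that records overlapping byte ranges and can apply either of the two policies real stacks use, so the same fragment stream yields one payload for a first-wins firewall and another for a last-wins host. The fragments are constructed, with offsets in bytes for readability (real IP fragment offsets are in 8-byte units).

```python
"""Overlapping IP fragments: find the overlap and show that two common reassembly
policies yield different payloads. Added example; fragments are constructed.
"""


def reassemble(fragments, policy="first"):
    """fragments: [(offset, payload, more_fragments)] in arrival order.

    Returns (payload, overlaps). overlaps lists (start, end) byte ranges written by
    more than one fragment. policy "first" keeps the bytes of the fragment that
    arrived first (BSD style); "last" lets a later fragment overwrite them
    (Linux/Windows style). Hosts and middleboxes disagree on this, and that is the bug.
    """
    buf = {}
    overlaps = []
    total_len = None
    for offset, payload, more in fragments:
        if not more:
            total_len = offset + len(payload)
        run_start = None
        for i, byte in enumerate(payload):
            pos = offset + i
            if pos in buf:
                if run_start is None:
                    run_start = pos
                if policy == "last":
                    buf[pos] = byte
            else:
                if run_start is not None:
                    overlaps.append((run_start, pos))
                    run_start = None
                buf[pos] = byte
        if run_start is not None:
            overlaps.append((run_start, offset + len(payload)))
    if total_len is None or any(p not in buf for p in range(total_len)):
        raise ValueError("incomplete datagram: last fragment or a byte range is missing")
    return bytes(buf[p] for p in range(total_len)), overlaps


def firewall_accepts(fragments):
    """Policy a firewall should enforce: any overlap at all means the datagram is dropped."""
    try:
        _, overlaps = reassemble(fragments, policy="first")
    except ValueError:
        return False
    return not overlaps


# Constructed fragment stream: the first fragment carries a harmless request; the
# second claims an offset inside the first and rewrites the path.
FRAGMENTS = [
    (0, b"GET /index.html HTTP/1.0\r\n", True),
    (4, b"/etc/passwd HTTP/1.0\r\n", False),
]


def demo():
    seen_by_first_wins, overlaps = reassemble(FRAGMENTS, "first")
    seen_by_last_wins, _ = reassemble(FRAGMENTS, "last")
    return seen_by_first_wins, seen_by_last_wins, overlaps


if __name__ == "__main__":
    first, last, ov = demo()
    print("first-wins :", first)
    print("last-wins  :", last)
    print("overlap    :", ov)
```

A firewall that inspects with first-wins semantics sees a request for /index.html and lets the fragments through; a host that reassembles last-wins executes the request for /etc/passwd. Refusing overlapping fragments outright, as `firewall_accepts` does, removes the ambiguity instead of trying to guess the host's policy.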
7
Sniffer Attacks
  • Eavesdropping on a network segment.

Diagram: Telnet client ↔ Telnet server across an IP
network, password in the clear; the attacker reads the
Telnet traffic on the shared segment.
8
Passwords over the Net
Telnet, FTP, Rlogin, Rexec, POP, SNMP, NFS, SMB, HTTP
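What the sniffer on the segment actually gets from the protocols listed above, as an added example that is not part of the slides: a credential extractor in the spirit of dsniff, run over constructed client-to-server payloads for FTP, POP3 and HTTP Basic authentication (not real captures). Telnet is left out on purpose: it sends one keystroke per segment, so the password has to be reassembled from many packets before the same idea applies.

```python
"""Clear-text credential extraction from sniffed TCP payloads. Added example (not from
the slides); the payloads are constructed, not captured.
"""
import base64
import re

# Constructed client->server payloads.
FTP_STREAM = b"USER alice\r\nPASS s3cret!\r\nSYST\r\n"
POP3_STREAM = b"USER bob\r\nPASS letmein\r\nSTAT\r\n"
HTTP_STREAM = (b"GET /admin HTTP/1.0\r\nHost: intranet\r\n"
               b"Authorization: Basic " + base64.b64encode(b"carol:Tr0ub4dor") + b"\r\n\r\n")

USER_PASS = re.compile(rb"^(USER|PASS) (.*)$", re.M)
BASIC_AUTH = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I)


def extract_credentials(dst_port, payload):
    """Return (protocol, user, password) tuples visible in one client->server stream."""
    found = []
    if dst_port in (21, 110):                   # FTP and POP3 share the USER/PASS dialogue
        proto = "ftp" if dst_port == 21 else "pop3"
        user = None
        for cmd, arg in USER_PASS.findall(payload):
            arg = arg.rstrip(b"\r").decode("latin-1")
            if cmd == b"USER":
                user = arg
            elif cmd == b"PASS" and user is not None:
                found.append((proto, user, arg))
                user = None
    elif dst_port in (80, 8080):                # HTTP Basic: base64 is encoding, not encryption
        for token in BASIC_AUTH.findall(payload):
            user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
            found.append(("http-basic", user, password))
    return found


def demo():
    return (extract_credentials(21, FTP_STREAM)
            + extract_credentials(110, POP3_STREAM)
            + extract_credentials(80, HTTP_STREAM))


if __name__ == "__main__":
    for proto, user, password in demo():
        print(f"{proto:11} {user}:{password}")
```

Nothing here is decryption: the attacker only needs to be on the path and know the protocol's grammar. The same payloads on port 443 under TLS give the sniffer ciphertext, which is the whole argument for SSH, FTPS and HTTPS replacing this list.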
9
IP-Spoofing
  • Counterfeiting the IP sender address, possible
    with both UDP and TCP

Diagram: NFS client ↔ NFS server across an IP network.
The attacker first silences the NFS client with a SYN
attack, then sends an NFS request carrying the
client's address; the server's NFS response is
addressed to the client.
10
Session Hijacking
  • The attacker hijacks an established session
    between a client and a server
  • it could, for example, be an administrator using
    telnet for remote login

Diagram: Telnet client ↔ Telnet server across an IP
network; the attacker knocks out the client with a SYN
attack and continues the Telnet session with IP
spoofing.
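The two diagrams above (spoofing an NFS client, taking over a Telnet session) rely on the same two ingredients: the victim client must be unable to answer, and the attacker must guess the sequence number it never sees. This added example, not part of the slides, simulates both against a toy TCP server that can hand out either an early-BSD style initial sequence number (advanced by a fixed 64000 per connection) or a random one. Addresses and the seed are constructed; nothing touches a real network.

```python
"""Blind IP spoofing of a TCP handshake: the attacker never sees the SYN,ACK and must
predict the server's ISN. Added example (not from the slides); values are constructed.
"""
import random

ISN_STEP = 64000   # early BSD stacks advanced the ISN by a fixed amount per connection


class ToyTcpServer:
    def __init__(self, predictable_isn, seed=7):
        self.rng = random.Random(seed)
        self.predictable = predictable_isn
        self.isn = self.rng.getrandbits(32)
        self.pending = {}        # (src_ip, src_port) -> ACK number we expect
        self.established = set()

    def on_syn(self, src):
        """Returns our ISN; on the wire it travels in the SYN,ACK to `src`, not to the sender."""
        if self.predictable:
            self.isn = (self.isn + ISN_STEP) & 0xFFFFFFFF
        else:
            self.isn = self.rng.getrandbits(32)
        self.pending[src] = (self.isn + 1) & 0xFFFFFFFF
        return self.isn

    def on_rst(self, src):
        """The real client, seeing a SYN,ACK it never asked for, resets the half-open connection."""
        self.pending.pop(src, None)

    def on_ack(self, src, ack_num):
        if self.pending.get(src) == ack_num:
            del self.pending[src]
            self.established.add(src)
            return True
        return False


def blind_spoof(server, victim, client_silenced):
    """Attacker: (1) probe from its own address to sample the ISN, (2) SYN as the victim,
    (3) ACK with the predicted ISN + 1. Works only if the ISN is predictable and the
    victim cannot answer the stray SYN,ACK (the SYN attack on the client in the diagram)."""
    probe_isn = server.on_syn(("203.0.113.5", 40000))   # step 1, attacker's real address
    server.on_syn(victim)                              # step 2, spoofed source: SYN,ACK goes to victim
    if not client_silenced:
        server.on_rst(victim)                          # victim answers with RST, tearing it down
    guess = (probe_isn + ISN_STEP + 1) & 0xFFFFFFFF    # step 3
    return server.on_ack(victim, guess)


def demo():
    victim = ("192.0.2.10", 1023)      # the trusted client whose address is forged
    weak_silenced = blind_spoof(ToyTcpServer(predictable_isn=True), victim, client_silenced=True)
    weak_noisy = blind_spoof(ToyTcpServer(predictable_isn=True), victim, client_silenced=False)
    strong = blind_spoof(ToyTcpServer(predictable_isn=False), victim, client_silenced=True)
    return weak_silenced, weak_noisy, strong


if __name__ == "__main__":
    print(demo())   # only predictable ISN + silenced client succeeds
```

The order of the steps matters: the SYN attack on the client comes first so that the SYN,ACK for the forged connection dies on a host too busy to send a RST. With a random ISN the attacker has a 2^-32 chance per attempt, which is why address-based trust (rsh, NFS export lists) is the real defect and ISN randomisation only raises the cost.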
11
DNS Cache Poisoning
  • DNS (Domain Name System)
  • is primarily used to translate names into
    IP addresses
  • e.g. www.sunet.se to 192.36.125.18
  • the attack: inject forged records into the DNS
    server's cache, so that later lookups return the
    attacker's address
  • cross-checking an address against an independent
    source might help
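Cache poisoning as the guessing game it is, plus the cross-check the slide suggests, as an added example that is not part of the slides. A toy recursive resolver accepts the first reply whose transaction ID (and optionally destination port) matches its outstanding query; the attacker triggers a lookup and races the authoritative answer with forged replies. Only the www.sunet.se address comes from the slide; the forged address is constructed, and the resolver's randomness is seeded so the run is repeatable where a real resolver would use a CSPRNG.

```python
"""DNS cache poisoning against a toy resolver, with and without source-port randomisation,
and a cross-check between two resolvers. Added example (not from the slides).
"""
import random

REAL_IP = "192.36.125.18"     # the slide's www.sunet.se example
FORGED_IP = "203.0.113.66"    # constructed attacker-controlled address


class ToyResolver:
    def __init__(self, randomize_port, seed=1):
        self.rng = random.Random(seed)       # seeded for repeatability; real code: CSPRNG
        self.randomize_port = randomize_port
        self.pending = {}   # name -> (txid, source port) of the query we sent
        self.cache = {}

    def send_query(self, name):
        txid = self.rng.randrange(65536)                                   # 16-bit ID
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[name] = (txid, port)
        return txid, port

    def receive_reply(self, name, txid, port, answer):
        """Accept a reply only if it matches the outstanding query; first match wins and is cached."""
        if self.pending.get(name) != (txid, port):
            return False
        del self.pending[name]
        self.cache[name] = answer
        return True


def poisoning_race(resolver, name):
    """Attacker makes the resolver look up `name`, then fires one forged reply per possible
    txid (guessing the port when it is randomised) before the real answer arrives.
    Returns the address that ended up in the cache."""
    real_txid, real_port = resolver.send_query(name)   # the attacker cannot observe these
    attacker_rng = random.Random(42)
    for guess in range(65536):
        port = attacker_rng.randrange(1024, 65536) if resolver.randomize_port else 53
        if resolver.receive_reply(name, guess, port, FORGED_IP):
            break
    resolver.receive_reply(name, real_txid, real_port, REAL_IP)   # authoritative reply, too late
    return resolver.cache[name]


def cross_check(answers):
    """The slide's mitigation: compare answers from independent paths; trust only agreement."""
    distinct = set(answers)
    return distinct.pop() if len(distinct) == 1 else None


def demo():
    weak = poisoning_race(ToyResolver(randomize_port=False), "www.sunet.se")
    hard = poisoning_race(ToyResolver(randomize_port=True), "www.sunet.se")
    return weak, hard, cross_check([weak, hard])


if __name__ == "__main__":
    print(demo())
```

With only a 16-bit transaction ID to guess, 65536 forged replies are enough; adding a random source port raises the space to roughly 2^32 per race, so the same budget almost never hits. The cross-check catches the disagreement but cannot say which resolver is lying, which is what DNSSEC signatures add.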

12
OS (Software) attacks
13
Race Condition Attacks
  • Exploits software that performs operations in an
    improper order, e.g. psrace (Solaris 2.x).

Diagram (psrace): the application /usr/bin/ps creates
/tmp/ps_data, stores data in it, uses the data and
removes the file. In the window between these steps
the attacker replaces /tmp/ps_data with a link to
/tmp/sh, a copy of the shell, which ends up set SUID.
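The race in the diagram, reproduced as an added example that is not part of the slides: a check-then-use writer on a predictable temporary name, an attacker who plants a symlink in the window, and the atomic-create fix. It runs unprivileged on Linux/Unix in a throwaway directory that stands in for /tmp; the attacker's turn is modelled as a callback invoked inside the race window rather than a real concurrent process, and the victim file stands in for whatever the attacker wants the privileged program to touch.

```python
"""Time-of-check/time-of-use race on a predictable temporary file name, in the shape of the
psrace bug. Added example (not from the slides); paths are constructed under a temp dir.
"""
import os
import shutil
import tempfile


def vulnerable_write(path, data, attacker_turn=lambda p: None):
    """Check, get preempted, then use. open() follows a symlink dropped in between."""
    if os.path.exists(path):                 # time of check
        raise FileExistsError(path)
    attacker_turn(path)                      # the scheduler runs the attacker here
    with open(path, "w") as f:               # time of use: follows the planted link
        f.write(data)


def safe_write(path, data, attacker_turn=lambda p: None):
    """No separate check: create atomically, refuse anything already there, never follow a link.
    tempfile.mkstemp() does the same and also picks an unpredictable name."""
    attacker_turn(path)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)         # raises FileExistsError if the link is present
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_race(writer):
    """Set up a victim file and a predictable temp name, let `writer` race an attacker who
    plants a symlink from the temp name to the victim. Returns (write_succeeded, victim_content)."""
    work = tempfile.mkdtemp()
    try:
        victim = os.path.join(work, "victim")            # the attacker's target (cf. /tmp/sh)
        with open(victim, "w") as f:
            f.write("original")
        temp_name = os.path.join(work, "ps_data")       # predictable, like /tmp/ps_data

        def plant_link(path):
            os.symlink(victim, path)

        try:
            writer(temp_name, "attacker-chosen content", plant_link)
            ok = True
        except FileExistsError:
            ok = False
        with open(victim) as f:
            return ok, f.read()
    finally:
        shutil.rmtree(work)


def demo():
    return run_race(vulnerable_write), run_race(safe_write)


if __name__ == "__main__":
    print(demo())
```

The vulnerable writer reports success while its bytes land in the victim file; the safe writer fails loudly because O_CREAT|O_EXCL refuses an existing path even when that path is a dangling symlink. When the program runs with privileges, as ps did, the vulnerable version lets the attacker choose which file gets written or chmodded.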
14
Buffer overflows
  • Buffer overflows account for about 50% of the
    security bugs (Viega and McGraw)
  • Data is stored in allocated memory called a buffer.
    If more data has to be stored than the buffer holds,
    the additional bytes have to go somewhere: the
    buffer overflows and data is written past its bounds.

15
Web Attacks
16
Browser Vulnerabilities
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
17
Window of Exposure
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
18
Phishing
Phishing (only works against predictable or
time-invariant credentials, such as a static
password): trick the user into visiting a forged web
page and entering the login there.

Diagram: user ↔ forged web page (the forged page may
itself use SSL/TLS):
1. Username
2. Ask for login credentials
3. Give login credentials
4. Ok or Deny (error code)
19
Phishing
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
20
Phishing
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010
21
Pharming
Diagram: a challenge-response login relayed through the
pharmer's forged page:
1. Username (user → forged page)
2. Username (forged page → real server)
3. Challenge (server → forged page)
4. Challenge (forged page → user)
5. Challenge (user → the user's token)
6. Response (token → user)
7. Response (user → forged page)
8. Response (forged page → server)
9. Ok or Deny (server → forged page → user)
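Both diagrams (phishing on slide 18, pharming on slide 21) worked through in one added example that is not part of the slides: a static password captured once and replayed, a challenge-response login where the captured answer is useless later, and a pharmer relaying the live challenge, for which challenge-response alone gives no protection. Users, keys and host names are constructed; the token response is an HMAC over the challenge, a stand-in for whatever a real device computes. The origin-binding variant at the end is a countermeasure the slides do not mention, shown to make clear what the relay is missing.

```python
"""Phishing versus challenge-response, and why pharming (a live relay) defeats
challenge-response anyway. Added example (not from the slides); all values constructed.
"""
import hashlib
import hmac
import secrets

USERS = {"alice": {"password": "hunter2", "token_key": b"constructed-token-key"}}
REAL_HOST = "bank.example"
FORGED_HOST = "bank-login.example"     # the pharmer's page, reached via DNS/hosts manipulation


def token_response(key, challenge, origin=None):
    """The user's side. With `origin` the response is bound to the host the user is talking to."""
    msg = challenge.encode() + (b"|" + origin.encode() if origin else b"")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Server:
    def __init__(self, bind_to_origin=False):
        self.bind = bind_to_origin
        self.challenges = {}

    def login_static(self, user, password):                      # slide 18: steps 2-4
        return USERS.get(user, {}).get("password") == password

    def challenge(self, user):                                    # slide 21: step 3
        c = secrets.token_hex(8)
        self.challenges[user] = c
        return c

    def login_response(self, user, response):                     # slide 21: steps 8-9
        c = self.challenges.pop(user, None)
        if c is None or user not in USERS:
            return False
        expected = token_response(USERS[user]["token_key"], c, REAL_HOST if self.bind else None)
        return hmac.compare_digest(expected, response)


def phishing_static_password(server):
    """Forged page stores the password and replays it later: works, the value never changes."""
    captured = ("alice", USERS["alice"]["password"])       # typed into the forged page
    return server.login_static(*captured)


def phishing_challenge_response(server):
    """Forged page shows its own challenge, captures the answer, replays it later."""
    captured = token_response(USERS["alice"]["token_key"], "0000000000000000")
    server.challenge("alice")                               # real server issues a fresh challenge
    return server.login_response("alice", captured)         # stale answer: denied


def pharming_relay(server):
    """Pharmer relays in real time (slide 21, steps 1-9). Origin binding breaks this: the user
    computes the response for FORGED_HOST while the server expects REAL_HOST."""
    c = server.challenge("alice")                                          # steps 2-4
    origin = FORGED_HOST if server.bind else None                          # what the user really sees
    resp = token_response(USERS["alice"]["token_key"], c, origin)          # steps 5-7
    return server.login_response("alice", resp)                            # steps 8-9


def demo():
    return (
        phishing_static_password(Server()),               # True
        phishing_challenge_response(Server()),            # False
        pharming_relay(Server()),                         # True
        pharming_relay(Server(bind_to_origin=True)),      # False
    )


if __name__ == "__main__":
    print(demo())
```

Challenge-response removes the value of a captured credential, which is exactly the slide's point about predictable or time-invariant values; it does nothing against a relay that is on the path while the challenge is live. Only tying the response to the channel or the server identity the user actually sees closes that gap.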
22
XSS
23
What is SQL Injection?
  $name   = $HTTP_POST_VARS["name"];
  $passwd = $HTTP_POST_VARS["passwd"];
  $query  = "select name from users where name = '" . $name . "' and passwd = '" . $passwd . "'";
  $result = mysql_query($query);
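The slide's query run against a real database, as an added example that is not part of the slides: the same string concatenation against an in-memory SQLite table, two classic payloads, and the parameterized form next to it. Table contents and inputs are constructed; the PHP `mysql_query()` is replaced by Python's `sqlite3`, the query logic is unchanged.

```python
"""The slide's concatenated query against SQLite, next to the parameterized form.
Added example (not from the slides); table contents and inputs are constructed.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users (name text, passwd text)")
    con.executemany("insert into users values (?, ?)",
                    [("alice", "correct horse"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, name, passwd):
    """Exactly the slide's construction: user input is spliced into the SQL text."""
    query = ("select name from users where name = '" + name
             + "' and passwd = '" + passwd + "'")
    return [row[0] for row in con.execute(query)]


def login_safe(con, name, passwd):
    """Placeholders: the driver sends the values separately, so quotes in them are just data."""
    query = "select name from users where name = ? and passwd = ?"
    return [row[0] for row in con.execute(query, (name, passwd))]


def demo():
    con = make_db()
    bypass = "' or '1'='1"          # closes the string, adds a tautology; AND binds tighter than OR
    comment = "bob' --"             # ends the string and comments out the password check
    return {
        "honest": login_vulnerable(con, "alice", "correct horse"),
        "tautology": login_vulnerable(con, "anyone", bypass),
        "comment": login_vulnerable(con, comment, "irrelevant"),
        "safe_tautology": login_safe(con, "anyone", bypass),
        "safe_comment": login_safe(con, comment, "irrelevant"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

With the password `' or '1'='1` the vulnerable query becomes `... where name = 'anyone' and passwd = '' or '1'='1'` and returns every user; with the user name `bob' --` the password check is commented away. The parameterized version returns nothing for the same inputs because the quote characters never reach the SQL parser.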

24
What is SQL Injection?
25
BOT-NETS
26
Bot-nets
  • A bot-net is a large collection of compromised
    computers under the control of a command and
    control (C&C) server.
  • A bot-net consists of bots (the malicious
    program), drones (the hijacked computers) and
    (one or more) C&C servers.
  • A bot is usually a combination of a worm and a
    backdoor.
  • IRC and HTTP are the primary communication
    protocols in today's bot-nets.
  • Bots are usually self-spreading and modular.

27
Uses of bot-nets
  • Bot-nets could be used for the following:
  • Click fraud
  • Making drones click on specific advertisements on
    the web.
  • DDoS
  • For financial gain or blackmail.
  • Keylogging
  • For financial gain and identity theft.
  • Warez
  • Collecting, spreading and storing.
  • Spam
  • For financial gain.
  • And of course as a private communication network.

28
Detecting and preventing bot-nets
  • Detection is all about finding the C&C server.
  • Look for suspicious traffic patterns in firewall
    logs and other logs.
  • Take note of servers with a high number of
    incoming connections.
  • Monitor the suspected C&C server and inform the
    owner and the authorities when you are sure that
    it is a bot-net controller.
  • Prevention
  • All the usual rules apply: patch and protect. Do
    egress filtering in firewalls as well as ingress.
    This will stop infections from spreading and
    could block outgoing traffic from drones within
    the intranet.
  • Problems
  • Some bot-nets encrypt their traffic.
  • Tracking the C&C to the real bot-net owner can be
    hard.
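The two detection hints above (suspicious patterns in firewall logs, servers with many incoming connections) turned into detection logic, as an added example that is not part of the slides. It parses constructed firewall log lines (not a real capture) and flags an external endpoint when several internal hosts talk to it and at least one of them does so at near-fixed intervals, the beaconing an IRC or HTTP bot does while waiting for orders. The log format and thresholds are assumptions for the example.

```python
"""C&C candidate detection over firewall log lines: fan-in from many internal hosts plus
regular beaconing. Added example (not from the slides); log lines and format are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+):\d+ "
                  r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Constructed log: three hosts beacon to 198.51.100.7:6667 every ~5 minutes; web traffic
# to 93.184.216.34:443 comes from three hosts too, but at irregular times.
LOG = """\
2010-04-12T10:00:00 ALLOW src=10.0.0.5:51000 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:05:01 ALLOW src=10.0.0.5:51001 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:09:59 ALLOW src=10.0.0.5:51002 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:15:00 ALLOW src=10.0.0.5:51003 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:00:10 ALLOW src=10.0.0.9:40000 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:05:10 ALLOW src=10.0.0.9:40001 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:10:11 ALLOW src=10.0.0.9:40002 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:00:20 ALLOW src=10.0.0.12:33000 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:05:20 ALLOW src=10.0.0.12:33001 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:10:20 ALLOW src=10.0.0.12:33002 dst=198.51.100.7:6667 proto=tcp
2010-04-12T10:01:00 ALLOW src=10.0.0.5:51100 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:01:30 ALLOW src=10.0.0.5:51101 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:07:45 ALLOW src=10.0.0.5:51102 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:02:00 ALLOW src=10.0.0.7:51200 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:02:05 ALLOW src=10.0.0.7:51201 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:20:00 ALLOW src=10.0.0.7:51202 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:03:00 ALLOW src=10.0.0.8:51300 dst=93.184.216.34:443 proto=tcp
2010-04-12T10:04:00 DENY src=10.0.0.5:51400 dst=203.0.113.9:25 proto=tcp
"""


def parse(lines):
    """Yield (timestamp, internal source, 'dst_ip:port') for every line that matches the format."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], f'{m["dst"]}:{m["dport"]}'


def find_cnc_candidates(lines, min_drones=3, max_jitter=0.2):
    """Flag endpoints contacted by >= min_drones distinct internal hosts where at least one
    host connects at near-constant intervals (std dev / mean of the gaps <= max_jitter).
    Returns {endpoint: {"drones": [...], "beaconing": [...]}}."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst in parse(lines):
        by_dst[dst][src].append(ts)
    candidates = {}
    for dst, sources in by_dst.items():
        if len(sources) < min_drones:
            continue
        beaconers = []
        for src, times in sources.items():
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                beaconers.append(src)
        if beaconers:
            candidates[dst] = {"drones": sorted(sources), "beaconing": sorted(beaconers)}
    return candidates


if __name__ == "__main__":
    for endpoint, info in find_cnc_candidates(LOG.splitlines()).items():
        print(endpoint, info)
```

Fan-in alone is not enough: the web server is also contacted by three hosts but nobody beacons to it, so it is not flagged. The IRC port is not used as a criterion on purpose, since the slide notes that HTTP is equally common for C&C; interval regularity works for both. The egress filtering the slide recommends is what turns such a finding into a block: once the endpoint is known, outbound connections to it from the intranet can be denied and the drones enumerated from the resulting DENY lines.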

29
Bot activity
Table from Symantec Global Internet Security
Threat Report Trends for 2009 Volume XV,
Published April 2010