Post on 22-Dec-2015
Simson L. Garfinkel
Web Security & Commerce (with Gene Spafford)
O’Reilly & Associates, 1997
Practical UNIX and Internet Security (Garfinkel & Spafford)
O’Reilly & Associates, 1997
Vineyard.NET, Inc., July 1, 1995-
Internet Security Today 1/3
What are the main security-related problems on the Internet today?
Hijacked web servers
Denial-of-Service attacks
Unsolicited commercial e-mail
Operator error, natural disasters
Microsoft...
Internet Security Today 2/3
What are not the major security-related problems?
Eavesdropped electronic mail.
• (Misdirected email is a problem.)
• (Email swiped from backup tapes is a problem.)
Sniffed credit card numbers.
• (Credit card numbers stolen from databases are a problem.)
Hostile Java & ActiveX applets.
Internet Security Today 3/3
So why does the press focus on the non-problems?
The real problems are old problems. (See Practical UNIX Security, 1991.)
The real problems are hard to solve. (I’m not here to sell you anything.)
Netscape IPO. (Netscape sells a product, not a service.)
Hijacked Web Servers
FBI: August 17, 1996 - Attacks on the Communications Decency Act.
CIA: September 18, 1996 - “Central Stupidity Agency”
NetGuide Live: “CMP Sucks.”
Hijacked Web Servers
Attacker gains access and changes contents of web server.
Usually stunts. Can be very bad:
Attacker can plant hostile applets.
Attacker can plant data sniffers.
Attacker can use the compromised machine to take over internal systems.
Hijacked Web Servers
Usually outsiders. (Could be insiders masquerading as outsiders.) Nearly impossible to trace.
How do they do it?
Administrative passwords captured by a password sniffer.
Utilize known vulnerability:
• sendmail bug.
• Buffer overflow.
Use web server CGI script to steal /etc/passwd file, then crack passwords.
Mount the web server’s filesystem.
How do you defend against it?
Patch known bugs.
Don’t run unnecessary services on the web server.
Don’t run sendmail. Use smap if possible.
Large sites may just have to suffer.
How do you defend? (2)
Never use telnet or ftp to access the web server.
• ssh/scp
• stel
• Security Dynamics’ SecurID
• Digital Pathways’ SecureNet Key
• (S/Key, Kerberos)
How do you defend? (3)
Practice good host security.
Don’t run SunOS.
Use tools like SATAN, ISS, COPS, Tiger...
Monitor system for unauthorized changes.
• Tripwire
Monitor system for signs of penetration.
• Intrusion detection systems
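As an added illustration of the Tripwire-style change monitoring above (this is example code, not the slides’ own material nor Tripwire itself), a minimal file-integrity baseline and comparison in Python. The web root, its pages and the modifications are all constructed inside the example:

```python
import hashlib
import os
import shutil
import stat
import tempfile

def fingerprint(path):
    # Per-file record in the Tripwire style: permissions, size and a content hash.
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"mode": oct(st.st_mode), "size": st.st_size, "sha256": h.hexdigest()}

def build_baseline(root):
    # Walk the document root and fingerprint every file (keys use "/" separators).
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            base[os.path.relpath(p, root).replace(os.sep, "/")] = fingerprint(p)
    return base

def compare(baseline, current):
    # Added and removed files, plus files whose content or permissions changed.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p]["sha256"] != current[p]["sha256"]
                     or baseline[p]["mode"] != current[p]["mode"])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    # Constructed sample web root: baseline it, alter a page, drop in a new CGI
    # script, and show that the comparison reports exactly those two files.
    docroot = tempfile.mkdtemp(prefix="htdocs-")
    try:
        os.makedirs(os.path.join(docroot, "cgi-bin"))
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>\n")
        baseline = build_baseline(docroot)
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>Changed</h1>\n")          # content changed
        with open(os.path.join(docroot, "cgi-bin", "new.cgi"), "w") as f:
            f.write("#!/bin/sh\n")                 # unexpected new file
        return compare(baseline, build_baseline(docroot))
    finally:
        shutil.rmtree(docroot)
```

Store the baseline off the web server (read-only media or a separate host); a baseline that an intruder on the machine can rewrite detects nothing.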
How do you defend? (3)
Make frequent backups.
Have a hot spare ready.
Monitor your system frequently.
Denial-of-Service
Publicity is almost as good as changing somebody’s web server.
• Attack on PANIX
• Attack on CyberPromotions
Costs real money.
• Lost sales
• Damage to reputation
Kinds of Denial-of-Service Attacks
Direct attack: attack the machine itself.
Indirect attack: attack something that points to the machine.
Reputation attack: attack has nothing to do with the machine, but references it in some way.
Direct Denial-Of-Service Attack
Send a lot of requests (HTTP, finger, SMTP).
Easy to trace.
Relatively easy to defend against with TCP/IP blocking at the router.
Direct Denial-Of-Service Attack 2
SYN Flooding
Subverts the TCP/IP 3-way handshake
• SYN / ACK / ACK
Hard to trace
• Each SYN has a different return address.
Defenses now well understood
• Ignore SYNs from impossible addresses.
• Large buffer pools (10 -> 1024)
• Random drop, oldest drop.
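The three defenses listed above, worked through as an added Python simulation (example code, not from the slides): a half-open connection table that discards SYNs from impossible source addresses, holds a configurable backlog, and evicts either the oldest or a random pending entry when full. The server address is the one on the slides; the flood sources and the legitimate client address are constructed.

```python
import ipaddress
import random
from collections import OrderedDict

SERVER_ADDR = "204.17.195.200"  # the web server's own address (from the slides)

def is_impossible_source(src, server_addr=SERVER_ADDR):
    # A SYN from an address that could never legitimately reach us:
    # unspecified, loopback, multicast, reserved, or our own address.
    a = ipaddress.ip_address(src)
    return (a.is_unspecified or a.is_loopback or a.is_multicast
            or a.is_reserved or str(a) == server_addr)

class HalfOpenTable:
    # Backlog of half-open connections: SYN seen, SYN-ACK sent, final ACK pending.
    def __init__(self, capacity, policy="oldest", seed=0):
        self.capacity, self.policy = capacity, policy  # policy: "oldest" or "random"
        self.table = OrderedDict()                     # (src, sport) -> arrival order
        self.rng = random.Random(seed)
        self.dropped_impossible = self.evicted = self.tick = 0

    def on_syn(self, src, sport):
        self.tick += 1
        if is_impossible_source(src):
            self.dropped_impossible += 1
            return False
        if len(self.table) >= self.capacity:
            # Full: evict one pending entry instead of refusing every new SYN.
            victim = (self.rng.choice(list(self.table)) if self.policy == "random"
                      else next(iter(self.table)))   # oldest half-open entry
            del self.table[victim]
            self.evicted += 1
        self.table[(src, sport)] = self.tick
        return True

    def on_ack(self, src, sport):
        # Third packet of the handshake; spoofed sources never send it.
        return self.table.pop((src, sport), None) is not None

def simulate(capacity, policy, flood_count=200):
    t = HalfOpenTable(capacity, policy)
    rng = random.Random(1)
    for i in range(flood_count):  # constructed flood: a different source per SYN
        t.on_syn(str(ipaddress.IPv4Address(rng.getrandbits(32))), 40000 + i)
    # A legitimate client (constructed address) arrives mid-flood and completes.
    accepted = t.on_syn("198.51.100.7", 51515)
    completed = t.on_ack("198.51.100.7", 51515)
    return {"accepted": accepted, "completed": completed, "evicted": t.evicted,
            "dropped_impossible": t.dropped_impossible, "pending": len(t.table)}
```

With a backlog of 10 the flood forces evictions but the legitimate client still completes because it answers before it is evicted; with a backlog of 1024 the same 200-SYN flood causes no evictions at all.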
Indirect Denial-Of-Service Attack
Attack DNS
• http://www.vineyard.net/ -> 204.17.195.200
DNS spoofing (hard)
Upstream DNS server (easier)
InterNIC (easy!)
Indirect Denial-Of-Service Attack
Attack Routing
• Attack routers (hard)
• Inject bogus routes on BGP4 peering sessions (easy)
Accidents have been widely reported.
Expect to see an actual BGP4 attack sometime this year.
Reputation-based Denial-Of-Service Attack
Spoofed e-mail:
  To: everybody@AOL.COM
  From: astrology@mail.vineyard.net
  Subject: Call Now!
  Hello. My name is Jean Dixon …
We got 3.9MB of angry responses.
Unsolicited Commercial E-Mail
Pits freedom-of-speech against right of privacy.
Consumes vast amounts of management time.
Drain on system resources.
Who are the bulk-mailers?
Advertising for Internet neophytes.
Advertising for sexually-oriented services.
Advertising get-rich-quick schemes.
Advertising bulk-mail service.
How do they send out messages?
Send directly from their site.
Send through an innocent third party.
Coming soon: sent with a computer virus or ActiveX applet.
How did they get my e-mail address?
Usenet & mailing list archives.
Collected from online address book.
AOL registry.
University directory.
Guessed
• Sequential CompuServe addresses.
Break into machine & steal usernames.
Operator Error & Natural Disasters
Still a major source of data loss.
Hard to get management to take seriously.
• Not sexy.
• Preparation is expensive.
• If nothing happens, money seems misspent.
Operator Error
Accidentally delete a file.
Accidentally install a bad service.
Accidentally break a CGI script.
Psychotic break.
Solutions
Frequent backups.
• Backup to high-speed tape.
• Real-time backup to spare machines.
• Make sure some backups are off-site.
Recovery plans.
Recovery center.
Test your backups & plans!