IT security testing, a practical guide — Part 4: Interception and modification of communication...



February 1993 Computer Audit Update

1987. It was cancelled in July 1989 and court proceedings begun in February 1990. The court found that the software house, CAP Financial Services (now the Sema Group) had used people without relevant expertise. Although the Salvage Association have won damages and costs they are still losers. The court damages and costs are the tip of the iceberg. In addition, there is management time, secretarial time, research, the effect of publicity on the organizations concerned. There is also loss of profits/potential profits and loss of competitive advantage from not having the right computer system installed at the right time. And finally there is the trauma of having a computer system that does not work sapping confidence in any future replacement and the need to start all over again.

These costs are as nothing, however, when compared to two other lawsuits on failed development projects. The failure of Confirm, an integrated reservation system being developed by a consortium of companies, has led to a subsidiary of American Airlines suing for unspecified damages from its partners for their allegedly assigning personnel to the project who did not have decision-making authority, withholding funds due for its work on the project and failing to approve the functional specifications in a timely manner. Marriott has countersued for $64 million claiming that the management of American and its subsidiary had falsified information on financial aspects of the project and concealed information about defects in its design.

In the UK, Standard Chartered is suing Scicon with an £80 million damages claim for negligence, breach of contract and misrepresentation. The claim dates back to 1986 when Scicon was contracted to install a group message switching system on a product solution basis, i.e. an existing system which would be tailored to satisfy current and future needs. The contract was terminated in January 1990 because it appeared no longer viable and because Scicon allegedly failed to provide a system that was operable; failed to produce a quality plan until two years into the project; failed to manage the project adequately; failed to inform the Bank that the project was 'high risk'; underestimated the scale of the changes which would be needed; and cut corners in unit, system and installation testing of software.

I would question who had failed to manage the project adequately. The contract may state that project management rests with the software house, but the computer system is being developed for the organization and it is the organization's senior management's responsibility to ensure that the project is properly managed. You cannot abrogate responsibility by contracting it to others. Not when the future of the organization may depend upon the computer system being successfully and timely installed.

IT SECURITY TESTING, A PRACTICAL GUIDE PART 4

INTERCEPTION AND MODIFICATION OF COMMUNICATION CHANNELS

Bernard Robertson and David Pullen, PA Consulting Group

Introduction

Communications networks are key components in many IT systems. Communications networks exist in many different forms (e.g. WANs, LANs, MANs) using different protocols, and different types of transport media (e.g. copper, optical fibre, etc.). Much of the information processed by an organization will pass across some part of a communications network at some time. When the information is in transit it is vulnerable to many threats which do not exist when the information is held on storage media in a secure environment. The three security issues that need to be considered are confidentiality, integrity and availability of data.

©1993 Elsevier Science Publishers Ltd 3


This article is about the interception and modification of communication channels, a form of security testing of communications networks which is intended to identify vulnerabilities in the networks which may be exploited by realistic threats. It does not cover threats which should be addressed by contingency and disaster plans (e.g. accidental damage to a communications line or loss of power to a network device).

As with all types of security testing it is important to identify the likely threats to the communications network and to consider them in relation to the threats to the entire system. There is little point in spending time and effort on small, difficult to exploit loopholes in the communications network if a much greater vulnerability exists in the system as a whole.

ATTACK OBJECTIVES

The objective of an attack employed by security testing will be to bring about a loss of availability, confidentiality or integrity to the communication system and the data in transit.

Loss of availability

The loss of availability may be brought about by disrupting all or part of the communications network either from physical threats (e.g. fire, power failure etc.) or logical threats (e.g. changing routing tables so that authentic recipients do not receive the information they require, by flooding the network with messages or by introducing unrecoverable protocol errors).

Loss of confidentiality

Confidentiality of data on the network may be breached by passive tapping, i.e. monitoring information as it flows across the network without making any changes. Passive tapping is most likely to involve eavesdropping on confidential data (e.g. financial results, personal data or proprietary design information), or passwords and user identifiers which would enable the attacker to execute an authorized logon to an application.

Loss of integrity

The integrity of data may be breached by an active tap, i.e. actively changing data as it is transmitted across the network. Active taps also involve a loss of confidentiality. Active tapping is most likely to involve modification of financial data to the advantage of the attacker.

ATTACK TECHNIQUES

There are five types of attack on communications networks:

• Modification of static configuration information (e.g. routing information in a LAN bridge).

• Passive tapping.

• Active tapping.

• Blocking or jamming.

• Flooding.

Each of these types of attack is described below along with examples of attack techniques. Table 1 at the end of this section lists each of the attack techniques and indicates whether the attack is likely to lead to loss of confidentiality, integrity or availability.

Modification of static information

Many network components contain configuration information which is only normally modified when a change needs to be made to the network. The information may include port allocations, routing information, component addresses etc. Unauthorized modification of the information may disrupt the network immediately or at a later date (i.e. when an authorized change is made and the configuration information is found to be incorrect). Attack techniques may include rerouting, modification of general configuration information and corruption of configuration information.

Configuration changes are usually accomplished by sending a network management message to a network device. The message could be sent via a directly connected terminal or from a remote device (e.g. a user terminal on the network or the network management centre (NMC)).

Rerouting

Rerouting involves the changing of routing information in network components such that data is directed to the wrong destination and thus made unavailable to the legitimate recipient or available to an unauthorized recipient!

Modification or corruption of configuration information

Configuration information may be modified to disrupt the network either immediately (e.g. messages being routed to invalid addresses) or when maintenance changes are required. If the configuration information is found to be incorrect when a network change is made then all the configuration records would need to be checked before the change can be properly completed.

Corruption of the configuration information could be achieved in the same way as the other configuration changes, or by attempting to corrupt the information via some other mechanism (e.g. sudden removal of power or disruption of the storage media used for the configuration information).
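The article's point that an unauthorized configuration change may only surface when a later authorized change finds the records incorrect suggests a simple control: keep a baseline of each device's configuration records taken at the last authorized change, and verify every device against it before the next change. The Python below is an added example, not part of the article; the device names, port allocations and routing records are constructed for illustration.

```python
import copy
import hashlib
import json


def fingerprint(config: dict) -> str:
    """Canonical SHA-256 over a device's configuration records. Keys are sorted so that
    the order in which a management interface lists fields does not change the digest."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def record_baseline(authorized: dict) -> dict:
    """Taken at the last authorized change: digest plus a copy of the records per device."""
    return {name: {"fingerprint": fingerprint(cfg), "records": copy.deepcopy(cfg)}
            for name, cfg in authorized.items()}


def _flatten(d: dict, prefix: str = "") -> dict:
    """Turn nested records into {'routes.10.1.0.0/16': 'port1', ...} for record-level diffs."""
    out = {}
    for key, value in d.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(_flatten(value, path + "."))
        else:
            out[path] = value
    return out


def verify_before_change(live: dict, baseline: dict) -> dict:
    """Compare the live configuration of every device with the baseline and report each
    record that differs as {device: {record: (baseline_value, live_value)}}. Devices whose
    digest matches are skipped; the record-level diff is only computed on a mismatch."""
    findings = {}
    for name, cfg in live.items():
        if name not in baseline:
            findings[name] = {"device": ("absent from baseline", "present")}
            continue
        if fingerprint(cfg) == baseline[name]["fingerprint"]:
            continue
        before, after = _flatten(baseline[name]["records"]), _flatten(cfg)
        findings[name] = {key: (before.get(key), after.get(key))
                          for key in sorted(set(before) | set(after))
                          if before.get(key) != after.get(key)}
    return findings


def build_sample():
    """Constructed LAN bridge configurations (not real devices): the live copy of BRIDGE-A
    has one route quietly redirected, the rerouting attack described in the article."""
    authorized = {
        "BRIDGE-A": {"ports": {"port1": "finance-segment", "port2": "trunk"},
                     "routes": {"10.1.0.0/16": "port1", "10.2.0.0/16": "port2"}},
        "BRIDGE-B": {"ports": {"port1": "ops-segment"},
                     "routes": {"10.3.0.0/16": "port1"}},
    }
    live = copy.deepcopy(authorized)
    live["BRIDGE-A"]["routes"]["10.1.0.0/16"] = "port2"
    return authorized, live


if __name__ == "__main__":
    authorized, live = build_sample()
    print(verify_before_change(live, record_baseline(authorized)))
```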

Passive tapping

Passive tapping involves the monitoring of information as it flows across the network without making any changes. Passive tapping is most likely to involve eavesdropping on confidential data (e.g. sensitive records), or passwords and user identifiers which would enable the attacker to execute an authorized logon to an application.

The attack may be carried out using a monitoring device such as a protocol analyser or a bespoke application running on an intelligent terminal connected to the communications line. This form of attack is virtually impossible to detect as it does not involve any loss or corruption of data.

Active tapping

Active tapping involves intercepting and modifying data flowing across a communications channel. The attack may be carried out using a protocol analyser or a bespoke application running on an intelligent terminal. The attacks will usually require detailed information on the communication protocol used, the format and type of messages, and methods used for calculating the integrity checks. Specific types of active tapping include:

Introduction of protocol errors

Protocol errors may be introduced by changing, adding or deleting one or more bits in a communication stream such that the protocol between the communicating entities is violated. An attack of this type would normally aim to disrupt or 'crash' the network. Randomly introduced protocol errors which cause severe disruption of the communications network will be very difficult to identify and could disrupt the network for an extended period.

Modification of integrity checksums

Many communications protocols contain integrity checks (e.g. parity checks). Modification of the checksums in transit can seriously disrupt or even 'crash' the network because of the large number of repeated retransmissions. This attack may also be required by other attacks which change message data since it will usually be necessary to recalculate the integrity checksums if the attacker intends the changes to reach the application level without detection.

Modification of message or transaction sequence numbers

Information exchanges between applications often involve sequences of messages or transactions. The applications and/or the communications processes may keep track of the exchanges by using sequence numbers to clearly identify the position of the message or transaction in the entire information exchange.

Modification of addressing information

Messages transmitted across a network often have addressing information to indicate the source and destination of the message. Changing the destination address will cause a message to either be delivered to the wrong recipient or not delivered at all (if the message is invalidly addressed).

Masquerade

A masquerade attack will normally be undertaken in one of two ways:

An attacker may wish to communicate with an application but may not be in possession of an authorized network device. The attacker would therefore need to masquerade as an authentic device.

An attacker may wish to masquerade as a validly connected mainframe processor and attempt to record valid logon information from authorized users. The recorded information may then be used to perform an unauthorized but legitimate access.

Both forms of the attack may be executed by intercepting the link to a valid network connected device and simulating its operation.

Modification of message data

This type of attack involves changing message data usually to benefit the attacker in some way (e.g. changing an amount field to increase a payment made to the attacker, or changing the name and address information to redirect a payment). The attack requires detailed information on the protocols used. If the message is to be accepted then all the checksums will need to be recalculated.

Replay

This attack involves the recording of messages on the network. At a later stage, the recorded copy of the message is retransmitted. The attack may be perpetrated by using a recording device (e.g. a protocol analyser).

Blocking of transmissions

The blocking of transmissions involves interfering with a transmission in such a way that it cannot be received or understood by the authorized recipient. The two primary techniques for such an attack are cutting of the communications channel or jamming of transmissions. The former attack will not be considered here as it should be covered by contingency or disaster planning measures.

Jamming of transmissions

This attack involves interfering with a communications channel by emitting signals of a similar wavelength such that the valid signals cannot be understood. The attack could be attempted on microwave links which are often employed between core nodes of a network and which transmit large amounts of data at high speed.

Flooding

This technique involves flooding a network with messages to the extent that the service falls below an acceptable level or even fails completely. Flooding a network is often very easy to achieve particularly on something like an Ethernet LAN where the generation of a large number of broadcast messages can quickly bring the network to a standstill.
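A broadcast storm of the kind described above is easy to detect and attribute from a frame summary, because the storming station's source address appears on every broadcast frame. The Python below is an added example, not part of the article: it applies a per-source sliding window over constructed frame records (timestamp, source MAC, destination MAC, length) and reports any source whose broadcast rate exceeds a threshold; the addresses, timings and threshold are assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_frames(text: str) -> list:
    """Parse constructed frame-summary lines of the form '<time_s> <src_mac> <dst_mac> <bytes>'
    into (time, src, dst, size) tuples sorted by time."""
    frames = []
    for line in text.strip().splitlines():
        t, src, dst, size = line.split()
        frames.append((float(t), src.lower(), dst.lower(), int(size)))
    return sorted(frames)


def detect_broadcast_storm(frames: list, window: float = 1.0, threshold: int = 100) -> dict:
    """Flag every source that sends more than `threshold` broadcast frames within any
    `window` seconds. Returns {src_mac: peak_frames_in_window} for offending sources only.
    A deque per source holds the timestamps of its broadcasts inside the current window."""
    recent = defaultdict(deque)
    peak = {}
    for t, src, dst, _size in frames:
        if dst != BROADCAST:
            continue                      # unicast traffic is not counted
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:    # drop broadcasts older than the window
            q.popleft()
        if len(q) > threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def build_sample() -> str:
    """Constructed capture (not real traffic): four stations each send a handful of
    broadcasts per second, while one station emits 400 broadcasts in under a second."""
    lines = []
    for i in range(40):
        lines.append(f"{10 + i * 0.05:.3f} 00:11:22:33:44:{i % 4 + 1:02x} {BROADCAST} 60")
        lines.append(f"{10 + i * 0.05 + 0.01:.3f} 00:11:22:33:44:{i % 4 + 1:02x} 00:11:22:33:44:10 1514")
    for i in range(400):
        lines.append(f"{11 + i * 0.002:.3f} 00:11:22:33:44:99 {BROADCAST} 60")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_broadcast_storm(parse_frames(build_sample())))
```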

Summary of attack techniques

The attacks outlined in this section may be used alone or in conjunction with other attacks. Table 1 lists all the attacks and indicates the type of attack involved.

Modification of static information:
• Rerouting
• Modification or corruption of configuration information

Passive tapping:
• Eavesdropping

Active tapping:
• Modification of integrity checksums
• Modification of message or transaction sequence numbers
• Modification of addressing information
• Masquerade
• Modification of message data
• Replay

Blocking:
• Jamming of transmissions

Flooding:
• Flooding

Table 1: Classification of attacks.

THE TEST PROCESS

Performing the security testing of communications networks is a highly technical process. The testing will be most effective if the steps outlined in earlier articles in this series are followed.

The process should begin with the identification of business and security controls followed by the vulnerabilities and threats. Attacks on the network should be considered alongside other system attacks which may be far simpler and easier to perpetrate. When the real threats and vulnerabilities have been defined and a risk analysis has been completed, the full attack scenarios may be developed.

Each part of an attack scenario should be examined to identify: those parts which need to be tested (i.e. the sections of the attack for which the results are not known); and those parts for which the results are known without doubt. This approach will ensure that the amount of time and effort expended on the testing is kept to a minimum.

EXAMPLES OF ATTACK SCENARIOS

There will be many different options of attack scenarios. Four examples are given below in which the process of identifying the sections which need to be tested is demonstrated.

Obtaining and using passwords and user identifiers

This attack consists of two parts: eavesdropping on a communications link to record user identifiers and passwords; and using user identifiers and passwords to gain access from a legitimate terminal or an unauthorized terminal masquerading as a legitimate terminal.

In most cases it will be clear whether or not it would be possible to eavesdrop on a communications link and record user logon information. However it may be necessary to determine the difficulty of achieving this attack on different parts of the network. For example it is very easy to record and identify this information on a LAN but much more difficult on a multiplexed microwave link.

The second part of the attack is simple if it is possible to gain access to an authorized terminal. However if the attack is from outside the organization then the attacker may need to simulate a legitimate terminal. It will be this part of the attack scenario which will need to be tested to determine its feasibility.

Denying service to a large number of users

This attack may be perpetrated in a number of ways and could make use of any of the techniques outlined earlier which result in a loss of availability. Each attack technique should be considered on its own and in combination with other attacks. Many of these tests will be difficult to conduct since they are really only valid in the live environment. However, for practical reasons the tests should be conducted in a controlled test environment. The expected results in the live environment should be deduced from the test results.

As an example, protocol errors could be introduced on a line in the test environment using a protocol analyser running interactive software which modifies data as it passes. If the introduction of random protocol errors eventually causes the transmission to terminate and re-establishment of the communications session is protracted, then it is likely that the introduction of random errors will significantly disrupt the live network.

Modifying amounts in messages

This attack relates to making an active tap to change the 'amount' details in a message, perhaps for the purposes of financial gain. The objective of the test will be to determine whether the change can be made without being detected by either the IT systems or any manual procedures. Because changes will be made to the data area of the message it is likely that integrity checksums will have to be recalculated. The attack therefore makes use of the 'modification of integrity checksums' and 'modification of message data' techniques outlined earlier.

Although this type of attack scenario may be proved theoretically it is usually appropriate to demonstrate it in the test environment to provide convincing proof of its feasibility. In particular, proof of the ability to easily recalculate the integrity checksums will be required. This type of attack will be time consuming and complex to execute and should only be considered when simpler attacks have been proven to be impossible.

Replay messages

This attack scenario involves the replaying of messages for direct financial gain (e.g. the repeated sending of a payment transaction) or to gain access to a system/application. The messages could be recorded and played back using a protocol analyser or a PC. This attack will usually require the message/transaction sequence number to be changed to fit in with the sequence numbers at the time of playback to ensure that the message is accepted. As above, this attack is fairly complicated and should only be attempted when the exploitation of simpler vulnerabilities has failed.
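The 'modifying amounts in messages' and 'replay messages' scenarios both succeed because the protocol-level integrity check can be recalculated by anyone who knows the format. The Python below is an added example, not part of the article, showing the receiver-side checks that close both gaps: a keyed MAC (HMAC-SHA256) over the sequence number and the data, plus a strict next-sequence check. The wire format, shared key and payment field names are constructed for illustration; the tamper and replay steps only reproduce what the article describes, so that the checks can be exercised.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed format (assumption): seq (4 bytes) | payload | crc32 (4 bytes) | hmac-sha256 (32 bytes)
KEY = b"constructed-demo-key"   # shared by sender and receiver; assumed, not from the article
TRAILER = 36                    # crc (4) + tag (32)


def build_message(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    body = struct.pack(">I", seq) + payload
    crc = struct.pack(">I", zlib.crc32(body))
    tag = hmac.new(key, body, hashlib.sha256).digest()   # covers seq and payload
    return body + crc + tag


def crc_ok(msg: bytes) -> bool:
    """The unkeyed protocol checksum: detects line errors, not deliberate changes."""
    body, crc = msg[:-TRAILER], msg[-TRAILER:-32]
    return struct.unpack(">I", crc)[0] == zlib.crc32(body)


def mac_ok(msg: bytes, key: bytes = KEY) -> bool:
    """The keyed check: cannot be recalculated without the key."""
    body, tag = msg[:-TRAILER], msg[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


class Receiver:
    """Accepts a message only if CRC and MAC verify and it carries the next expected sequence number."""
    def __init__(self, key: bytes = KEY):
        self.key, self.expected_seq = key, 1

    def accept(self, msg: bytes) -> str:
        if len(msg) < TRAILER + 4:
            return "reject: short"
        if not crc_ok(msg):
            return "reject: crc"
        if not mac_ok(msg, self.key):
            return "reject: mac"
        if struct.unpack(">I", msg[:4])[0] != self.expected_seq:
            return "reject: sequence"
        self.expected_seq += 1
        return "accept"


def rewrite(msg: bytes, new_body: bytes) -> bytes:
    """Model the active-tap step from the article: change the body and recalculate the unkeyed
    checksum, leaving the MAC untouched because the key is not available on the line."""
    return new_body + struct.pack(">I", zlib.crc32(new_body)) + msg[-32:]


def demo() -> dict:
    rx = Receiver()
    m1 = build_message(1, b"PAY|ACCT=12345|AMOUNT=00100")
    results = {"original": rx.accept(m1)}
    results["replay"] = rx.accept(m1)                       # same message again: sequence check fails
    reseq = rewrite(m1, struct.pack(">I", 2) + m1[4:-TRAILER])
    results["replay_reseq"] = rx.accept(reseq)              # sequence patched to fit: MAC fails
    m2 = build_message(2, b"PAY|ACCT=12345|AMOUNT=00100")
    tampered = rewrite(m2, m2[:-TRAILER].replace(b"00100", b"99100"))
    results["tampered_crc_ok"] = crc_ok(tampered)           # recalculated CRC passes ...
    results["tampered"] = rx.accept(tampered)               # ... but the MAC does not
    results["next"] = rx.accept(m2)                         # the genuine message is still accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence number must be inside the MAC; if it sat outside, the 'replay_reseq' case above would be accepted exactly as the article predicts.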

This article has described communications channel testing and given some examples of the types of test that may be performed. The next article in this series describes the testing of systems using stress/loading techniques.

Bernard Robertson is a Principal Consultant in the Security Consulting Practice of PA Consulting Group. He has extensive experience in performing a range of security testing programmes for public and financial sector clients. Bernard is a regular speaker on IT security issues and holds degrees in Economics and Business Administration. David Pullen is a Senior Consultant within the same Security Consulting Practice. Over the last five years he has conducted several security testing projects, including one lasting two years with a team of 15 security testers. David is a Physics graduate and a qualified teacher who has produced a wide range of educational material on security testing.
