Looking at Vulnerabilities - Dave Dittrich, The Information School / Computing & Communications (slide deck transcript, posted 21-Dec-2015)
Page 1: Looking at Vulnerabilities
Dave Dittrich
The Information School / Computing & Communications, University of Washington
Microsoft campus, 8/25/03
Page 2: Overview
Background concepts
Your typical look at vulnerabilities, Risk vs. Cost
A (real!) complex attack scenario
A different view of vulnerabilities
  Trust relationships
  Attack trees
Atypical/uncommon vulnerabilities
Page 3: Stepping Stones
Page 4: Internet Relay Chat (IRC)
Page 5: IRC w/ Bots & BNCs
Page 6: Distributed Denial of Service (DDoS) Networks
Page 7: Typical DDoS attack
Page 8: DDoS Attack Traffic (1)
One Day Traffic Graph
Page 9: DDoS Attack Traffic (2)
One Week Traffic Graph
Page 10: DDoS Attack Traffic (3)
One Year Traffic Graph
Page 11: SANS Top 20 Vulnerabilities
Windows Top 10
1. Internet Information Server (IIS)
2. Microsoft Data Access Server (MDAC)
3. SQL Server
4. NETBIOS
5. Anonymous login/null session
6. LAN Manager Authentication (weak LM hash)
7. General Windows Authentication (accounts w/o password, bad password)
8. Internet Explorer
9. Remote Registry Access
10. Windows Scripting Host
Unix Top 10
1. Remote Procedure Call (RPC) services
2. Apache Web Server
3. Secure Shell (SSH)
4. Simple Network Management Protocol (SNMP)
5. File Transfer Protocol (FTP)
6. Berkeley "r" utilities (trust relationships)
7. Line Printer Daemon (LPD)
8. Sendmail
9. BIND/DNS
10. General Unix Authentication (accounts w/o password, bad password)
http://www.sans.org/top20/
Page 12: Attack Sophistication vs. Intruder Technical Knowledge (chart)
Vertical axis: High to Low; two curves, Intruder Knowledge and Attack Sophistication; horizontal axis: 1980, 1985, 1990, 1995, 2001; series labels: Tools, Attackers
Techniques labelled along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption
Source: CERT/CC (used w/o permission & modified; "Can you say 'fair use?' Sure, I knew you could." IHO Fred Rogers)
Page 13: Cost vs. Risk 101
Page 14: Another view of Cost vs. Risk
Page 15: UW Medical Center "Kane" Incident
Goal: How hard to obtain patient records?
Windows 98 desktop w/ trojan or no password
Sniffer
Linux server -> Windows NT PDC / F&P server
Unix email server
Windows PDCs, BDCs
Windows Terminal Server (>400 users)
Access database file (>4000 patient records: name, SSN, home number, treatment, date...)
SecurityFocus -> ABC News
Page 16: Trust relationships
Client <-> Server
IP-based ACLs
Shared password/symmetric key
Shared network infrastructure
Sensitive data in email
Sensitive files on servers
Page 17: Attack Trees
"Secrets and Lies," Bruce Schneier, ISBN 0-471-25311-1, chapter 21
Goal is the root node; sub-goals are lower nodes/leaves
And/Or relationship between nodes
Attributes: likelihood, equipment required, cost of attack, skill required, legality, etc.
Page 18: Attack Tree Example 1
http://www.counterpane.com/attacktrees-fig1.html
Page 19: Attack Tree Example 2
http://www.counterpane.com/attacktrees-fig6.html
Page 20: Attack Tree Example 3
Survivability Compromise: Monitor network traffic
OR:
  1. Install sniffer on desktop.
     OR:
       1. Use email trojan horse.
       2. Use remote exploit.
       3. Use Windows remote login service.
          OR:
            1. Use passwordless Administrator account.
            2. Brute force passwords on all listed accounts.
            3. Brute force passwords on common accounts.
  2. Install sniffer on Unix/Windows server.
     OR:
       1. Use remote exploit.
       2. Steal/sniff password to root/Administrator account.
       3. Guess password to root/Administrator account.
  3. Man-in-the-middle attack on SSL/SSH.
  ...
Page 21: Attack Tree Example 4 (Nested)
Survivability Compromise: Disclosure of Patient Records
OR:
  1. Attack Med Center network using connections to the Internet.
     OR:
       1. Compromise central patient records database (PRDB).
          AND:
            1. Identify central PRDB.
               OR:
                 1. Scan to identify PRDB.
                 2. Monitor network traffic to identify PRDB.
            2. Compromise central PRDB.
               OR:
                 1. Use remote exploit.
                 2. Monitor network traffic to sniff password to account.
                 3. Guess password to account.
       2. Obtain file(s) containing patient records.
          OR:
            1. Monitor network traffic to capture patient records.
            2. Compromise file server or terminal server.
               OR:
                 1. Use remote exploit.
                 2. Monitor network traffic to sniff Administrator password.
                 3. Guess password to User/Administrator account.
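As an added example (not from the slides), the nested patient-records tree above encoded as an AND/OR attack tree with the "cost of attack" attribute from the Attack Trees slide: OR nodes take the cheapest sub-goal, AND nodes add their sub-goals' costs. The leaf costs and the `raise_cost` helper are constructed for illustration; the helper models a defensive control and shows how the cheapest path moves from password guessing to network sniffing once passwords are hardened, which is why the slides call vulnerabilities additive and interrelated.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    """One node of an AND/OR attack tree (Schneier, Secrets and Lies, ch. 21)."""
    name: str
    op: str = "LEAF"        # "AND", "OR" or "LEAF"
    cost: float = 0.0       # leaf attribute; constructed, hypothetical units
    children: List["Node"] = field(default_factory=list)

def OR(name, *kids):  return Node(name, "OR", children=list(kids))
def AND(name, *kids): return Node(name, "AND", children=list(kids))
def LEAF(name, cost): return Node(name, "LEAF", cost)

def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cost and leaf steps of the cheapest attack reaching this node's goal:
    OR needs only one sub-goal (take the minimum); AND needs all (costs add up)."""
    if node.op == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    return sum(r[0] for r in results), [s for r in results for s in r[1]]

def raise_cost(node: Node, substring: str, new_cost: float) -> int:
    """Model a defensive control by raising the cost of every leaf whose name
    contains `substring`; returns how many leaves were changed."""
    if node.op == "LEAF":
        if substring in node.name and node.cost < new_cost:
            node.cost = new_cost
            return 1
        return 0
    return sum(raise_cost(c, substring, new_cost) for c in node.children)

def patient_records_tree() -> Node:
    """The nested tree from the 'Disclosure of Patient Records' slide.
    Leaf costs are constructed for illustration, not taken from the slides."""
    return OR("Disclosure of patient records",
        OR("Attack Med Center network using connections to the Internet",
            AND("Compromise central patient records database (PRDB)",
                OR("Identify central PRDB",
                    LEAF("Scan to identify PRDB", 1),
                    LEAF("Monitor network traffic to identify PRDB", 3)),
                OR("Compromise central PRDB",
                    LEAF("Use remote exploit (PRDB)", 4),
                    LEAF("Monitor network traffic to sniff pwd to account", 3),
                    LEAF("Guess password to account", 2))),
            OR("Obtain file(s) containing patient records",
                LEAF("Monitor network traffic to capture patient records", 3),
                OR("Compromise file server or terminal server",
                    LEAF("Use remote exploit (file server)", 4),
                    LEAF("Monitor network traffic to sniff Administrator pwd", 3),
                    LEAF("Guess password to User/Administrator account", 2)))))

tree = patient_records_tree()
before = cheapest(tree)                 # (2, ['Guess password to User/Administrator account'])
raise_cost(tree, "Guess password", 10)  # strong-password policy: guessing is no longer cheap
after = cheapest(tree)                  # (3, ['Monitor network traffic to capture patient records'])
```

After the password control, the cheapest remaining path runs through a sniffer on the shared network, which is exactly the "Kane" scenario; the defender's next control (encryption or segmentation) has to target that leaf.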
Page 22: Atypical Vulnerabilities
Network infrastructure
Special devices
Non-technical (social) issues
Page 23: Border Routers
BGP (route insertion/withdrawal)
Address forgery
Source routing
Denial of service
Remote service exploit & "root kits"
Lack of visibility/access to traffic flows
Page 24: Internal Routers/Switches
OSPF, RIP & other protocols
Address forgery
ARP spoofing
Sniffing (SNMP community string, password)
Denial of service
Lack of visibility/access to traffic flows
Page 25: Servers
Gateways to legacy apps
Web apps
Insufficient logging/auditing
Hiding in plain sight
Control of software configuration
Page 26: Network Printers
Change "Ready" message
FTP bounce scan, other scanning
File cache
SNMP/web admin front ends, back doors
Disclosure of print jobs
Passive monitoring
Redirection of print jobs
Page 27: Medical "devices", photocopiers, printers
Proprietary or OEM OS (e.g., Solaris, IRIX)
Many (non-essential) services turned on
Typically behind the curve on patches
Remote management (HTTP, SNMP)
Heavy use of unencrypted protocols (e.g., FTP, LPR, Berkeley "r" utilities)
"What? The hackers are back?"
Page 28: PBXs, voice services
Monitoring
Theft of service
Fraud/social engineering
Denial of service
Malware
Cache (PC-based VM)
Page 29: Social Issues
Not recognizing threats & risks
Assuming attacks are simple
Assuming things are what they seem (e.g., Slammer, Nimda, SoBig)
Assuming attacks/defenses are direct
Assuming you have it handled
Page 30: So how do we fix things?
Information Assurance
Education (start to finish)
Research
Practice (corporations, government... everyone!)
Page 31: Information Assurance
Information Assurance (IA) concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Source: National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, January 1999
Page 32: NSA Centers of Excellence
Outreach program designed and operated by the National Security Agency (NSA)
Fulfills the spirit of Presidential Decision Directive 63 (PDD 63 - National Policy on Critical Infrastructure Protection, May 199)
Goal: To reduce vulnerability in our national information infrastructure by promoting higher education in IA, and producing a growing number of professionals with IA expertise in various disciplines
Page 33: Where are they?
As of May 2003, 50 Centers nationwide
Mostly the East Coast
Closest to Seattle are Portland State, University of Idaho, Idaho State University
For more info: http://www.nsa.gov/isso/programs/coeiae/index.htm
Page 34: 2002 NSA Centers of Excellence
Page 35: Benefits to the nation
Meet national demand for professionals with IA expertise in various disciplines
Professionals enter the workforce better equipped to meet challenges facing our national information infrastructure
Centers act as focal points for recruiting individuals with IA expertise
Centers create a climate and foci to encourage independent research in critical IA areas
Page 36: Summary
Vulnerabilities exist in places you might not think
Vulnerabilities are additive, interrelated
Complex attacks call for complex defenses/response
If you're not learning something new every day, you're falling behind your adversary
Page 37: Questions?
dittrich @ u.washington.edu
http://staff.washington.edu/dittrich/
Page 38: References
UW Medical Center
http://www.securityfocus.com/news/122/
http://www.hipaausa.com/hacker.html
http://www.cio.com/archive/110102/rules_content.html
http://www.cio.com/archive/031502/plan_content.html
Attack trees
http://www.counterpane.com/attacktrees-ddj-ft.html
Networking
http://www.e-secure-db.us/dscgi/ds.py/View/Collection-24
http://www.securite.org/presentations/secip/CSWcore02-SecIP-v1.ppt
http://www.securityfocus.com/infocus/1594
Page 39: References (cont)
Routers
http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-akin-cisco/bh-us-02-akin-cisco.ppt
http://philby.ucsd.edu/~bsy/ndss/2002/html/1997/slides/gudm_pnl.pdf
http://www.net-tech.bbn.com/sbgp/IETF42.ppt
http://www.cymru.com/Presentations/barry.pdf
BGP, OSPF
http://www.cs.ucsb.edu/~rsg/Routing/references/wang98vulnerability.pdf
http://www.cse.ucsc.edu/research/ccrg/publications/brad.globalinternet96.pdf
Page 40: References (cont)
Switches, ARP, local network attacks
http://www.comnews.com/stories/articles/c0103sfarea.htm
http://www.blackhat.com/presentations/bh-usa-01/MikeBeekey/bh-usa-01-Mike-Beekey.ppt
Printers
http://members.cox.net/ltw0lf/printers/
PBXs
http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
DDoS, "root kits"
http://www.cert.org/reports/dsit_workshop.pdf
http://www.cert.org/archive/pdf/Managing_DoS.pdf
http://staff.washington.edu/dittrich/misc/ddos/
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq