Recent Security Threats & Vulnerabilities
Computer security
Bob Cowles
HEPiX, Fall 2004 – Brookhaven, NY, USA
Work supported by U. S. Department of Energy contract DE-AC02-76SF00515
18 October 2004 HEPiX - Fall 2004 2
Windows
  Recent Windows vulnerabilities
  Windows patching
  Phishing and viruses
  Web exposures (IE)
  Spyware
  XP SP2
Recent Windows Vulnerabilities
  ASP.NET path vulnerability
  GDI+ JPEG (can't just block JPEGs)
  IE patches – lots; Outlook Express update
  NetDDE (not enabled by default)
  Windows shell (exploit through web)
  IIS (document footer JavaScript)
  Allows code execution: NNTP; SMTP; zipped folders; Excel; WP converter; HTML Help; Task Scheduler; POSIX (old systems)
Windows Patching
  Patches do _NOT_ get e-mailed to you!
  Windows systems in Active Directory can be patched automatically (mostly)
  Offsite users must do their own patching
  May investigate "BigFix" as partial solution
    Support for Linux / Macintosh
    Non-AD users
    Non-Microsoft software (WinZip, RealPlayer, Acrobat)
    http://www.bigfix.com/products/products_patch.html
E-Mail Attacks & Protection
  Phishing = e-mails (and phone calls) engineered to get information from you, or just to get you to click and download a virus
  Need to have multi-level protection
    E-mail gateways strip attachments
    Exchange/desktop AV detects & removes
    Gateway tags as [SPAM:###] if a link in the e-mail would download malicious code
AD & SUS -> WUS
  Problematic patching
    Office vs. Windows Update
    Require product CD?
  XP will have improvements (someday)
  Who let them name it WUS? http://www.wordsculpture.se/english_corner/slang.asp
  But sites still must address non-MS software
Viruses
  More sophistication
    Run automatically
    Leave backdoors; SMTP for spam
    Keyboard loggers
  Alert Oct 18, 2004 – bypass of zip file checking in AV from McAfee, CA, Sophos, Kaspersky, Eset, RAV
IE Exposures
  Unpatched vulnerabilities
  Cannot escape IE (but can control it)
  XP SP2 has fixed some problems
  There is still the problem of user knowledge
Spyware
  Invades privacy
  Keyloggers compromise security
  Allowed by some AV products
  User agrees to software's actions through license agreement
  US state and federal legislation will solve the problem (just like with SPAM) - NOT
XP SP2
  Problem areas
    Spyware causes bluescreen
    Popup blocking causes problems with some sites
    Multiple firewalls cause conflicts
  Need to allow vulnerability scanning
    ICMP off by default (no ping response)
    Open ports for file / print sharing, or run a software agent that can be "contacted"
Unix & Linux
  Local exploits = remote exploits
  Samba
  LSF – rtok, lsadmin, eauth
  PHP in web servers
  chown
  Drivers (sparse code checking tool)
  sendmail
  sshd – scanning for weak passwords
Fedora
  Supports RH 7.3 and RH 9
  Security fixes can take several months after vulnerability is announced
  Large package of fixes released Oct 18, 2004: ISO9660, Soundblaster, file offset pointers, NFS group ID, drivers, several integer overflows, other DoS, memory leaks, information leaks
Universities & Labs
  Exploits against Solaris, AIX, Linux
  Attacker(s) are knowledgeable
  Install SK rootkit on Linux
  Install trojaned sshd
    gets passwords from keyboard/tty entry
    accesses RSA keys
  CERN break-in (LXPLUS) recent example (LSF)
  Are one-time password tokens in your future?
Universities and Labs (cont)
  User "klogd" scans for open X sessions
  Forwards captured passwords through port 8181
  Used on patched machines
  Just notified sites in US (USC, UCSB, NYU, Princeton, PSU, etc.) of problems
  Also RAL, Fermilab, SLAC, Cornell, Bristol, INFN, Stanford
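A detection check for the indicators this slide lists, as an added example that is not from the talk: it reads `netstat -antp` output and flags sockets owned by a process named klogd (the real kernel log daemon opens no TCP connections), connections to remote port 8181, and, as an extra heuristic for the X-session scanning, connections to remote X11 display ports 6000-6063. The netstat lines and addresses are constructed sample data.

```python
# Added example (not from the talk): a check for the indicators this slide gives.
# It reads `netstat -antp` output and flags sockets owned by a process named
# klogd (the real kernel log daemon opens no TCP connections), connections to
# remote port 8181, and connections to remote X11 display ports (6000-6063).
# The netstat lines below are constructed sample data.
import re

SUSPECT_NAME = "klogd"
SUSPECT_PORT = 8181                  # collection port named on the slide
X11_PORTS = range(6000, 6064)        # heuristic for "scans for open X sessions"

# Proto Recv-Q Send-Q Local:port Foreign:port State PID/Program (Linux netstat -antp)
LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\d+)/(\S+)")

def suspicious_sockets(netstat_output):
    """Return (pid, program, remote, reasons) for every socket matching an indicator."""
    hits = []
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue                 # headers, UDP, or sockets without a PID shown
        _lhost, _lport, rhost, rport, _state, pid, prog = m.groups()
        port = int(rport) if rport.isdigit() else None
        reasons = []
        if prog == SUSPECT_NAME:
            reasons.append("socket owned by a process named klogd")
        if port == SUSPECT_PORT:
            reasons.append("remote port 8181")
        if port in X11_PORTS:
            reasons.append("remote X11 display port")
        if reasons:
            hits.append((int(pid), prog, f"{rhost}:{rport}", reasons))
    return hits

SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:22           198.51.100.5:40122      ESTABLISHED 1503/sshd
tcp        0      0 192.0.2.10:45120        203.0.113.9:8181        ESTABLISHED 2071/klogd
tcp        0      0 192.0.2.10:45130        192.0.2.77:6000         SYN_SENT    2071/klogd
"""

if __name__ == "__main__":
    for pid, prog, remote, reasons in suspicious_sockets(SAMPLE):
        print(f"pid {pid} ({prog}) -> {remote}: {'; '.join(reasons)}")
```

Sockets shown without a PID (run as non-root) or IPv6 entries with a different layout are skipped rather than guessed at, so run it as root for a complete view.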
Macintosh
  Safari – open in browser; JavaScript
  Disk image mounter
  libpng
  Kerberos
  rsync
  OpenSSH
  iChat
  QuickTime
Other Vulnerabilities
  AXIS video camera and server
  IM – gaim, AIM & Yahoo Messenger
  CVS
  RealPlayer
  WinZip
  HP Web JetAdmin
  Acrobat Reader 6.0
  FireWire (announced Nov 11)
Evils of HTML Email
  It's big & it hides bad stuff
  Phishing scams – Citibank, eBay, PayPal, Wells Fargo
  Outlook 2003 setting (registry setting for Outlook XP)
  New default for Outlook Express
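The kind of check behind the gateway's "[SPAM:###]" tag from the E-Mail Attacks slide, aimed at what this slide says HTML mail hides best, as an added example that is not from the talk: a link whose visible text names a bank's host while its href points somewhere else. The sender, the bank host, the 203.0.113.7 address and the scoring rule (one point per deceptive link) are constructed assumptions.

```python
# Added example (not from the talk): the kind of check behind a gateway's
# "[SPAM:###]" tag, aimed at an anchor whose visible text names one host while
# its href points at another. Score = number of such links (an assumption);
# the message below is constructed sample data.
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html):
    """Return (shown_host, real_host) pairs where anchor text and href disagree."""
    p = _Links()
    p.feed(html)
    pairs = ((urlparse(t if "://" in t else "//" + t).hostname, urlparse(h).hostname)
             for h, t in p.links)
    return [(s, r) for s, r in pairs if s and r and "." in s and s != r.lower()]

def tag_message(raw):
    """Parse a raw message; prefix its Subject when the HTML body has deceptive links."""
    msg = email.message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    hits = deceptive_links(body.get_content()) if body is not None else []
    if hits:
        msg.replace_header("Subject", f"[SPAM:{len(hits):03d}] {msg['Subject']}")
    return msg

SAMPLE = """\
From: "Citibank Alerts" <alerts@example.net>
Subject: Verify your account
Content-Type: text/html; charset="us-ascii"

<html><body>Log in at <a href="http://203.0.113.7/login">https://www.citibank.com/</a>
or write to <a href="mailto:help@example.net">help</a>.</body></html>
"""
```

Anchor text that is not a host name ("click here") and mailto links are left alone, so this is one signal among several, in the multi-level spirit of the E-Mail Attacks slide, not a complete filter.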
Final Thoughts
  Attacks coming faster; attackers getting smarter
  No simple solution works
    Patching helps
    Firewalls help
    AV & attachment removal help
    Encrypted passwords/tunnels help
  You can't be "secure"; only "more secure"
  We must share information better