Security+ Certification - Chapter 3: Attacks and Malicious Code, Part 2 - Athena


PDF, 43 pages | Shared by: candy98 | Views: 518 | Downloads: 0
Chapter 3: Attacks and Malicious Code (Part 2) (ATHENA)

Man in the Middle
• Class of attacks in which the attacker places himself between two communicating hosts and listens in on their session
• Both of the other hosts think they are communicating with each other

Man-in-the-Middle Attacks
(figure)

Man-in-the-Middle Applications
• Web spoofing
• TCP session hijacking
• Information theft
• Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about the victim's network)

Man-in-the-Middle Methods
• ARP poisoning (tool: Hunt): forged ARP replies make the victim map another host's IP address (typically the gateway's) to the attacker's MAC address, so the victim's traffic is delivered to the attacker first
• ICMP redirects: a router sends a redirect packet to a host saying that a better route exists for certain traffic; an attacker forges such packets to route the host's traffic through himself. See: redirects-are-bad.pdf
• DNS server cache poisoning: a forged DNS response is planted in the server's cache, so clients resolve a legitimate name to the attacker's address

Replay Attacks
• Attempts to circumvent authentication mechanisms by:
  • Recording authentication messages from a legitimate user
  • Reissuing those messages in order to impersonate the user and gain access to systems
• Works whenever a recorded message stays valid; the standard defence is to bind each message to a one-time value (nonce, sequence number or timestamp) that the server refuses to accept twice

TCP Session Hijacking
• Attacker uses techniques to make the victim believe he or she is connected to a trusted host, when in fact the victim is communicating with the attacker
• The attacker has to know (by sniffing, or by predicting) the session's current sequence numbers, so that injected segments are accepted as part of the existing connection
• Well-known tool: Hunt (Linux)

Attacker Using Victim's TCP Connection
(figure)

Social Engineering
• Class of attacks that uses trickery on people instead of computers
• Exploits trust between people instead of between machines
• Often the first thing a blackhat will try
• Can circumvent the most elaborate and expensive security system

Social Engineering Goals
• Fraud
• Network intrusion
• Industrial espionage
• Equipment theft
• Identity theft
• Desire to disrupt the system or network

Social Engineering Examples
• Calling the help desk or the IT department and pretending to be a "boss" having trouble logging in
• Calling the help desk or the IT department and pretending to be a "consultant" who was just hired and needs access quickly
• See: 4/1062548967124.html

Social Engineering Remedies
• Training/education
• Have clearly defined policies and procedures
• Rewards for good behavior
• Fire/reprimand people who don't follow proper procedures
• Hire penetration testers to probe your defenses

Dumpster Diving
(figure)

Online Attacks
• Use chat and e-mail venues to exploit trust relationships
• Users often do things before they think about them
• The immediacy of the medium often leads to quick decisions
• If you must use IRC, use your own servers

Attacks Against Encrypted Data
• Weak keys
• Mathematical attacks
• Birthday attack
• Password guessing
  • Brute force
  • Dictionary

Weak Keys
• Secret keys that make the cipher behave badly: the ciphertext or keystream shows regularities, or the encryption is weaker than the algorithm normally provides
• Some algorithms have a small number of weak keys (DES, for example, has keys under which encrypting twice returns the plaintext)
• The Wired Equivalent Privacy (WEP) mechanism used in wireless networks suffers from weak keys: RC4 with certain per-packet initialization vectors leaks bytes of the key

Mathematical Attack
• Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
• Is much faster than just guessing (brute-force attack)
• The more examples of encrypted data you have, and the more you know about the original data, the better your attack can be

Categories of Cryptanalysis
• Ciphertext-only analysis uses only the encrypted form of the data, with no information about the cleartext content
• Known plaintext attack uses some number of messages in both encrypted and cleartext form
• Chosen plaintext attack uses a known, chosen message to generate the ciphertext

Birthday Attack
• Class of brute-force attack on hash functions and other one-way functions that exploits the birthday paradox rather than a flaw in the algorithm itself
• For a hash with k possible output values, a collision (two different inputs with the same output) is expected after about 1.2*k^(1/2) inputs; for an n-bit hash that is roughly 2^(n/2) trials
• Matching one specific known output (a preimage) still costs about k trials; the square-root speed-up applies only because any pair of colliding inputs will do
• This is much faster than a brute-force search of the whole output space

Password Guessing
• Determines a user's password using techniques such as brute force or dictionary attacks
• A password is "guessed" by feeding a candidate string into the hash function. If the resulting hash is the same as that stored by the OS, the candidate is the password, or at least generates the same hash value

Brute Force
• Method of breaking passwords that involves computing every possible combination of characters for a password of a given character length
• Will eventually find the correct password
• Very computationally intensive
• Longer passwords and larger character sets take longer to guess: the search space is (alphabet size)^(length)

Dictionary
• Method of breaking passwords by using a predetermined list of words as input to the password hash
• Only works against poorly chosen passwords
• Dictionary lists are available on the Internet
• Use the user's wife's name, child's name, dog's name, etc. first (if you know them)

Password Cracking Programs
• L0phtcrack (now LC4) - costs money
• John the Ripper - free
• Ideally, you run these off-line against a captured password file (or the SAM file in Windows), so no lockout policy or logging on the target slows you down

Software Exploitation
• Utilizes software vulnerabilities to gain access and compromise systems
• Examples
  • Buffer overflow attack
  • SQL injection
• To stop software exploits
  • Stay apprised of the latest security patches provided by software vendors
  • Filter traffic at the firewall when you can
  • Disable/remove unneeded applications

Buffer Overflow Attacks
• Work by inputting more characters than the program was written to accept
• The extra characters overrun the buffer and overwrite adjacent memory, including the saved return address on the stack; they carry the attack code and a new value to be loaded into the microprocessor's Instruction Pointer register
• When the function returns, the microprocessor loads the new Instruction Pointer value and executes the attack code
• The attack code typically downloads the real exploit, or installs a backdoor program
• If you need the application, you can't filter traffic to its TCP or UDP port at the firewall; patching is the only fix
• If you don't need the application, filter the traffic and remove the application

SQL Injection
• Many web pages are connected to back-end databases
• Databases use a language called Structured Query Language (SQL)
• SQL injection occurs when the application builds a query by pasting the contents of a text box straight into the SQL string; the attacker adds SQL code to the end of a legitimate entry
• The injected code is then run against the back-end database, bypassing checks or displaying database information to the attacker
• Prevention: build queries with bound parameters, never by string concatenation

Malicious Software

Viruses
• Self-replicating programs that spread by "infecting" other programs
• Require some action to trigger (run)
• Damaging and costly

Virus Databases
(figure)

Evolution of Virus Propagation Techniques
(figure)

Protecting Against Viruses
• Enterprise virus protection solutions
  • Desktop antivirus programs
  • Virus filters for e-mail servers
  • Network appliances that detect and remove viruses
• Instill good behaviors in users and system administrators
  • Keep security patches and virus signature databases up to date
  • Train users not to open unsolicited attachments
  • Unhide file extensions

Backdoors (Programs)
• Remote access program surreptitiously installed on a user's computer that allows the attacker to control the behavior of the victim's computer
• Also known as remote access Trojans
• Examples
  • Back Orifice 2000 (BO2K)
  • NetBus
• Detection and elimination
  • Up-to-date antivirus software
  • Intrusion detection systems (IDS)
(figures)

Trojan Horses
• Class of malware that uses social engineering to spread
• Appears to be one thing, but contains something else
• Some viruses are classified as Trojans - example "vacation pictures.jpg.vbs", which looks like a picture but runs as a Visual Basic script
• A lot of "free" software contains other programs - Gator, etc.

Logic Bombs
• Set of computer instructions that lie dormant until triggered by a specific event (a date, or a particular user action)
• Once triggered, the logic bomb performs a malicious task
• Almost impossible to detect until after it is triggered
• Often the work of former employees
• Compare macro viruses, which use the auto-execution feature of specific applications to run as soon as a document is opened

Worms
• Self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicate itself to that system
• Do not infect other executable programs
• Accounted for about 80% of all malicious activity on the Internet at the time of writing
• Examples: Code Red, Code Red II, Nimda

Defense Against Worms
• Latest security updates for all computers and network devices
• Filter all the traffic you can at the firewall
• Remove unneeded services/applications
• Network- and host-based Intrusion Detection Systems
• Antivirus programs

Summary
• Mechanisms, countermeasures, and best practices for:
  • Malicious software
  • Denial-of-service attacks
  • Software exploits
  • Social engineering
  • Attacks on encrypted data

Labs/Assignments
• Do Project 3-1 on Page 90 of the textbook. Don't do step number 9.
• Do Project 3-5 on Page 93 of the textbook.
• Assignment: Pick out one of the tools we have been using and write a short paper about what type of tool it is, why you like it, what you can do with it, etc. Not a step-by-step, just a short review.
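Worked example for the "Man-in-the-Middle Methods" slide (ARP poisoning). This is an added example, not code from the Athena course: it runs a detector over a constructed log of ARP replies, looking for the two signals a poisoned segment produces, an IP address whose MAC changes and one MAC answering for both the gateway and a victim. The gateway address, MACs and timestamps are all assumed.

```python
"""Detect ARP poisoning from a log of observed ARP replies.

Added example (not part of the Athena slides). The ARP replies below are
constructed for illustration; the gateway address is an assumption.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway for this example

# Constructed log: (time in seconds, sender IP claimed, sender MAC) from ARP replies
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),  # victim host
    (1.0, "192.168.1.20", "00:11:22:33:44:14"),
    (5.0, "192.168.1.1",  "00:11:22:33:44:99"),  # attacker claims the gateway IP
    (5.0, "192.168.1.10", "00:11:22:33:44:99"),  # ...and the victim IP (both sides poisoned)
    (6.0, "192.168.1.1",  "00:11:22:33:44:99"),  # periodic re-poisoning keeps the cache stale
]

def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings.

    Two signals of the slide's ARP-poisoning method:
      1. an IP address whose MAC changes (the attacker overwrites the cache entry);
      2. one MAC answering for several IPs including the gateway (the attacker
         is sitting between host and gateway).
    Each (ip, new_mac) change is reported once, so re-poisoning does not flood alerts.
    """
    first_mac = {}                  # ip -> first MAC seen for it
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    flagged = set()
    alerts = []
    for t, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac and (ip, mac) not in flagged:
            flagged.add((ip, mac))
            alerts.append(f"t={t}: {ip} changed from {first_mac[ip]} to {mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = sorted(ips - {gateway_ip})
            alerts.append(f"{mac} claims gateway {gateway_ip} and {others}: possible MITM")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES):
        print(line)
```

A static ARP entry for the gateway on each host, or switch-side dynamic ARP inspection, is the usual fix; the detector above is what you would run when neither is in place.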
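Worked example for the "Replay Attacks" slide. This is an added example, not from the Athena course: a client authenticates with an HMAC-SHA256 tag over its login message, an attacker records that message and reissues it, and two verifiers are compared. The naive one checks only the tag and so accepts the replay; the second also demands a fresh timestamp and a nonce it has never seen. The shared key, user name and timestamps are constructed.

```python
"""Replay attack against a message-authentication scheme, and the fix.

Added example, not from the Athena slides. The shared key, client id and
messages are constructed; the HMAC-SHA256 tag stands in for any
authentication message the slide's attacker could record off the wire.
"""
import hashlib
import hmac
import json
import os

KEY = b"constructed-shared-secret"   # assumed pre-shared key

def make_auth_message(user, nonce=None, now=None):
    """Client side: authenticate a login with an HMAC tag over the fields."""
    body = {"user": user, "nonce": nonce, "ts": now}
    data = json.dumps(body, sort_keys=True).encode()
    return data, hmac.new(KEY, data, hashlib.sha256).hexdigest()

class NaiveVerifier:
    """Checks only the tag: a recorded message verifies forever."""
    def accept(self, data, tag):
        expected = hmac.new(KEY, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

class ReplaySafeVerifier:
    """Also requires a fresh timestamp and a never-before-seen nonce."""
    def __init__(self, window=30):
        self.window = window      # seconds of clock skew tolerated
        self.seen = set()         # nonces already consumed

    def accept(self, data, tag, now):
        expected = hmac.new(KEY, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False          # forged or tampered
        body = json.loads(data)
        if body["ts"] is None or abs(now - body["ts"]) > self.window:
            return False          # stale: outside the freshness window
        if body["nonce"] in self.seen:
            return False          # already used: this is a replay
        self.seen.add(body["nonce"])
        return True

def replay_demo():
    """Returns (naive accepts replay, safe accepts first use,
               safe accepts replay, safe accepts stale recording)."""
    t0 = 1_700_000_000
    data, tag = make_auth_message("alice", nonce=os.urandom(8).hex(), now=t0)
    naive = NaiveVerifier()
    safe = ReplaySafeVerifier(window=30)
    # attacker recorded (data, tag) and reissues it unchanged
    naive.accept(data, tag)
    naive_replay = naive.accept(data, tag)
    safe_first = safe.accept(data, tag, now=t0 + 1)
    safe_replay = safe.accept(data, tag, now=t0 + 2)
    # a recording replayed an hour later fails on freshness even with a new nonce
    data2, tag2 = make_auth_message("alice", nonce="ffff", now=t0)
    safe_stale = safe.accept(data2, tag2, now=t0 + 3600)
    return naive_replay, safe_first, safe_replay, safe_stale

if __name__ == "__main__":
    print(replay_demo())
```

The nonce set must be shared by every server that accepts the message (a load-balanced pool needs a common store), and the timestamp window bounds how long that set has to be kept.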
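Worked example for the "Birthday Attack" slide. This is an added example, not from the Athena course: SHA-256 truncated to n bits stands in for a short hash (an assumption), the code finds two different inputs with the same truncated digest, and the number of inputs tried can be compared with the slide's 1.2*k^(1/2) estimate for k = 2^n. It generalizes the slide's point slightly by also computing the cost of matching one fixed output, which gets no birthday speed-up.

```python
"""Birthday attack on a truncated hash.

Added example, not from the Athena slides. It truncates SHA-256 to n bits
(an assumption standing in for a weak, short hash) and finds two different
inputs with the same truncated digest, then compares the number of inputs
tried with the slide's 1.2*sqrt(k) estimate, where k = 2**n.
"""
import hashlib
import math

def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 digest truncated to its first `bits` bits, as an integer."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def birthday_collision(bits: int, limit: int = 1_000_000):
    """Find any two inputs with equal truncated hash.

    Inputs are constructed as b"msg-0", b"msg-1", ...; an output seen before is
    a collision with whichever input produced it first. Any pair will do, which
    is what makes this cost about sqrt(k) hashes instead of k.
    Returns (input_a, input_b, tries) or None if `limit` is reached.
    """
    seen = {}
    for i in range(limit):
        m = f"msg-{i}".encode()
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None

def expected_tries(bits: int) -> float:
    """Slide formula: a collision is expected after about 1.2 * k**0.5 inputs."""
    return 1.2 * math.sqrt(2 ** bits)

def preimage_tries(bits: int) -> float:
    """Matching one fixed known output needs about k tries: no birthday speed-up."""
    return float(2 ** bits)

if __name__ == "__main__":
    bits = 24
    a, b, tries = birthday_collision(bits)
    print(f"collision after {tries} inputs (expected ~{expected_tries(bits):.0f}, "
          f"a preimage would need ~{preimage_tries(bits):.0f})")
    print(a, b, hex(trunc_hash(a, bits)), hex(trunc_hash(b, bits)))
```

The same code with bits=128 never finishes, which is the practical reading of the formula: a hash used for signatures needs an output twice as long as the work factor you want an attacker to face.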
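Worked example for the "Password Guessing", "Brute Force", "Dictionary" and "Password Cracking Programs" slides. This is an added example, not the course's material and not a substitute for L0phtcrack or John the Ripper: it hashes candidates and compares them with a captured password file, exactly as the slide describes, trying personal names with the mangling users typically apply, then a small word list, then exhaustive search of short passwords. The password file, names and word list are constructed, and the stored hashes use unsalted SHA-256 so the example is self-contained; a real OS hash format, and especially a salted slow hash, would make both attacks far more expensive.

```python
"""Dictionary and brute-force password guessing against stored hashes.

Added example, not from the Athena slides. The stored hashes are constructed
here with unsalted SHA-256 (an assumption) so the example is self-contained.
"""
import hashlib
import itertools
import string

def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed "captured password file": username -> stored hash
PASSWORD_FILE = {
    "bob":   pw_hash("Rover1"),         # dog's name plus a digit
    "carol": pw_hash("sunshine"),       # plain dictionary word
    "dave":  pw_hash("q7z"),            # short enough for brute force
    "erin":  pw_hash("zJ4#kL9!qW2e"),   # long and random: nothing here finds it
}

# What the slide says to try first: spouse, child and pet names (from reconnaissance),
# then a word list of the kind downloaded from the Internet. Both constructed.
PERSONAL_NAMES = ["Rover", "Emma", "Linda"]
WORDLIST = ["password", "sunshine", "letmein", "qwerty"]

def mangle(word):
    """Common user habits: case variants with an appended digit or year."""
    bases = {word, word.lower(), word.capitalize()}
    for base in bases:
        yield base
        for d in range(10):
            yield f"{base}{d}"
        for year in ("2002", "2003"):
            yield f"{base}{year}"

def dictionary_attack(target_hash, words):
    """Hash every candidate and compare it with the stored hash."""
    for word in words:
        for cand in mangle(word):
            if pw_hash(cand) == target_hash:
                return cand
    return None

def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Try every combination up to max_len; cost is len(alphabet)**length per length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if pw_hash(cand) == target_hash:
                return cand
    return None

def crack(password_file):
    """Dictionary first (cheap), brute force second; returns user -> password or None."""
    results = {}
    for user, h in password_file.items():
        found = dictionary_attack(h, PERSONAL_NAMES + WORDLIST)
        if found is None:
            found = brute_force(h)
        results[user] = found
    return results

if __name__ == "__main__":
    for user, pw in crack(PASSWORD_FILE).items():
        print(f"{user}: {pw!r}")
```

The order matters: the dictionary pass costs a few hundred hashes, the three-character brute force about 48,000, and every extra character multiplies that by the alphabet size, which is the slide's "longer passwords require longer to guess" made concrete.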
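Worked example for the "SQL Injection" slide. This is an added example, not from the Athena course: a login function that pastes the text-box contents into its SQL string sits beside the parameterized version, and both are fed the same injected input. sqlite3 stands in for the back-end database, and the users table and attacker strings are constructed.

```python
"""SQL injection: the vulnerable string-built query beside the parameterized fix.

Added example, not from the Athena slides. The users table, accounts and the
attacker's input are constructed; sqlite3 stands in for the back-end database.
"""
import sqlite3

def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "administrator"),
        ("alice", "wonderland", "user"),
    ])
    return con

def login_vulnerable(con, name, password):
    """Pastes the text-box contents straight into the SQL string (the slide's flaw)."""
    query = (f"SELECT name, role FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return con.execute(query).fetchall()

def login_safe(con, name, password):
    """Bound parameters: the input is always data, never SQL syntax."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return con.execute(query, (name, password)).fetchall()

def sqli_demo():
    con = setup_db()
    # Attacker adds SQL to the end of a legitimate entry in the name box.
    # The comment marker "--" discards the password check entirely.
    injected_name = "admin' --"
    bypass = login_vulnerable(con, injected_name, "anything")
    # A tautology in the password box makes the WHERE clause true for every row,
    # so the query displays every user to the attacker.
    dump = login_vulnerable(con, "x", "' OR '1'='1")
    # The same inputs against the parameterized query match no user.
    safe = login_safe(con, injected_name, "anything")
    safe2 = login_safe(con, "x", "' OR '1'='1")
    # The legitimate login still works.
    legit = login_safe(con, "alice", "wonderland")
    return bypass, dump, safe, safe2, legit

if __name__ == "__main__":
    for label, rows in zip(("bypass", "dump", "safe", "safe2", "legit"), sqli_demo()):
        print(f"{label}: {rows}")
```

Escaping quotes by hand is not an alternative to the parameterized form: the attacker only needs one input path you forgot, while the bound-parameter query cannot change shape no matter what is typed.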