Agenda
Introduction To Data Security
Introduction To Network Security
ICMP (Ping) Abuse
Smurfing
Fragmentation Attacks
OS Vulnerabilities
Firewall Failures
DATA SECURITY
Cryptography
Involves coding a message to ensure data security
Can be characterized by:
type of encryption operations used
block / stream
Chosen text
The attacker selects either plaintext or ciphertext to be encrypted/decrypted, in order to attack the cipher
Caesar Cipher
Earliest known substitution cipher, by Julius Caesar
First attested use in military affairs
Replaces each letter by the letter 3 positions further on in the alphabet
Example:
Text: meet me after the toga party Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Encryption Exercises
Please go to www.cryptoclub.org
This is a site where work is in progress
However, we can try to encrypt and decrypt text
Form unique groups and we will assign numbers to each group
Encryption Exercises
Please encrypt the following sentences using Caesar ciphers
The quick brown fox jumps over the lazy dog
India has won one bronze medal at the 2012 London Olympics
Use the following values of the key
Group <n> uses key n; e.g. Group 1 uses key 1, Group 2 uses key 2, Group 3 uses key 3, and so on
Check how the text gets encrypted
What are the changes in the encrypted text when the key is changed?
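Added example, not from the slides: a Caesar cipher that takes a group key n, applied to the slide's own example and to the exercise sentences, plus the 25-key exhaustive search that shows why changing the key changes the letters but not the attacker's effort.

```python
# Added example (not from the slides): a Caesar cipher with an arbitrary group
# key n, and the 25-key exhaustive search that shows why the key adds no secrecy.
from typing import Optional


def caesar_encrypt(text: str, key: int) -> str:
    """Shift each letter forward by `key` places (mod 26); keep case and other characters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)          # spaces, digits and punctuation pass through
    return "".join(out)


def caesar_decrypt(text: str, key: int) -> str:
    """Decryption is encryption with the negated key."""
    return caesar_encrypt(text, -key)


def brute_force(ciphertext: str, crib: str) -> Optional[int]:
    """Try every key 1..25 and return the first one whose plaintext contains `crib`.

    Only 25 keys exist, so one known word (a crib) recovers the key at once;
    a different group key changes the ciphertext, not the attacker's work.
    """
    for key in range(1, 26):
        if crib in caesar_decrypt(ciphertext, key):
            return key
    return None


if __name__ == "__main__":
    # The slide's own example, key 3.
    print(caesar_encrypt("meet me after the toga party", 3).upper())
    # The exercise sentences, with the key of group 1 and of group 3.
    print(caesar_encrypt("The quick brown fox jumps over the lazy dog", 1))
    ct = caesar_encrypt("India has won one bronze medal at the 2012 London Olympics", 3)
    print(ct, "-> key", brute_force(ct, "London"))
```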
NETWORK SECURITY
Security Services
X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 defines it in 5 major categories
Types of Attacks
Smurf Attack
Ping a broadcast address, with the (spoofed) IP of a victim as source address
All hosts on the network respond to the victim
The victim is overwhelmed
Keys: amplification and IP spoofing
Protocol vulnerability; implementations can be patched by violating the protocol specification, to ignore pings to broadcast addresses
ICMP echo is just used for convenience
All ICMP messages can be abused this way
"Fraggle" is the equivalent, using UDP instead of ICMP
Egress filtering
Prevent stations in networks you control from spoofing IPs from other networks by dropping their outbound packets
Make your network a less attractive and useful target for attackers that want to launch other attacks
Be a good internet citizen (reputation is important)
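Added example, not from the slides, covering both the Smurf mitigation above (ignore pings to the broadcast address) and egress/ingress filtering: a border-router decision function over constructed sample packets. The prefixes, addresses and the in/out rule shape are assumptions of this example.

```python
# Added example (not from the slides): border-router checks for the two defences
# the text names, egress/ingress filtering (RFC 2267) and ignoring pings to the
# broadcast address. The prefixes and packets below are constructed sample data.
import ipaddress
from typing import Iterable, List, Tuple

# Assumption: these are the prefixes assigned to the network we control.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def source_is_ours(src: str, prefixes: Iterable = OUR_PREFIXES) -> bool:
    """True if the packet's source address lies inside a prefix we own."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def is_directed_broadcast(dst: str, prefixes: Iterable = OUR_PREFIXES) -> bool:
    """True if the destination is the broadcast address of one of our subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in prefixes)


def verdict(direction: str, src: str, dst: str, icmp_echo: bool = False) -> str:
    """First-match decision for one packet; direction is 'in' or 'out'."""
    if direction == "out" and not source_is_ours(src):
        return "drop: outbound packet with a source address we do not own"
    if direction == "in" and source_is_ours(src):
        return "drop: inbound packet claiming one of our own addresses"
    if direction == "in" and icmp_echo and is_directed_broadcast(dst):
        return "drop: ping to our broadcast address (smurf amplifier)"
    return "forward"


# Constructed sample traffic: (direction, src, dst, is ICMP echo request)
SAMPLE = [
    ("out", "192.0.2.10", "203.0.113.5", False),      # normal outbound packet
    ("out", "203.0.113.9", "203.0.113.5", False),     # spoofed source from inside
    ("in", "203.0.113.5", "192.0.2.10", False),       # normal inbound packet
    ("in", "192.0.2.44", "192.0.2.10", False),        # outsider spoofing our address
    ("in", "203.0.113.9", "198.51.100.255", True),    # smurf: echo to our broadcast
]


def run(sample=SAMPLE) -> List[Tuple[str, str]]:
    """Return (src, verdict) for every packet; a router would act on each in turn."""
    return [(src, verdict(d, src, dst, echo)) for d, src, dst, echo in sample]
```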
References
RFC 2267 - "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing".
What is a Firewall?
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Examples
DNS uses port 53
No incoming port 53 packets except from known trusted servers
Firewall Rules - Example 1
We wish to allow inbound mail (SMTP, port 25) but only to the gateway machine GW. Also, mail from site SPIGOT is to be dropped.
Solution 1:
Firewall Rules - Example 2
Now suppose that we want to implement the policy: any inside host can send mail to the outside.
Solution 2:
This solution allows calls to come from any port on an inside machine, and will direct them to port 25 on the outside. Simple enough.
[Rule tables for Solutions 1 and 2 did not survive extraction; only column fragments remain: actions (Allow/Block), hosts (GW, NET-2 to NET-6, *), port 25, ACK flags and dates (Mar 09, Jan 12, Sep 12).]
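Added example, not from the slides or from the firewall text they draw on: a first-match packet filter that encodes Solution 1 and Solution 2. GW and SPIGOT are the slide's names; the rule fields, the INSIDE/OUTSIDE wildcards and the host inventory are assumptions of this example. It also shows why rule order matters: with the SPIGOT block placed after the GW allow, SPIGOT's mail gets through.

```python
# Added example (not from the slides): a first-match packet filter encoding
# Solution 1 and Solution 2. Rule format and host inventory are assumptions.
from dataclasses import dataclass
from typing import List, Optional

INSIDE_HOSTS = {"GW", "HOST-A", "HOST-B"}   # constructed inventory of our network


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    src: str                 # host name, "*", "INSIDE" or "OUTSIDE"
    src_port: Optional[int]  # None means any port
    dst: str
    dst_port: Optional[int]


def _host_match(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "INSIDE":
        return host in INSIDE_HOSTS
    if pattern == "OUTSIDE":
        return host not in INSIDE_HOSTS
    return pattern == host


def evaluate(rules: List[Rule], src: str, src_port: int, dst: str, dst_port: int,
             default: str = "block") -> str:
    """Return the action of the first matching rule; default deny when none matches."""
    for r in rules:
        if (_host_match(r.src, src) and _host_match(r.dst, dst)
                and r.src_port in (None, src_port) and r.dst_port in (None, dst_port)):
            return r.action
    return default


# Solution 1: drop SPIGOT first, then allow inbound SMTP only to the gateway GW.
SOLUTION_1 = [
    Rule("block", "SPIGOT", None, "*", None),
    Rule("allow", "OUTSIDE", None, "GW", 25),
]

# Solution 2: any inside host, from any port, may reach port 25 on the outside.
SOLUTION_2 = [Rule("allow", "INSIDE", None, "OUTSIDE", 25)]
```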
Spoofing
IP Spoofing
Any station can send packets pretending to be from any IP address
Replies will be routed to the appropriate subnet
Route asymmetry: so, the attacker might not get replies if spoofing a host on a different subnet
For some attacks this is not important
Analogy
Nothing prevents you from physically mailing a letter with an invalid return address, or someone else's, or your own. Likewise, packets can be inserted in the network with invalid or other IP addresses.
BotNets
Agenda
Intro To Botnets
What Are They?
How Does A BotNet Operate?
How Is A BotNet Organized?
How Do BotNets Hide?
What is the function of Botnets?
In the news
Sep 13 2012 - Malware inserted on PC production lines, says study
July 19 2012 - Huge spam botnet Grum is taken out by security researchers
Mar 26 2012 - Microsoft moves to disable Zeus botnet
Dec 5 2011 - Botnets: Hi-tech crime in the UK
July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation
Introduction
Malware is currently the major source of attacks and fraudulent activities on the Internet.
Attacker (Botmaster)
Bot
Bot - a small program to remotely control a computer
Characterized by
Remote control & communication (C&C) channels to command a victim, e.g. perform a DoS attack, send spam
The implemented remote commands, e.g. update the bot binary to a new version
Spreading mechanisms to propagate it further, e.g. port scanning, email
http://en.wikipedia.org/wiki/Botnet
C&C channel
Means of receiving and sending commands and information between the botmaster and the zombies.
Typical protocols
Internet Relay Chat (IRC) protocol
HTTP
Overnet (Kademlia)
Worm
Sample attachments:
Postcard.exe
ecard.jpg
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe
NflStatTracker.exe
ArcadeWorld.exe
Left-right-brain-test.gif
Traditional botnet
Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker.
[Figure labels: Attacker, Zombies, Infect, Attack, Victim]
Topology
Based on C&C channels, there are two typical botnet topologies:
Centralized
Decentralized (P2P)
Traditional botnet metrics:
Resiliency
A botnet's ability to cope with a loss of members (zombies) or servers
Latency
Reliability in message transmission
Enumeration
An ability to accurately estimate a botnet's size
Difficulty for security analysis
Re-sale
A possibility to carve off sections of the botnet for lease or resale to other operators.
Centralized botnet
Communication between attacker and zombies goes via a centralized server
Classical communication method: IRC (Internet Relay Chat)
Centralized server
Star
Multi-server
Hierarchical
Star topology
Communication is directly between a single centralized server and ALL zombies.
When a new machine is infected, it is preconfigured to contact the server to announce its membership.
Pros: Low latency
Each zombie is issued commands directly from the server.
Example
Koobface
Old variant employed star architecture:
Zombies connected to C&C server directly
Multi-server topology
Similar to star topology
Instead of one server, multiple servers are used to provide instructions to zombies.
Pros: Better resilience
Hierarchical topology
Zombies are generally not aware of the server location
Pros: Ease of re-sale
A botnet operator can easily carve off sections of their botnet for lease or resale to other operators.
Hard to enumerate
Hard to evaluate the size and complexity of the botnet
Example - Gumblar
Gumblar's architecture is not well studied; it is fully built on zombies. Website visitors are infected with the Windows executable, which grabs FTP credentials from the victim machines. The FTP account is then used to infect every webpage on the new webserver.
Hybrid topologies
High resilience
Low latency
Examples:
Hierarchical P2P
Centralized P2P
[Figure labels: Centralized, Peer-to-peer]
Storm botnet
A three-level self-organizing hierarchy:
master servers
proxy bots: transfer traffic between workers and master servers
worker bots: responsible for sending the spam
Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy
Rootkit
A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system
To hide what is taking place, an attacker wants to:
Survive system restart
Hide processes
Hide services
Hide listening TCP/UDP ports
Hide kernel modules
Hide drivers
Overwrite the first few bytes of the target function with a jump to rootkit code
Create a trampoline function that first executes the overwritten bytes from the original function, then jumps back to the original function
When the function is called, rootkit code executes
Rootkit code calls the trampoline, which executes the original function
DDOS attacks
[Figure labels: Attacker; Brazil, China, Russia, US; e.g. Google.com]
http://en.wikipedia.org/wiki/Denial-of-service_attack
Click Fraud
Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked.
Famous bots: ClickBot (100k), Bahama Botnet (200k)
http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/
Data Theft
Accounts for a great deal of botnet activity.
Purpose: Harvesting user data
Screen captures
Typed data
Files
Anti-Spyware software
Highly controversial. Has resulted in Scareware.
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf
Phishing
A deceptive email/website/etc. to harvest confidential information.
http://library.thinkquest.org/06aug/00446/Phishing.html
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Thank You