
Data And Network Security

GSM 522, Session 13, September 22, 2011. G Krishnamurthy

Agenda
  Introduction To Data Security
  Introduction To Network Security
    ICMP (Ping) Abuse
    Smurfing
    Fragmentation Attacks
    OS Vulnerabilities
    Firewall Failures

DATA SECURITY

Cryptography
Involves encoding a message to ensure data security.
Can be characterized by:
  the type of encryption operations used: substitution / transposition / product
  the number of keys used: single-key (symmetric, "private") / two-key (asymmetric, "public")
  the way in which plaintext is processed: block / stream

Types of Cryptanalytic Attacks
  chosen plaintext: select plaintext and obtain the corresponding ciphertext to attack the cipher
  chosen ciphertext: select ciphertext and obtain the corresponding plaintext to attack the cipher
  chosen text: select either plaintext or ciphertext to be encrypted/decrypted to attack the cipher

Caesar Cipher
Earliest known substitution cipher, by Julius Caesar; its first attested use was in military affairs.
Replaces each letter by the letter three places further along in the alphabet (wrapping from Z back to A).
Example:
  Text:   meet me after the toga party
  Cipher: PHHW PH DIWHU WKH WRJD SDUWB

Encryption Exercises
Please go to www.cryptoclub.org. This is a site where work is in progress; however, we can use it to try encrypting and decrypting text.
Form groups; we will assign a number to each group.

Please encrypt the following sentences using the Caesar cipher:
  The quick brown fox jumps over the lazy dog
  India has won one bronze medal at the 2012 London Olympics
Use the following values of the key: Group n uses key n (Group 1 uses key 1, Group 2 uses key 2, Group 3 uses key 3, and so on).

Check how the text gets encrypted. How does the encrypted text change when the key changes?

Cryptanalysis of Caesar Cipher
Characteristics:
  only 26 possible ciphers (A maps to A, B, ..., Z), 25 of them non-trivial
  one could simply try each in turn
How would cryptanalysis be done?
  by brute-force search: given the ciphertext, just try all shifts of the letters
  we need a way to recognize when we have reached plaintext (readable English, or a letter distribution that matches English)
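The cipher on the slides above and the brute-force attack just described, as an added example (not code from the original deck): `caesar_encrypt` and `caesar_decrypt` implement the shift for any key, so they also cover the group exercise (group n uses key n), and `brute_force` tries all 26 shifts and picks the candidate whose letters best match English letter frequencies. The frequency table and the "sum of letter frequencies" score are this example's own choices for recognizing plaintext; the slides only say that recognition is needed.

```python
"""Caesar cipher: encryption, decryption and brute-force cryptanalysis.

Added example for the slides above; not code from the original deck.  The
scoring heuristic (sum of per-letter English frequencies) is an assumption
of this example: it is crude, but enough to single out English among the
26 candidate decryptions of a short message.
"""
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (%) of each letter in English text.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def shift_text(text, key):
    """Shift every letter by `key` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext, key=3):
    """Caesar's own key is 3; the slides' exercise uses key = group number."""
    return shift_text(plaintext, key)


def caesar_decrypt(ciphertext, key=3):
    # Decryption is the same shift in the opposite direction; lowercase like the slides.
    return shift_text(ciphertext, -key).lower()


def english_score(text):
    """Higher when the letter mix looks like English (sum of per-letter frequencies)."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.upper())


def brute_force(ciphertext):
    """Try all 26 shifts and return (key, plaintext) for the most English-looking one.

    Key 0 (the identity) is included so the search also recognises unencrypted input.
    """
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return max(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party")
    print(ct)                        # PHHW PH DIWHU WKH WRJD SDUWB
    key, pt = brute_force(ct)
    print(key, pt)                   # 3 meet me after the toga party
    for group in range(1, 4):        # the slides' exercise: group n uses key n
        print(group, caesar_encrypt("The quick brown fox jumps over the lazy dog", group))
```

Note that the attack needs no knowledge of the key: with only 26 candidates, the cost is entirely in telling plaintext from gibberish, which is why the slides stress "need to recognize when we have plaintext".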

NETWORK SECURITY

Security Services
X.800 defines a security service as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources.
X.800 groups security services into 5 major categories.

Security Services (X.800)
  Authentication: assurance that the communicating entity is the one claimed
  Access Control: prevention of the unauthorized use of a resource
  Data Confidentiality: protection of data from unauthorized disclosure
  Data Integrity: assurance that data received is as sent by an authorized entity
  Non-Repudiation: protection against denial by one of the parties in a communication

Security Mechanisms (X.800)
Specific security mechanisms (incorporated into a particular protocol layer):
  encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
Pervasive security mechanisms (not specific to any particular service or layer):
  trusted functionality, security labels, event detection, security audit trails, security recovery

Classify Security Attacks
Passive attacks: eavesdropping on, or monitoring of, transmissions, in order to
  obtain message contents, or
  monitor traffic flows
Active attacks: modification of the data stream, in order to
  masquerade as some other entity
  replay previous messages
  modify messages in transit
  deny service

Types of Attacks


Scans and Recon
If an attacker wants to map your network, the trivial way is to ping every IP address in your address range and note which ones answer.
Therefore, if you allow ICMP echo requests in from untrusted networks, your live hosts are exposed to enumeration.

Smurf Attack
Ping a broadcast address, with the (spoofed) IP address of the victim as the source address.
All hosts on that network reply to the victim.
The victim is overwhelmed.
Keys: amplification and IP spoofing.
This is a protocol vulnerability; implementations can be patched, by deviating from the protocol specification, to ignore echo requests sent to broadcast addresses (and routers can refuse to forward directed broadcasts).
ICMP echo is just used for convenience: any ICMP message type that elicits a reply can be abused the same way.
"Fraggle" is the equivalent attack using UDP (the echo and chargen services) instead of ICMP.

Defending Against IP Spoofing
Ingress filtering
  Forbid inbound broadcasts from the internet into your networks.
  Forbid inbound packets whose source address is non-routable (private, loopback and similar ranges) or belongs to your own address space.
Egress filtering
  Prevent stations in networks you control from spoofing addresses belonging to other networks, by dropping their outbound packets whose source address is not yours.
  Makes your network a less attractive and useful launch point for attackers who want to mount other attacks.
  Be a good internet citizen (reputation is important).
Drop outbound broadcasts.

References
RFC 2267, "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing" (since superseded by RFC 2827 / BCP 38).

What is a Firewall?
A choke point of control and monitoring.
Interconnects networks with differing levels of trust.
Imposes restrictions on network services: only authorized traffic is allowed.
Provides auditing and access control; can implement alarms for abnormal behaviour.
Must itself be immune to penetration.
Provides perimeter defence.

Firewalls: Packet Filters
Simplest of the firewall components.
Uses network- and transport-layer header information only:
  IP source address, destination address
  Protocol / Next Header (TCP, UDP, ICMP, etc.)
  TCP or UDP source and destination ports
  TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
  ICMP message type
Example:
  DNS uses port 53: allow no incoming port 53 packets except from known trusted servers.

Usage of Packet Filters
Filtering on incoming or outgoing interfaces, e.g. ingress filtering of spoofed IP addresses, egress filtering.
Permits or denies certain services.
Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems.

How to Configure a Packet Filter
Start with a security policy.
Specify allowable packets in terms of logical expressions on packet fields.
Rewrite the expressions in the syntax supported by your vendor.
General rule: least privilege
  all that is not expressly permitted is prohibited
  if you do not need it, eliminate it
Every ruleset is followed by an implicit rule reading like this:
  action  ourhost  port  theirhost  port  remarks
  block   *        *     *          *     default

Firewall Rules - Example 1
We wish to allow inbound mail (SMTP, port 25) but only to the gateway machine GW. Also, mail from site SPIGOT is to be dropped.

Solution 1:
  action  ourhost  port  theirhost  port  remarks
  block   *        *     SPIGOT     *     do not trust SPIGOT
  allow   GW       25    *          *     connections to our SMTP port

Firewall Rules - Example 2
Now suppose that we want to implement the policy "any inside host can send mail to the outside".

Solution 2:
  action  ourhost  port  theirhost  port  remarks
  allow   *        *     *          25    connections to their SMTP port

This solution allows calls to come from any port on an inside machine and directs them to port 25 on the outside. Simple enough, but note that the rule is satisfied by any packet whose "their" port is 25, so an outside host can also reach any port on any inside machine just by sending from source port 25.

Firewall Ruleset Review
Rules are evaluated top to bottom; the first match wins.

  action  ourhost  port  theirhost  port  flags  remarks
  Block   *        *     SPIGOT     *            Do not trust SPIGOT (Mar 09)
  Allow   GW       25    *          *
  Allow   *        *     *          25
  Allow   *        *     NET-2      *     ACK    Mar 09
  Allow   *        *     NET-3      *     ACK    Mar 09
  Block   *        *     NET-4      *     ACK    Jan 12
  Block   *        *     NET-5      *     ACK    Jan 12
  Block   *        *     NET-6      *     ACK    Jan 12
  Allow   *        *     *          *     ACK    Sep 12
  Block   *        *     *          *            Default

How would you rate this firewall ruleset?
What do you think would happen if I send mail from NET-5?
X sends mail from NIIT University (NU). Will it reach?
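To make the review concrete, here is an added example (not code from the original slides) that evaluates the ruleset above with first-match semantics and the implicit final block, after applying the ingress/egress anti-spoofing checks from "Defending Against IP Spoofing". The address plan (which prefixes GW, SPIGOT and NET-2..NET-6 stand for), the rule order, and the reading of the dates as remarks are assumptions made here; the slides give only the symbolic names.

```python
"""Stateless packet filter with ingress/egress anti-spoofing, in the style of
the Cheswick & Bellovin ruleset on the slides.  Added example, not the deck's
own code.  Address plan, rule order and the reading of dates as remarks are
assumptions made here; the slides give only the symbolic names."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): only RFC 5737 documentation prefixes.
OUR_NET = ip_network("203.0.113.0/24")          # the network behind the firewall
NAMES = {
    "GW":     ip_network("203.0.113.25/32"),    # our mail gateway
    "SPIGOT": ip_network("198.51.100.0/25"),
    "NET-2":  ip_network("192.0.2.0/26"),
    "NET-3":  ip_network("192.0.2.64/26"),
    "NET-4":  ip_network("192.0.2.128/26"),
    "NET-5":  ip_network("192.0.2.192/26"),
    "NET-6":  ip_network("198.51.100.128/26"),
}

# Sources that must never arrive from the internet (RFC 2267 ingress filtering):
# "this" network, private, loopback, link-local, multicast/reserved, and our own
# prefix (a packet from outside claiming one of our addresses is spoofed).
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")] + [OUR_NET]


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": arriving from the internet; "out": leaving our network
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit set, i.e. anything but the opening SYN


# (action, ourhost, ourport, theirhost, theirport, flags, remark); "*" matches anything.
# Same rows and order as the reviewed ruleset; "ACK" means the rule needs the ACK bit.
RULES = [
    ("block", "*",  "*", "SPIGOT", "*", "*",   "Do not trust SPIGOT (Mar 09)"),
    ("allow", "GW", 25,  "*",      "*", "*",   "Example 1: inbound mail to GW"),
    ("allow", "*",  "*", "*",      25,  "*",   "Example 2: outbound mail"),
    ("allow", "*",  "*", "NET-2",  "*", "ACK", "Mar 09"),
    ("allow", "*",  "*", "NET-3",  "*", "ACK", "Mar 09"),
    ("block", "*",  "*", "NET-4",  "*", "ACK", "Jan 12"),
    ("block", "*",  "*", "NET-5",  "*", "ACK", "Jan 12"),
    ("block", "*",  "*", "NET-6",  "*", "ACK", "Jan 12"),
    ("allow", "*",  "*", "*",      "*", "ACK", "Sep 12"),
]


def spoofed(pkt):
    """Ingress/egress check: is the source address plausible for the interface?"""
    src = ip_address(pkt.src)
    if pkt.direction == "in":
        # Ingress: bogon sources, packets claiming to be from us, and directed
        # broadcasts into our network (the Smurf amplifier case) are all dropped.
        return (any(src in net for net in BOGONS)
                or ip_address(pkt.dst) == OUR_NET.broadcast_address)
    # Egress: our stations may only send with a source address we own.
    return src not in OUR_NET


def _host_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in NAMES[pattern]


def decide(pkt):
    """Return (action, remark): first matching rule wins; the implicit last rule is block."""
    if spoofed(pkt):
        return "block", "anti-spoofing"
    # Map the packet onto the table's our/their columns according to its direction.
    if pkt.direction == "in":
        ourhost, ourport, theirhost, theirport = pkt.dst, pkt.dport, pkt.src, pkt.sport
    else:
        ourhost, ourport, theirhost, theirport = pkt.src, pkt.sport, pkt.dst, pkt.dport
    for action, oh, op, th, tp, flags, remark in RULES:
        if (_host_matches(oh, ourhost) and op in ("*", ourport)
                and _host_matches(th, theirhost) and tp in ("*", theirport)
                and (flags == "*" or pkt.ack)):
            return action, remark
    return "block", "default (implicit)"


if __name__ == "__main__":
    for label, pkt in [
        ("SMTP from NET-5 to GW", Packet("in", "192.0.2.200", "203.0.113.25", 40000, 25)),
        ("SMTP from SPIGOT to GW", Packet("in", "198.51.100.10", "203.0.113.25", 40000, 25)),
        ("outsider, src port 25, to an inside X server", Packet("in", "198.51.100.200", "203.0.113.50", 25, 6000)),
        ("outsider claiming one of our addresses", Packet("in", "203.0.113.7", "203.0.113.25", 40000, 25)),
    ]:
        print(f"{label}: {decide(pkt)}")
```

Running it answers the review questions. A SYN from NET-5 (or from an unlisted network such as NU) to GW port 25 hits the `Allow GW 25 * *` row before the later NET-5 block, so the mail reaches; the Jan 12 blocks only catch NET-4..6 traffic aimed at other ports. It also shows two weaknesses a reviewer should flag: an inbound packet with source port 25 aimed at any inside port matches the Solution 2 row `Allow * * * 25`, and the Sep 12 row admits any ACK-flagged packet from anywhere, which is exactly what an ACK scan sends.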

Spoofing

IP Spoofing
Any station can send packets pretending to be from any IP address.
Replies will be routed to the subnet that owns the claimed address (route asymmetry), so an attacker spoofing a host on a different subnet will generally not see the replies.
For some attacks this is not important (for example when the whole point is to have the replies land on the spoofed host).

Analogy
Nothing prevents you from physically mailing a letter with an invalid return address, or someone else's, or your own. Likewise, packets can be inserted into the network with invalid or other hosts' IP addresses.

IP Spoofing with Amplification
Use broadcasts pretending to originate from the victim: all the replies go back to the victim.
Class B broadcast, assuming class C subnetting: 253^2 = 64 009 replies.
This may use any IP protocol (ICMP, TCP, UDP): any application or service that replies using these protocols can serve as a reflector.
Famous attack: Smurf (using ICMP) DoS
  CERT Advisory CA-1998-01, "Smurf IP Denial-of-Service Attacks"
  Many others
  Smurf Amplifier Registry: http://www.powertech.no/smurf/

Botnets

Agenda
  Intro to Botnets: What Are They?
  How Does a Botnet Operate?
  How Is a Botnet Organized?
  How Do Botnets Hide?
  What Is the Function of Botnets?

Part 1: Intro to Botnets. What are they?

In the news
  Sep 13 2012: Malware inserted on PC production lines, says study
  July 19 2012: Huge spam botnet Grum is taken out by security researchers
  Mar 26 2012: Microsoft moves to disable Zeus botnet
  Dec 5 2011: Botnets: Hi-tech crime in the UK
  July 29 2010: Multi-Purpose Botnet Used in Major Check Counterfeiting Operation

Introduction
Malware is currently the major source of attacks and fraudulent activities on the Internet.
Malware is used to infect computers.
A botnet is a network of zombies, i.e. compromised computers under the control of an attacker (the botmaster).
A bot is a program loaded on a zombie computer that provides the attacker with remote-control mechanisms.

Bot
A bot is a small program used to remotely control a computer.

Characterized by:
  remote control and communication (C&C) channels used to command the victim, e.g. perform a DoS attack, send spam
  the implemented remote commands, e.g. update the bot binary to a new version
  spreading mechanisms to propagate it further, e.g. port scanning, email

http://en.wikipedia.org/wiki/Botnet

C&C channel
The means of receiving and sending commands and information between the botmaster and the zombies.
Typical protocols:
  Internet Relay Chat (IRC)
  HTTP
  Overnet (Kademlia)
The protocol implies (to an extent) the botnet's communication topology.
The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

Botnet Infection Stages - Centralized

Part 2: How does a botnet operate?

Popular Botnet Propagation Methods
  Spammed messages
  Social networking websites
  Worms
  Removable devices
  Malicious websites
Each path ends the same way: the malware is installed and the machine becomes a bot.

Shift in the way that malware is distributed
  Every 1.3 seconds a new web page gets infected.
  Every month almost 2 million web pages across 210,000 websites are infected with malware.
  Malware attacks have grown by 600% since 2008.

Sample subjects and attachments

Sample subjects:
  A killer at 11, he's free at 21 and kill again!
  British Muslims Genocide
  Naked teens attack home director.
  230 dead as storm batters Europe.
  Re: Your text
  Radical Muslim drinking enemies's blood.
  Saddam Hussein alive!
  Fidel Castro dead.
  FBI vs. Facebook

Sample attachments:
  Postcard.exe, ecard.jpg, FullVideo.exe, Full Story.exe, Video.exe, Read More.exe, FullClip.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe, GreetingCard.exe, ClickHere.exe, ReadMore.exe, FullNews.exe, NflStatTracker.exe, ArcadeWorld.exe, Left-right-brain-test.gif

Part 3: How is a botnet organized?

Traditional botnet
Botnet topology mainly refers to the organization of the C&C channels between the zombies and the attacker.
[Figure: the attacker sends commands and control to the zombies; the zombies infect your home computer and attack the victim]

Topology
Based on the C&C channels, there are two typical botnet topologies: centralized and decentralized (P2P).
Traditional botnet metrics:
  Resiliency: the botnet's ability to cope with the loss of members (zombies) or servers
  Latency: reliability and speed of message transmission
  Enumeration: the ability to accurately estimate the botnet's size (a difficulty for security analysts)
  Re-sale: the possibility of carving off sections of the botnet for lease or resale to other operators

Centralized botnet
Communication between the attacker and the zombies goes via a centralized server.
Classical communication method: IRC (Internet Relay Chat).

Centralized botnet topologies
A centralized topology can be arranged in different shapes. The exact organization of a botnet depends on the bot operator; nothing prevents a bot operator from coming up with a new topology.
Often seen topologies:
  Star
  Multi-server
  Hierarchical

Star topology
Communication is directly between a single centralized server and ALL zombies. When a new machine is infected, it is preconfigured to contact the server to announce its membership.
Pros: low latency
  each zombie is issued commands directly by the server
Cons: low resilience
  only the server needs to be blocked to neutralize the whole botnet

Example: Koobface
An old variant employed a star architecture: zombies connected to the C&C server directly.

Multi-server topology
Similar to the star topology, but instead of one server, multiple servers are used to provide instructions to the zombies.
Pros: better resilience
  geographical distribution of servers
  no single point of failure
  faster communication
  more resistant to legal shutdowns
Cons: requires advance planning

Hierarchical topology
Zombies are generally not aware of the server's location.
Pros:
  ease of re-sale: a botnet operator can easily carve off sections of the botnet for lease or resale to other operators
  hard to enumerate: hard to evaluate the size and complexity of the botnet
Cons:
  high latency: makes some botnet attacks difficult

Example: Gumblar
Gumblar's architecture is not well studied; it is built entirely on zombies. Website visitors are infected with a Windows executable that grabs FTP credentials from the victim machine. The FTP account is then used to infect every web page on the newly reachable web server.

Hybrid topologies
High resilience, low latency. Examples:
  Hierarchical P2P
  Centralized P2P

Storm botnet
A three-level self-organizing hierarchy:
  master servers
  proxy bots: transfer traffic between the workers and the master servers
  worker bots: responsible for sending the spam
Once a Storm binary is downloaded, an infected host becomes a worker bot (if it is not reachable from the Internet) or a proxy bot (if it is).

Part 4: How do botnets hide?

Rootkit
A rootkit is a tool designed to hide itself and other processes, data, and/or activity on a system.
To hide what is taking place, an attacker wants to:
  survive system restart
  hide processes
  hide services
  hide listening TCP/UDP ports
  hide kernel modules
  hide drivers

How Rootkit Works (inline hooking)
  Overwrite the first few bytes of the target function with a jump to the rootkit code.
  Create a trampoline function that first executes the overwritten bytes from the original function, then jumps back into the original function just past the overwritten bytes.
  When the function is called, the rootkit code executes (and can filter or alter arguments and results).
  The rootkit code calls the trampoline, which executes the original function.

Rootkit Usage Example: Hide process
[Figure: the process list BEFORE the rootkit is launched, and the process list AFTER the rootkit is launched, with the hidden process missing]

Part 5: What is the function of botnets?

Botnet Activities
The least damage caused by botnets: bandwidth consumption.
Other things:
  DDoS attacks
  Spam
  Click fraud
  Data theft
  Phishing
  Mistrustful services

DDoS attacks
[Figure: the attacker commands zombies in Brazil, China, Russia and the US, which flood the victim, e.g. Google.com]
http://en.wikipedia.org/wiki/Denial-of-service_attack

Click Fraud
Pay per Click (PPC) is an Internet advertising model in which advertisers pay the hosting website only when an ad is clicked. Bots that click ads on the operator's behalf turn this into fraud.
Famous bots: ClickBot (100k), Bahama Botnet (200k)

Click Fraud - FFSearcher
http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/

Data Theft
Accounts for a great deal of botnet activity. Purpose: harvesting user data
  screen captures
  typed data (keystrokes)
  files
Anti-spyware software: a highly controversial market, which has given rise to scareware.
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Data Theft - Mumba Zeus Botnet
http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf

Phishing
A deceptive email, website, etc. used to harvest confidential information.
http://library.thinkquest.org/06aug/00446/Phishing.html
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Thank You
