
Security Holes

Richard Johnson, NCAR/UCAR Security Administrator. Presented at WESTNET, June 22-24, 2005. Topics: hacking tools and associated security risks, current threats (worms and kiddies), and the combined, targeted economic attacks of the near future.


Presentation Transcript


  1. Security Holes
  • Richard Johnson
  • NCAR/UCAR Security Administrator
  • WESTNET, June 22-24, 2005

  2. Introduction
  • Hacking tools and associated security risks
  • Are we protecting against more attacks, or against new threats?
    • New to us
    • Realization of theory

  3. Outline
  • Background
  • Thinking and talking about security
  • Typical current threats
    • Worms & kiddies
  • Waves of the near future, new threats
    • Combined attacks, targeted economic attacks

  4. Background: Risk
  • Risk is a function, perhaps non-linear: f(Threat [attacker], Vulnerability [exploit], Asset [target dollar & time value])
  • Assign weights, make a linear approximation, come up with relative measures
  • Or wave hands in a relative way
  • Still a long way from actuarial quality

  5. Background: Threat Models
  • What do attackers want?
    • Hosts, credentials, data
  • Target of opportunity or target of choice
    • Low-hanging fruit
    • Extensive effort

  6. Background: Vulnerabilities
  • Typical vulnerabilities
    • Buffer overflows
    • UI feature design errors
  • Code quality typically poor

  7. Background: Security Goals (C I A)
  • Confidentiality
    • FERPA, HIPAA, mandatory breach disclosures, privacy law
  • Integrity
    • SOX, research results
  • Availability
    • Key goal for most institutions
    • Loss of confidentiality and integrity leads to availability loss during cleanup

  8. Current Threats: Overview
  • Let's look at things from the perspective of the threat
  • Risk is dependent on site-specific assets
  • How we got here
    • Worms
    • Kiddies

  9. Current Threats: Past Predictions
  • 1998, Randy Marchany, vt.edu
    • Client trojans will be the next big thing
  • 2002, Steve Linford and spamhaus.org volunteers
    • Worm writers in league with spammers
  • Perhaps our worries will be as accurate

  10. Current Threats: Worms 1
  • Mostly an MS Windows phenomenon. Why?
    • Large population
    • Highly vulnerable population
    • Insanely bad 'feature' design, poor engineering choices, poor code quality, sporadic patching
  • Vulnerabilities not unique to Windows, but the combination spells disaster

  11. Current Threats: Worms 2
  • Typical attacker goals
    • Showing off
    • Botnets (zombies) for spamming, phishing, DDoS extortion
  • Typical behavior
    • Promiscuous, opportunistic, spread widely and rapidly

  12. Current Threats: Worms 3
  • Prevention: anti-virus, anti-spyware, firewalls, patching, switching OS
  • Detection: anti-virus, anti-spyware, IDS, honeypots, user complaints about slowness, external reports
  • Cleanup: anti-virus removal tools, spyware removal tools, some reinstallation

  13. Current Threats: Kiddies 1
  • Mostly a shell problem on UNIX-like systems. Why?
    • Tradition/culture
    • Available tools, kits
    • Poor administration practices
  • Vulnerabilities not unique to UNIX-like systems

  14. Current Threats: Kiddies 2
  • Typical attacker goals
    • Showing off
    • Botnets (zombies) for carding, DDoS extortion
  • Typical behavior
    • Brute-force credential attempts
    • Attended exploit runs

  15. Current Threats: Kiddies 3
  • Prevention: firewalls, patching, hardened credentials (one-time passwords)
  • Detection: external notification, honeypots, IDS, users notice strange processes, log entry changes
  • Cleanup: patching, credential changes, process killing, reinstallation

  16. Current Threats: Strange Dichotomy
  • Kiddies on UNIX-like systems: mostly attended exploits
  • Worms on MS Windows systems: automated exploits
  • This is driven by culture, and will change under economic pressure

  17. New Threats: Overview
  • What big holes are going to bite us next?
    • Changes in worms
    • Changes in kiddie behavior
    • Combined arms

  18. New Threats: Worms 1
  • Short-order botnets: creating botnets to order rather than renting portions of larger nets
  • Adaptation to avoid notice by...
    • Anti-virus companies
    • ISPs hosting binary repositories

  19. New Threats: Worms 2
  • Infectors modified from toolkits to avoid anti-virus signatures
    • Infects only in specified nets or domains
    • Infects only up to the number of desired zombies (1k, 5k, 10k, ...)
  • Infectors less likely to be noticed and added to anti-virus signature databases
  • Auxiliary payload sites less likely to be noticed and shut down

  20. New Threats: Worms 3
  • Prevention: anti-virus, anti-spyware, firewalls, patching, switching OS
  • Detection: anti-virus, anti-spyware, IDS, honeypots, user complaints about slowness, external reports, traffic anomaly flagging
  • Cleanup: anti-virus removal tools, spyware removal tools, reinstallation

  21. New Threats: Worms 4
  • Recent example of this technique change: UK NISCC warning about systematic targeting of UK government and commercial systems

  22. New Threats: Kiddies 1
  • Kiddies growing up, getting jobs
    • Geosci/supercomputer compromises
    • Israeli commercial espionage

  23. New Threats: Kiddies 2
  • Geosci/supercomputer compromises
  • Goals
    • Hosts & credentials for further attacks
    • Noisy attacks as lottery & diversion
    • Training
  • Organized crime "East of Prague" feeding exploits and techniques

  24. Current Threats: Kiddies 4
  • Israeli commercial espionage case
    • Israeli private detective agencies hired a cracker in London to compromise competitors of their clients
    • Targeted attacks against specific MS Windows machines
    • Specifically delivered trojan, with social engineering to encourage installation

  25. Current Threats: Kiddies 5
  • Uncovering the commercial espionage ring
    • Trojan's author used it to compromise the machine of a famous author, his ex-father-in-law
    • Trojan's author left a money trail to the data dump and auxiliary payload sites
  • Without those kiddie tradecraft mistakes (personal involvement, money trail), this case would not have been broken

  26. Current Threats: Combined Arms 1
  • Breaking the dichotomy between kiddies and worms
  • Goals
    • Showing off
    • Espionage
    • Economic disruption

  27. Current Threats: Combined Arms 2
  • Specifically designed trojans
    • Content from target, "porn" or "payroll" hooks, target primed for delivery of a presentation
  • Covert channels for communication
  • Pivot APIs for control through multiple covert hops on varied architectures

  28. Current Threats: Combined Arms 3
  • Interesting "new" techniques
    • Drivers are not yet as well audited as the rest of the OS
    • Firewire DMA
    • USB false registration

  29. Current Threats: Combined Arms 4
  • Demonstration of a chem plant toxic release
    • Plant has a corporate net with a firewall between it and the Internet
    • Plant has a separate process control net, not connected to the corporate net or the Internet
  • Goal: seize control workstations, and release toxic gas into the city to force evacuation

  30. Current Threats: Combined Arms 4
  • How it was engineered
    • Web search used to find corporate MS Office docs
    • Copy of a legitimate presentation trojaned with embedded web scripts that run in the unrestricted local context (exploit of a misfeature)
    • Trojan emailed "from" the boss to a subordinate with a request for review

  31. Current Threats: Combined Arms 5
  • How it was engineered, cont.
    • Trojan compromises the user's workstation, calls out over an encrypted covert channel (slack created at the end of some packets, etc.)
    • Attacker pivots through the workstation to compromise the user's account on the domain controller
    • Then pivots to the database server, and compromises it via a stored procedure hole

  32. Current Threats: Combined Arms 6
  • How it was engineered, cont.
    • Oracle licenses are expensive
    • Database server has connections to the process control net as well as the corporate net
    • Process control workstations are not patched, and fall to direct network exploits
  • Boom.
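The covert channel in the chain above hides its traffic in slack after the end of the IP datagram, bytes the receiving stack simply ignores. As an added example, not from the talk, here is a small Python check that flags Ethernet frames whose trailing bytes cannot be explained by ordinary zero padding of short frames; the frames it inspects are constructed inline with placeholder addresses and ports.

```python
import struct

ETH_HDR = 14    # destination MAC, source MAC, ethertype
MIN_FRAME = 60  # minimum Ethernet frame without FCS; shorter frames are zero-padded by the NIC


def ip_total_length(frame: bytes):
    """Return the IPv4 Total Length field, or None if the frame is not IPv4."""
    if len(frame) < ETH_HDR + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or frame[ETH_HDR] >> 4 != 4:
        return None
    return struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]


def trailing_slack(frame: bytes) -> bytes:
    """Bytes after the IP datagram; the IP stack ignores them, so they can carry hidden data."""
    total = ip_total_length(frame)
    if total is None:
        return b""
    return frame[ETH_HDR + total:]


def is_suspicious(frame: bytes) -> bool:
    """True when the slack is not plain padding: non-zero bytes, or padding on a frame over 60 bytes."""
    slack = trailing_slack(frame)
    if not slack:
        return False
    if len(frame) <= MIN_FRAME and slack == bytes(len(slack)):
        return False  # zero padding of a short frame is normal
    return True


def build_frame(payload: bytes, trailer: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/UDP frame for testing; addresses and ports are placeholders."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + udp
    frame = b"\x00" * 12 + b"\x08\x00" + ip + trailer
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))  # NIC-style zero padding


def scan(frames):
    """Return the indexes of frames carrying unexplained trailing data."""
    return [i for i, f in enumerate(frames) if is_suspicious(f)]
```

On real captures, feed `scan()` the raw frames from a packet capture library and review the flagged ones; a burst of non-zero slack from one workstation is worth a closer look.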

  33. New Threats: Summary
  • Worms becoming less promiscuous
    • Limits anti-virus effectiveness
  • Attackers increasingly motivated financially
    • Market is maturing, labor specializing, techniques are percolating down
  • Increasing confluence of techniques for combined attacks

  34. Moving Onwards
  • Software quality won't improve
  • Attackers will continue to diversify
  • Detection will increasingly be a matter of
    • Anomaly detection in flows, traffic content
    • Counterintelligence including honeypots
  • Cleanup will increasingly involve rebuilds
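The anomaly detection in flows called for above, as an added example that is not part of the talk: a Python pass over constructed flow records that flags peers a host contacts on a near-fixed timer, the pattern a trojan calling out over a covert channel leaves in flow data even when the channel content itself is encrypted. Hosts, ports and timings are constructed placeholders.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start time in seconds, source, destination, destination port).
# 10.0.0.5 contacts a placeholder external host on 443 every ~300 s with a few seconds of jitter,
# and browses another placeholder host on port 80 at irregular, human-looking times.
SAMPLE_FLOWS = [
    (t, "10.0.0.5", "198.51.100.7", 443)
    for t in (1000, 1298, 1600, 1900, 2199, 2500, 2800, 3103, 3400, 3700)
] + [
    (t, "10.0.0.5", "192.0.2.10", 80)
    for t in (1000, 1007, 1009, 1040, 1041, 1042, 1130, 1600, 1601, 1900)
]


def group_flows(flows):
    """Group flow start times by (source, destination, destination port)."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dst, dport)].append(ts)
    return by_key


def beacon_score(timestamps):
    """Return (flow count, coefficient of variation of the gaps between flows).

    Timer-driven callouts produce near-constant gaps (CV close to 0);
    human-driven traffic is bursty and irregular (CV well above 1).
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), None
    m = mean(gaps)
    return len(ts), (pstdev(gaps) / m if m > 0 else None)


def find_beacons(flows, min_flows=8, max_cv=0.15):
    """Return [(key, count, cv)] for peers contacted regularly enough to look like a beacon."""
    hits = []
    for key, stamps in group_flows(flows).items():
        n, cv = beacon_score(stamps)
        if n >= min_flows and cv is not None and cv <= max_cv:
            hits.append((key, n, round(cv, 3)))
    return sorted(hits)
```

Tune `min_flows` and `max_cv` against your own baseline; legitimate schedulers (NTP, update checks) also beacon, so the hit list is a review queue, not a verdict.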
