Security Holes • Richard Johnson • NCAR/UCAR Security Administrator • WESTNET, June 22-24, 2005
Introduction • Hacking tools and associated security risks • Are we protecting against more attacks, or against new threats? • New to us • Realization of theory
Outline • Background • Thinking and talking about security • Typical current threats • Worms & kiddies • Waves of the near future, new threats • Combined attacks, targeted economic attacks
Background:Risk • Risk is a function, perhaps non-linear • f( Threat [attacker], Vulnerability [exploit], Asset [target dollar & time value] ) • Assign weights, make a linear approximation, come up with relative measures • Or wave hands in a relative way • Still a long way from actuarial quality
Background:Threat Models • What do attackers want? • Hosts, Credentials, Data • Target of opportunity or target of choice • Low hanging fruit • Extensive effort
Background:Vulnerabilities • Typical vulnerabilities • Buffer overflows • UI feature design errors • Code quality typically poor
Background:Security Goals (C I A) • Confidentiality • FERPA, HIPAA, mandatory breach disclosures, privacy law • Integrity • SOX, research results • Availability • Key goal for most institutions • Loss of confidentiality or integrity also causes availability loss during cleanup
Current Threats:Overview • Let’s look at things from perspective of threat • Risk is dependent on site-specific assets • How we got here • Worms • Kiddies
Current Threats:Past Predictions • 1998, Randy Marchany, vt.edu • Client trojans will be the next big thing • 2002, Steve Linford and spamhaus.org volunteers • Worm writers in league with spammers • Perhaps our worries will be as accurate
Current Threats:Worms 1 • Mostly MS Windows phenomenon. Why? • Large population • Highly vulnerable population • Insanely bad ‘feature’ design, Poor engineering choices, Poor code quality, Sporadic patching • Vulnerabilities not unique to Windows, but combination spells disaster
Current Threats:Worms 2 • Typical attacker goals • Showing off • Botnets (zombies) for spamming, phishing, DDoS extortion • Typical behavior • Promiscuous, opportunistic, spread widely and rapidly
Current Threats:Worms 3 • Prevention • Anti-virus, Anti-spyware, Firewalls, Patching, Switching OS • Detection • Anti-virus, Anti-spyware, IDS, Honeypots, User complaints about slowness, External reports • Cleanup • Anti-virus removal tools, spyware removal tools, some reinstallation
Current Threats:Kiddies 1 • Mostly a shell-access problem on UNIX-like systems. Why? • Tradition/culture • Available tools, kits • Poor administration practices • Vulnerabilities not unique to UNIX-like systems
Current Threats:Kiddies 2 • Typical attacker goals • Showing off • Botnets (zombies) for carding, DDoS extortion • Typical behavior • Brute-force credential attempts • Attended exploit runs
Current Threats:Kiddies 3 • Prevention • Firewalls, Patching, Hardened credentials (one-time passwords) • Detection • External notification, Honeypots, IDS, Users notice strange processes, Log entry changes • Cleanup • Patching, credentials changes, process killing, reinstallation
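The brute-force credential attempts and log-based detection described above, as an added example (not code from the talk): a small detector that parses OpenSSH-style auth log lines, counts failures per source inside a sliding window, and raises a second alert when a login is accepted from a source already flagged, which is the case that actually matters. The log lines are constructed to mimic sshd syslog output; the threshold of five failures per sixty seconds and the year used to complete the timestamps are assumptions to be tuned per site.

```python
"""Brute-force credential detection over sshd auth log lines.

Added illustration, not code from the talk. The log lines are constructed
to mimic OpenSSH syslog output; the failure threshold, the time window and
the year used to complete the timestamps are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source hammers root/admin/test and finally gets in;
# a second source is an ordinary user who mistypes once and then logs in by key.
SAMPLE_LOG = """\
Jun 22 10:00:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jun 22 10:00:02 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jun 22 10:00:03 host sshd[2003]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jun 22 10:00:04 host sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jun 22 10:00:05 host sshd[2005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jun 22 10:00:09 host sshd[2006]: Accepted password for root from 198.51.100.7 port 40006 ssh2
Jun 22 10:03:00 host sshd[2007]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jun 22 10:03:05 host sshd[2008]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2005):
    """Parse one sshd auth line; return None for lines we do not care about."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so one is supplied (assumption)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return alerts as tuples.

    (ip, "bruteforce", n)                  -> n failures from ip inside window_s seconds
    (ip, "success_after_bruteforce", user) -> a login accepted from an ip already flagged,
                                              i.e. the guessing probably worked
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            # drop failures that have aged out of the sliding window
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", len(q)))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample this raises one brute-force alert for 198.51.100.7 and then a success-after-brute-force alert for root from the same address, while alice's single typo is ignored. Note that a password guessed in the sixth attempt is exactly the case one-time passwords remove.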
Current Threats:Strange Dichotomy • Kiddies on UNIX-like systems • Mostly attended exploits • Worms on MS Windows systems • Automated exploits • This is driven by culture, and will change under economic pressure
New Threats:Overview • What big holes are going to bite us next? • Changes in worms • Changes in kiddie behavior • Combined arms
New Threats:Worms 1 • Short-order botnets • Creating botnets to order rather than renting portions of larger nets • Adaptation to avoid notice by... • Anti-virus companies • ISPs hosting binary repositories
New Threats:Worms 2 • Infectors modified from toolkits to avoid anti-virus signatures • Infects only in specified nets or domains • Infects only up to number of desired zombies (1k, 5k, 10k, ...) • Infectors less likely to be noticed and added to anti-virus signature databases • Auxiliary payload sites less likely to be noticed and shut down
New Threats:Worms 3 • Prevention • Anti-virus, Anti-spyware, Firewalls, Patching, Switching OS • Detection • Anti-virus, Anti-spyware, IDS, Honeypots, User complaints about slowness, External reports, Traffic anomaly flagging • Cleanup • Anti-virus removal tools, spyware removal tools, reinstallation
New Threats:Worms 4 • Recent example of this technique change • UK NISCC warning about systematic targeting of UK government and commercial systems
New Threats:Kiddies 1 • Kiddies growing up, getting jobs • Geosci/Supercomputer compromises • Israeli Commercial Espionage
New Threats:Kiddies 2 • Geosci/Supercomputer compromises • Goals • Hosts & credentials for further attacks • Noisy attacks as lottery & diversion • Training • Organized crime “East of Prague” feeding exploits and techniques
New Threats:Kiddies 3 • Israeli Commercial Espionage Case • Israeli private detective agencies hired a cracker in London to compromise competitors of their clients • Targeted attacks against specific MS Windows machines • Specifically delivered trojan, with social engineering to encourage installation
New Threats:Kiddies 4 • Uncovering the Commercial Espionage Ring • Trojan’s author used it to compromise the machine of his ex-father-in-law, a well-known author • Trojan’s author left a money trail to data dump and auxiliary payload sites • Without those kiddie tradecraft mistakes (personal involvement, money trail), this case would not have been broken
New Threats:Combined Arms 1 • Breaking the dichotomy between kiddies and worms • Goals • Showing off • Espionage • Economic disruption
New Threats:Combined Arms 2 • Specifically designed trojans • Content from target, “Porn” or “payroll” hooks, target primed for delivery of a presentation • Covert channels for communication • Pivot APIs for control through multiple covert hops on varied architectures
New Threats:Combined Arms 3 • Interesting “new” techniques • Drivers are not yet audited as well as the rest of the OS • Firewire DMA • USB false registration
New Threats:Combined Arms 4 • Demonstration of chem plant toxic release • Plant has corporate net with firewall between it and Internet • Plant has separate process control net, supposedly not connected to corporate net or Internet • Goal: seize control workstations and release toxic gas into city to force evacuation
New Threats:Combined Arms 5 • How it was engineered • Web search used to find corporate MS Office docs • Copy of legit presentation trojaned with embedded web scripts that run in unrestricted local context (exploit of a misfeature) • Trojan emailed “from” boss to subordinate with request for review
New Threats:Combined Arms 6 • How it was engineered, cont. • Trojan compromises user’s workstation, calls out over an encrypted covert channel (slack space at the end of some packets, etc.) • Attacker pivots through workstation to compromise user’s account on domain controller • Then pivots to database server and compromises it via a stored procedure hole
New Threats:Combined Arms 7 • How it was engineered, cont. • Oracle licenses are expensive, so one database server serves both networks • Database server has connections to process control net as well as corp. net • Process control workstations are not patched, and fall to direct network exploits • Boom.
New Threats:Summary • Worms becoming less promiscuous • Limits anti-virus effectiveness • Attackers increasingly motivated financially • Market is maturing, labor specializing, techniques are percolating down • Increasing confluence of techniques for combined attacks
Moving Onwards • Software quality won’t improve • Attackers will continue to diversify • Detection will increasingly be a matter of • Anomaly detection in flows, traffic content • Counterintelligence including honeypots • Cleanup will increasingly involve rebuilds
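The traffic anomaly flagging mentioned under New Threats:Worms 3 and the flow anomaly detection this closing slide expects to carry more of the load, as an added example (not code from the talk). Two flow-level checks that need no signatures: fan-out (one source touching many distinct destinations on one port inside a short window, the footprint of a worm even when its infector is unknown to anti-virus) and beaconing (one source calling the same destination at a near-constant interval, the footprint of a compromised workstation calling out to its controller). The NetFlow-style records are constructed; the window, the destination-count threshold and the jitter bound are assumptions to tune against a site's own baseline.

```python
"""Flow-level anomaly flagging for worm fan-out and periodic callouts.

Added illustration, not code from the talk. The flow records below are
constructed (NetFlow-style tuples); window, threshold and jitter bound
are assumptions that a real deployment would baseline per site.
"""
from collections import defaultdict
from statistics import mean, pstdev

# (timestamp_s, src_ip, dst_ip, dst_port, bytes)  -- constructed sample flows
FLOWS = [
    # ordinary desktop traffic from 10.0.0.5
    (0, "10.0.0.5", "10.0.0.10", 445, 5000),
    (30, "10.0.0.5", "192.0.2.80", 80, 12000),
    (70, "10.0.0.5", "10.0.0.11", 445, 3000),
    # 10.0.0.7 sweeps forty hosts on 445 inside one minute (worm-like fan-out)
    *[(10 + i, "10.0.0.7", f"10.0.1.{i}", 445, 200) for i in range(40)],
    # 10.0.0.9 calls one external host about every 60 s with tiny payloads
    *[(60 * k + (k % 2), "10.0.0.9", "203.0.113.20", 443, 120) for k in range(10)],
]


def fan_out_alerts(flows, window_s=60, max_distinct_dsts=20):
    """Flag (src, dport, count) when a source contacts more than
    max_distinct_dsts distinct destinations on one port within window_s seconds."""
    by_src_port = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_src_port[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), recs in by_src_port.items():
        recs.sort()
        lo = 0
        in_window = defaultdict(int)      # dst -> flows to it inside the current window
        for ts, dst in recs:
            in_window[dst] += 1
            # slide the window start forward past aged-out flows
            while ts - recs[lo][0] > window_s:
                old = recs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > max_distinct_dsts:
                alerts.append((src, dport, len(in_window)))
                break                       # one alert per (src, port) is enough
    return alerts


def beacon_alerts(flows, min_flows=6, max_jitter=0.1):
    """Flag (src, dst, dport, period_s) when the gaps between successive flows
    of one (src, dst, dport) triple are nearly constant: pstdev/mean < max_jitter."""
    by_triple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_triple[(src, dst, dport)].append(ts)
    alerts = []
    for key, times in by_triple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            alerts.append((*key, round(period)))
    return alerts


if __name__ == "__main__":
    print("fan-out:", fan_out_alerts(FLOWS))
    print("beacons:", beacon_alerts(FLOWS))
```

On the sample the sweep from 10.0.0.7 trips the fan-out check at the twenty-first distinct destination, and the 60-second callouts from 10.0.0.9 trip the beacon check despite the one-second jitter; the ordinary desktop does neither. Both checks work on flow metadata only, so an encrypted covert channel is still visible to them.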