1 / 30

Information Security Analytics

Information Security Analytics. Dr. Bhavani Thuraisingham The University of Texas at Dallas Attacks to Databases Hardware Security July 2011. Outline of the Unit. 1. Brute-force (or not) cracking of weak or default usernames/passwords 2. Privilege escalation

edena
Download Presentation

Information Security Analytics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information Security Analytics Dr. Bhavani Thuraisingham The University of Texas at Dallas Attacks to Databases Hardware Security July 2011

  2. Outline of the Unit • 1. Brute-force (or not) cracking of weak or default usernames/passwords • 2. Privilege escalation • 3. Exploiting unused and unnecessary database services and functionality • 4. Targeting unpatched database vulnerabilities • 5. Stolen backup (unencrypted) tapes • 6. SQL injection • http://www.darkreading.com/security/encryption/211201064/index.html

  3. Brute-force (or not) cracking of weak or default usernames/passwords • Older versions of Oracle and others database systems used well known default passwords • New versions have changed this practice and don’t allow database systems to keep default passwords • Even unique, non-default database passwords aren’t hacker-safe – with Bruce Force attacks and password cracking tools • Steer clear of default passwords, and institute tight password management and regular change-ups.

  4. Privilege Escalation • There have been several insider attacks that came as a result of a malicious user possessing more system privileges than he or she should have had. • Outside attackers sometimes have higher-level privileges by compromising the operating system. • Privilege escalation usually has more to do with misconfiguration: A user is mistakenly granted more access and privileges on the database or related applications than he actually needs to do his job. • Sometimes an inside attacker (or an outsider who has taken over a victim’s machine) can go from one application to the database, even if he doesn't have database credentials. • Solution: Give users only the access and rights they need on the database, nothing more

  5. Exploiting unused and unnecessary database services and functionality • One of the first things an outside attacker will look for is whether his potential victim is running the Listener feature on its Oracle database. Listener seeks out and forwards network connections to the Oracle database, and thus can expose users and database links. • Via Google, an attacker can search and find exposed Listener services on databases. • Other features, such as hooks between operating systems and the database, can leave the database exposed to an attack. Such a hook can become a communications link to the database. • Often, database administrators run too many services and services may be open up to vulnerabilities • Solution: Install only the database features you need.

  6. Targeting unpatched database vulnerabilities • Oracle and other database vendors patch their vulnerabilities. However difficult for organizations to keep up with the patches • Database vendors are careful not to disclose many details about the vulnerabilities and their patches fix so that attackers are not notified • Some hacker sites post exploit scripts for known database vulnerabilities • Solution: Organizations must be vigilant about installing patches in a timely manner.

  7. Stolen backup (unencrypted) tapes • If the database data on the stolen are not encrypted and the tapes get into the wrong hands then there is a huge problem • But this type of attack is more likely to occur with an insider selling the media to an attacker. • Solution: Encrypt the critical data. Use a safe for sensitive database tapes

  8. SQL Injection • SQL injection attacks occur where the fields available for user input let SQL statements through to query the database directly. • Outside of the client, Web applications typically are the weakest link. In some cases, if the attacker gets a screen on the application for username and password, all he has to do is provide a SQL statement or database command and that goes directly to the database • If the application does not examine the content of the logon. “The problem is that the authentication and authorization has been moved to the application server. • Now instead of a user name, it is a SQL command put into a packet and sent by the application server to the database. • The database reads the SQL command, and it could shut down a database altogether

  9. SQL Injection • Solution is to look at the content the user is providing. • SQL injection attacks can occur both from the Web application to the database, and from within the database itself. • There are some programming practices that help prevent SQL injection flaws in applications, such as using what are called “bind variables,” or parameters for queries. • In languages such as Java, that means using question marks as placeholders in the SQL statement and binding the “received” values to those placeholders • Another practice is to avoid displaying certain database error messages to avoid giving away potentially sensitive information to a would-be attacker

  10. SQL Injection • Conasier ing a very simple web application that processes customer orders. Suppose Acme Widgets has a simple page for existing customers where they simply enter their customer number to retrieve all of their current order information. The page itself might be a basic HTML form that contains a textbox called CustomerNumber and a submit button. When the form is submitted, the following SQL query is executed: SELECT *FROM OrdersWHERE CustomerNumber = CustomerNumber The results of this query are then displayed on the results page. During a normal customer inquiry, this form works quite well.

  11. SQL Injection • Suppose John visits the page and enters his customer ID (14). The following query would retrieve his results: SELECT *FROM OrdersWHERE CustomerNumber = 14 However, the same code can be a dangerous weapon in the hands of a malicious user. Imagine that Mal comes along and enters the following data in the CustomerNumber field: “14; DROP TABLE Orders”. This would cause the following query to execute: SELECT *FROM OrdersWHERE CustomerNumber = 14; DROP TABLE Orders

  12. SQL Injection Solutions: Implement parameter checking on all applications. For example, if you’re asking someone to enter a customer number, make sure the input is numeric before executing the query. You may wish to go a step further and perform additional checks to ensure the customer number is the proper length, valid, • Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn’t have permission to drop tables, the table dropping will not succeed! • Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code. • As with many security principles, an ounce of prevention is worth a pound of cure. Take the time to verify the code running on your servers

  13. Hardware Security • http://www.sans.org/reading_room/whitepapers/vpns/overview-hardware-security-modules_757

  14. What is Secure Biometrics? • Study the attacks of biometrics systems • Modifying fingerprints • Modifying facial features • Develop a security policy and model for the system • Application independent and Application specific policies • Enforce Security constraints • Entire face is classified but the nose can be displayed • Develop a formal model • Formalize the policy • Design the system and identify security critical components • Reference monitor for biometrics systems

  15. Security Vulnerabilities • Type 1 attack: present fake biometric such a synthetic biometric • Type 2 attack: Submit a previously intercepted biometric data: replay • Type 3 attack: Compromising the feature extractor module to give results desired by attacker • Type 4 attack: Replace the genuine feature values produced by the system by fake values desired by attacker • Type 5 attack: Produce a high number of matching results • Type 6 attack: Attack the template database: add templates, modify templates etc.

  16. Security and Privacy for Biometrics • Privacy of the Individuals have to be protected • CNN News Release: August 29, 2005 • Distorting Biometrics Enhances Security and Privacy • Biometric data converted to numerical strings by mathematical algorithm for later use • If the mathematical templates are stolen could be dangerous • Researchers have developed method to alter the images in a defined and repeated way • Hackers steal the distortion not the original face or fingerprint

  17. Secure Electronic Voting Machines Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to Biometrics

  18. References and Disclaimer • Analysis of an Electronic Voting System TADAYOSHI KOHNO ADAM STUBBLEFIELD AVIEL D. RUBIN DAN S. WALLACH IEEE Symposium on Security and Privacy 2004 • Security Analysis of the Diebold AccuVote-TS Voting Machine Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten http://itpolicy.princeton.edu/voting. • The views expressed in this presentation are obtained entirely from the above two papers. Prof. Bhavani Thuraisingham has not carried out any analysis of the electronic voting machine discussed in this presentation.

  19. Properties of a Good Voting System • The anonymity of a voter’s ballot must be preserved, both to guarantee the voter’s safety and to guarantee that voters have no evidence that proves which candidates received their votes. • The voting system must also be tamper-resistant to thwart a wide range of attacks ( including ballot stuffing by voters and incorrect tallying by insiders) • “Butterfly ballots” in the Florida 2000 presidential election is the importance of human factors. • A voting system must be comprehensible to and usable by the entire voting population, regardless of age, infirmity, or disability. • Flaws in any of these aspects of a voting system can lead to indecisive/incorrect election results.

  20. Electronic Voting System • As a result of the Florida 2000 presidential election the inadequacies of widely-used punch card voting systems have become well understood by the general population. • This has led to increasingly widespread adoption of “direct recording electronic” (DRE) voting systems. • Voters go to their home precinct and prove that they are allowed to vote there by presenting say an ID card. The voter is then typically given a PIN, a smartcard, or some other token • User then enters the token at a voting terminal and then votes • When the voter’s selection is complete, DRE systems will typically present a summary of the voter’s selections • The ballot is “cast” • The most fundamental problem with such a voting system is that the entire election hinges on the correctness,

  21. What is the problem? • The problem with such a voting system is that the entire election hinges on the correctness, robustness, and security of the software within the voting terminal. • Should that code have security relevant flaws, they might be exploitable either by unscrupulous voters or by malicious insiders. • If flaws are introduced into the voting system software then the results of the election cannot be assured to accurately reflect the votes legally cast by the voters.

  22. A solution? • A solution for securing electronic voting machines is to introduce a “voter-verifiable audit trail”. • A DRE system with a printer attachment, or even a traditional optical scan system will satisfy this requirement by having a piece of paper for voters to read and verify that their intent is correct reflected. • This paper is stored in ballot boxes and is considered to be the primary record of a voter’s intent. • If the printed paper has some kind of error, it is considered to be a “spoiled ballot” and can be mechanically destroyed, giving the voter the chance to vote again. • The correctness of any voting software no longer matters; either a voting terminal prints correct ballots or it is taken out of service. • If there is any discrepancy in the vote tally, the paper ballots will be available to be recounted

  23. Certified Voting Systems and issues • “CERTIFIED” DRE SYSTEMS. Many government entities have adopted paperless DRE systems • Such systems have been “certified” for use without any public release of the analyses • The CVS source code repository for Diebold’s AccuVote-TS DRE voting system recently appeared on the Internet. • Rubin et al discovered significant and wide-reaching security vulnerabilities in their analysis of the AccuVote-TS voting terminal • Voters can easily program their own smartcards to simulate the behavior of valid smartcards used in the election. • With such homebrew cards a voter can cast multiple ballots without leaving any trace. • A voter can also perform actions that normally require administrative privileges (e.g. viewing partial results and terminating the election early)

  24. Certified Voting Systems and issues • The protocols used when the voting terminals communicate with their home base both to fetch election configuration information and to report final election results do not use cryptographic techniques to authenticate either end of the connection nor do they check the integrity of the data in transit. • Given that these voting terminals could potentially communicate over insecure phone lines or even wireless Internet connections, even unsophisticated attackers can perform untraceable “man-in-the-middle” attacks.

  25. Certified Voting Systems and issues • Rubin et al considered both the specific ways that the code uses cryptographic techniques and the general software engineering quality of its construction. • They state neither provides them with any confidence of the system’s correctness. • Cryptography, when used at all, is used incorrectly. In many places where cryptography would seem obvious and necessary, none is used. • No evidence of disciplined software engineering processes. Comments in the code and the revision change logs indicate the engineers were aware of some problems • No evidence of any change-control process that might restrict a developer’s ability to insert arbitrary patches to the code. • Software is written entirely in C++. Rubin et al state when programming in a language like C++, which is not type-safe, programmers must exercise tight discipline to prevent their programs from being vulnerable to buffer overflow attacks and other weaknesses.

  26. What happened next? • Following the release of our results, the state of Maryland hired SAIC and RABA and the state of Ohio hired Compuware to perform independent analyses of Diebold’s AccuVote-TS systems • These analyses supported Rubin’s findings; also showed that many of the issues raised and attacks identified still apply to more recent versions of the AccuVote-TS system • These analyses also identified security problems with the back-end GEMS server.

  27. Security Threats • Smartcards • Exploiting the lack of cryptography; Creating homebrew smartcards; Casting multiple votes ; Accessing administrator and poll worker functionality • Election configurations and election data • Tampering with the system configuration; Tampering with ballot definitions; Impersonating legitimate voting terminals; Key management and other cryptographic issues with the vote and audit records; Tampering with election results and linking voters with their votes; Audit logs ; Attacking the start of an election • Software engineering • Code legacy; Coding style; Coding process; Code completeness and correctness

  28. Rubin’s conclusions • Using publicly available source code, they performed an analysis of the April 2002 snapshot of Diebold’s AccuVote-TS electronic voting system. • They found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and janitors is even greater • Based on the analysis of the development environment, including change logs and comments, they believe that an appropriate level of programming discipline for a project was not maintained. • There is little difference in the way code is developed for voting machines relative to other commercial endeavors. • They believe that an open process would result in more careful development as more scientists and software engineers would solve problems. • Need to use appropriate encryptions and security models

  29. Analysis of Feldman et al • Malicious software running on a single voting machine can steal votes with little if any risk of detection. • The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. • The authors have constructed demonstration software that carries out this vote-stealing attack. • Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. • In practice, poll workers and others often have unsupervised access to the machines.

  30. Analysis of Feldman et al • AccuVote-TS machines are susceptible to voting-machine viruses; computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post election activity. • Authors have constructed a demonstration virus that spreads in this way, installing their demonstration vote-stealing program on every machine it infects. • While some of these problems can be eliminated by improving Diebold’s software, others cannot be remedied without replacing the machines’ hardware. • Changes to election procedures would also be required to ensure security.

More Related