Securing Your Microsoft Windows SOHO Network Harold Toomey, Product Manager Symantec Corporation htoomey@symantec.com 8 January 2002
Agenda • The Threat • Hackers • Attacks • Security Best Practices • The 80-20 Rule • Patches • Password strength • The Tools • Norton Internet Security 2002 • Enterprise-Class tools • Typical SOHO Network • Network layout • Vulnerable segments • Security tips
The Threat • Whether your Internet connection is always on or you only dial in occasionally, your computer is vulnerable every minute it's online • Hackers have the tools and knowledge to compromise your system • Security experts are calling 2001 the worst year for computer viruses • December is the worst month • Experts predict 2002 will be even worse • They predict that “viruses and their cousins, the self-propagating worms, will find new and even more nasty ways to attack computer systems, possibly even hitting mobile devices, pocket PCs and smart phones in the coming year.” (Source: Reuters 12-26-2001 & USA Today 12-27-2001)
Why Hackers Attack • Professionals • Military tool / Cyber warfare • Industrial espionage • Hacktivism • Hackers • Money $$ (credit cards, extortion) • Power (DDoS zombies) • Fame (want a “name”) • Fun (adventure game) • Socialize (hacker clubs) • Revenge (www.grc.com) • Cheap (can’t afford own hard drive space) • Because they can
Why Hackers Attack • Script Kiddies • Only use tools others have created • Usually just kids (10-17) • White Hat Hackers • Good intent • Test for security vulnerabilities before attackers can abuse them • Black Hat Hackers • Evil intent
Trojan Horses and Backdoors • Trojan Horses • Replace known programs • A login Trojan works like the normal login, but captures user passwords or gives privileged access on demand • Have the same behavior as the programs they replace and are difficult to find • Usually contain backdoors • Mask the existence of backdoors • Backdoors • May replace known programs • Give attackers direct access (often root level) to the system, bypassing normal authentication • May replace the login command to allow quick root-level access • May listen on certain ports for further direct access
SubSeven Trojan • What it does • Allows remote control of Windows: • File • Monitoring • Network • Protection from it • Keep your systems updated • Eliminate all unneeded programs • Periodically scan the network for common backdoor services • Check critical files for tampering (compare MD5 checksums against a known-good baseline stored off the machine) • Use intrusion detection (IDS)
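The tamper check above is easy to get wrong in practice: the baseline has to be taken before the compromise and kept where the backdoor cannot rewrite it. The following added example (not code from the original slides) hashes every file under a directory, keeps the result as a JSON baseline you would store offline, and later reports which files were modified, added or removed. It uses SHA-256 rather than the MD5 the slide mentions, because MD5 collisions are cheap today and an attacker can build a replacement file with the same MD5; the directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Detect tampering with critical files by comparing hashes against a baseline.

Added example (not from the original slides). Assumes the baseline is stored
out of the attacker's reach (e.g. on removable media); a baseline kept on the
compromised host can be rewritten by the same backdoor it is meant to catch.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hex digest of a file, read in chunks so large binaries fit in memory.

    The slide says "MD5"; MD5 still catches accidental corruption, but an
    attacker can craft a Trojan build with the same MD5, so use SHA-256.
    """
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, algorithm: str = "sha256") -> Dict[str, str]:
    """Hash every regular file under root; keys are paths relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algorithm)
    return baseline


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences: modified (hash changed), added, removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: the login program is replaced by a Trojan build,
    a backdoor binary is dropped, and a config file is deleted."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        originals = {
            "system32/login.exe": b"original login program",
            "system32/config.ini": b"[settings]\nvalue=1\n",
            "notepad.exe": b"notepad",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        snapshot = json.dumps(build_baseline(root))  # what you would keep offline

        # Simulated tampering by a Trojan/backdoor
        with open(os.path.join(root, "system32", "login.exe"), "wb") as f:
            f.write(b"original login program" + b"\x00 + keystroke logger")
        with open(os.path.join(root, "system32", "backdoor.exe"), "wb") as f:
            f.write(b"listens on a port")
        os.remove(os.path.join(root, "system32", "config.ini"))

        return compare_baseline(json.loads(snapshot), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

Run the baseline from a clean boot (or a known-good install medium), not from the possibly compromised system itself: a kernel-level or login Trojan can feed the checker the original file contents while running something else.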
SubSeven Trojan (network diagram): an attacker on the Internet controls a system on the SOHO network from a remote location. The LAN behind the router and hub holds an NT server, a workstation, a laptop and a Linux server.
SubSeven Trojan - GUI (screenshot): connect to the remote system.
SubSeven Trojan - GUI (screenshot): select Key logger to capture what is typed on the keyboard of the remote system. In the demo, a very confidential email message is captured keystroke by keystroke: the logon to mailserver.xyz-company.com (password “lordoftherings”), then a new message to Jcombs@xyz-company.com, subject “Company layoffs”, from David Smith, CEO, XYZ Company: with the end of quarter the company will fall short of expected earnings; he proposes a 20% reduction in work force and elimination of all unnecessary travel, asks for plans by Friday, and notes that the information is very sensitive and must remain confidential.
Backdoor - Back Orifice 2000 • From “cult of the dead cow” • Allows remote control of Windows: • File system • Registry • System • Passwords • Network • Processes • Extensive multi-media controls • Capture images from server screen • Record confidential conversations • NT registry passwords and Win9x screen saver password dumping • Most virus detection software will identify the binary version • Completely open-source (anyone can change it)
Back Orifice 2000 (network diagram): an attacker on the Internet controls a system on the SOHO network from a remote location. The LAN behind the router and hub holds an NT server, a workstation, a laptop and a W2K server.
Back Orifice 2000 (screenshot): Capture audio or video from the victim's system if a microphone or camera is attached. You could record confidential meetings held behind closed doors.
Spyware and Adware • Adware • Pop up ads • AdBots are legal! • Spyware • “Spyware is ANY SOFTWARE which employs a user's Internet connection in the background without their knowledge or explicit permission.” – Steve Gibson • Symptoms • Can slow down a PC significantly • Hide in executables • Have a “hibernate” setting in registry! • Example: Time Sink, Inc.’s TSAdBot.exe (evil!) • Provide a removal tool on web • www.gohip.com/remove_browser_enhancement.html • More info: http://grc.com/optout.htm
Viruses & Worms • A few viruses that received media attention • Naked Wife • Anna Kournikova • ILOVEYOU • Melissa • A few worms that received media attention • CodeRed II • Nimda • SirCam • http://securityresponse.symantec.com/
2001 CSI/FBI Computer Crime and Security Survey (Mar 12, 2001) - Average Reported Losses
Theft of Proprietary Information: $4.45 M
Financial Fraud: $4.42 M
Outside System Penetration: $454K
Sabotage and Denial of Service: $322K
Unauthorized Insider Access: $275K
Web Site Defacements (chart) Source: attrition.org
Security Best Practices • No need to start from scratch • Rather than analyzing every risk, look at what others are doing • Meet standards of due care • Use existing standards and industry “best practices” • Pay attention to regulations and requirements • Government • Industry • Partners
Security Best Practices • Best Practices that Block Most Attacks • Employ a layer 7, full inspection firewall • Use automatically updated anti-virus at gateway, server, and client • Ensure security patches are up to date • Ensure passwords are strong • Turn off unnecessary network services
Security Best Practices • The 80-20 rule of security 1) Security patches 2) Password strength 3) Unnecessary services • The 80-20 rule means do 20% of the work to gain 80% of the results
Security Patches • Norton AntiVirus LiveUpdate • Schedule it to check for updates regularly • Updates virus signatures • Updates content for the entire Norton Internet Security 2002 suite • Virus Scans • Scan for viruses 3x weekly • Enable Personal Firewall • Be sure it is “Enabled”
Security Patches • MS Windows Update • Download critical updates at a minimum • %SystemRoot%\system32\wupdmgr.exe • http://windowsupdate.microsoft.com/ Product Updates • MS Office Product Updates • http://windowsupdate.microsoft.com/ Microsoft Office Product Updates • Other software products
Password Strength • Password stealing • CGI script exploits, password cracking, social engineering, shoulder surfing, … • Network sniffing • Reading the password directly from network traffic • Password guessing • Predictable passwords • blank, “guest”, user name, family name, birthdays, license plates, pets, etc. • Dictionary attack • “earth1” is an example of a password that is susceptible to a dictionary attack (a dictionary word plus a digit) • Brute force
Password Strength • Password cracking tools • Use available tools to regularly check for bad passwords • Commercial tools • Symantec Enterprise Security Manager • Symantec NetRecon • Hacker tools • LØphtCrack (www.atstake.com/research/lc3/) • John the Ripper (www.openwall.com/john/) • Caution: Use of such tools without authorization may be grounds for dismissal and/or legal action
Password Strength • Don’t send passwords over the network in clear text • Consider two-factor authentication • A password + something else • For example, an encryption key pair, a smart card, … • Enforce strict password policies • E.g. minimum 8 characters • Keep your systems and applications patched and updated
Password Strength • Do’s • Use mixed-case letters • Do not just capitalize the first letter, but add uppercase letters throughout the password • Use alphanumeric characters and include punctuation • Use at least six characters, eight characters for Windows NT • Password rules apply to the first N characters of the password • Use a seemingly random selection of letters and numbers • Change passwords regularly
Password Strength • Do’s • Use password expiration settings • No old (recycled) passwords • Can't reuse passwords less than N days old • Old and new passwords must differ by at least N characters • Watch for • Maximum number of repeated character pairs • E.g. “HiiiiiiMom” • Minimum inside digits • E.g. “Hi123456Mom” • Test your passwords • http://www.securitystats.com/tools/password.asp
Password Strength • Do Not’s • Use a network login ID in any form (reversed, capitalized, or doubled) as a password • Use your first, middle or last name or anyone else’s in any form • Use your initials or any nicknames you may have, or anyone else’s • Use a word contained in English or foreign dictionaries, spelling lists, or other word lists and abbreviations • Use a password that can be typed quickly without having to look at the keyboard (easy “shoulder surfing”)
Password Strength • Do Not’s • Use other information easily obtained about you • This includes pet names, license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, and so on • Use a password of all numbers, or a password composed only of alphabet characters • Mix numbers and letters • Use dates, e.g., September, SEPT1999 or any combination thereof • Use keyboard sequences, e.g., qwerty • Use a sample password, no matter how good, that you’ve gotten from a book that discusses information and computer security
Password Strength • Do Not’s • Use any of the above things spelled backwards, in caps, or otherwise disguised • Write a password on sticky notes, desk blotters, calendars, or store it online where it can be accessed by others • Use shared accounts • Accountability for group access is extremely difficult • Reveal a password to anyone
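The Do and Do Not rules on the preceding slides are exactly what a password-policy checker enforces at set time, and writing them down as code shows how a guess like “earth1” or “SEPT1999” fails several rules at once. The following added example is not code from the original presentation; it checks a candidate against the slide's rules (length of eight for Windows NT, mixed case beyond the first letter, digits plus punctuation, no login ID or names in plain, reversed or doubled form, no dictionary words even with digits stripped or spelled backwards, no dates, no keyboard sequences, no long runs of one character). The dictionary, month list and keyboard sequences are small constructed samples standing in for the full word lists a real checker or a cracker such as John the Ripper would use.

```python
"""Check a candidate password against the Do / Do Not rules from the slides.

Added example, not from the original presentation. SAMPLE_DICTIONARY and
KEYBOARD_SEQUENCES are constructed samples; a real check loads full
dictionaries, name lists and the cracker word lists attackers use.
"""
import re
from typing import List, Optional

SAMPLE_DICTIONARY = {  # constructed sample word list
    "earth", "password", "guest", "admin", "secret", "welcome", "dragon",
    "mustang", "letmein", "hello", "monkey", "symantec",
}
MONTHS = {"january", "february", "march", "april", "june", "july", "august",
          "september", "october", "november", "december", "sept"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "qwer", "asdf", "zxcv",
                      "1234", "4321", "abcd")
PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
MIN_LENGTH = 8        # the slide's Windows NT minimum
MAX_REPEAT_RUN = 2    # "HiiiiiiMom"-style runs fail


def _disguises(word: str) -> List[str]:
    """Forms the rules forbid: as typed, reversed, doubled (all case-folded)."""
    w = word.lower()
    return [w, w[::-1], w * 2]


def check_password(password: str, login: Optional[str] = None,
                   names: Optional[List[str]] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    low = password.lower()
    letters_only = re.sub(r"[^a-z]", "", low)   # "earth1" -> "earth"

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("not mixed case")
    elif password[1:] == password[1:].lower():
        problems.append("only the first letter is capitalized")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation")

    # Login ID or personal names in any form (plain, reversed, doubled)
    for label, word in [("login ID", login)] + [("name", n) for n in (names or [])]:
        if word and any(form in low for form in _disguises(word)):
            problems.append(f"contains {label} '{word}' or a disguised form of it")

    # Dictionary words, with digits/punctuation stripped, forwards or backwards
    for word in sorted(SAMPLE_DICTIONARY):
        if len(word) >= 4 and (word in letters_only or word[::-1] in letters_only):
            problems.append(f"built from dictionary word '{word}'")
            break

    if any(m in low for m in MONTHS) or re.search(r"(19|20)\d\d", password):
        problems.append("contains a date")
    if any(seq in low for seq in KEYBOARD_SEQUENCES):
        problems.append("contains a keyboard sequence")
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, password):
        problems.append(f"a character repeats more than {MAX_REPEAT_RUN} times in a row")
    return problems


if __name__ == "__main__":
    for pw, login in [("earth1", None), ("SEPT1999", None), ("HiiiiiiMom5!", None),
                      ("htimsJ#42x", "jsmith"), ("R7#kwPq!vz2", "jsmith")]:
        print(f"{pw!r}: {check_password(pw, login=login) or 'OK'}")
```

The reversed-login case (“htimsJ#42x” for user jsmith) is why the slides say “any of the above things spelled backwards, or in caps, or otherwise disguised”: a cracker applies those same mutations to every word in its list, so a disguise the checker can undo in one line buys nothing.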
Unnecessary Services • Turn off non-essential services • Every service is a potential hole into your network • Allow connections only from trusted systems • Do not share unnecessary resources • Turn off File Sharing • At least password protect it if used • Example: Disable web server services if not used • Ports 80 & 8080
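Before turning services off you have to know which ones are listening. The added example below (not code from the original slides) parses the output of `netstat -an` on Windows, keeps the sockets that accept connections (TCP in LISTENING state and every bound UDP socket), and flags everything not on your list of needed ports: the web server ports 80 and 8080 the slide names, the file-sharing ports, and the default ports of the two trojans discussed earlier. The netstat output is a constructed sample; the service names and the trojan default ports (SubSeven 27374/TCP, Back Orifice 31337/UDP, Back Orifice 2000 54320/TCP) are well-known defaults and not values taken from the presentation, and a backdoor can be reconfigured to listen on any port, so a default-port check is a first pass, not a clean bill of health.

```python
"""List network services listening on a Windows host from `netstat -an`
output and flag the ones the slides say to turn off.

Added example, not from the original slides. SAMPLE_NETSTAT is a constructed
sample in the Windows `netstat -an` format; WELL_KNOWN and BACKDOOR_DEFAULTS
are well-known defaults, not values from the presentation.
"""
from typing import Dict, List, NamedTuple, Set

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1032      64.12.24.5:80          ESTABLISHED
  TCP    192.168.1.10:1033      192.168.1.20:139       TIME_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

WELL_KNOWN = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP web server",
              8080: "HTTP web server (alternate)", 135: "RPC endpoint mapper",
              137: "NetBIOS name service", 139: "NetBIOS session / file sharing",
              445: "SMB over TCP / file sharing"}
BACKDOOR_DEFAULTS = {("TCP", 27374): "SubSeven default port",
                     ("UDP", 31337): "Back Orifice default port",
                     ("TCP", 54320): "Back Orifice 2000 default port"}
FILE_SHARING_PORTS = {137, 138, 139, 445}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_netstat(output: str) -> List[Listener]:
    """Sockets that accept input: TCP in LISTENING state plus every bound UDP socket."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # ESTABLISHED, TIME_WAIT, ... are not services we offer
        address, _, port = local.rpartition(":")
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def review_services(listeners: List[Listener], needed: Set[int]) -> Dict[int, str]:
    """Map every listening port not in `needed` to the reason it should be closed."""
    findings = {}
    for lst in listeners:
        if lst.port in needed:
            continue
        key = (lst.proto, lst.port)
        if key in BACKDOOR_DEFAULTS:
            findings[lst.port] = "possible backdoor: " + BACKDOOR_DEFAULTS[key]
        elif lst.port in FILE_SHARING_PORTS:
            findings[lst.port] = "file sharing: turn off, or at least password protect the shares"
        else:
            findings[lst.port] = "unneeded service: " + WELL_KNOWN.get(
                lst.port, f"unknown service on {lst.proto} {lst.port}")
    return findings


if __name__ == "__main__":
    report = review_services(parse_netstat(SAMPLE_NETSTAT), needed={135})
    for port, reason in sorted(report.items()):
        print(f"{port:>6}  {reason}")
```

Run it against the real output of `netstat -an` on each machine on the SOHO LAN and, as the slide suggests, repeat it periodically: a service that appears between two runs is either something you installed or something an attacker did.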
Unnecessary Services - Hacker Exploitation of File Sharing 1) Find open file shares - Use Legion v2.1 from www.rhino9.com 2) Crack passwords - Copy SAM files from Windows systems - Use LØphtcrack.exe to crack passwords - www.lØpht.com - Can also obtain a backup of the SAM files. Must rename first. NOTE: To get SAM files, - Run rdisk.exe to create an emergency repair disk - Look in \WinNT\system32 for SAM files
Unnecessary Services - Hacker Exploitation of File Sharing 3) Login 4) Install BØ2K - Run BØpeep - Can wrap the Elf Bowling game with BØ2K using Suranwrapper - BØ2K executable is only 110KB 5) Use a packet sniffer - Snort (www.whitehat.com for signatures) - eEye Iris 2.0 Traffic Analyzer (www.eeye.com) 6) Keep under the FBI limit - FBI Cyber Crime Unit - CIA Cyber Crime Unit - Won't prosecute unless > $10,000 or child porn Source: 23.org, 5-17-2000