Lecture Security+ Certification: Chapter 3 (part 2) - Trung tâm Athena

Pages: 43
Size: 753.68 KB

Contents

Chapter 3 - Attacks and malicious code (part 2). After studying this chapter you will be able to: Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking; detail three types of social-engineering attacks and explain why they can be incredibly damaging; list major types of attacks used against encrypted data; list major types of malicious software and identify a countermeasure for each one.

Page 1

Chapter 3: Attacks and Malicious Code

Page 2

Man in the Middle

- Class of attacks in which the attacker places himself between two communicating hosts and listens in on their session
- Both of the other hosts think they are communicating with each other


Page 3

Man-in-the-Middle Attacks

Page 4

Man-in-the-Middle Applications

- Web spoofing
- TCP session hijacking
- Information theft
- Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about the victim's network)


Page 5

Man-in-the-Middle Methods

- ARP poisoning (Hunt)
- ICMP redirects: the router sends a redirect packet to the host, saying a better route exists for certain traffic. See: http://www.qorbit.net/documents/icmp-redirects-are-bad.pdf
- DNS server cache poisoning. See: http://www.securityfocus.com/guest/17905
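The ARP poisoning method above leaves two traces in a host's ARP cache: one MAC address answering for several IP addresses (the attacker claiming the gateway's address as well as its own), and the gateway's MAC address changing over time. The following script is an added example, not part of the lecture or of the Hunt tool; it parses text in the layout of Linux's /proc/net/arp (the two snapshots are constructed, with the gateway 192.168.1.1 "moving" to the MAC of 192.168.1.50) and reports both symptoms.

```python
"""Detect ARP-cache symptoms of a man-in-the-middle (ARP poisoning).

Added example, not part of the lecture. Parses /proc/net/arp-style text
(sample snapshots below are constructed) and flags:
  1. one MAC address bound to several IP addresses, and
  2. the gateway's MAC address changing between two snapshots.
"""
from collections import defaultdict

# Constructed snapshots: the gateway 192.168.1.1 is at 00:11:22:33:44:01 in
# the first, then appears with the MAC of 192.168.1.50 in the second.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.1.50     0x1         0x2         de:ad:be:ef:00:50     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:20     *        eth0
"""

AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:50     *        eth0
192.168.1.50     0x1         0x2         de:ad:be:ef:00:50     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:20     *        eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp-style text, skipping the header
    line and incomplete entries (flags 0x0 means no MAC was learned yet)."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac
    return table


def duplicate_macs(table):
    """Return {mac: [ips]} for every MAC that is bound to more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_changes(before, after, watched_ips):
    """Return {ip: (old_mac, new_mac)} for watched IPs whose MAC changed."""
    changes = {}
    for ip in watched_ips:
        old, new = before.get(ip), after.get(ip)
        if old and new and old != new:
            changes[ip] = (old, new)
    return changes


def analyse(before_text, after_text, gateway_ip):
    """Run both checks and return a list of human-readable alerts."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    alerts = []
    for mac, ips in duplicate_macs(after).items():
        alerts.append(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    for ip, (old, new) in mac_changes(before, after, [gateway_ip]).items():
        alerts.append(f"gateway {ip} moved from {old} to {new}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(BEFORE, AFTER, "192.168.1.1"):
        print("ALERT:", alert)
```

In practice the two snapshots would be successive reads of /proc/net/arp (or `arp -a` output reformatted the same way) taken a few seconds apart; a duplicate-MAC alert on its own is also produced by legitimate setups such as a router with several virtual interfaces, so the gateway-moved check is the stronger signal.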


Page 6

- Attempts to circumvent authentication

Page 7

TCP Session Hijacking

- Attacker uses techniques to make the victim believe he or she is connected to a trusted host, when in fact the victim is communicating with the attacker
- Well-known tool
  • Hunt (Linux)


Page 9

Attacker Using Victim's TCP Connection

Page 10

- Class of attacks that uses trickery on people instead of computers
- Exploits trust between people instead of machines
- Often the first thing a blackhat will try
- Can circumvent the most elaborate and expensive security system


Page 11

Social Engineering Goals

Page 12

Social Engineering Examples

- Calling the help desk or the IT department and pretending to be a "boss" having trouble with logging in
- Calling the help desk or the IT department and pretending to be a "consultant" just hired and needing access quickly
- See: http://www.smh.com.au/articles/2003/09/04/1062548967124.html


Page 13

Social Engineering Remedies

- Training/education
- Have clearly defined policies and procedures
- Rewards for good behavior
- Fire/reprimand people who don't follow proper procedures
- Hire penetration testers to probe your defenses


Page 14

Dumpster Diving

Page 15

Online Attacks

- Use chat and e-mail venues to exploit trust relationships
- Users often do things before they think about it
- The immediacy of the medium often leads to quick decisions
- If you must use IRC, use your own servers


Page 16

Attacks Against Encrypted Data

Page 17

Weak Keys

- Secret keys used in encryption that exhibit regularities in encryption, or even a poor level of encryption
- Some algorithms have a number (usually a small number) of weak keys
- The Wired Equivalent Privacy (WEP) mechanism used in wireless networks suffers from weak keys


Page 18

Mathematical Attack

- Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
- Is much faster than just guessing (brute-force attack)
- The more examples of encrypted data you have, and the more you know about the original data, the better your attack can be


Page 19

Categories of Cryptanalysis

- Ciphertext-only analysis uses only the encrypted form of the data, with no information about the cleartext content
- Known plaintext attack uses some number of messages in both encrypted and cleartext form
- Chosen plaintext attack uses a known, chosen message to generate the ciphertext


Page 20

Birthday Attack

- Class of brute-force mathematical attacks that exploits mathematical weaknesses of hash algorithms and one-way hash functions
- For a hash with k possible outputs, the same output is expected to repeat after about 1.2*k^(1/2) inputs (you are trying to "guess" a previous input for which you know the output)
- This is much faster than a brute force attack
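The 1.2*k^(1/2) figure can be checked experimentally. The script below is an added example, not part of the lecture: it truncates SHA-256 to a small number of bits so that k is tiny (2^16 to 2^24 possible outputs), hashes the inputs "0", "1", "2", ... until an output repeats, and compares the number of inputs needed with the birthday estimate. The choice of SHA-256 and of decimal strings as inputs is an assumption made for the example.

```python
"""Birthday bound on a truncated hash.

Added example, not part of the lecture. For a hash with k possible outputs a
collision is expected after roughly 1.2 * sqrt(k) inputs, far fewer than the k
inputs an exhaustive search would need. SHA-256 is truncated to a few bits so
the experiment runs instantly; inputs are the decimal strings "0", "1", ...
"""
import hashlib
import math


def expected_inputs(k):
    """Expected number of inputs before the first collision (slide's estimate)."""
    return 1.2 * math.sqrt(k)


def truncated_hash(data, bits):
    """SHA-256 of data, keeping only the first `bits` bits as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits):
    """Hash successive inputs until two of them share a truncated digest.

    Returns (inputs_tried, first_input, second_input). The loop is bounded by
    2**bits + 1 because the pigeonhole principle guarantees a collision by then.
    """
    seen = {}
    for i in range(2 ** bits + 1):
        data = str(i).encode()
        h = truncated_hash(data, bits)
        if h in seen:
            return i + 1, seen[h], data
        seen[h] = data
    raise AssertionError("unreachable: pigeonhole principle violated")


def collision_ratio(bits):
    """Inputs actually needed divided by the birthday estimate for this width."""
    tried, _, _ = find_collision(bits)
    return tried / expected_inputs(2 ** bits)


if __name__ == "__main__":
    for bits in (16, 20, 24):
        k = 2 ** bits
        tried, a, b = find_collision(bits)
        print(f"{bits}-bit digest: k={k}, birthday estimate ~{expected_inputs(k):.0f}, "
              f"collision after {tried} inputs ({a!r} and {b!r})")
```

Run a few times with different widths and the ratio stays close to 1, which is why a hash meant to resist collisions needs an output space whose square root is still out of reach (a 128-bit digest gives a birthday bound near 2^64 inputs, not 2^128).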


Page 21

Password Guessing

- Determines a user's password using techniques such as brute force or dictionary attacks
- A password is "guessed" by inputting a string into the hash function. If the resulting hash is the same as that stored by the OS, the input is the password, or at least generates the same hash value


Page 22

Brute Force

- Method of breaking passwords that involves computation of every possible combination of characters for a password of a given character length
- Will eventually find the correct password
- Very computationally intensive
- Longer passwords require longer to guess


Page 23

- Method of breaking passwords by using a predetermined list of words as input to the password hash
- Only works against poorly chosen passwords
- Dictionary lists are available on the Internet
- *Use the user's wife's name, child's name, dog's name, etc. first (if you know them)


Page 24

Password Cracking Programs

- L0phtcrack (now LC4): costs money
- John the Ripper: free
- Ideally, you run these off-line against a captured password file (or SAM file in Windows)
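The guessing procedure from pages 21 to 24 (hash a candidate, compare with the stored hash) succeeds or fails depending on how the stored hash was produced. The script below is an added example, not part of the lecture and not code from any of the tools named above; it runs the same dictionary check against a bare MD5 hash and against a salted, iterated PBKDF2-HMAC hash from Python's hashlib. The wordlist and passwords are constructed, and the iteration count is an assumption for the example.

```python
"""Why password storage details matter against guessing.

Added example, not part of the lecture. Implements the check the slides
describe (hash a candidate, compare with the stored hash) against two storage
schemes: an unsalted fast MD5 and a salted, iterated PBKDF2-HMAC-SHA256.
Wordlist and passwords are constructed for the example.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "qwerty", "summer2003", "rex"]   # constructed

# --- scheme 1: unsalted fast hash, as in a captured password file ---

def store_md5(password):
    """Unsalted MD5: every user with the same password gets the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def guess_md5(stored, wordlist):
    """Dictionary attack as on page 21: hash each word, compare to the stored
    value. Returns the matching word or None if the password is not listed."""
    for word in wordlist:
        if hmac.compare_digest(store_md5(word), stored):
            return word
    return None


# --- scheme 2: salted, iterated hash (the countermeasure) ---
ITERATIONS = 200_000   # assumption for the example; tune to hardware


def store_pbkdf2(password, salt=None):
    """Return (salt, hash). A fresh random salt per user means identical
    passwords get different hashes and a precomputed list is useless."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_pbkdf2(password, salt, stored):
    """Constant-time comparison of a freshly derived key with the stored one."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(dk, stored)


def guess_pbkdf2(salt, stored, wordlist):
    """Still possible with the salt in hand, but every guess costs ITERATIONS
    HMAC computations and cannot be reused for another user's hash."""
    for word in wordlist:
        if verify_pbkdf2(word, salt, stored):
            return word
    return None


if __name__ == "__main__":
    print("md5 guess:", guess_md5(store_md5("rex"), WORDLIST))
    s1, h1 = store_pbkdf2("rex")
    s2, h2 = store_pbkdf2("rex")
    print("same password, same hash?", h1 == h2)      # False: different salts
    print("pbkdf2 guess:", guess_pbkdf2(s1, h1, WORDLIST))
```

The point of the second scheme is not that a listed password becomes unguessable (it does not, which is why the page says dictionary attacks "only work against poorly chosen passwords"), but that each guess costs ITERATIONS hash computations and applies to one user only, so the off-line attack the page describes no longer scales across a whole password file.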


Page 25

- To stop software exploits
  • Stay apprised of the latest security patches provided by software vendors

Page 26

Buffer Overflow Attacks

- Work by inputting more characters than the program was written to accept
- Extra characters contain instructions and a new value to be loaded into the microprocessor's Instruction Pointer register
- The microprocessor loads in the new Instruction Pointer value, then executes the attack code


Page 27

Buffer Overflow Attacks

- The attack code typically downloads the real exploit, or installs a backdoor program
- If you need the application, you can't filter traffic to the TCP or UDP port at the firewall
- If you don't need the application, filter the traffic and remove the application


Page 28

- Many web pages are connected to back-end databases
- Databases use a language called Structured Query Language (SQL)
- SQL injection is the process of adding SQL code to the end of a legitimate entry in a text box
- The code is then run against the backend database, displaying database information to

Page 29

Malicious Software

Page 30

- Self-replicating programs that spread by "infecting" other programs
- Require some action to trigger (run)
- Damaging and costly

Page 32

Virus Databases

Page 33

Evolution of Virus Propagation Techniques

Page 34

Protecting Against Viruses

- Enterprise virus protection solutions
  • Desktop antivirus programs
  • Virus filters for e-mail servers
  • Network appliances that detect and remove viruses
- Instill good behaviors in users and system administrators
  • Keep security patches and virus signature databases up to date
  • Train users to not open unsolicited attachments
  • Unhide file extensions


Page 35

Backdoors (Programs)

- Remote access program surreptitiously installed on user computers that allows the attacker to control behavior
- Detection and elimination
  • Up-to-date antivirus software


Page 38

- Class of malware that uses social engineering to spread
- Appears to be one thing, but contains something else
- Some viruses are classified as Trojans: example "vacation pictures.jpg.vbs"
- A lot of "free" software contains other programs (Gator, etc.)


Page 39

- Set of computer instructions that lie dormant until triggered by a specific event
- Once triggered, the logic bomb performs a malicious task
- Almost impossible to detect until after triggered
- Often the work of former employees
- For example: macro virus


Page 40

- Self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicate itself to that system
- Do not infect other executable programs
- Account for 80% of all malicious activity on the Internet
- Examples: Code Red, Code Red II, Nimda


Page 41

Defense Against Worms

- Latest security updates for all computers and network devices
- Filter all the traffic you can at the firewall
- Remove unneeded services/applications
- Network and host-based Intrusion Detection Systems
- Antivirus programs


Page 42

- Mechanisms, countermeasures, and best practices for:
  • Attacks on encrypted data

Page 43

- Do Project 3-1 on Page 90 of the textbook
  • Don't do step number 9
- Do Project 3-5 on Page 93 of the textbook
- Assignment: Pick out one of the tools we have been using and write a short paper about what type of tool it is, why you like it, what you can do with it, etc. Not a step-by-step, just a short review


Posted: 30/01/2020, 10:54