Information Assurance Foundations - SANS GIAC LevelOne © 2000, 2001
Information Assurance Foundations
Core issues and challenges
Stephen Northcutt, The SANS Institute
Hello. My name is Stephen Northcutt, and the material we are going to cover this next hour is central to understanding the theory and practice of information security. This is a foundational course, developed for the SANS LevelOne Security Essentials certification program. When you complete this course there will be a quiz available from the SANS web page to help reinforce the material and ensure your mastery of it.
In the next 45 minutes or so, I am going to take you on a tour of three famous attacks to see what lessons we can learn from them. Along the way, we are going to discuss the three key dimensions of protection and attack. Most of you are already familiar with them. They are: confidentiality, integrity, and availability. Throughout the LevelOne Security Essentials certification program, you will be deploying countermeasures to protect confidentiality, integrity, and availability; and you may experience attacks against these dimensions. We can think of these as the "primary colors" of information assurance. By mixing and matching these (and we do mix and match, because they are interrelated) we are able to develop either a very strong attack, or a strong defense.
Agenda
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
The next slide is titled "Agenda".
This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed against our computer systems. To focus that discussion, we will be concerned with some of the more famous attacks that have occurred. Now, information assurance can get really complex, but these kinds of problems decompose nicely. As we work our way through the material, we are going to be pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the defenses we discuss. So if you are new to security, or if you just want a quick review, the way I think about these things is: a credit card.
Have you ever had a credit card not be accepted? Three different times in a row, when I was buying tires at a local store in my town, my credit card did not clear. All three times, the bank said their computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to me! I live in a small town and a lot of people know me, and so to have my card rejected was very embarrassing. Confidentiality makes sure that no one but you knows your credit card number. An example of a confidentiality defense is the way that "key" on the bottom of your browser turns solid when you are executing a secure transaction: the bit stream is encrypted to foil casual eavesdroppers. An example of an integrity attack would be telling someone they lie so much, their own mother doesn't believe them! (Ha ha - well, maybe that's not exactly right.) It might be spoofing by using someone else's credit card, or modifying the balance of someone else's account.
Three Bedrock Principles
• Confidentiality
• Integrity
• Availability
Your next slide is titled "Three Bedrock Principles".
Keep in mind that the keys we have been discussing are interrelated. So, an attacker may exploit an unintended function on a web server and use the cgi-bin program "phf" to read the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of their own computer system, the attacker can use brute-force or dictionary-driven password attacks to crack the password hashes (the file does not hold passwords in the clear, but a weak password falls to guessing in minutes). Then, with a stolen password, the attacker can execute an integrity attack when they gain entrance to the system. And they can even use an availability attack as part of this overall effort, to neutralize alarms and defensive systems so they can't report the intruder's existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity and availability) are in jeopardy.
Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an embarrassingly large number) of corporate, government, and educational systems that are compromised and exploited are defeated by these well-known, well-published attacks.
Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We use threat models to describe a given threat and the harm it could do if the system has a vulnerability.
The LevelOne Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways by which threats are manifested.
The next slide is titled “The LevelOne Threat Model.”
On the bottom of your slide, it says that "vulnerabilities are the gateways by which threats are manifested". So, for a threat model to have any meaning at all, there has to be a threat. Are there people with the capability and inclination to attack - and quite possibly harm - your computer systems and networks? What is the probability of that happening? The probability is high that any publicly routable address will be probed or attacked several times a year. The most common countermeasure for most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce the volume of attacks that originate from the Internet, but they don't protect systems from insiders, or from attacks such as e-mail-borne macro viruses: a firewall that lets mail through lets the infected attachment through with it, nearly every time. We will be discussing threats in greater detail in another LevelOne course in this very same step; it is called the "Internet Threat Briefing".
So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its specific vulnerability, the result can easily be system compromise. Again, the most common tactic is to protect systems with perimeter devices such as firewalls. It's cost-effective, it's practical, and it's highly recommended. Even the most open universities or other research environments that require themselves to be very open should be able to do some perimeter defense, even if they can only do it at the department or building level, or even if they can only do it at the host level.
Now we are ready to see what the LevelOne program is designed to do. It will teach you to identify and repair the system and network vulnerabilities that allow many of the most well-known confidentiality, integrity, and availability attacks to succeed. In that way, if your perimeter defense should ever fail for any reason, you greatly reduce the risk of harm.
Three Lessons From History
• Morris worm
• Kevin Mitnick
• Melissa virus
Your next slide is titled "Three Lessons From History".
Perhaps the three most famous information security defense failures are the Morris worm, the Mitnick attack, and the Melissa virus. We don't have time in this course to explore each of these in detail, but you should be familiar with each of these as a security professional. As homework, please try a 'net search for these attacks and read a bit more. There are information security lessons that we ought to be able to learn from these well-known attacks. In each case, there was a computer system vulnerability, and it was exploited.
In each of the cases, there was an absence of defense in depth. In fact, in the case of the Mitnick attack and most systems affected by the Morris worm, the exploit did not have to penetrate any defensive perimeters. So, that's "defense in shallow"!
As we go through each of the attacks, try to look out for the three primary security dimensions: confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist in the first place. The vulnerability is listed in every case; so please note how the threat was able to exploit the vulnerability to compromise or affect the target system(s).
The Morris Worm
• Availability attack (denial of service) by replication
• Internet communications effectively lost
Your next slide is titled "The Morris Worm".
If you haven't read Zen and the Art of the Internet, you probably should. The worm chapter is available at http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html. We'll do a small reading from that section:
"On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and reinfecting machines at a much faster rate than he had anticipated: there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at many sites, including universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.
The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had copies of the program and were actively disassembling it (returning the program back into its source form) to try to figure out how it worked.
Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help retard the speed of the worm. Another method was also discovered at Purdue and widely published. The information didn't get out as quickly as it could have, however, since so many sites had completely disconnected themselves from the Internet."
K Mitnick vs T Shimomura
• Confidentiality, integrity and availability attack
• Reconnaissance probing to determine trust relationship ("r" utilities)
• IP spoofing to act as one side of trust relationship
• Lack of site or system perimeter defenses to retard or defeat attack
Your next slide is titled "K Mitnick vs T Shimomura".
It was Christmas Day, December 25, 1994, when Kevin Mitnick executed his famous attack against Tsutomu Shimomura. How did he defeat one of the most skilled information security professionals in the country? Was it wizardry? No, it was a combination of basic attack principles, along with one neat technical hack: predicting the TCP initial sequence numbers of the target, so that a forged three-way handshake could be completed without ever seeing the target's replies.
First, there was a confidentiality attack. There was no firewall or perimeter defense, so it was possible to probe the facility to gather information. From the reconnaissance probing, Mitnick was able to discover that there was a trust relationship between two of Shimomura's systems. (The Berkeley "r" utilities, rlogin and rsh, grant access on the strength of the client's IP address alone, which is exactly what makes spoofing pay off.)
Next, Mitnick exploited an availability vulnerability with an attack called a SYN flood to silence one half of the trust relationship. With the real server unavailable (and therefore unable to reset a connection it never opened), he assumed that system's identity by spoofing its address and attacked the integrity of the trust relationship. When he got control of the system, he was able to steal many sensitive files, including closely held security programs that were virtually irreplaceable. When considering the damage to your organization from a threat, be sure to consider what would happen if your organization's most important secrets were lost.
It is worth noting that even though all this succeeded, the attack would have failed if there had been one more layer of defense, such as a system perimeter like TCP Wrappers with a "deny all computers, then allow only trusted hosts to access the system" policy.
(Editor's note: TCP Wrappers would likely NOT stop this attack. Mitnick spoofed Shimomura's address so that Mitnick's computer appeared to be at the address used by Shimomura. The additional layer of defense that COULD prevent the attack from succeeding would be to configure the border router to block incoming packets with a source address that matched the site's internal address. - JFK)
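The attack chain just described, and the ingress filter from the editor's note, as an added toy model (this is example code written for this page, not Shimomura's logs or any real tool). The host addresses, the rlogin port, and the fixed 128000-per-connection initial sequence number step (a simplification of the old BSD behaviour) are assumptions chosen for illustration. The model shows why each piece is needed: the reconnaissance connection leaks the sequence number, the SYN flood stops the real trusted host from resetting the forged connection, the blind final ACK only works when the sequence number is guessable, and a border router dropping packets that arrive from outside with an inside source address stops it before any of that matters.

```python
"""Toy model of the Mitnick attack chain: SYN flood to silence the trusted
host, IP spoofing, and TCP initial sequence number (ISN) prediction, plus the
border-router ingress filter from the editor's note.  Added teaching example,
not Shimomura's logs or any real tool.  Addresses, port numbers and the fixed
128000-per-connection ISN step are assumptions chosen for illustration."""
import ipaddress
import random

ISN_STEP = 128000  # assumed: target adds a constant to its ISN per new connection
MASK32 = 0xFFFFFFFF


class Target:
    """Host that grants r-utility access to `trusted_ip` on the strength of the
    source address alone.  With predictable=True its ISNs are guessable."""

    def __init__(self, trusted_ip, predictable=True, seed=1):
        self.trusted_ip = trusted_ip
        self.predictable = predictable
        self._rng = random.Random(seed)
        self._last_isn = 0x7A3F0000
        self.pending = {}        # (src_ip, src_port) -> ISN sent in our SYN-ACK
        self.established = set()

    def _next_isn(self):
        if self.predictable:
            self._last_isn = (self._last_isn + ISN_STEP) & MASK32
        else:
            self._last_isn = self._rng.getrandbits(32)
        return self._last_isn

    def recv_syn(self, src_ip, src_port):
        """A SYN arrives; the SYN-ACK (carrying our ISN) goes back to src_ip,
        so only whoever really holds src_ip can read it."""
        isn = self._next_isn()
        self.pending[(src_ip, src_port)] = isn
        return isn

    def recv_rst(self, src_ip, src_port):
        """An RST from src_ip tears down the half-open connection."""
        self.pending.pop((src_ip, src_port), None)

    def recv_ack(self, src_ip, src_port, ack):
        """Final ACK of the handshake: valid only if it acknowledges ISN + 1."""
        isn = self.pending.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.pending[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def make_ingress_filter(internal_net):
    """Border-router rule: drop packets that arrive from outside but claim an
    inside source address.  Returns allow(src_ip, from_outside) -> bool."""
    net = ipaddress.ip_network(internal_net)

    def allow(src_ip, from_outside):
        return not (from_outside and ipaddress.ip_address(src_ip) in net)

    return allow


def run_attack(target, attacker_ip, trusted_host_silenced, ingress_filter=None):
    """Play the attack against `target`.  Returns "established" when the
    attacker ends up with a connection that the target believes comes from
    the trusted host, otherwise a string naming what stopped it."""
    trusted = target.trusted_ip

    # 1. Reconnaissance: one real connection from the attacker's own address.
    #    This SYN-ACK the attacker can see, so it learns the current ISN.
    seen = target.recv_syn(attacker_ip, 40000)
    target.recv_rst(attacker_ip, 40000)
    predicted = (seen + ISN_STEP) & MASK32      # guess for the next connection

    # 2. Spoofed SYN to the rlogin port, source address forged as the trusted host.
    if ingress_filter is not None and not ingress_filter(trusted, from_outside=True):
        return "dropped by ingress filter"
    target.recv_syn(trusted, 513)               # SYN-ACK goes to the real trusted host

    # 3. A live trusted host would answer that unexpected SYN-ACK with an RST.
    #    The SYN flood against it exists precisely so that this never happens.
    if not trusted_host_silenced:
        target.recv_rst(trusted, 513)
        return "reset by real trusted host"

    # 4. Blind final ACK using the predicted ISN.  If the guess is right, the
    #    target now holds an "established" session from its trusted peer and the
    #    attacker can push data (an rsh command, say) into it without replies.
    if target.recv_ack(trusted, 513, (predicted + 1) & MASK32):
        return "established"
    return "sequence number guess wrong"


if __name__ == "__main__":
    cases = [
        ("predictable ISN, trusted host flooded", True, True, None),
        ("predictable ISN, trusted host alive", True, False, None),
        ("random ISN, trusted host flooded", False, True, None),
        ("predictable ISN, flooded, ingress filter", True, True,
         make_ingress_filter("192.0.2.0/24")),
    ]
    for label, predictable, silenced, filt in cases:
        t = Target("192.0.2.10", predictable=predictable)
        print(f"{label}: {run_attack(t, '203.0.113.5', silenced, filt)}")
```

Only the first case reaches "established". Note that TCP Wrappers, which decides on the packet's source address, would see the trusted address in every case and is not modelled because it changes nothing; the two controls that do change the outcome are unpredictable sequence numbers on the target and anti-spoofing ingress filtering at the border.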
Your next slide is titled "Melissa Virus".
The Melissa macro virus was first observed Friday, March 26, 1999, and quickly became one of the most well-known and widely-spread macro virus infections to date. Many sites were aware of Melissa on Friday, others over the weekend, and of course still others found out Monday morning, so that Monday, March 29, was indeed a challenging day. Within a day, an excellent description of the virus, including how to identify and contain it at the host level, had been developed and published by the CERT Coordination Center at Carnegie Mellon (advisory CA-1999-04).
According to Network Associates' (NAI's) web site, the virus was first posted to the "alt.sex" newsgroup and spread rapidly from there. This extraordinarily rapid spread of Melissa serves as a warning of how fast a virus with an unknown signature can spread. If you examine the virus source code, you can see why it replicated so rapidly: it went through the Microsoft Outlook address books and mailed itself, as an attached Word document, to the first 50 entries in each book.
Now, the Melissa virus did no damage in the sense of deleting or stealing files, and only sites with desktop systems running Microsoft's Outlook email client spread it directly. However, even systems that did not spread the virus by email still had their Microsoft Word documents infected, and continued to pass on the virus as those documents were shared. Moreover, the cost of dealing with Melissa is in the millions of dollars. How did a virus that does no explicit damage (such as deleting files) do so much harm? Well, most of the financial losses are in the area of lost productivity. This is a big availability attack.
- Some sites have reported that they shut down email entirely for multiple days.
- Others lost email connectivity for several hours while cleaning the virus from their servers.
- System administrator and help desk resources were tied up fighting the virus for periods ranging from three to five days at most affected organizations.
The Microsoft macro capability is a significant vulnerability, and the opportunity exists for far more serious attacks than Melissa. And I find this quite interesting, because almost all actual users of Microsoft Office products rarely take advantage of the macro language; disabling macros, or at least making Office prompt before running one, costs most users nothing.
Midpoint Review
• Principles of attack and defense
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
Your next slide is titled "Midpoint Review".
At this point we are familiar with the basic security principles of confidentiality, integrity, and availability. We have examined how these principles come into play with three famous attacks: the Morris worm, the Mitnick attack, and the Melissa Word macro virus.
We have also discussed the threat model and its relationship to vulnerabilities. Vulnerabilities are the gateways by which threats are made manifest. So next, let's drill down into vulnerabilities a bit more and examine the types of things that are commonly exploited. Keep in mind that there are broad-based threats, but on the whole a particular type of threat has to find its matching vulnerability. This is one reason the wise security professional is concerned about confidentiality attacks such as reconnaissance probes: if the attacker can determine our specific configurations, they can direct the appropriate attacks against our assets, and may well succeed.
So let's start this section by taking a quick look at three common vulnerabilities that involve Windows, Unix, and networking, and discuss how they work, keeping in mind the basic security failures that occur to make these attacks possible. The vulnerabilities we will talk about are:
- a confidentiality vulnerability called Windows NT null sessioning;
- a network availability vulnerability called echo-chargen;
- an integrity vulnerability against Unix systems: the IMAP buffer overflow.
Null Session
net use \\172.20.244.164\IPC$ "" /USER:""
Your next slide is titled "Null Session".
The null session exploit is an attack against confidentiality. In essence, it's just "finger" on steroids. The attacker "logs in" to the Windows NT system with the "net use" command listed on your slide: it connects to the IPC$ share with an empty user name and an empty password, which NT accepts by default. After logging in, it is possible to gather a great deal of information about the system's users, groups, shares and policies. Though this could be done by hand, it would be very tedious, so there are tools to make this a reasonable task. The tool shown in the screen shot is DumpACL by SomarSoft. It was available for free from www.somarsoft.com, but they seem to have disappeared, which is a tragedy. They were wonderful folks and were among the first to develop security information and tools for NT. However, the software is still out on the Internet if you search for it. (Editor's note: SomarSoft has granted distribution rights for its tools, including DumpACL (now called DumpSec), to SystemTools.com. DumpSec can be obtained from either http://www.somarsoft.com or http://www.systemtools.com - JEK)
The screenshot shown on the slide was from before I entered the "null session". Afterwards, I would be able to enumerate boatloads of information about users, if that system was vulnerable to a null session attack. Enumerate is a popular term in the industry to describe what we used to call "depth first, breadth second" searches. So what? Why do you care? Well, if you find a PDC or BDC (Primary Domain Controller or Backup Domain Controller) you can use null sessioning to get a long list of user names, including all the members of the Administrators group. Then you could try consecutive "net use" commands, trying different passwords against each of those names. I am not really big on passwords, since they can be sniffed, or attacked by brute force, but they do have their place. There are a lot of weak passwords out there and every little bit helps. So, the longer we delay an attacker while they try dictionary attacks on our passwords, the more likely we are to catch them in the act. Two checks belong on your list: block NetBIOS (UDP 137 and 138, TCP 139) at the perimeter so that IPC$ cannot be reached from the Internet at all, and on each NT 4.0 system (Service Pack 3 or later) set the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa so that an anonymous connection can no longer list accounts and shares.
Echo-Chargen
08:08:16 spoofed.net.echo > 172.31.203.17.chargen: udp
08:21:48 spoofed.net.echo > 192.168.14.50.chargen: udp
08:25:12 spoofed.net.echo > 192.168.102.3.chargen: udp
08:42:22 spoofed.net.echo > 192.168.18.28.chargen: udp
08:47:21 spoofed.net.echo > 172.31.130.93.chargen: udp
08:51:27 spoofed.net.echo > 172.31.153.78.chargen: udp
08:53:13 spoofed.net.echo > 172.31.146.49.chargen: udp
echo, port 7: will echo back any data it receives
chargen, port 19: will transmit a stream of characters when it receives data
Vulnerability scans to locate echo, chargen, daytime ports are highly recommended.
Your next slide is titled "Echo-Chargen".
This is a classic availability attack. On your slide you have a trace of network traffic packet header information. If you send a packet to the echo port with the word "hello", it will respond back "hello". If you connect to the chargen port, it generates a string of characters. Soooo, what if you spoof the Internet address of a host with the echo port open and send a packet to the chargen port of a second host? The chargen host sends a string of characters back to the echo host's echo port... which echoes those bytes back to the chargen host's chargen port... and so on. The two systems expend all their resources, and the bandwidth between them, talking back and forth with no message of value being passed. Look closely at the trace: every packet carries the same forged source (the echo port of "spoofed.net"), but the destinations are seven different hosts, so what you are seeing is an attacker seeding a fresh loop against one target after another, a few minutes apart. There is no logical reason for having these services available, but you see them active on hosts (and sometimes routers) time and time again. Remember the TV commercial where the whole football stadium was sucked into the argument over whether some cool refreshing malt beverage "tasted great" or was "less filling"? Well, that could happen in your organization on your network if you are vulnerable to echo-chargen.
This oscillation will also work with echo to daytime and echo to quote of the day as well. The fix is to turn the small services off: comment out echo, chargen, daytime and discard in /etc/inetd.conf on Unix, use "no service udp-small-servers" and "no service tcp-small-servers" on Cisco IOS routers, and filter UDP ports 7, 13, 17 and 19 at the perimeter. And because the seed packet has a forged source address, the same ingress filtering that blocks spoofed packets at the border router stops this attack from being launched through your site as well.
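Two of the checks this section calls for, written out as an added example (this is code written for this page, not a SANS tool or part of tcpdump): a parser that reads tcpdump-style lines like the ones on the slide and flags any UDP datagram sent from one small-service port to another, since no legitimate traffic ever looks like that and every such packet can seed a loop, and an audit of /etc/inetd.conf that reports which small services are still switched on. The trace reuses the slide's seven lines with one constructed benign DNS line mixed in; the inetd.conf is a constructed sample. Port names follow the ones tcpdump prints from /etc/services, which is an assumption about the capture host.

```python
"""Detect echo/chargen-style loop seeds in tcpdump-format traffic and audit an
inetd.conf for the "small services" that make them possible.  Added example
for this course page, not a SANS or tcpdump tool.  The trace reuses the
slide's lines plus one constructed benign line; the inetd.conf is constructed."""
import re
from collections import Counter

# Port names tcpdump prints for the UDP "small services" (depends on /etc/services)
SMALL_SERVICES = {"echo": 7, "discard": 9, "daytime": 13,
                  "qotd": 17, "quote": 17, "chargen": 19}
SMALL_PORTS = set(SMALL_SERVICES.values())

# "HH:MM:SS[.frac] host.port > host.port: udp|tcp ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<proto>udp|tcp)\b")

SAMPLE_TRACE = """\
08:08:16 spoofed.net.echo > 172.31.203.17.chargen: udp
08:09:01 10.0.0.5.3345 > 192.168.1.1.domain: udp
08:21:48 spoofed.net.echo > 192.168.14.50.chargen: udp
08:25:12 spoofed.net.echo > 192.168.102.3.chargen: udp
08:42:22 spoofed.net.echo > 192.168.18.28.chargen: udp
08:47:21 spoofed.net.echo > 172.31.130.93.chargen: udp
08:51:27 spoofed.net.echo > 172.31.153.78.chargen: udp
08:53:13 spoofed.net.echo > 172.31.146.49.chargen: udp
"""


def port_number(name):
    """Map a tcpdump port field (service name or digits) to a port number."""
    if name.isdigit():
        return int(name)
    return SMALL_SERVICES.get(name)   # None for any other service name


def parse_line(line):
    """Parse one tcpdump line into a dict, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, _, src_port = m.group("src").rpartition(".")
    dst_host, _, dst_port = m.group("dst").rpartition(".")
    return {"ts": m.group("ts"), "proto": m.group("proto"),
            "src_host": src_host, "src_port": port_number(src_port),
            "dst_host": dst_host, "dst_port": port_number(dst_port)}


def is_loop_seed(pkt):
    """A datagram from one small-service port to another is never legitimate
    traffic: each such packet can start a self-sustaining echo loop."""
    return (pkt is not None and pkt["proto"] == "udp"
            and pkt["src_port"] in SMALL_PORTS and pkt["dst_port"] in SMALL_PORTS)


def find_loop_seeds(trace):
    return [p for p in (parse_line(l) for l in trace.splitlines()) if is_loop_seed(p)]


def loop_report(trace):
    """Count seeds per forged source endpoint.  The host named here is the one
    whose address is being spoofed: it will receive every reply."""
    counts = Counter()
    for p in find_loop_seeds(trace):
        counts[f"{p['src_host']}:{p['src_port']}"] += 1
    return dict(counts)


SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
echo    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
chargen dgram   udp  wait    root  internal
#daytime stream tcp  nowait  root  internal
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
"""


def enabled_small_services(conf_text):
    """Names of small services still switched on (uncommented) in inetd.conf."""
    found = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[0]
        if name in SMALL_SERVICES:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for p in find_loop_seeds(SAMPLE_TRACE):
        print(f"{p['ts']} loop seed: {p['src_host']}:{p['src_port']}"
              f" -> {p['dst_host']}:{p['dst_port']}")
    print("forged sources:", loop_report(SAMPLE_TRACE))
    print("small services to disable:", enabled_small_services(SAMPLE_INETD_CONF))
```

Run against the slide's trace, the report names "spoofed.net:7" seven times and ignores the DNS line; the inetd audit reports echo and chargen still enabled while the commented-out daytime line is correctly skipped. The same detector, pointed at a live capture with tcpdump's default output format, flags the seed packets rather than the loop itself, which is the point: the seed is the only packet an attacker sends, so it is the one to alarm on.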