April 23, 2003 Liudvikas Bukys 1
Four Security Incidents at the University of Rochester
And What You Can Learn From Them
Outline
• Three notorious incidents
  – Cuckoo’s Egg (1988)
    • A brief visit from the Chaos Computer Club.
  – Morris Worm (November 1988)
    • The messy fate we had in common with many other sites; about which I testified at the trial in Syracuse.
  – Takedown (January 1995)
    • Amidst the compromise of San Diego computers and the well-publicized tracking down of fugitive Kevin Mitnick, our site is cracked with the same tools and some licensed software is stolen.
• One unresolved case
  – A persistent attacker (December 2001 – October 2002)
    • Someone with a grudge keeps trying to do damage (and sometimes succeeds).
Cuckoo’s Egg – Events
• Symptom:
  – A call from Cliff Stoll, and a referral to the FBI
  – Intruder had been observed visiting one system and exploring
• Vulnerabilities exploited:
  – Guest account set up for vendor (BBN), which stored the password information in cleartext on one of their (compromised) systems
Cuckoo’s Egg – Lessons
• Lessons:
  – You can’t control reusable passwords
• Today:
  – Reusable passwords are still used (and stored) by many applications
  – Cliff Stoll is among the most careful and meticulous writers around, but he still got some details wrong. Take the press with a grain of salt.
Cuckoo’s Egg – Fixes
• Technical Solutions:
  – n-factor authentication
  – One-time passwords
  – Secure password storage (tokens)
  – Biometrics
  – Certificates
  – Application-opaque authentications (e.g. Kerberos tickets)
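As an added illustration of the one-time-password item (example code, not from the talk): an S/Key-style hash chain in which the verifier stores only the last accepted value, so a password captured in transit, or lifted from a vendor's cleartext store as in the Cuckoo's Egg case, cannot be reused. The names `enroll`, `otp` and `OtpVerifier` are assumed here.

```python
import hashlib
import hmac

# Constructed example: S/Key-style one-time passwords (Lamport hash chain).
# The client keeps a secret seed; the verifier stores only H^n(seed), never the
# seed or any reusable password, so a copy of the verifier's store is not a credential.


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _chain(seed: bytes, rounds: int) -> bytes:
    """Apply H `rounds` times to the seed: H^rounds(seed)."""
    value = seed
    for _ in range(rounds):
        value = _h(value)
    return value


def enroll(seed: bytes, n: int) -> bytes:
    """Value registered with the verifier out of band: H^n(seed)."""
    return _chain(seed, n)


def otp(seed: bytes, n: int, i: int) -> bytes:
    """The i-th password (1 <= i <= n) is H^(n-i)(seed); the n-th is the seed itself."""
    if not 1 <= i <= n:
        raise ValueError("password index out of range")
    return _chain(seed, n - i)


class OtpVerifier:
    def __init__(self, registered: bytes):
        self._last = registered  # H^n(seed) at enrollment, then the last accepted password

    def verify(self, candidate: bytes) -> bool:
        # One hash forward must reproduce the stored value; on success the stored
        # value ratchets to the candidate, so replaying it (or anything earlier) fails.
        if hmac.compare_digest(_h(candidate), self._last):
            self._last = candidate
            return True
        return False


def demo() -> list:
    seed, n = b"constructed-seed-not-a-real-secret", 5
    server = OtpVerifier(enroll(seed, n))
    first, second = otp(seed, n, 1), otp(seed, n, 2)
    return [
        server.verify(first),   # fresh password: accepted
        server.verify(first),   # same password replayed: rejected
        server.verify(second),  # next password in the chain: accepted
    ]
```

Real S/Key also sends the sequence number in its challenge so the verifier can resynchronise if a password is skipped; this minimal version requires strict order.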
Morris Worm – Events
• Symptoms:
  – Many systems under enough load to make them useless; reappearance after reboot
• Vulnerabilities exploited:
  – Sendmail “wizard” debug code
  – Rexec password cracking via dictionary attack
  – Finger daemon buffer overflow into stack frame
  – Hunting for trusted hosts
Morris Worm – Lessons
• Communication among humans inadequate; CERT organized in the aftermath
• System monoculture is a risk
• Heightened interest in:
  – Diligent system administration and patch distribution
  – Code audit
• If called to testify, anticipate being asked about any remark in any forum
• In retrospect, did successful prosecution deter worm authors?
  – Over ten years until the next major Internet worm incidents
  – But now new widespread worm outbreaks are frequent
Morris Worm – Fixes
• Buffer & Stack overflow protection & prevention of execution
• Constrained operating system environments:
  – Sandbox
  – Capability-based systems
  – Chroot
  – Reference Monitor
• Recent work:
  – e.g. “systrace” Interactive Policy Generator for System Calls (U Mich)
  – e.g. “Okena StormWatch” Intrusion Prevention System (Cisco)
A Note on Worms
• Recent models of worm behavior by Moore, Shannon, Savage, Paxson, Weaver, others.
  – Good fit to available data for Code Red worm (TCP/HTTP exploiter of Microsoft IIS) and Sapphire/Slammer worm (UDP exploiter of Microsoft SQL Server).
• “Flash Worms” predicted and now observed.
• “Since high-speed worms are no longer simply a theoretical threat, worm defenses need to be automatic; there is no conceivable way for system administrators to respond to threats of this speed. Human-mediated filtering provides no benefit for actually limiting the number of infected machines.”
Takedown – Events
• Grad student observes a super-user “su” into his account, and also the insertion of commands into his terminal session, while he is logging in remotely to SGI (through their firewall with a challenge-response authentication token)
• Prolonged offline analysis of how it happened is inconclusive until more information is gathered from other affected sites (Loyola University Chicago and SDSC)
  – Some log files wiped
  – Other log files recovered with substantial effort (attacker deleted process accounting files, but the system still had an open file handle on them)
• Brief second intrusion when systems were placed back online to let the mail flow
• Source code files, licensed from SGI, were copied to another compromised site
Takedown – Events
• Vulnerabilities exploited:
  – Trusted hosts +
  – TCP sequence number prediction +
  – Simple one-way protocol (rshell/rcmd) – vulnerability to IP spoofing
Takedown – Lessons
• Trusted hosts – d-oh!
• Diligent administration is not enough
  – Crackers discover/use/hoard vulnerabilities that are not known widely or for which no patches are available
  – TCP sequence number prediction attacks described in 1985 (R.T. Morris, CSTR 117, AT&T Bell Labs)
• Obscurity is not enough
  – Why would a cracker go to the effort at my site?
• Security perimeters get ragged
  – firewall + smart card doesn’t protect a session hijacked from outside
Takedown – Fixes
• Ingress filtering: drop incoming packets with forged source address
• Egress filtering: drop outgoing packets with forged source address (good citizenship)
• TCP sequence number defense
  – Need unpredictable content but must take care to minimize probability of collision with sequence numbers of packets from old stale connection.
  – State is specific to particular <localhost,localport,remotehost,remoteport> 4-tuple.
  – See RFC1948 (Bellovin, May 1996)
• Firewalls constrain allowed network operations to a deliberately-analyzed subset of possible network behavior – minimize the exposure to the unanticipated.
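The RFC 1948 sequence-number defense above, worked through as an added example (not code from the talk or from any particular TCP stack): the ISN is the classic 4-microsecond clock plus a keyed-hash offset of the connection 4-tuple, so one 4-tuple's sequence space still advances with time (limiting collisions with stale packets) while the offset for any other 4-tuple is not derivable from observed ISNs. The class and function names, the HMAC-SHA-256 choice for F, and the constructed addresses and clock readings are assumptions here.

```python
import hashlib
import hmac
import os
import time

# Constructed example of the RFC 1948 scheme:
#   ISN = M + F(localhost, localport, remotehost, remoteport, secret)
# M is the 4-microsecond ISN clock, which keeps a connection's sequence space moving
# so a stale segment from an old incarnation of the same 4-tuple is unlikely to fall
# inside the new window; F is a keyed hash (HMAC-SHA-256 is our choice for F), so the
# offset is fixed for a given 4-tuple yet cannot be derived from other connections' ISNs.

ISN_TICK_NS = 4_000      # one ISN clock tick every 4 microseconds
MASK32 = 0xFFFFFFFF      # sequence numbers are 32-bit, so all arithmetic wraps


class IsnGenerator:
    def __init__(self, secret=None, clock_ns=time.monotonic_ns):
        self._secret = secret if secret is not None else os.urandom(32)  # per-boot secret
        self._clock_ns = clock_ns

    def _offset(self, local_host, local_port, remote_host, remote_port) -> int:
        # F(...): depends only on the 4-tuple and the secret, never on the clock.
        msg = f"{local_host}|{local_port}|{remote_host}|{remote_port}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def isn(self, local_host, local_port, remote_host, remote_port) -> int:
        m = self._clock_ns() // ISN_TICK_NS
        f = self._offset(local_host, local_port, remote_host, remote_port)
        return (m + f) & MASK32


def isn_delta(a: int, b: int) -> int:
    """b - a in 32-bit sequence-number arithmetic."""
    return (b - a) & MASK32


def demo() -> dict:
    # Constructed clock readings (ns): t0, then 100 ticks later for the next two calls.
    ticks = iter([0, 100 * ISN_TICK_NS, 100 * ISN_TICK_NS])
    gen = IsnGenerator(secret=b"constructed-secret", clock_ns=lambda: next(ticks))
    a0 = gen.isn("10.0.0.1", 1023, "10.0.0.2", 514)  # rsh-style 4-tuple, constructed
    a1 = gen.isn("10.0.0.1", 1023, "10.0.0.2", 514)  # same 4-tuple, 100 ticks later
    b1 = gen.isn("10.0.0.1", 1024, "10.0.0.2", 514)  # other local port, same instant
    return {"same_tuple_delta": isn_delta(a0, a1),   # exactly 100: tracks the clock
            "cross_tuple_delta": isn_delta(a1, b1)}  # opaque: differs by F, not by time
```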
Persistent – Events
• From December 2001 – Fall 2002, UR experienced many network attacks from many sites using a variety of tools
• Compromised machines were backdoored and used for subsequent attacks, or deliberately destroyed
  – Pharmacy robotic picker
  – Facilities environmental monitoring systems
  – Simon School email servers
  – Many PCs and workstations
• Periodic “spite” attacks on non-UR sites: web defacements apparently solely for the purpose of posting derogatory remarks about UR
Persistent – Events
• Majority of attacks were via intermediaries that had themselves been compromised and backdoored: a few academic and government sites (MIT, CMU, NIH), many small businesses in a single large IP address block serving DSL
• Common features of the intermediaries showed that the incidents were related:
  – Backdoors with the same password
  – Lingering connections back to a common attacking site (in China)
• Use of both general-purpose and cracker-specific proxies and relays. (Note: Many people make use of the same relays for privacy/censorship reasons.)
Persistent – Attacks
• Successive waves of scanning for and exploitation of vulnerabilities:
  – Microsoft SQL Server and MSDE default administrator passwords
  – PC Anywhere weak passwords
  – SMB/NETBIOS weak administrator passwords
  – Windows Terminal Server weak passwords
  – Usual array of web server holes (mostly in Microsoft IIS) and http-exploitable holes (e.g. Sun Answerbook)
Persistent – Tools
• Use of a variety of turn-key tools for vulnerability detection and exploitation; notably:
  – Fluxay, a graphical user interface with extensibility, databases of vulnerable hosts and installed remote agents, and one-click functioning of common operations such as compromise-and-install-backdoor
  – ISS (Internet Security Scanner), a commercial tool, for which there are known license-key generators
Persistent – Lessons
• Perimeter defense becomes ineffective once it has been breached and the attacker has a “foot in the door.”
• Insider always has a foot in the door.
• There is a practically limitless supply of vulnerable systems that attackers can use as remote agents.
• Response time across organizational and national boundaries is a problem. ISPs and nations are almost immovable. Educational sites tend to have incident response processes in place. Small businesses will cut to the chase if you find the right person.
• There is evidence there if you dig hard & soon enough.
Readings
• Stoll, “Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage”
  – ISBN 0743411463
• Eichin, Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988”
  – http://www.mit.edu:8001/people/eichin/virus/main.html
• Shimomura, Markoff, “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw – By the Man Who Did It”
  – http://www.takedown.com
  – ISBN 0786862106
  – This is not a balanced treatment, but it does describe the raw events of the interrelated SDSC, Rochester, and Loyola incidents.