Four Security Incidents at the University of Rochester
And What You Can Learn From Them

Liudvikas Bukys, April 23, 2003

Outline

• Three notorious incidents
  – Cuckoo’s Egg (1988)
    • A brief visit from the Chaos Computer Club.
  – Morris Worm (November 1988)
    • The messy fate we had in common with many other sites; about which I testified at the trial in Syracuse.
  – Takedown (January 1995)
    • Amidst the compromise of San Diego computers and the well-publicized tracking down of fugitive Kevin Mitnick, our site is cracked with the same tools and some licensed software is stolen.
• One unresolved case
  – A persistent attacker (December 2001 – October 2002)
    • Someone with a grudge keeps trying to do damage (and sometimes succeeds).

Cuckoo’s Egg – Events

• Symptom:
  – A call from Cliff Stoll, and a referral to the FBI
  – Intruder had been observed visiting one system and exploring
• Vulnerabilities exploited:
  – Guest account set up for vendor (BBN), which stored the password information in cleartext on one of their (compromised) systems

Cuckoo’s Egg – Lessons

• Lessons:
  – You can’t control reusable passwords
• Today:
  – Reusable passwords are still used (and stored) by many applications
  – Cliff Stoll is among the most careful and meticulous writers around, but he still got some details wrong. Take the press with a grain of salt.

Cuckoo’s Egg – Fixes

• Technical Solutions:
  – n-factor authentication
  – One-time passwords
  – Secure password storage (tokens)
  – Biometrics
  – Certificates
  – Application-opaque authentications (e.g. Kerberos tickets)
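As an added illustration (not from the talk) of why a one-time password fixes the reuse problem the Cuckoo’s Egg slides describe: a Lamport-style hash chain in the spirit of S/KEY, where the server keeps only the current chain head and a captured value is worthless the moment it has been accepted. SHA-256 as the step function, the class and function names, and the fixed seed in `demo()` are assumptions for this example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

def h(data: bytes) -> bytes:
    """One step of the chain (S/KEY used folded MD4/MD5; SHA-256 here is an assumption)."""
    return hashlib.sha256(data).digest()

def hash_chain(seed: bytes, n: int) -> bytes:
    """h^n(seed): the seed hashed n times (h^0 is the seed itself)."""
    x = seed
    for _ in range(n):
        x = h(x)
    return x

class OtpServer:
    """Holds only the current chain head h^counter(seed), never the seed."""
    def __init__(self, head: bytes, counter: int):
        self.head = head
        self.counter = counter          # uses remaining before re-enrolment

    def verify(self, candidate: bytes) -> bool:
        if self.counter == 0:
            return False                # chain exhausted: re-enrol with a fresh seed
        if h(candidate) != self.head:
            return False                # wrong value, or a captured value replayed
        self.head = candidate           # a replay of `candidate` now fails the check above
        self.counter -= 1
        return True

class OtpClient:
    """Derives each password from the seed; the value sent is never valid twice."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.remaining = seed, n

    def next_password(self) -> bytes:
        self.remaining -= 1
        return hash_chain(self.seed, self.remaining)

def enroll(n: int = 100, seed: Optional[bytes] = None) -> Tuple[OtpClient, OtpServer]:
    """Enrolment: the client keeps the seed, the server gets h^n(seed) over a trusted channel."""
    seed = seed or secrets.token_bytes(32)
    return OtpClient(seed, n), OtpServer(hash_chain(seed, n), n)

def demo() -> dict:
    client, server = enroll(n=5, seed=b"constructed-seed")   # constructed, not random
    p1 = client.next_password()
    first = server.verify(p1)          # accepted
    replay = server.verify(p1)         # rejected: the same value sniffed and re-sent
    second = server.verify(client.next_password())
    return {"first": first, "replay": replay, "second": second, "remaining": server.counter}
```

Contrast with the BBN guest account: a cleartext password copied from a compromised host was valid for as long as nobody changed it, whereas here the server-side state never lets a captured value authenticate twice.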

Morris Worm – Events

• Symptoms:
  – Many systems under enough load to make them useless; reappearance after reboot
• Vulnerabilities exploited:
  – Sendmail “wizard” debug code
  – Rexec password cracking via dictionary attack
  – Finger daemon buffer overflow into stack frame
  – Hunting for trusted hosts

Morris Worm – Lessons

• Communication among humans inadequate; CERT organized in the aftermath
• System monoculture is a risk
• Heightened interest in:
  – Diligent system administration and patch distribution
  – Code audit
• If called to testify, anticipate being asked about any remark in any forum
• In retrospect, did successful prosecution deter worm authors?
  – Over ten years until the next major Internet worm incidents
  – But now new widespread worm outbreaks are frequent

Morris Worm – Fixes

• Buffer & stack overflow protection & prevention of execution
• Constrained operating system environments:
  – Sandbox
  – Capability-based systems
  – Chroot
  – Reference Monitor
• Recent work:
  – e.g. “systrace” Interactive Policy Generator for System Calls (U Mich)
  – e.g. “Okena StormWatch” Intrusion Prevention System (Cisco)

A Note on Worms

• Recent models of worm behavior by Moore, Shannon, Savage, Paxson, Weaver, others.
  – Good fit to available data for Code Red worm (TCP/HTTP exploiter of Microsoft IIS) and Sapphire/Slammer worm (UDP exploiter of Microsoft SQL Server).
• “Flash Worms” predicted and now observed.
• “Since high-speed worms are no longer simply a theoretical threat, worm defenses need to be automatic; there is no conceivable way for system administrators to respond to threats of this speed. Human-mediated filtering provides no benefit for actually limiting the number of infected machines.”
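To put a number on the quoted claim, here is an added worked example (not part of the talk) of the random constant spread model those authors fitted to Code Red: a logistic curve in the infected fraction. The parameter values are assumptions taken from the published fits (k ≈ 1.8 per hour for Code Red I; an 8.5 s early doubling time for Slammer), and the function names are mine.

```python
import math

def logistic_fraction(t: float, k: float, t0: float) -> float:
    """Random Constant Spread (RCS) model: fraction of vulnerable hosts infected at time t,
    a(t) = e^{k(t-t0)} / (1 + e^{k(t-t0)}); k is the initial compromise rate, t0 the midpoint."""
    return 1.0 / (1.0 + math.exp(-k * (t - t0)))

def time_between(k: float, a_from: float, a_to: float) -> float:
    """Time for the infected fraction to grow from a_from to a_to. Inverting a(t) gives
    t - t0 = ln(a / (1 - a)) / k, so the difference does not depend on t0."""
    def t_rel(a: float) -> float:
        return math.log(a / (1.0 - a)) / k
    return t_rel(a_to) - t_rel(a_from)

def k_from_doubling(doubling_seconds: float) -> float:
    """Early on a(t) grows like e^{kt}, so an observed doubling time d gives k = ln 2 / d."""
    return math.log(2.0) / doubling_seconds

# Assumed parameters, taken from the published fits rather than from the talk:
# Code Red I, k ≈ 1.8 per hour (Staniford, Paxson, Weaver); Slammer, ≈ 8.5 s doubling
# time in its first minute (Moore, Paxson, Savage, Shannon, Staniford, Weaver).
CODE_RED_K = 1.8 / 3600.0          # per second
SLAMMER_K = k_from_doubling(8.5)   # per second

def response_window(k: float) -> float:
    """Seconds between 1% and 99% of the vulnerable population being infected: the
    window in which any containment would have to act to change the outcome."""
    return time_between(k, 0.01, 0.99)
```

With these parameters the window is roughly five hours for Code Red and under two minutes for Slammer, which is the arithmetic behind "no conceivable way for system administrators to respond".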

Takedown – Events

• Grad student observes a super-user “su” into his account, and also the insertion of commands into his terminal session, while he is logging in remotely to SGI (through their firewall with a challenge-response authentication token)
• Prolonged offline analysis of how it happened is inconclusive until after more information was gathered from other affected sites (Loyola University Chicago and SDSC)
  – Some log files wiped
  – Other log files recovered with substantial effort (attacker deleted process accounting files but system still had an open file)
• Brief second intrusion when systems were placed back online to let the mail flow
• Source code files, licensed from SGI, were copied to another compromised site

Takedown – Events

• Vulnerabilities exploited:
  – Trusted hosts +
  – TCP sequence number prediction +
  – Simple one-way protocol (rshell/rcmd) – vulnerability to IP spoofing

Takedown – Lessons

• Trusted hosts – d’oh!
• Diligent administration is not enough
  – Crackers discover/use/hoard vulnerabilities that are not known widely or for which no patches are available
  – TCP sequence number prediction attacks described in 1985 (R.T. Morris, CSTR 117, AT&T Bell Labs)
• Obscurity is not enough
  – Why would a cracker go to the effort at my site?
• Security perimeters get ragged
  – firewall + smart card doesn’t protect a session hijacked from outside

Takedown – Fixes

• Ingress filtering: drop incoming packets with forged source address
• Egress filtering: drop outgoing packets with forged source address (good citizenship)
• TCP sequence number defense
  – Need unpredictable content but must take care to minimize probability of collision with sequence numbers of packets from old stale connection.
  – State is specific to particular <localhost,localport,remotehost,remoteport> 4-tuple.
  – See RFC1948 (Bellovin, May 1996)
• Firewalls constrain allowed network operations to a deliberately-analyzed subset of possible network behavior – minimize the exposure to the unanticipated.
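The RFC 1948 sequence number defense from the slide above, as an added example that is not part of the talk: ISN = M + F(localhost, localport, remotehost, remoteport, secret), where M is the old 4 µs clock and F is MD5 over the 4-tuple and a per-boot secret. The `demo()` addresses, the fixed secret it uses, and the function names are assumptions; `ticks` stands in for the clock so the example runs deterministically.

```python
import hashlib
import os
import struct

MASK32 = 0xFFFFFFFF
BOOT_SECRET = os.urandom(16)   # chosen at boot, never disclosed

def f_tuple(local_host: str, local_port: int,
            remote_host: str, remote_port: int, secret: bytes) -> int:
    """F(localhost, localport, remotehost, remoteport, secret): RFC 1948 suggests MD5,
    truncated here to 32 bits. Without the secret an outsider could compute this."""
    data = f"{local_host}|{local_port}|{remote_host}|{remote_port}".encode() + secret
    return struct.unpack("<I", hashlib.md5(data).digest()[:4])[0]

def rfc1948_isn(local_host: str, local_port: int, remote_host: str, remote_port: int,
                ticks: int, secret: bytes = BOOT_SECRET) -> int:
    """ISN = M + F(...) mod 2^32. `ticks` stands in for M, the 4-microsecond clock, so the
    ISN for one 4-tuple still advances with time (protection against stale segments)."""
    return (ticks + f_tuple(local_host, local_port, remote_host, remote_port, secret)) & MASK32

def isn_distance(a: int, b: int) -> int:
    """How far b is ahead of a, modulo 2^32."""
    return (b - a) & MASK32

def demo(secret: bytes = b"constructed-per-boot-secret") -> dict:
    # An outsider makes a legitimate connection and observes our ISN at tick 1,000,000.
    seen = rfc1948_isn("192.0.2.10", 513, "198.51.100.5", 40000, 1_000_000, secret)
    # 5,000 ticks later on the same 4-tuple: the offset is exactly the clock delta,
    # as it was with a plain clock, so stale-segment handling is unchanged.
    same = rfc1948_isn("192.0.2.10", 513, "198.51.100.5", 40000, 1_005_000, secret)
    # A different 4-tuple (a trusted host's rlogin port) at the same instant: the
    # per-tuple hash makes it unrelated to what was observed, which is what defeats prediction.
    other = rfc1948_isn("192.0.2.10", 513, "192.0.2.20", 1023, 1_005_000, secret)
    return {"same_tuple_delta": isn_distance(seen, same),
            "other_tuple_delta": isn_distance(seen, other)}
```

The per-tuple offset is exactly the "state specific to a particular 4-tuple" the slide mentions: observing one connection tells you nothing about the ISN any other pair of endpoints will receive.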

Persistent – Events

• From December 2001 – Fall 2002, UR experienced many network attacks from many sites using a variety of tools
• Compromised machines were backdoored and used for subsequent attacks, or deliberately destroyed
  – Pharmacy robotic picker
  – Facilities environmental monitoring systems
  – Simon School email servers
  – Many PCs and workstations
• Periodic “spite” attacks on non-UR sites: web defacements apparently solely for the purpose of posting derogatory remarks about UR

Persistent – Events

• Majority of attacks were via intermediaries that had themselves been compromised and backdoored: a few academic and government sites (MIT, CMU, NIH), many small businesses in a single large IP address block serving DSL
• Common features of the intermediaries showed that the incidents were related:
  – Backdoors with the same password
  – Lingering connections back to a common attacking site (in China)
• Use of both general-purpose and cracker-specific proxies and relays. (Note: Many people make use of the same relays for privacy/censorship reasons.)
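The two linking features above, as an added example of how an incident handler would correlate evidence gathered from several intermediaries (this is illustration, not a tool from the talk). The host names, addresses and password fingerprints are constructed; requiring both indicators together is what keeps a popular relay, which many innocent people also use, from linking unrelated machines by itself.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed evidence from four examined intermediaries (names and addresses are made up,
# using RFC 5737 documentation ranges): established connections seen on each host ...
CONNECTIONS: List[Tuple[str, str]] = [
    ("dsl-biz-1", "198.51.100.7:6667"),   # an IRC relay: shared, but many people use those
    ("dsl-biz-1", "203.0.113.9:31337"),
    ("dsl-biz-2", "192.0.2.44:443"),
    ("dsl-biz-2", "203.0.113.9:31337"),
    ("univ-a",    "203.0.113.9:31337"),
    ("univ-a",    "192.0.2.44:443"),
    ("lab-pc",    "198.51.100.7:6667"),
]
# ... and a fingerprint (hash) of the password each host's backdoor was configured with.
BACKDOOR_PW_FP: Dict[str, str] = {
    "dsl-biz-1": "a1b2", "dsl-biz-2": "a1b2", "univ-a": "a1b2", "lab-pc": "ffee",
}

def shared_remote_endpoints(conns, min_hosts: int = 3) -> Dict[str, Set[str]]:
    """Remote endpoints that at least `min_hosts` distinct compromised hosts hold connections to."""
    by_remote: Dict[str, Set[str]] = defaultdict(set)
    for host, remote in conns:
        by_remote[remote].add(host)
    return {r: hs for r, hs in by_remote.items() if len(hs) >= min_hosts}

def hosts_by_backdoor_password(fingerprints: Dict[str, str]) -> Dict[str, Set[str]]:
    """Groups of hosts whose backdoors share a password (compared by fingerprint only)."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for host, fp in fingerprints.items():
        groups[fp].add(host)
    return {fp: hs for fp, hs in groups.items() if len(hs) > 1}

def related_hosts(conns, fingerprints, min_hosts: int = 3) -> Set[str]:
    """Hosts tied together by both indicators. Requiring both keeps the popular relay
    (the 6667 endpoint above) from linking unrelated machines on its own."""
    by_endpoint = set().union(*shared_remote_endpoints(conns, min_hosts).values())
    by_password = set().union(*hosts_by_backdoor_password(fingerprints).values())
    return by_endpoint & by_password
```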

Persistent – Attacks

• Successive waves of scanning for and exploitation of vulnerabilities:
  – Microsoft SQL server and MSDE default administrator passwords
  – PC Anywhere weak passwords
  – SMB/NETBIOS weak administrator passwords
  – Windows Terminal Server weak passwords
  – Usual array of web server holes (mostly in Microsoft IIS) and http-exploitable holes (e.g. Sun Answerbook)

Persistent – Tools

• Use of a variety of turn-key tools for vulnerability detection and exploitation; notably:
  – Fluxay, a graphical user interface with extensibility, databases of vulnerable hosts and installed remote agents, and one-click functioning of common operations such as compromise-and-install-backdoor
  – ISS (Internet Security Scanner), a commercial tool, for which there are known license-key generators

Persistent – Lessons

• Perimeter defense becomes ineffective once it has been breached and the attacker has a “foot in the door.”
• Insider always has a foot in the door.
• There is a practically limitless supply of vulnerable systems that attackers can use as remote agents.
• Response time across organizational and national boundaries is a problem. ISPs and nations are almost immovable. Educational sites tend to have incident response processes in place. Small businesses will cut to the chase if you find the right person.
• There is evidence there if you dig hard & soon enough.

Readings

• Stoll, “Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage”
  – ISBN 0743411463
• Eichin, Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988”
  – http://www.mit.edu:8001/people/eichin/virus/main.html
• Shimomura, Markoff, “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw – By the Man Who Did It”
  – http://www.takedown.com
  – ISBN 0786862106
  – This is not a balanced treatment, but it does describe the raw events of the interrelated SDSC, Rochester, and Loyola incidents.