Computer Security Update
Bob Cowles, [email protected]
Presented at HEPiX - TRIUMF23 Oct 2003
Work supported by U. S. Department of Energy contract DE-AC03-76SF00515
23 Oct 2003 HEPiX - TRIUMF 2
Slammer Impact
[Map of worm spread; labelled regions: Australia, Japan, Korea, China, India]
http://www.microsoft.com/security/security_bulletins/
Application of Patches to Windows
[Chart: Vulnerable Systems (0 to 2000) against Days Since Patch Released (1 to 31); series MS03-026, MS03-039, MS03-043, Internet Avg; markers for MSBlaster Released and MSBlaster at SLAC]
FireWall Log – Infected Machines
Sep 16 18:29:18 icmp 134.79.137.220 -> 134.79.72.98 (8/0)
Sep 16 18:29:19 icmp 134.79.137.220 -> 134.79.72.198 (8/0)
Sep 16 18:29:20 icmp 134.79.137.220 -> 134.79.73.42 (8/0)
Sep 16 18:38:46 tcp 134.79.137.220(3325) -> 134.76.2.205(135)
Sep 16 18:38:47 tcp 134.79.137.220(3169) -> 134.76.2.48(135)
Sep 16 18:38:48 tcp 134.79.137.220(3249) -> 134.76.2.128(135)
Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.0 (8/0)
Sep 16 18:40:06 icmp 134.79.129.243 -> 134.79.72.64 (8/0)
Sep 16 18:40:07 icmp 134.79.129.243 -> 134.79.72.128 (8/0)
Sep 16 18:40:17 tcp 134.79.136.68(4107) -> 134.79.124.0(135)
Sep 16 18:40:18 tcp 134.79.136.68(4194) -> 134.79.124.98(135)
Sep 16 18:40:19 tcp 134.79.136.68(4292) -> 134.79.124.196(135)
Sep 16 22:28:25 tcp 134.79.129.243(4413) -> 134.76.24.39(135)
Sep 16 22:28:26 tcp 134.79.129.243(4377) -> 134.76.22.41(135)
Sep 16 22:28:27 tcp 134.79.129.243(4383) -> 134.76.22.113(135)
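The two signatures visible in this log, a source address sweeping a range with ICMP echo requests and the same source then connecting to TCP/135 on many hosts, are what an operator would want to pick out automatically. The following Python is an added example, not part of the slides: a parser for the firewall record format shown above and a check that flags any source reaching several distinct destinations by either method. The sample lines are constructed after the slide's records (with two benign lines added for contrast), and the threshold of three targets is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the firewall log on the slide
# (one record per line); the last two lines are benign traffic added for contrast.
SAMPLE_LOG = """\
Sep 16 18:29:18 icmp 134.79.137.220 -> 134.79.72.98 (8/0)
Sep 16 18:29:19 icmp 134.79.137.220 -> 134.79.72.198 (8/0)
Sep 16 18:29:20 icmp 134.79.137.220 -> 134.79.73.42 (8/0)
Sep 16 18:38:46 tcp 134.79.137.220(3325) -> 134.76.2.205(135)
Sep 16 18:38:47 tcp 134.79.137.220(3169) -> 134.76.2.48(135)
Sep 16 18:38:48 tcp 134.79.137.220(3249) -> 134.76.2.128(135)
Sep 16 18:40:17 tcp 134.79.136.68(4107) -> 134.79.124.0(135)
Sep 16 18:40:18 tcp 134.79.136.68(4194) -> 134.79.124.98(135)
Sep 16 18:40:19 tcp 134.79.136.68(4292) -> 134.79.124.196(135)
Sep 16 18:41:00 tcp 134.79.10.10(50000) -> 134.79.20.20(22)
Sep 16 18:41:01 icmp 134.79.10.10 -> 134.79.20.20 (8/0)
"""

# ICMP records carry "(type/code)" after the destination; TCP records carry
# "(port)" on both addresses.
ICMP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) icmp (\S+) -> (\S+) \((\d+)/(\d+)\)$")
TCP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) tcp (\S+)\((\d+)\) -> (\S+)\((\d+)\)$")


def parse_line(line):
    """Parse one firewall record into a dict, or return None for lines of another shape."""
    m = ICMP_RE.match(line)
    if m:
        ts, src, dst, itype, icode = m.groups()
        return {"ts": ts, "proto": "icmp", "src": src, "dst": dst,
                "type": int(itype), "code": int(icode)}
    m = TCP_RE.match(line)
    if m:
        ts, src, sport, dst, dport = m.groups()
        return {"ts": ts, "proto": "tcp", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport)}
    return None


def find_scanners(log_text, min_targets=3, scan_port=135):
    """Flag sources that reached at least min_targets distinct destinations with
    ICMP echo requests (type 8) or with TCP connections to scan_port.

    Returns {src: {"icmp_sweep": n_echo_targets, "tcp135": n_port_targets}}.
    The default threshold of three targets is an assumption for this example.
    """
    echo_targets = defaultdict(set)
    port_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "icmp" and rec["type"] == 8:
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and rec["dport"] == scan_port:
            port_targets[rec["src"]].add(rec["dst"])

    flagged = {}
    for src in sorted(set(echo_targets) | set(port_targets)):
        n_echo = len(echo_targets.get(src, ()))
        n_port = len(port_targets.get(src, ()))
        if n_echo >= min_targets or n_port >= min_targets:
            flagged[src] = {"icmp_sweep": n_echo, "tcp135": n_port}
    return flagged


if __name__ == "__main__":
    for src, counts in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {counts['icmp_sweep']} echo targets, "
              f"{counts['tcp135']} tcp/135 targets")
```

Counting distinct destinations rather than raw packets is what separates a sweep from a host that legitimately talks to one peer many times; the benign source in the sample touches a single destination and is not flagged.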
Infection Sources @ SLAC
• 32% VPN
• 22% DHCP (reg, internal network)
• 20% Fixed IP (on vacation, laptop infected outside, etc.)
• 14% Infected during build / patch
• 12% Dialup
Blaster - Easy to Get Infected
09/29/103 11:46:42 Host: 134.79.25.55 Port: 135 TCP Blocked
09/29/103 11:46:41 Host: 134.79.25.55 Port: 135 TCP Blocked
email @ 12:21pm: Bob, is host "illusion" yours, as per my so-called memory? But the mac addr is registered to Richard Mount ...
Sep 29 11:41:37 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:10:a4:e4:2a:b8 (illusion)
host roam-rmount2 { hardware ethernet 00:10:a4:e4:2a:b8; }# 01/25/00 # PC54566, Richard Mount
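The chain of evidence on this slide, a blocked connection attempt to port 135, the DHCP lease that held that address at the time, and the dhcpd.conf registration for the MAC, is a correlation that can be scripted so that the owner of an infected machine is found in seconds rather than by e-mail. The following Python is an added example and not from the talk. The log lines are constructed after the ones on the slide, with a second fictitious lease and registration ("other-box", "Jane Doe") added so that lease selection has something to choose between, and the reading of the "103" year field as a years-since-1900 value (so 2003) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample inputs modelled on the slide; the "other-box" lease and
# registration are fictitious additions so that the most recent lease before
# the alert has to be picked out from several.
BLOCK_LOG = """\
09/29/103 11:46:41 Host: 134.79.25.55 Port: 135 TCP Blocked
09/29/103 11:46:42 Host: 134.79.25.55 Port: 135 TCP Blocked
"""
DHCP_LOG = """\
Sep 29 09:12:03 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:0a:95:11:22:33 (other-box)
Sep 29 11:41:37 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:10:a4:e4:2a:b8 (illusion)
Sep 29 12:30:00 dhcp2 dhcpd: DHCPACK on 134.79.25.55 to 00:0a:95:11:22:33 (other-box)
"""
DHCPD_CONF = """\
host roam-rmount2 { hardware ethernet 00:10:a4:e4:2a:b8; }# 01/25/00 # PC54566, Richard Mount
host other-box { hardware ethernet 00:0a:95:11:22:33; }# 03/02/01 # PC99999, Jane Doe
"""

BLOCK_RE = re.compile(
    r"^(\d\d)/(\d\d)/(\d+) (\d\d):(\d\d):(\d\d) Host: (\S+) Port: (\d+) TCP Blocked$")
ACK_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]+)(?: \(([^)]*)\))?")
HOST_RE = re.compile(r"^host (\S+) \{ hardware ethernet ([0-9a-f:]+); \}\s*#(.*)$")


def parse_block_alerts(text):
    """Return [(datetime, ip, port)] from the blocking log. The year field on the
    slide reads "103"; this example assumes it is a years-since-1900 value."""
    alerts = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        mon, day, year, hh, mm, ss, ip, port = m.groups()
        year = int(year)
        if year < 1900:
            year += 1900  # assumption: tm_year-style field
        alerts.append((datetime(year, int(mon), int(day), int(hh), int(mm), int(ss)),
                       ip, int(port)))
    return alerts


def parse_dhcp_acks(text, year):
    """Return [(datetime, ip, mac, lease_hostname)]; syslog lines carry no year,
    so the caller supplies it."""
    acks = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mon, day, clock, ip, mac, name = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        acks.append((ts, ip, mac.lower(), name or ""))
    return acks


def parse_registrations(text):
    """Return {mac: (registered_hostname, owner_note)} from dhcpd.conf host stanzas,
    taking the owner note from the text after the last '#'."""
    regs = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, mac, comment = m.groups()
            regs[mac.lower()] = (host, comment.split("#")[-1].strip())
    return regs


def identify_owner(alert, acks, regs):
    """Pick the most recent DHCPACK for the alert's IP at or before the alert time,
    then look the MAC up in the registrations. Returns None if no lease covers it."""
    ts, ip, _port = alert
    candidates = [a for a in acks if a[1] == ip and a[0] <= ts]
    if not candidates:
        return None
    lease_ts, _, mac, lease_name = max(candidates, key=lambda a: a[0])
    host, owner = regs.get(mac, ("<unregistered>", "<unknown>"))
    return {"ip": ip, "alert_ts": ts, "lease_ts": lease_ts, "mac": mac,
            "lease_hostname": lease_name, "registered_host": host, "owner": owner}


if __name__ == "__main__":
    acks = parse_dhcp_acks(DHCP_LOG, 2003)
    regs = parse_registrations(DHCPD_CONF)
    for alert in parse_block_alerts(BLOCK_LOG):
        print(identify_owner(alert, acks, regs))
```

The result carries both the hostname the client sent in its lease ("illusion") and the name the MAC is registered under ("roam-rmount2"), which is exactly the mismatch the e-mail on the slide is asking about: the lease name is whatever the client claims, while the registration is the record the site controls.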
https://rhn.redhat.com/errata/rh73-errata-security.html
http://docs.info.apple.com/article.html?artnum=61798
http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
http://www.cisco.com/warp/public/707/advisory.html
It Sucks Not to Patch
• Popular rootkit in many variations
• Hides files, directories, processes; precompiled password
• With keyboard and/or ssh sniffers
• Listens on *all* open ports for backdoor
• Any port open inbound allows backdoor signal; sk then opens outbound tcp for encrypted shell connection
suckit (cont)
• Home page http://hysteria.sk/sd/
• Latest versions not publicly available
• Also find exploits for
– ptrace
– sendmail 8.11.x
[Trend Micro virus map panels: Last 24 Hours, Last 30 Days]
http://www.trendmicro.com/map/
Ballmer @ Gartner ITXpo
• Windows has fewer vulnerabilities than RH Linux [RH6]
• No roadmap for Linux. There’s nobody to hold accountable for security issues
• The security of Microsoft products is our top priority. We have our best brains on it.
• We understand this is an issue of customer satisfaction.
http://www.theregister.co.uk/content/4/33522.html
Microsoft @ Stanford
• Universities tend to be a worst case
• Diverse, unmanaged
– Population
– Hardware
– Software
• Unlikely to fit into AD model
• Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes
Feedback to Microsoft
• Clear & meaningful impact statements
• Fix IE (30+ outstanding bugs)
• Reduce the attack vector (profile services)
• Don’t require license check for security patches (e.g. MS Office CD)
• No tie-in to IE (no active scripting)
Feedback to Microsoft (cont)
• Open up patching tools and process
• Understand 3rd party tools +/-
• Allow other vendors to use same tools for their Windows products
• Provide feedback on real patch status (local & remote)
• Need general patch deployment tool not requiring AD
Conclusions
[Unchanged from last year]
• Poor administration is still a major problem
• Firewalls cannot substitute for patches
• Multiple levels of virus/worm protection are necessary
• Clue is more important than open source
No Easy Solutions
Questions?