CS363Week 10 - Wednesday

Last time

What did we talk about last time? Network basics

Questions?

Project 3

Assignment 4

Security PresentationCody Kump

Eavesdropping

Eavesdropping and wiretapping Eavesdropping means overhearing private

information without much effort Administrators need to periodically monitor

network traffic Wiretapping implies that more effort is

being used to overhear information Passive wiretapping is only listening to

information Active wiretapping means that you may

adding or changing information in the stream

Cable wiretapping

If you are on the same LAN, you can use a packet sniffer to analyze packets Packets are constantly streaming by, and your computer usually only

picks up those destined for it Passwords are often sent in the clear Wireshark is a free, popular packet sniffer

Cable modems are filters that give you only the data you need Sophisticated attackers can tap into a cable network Data is supposed to be encrypted, but many networks don’t turn

encryption on Inductance is a property that can allow you to measure the

signals inside of a wire without a direct physical connection Using inductance or physically connecting to a wire changes its

impedance, which can (but usually is not) measured Signals are often multiplexed, sharing media with other

signals, which can increase the sophistication needed to wiretap

Wireless eavesdropping

Wireless networks are easy to disrupt, but attackers usually have little to gain by this

Since they are broadcast, it is not difficult to intercept the signal Special antennas can receive the signal from a

longer distance than usual Some networks are entirely unencrypted WEP is almost completely broken WPA and WPA2 have vulnerabilities that

can be exploited in some cases

Other media

Microwave is easy to intercept Long distance phone can use microwaves Cell phones can use microwaves

One difficulty with making use of the intercepted signal is that microwave signals are heavily multiplexed, making it hard to untangle individual signals

Satellites are similar (unsecure but heavily multiplexed)

Optical fiber is very difficult to tap Cutting a single fiber means recalibrating the network Repeaters and taps that connect the fiber are the best

places to attack

Impersonation

Rather than wiretapping, attackers will more often try to impersonate a legitimate user

Different approaches: Guess the identity and authentication

information Use other communications or

wiretapping to gain such information Circumvent the authentication

mechanism Use a target that will not be

authenticated Use a target with known authentication

data

Authentication issues

Passwords are often easy to guess Because we’re bad at picking passwords Because the user may not have realized that the machine

would be exposed to network attacks Passwords are sent in the clear Bad hashes can give information about the password Sometimes buffer overflows can crash the

authentication system Sometimes authentication is not needed

.rhosts and .rlogin files in Unix Guest accounts

Default passwords on routers and other devices that never get changed

Authentication attacks

Spoofing is when an attacker carries out one end of a networked exchange

A masquerade is spoofing where a host pretends to be another host URL confusion: someone types hotmale.com (don’t go

there!) or gogle.com Phishing is a form of masquerading Session hijacking (or sidejacking) is carrying on

a session started by someone else Login is encrypted, the rest of the data often isn’t Firesheep allows you to log on to other people’s Facebook

and Twitter accounts in, say, the same coffeeshop Man-in-the-middle attacks

Confidentiality threats

Misdelivery Data can have bad addresses, occasionally because of

computer error Human error (e.g. James Hughes (student) instead of

James Hughes (professor)) is more common) Exposure of data can happen because of

wiretapping or unsecure systems anywhere along the network

Traffic flow analysis Data might be encrypted Even so, it is very hard to hide where the data is going

to and where it is coming from Tor and other anonymization networks try to fix this

Integrity threats

Attackers can falsify some or all of a message, using attacks we’ve talked about Parts of messages can be combined Messages can be redirected or deleted Old messages can also be replayed

Noise can degrade the signals All modern network protocols have error

correction built in Malformed packets can crash systems Protocols often have vulnerabilities

Web site vulnerabilities

Web sites are supposed to be up all the time They can be studied and attacked over a long period of time

Known vulnerabilities in web servers allow hackers (even unsophisticated ones) to gain control of web sites and deface them

Buffer overflows can crash web applications URL and SQL injection attacks

If web applications are poorly written, they may blindly execute whatever is passed into the URL

Could point to ../../../sensitive.dat, gaining access to files in other directories

Could give SQL to destroy or publicize the contents of the database Server-side includes can tell the server to do specific

things, but they can be manipulated by attackers who cleverly edit the HTTP requests

Denial of service

Networks are one of the best places to launch an attack on availability

In this setting, these are usually called denial of service (DoS) attacks

Transmission failure can happen because a line is cut or because there is too much noise

Flooding is a common technique Ask for too many connections Request too many of some other service

Three way handshake

TCP is built on a three-way handshake Client requests a connection by sending a SYN packet The server acknowledges the request by sending a SYN-ACK packet back The client responds with an ACK, establishing the connection

An attacker can just keep sending SYN packets The server will allocate some resources, wait for the ACK, and

never get it A clever attacker will spoof at least his own IP so that the SYN-ACK

is sent elsewhere A more sophisticated attacker will spoof many different IP

addresses (or have many bots in a botnet) sending all these SYN's

Denial of service attacks

Echo-chargen Chargen sets up a stream of packets for testing Echo packets are supposed to be sent back to the sender If you can trick a server into sending echo packets to itself, it will respond

to its own packets forever Ping of death

A ping packet requests a reply If you can send more pings than a server can handle, it goes down Only works if the attacker has more bandwidth than the victim (DDoS

helps) Smurf

A ping packet is broadcast to everyone, with the victim spoofed as the originator

All the hosts try to ping the victim The real attacker is hidden

Teardrop A teardrop attack uses badly formed IP datagrams They claim to correspond to overlapping sequences of bytes in a packet There’s no way to put them back together and the system can crash

Distributed denial of service Distributed denial of

service (DDoS) attacks use many machines to perform a DoS attack

Usually, many targets have been compromised with a Trojan horse making them zombies

These zombie machines are controlled by the attacker, performing flooding or other attacks on a victim

The attacker is hard to trace

DNS attacks

The Domain Name System (DNS) uses Domain Name Servers (also DNS) to convert user readable URLs like google.com to IP addresses

Taking control of a server means that you get to say where google.com is

For efficiency, servers cache results from other servers if they didn’t know the IP DNS cache poisoning is when an attacker

gives a good server a bad IP address

Active and mobile code threats Cookies

Small files saved by your browser on your disk Can be per-session or persistent Intercepted cookies can allow impersonation

Server side scripting Includes ASP, JSP, and PHP Again, poorly sanitized inputs can cause arbitrary code to be

executed on the server Active code

Java applets are run in a sandbox, preventing them from accessing most of your system▪ Some JVM implementations had weaknesses allowing them out

ActiveX is Microsoft’s system for running code in a browser▪ It has far too much power and can do anything to your system▪ Usually, you have to click a button to allow the ActiveX control to run

Summary of vulnerabilitiesTarget Vulnerability Target Vulnerability

Precursors to attack

• Port scan• Social engineering• Reconnaissance• OS and application

fingerprinting

Confidentiality

• Protocol flaw• Eavesdropping• Passive wiretap• Misdelivery• Exposure• Traffic flow analysis

Authentication failures

• Impersonation• Guessing• Eavesdropping• Spoofing• Session hijacking• Man in the middle

attack

Integrity

• Protocol flaw• Active wiretap• Impersonation• Falsification• Noise• Web site defacement• DNS attack

Programming flaws

• Buffer overflow• Addressing errors• Server-side include• Malicious Java or

ActiveX• Worms, viruses, Trojan

horses

Availability

• Protocol flaw• Transmission failure• Flooding• DNS attack• Traffic redirection• DDoS

Network Security Controls

Architecture

Good network architecture can make security better

Segmentation means separating the network into different parts Web server Database server Application servers

Redundancy is important Multiple servers that check if each other have

gone down Avoid single points of failure

Encryption

Encryption is important for network security

Link encryption encrypts data just before going through the physical communication layer Each link between two hosts could have

different encryption Message are in plaintext within each host Link encryption is fast and transparent

End-to-end encryption provides security from one end of the transmission to the other Slower Responsibility of the user Better security for the message in transit

Virtual private networks

Encryption that allows people in a public network to communicate securely with a private network creates a virtual private network (VPN)

A user’s system negotiates a key with a firewall that guards a private network Communication takes place in a tunnel

Public key infrastructure

As we discussed before, the big problem with public keys is making sure you get the right one

Public key infrastructure (PKI) is the solution to this problem

A PKI sets up certificate authorities who certify that keys belong to who they’re supposed to

Their jobs include: Managing public key certificates Issuing certificates that connect a user to a key Scheduling certificate expiration Publishing certificate revocation lists

Secure protocols

SSH (secure shell) is a protocol for encrypted communication between computers Designed for Unix/Linux, but available on Windows Telnet, rlogin, and rsh should be replaced by SSH Negotiates symmetric key encryption usually using

public key encryption, similar to Project 2 SSL (secure sockets layer) or TLS

(transport layer security) creates a secure session (golden lock) between a web browser and a web server

IPSec

IPSec (IP Security Protocol Suite) is a group of protocols designed to provide security for general IP communication

There is an Authentication Header (AH) mode that provides authentication and integrity by supplying a cryptographic hash of the message and its addresses

There is an Encapsulated Security Payload (ESP) mode that can provide encryption, authentication, or both

In transport mode, IPSec encrypts only the payload of the packet

In tunnel mode, IPSec encrypts the entire packet and puts it inside of another packet, hiding its final destination inside of a private network

Content integrity

Encryption helps protect integrity from malicious attackers

Error correcting codes (like parity checks) can help prevent non-malicious problems with integrity

Cryptographic checksums (AKA cryptographic hash digests) protect from both malicious and non-malicious threats to integrity

Strong authentication

Who are you talking to? Passwords can be stolen

One-time passwords prevent the problem of stolen passwords RSA SecurIDs and other password tokens

generate one-time passwords Challenge-response systems serve

a similar role Kerberos is a system designed at MIT

Users interact with an authentication server who authenticates them

They get a ticket to access a file from a ticket granting server

The ticket lets you use a file Everything is time-stamped

Access controls on routers Routers want to block packet floods from

affecting the servers behind the router We can have ACLs that list all the legal (or

all the illegal) hosts that can send (or are not allowed to send) packets into the network

But, checking packets against ACLs slows down the system, making the router easier to flood

Since it is possible to forge source addresses, the ACLs might not correctly block the packets

Wireless security

A wireless access point has a Service Set Identifier (SSID) SSIDs are usually broadcast, weakening security

Even non-broadcast SSIDs can be discovered whenever someone connects to them

Wired Equivalent Privacy (WEP) was the old standard for encryption Tools like WEPCrack and AirSnort can break WEP in minutes

because of flaws in the RC4 encryption algorithm WiFi Protected Access (WPA) and later WPA2 have

better security Encryption keys change for each packet Several authentication mechanisms are allowed WPA2 can use AES There are still flaws in some implementations, as discussed by

Mark Yorgey

Firewalls

Firewalls

A firewall filters traffic between an inside network and an outside network The inside is more trusted and needs to be

protected from the outside Kinds of firewalls:

Packet filtering gateway or screening routers Stateful inspection firewalls Application proxies Guards Personal firewalls

Packet filtering gateway

Packet filtering gateways are simple They only allow certain packets to get by

Based on source or destination address Based on protocol (HTTP on port 80, for example)

A packet filter can be used in combination with other firewalls The packet filter can remove a lot of traffic so that a more

complex firewall has to worry about checking fewer packets Packet filters ignore the data inside the packets

They only use the addresses and port numbers

Stateful inspection firewall

A stateful inspection firewall keeps track of data inside of packets

For example, if a host inside the firewall initiates a TCP connection with a host outside, a stateful inspection firewall can remember this and let only that particular outside host’s packets in

Application proxies and guards An application proxy gateway (or bastion host)

appears to function like a host running a particular application

The outside world sends date to the application proxy’s IP address

The application proxy changes the addresses and forwards the data on to the real server

Only appropriate requests and responses are allowed through

All accesses can also be logged A guard is really the same thing, just with more

functionality For example, a guard might reassemble a file and run it

trhough a virus scanner

Personal firewalls

A personal firewall is software that runs on a workstation

These firewalls can give additional protection

The user and OS can have very fine grained control over what kind of connections can be made and what kind of applications can send and receive data

Upcoming

Next time…

Finish firewalls Intrusion detection Secure e-mail Review for Exam 2 Andrew Sandridge presents

Reminders

Read Sections 7.3 through 7.6Finish Assignment 4

Due on Friday Study for Exam 2

Next Monday