Copyright Michael B. Scher This document may be freely distributed by electronic media solely for non-commercial purposes. Reproduction in any form must be of the entire work including this copyright notice. Print copies (except a personal use copy) with permission of the author only. All other rights reserved.
strange(at)cultural.com
OUTLINE for "Computer Security and Intrusion: The Technical (a sketch of things to come)"
Lecture on computer security concepts, complex system intrusion trends and predictions; given as part of the "Doing Business in a Networked World" conference at the John Marshall Law School.
January 16, 1998
Full text of talk available here.
Computer Security and Intrusion:
The Technical (a sketch of things to come)
I. Two loosely-defined areas of weakness
A. Protocols: how we transmit data
1. Example: telnet
a) clear text sending of usernames, passwords, whole session
b) designed for reliability under poor conditions
c) not designed for use over hostile networks
d) similarly with FTP, POP
e) Compensation via one-time passwords, or tunneling through a more secure protocol
2. Even "secure" protocols may have subtle design or implementation flaws
B. Programs:
1. Unanticipated input, kind or quantity
2. Poor handling of unexpected situations
3. Common libraries of functions mean a problem in a library function could implicate dozens of programs.
4. Example: Sun Solaris 2.x getopt() "buffer overflow"
a) ordinarily, function returns an error if you typo an option for a program
b) function didn't limit size of option
c) option given could be huge and overwrite part of the real program
d) allows "hijacking" of the running program, and all its privileges
5. Vulnerabilities can be "local" or "remote"
II. The Firewall as a security measure
A. Benefits
1. Restricts outside access
2. Delimits services available in both directions
3. Prevents direct contact between outside systems and internal systems
B. Drawbacks
1. Sense of safety makes IS staff or management overconfident and leads to weak internal security.
2. Internet is often not the only ingress to the network
a) dialup modem pool
b) user's desktop fax/modem
c) emergency modems on servers, and routers
d) human frailty
III. Two growing areas of vulnerability
A. "Passive attacks"
1. Generally untargeted, always awaits the victim's initiative
2. Network "sniffing" is an example of one that's been around for many years.
3. Next generation takes advantage of a weakness in a client's program when they connect to a trojan-horse site on the net.
a) FTP
b) WWW
c) USENET News
d) . . .
4. MS IE 4.x example
a) buffer overflow
b) somewhat selectively targetable via web server's ability to discriminate between browser types
c) in theory, allows one to do almost anything to victim user's system
d) ideal for attacker to slip into busy site
e) attacker may be long gone before anyone's system is compromised
f) difficult attack to actually put together - until someone comes out with a kit
g) defeats adage that you can't get a virus by just browsing the WWW
5. Yahoo example
a) major webserver exploited
b) hoax threatening "logic bomb"
B. "Complex attacks"
1. Targeted, with two or more machines exploited to gain access to one of them - not mere machine-to-machine hopping
2. Example: Mitnick hacks Shimomura
a) TCP "hijacking" attack
b) client host already connected to server
c) client rendered non-responsive with SYN flood
d) brute-force sequence number guess successful
e) account backdoored (.rhosts with + + in it)
f) also example of reliance for security on protocol not designed for security
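As an added example (not from the talk) of the check a defender would run after an incident like 2.e: a small scanner over .rhosts or hosts.equiv text that flags wildcard "+" trust entries, the "+ +" backdoor among them. The file contents are constructed.

```python
# Added example (not from the original talk): flag trust-everyone entries in
# .rhosts or hosts.equiv text. Line format: host [user]; "+" is a wildcard,
# a leading "-" denies, "#" starts a comment. The sample file is constructed.
def risky_rhosts_lines(text):
    """Return (line_no, entry, reason) for entries granting overly broad trust."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue                           # blank or comment-only line
        fields = entry.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user or "").startswith("-"):
            continue                           # explicit deny entry, not a grant
        if host == "+" and user == "+":
            findings.append((no, entry, "any user from any host (classic '+ +' backdoor)"))
        elif host == "+":
            findings.append((no, entry, "any host, as user %s" % (user or "<same login>")))
        elif user == "+":
            findings.append((no, entry, "any user on host %s" % host))
    return findings

SAMPLE_RHOSTS = """# constructed sample .rhosts
host1.example.com alice
+ +
+ backup
host2.example.com +
-host3.example.com
"""
```

Running `risky_rhosts_lines(SAMPLE_RHOSTS)` reports lines 3, 4 and 5; the deny entry on line 6 is not a grant and is ignored.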
3. Example: DNS cache corruption and Eugene Kashpureff
a) Name servers cache past lookups for efficiency
b) DNS server replies are trivial to spoof if the real server has been rendered unresponsive
c) Tricked server gives out bogus information until its time in the cache is up, cache fills, or server restarts
d) Kashpureff tricked hundreds of name servers into caching the wrong information about www.internic.net, having them point to the IP address for www.alternic.net instead, virtually taking www.internic.net off the Internet.
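A toy caching resolver, added here as an example and not part of the talk, shows the naive behaviour (cache every record a reply carries) beside the two checks a hardened cache applies: match each reply to an outstanding query, and cache only records that belong to the zone being asked about (the "bailiwick" rule later resolvers adopted). The names, addresses and the reply are constructed, and the TTL bookkeeping mirrors point 3.c.

```python
# Added example (not from the original talk): a toy caching resolver showing a
# naive cache beside the two checks a hardened cache applies to each reply.
class CachingResolver:
    def __init__(self, strict):
        self.strict = strict      # False: naive cache; True: hardened cache
        self.cache = {}           # (name, rtype) -> (value, expiry time)
        self.pending = {}         # transaction id -> name that was queried

    def ask(self, txid, qname):
        """Note an outstanding query so a reply can be matched to it."""
        self.pending[txid] = qname.lower().rstrip(".")

    @staticmethod
    def in_bailiwick(name, qname):
        """Trust a server answering for qname only for names in qname's zone."""
        parts = qname.split(".", 1)
        zone = parts[1] if len(parts) > 1 else qname   # www.alternic.net -> alternic.net
        return name == qname or name.endswith("." + zone)

    def accept_reply(self, txid, qname, records, now):
        """records: list of (name, rtype, value, ttl). Returns the names cached."""
        qname = qname.lower().rstrip(".")
        if self.strict and self.pending.get(txid) != qname:
            return []                      # unsolicited or mismatched reply: dropped
        self.pending.pop(txid, None)
        cached = []
        for name, rtype, value, ttl in records:
            name = name.lower().rstrip(".")
            if self.strict and not self.in_bailiwick(name, qname):
                continue                   # out-of-zone "extra" record: not cached
            self.cache[(name, rtype)] = (value, now + ttl)
            cached.append(name)
        return cached

    def lookup(self, name, rtype, now):
        """Return the cached value, or None if absent or its TTL has run out."""
        entry = self.cache.get((name.lower().rstrip("."), rtype))
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

# Constructed reply to a query for www.alternic.net that carries an extra record
# claiming to answer for www.internic.net (RFC 5737 documentation addresses).
SPOOFED_REPLY = [("www.alternic.net", "A", "192.0.2.10", 3600),
                 ("www.internic.net", "A", "192.0.2.10", 86400)]

def poisoned(strict):
    """True if, after the spoofed reply, the cache now answers for www.internic.net."""
    r = CachingResolver(strict)
    r.ask(0x1234, "www.alternic.net")
    r.accept_reply(0x1234, "www.alternic.net", SPOOFED_REPLY, now=0)
    return r.lookup("www.internic.net", "A", now=1) is not None
```

`poisoned(False)` is True and `poisoned(True)` is False: the same reply that plants a bogus www.internic.net entry in the naive cache leaves the hardened cache untouched.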
IV. Ultimate combination-of-all-the-above house of horrors attack.
A. Direct takeover of poorly-secured, well-connected machine
B. Installation of overflow-sending web pages
C. Cache corruption of hundreds of name servers from 3rd site, redirecting traffic from a very busy site to the dangerous web site
D. Later check of logs automatically encrypted and sent off site from the compromised machine, to see what systems were compromised, or perhaps compromised systems send out the data, encrypted, onto USENET?
V. Conclusion
A. Technical security problems largely stem from
1. Use of programs and protocols under conditions or expectations for which they were not designed
2. Programmers or designers not anticipating all kinds of data the program or protocol might encounter
3. Errors in coding or implementation that weaken otherwise strong programs and protocols
B. Passive and complex attacks
1. Firewalls do not necessarily protect against many of these
2. Likely to see many new ones over the next few years
3. Protection:
a) policy, policy, policy
b) restricted set of networking tools
c) regular audits
d) regular security upgrades