
Institute of Technology, Sligo Dept of Computing

Security Engineering.
NDC 3

Warning

IT Sligo's computer network is monitored and activity is logged against a user's account. Any student in breach of the AUP may be subject to disciplinary action up to and including expulsion. A copy of the student AUP is available on the IT Sligo homepage.

Protocols

Security protocols are the rules that govern secure communications. They are designed so that the system survives malicious attacks, not merely accidental errors.

Password eavesdropping risks.

Passwords are used to authenticate human users and many embedded systems. Problems include choosing a password that is hard to guess, and remembering passwords generated randomly by the system. Many embedded systems made up to the mid-1990s simply broadcast a serial number, which also acted as the password, so anyone who could listen to the transmission learned the secret. E.g. car alarms.

Password attacks on embedded systems.

A common attack used a grabber, a device that recorded the code as it was transmitted and later replayed it. Separate codes for locking and unlocking were introduced, but these had limitations too: a grabber that records the unlock code can still replay it. Devices that simply try one code after another were also produced, an exhaustive search of a small code space.

Challenge and response.

Most modern car locks use a more sophisticated two-pass protocol. As the key is inserted into the steering lock, the engine management unit sends the key a challenge containing a random number. The key computes a response by encrypting the challenge under the secret it shares with the engine management unit, and the unit checks the result. A recorded exchange is no use to a grabber, because the next challenge will be different. Problem: in many systems the random number is not random, so challenges repeat and a recorded response is accepted again.
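The two-pass exchange above, as an added example that is not code from the lecture: the key answers the challenge with a keyed one-way function (HMAC-SHA256 stands in for the block-cipher encryption the slide describes, so the block runs on the Python standard library alone). The shared key, the 16-byte challenge size and the "resetting counter" generator are assumptions made for illustration. A grabber records one legitimate exchange and then tries to replay it: with a properly random challenge the replay fails; with a generator that restarts from zero after a power cycle the same challenge is reissued and the recorded response is accepted again.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, challenge: bytes) -> bytes:
    """Key side: answer the challenge with a keyed one-way function of it
    (stands in for 'encrypting the challenge' with the shared secret)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class EngineUnit:
    """Engine management unit: issues a challenge and checks the response."""

    def __init__(self, key: bytes, rng):
        self.key = key
        self.rng = rng        # callable returning the next 16-byte challenge
        self.pending = None   # challenge currently outstanding, if any

    def challenge(self) -> bytes:
        self.pending = self.rng()
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = respond(self.key, self.pending)
        self.pending = None   # each challenge may be answered only once
        return hmac.compare_digest(response, expected)


def legitimate_unlock(ecu: EngineUnit, key: bytes, grabber: list) -> bool:
    """The owner unlocks the car; a grabber records the exchange it overhears."""
    c = ecu.challenge()
    r = respond(key, c)
    grabber.append((c, r))
    return ecu.verify(r)


def replay_attack(ecu: EngineUnit, grabber: list) -> bool:
    """The attacker can only answer with a recorded response to the same challenge."""
    c = ecu.challenge()
    recorded = dict(grabber)
    if c not in recorded:
        return ecu.verify(b"")        # nothing usable was recorded: fails
    return ecu.verify(recorded[c])


def strong_rng() -> bytes:
    """A properly random challenge."""
    return secrets.token_bytes(16)


class ResettingCounter:
    """Constructed weak 'random number': a counter that restarts from zero
    whenever the unit is powered up, so the same challenge is reissued."""

    def __init__(self):
        self.n = 0

    def __call__(self) -> bytes:
        self.n += 1
        return self.n.to_bytes(16, "big")

    def power_cycle(self):
        self.n = 0


def run(rng) -> tuple:
    """Return (owner unlock succeeded, later replay succeeded) for one
    challenge generator."""
    key = bytes(range(16))   # constructed shared key; real units use a random per-car key
    ecu = EngineUnit(key, rng)
    grabber = []
    owner_ok = legitimate_unlock(ecu, key, grabber)
    if hasattr(rng, "power_cycle"):
        rng.power_cycle()    # the attacker waits for the unit to restart
    return owner_ok, replay_attack(ecu, grabber)


if __name__ == "__main__":
    print("random challenge:  ", run(strong_rng))          # (True, False)
    print("resetting counter: ", run(ResettingCounter()))  # (True, True)
```

The protocol is only as strong as the challenge generator: the response function is identical in both runs, and the difference in outcome comes entirely from whether a challenge can recur.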

Passwords

Examples of passwords

- Bank card PIN
- Logon to a computer system
- Social Security number and mother's maiden name

The ease with which this information can be found out leads to identity theft: criminals obtain credit cards or mobile phones in your name.

Passwords Contd.

Passwords are one of the biggest problems facing the security industry. People often reuse the same password on many web sites that require logins, so a password compromised on one site opens the others. Attacks may be carried out by outsiders guessing passwords and by insiders in other systems who can see the password a user has reused.

Applied psychology issues.

Will the user disclose the password to a third party?
- accidentally;
- on purpose (fraud);
- as a result of deception (social engineering).

Will the user enter the password correctly with a high enough probability?
Will the user remember the password without having to write it down?

Social Engineering

Many offices have different ring tones for internal and external telephones, so a call that appears to come from inside the organisation is already half trusted. The attacker rings a user and asks for a password, and may have built up a relationship over a few days before actually asking.

Password memorability problems.

Design errors.

- Mother's maiden name as a secret: Icelanders have no family surnames, and women from many countries do not change their name on marriage, so the answer is easily found.
- Birthdates, age, etc.
- Supervisor, guest and administrator accounts with passwords that are easy to guess or left at the default.

Asked to supply a password.

Default passwords

Types of attack.

Targeted attack on one account: the intruder tries to guess a particular user's password.

Attempt to penetrate any account on a system: the intruder tries to log on as any user of the system, for example to get onto the intranet.

Attempt to penetrate any account on any system.

Service denial attack: prevent a legitimate user from accessing the system, for example by getting someone's credit cards cancelled.

Intrusion detection issues.

An account may be frozen after three bad login attempts. This protects a single account against guessing, but intruders can evade it by trying one password against many accounts, staying below the per-account threshold on each. The lockout can also be turned into a denial of service by deliberately triggering it against a victim's account.
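An added example (not from the lecture) of the two detection rules side by side, run over a constructed authentication log: the per-account "three failures" rule catches a guessing attack on one account, and a per-source rule counting distinct accounts catches the one-password-many-accounts pattern that per-account lockout never sees. The log format, thresholds and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, not from any real system. One source hammers
# a single account; another tries one password against five different accounts.
LOG = """\
2024-01-10T09:00:01 auth: FAILED user=alice src=203.0.113.9
2024-01-10T09:00:03 auth: FAILED user=alice src=203.0.113.9
2024-01-10T09:00:05 auth: FAILED user=alice src=203.0.113.9
2024-01-10T09:00:07 auth: OK user=alice src=203.0.113.9
2024-01-10T09:10:00 auth: FAILED user=bob src=198.51.100.7
2024-01-10T09:10:02 auth: FAILED user=carol src=198.51.100.7
2024-01-10T09:10:04 auth: FAILED user=dave src=198.51.100.7
2024-01-10T09:10:06 auth: FAILED user=erin src=198.51.100.7
2024-01-10T09:10:08 auth: FAILED user=frank src=198.51.100.7
2024-01-10T09:30:00 auth: FAILED user=bob src=192.0.2.40
"""

LINE = re.compile(r"^(\S+) auth: (FAILED|OK) user=(\S+) src=(\S+)$")


def parse(log: str) -> list:
    """Turn the text log into events: (time, result, user, source)."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, result, user, src = m.groups()
            events.append((datetime.fromisoformat(t), result, user, src))
    return events


def failures(events):
    return [(t, u, s) for t, r, u, s in events if r == "FAILED"]


def lockout_candidates(events, n=3, window=timedelta(minutes=10)) -> set:
    """Accounts with n or more failures inside any window: the usual
    'freeze after three bad attempts' rule."""
    per_user = defaultdict(list)
    for t, u, _ in failures(events):
        per_user[u].append(t)
    hit = set()
    for user, times in per_user.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:   # slide the window forward
                j += 1
            if i - j + 1 >= n:
                hit.add(user)
                break
    return hit


def spray_sources(events, min_accounts=5, window=timedelta(minutes=10)) -> set:
    """Sources that fail against min_accounts distinct accounts inside a
    window: each account sees one failure, so lockout never fires."""
    per_src = defaultdict(list)
    for t, u, s in failures(events):
        per_src[s].append((t, u))
    hit = set()
    for src, items in per_src.items():
        items.sort()
        seen = Counter()   # distinct accounts inside the current window
        j = 0
        for i, (t, u) in enumerate(items):
            seen[u] += 1
            while t - items[j][0] > window:
                seen[items[j][1]] -= 1
                if seen[items[j][1]] == 0:
                    del seen[items[j][1]]
                j += 1
            if len(seen) >= min_accounts:
                hit.add(src)
                break
    return hit


if __name__ == "__main__":
    ev = parse(LOG)
    print("lockout:", lockout_candidates(ev))   # {'alice'}
    print("spray:  ", spray_sources(ev))        # {'198.51.100.7'}
```

Bob fails twice from two different sources twenty minutes apart and is never locked out, which is exactly the attacker's aim; the second rule flags 198.51.100.7 on the fifth distinct account within a few seconds.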

Technical protection of passwords.

There is a broad range of attacks, focusing mainly on
- where the passwords are stored, and
- how the passwords are entered.

How passwords are entered

Interface design

Poor interface design means that users can read others' passwords as they are entered into the system (shoulder surfing).

Eavesdropping

Sniffers harvest cleartext passwords sent over networks by protocols such as telnet and FTP. Windows NT / 2000 do not send the cleartext password over the network; they use a challenge-response exchange derived from a hash of it, although that exchange can itself be captured and attacked offline.

How passwords are entered (2)

The need for a trusted path.

A simple attack program can look just like the usual logon prompt. When the user enters their password it stores the password, shows an error on screen and hands the user over to the genuine logon, so nothing seems amiss. Criminals have set up false cash machines in the same way. A trusted path (such as the Ctrl-Alt-Del secure attention sequence on Windows NT, which only the operating system can intercept) lets the user be sure they are talking to the real logon.

Attacks on password storage.

Attacks via the audit trail.

The log of failed logon attempts may contain a large number of passwords, because users get the username and password sequence out of phase and type the password into the username field, where it is logged in the clear.

One-way encryption.

Passwords are not kept in plaintext. A password, when entered, is passed through a one-way function and the user is logged on if the result matches the previously stored value.

Attacks on password storage (2)

Password cracking.

If an attacker gets access to the password file, a dictionary attack can be carried out: each word in a dictionary is passed through the same one-way function and the result compared with the entries in the password file. Traditional Unix crypt(3) limits the effective length of a password to 8 characters; the ninth and subsequent characters are ignored. Military system administrators often prefer to issue random passwords, because they can then compute the probability that a password will be cracked in a given time.
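An added example, not from the lecture, of the storage scheme and the attack on it: passwords are stored as a salted one-way hash, logon recomputes the hash, and a dictionary attack recovers the weak entries without ever reversing the function. SHA-256 is used so the block runs on the standard library (a real system should use a deliberately slow hash such as bcrypt, scrypt or Argon2); the user names, passwords, word list and mangling rules are constructed. A second hash function models the 8-character truncation of traditional crypt(3).

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> str:
    """One-way function of salt and password; the plaintext is never stored."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_password_file(users: dict) -> dict:
    """{user: (salt_hex, hash)}: what an attacker who gets the file sees."""
    pwfile = {}
    for user, password in users.items():
        salt = os.urandom(8)
        pwfile[user] = (salt.hex(), hash_password(password, salt))
    return pwfile


def login(pwfile: dict, user: str, password: str) -> bool:
    """Hash what was typed and compare with the stored value."""
    if user not in pwfile:
        return False
    salt_hex, stored = pwfile[user]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def candidates(word: str):
    """A few of the mangling rules a cracker applies to each dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1"
    yield word + "123"


def dictionary_attack(pwfile: dict, wordlist) -> dict:
    """Hash every candidate under each user's salt and compare with the file.
    Returns {user: recovered password} for the accounts that fall."""
    cracked = {}
    for user, (salt_hex, stored) in pwfile.items():
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            hit = next((c for c in candidates(word) if hash_password(c, salt) == stored), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def legacy_hash(password: str, salt: bytes) -> str:
    """Models the traditional Unix crypt(3) limit: only the first 8 characters
    count, so a long passphrase is no stronger than its first 8 characters."""
    return hash_password(password[:8], salt)


USERS = {                       # constructed accounts
    "alice": "password",        # straight dictionary word
    "bob": "Sunshine1",         # dictionary word plus a common mangling
    "carol": "Tq7!vZ2p#Lm9",    # random: survives the word list
}
WORDLIST = ["letmein", "password", "qwerty", "sunshine", "dragon"]


def demo() -> dict:
    return dictionary_attack(make_password_file(USERS), WORDLIST)


if __name__ == "__main__":
    print(demo())   # {'alice': 'password', 'bob': 'Sunshine1'}
```

The salt stops an attacker hashing the word list once for every user: each account costs a fresh pass over the dictionary. What the salt does not do is help an account whose password is in the dictionary, and the truncating variant shows why "correcthorsebatterystaple" and "correcthorse" are the same password to an 8-character scheme.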

Absolute Limits

Access control

Access control operates at several layers:
- Hardware: which memory addresses a particular program can access.
- Operating system: file and process permissions.
- Middleware / DBMS: groups and roles; a person gets the permissions of the role they hold in the organisation.
- Application: well-formed transactions (a debit matches a credit), possibly with dual authorisation (two people must approve). Application controls combine all the others.

Access control lists

The access control matrix for one object:

User              Sam    Alice    Bob
Accounting Data   rw     rw       r

Another way of simplifying access rights management is to store the access control matrix column by column, as in the table above.
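An added example, not from the lecture, of the matrix on the slide stored the two usual ways: by column (an access control list per object) and by row (a capability list per subject), with the reference-monitor check and the operations each form makes cheap. Sam, Alice, Bob and the Accounting Data rights are the slide's; the Payroll object is constructed to show that the matrix is sparse.

```python
# Rows are subjects, columns are objects; an absent entry means no access.
MATRIX = {
    "Sam":   {"Accounting Data": "rw", "Payroll": "r"},   # Payroll is constructed
    "Alice": {"Accounting Data": "rw"},
    "Bob":   {"Accounting Data": "r"},
}


def to_acls(matrix: dict) -> dict:
    """By column: each object carries {subject: rights}. This is the
    access control list form used by file systems."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = rights
    return acls


def to_capabilities(matrix: dict) -> dict:
    """By row: each subject carries {object: rights}."""
    return {s: dict(row) for s, row in matrix.items()}


def permitted(acls: dict, subject: str, obj: str, op: str) -> bool:
    """Reference-monitor check; op is one of 'r', 'w', 'x'. Anything not
    explicitly granted is denied, including unknown subjects and objects."""
    return op in acls.get(obj, {}).get(subject, "")


def who_can(acls: dict, obj: str, op: str) -> set:
    """Cheap with ACLs: inspect one object's list."""
    return {s for s, rights in acls.get(obj, {}).items() if op in rights}


def what_can(caps: dict, subject: str) -> dict:
    """Cheap with capabilities: inspect one subject's list."""
    return dict(caps.get(subject, {}))


def revoke(acls: dict, subject: str, obj: str, op: str) -> None:
    """Revoking one right on one object is a single ACL edit."""
    entry = acls.get(obj, {})
    if subject in entry:
        entry[subject] = entry[subject].replace(op, "")
        if not entry[subject]:
            del entry[subject]


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    print(who_can(acls, "Accounting Data", "w"))      # {'Sam', 'Alice'}
    print(permitted(acls, "Bob", "Accounting Data", "w"))   # False
    print(what_can(to_capabilities(MATRIX), "Sam"))
```

Answering "who can write the accounting data?" walks one ACL; answering "what can Sam reach?" walks one capability list. Whichever form is stored, the other question requires a scan of the whole matrix, which is why systems choose the form that matches the question they ask most.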

Windows NT

Attributes: Read, Write, Execute, Take Ownership, Change Permissions and Delete.

Users and resources can be partitioned into domains, and trust between domains can be one-way or two-way. The account data behind this is held in the registry (the SAM hive).


Computer security
National Diploma in Computing (ACCS)

Recommended Reading.

Bulletproofing TCP/IP-based Windows NT/2000 Networks, Gilbert Held, Wiley, ISBN 0-471-49507-7.

Skills Issues

Many attacks are not performed by professionals but by script kiddies: teenagers downloading software and attack scripts prepared by others. As systems become ever more complex, protecting them and keeping up with vulnerabilities gets harder. Hacking has become progressively deskilled while defence is becoming unmanageably complex.

Internet Protocol Suite

The Internet protocol suite was designed by universities and research labs cooperating with each other, on the assumption that users would be honest and competent. Instead we have a huge user population that is incompetent and has always-on Internet connections, a small minority that is competent and honest, and a minority that is competent and malicious. There are also opportunistic individuals who use whatever attack tools are available.

Deskilling a critical factor

A few organisations know how to track what is going on and tune their defences appropriately. Most companies rely on a combination of standard products and services: firewalls, virus scanners and intrusion detection systems. Many devices come preconfigured, and some users never change the default passwords. An attacker who works out how to defeat a widely sold system has a wide range of targets to aim at.

Network attack methods

- IP address spoofing
- Spam and address forgery
- General software-based attacks
- Application-based attacks
- Denial of service
- UDP flooding
- Router disturbance
- LAN attacks

IP address spoofing

A method of hiding the originator of a packet. Routers only check the destination address, not the source, so a packet can be sent with an incorrect source address to hide where it came from. The attacker can set the IP address of his machine to that of a different host; replies will then go to the host that legitimately holds that address rather than to the attacker, so spoofing suits one-way attacks such as floods. It can be difficult to trace back, particularly if the source address changes randomly.

Spam and Address Forgery

Services such as email and the web assume that the lower layers are secure. A DNS lookup resolves a hostname to an IP address. By feeding false information into locally cached DNS tables, web requests can be redirected to another site. This is called DNS cache poisoning. Forged email sender addresses exploit the same lack of authentication at the lower layers.

General software-based attacks

Ping of death

Batch files can be run on PCs to send continuous pings. Sending an oversized datagram (larger than the 65,535-byte IP maximum, assembled from fragments) could cause certain operating systems to hang or crash. Most operating systems have since fixed this flaw; configuring routers to block incoming pings can stop this type of attack.

Bogus Java applets

An applet can run and request information from a user, which is then transmitted to the attacker. Configuring your network to block applets and educating users about the dangers of bogus applets can reduce the likelihood of an attack.

Dictionary attack

Using a dictionary to break a password. Defences: lock out the user after a predefined number of attempts, use a firewall to block repetitive actions, and use the router to block login attempts from untrusted networks.

Application-based attacks

Using TCP/IP applications such as FTP and email to harm an organisation.

Email-based attacks

Prevent people outside the organisation from emailing internal distribution groups. Viruses and macro attacks arrive attached to incoming emails. Restrict access to distribution lists, use virus scanners and educate employees not to open attachments.

FTP Attacks

Many web servers are also FTP servers, and breaking into the FTP server can allow an attacker to change web pages and add or delete files. Configure access lists to allow FTP only from certain locations. Mget and mput attacks transfer many files at once, causing connection overload.

Denial of service

A denial of service (DoS) attack attempts to flood a device with so many bogus service requests that its resources are consumed, to the point where the target has little ability to respond to legitimate requests.

Directed broadcasts (Smurf attacks)

Pings are sent to the broadcast address of a network from a spoofed IP address, that of the victim. Every host on that network replies, so each ping results in up to 254 replies (on a class C network) to the spoofed address. Use the interface command no ip directed-broadcast to stop the router forwarding directed broadcasts onto the network.

SYN attacks (DoS)

The SYN attack sends many connection requests and never completes the three-way handshake. It keeps the backlog queue in the device full, so the device cannot respond to legitimate SYN requests.

UDP flooding

UDP flooding (character generator attack)

When the simple TCP/IP services are installed on a host, a UDP packet sent to the broadcast address of the network with a destination port of 19 (chargen) makes each host reply with a random-length (0 to 512 character) test pattern. If the source address is spoofed to the echo port (7) of a third party, the echo service sends each pattern straight back and the two services feed each other. This leads to a flood of useless traffic between the target and the spoofed third party.

Router disturbance.

The router itself can be attacked using the UDP flooding attack. The router uses the TCP and UDP small servers to provide the echo, chargen and discard functions. Adding the following lines to the configuration disables them and prevents this attack:

    no service tcp-small-servers
    no service udp-small-servers

The router can also be attacked by an unauthorised user getting access and changing the router's configuration.

Attacks on local Networks

Suppose an employee wants the password of another employee in order to perpetrate a fraud. He can install packet sniffer software to harvest passwords, which needs physical access to the network. With the administrator password he can create a suitable account for himself.

Security role of the router

- Access control: access lists
  - Standard IP access lists
  - Extended IP access lists
- Examples

The role of the firewall

- Access list limitations
- Proxy services
- Operational examples
- Network address translation

Defence against network attack.

- Configuration management
- Firewalls

Packet filtering

Filters based on packet address and port numbers.

Circuit gateways

Reassemble and examine all packets in each TCP circuit. More expensive, but can provide added functionality, for example:
- a virtual private network, encrypted from firewall to firewall;
- screening out blacklisted web sites and newsgroups.

Application relays

Act as a proxy for one or more services, and can enforce rules such as:
- stripping macros from Word documents;
- removing active content from web pages.

They can be a serious bottleneck and prevent users running the latest applications.

Ingress Vs Egress Filtering

Almost all firewalls point outwards, keeping bad things out. Military systems also monitor outgoing traffic to ensure nothing classified goes out in the clear. Industry uses egress filtering to prevent its own machines launching denial of service attacks. It also stops snitchware, software that phones home for copyright reasons.

Combinations.

Multiple firewalls may be used. There may be an outside packet filter connecting the outside world to a screened subnet, the demilitarised zone (DMZ). The DMZ contains a number of proxies that filter mail and web traffic. The DMZ is connected to the internal network via a further filter that does network address translation. Such elaborate installations can get in the way so much that people install unauthorised back doors around them.

Strengths and Limitations of Firewalls.

Firewalls can be made very simply, as they do only a small number of things. This eliminates many vulnerabilities and sources of error. The equipment is only as good as its configuration, and organisations do not learn enough to do it properly. There is a big trade-off between security and performance. Many attacks come from people inside the system, whom a perimeter firewall never sees.

Access Control

Cisco's IOS (Internetworking Operating System) controls the operation of the communications device. It supports:
- a modem connection (remote access)
- a console connection (local access)
- a telnet connection (remote access)

Many organisations give their router the .1 address of the network. If we can telnet to the router and write a program that sends one password guess after another, it may be possible to break into it over a long period of time. There are two router modes:
- User EXEC: a limited number of functions
- Privileged EXEC: perform router configuration

You need the enable password (if set) to go from user to privileged mode.

Password Encryption

You can set username/password pairs on your router. Normally these passwords are not encrypted and can be viewed by anyone looking at the router configuration. To obscure them:

    service password-encryption

This stores them as type 7 passwords, a reversible scrambling (an XOR against a fixed key) that can be unscrambled quite easily; the method is widely published on the web. The enable secret command uses type 5, which is more secure because it stores a salted one-way hash (MD5) rather than a reversible encoding.
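An added example, not from the lecture, showing why "unscrambled quite easily" is literally true: a type 7 decoder and encoder, plus a small audit that reads a configuration and reports which credentials are reversible. The translation string is the fixed key IOS uses for type 7; the seed is the first two decimal digits of the stored value and each following byte is one plaintext character XORed with a key character. The configuration text is constructed, and the enable secret value in it is a placeholder, not a real MD5 hash.

```python
import re

# Fixed key used by IOS type 7 password obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Reverse a 'password 7' value: seed = first two digits, then hex bytes
    XORed with successive key characters starting at the seed."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def type7_encrypt(plain: str, seed: int = 0) -> str:
    """What 'service password-encryption' produces; seed is 0..15."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Constructed configuration fragment; the type 5 value is a placeholder.
CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$placeholder.not.a.real.hash
username admin password 7 060506324F41
line vty 0 4
 password 7 0822455D0A16
"""

CRED = re.compile(r"^\s*(.*?)(password|secret) (\d) (\S+)$")


def audit(config: str) -> list:
    """For every credential in the config: (line, type, recovered plaintext or None).
    Type 7 is reversible on the spot; type 5 is a one-way hash and can only be guessed."""
    out = []
    for line in config.splitlines():
        m = CRED.match(line)
        if not m:
            continue
        _, _, ptype, value = m.groups()
        recovered = type7_decrypt(value) if ptype == "7" else None
        out.append((line.strip(), int(ptype), recovered))
    return out


if __name__ == "__main__":
    for line, ptype, recovered in audit(CONFIG):
        print(f"type {ptype}: {line!r} -> {recovered!r}")
```

Anyone who can read the configuration (a backup on a TFTP server, a pasted show run) recovers every type 7 password instantly, which is why service password-encryption only protects against shoulder surfing. The enable secret line yields nothing to this audit; the only attack on it is guessing, as for any other one-way hash.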

Access List Restrictions

You can use access lists to limit or block all telnet access, or turn off the telnet listener altogether:

    line vty 0 4
     transport input none

If you want to restrict telnet to hosts on 198.78.46.0/24:

    access-list 1 permit 198.78.46.0 0.0.0.255
    line vty 0 4
     access-class 1 in

The access-class statement applies the list to the virtual terminal lines in a particular direction; in checks the source address of incoming sessions, and the implicit deny at the end of the list refuses everyone else.

Protecting Hardwired Connection

The console port provides an EXEC session without a password; it assumes that whoever is physically at the port is authorised. You can set a user EXEC password on this port:

    line console 0
     login
     password cisco
     exec-timeout 5 0

In the example above the timeout for an unattended console is 5 minutes and 0 seconds. The password cisco is only a placeholder; choose a strong one. Routers should be kept in a physically secure location.

SNMP

Simple Network Management Protocol. SNMP uses a community string to authorise access, and the default of public is usually left in place. To change the string and limit SNMP to one host:

    snmp-server community thenewstring ro 1
    access-list 1 permit host 198.78.46.8

The default community string is changed to thenewstring, SNMP has read-only access (ro), and access list 1 limits SNMP access to a particular host. Community strings travel in the clear in SNMPv1 and v2c, so the access list matters.

SNMP traps

The router can be configured to send SNMP alerts to the management station. Three statements are involved: send a trap when a packet arrives with an incorrect community string, set the trap-source (the interface from which traps originate), and associate the management host's address with the community string:

    snmp-server trap-authentication
    snmp-server trap-source Ethernet1
    snmp-server host 198.78.46.8 thenewstring

The router will send authentication traps out Ethernet1 to 198.78.46.8 using the community string thenewstring.

Access lists

An access list is an ordered list of statements that permit or deny the flow of packets across an interface. It is a filtering mechanism: the list parameters are matched against the applicable fields of each packet, the first matching statement wins, and a packet that matches nothing is denied. The access list is then applied to an interface in a specific direction. Access lists will be considered in a separate lecture.

Access List example to prevent spoofing


    ! Anti-spoofing statements, applied inbound on the Internet-facing interface
    ! Deny private addresses
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    ! Deny the all-zeros network, the all-ones broadcast and loopback
    access-list 101 deny ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    ! Deny class D and class E addresses
    access-list 101 deny ip 224.0.0.0 15.255.255.255 any
    access-list 101 deny ip 240.0.0.0 15.255.255.255 any
    ! Deny packets claiming to come from your own network
    access-list 101 deny ip 198.78.46.0 0.0.0.255 any
    ! ... followed by permit statements for the traffic you do want;
    ! the list ends in an implicit deny
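An added example, not from the lecture, of how the router evaluates the list above: Cisco wildcard masks (a 1 bit means "don't care"), first-match semantics and the implicit deny, run against constructed source addresses. The rules are those of the anti-spoofing list; a final permit any is assumed so the list does something other than drop every packet.

```python
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the base address."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


# The anti-spoofing list, as (action, base, wildcard). Applied inbound on the
# Internet-facing interface; the last rule is assumed.
ANTI_SPOOF = [
    ("deny", "10.0.0.0", "0.255.255.255"),        # RFC 1918 10/8
    ("deny", "172.16.0.0", "0.15.255.255"),       # RFC 1918 172.16/12
    ("deny", "192.168.0.0", "0.0.255.255"),       # RFC 1918 192.168/16
    ("deny", "0.0.0.0", "0.255.255.255"),         # 'this' network
    ("deny", "255.255.255.255", "0.0.0.0"),       # host 255.255.255.255
    ("deny", "127.0.0.0", "0.255.255.255"),       # loopback
    ("deny", "224.0.0.0", "15.255.255.255"),      # class D (multicast)
    ("deny", "240.0.0.0", "15.255.255.255"),      # class E (reserved)
    ("deny", "198.78.46.0", "0.0.0.255"),         # our own network as a source
    ("permit", "0.0.0.0", "255.255.255.255"),     # assumed: permit any
]


def evaluate(acl, src: str) -> str:
    """First matching statement wins; a list with no match is an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def wildcard_to_cidr(base: str, wildcard: str) -> str:
    """Readable form of a rule with a contiguous wildcard: 0.15.255.255 is /12."""
    ones = bin(to_int(wildcard)).count("1")
    return f"{base}/{32 - ones}"


if __name__ == "__main__":
    for src in ("10.1.2.3", "172.31.255.1", "172.32.0.1", "198.78.46.10", "203.0.113.5"):
        print(f"{src:>15} -> {evaluate(ANTI_SPOOF, src)}")
    print(wildcard_to_cidr("172.16.0.0", "0.15.255.255"))   # 172.16.0.0/12
```

The 172.16 rule is the one people get wrong: with a wildcard of 0.31.255.255 the list would also drop 172.0.0.0 to 172.15.255.255, which are routable addresses; 0.15.255.255 covers exactly 172.16.0.0 to 172.31.255.255.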

New capability in access lists

- Named access lists
- Dynamic access lists
- Reflexive access lists
- Time-based access lists
- TCP intercept
- Context-based access control (CBAC)

Access list limitations

Access lists are blind with respect to the operation being performed. They cannot look into the packet to see whether a harmful operation is taking place and stop it or generate an appropriate alert. Examples of what they cannot do:
- detect repeated login attempts;
- block harmful application actions, such as particular FTP commands.

The role of the virus scanner and encryption.

Virus overview

- Types of virus
- Prevention
- Detection
- Scanning
- Private key: DES
- Leased line vs switched networks
- Public key encryption

Encryption

Intrusion Detection

Examples of Intrusion detection


Sounding an alarm when a threshold is passed. Detection may be misuse detection (matching known bad patterns) or anomaly detection (departure from normal behaviour).

- Three or more failed logins
- Credit card expenditure of more than twice the moving average of the last 3 months
- A mobile phone call lasting more than 6 hours
- Attempting to download a password file
- Random number detection (Benford's law): genuine figures are not uniformly random; the leading digit 1 is far more common than 9, and invented figures usually break this pattern.
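An added example, not from the lecture, of the Benford's law check: the leading-digit distribution of a set of amounts is compared with Benford's expectation using a chi-squared statistic, and an alarm is raised when the deviation is significant. Both data sets are constructed: a compound-growth series, which obeys the law, and a uniform spread of three-digit amounts, which does not. The 8-degree-of-freedom critical value is the standard 5% one.

```python
import math
from collections import Counter


def benford_expected(d: int) -> float:
    """Benford's law: probability that the leading digit is d."""
    return math.log10(1 + 1 / d)


def first_digit(x: float) -> int:
    """Leading non-zero digit of a non-zero number, via scientific notation."""
    return int(f"{abs(x):e}"[0])


def leading_digit_counts(amounts) -> Counter:
    return Counter(first_digit(x) for x in amounts if x != 0)


def benford_chi2(amounts) -> float:
    """Chi-squared distance between the observed leading-digit counts and
    Benford's expectation (9 bins, 8 degrees of freedom)."""
    counts = leading_digit_counts(amounts)
    n = sum(counts.values())
    return sum(
        (counts[d] - n * benford_expected(d)) ** 2 / (n * benford_expected(d))
        for d in range(1, 10)
    )


CHI2_CRIT_8DF_5PCT = 15.507   # chi-squared critical value, 8 d.f., p = 0.05


def looks_fabricated(amounts) -> bool:
    """Alarm when the leading digits deviate significantly from Benford's law."""
    return benford_chi2(amounts) > CHI2_CRIT_8DF_5PCT


# Constructed data sets.
GENUINE = [round(1.07 ** k, 2) for k in range(1000)]        # compound growth: obeys Benford
FABRICATED = [100 + (k * 37) % 900 for k in range(1000)]     # every leading digit equally likely


if __name__ == "__main__":
    for name, data in (("genuine", GENUINE), ("fabricated", FABRICATED)):
        counts = leading_digit_counts(data)
        share = {d: round(counts[d] / len(data), 3) for d in range(1, 10)}
        print(f"{name:10} chi2={benford_chi2(data):7.2f} alarm={looks_fabricated(data)} {share}")
```

The check is a screen, not proof: it flags a batch of figures for a closer look, and it only applies to quantities that span several orders of magnitude (invoice amounts, transaction values), not to bounded ones such as ages or PINs.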
