1 Security: Automated Attacks Defined, Microsoft’s Approach to Vulnerabilities, How to Protect Your P.C.

Upload: rosemary-tyler

Post on 27-Dec-2015

TRANSCRIPT

Page 1: 1 Security Automated Attacks Defined Microsoft’s Approach to Vulnerabilities How to Protect Your P.C

Security

Automated Attacks Defined

Microsoft’s Approach to Vulnerabilities

How to Protect Your P.C.

Anti-Hacker Poetry in Mac OS X

"Your karma check for today:

There once was a user that whined/
his existing OS was so blind/
he'd do better to pirate/
an OS that ran great/
but found his hardware declined./
Please don't steal Mac OS!/
Really, that's way uncool./
(C) Apple Computer, Inc."

Automated Attack Vectors

Automated Attack Vectors: Viruses

A computer program file capable of attaching to disks or other files.

Necessary characteristics of a virus:
It is able to replicate.
It requires a host program as a carrier.
It is activated by external action (the user runs or opens the infected host).

Automated Attack Vectors: Viruses: Polymorphic viruses

Creates copies during replication that are functionally equivalent but have distinctly different byte streams:

Randomly insert superfluous instructions.
Interchange the order of independent instructions.
Use encryption schemes (the body is encrypted under a fresh key for each copy; only a small decryptor stub stays in clear, and that stub is itself varied).

This variable quality makes the virus difficult to locate, identify, or remove with a fixed byte signature; scanners answer by emulating the decryptor before matching, or by matching on behavior instead of bytes.
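As an added illustration of the encryption bullet, not part of the original deck: a toy Python "polymorphic" encoder. The payload is a harmless string standing in for a malicious body (constructed for this example), and the signature is the byte pattern a scanner would carry for it. Each copy is XOR-encrypted under a fresh random key, so a static signature scan misses every copy, while a scanner that first runs the decryptor step (the emulation approach) matches all of them.

```python
import hashlib
import os

# Constructed stand-in for a virus body: a harmless string, nothing executable.
PAYLOAD = b"functionally identical body"
# The static byte signature a scanner would carry for that plaintext body.
STATIC_SIGNATURE = b"identical body"
KEY_LEN = 4


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the 'encryption scheme' bullet in its simplest form."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes) -> bytes:
    """One polymorphic copy: a fresh random key followed by the XOR'd body.
    Zero bytes are excluded from the key so no byte of the body survives in clear."""
    while True:
        key = os.urandom(KEY_LEN)
        if 0 not in key:
            return key + xor_encode(payload, key)


def recover(variant: bytes) -> bytes:
    """What the decryptor stub does at run time: read the key, XOR the body back."""
    return xor_encode(variant[KEY_LEN:], variant[:KEY_LEN])


def static_signature_hits(variant: bytes) -> bool:
    """Naive scanner: look for the signature in the bytes as stored on disk."""
    return STATIC_SIGNATURE in variant


def emulated_signature_hits(variant: bytes) -> bool:
    """Scanner that runs the decryptor first, then matches on the result."""
    return STATIC_SIGNATURE in recover(variant)


def demo(copies: int = 5) -> dict:
    """Make several copies and compare what each scanning strategy sees."""
    variants = [make_variant(PAYLOAD) for _ in range(copies)]
    return {
        "distinct_byte_streams": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_signature_hits(v) for v in variants),
        "emulated_hits": sum(emulated_signature_hits(v) for v in variants),
        "all_equivalent": all(recover(v) == PAYLOAD for v in variants),
    }
```

Every copy decodes to the same body, yet no two copies share a hash and the static signature never fires; only the scanner that performs the decryption step sees the body. Real polymorphic engines also mutate the decryptor stub itself, which is why the stub cannot simply be signatured either.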

Automated Attack Vectors: Worms

A self-replicating computer program, similar to a virus.
A virus attaches itself to, and becomes part of, another executable program.
A worm is self-contained and does not need to be part of another program to propagate itself.

The Robert Morris Worm (1988):
Written at Cornell
Released at MIT
Fixed at Harvard

Automated Attack Vectors: Worms

Necessary characteristics of a worm:
It is able to replicate without user intervention.
It is self-contained and does not require a host.
It is activated by creating a process.
If it is a network worm, it can replicate across communication links.

Some customers like to distinguish between worms that use buffer overruns to propagate and those that use e-mail (mass mailers, which still depend on a recipient opening the attachment).

Automated Attack Vectors: Worms: Examples

SQL Slammer (2003; a single UDP packet to SQL Server port 1434, MS02-039)
Blaster (2003; RPC DCOM, TCP port 135, MS03-026)
MyDoom (2004; mass mailer, spread by e-mail attachment and P2P shares)
Sasser (2004; LSASS, TCP port 445, MS04-011)

Automated Attack Vectors: Bots

Derived from the word "robot".
A program designed to search the Internet for information with little human intervention.
Search engines, such as Yahoo and Altavista, typically use bots (crawlers) to gather information for their databases; the term itself is neutral, and the malicious sense on the following slides is the one that matters here.

Automated Attack Vectors: Bots

Bots are analogous to agents.
Typically an exe.
Bots are not exploits themselves: they are payloads delivered by worms, viruses and hackers, installed after compromise.
They infect the system and maintain access so attackers can control it.
Botnets: thousands of systems controlled from one point.

Automated Attack Vectors: Bots

Thousands of highly configurable bot packages are available on the Internet.
Botnets are usually between 10,000 and 100,000 machines; some reach 350,000.
Considered the No. 1 emerging online threat (CNN, Jan 1, 2006).
Some use IRC channels to communicate (command and control):
Easy to use.
Control thousands of systems from one channel.
Obscures traffic among legitimate IRC traffic (TCP port 6667).
Obscures the attacker's identity.
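An added detection example for the IRC point above; it is not part of the original deck. It scans constructed flow records (a made-up format, not from any real sensor) for internal hosts talking IRC to the outside. Matching on TCP 6667 alone misses a bot whose herder moved the server to another port, so the check also fingerprints the protocol from the first payload bytes (NICK, USER, JOIN, PRIVMSG). The "internal" ranges are assumed to be the RFC 1918 networks.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records in a made-up format (not from any real sensor):
# timestamp  src:port  dst:port  proto  "first payload bytes"
FLOWS = """\
2006-01-01T10:00:01 10.0.0.5:1044 203.0.113.7:6667 TCP "NICK bot-5f3a"
2006-01-01T10:00:02 10.0.0.5:1045 203.0.113.7:6667 TCP "JOIN #cmd"
2006-01-01T10:00:05 10.0.0.9:1100 198.51.100.20:8080 TCP "NICK zomb1"
2006-01-01T10:00:07 10.0.0.12:3321 198.51.100.9:80 TCP "GET / HTTP/1.1"
2006-01-01T10:00:09 10.0.0.12:3322 203.0.113.7:6667 TCP "USER x x x :y"
2006-01-01T10:00:11 172.16.4.2:5555 10.0.0.1:445 TCP ""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'(?P<proto>\w+) "(?P<payload>[^"]*)"$'
)

# Assumed: the RFC 1918 ranges are "inside"; everything else is the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IRC_PORTS = {6667}
# IRC client commands that open a session; a bot on port 8080 still sends these.
IRC_COMMANDS = ("NICK ", "USER ", "JOIN #", "PRIVMSG ")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def looks_like_irc(flow: dict) -> bool:
    """Port match OR protocol fingerprint, so a non-standard port is not enough to hide."""
    return int(flow["dport"]) in IRC_PORTS or flow["payload"].startswith(IRC_COMMANDS)


def find_bot_candidates(text: str) -> dict:
    """Internal sources talking IRC to external hosts -> {src_ip: {"dst:port", ...}}."""
    hits = defaultdict(set)
    for flow in parse_flows(text):
        if is_internal(flow["src"]) and not is_internal(flow["dst"]) and looks_like_irc(flow):
            hits[flow["src"]].add(f"{flow['dst']}:{flow['dport']}")
    return dict(hits)
```

On the sample, 10.0.0.5 and 10.0.0.12 are caught by the port, 10.0.0.9 only by the NICK fingerprint on port 8080, and the internal SMB flow is ignored. Several internal hosts converging on one external IRC server is the botnet shape to look for; one host on 6667 may just be a person chatting.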

Automated Attack Vectors: Bots: uses

DDoS attacks.
Information theft: keyboard logging, network monitoring, etc.
Trading bandwidth between hacker communities.
Warez, i.e. hosting illegal data: pirated software, movies, games, etc.

Automated Attack Vectors: Bots: prime targets

High bandwidth ("cable bots").
High availability systems (always on, always reachable).
Low user sophistication.
Systems located in a geography providing a low likelihood of law enforcement effectiveness.

Automated Attack Vectors: Bots: examples

Agobot = Gaobot = Phatbot = Polybot (thousands of variants)
Uses MS03-001 (RPC Locator service) and MS03-026/MS03-039 (RPC DCOM) to propagate.
TCP port 135 and TCP port 445.
Probes admin shares (C$, ADMIN$) using a hard-coded list of user names and passwords.

Automated Attack Vectors: Bots: examples

Agobot = Gaobot = Phatbot = Polybot
Steals CD keys for a hard-coded list of popular games.
Inventories running processes.
Kills processes in a hard-coded list:
Firewalls
AV software
Other worms (competing malware on the same host)

Automated Attack Vectors: Backdoors

Provides access without using normal authorization or vulnerability exploitation.
Typically runs under the SYSTEM context.
Once installed, allows anyone or any program that knows the listening port number (and password) to remotely control the host.
Intruders access the backdoor server using either a text-based or a graphics-based client.
Allows intruders to run any command or process.

Automated Attack Vectors: Trojans

Term borrowed from Greek mythology (the Trojan Horse).
Malicious program disguised as something benign: a screen saver, game, etc.
Delivered as exe, com, vbs, bat, pif, scr, lnk, js, etc.
It seems to function as the user expects.

Automated Attack Vectors: Trojans

May or may not appear in the process list.
May install a backdoor.
Generally spread through e-mail and the exchange of disks and files.
Also spread by worms, IRC channels, P2P applications, porn sites, etc.

Security at Microsoft

Security Teams at Microsoft

PSS Security: Microsoft Services and Our Customers
Trustworthy Computing Security: Strategy for Trustworthy Computing
Microsoft Security Response Center (MSRC)
Corporate Security: Operations, Network Security
Security Business & Technology Unit (SBTU)
Microsoft Consulting: National Practice TWC
Premier Support Services: Security Solutions Architects
Secure Windows Initiative (SWI)
Security Center of Excellence (SCOE)
MSN, MS.com, etc.

Vulnerability Reported

Is the reported problem really a vulnerability?

A security vulnerability is a flaw in a product that makes it infeasible, even when using the product properly, to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/vulnrbl.asp

Vulnerability Reported (diagram of the response process; not reproduced in the transcript)

Protecting Your P.C.

How To Protect Your PC

Three primary ways to exploit you:
Weak passwords
Unpatched vulnerabilities
Social engineering

How To Protect Your PC: Use Complex Passwords

At least eight characters long.
Does not contain all or part of the user's account name.
Contains characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base-10 digits (0 through 9)
Non-alphanumeric characters (for example, !, $, #, %), extended ASCII, symbolic, or linguistic characters

Treat these rules as a floor, not a target: "Password1!" satisfies every one of them and sits on every attacker's word list.

How To Protect Your PC: Other Options

Use a pass phrase instead of a password (length beats symbol mix: a long phrase is far harder to brute force than an eight-character complex one).
Use non-English words in the password.
Rename accounts, including the Administrator account (a speed bump only: the built-in account keeps its well-known RID 500 and can still be found by SID, so it still needs a strong password).
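An added example, not part of the original deck, that turns the Use Complex Passwords rules and the pass phrase advice above into a checker. The account-name test approximates Windows behaviour (reject the account name and any 3+ character token of the full name); the common-password list is a constructed stand-in for the hard-coded lists bots carry. It also shows the tension the two slides leave open: a plain lowercase pass phrase fails the three-of-four rule even though it is the stronger secret.

```python
import re

# Constructed stand-in for the credential lists bots carry; a real deployment
# would check against a breached-password corpus instead.
COMMON = {"password1!", "p@ssw0rd", "welcome1!", "admin123", "letmein1!"}


def meets_complexity(password, account_name, full_name=""):
    """Return the list of rule violations (an empty list means the policy is met).

    Rules from the slide: >= 8 characters, does not contain the account name,
    characters from 3 of 4 categories. The name check also rejects any 3+
    character token of the full name, an approximation of the Windows check.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    lowered = password.lower()
    tokens = {account_name.lower()} | {
        t.lower() for t in re.split(r"[ ,.\-_#\t]+", full_name) if len(t) >= 3
    }
    if any(t and t in lowered for t in tokens):
        problems.append("contains account or full name")
    categories = [
        any(c.isupper() for c in password),   # English uppercase
        any(c.islower() for c in password),   # English lowercase
        any(c.isdigit() for c in password),   # base-10 digits
        any(not c.isalnum() for c in password),  # everything else
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 of 4 character categories")
    return problems


def is_strong(password, account_name, full_name=""):
    """Complexity alone is not strength: also reject anything on a common list."""
    problems = meets_complexity(password, account_name, full_name)
    if password.lower() in COMMON:
        problems.append("appears on a common-password list")
    return problems
```

Running "Password1!" through `is_strong` passes every complexity rule and fails only the list check, which is the argument for the pass phrase slide; "correct horse battery staple" fails complexity on categories alone, so a policy that enforces three-of-four has to be relaxed (or the phrase capitalised) before the better advice can be followed.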

How To Protect Your PC: Keep Your PC Updated

Use Windows Update AND Office Update (Microsoft Update now covers both).
Use the automatic update client.
XP SP2 (Windows Firewall on by default, Security Center).
Run antivirus and anti-spyware software, and keep their signatures current.

How To Protect Your PC: Social Engineering

Do not open e-mail from people you don't know.
Do not open e-mail attachments you were not expecting, even from people you know (mass mailers forge the sender address).
Do not follow URLs sent in e-mail; type the address yourself.
Do not go to web sites that you cannot trust.

Biometrics 101 (cont)

Required System Components

A biometric authentication device is made up of three components:
A database of biometric data (the enrolled templates).
Input procedures and devices (the sensor and the capture process).
Output and graphical interfaces.

Identification Vs. Verification

In identification, the system attempts to find out who the sample belongs to by comparing the sample with a database of samples in the hope of finding a match (a one-to-many comparison). "Who is this?"

Verification is a one-to-one comparison in which the biometric system attempts to verify an individual's claimed identity against the single template enrolled for that identity. "Is this person who he/she claims to be?"

Human trait examples used in Biometrics

Fingerprints
A fingerprint system looks at the patterns found on a fingertip. There are a variety of approaches to fingerprint verification, e.g. the traditional police method of matching minutiae; others use straight pattern-matching devices. Some verification approaches can detect when a live finger is presented; some cannot, and those are open to replay with a lifted print or a mold.

Hand Geometry
Hand geometry involves analyzing and measuring the shape of the hand. This biometric offers a good balance of performance characteristics and is relatively easy to use. It might be suitable where there are more users or where users access the system infrequently and are perhaps less disciplined in their approach to the system.

Security Measures for the Internet Age

Encryption

Plaintext --Encryption--> Ciphertext --Decryption--> Plaintext

Cryptography: the art and science of keeping messages secure.
Cryptanalysis: the art and science of breaking ciphertext.
Cryptology: the area of mathematics that covers both.

Encryption continued

If
M = the plaintext message
C = the encrypted ciphertext
E = the encryption algorithm
D = the decryption algorithm

Then
E(M) = C
D(C) = M
D(E(M)) = M

Algorithms and Keyspaces

The cryptographic algorithm (cipher) is a mathematical function used for encryption and decryption.

A restricted algorithm bases its security on keeping the internals of the algorithm secret.
But:
If someone leaves the group, the algorithm has to change.
Someone buys (or reverse engineers) the algorithm.
The problems of restricted algorithms are solved by using keys: the algorithm can be public and only the key is secret (Kerckhoffs's principle).

Keys

Any one of a large number of values.
The total possible set of keys is called the keyspace.
The encryption and decryption are dependent on the key. So:

E_K(M) = C
D_K(C) = M
D_K(E_K(M)) = M

What does this mean?

D_K2(E_K1(M)) = M

Some algorithms use one key to encrypt and a different key to decrypt (K2 ≠ K1; this is the asymmetric case on the next slides). For any key other than the correct one, decryption yields garbage, so the secret key, and the size of the keyspace an attacker would have to search, is the whole basis of security.

Private vs. Public Key Encryption

symmetric (private, or secret, key)

asymmetric (public key)

Symmetric vs. Asymmetric algorithms

Symmetric:
Typically use the same key for encryption and decryption.
Sender and receiver must agree on a secret key before sending the message (the key distribution problem).

Asymmetric:
The key for encryption is different from the one for decryption.
The encryption key can be made public.
The decryption key is private.
Sometimes called public key encryption.

Cryptanalysis

Recovering the plaintext without the key (an attack). All secrecy resides in the key, so the attacker is assumed to know the algorithm.

Types of attack:
Ciphertext-only attack: the attacker has only ciphertext.
Known-plaintext attack: the attacker has some plaintext/ciphertext pairs.
Chosen-plaintext attack: the attacker can pick plaintexts and obtain their ciphertexts.
Adaptive-chosen-plaintext attack: as above, choosing each plaintext based on earlier results.
Rubber-hose attack: coerce the key out of its holder.
Purchase-key attack: bribe the holder for it.
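Added example covering the keys and keyspace slides and the known-plaintext attack above; it is not from the original deck. The cipher is a keyed stream cipher built from a public algorithm (HMAC-SHA256 run in counter mode as the PRF), chosen for illustration rather than as a recommendation; key, nonce and message are constructed. It shows E_K(M) = C and D_K(C) = M, that D_K2(E_K1(M)) is garbage when K2 ≠ K1, and that with a 16-bit keyspace a single known plaintext/ciphertext pair recovers the key by exhaustive search even though the algorithm is fully known.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Public algorithm: PRF(key, nonce || counter) blocks, HMAC-SHA256 as the PRF.
    Illustrative only; use AES-GCM or ChaCha20-Poly1305 in real systems."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, message: bytes, nonce: bytes) -> bytes:
    """E_K(M) = C: XOR the plaintext with the keystream (never reuse a nonce under one key)."""
    return bytes(m ^ k for m, k in zip(message, keystream(key, nonce, len(message))))


def decrypt(key: bytes, ciphertext: bytes, nonce: bytes) -> bytes:
    """D_K(C) = M: the same operation, because XOR is its own inverse."""
    return encrypt(key, ciphertext, nonce)


def demo() -> dict:
    """Constructed message and two independent 256-bit keys."""
    message = b"attack at dawn"
    nonce = os.urandom(8)
    k1, k2 = os.urandom(32), os.urandom(32)
    c = encrypt(k1, message, nonce)
    return {
        "ciphertext_differs": c != message,
        "roundtrip": decrypt(k1, c, nonce) == message,           # D_K1(E_K1(M)) == M
        "wrong_key_recovers": decrypt(k2, c, nonce) == message,  # D_K2(E_K1(M)) != M
    }


def brute_force_known_plaintext(ciphertext: bytes, known_plaintext: bytes,
                                nonce: bytes, key_bits: int):
    """Known-plaintext attack against a tiny keyspace: try every key until
    D_K(C) equals the known M. The algorithm is public, so only the 2**key_bits
    candidate keys stand between the attacker and the plaintext."""
    key_len = (key_bits + 7) // 8
    for candidate in range(2 ** key_bits):
        key = candidate.to_bytes(key_len, "big")
        if decrypt(key, ciphertext, nonce) == known_plaintext:
            return key
    return None
```

With a 256-bit key the same loop is hopeless, which is the point of the keyspace slide: a public algorithm and a large keyspace beat a secret algorithm with a small one. The nonce caveat matters too: encrypting two messages under the same key and nonce XORs the same keystream into both, and XORing the ciphertexts cancels it, a classic known-plaintext disaster.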

Public Key Infrastructure

Involves hardware, software, data transport mechanisms, smart cards, governing policies and protocols.

Requires the services of:
Registration Authority (verifies the identity of the applicant)
Certificate Authority (signs the certificate that binds that identity to a public key)
Data Repositories (publish certificates and revocation lists)

Digital Signatures

A signature involves two pieces of information:
the data being transmitted (in practice, a hash of it)
the private key of the individual or organization sending the data

The sender uses the private key to compute the signature over the data; the private key itself is never sent. Anyone holding the matching public key can check the signature to verify that the data is from the stated source and has not been altered.
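An added example, not from the original deck, of how a digital signature actually works: the private key signs, the public key verifies, and the private key never leaves the signer. It is textbook RSA with small demo primes (assumed for illustration; real deployments use 2048-bit keys and a padding scheme such as RSASSA-PSS, and this unpadded form must not be used as-is).

```python
import hashlib

# Toy RSA parameters, assumed for illustration only: two primes near 1,000,000
# give a modulus a laptop factors instantly. Real keys are 2048+ bits and
# signatures use a padding scheme (RSASSA-PSS); never deploy this unpadded form.
P, Q = 999983, 1000003
N = P * Q                  # public modulus
E = 65537                  # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)        # private exponent: E * D == 1 (mod PHI); Python 3.8+

PUBLIC_KEY = (N, E)        # published to anyone who wants to verify
PRIVATE_KEY = (N, D)       # stays with the signer; it is never transmitted


def digest(message: bytes) -> int:
    """Sign a hash of the data, not the data itself, reduced into the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """S = H(M)^D mod N, computable only by whoever holds the private exponent."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Check S^E mod N == H(M); fails if either the data or the signature changed."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo() -> dict:
    """Constructed sample data: a genuine signature, a tampered message, a forged signature."""
    message = b"wire $100 to account 42"
    signature = sign(message, PRIVATE_KEY)
    return {
        "genuine": verify(message, signature, PUBLIC_KEY),
        "tampered_data": verify(b"wire $900 to account 42", signature, PUBLIC_KEY),
        "forged_signature": verify(message, (signature + 1) % N, PUBLIC_KEY),
    }
```

What travels is the message plus S; the verifier needs only the public key. Changing one digit of the amount changes the hash, so the check fails, and without D no one can produce an S that passes for the altered text.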

Transaction Security

Secure Sockets Layer (SSL)
Sits between the application (e.g. HTTP) and TCP in the TCP/IP model.
Creates a secure negotiated session between client and server.

Secure Negotiated Session:
All communication between client and server is encrypted:
URL, credit card number, cookies, attached documents.
Client and server agree upon a symmetric session key during the handshake (the server's certificate and public key protect that agreement).
The session key is used for only one session and then destroyed.

SSL itself is obsolete; its successor TLS (1.2 and 1.3) follows the same design.

Multi-layered Network Security

Concentric layers, innermost first:
DATA
Technology Solutions
Organizational Policies
Industry and Legal Standards