Chapter 3 Network and Computer Attacks
Objectives
After reading this chapter and completing the exercises, you will be able to:
- Describe the different types of malicious software and what damage they can do
- Describe methods of protecting against malware attacks
- Describe the types of network attacks
- Identify physical security attacks and vulnerabilities
Introduction
As an IT security professional, you need to be aware of the attacks an intruder can make on your network.
Attacks include unauthorized attempts to access network resources or systems, attempts to destroy or corrupt information, and attempts to prevent authorized users from accessing resources.
You must have a good understanding of both network security and computer security.
Hands-On Ethical Hacking and Network Defense, Second Edition
Malicious Software (Malware)
Network attacks can prevent a business from operating.
Malicious software (malware):
- Virus
- Worm
- Trojan program
Goals:
- Destroy data
- Corrupt data
- Shut down a network or system
- Make money
Viruses
A virus attaches itself to a file or program
- Needs a host to replicate; does not stand on its own
- No foolproof prevention method
Antivirus programs
- Detection based on virus signatures
- Signatures are kept in a virus signature file that must be updated periodically
- Some offer an automatic update feature
Table 3-1 Common computer viruses
Macro Viruses
A virus encoded as a macro (a single instruction that expands automatically into a set of instructions to perform a particular task)
- Programs that support a macro programming language (e.g., Visual Basic for Applications) execute lists of commands, which can be used in destructive ways
- Example: Melissa, which appeared in 1999
- Even nonprogrammers can create macro viruses; instructions are posted on Web sites
Security professionals learn from thinking like attackers.
Worms
Replicate and propagate without a host
- Infamous examples: Code Red, Nimda
- Theoretically can infect every vulnerable computer in the world over a short period
Cyber attacks against ATMs are a serious concern for the banking industry and law enforcement agencies worldwide. Examples: the Slammer and Nachi worm attacks on ATM networks.
Table 3-2 Common computer worms
Table 3-2 Common computer worms (cont’d.)
Trojan Programs
An insidious attack against networks and computers
- Disguise themselves as useful programs
- Allow attackers remote access
- Can install backdoors and rootkits
A backdoor is a program that gives the attacker a means of regaining access to the attacked computer later.
A rootkit is malicious software that is activated each time the system boots and hides its own presence. Rootkits are difficult to detect because they hook into the operating system itself (and boot-level rootkits load before the OS has completely booted), so the tools an administrator would use to look for them are the very tools they subvert.
A rootkit typically lets the attacker keep hidden files, processes, user accounts, and more on the compromised OS.
Trojan Programs
Back Orifice is one of the best-known Trojan programs. It allows attackers to take full control of the attacked computer, much like the Windows XP Remote Desktop feature, except that Back Orifice works without the user's knowledge.
A good software or hardware firewall would most likely identify traffic that's using unfamiliar ports.
But Trojan programs that use common ports, such as TCP port 80 (HTTP) or UDP port 53 (DNS), are more difficult to detect, because a port-based rule cannot tell them from legitimate Web or DNS traffic.
Also, many home users and small businesses don't use software or hardware firewalls.
Table 3-3 Trojan programs and ports
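The following is an added example, not code from the book, showing the difference between a port-only firewall rule and a rule that also asks which program owns the socket. The connection records, program names, and the list of historical Trojan default ports are constructed or assumed for illustration; Table 3-3's own contents are not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not from the book: the port-plus-process check a host
 * firewall could apply to its connection table. A port-only rule catches
 * the first case below but not the "common port" cases. All records, port
 * numbers and program names are constructed or assumed for illustration. */

enum proto { TCP, UDP };

struct conn {
    const char *process;        /* local program owning the socket */
    enum proto proto;
    unsigned short remote_port;
};

/* Historical default ports of well-known Trojans (assumed list; any of
 * these tools can be reconfigured to use a different port). */
struct trojan_port { enum proto proto; unsigned short port; const char *name; };
static const struct trojan_port trojan_ports[] = {
    { UDP, 31337, "Back Orifice" },
    { TCP, 12345, "NetBus" },
    { TCP, 27374, "SubSeven" },
};

/* Programs expected to use the common ports; anything else on them is
 * allowed by a port rule, so it needs a second look. (Assumed names.) */
static const char *const http_ok[] = { "firefox.exe", "iexplore.exe" };
static const char *const dns_ok[]  = { "svchost.exe" };

enum verdict {
    ALLOW,                    /* expected program on an expected port */
    BLOCK_KNOWN_TROJAN_PORT,  /* unfamiliar port with a known bad default */
    INSPECT_COMMON_PORT,      /* port 80/53 from an unexpected program */
    FLAG_UNFAMILIAR_PORT      /* no rule knows this port */
};

static bool name_in(const char *name, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return true;
    return false;
}

/* Look the destination port up in the Trojan table; NULL if not listed. */
const char *known_trojan(enum proto p, unsigned short port) {
    for (size_t i = 0; i < sizeof trojan_ports / sizeof trojan_ports[0]; i++)
        if (trojan_ports[i].proto == p && trojan_ports[i].port == port)
            return trojan_ports[i].name;
    return NULL;
}

enum verdict classify(const struct conn *c) {
    if (known_trojan(c->proto, c->remote_port) != NULL)
        return BLOCK_KNOWN_TROJAN_PORT;
    if (c->proto == TCP && c->remote_port == 80)
        return name_in(c->process, http_ok, 2) ? ALLOW : INSPECT_COMMON_PORT;
    if (c->proto == UDP && c->remote_port == 53)
        return name_in(c->process, dns_ok, 1) ? ALLOW : INSPECT_COMMON_PORT;
    return FLAG_UNFAMILIAR_PORT;
}

int main(void) {
    /* Constructed connection table. */
    const struct conn table[] = {
        { "firefox.exe", TCP, 80 },     /* normal browsing */
        { "svchost.exe", UDP, 53 },     /* normal DNS */
        { "update.exe",  TCP, 80 },     /* unknown program on HTTP: Trojan over port 80? */
        { "update.exe",  UDP, 53 },     /* unknown program on the DNS port */
        { "svc.exe",     UDP, 31337 },  /* Back Orifice default port */
        { "svc.exe",     TCP, 6667 },   /* IRC port: unfamiliar, flag it */
    };
    static const char *const names[] = {
        "ALLOW", "BLOCK_KNOWN_TROJAN_PORT", "INSPECT_COMMON_PORT", "FLAG_UNFAMILIAR_PORT"
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        printf("%-12s %s/%-5u -> %s\n", table[i].process,
               table[i].proto == TCP ? "tcp" : "udp",
               (unsigned)table[i].remote_port, names[classify(&table[i])]);
    return 0;
}
```

The third and fourth records are the slide's point: on port alone they look identical to the first two, so the only signal left is that update.exe is not a program that should be speaking HTTP or DNS. A personal firewall that prompts per application is applying exactly this check.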
Spyware
Sends information from the infected computer to the attacker:
- Confidential financial data
- Passwords
- PINs
- Any other stored data
Can record each keystroke entered
Prevalent technology; educate users about spyware
Figure 3-2 A spyware initiation program
Adware
Similar to spyware
- Installed without the user being aware
- Sometimes displays a banner
Main purpose: determine the user's purchasing habits so that Web browsers can display advertisements tailored to this user
Main problem: slows down computers
Protecting Against Malware Attacks
Difficult task: new viruses, worms, and Trojan programs appear daily
Antivirus programs detect many malware programs, but only those whose signatures they know
Educate users about these attacks: users who aren't trained thoroughly can open holes into a network that no technology can protect against
Figure 3-3 Detecting a virus
Educating Your Users
Structured training
- Includes all employees and management
- E-mail monthly security updates
- Recommend updating the virus signature database; activate automatic updates
SpyBot and Ad-Aware
- Two of the most popular spyware and adware removal programs
- Help protect against spyware and adware
Firewalls
- Software (personal) and hardware (enterprise)
Avoiding Fear Tactics
Avoid scaring users into complying with security measures
- Sometimes used by unethical security testers
- Against the OSSTMM's Rules of Engagement
Promote awareness rather than instilling fear
- Users should be aware of potential threats
- Build on users' knowledge, which makes training easier
Intruder Attacks on Networks and Computers
Attack: any attempt by an unauthorized person to access, damage, or use network resources
Network security: concerned with the security of the network infrastructure
Computer security: concerned with the security of a stand-alone computer that is not part of a network infrastructure
Computer crime: fastest-growing type of crime worldwide
Denial-of-Service Attacks
Denial-of-service (DoS) attack: prevents legitimate users from accessing network resources
Some forms do not involve computers. For example, intentionally looping a document on a fax machine by taping two pages together can use up reams of paper on the destination fax machine, thus preventing others from using it.
Denial-of-Service Attacks
A DoS attack does not attempt to access information; instead it:
- Cripples (disrupts) the network
- Can leave the network vulnerable to other attacks
As a security tester, launching a DoS attack against a client's network yourself is not wise; instead, explain how the attack could happen.
Distributed Denial-of-Service Attacks
Distributed denial-of-service (DDoS) attack: an attack on a host from multiple servers or workstations at once
- The network can be flooded with billions of packets
- Loss of bandwidth
- Degradation or loss of speed
Often the participants are not aware they are part of the attack; they, too, have been attacked.
DDoS attacks are difficult to stop because owners of the compromised computers, referred to as zombies, are unaware that their systems are sending malicious packets to a victim thousands of miles away.
These compromised computers are usually part of a botnet (a network of “robot” computers) following instructions from a central location or system.
For more information, do a search on “Estonia DDoS.”
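As an added example (not from the book), the check below is the per-destination summary a flow collector or IDS computes over one time window to tell a many-zombie flood from a single busy client. The flow records, addresses, and thresholds are constructed and assumed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not from the book: the per-destination summary a flow
 * collector or IDS computes over one time window to separate a many-source
 * flood from a single busy client. The flow records below are constructed. */

#define MAX_FLOWS 64
#define MAX_SRCS  64

/* Thresholds per 1-second window (assumed; tune to the link and service). */
#define PKT_THRESHOLD 50000u
#define SRC_THRESHOLD 20u

struct flow {
    const char *src;     /* source address */
    const char *dst;     /* destination address */
    unsigned pkts;       /* packets seen in the window */
};

struct dst_summary {
    const char *dst;
    unsigned total_pkts;
    unsigned distinct_srcs;
    bool flooded;        /* high volume AND many sources: DDoS pattern */
};

/* Sum packets and count distinct sources for one destination. */
struct dst_summary summarise_dst(const struct flow *flows, size_t n, const char *dst) {
    struct dst_summary s = { dst, 0, 0, false };
    const char *seen[MAX_SRCS];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(flows[i].dst, dst) != 0)
            continue;
        s.total_pkts += flows[i].pkts;
        bool dup = false;
        for (unsigned j = 0; j < s.distinct_srcs; j++)
            if (strcmp(seen[j], flows[i].src) == 0) { dup = true; break; }
        if (!dup && s.distinct_srcs < MAX_SRCS)
            seen[s.distinct_srcs++] = flows[i].src;
    }
    s.flooded = s.total_pkts >= PKT_THRESHOLD && s.distinct_srcs >= SRC_THRESHOLD;
    return s;
}

/* Constructed window: 25 zombies hammering 10.0.0.5, two ordinary clients
 * of the same host, and one large legitimate transfer to 10.0.0.9. */
static char zombie_ip[25][16];

size_t build_sample(struct flow *out) {
    size_t n = 0;
    for (int i = 0; i < 25; i++) {
        snprintf(zombie_ip[i], sizeof zombie_ip[i], "203.0.113.%d", i + 1);
        out[n++] = (struct flow){ zombie_ip[i], "10.0.0.5", 3000 };
    }
    out[n++] = (struct flow){ "198.51.100.7", "10.0.0.5", 40 };
    out[n++] = (struct flow){ "198.51.100.8", "10.0.0.5", 12 };
    out[n++] = (struct flow){ "192.0.2.10",   "10.0.0.9", 60000 };
    return n;
}

int main(void) {
    struct flow flows[MAX_FLOWS];
    size_t n = build_sample(flows);
    const char *targets[] = { "10.0.0.5", "10.0.0.9" };
    for (size_t i = 0; i < 2; i++) {
        struct dst_summary s = summarise_dst(flows, n, targets[i]);
        printf("%s: %u packets from %u sources -> %s\n", s.dst, s.total_pkts,
               s.distinct_srcs, s.flooded ? "DDoS flood" : "normal");
    }
    return 0;
}
```

Two caveats a practitioner would add: zombies often spoof their source addresses, so distinct_srcs counts addresses, not machines, and can be inflated at will; and because the owners of the zombies are unaware, blocking them one by one at the victim does not scale, which is why the usual response is rate limiting or filtering upstream at the provider.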
Buffer Overflow Attacks
Vulnerability in poorly written code that doesn't check how much data it writes into the memory it reserved. For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use) and then writes data past the 100 MB mark without triggering an error or preventing the write, you have a buffer overflow.
Buffer Overflow Attacks
The attacker supplies input that overflows the buffer. The trick is not to fill the overflowed memory with meaningless data but with executable program code, so that the program, and therefore the OS, runs the attacker's code and it does something harmful.
Usually that code runs with the privileges of the vulnerable program, so the attacker gains the same privileges as the program's owner, or administrator-level permissions if the program runs as administrator.
Countermeasure: train programmers to develop applications with security in mind, starting with a bounds check on every write into a fixed-size buffer.
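The following is an added example, not code from the book, showing the unchecked copy that causes a buffer overflow next to a bounds-checked replacement. The 16-byte buffer, the function names, and the inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the book). A classic unchecked copy beside a
 * bounds-checked replacement. The 16-byte buffer and inputs are constructed. */

#define NAME_LEN 16

/* Vulnerable: strcpy() trusts the caller's string length. Anything longer
 * than NAME_LEN - 1 bytes runs past 'name' into whatever the compiler placed
 * next on the stack (saved registers, the return address), which is exactly
 * the space an attacker fills with code or a pointer to it. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no length check: overflow if strlen(input) >= NAME_LEN */
    printf("hello, %s\n", name);
}

/* Hardened: refuse input that does not fit, instead of silently truncating
 * or overflowing. Returns 0 on success, -1 if the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never scan past dst_size bytes */
        len++;
    if (len >= dst_size)                          /* too long, or no terminator in range */
        return -1;
    memcpy(dst, src, len + 1);                    /* copies the terminator too */
    return 0;
}

int greet_safe(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

int main(void) {
    const char *ok  = "alice";
    /* 40 bytes: would overflow the 16-byte buffer in greet_unsafe() */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    greet_unsafe(ok);      /* fine only because this input happens to fit */
    greet_safe(ok);
    greet_safe(bad);       /* rejected instead of corrupting the stack */
    return 0;
}
```

The two functions differ by one decision: whether the length of the input is checked against the size of the destination before the write. That check is the whole countermeasure; the "executable code in the overflow" trick only works because greet_unsafe() lets the write continue past the buffer.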
Table 3-4 Buffer overflow vulnerabilities
Ping of Death Attacks
Type of DoS attack, not as common as during the late 1990s
How it works:
- The attacker crafts an ICMP echo request that, once reassembled, is larger than the maximum IP datagram size of 65,535 bytes
- No single packet that large can be sent, so it travels as a series of IP fragments that are reassembled at the destination
- A destination that doesn't check the reassembled size before buffering the fragments cannot handle the oversize packet and crashes or freezes
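As an added example (not from the book), here is the per-fragment size check that a hardened IP stack applies before it buffers a fragment, which is the check the vulnerable stacks of the 1990s lacked. The fragment values are constructed, and a minimal 20-byte IPv4 header is assumed.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example, not from the book: the size check a hardened IP stack
 * applies to every fragment before buffering it for reassembly. Fragment
 * values are constructed; the header is assumed to be the 20-byte minimum. */

#define IP_MAX_DATAGRAM 65535u                           /* 16-bit Total Length */
#define IP_HDR_LEN      20u                              /* minimal IPv4 header */
#define IP_MAX_PAYLOAD  (IP_MAX_DATAGRAM - IP_HDR_LEN)   /* 65515 data bytes */
#define MAX_FRAGS       64

struct fragment {
    unsigned offset8;        /* 13-bit Fragment Offset, in 8-byte units */
    unsigned payload_len;    /* data bytes carried by this fragment */
    bool more_fragments;     /* MF flag: more pieces follow */
};

/* Byte just past this fragment's data in the reassembled payload. */
unsigned fragment_end(const struct fragment *f) {
    return f->offset8 * 8u + f->payload_len;
}

/* A fragment that could belong to a legal datagram. Rejecting here means an
 * oversize end offset never reaches the reassembly buffer. */
bool fragment_is_sane(const struct fragment *f) {
    if (f->offset8 > 8191u)                                 /* not encodable in 13 bits */
        return false;
    if (f->more_fragments && f->payload_len % 8u != 0)      /* non-last pieces are 8-byte multiples */
        return false;
    return fragment_end(f) <= IP_MAX_PAYLOAD;
}

/* Reassembled payload length, or 0 if a fragment is rejected or the set
 * has no final (MF=0) fragment. */
unsigned reassemble_len(const struct fragment *frags, size_t n) {
    unsigned end = 0;
    bool saw_last = false;
    for (size_t i = 0; i < n; i++) {
        if (!fragment_is_sane(&frags[i]))
            return 0;
        if (fragment_end(&frags[i]) > end)
            end = fragment_end(&frags[i]);
        if (!frags[i].more_fragments)
            saw_last = true;
    }
    return saw_last ? end : 0;
}

/* Split a payload the way a sender would; per_frag must be a multiple of 8. */
size_t build_fragments(struct fragment *out, unsigned total_payload, unsigned per_frag) {
    size_t n = 0;
    for (unsigned off = 0; off < total_payload && n < MAX_FRAGS; off += per_frag) {
        unsigned len = total_payload - off < per_frag ? total_payload - off : per_frag;
        out[n].offset8 = off / 8u;
        out[n].payload_len = len;
        out[n].more_fragments = off + len < total_payload;
        n++;
    }
    return n;
}

int main(void) {
    struct fragment frags[MAX_FRAGS];
    /* Legitimate large ping: 60,000 data bytes in 1,480-byte pieces (1,500-byte MTU). */
    size_t n = build_fragments(frags, 60000u, 1480u);
    printf("legit: %zu fragments, reassembled %u bytes\n", n, reassemble_len(frags, n));

    /* Ping of death: final fragment placed at the largest offset with a full
     * payload, so the reassembled data would be 65,528 + 1,480 bytes. */
    struct fragment pod = { 8191u, 1480u, false };
    printf("ping of death: end offset %u, sane=%d\n", fragment_end(&pod), fragment_is_sane(&pod));
    frags[n - 1] = pod;
    printf("poisoned set reassembles to %u (0 = dropped)\n", reassemble_len(frags, n));
    return 0;
}
```

The arithmetic is the whole vulnerability: the offset field can address up to 65,528 bytes, and nothing in the header stops a sender from attaching a full-size payload at that offset, so the receiver has to compute offset plus length itself and refuse anything past 65,515 data bytes before touching its reassembly buffer.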
Session Hijacking
Enables an attacker to join a TCP session
- Attacker makes both parties think he or she is the other party
- Complex attack; beyond the scope of this book
Addressing Physical Security
Protecting a network from attacks is not always a software issue. You should have some basic skills in protecting a network from physical attacks as well.
Inside attacks are more likely than outside attacks.
Keyloggers
Used to capture keystrokes on a computer
Software keyloggers
- Loaded onto the computer
- Behave like Trojan programs; often delivered as spyware and transfer the captured information to the attacker
Hardware keyloggers
- Small, easy-to-install devices that go between the keyboard and the computer
- Examples: KeyKatcher and KeyGhost
Figure 3-4 An e-mail message captured by KeyKatcher
Figure 3-5 The KeyGhost menu
Behind Locked Doors
As a security professional, you should be aware of the types of locks used to secure a company's assets.
If an intruder gets physical access to a server, whether it's running Linux or Windows, it doesn't matter how good your firewall or IDS is. Encryption or public key infrastructure (PKI) enforcement doesn't help in this situation, either.
If intruders can sit in front of your server, they can hack it. Simply put, lock up your server.
Behind Locked Doors (Solution)
Lock up servers
- An average person can learn to pick a deadbolt lock in less than five minutes after only a week or two of practice
- Experienced hackers can pick a deadbolt lock in under 30 seconds
- Rotary locks are harder to pick; they require pushing a sequence of numbered bars
- Keep a record of who enters and leaves the room
- Security cards can be used for better security
Summary
Be aware of attacks
- On network infrastructures and stand-alone computers
- Can be perpetrated by insiders or outside attackers
Malicious software
- Viruses
- Worms
- Trojan programs
- Spyware
- Adware
Summary (cont'd.)
Attacks
- Denial-of-Service (DoS)
- Distributed Denial-of-Service (DDoS)
- Buffer overflow
- Ping of Death
- Session hijacking
Keyloggers: monitor a computer system
Physical security is everyone's responsibility