Hans Hedbom Attacks on Computer Systems

Post on 05-Jan-2016



TRANSCRIPT

Page 1: Attacks on Computer Systems

Hans Hedbom

Attacks on Computer Systems

Page 2: Attacks on Computer Systems

Attacks

"Non-Technical" attacks

Example: Social engineering, Phishing

Cause: Low user awareness or missing policies/routines

Technical attacks

Example: See following slides

Cause: Transitive trust; bugs and configuration errors in applications and the OS; vulnerabilities in protocols and network infrastructure

Page 3: Attacks on Computer Systems

Threats to confidentiality

Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010.

Page 4: Attacks on Computer Systems

NETWORK ATTACKS

Page 5: Attacks on Computer Systems

SYN-Attacks

The attacker sends a large number of SYN packets to the server. Each one allocates a half-open connection in the server's SYN buffer (the backlog); once it is full the server is unable to accept more connections: denial of service.

TCP event diagram:

Client -> Server: SYN
Server -> Client: SYN,ACK
Client -> Server: ACK

The attacker never sends the final ACK (and usually forges the source address, so nobody else will either), and the half-open entry stays in the buffer until it times out after ~4 min.
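Added example (not part of the slides): a Python model of the backlog described above, with a fixed-size half-open table and the ~4 min. timeout, next to the usual countermeasure, a SYN-cookie listener that keeps no state until the handshake completes. Backlog size, the 240 s timeout constant, the HMAC-based cookie and all addresses are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

HALF_OPEN_TIMEOUT = 240.0  # seconds a server keeps an unanswered SYN (the ~4 min. on the slide)


class StatefulServer:
    """Classic TCP listener: every SYN allocates a half-open entry in a fixed-size backlog."""

    def __init__(self, backlog=5):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> time the SYN arrived

    def _expire(self, now):
        for key, t in list(self.half_open.items()):
            if now - t >= HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src, now):
        """True if the SYN was answered with SYN,ACK; False if the backlog was full (SYN dropped)."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        self._expire(now)
        return self.half_open.pop(src, None) is not None


class SynCookieServer:
    """SYN-cookie listener: the SYN,ACK sequence number is a MAC over the connection tuple and a
    coarse timestamp, so nothing is stored until the peer's ACK proves it received the SYN,ACK."""

    def __init__(self):
        self.secret = os.urandom(32)

    def _cookie(self, src, minute):
        msg = f"{src[0]}:{src[1]}:{minute}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, now):
        """Always answered. Returns the ISN the client must acknowledge (+1) to complete."""
        return self._cookie(src, int(now // 60))

    def on_ack(self, src, ack_number, now):
        minute = int(now // 60)
        return any(ack_number == self._cookie(src, m) + 1 for m in (minute, minute - 1))


def flood_scenario():
    """Spoofed SYNs that never complete the handshake lock out a legitimate client until they expire."""
    victim = StatefulServer(backlog=5)
    for i in range(5):  # constructed attack traffic from addresses that will never ACK
        victim.on_syn((f"198.51.100.{i}", 40000 + i), 0.0)
    legit = ("192.0.2.10", 50000)
    during_attack = victim.on_syn(legit, 1.0)
    after_timeout = victim.on_syn(legit, HALF_OPEN_TIMEOUT)
    return during_attack, after_timeout


def cookie_scenario():
    """The same flood against a SYN-cookie listener leaves no state behind; a real client still
    completes, and a forged ACK with a guessed number does not."""
    srv = SynCookieServer()
    for i in range(10000):
        srv.on_syn((f"198.51.100.{i % 256}", 40000 + i), 0.0)
    legit = ("192.0.2.10", 50000)
    isn = srv.on_syn(legit, 2.0)
    return srv.on_ack(legit, isn + 1, 5.0), srv.on_ack(legit, 12345, 5.0)
```

flood_scenario() returns (False, True): the legitimate SYN is dropped while the forged entries occupy the backlog and accepted again once they have timed out. cookie_scenario() returns (True, False): the cookie listener completes the real handshake and rejects a forged ACK, with no table to exhaust.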

Page 6: Attacks on Computer Systems

IP Fragmentation Attack

Intentional fragmentation of IP packets may confuse routers, firewalls and servers.

Diagram:

Original: IP packet = Header + Data
Fragmented: Fragment 1 = Header + Data (offset 0); Fragment 2 = Header + Data (should start at offset 20, but claims offset 16)
Assembled: the two fragments overlap! Which bytes end up in the reassembled packet depends on the receiving system's reassembly policy, so a firewall and the host behind it may see different data.
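Added example (not from the slides): a small reassembler showing why the overlap on the slide matters. Real IP stacks resolve overlapping fragments differently; the two policies modelled here ("first" keeps the bytes that arrived first, "last" lets a later fragment overwrite them) are an assumption chosen to show the effect, offsets are in bytes (real IP counts them in 8-byte units), and the fragment contents are constructed.

```python
def reassemble(fragments, policy="first"):
    """Rebuild a datagram's payload from (offset, data) fragments.

    policy="first": a byte already supplied by an earlier fragment is kept.
    policy="last":  a later fragment overwrites bytes supplied earlier.
    Raises ValueError if the fragments leave a hole.
    """
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    seen = bytearray(total)  # 1 once some fragment has supplied that byte
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    if not all(seen):
        raise ValueError("reassembly incomplete: hole in fragment set")
    return bytes(buf)


def overlaps(fragments):
    """The check a firewall should make before forwarding: does any fragment overlap an earlier one?"""
    covered = set()
    for off, data in fragments:
        span = set(range(off, off + len(data)))
        if covered & span:
            return True
        covered |= span
    return False


# Constructed fragment set in the spirit of the slide: the second fragment claims an offset inside
# the first fragment's data, and the 13 overlapping bytes carry a different path.
FRAGMENTS = [
    (0, b"GET /public/a.txt HTTP/1.0\r\n"),
    (4, b"/secret/a.txt"),
]
```

reassemble(FRAGMENTS, "first") yields the request for /public/a.txt, reassemble(FRAGMENTS, "last") the one for /secret/a.txt: a filter applying the first policy approves a request that a host applying the second one actually executes. overlaps(FRAGMENTS) is True, which is the condition a firewall should drop on rather than try to interpret.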

Page 7: Attacks on Computer Systems

Sniffer Attacks

Eavesdropping on a network segment.

Diagram: a Telnet client talks to a Telnet server across an IP network. The attacker, attached to the same segment, reads the Telnet traffic, including the password, which Telnet sends in the clear.

Page 8: Attacks on Computer Systems

Passwords over the Net

Protocols that send passwords or other authentication data over the network unprotected, where a sniffer can read them:

Telnet, FTP, Rlogin, Rexec, POP, SNMP, NFS, SMB, HTTP
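Added example (not part of the slides) for the two sniffer slides above: the credential-extraction step a sniffer performs on captured cleartext streams, for three of the protocols listed. The FTP and POP3 sessions and the HTTP request are constructed captures; the user names and passwords in them are made up. Telnet is left out because it sends one keystroke per segment and would first need TCP stream reassembly.

```python
import base64
import re

# Constructed captures of three cleartext sessions (what a sniffer on the segment would see).
FTP_SESSION = (
    b"220 ftp.example FTP server ready\r\n"
    b"USER alice\r\n"
    b"331 Password required for alice\r\n"
    b"PASS s3cret!\r\n"
    b"230 User alice logged in\r\n"
)
POP3_SESSION = b"+OK POP3 ready\r\nUSER bob\r\n+OK\r\nPASS hunter2\r\n+OK logged in\r\n"
HTTP_REQUEST = (
    b"GET /admin HTTP/1.0\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"carol:Tr0ub4dor&3") + b"\r\n\r\n"
)


def extract_credentials(dst_port, payload):
    """Return (user, password) pairs visible in a captured stream, selected by server port."""
    text = payload.decode("latin-1")
    found = []
    if dst_port in (21, 110):  # FTP and POP3 both log in with USER / PASS commands
        users = re.findall(r"^USER (\S+)\r?$", text, re.M)
        passwords = re.findall(r"^PASS (\S+)\r?$", text, re.M)
        found.extend(zip(users, passwords))
    elif dst_port == 80:  # HTTP Basic auth is base64 encoding, not encryption
        for token in re.findall(r"^Authorization: Basic (\S+)\r?$", text, re.M | re.I):
            user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
            found.append((user, password))
    return found
```

Each call returns the credential pair that the protocol exposes on the wire; the same code run over a real capture is what turns "eavesdropping on a segment" into a list of working logins.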

Page 9: Attacks on Computer Systems

IP-Spoofing

Counterfeiting of IP sender addresses, possible with both UDP and TCP.

Diagram: the attacker sends an NFS request carrying the NFS client's address as sender. The NFS server's response goes to the real client, which is kept busy with a SYN attack so that it cannot react to it.

Page 10: Attacks on Computer Systems

Session Hijacking

The attacker hijacks a session between a client and a server; it could for example be an administrator using Telnet for remote login.

Diagram: Telnet traffic between a Telnet client and a Telnet server across an IP network. The attacker silences the client with a SYN attack and continues the session in its place by IP spoofing, using the sequence numbers observed in the traffic.
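Added example (not from the slides) for the IP spoofing and session hijacking slides above: a constructed model of the two server-side checks the attacks defeat. The UDP service trusts nothing but the source address in the header; the TCP session accepts any segment carrying the client's address and the expected sequence number. Addresses, sequence numbers and the injected command are assumptions.

```python
class UdpService:
    """NFS-style request/response over UDP: the only 'identity' the server sees is the source
    address in the IP header, which anyone can write."""

    def __init__(self, trusted_clients):
        self.trusted = set(trusted_clients)

    def handle(self, src_ip, request):
        return f"OK {request}" if src_ip in self.trusted else "DENIED"


class TcpSession:
    """Established TCP connection as the server sees it: a segment is accepted only if it comes
    from the client's address with the sequence number expected next. Anyone who has sniffed
    those two values can speak as the client."""

    def __init__(self, client_ip, next_seq):
        self.client_ip = client_ip
        self.next_seq = next_seq
        self.received = []

    def deliver(self, src_ip, seq, data):
        if src_ip != self.client_ip or seq != self.next_seq:
            return False  # wrong peer or out of sequence: dropped
        self.received.append(data)
        self.next_seq += len(data)
        return True


def spoofing_demo():
    """Constructed: the attacker's datagram claims the trusted NFS client's address."""
    nfs = UdpService(trusted_clients=["10.0.0.5"])
    honest = nfs.handle("10.0.0.99", "read /export/home")
    forged = nfs.handle("10.0.0.5", "read /export/home")  # sent by 10.0.0.99 with a spoofed header
    return honest, forged


def hijack_demo():
    """Constructed: the attacker has sniffed the admin's Telnet session (address and sequence
    number), silenced the admin with a SYN attack, and injects a command in the admin's name."""
    session = TcpSession(client_ip="10.0.0.5", next_seq=1000)
    session.deliver("10.0.0.5", 1000, b"ls\n")  # the admin's own keystrokes
    injected = session.deliver("10.0.0.5", 1003, b"id\n")  # spoofed source, sniffed seq 1003
    stale = session.deliver("10.0.0.5", 1003, b"pwd\n")  # the admin's next segment is now stale
    return injected, stale, session.received
```

spoofing_demo() returns ("DENIED", "OK read /export/home"): the same request is denied or served purely on the address in the header. hijack_demo() returns (True, False, [b"ls\n", b"id\n"]): the injected segment is accepted, and because it advanced the expected sequence number the real client's next segment is dropped, which is why the attacker has to keep the client quiet with the SYN attack.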

Page 11: Attacks on Computer Systems

DNS Cache Poisoning

DNS = Domain Name System, primarily used to translate names into IP addresses,

e.g. "www.sunet.se" to "192.36.125.18".

Cache poisoning: injection of false data into the DNS server's cache, so that later queries for the name are answered with the attacker's address.

Cross-checking an address (e.g. resolving it through a second, independent resolver) might help.
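Added example (not part of the slides): a constructed model of the injection. A caching resolver accepts the first reply whose transaction ID and port match its outstanding query; the attacker races the real answer with a forged reply for every one of the 2^16 IDs. Source-port randomization is shown as the caveat: it is not on the slide, but it is the standard countermeasure and the model shows why it works. The attacker address 203.0.113.66, the port range and the seed are assumptions.

```python
import random

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits


class Resolver:
    """Caching resolver: a reply is accepted if its (txid, port) match the outstanding query for
    that name; the first matching reply wins and is cached."""

    def __init__(self, rng, random_source_port):
        self.rng = rng
        self.random_source_port = random_source_port
        self.cache = {}
        self.pending = {}  # name -> (txid, source port)

    def query(self, name):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(1024, 65536) if self.random_source_port else 53
        self.pending[name] = (txid, port)
        return name, txid, port

    def reply(self, name, txid, port, address):
        if name in self.cache or self.pending.get(name) != (txid, port):
            return False
        self.cache[name] = address
        del self.pending[name]
        return True


def poisoning_attempt(rng, random_source_port):
    """Attacker races the real answer with a forged reply for every possible txid, all aimed at
    the fixed port 53. Returns the address that ends up cached for the name."""
    resolver = Resolver(rng, random_source_port)
    name, txid, port = resolver.query("www.sunet.se")
    for guess in range(TXID_SPACE):  # attacker side: knows neither txid nor port
        if resolver.reply(name, guess, 53, "203.0.113.66"):  # constructed attacker address
            break
    resolver.reply(name, txid, port, "192.36.125.18")  # the legitimate answer arrives last
    return resolver.cache[name]


def demo(seed=7):
    """Same seed, fixed source port versus randomized source port."""
    return (poisoning_attempt(random.Random(seed), False),
            poisoning_attempt(random.Random(seed), True))
```

demo() returns ("203.0.113.66", "192.36.125.18"): with a fixed source port 65536 forged replies are enough to cover the whole ID space and the cache ends up holding the attacker's address; with the port randomized as well the attacker's guesses never match and the real answer is cached. Cross-checking, as the slide suggests, would catch the first case by comparing the cached address against an independent lookup.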

Page 12: Attacks on Computer Systems

OS (SOFTWARE) ATTACKS

Page 13: Attacks on Computer Systems

Race Condition Attacks

Exploits software that performs operations in an improper sequence, e.g. psrace (Solaris 2.x).

Diagram: the application (/usr/bin/ps) creates a temporary file /tmp/ps_data, stores data in it, uses the data, sets the SUID bit on it and removes it. Between the file's creation and the chmod, the attacker replaces /tmp/ps_data with a link to /tmp/sh, so the SUID bit ends up on the attacker's shell.
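Added example (not the original psrace exploit): the race from the diagram played out on the real filesystem in a scratch directory, with a generator standing in for the privileged program so the attacker can act inside its window. The vulnerable step operates on the file by name, as the slide describes; the hardened step, added here as the fix, creates the file with O_EXCL and does everything further through the open descriptor. File names, contents and the 0o4755 mode are assumptions.

```python
import os
import stat
import tempfile


def privileged_step_by_path(path):
    """What the vulnerable ps did: create a temp file, work with it, then chmod it by name.
    Between the creation and the chmod the name can be swapped for a link to any file."""
    with open(path, "w") as f:
        f.write("process table snapshot")  # store data
    yield "in race window"  # use data ... (the attacker acts here)
    os.chmod(path, 0o4755)  # set SUID on whatever the name resolves to now
    os.unlink(path)  # remove file (only the name; a link's target survives)
    yield "done"


def privileged_step_by_descriptor(path):
    """Hardened: create with O_EXCL and keep operating on the descriptor, never on the name."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, b"process table snapshot")
        yield "in race window"
        os.fchmod(fd, 0o4755)  # applies to the file we created, whatever the name points to now
    finally:
        os.close(fd)
    yield "done"


def race(step):
    """Run one privileged step in a scratch directory and play the attacker in its window.
    Returns True if the attacker's file ended up with the SUID bit."""
    with tempfile.TemporaryDirectory() as tmp:
        ps_data = os.path.join(tmp, "ps_data")  # stands in for /tmp/ps_data
        sh = os.path.join(tmp, "sh")  # stands in for /tmp/sh, a file the attacker owns
        open(sh, "w").close()
        gen = step(ps_data)
        next(gen)  # the application is now inside its window
        os.unlink(ps_data)  # attacker: replace the name with a link to their own file
        os.symlink(sh, ps_data)
        next(gen)
        return bool(os.stat(sh).st_mode & stat.S_ISUID)
```

race(privileged_step_by_path) returns True: chmod followed the attacker's link and the SUID bit landed on the attacker's file. race(privileged_step_by_descriptor) returns False: fchmod acted on the inode the program itself created, so the swapped name changed nothing. Unpredictable temporary names narrow the window; only descriptor-based operations close it.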

Page 14: Attacks on Computer Systems

Buffer overflows

Buffer overflows account for about 50 % of security bugs (Viega and McGraw).

Data is stored in a region of allocated memory called a buffer. If more data needs to be stored than the buffer can hold, the additional bytes have to go somewhere: the buffer overflows and the data is written past its bounds, over whatever lies next to it in memory.
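Added example (not from the slides): the "written past the bounds" sentence made concrete. A ctypes structure models the part of a C stack frame that matters, an 8-byte buffer with the saved return address laid out right after it; the unchecked copy writes through the buffer into that address, the bounded copy does not. The frame layout, the buffer size and the return-address values are constructed assumptions, and the writes stay inside the structure (a real overflow keeps going past the frame).

```python
import ctypes
import struct

BUF_SIZE = 8


class Frame(ctypes.Structure):
    """Constructed model of the relevant part of a C stack frame: a fixed-size char buffer with
    the saved return address laid out immediately after it."""
    _pack_ = 1
    _fields_ = [("buf", ctypes.c_char * BUF_SIZE), ("saved_ret", ctypes.c_uint32)]


def _raw(frame):
    # A byte view over the whole frame, so writes really land in the adjacent memory.
    return (ctypes.c_ubyte * ctypes.sizeof(frame)).from_buffer(frame)


def unsafe_copy(frame, data):
    """strcpy()/gets()-style: copies as many bytes as the input has, never consulting BUF_SIZE.
    Bytes past the buffer overwrite saved_ret."""
    raw = _raw(frame)
    for i, byte in enumerate(data):
        raw[i] = byte


def safe_copy(frame, data):
    """Bounded copy (strlcpy()-style): at most BUF_SIZE-1 bytes, then a terminating NUL."""
    raw = _raw(frame)
    n = min(len(data), BUF_SIZE - 1)
    for i in range(n):
        raw[i] = data[i]
    raw[n] = 0


def run(copy):
    """Feed an over-long input through the given copy and report where control would return to."""
    frame = Frame(saved_ret=0x08048ABC)  # constructed legitimate return address
    payload = b"A" * BUF_SIZE + struct.pack("<I", 0x41414141)  # 12 bytes into an 8-byte buffer
    copy(frame, payload)
    return frame.saved_ret
```

run(unsafe_copy) returns 0x41414141: the four bytes that did not fit in the buffer became the saved return address, which is the foothold every stack-smashing exploit builds on. run(safe_copy) returns the original 0x08048ABC.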

Page 15: Attacks on Computer Systems

WEB ATTACKS

Page 16: Attacks on Computer Systems

Browser Vulnerabilities

Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010.

Page 17: Attacks on Computer Systems

Window of Exposure

Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010.

Page 18: Attacks on Computer Systems

Phishing

Phishing only works with credentials that are predictable or time-invariant (a static password can be captured once and replayed later). Trick the user into accessing a forged web page:

1. Username
2. Ask for login credentials
3. Give login credentials
4. OK, alternatively Deny (error code)

Diagram: user, forged web page, real server (SSL/TLS).

Page 19: Attacks on Computer Systems

Phishing

Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010.

Page 20: Attacks on Computer Systems

Phishing

Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010.

Page 21: Attacks on Computer Systems

Pharming

The forged page relays a challenge-response login to the real server in real time, so a challenge-response scheme on its own does not stop the attack:

1. Username (user -> forged page)
2. Username (forged page -> real server)
3. Challenge (real server -> forged page)
4. Challenge (forged page -> user)
5. Challenge and 6. Response (the user computes the response to the challenge)
7. Response (user -> forged page)
8. Response (forged page -> real server)
9. OK, alternatively Deny (real server -> forged page -> user)
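Added example (not from the slides) covering the phishing slide and the relay diagram above: a constructed model of both logins from the server's point of view. The static password is simply replayed; the challenge-response login is relayed step by step and still succeeds. The last variant, origin binding, is added as the caveat the diagram points at: when the user's client mixes the hostname it is actually talking to into the response, the relayed response no longer verifies at the real server. Hostnames, users, keys and the HMAC construction are assumptions.

```python
import hashlib
import hmac
import os


class PasswordServer:
    """Static password login: the credential is the same every time, so it can be replayed."""

    def __init__(self, users):
        self.users = users  # username -> password (constructed)

    def login(self, user, password):
        return self.users.get(user) == password


def response_for(key, challenge, origin=b""):
    """User's side of challenge-response: a MAC over the challenge, optionally mixed with the
    origin (hostname) the user's client is actually talking to."""
    return hmac.new(key, challenge + origin, hashlib.sha256).digest()


class ChallengeServer:
    """Challenge-response login. With bind_origin=True the server expects the response to have
    been computed over its own hostname as well."""

    def __init__(self, hostname, users, bind_origin):
        self.hostname = hostname.encode()
        self.users = users  # username -> shared key (constructed)
        self.bind_origin = bind_origin
        self.pending = {}

    def challenge(self, user):
        c = os.urandom(16)
        self.pending[user] = c
        return c

    def verify(self, user, response):
        c = self.pending.pop(user, None)
        if c is None or user not in self.users:
            return False
        origin = self.hostname if self.bind_origin else b""
        return hmac.compare_digest(response_for(self.users[user], c, origin), response)


def phishing_replay():
    """Phishing slide: the forged page collects the password and the phisher uses it later."""
    real = PasswordServer({"alice": "correct horse"})
    captured = "correct horse"  # what alice typed into the forged page
    return real.login("alice", captured)  # works at any later time


def pharming_relay(bind_origin):
    """Relay diagram: the forged page (bank-login.example, constructed) forwards the real server's
    challenge to the user and the user's response back. Returns whether the real server accepts."""
    key = os.urandom(32)
    real = ChallengeServer("bank.example", {"alice": key}, bind_origin)
    c = real.challenge("alice")  # steps 1-3: username forwarded, challenge issued
    # steps 4-7: the user answers the relayed challenge; an origin-bound client mixes in the
    # hostname it sees, which is the forged page's, not the bank's.
    user_origin = b"bank-login.example" if bind_origin else b""
    resp = response_for(key, c, user_origin)
    return real.verify("alice", resp)  # steps 8-9: the forged page relays the response
```

phishing_replay() and pharming_relay(bind_origin=False) both return True: the captured password and the relayed response are accepted. pharming_relay(bind_origin=True) returns False: the response was computed over the forged origin and fails at the real one.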

Page 22: Attacks on Computer Systems

XSS

(Slide contains an embedded animation: xss_selling_platform_v2.0.swf)

Page 23: Attacks on Computer Systems

What is SQL Injection?

$name = $HTTP_POST_VARS["name"];

$passwd = $HTTP_POST_VARS["passwd"];

// user input is spliced straight into the SQL text
$query = "select name from users where name = '".$name."' and passwd = '".$passwd."'";

$result = mysql_query($query);
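Added example (not the page's PHP): the same query built the same way in Python against an in-memory SQLite table, so the injection can be run, next to the parameterized version that is the fix. The table, the admin row and the two payloads are constructed.

```python
import sqlite3


def make_db():
    """Constructed users table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (name text, passwd text)")
    db.execute("insert into users values ('admin', 'correct horse battery')")
    return db


def login_vulnerable(db, name, passwd):
    """Same construction as the PHP on the slide: user input spliced into the SQL text."""
    query = ("select name from users where name = '" + name
             + "' and passwd = '" + passwd + "'")
    return [row[0] for row in db.execute(query)]


def login_parameterized(db, name, passwd):
    """Placeholders: the driver passes the values separately, so quotes in them are just data."""
    query = "select name from users where name = ? and passwd = ?"
    return [row[0] for row in db.execute(query, (name, passwd))]


def demo():
    """Two classic payloads through both versions: password tautology, and a comment that
    cuts the password check off the query entirely."""
    db = make_db()
    payloads = [("admin", "x' or '1'='1"), ("admin' -- ", "whatever")]
    return ([login_vulnerable(db, n, p) for n, p in payloads],
            [login_parameterized(db, n, p) for n, p in payloads])
```

demo() returns ([["admin"], ["admin"]], [[], []]): both payloads log in as admin through the concatenated query and match nothing through the parameterized one, which still accepts the real password.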

Page 24: Attacks on Computer Systems

What is SQL Injection?

Page 25: Attacks on Computer Systems

BOT-NETS

Page 26: Attacks on Computer Systems

Bot-nets

A bot-net is a large collection of compromised computers under the control of a command and control (C&C) server.

A bot-net consists of bots (the malicious program), drones (the hijacked computers) and one or more C&C servers.

A bot is usually a combination of a worm and a backdoor.

IRC and HTTP are the primary communication protocols in today's bot-nets.

Bots are usually self-spreading and modular.

Page 27: Attacks on Computer Systems

Uses of bot-nets

Bot-nets could be used for the following:

Click fraud: making drones click on specific advertisements on the web.

DDoS: for financial gain or blackmail.

Keylogging: for financial gain and identity theft.

Warez: collecting, spreading and storing.

Spam: for financial gain.

And of course as a private communication network.

Page 28: Attacks on Computer Systems

Detecting and preventing bot-nets

Detection is all about finding the C&C server. Look for suspicious traffic patterns in firewall logs and other logs. Take note of servers with a high number of incoming connections. Monitor the suspected C&C and inform the owner and the authorities when you are sure that it is a bot-net controller.

Prevention: all the usual rules apply: patch and protect. Do egress filtering in firewalls as well as ingress. This will stop infections from spreading and could block outgoing traffic from drones within the intranet.

Problems: some bot-nets encrypt their traffic. Tracking the C&C to the real bot-net owner can be hard.
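Added example (not from the slides): the detection and prevention points above as code run over a constructed firewall log. The detector groups outbound connections by external endpoint and flags the one that many distinct internal hosts talk to, the "server with a high number of incoming connections" from our drones; the egress rule shows the outbound filter that would have blocked those connections. The log format, the 10.0.0.0/8 internal range, the IRC server at 203.0.113.7 and the allowed-port policy are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt: three internal hosts all talking to one outside IRC server.
FIREWALL_LOG = """\
2010-04-01T12:00:01 ALLOW 10.0.0.5:51234 -> 198.51.100.3:80
2010-04-01T12:00:02 ALLOW 10.0.0.5:51235 -> 203.0.113.7:6667
2010-04-01T12:00:05 ALLOW 10.0.0.6:40001 -> 203.0.113.7:6667
2010-04-01T12:00:09 ALLOW 10.0.0.7:40777 -> 203.0.113.7:6667
2010-04-01T12:00:12 ALLOW 10.0.0.8:40900 -> 198.51.100.3:443
2010-04-01T12:00:15 ALLOW 10.0.0.6:40002 -> 198.51.100.9:80
2010-04-01T12:01:02 ALLOW 10.0.0.5:51236 -> 203.0.113.7:6667
""".splitlines()

LINE = re.compile(r"^(\S+) (ALLOW|DENY) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(lines):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for every line in the assumed log format."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(3), m.group(4), int(m.group(5))


def cnc_candidates(lines, internal_prefix="10.", min_hosts=3):
    """External endpoints that at least min_hosts distinct internal hosts connect to outbound:
    the C&C server is the one collecting connections from many of our machines."""
    hosts = defaultdict(set)
    for _, src, dst, port in parse(lines):
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            hosts[(dst, port)].add(src)
    return sorted(((dst, port), len(s)) for (dst, port), s in hosts.items() if len(s) >= min_hosts)


EGRESS_ALLOWED_PORTS = {80, 443}  # constructed policy: only web traffic may leave the intranet


def egress_decision(dst_port):
    """Egress filtering: a drone's IRC connection to the C&C is stopped at the perimeter."""
    return "ALLOW" if dst_port in EGRESS_ALLOWED_PORTS else "DENY"
```

cnc_candidates(FIREWALL_LOG) returns [(("203.0.113.7", 6667), 3)]: one outside endpoint on the IRC port, reached by three internal hosts, while the web servers are contacted by one host each and stay below the threshold. egress_decision(6667) is "DENY", which is the rule that would have kept the drones from reaching it in the first place; HTTP-based C&C on port 80 would pass this filter, which is one reason the slide says it only "could" block drone traffic.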

Page 29: Attacks on Computer Systems

Bot activity

Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010.