Information Assurance and Computing Systems Special Presentation By Dr. AFCCP QSL WYLE (AKA Dr. Yang)

Post on 25-Dec-2015

Page 1: Information Assurance and Computing Systems Special Presentation By Dr. AFCCP QSL WYLE (AKA Dr. Yang)

Information Assurance and Computing Systems

Special Presentation By

Dr. AFCCP QSL WYLE (AKA Dr. Yang)

Page 2: What is the talk not about?

• A thorough coverage of solutions to information assurance issues,

• An in-depth coverage of cryptography, database security, operating system security, or network security.

Page 3: What is the talk about?

• A brief introduction to information assurance issues in computing,

• A brief introduction to defense strategies or countermeasures,

• Introduction to the area of computer forensics, and

• Emerging attacks.

Page 4: Objectives

• Raise awareness of information assurance issues,

• Share resources on how attackers break in and how campus networks can defend against malicious attacks, and

• Survey how students respond to IA topics.

Page 5: Outline (in disguise)

Page 6: Outline

• Introduction: an expedition into software security

• Attacks

• Countermeasures

• Conclusion

Page 7: Fasten the seat belt please!

Turbulence detected ahead!!

Page 8: Short Stories

Some historical ones:

• (1942) Against Japan: cryptanalysts working on intercepted Japanese naval code traffic found that "AF" stood for Midway Island (confirmed by having Midway transmit a fake report of a water shortage and watching for "AF" in the next intercepts).

• (1989) C. Stoll, "The Cuckoo's Egg".

• (1988) Robert Morris Worm: released from MIT, but written at Cornell. Morris was sentenced to three years of probation, a fine of $10,050, and 400 hours of community service.

Some more recent ones:

• (1999) Chernobyl (CIH) virus, originating from Taiwan.

• (2005) Virus attacks by the Beagle (or Bagle) virus.

• And many more.

Page 9: Are there security issues in computing areas?

• Operating systems - Windows

• Database systems - Telephone Database

• Application systems - EZ-Pass

• Network systems - Too many problems

• Web application systems – SQL Injection

• E-mail systems – Viruses, SPAM

Page 10: Is a security breach a hole in software?

• Yes! Buffer overflows, SQL injection, telnet, ftp. (The first two are coding mistakes; telnet and ftp are weak by design, because they carry the password across the network in cleartext.)

Page 11: Is a security breach a hole in software?

• No! Weak passwords, viruses, SPAM. (These exploit the user and the way systems are operated, not a bug in one particular program.)

Page 12: Security

• Confidentiality

• Integrity

• Availability

• Authenticity

• Authority and privileges

Page 13: Hacking Strategies

Page 14: Attack Phase I: Reconnaissance & Scanning

ARIN and whois search, then a port scan. (-P0, now spelled -Pn, skips host discovery; -A turns on OS and version detection; -T4 is the aggressive timing template.)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\75CYANG.PASSHE.000>nmap -v -A -T4 -P0 taz.cs.wcupa.edu

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-13 12:06 Eastern Daylight Time
Initiating Parallel DNS resolution of 1 host. at 12:06
Completed Parallel DNS resolution of 1 host. at 12:06, 0.35s elapsed
Initiating SYN Stealth Scan at 12:06
Scanning taz.cs.wcupa.edu (144.26.29.100) [1697 ports]
Discovered open port 22/tcp on 144.26.29.100
Discovered open port 80/tcp on 144.26.29.100
Discovered open port 21/tcp on 144.26.29.100
Discovered open port 443/tcp on 144.26.29.100
Discovered open port 25/tcp on 144.26.29.100
SYN Stealth Scan Timing: About 9.99% done; ETC: 12:11 (0:04:31 remaining)
Increasing send delay for 144.26.29.100 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
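The scan lists the ports it found open, and the deck later points at the Windows services file for the names behind port numbers. As an added example that is not part of the original slides, the Python below parses the "Discovered open port" lines of Nmap's verbose output, names each port from a services-file excerpt, and singles out the services that accept a cleartext login, which is what an attacker moves on to sniff. The Nmap output and the services excerpt are constructed from the slide's own text; the set of cleartext-login ports is this example's assumption (the talk names telnet and ftp; pop3 and imap are added here).

```python
import re

# Constructed sample: the verbose Nmap 4.20 output from the slide, trimmed to
# the lines that matter.  Host name and address are the slide's own.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-13 12:06 Eastern Daylight Time
Initiating SYN Stealth Scan at 12:06
Scanning taz.cs.wcupa.edu (144.26.29.100) [1697 ports]
Discovered open port 22/tcp on 144.26.29.100
Discovered open port 80/tcp on 144.26.29.100
Discovered open port 21/tcp on 144.26.29.100
Discovered open port 443/tcp on 144.26.29.100
Discovered open port 25/tcp on 144.26.29.100
SYN Stealth Scan Timing: About 9.99% done; ETC: 12:11 (0:04:31 remaining)
"""

# Constructed excerpt in the format of C:\WINDOWS\system32\drivers\etc\services.
SAMPLE_SERVICES_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
ftp                21/tcp
ssh                22/tcp
telnet             23/tcp
smtp               25/tcp    mail
http               80/tcp    www www-http
https             443/tcp
"""

# Services whose login crosses the wire in cleartext (assumption of this example).
CLEARTEXT_LOGIN_PORTS = {21, 23, 110, 143}

OPEN_PORT_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")
SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)")


def parse_services(text):
    """Map (port, proto) -> service name from a services-file excerpt."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        m = SERVICE_RE.match(line)
        if m:
            table[(int(m.group(2)), m.group(3))] = m.group(1)
    return table


def parse_open_ports(nmap_text):
    """Return {host: sorted list of (port, proto)} from 'Discovered open port' lines."""
    hosts = {}
    for line in nmap_text.splitlines():
        m = OPEN_PORT_RE.match(line.strip())
        if m:
            port, proto, host = int(m.group(1)), m.group(2), m.group(3)
            hosts.setdefault(host, []).append((port, proto))
    return {h: sorted(set(p)) for h, p in hosts.items()}


def exposure_report(nmap_text, services_text):
    """Name every open port and mark the ones that take a cleartext login."""
    services = parse_services(services_text)
    report = {}
    for host, ports in parse_open_ports(nmap_text).items():
        rows = []
        for port, proto in ports:
            name = services.get((port, proto), "unknown")
            rows.append((port, proto, name, port in CLEARTEXT_LOGIN_PORTS))
        report[host] = rows
    return report


def cleartext_services(nmap_text, services_text):
    """Just the (host, port, name) triples an attacker would sniff first."""
    return [(host, port, name)
            for host, rows in exposure_report(nmap_text, services_text).items()
            for port, _proto, name, risky in rows if risky]


if __name__ == "__main__":
    for host, rows in exposure_report(SAMPLE_NMAP_OUTPUT, SAMPLE_SERVICES_FILE).items():
        print(host)
        for port, proto, name, risky in rows:
            flag = "  <-- cleartext login" if risky else ""
            print(f"  {port:>5}/{proto}  {name}{flag}")
```

On the slide's scan this flags only ftp (21/tcp); ssh and https are already the replacements the deck recommends later.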

Page 15: Attack Phase II: Gaining Access

1. Direct attack: denial-of-service, password guessing

2. Indirect attack using user ports: Trojan Horses, backdoors, rootkits, etc.

3. Indirect attack using well-known ports: viruses, worms, SPAM

Page 16: Attack Phase II: Gaining Access – Password Guessing with Cain

1. Configure: choose a network adapter (or the target machine).

2. Start Dictionary Guessing

Page 17: Attack Phase II: Gaining Access – Password Guessing with LC4

1. Session > Options

2. Import > From Local Machine

3. Start Dictionary Guessing

(The brute-force version is not free.)

Page 18: Result of Running LC4
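LC4 and Cain recover passwords by hashing every dictionary word and comparing the result with the hashes imported from the local machine. As an added example that is not part of the original slides, the Python below does the same against NTLM hashes: NTLM is MD4 over the UTF-16LE password with no salt, so each guess is hashed once and checked against every account at the same time. A few LC4-style word-mangling rules are included. The MD4 routine is written out because hashlib's "md4" is often unavailable on current OpenSSL builds. The account names, the hash "dump" and the word list are constructed; the third password is the passphrase-derived one from the Protect Password slide later in the deck, and it survives because no dictionary contains it.

```python
import struct


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320; NTLM is this digest over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def ntlm_hash(password: str) -> str:
    """Unsalted NTLM hash as hex: identical passwords give identical hashes."""
    return md4(password.encode("utf-16-le")).hex()


def candidates(word: str):
    """Hybrid-attack mangling rules in the spirit of LC4/Cain (chosen for this example)."""
    base = {word, word.lower(), word.capitalize(), word.upper()}
    out = set(base)
    for w in base:
        for suffix in ("1", "123", "!", "2007"):
            out.add(w + suffix)
    return out


def dictionary_attack(hashes, wordlist):
    """hashes: {user: ntlm_hex}.  Returns {user: recovered password or None}."""
    by_hash = {}
    for user, h in hashes.items():                 # one hash -> all users sharing it
        by_hash.setdefault(h.lower(), []).append(user)
    found = {user: None for user in hashes}
    for word in wordlist:
        for guess in candidates(word):
            for user in by_hash.get(ntlm_hash(guess), ()):
                found[user] = guess
    return found


# Constructed "dump", the kind of data LC4's Import > From Local Machine yields.
SAMPLE_HASHES = {
    "alice": ntlm_hash("password"),
    "bob":   ntlm_hash("Summer2007"),
    "carol": ntlm_hash("IlteiaCra7S"),     # passphrase-derived password from the deck
}
SAMPLE_WORDLIST = ["123456", "password", "letmein", "summer", "qwerty"]

if __name__ == "__main__":
    for user, pw in dictionary_attack(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{user}: {pw if pw else '(not cracked)'}")
```

The LM hash that LC4 also attacks is weaker still (the password is upper-cased and split into two 7-character halves), which is why the slide's "length > 7" advice alone is not enough on systems that still store LM hashes.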

Page 19: Result of Scanning Protected Storage

Page 20: Attack Phase II: Gaining Access – Packet Sniffing with Ethereal

1. Set the capture options

2. Open a Command Prompt

3. Start the capture

4. Start a telnet session and log in

Page 21: Attack Phase II: Gaining Access – Packet Sniffing with Ethereal

Page 22: Attack Phase II: Gaining Access – Packet Sniffing with Ethereal

Page 23: Attack Phase II: Gaining Access – Packet Sniffing with Ethereal

Demonstration
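What the Ethereal demonstration shows is that a telnet login can be read straight off the wire. As an added example that is not part of the original slides, the Python below takes the TCP payloads of a telnet session as a list of (direction, payload) segments in wire order (the kind of data Ethereal's "Follow TCP Stream" reassembles for you; constructed here), strips the telnet option negotiation, and pairs the login and password prompts with the characters the client typed, including a backspace correction. The host name, user name and password in the sample are made up.

```python
# Telnet protocol bytes (RFC 854): everything after IAC is a command, not data.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Remove IAC command sequences, keeping only the user-visible data bytes."""
    out = bytearray()
    i = 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # IAC cut off at segment end
        cmd = payload[i + 1]
        if cmd == IAC:                              # IAC IAC is a literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):         # three-byte option negotiation
            i += 3
        elif cmd == SB:                             # subnegotiation runs to IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        else:                                       # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_credentials(capture):
    """Walk client ('C') and server ('S') segments in order; the characters the
    client sends after a login/password prompt are the credentials."""
    creds = {"login": None, "password": None}
    field, typed = None, bytearray()
    for direction, payload in capture:
        data = strip_telnet_negotiation(payload)
        if direction == "S":
            low = data.lower()
            if creds["login"] is None and b"login:" in low:
                field, typed = "login", bytearray()
            elif creds["password"] is None and b"password:" in low:
                field, typed = "password", bytearray()
            continue
        if field is None:
            continue
        for b in data:
            if b in (0x08, 0x7F):                   # backspace/DEL undoes the last char
                if typed:
                    typed.pop()
            elif b in (0x0D, 0x0A):                 # Enter ends the field
                creds[field] = typed.decode("latin-1")
                field = None
                break
            elif 0x20 <= b < 0x7F:
                typed.append(b)
    return creds


# Constructed session: option negotiation, then a login where the client sends
# one keystroke per segment (the server echoes the login but not the password),
# with a typo in the password corrected by DEL.
SAMPLE_CAPTURE = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    ("C", b"\xff\xfb\x18\xff\xfb\x20\xff\xfc\x23\xff\xfb\x27"),
    ("S", b"\xff\xfa\x18\x01\xff\xf0"),
    ("C", b"\xff\xfa\x18\x00XTERM\xff\xf0"),
    ("S", b"\r\nlab login: "),
    ("C", b"s"), ("S", b"s"), ("C", b"t"), ("S", b"t"), ("C", b"u"), ("S", b"u"),
    ("C", b"d"), ("S", b"d"), ("C", b"e"), ("S", b"e"), ("C", b"n"), ("S", b"n"),
    ("C", b"t"), ("S", b"t"), ("C", b"\r\n"), ("S", b"\r\n"),
    ("S", b"Password: "),
    ("C", b"s"), ("C", b"e"), ("C", b"c"), ("C", b"r"), ("C", b"t"),
    ("C", b"\x7f"), ("C", b"e"), ("C", b"t"), ("C", b"\r\n"),
    ("S", b"\r\nLast login: Fri Apr 13 12:06:00 2007\r\n$ "),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_CAPTURE))
```

The same walk over an SSH session yields nothing, because the key exchange finishes before the password is ever sent; that is the whole argument for the "stop using telnet" countermeasure later in the deck.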

Page 24: Attack Phase II: Gaining Access

More indirect attacks are found than direct attacks!

Page 25: What do you mean?

More indirect attacks are found than direct attacks!

1. User ports are closed unless requested and approved.

2. Most well-known ports are open. (Check the file C:\WINDOWS\system32\drivers\etc\services to see which port numbers belong to which well-known services.)

Page 26: Direct Attacks vs. Indirect Attacks

• Direct attacks such as password attacks become more difficult as users become smarter.

• Sending viruses, worms, or spyware via e-mail has become more prevalent.

• E-mail spam is almost part of our life.

• Beware of the “wolf”, e.g., Trojan Horse!!

Page 27: Trojan Horse

• A pair of programs: a Trojan Horse server and a client.

• The server must be installed on the victim's machine.

• Once that is done, the machine is considered compromised.

• The attacker then uses the client program to control the server from anywhere with Internet access.

Page 28: A Trojan Horse Example

Page 29: Example of a Trojan Horse Server

Page 30: Example of a Trojan Horse Client

Page 31: Example of a Trojan Horse Client

Page 32: One Question Left - How can the server be installed?

• Clicking an icon that appeals to your eye while you surf the web,

• Clicking the attachment that comes with an e-mail message, or

• Downloading a piece of software from an unfamiliar web site.

Page 33: Defense and Countermeasures

Page 34: Countermeasures: against Trojan Horse

• DeepFreeze software has been installed on all WCU computing lab machines.

• Everything installed or downloaded between logon and logoff is discarded when the session ends.

• It is somewhat conservative but effective.

• User awareness is the key!! But ...

Page 35: Countermeasures: Techniques

• Unplug the machine and

• Reformat the drive if you are sure the machine has been compromised.

• But ..... are there other ways?

Page 36: Countermeasures: Techniques

• Cryptology: cryptography and cryptanalysis

• Users: choose appropriate passwords

• Use intrusion detection software

• Network users: stop using telnet and ftp, which send the password in cleartext. Use PuTTY (SSH) in lieu of telnet, and secure ftp (SFTP/SCP, e.g., WinSCP 3) in lieu of ftp

• Forensics: manual removal of the Beagle virus, forensic tools.

Page 37: Cryptography

• So what is my first name?

• My name is AFCCP QSL WYLE (aka Dr. Yang)

Page 38: Cryptography

• So what is my first name?

• My name is AFCCP QSL WYLE (aka Dr. Yang)

• A: Cheer Sun Yang
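The name on every slide is a Caesar cipher: each letter of CHEER SUN YANG has been moved two places back in the alphabet (C became A, H became F, and Y wrapped round to W). As an added example that is not part of the original slides, the Python below recovers it two ways: by exhaustive search over the 26 possible shifts, and by a crib search (known-plaintext attack) for the word YANG, the same idea as confirming that "AF" in the Japanese traffic meant Midway.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, k: int) -> str:
    """Shift every letter forward by k places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext: str):
    """Exhaustive key search: a Caesar cipher has only 26 keys, so try them all."""
    return {k: caesar_shift(ciphertext, k) for k in range(26)}


def find_shift_with_crib(ciphertext: str, crib: str):
    """Known-plaintext attack: the shift under which the crib shows up, or None."""
    for k, candidate in all_shifts(ciphertext).items():
        if crib.upper() in candidate:
            return k
    return None


SLIDE_CIPHERTEXT = "AFCCP QSL WYLE"       # the name as printed on the slides

if __name__ == "__main__":
    for k, plain in all_shifts(SLIDE_CIPHERTEXT).items():
        print(f"{k:2d}: {plain}")
    print("crib YANG found at shift", find_shift_with_crib(SLIDE_CIPHERTEXT, "YANG"))
```

Encrypting with shift 24 and decrypting with shift 2 are the same operation in opposite directions; the crib is what lets a program pick the right line out of the 26 without a human reading them.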

Page 39: Use SpyWare Detection – Netscape Browser

Page 40: Use SpyWare Detection – Netscape Browser

Page 41: Protect Password

• Use strong passwords: length greater than 7, mixing letters, digits, and special characters.

• Use the first letter of each word of a passphrase, e.g., IlteiaCra7S (I love to eat in a Chinese restaurant at 7pm on Sunday).

• Don't write it down and store it in a README file on your laptop.

Page 42: Countermeasures: Techniques – Forensics

• Understand how data hiding can be done,

• Prepare for incidents,

• Use incident response tools,

• Develop a methodology, and

• Know what to look for.

Page 43: Countermeasures: Techniques – Forensic Tools

• Installing Perl modules with the Perl Package Manager (PPM), e.g., Win32-API:

• Refer to the book "Windows Forensics and Incident Recovery" for more techniques.

C:\Documents and Settings\75CYANG.PASSHE.000>ppm install win32-api
Downloading ActiveState Package Repository packlist...done
Updating ActiveState Package Repository database...done
Syncing site PPM database with .packlists...done
Downloading Win32-API-0.46...done
Unpacking Win32-API-0.46...done
Generating HTML for Win32-API-0.46...done
Updating files in site area...done
18 files installed

Page 44: Example of Intrusion Detection

Sophos Anti-Virus program: is this a real virus or a false alarm?

Page 45: Countermeasures: Techniques – Forensics (the Page 42 slide, shown again)

Page 46: Countermeasures: Techniques – Forensics

• What should we do first, assuming our machine has probably been compromised?

• A: Disconnect it from the network.

• Then what?

• A: Find out where the spyware hides.

• Remove the spyware using anti-virus software.

Page 47: Finding the Spyware Manually

Page 48: Finding the Spyware Manually

Page 49: Finding the Spyware Manually

Page 50: Finding the Spyware Manually

Page 51: Finding the Spyware Manually

Page 52: Protect Windows

Page 53: Protect Windows

The Windows HOSTS file stored in C:

Page 54: Protect Windows

The hosts file stored in C:\WINDOWS\system32\drivers\etc\hosts maps host names to IP addresses and is consulted before DNS, so spyware edits it to redirect or block sites. Be sure that the addresses in it are the correct ones.
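As an added example that is not part of the original slides, the Python below parses a hosts file in the Windows format and classifies each override. The file contents, the example domain names and the list of "protected" names (sites whose resolution you depend on, such as anti-virus update servers) are constructed; the classification rule (any override of a protected name is a hijack, other names sent to a real address are redirects, other names sent to 127.0.0.1 or 0.0.0.0 merely block that host and are often deliberate) is this example's heuristic, not a rule stated on the slide.

```python
import ipaddress

# Constructed hosts file: the standard localhost line, an ad host blocked on
# purpose, and two spyware-style entries: one blackholes an AV vendor's site,
# the other sends its update server to an attacker-controlled address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocked on purpose
127.0.0.1       www.example-av.com       # blackholed: AV site never loads
10.9.8.7        update.example-av.com    # redirected to a foreign address
192.0.2.10      www.news.example         # override of an ordinary site
"""

SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip, name), ...]; one line may list several names for one address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                 # malformed line, not an entry
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text, protected_names):
    """Classify every override as 'hijack', 'redirect' or 'blocked' (see lead-in)."""
    protected = {n.lower() for n in protected_names}
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue                                 # the entries that belong there
        if name in protected:
            kind = "hijack"
        elif ip in SINKHOLE:
            kind = "blocked"
        else:
            kind = "redirect"
        findings.append((kind, name, str(ip)))
    return findings


def hijacked_names(text, protected_names):
    """Just the protected names that have been overridden."""
    return [name for kind, name, _ip in audit_hosts(text, protected_names) if kind == "hijack"]


if __name__ == "__main__":
    for kind, name, ip in audit_hosts(SAMPLE_HOSTS, ["www.example-av.com", "update.example-av.com"]):
        print(f"{kind:8s} {name:28s} -> {ip}")
```

A clean Windows hosts file contains nothing but comments and the localhost line, so on a machine that is not deliberately using it for ad blocking every finding, whatever its class, deserves a look.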

Page 55: Protect Windows

Browser Helper Objects (BHOs) are registered under the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects].

Under the key will be a list of globally unique identifiers (GUIDs), one per BHO that Internet Explorer loads.

Look each value up at www.sysinfo.org.

Page 56: Protect Windows

Page 57: Protect Windows

Page 58: Protect Windows – Detection and Removal Tools

• HijackThis

• a2HiJackFree

• InstallWatch Pro

• Unlocker

• VMWare

Page 59: Countermeasures: responsibilities

• System administrators

• Network users

• Teachers

• Students

Page 60: End of the Trip

Page 61: Conclusion

• Security does not depend on secure software alone.

• Security does not depend on security officers alone.

• Security does not depend on any single user alone.

• Security does not depend on network security alone.

Page 62: Bibliography (Classic)

• Ed Skoudis, "Counter Hack," Prentice Hall PTR, 2006.

• Pfleeger and Pfleeger, "Security in Computing," Prentice Hall PTR.

• Warren G. Kruse II and Jay Heiser, "Computer Forensics," Addison-Wesley, 2002.

• Matt Bishop, "Computer Security," Addison-Wesley, 2003.

• Kaufman et al., "Network Security," Prentice Hall.

Page 63: Bibliography (Recent)

• Christopher Kruegel et al., "Intrusion Detection and Correlation," Springer-Verlag, 2005.

• Mihai Christodorescu et al., "Malware Detection," Springer-Verlag, 2006.

• John Daniel et al., "Computer Viruses and Malware," Springer-Verlag, 2006.

• Ed Skoudis, "Malware," Pearson Education, 2003.

• Mark Osborne, "How to Cheat at Managing Information Security," Syngress, 2006.

• David Maynor et al., "Emerging Threat Analysis," Syngress, 2006.

Page 64: Bibliography (Recent)

• Ed Skoudis, "Counter Hack Reloaded," Prentice Hall PTR, 2006.

• Michael Simpson, "Hands-On Ethical Hacking and Network Defense," Thomson Course Technology, 2006.

• Ankit Fadia, "The Unofficial Guide to Ethical Hacking," Thomson Course Technology, 2005.

• Jon Edney and William Arbaugh, "Real 802.11 Security," Addison-Wesley, 2004.

• Peter Szor, "The Art of Computer Virus Research and Defense," Addison-Wesley, 2005.

• Harlan Carvey, "Windows Forensics and Incident Recovery," Addison-Wesley, 2005.

Page 65: That's all folks!

• Questions? Comments?

• Eggs and Tomatoes?