ISA 330 Introduction to Proactive System Security
Philip Robbins, September 14, 2013
Information Security & Assurance Program, University of Hawai'i West Oahu
Week #2: Desktop, Server, and Embedded Operating System Vulnerabilities

Topics
- Windows & *nix OS vulnerabilities
- Embedded OS vulnerabilities
- Tools & resources
- Class discussions
- Quiz #1
- Assignment #1

OS Vulnerabilities: Windows
- OSs contain serious vulnerabilities that attackers can exploit.
- Default installations are especially at risk.
How do we deal with this?
- Reduce the attack surface: disable, reconfigure, or uninstall unnecessary services.
- Employ system hardening techniques.
- Monitor for new vulnerabilities / enable automatic updates.
- Periodic assessment / scans.
- Patch.

OS Vulnerabilities: CVE search on NVD
(Screenshot of a CVE search on the National Vulnerability Database; not captured in the transcript.)

OS Vulnerabilities: Windows File Systems
The purpose of a file system is to store and manage information.
File Allocation Table (FAT): the standard file system for most removable media.
- 512 B = 1 sector
- 1 cluster = the smallest unit allocated to a file
Why would using FAT in a multiuser environment be considered a critical vulnerability? Because FAT doesn't support file-level access control lists (ACLs): every user with access to the volume has the same access to every file on it.

OS Vulnerabilities: Windows File Systems
New Technology File System (NTFS): supports larger files and disk volumes while addressing security through ACLs and file system journaling.
Alternate Data Streams (ADSs) are an NTFS feature added for compatibility with the old Apple Hierarchical File System, which stores each file as a data fork (the contents of the document) and a resource fork (file type identification and other metadata).
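An added example, not code from the slides: `dir /r` (Windows Vista and later, one of the detection tools covered below) prints each named stream on its own indented line under the file that carries it. The Python below parses that output and flags the streams a responder should open first: anything that is not a stream Windows writes itself, anything named like an executable, and a "benign" stream that is far too large to be what it claims. The sample listing is constructed, modelled on the compromised C:\compaq host in the LADS/lns output that follows; the dates, sizes and the notes.txt entry are made up.

```python
import re
import subprocess
import sys
from typing import Dict, List

# `dir /r` prints each named stream on its own indented line under the file, e.g.
#   "                                 12,288 test_file:ipeye.exe:$DATA"
# with no date/time column, so "size file:stream:$DATA" identifies a stream line.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(?P<file>[^:\\/]+):(?P<stream>[^:]+):\$DATA\s*$")
DIR_LINE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")

# Streams Windows writes itself; on their own they are not evidence of tampering.
BENIGN_STREAMS = {"Zone.Identifier"}   # Mark-of-the-Web on downloaded files
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".ps1", ".vbs")


def parse_dir_r(output: str) -> List[Dict]:
    """Turn the text of one or more `dir /r` listings into stream records."""
    streams, current_dir = [], ""
    for line in output.splitlines():
        d = DIR_LINE.match(line)
        if d:
            current_dir = d.group("dir").rstrip("\\")
            continue
        m = STREAM_LINE.match(line)
        if m:
            streams.append({
                "path": f"{current_dir}\\{m.group('file')}",
                "stream": m.group("stream"),
                "size": int(m.group(1).replace(",", "")),
            })
    return streams


def triage(streams: List[Dict], max_benign_size: int = 4096) -> List[Dict]:
    """Keep the streams worth opening: unexpected names, executable-looking names,
    and 'benign' names that are far too large to be what they claim (a renamed payload)."""
    flagged = []
    for s in streams:
        reasons = []
        if s["stream"] not in BENIGN_STREAMS:
            reasons.append("unexpected stream name")
        if s["stream"].lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable-looking stream name")
        if s["stream"] in BENIGN_STREAMS and s["size"] > max_benign_size:
            reasons.append("benign name but oversized")
        if reasons:
            flagged.append({**s, "reasons": reasons})
    return flagged


def scan_live(directory: str) -> List[Dict]:
    """Run `dir /r` on a Windows host (Vista and later) and triage the result."""
    if sys.platform != "win32":
        raise OSError("dir /r is only available on Windows")
    out = subprocess.run(["cmd", "/c", "dir", "/r", directory],
                         capture_output=True, text=True, check=True)
    return triage(parse_dir_r(out.stdout))


# Constructed sample listing, modelled on the compromised C:\compaq host from the LADS/lns
# output on the slides; dates, sizes and the notes.txt entry are invented.
SAMPLE_DIR_R = r""" Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\compaq

09/14/2013  09:12 AM    <DIR>          .
09/14/2013  09:12 AM    <DIR>          ..
09/14/2013  09:10 AM                 0 test_file
                                 12,288 test_file:ipeye.exe:$DATA
09/14/2013  09:10 AM                 0 test_file2
                                 47,616 test_file2:klogger.exe:$DATA
09/14/2013  09:11 AM             1,024 notes.txt
                                     26 notes.txt:Zone.Identifier:$DATA
               3 File(s)          1,024 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

if __name__ == "__main__":
    for hit in triage(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{hit['path']}:{hit['stream']}  {hit['size']} bytes  ({'; '.join(hit['reasons'])})")
```

The size threshold for "benign" streams is an assumption (a Zone.Identifier stream is normally a few dozen bytes); tune it to what your fleet actually writes. The parser works on saved `dir /r` output too, so it can be run over listings collected from many hosts without installing anything on them.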
Why are ADSs considered a security risk? Because a stream is not shown by Explorer or by a plain dir listing, ADSs give attackers a place to hide and store exploitation tools and other malicious files on compromised systems.

OS Vulnerabilities: Windows File Systems (NTFS), tools for detecting ADSs
- LADS: lists all alternate data streams under an NTFS directory.
- lns: searches for NTFS streams (a.k.a. alternate data streams or multiple data streams).
- Tripwire Enterprise: vulnerability management solution that uses signatures to find vulnerabilities.
- dir /r: Command Prompt (cmd) command, available in Windows Vista and later; run it from the directory whose files and ADSs you want to display.

Using LADS & lns to detect ADSs

Uncompromised system, LADS:
LADS - Freeware version 4.00
(C) Copyright Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:
size ADS in file
Error 32 opening C:\pagefile.sys
The following summary might be incorrect because there was at least one error!
0 bytes in 0 ADS listed

(Error 32 is a sharing violation: the page file is held open by Windows while it is running. It is expected, not a finding.)

Compromised system, LADS:
LADS - Freeware version 4.00
(C) Copyright Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\compaq
size ADS in file
C:\compaq\test_file:ipeye.exe
C:\compaq\test_file2:klogger.exe
C:\compaq\test_file3:psexec.exe
C:\compaq\test_file4:pslist.exe
bytes in 4 ADS listed

Compromised system, lns:
lns (c) 2002, Arne Vidstrom
c:\compaq\test_file - Alternative data stream [:ipeye.exe:$DATA]
c:\compaq\test_file2 - Alternative data stream [:klogger.exe:$DATA]
c:\compaq\test_file3 - Alternative data stream [:psexec.exe:$DATA]
c:\compaq\test_file4 - Alternative data stream

OS Vulnerabilities: Remote Procedure Call (RPC)
- Interprocess communication mechanism.
- Allows a computer program to cause a subroutine or procedure to execute in another address space, commonly on another computer within a shared network.
(The RPC diagrams and the three "OS Vulnerabilities" screenshot slides that follow are not captured in the transcript.)

OS Vulnerabilities: Network Basic Input / Output System (NetBIOS)
- OSI Session Layer (layer 5).
- Software loaded into memory that allows a program to interact with a shared network resource or device.
- NetBIOS frees an application from having to understand the details of the network.
- Still used today for backward compatibility.
- NetBIOS over TCP/IP uses ports that are often left open to the Internet: UDP/137 (name service), UDP/138 (datagram service), TCP/139 (session service).
Why is NetBIOS over TCP/IP considered a security risk?
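Before the answer, an added example that is not part of the slides: the node status query that `nbtstat -A <ip>` sends to UDP/137, a parser for the reply, and a summary of what the reply gives away. No credentials are involved at any point, which is the whole problem. The reply used here is constructed for a fictitious domain controller UHWO-DC1 in a domain UHWO with an invented MAC address; `query_node_status` does the same against a live host.

```python
import os
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021          # NODE STATUS record type (RFC 1002)

# Meaning of the common name-table suffixes, keyed by (suffix, is_group).
SUFFIX_MEANING = {
    (0x00, False): "computer name",
    (0x00, True):  "domain / workgroup",
    (0x03, False): "messenger service (computer or logged-on user)",
    (0x1B, False): "domain master browser",
    (0x1C, True):  "domain controllers",
    (0x1D, False): "master browser",
    (0x20, False): "file server service (SMB)",
}


def encode_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte,
    then write each nibble of every byte as a letter 'A'..'P'."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    return bytes(0x41 + n for c in raw for n in (c >> 4, c & 0x0F))


def build_node_status_request(txid: int) -> bytes:
    """The 50-byte UDP packet nbtstat -A sends: a NBSTAT query for the wildcard name '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = bytes([32]) + encode_name("*", pad=b"\x00") + b"\x00"
    return header + question + struct.pack(">HH", NBSTAT, 0x0001)


def parse_node_status_response(data: bytes) -> dict:
    """Decode the name table and MAC address from a NODE STATUS RESPONSE."""
    txid, flags, _qd, an = struct.unpack_from(">HHHH", data, 0)
    if not (flags & 0x8000) or an < 1:
        raise ValueError("not a NetBIOS response")
    off = 12
    off += 1 + data[off] + 1                      # RR_NAME: one label plus terminator
    rr_type, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rr_type != NBSTAT:
        raise ValueError(f"unexpected record type {rr_type:#06x}")
    rdata = data[off:off + rdlen]
    names, p = [], 1
    for _ in range(rdata[0]):                     # NUM_NAMES entries of 18 bytes each
        raw, suffix = rdata[p:p + 15], rdata[p + 15]
        nflags = struct.unpack_from(">H", rdata, p + 16)[0]
        p += 18
        group = bool(nflags & 0x8000)             # G bit: group name vs. unique name
        names.append({
            "name": raw.rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix, "group": group,
            "active": bool(nflags & 0x0400),      # ACT bit
            "meaning": SUFFIX_MEANING.get((suffix, group), "other"),
        })
    mac = ":".join(f"{b:02x}" for b in rdata[p:p + 6])   # statistics block starts with the MAC
    return {"txid": txid, "names": names, "mac": mac}


def summarize(parsed: dict) -> dict:
    """Reduce the table to what an attacker actually wanted to know."""
    def by(suffix, group):
        return [n["name"] for n in parsed["names"] if n["suffix"] == suffix and n["group"] == group]
    computer = next(iter(by(0x00, False)), None)
    return {
        "computer": computer,
        "domain": next(iter(by(0x00, True)), None),
        "users": [n for n in by(0x03, False) if n != computer],   # logged-on users
        "file_sharing": bool(by(0x20, False)),
        "domain_controller": bool(by(0x1C, True)),
        "mac": parsed["mac"],
    }


def query_node_status(host: str, timeout: float = 2.0) -> dict:
    """Live, unauthenticated query of one host on UDP/137."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(txid), (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    parsed = parse_node_status_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return parsed


def build_sample_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed reply (not captured from a real host) so the parser can run offline."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr_name = bytes([32]) + encode_name("*", pad=b"\x00") + b"\x00"
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        nflags = (0x8000 if group else 0) | 0x0400
        rdata += name.encode("ascii").ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + bytes(40)                      # MAC followed by a zeroed statistics block
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


# Constructed name table for a fictitious domain controller UHWO-DC1 in domain UHWO.
SAMPLE_ENTRIES = [("UHWO-DC1", 0x00, False), ("UHWO", 0x00, True), ("UHWO-DC1", 0x03, False),
                  ("UHWO-DC1", 0x20, False), ("UHWO", 0x1C, True), ("UHWO", 0x1B, False),
                  ("ADMINISTRATOR", 0x03, False)]
SAMPLE_RESPONSE = build_sample_response(0xBEEF, SAMPLE_ENTRIES, bytes.fromhex("0800271a2b3c"))

if __name__ == "__main__":
    print(summarize(parse_node_status_response(SAMPLE_RESPONSE)))
```

The `<03>` entries are the interesting ones for an attacker: every name registered with that suffix other than the computer's own is a user currently logged on, and `<1C>` tells them this host is a domain controller, exactly the target the Domain Controllers slide below describes. Blocking UDP/137 at the perimeter, or disabling NetBIOS over TCP/IP on interfaces that do not need it, removes this channel.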
Because an attacker can gain the following information:
- Computer name
- Contents of the remote name cache, including IP addresses
- A list of local NetBIOS names
- A list of names resolved by broadcast or via WINS
- Contents of the session table with the destination IP addresses

OS Vulnerabilities: Server Message Block (SMB)
- OSI Application Layer (layer 7).
- Used for sharing access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
- Uses TCP/445 (SMB carried over NetBIOS uses TCP/139).
- Vulnerabilities are associated with Microsoft's implementation of the SMB protocol and the components it directly relies on.

OS Vulnerabilities: Common Internet File System (CIFS)
- The later, documented version of SMB; it supersedes the original SMB dialects while keeping backward compatibility with them.
- Remote file system protocol that allows computers to share network resources over the Internet.

OS Vulnerabilities: Domain Controllers
- Servers that handle authentication for a domain.
- DCs using CIFS listen on the following ports: DNS (53), HTTP (80), Kerberos (88), RPC endpoint mapper (135), NetBIOS (137 & 139), LDAP (389), HTTPS (443), SMB/CIFS (445), LDAP over SSL (636), Active Directory Global Catalog (3268, and 3269 over SSL).
- Most attackers look for DCs because they hold so much of the information attackers want, including the domain's account database.

OS Vulnerabilities: Null Sessions
- Allow you to connect to a remote machine without supplying a user name or password (an anonymous login).
- Examples: anonymous FTP, SQL Server with a null (blank) sa password, the IPC$ share on Windows.
- One of the most commonly used methods of network reconnaissance.

OS Vulnerabilities: Buffer Overflows
- Occur when data written to a buffer (temporary memory space) exceeds its size and, because of insufficient bounds checking, corrupts the memory next to the allocated buffer.
- Applications written in C & C++ are especially vulnerable because those languages do not bounds-check memory accesses for you.
- Can allow attackers to run shellcode.

OS Vulnerabilities: Trojan
- Non-replicating type of malware.
- Program that appears to perform a desired function.
- Gains privileged access.
- Allows remote administration (backdoors).
- Creates a file server (FTP).
- Drops a malicious payload.

OS Vulnerabilities: Rootkits
- Installed by intruders who have already gained root access.
- Contain malicious Trojan binary programs.
- Designed to hide and maintain privileged access.
- Can reside in the kernel.
- Removal becomes complicated.

Class Discussion
What are the benefits of using passwords as an authentication method? They are cost effective and disposable.
Why can passwords be considered a weakness / vulnerability? "What you know" vs. "what you are" or "what you have": a username and password is all that stands between an attacker and access.

OS Vulnerabilities: Passwords
- All users / admins should change their passwords regularly. (Current guidance, NIST SP 800-63B, drops scheduled rotation in favor of changing a password when compromise is suspected and screening candidates against breached-password lists.)
- Establish a minimum length for users (8 chars) and admins (15 chars).
- Require complexity: letters, numbers, symbols, both upper and lower case characters.
- No dictionary (common) or slang words (in any language).
- No connection to the user: SSN, birthdays, or names.
- Never write passwords down (especially online), send them through e-mail, or store them on a user's computer.
- Be aware of shoulder surfing.
- Limit reuse of old passwords.
- Set an account lockout duration (e.g. a 30-second timeout after the first failed attempt).
- Set an account lockout threshold (e.g. disable the account after 3 failed attempts).
(Two password-policy screenshot slides follow; not captured in the transcript.)

Vulnerability Scanners
- eEye Retina
- Tenable Nessus
- GFI LanGuard
- OpenVAS

Patch Scanners
- HFNetChk & Shavlik: created by Mark Shavlik; MBSA (Microsoft Baseline Security Analyzer) is based on HFNetChk; Shavlik for patch management.
- Microsoft's Systems Management Server (SMS): patch management for all computers on your network.
- Windows Server Update Services (WSUS): patch management from the network. WSUS downloads patches and publishes them internally, giving control over which updates are deployed.
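The password rules on the Passwords slide above, as an added policy checker that is not code from the course. It enforces the role-based minimum length, the four character classes, the dictionary check, the "no connection to the user" check, and reuse against a history that stores only salted PBKDF2 hashes so old passwords never sit on disk in the clear. The word list, the history depth of five and the PBKDF2 round count are assumptions for the example.

```python
import hashlib
import os
import re
from typing import Iterable, List, Sequence, Tuple

# Minimum lengths from the slide: 8 characters for users, 15 for admins.
MIN_LENGTH = {"user": 8, "admin": 15}
HISTORY_DEPTH = 5            # assumption: the last five passwords may not be reused
PBKDF2_ROUNDS = 100_000      # assumption: round count for the history hashes

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words plus slang lists
# in other languages). Matching ignores case.
COMMON_WORDS = sorted({"password", "welcome", "letmein", "qwerty", "admin", "hawaii", "aloha"})

HistoryEntry = Tuple[bytes, bytes]   # (salt, PBKDF2-HMAC-SHA256 digest)


def hash_password(password: str, salt: bytes = b"") -> HistoryEntry:
    """Salted PBKDF2 so the reuse history never stores an old password in the clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password: str, history: Sequence[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def _alnum(text: str) -> str:
    return re.sub(r"[^0-9a-z]", "", text.lower())


def check_password(password: str, username: str, role: str = "user",
                   personal: Iterable[str] = (), history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than the {MIN_LENGTH[role]} characters required for {role}s")

    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    lowered = password.lower()
    for word in COMMON_WORDS:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains the dictionary word '{word}'")

    # No connection to the user: username, SSN, birthday, names. Punctuation is stripped
    # on both sides so a birthday "1985-03-12" is still caught inside "...19850312...".
    for item in (username, *personal):
        token = _alnum(str(item))
        if len(token) >= 4 and token in _alnum(lowered):
            problems.append(f"contains personal data '{item}'")

    if reused(password, list(history)):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed account data: username and birthday are invented.
    history = [hash_password("Xq7#mLp2")]
    for candidate in ("Xq7#mLp2", "Aloha2013!", "Probbins1985-03-12x", "password"):
        print(candidate, "->", check_password(candidate, "probbins", role="admin",
                                              personal=("1985-03-12",), history=history) or "OK")
```

Enforcing complexity at the point of change is the only place these rules can be applied; they say nothing about the lockout settings on the slide, which belong in the account policy of the directory or PAM stack rather than in the password checker.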
OS Vulnerabilities: System Hardening
- Patch all known vulnerabilities (automatic updates vs. patch testing).
- Remove unwanted services.
- Enforce password complexity & policies.
- Remove unused user accounts.
- Configure and manage user privileges.
- Implement an antivirus solution.
- Enable logging / monitoring tools.
- Close unused open network ports: FTP (20, 21), Telnet (23), DNS (53), TFTP (69), NNTP (119), RPC endpoint mapper (135), NetBIOS (137, 138, 139), SNMP (161, 162), SMB (445), RDP (3389).

OS Vulnerabilities: *nix

Class Discussion
Why do you think people believe Windows is more vulnerable than *nix OSs? Because a majority of people use Windows, most attackers focus on compromising that OS.
Why do you think only 1% of all desktop users use Linux? Even if Grandma knew about the alternative, (i) would she even prefer it, and (ii) is she capable?

OS Vulnerabilities: *nix, Samba
- Free software.
- *nix servers can share resources with Windows clients, and vice versa.
- Implements SMB/CIFS so that *nix resources appear to Windows clients as ordinary Windows resources.
- Search NVD for *nix vulnerabilities related to Samba.

Embedded OS Vulnerabilities
What are embedded systems? Any computer system that isn't a general-purpose PC.
What are embedded operating systems? Embedded systems that include their own operating system, including stripped-down versions of commonly used OSs.
What are some examples of embedded systems that contain embedded OSs?

Things to keep in mind:
- Don't underestimate the security risks associated with embedded systems simply because they're small, perform simple tasks, or because of the belief that no one would bother attacking them.
- Embedded OSs are networked and are everywhere (think about critical infrastructure & SCADA).
- Many of the vulnerabilities seen in common OSs carry over directly.
- Coding the OS and patching can be difficult due to memory constraints. How do you patch a PIC16F877?

Embedded OS Vulnerabilities: W32.Stuxnet
- Considered the first cyber weapon.
- Affected Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) within Iran's nuclear enrichment facilities.

Embedded OS Vulnerabilities: Android
(Two Android screenshot slides; not captured in the transcript.)

Class Discussion
What are some of the vulnerabilities associated with embedded devices like smart phones? What are the risks?
(Two further Embedded OS Vulnerabilities screenshot slides; not captured in the transcript.)

Class Tools: vulnerable targets
Unleash hell! Practice researching and identifying vulnerabilities within our isolated test environment.
- user: root, password: toor
- xxx
- user: Administrator, password: password

Class Tools: connecting to the VPN using BackTrack 5 R3
1. Install the Network Manager applet: apt-get install network-manager-gnome
2. cp /etc/network/interfaces{,.backup}
3. echo "auto lo" > /etc/network/interfaces
4. echo "iface lo inet loopback" >> /etc/network/interfaces
5. service network-manager start
6. nm-applet &
(Screenshots: installing Network Manager Applet 0.8 (steps 1 and 2); creating the VPN connection to UHWO (steps 3 and 4), using your assigned accounts; fixing the WICD error.)

Review Questions

Question #1: MBSA performs which of the following security checks?
a. Security update checks.
b. IIS checks.
c. System time checks.
d. Computer logon checks.

Question #2: Which ports should be filtered out to protect a network from SMB attacks?
a. 134 to 138 and 445.
b. 135, 139, and 443.
c. 137 to 139 and 445.
d. 53 and 445.

Question #3: Applications written in which programming language(s) are especially vulnerable to buffer overflow attacks?
a. C
b. Perl
c. C++
d. Java

Question #4: Which of the following is the most efficient way to determine which OS a company is using?
a. Run Nmap or other port-scanning programs.
b. Use the whois database.
c. Install a sniffer on the company's network segment.
d. Call the company and ask.

Question #5: Which program can detect rootkits on *nix systems?
a. chkrootkit
b. rktdetect
c. SELinux
d. Ionx

Question #6: Which of the following doesn't use an embedded OS?
a. An ATM
b. A workstation running Windows Vista Business
c. A NAS device running Windows Server 2008 R2
d. A slot machine

Question #7: Which of the following is a major challenge of securing embedded OSs?
a. Training users
b. Configuration
c. Patching
d. Backup and recovery

Question #8: SCADA systems are used for which of the following?
a. Monitoring embedded OSs
b. Monitoring ATM access codes
c. Monitoring equipment in large-scale industries
d. Protecting embedded OSs from remote attacks

Question #9 (last one): Cell phone vulnerabilities make it possible for attackers to do which of the following? (Choose all that apply.)
a. Use your phone as a microphone to eavesdrop on meetings.
b. Install a BIOS-based rootkit.
c. Clone your phone to make illegal long-distance phone calls.
d. Listen to your phone conversations.

Quiz #1: multiple choice, closed book, closed notes.

Questions?
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/ISA330/