week 10 - wednesday. what did we talk about last time? network basics
TRANSCRIPT
Eavesdropping and wiretapping Eavesdropping means overhearing private
information without much effort Administrators need to periodically monitor
network traffic Wiretapping implies that more effort is
being used to overhear information Passive wiretapping is only listening to
information Active wiretapping means that you may
adding or changing information in the stream
Cable wiretapping
If you are on the same LAN, you can use a packet sniffer to analyze packets Packets are constantly streaming by, and your computer usually only
picks up those destined for it Passwords are often sent in the clear Wireshark is a free, popular packet sniffer
Cable modems are filters that give you only the data you need Sophisticated attackers can tap into a cable network Data is supposed to be encrypted, but many networks don’t turn
encryption on Inductance is a property that can allow you to measure the
signals inside of a wire without a direct physical connection Using inductance or physically connecting to a wire changes its
impedance, which can (but usually is not) measured Signals are often multiplexed, sharing media with other
signals, which can increase the sophistication needed to wiretap
Wireless eavesdropping
Wireless networks are easy to disrupt, but attackers usually have little to gain by this
Since they are broadcast, it is not difficult to intercept the signal Special antennas can receive the signal from a
longer distance than usual Some networks are entirely unencrypted WEP is almost completely broken WPA and WPA2 have vulnerabilities that
can be exploited in some cases
Other media
Microwave is easy to intercept Long distance phone can use microwaves Cell phones can use microwaves
One difficulty with making use of the intercepted signal is that microwave signals are heavily multiplexed, making it hard to untangle individual signals
Satellites are similar (unsecure but heavily multiplexed)
Optical fiber is very difficult to tap Cutting a single fiber means recalibrating the network Repeaters and taps that connect the fiber are the best
places to attack
Impersonation
Rather than wiretapping, attackers will more often try to impersonate a legitimate user
Different approaches: Guess the identity and authentication
information Use other communications or
wiretapping to gain such information Circumvent the authentication
mechanism Use a target that will not be
authenticated Use a target with known authentication
data
Authentication issues
Passwords are often easy to guess Because we’re bad at picking passwords Because the user may not have realized that the machine
would be exposed to network attacks Passwords are sent in the clear Bad hashes can give information about the password Sometimes buffer overflows can crash the
authentication system Sometimes authentication is not needed
.rhosts and .rlogin files in Unix Guest accounts
Default passwords on routers and other devices that never get changed
Authentication attacks
Spoofing is when an attacker carries out one end of a networked exchange
A masquerade is spoofing where a host pretends to be another host URL confusion: someone types hotmale.com (don’t go
there!) or gogle.com Phishing is a form of masquerading Session hijacking (or sidejacking) is carrying on
a session started by someone else Login is encrypted, the rest of the data often isn’t Firesheep allows you to log on to other people’s Facebook
and Twitter accounts in, say, the same coffeeshop Man-in-the-middle attacks
Confidentiality threats
Misdelivery Data can have bad addresses, occasionally because of
computer error Human error (e.g. James Hughes (student) instead of
James Hughes (professor)) is more common) Exposure of data can happen because of
wiretapping or unsecure systems anywhere along the network
Traffic flow analysis Data might be encrypted Even so, it is very hard to hide where the data is going
to and where it is coming from Tor and other anonymization networks try to fix this
Integrity threats
Attackers can falsify some or all of a message, using attacks we’ve talked about Parts of messages can be combined Messages can be redirected or deleted Old messages can also be replayed
Noise can degrade the signals All modern network protocols have error
correction built in Malformed packets can crash systems Protocols often have vulnerabilities
Web site vulnerabilities
Web sites are supposed to be up all the time They can be studied and attacked over a long period of time
Known vulnerabilities in web servers allow hackers (even unsophisticated ones) to gain control of web sites and deface them
Buffer overflows can crash web applications URL and SQL injection attacks
If web applications are poorly written, they may blindly execute whatever is passed into the URL
Could point to ../../../sensitive.dat, gaining access to files in other directories
Could give SQL to destroy or publicize the contents of the database Server-side includes can tell the server to do specific
things, but they can be manipulated by attackers who cleverly edit the HTTP requests
Denial of service
Networks are one of the best places to launch an attack on availability
In this setting, these are usually called denial of service (DoS) attacks
Transmission failure can happen because a line is cut or because there is too much noise
Flooding is a common technique Ask for too many connections Request too many of some other service
Three way handshake
TCP is built on a three-way handshake Client requests a connection by sending a SYN packet The server acknowledges the request by sending a SYN-ACK packet back The client responds with an ACK, establishing the connection
An attacker can just keep sending SYN packets The server will allocate some resources, wait for the ACK, and
never get it A clever attacker will spoof at least his own IP so that the SYN-ACK
is sent elsewhere A more sophisticated attacker will spoof many different IP
addresses (or have many bots in a botnet) sending all these SYN's
Denial of service attacks
Echo-chargen Chargen sets up a stream of packets for testing Echo packets are supposed to be sent back to the sender If you can trick a server into sending echo packets to itself, it will respond
to its own packets forever Ping of death
A ping packet requests a reply If you can send more pings than a server can handle, it goes down Only works if the attacker has more bandwidth than the victim (DDoS
helps) Smurf
A ping packet is broadcast to everyone, with the victim spoofed as the originator
All the hosts try to ping the victim The real attacker is hidden
Teardrop A teardrop attack uses badly formed IP datagrams They claim to correspond to overlapping sequences of bytes in a packet There’s no way to put them back together and the system can crash
Distributed denial of service Distributed denial of
service (DDoS) attacks use many machines to perform a DoS attack
Usually, many targets have been compromised with a Trojan horse making them zombies
These zombie machines are controlled by the attacker, performing flooding or other attacks on a victim
The attacker is hard to trace
DNS attacks
The Domain Name System (DNS) uses Domain Name Servers (also DNS) to convert user readable URLs like google.com to IP addresses
Taking control of a server means that you get to say where google.com is
For efficiency, servers cache results from other servers if they didn’t know the IP DNS cache poisoning is when an attacker
gives a good server a bad IP address
Active and mobile code threats Cookies
Small files saved by your browser on your disk Can be per-session or persistent Intercepted cookies can allow impersonation
Server side scripting Includes ASP, JSP, and PHP Again, poorly sanitized inputs can cause arbitrary code to be
executed on the server Active code
Java applets are run in a sandbox, preventing them from accessing most of your system▪ Some JVM implementations had weaknesses allowing them out
ActiveX is Microsoft’s system for running code in a browser▪ It has far too much power and can do anything to your system▪ Usually, you have to click a button to allow the ActiveX control to run
Summary of vulnerabilitiesTarget Vulnerability Target Vulnerability
Precursors to attack
• Port scan• Social engineering• Reconnaissance• OS and application
fingerprinting
Confidentiality
• Protocol flaw• Eavesdropping• Passive wiretap• Misdelivery• Exposure• Traffic flow analysis
Authentication failures
• Impersonation• Guessing• Eavesdropping• Spoofing• Session hijacking• Man in the middle
attack
Integrity
• Protocol flaw• Active wiretap• Impersonation• Falsification• Noise• Web site defacement• DNS attack
Programming flaws
• Buffer overflow• Addressing errors• Server-side include• Malicious Java or
ActiveX• Worms, viruses, Trojan
horses
Availability
• Protocol flaw• Transmission failure• Flooding• DNS attack• Traffic redirection• DDoS
Architecture
Good network architecture can make security better
Segmentation means separating the network into different parts Web server Database server Application servers
Redundancy is important Multiple servers that check if each other have
gone down Avoid single points of failure
Encryption
Encryption is important for network security
Link encryption encrypts data just before going through the physical communication layer Each link between two hosts could have
different encryption Message are in plaintext within each host Link encryption is fast and transparent
End-to-end encryption provides security from one end of the transmission to the other Slower Responsibility of the user Better security for the message in transit
Virtual private networks
Encryption that allows people in a public network to communicate securely with a private network creates a virtual private network (VPN)
A user’s system negotiates a key with a firewall that guards a private network Communication takes place in a tunnel
Public key infrastructure
As we discussed before, the big problem with public keys is making sure you get the right one
Public key infrastructure (PKI) is the solution to this problem
A PKI sets up certificate authorities who certify that keys belong to who they’re supposed to
Their jobs include: Managing public key certificates Issuing certificates that connect a user to a key Scheduling certificate expiration Publishing certificate revocation lists
Secure protocols
SSH (secure shell) is a protocol for encrypted communication between computers Designed for Unix/Linux, but available on Windows Telnet, rlogin, and rsh should be replaced by SSH Negotiates symmetric key encryption usually using
public key encryption, similar to Project 2 SSL (secure sockets layer) or TLS
(transport layer security) creates a secure session (golden lock) between a web browser and a web server
IPSec
IPSec (IP Security Protocol Suite) is a group of protocols designed to provide security for general IP communication
There is an Authentication Header (AH) mode that provides authentication and integrity by supplying a cryptographic hash of the message and its addresses
There is an Encapsulated Security Payload (ESP) mode that can provide encryption, authentication, or both
In transport mode, IPSec encrypts only the payload of the packet
In tunnel mode, IPSec encrypts the entire packet and puts it inside of another packet, hiding its final destination inside of a private network
Content integrity
Encryption helps protect integrity from malicious attackers
Error correcting codes (like parity checks) can help prevent non-malicious problems with integrity
Cryptographic checksums (AKA cryptographic hash digests) protect from both malicious and non-malicious threats to integrity
Strong authentication
Who are you talking to? Passwords can be stolen
One-time passwords prevent the problem of stolen passwords RSA SecurIDs and other password tokens
generate one-time passwords Challenge-response systems serve
a similar role Kerberos is a system designed at MIT
Users interact with an authentication server who authenticates them
They get a ticket to access a file from a ticket granting server
The ticket lets you use a file Everything is time-stamped
Access controls on routers Routers want to block packet floods from
affecting the servers behind the router We can have ACLs that list all the legal (or
all the illegal) hosts that can send (or are not allowed to send) packets into the network
But, checking packets against ACLs slows down the system, making the router easier to flood
Since it is possible to forge source addresses, the ACLs might not correctly block the packets
Wireless security
A wireless access point has a Service Set Identifier (SSID) SSIDs are usually broadcast, weakening security
Even non-broadcast SSIDs can be discovered whenever someone connects to them
Wired Equivalent Privacy (WEP) was the old standard for encryption Tools like WEPCrack and AirSnort can break WEP in minutes
because of flaws in the RC4 encryption algorithm WiFi Protected Access (WPA) and later WPA2 have
better security Encryption keys change for each packet Several authentication mechanisms are allowed WPA2 can use AES There are still flaws in some implementations, as discussed by
Mark Yorgey
Firewalls
A firewall filters traffic between an inside network and an outside network The inside is more trusted and needs to be
protected from the outside Kinds of firewalls:
Packet filtering gateway or screening routers Stateful inspection firewalls Application proxies Guards Personal firewalls
Packet filtering gateway
Packet filtering gateways are simple They only allow certain packets to get by
Based on source or destination address Based on protocol (HTTP on port 80, for example)
A packet filter can be used in combination with other firewalls The packet filter can remove a lot of traffic so that a more
complex firewall has to worry about checking fewer packets Packet filters ignore the data inside the packets
They only use the addresses and port numbers
Stateful inspection firewall
A stateful inspection firewall keeps track of data inside of packets
For example, if a host inside the firewall initiates a TCP connection with a host outside, a stateful inspection firewall can remember this and let only that particular outside host’s packets in
Application proxies and guards An application proxy gateway (or bastion host)
appears to function like a host running a particular application
The outside world sends date to the application proxy’s IP address
The application proxy changes the addresses and forwards the data on to the real server
Only appropriate requests and responses are allowed through
All accesses can also be logged A guard is really the same thing, just with more
functionality For example, a guard might reassemble a file and run it
trhough a virus scanner
Personal firewalls
A personal firewall is software that runs on a workstation
These firewalls can give additional protection
The user and OS can have very fine grained control over what kind of connections can be made and what kind of applications can send and receive data
Next time…
Finish firewalls Intrusion detection Secure e-mail Review for Exam 2 Andrew Sandridge presents