Post on 11-Jan-2016
Hans Hedbom
Attacks on Computer Systems
Attacks
Non-technical attacks
  Example: social engineering, phishing
  Cause: low user awareness or missing policies/routines
Technical attacks
  Example: see following slides
  Cause: transitive trust; bugs and configuration errors in applications and the OS; vulnerabilities in protocols and network infrastructure
Threats to confidentiality
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
NETWORK ATTACKS
SYN attacks
The attacker sends a large number of SYN packets to the server. This fills up the SYN buffer (the backlog of half-open connections), so the server is unable to accept more connections: denial of service.
TCP event diagram: the client sends SYN, the server answers SYN,ACK, the client completes the handshake with ACK; a half-open entry that never receives the final ACK is kept until a timeout of about 4 minutes.
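The following is an added example, not part of the slides: a small detector that tracks half-open TCP connections from flag events (time, source, source port, flags), expires entries after the timeout the slide mentions, and reports sources that keep an unusual number of half-open entries alive. The event format, the 240-second timeout value and the threshold are assumptions made for the demo.

```python
"""Half-open (SYN) connection tracker over constructed TCP flag events.

Added example, not from the slides. Each event is (time, src, sport, flags).
A server-side entry is half-open from the SYN until the client's final ACK;
entries older than the timeout are dropped, and a source holding many
half-open entries at once is reported as a SYN-flood candidate.
"""
from collections import defaultdict

SYN_TIMEOUT = 240.0  # seconds: the slide's "~4 min" (assumed exact value)


def track_half_open(events, now, timeout=SYN_TIMEOUT):
    """Return {src: number of half-open entries still alive at time `now`}."""
    pending = {}  # (src, sport) -> time the SYN arrived
    for t, src, sport, flags in events:
        key = (src, sport)
        if flags == "SYN":
            pending[key] = t
        elif flags == "ACK" and key in pending:
            del pending[key]  # handshake completed: no longer half-open
    counts = defaultdict(int)
    for (src, _), t in pending.items():
        if now - t < timeout:  # entries past the timeout were freed by the stack
            counts[src] += 1
    return dict(counts)


def flag_syn_flood(events, now, threshold=100):
    """Sources whose half-open count reaches the threshold (assumed policy)."""
    counts = track_half_open(events, now)
    return sorted(src for src, n in counts.items() if n >= threshold)


def sample_events():
    """Constructed events: one normal client that completes its handshake,
    one source that only ever sends SYNs, and one SYN old enough to have
    timed out. Addresses are documentation ranges, not real hosts."""
    events = [(0.0, "198.51.100.4", 40000, "SYN"),
              (0.1, "198.51.100.4", 40000, "ACK")]
    events += [(10.0 + i * 0.01, "203.0.113.9", 1024 + i, "SYN")
               for i in range(200)]
    events.append((-600.0, "192.0.2.77", 5000, "SYN"))
    return events


if __name__ == "__main__":
    print(track_half_open(sample_events(), now=20.0))
    print(flag_syn_flood(sample_events(), now=20.0))
```

The point of the timeout check is the one the slide makes: what exhausts the server is not the packet rate by itself but the number of backlog entries alive at the same moment, which is why SYN cookies (not modelled here) help by not allocating backlog state until the handshake completes.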
IP fragmentation attack
Intentional fragmentation of IP packets may confuse routers, firewalls and servers.
Diagram: the original IP packet (header + data) is fragmented into fragment 1 (offset 0) and fragment 2 (each with its own header); when a fragment's offset (16) lies before the end of the previous fragment (20), the reassembled packet has overlapping data ("Overlap!").
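As an added example (not from the slides), the strict reassembly check below treats the situation in the diagram as an error instead of silently picking one of the two overlapping copies: fragments are given as (offset, data) in bytes, and any overlap or gap is reported. Byte offsets are used for readability; the real IP header counts the fragment offset in 8-byte units.

```python
"""Strict IP fragment reassembly (added example, not the slides' code).

Fragments are (offset, data) pairs with offsets in bytes (assumption: the
real header field counts 8-byte units). A reassembler that accepts
overlapping fragments must choose which copy wins, and different systems
choose differently, which is exactly what lets the attack confuse a
firewall and the host behind it. This one refuses ambiguous input.
"""


def find_overlaps(fragments):
    """Return the pairs of (offset, length) entries that overlap each other."""
    frags = sorted(fragments)
    overlaps = []
    for i, (off_a, len_a) in enumerate(frags):
        end_a = off_a + len_a
        for off_b, len_b in frags[i + 1:]:
            if off_b < end_a:
                overlaps.append(((off_a, len_a), (off_b, len_b)))
            else:
                break  # sorted by offset: later fragments start further right
    return overlaps


def reassemble(fragments):
    """Return (error, payload): payload is the joined bytes when fragments
    tile the packet exactly, otherwise error names the overlap or gap."""
    frags = sorted(fragments, key=lambda f: f[0])
    expected = 0
    out = bytearray()
    for off, data in frags:
        if off < expected:
            return f"overlap at offset {off}: previous fragment ends at {expected}", None
        if off > expected:
            return f"gap between offset {expected} and {off}", None
        out += data
        expected += len(data)
    return None, bytes(out)


# Constructed inputs mirroring the slide: fragment 1 covers bytes 0-19,
# fragment 2 claims offset 16 (overlapping) or offset 20 (clean).
OVERLAPPING = [(0, b"A" * 20), (16, b"B" * 12)]
CLEAN = [(0, b"A" * 20), (20, b"B" * 12)]

if __name__ == "__main__":
    print(find_overlaps([(off, len(d)) for off, d in OVERLAPPING]))
    print(reassemble(OVERLAPPING))
    print(reassemble(CLEAN))
```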
Sniffer attacks
Eavesdropping on a network segment.
Diagram: a Telnet client talks to a Telnet server across an IP network; an attacker on the same segment reads the Telnet traffic, including the password, which is sent in the clear.
Passwords over the net
Protocols that send passwords in the clear: Telnet, FTP, rlogin, rexec, POP, SNMP, NFS, SMB, HTTP.
IP spoofing
Counterfeiting of IP sender addresses when using UDP and TCP.
Diagram: an NFS client and an NFS server on an IP network; the attacker sends an NFS request carrying the client's address and the NFS response is returned to that address, while a SYN attack against the real client is shown alongside.
Session Hijacking
Attacker hijacks a session between a client and a serverit could for example be an administrator using telnet for remote
login
10
Telnet client
Telnet serverIP Network
Attacker
Telnet traffic
SYN-attack IP-Spoofing
DNS cache poisoning
DNS (Domain Name Service) is primarily used to translate names into IP addresses, e.g. "www.sunet.se" to "192.36.125.18".
The attack is data injection into the DNS server's cache; cross-checking an address might help.
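The slide stops at "data injection"; the added example below (not from the slides) shows the checks a resolver cache applies before it believes an answer, which is what an injected response has to get past: the response must carry the transaction id of an outstanding query, its question must match, and records outside the zone the query was sent to are discarded rather than cached. The class, method names and the toy zone model are assumptions for the demo; real resolvers also randomise the source port and, with DNSSEC, verify signatures.

```python
"""Toy resolver cache with anti-poisoning checks (added example, not the
slides' code). Only responses matching an outstanding query's transaction
id and question are accepted, and only in-bailiwick records are cached."""
import random


def in_bailiwick(name, zone):
    """True if `name` is the zone apex or lies below the zone."""
    return name == zone or name.endswith("." + zone)


class DnsCache:
    def __init__(self):
        self.pending = {}   # txid -> (qname, zone the query was sent for)
        self.cache = {}     # name -> address
        self.rejected = []  # (reason, detail) for later investigation

    def send_query(self, qname, zone):
        """Register an outstanding query and return its random 16-bit txid."""
        txid = random.randrange(1 << 16)
        while txid in self.pending:
            txid = random.randrange(1 << 16)
        self.pending[txid] = (qname, zone)
        return txid

    def accept_response(self, txid, qname, answers):
        """Apply the checks to a response; answers is a list of (name, addr).
        Returns True if the response matched a pending query (its usable
        records are then cached), False if it was rejected outright."""
        if txid not in self.pending:
            self.rejected.append(("unknown txid", txid))
            return False
        expected_name, zone = self.pending[txid]
        if qname != expected_name:
            self.rejected.append(("question mismatch", qname))
            return False
        del self.pending[txid]
        for name, addr in answers:
            if in_bailiwick(name, zone):
                self.cache[name] = addr
            else:
                # A record for some other zone riding along in this response
                # is exactly how a poisoned entry would arrive; drop it.
                self.rejected.append(("out of bailiwick", name))
        return True


def demo():
    """Constructed exchange: one legitimate answer for www.sunet.se plus a
    stray record for another zone, and one response with a wrong txid."""
    cache = DnsCache()
    txid = cache.send_query("www.sunet.se", "sunet.se")
    guessed = cache.accept_response(txid ^ 1, "www.sunet.se",
                                    [("www.sunet.se", "203.0.113.1")])
    real = cache.accept_response(txid, "www.sunet.se",
                                 [("www.sunet.se", "192.36.125.18"),
                                  ("www.example.com", "203.0.113.5")])
    return guessed, real, dict(cache.cache), list(cache.rejected)


if __name__ == "__main__":
    print(demo())
```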
OS (SOFTWARE) ATTACKS
Race condition attacks
Exploits software that performs operations in an improper sequence, e.g. psrace (Solaris 2.x).
Diagram: the application (/usr/bin/ps) creates the file /tmp/ps_data, stores data in it, uses the data, sets SUID and removes the file; if the attacker creates a link from /tmp/ps_data to /tmp/sh between these steps, the SUID bit ends up on /tmp/sh.
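The added example below (not the slides' code, and not the Solaris ps itself) shows the defensive side of the psrace sequence: the temporary file is created with O_CREAT|O_EXCL so that a pre-planted name, such as the attacker's link to /tmp/sh, makes the open fail instead of being followed, and the opened descriptor is checked with fstat before any data or mode change goes through it. The file names and the demo directory are assumptions; the checks use only POSIX behaviour.

```python
"""Race-resistant temporary file creation (added example, not the slides'
code). The creation is atomic (O_CREAT|O_EXCL, plus O_NOFOLLOW where the
platform has it), and every later step uses the open descriptor, not the
path, so a link swapped in under the name cannot redirect the operations."""
import os
import stat
import tempfile


def open_private_tmpfile(path):
    """Return (status, fd). status is "ok" with an open fd, "exists" when the
    name was already taken (a file or a planted link), or "not a regular
    private file" when the opened object fails the fstat checks."""
    flags = (os.O_WRONLY | os.O_CREAT | os.O_EXCL
             | getattr(os, "O_NOFOLLOW", 0))
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return "exists", None          # O_EXCL: name already present
    except OSError:
        return "exists", None          # e.g. ELOOP from O_NOFOLLOW on a link
    st = os.fstat(fd)                  # inspect what we actually opened
    owner_ok = not hasattr(os, "getuid") or st.st_uid == os.getuid()
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or not owner_ok:
        os.close(fd)
        os.unlink(path)
        return "not a regular private file", None
    return "ok", fd


def demo(tmpdir):
    """Constructed scenario: the attacker has already planted a link named
    ps_data pointing at sh, then the program tries to create ps_data."""
    planted = os.path.join(tmpdir, "ps_data")
    os.symlink(os.path.join(tmpdir, "sh"), planted)  # attacker's link
    first, fd = open_private_tmpfile(planted)        # must not follow it
    os.unlink(planted)                               # link gone: clean retry
    second, fd = open_private_tmpfile(planted)
    if fd is not None:
        os.write(fd, b"data")          # "store data" through the descriptor
        os.fchmod(fd, 0o600)           # any mode change also via the fd
        os.close(fd)
        os.unlink(planted)
    return first, second


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```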
Buffer overflows
Buffer overflows account for 50 % of the security bugs (Viega and McGraw).
Data is stored in allocated memory called a buffer. If more data needs to be stored than the buffer holds, the additional bytes have to go somewhere: the buffer overflows and data is written past its bounds.
WEB ATTACKS
Browser vulnerabilities
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Window of exposure
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Phishing
Phishing only works with predictable or time-invariant values. The attacker tricks the user into accessing a forged web page.
Diagram (user, forged web page, real server behind SSL/TLS): 1. username; 2. the forged page asks for login credentials; 3. the user gives the login credentials; 4. OK, or deny (error code).
Phishing
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Phishing
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Pharming
Diagram (user, forged web page, real server): a challenge-response login relayed through the forged page. 1-2. The username is sent to the forged page and forwarded to the real server; 3-5. the server's challenge is relayed back to the user; 6-8. the user's response is relayed to the server; 9. OK, or deny.
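The two diagrams make one point: a captured static password can be replayed, a captured challenge-response pair cannot, but a forged page that relays the live challenge still gets in. The added example below (not the slides' code) models all three cases against a toy HMAC challenge-response server; the class, the function names and the secrets are assumptions for the demo.

```python
"""Static password vs. challenge-response under phishing and pharming
(added example, not the slides' code). A toy server offers both a static
login and an HMAC-based challenge-response login; the three scenarios
replay what the diagrams show."""
import hashlib
import hmac
import os


class Server:
    def __init__(self, users):
        self.users = users        # username -> shared secret (bytes)
        self.challenges = {}      # username -> outstanding nonce

    def login_static(self, user, password):
        """Time-invariant credential: the same bytes work every time."""
        return "Ok" if self.users.get(user) == password else "Deny"

    def challenge(self, user):
        nonce = os.urandom(16)
        self.challenges[user] = nonce
        return nonce

    def login_cr(self, user, response):
        """Accept only a response to the currently outstanding challenge."""
        nonce = self.challenges.pop(user, None)
        if nonce is None or user not in self.users:
            return "Deny"
        expected = hmac.new(self.users[user], nonce, hashlib.sha256).digest()
        return "Ok" if hmac.compare_digest(expected, response) else "Deny"


def respond(secret, nonce):
    """What the user's client (or token) computes for a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def phishing_static(server, user, secret):
    """Forged page captures the password the user typed and replays it."""
    captured = secret
    return server.login_static(user, captured)


def phishing_cr(server, user, secret):
    """Forged page captures one challenge/response pair; replaying it
    later fails because the server has issued a fresh challenge."""
    captured = respond(secret, server.challenge(user))
    server.login_cr(user, captured)   # the user's own login succeeds
    server.challenge(user)            # later: attacker starts a new login
    return server.login_cr(user, captured)


def pharming_cr(server, user, secret):
    """Forged page relays the live challenge to the user and the response
    back to the server (the pharming diagram): the response is fresh."""
    nonce = server.challenge(user)        # steps 2-3: username forwarded, challenge back
    response = respond(secret, nonce)     # steps 4-7: user answers the relayed challenge
    return server.login_cr(user, response)  # steps 8-9


def demo():
    """Constructed user and secret; returns the outcome of each scenario."""
    secret = b"constructed-shared-secret"
    server = Server({"alice": secret})
    return (phishing_static(server, "alice", secret),
            phishing_cr(server, "alice", secret),
            pharming_cr(server, "alice", secret))


if __name__ == "__main__":
    print(demo())
```

The relay case passes because nothing in the response ties it to the server the user believes it is talking to; binding the response to the authenticated TLS channel or to the server's identity is the standard way to close that gap, which goes beyond what the slides cover.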
XSS
(Slide content was an embedded Flash file, xss_selling_platform_v2.0.swf, not reproduced in the transcript.)
What is SQL injection?
$name = $HTTP_POST_VARS["name"];
$passwd = $HTTP_POST_VARS["passwd"];
// untrusted POST values are concatenated straight into the SQL text
$query = "select name from users where name = '".$name."' and passwd = '".$passwd."'";
$result = mysql_query($query);
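The PHP on the slide builds the query by string concatenation, so the quote characters in the submitted values become part of the SQL. The added example below (not the slides' code) reproduces that login query against an in-memory SQLite table and places the parameterised form next to it, so the difference can be run rather than argued; the table contents and the function names are constructed for the demo.

```python
"""Concatenated vs. parameterised login query (added example, not the
slides' code). Same query text as the slide's PHP, run against SQLite."""
import sqlite3


def make_db():
    """Constructed users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, passwd text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    return conn


def login_concat(conn, name, passwd):
    """The slide's construction: values spliced into the SQL text, so a
    quote in the input changes the structure of the statement."""
    query = ("select name from users where name = '" + name
             + "' and passwd = '" + passwd + "'")
    return [row[0] for row in conn.execute(query)]


def login_param(conn, name, passwd):
    """Parameterised form: the values are bound by the driver and can only
    ever be compared, never parsed as SQL."""
    query = "select name from users where name = ? and passwd = ?"
    return [row[0] for row in conn.execute(query, (name, passwd))]


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", "s3cret"))        # ['alice']
    print(login_concat(db, "alice", "' or '1'='1"))   # ['alice'] without the password
    print(login_param(db, "alice", "' or '1'='1"))    # []
```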
BOT-NETS
Bot-nets
A bot-net is a large collection of compromised computers under the control of a command and control server. A bot-net consists of bots (the malicious program), drones (the hijacked computers) and one or more C&C servers. A bot is usually a combination of a worm and a backdoor. IRC and HTTP are the primary communication protocols in today's bot-nets. Bots are usually self-spreading and modular.
Uses of bot-nets
Bot-nets could be used for the following:
Click fraud: making drones click on specific advertisements on the web.
DDoS: for financial gain or blackmail.
Keylogging: for financial gain and identity theft.
Warez: collecting, spreading and storing.
Spam: for financial gain.
And of course as a private communication network.
Detecting and preventing bot-nets
Detection is all about finding the C&C server. Look for suspicious traffic patterns in firewall logs and other logs. Take note of servers with a high number of incoming connections. Monitor the suspected C&C and inform the owner and the authorities when you are sure that it is a bot-net controller.
Prevention: all the usual rules apply: patch and protect. Do egress filtering in firewalls as well as ingress. This will stop infections from spreading and could block outgoing traffic from drones within the intranet.
Problems: some bot-nets are encrypted. Tracking the C&C to the real bot-net owner can be hard.
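The detection and prevention advice above can be run over firewall logs. The added example below (not the slides' code) parses a constructed connection-log format, reports destinations that many distinct internal hosts connect to (the "high number of incoming connections" sign of a C&C server) and lists the outbound flows an egress policy would have blocked. The log format, the internal address range and the allowed egress ports are assumptions for the demo.

```python
"""Firewall-log checks for bot-net activity (added example, not the
slides' code): fan-in to candidate C&C hosts and egress-policy violations.
Log format (constructed): "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed intranet range
ALLOWED_EGRESS_PORTS = {53, 80, 443}            # assumed egress policy

# Constructed log lines: three internal hosts holding connections to one
# external host on the IRC port, and one ordinary HTTPS connection.
SAMPLE_LOG = """\
2010-04-01T10:00:00 ACCEPT tcp 10.0.0.5:51000 -> 198.51.100.7:6667
2010-04-01T10:00:03 ACCEPT tcp 10.0.0.6:51344 -> 198.51.100.7:6667
2010-04-01T10:00:09 ACCEPT tcp 10.0.0.7:49152 -> 198.51.100.7:6667
2010-04-01T10:00:12 ACCEPT tcp 10.0.0.5:51001 -> 198.51.100.7:6667
2010-04-01T10:01:00 ACCEPT tcp 10.0.0.8:40000 -> 93.184.216.34:443
""".splitlines()


def parse(line):
    """Split one log line into a record with typed addresses and ports."""
    time, action, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"time": time, "action": action, "proto": proto,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}


def fan_in(lines, threshold=3):
    """Destinations contacted by at least `threshold` distinct sources:
    the servers with many incoming connections that the slide says to
    take note of. Returns them with their source counts."""
    sources = defaultdict(set)
    for rec in map(parse, lines):
        sources[rec["dst"]].add(rec["src"])
    return sorted((str(dst), len(srcs)) for dst, srcs in sources.items()
                  if len(srcs) >= threshold)


def egress_violations(lines):
    """Outbound flows from internal hosts on ports the egress policy does
    not allow: traffic that egress filtering would have blocked and that
    identifies drones worth inspecting."""
    found = set()
    for rec in map(parse, lines):
        if (rec["src"] in INTERNAL and rec["dst"] not in INTERNAL
                and rec["dport"] not in ALLOWED_EGRESS_PORTS):
            found.add((str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return sorted(found)


if __name__ == "__main__":
    print(fan_in(SAMPLE_LOG))
    print(egress_violations(SAMPLE_LOG))
```

A single threshold like this only surfaces candidates; the slide's next step, watching the suspected server before reporting it, is what turns a fan-in count into evidence, and encrypted C&C channels (the slide's "problems") keep the traffic pattern visible even when the content is not.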
Bot activity
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010