April 23, 2003 Liudvikas Bukys 1
Four Security Incidents at the University of Rochester
And What You Can Learn From Them
Outline
• Three notorious incidents
  – Cuckoo’s Egg (1988)
    • A brief visit from the Chaos Computer Club.
  – Morris Worm (November 1988)
    • The messy fate we had in common with many other sites; about which I testified at the trial in Syracuse.
  – Takedown (January 1995)
    • Amidst the compromise of San Diego computers and the well-publicized tracking down of fugitive Kevin Mitnick, our site is cracked with the same tools and some licensed software is stolen.
• One unresolved case
  – A persistent attacker (December 2001 – October 2002)
    • Someone with a grudge keeps trying to do damage (and sometimes succeeds).
Cuckoo’s Egg – Events
• Symptom:
  – A call from Cliff Stoll, and a referral to the FBI
  – Intruder had been observed visiting one system and exploring
• Vulnerabilities exploited:
  – Guest account set up for vendor (BBN), which stored the password information in cleartext on one of their (compromised) systems
Cuckoo’s Egg – Lessons
• Lessons:
  – You can’t control reusable passwords
• Today:
  – Reusable passwords are still used (and stored) by many applications
  – Cliff Stoll is among the most careful and meticulous writers around, but he still got some details wrong. Take the press with a grain of salt.
Cuckoo’s Egg – Fixes
• Technical Solutions:
  – n-factor authentication
  – One-time passwords
  – Secure password storage (tokens)
  – Biometrics
  – Certificates
  – Application-opaque authentications (e.g. Kerberos tickets)
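As an added example (not from the slides), here is the "one-time passwords" item from the list above, implemented as an S/KEY-style hash chain, in the spirit of RFC 1760. It shows the point of the Cuckoo's Egg lesson: a password captured in cleartext, as the vendor guest account's was, is worthless once it has been used. The choice of SHA-256 truncated to 8 bytes and the enroll/otp/verify API are this example's assumptions, not S/KEY's MD4 wire format.

```python
"""S/KEY-style one-time passwords from a Lamport hash chain.

Added example, not from the original slides.  The chain construction follows
RFC 1760 (S/KEY) in spirit; using SHA-256 truncated to 8 bytes, and the
enroll/otp/verify API, are assumptions of this example, not S/KEY's MD4 format.
"""
import hashlib
import hmac


def _step(x: bytes) -> bytes:
    # One link of the chain.  Truncation only mimics S/KEY's short, typeable
    # values; a real system would keep the full digest.
    return hashlib.sha256(x).digest()[:8]


def _chain(secret: str, seed: str, i: int) -> bytes:
    """H^i(secret || seed): apply the hash i times to the user's secret."""
    x = (secret + seed).encode()
    for _ in range(i):
        x = _step(x)
    return x


def enroll(secret: str, seed: str, n: int) -> tuple[bytes, int]:
    """Client side.  The server is given only (H^n, n); it never learns the secret."""
    return _chain(secret, seed, n), n


def otp(secret: str, seed: str, i: int) -> bytes:
    """Client side.  One-time password number i is H^i.  The client counts down
    from n-1, so each value it sends is the preimage of the previous one."""
    return _chain(secret, seed, i)


class OtpServer:
    """Server side.  Stores only the last accepted value and its index."""

    def __init__(self, stored: bytes, n: int) -> None:
        self.stored = stored
        self.count = n  # the next acceptable OTP is H^(count-1)

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 1:
            return False  # chain exhausted: the user must re-enroll with a fresh seed
        # Accept iff hashing the candidate once gives what we stored.  A replay
        # fails because we now store the replayed value itself, and H(v) != v.
        if hmac.compare_digest(_step(candidate), self.stored):
            self.stored = candidate
            self.count -= 1
            return True
        return False


def eavesdropper_replay(secret: str, seed: str, n: int) -> tuple[bool, bool, bool]:
    """The scenario from the slides: a genuine login is sniffed, the sniffed
    value is replayed, then the user's next genuine login follows."""
    server = OtpServer(*enroll(secret, seed, n))
    sniffed = otp(secret, seed, n - 1)             # captured in cleartext on the wire
    first = server.verify(sniffed)                 # genuine login succeeds
    replay = server.verify(sniffed)                # replay of the captured value fails
    nxt = server.verify(otp(secret, seed, n - 2))  # user's next login still works
    return first, replay, nxt
```

Because the server stores only H^n, a compromise of the server's password file (the vendor-system failure in the incident) yields nothing usable either: recovering the next acceptable value would require inverting the hash.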
Morris Worm – Events
• Symptoms:
  – Many systems under enough load to make them useless; reappearance after reboot
• Vulnerabilities exploited:
  – Sendmail “debug” command (debug support left enabled in shipped binaries)
  – Rexec password cracking via dictionary attack
  – Finger daemon buffer overflow into stack frame
  – Hunting for trusted hosts
Morris Worm – Lessons
• Communication among humans inadequate; CERT organized in the aftermath
• System monoculture is a risk
• Heightened interest in:
  – Diligent system administration and patch distribution
  – Code audit
• If called to testify, anticipate being asked about any remark in any forum
• In retrospect, did successful prosecution deter worm authors?
  – Over ten years until the next major Internet worm incidents
  – But now new widespread worm outbreaks are frequent
Morris Worm – Fixes
• Buffer & stack overflow protection & prevention of execution
• Constrained operating system environments:
  – Sandbox
  – Capability-based systems
  – Chroot
  – Reference Monitor
• Recent work:
  – e.g. “systrace” Interactive Policy Generator for System Calls (U Mich)
  – e.g. “Okena StormWatch” Intrusion Prevention System (Cisco)
A Note on Worms
• Recent models of worm behavior by Moore, Shannon, Savage, Paxson, Weaver, others.
  – Good fit to available data for Code Red worm (TCP/HTTP exploiter of Microsoft IIS) and Sapphire/Slammer worm (UDP exploiter of Microsoft SQL Server).
• “Flash Worms” predicted and now observed.
• “Since high-speed worms are no longer simply a theoretical threat, worm defenses need to be automatic; there is no conceivable way for system administrators to respond to threats of this speed. Human-mediated filtering provides no benefit for actually limiting the number of infected machines.”
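To make the quoted claim concrete, here is an added example (not from the slides or from the papers they cite) implementing the Random Constant Spread model those authors fit to Code Red and Slammer: da/dt = K a (1 - a), with closed form a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}). For a worm that scans IPv4 uniformly at random, K is the per-host scan rate times the fraction of the address space that is vulnerable. The figures used below for Slammer (about 75,000 vulnerable hosts, about 4,000 scans per second per infected host) are rounded illustrative values, and the simulation is a discrete-time expected-value version of the same model.

```python
"""Random Constant Spread (RCS) worm model: da/dt = K a (1 - a).

Added example, not from the slides or the papers they cite.  The closed form
a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}) is the model those papers fit; the host
count and scan rate below are rounded illustrative values.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4: a uniformly random scan hits a given host with p = 1/2^32


def spread_rate(scans_per_sec: float, vulnerable_hosts: int) -> float:
    """K for a uniformly random scanner: while few hosts are infected, each
    infected host finds scans_per_sec * (N / 2^32) fresh victims per second."""
    return scans_per_sec * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(t: float, k: float, t_half: float) -> float:
    """Closed-form RCS solution; t_half is the time at which half are infected."""
    return 1.0 / (1.0 + math.exp(-k * (t - t_half)))


def time_to_fraction(target: float, k: float, t_half: float = 0.0) -> float:
    """Inverse of infected_fraction: when does the worm reach `target`?"""
    return t_half + math.log(target / (1.0 - target)) / k


def doubling_time(k: float) -> float:
    """Early on (a << 1) growth is ~e^{kt}, so the population doubles every ln2/k."""
    return math.log(2.0) / k


def simulate(scans_per_sec: float, vulnerable_hosts: int, initial: int = 1,
             seconds: float = 600.0, step: float = 1.0) -> list[tuple[float, float]]:
    """Discrete-time expected-value simulation from one seed host.  Each step,
    every scan from an infected host hits a still-uninfected vulnerable host with
    probability (N - I)/2^32, which is the (1 - a) saturation term of the model."""
    infected = float(initial)
    t = 0.0
    series = [(t, infected)]
    while t < seconds:
        p_hit = (vulnerable_hosts - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable_hosts),
                       infected + infected * scans_per_sec * step * p_hit)
        t += step
        series.append((t, infected))
    return series


def slammer_summary() -> dict[str, float]:
    """Worked numbers: K, doubling time, and simulated seconds to 90% infection."""
    n, scans = 75_000, 4_000.0  # rounded illustrative values, not measured data
    k = spread_rate(scans, n)
    series = simulate(scans, n)
    t90 = next(t for t, i in series if i >= 0.9 * n)
    return {"K_per_sec": k, "doubling_s": doubling_time(k), "t90_s": t90}
```

With these inputs K is about 0.07 per second, the population doubles roughly every 10 seconds, and 90% of the vulnerable population is infected in a few minutes from a single seed, which is the arithmetic behind "no conceivable way for system administrators to respond." Run the same functions with a few scans per second and a few hundred thousand hosts to see Code Red's hours-long curve.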
Takedown – Events
• Grad student observes a super-user “su” into his account, and also the insertion of commands into his terminal session, while he is logging in remotely to SGI (through their firewall with a challenge-response authentication token)
• Prolonged offline analysis of how it happened was inconclusive until more information had been gathered from other affected sites (Loyola University Chicago and SDSC)
  – Some log files wiped
  – Other log files recovered with substantial effort (attacker deleted process accounting files, but the system still had an open file handle on them)
• Brief second intrusion when systems were placed back online to let the mail flow
• Source code files, licensed from SGI, were copied to another compromised site
Takedown – Events
• Vulnerabilities exploited (in combination):
  – Trusted hosts +
  – TCP sequence number prediction +
  – Simple one-way protocol (rshell/rcmd) – together, vulnerability to IP spoofing
Takedown – Lessons
• Trusted hosts – d’oh!
• Diligent administration is not enough
  – Crackers discover/use/hoard vulnerabilities that are not known widely or for which no patches are available
  – TCP sequence number prediction attacks described in 1985 (R.T. Morris, “A Weakness in the 4.2BSD Unix TCP/IP Software”, CSTR 117, AT&T Bell Labs)
• Obscurity is not enough
  – Why would a cracker go to the effort at my site?
• Security perimeters get ragged
  – firewall + smart card doesn’t protect a session hijacked from outside
Takedown – Fixes
• Ingress filtering: drop incoming packets with forged source address (e.g. a packet arriving from outside that claims an inside address)
• Egress filtering: drop outgoing packets whose source address is not one of your own (good citizenship; see RFC 2267)
• TCP sequence number defense
  – Need unpredictable content but must take care to minimize probability of collision with sequence numbers of packets from old stale connection.
  – State is specific to particular <localhost,localport,remotehost,remoteport> 4-tuple.
  – See RFC 1948 (Bellovin, May 1996)
• Firewalls constrain allowed network operations to a deliberately-analyzed subset of possible network behavior – minimize the exposure to the unanticipated.
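An added example (not from the slides) that simulates, in memory, the attack chain from the second "Takedown – Events" slide and the RFC 1948 defense listed above. The fixed 64,000-per-connection increment models the 4.4BSD-era generator that Morris's 1985 report and the Takedown incident exploited; the RFC 1948 generator adds an MD5 of the 4-tuple and a host secret to the same counter, so the counter still advances past stale connections but the per-connection offset is unknowable to someone who has only watched other connections. The Python classes, addresses, ports and the "id" command payload are this example's own; no packets are sent.

```python
"""Blind TCP spoofing against a trusted-host (rsh-style) service: predictable
ISNs vs. RFC 1948 per-connection ISNs.

Added example, not from the slides.  It simulates the handshake in memory; no
packets are sent.  Addresses, ports and the command payload are made up.
"""
import hashlib

MASK32 = 0xFFFFFFFF
Addr = tuple[str, int]  # (ip, port)


class PredictableISN:
    """4.4BSD-style generator: one global counter bumped by a fixed 64,000 per
    connection (the clock-driven part is omitted; it is equally guessable)."""

    def __init__(self, start: int = 0x1234_0000) -> None:
        self.counter = start

    def isn(self, local: Addr, remote: Addr) -> int:
        self.counter = (self.counter + 64_000) & MASK32
        return self.counter


class Rfc1948ISN(PredictableISN):
    """RFC 1948: ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M keeps the old counter (so stale segments still do not collide); F adds a
    per-4-tuple offset that an observer of *other* connections cannot learn."""

    def __init__(self, secret: bytes, start: int = 0x1234_0000) -> None:
        super().__init__(start)
        self.secret = secret

    def isn(self, local: Addr, remote: Addr) -> int:
        m = super().isn(local, remote)
        tup = f"{local[0]}:{local[1]}|{remote[0]}:{remote[1]}".encode()
        f = int.from_bytes(hashlib.md5(tup + self.secret).digest()[:4], "big")
        return (m + f) & MASK32


class TrustedHostService:
    """rsh/rcmd-like server: runs a command for any completed connection whose
    source address is the trusted host.  That address check is its only auth."""

    def __init__(self, addr: Addr, trusted_ip: str, gen: PredictableISN) -> None:
        self.addr, self.trusted_ip, self.gen = addr, trusted_ip, gen
        self.pending: dict[Addr, int] = {}
        self.executed: list[str] = []

    def syn(self, src: Addr) -> int:
        """Step 1: SYN arrives; we pick our ISN and send SYN/ACK *to src*.
        The return value is what a real client at `src` would read off the wire."""
        isn = self.gen.isn(self.addr, src)
        self.pending[src] = isn
        return isn

    def ack(self, src: Addr, ack_no: int, command: str) -> bool:
        """Step 3: the ACK must carry our ISN + 1, or no connection exists."""
        isn = self.pending.pop(src, None)
        if isn is None or ack_no != (isn + 1) & MASK32:
            return False
        if src[0] != self.trusted_ip:
            return False
        self.executed.append(command)
        return True


def blind_spoof(server: TrustedHostService, attacker: Addr, trusted: Addr,
                command: str) -> bool:
    """The chain from the slides: sample the ISN with a connection of your own,
    then spoof the trusted host and ACK the unseen SYN/ACK with a predicted number."""
    sample = server.syn(attacker)          # legitimate probe: attacker sees this SYN/ACK
    server.pending.pop(attacker, None)     # attacker resets the probe; server forgets it
    # Spoofed SYN.  The SYN/ACK goes to the real trusted host, which the attacker
    # has silenced beforehand (a SYN flood, in the published Takedown account), so
    # the attacker never sees the ISN and must guess it:
    _unseen = server.syn(trusted)
    guess = (sample + 64_000 + 1) & MASK32  # next ISN under the fixed-increment rule
    return server.ack(trusted, guess, command)


def compare() -> tuple[bool, bool]:
    """Run the same blind attack against a predictable and an RFC 1948 generator."""
    attacker, trusted = ("198.51.100.9", 40000), ("192.0.2.10", 1023)
    victim = ("192.0.2.20", 514)
    weak = TrustedHostService(victim, trusted[0], PredictableISN())
    strong = TrustedHostService(victim, trusted[0],
                                Rfc1948ISN(b"per-host secret chosen at boot"))
    return (blind_spoof(weak, attacker, trusted, "id"),
            blind_spoof(strong, attacker, trusted, "id"))
```

The attack succeeds against the predictable generator and fails against the RFC 1948 one with overwhelming probability, since the attacker's guess is off by F(attacker tuple) minus F(trusted tuple). Note what the defense does not fix: the rsh service still trusts a source address, which is why the slides list trusted hosts first and the sequence-number fix second.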
Persistent – Events
• From December 2001 – Fall 2002, UR experienced many network attacks from many sites using a variety of tools
• Compromised machines were backdoored and used for subsequent attacks, or deliberately destroyed
  – Pharmacy robotic picker
  – Facilities environmental monitoring systems
  – Simon School email servers
  – Many PCs and workstations
• Periodic “spite” attacks on non-UR sites: web defacements apparently solely for the purpose of posting derogatory remarks about UR
Persistent – Events
• Majority of attacks were via intermediaries that had themselves been compromised and backdoored: a few academic and government sites (MIT, CMU, NIH), many small businesses in a single large IP address block serving DSL
• Common features of the intermediaries showed that the incidents were related:
  – Backdoors with the same password
  – Lingering connections back to a common attacking site (in China)
• Use of both general-purpose and cracker-specific proxies and relays. (Note: Many people make use of the same relays for privacy/censorship reasons.)
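The correlation step described on this slide, linking intermediaries that share a backdoor password or a lingering connection to the same remote site, as an added example (not from the slides, and the observations are constructed, not data from the Rochester incidents). The grouping is transitive: if host A shares a backdoor password with B and B shares a lingering connection with C, all three land in one cluster even though A and C share nothing directly, which is how a set of otherwise unrelated small-business DSL hosts can be shown to belong to one campaign.

```python
"""Linking compromised intermediaries by shared indicators.

Added example, not from the slides.  The observations below are constructed
for illustration and are not data from the University of Rochester incidents.
"""
from collections import defaultdict

# Constructed per-host findings: indicator type -> value.  A real run would fill
# these from netstat output, backdoor configs and recovered password strings.
OBSERVATIONS = [
    {"host": "dsl-17.example.net", "backdoor_pw": "r00tme", "lingering_conn": "203.0.113.7:6667"},
    {"host": "dsl-42.example.net", "backdoor_pw": "r00tme", "lingering_conn": "203.0.113.7:6667"},
    {"host": "lab3.example.edu", "backdoor_pw": "r00tme"},
    {"host": "www.example.gov", "lingering_conn": "203.0.113.7:6667"},
    {"host": "kiosk.example.org", "backdoor_pw": "letmein", "lingering_conn": "198.51.100.3:31337"},
    {"host": "cam2.example.org", "lingering_conn": "198.51.100.3:31337"},
    {"host": "stray.example.com", "backdoor_pw": "password"},
]


def _find(parent: dict, x: str) -> str:
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent: dict, a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_intermediaries(observations: list[dict]) -> list[tuple[list[str], list[str]]]:
    """Group hosts that share any indicator value, transitively.
    Returns [(sorted hosts, sorted 'type=value' indicators shared by 2+ hosts)],
    largest cluster first."""
    parent = {o["host"]: o["host"] for o in observations}
    by_indicator: dict[tuple[str, str], list[str]] = defaultdict(list)
    for o in observations:
        for kind, value in o.items():
            if kind != "host":
                by_indicator[(kind, value)].append(o["host"])
    # Every host that exhibits the same indicator value is joined to the first one.
    for hosts in by_indicator.values():
        for h in hosts[1:]:
            _union(parent, hosts[0], h)
    groups: dict[str, set[str]] = defaultdict(set)
    for h in parent:
        groups[_find(parent, h)].add(h)
    result = []
    for members in groups.values():
        shared = {f"{k}={v}" for (k, v), hs in by_indicator.items()
                  if len(hs) > 1 and set(hs) <= members}
        result.append((sorted(members), sorted(shared)))
    return sorted(result, key=lambda r: (-len(r[0]), r[0]))
```

The singleton cluster at the end is the useful negative result: a host with a unique backdoor password and no connection to the common sites is not evidence for the same attacker, and should not be folded into the incident report on the strength of timing alone.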
Persistent – Attacks
• Successive waves of scanning for and exploitation of vulnerabilities:
  – Microsoft SQL Server and MSDE default administrator passwords
  – pcAnywhere weak passwords
  – SMB/NETBIOS weak administrator passwords
  – Windows Terminal Server weak passwords
  – Usual array of web server holes (mostly in Microsoft IIS) and http-exploitable holes (e.g. Sun AnswerBook)
Persistent – Tools
• Use of a variety of turn-key tools for vulnerability detection and exploitation; notably:
  – Fluxay, a graphical user interface with extensibility, databases of vulnerable hosts and installed remote agents, and one-click functioning of common operations such as compromise-and-install-backdoor
  – ISS (Internet Security Scanner), a commercial tool, for which there are known license-key generators
Persistent – Lessons
• Perimeter defense becomes ineffective once it has been breached and the attacker has a “foot in the door.”
• Insider always has a foot in the door.
• There is a practically limitless supply of vulnerable systems that attackers can use as remote agents.
• Response time across organizational and national boundaries is a problem. ISPs and nations are almost immovable. Educational sites tend to have incident response processes in place. Small businesses will cut to the chase if you find the right person.
• There is evidence there if you dig hard & soon enough.
Readings
• Stoll, “Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage”
  – ISBN 0743411463
• Eichin, Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988”
  – http://www.mit.edu:8001/people/eichin/virus/main.html
• Shimomura, Markoff, “Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw – By the Man Who Did It”
  – http://www.takedown.com
  – ISBN 0786862106
  – This is not a balanced treatment, but it does describe the raw events of the interrelated SDSC, Rochester, and Loyola incidents.