Network Security Lecture 8
Dr John C. Murray Faraz Janan Senior Lecturer Lecturer
Hackers
• What is Hacking?
– Rough or a heavy blow (in dictionary)
– Unconventional way to access computer systems
• Why do Hackers hack? – Motives / Incentives
– Anything else?
In the past…
• In years past, security threats came from geniuses or nerdy students with lots of time.
– Relatively few people doing this – though the motivation for some was to prove that they could break into another network.
• Since then, the number of potential attackers and the sophistication of the attacks have increased exponentially.
– Attacks that once required attackers to have an advanced degree in computing can now be done with easily downloaded and freely available tools that the average secondary school student can figure out how to use.
Impact!
• Every company and almost every person connects to the Internet, making essentially the whole world vulnerable to attack.
• That’s a large playground.
• Financial cost (Sony PlayStation $170M), loss of information (ANON hacked NASA, FBI), privacy (celeb leaks), identity theft (bank cards), website attacks, online scams, damaged reputation (Panama Papers), rival advantage, just for fun etc.
Motive!
• Today’s attackers can be much more organized.
– Organized crime (stealing billions by extorting companies, threatening a denial of service (DoS) attack on the companies’ public web servers).
– Or they steal identity and credit card information for sometimes hundreds of thousands of people with one sophisticated attack.
– Attacks might come from nation-states, non-state actors or terrorists. Not only might they attack military and government networks, but they might try to disrupt infrastructure services for utilities and transportation and cripple economies. (John Nash in A Beautiful Mind – sort of)
Example – firewall
[Diagram: Internet – router – firewall – switch, with an internal web server, nodes and a printer on the inside.]
So here’s our network with a firewall…
You’re sitting on the inside – feeling comfy, but is it really that safe?
What potential danger could there be?
An Inside Job!
• A perimeter firewall (a firewall on the edge, or perimeter, of the network) does not protect the Enterprise from all the dangers possible through the Internet connection.
• Not only that, a higher percentage of security attacks actually come from inside the Enterprise network, and the firewall does not even see those packets (TJX scandal).
• What kinds of attack do you think might occur and for what purpose?
Types of Attack
• Denial of service (DoS) attacks: An attack whose purpose is to break things.
– DoS attacks called destroyers try to harm the hosts, erasing data and software.
– DoS attacks called crashers cause harm by causing hosts to fail or causing the machine to no longer be able to connect to the network.
– DoS attacks called flooders flood the network with packets to make the network unusable, preventing any useful communications with the servers.
Types of Attack cont…
• Reconnaissance attacks:
– This kind of attack may be disruptive as a side effect, but its goal is gathering information to perform an access attack. An example is learning IP addresses and then trying to discover devices that do not appear to require encryption to connect to the server (e.g. Android 5 as shipped on the Moto E and Galaxy S6 is not encrypted by default).
• Access attacks:
– An attempt to steal data, typically data for some financial advantage, for a competitive advantage with another company, or even for international espionage.
– Example: Operation Shady RAT
Attack attack!
• Computer viruses are just one tool that can be used to carry out any of these attacks. A virus is a program that is somehow transferred onto an unsuspecting computer, possibly through an e-mail attachment or website download.
• A virus could just cause problems on the computer, or it could steal information and send it back to the attacker.
• There are different types of virus; the most common are attachments to an executable, boot-time runners, direct-action, memory-resident, x-day viruses, multipartite, overwrite viruses, polymorphic, network and FAT viruses etc.
Back Orifice
• http://en.wikipedia.org/wiki/Back_Orifice
• Sub 7
Antivirus Software
• Today, most computers use some type of anti-virus software to watch for known viruses and prevent them from infecting the computer.
• Among other activities, the anti-virus software loads a list of known characteristics of all viruses, with these characteristics being known as virus signatures.
• By periodically downloading the latest virus signatures, the anti-virus software knows about all the latest viruses.
Antivirus Software
• By watching all packets entering the computer, the anti-virus software can recognize known viruses and prevent the computer from being infected.
• These programs also typically run an automatic periodic scan of the entire contents of the computer disk drives, looking for any known viruses.
• Anti-virus software has two components: a scanning engine and a library of virus signatures used to identify threats.
• Developing anti-virus software is a complicated job; however, some open-source projects are available for starters (http://www.clamav.net/).
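As an added illustration (not part of the lecture, and not ClamAV code), here is the engine-plus-signature-library split in miniature: a small Python scanner that loads a constructed signature database of whole-file SHA-256 hashes and byte patterns with wildcard bytes, and checks a few constructed in-memory "files" against it. The EICAR anti-virus test string is the only real signature; the other database entries and all sample files are made up for the example.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str   # "sha256": hash of the whole file; "hex": byte pattern, "??" = any one byte
    value: str


def _hex_pattern_to_regex(hex_pattern: str) -> re.Pattern:
    """Compile a hex signature such as 'DEADBEEF??CAFE' into a regex over bytes."""
    parts = []
    for i in range(0, len(hex_pattern), 2):
        token = hex_pattern[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


# The standard EICAR test string: harmless, but every real engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database (a real library holds millions of entries).
SIGNATURES = [
    Signature("Eicar-Test-File", "hex", EICAR.hex()),
    Signature("Constructed.Dropper.A", "hex", "DEADBEEF????CAFEBABE"),   # two wildcard bytes
    Signature("Constructed.Trojan.B", "sha256",
              hashlib.sha256(b"constructed sample B payload").hexdigest()),
]


class SignatureEngine:
    """The 'engine' half: applies whatever the signature library contains."""

    def __init__(self, signatures):
        self.hashes = {s.value.lower(): s.name for s in signatures if s.kind == "sha256"}
        self.patterns = [(s.name, _hex_pattern_to_regex(s.value))
                         for s in signatures if s.kind == "hex"]

    def scan_bytes(self, data: bytes) -> list:
        """Return the names of every signature that matches this file content."""
        hits = []
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:                 # cheap exact-file check first
            hits.append(self.hashes[digest])
        for name, pattern in self.patterns:       # then the slower byte-pattern search
            if pattern.search(data):
                hits.append(name)
        return hits

    def scan_file(self, path: str) -> list:
        with open(path, "rb") as fh:
            return self.scan_bytes(fh.read())


# Constructed "disk contents" to scan; only notes.txt is clean.
SAMPLES = {
    "eicar.com": EICAR,
    "installer.bin": b"\x00" * 16 + bytes.fromhex("DEADBEEF1234CAFEBABE") + b"\x00" * 16,
    "sample_b.exe": b"constructed sample B payload",
    "notes.txt": b"quarterly report, nothing to see here",
}


def scan_samples(engine=None) -> dict:
    engine = engine or SignatureEngine(SIGNATURES)
    return {name: engine.scan_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:15} {'CLEAN' if not hits else 'INFECTED: ' + ', '.join(hits)}")
```

Updating the signature list (the lecture's "periodically downloading the latest virus signatures") is just replacing `SIGNATURES`; the engine itself does not change, which is exactly why signature-based detection cannot see a virus whose pattern is not yet in the library.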
Unsecured Wireless
• Access from the wireless LAN: Wireless LANs allow users to access the rest of the devices in the Enterprise.
– The wireless radio signals might leave the building, so an unsecured wireless LAN allows the user across the street in a coffee shop to access the Enterprise network, letting the attacker begin the next phase of trying to gain access to the computers in the Enterprise.
• Nowadays almost every router has a static access key, which prevents unauthorized access to a great extent; however, public wireless hotspots such as those in airports and cafés (mostly ad-hoc networks) are insecure. Ad-hoc networks are easily subject to man-in-the-middle attacks.
Here’s one I picked up earlier.
• Infected mobile laptops:
– When an employee brings his or her laptop (PC2) home, with no firewall or other security, the laptop may become infected with a virus.
– When the user returns to the office in the morning, the laptop connects to the Enterprise network, and the virus spreads to other PCs. A PC may be vulnerable in part because the user may have avoided running the daily anti-virus software scans that, although useful, can annoy the user.
Although this is generally an automated process.
Mwahahahaha!
• Disgruntled employees:
– A user is planning to move to a new company.
– They steal information from the network and load it onto a USB flash drive (or similar). This allows them to carry the entire customer database in a device that can be easily concealed and removed from the building.
• Not an exhaustive list!
Self-defending Network
• Network Admission Control (NAC by Cisco) is one security tool to help prevent two of the attacks just described. Among other things, NAC can monitor when devices first connect to a LAN, be they wireless or wired.
– Recognizes users, their devices, and their roles in the network
– Supports distinct protocols for authentication, authorization, and accounting
– The NAC feature, partly implemented by features in the LAN switches, would prevent a computer from connecting to the LAN until its virus definitions were updated, with a requirement for a recent full virus scan.
Self-defending Network
– The user must present some sort of credentials (or a credit card) before being granted access to the network.
– NAC also includes a requirement that the user supply a username and password before being able to send other data into the LAN, helping prevent the guy at the coffee shop from gaining access.
– e.g. connections on Megabus, student hostels etc.
The Attackers Toolkit
• What tools are at the disposal of the attacker?
The Attackers Toolkit
• Scanner:
– A tool that sends connection requests to different TCP and UDP ports, for different applications, in an attempt to discover which hosts run which IP services, and possibly the operating system used on each host.
• Spyware:
– A virus that looks for private or sensitive information, tracking what the user does with the computer, and passing the information back to the attacker in the Internet.
The Attackers Toolkit cont…
• Worm:
– A self-propagating program that can quickly replicate itself around Enterprise networks and the Internet, often performing DoS attacks, particularly on servers.
• Keystroke logger:
– A virus that logs all keystrokes, or possibly just keystrokes from when secure sites are accessed, reporting the information to the attacker.
– Loggers can actually capture your username and password to secure sites before the information leaves the computer, which could give the attacker access to your favourite financial websites. The program on the victim’s computer, usually called the ‘server’, can even take screenshots and send them back to the attacker’s host (Sub 7).
The Attackers Toolkit cont…
• Phishing:
– The attacker’s website masquerades as a legitimate website, often for a bank or credit card company. The phisher sends e-mails listing the illegitimate website’s URL but making it look like the real company.
– The phisher hopes that a few people will take the bait, connect to the illegitimate website, and enter information such as their name, address, credit card number, and other important information.
– Common subject lines: Re: Expiration Notice, request to restore service, Mail Quota, load advice etc.
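Added example, not from the lecture: a mail-filter style check, in Python, for the masquerade described above. It parses an HTML mail body, pairs each link's visible text with its real destination, and flags links whose displayed URL names a different host than the actual href, or whose destination is a raw IP address rather than a named site. The sample message, the `.example` and `.invalid` host names and the 203.0.113.7 address are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url           # bare "www.site.example/path" in the link text
    return (urlparse(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Does the visible link text itself look like a URL or host name?
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def suspicious_links(html_body: str) -> list:
    """Return the links a user would be misled by, with the reason for each."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = _host(href)
        reasons = []
        # The bait: the text shows the bank's address, the href goes somewhere else.
        if URL_LIKE.match(text) and _host(text) != real_host:
            reasons.append(f"shows {_host(text)} but goes to {real_host}")
        # Legitimate banks do not send you to a bare IP address.
        if _is_ip(real_host):
            reasons.append("destination is a raw IP address, not a named site")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing mail in the style of the lures listed on the slide.
SAMPLE_EMAIL = """<html><body>
<p>Re: Expiration Notice - your mailbox quota is full and service will be suspended.</p>
<p>Please <a href="http://203.0.113.7/login">restore service</a> now, or sign in at
<a href="http://examplebank-secure.invalid/verify">https://www.examplebank.example/verify</a>.</p>
<p>Questions? <a href="https://www.examplebank.example/contact">www.examplebank.example</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The third link in the sample is left alone because its text and destination agree, which is the whole point of the check: the mail client shows the user the text, the browser follows the href, and phishing lives in the gap between the two.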
The Attackers Toolkit cont…
• Malware:
– This refers to a broad class of malicious viruses, including spyware.
– The solution is to provide security in depth throughout the network.
– Sony DRM: http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
Firewall – what they do
• Firewalls examine all packets entering and exiting a network for the purpose of filtering unwanted traffic.
• Firewalls determine the allowed traffic versus the disallowed traffic based on many characteristics of the packets, including their destination and source IP addresses and the TCP and UDP port numbers (which imply the application protocol).
• Firewalls also examine the application layer headers.
Firewall
• The term firewall is taken from the world of building and architecture.
– two basic requirements.
• Must be made of fire-resistant materials
• The architect limits the number of openings in the wall (doors, conduits for wires and plumbing), limiting the paths through which the fire can spread.
– Similarly, a network firewall must itself be hardened against security attacks. It must disallow all packets unless configured with a rule that allows the traffic – a process often called “opening a hole,” again with analogies to a firewall in a building.
Demilitarized Zone (DMZ)
• Firewalls sit in the packet-forwarding path between two networks, often with one LAN interface connecting to the secure local network, and one to the other, less-secure network (often the Internet).
• Because some hosts need to be accessible from the Internet, the firewall typically also has an interface connected to another small part of the Enterprise network – the demilitarized zone (DMZ).
• The DMZ LAN is a place to put devices that need to be accessible, but that access puts them at higher risk.
Example – firewall
[Diagram: Internet – router – firewall – switch, with a web server, nodes and a printer on the inside.]
Example – firewall with DMZ
[Diagram: Internet – router – firewall; the firewall has one interface to the inside (router – switch – internal web server, nodes, printer) and a second interface to the DMZ, where the external web servers sit.]
• To do its job, the firewall needs to be configured to know which interfaces are connected to the inside, outside, and DMZ parts of the network. Then, a series of rules can be configured that tell the firewall which traffic patterns are allowed and which are not.
Firewall – Example Rules
Intrusion detection and Prevention
• The world of network security includes a couple of types of tools that can be used to help prevent the more sophisticated kinds of attacks:
– Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDS and IPS tools detect these threats by watching for trends, looking for attacks that use particular patterns of messages, and other factors.
– For instance, an IDS or IPS can track sequences of packets between hosts to look for a file being sent to more and more hosts, as might be done by a worm trying to spread inside a network.
Intrusion detection and Prevention
• IDS and IPS systems differ mainly in how they monitor the traffic and how they can respond to a perceived threat.
– IDS tools typically receive a copy of packets via a monitoring port, rather than being part of the packets’ forwarding path. The IDS can then rate and report on each potential threat, and potentially ask other devices, such as firewalls and routers, to help prevent the attack (if they can).
– IPS tools often sit in the packets’ forwarding path, giving the IPS the capability to perform the same functions as the IDS, but also to react and filter the traffic.
Intrusion detection and Prevention
• The ability to react is important with some threats, such as the Slammer worm in 2003, which doubled the number of infected hosts every 9 seconds or so, infecting 75,000 hosts in the first 10 minutes of the attack.
• This kind of speed requires the use of reactive tools, rather than waiting on an engineer to see a report and take action.
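Added example in Python (not from the lecture or from any IDS product) of the two pattern-based detections the slides describe: the scanner from the attacker's toolkit, which touches many different ports on one host, and the worm-like spread an IDS looks for, one host contacting the same service on more and more neighbours. Flow records are bucketed into fixed time windows and counted per source. The thresholds, the flow records and all addresses are constructed; UDP/1434 is used for the worm-like traffic as a nod to Slammer, which spread over that port.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def detect_port_scans(flows, window: float = 60.0, min_ports: int = 15):
    """One source touching many different ports on one host inside a window: a scanner."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst, int(f.ts // window))].add(f.dport)
    return sorted({(src, dst) for (src, dst, _), seen in ports.items()
                   if len(seen) >= min_ports})


def detect_worm_fanout(flows, window: float = 60.0, min_hosts: int = 15):
    """One source hitting the same service on many hosts inside a window: worm-like spread."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[(f.src, f.proto, f.dport, int(f.ts // window))].add(f.dst)
    return sorted({(src, proto, dport) for (src, proto, dport, _), seen in hosts.items()
                   if len(seen) >= min_hosts})


def constructed_flows():
    """Constructed flow records: some normal browsing, one scanner, one infected PC."""
    flows = []
    # Ordinary browsing from one inside PC to three web servers.
    for i, server in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        flows.append(Flow(100.0 + i, "10.1.1.7", server, 443))
    # A scanner outside walks ports 1-40 on the internal web server in about 8 seconds.
    for port in range(1, 41):
        flows.append(Flow(200.0 + port * 0.2, "198.51.100.9", "10.1.1.5", port))
    # An infected PC hits UDP/1434 on 32 neighbours in under 20 seconds.
    for i in range(32):
        flows.append(Flow(300.0 + i * 0.6, "10.1.1.22", f"10.1.1.{100 + i}", 1434, "udp"))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("port scans:", detect_port_scans(flows))
    print("worm-like fan-out:", detect_worm_fanout(flows))
```

The two detections are deliberately the transpose of each other: a scan is one destination with many ports, fan-out is one port with many destinations. Normal browsing trips neither, because a PC talks to a handful of servers on a handful of ports. An IDS fed a copy of the traffic would only report these findings; an IPS in the forwarding path could use the same result to start dropping the offending source, which is the reaction the Slammer numbers on the slide call for.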
Firewalls – more in depth
• Intercept packets
• Funnels all traffic entering its network interfaces over a single path (data bus).
• Each packet is checked according to a rule.
• Packet headers are read for conditions that match rules set up in security tables.
Example – firewall
[Diagram: a packet arrives on the external interface, is funnelled over the data bus, the security rules list is applied, and the packet is forwarded if it passes or dropped if it fails.]
Firewall Classifications
• Trusted Network
– Inside the security perimeter and under complete administrative control of the enterprise.
• Untrusted Network
– Outside the security perimeter and known to the firewall, but beyond the enterprise’s administrative control – this might be researchers using their own servers/host machines on a separate subnet.
• Unknown Network
– Unknown networks that the firewall has received no information or instructions about – basically almost the entire Internet.
Access List
• Simplest form of network security technology.
– Also called: access control lists or filters.
– Filter packets according to three criteria:
• Source IP address
• Destination IP address
• Port number
– If rule is a positive match – packet is accepted and forwarded to the network.
– If the match rule is deny – the packet is dropped.
– If a packet’s evaluation runs to the bottom of the access list without a match, it is dropped by default (implicit deny rule).
Access List
• Access lists are stateless
– Access rules are applied without the benefit of understanding the context of each connection made by hosts (called sessions).
– Simple packet filters have no idea which session packets belong to, so decisions to forward or block them are based strictly on source address, destination address, or port number.
– Decisions to allow packets are made at the Network layer or Transport layer.
– Knowing which conversation a packet belongs to makes for better security – so build on the access list and track sessions…
Session Tracking
• Session-based filtering is also known as stateful, or context-based, packet filtering.
– The inside host initiates a connection to an external node. If ok, the firewall notes the session’s start time, source/destination addresses, and port numbers.
– The return messages from the outside node are allowed through the firewall.
– Session-based tracking looks for state information in the TCP/UDP headers and creates a temporary opening in the firewall for the return traffic of each tracked session.
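Added example, not from the lecture: a small Python model of the example firewall rules, the access list and the session tracking from the last few slides. The access list is evaluated top to bottom, first match wins, with the implicit deny at the bottom; the stateful wrapper records each session the access list permitted outbound and lets the matching return traffic back in for a limited time, the "temporary opening". The inside range 10.1.0.0/16, the DMZ range 192.0.2.0/24, the rules and the packets are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = from the trusted side, "in" = from the untrusted side


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class AccessList:
    """Stateless filter: the first matching rule decides; no match means deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"   # implicit deny at the bottom of the list


class StatefulFirewall:
    """Access list plus a session table that opens a temporary hole for return traffic."""

    def __init__(self, acl: AccessList, session_lifetime: float = 300.0):
        self.acl = acl
        self.session_lifetime = session_lifetime
        self.sessions = {}   # (proto, src, sport, dst, dport) -> start time

    def process(self, p: Packet, now: float = 0.0) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        started = self.sessions.get(reverse)
        if p.direction == "in" and started is not None and now - started < self.session_lifetime:
            return "permit (session)"   # reply to a connection an inside host opened
        action = self.acl.evaluate(p)
        if action == "permit" and p.direction == "out":
            # Note the session's start time and addresses/ports so replies can get back in.
            self.sessions[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
        return action


INSIDE, DMZ, ANY = "10.1.0.0/16", "192.0.2.0/24", "0.0.0.0/0"   # constructed ranges
RULES = [
    Rule("permit", "tcp", INSIDE, ANY, 80),    # inside users may browse the web
    Rule("permit", "tcp", INSIDE, ANY, 443),
    Rule("permit", "udp", INSIDE, ANY, 53),    # and resolve names
    Rule("permit", "tcp", ANY, DMZ, 80),       # the Internet may reach the DMZ web servers
    Rule("deny", "any", ANY, INSIDE, None),    # nothing from outside reaches the inside directly
]


def run_demo() -> dict:
    """Constructed packets: the same reply is dropped by the plain ACL but passed statefully."""
    acl = AccessList(RULES)
    fw = StatefulFirewall(acl)
    request = Packet("tcp", "10.1.1.7", 51000, "203.0.113.10", 443, "out")
    reply = Packet("tcp", "203.0.113.10", 443, "10.1.1.7", 51000, "in")
    probe = Packet("tcp", "198.51.100.9", 40000, "10.1.1.7", 22, "in")
    dmz_web = Packet("tcp", "198.51.100.9", 40001, "192.0.2.10", 80, "in")
    dmz_ssh = Packet("tcp", "198.51.100.9", 40002, "192.0.2.10", 22, "in")
    return {
        "request (stateful)": fw.process(request, now=10.0),
        "reply (stateless acl)": acl.evaluate(reply),
        "reply (stateful)": fw.process(reply, now=11.0),
        "late reply (stateful)": fw.process(reply, now=1000.0),
        "unsolicited probe": fw.process(probe, now=12.0),
        "dmz web": fw.process(dmz_web, now=12.0),
        "dmz ssh": fw.process(dmz_ssh, now=12.0),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} {verdict}")
```

The stateless list has no way to admit the web server's reply without a rule permitting inbound traffic from any address on port 443, which would also admit anything else on that port; the session table admits exactly the one reply the inside host asked for, and only until the session expires.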
NAT and PAT
• Network Address Translation (NAT)
• Port Address Translation (PAT)
– Hides the internal network from the global network
[Diagram – NAT, one to one: internal hosts 10.1.1.1 (port 2351), 10.1.1.2 (port 4211) and 10.1.1.3 (port 3315) sit behind the router (10.1.1.10); each internal address is translated to its own public address (209.78.21.18, 209.78.21.19, 209.78.21.20) before packets reach the Internet.]
[Diagram – PAT, one to many: the same three hosts share the single public address 209.78.21.21 and are told apart by port: 209.78.21.21:2351, 209.78.21.21:4211 and 209.78.21.21:3315.]
NAT and PAT
[Diagram: a user at 10.1.1.1 requests a web page; the router (10.1.1.10) performs NAT, mapping the host to the public IP address 209.78.21.18; the internal network is hidden from the Internet.]
[Diagram: users at 10.1.1.1, 10.1.1.2 and 10.1.1.3 request web pages; the router performs PAT, mapping all three to 209.78.21.21 with ports 2351, 4211 and 3315; the internal network is hidden.]
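Added example, not from the lecture: the one-to-one NAT and one-to-many PAT tables in Python, using the slide's addresses. The static NAT maps each inside host to its own public address in both directions; the PAT keeps a translation table keyed by the whole connection, so replies from the Internet are delivered to the right inside host while unsolicited packets find no entry and are dropped, which is what "the internal network is hidden" means in practice. The pairing of 10.1.1.1/.2/.3 with 209.78.21.18/.19/.20, the remote web server 203.0.113.80 and the fourth host 10.1.1.4 are assumptions for the example.

```python
class StaticNat:
    """One-to-one NAT: every inside address owns a public address, in both directions."""

    def __init__(self, mapping: dict):
        self.inside_to_public = dict(mapping)
        self.public_to_inside = {pub: ins for ins, pub in mapping.items()}

    def outbound(self, inside_ip: str) -> str:
        return self.inside_to_public[inside_ip]

    def inbound(self, public_ip: str):
        return self.public_to_inside.get(public_ip)   # None: no such host, drop


class Pat:
    """One-to-many PAT: many inside hosts share one public address, told apart by port."""

    def __init__(self, public_ip: str, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.low, self.high = port_range
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.out_table = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_table = {}

    def _allocate(self, proto: str, wanted: int) -> int:
        used = {port for (p, port, _, _) in self.in_table if p == proto}
        if self.low <= wanted <= self.high and wanted not in used:
            return wanted            # keep the inside port when nobody else is using it
        for port in range(self.low, self.high + 1):
            if port not in used:     # otherwise take the next free one
                return port
        raise RuntimeError("PAT port pool exhausted")

    def outbound(self, proto, inside_ip, inside_port, remote_ip, remote_port):
        """Translate an inside host's packet; create the table entry on first sight."""
        key = (proto, inside_ip, inside_port, remote_ip, remote_port)
        if key not in self.out_table:
            public_port = self._allocate(proto, inside_port)
            self.out_table[key] = public_port
            self.in_table[(proto, public_port, remote_ip, remote_port)] = (inside_ip, inside_port)
        return self.public_ip, self.out_table[key]

    def inbound(self, proto, public_port, remote_ip, remote_port):
        """Only packets matching an existing translation get in; anything else is dropped."""
        return self.in_table.get((proto, public_port, remote_ip, remote_port))


# Constructed scenario with the slide's inside hosts and ports; the remote server is assumed.
WEB = ("203.0.113.80", 80)
STATIC = {"10.1.1.1": "209.78.21.18", "10.1.1.2": "209.78.21.19", "10.1.1.3": "209.78.21.20"}
INSIDE_FLOWS = [("10.1.1.1", 2351), ("10.1.1.2", 4211), ("10.1.1.3", 3315)]


def run_demo() -> dict:
    nat = StaticNat(STATIC)
    pat = Pat("209.78.21.21")
    out = {}
    out["nat"] = [nat.outbound(ip) for ip, _ in INSIDE_FLOWS]
    out["nat reply"] = nat.inbound("209.78.21.19")
    out["pat"] = [pat.outbound("tcp", ip, port, *WEB) for ip, port in INSIDE_FLOWS]
    # A fourth host happens to use a source port already taken: PAT must pick another.
    out["pat collision"] = pat.outbound("tcp", "10.1.1.4", 2351, *WEB)
    out["pat reply"] = pat.inbound("tcp", 4211, *WEB)                       # finds 10.1.1.2
    out["pat unsolicited"] = pat.inbound("tcp", 3389, "198.51.100.9", 55555) # nothing to map to
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:16} {value}")
```

The port collision case is the one the slide's tidy diagram hides: the public port equals the inside port only while that port is free, so the translation table, not arithmetic, is what makes PAT work.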
Other Security Flaws
• Cross-site Scripting
OSI Model for Hackers!!
• Layer 1:
– Accessing fiber optics, sniffing packets, CAT5 interference, wifi communication etc.
– e.g. nmap, Wireshark
• Layer 2:
– MAC Flooding (turn Switch into a hub), MAC Spoofing (change hardcoded MAC address to bypass Access List), MAC duplication, ARP Spoofing, footprint capture etc.
– e.g. macof, dsniff, GhostMAC, SpoofMAC
OSI Model for Hackers
• Layer 3:
– Extract IP address, router password, port reading, routing protocols, Smurf attack
– e.g. GetIP, Netcat, hping
• Layer 4:
– Session hijacking, man-in-the-middle
– e.g. netstat, Firesheep, Cain
• Layer 5:
– Remote procedure call (RPC) attacks, file system attacks, server attacks, SQL injection
OSI Model for Hackers!
• Layer 6:
– File type conversions, encoding/decoding, Hex editing (game hacking – Asphalt 8!! )
• Layer 7:
– Stealing login credentials, backdoor access, brute-force access, OS command and control, default-password access, extracting user info (key loggers), DNS poisoning
– e.g. NetBus, Tini, Back Orifice, virus intruders, obscure, phishing attack URLs etc.
Questions