To Stop a Hacker is to Think Like One!

G.B.P.E.C. Pauri

Hacking & Security Policies

Presented by:
Balram Sahu
Electrical Engg.
IInd Year
Background

Seminar Objectives
• Provide insight into current efforts and future plans for network security.
• Provide a helpful perspective on the nature of today's Internet security risk.
• Provide guidelines for achieving security goals.
• Demonstrations of tools used by hackers.
Presentation Outline

• Part 1: Threats to Security
• Part 2: Performing a Risk Assessment
• Part 3: Hacker Technologies
• Part 4: Buffer Overflow Exploits
• Part 5: Firewalls
• Part 6: Denial of Service and Trojans
• Part 7: Security Policy
• Part 8: How to Handle an Attack?
• Part 9: Educational Resources
Why Security

• 96% of large companies & govt. agencies had computer security breaches in 2005
• Three-quarters suffered financial losses
• Most frequent problems
  – Computer viruses (85%)
  – Abuse of Internet access (79%)
  – Web-site vandalism (64%)

Source: 2005 CSI/FBI Computer Crime and Security Survey


Threats to Security

• Internal threats, such as internal attacks or code vulnerabilities
• External threats, such as social engineering or viruses
Addressing Internal Threats

(Diagram: internal attacks against the restricted area of the network)

• Failure to update hotfixes and security patches
• Blank or weak passwords
• Default installation with unnecessary services
External Threats

(Diagram: the categories of external threat and their effect on the network. Categories shown: Organizational Attacks, Social Engineering, Automated Attacks, Accidental Breaches in Security, Denial of Service (DoS), and Viruses, Trojan Horses and Worms; the target in the centre is Restricted Data.)
General Prevention

• Test and apply service packs and hotfixes
• Run and maintain antivirus software
• Run an intrusion detection system at the perimeter of your network
• Block all messages containing Readme.exe or Admin.dll attachments
• Reinstall infected systems
Protecting E-Mail

• Microsoft Outlook e-mail security update
  – Blocks common script and executable extensions
  – Disables active scripting
  – Warns users about attempts to access the Outlook address book or send e-mail
• Internet Explorer service packs for Microsoft Outlook Express
  – Internet Explorer 5.01 SP2
  – Internet Explorer 5.5 SP2
  – Internet Explorer 6 (full installation required on upgrades)
Protecting Web Servers (Internet Information Service)

• Apply the latest hotfixes
• Install the latest service pack
• Install the security roll-up packages
• Remove unnecessary IIS components
• Install UrlScan with the default rule set
Protecting File Servers

• Remove unnecessary file shares
• Use an AGDLP or AGUDLP strategy
• Assign the minimum required permissions
• Enforce complex passwords
Microsoft Strategic Technology Protection Program

• Two-phase program that integrates Microsoft products, services, and support
  – Phase 1: Get Secure
  – Phase 2: Stay Secure

Phase 1: Get Secure

• The Microsoft Security Tool Kit
  – Contains tools that provide a baseline level of security for servers that are connected to the Internet.
  – Provides support for Windows NT 4.0 and Windows 2003.
• Toll-free virus support

Phase 2: Stay Secure

• Worldwide security-readiness events
• Tools, updates, and patches
  – Enterprise security tools
  – Windows Update auto-update functionality
  – Bimonthly product roll-up patches
• Consulting engagements
Part 2: Performing a Risk Assessment

Strategies to Manage Risk

(Diagram: four strategies arranged around Risk)
• Acceptance
• Avoidance
• Mitigation
• Contingency Plans
Analyzing Risk

1. Identify Resources
2. Identify Threats
3. Calculate Exposure
4. Implement Security Measures
5. Review Plan
Identifying the Resources to Protect

Step 1: Identify Resources
• Software
• Hardware
• Data
• People
• Documentation
Identifying the Threats to Resources

Step 2: Identify Threats
• Social Engineering
• Automated Attacks
• Organizational Attacks
• Accidental Breaches in Security
• Denial of Service (DoS)
• Viruses, Trojan Horses, and Worms
(All of these target Restricted Data.)
Calculating Exposure

Step 3: Calculate Exposure

Exposure = Probability x Impact

• Example
  – A security risk to data valued at $500,000 has a 75% probability of occurring
  – Multiply 75% x $500,000 to calculate a $375,000 exposure value.
• Rank risks to an organization based on exposure value
External Attacks Most Frequent

(Bar chart: Frequent Points of Attack, percent of respondents, axis 0 to 80. Internet connection: 59%. Internal systems: 38%.)

• Greater use of Internet
• Tools & techniques evolve to enable new opportunities for attack

Source: 2000 CSI/FBI Computer Crime and Security Survey


20-Year Trend: Stronger Attack Tools

(Chart: relative technical complexity of attack tools against the knowledge of the average intruder, 1980 to 1995. Tools labelled on the chart: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet forging/spoofing, GUI hacking tools, stealth diagnostics, self-replicating code, sweepers.)

Source: GAO Report to Congress, 1996
Trend Has Continued

(Chart: relative technical complexity, 1998 to 2001. Labels on the chart: Melissa, PrettyPark, Windows remote control, Trinoo, Stacheldraht, DDoS tools, insertion tools, hacking tools; the "kiddie scripter" curve rises against them and ends in a "?" for 2001.)
Part 3: Hacker Technologies

The Threats

• Hacker Technologies
  – Internet Engineering
  – System Administration
  – Network Management
  – Reverse Engineering
  – Distributed Computing
  – Cryptography
  – Social Engineering
The Threats

• Hacking tools become more and more sophisticated and powerful in terms of
  – Efficiency
  – Distribution
  – Stealth
  – Automation
  – User friendliness
• These hacking tools can easily be downloaded from the Internet
The Threats

• Your host does not need to be as famous as Yahoo or eBay to be targeted
  – They need a place to hide their traces
  – They need your host as a stepping stone to hack other sites
  – They need your host's resources to carry out their activities
  – Your host's security weaknesses can be identified by scanning tools
  – The security of any network on the Internet depends on the security of every other network
  – No network is really secure
The Threats

• The Trends
  – From Jan to April 2000 (before we fully deployed our IE firewall for the RLAB segment), our site received the following security warnings:
    – Web page defacement
    – Unauthorized system access
    – Port scanning
    – Ping broadcast scanning
    – Telnet probe scanning
Part 4: Buffer Overflow Exploits

How they Hack in?

• General Steps
  – Locate the victim host with a scanning program
  – Identify the victim host's vulnerability
  – Attack the victim host via this vulnerability
  – Establish backdoors for later access
• Some hacking tools automate the above steps into a single command.
How they Hack in?

• Buffer Overflow Exploit
  – Stuffing more data into a buffer than it can handle
  – overwrites the return address of a function
  – and switches the execution flow to the hacker's code
How they Hack in?

• Buffer Overflow Exploit: process memory regions

  Low memory address:  Text region (program code)
                       Data region (initialized / uninitialized data)
  High memory address: Stack region (subroutine local variables and return address)
How they Hack in?

• Buffer Overflow Exploit

    #include <string.h>

    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);        /* no bounds check: copies all of str into 16 bytes */
    }

    int main(void) {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';   /* terminate the string so strcpy knows where to stop */
        function(large_string);     /* 256 bytes into a 16-byte buffer: overwrites sfp and ret */
        return 0;
    }

  Stack frame of function(), from the top of the stack to the bottom: buffer (function local variable), sfp (saved frame pointer), ret (return address), str (the argument pointer).
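The following is an added example, not code from the original slides: the slide's function beside a hardened replacement that refuses any input that would not fit, plus a helper showing how far the slide's 255-byte input runs past the 16-byte buffer. It assumes the same 16-byte buffer size as the slide.

```c
/* Added example (not from the original slides): hardened version of the
 * slide's function, and a helper that quantifies the overrun.  Assumes the
 * slide's 16-byte buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Hardened replacement: copies str into a BUF_SIZE local buffer only if a
 * terminator is found within the buffer's capacity; otherwise copies
 * nothing.  Returns true when the copy was performed. */
bool safe_function(const char *str) {
    char buffer[BUF_SIZE];
    /* memchr stops at the first '\0' and never reads past BUF_SIZE bytes,
     * unlike strlen()/strcpy(), which trust the caller's terminator. */
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL)
        return false;                  /* no room for data + '\0': reject */
    size_t len = (size_t)(nul - str);
    memcpy(buffer, str, len + 1);      /* bounded copy including '\0' */
    return buffer[len] == '\0';        /* use the buffer; always true here */
}

/* Bytes written past the end of a buf_size buffer when input_len characters
 * plus the terminator are copied with strcpy().  A non-zero result means
 * the saved frame pointer and return address above the buffer are at risk. */
size_t overflow_bytes(size_t input_len, size_t buf_size) {
    size_t written = input_len + 1;    /* strcpy also writes the '\0' */
    return written > buf_size ? written - buf_size : 0;
}

int main(void) {
    char large_string[256];            /* same input as the slide */
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    printf("accepted: %s\n", safe_function(large_string) ? "yes" : "no");
    printf("strcpy would overrun by %zu bytes\n", overflow_bytes(255, BUF_SIZE));
    return 0;
}
```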
How they Hack in?

• Real Case Study I
  – Hackers first located the victim hosts by a sunrpc scan of the 137.189 network
  – Broke into the victim hosts via the amd (Berkeley Automounter Daemon) buffer overflow vulnerability
  – Created a backdoor on port 2222 by starting a second instance of the inetd daemon
  – Used the victim hosts to scan other networks

How they Hack in?

• Real Case Study II
  – Hackers first located the victim hosts by BIND port 53 scanning
  – Identified the victim OS (a telnet probe)
  – Set up a trap DNS daemon at the hacker's DNS server
  – Triggered the victim hosts to query the hacker's DNS server
  – Broke into the victim hosts via a BIND buffer overflow
  – Established back-door accounts on the victim hosts
  – Distributed, built and operated an IRC bot (eggdrop)
Part 5: Firewalls

Fighting Back

• Get Your Security Profile
• Set Your Security Policy
• Build the Firewall

Get Your Security Profile

• Act as a hacker and try to break into your own host
  – Port scan your host and see which network ports are open
  – Figure out whether the versions of your host OS and software applications are vulnerable
  – Can you cover up your traces after a break-in? (Does your host have any monitoring or intrusion detection system?)
  – Can you easily establish a back door after a break-in? (Have you built any firewall?)
Set Your Security Policy

• There is always a trade-off between security and convenience
• Identify your host services
  – Shut down any unnecessary ports and build the kernel as minimal as possible
• Identify your target users, trusted hosts and networks so that you can formulate your host access lists
• Set up your firewall
  – Use a private IP network
  – Use proxy servers

Set Your Security Policy

• Set up your monitoring and intrusion detection systems
  – COPS, Tripwire, tcpdump, SNMP
• Set up your operation codes/rules, such as
  – read-only file system mounting
  – ssh login
  – sudo
  – restricted login shell
• Set up your recovery plan
  – recovery procedure and backup scheme
Build Your Firewall and IDS

• Control and monitor the traffic IN and OUT of your network
• Block any unnecessary network connections from non-trusted hosts and networks
• Define your access rules according to your security policy
• Use packet filtering and application proxies
• Build a sniffer to monitor your internal network traffic

Firewall Architecture

(Diagrams of three architectures)
• Dual-homed host architecture
• Architecture using two routers
• Architecture using a merged interior and exterior router
Build Your Firewall

How it protects your network

• Prevents port scanning
• Prevents DDoS attacks and IP spoofing from your host
• Blocks any unnecessary network port openings
• Increases the difficulty of creating a back door after a break-in
• Facilitates network monitoring and network intrusion detection
Firewall in IE Network

Set your own filter rules at your host

Here is an example of how to use ipchains to block all TCP and UDP connections to your host from outside the IE network, except to port 80:

    ipchains -A input -s 0.0.0.0/0.0.0.0 -d your_host_ip/255.255.255.255 80 -i eth0 -p 6 -j ACCEPT
    ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
    ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j DENY

Rules are matched in order. Rule 1 accepts TCP (protocol 6) to port 80 of your host from any source; rule 2 denies TCP connection requests (-y matches only SYN packets) from any source outside 137.189.96.0/255.255.252.0; rule 3 denies all UDP (protocol 17) from outside that network. Replace your_host_ip with the host's own address.
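As an added example (not code from the original slides), the following applies the three ipchains rules above, in order, to constructed packets so the effect of each rule can be checked without a kernel, including that -y matches only SYN packets, so reply segments of connections opened from inside still pass. It assumes your_host_ip is 137.189.96.10 (a placeholder chosen here) and that the input chain's default policy is ACCEPT.

```c
/* Added example (not from the original slides): first-match evaluation of
 * the slide's three ipchains input rules.  Assumes your_host_ip is
 * 137.189.96.10 (placeholder) and a default policy of ACCEPT. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TCP 6
#define UDP 17
#define ACCEPT 1
#define DENY   0

static uint32_t ip4(const char *s) {          /* dotted quad -> host-order u32 */
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static bool in_ie_net(uint32_t ip) {          /* 137.189.96.0/255.255.252.0 */
    return (ip & 0xFFFFFC00u) == ip4("137.189.96.0");
}

/* Rule fields: -1 means "any"; src_inside_ie=0 encodes "-s ! 137.189.96.0/22". */
struct rule { int proto, src_inside_ie, dst_is_host, dport, syn_only, target; };

static const struct rule RULES[] = {
    { TCP, -1,  1, 80, 0, ACCEPT },  /* rule 1: TCP to your_host_ip port 80 */
    { TCP,  0, -1, -1, 1, DENY   },  /* rule 2: TCP SYN from outside IE net (-y) */
    { UDP,  0, -1, -1, 0, DENY   },  /* rule 3: any UDP from outside IE net */
};

/* Returns ACCEPT or DENY for one packet, using first-match semantics. */
int evaluate(const char *src, const char *dst, int proto, int dport, bool syn) {
    int src_ie = in_ie_net(ip4(src)) ? 1 : 0;
    int dst_host = ip4(dst) == ip4("137.189.96.10") ? 1 : 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct rule *r = &RULES[i];
        if (r->proto != proto) continue;
        if (r->src_inside_ie != -1 && r->src_inside_ie != src_ie) continue;
        if (r->dst_is_host != -1 && r->dst_is_host != dst_host) continue;
        if (r->dport != -1 && r->dport != dport) continue;
        if (r->syn_only && !syn) continue;       /* -y: non-SYN segments fall through */
        return r->target;
    }
    return ACCEPT;                               /* default policy (assumed) */
}
```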
Firewall Protection Services

(Diagram: LAN, firewall, Internet)

• Network address translation (NAT)
• Packet filters
• Server publishing
• Stateful inspection
Protecting the Internal Network Addressing Scheme

Network address translation

(Diagram: private hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3 behind a firewall whose public address is 207.46.197.100, connected to the Internet)

  Source IP        Source port   Target IP   Target port
  192.168.10.1     1033          Any         80          (before translation)
  207.46.197.100   1998          Any         80          (after translation by the firewall)

• NAT
• DNS zones
• Private network addressing
Filtering Protocols

(Diagram: SMTP, POP3, IMAP, FTP and Telnet arrive from the public network and pass through the firewall rules; only SMTP, POP3 and IMAP continue into the private network)

• Filtering strategies
  – Deny-all filter
  – Allow-all filter
Concealing an IP Address

Server publishing

(Diagram: Internet, router, firewall at 207.46.197.100, internal hosts 192.168.10.1 and 192.168.10.2, and a web server at 192.168.10.3)

  Source   Destination       Port
  Any      207.46.197.100    TCP 3389   (as seen from the Internet)
           192.168.10.3      TCP 3389   (forwarded by the firewall to the internal server)
Stateful Inspection

(Diagram: client on the private network, firewall, public network; the client sends from UDP port 4444, and replies arrive for UDP 4444 and UDP 5555)

• Client sends a packet from UDP port 4444
  – Response to UDP port 4444 = Permitted
  – Response to UDP port 5555 = Denied
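The following is an added example, not code from the original slides: a minimal stateful filter for UDP modelling the case above. An outbound packet creates a state entry, and an inbound packet is permitted only if it exactly reverses a recorded entry. The client 192.168.10.1 and the external server 198.51.100.7 port 53 are constructed sample values.

```c
/* Added example (not from the original slides): minimal stateful UDP
 * filter.  Addresses are kept as dotted-quad strings; the client
 * 192.168.10.1 and server 198.51.100.7 used in main() are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATE 64

struct flow { char src[16]; unsigned sport; char dst[16]; unsigned dport; };

static struct flow state[MAX_STATE];       /* table of flows opened from inside */
static int nstate = 0;

/* Record an outbound UDP packet (private client -> public network). */
bool outbound(const char *src, unsigned sport, const char *dst, unsigned dport) {
    if (nstate >= MAX_STATE) return false;  /* state table full: drop packet */
    struct flow *f = &state[nstate++];
    strncpy(f->src, src, 15); f->src[15] = '\0';
    strncpy(f->dst, dst, 15); f->dst[15] = '\0';
    f->sport = sport; f->dport = dport;
    return true;
}

/* An inbound packet (public -> private) is permitted only if it reverses an
 * existing entry exactly: same two addresses and both ports swapped. */
bool inbound_permitted(const char *src, unsigned sport, const char *dst, unsigned dport) {
    for (int i = 0; i < nstate; i++) {
        const struct flow *f = &state[i];
        if (strcmp(f->dst, src) == 0 && f->dport == sport &&
            strcmp(f->src, dst) == 0 && f->sport == dport)
            return true;
    }
    return false;                           /* no matching state: denied */
}

void reset_state(void) { nstate = 0; }

int main(void) {
    outbound("192.168.10.1", 4444, "198.51.100.7", 53);
    printf("reply to 4444: %s\n", inbound_permitted("198.51.100.7", 53, "192.168.10.1", 4444) ? "permitted" : "denied");
    printf("reply to 5555: %s\n", inbound_permitted("198.51.100.7", 53, "192.168.10.1", 5555) ? "permitted" : "denied");
    return 0;
}
```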
Thank You