
SYSTEM PROTECTION & SECURITY

System and Network Threats

Threats

System and Network Threats


- Virus
- Laptop & mobile theft
- DDoS attack
- Unauthorized access of information
- Abuse of wireless network
- System protection
- Telecom fraud
- Misuse of web application
- Website defacement
- Worms
- Port scanning

Worms

Talk Outline
- What are worms?
- The life cycle of a simple worm:
  - scanning for a victim
  - exploiting the victim
  - cloning itself onto the victim
  - running the clone to further spread infection
  - stealth techniques used to hide itself

What are worms?


- A worm is a self-replicating program
- Self-replicating => it makes copies of itself and sends them over to hosts across a network
- All copies have the same functionality and generally lack any sort of synchronization among themselves
- Worms are hated because:
  - Bandwidth consumption
  - Might crash computers they infect
  - Infected computers may be used for other attacks such as DDoS, phishing attacks etc

Types of worms
- Network worms: generally exploit a service to spread
- Email worms: use mass emails to spread and either target the email client (Outlook) or rely on user intervention (a click) to spread
- IRC worms
- IM worms
- File sharing worms
- XSS worms (MySpace ??)

The life cycle of a simple worm


- Scanning for a victim
- Exploiting the victim
- Cloning itself onto the victim
- Running the clone to further spread infection
- Stealth techniques used to hide itself

The life of a worm


[Diagram: a worm on victim (1) spreading copies to further victims (2)]

The life of a worm


[Diagram of the worm cycle: Scan -> Victim found -> Send exploit -> Rooted !! -> Get a copy -> Worm created -> Scans for victim]

Scanning for a victim


- Random scan: random IP
- Selective random scan: IP from global and local routing addresses
- Full scan: scan all IP addresses
- Divide and conquer scan: divide IP addresses among child worms
- Subnet scan: detect and scan local subnet
- Etc etc

Exploiting the victim


- What is an exploit? Simply put: a piece of code which provides access to a victim computer by utilizing some flaw in the logic of a program running on the victim computer
- By access I mean the ability to run commands/programs on the remote computer
- Network worms use what is called a remote exploit: an exploit which can be launched remotely and which gives some code running privileges on the victim
- Find a suitable exploit to use in the worm

Cloning itself onto the victim


- Once the victim has been exploited the worm needs to get a copy of itself on the victim
- Tftp?? (Blaster worm)
- Http server??
- Ftp server??
- Compile source??
- Include worm in the shellcode??

Running the clone to further spread infection


- Once the clone has been downloaded, run it
- Make it a service??
- Add a registry entry for startup??
- Clone starts scanning again
- Clone finds a victim
- Cycle continues

Stealth techniques used to hide itself


- Hide process
- Hide files
- Hide activity
- Delete logs
- Rootkit??


Examples of worms
- Slammer worm
- Code Red worm
- MyDoom.B

Port Scanning
- Three-way handshaking
- Stealth scan
- Xmas scan
- FIN scan
- NULL scan
- Idle scan

Tools
- Nmap
- SoftPerfect network scanner
- Port scanner ActiveX control
- Acunetix
- Nessus
- Etc etc..

DDoS (distributed denial of service)

What is a DDoS attack?


The flood of incoming messages to the target system essentially forces it to shut down, thereby denying legitimate users the service of that system.

Contd..
A denial of service (DoS) attack is an attack through which a person can make a system unusable, or slow it down for its users, by overloading its resources. If an attacker is unable to gain access to a machine, the attacker will most probably crash the machine to accomplish a denial of service attack.

Why DoS attack??


- Attempt to flood a network, to increase network traffic.
- Attempt to disrupt connections between two machines.
- Attempt to prevent a particular individual from accessing a service.

Types of Ddos attack


- Smurf
- Buffer overflow attack
- Ping of death
- Teardrop
- SYN flood
- Tribal flood attack

Tools for DoS Attack


- Jolt2
- Bubonic.c
- Land and LaTierra
- Targa

Authentication

What is Authentication?
Authentication is any process by which a system verifies the identity of a user who wishes to access it. Authentication exists to establish trust between two parties, or authentication entities. These entities consist of an identity and a key.

Types of Authentication
- User Authentication: the process of determining that a user is who he/she claims to be (HTTP Basic, SSL & TLS)
- Entity Authentication: the process of determining if an entity is who it claims to be (cookies etc)

Password Based Authentication System


- Usernames
- Storing usernames and passwords
- Ensuring password quality
- Password lockout
- Password aging and password history
- Automated password reset systems
- Sending out passwords
- Single sign-on across multiple DNS domains

Password maintenance
- Do NOT share your User ID(s) and password(s) with ANYONE
- Do NOT store your User ID(s) and password(s) on any loose bits of paper or sticky notes.
- Do NOT hide your User ID(s) and password(s) under the keyboard, or at any other would-be "secret" hiding place.
- Do change your password(s) after a set time interval.
- Before entering your User ID and password, make sure no one is watching you.
- Before using your User ID and password on a third-party computer, make sure it is well protected, and free of trojans and key loggers.
- Passwords must be made up of a mixture of lower-case letters, upper-case letters, numbers, and at least one special character, such as (!@#$%^&*()_+|), and be at least 7 characters long.
- Do not enter your email id or account no. in a cyber café.

Password maintenance Contd..


- System access
- Password creation best practices
- Virus protection
- Malicious code best practices
- Software installation
- Encryption
- Web browsing
- E-mail use

Password Vulnerability
- Organizational or end-user vulnerabilities: this includes lack of password awareness on the part of end users and the lack of password policies that are enforced within the organization.
- Technical vulnerabilities: this includes weak encryption methods and insecure storage of passwords on computer systems.

Cracking password
- Social engineering
- Shoulder surfing
- Interference
- Weak authentication
- Bypassing authentication
- Password cracking software (Brutus, John the Ripper)
- Dictionary attacks
- Brute-force attacks

Other ways to crack passwords


- Keystroke logging
- Weak password storage
- Network analyzer
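The "Password Based Authentication System" slide lists password quality, storage and lockout, and the two slides above name weak password storage as a technical vulnerability. The following is an added example (not code from the original deck) showing the defensive side of those three items in one place: a quality check that enforces exactly the policy stated on the "Password maintenance" slide (at least 7 characters, lower and upper case, a digit, one special from the slide's set), salted PBKDF2-HMAC-SHA256 storage so no plaintext or unsalted hash is ever kept, constant-time comparison, and lockout after repeated failures. The iteration count, salt length and lockout threshold are assumptions chosen for the example.

```python
"""Password quality check, salted PBKDF2 storage and lockout.
Added example for these slides, not code from the original deck."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Policy from the slide: mixed case, a digit, one of these specials, at least 7 characters
SPECIALS = frozenset("!@#$%^&*()_+|")
MIN_LENGTH = 7
# Assumptions for this example (not values from the slides)
PBKDF2_ITERATIONS = 600_000
LOCKOUT_THRESHOLD = 5
SALT_BYTES = 16


def check_password_quality(password: str) -> List[str]:
    """Return the list of policy rules the password breaks; [] means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordStore:
    """In-memory user store: never keeps plaintext, locks after repeated failures."""

    def __init__(self):
        self._users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        problems = check_password_quality(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def is_locked(self, username: str) -> bool:
        return bool(self._users.get(username, {}).get("locked"))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal valid usernames
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        if record["locked"]:
            return False
        _, digest = hash_password(password, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            record["failures"] = 0
            return True
        record["failures"] += 1
        if record["failures"] >= LOCKOUT_THRESHOLD:
            record["locked"] = True
        return False
```

The quality check returns every rule the candidate breaks rather than a bare yes/no, which is what a registration form needs in order to tell the user what to fix; the store deliberately hashes even for unknown usernames so a wrong username and a wrong password cost the same time.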

Encrypted passwords
- SSL
- HTTPS
- SSH/TLS
- Stelnet

BIOMETRICS

The password you never forget

SECURITY POLICY
- Virus protection
- Physical security of computer equipment
- Access control
- LAN security
- Server-specific security
- Wide area network security
- TCP/IP & Internet security
- Voice system security

INTRUSION DETECTION
An IDS inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate an attempt to compromise a system. Examples: Snort, Symantec ManHunt etc
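To make the "suspicious pattern" idea concrete, here is an added example (not from the original deck) of the kind of logic an IDS applies, built around three of the items from earlier slides: the Xmas, FIN and NULL scans from the Port Scanning slide, a port sweep from one source, and the SYN flood from the DDoS types slide. It runs over a constructed connection log in a made-up one-line format (timestamp, source, destination, destination port, TCP flag letters) rather than a real capture; the window length and the two thresholds are assumptions chosen for the example.

```python
"""Toy IDS logic: flags stealth-scan probes, port sweeps and SYN floods
in a constructed connection log. Added example, not code from the slides."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions chosen for this example, not values from the slides)
WINDOW = timedelta(seconds=10)
SCAN_DISTINCT_PORTS = 10   # distinct ports one source touches on one host within WINDOW
SYN_FLOOD_COUNT = 50       # SYN-only segments aimed at one dst:port within WINDOW


def parse_line(line):
    """Parse 'ISO-timestamp src dst dport flags' (flags: letters S A F P U R, or '-' for none)."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": frozenset() if flags == "-" else frozenset(flags)}


def classify_probe(flags):
    """Flag combinations no normal TCP stack sends: the NULL, FIN and Xmas scans."""
    if not flags:
        return "NULL"
    if flags == {"F"}:
        return "FIN"
    if flags == {"F", "P", "U"}:
        return "XMAS"
    return None


def max_in_window(events, distinct_key=None):
    """Largest count (or count of distinct event[distinct_key]) inside any WINDOW-long span."""
    events = sorted(events, key=lambda e: e["ts"])
    seen = Counter()
    best = left = 0
    for right, e in enumerate(events):
        if distinct_key:
            seen[e[distinct_key]] += 1
        while e["ts"] - events[left]["ts"] > WINDOW:   # slide the window's left edge
            if distinct_key:
                v = events[left][distinct_key]
                seen[v] -= 1
                if seen[v] == 0:
                    del seen[v]
            left += 1
        best = max(best, len(seen) if distinct_key else right - left + 1)
    return best


def analyze(log_text):
    """Return a list of alert tuples for the three patterns above."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for e in events:                                   # 1. malformed-flag probes
        kind = classify_probe(e["flags"])
        if kind:
            alerts.append(("STEALTH_PROBE", kind, e["src"], e["dst"], e["dport"]))
    by_pair = defaultdict(list)
    syn_by_target = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
        if e["flags"] == {"S"}:
            syn_by_target[(e["dst"], e["dport"])].append(e)
    for (src, dst), evs in by_pair.items():            # 2. one source sweeping many ports
        n = max_in_window(evs, distinct_key="dport")
        if n >= SCAN_DISTINCT_PORTS:
            alerts.append(("PORT_SCAN", src, dst, n))
    for (dst, dport), evs in syn_by_target.items():    # 3. SYN flood on one service
        n = max_in_window(evs)
        if n >= SYN_FLOOD_COUNT:
            alerts.append(("SYN_FLOOD", dst, dport, n))
    return alerts


def build_sample_log():
    """Constructed sample traffic (not a real capture): a few benign handshakes, one
    source sweeping ports 20-39, 60 SYNs at a web port, and one NULL, FIN and Xmas probe."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines = []

    def add(offset, src, dst, dport, flags):
        lines.append(f"{(t0 + timedelta(seconds=offset)).isoformat()} {src} {dst} {dport} {flags}")

    for i in range(5):
        add(i, "10.0.0.2", "10.0.0.1", 443, "S")
        add(i + 0.1, "10.0.0.2", "10.0.0.1", 443, "A")
    for i, port in enumerate(range(20, 40)):
        add(20 + i * 0.1, "10.0.0.9", "10.0.0.1", port, "S")
    for i in range(60):
        add(40 + i * 0.08, "203.0.113.7", "10.0.0.1", 80, "S")
    add(60, "10.0.0.9", "10.0.0.1", 22, "-")
    add(61, "10.0.0.9", "10.0.0.1", 22, "F")
    add(62, "10.0.0.9", "10.0.0.1", 22, "FPU")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The probe classifier is a pure signature check, while the sweep and flood detectors are threshold checks over a sliding time window, which is the usual split in a signature-plus-anomaly IDS: a single Xmas packet is enough for an alert, but a SYN is only suspicious in volume.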

Firewall
A firewall is simply a program or hardware device that protects the resources of a private network from users of other networks.

Honeypot
A honeypot is a device intended to be compromised. The goal of setting up a honeypot is to have the system probed, attacked and potentially exploited.

Cryptography as a Security Tool

FOR MORE SECURITY

Encryption Basics
Encryption is yet another process by which information is protected from unauthorized access. It is normally accomplished by rendering the original information unreadable by using a reversible technique known only to the authorized entities.

Types of Encryption
- Private/Symmetric Key Cryptography: the same key is used for encryption and decryption.
- Public/Asymmetric Key Cryptography: different keys are used for encryption and decryption.

RC4 Basics
- A symmetric key encryption algorithm. Invented by Ron Rivest.
- Normally uses 64 bit and 128 bit key sizes.
- Most popular implementation is in WEP for 802.11 wireless networks and in SSL.
- Cryptographically very strong yet very easy to implement.
- Consists of 2 parts: Key Scheduling Algorithm (KSA) & Pseudo-Random Generation Algorithm (PRGA)

RC4 Block Diagram
[Block diagram: Secret Key -> RC4 -> Keystream; Plain Text XOR Keystream -> Encrypted Text]

RC4 break up
- Initialize an array of 256 bytes.
- Run the KSA on them.
- Run the PRGA on the KSA output to generate the keystream.
- XOR the data with the keystream.

Array Initialization
C Code:

    unsigned char S[256];
    int i;
    for (i = 0; i < 256; i++)
        S[i] = i;   /* identity permutation; the KSA will shuffle it with the key */

After this the array would look like this: S[] = { 0, 1, 2, 3, ..., 254, 255 }

Encryption using RC4


- Choose a secret key.
- Run the KSA and PRGA using the key to generate a keystream.
- XOR the keystream with the data to generate the encrypted stream.
- Transmit the encrypted stream.

Decryption using RC4


- Use the same secret key as during the encryption phase.
- Generate the keystream by running the KSA and PRGA.
- XOR the keystream with the encrypted text to generate the plain text.
- Logic is simple: (A xor B) xor B = A, where A = Plain Text or Data and B = KeyStream

Making of a RC4 File Encryptor


- Using a secret key, generate the RC4 keystream using the KSA and PRGA.
- Read the file and XOR each byte of the file with the corresponding keystream byte.
- Write this encrypted output to a file.
- Transmit the file over an insecure channel.

Making of a RC4 File Decryptor


- Using the same secret key used to encrypt, generate the RC4 keystream.
- Read the encrypted file and XOR every byte of this encrypted stream with the corresponding byte of the keystream.
- This will yield the original plaintext.
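The slides from "RC4 break up" through "Making of a RC4 File Decryptor" describe one algorithm in prose; the following is an added example (not code from the original deck) that carries it through in full: the 256-byte array initialisation, the KSA, the PRGA as a generator, a single `rc4_crypt` function that serves as both encryptor and decryptor because (A xor B) xor B = A, and a chunked file encryptor/decryptor that keeps the keystream position across chunks. The three test vectors are the published ones for the keys Key, Wiki and Secret. One caveat the slides do not state: a stream cipher's keystream must never be reused, since the XOR of two ciphertexts made with the same key is the XOR of the two plaintexts (`xor_bytes` shows that), and that reuse, together with the key-scheduling biases published in 2001, is why WEP was broken and why RFC 7465 now prohibits RC4 in TLS.

```python
"""RC4 (KSA + PRGA) with a file encryptor/decryptor built on it.
Added example for these slides, not code from the original deck."""
import os
import tempfile


def ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: initialise S[i] = i, then permute S with the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))               # the "Array Initialization" step
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list):
    """Pseudo-Random Generation Algorithm: yields one keystream byte per iteration."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    keystream = prga(ksa(key))
    return bytes(b ^ next(keystream) for b in data)


def rc4_file(key: bytes, src_path: str, dst_path: str, chunk_size: int = 4096) -> int:
    """Stream a file through RC4 chunk by chunk; returns the number of bytes written.
    One generator lives across all chunks, so the output equals a one-shot rc4_crypt."""
    keystream = prga(ksa(key))
    written = 0
    with open(src_path, "rb") as fin, open(dst_path, "wb") as fout:
        while True:
            block = fin.read(chunk_size)
            if not block:
                break
            fout.write(bytes(b ^ next(keystream) for b in block))
            written += len(block)
    return written


def file_round_trip(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt plaintext into a temp file, decrypt that file, return (ciphertext, recovered)."""
    workdir = tempfile.mkdtemp()
    plain_path = os.path.join(workdir, "plain.bin")
    cipher_path = os.path.join(workdir, "cipher.bin")
    round_path = os.path.join(workdir, "round.bin")
    with open(plain_path, "wb") as f:
        f.write(plaintext)
    rc4_file(key, plain_path, cipher_path)     # "encryptor"
    rc4_file(key, cipher_path, round_path)     # "decryptor": same key, same function
    with open(cipher_path, "rb") as f:
        ciphertext = f.read()
    with open(round_path, "rb") as f:
        recovered = f.read()
    return ciphertext, recovered


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; used to show why one keystream must never cover two messages."""
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
```

`prga` mutates the state array it is given, which is why `rc4_crypt` and `rc4_file` each build a fresh one with `ksa`; reusing a generator between two independent messages would silently continue the keystream rather than restart it.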

Thanking you.. For more detail


Contact me: Email: madhukar@hackersreloaded.com Web: http://www.hackersreloaded.com
