Recent Security Threats & Vulnerabilities
Computer security
Bob Cowles, bob.cowles@slac.stanford.edu
HEPiX, Spring 2004 – Edinburgh, UK, 25 May 2004
Work supported by U.S. Department of Energy contract DE-AC03-76SF00515
Windows
- Worms
- Windows AD & SUS for patching
- Viruses
- Web exposures (IE)
- Leaked code for WinNT & Win2K
MSBlaster at SLAC (chart; the only recoverable label is "MSBlaster Released")
Sasser Experience (MS04-011)
- Patched quickly
  - Servers within 10 hours
  - All workstations within 80 hours
- VPN changes
  - No access to local drives of desktops
  - Firestorm of protest
  - Disappeared after dust settled (Citrix & RDP)
- Ongoing problems w/ unpatched systems
AD & SUS for patching
- Problematic patching
  - Office vs. Windows Update
  - FrontPage DLLs
  - MDAC
- Machine vs. User GPOs
- SUS update times
- New installs
- XP SP2 has many improvements (in 2005)
The way we were … (network diagram; labels: Internet, Visitor, SLAC Basic, Remote access, BaBar Detector, BSD-Private, BSD, SSRL, HEP, Accelerator)
The way we are now … (network diagram; labels: Internet, Visitor, SLAC Basic, Remote access, BaBar Detector, BSD-Private, BSD, SSRL, Servers, HEP, Accelerator)
Viruses
- More sophistication (Bobax and Kibuv)
- Zip files
- Encrypted zip files
- From microsoft.com
- From security@<your-domain-name>
- Run automatically
- Leave backdoors; SMTP for spam
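The slide's point is that the current crop of viruses arrives as a zip, often an encrypted zip that a gateway scanner cannot look inside, and mails itself from a trusted-looking sender. The following is an added example, not code from the talk or from SLAC: a mail-gateway style check that parses a message, walks its attachments and, without extracting anything, flags zip archives whose entries are encrypted (general-purpose flag bit 0) or carry an executable name. The messages and archives are constructed inline; the archive is hand-assembled because Python's zipfile module cannot write encrypted entries. Sender and recipient addresses are placeholders.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Names that should never arrive unchallenged, directly or inside an archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def inspect_zip(data: bytes) -> list:
    """Return findings for one zip attachment, reading only the central directory."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip: malformed archive"]
    for info in zf.infolist():
        name = info.filename
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = entry is encrypted
            findings.append(f"zip: encrypted entry {name!r} (content cannot be scanned)")
        if name.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"zip: executable entry {name!r}")
    return findings


def inspect_message(raw: bytes) -> list:
    """Parse an RFC 822 message and report suspicious attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"attachment: executable {fname!r}")
        if fname.endswith(".zip") or part.get_content_type() in (
            "application/zip", "application/x-zip-compressed"):
            findings.extend(inspect_zip(part.get_content()))
    return findings


def build_zip(entries, encrypted: bool = False) -> bytes:
    """Constructed sample: hand-assemble a STORED zip so the 'encrypted' flag can be
    set (zipfile cannot write encrypted archives). Payload bytes are dummies and are
    never extracted, so CRCs are left at zero."""
    flags = 0x1 if encrypted else 0x0
    local, central = b"", b""
    for name, payload in entries:
        name_b = name.encode("ascii")
        offset = len(local)
        # Local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0x21,
                             0, len(payload), len(payload), len(name_b), 0) + name_b + payload
        # Central directory header: as above plus comment len, disk, attrs and local offset
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0x21,
                               0, len(payload), len(payload), len(name_b), 0, 0, 0, 0, 0,
                               offset) + name_b
    # End of central directory record
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def sample_message(zip_bytes: bytes) -> bytes:
    """Constructed sample message mimicking the 'from security@<your-domain>' lure."""
    msg = EmailMessage()
    msg["From"] = "security@example.org"   # placeholder domain
    msg["To"] = "user@example.org"
    msg["Subject"] = "Important security update"
    msg.set_content("Please open the attached update.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="update.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    benign = build_zip([("readme.txt", b"hello")])
    lure = build_zip([("update.exe", b"MZ\x90\x00")], encrypted=True)
    print("benign:", inspect_message(sample_message(benign)))
    print("lure:  ", inspect_message(sample_message(lure)))
```

The check deliberately never opens an entry: the encryption bit and the file name are in the central directory, which is all a gateway needs to decide that an encrypted archive cannot be vouched for and should be held or stripped.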
IE Exposures
- Numerous unpatched vulnerabilities
- Cannot escape IE (but can control)
- Unclear how much XP SP2 will fix
- There is still the problem of user knowledge
Unix & Linux
- Local exploits = remote exploits
- mremap (2 times)
- ASN.1
- do_brk
- Solaris: vfs_getvfssw()
- CDE dt…
- XFree86
- yp*
Universities & Labs
- Exploits against Solaris, AIX, Linux
- Attacker(s) seem sophisticated
- Install SK rootkit on Linux
- Install trojaned sshd
  - gets passwords from keyboard/tty entry
  - accesses RSA keys
- Cracks yp or Kerberos password files
- One-time password tokens are in your future
Cisco
- Router
- BGP (TCP problem)
- Wireless access points
- PIX
- Stolen code for IOS
Security Software
- Checkpoint
- BlackICE
- ZoneAlarm
- ISS RealSecure (IDS)
- TCPDump / Ethereal
- Norton anti-virus
- PIX
Macintosh
- USB keyboard: ^C gives local root
- Apple File Server buffer overflow
- QuickTime buffer overflow
- URL processing in Terminal app
- Safari: Help system buffer overflow
- Volume URI handler registration (no fix)
Other Software
- Grid – Slashdot & 2600
- IM software – AIM & Yahoo Messenger
- CVS
- RealPlayer
- WinZip
- Web HP JetAdmin
- Acrobat Reader 5.1
- DameWare & Serv-U
DameWare: How I spent my Christmas vacation
DameWare (2)
- Over 13 different warez kits installed
- 30 compromised machines, half used for scanning other systems
- FTP speed tests were run to measure suitability for storing warez
- Serv-U FTP and Radmin installed at random port numbers
- Look at Hacker Defender – rootkit for Windows available in source to avoid AV scanners
Email
- Evils of HTML email
  - It's big & it hides bad stuff
- Phishing scams
  - Citibank, eBay, PayPal
- Outlook 2003 setting (reg for Outlook XP)
- didtheyreadit.com
Outlook 2003: Tools -> Options -> Preferences (screenshot)
didtheyreadit.com
- Email tracking using transparent GIF image
- Not clear how they track time open
- Follows forwarding of email
- Technically easily defeated
  - but most don't know how
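The "easily defeated" part: the tracking image only works if the mail client fetches it from the tracker's server, which is exactly what the Outlook 2003 external-content setting on the earlier Email slide turns off. As an added illustration (not code from the talk), here is the same defence done in a mail filter: every <img> whose src points at a remote server is stripped of its src and recorded, and the classic 1x1 beacon is singled out. The HTML message is constructed; the host names in it are placeholders.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _is_tiny(value) -> bool:
    """True for width/height attributes of 1 pixel or less (a beacon's usual size)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class RemoteImageBlocker(HTMLParser):
    """Copies HTML through unchanged except for <img> tags with a remote src.
    Inline images (cid:) and data: URIs need no network fetch and are left alone."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked = []   # (url, looks_like_1x1_beacon)

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._handle_img(attrs)
        else:
            self.out.append(self.get_starttag_text())

    handle_startendtag = handle_starttag   # <br/> and friends pass through as-is

    def _handle_img(self, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if urlsplit(src).scheme in ("http", "https"):
            beacon = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
            self.blocked.append((src, beacon))
            del a["src"]                       # the client now has nothing to fetch
            a["alt"] = "[remote image blocked]"
        attr_text = " ".join(f'{k}="{escape(v or "", quote=True)}"' for k, v in a.items())
        self.out.append(f"<img {attr_text}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def block_remote_images(html: str):
    """Return (sanitized_html, [(url, is_beacon), ...])."""
    p = RemoteImageBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked


# Constructed sample: a beacon with a per-recipient id, an inline chart, a normal logo.
SAMPLE_HTML = """<html><body>
<p>Hi,<br/>the quarterly numbers are below.</p>
<img src="https://tracker.example.net/open.gif?id=abc123" width="1" height="1">
<img src="cid:chart01@example.org" alt="chart">
<img src="http://www.example.org/logo.png" width="120" height="40">
</body></html>"""

if __name__ == "__main__":
    clean, blocked = block_remote_images(SAMPLE_HTML)
    for url, beacon in blocked:
        print("blocked", url, "(1x1 beacon)" if beacon else "")
    print(clean)
```

Note that the "follows forwarding" property falls out of the same mechanism: the id in the URL travels with the message body, so anyone who forwards it and loads images reports the open too. Blocking all remote loads, not just 1x1 images, is the robust setting, since a beacon can be any size.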
Final Thoughts
- Attacks coming faster; attackers getting smarter
- Complex attacks using multiple vulnerabilities
- No simple solution works
  - Patching helps
  - Firewalls help
  - AV & attachment removal help
  - Encrypted passwords/tunnels help
- You can't be "secure"; only "more secure"
- We must share information better
  - HEPiX Security email list – do we need a PGP-encrypted remailer?