Recent Security Threats & Vulnerabilities
Computer security
Bob Cowles, bob.cowles@slac.stanford.edu
HEPiX, Spring 2004 – Edinburgh, UK
Work supported by U. S. Department of Energy contract DE-AC03-76SF00515
25 May 2004 HEPiX - Spring 2004 2
Windows
- Worms
- Windows AD & SUS for patching
- Viruses
- Web exposures (IE)
- Leaked code for WinNT & Win2K
Application of Patches to Windows
Chart: vulnerable systems (0 to 2000) against days since patch released (1 to 31), one curve each for MS03-026, MS03-039, MS03-043 and MS04-011, with markers for "MSBlaster Released" and "MSBlaster at SLAC".
Sasser Experience (MS04-011)
- Patched quickly: servers within 10 hours, all workstations within 80 hours
- VPN changes: no access to local drives of desktops; firestorm of protest; disappeared after the dust settled (Citrix & RDP)
- Ongoing problems with unpatched systems
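The patch-exposure chart and the Sasser patching times above are the kind of metrics a site derives from its own inventory; this added example (not from the slides, with a constructed release time and host list) computes the vulnerable-systems-per-day series and checks each host class against the 10-hour and 80-hour targets:

```python
"""Patch-exposure metrics behind a 'vulnerable systems vs. days since patch
released' chart and a Sasser-style patching target. Added example, not the
slides' data; release time and inventory below are constructed."""
from datetime import datetime, timedelta

RELEASED = datetime(2004, 4, 13, 18, 0)  # assumed release time for the example
# (host, class, time the patch was applied, or None if still unpatched)
INVENTORY = [
    ("srv1", "server", RELEASED + timedelta(hours=4)),
    ("srv2", "server", RELEASED + timedelta(hours=9)),
    ("ws1", "workstation", RELEASED + timedelta(hours=30)),
    ("ws2", "workstation", RELEASED + timedelta(hours=75)),
    ("ws3", "workstation", None),
]
SLA_HOURS = {"server": 10, "workstation": 80}  # targets quoted on the Sasser slide

def vulnerable_by_day(inventory, released, days):
    """Hosts still unpatched at the end of each day since release, days 1..days.
    This is the series a vulnerable-systems-vs-days curve plots."""
    series = []
    for d in range(1, days + 1):
        cutoff = released + timedelta(days=d)
        series.append(sum(1 for _, _, t in inventory if t is None or t > cutoff))
    return series

def hours_to_full_coverage(inventory, released, cls):
    """Hours from release until every host of `cls` was patched; None if any remain."""
    times = [t for _, c, t in inventory if c == cls]
    if not times or any(t is None for t in times):
        return None
    return (max(times) - released).total_seconds() / 3600

def sla_report(inventory, released, sla_hours):
    """Per class: (target met, hours to full coverage, hosts still unpatched)."""
    report = {}
    for cls, limit in sla_hours.items():
        hours = hours_to_full_coverage(inventory, released, cls)
        stragglers = [h for h, c, t in inventory if c == cls and t is None]
        report[cls] = (hours is not None and hours <= limit, hours, stragglers)
    return report
```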
AD & SUS for patching
- Problematic patching: Office vs. Windows Update, FrontPage DLLs, MDAC
- Machine vs. user GPOs
- SUS update times
- New installs
- XP SP2 has many improvements (in 2005)
Diagram, "The way we were …": network zones Visitor, BaBar Detector, BSD, BSD-Private, Remote access, HEP Accelerator, SSRL, SLAC Basic and Internet (built up over a sequence of slides).
Diagram, "The way we are now …": the same zones (Visitor, BaBar Detector, BSD, BSD-Private, Remote access, HEP Accelerator, SSRL, SLAC Basic, Internet) plus a separate Servers zone (built up over a sequence of slides).
Viruses
- More sophistication (Bobax and Kibuv)
- Zip files; encrypted zip files
- From microsoft.com; from security@<your-domain-name>
- Run automatically
- Leave backdoors; SMTP for spam
IE Exposures
- Numerous unpatched vulnerabilities
- Cannot escape IE (but can control it)
- Unclear how much XP SP2 will fix
- There is still the problem of user knowledge
Unix & Linux
- Local exploits = remote exploits
- mremap (2 times)
- ASN.1
- do_brk
- Solaris: vfs_getvfsws()
- CDE dt…
- XFree86
- yp*
Universities & Labs
- Exploits against Solaris, AIX, Linux
- Attacker(s) seem sophisticated
- Install SK rootkit on Linux
- Install trojaned sshd: gets passwords from keyboard/tty entry; accesses RSA keys
- Cracks yp or Kerberos password files
- One-time password tokens are in your future
Cisco
- Router BGP (TCP problem)
- Wireless access points
- PIX
- Stolen code for IOS
Security Software
- Checkpoint
- BlackICE
- ZoneAlarm
- ISS RealSecure (IDS)
- TCPDump / Ethereal
- Norton anti-virus
- PIX
Macintosh
- USB keyboard: ^C gives local root
- Apple File Server buffer overflow
- QuickTime buffer overflow
- URL processing in Terminal app
- Safari: Help system buffer overflow
- Volume URI handler registration (no fix)
Other Software
- Grid: Slashdot & 2600
- IM software: AIM & Yahoo Messenger
- CVS
- RealPlayer
- WinZip
- Web: HP JetAdmin
- Acrobat Reader 5.1
- DameWare & Serv-U
DameWare: How I spent my Christmas vacation
DameWare (2)
- Over 13 different warez kits installed
- 30 compromised machines, half used for scanning other systems
- FTP speed tests were run to measure suitability for storing warez
- Serv-U FTP and Radmin installed at random port numbers
- Look at Hacker Defender: a rootkit for Windows, available in source to avoid AV scanners
Evils of HTML email
- It's big & it hides bad stuff
- Phishing scams: Citibank, eBay, PayPal
- Outlook 2003 setting (registry setting for Outlook XP)
- didtheyreadit.com
Outlook 2003: Tools -> Options -> Preferences (screenshot)
didtheyreadit.com
- Email tracking using a transparent GIF image
- Not clear how they track time open
- Follows forwarding of email
- Technically easily defeated, but most don't know how
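The two HTML-email problems on the preceding slides, read-receipt beacons and phishing links whose visible URL is not the real target, can be triaged mechanically. This is an added example, not from the talk; the message in SAMPLE_HTML is constructed, and block_remote_images() reproduces the effect of Outlook's external-content blocking, the easy defeat the slide refers to:

```python
"""Flag remote images (read-receipt beacons) and deceptive links in an HTML e-mail.
Added example, not from the slides; SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SAMPLE_HTML = """<html><body>
<p>Dear customer, please <a href="http://203.0.113.5/login">
log in to https://bank.example.com/</a> to verify your account.</p>
<img src="http://track.example.net/open?id=abc123" width="1" height="1">
<img src="cid:logo" width="120" height="40">
</body></html>"""

class EmailAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, detail) tuples
        self._href, self._text = None, []  # href and text of the <a> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and urlparse(a.get("src") or "").scheme in ("http", "https"):
            # Any remote image reports the open to its server; 1x1 is the classic beacon.
            tiny = a.get("width") == "1" or a.get("height") == "1"
            self.findings.append(("tracking pixel" if tiny else "remote image", a["src"]))
        elif tag == "a":
            self._href, self._text = a.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            real = urlparse(self._href).hostname or ""
            for shown in URL_RE.findall("".join(self._text)):
                if (urlparse(shown).hostname or "") != real:
                    self.findings.append(("deceptive link", f"{shown} -> {self._href}"))
            self._href = None

def audit_html_email(html):
    p = EmailAuditor()
    p.feed(html)
    p.close()
    return p.findings

def block_remote_images(html):
    # Blank http(s) img sources so no request is made when the mail is rendered.
    return re.sub(r'(<img\b[^>]*\bsrc=)(["\'])https?://[^"\']*\2', r"\1\2\2", html, flags=re.I)
```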
Final Thoughts
- Attacks coming faster; attackers getting smarter
- Complex attacks using multiple vulnerabilities
- No simple solution works: patching helps, firewalls help, AV & attachment removal help, encrypted passwords/tunnels help
- You can't be "secure"; only "more secure"
- We must share information better
- HEPiX Security email list: do we need a PGP-encrypted remailer?