3-Protecting Systems Dr. John P. Abraham Professor UTPA.


Transcript of 3-Protecting Systems Dr. John P. Abraham Professor UTPA.

Page 1: 3-Protecting Systems. Dr. John P. Abraham, Professor, UTPA

Page 2: Hardening the Operating System

A three-pronged approach:

◦ Operating system updates
◦ Protect against buffer overflows
◦ Configure operating system protections

Page 3: Operating System Updates

◦ Security patch: covers discovered vulnerabilities. Turn on automatic updates.
◦ Hotfix: specific to a customer situation.
◦ Service pack: cumulative security patches and other software updates.
◦ Designate one server within your organization as the patch update service.

Page 4: Buffer Overflow Protection

◦ A buffer overflow corrupts system memory and causes freezing.
◦ It may change the return address (from a routine) to a different one where the malware is residing.
◦ Programmers should practice defensive programming. Show the textbook to the students.
◦ For Windows-based programming use Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Page 5: Defensive Programming in the Microsoft Environment

Data Execution Prevention (DEP)

◦ DEP is available in Vista and beyond.
◦ Designated memory only holds data, not code (the No eXecute, NX, bit is associated with the memory). A buffer overflow redirection would not work within NX memory.
◦ Programmers can turn on this feature.

Address Space Layout Randomization (ASLR)

◦ Each time Vista is rebooted, .EXE and .DLL files are loaded randomly into one of 256 possible locations. Attackers find it difficult to work with unpredictable code locations.
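The defensive-programming point of pages 4 and 5, as an added C example that is not part of the slides: a fixed-size name buffer filled first with an unchecked strcpy (the overflow case that DEP and ASLR only mitigate after the fact) and then with a bounded copy that refuses input that does not fit. NAME_LEN, copy_name_unsafe, copy_name_safe and check_input are names assumed for the example, and the inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a 16-byte stack buffer for a user-supplied name. */
#define NAME_LEN 16

/* "Before" form: no length check. An input longer than NAME_LEN - 1 bytes
   overruns dst and corrupts the rest of the stack frame, including the
   saved return address the slide describes. Never call this on untrusted input. */
void copy_name_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Defensive form: measure at most NAME_LEN bytes, reject anything that
   would not fit together with its terminating NUL, and always leave dst
   as a valid C string. */
bool copy_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0') {
        n++;
    }
    if (n == NAME_LEN) {        /* no terminator within the buffer: too long */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);    /* n <= NAME_LEN - 1, so n + 1 bytes fit */
    return true;
}

/* Returns 1 if the bounded copy accepted the input, 0 if it rejected it. */
int check_input(const char *input, char out[NAME_LEN]) {
    return copy_name_safe(out, input) ? 1 : 0;
}

int main(void) {
    char buf[NAME_LEN];
    /* The unsafe copy looks fine on a well-formed input; the defect only
       shows on a long one, which is why the bound must be enforced in code. */
    copy_name_unsafe(buf, "alice");
    printf("unsafe copy of short input: %s\n", buf);
    printf("safe, short input accepted: %d\n", check_input("alice", buf));
    printf("safe, long input accepted : %d\n",
           check_input("a-name-that-is-much-too-long-for-the-buffer", buf));
    return 0;
}
```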

Page 6: Configuring Operating System Protection

Security Policy

◦ A document that clearly defines the defense mechanisms an organization will employ in order to keep information secure.
◦ Configuration baseline: permissions on files, registry permissions, logins, authentication, etc. You may want to create a security template to handle it.
◦ Deployment: individually or by group policy.

Page 7: Preventing Attacks that Target the Web Browser

Attacks come through cookies, scripts, Java, ActiveX and cross-site scripting.

Page 8: Cookies

Information about visits saved on the user's computer. A first-party cookie is created by the site that the user is currently viewing. Third-party cookies are created by someone else and are accessed during the current visit to a different site.

Cookies do not present a security threat, but they are a privacy risk: they track browsing habits, etc., and also provide the IP address.

Page 9: Scripts (Java, VB, etc.)

Web pages containing scripts download the scripts to the computer, where they are executed. The program can send information about the user to a host. Scripts can't access files on the computer, so limited risk exists.

Page 10: Java

Java can create applets that run on local computers. The defense against hostile Java applets is a sandbox (a fence). An unsigned Java applet does not come from a trusted source; it must be run within the sandbox, and a warning is given to the user. If users do not read the message or understand the risk, it can cause serious trouble. Sandbox warnings are given at the bottom left. Signed Java applets are from trusted sources and have not been altered.

Page 11: ActiveX (Add-ons)

A framework for defining reusable software components (known as controls) that perform a particular function or set of functions in Microsoft Windows in a way that is independent of the programming language. A software application can then be formed from one or more of these components in order to provide its functionality. ActiveX controls do not run in a sandbox: a control can do anything on the computer, such as creating, modifying and deleting files. A signed ActiveX control is generally safe; an unsigned one is riskier.

Page 12: Cross Site Scripting (XSS)

◦ Scripts that extract information from the victim and pass it to the attacker.
◦ The attacker changes the contents of a dynamic website by injecting a script into it that asks for personal information; this is possible where input is not validated.
◦ A web site that displays a failed-login screen echoing the login name is a good target for these types of attacks.
◦ The attacker could also send the victim a URL to click.

Page 13: SMTP Open Relays

A user can set up an email receiving address and a sending address. Usually they match, like pop.dia.sbc.net and smtp.dia.sbc.net. Some SMTP servers are configured to send mail through other domains (known as relays). An attacker can send spam through such relays without getting caught.

Page 14: Instant Messaging

Once a user signs up with the instant messaging server, the client's IP address and port are sent to all buddies, and communication can take place directly. Over a direct connection, viruses and worms can be spread. An attacker can also view the contents of messages.

Page 15: Peer-to-Peer

All types of attacks can take place through P2P networks. BitTorrent is more secure than P2P. However, both can be used to download illegal software or music.

Page 16: Defenses

◦ Antivirus: always a step behind; update with definition files.
◦ Pop-up blockers: now incorporated into the browser.
◦ Anti-spam: spam filter with the SMTP server; install a spam filter with POP3.
◦ Personal firewalls.
◦ Host Intrusion Detection Systems (HIDS): monitor file systems and logfiles.