Internet & Web Security Simson L. Garfinkel [email protected].


Internet & Web Security

Simson L. Garfinkel

[email protected]

Simson L. Garfinkel

Web Security & Commerce (with Gene Spafford)

O’Reilly & Associates, 1997

Practical UNIX and Internet Security (Garfinkel & Spafford)

O’Reilly & Associates, 1997

Vineyard.NET, Inc., July 1, 1995-

WARNING #1

I’m not here to sell you anything. (No easy answers.)

WARNING #2

I hate Power Point.

Internet Security Today 1/3

What are the main security-related problems on the Internet today?

• Hijacked web servers
• Denial-of-Service attacks
• Unsolicited Commercial E-Mail
• Operator error, natural disasters
• Microsoft...

Internet Security Today 2/3

What are not the major security-related problems?

• Eavesdropped electronic mail.
  • (Misdirected email is a problem.)
  • (Email swiped from backup tapes is a problem.)
• Sniffed credit card numbers.
  • (Credit card numbers stolen from databases are a problem.)
• Hostile Java & ActiveX applets.

Internet Security Today 3/3

So why does the press focus on the non-problems?

• The real problems are old problems. (See Practical UNIX Security, 1991.)
• The real problems are hard to solve. (I’m not here to sell you anything.)
• Netscape IPO. (Netscape sells a product, not a service.)

Hijacked Web Servers

Hijacked Web Servers

• FBI, August 17, 1996 - Attacks on the Communications Decency Act.
• CIA, September 18, 1996 - “Central Stupidity Agency”
• NetGuide Live - “CMP Sucks.”

Hijacked Web Servers

Attacker gains access and changes contents of web server.

Usually stunts. Can be very bad:

• Attacker can plant hostile applets.
• Attacker can plant data sniffers.
• Attacker can use compromised machine to take over internal system.

Hijacked Web Servers

Usually outsiders. (Could be insiders masquerading as outsiders.) Nearly impossible to trace.

How do they do it?

• Administrative passwords captured by a password sniffer.
• Utilize known vulnerability: sendmail bug, buffer overflow.
• Use web server CGI script to steal /etc/passwd file, then crack passwords.
• Mount the web server’s filesystem.

How do you defend against it?

• Patch known bugs.
• Don’t run unnecessary services on the web server.
• Don’t run sendmail. Use smap if possible.
• Large sites may just have to suffer.

How do you defend? (2)

Never use telnet or ftp to access web server.

• ssh/scp
• stel
• Security Dynamics’ SecurID
• Digital Pathways’ SecureNet Key
• (S/Key, Kerberos)

How do you defend? (3)

Practice good host security.

• Don’t run SunOS.
• Use tools like SATAN, ISS, COPS, Tiger...

Monitor system for unauthorized changes.

• Tripwire

Monitor system for signs of penetration.

• Intrusion detection systems
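As an added illustration of what a Tripwire-style check does (example code written for this transcript, not Tripwire’s own code and not from the talk): record a baseline of digests and permission bits for every file under the document root, keep that baseline where an intruder on the box cannot edit it, and later report anything added, removed or changed. The directory layout, file names and the use of SHA-256 are assumptions for the demo.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path):
    h = hashlib.sha256()                      # chunked read: large files need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Digest, size and permission bits of every regular file under root."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": file_digest(full), "size": st.st_size,
                            "mode": st.st_mode & 0o7777}
    return entries

def compare(baseline, current):
    """Paths added, removed or changed (digest, size or mode) since the baseline."""
    paths = set(baseline) | set(current)
    return {"added": sorted(paths - set(baseline)),
            "removed": sorted(paths - set(current)),
            "changed": sorted(p for p in baseline.keys() & current.keys()
                              if baseline[p] != current[p])}

def write(root, rel, body):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(body)

def demo():
    """Constructed scenario: baseline a document root, then the edits an intruder makes."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "cgi-bin"))
    write(root, "index.html", b"<h1>Welcome</h1>")
    write(root, "cgi-bin/a.cgi", b"#!/bin/sh\n")
    # JSON round-trip stands in for keeping the baseline off-host or on read-only media.
    baseline = json.loads(json.dumps(snapshot(root)))
    write(root, "index.html", b"<h1>Defaced</h1>")           # page replaced
    write(root, "backdoor.cgi", b"#!/bin/sh\n")               # script planted
    os.remove(os.path.join(root, "cgi-bin", "a.cgi"))         # script removed
    return compare(baseline, snapshot(root))
```

Note that the check only catches what differs from the baseline, so it must be taken on a known-clean system and re-run from a copy the intruder cannot reach.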

How do you defend? (4)

• Make frequent backups.
• Have a hot spare ready.
• Monitor your system frequently.

Denial-of-Service Attacks

Denial-of-Service

Publicity is almost as good as changing somebody’s web server.

• Attack on PANIX
• Attack on CyberPromotions

Costs real money

• Lost sales
• Damage to reputation

Kinds of Denial-of-Service Attacks

• Direct attack: attack the machine itself.
• Indirect attack: attack something that points to the machine.
• Reputation attack: attack has nothing to do with the machine, but references it in some way.

Direct Denial-Of-Service Attack

Send a lot of requests (HTTP, finger, SMTP)

• Easy to trace.
• Relatively easy to defend against with TCP/IP blocking at router.

Direct Denial-Of-Service Attack 2

SYN Flooding

Subverts the TCP/IP 3-way handshake

• SYN / ACK / ACK

Hard to trace

• Each SYN has a different return address.

Defenses now well understood

• Ignore SYNs from impossible addresses.
• Large buffer pools (10 → 1024)
• Random drop, oldest drop.

Direct Denial-Of-Service Attack 3

SYN Flooding 2

Most machines are not protected.
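To make the three defenses concrete, here is an added simulation (written for this transcript, not code from the talk or from any real TCP stack) of a half-open connection backlog under a spoofed SYN flood. It compares an unprotected stack that loses new SYNs once the backlog is full against random drop and oldest drop, and filters bogon source addresses before they cost a slot. The bogon list, the backlog capacity and the flood sizes are assumptions chosen for the demo.

```python
import ipaddress
import random
from collections import OrderedDict

# Minimal bogon list (an illustrative assumption, not a complete filter): source
# addresses that could never legitimately reach a public server.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def impossible_source(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

class HalfOpenQueue:
    """Backlog of connections that sent a SYN but have not finished the handshake."""
    def __init__(self, capacity, policy, rng=None):
        self.capacity, self.policy = capacity, policy   # "reject_new" | "random_drop" | "oldest_drop"
        self.rng = rng or random.Random()
        self.pending = OrderedDict()          # (src, sport) -> True; insertion order == age
    def on_syn(self, src, sport):
        """Returns False if the SYN was dropped instead of entering the backlog."""
        if impossible_source(src):
            return False                      # filtered before it costs a slot
        if len(self.pending) >= self.capacity:
            if self.policy == "reject_new":   # unprotected stack: a full backlog loses new SYNs
                return False
            if self.policy == "random_drop":
                victim = self.rng.choice(list(self.pending))
            else:                             # "oldest_drop"
                victim = next(iter(self.pending))
            del self.pending[victim]
        self.pending[(src, sport)] = True
        return True
    def on_ack(self, src, sport):
        return self.pending.pop((src, sport), None) is not None   # handshake completes only if entry survived

def handshake_succeeds(policy, capacity=8, flood=200, syns_during_rtt=4, seed=0):
    """One legitimate client arriving mid-flood; spoofed SYNs (constructed, RFC 5737 test range) are never acked."""
    rng = random.Random(seed)
    q = HalfOpenQueue(capacity, policy, rng)
    spoofed = lambda i: (f"198.51.100.{rng.randrange(1, 255)}", 1024 + i)
    for i in range(flood):
        q.on_syn(*spoofed(i))
    client = ("203.0.113.9", 40000)
    if not q.on_syn(*client):
        return False
    for i in range(flood, flood + syns_during_rtt):   # flood keeps coming during the RTT
        q.on_syn(*spoofed(i))
    return q.on_ack(*client)
```

With these parameters oldest drop always lets the client through while fewer than eight spoofed SYNs arrive during its round trip, random drop does so about (7/8)^4 of the time, and the unprotected stack never does.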

Indirect Denial-Of-Service Attack

Attack DNS

• http://www.vineyard.net/ → 204.17.195.200
• DNS spoofing (hard)
• Upstream DNS server (easier)
• InterNIC (easy!)

Indirect Denial-Of-Service Attack

Attack Routing

• Attack routers (hard)
• Inject bogus routes on BGP4 peering sessions (easy)
• Accidents have been widely reported.
• Expect to see an actual BGP4 attack sometime this year.

Reputation-based Denial-Of-Service Attack

Spoofed e-mail

To: [email protected]
From: [email protected]
Subject: Call Now!

Hello. My name is Jean Dixon …

We got 3.9MB of angry responses.

Unsolicited Commercial E-Mail

Unsolicited Commercial E-Mail

Pits freedom-of-speech against right of privacy.

Consumes vast amounts of management time.

Drain on system resources.

Who are the bulk-mailers?

• Advertising for Internet neophytes.
• Advertising for sexually-oriented services.
• Advertising get-rich-quick schemes.
• Advertising bulk-mail service.

How do they send out messages?

• Send directly from their site.
• Send through an innocent third party.
• Coming soon: sent with a computer virus or ActiveX applet.

How did they get my e-mail addresses?

• Usenet & mailing list archives.
• Collected from online address book.
• AOL registry.
• University directory.
• Guessed: sequential CompuServe addresses.
• Break into machine & steal usernames.

Operator Error & Natural Disasters

Operator Error & Natural Disasters

Still a major source of data loss. Hard to get management to take seriously.

• Not sexy.
• Preparation is expensive.
• If nothing happens, money seems misspent.

Operator Error

• Accidentally delete a file.
• Accidentally install a bad service.
• Accidentally break a CGI script.
• Psychotic break.

Natural Disaster

• Fire
• Flood
• Earthquake

Solutions

Frequent backups

• Backup to high-speed tape.
• Real-time backup to spare machines.
• Make sure some backups are off-site.

Recovery plans. Recovery center. Test your backups & plans!

Microsoft

Microsoft

• Danger of homogeneous environment.
• No demonstrated commitment to computer security.
  • Windows 95 is not secure.
  • Word macro viruses.
  • ActiveX
  • SMB
• Windows NT …?