Quiz-2 Review
ECE-6612  http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland  john.copeland@ece.gatech.edu
404 894-5177  fax 404 894-0035
Office: Klaus 3362  (email or call for an office visit, or call 404 894-5177)
March 25, 2015


Quiz-2 Topic Areas

Email Security - PGP, S/MIME
IP Security - IPsec (AH, ESP modes, VPN)
Web Security - Secure Sockets Layer (SSL, TLS)
  - Certificates, CA's, Hashes (MD5)
Intruders (and other Malicious Users) - Protection
DNS - cache poisoning (Birthday Attack used)
IDS - (Base-Rate Fallacy, False-Positive Rate)
Viruses - Worms, Trojan Horses, Logic Bombs, ...
TCP-IP, Firewalls, Secure Electronic Transactions (SET), and Trusted Systems

We have discussed:
BotNets, DDoS, SPAM, Phishing
Slides 17 (1-11): Buffer Overflows, Stack Frames


Definitions

Virus - code that copies itself into other programs.
"Bacteria" - a program that replicates until it exhausts all disk space or CPU cycles.
Payload - the harmful things a malicious program does, after it has had time to spread.
Worm - a program that replicates itself across the network, usually riding on email messages or attached documents (e.g., macro viruses). Email "viruses" are technically worms.
Trojan Horse - instructions in an otherwise good program that cause bad things to happen (e.g., sending your data or password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (a time or a trigger).
Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can let unwanted users in.
"Vulnerability" - a program defect that permits "Intrusions".
Easter Egg - extraneous code that does something "cool"; a way for programmers to show that they control the product.
Bot, BotNet - a large P2P network (hundreds to millions) of compromised computers (Bots) that communicate to commit DDoS, SPAM, and Phishing.


The Stages of a Network Intrusion [RAERU]

1. Scan the network to: [RECONNAISSANCE]
   - locate which IP addresses are in use,
   - find out what operating system is in use,
   - find out what TCP or UDP ports are "open" (being listened to by servers).
2. Run "Exploit" scripts against open ports. [ACCESS]
3. Elevate privileges to "root" privileges. [ELEVATE]
4. Download from a hacker Web site special versions of system files that will let the Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT]
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]

How each stage can be detected (same numbering as the stages above):
1. Reconnaissance - Flow-based* "CI", signature-based?
2. Access - Signature?, Flow-Based Port Profile*
3. Elevate - Signature?, "Port-Profile*", Forbidden Zones*, Host-based
4. Root Kit - Signature?, "Port-Profile*", Forbidden Zones*, Host-based
5. Utilize - Host-based
Vulnerability Scan

* StealthWatch


Protection from a Network Intrusion

Rule 2: Multiple Layers of Protection are needed to reach a high level of security at an affordable cost.

Protection

1. Use a "Firewall" between the local area network and the world-wide Internet to limit access (Chapter 10).

2. On Windows PCs (XP and later), use the OS firewall, which limits incoming and outgoing communications by application (program), not just by port number. For Mac, buy "Little Snitch" ($35).

Detection

1. Use an IDS (Intrusion Detection System) to detect the Cracker during the scanning stage (lock out the IP address, or remove malware from a local host).

2. Use a program like TripWire* on each host to detect when system files are altered, and email an alert to the Sys Admin.

Reaction

1. Have a plan and means to implement it.


Anomaly-Based Intrusion Detection

High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.

Figure 9.1 (Detection Threshold; Undetected Intrusions = False Negatives (FN); False Alarms = False Positives (FP))

#False-Negatives = #Bad Events x FN-rate
#False-Positives = #Normal Events x FP-rate

#Alarms (events detected as Positive) = #True Positives + #False Positives

A Negative Event, True or False, is one that does not trigger an Alarm.


"Base-Rate Fallacy" Calculations

If the "behavior" is a connection:

For legitimate connections (total number = LC):
  True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
  Correctly handled connections (no alarms) = TNR * LC
  Incorrectly handled connections (false alarms) = FPR * LC

For malicious connections (total number = MC):
  False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
  Correctly handled connections (real alarms) = TPR * MC
  Incorrectly handled connections (no alarms) = FNR * MC

If LC >> MC then (FPR * LC) >> (TPR * MC), hence "false alarms" are far more numerous than "real alarms" whenever FPR >> MC/LC (a tiny number). (TPR = 1 - FNR, approximately 1.)

See Slide Set 09A, #17 for example calculations.
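The FN/FP counting from the anomaly-detection slide and the LC/MC arithmetic above, carried through in code. This is an added example and is not from the slides or from Slide Set 09A; the traffic numbers (LC = 1,000,000 legitimate connections, MC = 10 malicious ones) are constructed, and the function names are mine.

```python
"""Base-rate fallacy worked through in code (added example, not from the slides).

Symbols follow the slide: LC = number of legitimate connections, MC = number of
malicious connections, FPR/FNR = false-positive / false-negative rates of the IDS.
All counts are expected values, so they are floats, not integers.
"""


def confusion_counts(lc, mc, fpr, fnr):
    """Expected counts of the four outcomes for one observation period."""
    fp = lc * fpr          # legitimate connections that raise a false alarm (FPR * LC)
    tn = lc - fp           # legitimate connections correctly left alone (TNR * LC)
    fn = mc * fnr          # malicious connections that slip through (FNR * MC)
    tp = mc - fn           # malicious connections correctly alarmed (TPR * MC)
    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn}


def alarm_precision(lc, mc, fpr, fnr):
    """Fraction of alarms that are real intrusions: TP / (TP + FP).

    This is the number the base-rate fallacy is about: an analyst who sees an
    alarm wants P(intrusion | alarm), not the IDS's advertised TPR.
    """
    c = confusion_counts(lc, mc, fpr, fnr)
    alarms = c["TP"] + c["FP"]
    return c["TP"] / alarms if alarms else 0.0


def max_fpr_for_precision(lc, mc, tpr, target_precision):
    """Largest FPR that still keeps TP/(TP+FP) >= target_precision.

    From TP/(TP+FP) >= p:  FP <= TP*(1-p)/p, with FP = FPR*LC and TP = TPR*MC.
    """
    return tpr * mc * (1.0 - target_precision) / (target_precision * lc)


def base_rate_table(lc, mc, fnr, fprs):
    """Rows of (fpr, false_alarms, real_alarms, precision) for several FPR settings."""
    rows = []
    for fpr in fprs:
        c = confusion_counts(lc, mc, fpr, fnr)
        rows.append((fpr, c["FP"], c["TP"], alarm_precision(lc, mc, fpr, fnr)))
    return rows


if __name__ == "__main__":
    # Constructed numbers: one day of traffic with 1,000,000 legitimate connections
    # and only 10 malicious ones (MC/LC = 1e-5), and an IDS with FNR = 0 (TPR = 1).
    LC, MC = 1_000_000, 10
    for fpr, fp, tp, prec in base_rate_table(LC, MC, 0.0, [1e-2, 1e-3, 1e-4, 1e-5]):
        print(f"FPR={fpr:<6g} false alarms={fp:8.0f} real alarms={tp:3.0f} "
              f"P(intrusion|alarm)={prec:.3f}")
    print("FPR needed for 50% precision:", max_fpr_for_precision(LC, MC, 1.0, 0.5))
```

Running it shows the slide's point numerically: with FPR = 0.001 the IDS raises 1000 false alarms for every 10 real ones, so only about 1% of alarms are intrusions even though the detector catches every attack, and precision only reaches 50% once FPR is driven down to MC/LC = 1e-5.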


Chapter 10a - Firewalls

Network Firewall - economical, one point to manage.
Host-based FW - can filter based on application; depends on the user unless a central management system is used.
Simple Firewall - drops packets based on IP address and port.
Stateful - keeps track of connections, whether set up from inside or outside.
NAT - Network Address Translation, private address ranges (10. , 192.168, ...). Inbound connections must match the "forwarding table".
Proxy Server - checks application header and data. A mail proxy may filter spam, viruses, and worms; a Web proxy may filter URLs and domains.
Attacks - how does a Firewall protect against scanning, bad fragments, bad TCP flags, the Smurf attack, ...?
Host-based Firewalls - xinetd (/etc/hosts.allow), iptables, Zone Alarm, Black Ice (now ISS Desktop Proventia), "Little Snitch"


Chapter 10b - Trusted Systems

Subject, Object, Access Rights (permissions)

Policy - Access matrix or ACL (access control list)

Basic Security Rules:

No read up (simple security property)

No write down (do not widen accessibility)

Need to Know.

Reference Monitor, audit file, security kernel database.

Requirements to be a “Trusted System”:

Complete Mediation,

Isolation,

Verifiability

“Common Criteria” Security Specifications are multi-national trust ratings.

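The two Basic Security Rules above (no read up, no write down) plus need-to-know, enforced by a reference monitor that mediates every access and writes an audit record. This is an added example, not course code; the level names (unclassified .. top-secret), the compartment names ("crypto", "nuclear") and the scenario in demo() are illustrative assumptions.

```python
"""Reference monitor enforcing the slide's Basic Security Rules: no read up
(simple security property), no write down (*-property), and need-to-know
via categories.  Added example; not from the course.  Level and category
names are illustrative assumptions."""

from dataclasses import dataclass, field

# Assumed hierarchy; any totally ordered set of levels would do.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label = clearance/classification level + need-to-know categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class ReferenceMonitor:
    """Every access goes through check() (complete mediation) and is written to
    the audit list whether it was allowed or denied."""

    def __init__(self):
        self.audit = []  # (subject, object, op, allowed)

    def check(self, subject, subj_label, obj, obj_label, op):
        if op == "read":
            # Simple security property: subject must dominate object (no read up).
            allowed = subj_label.dominates(obj_label)
        elif op == "write":
            # *-property: object must dominate subject (no write down), so a
            # high-clearance subject cannot copy secrets into a low-level object.
            allowed = obj_label.dominates(subj_label)
        else:
            allowed = False  # default deny for operations the policy does not name
        self.audit.append((subject, obj, op, allowed))
        return allowed


def demo():
    """Constructed scenario: an analyst cleared SECRET for the 'crypto' compartment."""
    rm = ReferenceMonitor()
    analyst = Label("secret", frozenset({"crypto"}))
    results = {
        "read confidential memo":     rm.check("analyst", analyst, "memo", Label("confidential"), "read"),
        "read secret crypto report":  rm.check("analyst", analyst, "rpt", Label("secret", frozenset({"crypto"})), "read"),
        "read secret nuclear report": rm.check("analyst", analyst, "nuke", Label("secret", frozenset({"nuclear"})), "read"),
        "read top-secret file":       rm.check("analyst", analyst, "ts", Label("top-secret"), "read"),
        "write top-secret file":      rm.check("analyst", analyst, "ts", Label("top-secret", frozenset({"crypto"})), "write"),
        "write unclassified log":     rm.check("analyst", analyst, "log", Label("unclassified"), "write"),
    }
    return results, rm.audit


if __name__ == "__main__":
    results, audit = demo()
    for name, allowed in results.items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(audit)} audit records written")
```

The denied cases are the instructive ones: the nuclear report is denied at the same level purely on need-to-know (categories), and writing to the unclassified log is denied even though the analyst could read it, which is exactly what "no write down" is for.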


Chapter 11 - TCP/IP

Bad fragments can crash an Operating System (OS): "Teardrop".
ICMP packets: Type No. (11 = Timeout, 8 = Ping [Echo Request], 0 = Pong [Echo Reply], 3 = Unreachable [Codes: 0 = Network, 1 = Host, 3 = Port])
  - "Ping of Death" - a fragment extends beyond the 65535-byte (2^16 - 1) maximum IP datagram size,
  - "Smurf" (Pong multiplication: a Ping sent to a broadcast address).
"Spoofed" addresses for Flood DoS attacks (the victim's address is the source IP in Smurf).

TCP Handshake: SYN, SYN-ACK, ACK / RESET / FIN, FIN
Flags - bad combinations used to 1) map the OS, 2) cause crashes.
TCP - Hijacked connection. The IP address of one host can change if the sequence and acknowledgement numbers are kept consistent. The original host must be DoS'ed (silenced).

DNS - UDP port 53 is used for DNS lookups and reverse lookups. What is "Fast Flux DNS" and "DNS Cache Poisoning"?
ARP - used by the IP layer to find the MAC-layer address to use. What is "ARP Poisoning"?
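The checks a packet filter or IDS applies against the bad-fragment and bad-flag attacks listed above (Ping of Death, Teardrop, and the SYN+FIN / NULL / XMAS flag combinations used to map or crash an OS), as an added example that is not from the slides. The fragment trains and the TCP headers it examines are constructed inline; the function names are mine.

```python
"""Sanity checks for IP fragments and TCP flags (added example, not from the
slides).  Oversized or overlapping fragments (Ping of Death, Teardrop) and
flag combinations that never occur in a legitimate connection are what a
stateful firewall or IDS drops or alerts on.  Sample packets are constructed."""

import struct

IP_MAX_LEN = 65535            # largest IP datagram; total length is a 16-bit field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def fragment_findings(fragments):
    """fragments: list of (offset_in_8_byte_units, payload_len, more_fragments).

    Returns (problem, offset) for every fragment that would push the reassembled
    datagram past 65535 bytes (Ping of Death) or that overlaps an earlier
    fragment (Teardrop-style).  A sane reassembler drops the whole datagram.
    """
    findings = []
    seen = []                                   # byte ranges already covered
    for offset, length, _mf in fragments:
        start, end = offset * 8, offset * 8 + length
        if end > IP_MAX_LEN:
            findings.append(("ping-of-death", offset))
        if any(start < s_end and s_start < end for s_start, s_end in seen):
            findings.append(("overlap", offset))
        seen.append((start, end))
    return findings


def classify_tcp_flags(flags):
    """Name the flag combinations that never occur in a normal TCP connection."""
    if flags == 0:
        return "NULL scan"                      # no flags at all
    if flags == FIN | PSH | URG:
        return "XMAS scan"
    if flags & SYN and flags & FIN:
        return "SYN+FIN (illegal)"              # open and close in one segment
    if flags & SYN and flags & RST:
        return "SYN+RST (illegal)"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK (FIN scan)"     # every post-handshake segment carries ACK
    if flags == SYN:
        return "SYN (new connection)"
    return "ok"


def tcp_flags_from_header(header20):
    """Extract the flags byte from a 20-byte TCP header (network byte order)."""
    (_sport, _dport, _seq, _ack, _offset_reserved, flags,
     _window, _checksum, _urgent) = struct.unpack("!HHIIBBHHH", header20[:20])
    return flags


def make_tcp_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header; checksum left 0 (constructed test input)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    # Constructed fragment trains: a normal one, a Teardrop-style one, a Ping of Death.
    normal = [(0, 1480, True), (185, 1480, True), (370, 500, False)]
    teardrop = [(0, 1480, True), (100, 1480, False)]   # second starts inside the first
    pod = [(0, 1480, True), (8180, 100, False)]         # 8180*8 + 100 = 65540 > 65535
    print("normal  :", fragment_findings(normal))
    print("teardrop:", fragment_findings(teardrop))
    print("pod     :", fragment_findings(pod))
    for flags in (0, FIN | PSH | URG, SYN | FIN, SYN, ACK | PSH):
        hdr = make_tcp_header(40000, 80, flags)
        print(f"flags=0x{flags:02x}: {classify_tcp_flags(tcp_flags_from_header(hdr))}")
```

Fragment offsets are in 8-byte units, which is why the Ping-of-Death check multiplies by 8 before comparing with 65535; the overlap test is the same half-open interval comparison a reassembly queue would use, and a firewall that reassembles before filtering sees both problems before the host OS does.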



HW

What was learned from the homework problems?

Outside Reading
  Lenovo - removing "Superfish" - https man-in-the-middle
  Dell - "System Detect" vulnerability
  Apple Pay - credit-card scams 7x higher than normal
  "Wipe the Drive" - what to do with a compromised PC
  "Olympic Games" (Flame, Stuxnet, Iran)
  CryptoLocker malware


The test will cover the slide sets 06-IP Networks.ppt, 07-SSL-SET, 08a Safer Downloading.ppt, 09a-Intrusion.ppt, 09b-Viruses, 10a-Firewalls.ppt, 10b-Trusted Systems, 11-TCP-IP.ppt, 13-Netsec Utilities.ppt, and 18-Shellcode.ppt (slides 1-11).

It will not cover Simple Network Management Protocol (08-SNMP.ppt).

You will be able to bring your Quiz-1 reference sheet. You should review the areas you missed on Quiz-1.

We discussed SSL/TLS in connection with public/private keys and secure email.

We did cover the SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years; it, or something like it, may still be necessary in the future.