
Page 1: Recent Security Threats & Vulnerabilities

Computer security
Bob Cowles, bob.cowles@slac.stanford.edu
HEPiX, Spring 2004 – Edinburgh, UK (25 May 2004)
Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

Page 2: Windows

- Worms
- Windows AD & SUS for patching
- Viruses
- Web exposures (IE)
- Leaked code for WinNT & Win2K

Page 3: Application of Patches to Windows

[Chart: Vulnerable Systems (0 to 2000) against Days Since Patch Released (1 to 31), one curve each for MS03-026, MS03-039, MS03-043 and MS04-011, annotated with the points at which MSBlaster was released and at which MSBlaster appeared at SLAC.]

Page 4: Sasser Experience (MS04-011)

- Patched quickly: servers within 10 hours, all workstations within 80 hours
- VPN changes: no access to local drives of desktops
  - Firestorm of protest
  - Disappeared after the dust settled (Citrix & RDP)
- Ongoing problems with unpatched systems
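The chart on page 3 and the "servers within 10 hours, workstations within 80 hours" figures on page 4 are two views of the same data: when each host was confirmed patched relative to the bulletin's release. The following is an added example (the editor's, not code from the talk or from SLAC) that computes both from per-host records; the release time and the host records are constructed, and the hypothetical `hours_to_cover` percentile also makes the long unpatched tail visible as a `None` result.

```python
"""Vulnerable-population curve and time-to-coverage for one patch, computed
from per-host patch records.  Added example (editor's, not from the talk);
the release time and the host records below are constructed."""
import math
from datetime import datetime, timedelta

RELEASED = datetime(2004, 4, 13, 0, 0)      # constructed patch release time

# Constructed records: (host, role, time patch confirmed installed; None = still unpatched)
HOSTS = [
    ("srv01", "server", RELEASED + timedelta(hours=2)),
    ("srv02", "server", RELEASED + timedelta(hours=6)),
    ("srv03", "server", RELEASED + timedelta(hours=9)),
    ("ws01", "workstation", RELEASED + timedelta(hours=20)),
    ("ws02", "workstation", RELEASED + timedelta(hours=45)),
    ("ws03", "workstation", RELEASED + timedelta(hours=79)),
    ("ws04", "workstation", RELEASED + timedelta(hours=725)),   # patched after a month
    ("lab01", "workstation", None),                               # never patched
]


def vulnerable_by_day(records, released, days=31):
    """Hosts still unpatched at the end of each day since release (index 0 = day 1).
    This is the series the page 3 chart plots per bulletin."""
    series = []
    for day in range(1, days + 1):
        cutoff = released + timedelta(days=day)
        series.append(sum(1 for _, _, t in records if t is None or t > cutoff))
    return series


def hours_to_cover(records, released, role, percent=100):
    """Hours after release by which `percent` of the hosts in `role` were patched;
    None if that coverage was never reached (the unpatched tail page 4 warns about)."""
    hosts = [t for _, r, t in records if r == role]
    needed = math.ceil(len(hosts) * percent / 100)
    patched = sorted((t - released).total_seconds() / 3600 for t in hosts if t is not None)
    if needed == 0 or len(patched) < needed:
        return None
    return patched[needed - 1]


if __name__ == "__main__":
    print("vulnerable per day:", vulnerable_by_day(HOSTS, RELEASED))
    for role in ("server", "workstation"):
        print(role, "100% coverage after hours:", hours_to_cover(HOSTS, RELEASED, role))
```

Run against a real SUS/WSUS or inventory export, the `None` for workstations at 100% is the number to watch: the curve flattening above zero is what kept Blaster and Sasser alive on site long after the patch shipped.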

Page 5: AD & SUS for patching

- Problematic patching: Office vs. Windows Update; FrontPage DLLs; MDAC
- Machine vs. User GPOs
- SUS update times
- New installs
- XP SP2 has many improvements (in 2005)

Page 6: The way we were …

[Network diagram: the Internet connected to one flat set of zones, Visitor, Remote access, BaBar Detector, HEP Accelerator, SSRL, BSD, BSD-Private and SLAC Basic, with no separate server zone; pages 7 to 10 are animation builds of the same diagram.]


Page 11: The way we are now …

[Network diagram: the same zones, Visitor, Remote access, BaBar Detector, HEP Accelerator, SSRL, BSD, BSD-Private and SLAC Basic, now with a separate Servers zone between them and the Internet; pages 12 to 14 are animation builds of the same diagram.]


Page 15: Viruses

- More sophistication (Bobax and Kibuv)
- Zip files, including encrypted zip files
- From microsoft.com
- From security@<your-domain-name>
- Run automatically
- Leave backdoors; SMTP engine for spam
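The pattern on this slide (an executable inside a zip, often password protected so the gateway scanner cannot open it, sent under a forged microsoft.com or security@<your-domain> address) can be caught at the mail gateway without any signature. The following is an added example, the editor's code rather than anything from the talk or from SLAC's gateway: it parses a message, inspects zip attachments without extracting them, and combines the attachment findings with the forged-sender check. The domain `example.org`, the policy lists and both sample messages are constructed; `_flag_encrypted` only sets the "encrypted" header bit so the fixture looks password protected, since the standard library cannot write encrypted zips.

```python
"""Triage of mail attachments for the worm pattern on page 15: a zip, often
password protected, from a forged microsoft.com or security@<own-domain>
sender, carrying an executable.  Added example, not from the talk; the
domain, the policy lists and the sample messages are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.org"                            # constructed
IMPERSONATED_DOMAINS = {"microsoft.com", OUR_DOMAIN}  # neither mails patches as attachments
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def zip_findings(data):
    """Inspect a zip attachment from its central directory, without extracting."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a zip but is not a valid archive"]
    findings = []
    for zi in zf.infolist():
        name = zi.filename.lower()
        if zi.flag_bits & 0x1:       # general-purpose bit 0: member is encrypted
            findings.append(f"encrypted member {zi.filename}: AV cannot scan it")
        if name.endswith(EXEC_SUFFIXES):
            findings.append(f"executable member {zi.filename}")
            if name.count(".") > 1:
                findings.append(f"double extension {zi.filename}")
    return findings


def triage(raw):
    """Return (verdict, findings) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(zip_findings(payload))
        elif fname.endswith(EXEC_SUFFIXES):
            findings.append(f"direct executable attachment {fname}")
    if not findings:
        return "deliver", findings
    if domain in IMPERSONATED_DOMAINS:
        findings.append(f"sender {addr} impersonates {domain} while carrying executable content")
        return "quarantine", findings
    return "strip attachment", findings


def _flag_encrypted(data):
    """Test fixture only: set the 'encrypted' flag (bit 0) in every local and
    central-directory header so the archive looks password protected.  The
    stdlib cannot write encrypted zips; no real encryption is applied."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


def build_worm_sample():
    """Constructed message in the style described on page 15."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("patch.doc.exe", b"MZ" + b"\x00" * 64)    # fake PE stub, constructed
    msg = EmailMessage()
    msg["From"] = f"security@{OUR_DOMAIN}"
    msg["To"] = f"user@{OUR_DOMAIN}"
    msg["Subject"] = "Your account has been suspended"
    msg.set_content("The password for the attached archive is 12345.")
    msg.add_attachment(_flag_encrypted(zbuf.getvalue()),
                       maintype="application", subtype="zip", filename="patch.zip")
    return bytes(msg)


def build_clean_sample():
    """Constructed ordinary internal message with a text attachment."""
    msg = EmailMessage()
    msg["From"] = f"colleague@{OUR_DOMAIN}"
    msg["To"] = f"user@{OUR_DOMAIN}"
    msg["Subject"] = "Minutes"
    msg.set_content("Minutes attached as plain text.")
    msg.add_attachment("1. Patch status reviewed.\n", filename="minutes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for raw in (build_worm_sample(), build_clean_sample()):
        print(triage(raw))
```

The encrypted-member check is the important one: a password-protected zip is opaque to the AV scanner, so the gateway has to decide on structure (executable names, double extensions, the forged sender) rather than on content, which is exactly why these worms used encryption.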

Page 16: IE Exposures

- Numerous unpatched vulnerabilities
- Cannot escape IE (but can control it)
- Unclear how much XP SP2 will fix
- There is still the problem of user knowledge

Page 17: Unix & Linux

- Local exploits = remote exploits (on a shared system, any stolen account or remote code execution turns a local privilege escalation into remote root)
- mremap (2 times)
- ASN.1
- do_brk
- Solaris: vfs_getvfsws()
- CDE dt…..
- XFree86
- yp*

Page 18: Universities & Labs

- Exploits against Solaris, AIX, Linux
- Attacker(s) seem sophisticated
- Install SK rootkit on Linux
- Install trojaned sshd
  - gets passwords from keyboard/tty entry
  - accesses RSA keys
- Cracks yp or Kerberos password files
- One-time password tokens are in your future
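The reason one-time password tokens answer a trojaned sshd is that a value captured from the keyboard is worthless once it has been used. The following is an added example (the editor's, not code from the talk or from any token vendor) implementing HOTP as specified in RFC 4226: the token-side generator and a verifier that consumes each value and advances its counter, so a replay of a captured code is refused. The key is the RFC 4226 Appendix D test-vector secret; the verifier's initial counter and look-ahead window are constructed.

```python
"""HOTP (RFC 4226) one-time passwords, as used by the tokens the talk
expects.  Added example, not from the talk.  It shows the property that
matters against a trojaned sshd: a value captured from the keyboard
cannot be replayed, because the verifier consumes it and moves its
counter on.  The key is the RFC 4226 test-vector secret; the verifier
state and window size are constructed."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 section 5.3: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side: one counter per token plus a small look-ahead window
    (RFC 4226 section 7.2) for presses the user made but never submitted."""

    def __init__(self, secret, window=5):
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consumed: this and every earlier value now fail
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"   # Appendix D test-vector key

if __name__ == "__main__":
    token = [hotp(RFC4226_SECRET, c) for c in range(3)]
    server = HotpVerifier(RFC4226_SECRET)
    print(server.verify(token[0]), server.verify(token[0]))   # True, then False (replay)
```

The look-ahead window is the usability compromise: too small and a token pressed a few times in a pocket desynchronises, too large and an attacker who captured several unused codes keeps them valid for longer. The captured-from-tty case the slide describes is the replay path, and that is refused regardless of the window.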

Page 19: Cisco

- Router BGP (TCP problem)
- Wireless access points
- PIX
- Stolen code for IOS

Page 20: Security Software

Security products have had vulnerabilities of their own:
- Checkpoint
- BlackICE
- ZoneAlarm
- ISS RealSecure (IDS)
- tcpdump / Ethereal
- Norton Anti-Virus
- PIX

Page 21: Macintosh

- USB keyboard: ^C gives local root
- Apple File Server buffer overflow
- QuickTime buffer overflow
- URL processing in Terminal app
- Safari: Help system buffer overflow
- Volume URI handler registration (no fix)

Page 22: Other Software

- Grid: Slashdot & 2600
- IM software: AIM & Yahoo Messenger
- CVS
- RealPlayer
- WinZip
- Web: HP JetAdmin
- Acrobat Reader 5.1
- DameWare & Serv-U

Page 23: DameWare: How I spent my Christmas vacation

Page 24: DameWare (2)

- Over 13 different warez kits installed
- 30 compromised machines, half used for scanning other systems
- ftp speed tests were run to measure suitability for storing warez
- Serv-U ftp and Radmin installed at random port numbers
- Look at Hacker Defender: rootkit for Windows, available in source to avoid AV scanners

Page 25: Email

- Evils of HTML email: it's big & it hides bad stuff
- Phishing scams: Citibank, eBay, PayPal
- Outlook 2003 setting (registry change for Outlook XP)
- didtheyreadit.com

Page 26: Outlook 2003: Tools -> Options -> Preferences

[Screenshot of the Outlook 2003 setting referred to on page 25; not reproduced in the transcript.]

Page 27: didtheyreadit.com

- Email tracking using a transparent GIF image
- Not clear how they track time open
- Follows forwarding of email
- Technically easily defeated, but most don't know how
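The "easy defeat" is to make the mail client fetch nothing when a message is opened: the beacon only works because the client requests the remote GIF, and its URL carries the per-recipient token. The following is an added example (the editor's, not code from the talk, from Outlook, or from didtheyreadit.com) that rewrites an HTML body before display, replacing every remote image, stylesheet and CSS background with a placeholder and reporting what was blocked, so the user can still opt in. The sample body and the hostnames in it are constructed; the "tracking pixel" label is a heuristic on size and visibility, and any remote image, pixel or not, is enough to record an open.

```python
"""Strip remote content from HTML mail before display, so that opening the
message fetches nothing: the "technically easy" defeat of open tracking of
the didtheyreadit.com kind (a remote, usually 1x1, image whose URL carries a
per-recipient token).  Added example, not from the talk; SAMPLE and the
hostnames in it are constructed."""
import html
import re
from html.parser import HTMLParser

_REMOTE = re.compile(r"^\s*(https?:)?//", re.I)
_CSS_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^)'\"]*)['\"]?\s*\)", re.I)


def is_remote(url):
    return bool(url) and _REMOTE.match(url) is not None


class RemoteContentStripper(HTMLParser):
    """Re-serialise the document, replacing anything that would trigger a fetch
    from a remote host and recording what was blocked."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, selfclosing):
        parts = [tag] + [k if v is None else f'{k}="{html.escape(v, quote=True)}"'
                         for k, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def _rewrite(self, tag, attrs, selfclosing):
        d = dict(attrs)
        if tag == "img" and is_remote(d.get("src")):
            tiny = d.get("width") in ("0", "1") or d.get("height") in ("0", "1")
            hidden = "display:none" in (d.get("style") or "").replace(" ", "").lower()
            kind = "tracking pixel" if tiny or hidden else "remote image"
            self.blocked.append((kind, d["src"]))
            self.out.append(f'<img alt="[blocked {kind}]">')
            return
        if tag == "link" and is_remote(d.get("href")):        # remote stylesheet
            self.blocked.append(("remote stylesheet", d["href"]))
            return
        kept = []
        for k, v in attrs:
            if k in ("src", "background") and is_remote(v):     # iframe, script, body background
                self.blocked.append((f"remote {tag} {k}", v))
                continue
            if k == "style" and v and _CSS_URL.search(v):
                for m in _CSS_URL.finditer(v):
                    self.blocked.append(("remote style resource", m.group(1)))
                v = _CSS_URL.sub("url(about:blank)", v)
            kept.append((k, v))
        if kept == attrs:
            self.out.append(self.get_starttag_text())   # untouched: keep the original text
        else:
            self._emit(tag, kept, selfclosing)

    def handle_starttag(self, tag, attrs):
        self._rewrite(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._rewrite(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_remote_content(doc):
    """Return (sanitised_html, list of (kind, url) that were blocked)."""
    p = RemoteContentStripper()
    p.feed(doc)
    p.close()
    return "".join(p.out), p.blocked


# Constructed HTML mail body: one beacon, one inline (cid:) image, one banner, one CSS background.
SAMPLE = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<img src="http://tracker.example/px.gif?id=7f3a" width="1" height="1">'
    '<img src="cid:logo1" width="120" height="40">'
    '<img src="https://img.example/banner.png" width="300" height="80"/>'
    '<p style="background:url(http://tracker.example/bg.png)">bye</p>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, blocked = strip_remote_content(SAMPLE)
    print(clean)
    for kind, url in blocked:
        print(kind, url)
```

Inline `cid:` images survive because they travel inside the message and cause no fetch. Because the rewrite happens before rendering, forwarding the sanitised copy also breaks the "follows forwarding" property: the next recipient's client never sees the beacon URL either.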

Page 28: Final Thoughts

- Attacks coming faster; attackers getting smarter
- Complex attacks using multiple vulnerabilities
- No simple solution works
  - Patching helps
  - Firewalls help
  - AV & attachment removal help
  - Encrypted passwords/tunnels help
- You can't be "secure"; only "more secure"
- We must share information better
- HEPiX Security email list: do we need a PGP-encrypted remailer?