Web security


Transcript of Web security

Page 1: Web security

Internet & Web Security

Prepared by: Jean Michael Castor

Page 2: Web security

Introduction

• As of 1996, the Internet connected an estimated 13 million computers in 195 countries on every continent, even Antarctica. The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways, including gateways, routers, dial-up connections, and Internet service providers.

Page 3: Web security

Introduction

• The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries or time of day.

Page 4: Web security

Introduction

• However, along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet.

Page 5: Web security

Introduction

• Intruders do not need to enter an office or home, and may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity.

Page 6: Web security

Basic Security Concepts

• Three basic security concepts important to information on the Internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.

Page 7: Web security

Basic Security Concepts

• Confidentiality - restricting access to information to authorized users.

• Integrity - ensuring that stored data and data in transit are not modified unintentionally or maliciously.

• Availability - ensuring that network services are not interrupted unintentionally or maliciously.

Page 8: Web security

Internet Security Today

• What are the main security-related problems on the Internet today?
– Hijacked web servers
– Denial-of-Service Attacks
– Unsolicited Commercial E-Mail
– Operator Error, Natural Disasters
– Microsoft...
– Probe
– Scan
– Packet Sniffer
– Malicious Code

Page 9: Web security

Internet Security Today

• What are not the major security-related problems?
– Eavesdropped electronic mail.
• (Misdirected email is a problem.)
• (Email swiped from backup tapes is a problem.)
– Sniffed credit card numbers.
• (Credit card numbers stolen from databases are a problem.)
– Hostile Java & ActiveX applets.

Page 10: Web security

Hijacked Web Servers

Page 11: Web security

Hijacked Web Servers

• FBI
– August 17, 1996 - Attacks on the Communications Decency Act.

• CIA
– September 18, 1996 - “Central Stupidity Agency”

• NetGuide Live
– “CMP Sucks.”

Page 12: Web security

Hijacked Web Servers

• Attacker gains access and changes contents of web server.

• Usually stunts.
• Can be very bad:
– Attacker can plant hostile applets.
– Attacker can plant data sniffers.
– Attacker can use compromised machine to take over internal system.

Page 13: Web security

Hijacked Web Servers

• Usually outsiders.
• (Could be insiders masquerading as outsiders.)
• Nearly impossible to trace.

Page 14: Web security

How do they do it?

• Administrative passwords captured by a password sniffer.

• Utilize known vulnerability:
– sendmail bug.
– Buffer overflow.

• Use web server CGI script to steal /etc/passwd file, then crack passwords.

• Mount the web server’s filesystem.

Page 15: Web security

How do you defend against it?

• Patch known bugs.
• Don’t run unnecessary services on the web server.

Page 16: Web security

How do you defend?

• Practice good host security.
• Monitor system for unauthorized changes.
– Tripwire

• Monitor system for signs of penetration.
– Intrusion detection systems
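The kind of check Tripwire automates, written out as an added example (this is not the slides' code and not Tripwire itself): a baseline of SHA-256 digests, sizes and permission bits is recorded for every regular file under a directory, and a later walk is compared against it to list files that were added, removed or altered. The function names are hypothetical, and the "defaced web root" in `demo()` is a constructed scenario built in a temporary directory.

```python
"""Added example (not from the slides): a minimal file-integrity baseline
in the spirit of Tripwire.  Hypothetical helper names; it walks a directory,
records a SHA-256 digest, size and mode per regular file, and reports what
was added, removed or changed since the baseline was taken."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks are skipped: following them would let an intruder point the
    checker at an unchanged file somewhere else."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline, current):
    """Report paths added, removed or altered (content, size or permissions)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    """Persist the baseline.  Keep this copy off the monitored host or on
    read-only media, so an intruder cannot rewrite it along with the files."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: a tiny web root is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Welcome</h1>\n")
        with open(os.path.join(root, "cgi-bin", "form.cgi"), "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated intrusion: defaced page, dropped-in file, deleted script.
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>Owned</h1>\n")
        with open(os.path.join(root, "sniff.log"), "w") as fh:
            fh.write("captured\n")
        os.remove(os.path.join(root, "cgi-bin", "form.cgi"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three lists for the constructed scenario. A real deployment would run the comparison from cron against a baseline stored where the web server's own compromise cannot reach it; a baseline that lives on the monitored host is only as trustworthy as that host.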

Page 17: Web security

How do you defend?

• Make frequent backups.
• Have a hot spare ready.
• Monitor your system frequently.

Page 18: Web security

Denial-of-Service Attacks

Page 19: Web security

Denial-of-Service

• Publicity is almost as good as changing somebody’s web server.
– Attack on PANIX
– Attack on CyberPromotions

• Costs real money.
– Lost Sales
– Damage to reputation

Page 20: Web security

Kinds of Denial-of-Service Attacks

• Direct attack: attack the machine itself.
• Indirect attack: attack something that points to the machine.
• Reputation attack: attack has nothing to do with the machine, but references it in some way.

Page 21: Web security

Direct Denial-Of-Service Attack

• Send a lot of requests (HTTP, finger, SMTP).
– Easy to trace.
– Relatively easy to defend against with TCP/IP blocking at router.

Page 22: Web security

Direct Denial-Of-Service Attack 2

• SYN Flooding
– Subverts the TCP/IP 3-way handshake.
• SYN / ACK / ACK
– Hard to trace.
• Each SYN has a different return address.
– Defenses now well understood.
• Ignore SYNs from impossible addresses.
• Large buffer pools (10 1024)
• Random drop, Oldest drop.
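The three defenses on this slide can be compared in a small simulation. The following is an added example, not code from the slides or from any TCP stack: a half-open connection table that refuses SYNs from source addresses that cannot legitimately appear on a public listener, and that, when full, either refuses the new SYN (the classic behaviour the flood exploits), evicts the oldest half-open entry, or evicts a random one. The bogon list, the class and function names, the forged flood and the single legitimate client are all constructed assumptions; the point is to see what share of legitimate handshakes still complete under each policy.

```python
"""Added example (not from the slides): a simulation of the SYN-flood
defenses the slide lists -- dropping SYNs from impossible source addresses
and evicting half-open entries (random drop or oldest drop) when the
backlog fills -- next to a backlog with no eviction policy for comparison.
Class and function names are hypothetical; the flood and the client are
constructed traffic, not captured data."""
import ipaddress
import random
from collections import OrderedDict

# Assumption: a minimal list of sources that cannot legitimately reach a
# public listener from the Internet (this-network, RFC 1918, loopback,
# link-local, multicast, class E).  Real bogon lists are longer.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def impossible_source(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


class SynBacklog:
    """Table of half-open connections waiting for the client's final ACK."""

    def __init__(self, capacity, policy, seed=0):
        if policy not in ("none", "oldest", "random"):
            raise ValueError("policy must be none, oldest or random")
        self.capacity, self.policy = capacity, policy
        self.half_open = OrderedDict()   # (src, sport) -> arrival tick, oldest first
        self.rng = random.Random(seed)
        self.rejected_bogon = self.evicted = self.refused = self.established = 0

    def on_syn(self, src, sport, tick):
        """Admit a SYN; return True if a half-open entry was created."""
        if impossible_source(src):
            self.rejected_bogon += 1       # reserve no state for a bogon source
            return False
        if len(self.half_open) >= self.capacity:
            if self.policy == "none":
                self.refused += 1          # table full: the new SYN is dropped
                return False
            if self.policy == "oldest":
                self.half_open.popitem(last=False)
            else:
                del self.half_open[self.rng.choice(list(self.half_open))]
            self.evicted += 1
        self.half_open[(src, sport)] = tick
        return True

    def on_ack(self, src, sport):
        """Complete the handshake if the entry survived in the backlog."""
        if self.half_open.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True


def simulate(policy, capacity=128, ticks=200, flood_per_tick=40, rtt=2, seed=7):
    """Constructed load: forged SYNs that never complete, plus one legitimate
    client per tick whose ACK arrives `rtt` ticks after its SYN.  Half-open
    timeouts are omitted; at flood rates they would not help anyway."""
    rng = random.Random(seed)
    backlog = SynBacklog(capacity, policy, seed)
    acks_due = {}                         # tick -> [(src, sport)] legitimate ACKs
    for tick in range(ticks + rtt):
        for src, sport in acks_due.pop(tick, []):
            backlog.on_ack(src, sport)
        if tick >= ticks:
            continue
        for _ in range(flood_per_tick):   # random forged sources, never answered
            src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
            backlog.on_syn(src, rng.randrange(1024, 65536), tick)
        legit = ("192.0.2.10", 40000 + tick)   # constructed client address
        backlog.on_syn(*legit, tick)
        acks_due.setdefault(tick + rtt, []).append(legit)
    return {
        "policy": policy,
        "legit_rate": backlog.established / ticks,
        "rejected_bogon": backlog.rejected_bogon,
        "evicted": backlog.evicted,
        "refused": backlog.refused,
    }


if __name__ == "__main__":
    for policy in ("none", "oldest", "random"):
        print(simulate(policy))
```

With no eviction policy the table fills within a few ticks and almost every later legitimate client is refused; oldest-drop keeps the freshest entries, which is where a real client's ACK is about to land, so it completes nearly all of them; random-drop loses a fraction proportional to how many forged SYNs arrive during one round trip. The bogon filter helps every policy by never spending an entry on a source that cannot answer.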

Page 23: Web security

Indirect Denial-Of-Service Attack

• Attack routing.
• Attack routers (hard).
• Inject bogus routes on BGP4 peering sessions (easy).
– Accidents have been widely reported.
– Expect to see an actual BGP4 attack sometime this year.

Page 24: Web security

Reputation-based Denial-Of-Service Attack

• Spoofed e-mail
To: [email protected]
From: [email protected]
Subject: Call Now!

Hello. My name is Jean Dixon …

• We got 3.9MB of angry responses.

Page 25: Web security

Unsolicited Commercial E-Mail

Page 26: Web security

Unsolicited Commercial E-Mail

• Pits freedom-of-speech against right of privacy.

• Consumes vast amounts of management time.
• Drain on system resources.

Page 27: Web security

Who are the bulk-mailers?

• Advertising for Internet neophytes.
• Advertising for sexually-oriented services.
• Advertising get-rich-quick schemes.
• Advertising bulk-mail service.

Page 28: Web security

How do they send out messages?

• Send directly from their site.
• Send through an innocent third party.
• Coming soon:
– Sent with a computer virus or ActiveX applet.

Page 29: Web security

How did they get my e-mail addresses?

• Usenet & mailing list archives.
• Collected from online address books.
– AOL registry.
– University directory.

• Guessed.
– Sequential CompuServe addresses.

• Break into machine & steal usernames.

Page 30: Web security

Operator Error & Natural Disasters

Page 31: Web security

Operator Error & Natural Disasters

• Still a major source of data loss.
• Hard to get management to take seriously.
– Not sexy.
– Preparation is expensive.
– If nothing happens, money seems misspent.

Page 32: Web security

Operator Error

• Accidentally delete a file.
• Accidentally install a bad service.
• Accidentally break a CGI script.
• Psychotic break.

Page 33: Web security

Natural Disaster

• Fire
• Flood
• Earthquake

Page 34: Web security

Solutions

• Frequent backups.
– Backup to high-speed tape.
– Real-time backup to spare machines.
– Make sure some backups are off-site.

• Recovery plans.
• Recovery center.
• Test your backups & plans!

Page 35: Web security

Microsoft

Page 36: Web security

Microsoft

• Danger of homogeneous environment.
• No demonstrated commitment to computer security.
– Windows 95 is not secure.
– Word Macro Viruses.
– ActiveX
– SMB

• Windows NT …?

Page 37: Web security

Probe

• A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.

Page 38: Web security

Scan

• A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other error, but they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.
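The distinction the last two slides draw, a probe as a handful of unusual access attempts (for instance logins to accounts that do not exist) versus a scan as many probes from one source in a short time, is what a simple log-based detector keys on. The following is an added example, not code from the slides or from any intrusion-detection product: it reads constructed syslog-style lines (sshd failures for invalid users and firewall DROP records with a destination port), reports sources that tried several non-existent accounts as probes, and reports sources that hit many distinct ports inside a sliding time window as scans. The log format, the thresholds and the function names are assumptions.

```python
"""Added example (not from the slides): a small detector that separates a
'probe' (a few unusual access attempts, e.g. logins to accounts that do
not exist) from a 'scan' (many probes from one source in a short window).
It runs over constructed syslog-style lines; the log format, thresholds
and function names are assumptions, not a real product's."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log.  203.0.113.9 walks twelve ports in 22 seconds,
# 198.51.100.7 tries two accounts that do not exist, 192.0.2.77 only
# knocks on two ports a minute apart.
SAMPLE_LOG = """\
Mar 14 02:11:03 www sshd[2201]: Failed password for invalid user oracle from 198.51.100.7 port 51234 ssh2
Mar 14 02:11:09 www sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 51240 ssh2
Mar 14 02:11:15 www sshd[2204]: Accepted password for alice from 192.0.2.44 port 50122 ssh2
Mar 14 02:11:40 www kernel: FW DROP SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 14 02:12:01 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21
Mar 14 02:12:03 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 14 02:12:05 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 14 02:12:07 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 14 02:12:09 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=53
Mar 14 02:12:11 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=79
Mar 14 02:12:13 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=110
Mar 14 02:12:15 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=111
Mar 14 02:12:17 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=143
Mar 14 02:12:19 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 14 02:12:21 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=2049
Mar 14 02:12:23 www kernel: FW DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=8080
Mar 14 02:13:30 www kernel: FW DROP SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=443
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Failed password for invalid user (?P<user>\S+) from (?P<src>[\d.]+)")
FW_DROP_RE = re.compile(
    r"FW DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dport>\d+)")


def parse_ts(line):
    """Syslog timestamps carry no year; only differences between them are used."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no syslog timestamp: " + line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")


def analyze(log_text, scan_ports=8, window_seconds=60, probe_attempts=2):
    """Return {'probes': {src: [users tried]}, 'scans': {src: peak distinct ports}}."""
    invalid_logins = defaultdict(list)    # src -> usernames that do not exist
    port_events = defaultdict(list)       # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_ts(line)
        m = INVALID_USER_RE.search(line)
        if m:
            invalid_logins[m["src"]].append(m["user"])
            continue
        m = FW_DROP_RE.search(line)
        if m:
            port_events[m["src"]].append((ts, int(m["dport"])))

    probes = {src: users for src, users in invalid_logins.items()
              if len(users) >= probe_attempts}

    scans = {}
    for src, events in port_events.items():
        events.sort()
        window = deque()                  # events within the last window_seconds
        peak = 0
        for ts, dport in events:
            window.append((ts, dport))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({p for _, p in window}))
        if peak >= scan_ports:
            scans[src] = peak
    return {"probes": probes, "scans": scans}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The sliding window is what keeps a slow, legitimate mix of traffic from being labelled a scan: the same twelve ports spread over a day never exceed the threshold inside any 60-second window, while an automated tool walking them in seconds does. Thresholds are site-specific and should be tuned against a quiet day's logs before alerting on them.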

Page 39: Web security

Packet Sniffer

• A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems.

Page 40: Web security

Malicious Code

• Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started.

Page 41: Web security

Malicious Code

• Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents.