Network Security:
A New Perspective
• Security: State of the Industry
• Case Study: Hacker University
Needs:
• Reliance and dependency on e-business
• Need to interconnect networks
• Direct communication with suppliers and customers
Risks:
• Sensitive information being compromised
• Increased number of intrusions and viruses
• Corporate policies being violated
• Constant attacks from sophisticated offenders
• 12 newborns would be given to the wrong parents each day.
• 291 pacemaker operations would be performed incorrectly.
• 315 entries in Webster's Dictionary would be misspelled.
• 3056 copies of tomorrow's Wall Street Journal would be missing one of the three sections.
• 18,322 pieces of mail would be mishandled every hour.
• 20,000 incorrect drug prescriptions would be written each year.
• 880,000 credit cards would have incorrect cardholder
BASED ON RESPONSES FROM 538 SECURITY SPECIALISTS IN U.S. CORPORATIONS, GOVERNMENT AGENCIES AND UNIVERSITIES.
SOURCE: 2001 COMPUTER SECURITY INSTITUTE/FBI COMPUTER CRIME AND SECURITY SURVEY
Expenses Associated With Electronic Crime Are High
Hypothetical Scenario: $1 Million Stolen From a Small, Online Bank
E-commerce Firms At A Higher Risk
Employees Cause Most Digital Break-Ins
BASED ON A SURVEY OF 1,600 SENIOR INFORMATION TECHNOLOGY PROFESSIONALS
Three-Tier Security Approach
• Avoidance: Apply protective mechanisms (technologies) to reduce unauthorized access and intrusion attacks.
• Intrusion Detection: Try to detect intrusions and attempted intrusions by reviewing audit logs and installing intrusion detection systems.
• Security Investigation: Enable users to recover from security breach damage, prevent breaches from happening again, and prosecute offenders if necessary.
• Even the most sophisticated mechanisms have been compromised by sophisticated hackers
• Firewalls, VPNs, and encryption technologies are complex to deploy and manage – leading to holes and vulnerabilities
• Only detects attacks identified in the signature database
• Large number of false positives and no handling of false negatives
• Low throughput rates
• Limited post-event analysis capabilities
• Requires lots of storage – heavily used networks become a challenge
• Collects all information
• Advanced monitoring system required to find appropriate information quickly
• Hackers usually come through back door
• Hijacking computers, Installation of Trojan Horses, …
• Any hacker who breaks into a site erases all logs which are capable of tracking them
• Log analysis tools can be ineffective
• Correlation of log data is difficult because of lack of synchronization between systems
• Sifting through “tons” of log data / alarms requires trained resources and time
• Web Defacements
• Domain Name Service (DNS) Attacks
• Distributed Denial of Service (DDoS) Attacks
• Viruses and Worms
• Routing Vulnerabilities
• Infrastructure Attacks
[Diagram: Internet host x.x.x.x, firewall, internal hosts r.r.r.r, s.s.s.s, t.t.t.t and y.y.y.y, with a NIDS on the internal network. NIDS alerts: "12:13 Scan detected from host x.x.x.x", "12:14 Buffer overflow on host y.y.y.y". Recorded flows: 12.13.01 tcp hosts x.x.x.x r.r.r.r; 12.13.02 tcp hosts x.x.x.x s.s.s.s; 12.13.03 tcp hosts x.x.x.x t.t.t.t; 12.13.04 tcp hosts x.x.x.x y.y.y.y; 12.14.13 tcp hosts x.x.x.x y.y.y.y; 12.14.15 tcp hosts x.x.x.x y.y.y.y; 13.00.45 tcp hosts x.x.x.x y.y.y.y]
[Diagram: ISP / service provider routers, firewall, internal hosts, with a NIDS. NIDS alert: "12:13 Denial of service attack". Recorded per-minute entries from 12:13 to 12:21: "tcp traffic to x.x.x.x – detailed data". Labels: "Packet-level analysis to", "Block tcp packets to address x.x.x.x"]
• Crime Scene: Hacker University
• Case: Student bringing down the grade server
• Verdict: Guilty of penetration, creation of a backdoor, leaving files behind, and launching a DoS attack
• Proverbial Friday Morning – Linux Server is not responding
The screen shows all the traffic during 12:44 pm - 12:49 pm. Most of the traffic monitored was IP (99.91%). The plot reveals a relatively low level of activity and a sudden spike in traffic load at about 12:48:16. Analyzing this traffic segment in more detail reveals a large number of ICMP packets generated from 205.152.118.182 as shown in the
To discover what machines are out there on the network, applications like telnet or ping are employed. We first filter on all telnet traffic to see who was using telnet. The top 20 host pair connections are shown. Notice that there are lots of telnet sessions that involved the IP address 139.92.137.2 with a lot of other machines. All the other machines reside on two known local subnets, 171.64.250.xx and 130.237.15.xx. This clearly indicates that a user on an external host, 139.92.137.2, was
By filtering on all IP traffic involving the host 139.92.137.2, we can focus on everything that this particular user did. The user performed a variety of TCP transactions and sent or received two UDP packets. The time plots suggest that the user surfed around, looking for a vulnerable machine, then broke in somewhere and performed some data transfers
Next, we list all the TCP flows that the attacker was engaged in. Here, we clearly see the sequential progression of actions that the attacker took. First the attacker was hunting for a particular machine to penetrate. In total, 15 different IP hosts were visited before the
We see that the attacker sent some packets to this machine addressed to the sunrpc port. The two UDP packets that we recorded were also targeted to this machine. The method of break-in was a buffer overflow on the sunrpc port. The result was that the attacker gained root access to the machine, which allowed him/her to basically take over the machine. The user creates a "backdoor" through port 60000 which allows him to gain automatic root access via this
After breaking into a local machine, the attacker then performs file transfers of various tools to set up for the attack. The key file that the user transfers is a set of his/her own unix tools. The source code for these tools is bundled in the file tb which he downloads from his
The attacker performs two ftp file transfers back to his/her home server to download two key files: smurf.c which is the code used to instigate the denial of service attack (via broadcast pings) and newones which is a list of 560 IP hosts involved in the attack. These addresses are the destination addresses in the ICMP ping packets sent by
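The investigation above (and the alert-to-flow correlation sketched in the NIDS diagrams) boils down to a handful of queries over flow records: count telnet host pairs, single out the host that is not on a known local subnet, replay that host's flows in time order with the sunrpc, backdoor and ftp ports labelled, and find the ICMP sender behind the spike. The script below is an added example, not part of the original slides or the NetDetector product; the flow records are constructed to resemble the described steps and the subnet, port and address values are taken from the text.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow records (time, proto, src, dst, dst_port); they are
# not taken from the original capture, only shaped like the steps it describes.
FLOWS = [
    ("12:40:01", "tcp", "139.92.137.2", "171.64.250.10", 23),
    ("12:40:05", "tcp", "139.92.137.2", "171.64.250.11", 23),
    ("12:40:09", "tcp", "139.92.137.2", "130.237.15.7", 23),
    ("12:40:30", "tcp", "171.64.250.10", "130.237.15.7", 23),
    ("12:41:02", "udp", "139.92.137.2", "171.64.250.11", 111),
    ("12:41:03", "tcp", "139.92.137.2", "171.64.250.11", 111),
    ("12:42:10", "tcp", "139.92.137.2", "171.64.250.11", 60000),
    ("12:43:00", "tcp", "171.64.250.11", "139.92.137.2", 21),
    ("12:48:16", "icmp", "205.152.118.182", "192.0.2.255", 0),
    ("12:48:16", "icmp", "205.152.118.182", "198.51.100.255", 0),
    ("12:48:17", "icmp", "205.152.118.182", "203.0.113.255", 0),
    ("12:48:20", "icmp", "171.64.250.10", "171.64.250.1", 0),
]
LOCAL_NETS = [ip_network("171.64.250.0/24"), ip_network("130.237.15.0/24")]
PORT_LABELS = {21: "ftp", 23: "telnet", 111: "sunrpc", 60000: "backdoor"}

def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)

def telnet_host_pairs(flows, top=20):
    """Step 1: count telnet (tcp/23) host pairs, most active first."""
    pairs = Counter((s, d) for _, p, s, d, dp in flows if p == "tcp" and dp == 23)
    return pairs.most_common(top)

def external_telnet_hosts(flows):
    """Hosts in the telnet pairs that lie outside the known local subnets."""
    hosts = {h for pair, _ in telnet_host_pairs(flows) for h in pair}
    return sorted(h for h in hosts if not is_local(h))

def attacker_timeline(flows, attacker):
    """Steps 2-3: every flow touching the attacker, in time order, ports labelled."""
    hits = [(t, p, s, d, PORT_LABELS.get(dp, str(dp)))
            for t, p, s, d, dp in flows if attacker in (s, d)]
    return sorted(hits)

def icmp_spike_sources(flows, threshold):
    """Step 4: ICMP senders at or above the threshold (the broadcast-ping burst)."""
    counts = Counter(s for _, p, s, _, _ in flows if p == "icmp")
    return [(s, n) for s, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ext in external_telnet_hosts(FLOWS):
        print("external telnet host:", ext)
        for row in attacker_timeline(FLOWS, ext):
            print("  ", *row)
    print("icmp burst sources:", icmp_spike_sources(FLOWS, 3))
```

The ordering of labelled ports in the timeline (telnet probes, then sunrpc, then the port 60000 backdoor, then ftp) is the same progression the slides reconstruct from the real capture.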
• NetDetector – “Security Camera for Your Network”
• WAN/LAN Networks up to gigabit speeds
• Store up to 1 TB of Data
• Integrated IDS
• Application reassembly
  – Telnet
  – Instant Messenger
  – Web
  – VoIP