Intro, history, hacking: Network Security Lecture 1

SLIDE 1

Intro, history, hacking

Network Security Lecture 1

SLIDE 2

Welcome to Network Security

Should be able to

  • identify design and implementation vulnerabilities in network protocols and applications
  • exploit such vulnerabilities in practice
  • detect and protect from attacks

Skills

  • Ability to analyze the security of networked systems
  • Ability to perform security assessments of a system
  • Ability to fix vulnerabilities

Eike Ritter Network Security - Lecture 1 1

SLIDE 3

Module Outline

  • TCP/IP security
  • Web security
  • Browser security
  • Malicious web
  • Intrusion detection systems

SLIDE 4

Organization

  • Lectures
    – 2/week
  • Office hours
    – Tuesdays 4-5pm, and by appointment
  • Homework
    – 2 assignments (mix of programming, network analysis, attacks)
    – Reading assignments, roughly once a week
  • Examination
    – 1.5 hours
    – Covers everything we discuss in class
  • Grading
    – 80% examination
    – 20% homework
  • Check http://www.cs.bham.ac.uk/~exr/teaching/lectures/networkSecurity/11_12 regularly for updates and news

SLIDE 5

What is expected from you

  • Participate in lectures
    – Handouts are available (print and online), but they don’t cover everything
    – Be active: Something is not clear? Ask questions!
  • Absolutely no plagiarism
    – Be familiar with School’s plagiarism policy
    – It’s OK to discuss with others, but everything you submit must be yours
  • Any problem, doubt, special need: come talk to me

SLIDE 6

NETWORK SECURITY

A brief history

SLIDE 7

‘60

  • Advanced Research Projects Agency (ARPA) funds development of ARPANET
  • First four nodes in 1969
    – UCLA (Vint Cerf, Steve Crocker, Jon Postel, Leonard Kleinrock)
    – SRI (Doug Engelbart)
    – UCSB (Glen Culler, Burton Fried)
    – University of Utah
  • Uses the Network Control Protocol (NCP) through Information Message Processors (IMP)

http://www.computerhistory.org/internet_history/full_size_images/1969_4-node_map.gif

SLIDE 8

‘70

  • UNIX, C, Email, Telnet, FTP, TCP, Ethernet, USENET
  • More hosts join the ARPANET

http://www.computerhistory.org/internet_history/full_size_images/1975_net_map.gif

SLIDE 9

‘80

  • Berkeley UNIX includes the TCP/IP suite (sockets)
  • ARPANET standardizes on TCP/IP (1983)
  • MILNET detaches from public network (ARPANET)
  • DNS

http://www.computerhistory.org/internet_history/full_size_images/1988_nsfnet_map.gif

SLIDE 10

… up to now

  • Even more hosts attach to the Internet
  • 1991: the Web is born (Tim Berners-Lee at CERN)
  • The dot-com boom and bust

http://opte.org/maps/

SLIDE 11

Vulnerabilities

Source: http://web.nvd.nist.gov/view/vuln/statistics

SLIDE 12

Incidents

  • Stats from cert.org/stats/
  • “Incident reports received - Given the widespread use of automated attack tools, attacks […] have become so commonplace […] provide little information with regard to assessing the scope and impact of attacks. Therefore, we stopped providing this statistic at the end of 2003.”
  • So, we just gave up…

SLIDE 13

Terminology

  • Vulnerability
    – A flaw or weakness in a system's implementation that could be exploited to violate the system's security policy
  • Exploits
    – An attack that leverages a vulnerability to violate a system’s security policy

SLIDE 14

HACKING, HACKERS

SLIDE 15

What is a hacker?

  • The term “hacker” was introduced at MIT in the 60s to describe “computer wizards”
    – “someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker's attitude. Computer programming must be a hobby, something done for fun, not out of a sense of duty or for the money.” (Brian Harvey, UC Berkeley, http://www.cs.berkeley.edu/~bh/hacker.html)
  • It eventually came to denote “malicious hackers” or “crackers”, that is, people who perform intrusions and misuse computer systems
  • More jargon: http://www.eps.mcgill.ca/jargon/jargon.html

SLIDE 16

Phreaking

  • In 1971, John Draper learns that a toy whistle found in Cap’n Crunch cereal boxes emits a tone at a frequency of 2600 Hz
  • The 2600 Hz frequency was used by AT&T to indicate that a trunk line was ready and available to route a new call
  • Free long-distance calls (blue box)…
  • John Draper arrested in 1972 for toll fraud

SLIDE 17

Early problems

  • Bob Metcalfe, “The Stockings Were Hung by the Chimney with Care”, RFC 602, December 1973
  • “The ARPA Computer Network is susceptible to security violations for at least the three following reasons”
    – Sites used to physical limitations of access are not protected against unauthorized access (e.g., passwords which are easy to guess)
    – “The TIP allows access to the ARPANET to a much wider audience than is thought or intended.”
    – “There is a lingering affection for the challenge of breaking someone's system”

SLIDE 18

The cuckoo’s egg

  • Cliff Stoll was a system administrator at LBL in 1986
  • While investigating an accounting discrepancy, he discovers an account created without a billing address
  • Further investigation reveals the presence of an intruder
  • Cliff Stoll decides to monitor the actions of the intruder instead of simply cutting him/her off (honeypot of sorts)

SLIDE 19

The cuckoo’s egg – cont’d

  • The vulnerability
    – Emacs provided a utility (movemail) to allow users to change spool file ownership and move it
    – At LBL it was installed setuid root
  • The exploit
    – The attacker used movemail to copy his own script over the atrun utility, which is run periodically with system privileges
  • Consequences
    – Intruder gained root access
    – Used the system to probe military systems in the MILNET
    – Looked for potentially sensitive documents, searching for keywords like “SDI” (Strategic Defense Initiative), “nuclear”, “norad”
  • Investigation
    – FBI involved
    – Connections traced back to Germany
    – In 1989 arrest of Markus Hess, who operated for the KGB

SLIDE 20

The Morris Worm

  • On November 2, 1988, Robert T. Morris releases the Internet worm
  • A mistake in the propagation procedure leads to the overload of infected machines
  • Internet had to be “turned off”
  • RTM was sentenced to three years’ probation, a $10,000 fine, and 400 hours of community service
  • The Computer Emergency Response Team (CERT) was created

SLIDE 21

The Morris Worm – cont’d

  • Worm: self-replicating program that spreads across a network of machines
  • Vulnerabilities & exploits
    – “Debug” function of sendmail, which made it possible to send an email with a program as the recipient
      • Worm sent a message with a body that created a C program which transferred the rest of the modules from the originating host, linked them, and executed them
    – fingerd stack-based buffer overflow
    – Weak passwords
    – Trusted hosts (~/.rhosts)

SLIDE 22

Kevin Mitnick

  • 1981: breaks into Pac Bell phone center. 1 year probation.
  • 1982: cracks Pacific Telephone. 6 months of juvenile prison.
  • 1987: breaks into SCO. 3 years probation.
  • 1988: expelled from Pierce for computer misuse
  • 1992: cracks into California DMV
  • 1994: breaks into San Diego Supercomputer Center
  • 1995: well-publicized arrest (Shimomura and New York Times’ John Markoff)

SLIDE 23

Kevin Mitnick – cont’d

  • Christmas 1994 attack against San Diego Supercomputer Center (SDSC)
  • Sophisticated TCP spoofing attack, which exploits the trust relationship between two hosts, x-terminal and server
    – x-terminal: diskless host
    – server: host providing boot images to x-terminal
    – x-terminal allows unauthenticated logins and commands from server
  • Exploit
    – DoS against server
    – Attacker spoofs server and injects command
      # rsh x-terminal "echo + + >>/.rhosts"
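
A defender-side check for the trust mechanism abused on this slide, as an added example that is not part of the original lecture: it parses `.rhosts` / `hosts.equiv` text and flags entries that trust by source address or by wildcard, including the `+ +` line. The function name, severity labels and sample content are constructed for illustration, and treating `#` as a comment marker is an assumption.

```python
"""Added example: audit .rhosts / hosts.equiv text for risky trust entries."""

# Constructed sample content, not taken from any real host.
SAMPLE = """\
# trust entries for the boot server
server root
backup.example.org +
-untrusted.example.org
+ +
"""

def audit_rhosts(text):
    """Return a list of (line_no, severity, reason) findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host.startswith("-") or user.startswith("-"):
            continue  # explicit deny entries grant no access
        if host == "+" and user == "+":
            reason = ("critical", "any user from any host is trusted")
        elif host == "+":
            reason = ("critical", "any host is trusted")
        elif user == "+":
            reason = ("high", f"any user on {host} is trusted")
        elif host.startswith("+@") or user.startswith("+@"):
            reason = ("medium", "netgroup trust: review its membership")
        else:
            # Named hosts are still authenticated only by source address,
            # the property the spoofing attack on this slide relied on.
            reason = ("low", f"{host} is trusted by source address alone")
        findings.append((no, *reason))
    return findings

if __name__ == "__main__":
    for no, severity, why in audit_rhosts(SAMPLE):
        print(f"line {no}: [{severity}] {why}")
```
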

SLIDE 24

Other famous incidents

  • Summer 2001: Code Red
    – Exploits buffer overflow in IIS
    – Defaces the vulnerable site to display: HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
  • August 2003: Blaster worm
    – Exploits buffer overflow in DCOM RPC service of Windows and binds a command shell to port 4444 of the infected target
    – Transfers payload on compromised machine via TFTP
    – SYN floods windowsupdate.com (but not windowsupdate.microsoft.com)
    – Jeffrey Lee Parson, 18 year old, arrested

SLIDE 25

Even more incidents

  • October 2005: Samy
    – XSS worm spreading on myspace.com
    – Displays the string “but most of all, Samy is my hero”, sends a friend request to the author of the worm, posts messages containing the payload to friends of the victim
    – In 20 hours, it infected over one million users
  • July 2010: Stuxnet
    – Spies and reprograms industrial systems (e.g., power plants, nuclear reactors)

SLIDE 26

Incidents overview

  • Motivations
    – Free phone calls
    – Test what is possible
    – Spy on military systems
    – Bragging rights
    – Denial of service
    – Delay nuclear program in nation state (perhaps)
  • Targeted systems
    – Phone networks
    – UNIX, Windows systems
    – Web applications
    – Industrial control systems
  • Techniques
    – Signaling attacks
    – Buffer overflows, privilege escalation, etc.
    – Social engineering
    – Network flooding
    – 0-day exploits, testing on mock systems, etc.

SLIDE 27

ETHICS, RULES, LAWS

SLIDE 28

Ethics

  • We will look at how to break software and protocols and discuss attacks
    – The goal is to educate and increase awareness
    – The goal is to teach how to build a more secure computing environment
  • None of this is in any way an invitation to undertake these attacks in any fashion other than with the informed consent of all involved parties
  • If unsure, come talk with me first

SLIDE 29

SoCS Computer Policy

  • http://www.it.bham.ac.uk/policy/
  • “Any person who wilfully and knowingly gains unauthorised access to a computer system or attempts to disable a computer system commits a disciplinary offence.”
  • “Any person who wilfully, knowingly and without authorisation introduces or attempts to introduce a virus or other harmful or nuisance program or file, or to modify or destroy data […] commits a disciplinary offence.”
  • “Any person who wilfully, knowingly and without authorisation denies access or attempts to deny access […] commits a disciplinary offence.”
  • “Any unauthorised person who attempts to monitor traffic on the University Network or any person who attempts to connect an unauthorised device with the intention of monitoring traffic (ie eavesdropping) commits a disciplinary offence”

SLIDE 30

Would you hire a hacker?

Yes, because… No, because…

SLIDE 31

Some definitely would not

SLIDE 32

NEXT ON

SLIDE 33

Next time

  • TCP/IP
  • Some attacks against network protocols
