The Barbarians are Here!

Jeff Schiller

How to compromise a password

  • start w/a compromised system
  • instrument the system by installing a trojan horse

    It doesn't matter if it's not in the dictionary, or how often you change your password: sniffers usually yield lots of passwords. ISPs are a popular target. ISPs usually won't bother to tell you either. Back in the old days of NEARnet, a bunch of passwords were sniffed, but the management didn't want to tell the account holders. Policymakers seemed to think admitting that they had been broken into would make them look insecure (duh).

    If a password is compromised, it's hard to figure out where: over your shoulder? At the ISP? It's hard to assign responsibility/liability. In the age of key recovery, this grows dangerous.

    Program Security

  • Famous case (sendmail in 1988 contained a debug command that permitted execution of arbitrary code by outsiders)
  • exploit vulnerability in a program or protocol
  • Another example: Network 3.x and the Delft University of Technology attack.

    Some companies (notably Microsoft) say: Customers don't ask for security. But that's because customers ASSUME their systems are secure!

    A new exploit allows people to pose as the router and intercept packets. This affects Win95, 98, NT. Microsoft's point of view: "The standards bodies made us do it this way."

    Inappropriate trust

    Session stealing

  • takes advantage of inappropriate trust
  • permits an attacker to capture and take over a network session (program called IP Watcher)
  • works through firewalls!!!

    All you have to do is wait for someone to connect and steal their session. Specifically being used to take over connections to Cisco routers via telnet. Then you can remove port filters.

    Firewalls & Security

  • firewalls work on the theory that all the bad guys are outside
  • common scenarios: only permit outgoing traffic, etc.

    Buffer Overruns

  • modern memory divided into 8-bit bytes
  • all data types represented by some collection of these bytes
  • example: an integer on a Pentium is 32 bits long and consumes 4 bytes

    Buffer overruns are facilitated by languages like C. Memory has finite size. No run-time checking ensures that data written into an array will in fact fit.

  • it's up to the programmer to do this, but it's hard to do.

    Much testing is designed around instances of mistakes. But security attacks are launched by thinking individuals, who will anticipate what you've done and try other things.

    Types of Buffer Overruns

  • data overruns
  • stack overruns to modify the return address; temp variables are often stored on the stack, including the return address. Then the exploit references the stack pointer.

    What Causes these Problems?

  • C, C++
  • languages require programmers to know how big their data elements are
  • programmer must always check lengths when writing to memory
  • this is time consuming and hard
  • few tools exist for checking programs for overruns
  • error checking in C is minimal
  • most programs are written on a deadline, with little QA

    Just about any system can be affected: Unix, Windows, MacOS ... any system written in C, C++ or some other languages. Code reuse aggravates this problem.
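    The point above (C does no run-time length check; the programmer has to supply it) as an added example, not code from the talk: a fixed-size name buffer filled first by an unchecked strcpy and then by a copy routine that refuses input that would not fit. The function names and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* a typical fixed-size C buffer */

/* The defect described in the talk: strcpy copies until it sees a NUL and has
   no idea how large the destination is.  A 40-byte input overruns the 16-byte
   array and overwrites whatever sits next to it on the stack (possibly a saved
   return address).  Shown only for contrast with the checked version below. */
int copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);            /* no length check at all */
    return 0;
}

/* The programmer-supplied check that C leaves to you: measure the input,
   refuse anything that would not fit including its terminating NUL, and
   leave the buffer in a defined state when rejecting. */
int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {
        if (dst_len > 0)
            dst[0] = '\0';       /* reject; do not silently truncate */
        return -1;
    }
    memcpy(dst, src, n + 1);     /* exactly n bytes plus the NUL */
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    /* constructed inputs: one that fits, one that would overrun */
    const char *ok  = "alice";
    const char *bad = "this-login-name-is-far-too-long-for-the-buffer";
    printf("checked(ok)  -> %d (%s)\n",
           copy_name_checked(name, sizeof name, ok), name);
    printf("checked(bad) -> %d (rejected)\n",
           copy_name_checked(name, sizeof name, bad));
    return 0;
}
```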

    DoS Attacks

  • shuts you down by denying you network services
  • simple packet floods to overload your server
  • more complex attacks to crash your server or otherwise overload it without requiring a flood

    Currently, Linux is popular, so there are lots of exploits. But if NT becomes more popular, it will become a better target. (See Back Orifice.)

    SYN Attack

  • Modern TCP stacks can defend against a SYN attack (even though you need only 1 packet every 15 seconds to get hammered) by increasing support from 5 half-open connections to 100 or more (5 is *not enough* for heavily trafficked web servers)
  • if more than half of these are in use (which should only happen during an attack), flush half at random

    Smurf attack

  • The attacker sends a packet to a router with a directed broadcast address, and all the innocent machines send their responses to the victim. The attack looks like it's coming from the router, not the attacker. Hijacking a really fast connection to perpetrate a smurf attack is very attractive. Virtually impossible to trace.