The Barbarians are Here!
How to compromise a password
start w/a compromised system
instrument the system by installing a trojan horse
It doesn't matter if it's not in the dictionary, or how often you
change your password sniffers usually yield lots of passwords.
ISPs are a popular target. ISPs usually won't bother to tell you
either. Back in the old days of NEARnet, a bunch of passwords were
sniffed, but the management didn't want to tell the account holders.
Policymakers seemed to think admitting that they had been broken into
would make them look insecure (duh).
If a password is compromised, it's hard to figure out where over
your shoulder? at the ISP? It's hard to assign
responsibility/liability. In the age of key recovery, this grows
Famous case (sendmail in 1988 contained a debug command that
permitted execution of arbitrary code by outsiders)
exploit vulnerability in a program or protocol
Another example: Network 3.x and the Delft University of Technology attack.
Some companies (notably Microsoft) say: Customers don't ask for
security. But that's because customers ASSUME their systems are secure!
A new exploit allows people to pose as the router and intercept
packets. This affects Win95, 98, NT. Microsoft's point of view: "The
standards bodies made us do it this way."
takes advantage of inappropriate trust
permits an attacker to capture and take over a network session
(program called IP Watcher)
works through firewalls!!!
All you have to do is wait for someone to connect and steal their
session. Specifically being used to take over connections to Cisco
routers via telnet. Then you can remove port filters.
Firewalls & Security
firewalls work on the theory that all the bad guys are outside
common scenarios: only permit outgoing traffic, etc.
modern memory divided into 8-bit bytes
all data types represented by some collection of these bytes
example: an integer on a Pentium is 32 bits long and consumes 4 bytes
Buffer overruns facilitated by programs like C. Memory has finite
size. No run-time checking ensures that data written into an array
will in fact fit it's up to the programmer to do this, but it's
hard to do.
Much testing is designed around instances of mistakes. But security
attacks are launched by thinking individuals, who will anticipate
what you've done and try other things.
Types of Buffer Overruns
stack overruns to modify return address; temp variables often
stored on stack, including return address. then exploit references
What Causes these Problems?
languages require programmers to know how big their data elements are
programmer must always check lengths when writing to memory
this is time consuming and hard
few tools exist for checking programs for overruns
error checking in C is minimal
most programs are written on a deadline, with little QA
Just about any system can be affected: Unix, Windows, MacOS ... any
system written in C, C++ or some other languages; code-reuse
aggravates this problem
shuts you down by denying you network services
simple packet floods to overload your server
more complex attacks to crash your server or otherwise overload it
without requiring a flood
Currently, Linux is popular, so there are lots of exploits. But if NT
becomes more popular, it will become a better target. (See Back
Modern TCP stacks can defend against a syn attack (even though you
need only 1 packet every 15 seconds to get hammered) by increasing support from 5 half-open connections to 100 or more (5 is *not enough* for heavily trafficked web servers)
if more than half of these are in use (which should only happen
during an attack), flush half at random
Attacker sends packet to router w/directed broadcast
address, all the innocent machines send response to victim. Attack
looks like it's coming from router, not attacker. Very attractive to
hijack a really fast connection to perpetrate a smurf attack.
Virtually impossible to trace.