Professional Documents
Culture Documents
Eaheart CurrentInternetThreats
Eaheart CurrentInternetThreats
Security Forum
February 27, 2002
Presentations
Bill Eaheart
Network Security – Network & Telecom
Current Threats
Eric Pancer
Systems Security – ISS
The Audience is listening
John Kristoff
Manager R&D - Network & Telecom
Data Leaks
Rob Thomas
Guest Speaker - Life in the Underground
Information Security at DePaul
Information Security Team (INFOSEC)
Eric Pancer – System Security
Bill Eaheart – Network Security
Defense in depth
Physical Security
Intrusion Detection Systems
Firewalls
Auditing
Virtual Private Networks
Encryption
Strong Passwords
Access control Lists
Logging
Crackers
One who breaks security on a system
Script Kiddies
Do mischief with scripts and programs written by others, often
without understanding the exploit they are using.
Are you safe?
10
Skill Level
6
Sophistication of Tools
4
0
92 93 94 95 96 97 98 99 00 01
Show me the numbers!
2001 CSI/FBI Computer Crime and Security Survey
Unauthorized Use of Computer Systems
within the last 12 months
80
Percentage of Respondents
70
70 6462 64
1996
60
50 1997
50 42
37 1998
40 33
1999
30 25
2119 2000
181716 1818
20 1211 2001
10
0
Yes No Don't Know
80% of problems are due to ….
Is this changing?
Point of Attack
80
70
Percentage of Respondents
70
59 1996
60 54 52 54 57
51 1997
47
50 44
38 39 38 1998
40 35
31 1999
28
30 24 22
18 2000
20
2001
10
0
Internal Systems Remote Dial-in Internet
CERT Web Site
www.cert.org
CERT Statistics
1996 - 2001
Incidents Reported
Vulnerabilities Reported
Ports
Services
Third-party software
Passwords
Social Engineering
Back Doors
Trojan Horses
Information Gathering
The Company
Find Initial Information
Available information
Whois
Nslookup - Host
Host Look up
Name: test.company.com
Address: 10.10.81.10
Aliases: www.company.com
Information Gathering
Traceroute
ARIN whois
The Company (NET-COMPANY)
100 South State Street Avenue
Chicago, IL 60612
US
Netname: COMPANY
Netblock: 10.10.0.0 - 10.10.255.255
Coordinator:
Company Administrator (ZD12-ARIN) abuse@company.com
(312) 323-1234
DNS1.COMPANY.COM 10.10.120.120
DNS2.COMPANY.COM 10.10.240.120
user@test /]#
Tracing route to DNS1.company.com [10.10.80.10]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms badguy.home.com [192.20.40.50]
2 <1 ms <1 ms <1 ms rtr-isp.com [192.10.30.30]
3 <1 ms <1 ms <1 ms rtr-isp.com [192.10.20.20]
4 <1 ms <1 ms <1 ms 192.10.10.10
5 1 ms 1 ms 1 ms isp.location.net [16.6.9.33]
6 1 ms 1 ms 1 ms 16.6.9.122
7 15 ms 14 ms 11 ms 16.6.9.218
8 8 ms 10 ms 5 ms 10.10.1.1.
9 48 ms 84 ms 59 ms test.company.com [10.10.120.120]
Trace complete.
Information Gathering
Nessus
SAINT
Nessus
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 4
- Number of security warnings found : 18
- Number of security notes found : 4
TESTED HOSTS
test.company.com (Security holes found)
DETAILS - List of open ports :
. Information found on port telnet (23/tcp)
Remote telnet banner :
HP-UX test B.11.00 U 9000/800 (tc)
login:
ÿüÿüÿþÿþ!ÿþ
. Vulnerability found on port snmp (161/udp) : SNMP community name: public
CVE : CAN-1999-0517 CVE : CVE-1999-0018
------------------------------------------------------
This file was generated by the Nessus Security Scanner
Information Gathering
Types of Machines
Potential vulnerabilities
MD5
Encryption - secure communication and data storage
GNU PG
Complete and free replacement for PGP
Can be used without restriction
Public/Private Key
Encryption
Plain Text
This is a test message.
Encrypted
-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
qANQR1DBwU4DSTJMC1F2PksQCACdcf2IVYDlAr76yd5HF25PA3Qh6CCGBucLxgbt
KQ5DfRqHduaU7BiCFbbbf188PM2iJraUsYUTz7kZAJ8DNx7JsJZcmo1gvs8UGUuP
7jkSBEGSv59C3sXOMq9Zvzcd0uReWzzsZv+cjqZNBkKlueC88sYZvaFM4DAfbpkf
gXK2XWRVbgymilclY3drHiyBVAk+EGmmQ2gZ4sNLZmoFlPD1G2SOuQhp63n2XgHT
ce/DpZ+rjDvF0dpDkv30G609cC82E0mVnzV9Ca6qNmxB2LY5P94ido2mfPp55T8h
5VBGL2k3pQOblpjE0fN8un8vHzM6fab5pCALDnUI06v5YVzZB/4yFGXOqUvd3fgf
1o/ayYkKZ+Cb6eKkUz4EmXASBmQNM9VBgXTjaizEHC4WCj3Crm7R1InDO9c47/9i
YZZ6sHLJ0h5TU8SM1KfFRuJat438B2DElc9AECDQsqEM64BEOmqTKRkZ8OGdV0aE
GcUpwcaif7WbrOlA8c/8kiNOOGGP/SqjnEesxjNfloKkhuy3Ck+j+D6jGu8B/96c
YsKcKKk6GQwzopSmivhCZHOmDOdA4LIHzY+KTma+ASJGDlO1RTCECvQncn1G77Ll
ktbBo5AtgeHi1uvk4qj1ZFr7fyVhwRdGP2wbxq8JupZ8h5DPyT4wM7TpgtlEjeSJ
l4vuObkzyS4QPOiAADW3IxHheN/8ZAnW9V1M7B26ZXK0v15htVNwUPFuKghw4kOP
epYVa+8f
=WOpm
-----END PGP MESSAGE-----
Telnet
Telnet
Plain Text!!
SSH
Secure Shell program to log into another
computer over a network,
secure communications over insecure
channels.
Encrypted text
I smell a password…
Telnet session:
Frame 30 (61 on wire, 61 captured) Telnet Data: login:
Frame 32 (55 0n wire, 55 captured) Telnet Data: f
Frame 36 (55 on wire, 55 captured) Telnet Data: r
Frame 48 (55 on wire, 55 captured) Telnet Data: e
Frame 51 (55 on wire, 55 captured) Telnet Data: d
Frame 53 (54 on wire, 54 captured) Telnet Data: Password:
Frame 60 (55 on wire, 55 captured) Telnet Data: f
Frame 62 (55 on wire, 55 captured) Telnet Data: r
Frame 65 (55 on wire, 55 captured) Telnet Data: e
Frame 66 (55 on wire, 55 captured) Telnet Data: d
Frame 68 (55 on wire, 55 captured) Telnet Data: f
Frame 69 (60 on wire, 60 captured) Telnet Data: o
Frame 72 (55 on wire, 55 captured) Telnet Data: o
MD5
MD5 is a one-way hash function, meaning that
it takes a message and converts it into a fixed
string of digits, also called a message digest.
www.cert.org
www.ciac.org/ciac
www.incidents.org
www.securityfocus.com
http://csrc.ncsl.nist.gov/
Vendor sites for patches
References
Network Security, Private Communication in a PUBLIC World, by
Charlie Kaufman, Radia Perlman and Mike Speciner
www.webopedia.com
www.nessus.org
www.nmap.org
www.cert.org