
DePaul University

Security Forum
February 27, 2002
Presentations
 Bill Eaheart
 Network Security – Network & Telecom
 Current Threats
 Eric Pancer
 Systems Security – ISS
 The Audience is listening
 John Kristoff
 Manager R&D - Network & Telecom
 Data Leaks
 Rob Thomas
 Guest Speaker - Life in the Underground
Information Security at DePaul
 Information Security Team (INFOSEC)
 Eric Pancer – System Security
 Bill Eaheart – Network Security

 Role at the University
  Promote awareness
  Assist with computer security
  Provide guidance and resources to DePaul community
 Contact
 infosec@infosec.depaul.edu
 abuse@depaul.edu
 http://networks.depaul.edu/security/
Security Principles

 Defense in depth
 Physical Security
 Intrusion Detection Systems
 Firewalls
 Auditing
 Virtual Private Networks
 Encryption
 Strong Passwords
 Access Control Lists
 Logging

 Prevention is ideal – Detection is a must


 Security through obscurity
Who are the threats?
Hackers
A person who enjoys exploring the details of programmable
systems and how to stretch their capabilities

Crackers
One who breaks security on a system

Script Kiddies
Do mischief with scripts and programs written by others, often
without understanding the exploit they are using.
Are you safe?

[Chart: Hacker/Cracker Skills vs. Availability of Sophisticated Tools, 1992–2001. Two series, Skill Level and Sophistication of Tools, plotted on a 0–12 scale.]
Show me the numbers!
2001 CSI/FBI Computer Crime and Security Survey

[Chart: Unauthorized Use of Computer Systems within the last 12 months. Y-axis: Percentage of Respondents (0–80); categories: Yes, No, Don't Know; one series per year, 1996–2001.]
80% of problems are due to ….
 Is this changing?
Point of Attack

[Chart: Point of Attack. Y-axis: Percentage of Respondents (0–80); categories: Internal Systems, Remote Dial-in, Internet; one series per year, 1996–2001.]
CERT Web Site
www.cert.org

CERT Statistics 1996 - 2001

Year                     1996   1997   1998   1999    2000    2001
Incidents Reported       2573   2134   3734   9859   21576   52658
Vulnerabilities Reported  345    311    262    417    1090    2437
Why do they do it?
 Information
 Corporate
 Source Code
 Resources
 Storage
 Access
 Bandwidth
 Launching point
 Challenge
 Activism
 Political - Hacktivism
How do they get in?

 Ports
 Services
 Third-party software
 Passwords
 Social Engineering
 Back Doors
 Trojan Horses
Information Gathering

 The Company
 Find Initial Information
 Available information
 Whois

 Nslookup - Host
Host Look up

[user@test /]# host www.company.com


Server: host.atthome.com
Address: 192.168.10.10

Name: test.company.com
Address: 10.10.81.10
Aliases: www.company.com
Information Gathering

 Address Range of the Network


 American Registry for Internet numbers www.arin.net
 Asia Pacific Network Information www.apnic.net
 Reseaux IP Europeens www.ripe.net
 Cyberabuse – www.cyberabuse.org

 Traceroute
ARIN whois
The Company (NET-COMPANY)
100 South State Street Avenue
Chicago, IL 60612
US

Netname: COMPANY
Netblock: 10.10.0.0 - 10.10.255.255

Coordinator:
Company Administrator (ZD12-ARIN) abuse@company.com
(312) 323-1234

Domain System inverse mapping provided by:

DNS1.COMPANY.COM 10.10.120.120
DNS2.COMPANY.COM 10.10.240.120

Record last updated on 26-Mar-2001.


Database last updated on 25-Feb-2002 20:01:06 EDT.
Traceroute

[user@test /]#
Tracing route to DNS1.company.com [10.10.80.10]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms badguy.home.com [192.20.40.50]
2 <1 ms <1 ms <1 ms rtr-isp.com [192.10.30.30]
3 <1 ms <1 ms <1 ms rtr-isp.com [192.10.20.20]
4 <1 ms <1 ms <1 ms 192.10.10.10
5 1 ms 1 ms 1 ms isp.location.net [16.6.9.33]
6 1 ms 1 ms 1 ms 16.6.9.122
7 15 ms 14 ms 11 ms 16.6.9.218
8 8 ms 10 ms 5 ms 10.10.1.1.
9 48 ms 84 ms 59 ms test.company.com [10.10.120.120]

Trace complete.
Information Gathering

 Find Active Machines


 Ping
 Ping Sweep
Ping Sweep
[user@test /]# nmap -sP 10.10.82.11-30

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )


Host d8211.company.com (10.10.82.11) appears to be up.
Host d8212.company.com (10.10.82.12) appears to be up.
Host d8213.company.com (10.10.82.13) appears to be up.
Host d8214.company.com (10.10.82.14) appears to be up.
Host d8215.company.com (10.10.82.15) appears to be up.
Host d8216.company.com (10.10.82.16) appears to be up.
Host d8217.company.com (10.10.82.17) appears to be up.
Host d8218.company.com (10.10.82.18) appears to be up.
Host d8220.company.com (10.10.82.20) appears to be up.
Host d8221.company.com (10.10.82.21) appears to be up.

Nmap run completed -- 21 IP addresses (18 hosts up) scanned in 2 seconds
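A defender's view of the sweep above: this added example (not from the slides) takes constructed firewall log lines of ICMP echo requests and flags any source that probes many distinct hosts within a short window, which is the trace a ping sweep leaves in logs. The log format, the 8-host threshold and the 10-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the slides): one line per inbound
# ICMP echo request, "<date> <time> ICMP echo-request <src> -> <dst>".
SAMPLE_LOG = """\
2002-02-27 10:00:01 ICMP echo-request 192.168.1.50 -> 10.10.82.11
2002-02-27 10:00:01 ICMP echo-request 192.168.1.50 -> 10.10.82.12
2002-02-27 10:00:01 ICMP echo-request 192.168.1.50 -> 10.10.82.13
2002-02-27 10:00:02 ICMP echo-request 192.168.1.50 -> 10.10.82.14
2002-02-27 10:00:02 ICMP echo-request 192.168.1.50 -> 10.10.82.15
2002-02-27 10:00:02 ICMP echo-request 192.168.1.50 -> 10.10.82.16
2002-02-27 10:00:02 ICMP echo-request 192.168.1.50 -> 10.10.82.17
2002-02-27 10:00:02 ICMP echo-request 192.168.1.50 -> 10.10.82.18
2002-02-27 10:00:03 ICMP echo-request 192.168.1.50 -> 10.10.82.20
2002-02-27 10:00:03 ICMP echo-request 192.168.1.50 -> 10.10.82.21
2002-02-27 10:05:00 ICMP echo-request 10.10.82.5 -> 10.10.82.11
2002-02-27 10:30:00 ICMP echo-request 10.10.82.5 -> 10.10.82.12
"""

def parse_line(line):
    """Split one log line into (timestamp, source, destination)."""
    date, time, _proto, _kind, src, _arrow, dst = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst

def find_ping_sweeps(log_text, min_hosts=8, window=timedelta(seconds=10)):
    """Return {source: max_distinct_targets} for every source that pinged at
    least `min_hosts` distinct destinations inside any `window`-long interval.
    A host pinging one or two peers over a long period never hits the threshold."""
    probes_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            probes_by_src[src].append((ts, dst))
    sweeps = {}
    for src, probes in probes_by_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):          # sliding time window
            while probes[end][0] - probes[start][0] > window:
                start += 1
            targets = {dst for _, dst in probes[start:end + 1]}
            if len(targets) >= min_hosts:
                sweeps[src] = max(sweeps.get(src, 0), len(targets))
    return sweeps

if __name__ == "__main__":
    for src, count in find_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} hosts probed")
```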


Information Gathering

 Find open ports


 Port scanners
 Scanport for Windows
 Nmap for *nix

 Modems – War dialing

 Figure out the operating system


 Nmap
Nmap
[user@test /]# nmap -O 10.10.82.11
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on test.company.com (10.10.1.1):
(The 1520 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
37/tcp open time
6112/tcp open dtspc
Remote OS guesses: Windows ME or Windows 2000 RC1 through final release
Uptime 20.028 days (since Wed Feb 6 11:05:16 2002)
Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
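What the same nmap output tells the host's own administrators: the added example below (not part of the presentation) parses nmap's port table exactly as printed on the slide and checks each open service against a hypothetical hardening policy that names the legacy "small services" (echo, discard, daytime, chargen, time) and the cleartext login services (ftp, telnet) the later slides argue should give way to SSH.

```python
import re

# The port table from the slide, embedded here as the input to audit.
NMAP_OUTPUT = """\
Interesting ports on test.company.com (10.10.1.1):
(The 1520 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
37/tcp open time
6112/tcp open dtspc
Remote OS guesses: Windows ME or Windows 2000 RC1 through final release
"""

# Hypothetical local policy (an assumption, not from the slides): service name -> reason.
POLICY = {
    "echo": "legacy small service, no business use; disable",
    "discard": "legacy small service, no business use; disable",
    "daytime": "legacy small service, no business use; disable",
    "chargen": "legacy small service, usable for traffic amplification; disable",
    "time": "legacy small service, no business use; disable",
    "ftp": "sends credentials in cleartext; replace with SFTP/SCP",
    "telnet": "sends credentials in cleartext; replace with SSH",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")

def parse_ports(text):
    """Return [(port, proto, state, service)] from the lines of nmap's port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports

def audit(text, policy=POLICY):
    """Return [(port, service, reason)] for open ports the policy says must not be exposed."""
    return [(port, svc, policy[svc])
            for port, _proto, state, svc in parse_ports(text)
            if state == "open" and svc in policy]

if __name__ == "__main__":
    for port, svc, reason in audit(NMAP_OUTPUT):
        print(f"{port:>5}/tcp {svc:<8} {reason}")
```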
Information Gathering

 Figure out which services are running


 Assumptions
 Telnet
 Vulnerability scanners
 Commercial
 ISS – Internet Scanner
 CyberCop
 Secure Scanner
 Shareware
 SARA

 Nessus

 SAINT
Nessus
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 4
- Number of security warnings found : 18
- Number of security notes found : 4
TESTED HOSTS
test.company.com (Security holes found)
DETAILS - List of open ports :
. Information found on port telnet (23/tcp)
Remote telnet banner :
HP-UX test B.11.00 U 9000/800 (tc)
login:
ÿüÿüÿþÿþ!ÿþ
. Vulnerability found on port snmp (161/udp) : SNMP community name: public
CVE : CAN-1999-0517 CVE : CVE-1999-0018
------------------------------------------------------
This file was generated by the Nessus Security Scanner
Information Gathering

 Exploiting the system
  Clear map of the network
  Active Machines
  Types of Machines
  Ports and Services
  Potential vulnerabilities
 Look for known vulnerabilities and run exploits
Security Tools
 Port Scanner – Nmap
 Anti Virus – Norton’s, McAfee, Inoculate IT
 Vulnerability Scanner – Nessus
 Firewall – ZoneAlarm, PortSentry
 IDS - Snort
 Encryption Software – PGP, GNU PG
 SSH
 OpenSSH

 PuTTY – ssh client

 MD5
Encryption - secure communication and data storage

 Pretty Good Privacy – PGP
  Developed by Philip Zimmermann
  Restricted use

 GNU PG
  Complete and free replacement for PGP
  Can be used without restriction

 Public/Private Key
Encryption
Plain Text
This is a test message.

Encrypted
-----BEGIN PGP MESSAGE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
-----END PGP MESSAGE-----
Telnet

 Telnet
  Plain Text!!
 SSH
  Secure Shell program to log into another computer over a network
  Secure communications over insecure channels
  Encrypted text
I smell a password…
Telnet session:
Frame 30 (61 on wire, 61 captured) Telnet Data: login:
Frame 32 (55 on wire, 55 captured) Telnet Data: f
Frame 36 (55 on wire, 55 captured) Telnet Data: r
Frame 48 (55 on wire, 55 captured) Telnet Data: e
Frame 51 (55 on wire, 55 captured) Telnet Data: d
Frame 53 (54 on wire, 54 captured) Telnet Data: Password:
Frame 60 (55 on wire, 55 captured) Telnet Data: f
Frame 62 (55 on wire, 55 captured) Telnet Data: r
Frame 65 (55 on wire, 55 captured) Telnet Data: e
Frame 66 (55 on wire, 55 captured) Telnet Data: d
Frame 68 (55 on wire, 55 captured) Telnet Data: f
Frame 69 (60 on wire, 60 captured) Telnet Data: o
Frame 72 (55 on wire, 55 captured) Telnet Data: o
MD5
 MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.

[user@test /]# md5sum test.txt


2d282102fa671256327d4767ec23bc6b test.txt

[user@test /]# md5sum test.txt


2bc4fd1e721de48ca6dfd992b2e88712 test.txt
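The two md5sum runs above print different digests for the same file name, which is the integrity use of a message digest: a digest recorded earlier reveals that a file has since changed. The added example below (not from the slides) implements that baseline-and-verify check with Python's hashlib over constructed file contents; the file names and bytes are sample values.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    """The same 32-hex-digit digest that md5sum prints for a file's bytes."""
    return hashlib.md5(data).hexdigest()

def baseline(files):
    """files: {name: bytes}. Record the reference digest of every file."""
    return {name: md5_hex(data) for name, data in files.items()}

def verify(reference, files):
    """Compare the current files with a stored baseline.
    Returns {name: 'ok' | 'modified' | 'missing' | 'new'}."""
    result = {}
    for name, digest in reference.items():
        if name not in files:
            result[name] = "missing"            # file removed since the baseline
        elif md5_hex(files[name]) == digest:
            result[name] = "ok"                 # byte-for-byte unchanged
        else:
            result[name] = "modified"           # any change flips the digest
    for name in files:
        if name not in reference:
            result[name] = "new"                # not present when baselined
    return result

# Constructed sample: the file as first recorded, then after a one-byte edit
# plus an extra file that was not there before.
ORIGINAL = {"test.txt": b"This is a test message.\n"}
TAMPERED = {"test.txt": b"This is a test message!\n", "extra.txt": b"x"}

if __name__ == "__main__":
    ref = baseline(ORIGINAL)
    for name, status in verify(ref, TAMPERED).items():
        print(f"{name}: {status}")
```

hashlib.sha256 is a drop-in replacement for hashlib.md5 here; MD5 collisions are practical today, so MD5 still catches accidental or careless modification but is not a defence against an adversary able to craft a colliding substitute.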
Security Sites

 www.cert.org
 www.ciac.org/ciac
 www.incidents.org
 www.securityfocus.com
 http://csrc.ncsl.nist.gov/
 Vendor sites for patches
References
 Network Security: Private Communication in a Public World, by Charlie Kaufman, Radia Perlman and Mike Speciner
 Computer Security Issues and Trends, Vol. VII No. 1, by Richard Power
 Hackers Beware, by Eric Cole
 www.webopedia.com
 www.nessus.org
 www.nmap.org
 www.cert.org
