Introduction to Systems Security
(January 14, 2010)
© Abdou Illia – Spring 2010


Learning Objectives
- Discuss main security threats
- Discuss types of systems’ attacks
- Discuss types of defense systems
2009 Computer Crime and Security Survey (2009 CSI Security Report)
- Survey conducted by the Computer Security Institute (http://www.gocsi.com).
- A copy of the survey report is on the course web site.
- Based on replies from 494 U.S. computer security professionals.
2009 CSI Report: Types of attacks or misuse in last 12 months
(Chart from the report; not reproduced in this text.)
2008 CSI Survey vs 2009 CSI Survey
(Chart from the report.) 2007: $66,930,950 reported by 194 respondents.

Attack Trends
- Growing incident frequency until 2001
  Incidents reported to the Computer Emergency Response Team/Coordination Center:

      Year        1998     1999     2000     2001
      Incidents   3,474    9,859    21,756   52,658

- Growing malevolence since 2000
  - Most early attacks were not malicious
  - Malicious attacks are the norm today
2009 CSI Survey: Security monitoring
(Chart from the report.)

2009 CSI Survey: Defense technology
(Chart from the report.)
2009 Sophos Security Threat Report
- Report focused on Sophos’ security software
- General discovery*

* Infected USB drives take advantage of computers that have auto-run enabled, which allows the automated execution of code contained on the flash drive.
2009 Sophos Security Threat Report
- Malware* hosted on websites

* Malicious software
2009 Sophos Security Threat Report
- Malware hosting countries

2009 Sophos Security Threat Report
- Spam-relaying countries
  (Chart annotation: climbing the list year after year.)
2009 Sophos Security Threat Report
- Web server’s software affected

  (Diagram: a web server computer is a stack of computer hardware (processor, RAM chip, HD), an operating system, and the web server software: Apache, IIS or SunONE.)

- As of March 2007 Apache served 58% of all web servers
- Apache available for Microsoft Windows, Novell NetWare and Unix-like OS
Other Empirical Attack Data
- Riptech (acquired by Symantec)
  - Analyzed 5.5 billion firewall log entries in 300 firms over a 5-month period
  - Detected 128,678 attacks, i.e. about 1,000 attacks per firm per year
  - Attacks were:
    - Code Red and Nimda virus/worm (69%)
    - Other non-targeted attacks (18%)
    - Targeted attacks (13%)
Other Empirical Attack Data
- SecurityFocus
  - Data from 10,000 firms in 2001
- Attack targets
  - 31 million Windows-specific attacks
  - 22 million UNIX/Linux attacks
  - 7 million Cisco IOS attacks
  - All operating systems are attacked!
Summary Questions (Part 1)
1. What does malware refer to?
2. Systems running Microsoft operating systems are more likely to be attacked than others. T F
3. With Windows OS, you can use IIS or another web server software like Apache. T F
4. What web server software is most affected by web threats today?
5. What types of email-attached file could/could not hide a malware?
6. Could USB drives be used as means for infecting a system with malware? How?
Systems attackers
(Diagram: the attacker categories covered in the next slides are elite hackers, script kiddies, virus writers & releasers, corporate employees, cyber vandals and cyber terrorists.)

- Elite Hackers
  - Hacking: intentional access without authorization or in excess of authorization
  - Characterized by technical expertise and dogged persistence, not just a bag of tools
  - Use attack scripts to automate actions, but this is not the essence of what they do
  - Could hack to steal info, to do damage, or just to prove their status
Systems attackers
- Elite Hackers (cont.)
  - Black hat hackers break in for their own purposes
  - White hat hackers can mean multiple things
    - Strictest: hack only by invitation as part of vulnerability testing
    - Some hack without permission but report vulnerabilities (not for pay)
  - Ethical hackers
    - Hack without invitation but have a “code of ethics”
    - e.g. “Do no damage or limited damage”
    - e.g. “Do no harm, but delete log files, destroy security settings”
Systems attackers
- Script Kiddies
  - “Kids” that use pre-written attack scripts (kiddie scripts)
  - Called “lamers” by elite hackers
  - Their large number makes them dangerous
  - Noise of kiddie script attacks masks more sophisticated attacks
Systems attackers
- Virus Writers and Releasers
  - Virus writers versus virus releasers
  - Writing virus code is not a crime
  - Only releasing viruses is punishable
Systems attackers
- Cyber vandals
  - Use networks to harm companies’ IT infrastructure
  - Could shut down servers, slow down eBusiness systems
- Cyber warriors
  - Massive attacks* by governments on a country’s IT infrastructure
- Cyber terrorists
  - Massive attacks* by nongovernmental groups on a country’s IT infrastructure
- Hacktivists
  - Hacking for political motivation

* Multi-pronged attacks: release virus, active hacking, attacking Internet routers, etc.
Summary Questions (Part 2)
1. What is meant by white hat hacker?
2. What is the difference between script kiddies and elite hackers?
3. Is releasing a virus a crime in the U.S.?
4. What is the difference between cyber war and cyber terrorism?
Attacks preps: examining email headers

    Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31])
         by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC
         for <[email protected]>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
         Wed, 8 Feb 2006 16:14:58 -0800
    Message-ID: <[email protected]>
    Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP;
         Thu, 09 Feb 2006 00:14:58 GMT
    X-Originating-IP: [192.30.202.14]
    X-Originating-Email: [[email protected]]
    X-Sender: [email protected]
    In-Reply-To: <10E30E5174081747AF9452F4411465410C5BB560@excma01.cmamdm.enterprise.corp>
    X-PH: V4.4@ux1
    From: <[email protected]>
    To: [email protected]
    X-ASG-Orig-Subj: RE: FW: Same cell#
    Subject: RE: FW: Same cell#
    Date: Thu, 09 Feb 2006 00:14:58 +0000
    Mime-Version: 1.0
    Content-Type: text/plain; format=flowed
    X-OriginalArrivalTime: 09 Feb 2006 00:14:58.0614 (UTC) FILETIME=[DCA31D60:01C62D0D]
    X-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
    X-Barracuda-Spam-Score: 0.00

Slide annotation: the X-Originating-IP header ([192.30.202.14]) gives the source IP address.

IP Address Locator: http://www.geobytes.com/IpLocator.htm
Display email headers in Gmail, Yahoo!, Hotmail: http://aruljohn.com/info/howtofindipaddress/
Attacks preps: examining email headers

    Received: from Spyro364 (12-208-4-66.client.mchsi.com [12.208.4.66])
         by fillmore.eiu.edu (Postfix) with ESMTP id AD8A739C18F4;
         Fri, 29 Aug 2008 23:31:27 -0500 (CDT)
    Return-Receipt-To: "Trevor Bartlett" <[email protected]>
    From: "Trevor Bartlett" <[email protected]>
    To: "Laura Books" <[email protected]>,
         "Brad Burget" <[email protected]>,
         "Jan Runion" <[email protected]>,
         "Mandi Loverude" <[email protected]>,
         "Joe Benney" <[email protected]>,
         "John Walczak" <[email protected]>
    Cc: "Vicki Hampton" <[email protected]>, "Abdou Illia" <[email protected]>
    Subject: AITP Networking With IT Professionals
    Date: Fri, 29 Aug 2008 23:31:27 -0500
    Message-ID: !&!AAAYAAAAAAAHlvebngHR1Ho0mBdl39GGiCgAAAEAAAAIhhC6mcc1ZGhpyF6F1EIaoBAAAAAA==@eiu.edu
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
         boundary="----=_NextPart_000_0000_01C90A2F.5CB9A220"
    X-Mailer: Microsoft Office Outlook 12.0
    Thread-Index: AckKWTTHhYKvGjoUQfSXzrjBGue7+g==
    Content-Language: en-us

Slide annotations:
- The first Received line shows the sending computer’s domain name and IP address (12-208-4-66.client.mchsi.com [12.208.4.66]). A proxy server is used to hide the sending computer’s real IP address for security reasons.
- You could ping fillmore.eiu.edu to have DNS convert the name of EIU’s receiving server (i.e. fillmore.eiu.edu) into the corresponding IP address of the server.
Attacks preps: examining email headers

    Received: from barracuda.eiu.edu (barracuda1.eiu.edu [139.67.8.80])
         by eureka.eiu.edu (Postfix) with ESMTP id D355235FF8D8
         for <[email protected]>; Fri, 29 Aug 2008 23:22:04 -0500 (CDT)
    X-ASG-Debug-ID: 1220070124-092800670000-XywefX
    X-Barracuda-URL: http://139.67.8.80:8000/cgi-bin/mark.cgi
    Received: from ismtp1.eiu.edu (localhost [127.0.0.1])
         by barracuda.eiu.edu (Spam Firewall) with ESMTP id 94B32111114D
         for <[email protected]>; Fri, 29 Aug 2008 23:22:04 -0500 (CDT)
    Received: from ismtp1.eiu.edu (ismtp1.eiu.edu [139.67.9.21]) by barracuda.eiu.edu with ESMTP id OHAHGovHCxVIjPwe
    X-IronPort-Anti-Spam-Filtered: true
    X-IronPort-Anti-Spam-Result: vkAABNnuEjBwp4Wo2dsb2JhbACROoEPAQEBAQEBBwUIBxGedBUIA4Y5YwMIBHiDLw
    Received: from exchange-zav1.bvdep.com ([193.194.158.22]) by ismtp1.eiu.edu with ESMTP; 29 Aug 2008 23:22 -0500
    Received: from safaribo.bvdep.com ([172.28.32.40]) by exchange-zav1.bvdep.com with Microsoft SMTPSV(5.0.2195);
         Sat, 30 Aug 2008 06:22:01 +0200
    Received: from mail pickup service by safaribo.bvdep.com with Microsoft SMTPSVC;
         Sat, 30 Aug 2008 00:22:01 -0400
    From: <[email protected]>
    To: <[email protected]>
    X-ASG-Orig-Subj: Welcome to CourseSmart
    Subject: Welcome to CourseSmart
    Date: Sat, 30 Aug 2008 00:22:01 -0400
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain;

Slide annotations:
- 193.194.158.22 is the IP address of the sender’s email server. That server delivered the email to ismtp1.eiu.edu.
- 172.28.32.40 could be considered the source IP address. It is actually the IP address shown for the first computer in the chain of devices involved in the sending. It is more likely the IP address of a “pick up server”.
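The three header excerpts above are read the same way: unfold the continuation lines, walk the Received chain from the bottom up (each relay prepends its own line), and take the earliest hop or the X-Originating-IP stamp as the source address. The following Python is an added example, not code from the slides; its sample header block is constructed from the first excerpt with a placeholder recipient address.

```python
import re

# Constructed sample based on the first header excerpt in the slides: hostnames and
# IPs are the slide's, the recipient address is a placeholder.
SAMPLE_HEADERS = """\
Received: from hotmail.com (bay103-f21.bay103.hotmail.com [65.54.174.31])
     by barracuda1.eiu.edu (Spam Firewall) with ESMTP id B10BA1F52DC
     for <user@example.edu>; Wed, 8 Feb 2006 18:14:59 -0600 (CST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
     Wed, 8 Feb 2006 16:14:58 -0800
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with HTTP;
     Thu, 09 Feb 2006 00:14:58 GMT
X-Originating-IP: [192.30.202.14]
Subject: RE: FW: Same cell#
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"^from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)")


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) onto their header field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def received_chain(raw):
    """Received hops in delivery order (earliest first): the topmost header is the last hop."""
    hops = []
    for name, value in unfold_headers(raw):
        m = HOP_RE.match(value) if name.lower() == "received" else None
        if m:
            ip = IP_RE.search(m.group("frm"))
            hops.append({"from": m.group("frm").split(" (")[0],
                         "ip": ip.group(1) if ip else None, "by": m.group("by")})
    hops.reverse()
    return hops


def origin_ip(raw):
    """X-Originating-IP if the webmail provider stamped one, else the earliest hop's IP."""
    for name, value in unfold_headers(raw):
        if name.lower() == "x-originating-ip" and IP_RE.search(value):
            return IP_RE.search(value).group(1)
    return next((h["ip"] for h in received_chain(raw) if h["ip"]), None)
```

Any Received line can be forged by a relay under the sender's control, so only the hops added by servers you trust (here the eiu.edu ones) are reliable evidence.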
Attacks preps: looking for targets
- Scanning (probing)
  - Ping messages (to know if a potential victim exists and is turned on)
    - Firewalls usually configured to prevent pinging by outsiders
  - Supervisory messages (to know if the victim is available)
  - Tracert, Traceroute (to know how to get to the target)

http://www.netscantools.com/nstpro_netscanner.html
Attacks preps: identifying targets
- Examining scanning results reveals
  - IP addresses of potential victims
  - What services victims are running. Different services have different weaknesses
  - Host’s operating system, version number, etc.
- Whois database at NetworkSolutions.com also used when ping scans fail
- Social engineering
  - Tricking employees into giving out info (passwords, keys, etc.)
- Deciding the type of attacks to launch given available info
Framework for Attacks
(Diagram, shown here as an outline.)

Attacks
- Physical Access Attacks
  - Wiretapping
  - Server Hacking
  - Vandalism
- Dialog Attacks
  - Eavesdropping
  - Impersonation
  - Message Alteration
- Penetration Attacks
  - Scanning (Probing)
  - Break-in
  - Denial of Service
  - Malware
    - Viruses
    - Worms
- Social Engineering
  - Opening Attachments
  - Password Theft
  - Information Theft
Dialog attack: Eavesdropping
- Intercepting confidential messages being transmitted over the network

(Diagram: Bob’s client PC sends “Hello” to Alice’s server in a dialog; the attacker (Eve) intercepts and reads the messages.)
Dialog attack: Message Alteration
- Intercepting confidential messages and modifying their content

(Diagram: Bob’s client PC sends “Balance = $1” to Alice’s server; the attacker (Eve) intercepts the message and alters it to “Balance = $1,000,000”.)
Dialog attack: Impersonation

(Diagram: the attacker (Eve) tells Alice’s server “I’m Bob”; the server answers “Hi! Let’s talk.”, taking Eve for Bob’s client PC.)
Encryption: Protecting against eavesdropping and message alteration

(Diagram, as numbered steps:
1. Original message “Hello” on Bob’s client PC.
2. Encryption software + key turns it into the encrypted message.
3. The encrypted message “>/??!@#%” is sent over the network.
4. The attacker intercepts “>/??!@#%” but cannot read it.
5. Decryption software + key on the server recovers the decrypted message “Hello”.)
Authentication: Protecting against impersonation

(Diagram: the attacker (Eve) tells Alice’s server “I’m Bob”; the server replies “Prove it! (Authenticate yourself)”.)
Secure Dialog System: Protecting against all dialog attacks

(Diagram: a secure dialog between Bob’s client PC and Alice’s server automatically handles authentication, encryption and integrity; the attacker cannot read messages, alter messages, or impersonate.)
Break-in attack

(Diagram: a client PC logs on to the server on the internal corporate network with a legitimate packet (User: jdoe, Password: brave123, IP addr.: 12.2.10.13). An attacker on the Internet sends an attack packet to the same server (User: admin, Password: logon123, IP addr.: 12.2.10.13).)
Flooding Denial-of-Service (DoS) attack

(Diagram: the attacker sends a message flood to the server; the server is overloaded by the message flood.)
Firewalls: Protecting against break-ins and DoS

(Diagram: a user’s hardened client PC on the Internet sends a packet that the Internet firewall passes to the hardened server on the internal corporate network; the attacker’s attack packet is dropped, and the firewall records it in its log file.)

- Firewalls could be hardware or software-based
- Firewalls need configuration to implement access policies
- Security audits need to be performed to fix misconfigurations
Intrusion Detection System (IDS): Protecting against break-ins and DoS
- Software or hardware device that
  - Captures network activity data in log files
  - Analyzes the captured activities
  - Generates alarms in case of suspicious activities
Intrusion Detection System (IDS): Protecting against break-ins and DoS

(Diagram, as numbered steps:
1. A suspicious packet from an attacker on the Internet enters the corporate network.
2. The suspicious packet is passed on to the hardened server.
3. The IDS logs the packet in its log file.
4. The IDS sends an alarm to the network administrator.)
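The firewall and IDS slides describe two different jobs: the firewall applies an access policy packet by packet and logs what it drops, while the IDS reads the captured log and raises alarms on patterns, including floods of packets the policy correctly passed. The Python below is an added example, not from the slides, that runs both over constructed traffic shaped like the break-in and DoS diagrams; the internal server address is the slide’s 12.2.10.13, the Internet-side addresses are documentation ranges, and the logon port and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed traffic in the shape of the slides' diagrams (not from the deck).
# 12.2.10.13 is the server address from the break-in slide; the Internet-side
# addresses are documentation ranges; the logon port (22) is an assumption.
INTERNAL_NET = "12.2.10."
RULES = [  # packet-filter access policy, first match wins
    {"dst": "12.2.10.13", "port": 80, "action": "pass"},  # public web service
    {"dst": INTERNAL_NET, "port": None, "action": "drop"},  # all other inbound
]

def filter_packet(dst, port):
    for r in RULES:
        if dst.startswith(r["dst"]) and r["port"] in (None, port):
            return r["action"]
    return "drop"  # default deny

def firewall(packets):
    """Apply the policy to (time, src, dst, port) tuples; return the log file."""
    return [{"t": t, "src": s, "dst": d, "port": p, "action": filter_packet(d, p)}
            for t, s, d, p in packets]

def ids_alarms(log, logon_port=22, probe_limit=3, flood_limit=50, window=1.0):
    """IDS step: analyse the captured log and raise alarms on suspicious patterns."""
    alarms = []
    blocked = Counter(e["src"] for e in log
                      if e["action"] == "drop" and e["port"] == logon_port)
    for src, n in blocked.items():
        if n >= probe_limit:
            alarms.append(f"break-in attempt: {src}, {n} blocked logon packets")
    by_src = defaultdict(list)
    for e in log:
        by_src[e["src"]].append(e["t"])
    for src, ts in by_src.items():  # sliding window over each source's timestamps
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= flood_limit:  # passed packets can still be a flood
                alarms.append(f"flooding DoS: {src}, {hi - lo + 1} packets in {window}s")
                break
    return alarms

SAMPLE = ([(0.1 * i, "198.51.100.7", "12.2.10.13", 80) for i in range(3)]           # normal user
          + [(1.0 + i, "203.0.113.9", "12.2.10.13", 22) for i in range(4)]           # logon guesses
          + [(5.0 + 0.01 * i, "203.0.113.44", "12.2.10.13", 80) for i in range(60)])  # flood
```

The flood source never violates the access policy, which is why the slides pair the firewall with an IDS rather than relying on either alone.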
Other defense measures
- Good access control policies
  - Strong passwords
  - Good access rights implementation for resources (computer, folders, printers, etc.)
  - Good group policies
- Installing patches for
  - Operating systems (most important)
  - Application software
Summary Questions (Part 3)
1. What do ping messages allow? Why are ping scans often not effective?
2. What does social engineering mean?
3. What is meant by eavesdropping? Message alteration?
4. What kind of techniques could be used to protect against eavesdropping?
5. What is meant by DoS?
6. What kind of tools could be used to protect a system against DoS?
