Acknowledgments
  Giovanni Vigna (UCSB)
  Chris Kruegel (UCSB)
  Engin Kirda (Eurecom)
  Paolo Milani (TUV)

Reading
  Hackers, Heroes of the Computer Revolution by Steven Levy
  http://www.gutenberg.org/etext/729
  The Hacker Crackdown: Law and Disorder on the Electronic Frontier by Bruce Sterling
  http://www.mit.edu:8001/hacker/hacker.html
  The Jargon File, version 4.4.7 by Eric S. Raymond
  http://www.catb.org/jargon/oldversions/jarg447.txt

References
  SecurityFocus.com
  Bugtraq
  Focus-ids
  Phrack.org
  Milw0rm.com
  Packetstormsecurity.org
  Zone-h.org
  Many other security sites

Intro

Errors, bugs, and failures

  (diagram not preserved: hosts running software on operating systems, connected by protocols)
  Networks: composed of hardware whose behavior is determined by software (roughly...)
  Applications run on operating systems and interoperate through protocols
  Designed by humans. Not perfect!
  A human error may introduce a bug (or fault)
  The IEEE Standard Glossary of Software Engineering Terminology defines a fault as "an incorrect step, process, or data definition in a computer program"
  When a fault gets triggered, it might generate a failure...

Security Bugs
  Errors -> Bugs -> Failures
  A security error is made by a human
  As a consequence, a security bug is introduced
  A security bug is also called a vulnerability
  When the bug is triggered (or exploited) it generates a security failure
  The security of a system is compromised...

Security
  There is an overall concept of system security in terms of
    Privacy/Confidentiality
    Integrity/Consistency
    Availability

Other security problems
  Some applications work as designed but contain vulnerabilities
    When installed in systems with a conflicting security policy
      "We thought it was a good idea to allow students to have PHP applications in their web home directories..."
    When configured insecurely
      "Our secure remote terminal service is protected by a 16 character password, which is currently set to AAAAAAAAAAAAAAAA..."

There is nothing to worry about, because...
  No one will do that! Why would anyone do that?
  We've never been attacked
  We're secure: we use cryptography
  We're secure: we use ACLs
  We're secure: we use a firewall
  We've reviewed the code, and there are no security bugs
  We know it's the default, but the administration can turn it off
  If we don't run as administrator, stuff breaks
  But we'll slip the schedule
  It's not exploitable
  But that's the way we've always done it
  If we only had better tools...

Software vulnerabilities
  Meanwhile in the real world
  (chart not preserved)
  Source: http://web.nvd.nist.gov/view/vuln/statistics

Security Analysis
  Security analysis is the process of determining the security of a system
    With respect to a set of known design guidelines
    With respect to a set of known security problems
    With respect to its environment
  It answers questions like:
    Is it designed securely?
    Is it implemented securely?
    Is it deployed and configured securely?
  The security analysis process is difficult to automate and requires experience and skills

Goals and skills
  Learn how to identify design and implementation vulnerabilities in operating systems, network protocols, and applications
  Learn by example: vulnerabilities and how to exploit them
    The Devil Is In The Details
    Lessons learned, attack patterns, design patterns
  Learn about protection/detection mechanisms and techniques
  Skills:
    Ability to understand and assess the security implications of networked systems
    Ability to perform the security analysis of a system
    Ability to understand and contribute to the research on this topic

History
  Crypto is old (Caesar Cipher)
  Even hacking has a bit of a history

Brief history of hacking
  1876. Alexander Graham Bell invents the telephone.
  1878. First teenage males flung off the phone system by enraged authorities.
  But also in other fields
    In 1961, students from Caltech (California Institute of Technology, in Pasadena) hacked the Rose Bowl football game.
    1982, MIT hacked the Harvard-Yale football game. A balloon marked "MIT" popped out of the ground.

Seriously now
  1972: John Draper builds the blue box and starts phone phreaking
  Dec 1973: Bob Metcalfe, "The Stockings Were Hung by the Chimney with Care", Request for Comments no. 602
  August 1986: German hackers penetrate Lawrence Berkeley Laboratory systems and try to obtain secrets to be sold to the KGB
  November 1988: The Internet worm brings down the Internet (Robert Morris Jr.)
  December 1994: Kevin Mitnick attacks the Supercomputer Center in San Diego using a TCP spoofing attack
  2010: Stuxnet attacks uranium enrichment facilities in Iran

Cap'n Crunch
  In 1972 John Draper finds that the whistle that comes with the Cap'n Crunch cereal produces a sound at 2600 Hz
  The 2600 Hz frequency was used by AT&T to authorize long-distance calls

Phone Phreaking
  John Draper became "Captain Crunch" and built a blue box that produced a number of different tones that could be used for in-band signaling
  Draper was eventually sentenced to five years probation for toll fraud
  His story became an integral part of hacker culture
  Who else? Steve Wozniak

Metcalfe's story
  Inventor of Ethernet
  "The Stockings Were Hung by the Chimney with Care", Request for Comments no. 602
  Identifies vulnerabilities in the ARPAnet
  Says we should worry

The German Hackers Incident
  Cliff Stoll was a system administrator at LBL in August 1986
  On his first day, he started investigating a 75 cent accounting discrepancy for CPU time
  He found out that an account had been created with no billing address
  More investigation identified the presence of an intruder
  Instead of cutting out the intruder, Cliff Stoll decided to monitor the intruder in order to find out who he/she was and how he/she was able to gain privileged access

The German Hackers Incident
  The intruder was using a configuration problem in the Emacs editor
  Emacs can work as a mailer, and it used the movemail program to move a user's inbox from /var/spool/mail to the home directory using interlocking
  The LBL configuration of /var/spool/mail didn't allow the program to work as an unprivileged process
  Therefore the movemail program was installed setuid root

The German Hackers Incident
  In this configuration, movemail allowed anybody to move files to any directory of the system
  The intruder used the bug to substitute his own copy of the atrun program, which is executed every 5 minutes to perform scheduled jobs and housecleaning tasks
  The program ran with administrative privileges
  After the execution of the operation the legitimate copy would be copied back to hide tracks

The German Hackers Incident
  The intruder gained administrative privileges and started creating accounts and backdoor programs
  The intruder was using the LBL hosts to connect to military systems in the MILNET
  Military sites and databases were searched for keywords such as SDI (Strategic Defense Initiative), stealth, SAC (Strategic Air Command), nuclear, NORAD
  Cliff Stoll, at this point, called the FBI

The German Hacker Incident
  With the help of the FBI and of the Bundeskriminalamt (BKA) he was able to trace the intruder to Hanover
  1989: the investigation ends with the arrest of Markus Hess in Germany, who apparently worked for the Eastern Bloc
  Markus was sentenced to a year and eight months and a 10,000 DM fine
  He was put on probation
  Other hackers were involved in the break-in and received similar sentences

1988: The Internet Falls Over
  November 2, 1988: The Internet worm, developed by Robert T. Morris, was injected into the Internet
  A mistake in the replication procedure led to unexpected proliferation
  The Internet had to be turned off
  Damages were estimated in the order of several hundred thousand dollars
  RTM was sentenced to three years probation, a $10,000 fine, and (heh-heh) 400 hours of community service
  The CERT (Computer Emergency Response Team) was created as a reaction to this incident

The Internet Worm
  A worm is a self-replicating program that spreads across a network of computers
  The worm worked only on Sun 3 systems and VAX computers running BSD UNIX
  The worm consisted of two parts:
    A main program
    A bootstrap program

The Internet Worm
  First step: Remote privileged access
    fingerd buffer overflow (gets() has no idea how large line[] is):

      char line[512];
      line[0] = '\0';
      gets(line);

    sendmail (the DEBUG option allows one to specify a number of commands to be executed)
  The bootstrap program (99 lines of C code) was transferred using a connection from the infecting machine
  The bootstrap program was compiled and run, causing the transfer of a precompiled version of the main program to the infected host
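The fingerd defect quoted above, as an added example that is not part of the slides and not the code of fingerd or of the worm: the unbounded gets() pattern is kept (compiled out by default) beside a bounded reader built on fgets() that rejects a request longer than its buffer instead of letting it run past the end of the array. The function names, the LINE_MAX_LEN constant and the constructed requests are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 512   /* same fixed size as the fingerd buffer on the slide */

/* The pattern the slides quote. gets() does not know the size of line[], so a
 * request longer than 511 bytes keeps writing past the array and over the rest
 * of the stack frame. Compiled out by default; modern C libraries have removed
 * gets() altogether. */
#ifdef SHOW_UNBOUNDED_PATTERN
static void read_request_unbounded(void)
{
    char line[LINE_MAX_LEN];
    line[0] = '\0';
    gets(line);
}
#endif

/* Bounded replacement. Returns 0 with a newline-stripped request in buf,
 * 1 if the line did not fit in bufsize (the rest of the line is drained so the
 * stream stays in sync, and buf is emptied), -1 on EOF or error.
 * A line of more than bufsize - 2 characters plus its newline is rejected. */
int read_request_bounded(char *buf, size_t bufsize, FILE *in)
{
    if (bufsize == 0 || fgets(buf, (int)bufsize, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* complete line: strip the newline */
        return 0;
    }
    if (feof(in))                    /* last line without a trailing newline */
        return 0;

    /* No newline and not at EOF: the line was longer than the buffer. */
    int c, drained = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        drained = 1;
    if (c == EOF && !drained)        /* the final line filled the buffer exactly */
        return 0;
    buf[0] = '\0';
    return 1;
}

/* Read one request from an in-memory string, standing in for the socket
 * fingerd would read from. */
int read_request_from_string(const char *request, char *buf, size_t bufsize)
{
    FILE *in = fmemopen((void *)request, strlen(request), "r");
    if (in == NULL)
        return -1;
    int rc = read_request_bounded(buf, bufsize, in);
    fclose(in);
    return rc;
}

/* Constructed probe: a request of n 'A' bytes plus newline, read into a
 * LINE_MAX_LEN buffer. Returns the read_request_bounded() result code. */
int probe_request_length(size_t n)
{
    char buf[LINE_MAX_LEN];
    char *req = malloc(n + 2);
    if (req == NULL)
        return -1;
    memset(req, 'A', n);
    req[n] = '\n';
    req[n + 1] = '\0';
    int rc = read_request_from_string(req, buf, sizeof buf);
    free(req);
    return rc;
}

/* Stand-alone use: read one request from stdin and report what happened. */
int main(void)
{
    char buf[LINE_MAX_LEN];
    int rc = read_request_bounded(buf, sizeof buf, stdin);
    if (rc == 0)
        printf("finger request for: %s\n", buf);
    else if (rc == 1)
        printf("request rejected: line longer than %d bytes\n", LINE_MAX_LEN - 2);
    return rc < 0 ? 1 : 0;
}
```

The point of the bounded reader is not the length check alone but what happens on failure: the oversized line is consumed and the request refused, so the caller never sees a half-read buffer and the stream stays aligned for the next request. Build with -DSHOW_UNBOUNDED_PATTERN only to see the compiler's own reaction to gets().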

Kevin Mitnick
  One of the most well-known hackers in the community
  1982: One-year probation for breaking into PacBell's offices
  1982: Enrolls at University of Southern California and uses campus machines to perform illegal activities: 6 months of juvenile prison in Stockton, California
  1987: Mitnick breaks into SCO. Sentence: three-year probation
  1988: Enrolls at Pierce and misuses campus systems. Expelled, appealed unsuccessfully
  1988: Mitnick breaks into DEC and steals software. Caught by FBI. One-year sentence at Lompoc, California

Kevin Mitnick
  1992: Mitnick violates probation and goes into hiding
  1994: California Department of Motor Vehicles issues $1-million warrant for Mitnick's arrest on charges of fraudulently trying to acquire driver identification
  Christmas 1994: Mitnick accused of invading San Diego Supercomputer Center

Kevin Mitnick against SDSC
  A very sophisticated TCP spoofing attack
  The attack exploits the trust between hosts:
    X-terminal: diskless SPARCstation running Solaris 1
    server: host providing the boot image to the X-terminal
    X-terminal allows unauthenticated logins (and command execution requests) coming from server
  Denial-of-service attack against server
  Impersonation of server with respect to the X-terminal when executing:
    rsh x-terminal "echo + + >>/.rhosts"

Kevin Mitnick
  February 1995: FBI arrests Mitnick in Raleigh, North Carolina. Sentenced to 46 months in prison (concurrently with a 22-month sentence)
  January 2000: Mitnick released from prison after almost 5 years (probation forbade him from connecting to the Internet or sending e-mail)
  January 2003: Mitnick can surf the Internet after 8 years
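The last step of the SDSC attack above appends "+ +" to /.rhosts, after which the X-terminal honours rsh requests from any user on any host. As an added example that is not from the slides and not part of any real r-services implementation, the routine below classifies .rhosts entries and counts the wildcard ones: the check an administrator would run over /.rhosts, every home directory and /etc/hosts.equiv (same "host [user]" format) to spot that trust relationship after the fact. The risk levels, function names and the sample file are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Risk classification for one trust entry; higher is worse. */
enum rhosts_risk {
    RH_IGNORE = -1,          /* blank line or comment */
    RH_SPECIFIC = 0,         /* named host, named or implicit user */
    RH_ANY_USER = 1,         /* "host +": every user on one host */
    RH_ANY_HOST = 2,         /* "+": one username from every host */
    RH_ANY_HOST_ANY_USER = 3 /* "+ +": the entry the attack appended */
};

/* Classify one .rhosts line. Format: "host [user]", optional leading
 * whitespace, '#' starts a comment, "+" in a field is the wildcard.
 * Netgroup forms such as "+@group" are reported as specific entries. */
int rhosts_entry_risk(const char *line)
{
    char host[256] = "", user[256] = "";
    int n = sscanf(line, " %255s %255s", host, user);
    if (n < 1 || host[0] == '#')
        return RH_IGNORE;
    int any_host = strcmp(host, "+") == 0;
    int any_user = (n == 2 && strcmp(user, "+") == 0);
    if (any_host && any_user) return RH_ANY_HOST_ANY_USER;
    if (any_host)             return RH_ANY_HOST;
    if (any_user)             return RH_ANY_USER;
    return RH_SPECIFIC;
}

/* Walk the contents of a whole .rhosts file and return the number of
 * wildcard entries; *worst (if non-NULL) receives the highest risk seen. */
int rhosts_count_wildcards(const char *content, int *worst)
{
    int count = 0, max = RH_SPECIFIC;
    const char *p = content;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 511 ? full : 511;   /* overlong lines are truncated */
        char line[512];
        memcpy(line, p, len);
        line[len] = '\0';
        int r = rhosts_entry_risk(line);
        if (r > RH_SPECIFIC) {
            count++;
            if (r > max) max = r;
        }
        p = nl ? nl + 1 : p + full;
    }
    if (worst) *worst = max;
    return count;
}

/* Constructed sample, not a real file: two ordinary entries and the
 * "+ +" line from the slide. */
const char SAMPLE_RHOSTS[] =
    "# constructed sample .rhosts\n"
    "server.example.org\n"
    "server.example.org operator\n"
    "+ +\n";

/* Stand-alone use: audit the file named on the command line, or the sample. */
int main(int argc, char **argv)
{
    static char content[65536];
    const char *src = SAMPLE_RHOSTS;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "r");
        if (f == NULL) { perror(argv[1]); return 1; }
        size_t n = fread(content, 1, sizeof content - 1, f);
        fclose(f);
        content[n] = '\0';
        src = content;
    }
    int worst = RH_SPECIFIC;
    int count = rhosts_count_wildcards(src, &worst);
    printf("%d wildcard entr%s, worst risk level %d\n",
           count, count == 1 ? "y" : "ies", worst);
    return count > 0 ? 2 : 0;
}
```

The exit status makes the check usable from a cron job or a configuration audit, but the honest fix for the trust the attack relies on is not a cleaner .rhosts: host-based trust over rsh is spoofable by design, which is why the r-services were retired in favour of authenticated protocols.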

Other Stories
  2010 Stuxnet: attacking Iran's nuclear program

Stuxnet
  four zero days
  1 known exploit
  2 stolen certificates
  2 rootkits (one in a PLC!)
  2 Siemens security issues
  1 target

Is this a course on hacking?

Hacking
  The term "hacker" was introduced at MIT in the 60s to describe computer wizards
  It has eventually been used to denote malicious hackers or "crackers", that is, people that perform intrusions and misuse computer systems
  We will use the term "hacker" with this last connotation, keeping in mind that it is also used to describe
    "[...] someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker's attitude. Computer programming must be a hobby, something done for fun, not out of a sense of duty or for the money." (Brian Harvey, University of Berkeley, http://www.cs.berkeley.edu/~bh/hackers.html)

Other terms of the hackers' jargon
  31337, l33t, eleet: Clueful. Plugged-in. One of the cognoscenti. Also used as a general positive adjective. This term is not actually native hacker slang; it is used primarily by crackers and warez d00dz, for which reason hackers use it only with heavy irony. The term used to refer to the folks allowed in to the hidden or privileged sections of BBSes in the early 1980s (which, typically, contained pirated software). A true hacker would be more likely to use "wizardly". Oppose "lamer".
  haXOr
  0-day exploit
  All your base are belong to us

Ethics
  Is malicious hacking/cracking legal? NO!
  Is it legal to discuss vulnerabilities and how they are actually exploited? YES, and it is a good thing, provided that
    The goal is to educate and increase awareness
    The goal is to teach how to build a more secure computing environment
  A full disclosure policy has been advocated by many respected researchers, provided that
    The information disclosed has already been distributed to the parties that may provide a solution (e.g., vendors)
    See: Responsible vulnerability disclosure process (IETF Internet Draft)
  The ultimate goal is to prevent similar mistakes from being repeated

Legality
  In the Netherlands
    Since 2006: all penetration into computer systems is illegal, even if it does not involve cracking the security
    Destruction of computers, networks, and data, or rendering them unusable, is against the law
      This now includes DoS and DDoS attacks
    Spreading malware is punishable by law (up to 4 years in prison)
  Legal hacking: penetration testing
  Would you hire a hacker? Depends
  Would you fire a hacker?

Case study
  High-level: what are the steps?
  Details of the steps in the remainder of the course

Penetration of a Bank System
  Bank X (millions of accounts, hundreds of thousands of online accounts) asks for a vulnerability analysis
  Assumptions: hacker-style
    No previous knowledge about topology/services
    No inside help
  Initial data
    Small set of IP addresses
    Access to one online account
    Letter from the bank verifying that we were working for them
  Goal is to determine if there is a way to break the security of the system

Penetration of a Bank System
  Process:
    Network analysis
    Target acquisition
    Service scanning
    Vulnerability exploitation
    Banking service analysis

IP Sweep
  Starting nmap by Fyodor (www.insecure.org/nmap/)
  Host sales.bankx.com (192.168.20.1) appears to be up.
  Host sales1.bankx.com (192.168.20.4) appears to be up.
  Host sales4.bankx.com (192.168.20.5) appears to be up.
  Host sales2.bankx.com (192.168.20.20) appears to be up.
  Nmap run completed -- 256 IP addresses (4 hosts up) scanned in 1 second

Target acquisition
  (traceroute output not preserved)

Service scanning
  Different types of scans
    TCP half-open scan
    TCP connect
    TCP FIN scan
    FTP bounce scan
    UDP scan
    TCP port sweep
    UDP port sweep

Later
  FTP bounce attack
    Allows one to open TCP connections bypassing the firewall protections
    Used to perform internal scanning
    If upload is enabled, can be used to attack services filtered by the firewall
  Inside scan

Vulnerability Exploitation
  Two-step process, based on available services
    Checking for the presence of vulnerabilities
      Mail-based
      DNS-based
      FTP-based
      WWW-based
    Exercising the vulnerabilities that could possibly be in place

When we are in...
  a new game begins: what do we want to use our bot for?
  All of this stuff and more will be detailed in the upcoming lectures
