SlideShare uma empresa Scribd logo

Csc290 ch10

N
nageshchauhan
TecnologiaEducação
1 de 45
Baixar para ler offline
Network Security Intruders and Viruses Hofstra University – Network 05/01/06 1 Security Course, CSC290A
Password Management Part Two - Cracking Hofstra University – Network 05/01/06 2 Security Course, CSC290A
Intrusion Techniques Objective: Gain access to a system Frequent Goal: Acquiring a user password Most systems have a file that maps a password to each user Password file protection: one-way encryption access control Hofstra University – Network 05/01/06 3 Security Course, CSC290A
Password Learning Techniques g 1. Try default passwords used with standard u accounts shipped with the system e 2. Exhaustive try of all short passwords s 3. Try words in system’s dictionary or list of s likely passwords (hacker bulletin boards) a 4. Collect information about users (full names, t names of spouses and children, pictures and t books in their office, related hobbies) a 5. Try users’ phone numbers, social security c numbers, room numbers k 6. Try all legitimate license plate numbers 7. Use a trojan horse 8. Tap the line between a remote user and the system Hofstra University – Network 05/01/06 4 Security Course, CSC290A
Password Protection Unix password scheme threats: Gain access through a guest account and run a password cracker Obtain a copy of the password file and run a password cracker Goal: Run a password cracker Rely on people choosing easily guessable passwords! Hofstra University – Network 05/01/06 5 Security Course, CSC290A
Password Cracking Hofstra University – Network 05/01/06 6 Security Course, CSC290A
Password Cracking Unix Password File (/etc/passwd): daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: nobody:x:60001:60001:Nobody:/: eric:GmTFg0AavFA0U:1001:10:Eric Schwartz:/export/home/eric:/bin/ksh temp:kRWegG5iTZP5o:1002:10:IP Administration:/export/home/ipadmin:/bin/ksh jfr:kyzKROryhFDE2:506:506::/home/jfr:/bin/csh Results of the password cracker: $ john passwd Loaded 3 passwords with 3 different salts (Standard DES [24/32 4K]) temp (temp) jenny (eric) solaris1 (jfr) Hofstra University – Network 05/01/06 7 Security Course, CSC290A
Password Crackers Hofstra University – Network 05/01/06 8 Security Course, CSC290A
Virus and Related Threats Hofstra University – Network 05/01/06 9 Security Course, CSC290A
Malicious Programs Two categories: Those that need a host program – fragments of programs - parasitic Those that are independent – self contained Some replicate – used as a differentiator Hofstra University – Network 05/01/06 10 Security Course, CSC290A
Taxonomy of Malicious Programs Hofstra University – Network 05/01/06 11 Security Course, CSC290A
Malicious Programs Logic Bombs: logic embedded in a program that checks for a set of conditions to arise and executes some function resulting in unauthorized actions Trapdoors: secret undocumented entry point into a program, used to grant access without normal methods of access authentication (e.g.,War Games) Hofstra University – Network 05/01/06 12 Security Course, CSC290A
Trojan Horse Hofstra University – Network 05/01/06 13 Security Course, CSC290A
Malicious Programs Trojan Horse: secret undocumented routine embedded within a useful program, execution of the program results in execution of the routine Common motivation is data destruction Hofstra University – Network 05/01/06 14 Security Course, CSC290A
Malicious Programs Zombie: a program that secretly takes over an Internet attached computer and then uses it to launch an untraceable attack Very common in Distributed Denial-Of-Service attacks Hofstra University – Network 05/01/06 15 Security Course, CSC290A
Viruses Hofstra University – Network 05/01/06 16 Security Course, CSC290A
Viruses A virus is a submicroscopic parasitic particle that infects cells in biological organisms. Viruses are non-living particles that can only replicate when an organism reproduces the viral RNA or DNA. Viruses are considered non-living by the majority of virologists www.virology.net Hofstra University – Network 05/01/06 17 Security Course, CSC290A
Viruses Viruses: code embedded within a program that causes a copy of itself to be inserted in other programs and performs some unwanted function Infects other programs Code is the DNA of the virus Hofstra University – Network 05/01/06 18 Security Course, CSC290A
Worms Hofstra University – Network 05/01/06 19 Security Course, CSC290A
Worms Worms: program that can replicate itself and send copies to computers across the network and performs some unwanted function Uses network connections to spread from system to system Hofstra University – Network 05/01/06 20 Security Course, CSC290A
Bacteria Bacteria: consume resources by replicating themselves Do not explicitly damage any files Sole purpose is to replicate themselves Reproduce exponentially Eventually taking up all processors, memory or disk space Hofstra University – Network 05/01/06 21 Security Course, CSC290A
Nature of Viruses Four stages of virus lifetime Dormant phase: virus idle Propagation phase: cloning of virus Triggering phase: virus activation Execution phase: unwanted function performed Hofstra University – Network 05/01/06 22 Security Course, CSC290A
Virus Structure program V:= {goto main: 1234567; special marker determines if infected subroutine infect-executable := {loop: file:= get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file;} subroutine do–damage := {whatever damage is to be done} subroutine trigger-pulled := {return true if some condition holds} main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next: transfer control to the original program } Hofstra University – Network 05/01/06 23 Security Course, CSC290A
Avoiding Detection Infected version of program is longer than the corresponding uninfected one Solution: compress the executable file so infected and uninfected versions are identical in length Hofstra University – Network 05/01/06 24 Security Course, CSC290A
Avoiding Detection Hofstra University – Network 05/01/06 25 Security Course, CSC290A
Compression Program infected uninfected Hofstra University – Network 05/01/06 26 Security Course, CSC290A
Types of Viruses Parasitic Virus: attached to executables, replicates when program is executed Memory-resident virus: part of a resident system program, affects every program executed Boot sector virus: infects a master boot record and spreads when system is booted from infected disk Hofstra University – Network 05/01/06 27 Security Course, CSC290A
Types of Viruses Stealth virus: virus designed to hide itself from detection by antivirus software (compression, interception of I/O logic) Polymorphic virus: mutates with every infection making detection by “signature” impossible (mutation engine) Macro virus: infects Microsoft Word docs; 2/3’s of all viruses Hofstra University – Network 05/01/06 28 Security Course, CSC290A
Macro Viruses 2/3s of all viruses Mainly Microsoft products – platform independent Affect documents not executables Easily spread by e-mail Autoexecuting macro is the culprit Hofstra University – Network 05/01/06 29 Security Course, CSC290A
Worms Uses network connections to spread from system to system Similar to a virus – has same phases: dormant, propagation, trigger and execution Morris Worm – most famous Recent: OSX.Leap.A, Kama Sutra,Code Red Hofstra University – Network 05/01/06 30 Security Course, CSC290A
Buffer Overflow Program attempts to write more data into buffer than that buffer can hold… …Starts overwriting area of stack memory Can be used maliciously to cause a program to execute code of attackers choose Overwrites stack point Hofstra University – Network 05/01/06 31 Security Course, CSC290A
Mechanics of stack-based buffer overflow Stack is like a pile of plates 0X0692 When a function is 0X0691 called, the return return 0X0123 0X0690 address is pushed on function the stack 0 0X0689 In a function, local local s 0X0688 variables are written on stack the stack memory y 0X0687 Memory is written on s 0X0686 stack 0X0685 char username[4] reserved 4 bytes of 0X0684 space on stack Hofstra University – Network 05/01/06 32 Security Course, CSC290A
Mechanics of stack-based buffer overflow When function copies 0X0692 too much on the stack... 0X0691 ...the return pointer is overwritten return 0X0123 0X0689 0X0690 function Execution path of X 0X0689 function changed when function ends local X 0X0688 Local stack memory has stack X 0X0687 malicious code memory X 0X0686 0X0685 0X0684 Hofstra University – Network 05/01/06 33 Security Course, CSC290A
Antivirus Approaches Detection – determine that it has occurred and locate the virus Identification – identify the specific virus Removal – remove all traces and restore the program to its original state Hofstra University – Network 05/01/06 34 Security Course, CSC290A
Generations of Antivirus Software First: simple scanners (record of program lengths) Second: heuristic scanners (integrity checking with checksums) Third: activity traps (memory resident, detect infected actions) Fourth: full-featured protection (suite of antivirus techniques, access control capability) Hofstra University – Network 05/01/06 35 Security Course, CSC290A
Advanced Techniques Generic Decryption Digital Immune System Behavior-Blocking Software Hofstra University – Network 05/01/06 36 Security Course, CSC290A
Generic Decryption Easily detects even most complex polymorphic virus No damage to the personal computer Contains following elements: CPU emulator – software based virtual computer Virus signature scanner – scans target code for known signatures Emulation control module – control execution of target code Hofstra University – Network 05/01/06 37 Security Course, CSC290A
Digital Immune System Pioneered by IBM Response to rate of virus propagation Integrated mail systems - Outlook Mobile program systems – ActiveX, Java Expands the use of program emulation Depends on a central virus analysis machines Hofstra University – Network 05/01/06 38 Security Course, CSC290A
Digital Immune System Hofstra University – Network 05/01/06 39 Security Course, CSC290A
Behavior-Blocking Software Monitors program behavior in real-time for malicious actions – part of OS Look for well defined requests to the OS: modifications to files, disk formats, mods to scripts or macros, changes in config settings, open network connections, etc. IPS – Intrusion Prevention Systems Hofstra University – Network 05/01/06 40 Security Course, CSC290A
Malicious Code Protection Types of Products Scanners - identify known malicious code - search for signature strings Integrity Checkers – determine if code has been altered or changed – checksum based Vulnerability Monitors - prevent modification or access to particularly sensitive parts of the system – user defined Behavior Blockers - list of rules that a legitimate program must follow – sandbox concept Hofstra University – Network 05/01/06 41 Security Course, CSC290A
Important URLs http://www.cert.org/ Originally DARPA’s computer emergency response team. An essential security site http://www.research.ibm.com/antivirus/ IBM’s site on virus information. Very good papers – a little outdated http://www.afsa.org/fsj/sept00/Denning.cfm Hacktivism: An Emerging Threat to Diplomacy, another Denning term along with Information Warfare http://csrc.nist.gov/virus/Computer Security Resources Center – Virus information and alerts Hofstra University – Network 05/01/06 42 Security Course, CSC290A
Important URLs http://www.ciac.org/ciac/ Computer Incident Advisory Capability -another bookmark-able site to visit regularly http://csrc.nist.gov/publications/nistpubs/800-42/NIST Guideline on Network Security Testing – covers password cracking http://www.openwall.com/john/ Very good password cracker, “John the Ripper” http://csrc.nist.gov/publications/nistpubs/800-36/NIST Guide to Selecting Information Security Products http://www.xensource.com/ Xen Source - Hottest Area In Virtualization Hofstra University – Network 05/01/06 43 Security Course, CSC290A
… enough! Hofstra University – Network 05/01/06 44 Security Course, CSC290A
...coming to the end! Take Home Final Exam – On Website Due Next Class Return Papers Any Problems, Please Email Or Call Good Luck Hofstra University – Network 05/01/06 45 Security Course, CSC290A

Recomendados

Malicious
MaliciousMalicious
Maliciousashraf karaimeh
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo MaliciosoJose Manuel Acosta
 
Mitppt
MitpptMitppt
MitpptAarti Prakash
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithmsUltraUploader
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 

Recomendados

Malicious
MaliciousMalicious
Maliciousashraf karaimeh
 
Codigo Malicioso
Codigo MaliciosoCodigo Malicioso
Codigo MaliciosoJose Manuel Acosta
 
Mitppt
MitpptMitppt
MitpptAarti Prakash
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Analysis of virus algorithms
Analysis of virus algorithmsAnalysis of virus algorithms
Analysis of virus algorithmsUltraUploader
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorUltraUploader
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Jasmin Hami
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and preventionCholo Legisma
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and preventionCholo Legisma
 
Computer viruses
Computer virusesComputer viruses
Computer virusesMDAZAD53
 
Firewall
FirewallFirewall
FirewallAhmed Elnaggar
 
Firewall
FirewallFirewall
FirewallNetwax Lab
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superwormUltraUploader
 
Program security
Program securityProgram security
Program securityG Prachi
 
Advanced metamorphic techniques in computer viruses
Advanced metamorphic techniques in computer virusesAdvanced metamorphic techniques in computer viruses
Advanced metamorphic techniques in computer virusesUltraUploader
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughGFI Software
 
Virus and Antivirus
Virus and AntivirusVirus and Antivirus
Virus and AntivirusBordaArka
 
Antivirus programs and Security Teams in E-Commerce by Ilakia
Antivirus programs and Security Teams in E-Commerce by IlakiaAntivirus programs and Security Teams in E-Commerce by Ilakia
Antivirus programs and Security Teams in E-Commerce by IlakiaILAKIA
 
Antivirus PPt
Antivirus PPtAntivirus PPt
Antivirus PPtArnab Singha
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
Firewalls
FirewallsFirewalls
FirewallsShreya Singireddy
 
Antivirus
AntivirusAntivirus
AntivirusPankaj Kumawat
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
Copy of antiviruse
Copy of antiviruseCopy of antiviruse
Copy of antiviruseSWAMY NAYAK
 
Ch19
Ch19Ch19
Ch19saurabhmittal79
 
Ch19
Ch19Ch19
Ch19Joe Christensen
 

Mais conteúdo relacionado

Mais procurados

Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Jasmin Hami
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and preventionCholo Legisma
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and preventionCholo Legisma
 
Computer viruses
Computer virusesComputer viruses
Computer virusesMDAZAD53
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superwormUltraUploader
 
Program security
Program securityProgram security
Program securityG Prachi
 
Advanced metamorphic techniques in computer viruses
Advanced metamorphic techniques in computer virusesAdvanced metamorphic techniques in computer viruses
Advanced metamorphic techniques in computer virusesUltraUploader
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughGFI Software
 
Virus and Antivirus
Virus and AntivirusVirus and Antivirus
Virus and AntivirusBordaArka
 
Antivirus programs and Security Teams in E-Commerce by Ilakia
Antivirus programs and Security Teams in E-Commerce by IlakiaAntivirus programs and Security Teams in E-Commerce by Ilakia
Antivirus programs and Security Teams in E-Commerce by IlakiaILAKIA
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
Copy of antiviruse
Copy of antiviruseCopy of antiviruse
Copy of antiviruseSWAMY NAYAK
 

Mais procurados (20)

Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
 
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
Stopping threats with Votiro's Advanced Content Disarm and Reconstruction tec...
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and prevention
 
Virus detection and prevention
Virus detection and preventionVirus detection and prevention
Virus detection and prevention
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Firewall
FirewallFirewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
 
Program security
Program securityProgram security
Program security
 
Advanced metamorphic techniques in computer viruses
Advanced metamorphic techniques in computer virusesAdvanced metamorphic techniques in computer viruses
Advanced metamorphic techniques in computer viruses
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not Enough
 
Virus and Antivirus
Virus and AntivirusVirus and Antivirus
Virus and Antivirus
 
Antivirus programs and Security Teams in E-Commerce by Ilakia
Antivirus programs and Security Teams in E-Commerce by IlakiaAntivirus programs and Security Teams in E-Commerce by Ilakia
Antivirus programs and Security Teams in E-Commerce by Ilakia
 
Antivirus PPt
Antivirus PPtAntivirus PPt
Antivirus PPt
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
Firewalls
FirewallsFirewalls
Firewalls
 
Antivirus
AntivirusAntivirus
Antivirus
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Copy of antiviruse
Copy of antiviruseCopy of antiviruse
Copy of antiviruse
 

Semelhante a Csc290 ch10

Giving The Heave Ho To Worms, Spyware, And Bots!
Giving The Heave Ho To Worms, Spyware, And Bots!Giving The Heave Ho To Worms, Spyware, And Bots!
Giving The Heave Ho To Worms, Spyware, And Bots!Tammy Clark
 
Malicious software
Malicious softwareMalicious software
Malicious softwaremsdeepika
 
Computer viruses and anti viruses
Computer viruses and anti virusesComputer viruses and anti viruses
Computer viruses and anti virusesMohit Jaiswal
 
Computer virus and cyber attack
Computer virus and cyber attackComputer virus and cyber attack
Computer virus and cyber attackBhavesh soni
 
Computer worms viruses and Prevention
Computer worms viruses and PreventionComputer worms viruses and Prevention
Computer worms viruses and PreventionPratimesh Pathak
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 
Virus detection based on virus throttle technology
Virus detection based on virus throttle technologyVirus detection based on virus throttle technology
Virus detection based on virus throttle technologyAhmed Muzammil
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer virusesUltraUploader
 
Preventing lateral spread of ransomware
Preventing lateral spread of ransomwarePreventing lateral spread of ransomware
Preventing lateral spread of ransomwareOsirium Limited
 

Semelhante a Csc290 ch10 (20)

Ch19
Ch19Ch19
Ch19
 
Ch19
Ch19Ch19
Ch19
 
Unit - 5.ppt
Unit - 5.pptUnit - 5.ppt
Unit - 5.ppt
 
Giving The Heave Ho To Worms, Spyware, And Bots!
Giving The Heave Ho To Worms, Spyware, And Bots!Giving The Heave Ho To Worms, Spyware, And Bots!
Giving The Heave Ho To Worms, Spyware, And Bots!
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Computer viruses and anti viruses
Computer viruses and anti virusesComputer viruses and anti viruses
Computer viruses and anti viruses
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Computer virus and cyber attack
Computer virus and cyber attackComputer virus and cyber attack
Computer virus and cyber attack
 
Computer worms viruses and Prevention
Computer worms viruses and PreventionComputer worms viruses and Prevention
Computer worms viruses and Prevention
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
The VTC experience
The VTC experienceThe VTC experience
The VTC experience
 
Final malacious softwares
Final malacious softwaresFinal malacious softwares
Final malacious softwares
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
Virus detection based on virus throttle technology
Virus detection based on virus throttle technologyVirus detection based on virus throttle technology
Virus detection based on virus throttle technology
 
Iss lecture 9
Iss lecture 9Iss lecture 9
Iss lecture 9
 
Viruses
VirusesViruses
Viruses
 
viruses
virusesviruses
viruses
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer viruses
 
Preventing lateral spread of ransomware
Preventing lateral spread of ransomwarePreventing lateral spread of ransomware
Preventing lateral spread of ransomware
 

Último

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Csc290 ch10

  • 1. Network Security Intruders and Viruses Hofstra University – Network 05/01/06 1 Security Course, CSC290A
  • 2. Password Management Part Two - Cracking Hofstra University – Network 05/01/06 2 Security Course, CSC290A
  • 3. Intrusion Techniques Objective: Gain access to a system Frequent Goal: Acquiring a user password Most systems have a file that maps a password to each user Password file protection: one-way encryption access control Hofstra University – Network 05/01/06 3 Security Course, CSC290A
  • 4. Password Learning Techniques g 1. Try default passwords used with standard u accounts shipped with the system e 2. Exhaustive try of all short passwords s 3. Try words in system’s dictionary or list of s likely passwords (hacker bulletin boards) a 4. Collect information about users (full names, t names of spouses and children, pictures and t books in their office, related hobbies) a 5. Try users’ phone numbers, social security c numbers, room numbers k 6. Try all legitimate license plate numbers 7. Use a trojan horse 8. Tap the line between a remote user and the system Hofstra University – Network 05/01/06 4 Security Course, CSC290A
  • 5. Password Protection Unix password scheme threats: Gain access through a guest account and run a password cracker Obtain a copy of the password file and run a password cracker Goal: Run a password cracker Rely on people choosing easily guessable passwords! Hofstra University – Network 05/01/06 5 Security Course, CSC290A
  • 6. Password Cracking Hofstra University – Network 05/01/06 6 Security Course, CSC290A
  • 7. Password Cracking Unix Password File (/etc/passwd): daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: nobody:x:60001:60001:Nobody:/: eric:GmTFg0AavFA0U:1001:10:Eric Schwartz:/export/home/eric:/bin/ksh temp:kRWegG5iTZP5o:1002:10:IP Administration:/export/home/ipadmin:/bin/ksh jfr:kyzKROryhFDE2:506:506::/home/jfr:/bin/csh Results of the password cracker: $ john passwd Loaded 3 passwords with 3 different salts (Standard DES [24/32 4K]) temp (temp) jenny (eric) solaris1 (jfr) Hofstra University – Network 05/01/06 7 Security Course, CSC290A
  • 8. Password Crackers Hofstra University – Network 05/01/06 8 Security Course, CSC290A
  • 9. Virus and Related Threats Hofstra University – Network 05/01/06 9 Security Course, CSC290A
  • 10. Malicious Programs Two categories: Those that need a host program – fragments of programs - parasitic Those that are independent – self contained Some replicate – used as a differentiator Hofstra University – Network 05/01/06 10 Security Course, CSC290A
  • 11. Taxonomy of Malicious Programs Hofstra University – Network 05/01/06 11 Security Course, CSC290A
  • 12. Malicious Programs Logic Bombs: logic embedded in a program that checks for a set of conditions to arise and executes some function resulting in unauthorized actions Trapdoors: secret undocumented entry point into a program, used to grant access without normal methods of access authentication (e.g.,War Games) Hofstra University – Network 05/01/06 12 Security Course, CSC290A
  • 13. Trojan Horse Hofstra University – Network 05/01/06 13 Security Course, CSC290A
  • 14. Malicious Programs Trojan Horse: secret undocumented routine embedded within a useful program, execution of the program results in execution of the routine Common motivation is data destruction Hofstra University – Network 05/01/06 14 Security Course, CSC290A
  • 15. Malicious Programs Zombie: a program that secretly takes over an Internet attached computer and then uses it to launch an untraceable attack Very common in Distributed Denial-Of-Service attacks Hofstra University – Network 05/01/06 15 Security Course, CSC290A
  • 16. Viruses Hofstra University – Network 05/01/06 16 Security Course, CSC290A
  • 17. Viruses A virus is a submicroscopic parasitic particle that infects cells in biological organisms. Viruses are non-living particles that can only replicate when an organism reproduces the viral RNA or DNA. Viruses are considered non-living by the majority of virologists www.virology.net Hofstra University – Network 05/01/06 17 Security Course, CSC290A
  • 18. Viruses Viruses: code embedded within a program that causes a copy of itself to be inserted in other programs and performs some unwanted function Infects other programs Code is the DNA of the virus Hofstra University – Network 05/01/06 18 Security Course, CSC290A
  • 19. Worms Hofstra University – Network 05/01/06 19 Security Course, CSC290A
  • 20. Worms Worms: program that can replicate itself and send copies to computers across the network and performs some unwanted function Uses network connections to spread from system to system Hofstra University – Network 05/01/06 20 Security Course, CSC290A
  • 21. Bacteria Bacteria: consume resources by replicating themselves Do not explicitly damage any files Sole purpose is to replicate themselves Reproduce exponentially Eventually taking up all processors, memory or disk space Hofstra University – Network 05/01/06 21 Security Course, CSC290A
  • 22. Nature of Viruses Four stages of virus lifetime Dormant phase: virus idle Propagation phase: cloning of virus Triggering phase: virus activation Execution phase: unwanted function performed Hofstra University – Network 05/01/06 22 Security Course, CSC290A
  • 23. Virus Structure program V:= {goto main: 1234567; special marker determines if infected subroutine infect-executable := {loop: file:= get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file;} subroutine do–damage := {whatever damage is to be done} subroutine trigger-pulled := {return true if some condition holds} main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next: transfer control to the original program } Hofstra University – Network 05/01/06 23 Security Course, CSC290A
  • 24. Avoiding Detection Infected version of program is longer than the corresponding uninfected one Solution: compress the executable file so infected and uninfected versions are identical in length Hofstra University – Network 05/01/06 24 Security Course, CSC290A
  • 25. Avoiding Detection Hofstra University – Network 05/01/06 25 Security Course, CSC290A
  • 26. Compression Program infected uninfected Hofstra University – Network 05/01/06 26 Security Course, CSC290A
  • 27. Types of Viruses Parasitic Virus: attached to executables, replicates when program is executed Memory-resident virus: part of a resident system program, affects every program executed Boot sector virus: infects a master boot record and spreads when system is booted from infected disk Hofstra University – Network 05/01/06 27 Security Course, CSC290A
  • 28. Types of Viruses Stealth virus: virus designed to hide itself from detection by antivirus software (compression, interception of I/O logic) Polymorphic virus: mutates with every infection making detection by “signature” impossible (mutation engine) Macro virus: infects Microsoft Word docs; 2/3’s of all viruses Hofstra University – Network 05/01/06 28 Security Course, CSC290A
  • 29. Macro Viruses 2/3s of all viruses Mainly Microsoft products – platform independent Affect documents not executables Easily spread by e-mail Autoexecuting macro is the culprit Hofstra University – Network 05/01/06 29 Security Course, CSC290A
  • 30. Worms Uses network connections to spread from system to system Similar to a virus – has same phases: dormant, propagation, trigger and execution Morris Worm – most famous Recent: OSX.Leap.A, Kama Sutra,Code Red Hofstra University – Network 05/01/06 30 Security Course, CSC290A
  • 31. Buffer Overflow Program attempts to write more data into buffer than that buffer can hold… …Starts overwriting area of stack memory Can be used maliciously to cause a program to execute code of attackers choose Overwrites stack point Hofstra University – Network 05/01/06 31 Security Course, CSC290A
  • 32. Mechanics of stack-based buffer overflow Stack is like a pile of plates 0X0692 When a function is 0X0691 called, the return return 0X0123 0X0690 address is pushed on function the stack 0 0X0689 In a function, local local s 0X0688 variables are written on stack the stack memory y 0X0687 Memory is written on s 0X0686 stack 0X0685 char username[4] reserved 4 bytes of 0X0684 space on stack Hofstra University – Network 05/01/06 32 Security Course, CSC290A
  • 33. Mechanics of stack-based buffer overflow When function copies 0X0692 too much on the stack... 0X0691 ...the return pointer is overwritten return 0X0123 0X0689 0X0690 function Execution path of X 0X0689 function changed when function ends local X 0X0688 Local stack memory has stack X 0X0687 malicious code memory X 0X0686 0X0685 0X0684 Hofstra University – Network 05/01/06 33 Security Course, CSC290A
  • 34. Antivirus Approaches Detection – determine that it has occurred and locate the virus Identification – identify the specific virus Removal – remove all traces and restore the program to its original state Hofstra University – Network 05/01/06 34 Security Course, CSC290A
  • 35. Generations of Antivirus Software First: simple scanners (record of program lengths) Second: heuristic scanners (integrity checking with checksums) Third: activity traps (memory resident, detect infected actions) Fourth: full-featured protection (suite of antivirus techniques, access control capability) Hofstra University – Network 05/01/06 35 Security Course, CSC290A
  • 36. Advanced Techniques Generic Decryption Digital Immune System Behavior-Blocking Software Hofstra University – Network 05/01/06 36 Security Course, CSC290A
  • 37. Generic Decryption Easily detects even most complex polymorphic virus No damage to the personal computer Contains following elements: CPU emulator – software based virtual computer Virus signature scanner – scans target code for known signatures Emulation control module – control execution of target code Hofstra University – Network 05/01/06 37 Security Course, CSC290A
  • 38. Digital Immune System Pioneered by IBM Response to rate of virus propagation Integrated mail systems - Outlook Mobile program systems – ActiveX, Java Expands the use of program emulation Depends on a central virus analysis machines Hofstra University – Network 05/01/06 38 Security Course, CSC290A
  • 39. Digital Immune System Hofstra University – Network 05/01/06 39 Security Course, CSC290A
  • 40. Behavior-Blocking Software Monitors program behavior in real-time for malicious actions – part of OS Look for well defined requests to the OS: modifications to files, disk formats, mods to scripts or macros, changes in config settings, open network connections, etc. IPS – Intrusion Prevention Systems Hofstra University – Network 05/01/06 40 Security Course, CSC290A
  • 41. Malicious Code Protection Types of Products Scanners - identify known malicious code - search for signature strings Integrity Checkers – determine if code has been altered or changed – checksum based Vulnerability Monitors - prevent modification or access to particularly sensitive parts of the system – user defined Behavior Blockers - list of rules that a legitimate program must follow – sandbox concept Hofstra University – Network 05/01/06 41 Security Course, CSC290A
  • 42. Important URLs http://www.cert.org/ Originally DARPA’s computer emergency response team. An essential security site http://www.research.ibm.com/antivirus/ IBM’s site on virus information. Very good papers – a little outdated http://www.afsa.org/fsj/sept00/Denning.cfm Hacktivism: An Emerging Threat to Diplomacy, another Denning term along with Information Warfare http://csrc.nist.gov/virus/Computer Security Resources Center – Virus information and alerts Hofstra University – Network 05/01/06 42 Security Course, CSC290A
  • 43. Important URLs http://www.ciac.org/ciac/ Computer Incident Advisory Capability -another bookmark-able site to visit regularly http://csrc.nist.gov/publications/nistpubs/800-42/NIST Guideline on Network Security Testing – covers password cracking http://www.openwall.com/john/ Very good password cracker, “John the Ripper” http://csrc.nist.gov/publications/nistpubs/800-36/NIST Guide to Selecting Information Security Products http://www.xensource.com/ Xen Source - Hottest Area In Virtualization Hofstra University – Network 05/01/06 43 Security Course, CSC290A
  • 44. … enough! Hofstra University – Network 05/01/06 44 Security Course, CSC290A
  • 45. ...coming to the end! Take Home Final Exam – On Website Due Next Class Return Papers Any Problems, Please Email Or Call Good Luck Hofstra University – Network 05/01/06 45 Security Course, CSC290A