Category: Security

Firewall Design Goals
– Enforcement of security policies
All traffic from internal network to the Internet, and vice versa, must pass through firewall
Only traffic authorized by policy is allowed to pass
Dependable
The firewall itself is immune to subversion

Lists the types of traffic authorized to pass through the firewall
includes: address ranges, protocols, applications and content types

Developed from the organization’s information security risk assessment and policy, and a broad specification of which traffic types the organization needs to support
– Refined to detail the filter elements that can be implemented within an appropriate firewall topology

firewalls cannot protect..
traffic that does not cross it
– routing around
– internal traffic
When misconfigured

Gives insight into traffic mix via logging
Network address translation
Encryption

Firewalls and Filtering
-packets checked then passed
-inbound & outbound affect when policy is checked

Filtering Types
-Packet filtering
access control list
-Session filtering
dynamic packet filtering
stateful inspection
context based access control

Decision made on a per-packet basis
No state information saved

Applies rules to each incoming and outgoing IP packet
typically a list of rules based on matches in the IP or TCP header
Forwards or discards the packet based on rules match

How can bots contact their master safely?
Simple, naive approach:
victims contact single IP, website, ping a server, etc.
Easily defeated (ISP intervention, blackhole routing, etc.)
still used by script-kiddies, first-time malware authors

Efficient and reliable
– able to reach to a sizable set of bots within a time limit
– hard to detect(i.e., blended with normal/regular traffic)
– Hard to disable or block

Advanced Persistent Threat(APT)
-Advanced:
malware, special operation and operators
-Persistent:
Long-term presence, multi-step, “low-and-slow”
-Threat:
Targeted at high-value organization and information

APT characteristics
– Zero-day exploit or a specially crafted malware
– No readily available signature for its detection

Social-engineering to trick even the most sophisticated users
– First compromise core internal network control elements such as routers and web servers to learn about the valuable targets
– Then play man-in-the-middle on the compromised routers/server to make social-engineering attacks very convincing to even forge answer challenge or inquiry by suspecting users

DNS request for large TCT record;
spoof victim’s IP

Open recursive DNS Servers(anyone can query)

Botnet command and control
Botnet is a network of compromised comuters that the “botmaster” uses for malicious purposes
– There needs to be command & control(C&C) from the botmaster to the bots
Example: a bot reports to the botmaster its status, is directed to a site to download a malware(botcode) update, and/or receives instructions to spam/phish/DDos, etc.

Botnet C&C problem
Naively, we could have victims contact us..
suppose we create malware(vx)
– download vx code; fiddle; compile
– uses email propagation/social engineering

Spreading is easy, but what if we want to use the compromised computers(victims)?

Naively, we could have victims contact us…
problems:VX must include author’s address(not stealthy)
single rallying point(not robust)
VX has hard-coded address(not mobile)

– In the past, often for “fame” and/or “fun”
e.g., defacing web pages
fast and large-scale spreading

Modern Malware
– now, often for profit and political gains
– Technical sophistication based on the latest technologies
– Efficiency, robustness, and evasiveness

Botnet
-Bot(zombie)
A compromised computer under the control of an attacker
Bot code(malware) on the computer communicates with the attacker’s server and carries out malicious activities per attacker’s instructions

Botnet
A network of bots controlled by an attacker to perform coordinated malicious activities
Key platform for most Internet-based attacks and frauds

Attacks and Frauds by Botnets
spam, distributed denial of service attacks, key logging & data/Identity theft, click fraud, phishing& pharming, Cheating in online games/polls, key/password cracking, Anonymized terrorist & criminal communication

DDos using botnets
Attacker, Bots/zombies, Syn flood,etc. Victim

What it did:
– Determine where it could spread
– Spread its infection
– Remain undiscovered and undiscoverable

Effect
Resource exhaustion – repeated infection due to programming bug
Servers are disconnected from the Internet by system admin to stop the infection

Exploit security flaws
– Guess password(encrypted passwd file readable)
– Fingerd: buffer overflow
– Sendmail: trrapdoor(accepts shell command)

spread
– Bootstrap loader to target machine, then fetch
– Rest of code(password authenticated)

Remain un-discoverable
– load code in memory, encrypt, remove file
– Periodically changed name and process ID

What we learned:
– Security scanning and patching
– Computer Emergency Response Team

Prevention: Limit contact to outside world
Detection and Identification
Removal

4 generations of antivirus software:
– simple scanners: Use “signatures” of known virus
– Heuristic scanners: Integrity checking: checksum, encrypted has
– Activity traps
– Full-featured analysis: host-based network-based, sandboxing-based

Macro:
An executable program(e.g.
instructions opening a file, starting an application)
embedded in a word processing document, e.g. MS Word

A common technique for spreading
-A virus macro is attached to a word document
– document is loaded and opened in the host system
– When the macro executes, it copies itself to macro file
– The global macro can be activated/spread when new documents are opened

Rootkit
Resides in opening systems
– Modifies OS code and data structure

Helps user-level malware
– E.g., hide it from user(not listed in “is” or “ps” command)

Inspect all files
FindFisrtFile()
{checkfile, FindNextFile, repeat -> windows API, NTQueryDirectoryObject -> Kernel Native Interface -> Device drive functions <-> Drivers

Worms
– Use network connections to spread from system to system

Four stages of viruses
Dormant Phase, Propagation Phase, Triggering Phase, Execution Phase

Virus structure
virus code -> Physically -> Original Program
Logically Virus code part(a) -> Original Program

First line: go to “main” of virus program
Second line: a special flag(infected or not)
Main: Find uninfected programs^ infect them
Do something damaging to the system
“go to” frist line of the host program
Avoid detection by looking at size of program
compress/ decompress the host program

Type of Virus
– parasitic virus: scan/infect programs
– Memory-resident virus: infect running programs
– Macro virus: embedded in documents, run/spread
– Boot sector virus: run/spread whenever the system is booted
– Polymorphic virus: encrypt part of the virus program randomly generated key

Boot Sector Virus
Bootstrap Loader, System Initialization
Virus code -> System Initialization -> Bootstrap Loader

Reasons attackers use malware: automation, scalability, and deniability
Attackers release malicious programs on the internet and let spread

types of malicious software
– needs host program: trap door, logic bombs, trojan horses, viruses, browser plug-in extension, script
– independent: Worms, botnet, APTs

Trap door
– A secret entry point to a program or system.
– Typically works by recognizing some special sequence of inputs or special user ID.

Logic Bombs
– Embedded in some legitimate program
– Explode or perform malicious activities when certain condition are met

Trojan Horses
– Hidden in an apparently useful host program
– Performs some unwanted/harmful function when the host program is executed

Viruses
– Infect a program by modifying it
– Self-copy into the program to spread

– Certain aggregate/statistical queries can be allowed by all users.
– Consider a student grade database with schema studentid, student_standing(junior or senior), exam1_score, exam2_score, final_grade.

Average score on an example is a query that any student should be able to run.
Attacker wants to find exact score of some student
Inference attack when target takes the exam late
– Average score before target takes the exam
– Average score after target takes the exam
– Target score can be easily found

Another example: only one student has junior standing in a senior class
– Get average score of students who have junior standing
– This query discloses score of a single student

Defenses Against Inference Attacks
– Do not allow aggregate query results when the set of tuples selected is either too small or too large
– Transform data by removing identifying information
deindentification
anonymization
this has to be done with care

– Malicious SQL commands are sent to a database
– Can impact both confidentiality(extraction of data) and integrity(corruption of data)
– In a web application environment, typically a script takes user input and build an SQL query
– Web application vulnerability can be used to craft an SQL injection

Return information about items shipped to a certain city specified user in web application that uses forms

Var Shipcity;
Shipcity = Request.form("Shipcity");
Var sql = "select * from OrdersTable where 
Shipcity = "" + Shipcity + """;

SQL Injection Example
– User enters REDMOND
– Script generates SELECT * FROM OrdersTable Where Shipcity = ‘Redmond’
– What if user enters Redmond’ ;DROP table OrdersTable;?
– In this case, SELECT * FROM OrdersTable WHERE Shipcity = ‘Redmond’;DROP OrderesTable is generated
Malicious user is able to inject code to delete the table
– Many other code injection examples exist

Input checking
(golden rule – all input is evil)

see OWASP top 10 proactive controls
https://www.owasp.org/index.php/OWASP_Proactive_Controls