Security

Goals

  1. Keep the system available
    1. Denial of service attacks are common, generally easy, and can be costly to the victim.
    2. Can threaten lives (consider a nuclear power station, a hospital emergency room, or anything military).
  2. Protect the data's integrity
    1. The DMV, the police, and my gradebook all need this.
  3. Protect the data's secrecy
    1. AIDS clinics, adopted kids' records, your diary.
  4. Be user friendly
    1. Never get in the way of any legitimate thing I want to do
    2. Be easy to use
  5. Be flexible
    1. Let the owner specify exactly the permissions needed, and do so easily.
    2. Consider the printer operator: should he be able to read all files?
    3. Consider the Census Bureau. They would like to allow statistical queries, but not specific queries. How to manage?
  6. Be auditable and verifiable
    1. Know who has what permissions (who can access the tape drive)
    2. Know what permissions a person has (what can Fred access)
    3. Know what a person HAS done (has Fred accessed the tape drive?).
  7. Be revocable
    1. Make sure Fred cannot access the tape drive
  8. Be interceptable by the police
    1. Very controversial
  9. Keep the superuser honest yet functional
    1. I should be able to back up files, restore files, and yet not read private files (yes, this is possible)
  10. Be computationally quick
    1. No expensive encryption schemes
  11. Be trusted
    1. If I don't trust the system, the system is of no use

Methods

  1. First, protect the hardware.
    1. Denial of service becomes trivial
    2. Generally, if I can pull the hard drive from the case, I can access the data (unless encrypted).
  2. Second, protect the software
    1. If the editor or database software cannot be trusted, it becomes easy to get your data.
  3. Third, protect the data
    1. Often, data is more important than software or hardware.
  4. Fourth, protect the people.
    1. If the superuser can be blackmailed, all bets are off (sometimes).
    2. If I can trick you into entering bad data, I win even if the computer is inaccessible to me (DMV license fakes, for instance).

Access by User ID

  1. Hard to verify user id
    1. Passwords are O.K.
      1. Humans do not pick random passwords.
        1. Crack generally gets about 1/4 of all passwords (maybe a little less).
        2. Checking reasonableness before accepting them is a good thing
        3. Machine generating them is great, but they can be hard to remember
        4. There are programs that generate pronounceable but made-up words.
        5. Generally, breaking one host will give you accounts on other hosts.
      2. Hard to keep password lists secret
        1. Some systems store only a hashed value, and never the original passwords.
    2. Body verification
      1. Retinas, fingerprints all work well and are cheap (but no network standards exist)
      2. User acceptance issues
    3. Smart cards work well and are cheap, but no network standards exist
  2. Works the way people do generally
  3. Bad for shared resources, like video game top scores or multiuser databases.
  4. Humans are stupid (run trojan horses, write down passwords, tell friends, stuff like that).
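
The two password points above (check reasonableness before accepting a password, and store only a hashed value) are shown together in the following example. It is added here and is not code from the notes; the word list, the character-class rule, the iteration count and the record layout are all my assumptions, standing in for whatever a real system would configure.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the dictionary a cracking program works from
# (a real word list runs to hundreds of thousands of entries).
COMMON_WORDS = {"password", "secret", "letmein", "welcome", "dragon", "qwerty"}


def password_is_reasonable(password, username, min_len=8):
    """Reject, before storing, the passwords a dictionary attack finds first.

    Returns (ok, reason). The rules mirror the classic Crack tricks: the word
    itself, the username forwards or backwards, and a dictionary word with
    digits tacked on the end.
    """
    if len(password) < min_len:
        return False, "too short"
    lowered = password.lower()
    user = username.lower()
    if lowered in (user, user[::-1]):
        return False, "derived from the username"
    # 'dragon99' is still 'dragon' once the trailing digits are stripped.
    stripped = re.sub(r"\d+$", "", lowered)
    if lowered in COMMON_WORDS or stripped in COMMON_WORDS:
        return False, "dictionary word"
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        return False, "needs at least three character classes"
    return True, "ok"


def hash_password(password, salt=None, iterations=200_000):
    """Build the record to store: a random salt and an iterated hash, never the password.

    The salt makes identical passwords hash differently, so a stolen list cannot
    be attacked with one precomputed table; the iteration count slows each guess.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("dragon99", "derf", "Tq7!xm2Pw9"):
        print(candidate, password_is_reasonable(candidate, "fred"))
    stored = hash_password("Tq7!xm2Pw9")
    print("stored record:", stored)
    print("correct password verifies:", verify_password("Tq7!xm2Pw9", stored))
    print("wrong password verifies:", verify_password("Tq7!xm2Pw8", stored))
```

Note that the stored record lets the system check a password without ever being able to produce it, which is exactly why a stolen password list is less useful when only hashes were kept; the per-user salt is what keeps one cracking run from covering every account at once.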

Access by program

  1. Works the way system designers think. (Great for shared databases and top-score lists and backup programs).
  2. Unix setuid scheme is an example of this.
  3. Often very awkward (what permissions does the standard system editor get?)
  4. Generally a horrible security scheme. Way too easy to get a computer program to do unintended things.
    1. Examples: the Mach Display PostScript, the X11 keyserv program, people running sound programs remotely

Capabilities

  1. Capabilities are tokens granting access to an item
  2. Generally, a LONG bit string.
  3. ANYONE who knows the capability can access the thing.
  4. Capabilities cannot be selectively revoked.

Detection of Intrusion

  1. Generally, VERY people-intensive (and therefore very costly).
  2. Can be done better with audit records
    1. Show who attempted to do what
    2. Look for unusual behavior (access to system files, files not owned by the user, lots of permission denied errors, etc).
  3. Builds trust in the system.
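
The following is an added example (not from the notes) of the audit-record approach: it runs the three "unusual behavior" rules above over a handful of constructed audit lines. The record format, the system-directory list, the ownership rule and the denied-count threshold are assumptions I chose for the illustration; /dev/rmt0 stands in for the tape drive.

```python
from collections import Counter, defaultdict

# Constructed sample audit records (not from the notes). One record per line:
#   <time> <user> <action> <path> <result>
AUDIT_LOG = """\
09:00:01 fred open /home/fred/notes.txt ok
09:00:05 fred open /home/fred/report.doc ok
09:01:10 fred open /etc/passwd ok
09:01:12 fred open /etc/shadow denied
09:01:13 fred open /home/alice/diary denied
09:01:14 fred open /home/alice/mail denied
09:01:15 fred open /home/bob/thesis denied
09:01:16 fred open /dev/rmt0 denied
09:02:00 alice open /home/alice/diary ok
09:02:30 alice open /home/alice/mail ok
09:03:00 alice open /home/alice/notes.txt denied
"""

SYSTEM_PREFIXES = ("/etc/", "/dev/", "/usr/lib/")   # assumed layout of "system files"
DENIED_THRESHOLD = 3                                 # assumed tuning knob


def parse_audit(text):
    """Turn raw records into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        time, user, action, path, result = fields
        records.append({"time": time, "user": user, "action": action,
                        "path": path, "result": result})
    return records


def owner_of(path):
    """Toy ownership rule: /home/<user>/... belongs to <user>, everything else to root."""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "home":
        return parts[2]
    return "root"


def find_suspicious(records, denied_threshold=DENIED_THRESHOLD):
    """Apply the three rules from the notes: system files, other people's files,
    and a pile of permission-denied errors. Returns {user: [findings]}."""
    denied = Counter()
    findings = defaultdict(list)
    for r in records:
        if r["path"].startswith(SYSTEM_PREFIXES):
            findings[r["user"]].append(f"system file: {r['path']}")
        elif owner_of(r["path"]) != r["user"]:
            findings[r["user"]].append(f"file owned by someone else: {r['path']}")
        if r["result"] == "denied":
            denied[r["user"]] += 1
    for user, count in denied.items():
        if count >= denied_threshold:
            findings[user].append(f"{count} permission-denied errors")
    return dict(findings)


if __name__ == "__main__":
    for user, items in find_suspicious(parse_audit(AUDIT_LOG)).items():
        print(user)
        for item in items:
            print("   ", item)
```

On the sample, Alice's single denied access to her own file produces nothing, while Fred's run of system files, other people's files and five denials is reported; that is the point of the rules, an operator reads a short list rather than the whole log.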
 

Attacks

The Programmer's Attack

  1. Logic Bomb
    1. Definition: Code added secretly by the original designers to do bad things on certain conditions.
    2. Real Example 1: Software wipes out the database unless the author's payroll id appears in the payroll calculation.
    3. Real Example 2: Guy writes library software that stops working by DATE, and won't re-enable it until the contract is paid off.
  2. Trapdoor
    1. Definition: A secret way around the security scheme inserted by the original programmers.
    2. Real Example 1: One Air Force team sent a bogus update of Multics to a site, and then broke into the site with the inserted trapdoor. The original Multics writers could not find it even after being alerted.
  3. Trojan Horse
    1. Definition: An apparently useful program that also does a secret bad thing
    2. Can be in data as well as programs, thanks to applications with macro capabilities.
    3. Real Example 1: Program shows nude pictures of women; meanwhile it has turned off the modem sound and dialed a long distance number to Romania. The bills are horrible, and the long distance company in Romania makes a bundle.
  4. Virus
    1. Definition: A piece of code that can replicate itself into real programs.
    2. Can be in data as well as code
    3. See below...
  5. Worm
    1. Definition: A piece of code that replicates itself to other hosts via the network.
    2. Generally attacks rlogin, rsh, or sendmail.
    3. The Morris Worm of 1992?? is a great example (and he went to jail).

Viruses

  1. How they work
    1. Start by attaching themselves to some piece of code (program, boot sector, whatever).
    2. Wait for that piece of code to execute
    3. Replicate again to a new piece of code.
  2. How to detect
    1. Look for a signature (hash value)
    2. Look for an activity (format track system call)
    3. Run checksums on all executables
  3. How to avoid detection
    1. Replicate so rapidly that they never catch you
    2. Polymorph so that you never have the same signature
    3. Don't do abnormal activities.
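
Two of the detection methods above, checksums on all executables and a signature lookup, are demonstrated in the following added example (not code from the notes). It snapshots a constructed directory tree, alters one file the way a file-infector does (appending to it), adds a new file, and reports the difference; the directory names, file bodies and the single "signature" are all constructed for the illustration and are not real malware patterns.

```python
import hashlib
import os
import tempfile

# Constructed signature table (not real malware patterns): name -> byte sequence.
SIGNATURES = {"sample-appender": b"<<appended code>>"}


def file_digest(path):
    """SHA-256 of a file, streamed so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record a digest for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Rehash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def scan_signatures(path, signatures=SIGNATURES):
    """Signature check: which known byte patterns occur in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def demo():
    """Constructed scenario: snapshot a tree, then alter one file and add another."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, body in (("ls", b"\x7fELF ls body"), ("cat", b"\x7fELF cat body")):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)          # taken while the tree is known-good
        with open(os.path.join(bin_dir, "ls"), "ab") as f:
            f.write(b"<<appended code>>")         # simulates an infector appending itself
        with open(os.path.join(bin_dir, "extra"), "wb") as f:
            f.write(b"\x7fELF extra")
        report = compare_to_baseline(root, baseline)
        report["signature_hits"] = {p: scan_signatures(os.path.join(root, p))
                                    for p in report["modified"]}
        return report


if __name__ == "__main__":
    print(demo())
```

The checksum comparison catches the altered file whether or not a signature for it exists, which is why it is listed separately from signature scanning; the caveat is that the baseline itself must be kept where the thing you are checking for cannot rewrite it (offline or on read-only media), or the comparison proves nothing.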

Attacks against a network

  1. Traffic analysis
    1. Find out who is talking, and to whom.
    2. Can be defeated by sending bogus messages
    3. Militarily very useful!!
  2. Listen to others talk
    1. Great way to get data
    2. Helps if you can talk someone into asking for the data you want.
    3. Great way to get passwords (rlogin/telnet/nfs/http/ftp/Novell/etc do not encrypt data).
    4. Challenge/response verifies passwords without sending passwords.
  3. Pretend to be someone else (masquerade).
    1. Sometimes, you can just lie about your network address.
      1. But often you will not see the reply.
      2. Often the reply is not needed (it was a command, not a question).
    2. Can offer verification tokens (passwords or whatever) that you know or learned from snooping.
    3. Replay previous conversations
      1. Encryption can usually defeat this
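
The challenge/response point (item 2.4) and the replay point (item 3.3) above are shown together in this added example, which is not code from the notes. It plays both sides of an HMAC-based challenge/response login and records every message that crosses the wire, so you can check that the secret never appears on the network and that a captured response is useless against a later challenge. The Server class, the message names and the shared secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


class Server:
    """Holds each user's shared secret and hands out one-time challenges."""

    def __init__(self):
        self.secrets = {}         # user -> shared secret bytes (never sent on the wire)
        self.pending = {}         # user -> nonce we are waiting on
        self.used_nonces = set()  # answered nonces, so a replayed response is refused

    def enroll(self, user, secret):
        self.secrets[user] = secret

    def challenge(self, user):
        nonce = os.urandom(16)    # fresh random challenge for every login
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        expected_nonce = self.pending.pop(user, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self.used_nonces:
            return False
        self.used_nonces.add(nonce)
        secret = self.secrets.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """The client proves it knows the secret by keying a MAC over the challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def login(server, user, secret, wire):
    """One exchange; everything that crosses the network is appended to `wire`."""
    nonce = server.challenge(user)
    wire.append(("server->client", nonce))
    response = client_respond(secret, nonce)
    wire.append(("client->server", response))
    return server.verify(user, nonce, response)


def demo():
    secret = b"correct horse battery staple"   # constructed shared secret
    server = Server()
    server.enroll("fred", secret)
    wire = []
    first = login(server, "fred", secret, wire)
    # An eavesdropper on this wire sees the nonce and the response, never the secret.
    secret_leaked = any(secret in payload for _, payload in wire)
    # Replaying the captured response against a new challenge must fail.
    captured_nonce, captured_response = wire[0][1], wire[1][1]
    server.challenge("fred")
    replayed = server.verify("fred", captured_nonce, captured_response)
    # And so must answering with the wrong secret.
    wrong = login(server, "fred", b"wrong guess", [])
    return {"first_login": first, "secret_leaked": secret_leaked,
            "replay_accepted": replayed, "wrong_secret_accepted": wrong}


if __name__ == "__main__":
    print(demo())
```

What this buys you is exactly what the notes say: a snooper on rlogin or telnet gets the password, a snooper here gets a nonce and a MAC that are only good once. What it does not buy you is protection of the secret on the server, which still has to be guarded like any password file.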

General Ideas

Do nothing that logs yourself. Use a program like Zap to get yourself out of the logfiles. You can get arrested.

Don't break into some important place from your own computer. Pick a patsy, hack him, but don't bother him. Just use him as a platform for attacking real places. The NMU Air Force break-in of '97 illustrates this.

Denial of service is almost impossible to stop.
    Pick a server
    Start a conversation
    Start another conversation
    Keep starting them until the server reaches its limit. If the server drops dead connections (and all good servers do), keep starting MORE.
    If there is a per host limit, use more than one host.
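
The server side of the connection-flood scenario above, as an added example that is not from the notes: a connection table with a total cap, a per-host cap and an idle timeout (the "drops dead connections" behaviour the notes credit to good servers). The class name, the limits and the simulated hosts are assumptions; time is passed in explicitly so the run is deterministic.

```python
class ConnectionTable:
    """Server-side accounting that gives a connection flood a ceiling.

    Every open connection costs a slot; a host may hold only so many at once,
    and a connection that goes quiet is reaped so a dead client cannot keep its
    slot forever.
    """

    def __init__(self, max_total=100, max_per_host=10, idle_timeout=30):
        self.max_total = max_total
        self.max_per_host = max_per_host
        self.idle_timeout = idle_timeout
        self.conns = {}          # conn_id -> [host, last_activity]
        self.next_id = 1
        self.rejected = {"per_host": 0, "total": 0}

    def reap_idle(self, now):
        """Drop connections silent longer than idle_timeout; return how many were dropped."""
        dead = [cid for cid, (_, last) in self.conns.items() if now - last > self.idle_timeout]
        for cid in dead:
            del self.conns[cid]
        return len(dead)

    def count_for(self, host):
        return sum(1 for h, _ in self.conns.values() if h == host)

    def accept(self, host, now):
        """Return a connection id, or None if the host or server limit is hit."""
        self.reap_idle(now)
        if self.count_for(host) >= self.max_per_host:
            self.rejected["per_host"] += 1
            return None
        if len(self.conns) >= self.max_total:
            self.rejected["total"] += 1
            return None
        cid = self.next_id
        self.next_id += 1
        self.conns[cid] = [host, now]
        return cid

    def activity(self, cid, now):
        if cid in self.conns:
            self.conns[cid][1] = now

    def close(self, cid):
        self.conns.pop(cid, None)


def simulate_flood():
    """Constructed scenario: one host opens connections as fast as it can and then
    goes quiet, while a second host keeps using the server normally."""
    table = ConnectionTable(max_total=8, max_per_host=3, idle_timeout=30)
    flood_ids = [table.accept("10.0.0.9", now=0) for _ in range(6)]
    accepted_from_flooder = sum(1 for c in flood_ids if c is not None)
    normal = table.accept("10.0.0.20", now=1)   # legitimate user still gets a slot
    table.activity(normal, now=50)              # and keeps the connection alive
    dropped = table.reap_idle(now=60)           # the flooder's silent connections go
    return {"accepted_from_flooder": accepted_from_flooder,
            "normal_user_accepted": normal is not None,
            "reaped": dropped,
            "remaining": len(table.conns),
            "rejected_per_host": table.rejected["per_host"]}


if __name__ == "__main__":
    print(simulate_flood())
```

The per-host cap is what the notes' last step is aimed at: it raises the number of hosts an attacker needs rather than stopping the flood, which is why the total cap and the idle timeout are the parts that actually keep the server answering.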

The Bogus login story. Just put up a bogus login screen, and wait for someone to enter their password. Log the entry, reject them, and call exit(). They will think they mistyped their login name/password, and try again. You keep the log.

Once you're in, keep making new accounts as needed. Set up login/ftp/webserver with a backdoor so that you can keep coming in.

In July 1997 the Agriculture Department took down their entire main web site for a week or two because someone had completely hacked it. They did the total reinstall. Commodities traders were pissed because of a lack of reports on production in foreign markets.

Easy Ways to Break a Unix System

Known Windows Problems

  1. Boot it past the BIOS prompt with a system disk of your choice. The BIOS must store the password somewhere. Read the password there. For each BIOS there is a known location. Look there. Such programs can be found on SIMTEL. Why would this NOT work in a UNIX or Windows NT environment?
  2. Pull the battery from the motherboard, or reset the BIOS with the correct DIP switch. Then do the above.
  3. The TEARDROP attack. By sending "out of band" data to port 139 (netbios-ssn) of a Windows machine, the machine could be made to crash. Classic denial of service, with no data compromise. The modified teardrop attack works by sending pairs of deliberately constructed IP fragments which are reassembled into an invalid UDP datagram. Overlapping offsets cause the second packet to overwrite data in the middle of the UDP header contained in the first packet in such a way that the datagrams are left incomplete. Each such packet causes a crash of Win 95, or a memory allocation (remember there's only so much RAM around) on WinNT.
  4. Land Attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packets to itself. Windows 95 and Windows NT operate slowly while the host computer tries to respond to itself.
  5. c:/win and c:/win/system32 have default permissions of "change" for everyone including guest. Replace any *.dll you want!
  6. Massive password guessing. The admin account never locks out for bad passwords, and the default is NOT to log bad password attempts. Can try 1,152,000 passwords per day on reasonable hardware. Check http://somarsoft.com/ntcrack.htm for more info.
  7. The WIN 3.1 password scheme can be undone without guessing, and if that person uses the password on more than one system ...
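
Both of the malformed-packet items above (overlapping fragment offsets in item 3, and a SYN whose source equals its destination in item 4) can be recognised by a packet filter in front of the vulnerable host, which is the usual mitigation when the host itself cannot be patched. The following is an added example of that check, not code from the notes: it runs over a handful of constructed packet records. The record layout is my own; fragment offsets and lengths are given in bytes here rather than the 8-byte units IP uses on the wire.

```python
from collections import defaultdict

# Constructed packet records (not captures from the notes). Fragments of one datagram
# share (src, dst, ip_id); offset and length are in bytes.
PACKETS = [
    {"src": "10.1.1.5",  "dst": "10.1.1.10", "proto": "tcp", "sport": 40001, "dport": 139, "flags": {"SYN"}},
    {"src": "10.1.1.10", "dst": "10.1.1.10", "proto": "tcp", "sport": 139,   "dport": 139, "flags": {"SYN"}},
    {"src": "10.1.1.5",  "dst": "10.1.1.10", "proto": "udp", "ip_id": 1, "offset": 0,  "length": 24, "more": True},
    {"src": "10.1.1.5",  "dst": "10.1.1.10", "proto": "udp", "ip_id": 1, "offset": 24, "length": 8,  "more": False},
    {"src": "10.1.1.7",  "dst": "10.1.1.10", "proto": "udp", "ip_id": 2, "offset": 0,  "length": 36, "more": True},
    {"src": "10.1.1.7",  "dst": "10.1.1.10", "proto": "udp", "ip_id": 2, "offset": 24, "length": 4,  "more": False},
]


def is_land_packet(pkt):
    """A SYN whose source equals its destination, address and port alike."""
    return (pkt.get("proto") == "tcp" and "SYN" in pkt.get("flags", set())
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def fragments_overlap(fragments):
    """True if any two (offset, length) spans of one datagram cover the same bytes."""
    spans = sorted((f["offset"], f["length"]) for f in fragments)
    for (off1, len1), (off2, _) in zip(spans, spans[1:]):
        if off2 < off1 + len1:
            return True
    return False


def classify(packets):
    """Return a list of (reason, detail) for the packets a filter should drop or log."""
    findings = []
    groups = defaultdict(list)
    for i, pkt in enumerate(packets):
        if is_land_packet(pkt):
            findings.append(("land", i))
        if "offset" in pkt:
            groups[(pkt["src"], pkt["dst"], pkt["ip_id"])].append(pkt)
    for key, frags in groups.items():
        if fragments_overlap(frags):
            findings.append(("overlapping-fragments", key))
    return findings


if __name__ == "__main__":
    for finding in classify(PACKETS):
        print(finding)
```

On the sample the second packet is flagged as LAND and datagram id 2 as having overlapping fragments, while the normally fragmented datagram id 1 (second fragment starting exactly where the first ends) passes. A real filter has to hold fragments per datagram until the last one arrives or a timer expires, which is the same resource-accounting problem the denial of service section raises.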