Network Security - Lecture 1: Intro, History, Hacking

Welcome to Network Security
Intro, history, hacking
Network Security - Lecture 1
Eike Ritter

Should be able to
• identify design and implementation vulnerabilities in network protocols and applications
• exploit such vulnerabilities in practice
• detect and protect from attacks

Skills
• Ability to analyze the security of networked systems
• Ability to perform security assessments of a system
• Ability to fix vulnerabilities

Module Outline
• TCP/IP security
• Web security
• Browser security
• Malicious web
• Intrusion detection systems

Organization
• Lectures
  – 2/week
• Office hours
  – Tuesdays 4-5pm, and by appointment
• Homework
  – 2 assignments (mix of programming, network analysis, attacks)
  – Reading assignments, roughly once a week
• Examination
  – 1.5 hours
  – Covers everything we discuss in class
• Grading
  – 80% examination
  – 20% homework
• Check http://www.cs.bham.ac.uk/~exr/teaching/lectures/networkSecurity/11_12 regularly for updates and news

What is expected from you
• Participate in lectures
  – Handouts are available (print and online), but they don't cover everything
  – Be active: Something is not clear? Ask questions!
• Absolutely no plagiarism
  – Be familiar with the School's plagiarism policy
  – It's OK to discuss with others, but everything you submit must be yours
• Any problem, doubt, special need: come talk to me

NETWORK SECURITY: A brief history

'60
• Advanced Research Projects Agency (ARPA) funds development of ARPANET
• First four nodes in 1969
  – UCLA (Vint Cerf, Steve Crocker, Jon Postel, Leonard Kleinrock)
  – SRI (Doug Engelbart)
  – UCSB (Glen Culler, Burton Fried)
  – University of Utah
• Uses the Network Control Protocol (NCP) through Interface Message Processors (IMPs)
  (map: http://www.computerhistory.org/internet_history/full_size_images/1969_4-node_map.gif)

'70
• UNIX, C, Email, Telnet, FTP, TCP, Ethernet, USENET
• More hosts join the ARPANET
  (map: http://www.computerhistory.org/internet_history/full_size_images/1975_net_map.gif)

'80
• Berkeley UNIX includes the TCP/IP suite (sockets)
• ARPANET standardizes on TCP/IP (1983)
• MILNET detaches from the public network (ARPANET)
• DNS
  (map: http://www.computerhistory.org/internet_history/full_size_images/1988_nsfnet_map.gif)

… up to now
• Even more hosts attach to the Internet
• 1991: the Web is born (Tim Berners-Lee at CERN)
• The dot-com boom and bust
  (map: http://opte.org/maps/)

Vulnerabilities
• Source: http://web.nvd.nist.gov/view/vuln/statistics

Incidents
• Stats from cert.org/stats/
• "Incident reports received - Given the widespread use of automated attack tools, attacks […] have become so commonplace […] provide little information with regard to assessing the scope and impact of attacks. Therefore, we stopped providing this statistic at the end of 2003."
• So, we just gave up…

Terminology
• Vulnerability
  – A flaw or weakness in a system's design or implementation that could be exploited to violate the system's security policy
• Exploit
  – An attack that leverages a vulnerability to violate a system's security policy

HACKING, HACKERS

What is a hacker?
• The term "hacker" was introduced at MIT in the 60s to describe "computer wizards"
  – "someone who lives and breathes computers, who knows all about computers, who can get a computer to do anything. Equally important, though, is the hacker's attitude. Computer programming must be a hobby, something done for fun, not out of a sense of duty or for the money." (Brian Harvey, UC Berkeley, http://www.cs.berkeley.edu/~bh/hacker.html)
• It has eventually been used to denote "malicious hackers" or "crackers", that is, people who perform intrusions and misuse computer systems
• More jargon: http://www.eps.mcgill.ca/jargon/jargon.html

Phreaking
• In 1971, John Draper learns that a toy whistle found in Cap'n Crunch cereal boxes emits a 2600 Hz tone
• The 2600 Hz tone was used by AT&T to signal that a trunk line was idle and available to route a new call
• Free long-distance calls (blue box)…
• John Draper arrested in 1972 for toll fraud

Early problems
• Bob Metcalfe, "The Stockings Were Hung by the Chimney with Care", RFC 602, December 1973
• "The ARPA Computer Network is susceptible to security violations for at least the three following reasons"
  – Sites used to physical limitations of access are not protected against unauthorized access (e.g., passwords which are easy to guess)
  – "The TIP allows access to the ARPANET to a much wider audience than is thought or intended."
  – "There is a lingering affection for the challenge of breaking someone's system"

The cuckoo's egg
• Cliff Stoll was a system administrator at LBL in 1986
• While investigating an accounting discrepancy, he discovers an account created without a billing address
• Further investigation reveals the presence of an intruder
• Cliff Stoll decides to monitor the actions of the intruder instead of simply cutting him/her off (honeypot of sorts)

The cuckoo's egg – cont'd
• The vulnerability
  – Emacs provided a utility (movemail) to allow users to change spool file ownership and move it
  – At LBL it was installed setuid root
• The exploit
  – The attacker used movemail to copy his own script over the atrun utility, which is run periodically with system privileges
• Consequences
  – Intruder gained root access
  – Used the system to probe military systems in the MILNET
  – Looked for potentially sensitive documents, searching for keywords like "SDI" (Strategic Defense Initiative), "nuclear", "norad"
• Investigation
  – FBI involved
  – Connections traced back to Germany
  – In 1989 arrest of Markus Hess, who operated for the KGB

The Morris Worm
• On November 2, 1988, Robert T. Morris releases the Internet worm
• A mistake in the propagation procedure leads to the overload of infected machines
• Internet had to be "turned off"
• RTM was sentenced to three years' probation, a $10,000 fine, and 400 hours of community service
• The Computer Emergency Response Team (CERT) was created

The Morris Worm – cont'd
• Worm: self-replicating program that spreads across a network of machines
• Vulnerabilities & exploits
  – "Debug" function of sendmail, which made it possible to send an email with a program as the recipient
    • The worm sent a message whose body created a C program which transferred the rest of the modules from the originating host, linked them, and executed them
  – fingerd stack-based buffer overflow
  – Weak passwords
  – Trusted hosts (~/.rhosts)

Kevin Mitnick
• 1981: breaks into Pac Bell phone center. 1 year probation.
• 1982: cracks Pacific Telephone. 6 months of juvenile prison.
• 1987: breaks into SCO. 3 years probation.
• 1988: expelled from Pierce for computer misuse
• 1992: cracks into California DMV
• 1994: breaks into San Diego Supercomputer Center
• 1995: well-publicized arrest (Shimomura and the New York Times' John Markoff)

Kevin Mitnick – cont'd
• Christmas 1994 attack against San Diego Supercomputer Center (SDSC)
• Sophisticated TCP spoofing attack, which exploits the trust relationship between two hosts, x-terminal and server
  – x-terminal: diskless host
  – server: host providing boot images to x-terminal
  – x-terminal allows unauthenticated logins and commands from server
• Exploit
  – DoS against server (so it cannot answer for the spoofed connection)
  – Attacker spoofs server and injects a command:
    # rsh x-terminal "echo + + >>/.rhosts"

Other famous incidents
• Summer 2001: Code Red
  – Exploits buffer overflow in IIS
  – Defaces the vulnerable site to display:
    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
• August 2003: Blaster worm
  – Exploits buffer overflow in the DCOM RPC service of Windows and binds a command shell to port 4444 of the infected target
  – Transfers payload to the compromised machine via TFTP
  – SYN floods windowsupdate.com (but not windowsupdate.microsoft.com)
  – Jeffrey Lee Parson, 18 years old, arrested (for a variant of the worm)

Even more incidents
• October 2005: Samy
  – XSS worm spreading on myspace.com
  – Displays the string "but most of all, Samy is my hero", sends a friend request to the author of the worm, posts messages containing the payload to friends of the victim
  – In 20 hours, it infected over one million users
• July 2010: Stuxnet
  – Spies on and reprograms industrial systems (e.g., power plants, nuclear reactors)

Incidents overview
• Motivations
  – Free phone calls
  – Test what is possible
  – Spy on military systems
  – Bragging rights
  – Denial of service
  – Delay nuclear program in nation state (perhaps)
• Targeted systems
  – Phone networks
  – UNIX, Windows systems
  – Web applications
  – Industrial control systems
• Techniques
  – Signaling attacks
  – Buffer overflows, privilege escalation, etc.
  – Social engineering
  – Network flooding
  – 0-day exploits, testing on mock systems, etc.
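
The "fingerd stack-based buffer overflow" bullet on the Morris Worm slide names the bug without showing it. The following is an added example, not code from the lecture; it is a simulation, not the 1988 fingerd source. The real fingerd read its request line with gets() into a fixed-size stack buffer; here a struct stands in for that stack frame, with a request buffer followed by a field that plays the saved return address. The 16-byte buffer, the frame layout and the "legitimate" return value are assumptions chosen for illustration. Writing through the struct's own bytes keeps the demonstration deterministic and safe to run while still showing the mechanism: an unbounded copy runs off the end of the buffer and replaces whatever lies after it, whereas the bounded copy cannot.

```c
/*
 * Added example (not from the slides): a fingerd-style stack overflow
 * simulated inside a struct so the effect is deterministic.
 * Layout and sizes are assumptions for illustration, not fingerd's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAX 16                    /* assumed buffer size (fingerd used a larger one) */
#define LEGIT_RET ((uintptr_t)0x1000) /* assumed "saved return address" value */

struct frame {
    char      request[REQ_MAX];  /* where the request line is copied */
    uintptr_t saved_ret;         /* stands in for the saved return address */
};

/* Vulnerable: copies the whole line with no bound, like gets().
 * The cap at sizeof *f only keeps the demo inside the struct;
 * a real overflow keeps writing up the stack. */
static void copy_request_unbounded(struct frame *f, const char *line, size_t len)
{
    unsigned char *dst = (unsigned char *)f;   /* raw bytes of the frame */
    for (size_t i = 0; i < len && i < sizeof *f; i++)
        dst[i] = (unsigned char)line[i];
}

/* Hardened: copies at most REQ_MAX-1 bytes and NUL-terminates (fgets-style). */
static void copy_request_bounded(struct frame *f, const char *line, size_t len)
{
    size_t n = len < REQ_MAX - 1 ? len : REQ_MAX - 1;
    memcpy(f->request, line, n);
    f->request[n] = '\0';
}

typedef void (*copy_fn)(struct frame *, const char *, size_t);

/* Runs one request through a copy routine; returns 1 if the saved
 * return address was overwritten (control flow would be hijacked). */
static int return_address_clobbered(copy_fn copy, const char *line, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = LEGIT_RET;
    copy(&f, line, len);
    return f.saved_ret != LEGIT_RET;
}

int unbounded_hijacked(const char *line, size_t len)
{
    return return_address_clobbered(copy_request_unbounded, line, len);
}

int bounded_hijacked(const char *line, size_t len)
{
    return return_address_clobbered(copy_request_bounded, line, len);
}

int main(void)
{
    /* Constructed inputs: a normal finger request and an oversized one
     * (16 bytes fill the buffer, the rest land on saved_ret). */
    const char *benign   = "alice\r\n";
    const char *overflow = "AAAAAAAAAAAAAAAAAAAAAAAA";

    printf("benign  : unbounded=%d bounded=%d\n",
           unbounded_hijacked(benign, strlen(benign)),
           bounded_hijacked(benign, strlen(benign)));
    printf("overflow: unbounded=%d bounded=%d\n",
           unbounded_hijacked(overflow, strlen(overflow)),
           bounded_hijacked(overflow, strlen(overflow)));
    return 0;
}
```

The bounded routine is the whole fix: the request length is checked against the buffer, so an attacker's extra bytes are dropped instead of landing on the saved return address. The worm's actual payload replaced that address with one pointing into the buffer itself, which is why the padding bytes in a real exploit are shellcode rather than 'A's.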
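
The Mitnick slides end with the injected command echo + + >>/.rhosts, and the Morris Worm slide lists trusted hosts (~/.rhosts) as one of the worm's entry points. The following added example (not from the lecture, and not the BSD ruserok() code) is a simplified model of how rshd and rlogind consult a .rhosts file, written to show why that single appended line matters. It follows the documented entry format, one "host [user]" per line, "+" as a wildcard and a leading "-" to deny, but ignores netgroups and /etc/hosts.equiv; the file contents, host names and user names are constructed for the demonstration.

```c
/*
 * Added example (not from the slides): a teaching model of .rhosts trust
 * evaluation, plus an audit helper that counts wildcard-host entries.
 * Simplified: no netgroups, no hosts.equiv, first matching line decides.
 */
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 64

/* "+" in a field matches any value. */
static int field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "+") == 0 || strcmp(pattern, value) == 0;
}

/* Pulls the next non-blank, non-comment "host [user]" entry out of *p.
 * Returns 0 when the text is exhausted. user is "" if the field is absent. */
static int next_entry(const char **p, char *host, char *user)
{
    while (**p) {
        const char *eol = strchr(*p, '\n');
        size_t len = eol ? (size_t)(eol - *p) : strlen(*p);
        size_t advance = eol ? len + 1 : len;
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, *p, len);
        line[len] = '\0';
        *p += advance;

        host[0] = user[0] = '\0';
        int n = sscanf(line, "%63s %63s", host, user);
        if (n < 1 || host[0] == '#')
            continue;               /* blank line or comment */
        return 1;
    }
    return 0;
}

/* Returns 1 if the .rhosts text lets remote_user@remote_host act as
 * local_user.  "host" alone trusts only the same user name;
 * "host user" trusts that remote user; "-host ..." is an explicit denial. */
int rhosts_allows(const char *rhosts, const char *local_user,
                  const char *remote_host, const char *remote_user)
{
    const char *p = rhosts;
    char host[MAX_FIELD], user[MAX_FIELD];

    while (next_entry(&p, host, user)) {
        int deny = 0;
        const char *h = host;
        if (h[0] == '-') { deny = 1; h++; }
        const char *u = user[0] ? user : local_user;   /* no user field */
        if (field_matches(h, remote_host) && field_matches(u, remote_user))
            return deny ? 0 : 1;    /* first matching line decides */
    }
    return 0;
}

/* Audit helper: number of entries whose host field is the "+" wildcard,
 * i.e. entries that trust every host on the network. */
int rhosts_count_open_hosts(const char *rhosts)
{
    const char *p = rhosts;
    char host[MAX_FIELD], user[MAX_FIELD];
    int count = 0;
    while (next_entry(&p, host, user))
        if (strcmp(host, "+") == 0)
            count++;
    return count;
}

int main(void)
{
    /* Constructed root .rhosts on the x-terminal: only "server" is trusted. */
    const char *before = "# trusted boot server\nserver\n";
    /* The same file after the injected command: echo + + >>/.rhosts */
    const char *after  = "# trusted boot server\nserver\n+ +\n";

    printf("server@root   before: %d\n", rhosts_allows(before, "root", "server", "root"));
    printf("attacker@root before: %d\n", rhosts_allows(before, "root", "attacker", "root"));
    printf("attacker@root after : %d\n", rhosts_allows(after,  "root", "attacker", "root"));
    printf("open-host entries after: %d\n", rhosts_count_open_hosts(after));
    return 0;
}
```

Before the injection, only root on "server" is trusted, which is exactly the relationship the spoofed connection abuses; after it, the "+ +" line makes every user on every host root on the x-terminal without a password, so the attacker no longer needs to spoof anything. The audit helper is the check a practitioner would run across a fleet: any .rhosts or hosts.equiv entry with a "+" host field is an open door.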