2. Introduction
• As of 1996, the Internet connected an estimated 13 million computers in 195 countries on every continent, even Antarctica. The Internet is not a single network, but a worldwide collection of loosely connected networks that are accessible by individual computer hosts in a variety of ways, including gateways, routers, dial-up connections, and Internet service providers.
3. Introduction
• The Internet is easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries or time of day.
4. Introduction
• However, along with the convenience and easy access to information come new risks. Among them are the risks that valuable information will be lost, stolen, corrupted, or misused and that the computer systems will be corrupted. If information is recorded electronically and is available on networked computers, it is more vulnerable than if the same information is printed on paper and locked in a file cabinet.
5. Introduction
• Intruders do not need to enter an office or home, and may not even be in the same country. They can steal or tamper with information without touching a piece of paper or a photocopier. They can create new electronic files, run their own programs, and hide evidence of their unauthorized activity.
6. Basic Security Concepts
• Three basic security concepts important to information on the Internet are confidentiality, integrity, and availability. Concepts relating to the people who use that information are authentication, authorization, and nonrepudiation.
7. Basic Security Concepts
• Confidentiality - restricting access to information to authorized users.
• Integrity - ensuring that stored data and data in transit are not modified unintentionally or maliciously.
• Availability - ensuring that network services are not interrupted unintentionally or maliciously.
8. Internet Security Today
• What are the main security-related problems on the Internet today?
– Hijacked web servers
– Denial-of-Service Attacks
– Unsolicited Commercial E-Mail
– Operator Error, Natural Disasters
– Microsoft...
– Probe
– Scan
– Packet Sniffer
– Malicious Code
9. Internet Security Today
• What are not the major security-related problems?
– Eavesdropped electronic mail.
• (Misdirected email is a problem.)
• (Email swiped from backup tapes is a problem.)
– Sniffed credit card numbers.
• (Credit card numbers stolen from databases are a problem.)
– Hostile Java & ActiveX applets.
11. Hijacked Web Servers
• FBI
– August 17, 1996 - Attacks on the Communications Decency Act.
• CIA
– September 18, 1996 - “Central Stupidity Agency”
• NetGuide Live
– “CMP Sucks.”
12. Hijacked Web Servers
• Attacker gains access and changes contents of web server.
• Usually stunts.
• Can be very bad:
– Attacker can plant hostile applets.
– Attacker can plant data sniffers.
– Attacker can use compromised machine to take over internal system.
13. Hijacked Web Servers
• Usually outsiders.
• (Could be insiders masquerading as outsiders.)
• Nearly impossible to trace.
14. How do they do it?
• Administrative passwords captured by a password sniffer.
• Utilize known vulnerability:
– sendmail bug.
– Buffer overflow.
• Use web server CGI script to steal /etc/passwd file, then crack passwords.
• Mount the web server’s filesystem.
15. How do you defend against it?
• Patch known bugs.
• Don’t run unnecessary services on the web server.
16. How do you defend?
• Practice good host security.
• Monitor system for unauthorized changes.
– Tripwire
• Monitor system for signs of penetration
– Intrusion detection systems
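An added example (not from the deck and not Tripwire's own code) of what "monitor the system for unauthorized changes" means in practice: take a baseline of every file's permissions, size and SHA-256 hash, then diff a later snapshot against it. The web root, file names and the tampering in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Permissions, size and a content hash: a change in any of them is flagged."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "sha256": digest}

def build_baseline(root):
    """Record a fingerprint for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return baseline

def compare(baseline, current):
    """What a Tripwire-style check reports since the baseline was taken."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def write(path, text, mode=0o644):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: baseline a small web root, then tamper with it the
    way a hijacked server would be (defaced page, dropped script, mode change)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "cgi-bin"))
    write(os.path.join(root, "index.html"), "<h1>Welcome</h1>\n")
    write(os.path.join(root, "cgi-bin", "search.cgi"), "#!/bin/sh\necho hello\n")
    baseline = build_baseline(root)
    write(os.path.join(root, "index.html"), "<h1>Defaced</h1>\n")      # content changed
    write(os.path.join(root, "cgi-bin", "new.cgi"), "#!/bin/sh\n")      # file added
    os.chmod(os.path.join(root, "cgi-bin", "search.cgi"), 0o755)         # only the mode changed
    return compare(baseline, build_baseline(root))
```

The baseline has to be stored somewhere the intruder cannot rewrite it (read-only media or another host), otherwise the check compares a tampered tree against a tampered baseline.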
17. How do you defend?
• Make frequent backups.
• Have a hot spare ready.
• Monitor your system frequently.
19. Denial-of-Service
• Publicity is almost as good as changing somebody’s web server.
– Attack on PANIX
– Attack on CyberPromotions
• Costs real money
– Lost Sales
– Damage to reputation
20. Kinds of Denial-of-Service Attacks
• Direct attack: attack the machine itself.
• Indirect attack: attack something that points to the machine.
• Reputation attack: attack has nothing to do with the machine, but references it in some way.
21. Direct Denial-Of-Service Attack
• Send a lot of requests (HTTP, finger, SMTP)
– Easy to trace.
– Relatively easy to defend against with TCP/IP blocking at router.
22. Direct Denial-Of-Service Attack 2
• SYN Flooding
– Subverts the TCP/IP 3-way handshake
• SYN / ACK / ACK
– Hard to trace
• Each SYN has a different return address.
– Defenses now well understood
• Ignore SYNs from impossible addresses.
• Large buffer pools (10 → 1024)
• Random drop, Oldest drop.
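As an added example (not from the original deck), a small Python simulation of the three listener-side defenses on this slide: SYNs from impossible source addresses are discarded before they are queued, and when the half-open table is full the listener either rejects the new SYN, drops the oldest entry or drops a random entry. The client addresses, the spoofed burst and the tick-based timing are constructed; the capacities 10 and 1024 are the slide's own numbers.

```python
import ipaddress
import random
from collections import OrderedDict

def impossible_source(src):
    """No real Internet client can have one of these source addresses: discard without queueing."""
    addr = ipaddress.ip_address(src)
    return addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved

class HalfOpenTable:
    """Half-open connections (server SYN-ACK sent, client's final ACK not yet seen),
    with a fixed capacity and a full-table policy: "reject", "oldest" or "random"."""
    def __init__(self, capacity, policy, rng):
        self.capacity, self.policy, self.rng = capacity, policy, rng
        self.pending = OrderedDict()  # source address -> True; insertion order = age
        self.evicted = 0

    def on_syn(self, src):
        if impossible_source(src):
            return False
        if src in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            if self.policy == "reject":
                return False
            victim = (next(iter(self.pending)) if self.policy == "oldest"
                      else self.rng.choice(list(self.pending)))
            del self.pending[victim]
            self.evicted += 1
        self.pending[src] = True
        return True

    def on_ack(self, src):
        """Client's final ACK: a surviving entry leaves the half-open table."""
        return self.pending.pop(src, None) is not None

def simulate(capacity, policy, flood_per_tick, ticks=200, seed=1):
    """Constructed workload: each tick one legitimate client SYNs at a random point
    inside a burst of spoofed, never-acknowledged SYNs, then ACKs at the end of the tick."""
    rng = random.Random(seed)
    table = HalfOpenTable(capacity, policy, rng)
    completed = 0
    for t in range(ticks):
        client = f"198.51.100.{t % 250 + 1}"
        burst = [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(flood_per_tick)]
        burst.insert(rng.randrange(flood_per_tick + 1), client)
        for src in burst:
            table.on_syn(src)
        if table.on_ack(client):
            completed += 1
    return completed  # legitimate handshakes that completed
```

Comparing simulate(10, "reject", 20) with simulate(1024, "oldest", 20) under the same flood shows why the slide pairs the larger pool with an eviction policy: the small pool fills with spoofed entries that never leave, while a large pool with oldest-drop keeps serving real clients.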
23. Indirect Denial-Of-Service Attack
• Attack Routing
• Attack routers (hard)
• Inject bogus routes on BGP4 peering sessions (easy)
– Accidents have been widely reported.
– Expect to see an actual BGP4 attack sometime this year.
24. Reputation-based Denial-Of-Service Attack
• Spoofed e-mail
To: everybody@AOL.COM
From: astrology@mail.vineyard.net
Subject: Call Now!
Hello. My name is Jean Dixon …
• We got 3.9MB of angry responses.
26. Unsolicited Commercial E-Mail
• Pits freedom-of-speech against right of privacy.
• Consumes vast amounts of management time.
• Drain on system resources.
27. Who are the bulk-mailers?
• Advertising for Internet neophytes.
• Advertising for sexually-oriented services.
• Advertising get-rich-quick schemes.
• Advertising bulk-mail service.
28. How do they send out messages?
• Send directly from their site.
• Send through an innocent third party.
• Coming soon:
– Sent with a computer virus or ActiveX applet
29. How did they get my e-mail addresses?
• Usenet & Mailing list archives.
• Collected from online address book.
– AOL registry.
– University directory.
• Guessed
– Sequential CompuServe addresses.
• Break into machine & steal usernames.
31. Operator Error & Natural Disasters
• Still a major source of data loss.
• Hard to get management to take seriously.
– Not sexy.
– Preparation is expensive.
– If nothing happens, money seems misspent.
32. Operator Error
• Accidentally delete a file.
• Accidentally install a bad service.
• Accidentally break a CGI script.
• Psychotic break.
34. Solutions
• Frequent Backups
– Backup to high-speed tape.
– Real-time backup to spare machines.
– Make sure some backups are off-site.
• Recovery plans.
• Recovery center.
• Test your backups & plans!
36. Microsoft
• Danger of homogeneous environment.
• No demonstrated commitment to computer security.
– Windows 95 is not secure.
– Word Macro Viruses.
– ActiveX
– SMB
• Windows NT …?
37. Probe
• A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.
38. Scan
• A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other error, but they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable.
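An added example (not part of the original slides) showing how these two definitions become detection logic over login records: a failed login to an account that does not exist is counted as a probe, and five or more probes from one source within two minutes are flagged as a scan. The log lines, host name, account list and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style login records for a host named "www" (not a real log).
SAMPLE_LOG = """\
Mar  3 02:10:01 www login[812]: FAILED LOGIN for guest from 203.0.113.9
Mar  3 02:10:04 www login[813]: FAILED LOGIN for test from 203.0.113.9
Mar  3 02:10:07 www login[814]: FAILED LOGIN for admin from 203.0.113.9
Mar  3 02:10:10 www login[815]: FAILED LOGIN for ftp from 203.0.113.9
Mar  3 02:10:13 www login[816]: FAILED LOGIN for demo from 203.0.113.9
Mar  3 02:10:16 www login[817]: FAILED LOGIN for oracle from 203.0.113.9
Mar  3 09:41:22 www login[901]: FAILED LOGIN for alice from 10.0.0.5
Mar  3 09:41:30 www login[902]: LOGIN for alice from 10.0.0.5
Mar  3 11:05:48 www login[950]: FAILED LOGIN for operator from 198.51.100.4
"""
VALID_USERS = {"root", "alice", "bob"}   # accounts that actually exist on the host
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
                     r"(FAILED LOGIN|LOGIN) for (\S+) from (\S+)$")

def parse(log, year=1996):
    """Return a list of (timestamp, failed?, user, source) for each well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2) == "FAILED LOGIN", m.group(3), m.group(4)))
    return events

def classify(events, scan_threshold=5, window=timedelta(minutes=2)):
    """Probe: a failed login to an account that does not exist (the slide's
    'unused account' example). Scan: scan_threshold or more probes from one
    source within `window`, i.e. probing at the speed of an automated tool."""
    probes = defaultdict(list)
    for ts, failed, user, src in events:
        if failed and user not in VALID_USERS:
            probes[src].append(ts)
    scans = []
    for src, times in probes.items():
        times.sort()
        if any(times[i + scan_threshold - 1] - times[i] <= window
               for i in range(len(times) - scan_threshold + 1)):
            scans.append(src)
    return {"probes": {src: len(t) for src, t in probes.items()}, "scans": sorted(scans)}
```

A lone probe is reported with its count rather than raised as an alert, since, as the slide says, it is often just curiosity or confusion; the burst from one source is what marks a scan.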
39. Packet Sniffer
• A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems.
40. Malicious Code
• Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started.
41. Malicious Code
• Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents.