13 3 NWS
2
Network Security
Secure against what/whom?
Security goals vs. attacker model
Figure: attacker positions, from a machine on the same hub in the 'trusted' LAN to anywhere on the Internet
Typical attacker model in security protocol analysis:
Attacker has full network control (why so pessimistic?)
Eavesdrop / block messages / insert messages / ...
3
Network Layers, Packets, Examples
(TCP/IP model ~ simplified OSI model)
Layer              Packet contents at this layer                                     Examples         Attacks
Application Layer  Application Data                                                  email, http      DNS spoofing, Session Hijacking
Transport Layer    TCP header | Application Data                                     TCP, UDP         Session Hijacking
Network Layer      IP header | TCP header | Application Data                         IP               IP spoofing
Link Layer         Frame h. | IP header | TCP header | Application Data | Frame f.   Ethernet, MAC    MAC spoofing, ARP poisoning
Physical Layer                                                                       Radio, Cables
4
Media Access Control (MAC) [1]
Unique identifier of a network interface
used in link layer protocols
basic 'authentication', e.g. wifi
Spoofing: can claim any MAC
e.g. ifconfig / registry entries
(some driver support needed)
Common in routers
ISP/modem restrictions
[1] Not to be confused with Message Authentication Code (also MAC).
5
Internet Protocol (IP)
Address identifies a network node
used in network layer protocols
source/destination IP in plain text
Routing
on LAN (e.g. determined by subnet mask) via ARP
outside LAN via gateway
Routers (e.g. gateway) have routing tables
Connected LAN / next router to send to
Time to live (TTL) prevents endless looping
6
Address Resolution Protocol (ARP)
Address Resolution Protocol
Find MAC for IP on LAN
ARP request Machine A: where is IP-B?
Machine with IP-B responds to Machine A:
IP-B at MAC address 00:01:02:...:EF
Machine A stores response in ARP Cache
Usually even if no request sent
7
ARP Poisoning / Spoofing
Address Resolution Protocol
Find MAC for IP on LAN
ARP request Machine A: where is IP-B?
Machine with IP-B responds to Machine A:
IP-B at MAC address 00:01:02:...:EF
Machine A stores response in ARP Cache
Usually even if no request sent
Can send fake response (without request)
E.g. replace network gateway
8
ARP Spoofing Defenses
Some legitimate uses
redirect unregistered hosts
transparent redundancy
Defenses
Tools to detect fake responses, poisoned caches, multiple occurrences of one MAC
Static entries for key addresses
(limits: maintainability; MAC spoofing)
Awareness of weakness
E.g. protection at higher layers
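Added example (Python, not from the slides): a small monitor that replays ARP replies through a cache and raises the alerts the defenses above describe: a reply contradicting a static entry, an unsolicited reply, a MAC claiming several IPs, and an IP whose MAC changes. The reply log, the addresses and the static entry are constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample log of ARP replies seen on a LAN (not real traffic):
# (timestamp, IP the reply claims, MAC in the reply, no matching request was sent?)
SAMPLE_REPLIES = [
    (1, "10.0.0.1", "00:01:02:03:04:05", False),  # gateway answers a real request
    (2, "10.0.0.7", "00:01:02:03:04:77", False),  # an ordinary host answers a request
    (3, "10.0.0.1", "de:ad:be:ef:00:01", True),   # gateway IP suddenly at a new MAC, unsolicited
    (4, "10.0.0.7", "de:ad:be:ef:00:01", True),   # the same MAC now also claims a second host
]

# Assumed static entry for the key address on this LAN (the gateway)
STATIC_ENTRIES = {"10.0.0.1": "00:01:02:03:04:05"}


def analyze_arp(replies, static_entries=None):
    """Replay ARP replies through a monitored cache and return alert strings.

    Three checks, matching the defenses on the slide:
      1. a static entry is never overwritten; a reply contradicting it is an alert
      2. an unsolicited reply (no request was sent) is an alert
      3. a MAC that claims more than one IP, or an IP whose MAC changes, is an alert
    """
    static_entries = dict(static_entries or {})
    ip_to_mac = dict(static_entries)          # the monitored ARP cache
    mac_to_ips = defaultdict(set)             # reverse index for check 3
    alerts = []
    for ts, ip, mac, unsolicited in replies:
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={ts}: MAC {mac} claims several IPs {sorted(mac_to_ips[mac])}")
        if ip in static_entries and static_entries[ip] != mac:
            alerts.append(f"t={ts}: reply contradicts static entry for {ip} (got {mac})")
            continue                          # static entries are never overwritten
        if unsolicited:
            alerts.append(f"t={ts}: unsolicited reply: {ip} is at {mac}")
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac                   # cache update, as a real host would do
    return alerts


if __name__ == "__main__":
    for line in analyze_arp(SAMPLE_REPLIES, STATIC_ENTRIES):
        print(line)
```

The first two replies produce no alert; the attacker's two unsolicited replies in the sample produce four, one per defense that fires.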
9
IP spoofing & sniffing
Can claim any source in IP packet
Message seems to come from that IP
Any responses will go to that IP, not to the attacker
Response not needed; e.g. side effect, DOS attack
Or other way of getting it
Mitigate
Firewalls (see below)
IP traceback
Packet sniffing (& analysis, e.g. Wireshark)
hubs vs switches
10
Transmission Control Protocol
Turn IP traffic into reliable stream
Maintain order
Guarantee delivery
Resending if needed
Sets up 'connection'
Creates channel (on port)
sequence numbering
detect out-of-order, missing
initialized in handshake
Checksums
TCP Handshake (client <-> server):
Client -> Server: SYN, Seq = x
Server -> Client: SYN-ACK, Seq = y, Ack = x + 1
Client -> Server: ACK, Seq = x + 1, Ack = y + 1
11
TCP Session Spoofing
Attacker model
Cannot see messages
Can IP spoof messages
Create fake session: session spoofing
Take out victim client with DOS
so it won't see/react to SYN-ACKs
Send IP-spoofed SYN
attacker does not get SYN-ACK
needs to guess sequence number
Easy if sequential, now often pseudo-random
can now send requests as if victim client
Blind injection as with IP spoofing
send only, replies not received
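Added example (not from the slides): a defender-side audit of whether a stack's initial sequence numbers are predictable, which is what decides whether the blind spoofing above is feasible. The two ISN sample series are constructed: one mimics an old fixed-increment generator, the other a per-connection randomised one; the 16-bit threshold is an assumption.

```python
import math
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


def isn_deltas(samples):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]


def audit_isn(samples, min_bits=16):
    """Return (predictable, spread_bits) for a list of observed ISNs.

    spread_bits is log2 of the range of the deltas: roughly how many bits of
    the next ISN someone who has seen the previous ones still has to guess.
    A constant delta (old sequential generators) gives 0 bits. The min_bits
    threshold is an assumption for this illustration.
    """
    deltas = isn_deltas(samples)
    if not deltas:
        raise ValueError("need at least two samples")
    spread = max(deltas) - min(deltas)
    spread_bits = 0.0 if spread == 0 else math.log2(spread + 1)
    return spread_bits < min_bits, spread_bits


# Constructed samples. SEQUENTIAL mimics a generator that adds a fixed amount
# per connection; RANDOMISED mimics a per-connection unpredictable ISN.
SEQUENTIAL = [(1000 + 64000 * i) % MOD for i in range(16)]
_rng = random.Random(2024)  # seeded only so the example is reproducible
RANDOMISED = [_rng.getrandbits(32) for _ in range(16)]


if __name__ == "__main__":
    print("sequential:", audit_isn(SEQUENTIAL))
    print("randomised:", audit_isn(RANDOMISED))
```

Modern stacks derive the ISN from a secret-keyed hash of the connection 4-tuple plus a clock (RFC 6528), which is what makes a captured series look like the randomised one.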
12
TCP Session Hijacking
Attacker model
Can eavesdrop messages
Can IP spoof messages
Session Hijacking
Sniff seq/ack numbers of existing session
Send commands with IP spoofing
Eavesdrop responses
Interesting if authentication used to create session
Side effect of TCP attacks
'ACK storms' if client/server try to resynchronize
13
Denial of service (DOS) attack
Flooding, e.g. Ping, SYN
Send more messages than target can handle
Smurfing
Figure: attacker sends IP-spoofed echo requests (source = target) to a broadcast address; all replies go to the target
Distributed DOS (DDOS)
subvert large number of machines (botnet)
bombard a target site e.g. at specific time
14
DNS
Figure: resolution of www.tue.nl (client, local name server, root / NL / TUE authoritative name servers)
Local name server (10:0:0:2), cache: MyServer 10:1:2:3; recent.com 5:6:7:8
Root name server (1:0:0:1): com NS 1:2:3:4; nl NS nl.ns.com
NL name server nl.ns.com (1:2:3:4): tue NS ns1.tue.nl 131:155:2:3 (NS in domain; glue record); ru NS ns.ru.nl
TUE name server ns1.tue.nl (131:155:2:3): www 131:155:2:51; owinfo 131:155:2:51
1. Client: www.tue.nl ?
2. Local NS: no www.tue.nl; ref to root NS
4. Root NS: no www.tue.nl; ref nl NS for .nl
6. nl.ns.com known
8. NL NS: no www.tue.nl; ref tue NS for .tue.nl
10. store ns1.tue.nl in cache
13. store www.tue.nl in cache
In browser/OS (client side)
Privacy risk
Query/answer matched by 16-bit ID
15
DNS Spoofing / Poisoning
Figure: evil client asks the target name server (10:0:0:2) "1. www.tue.nl ?" and then floods it with forged answers "www.tue.nl at 1:2:3:4" (attacker IP), each with a guessed 16-bit ID
16
DNS Spoofing / Poisoning (2)
Figure: evil client asks the local name server (10:0:0:2) "1. evil.tue.nl ?"; the forged answers "evil.tue.nl at whatever" carry a glue record "ns1.tue.nl at 1:2:3:4" (evil NS), so the cached name server of tue.nl now points at the attacker
Variation: ask for non-existent domain
Real name server will not respond
17
DNS Spoofing / Poisoning (3)
Launched against a client
Figure: the target client visits an evil site; the evil page has many embedded TUE images, each causing a lookup "1. www.tue.nl ?" at the client's name server (10:0:0:2), which the attacker floods with forged answers "www.tue.nl at 1:2:3:4"
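Added example (not from the slides), covering the three DNS spoofing slides above: the two resolver-side checks that decide whether a forged answer gets into the cache. `accept_response` drops any reply whose 16-bit transaction ID does not match the pending query and, for a reply that does match, accepts only records inside the queried server's zone (the "bailiwick" rule, which limits what glue records may do). `id_guess_probability` quantifies the ID race, including the effect of a randomised UDP source port (RFC 5452). The scenario and IDs are constructed, 1.2.3.4 is the dotted form of the slide's 1:2:3:4, and bank.example is a placeholder name.

```python
def id_guess_probability(n_forged, id_bits=16, extra_bits=0):
    """Probability that at least one of n_forged answers, each carrying a
    uniformly guessed transaction ID, matches the single pending query.
    extra_bits models further randomised fields the forger must also hit
    (a randomised UDP source port adds up to 16 bits)."""
    space = 2 ** (id_bits + extra_bits)
    return 1 - (1 - 1 / space) ** n_forged


def in_bailiwick(name, zone):
    """True if name lies within zone, the part of the tree the queried server speaks for."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def accept_response(pending, response):
    """Decide which records of a response may enter the cache.

    pending:  {'id': int, 'qname': str, 'zone': str}; zone is the zone of the
              server the query went to, e.g. 'tue.nl' for ns1.tue.nl
    response: {'id': int, 'qname': str, 'records': [(name, type, value), ...]}
    Returns (accepted_records, reason).
    """
    if response["id"] != pending["id"]:
        return [], "transaction ID mismatch: dropped"
    if response["qname"].lower() != pending["qname"].lower():
        return [], "question mismatch: dropped"
    accepted = [r for r in response["records"] if in_bailiwick(r[0], pending["zone"])]
    rejected = len(response["records"]) - len(accepted)
    return accepted, f"ID matched; {rejected} out-of-bailiwick record(s) rejected"


# Constructed scenario after the second spoofing slide: the local name server
# asked ns1.tue.nl (zone tue.nl) for evil.tue.nl with transaction ID 0x1234.
PENDING = {"id": 0x1234, "qname": "evil.tue.nl", "zone": "tue.nl"}

# A forged answer whose guessed ID is wrong: dropped whatever it contains.
FORGED_WRONG_ID = {
    "id": 0x0001, "qname": "evil.tue.nl",
    "records": [("evil.tue.nl", "A", "1.2.3.4"), ("ns1.tue.nl", "A", "1.2.3.4")],
}

# A forged answer that won the ID race. Its extra records try to poison both
# the tue.nl name server (in bailiwick) and an unrelated domain (out of bailiwick).
FORGED_RIGHT_ID = {
    "id": 0x1234, "qname": "evil.tue.nl",
    "records": [("evil.tue.nl", "A", "1.2.3.4"), ("ns1.tue.nl", "A", "1.2.3.4"),
                ("www.bank.example", "A", "1.2.3.4")],
}


if __name__ == "__main__":
    print(accept_response(PENDING, FORGED_WRONG_ID))
    print(accept_response(PENDING, FORGED_RIGHT_ID))
    print("16-bit ID, 65536 forged answers:", id_guess_probability(65536))
    print("plus random source port:", id_guess_probability(65536, 16, 16))
```

The in-bailiwick glue record from the second spoofing slide still gets through once the ID is guessed; bailiwick only stops the out-of-zone record. That is why the entropy of the match (random ID plus random source port) or signed answers (DNSSEC) is what actually protects the cache.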
18
DNSSEC
Figure: the same resolution of www.tue.nl as on the DNS slide (client, local name server, root / NL / TUE authoritative name servers with their records and glue); with DNSSEC the authoritative name servers sign their records, so the resolver can verify that an answer is genuine
19
Firewalls
Placed between networks
e.g. LAN & internet
embedded in OS i.e. between PC & LAN
Filter traffic between networks
Prevent access to (potentially vulnerable) parts
Relatively simple way to mitigate many risks
Very widely used
Many different types
What is filtered, how (white-list/black-list, packets/content)
Where is it placed
Figure: firewall placed between the Internet and the intranet
20
Firewalls (2)
Network layer: Packet filtering
Do not let in packets for machine Y port X
If Y is not SSH server, block port 22
Do not let in packets with 'local' source
block IP spoofing of local addresses from outside
Transport level: e.g. proxy server
Stateless vs stateful firewall
E.g. open TCP connections
Only allow response if query sent
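Added example (not from the slides): a minimal packet filter implementing the rules on the two firewall slides: block port 22 unless the destination is the SSH server, block packets arriving from outside with a local source address, and the stateful rule that an inbound packet is accepted only as the response to a query sent from inside (or as a new connection to the published SSH service). The network layout, the addresses and the packet sequence are constructed.

```python
import ipaddress

# Assumed network layout for this illustration
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")      # the intranet behind the firewall
SSH_SERVERS = {ipaddress.ip_address("10.0.0.22")}    # the only host that may receive port 22


class Firewall:
    """Packet filter combining the stateless rules on the slide with one stateful rule."""

    def __init__(self):
        # flows opened from inside: (local ip, local port, remote ip, remote port)
        self.open_flows = set()

    def decide(self, pkt):
        """pkt: dict with direction ('in' = from the Internet, 'out' = from the intranet),
        src, dst (IP strings), sport, dport (ints) and flags ('SYN', 'SYN-ACK', ...).
        Returns (verdict, reason)."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if pkt["direction"] == "out":
            # Remember the flow so that the reply is recognised as a response.
            self.open_flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "allow", "outbound traffic"
        # Stateless rule 1: an inbound packet must not claim a local source (anti IP-spoofing).
        if src in LOCAL_NET:
            return "drop", "local source address arriving from outside"
        # Stateless rule 2: port 22 only to the SSH server.
        if pkt["dport"] == 22 and dst not in SSH_SERVERS:
            return "drop", "port 22 to a host that is not the SSH server"
        # Stateful rule: only responses to queries sent from inside ...
        if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.open_flows:
            return "allow", "response to a query sent from inside"
        # ... plus new connections to the explicitly published service.
        if dst in SSH_SERVERS and pkt["dport"] == 22 and pkt["flags"] == "SYN":
            return "allow", "new connection to the SSH server"
        return "drop", "no matching query sent from inside"


# Constructed packet sequence (outside addresses from documentation ranges).
SAMPLE_PACKETS = [
    {"direction": "out", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.34", "dport": 443, "flags": "SYN"},
    {"direction": "in", "src": "203.0.113.34", "sport": 443, "dst": "10.0.0.5", "dport": 40000, "flags": "SYN-ACK"},
    {"direction": "in", "src": "10.0.0.9", "sport": 1234, "dst": "10.0.0.5", "dport": 80, "flags": "SYN"},
    {"direction": "in", "src": "198.51.100.7", "sport": 5555, "dst": "10.0.0.5", "dport": 22, "flags": "SYN"},
    {"direction": "in", "src": "198.51.100.7", "sport": 5556, "dst": "10.0.0.22", "dport": 22, "flags": "SYN"},
    {"direction": "in", "src": "198.51.100.7", "sport": 5557, "dst": "10.0.0.5", "dport": 80, "flags": "SYN"},
]


def run_sample(packets=SAMPLE_PACKETS):
    """Run the sample through one firewall instance and return the verdicts in order."""
    fw = Firewall()
    return [fw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    fw = Firewall()
    for p in SAMPLE_PACKETS:
        print(p["direction"], p["src"], "->", p["dst"], p["dport"], fw.decide(p))
```

The order of the rules matters: the anti-spoofing and port checks are applied before the state table is consulted, so a forged packet cannot be let in by matching a flow.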
21
Firewalls (3)
Application Level: Application Gateway
Analyze & Filter content of communication
Content: meaning of data for the applications.
remove active elements from web pages
remove macros from word documents, etc.
(Spam e-mail blocking)
Also: Outgoing traffic
Prevent Trojan sending out company secrets
Multi level network with multiple firewalls
Issues:
Firewalls still need to be managed.
trade-off performance vs security
trade-off performance vs usability
only some protection
Figure: multi-level network: Internet | firewall | semi-public zone (webserver) | firewall | LAN with high-value data
22
Intrusion Detection
Signature based
Detect behavior related to known attacks
Honey-pots, Honey-nets
Anomaly based / statistical
Detect 'unusual' behavior
Detection rate vs false positives
False alarm rates
Theory: perfect detection (of viruses/intruders) not possible
Encrypted connections (tunneling): content not visible to the IDS
23
Typical detected intrusions
Port scans
DOS
ARP spoofing
DNS cache poisoning
etc.
Misuse of Identity / Credential
Attempts to cover attacks
e.g. delete system logs
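Added example (not from the slides), covering the port-scan and DOS entries above: two signature-style rules run over a constructed connection log. A port scan is one source touching many distinct ports on one host within a short window; a SYN flood is many half-open handshakes (a SYN never followed by the client's ACK) towards one host. The log format, the thresholds and the addresses are assumptions made for the illustration.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts src sport dst dport flags")

# Constructed connection log (not real traffic): "ts src sport dst dport flags",
# where S = SYN from the client and A = the client's final ACK of the handshake.
_scan = "\n".join(f"1 203.0.113.5 {50000 + i} 10.0.0.5 {p} S"
                  for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443]))
_legit = "5 192.0.2.9 40000 10.0.0.8 80 S\n5 192.0.2.9 40000 10.0.0.8 80 A"
_flood = "\n".join(f"{10 + i} 198.51.100.{i} {1000 + i} 10.0.0.8 80 S" for i in range(1, 41))
SAMPLE_LOG = "\n".join([_scan, _legit, _flood])


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        events.append(Event(int(ts), src, int(sport), dst, int(dport), flags))
    return events


def detect(events, scan_ports=5, scan_window=10, flood_half_open=30, flood_window=60):
    """Signature-style rules for two intrusions on the slide. Thresholds are assumptions."""
    alerts = set()
    # Port scan: one source touching many distinct ports on one host within a window.
    probes = defaultdict(list)
    for e in events:
        probes[(e.src, e.dst)].append((e.ts, e.dport))
    for (src, dst), seen in probes.items():
        seen.sort()
        for t0, _ in seen:
            ports = {p for t, p in seen if t0 <= t <= t0 + scan_window}
            if len(ports) >= scan_ports:
                alerts.add(("portscan", src, dst))
                break
    # SYN flood: many half-open handshakes (SYN never completed) towards one host.
    half_open = defaultdict(dict)
    for e in events:
        if e.flags == "S":
            half_open[e.dst][(e.src, e.sport)] = e.ts
        elif e.flags == "A":
            half_open[e.dst].pop((e.src, e.sport), None)
    for dst, pending in half_open.items():
        if not pending:
            continue
        newest = max(pending.values())
        recent = [t for t in pending.values() if t >= newest - flood_window]
        if len(recent) >= flood_half_open:
            alerts.add(("synflood", dst))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(parse_log(SAMPLE_LOG))):
        print(alert)
```

The legitimate client completes its handshake and so never counts as half-open; the scanner's eight probes to 10.0.0.5 stay well under the flood threshold and are reported as a scan instead.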
24
IPSEC & Tunneling
SSH secure tunneling
Start TCP session
negotiate encryption protocols
build session key (server has public key)
Client authentication (public key, password)
IPSEC
Transport mode & Tunnel mode
payload only vs whole IP packet protected
Security Associations (SAs)
Key exchange: IKE to negotiate keys, algorithms to use
confidentiality & integrity (keyed-hash as MAC)
Encryption issue for Firewall / IDS
25
Some Conclusions
Why network so vulnerable?
Security not designed in from start
Connects many 'untrusted' parties
Need to consider security across all layers
Some example security mechanisms and their place in the TCP/IP stack:
Network layer (IP): IPSEC
Transport layer (TCP, UDP): SSL / TLS
Application layer (HTTP, FTP, SMTP): PGP, Kerberos
Web service
security
SQL injection, XSS, XSRF
27
The danger of user input
Form/input modification
Can change (hidden) parameters
In address; www.website.com/display?file=5
Using own form or tools like TamperData.
Avoids client side verification
Value ranges
Size of input
etc.
Succeeds if no server side verification
28
SQL injection
User data used to construct query
Inject SQL code into the user input
Example:
SELECT id FROM usertable WHERE
    (username=$username) AND
    (password=$password)
Attacker's input:
username = Whomever OR 1=1
password = Whatever OR 1=1
29
SQL injection (cont)
Stacked queries
Q1; Q2
Often disabled for security reasons
Blind SQL injection
Extract info without knowing DB structure
Error message may reveal information
E.g. query being used - does column exist - etc.
Fact error message appears can already give information
Timing to reveal information
if information can't be obtained directly
if check succeeds, cause a delay; else exit directly
30
SQL injection countermeasures
Input filtering
Check size of input
Disallow/Escape/replace special characters
Use provided DB function if available
Problem distinguishing allowed input
Result verification
Parameterized queries
Pass parameters to the DB in the call, not in the query string, e.g.:
q = "UPDATE Count SET Quantity = ? WHERE ID = ?";
srv.query( q, array(arg1, arg2, ...) )
31
Cross Site Scripting (XSS)
User input on webpage
posted comments
responses to parameterized requests
Use to inject code (script) into 'trusted' page
When viewed by other users
Runs code on victim machine
Code comes from 'trusted' site
Gain access to victim's machine
Exploit local vulnerability in script
Steal information
e.g. cookies (private info, credentials, session keys)
MitM, etc.
32
XSS using posted comments
Figure: Mallory posts a comment containing <script>steal cookies</script> to news.com (a subscription-based news server); the page now reads
<H1>Comment Section</H1>
Comment from Mallory:
<script>Steal cookies</script>
and the script runs in victim Bob's browser when he views the page
33
A news website
news.com/archive?item=5
HTML page with item 5
User system up to date
Virus scanner, web client up to date
Correct certificates for SSL (https), etc.
Figure: Bob's browser talking to http://news.com
34
An error message
news.com/archive?item=x
Error: Item x does not exist
User requests non-existing item
Server responds with error message
Response mentions the requested item
35
Inject code
...item=<Bold>XSS</Bold>
Error: Item XSS does not exist
Can also inject a script, e.g.
news.com/archive?item=<script>alert("XSS")</script>
Code becomes part of the news.com page
36
XSS using posted parameters
Figure: Mallory sends victim Bob a message "Hi Bob, check out this new article on news.com <malformed link>"; the malformed link points at http://news.com with the script in its parameters
37
XSS: Exploit code injection
If able to post in an unchecked forum:
get user to go to forum page
Otherwise get other user to follow malformed link
send in email
put link on website
Many protection mechanisms will not work;
code comes from the correct server
e.g. for https: authentication is fine
Script can hide the error message part
user may not notice anything
38
XSS: Exploit code injection (cont)
How to get the user to accept a malformed link?
Users may get suspicious if they see:
https://news.com/archive?item=<script>...</script>
Hide from view:
news.com/archive?dummy=Very long argument which hides the rest from view&item=<script>...</script>
Encode it:
%3C%73%63%72%69%70%74%3E is the same as <script>
may not be recognized as such
both by human and by naive filter
39
XSS countermeasures
Client side: Difficult (for browser and user) to
distinguish between malicious code used by
XSS and genuine code as both come from
the correct server. Only user education: Do
not follow non-trustworthy links.
Server side:
Filtering of input data and converting to safe strings
e.g. < to &lt; etc., but much more is needed.
Can be difficult, e.g. for email services which do have to
allow html code in their input.
Decrease value of information that can be stolen;
e.g. accept cookies only from correct IP.
40
Dynamic webpage coding?
<?php
// Get user input url
$url = $_GET["url"];
// Print to output (=webpage)
echo "<a href=$url>Go there</a>";
?>
No checking of input
User can inject anything into the webpage, e.g. url = there.com>Go nowhere</a></body>
41
HTML input sanitation
Function htmlspecialchars
converts chars with meaning for html
& (ampersand) becomes &amp;
" (double quote) becomes &quot;
< (less than) becomes &lt;
> (greater than) becomes &gt;
Newer versions option:
also: ' (single quote) becomes &#039;
42
XSS safe coding ?
Input sanitation:
<?php
// Get the user input url
$url = htmlspecialchars($_GET["url"]);
// Print to output (=webpage)
echo "<a href=$url>Click here</a>";
?>
Remaining problem(s)?
Can escape context (" protected, ' not)
e.g. url = nowhere.com attrib=bla
or href=javascript:SomeFunction()
htmlspecialchars:
& => &amp;
" => &quot;
< => &lt;
> => &gt;
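Added example (not from the slides): the PHP link page above redone in Python to show what htmlspecialchars-style escaping does and does not solve. `render_link_escaped_only` still lets an unquoted href be escaped by a space and still emits a javascript: URL; `render_link_safe` validates the URL for the href context (scheme allow-list, then a quoted and escaped attribute), and `decoded_param` models that the application must check the percent-decoded value, as $_GET delivers it. The allow-list and the example URLs are assumptions.

```python
import html
from urllib.parse import unquote, urlsplit


def render_link_unsafe(url):
    """No checking of input: whatever the user sent becomes part of the page."""
    return f"<a href={url}>Click here</a>"


def render_link_escaped_only(url):
    """htmlspecialchars-style escaping only (html.escape also escapes the single quote).
    The attribute is still unquoted and the URL scheme is still unchecked."""
    return f"<a href={html.escape(url)}>Click here</a>"


ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web links are wanted here


def render_link_safe(url):
    """Validate the URL for the href context, then quote and escape the attribute.
    Returns None for anything that is not an absolute http(s) URL, which rules out
    javascript: URLs and bare strings such as 'nowhere.com attrib=bla'."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return f'<a href="{html.escape(url, quote=True)}">Click here</a>'


def decoded_param(raw):
    """Web frameworks hand the application the percent-decoded value, as $_GET does,
    so any check has to run on that value and not on the raw request string."""
    return unquote(raw)


def escape_text(text):
    """Escaping for the text context, e.g. the error message on the news.com slide."""
    return html.escape(text)


if __name__ == "__main__":
    for url in ["https://example.com/a?b=1&c=2", "nowhere.com attrib=bla",
                "javascript:SomeFunction()", decoded_param("javascript%3ASomeFunction()")]:
        print(repr(url))
        print("  escaped only:", render_link_escaped_only(url))
        print("  safe        :", render_link_safe(url))
    print(escape_text('<script>alert("XSS")</script>'))
```

Escaping is context-specific: `&lt;` is right for text between tags, a quoted attribute needs `&quot;` as well, and a URL attribute additionally needs a scheme check, because no amount of escaping turns `javascript:` into a harmless string.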
43
XSRF (Cross-Site Request Forgery)
Figure: victim Bob is logged in at http://bank.com and visits http://evil.site.com, whose page contains
<img src=http://bank.com/transfer.php?from=Bob&to=Mallory&amount=1.000>
so Bob's browser sends the transfer request to bank.com with his session cookies
44
XSRF Login attack
Figure: victim Bob visits http://evil.site.com, whose page contains
<img src=http://bank.com/login?user=Mallory>
so Bob's browser logs in at http://bank.com as Mallory
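Added example (not from the slides): the server-side check that defeats both XSRF figures above. The forged <img> request arrives with Bob's cookies, so the cookie alone must not authorise a transfer or a login; the handler requires a POST, a token bound to the session through an HMAC that the attacker's page cannot compute, and, when the browser sends one, the bank's own Origin. The request records, origins and session ids are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, generated at start-up here
BANK_ORIGIN = "https://bank.example"      # assumed origin of the bank's own pages


def csrf_token(session_id):
    """Token bound to the session. It is embedded in the bank's own forms; a page
    on another origin can neither read it nor compute it without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_change(request):
    """Decide whether a state-changing request (transfer, login) may proceed.

    request: {'method', 'origin', 'session_id', 'form': {...}}.
    The cookie-derived session_id alone proves nothing: the browser attaches
    cookies to the forged <img> request too. The request must be a POST,
    must not come from a foreign origin, and must carry the session's token.
    For a login form the token is bound to the pre-login session, which stops
    the login attack in the same way.
    """
    if request["method"] != "POST":
        return False, "state change requires POST"
    origin = request.get("origin")
    if origin is not None and origin != BANK_ORIGIN:
        return False, f"cross-site origin {origin}"
    expected = csrf_token(request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed requests mirroring the two figures.
IMG_TRANSFER = {"method": "GET", "origin": "https://evil.site.example", "session_id": "bob-session",
                "form": {"from": "Bob", "to": "Mallory", "amount": "1000"}}
FORGED_POST = {"method": "POST", "origin": "https://evil.site.example", "session_id": "bob-session",
               "form": {"from": "Bob", "to": "Mallory", "amount": "1000"}}
FORGED_POST_NO_ORIGIN = {"method": "POST", "origin": None, "session_id": "bob-session",
                         "form": {"from": "Bob", "to": "Mallory", "amount": "1000", "csrf_token": "guess"}}
GENUINE_TRANSFER = {"method": "POST", "origin": BANK_ORIGIN, "session_id": "bob-session",
                    "form": {"from": "Bob", "to": "Alice", "amount": "10",
                             "csrf_token": csrf_token("bob-session")}}
IMG_LOGIN = {"method": "GET", "origin": "https://evil.site.example", "session_id": "anon-session",
             "form": {"user": "Mallory"}}
GENUINE_LOGIN = {"method": "POST", "origin": BANK_ORIGIN, "session_id": "anon-session",
                 "form": {"user": "Bob", "csrf_token": csrf_token("anon-session")}}


if __name__ == "__main__":
    for name, req in [("img transfer", IMG_TRANSFER), ("forged post", FORGED_POST),
                      ("forged post, no origin", FORGED_POST_NO_ORIGIN),
                      ("genuine transfer", GENUINE_TRANSFER), ("img login", IMG_LOGIN),
                      ("genuine login", GENUINE_LOGIN)]:
        print(f"{name:24s} -> {check_state_change(req)}")
```

Marking the session cookie SameSite in the browser is a complementary defense: the browser then does not attach it to cross-site requests such as the <img> fetch at all.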
45
Data is Dangerous
Both SQL and XSS use malformed data
Important conclusion
Not only external programs are a threat
Also data from untrusted source is dangerous
User input key risk for web services
Malware
47
Trojans, Viruses and Worms
Trojans
Malicious code embedded in programs
Viruses + Worms
Able to replicate
Worms: (no human action)
Exploit vulnerability (networked) machine to spread
Replication + Payload
Tool kits to build, buy infected machines
McAfee Labs: 2010 55K new malware per day
48
Example Worm
Conficker (2008-2009)
Building a 'botnet'
Self-updating worm
Random addresses, P2P
installs spyware, creates spam servers
Attacks anti-virus software
E.g. prevents updates
Autorun viruses
E.g. through USB sticks
Social networks
Seems to come from friends
Anti virus solutions
49
Signature based
Heuristics & Behavioral
False positives vs false negatives
'if it looks like a duck and it quacks like a duck'
White listing
Anti-anti virus
Large numbers of new viruses (or variants)
millions of signatures needed
Polymorphic viruses
the 'retro-viruses' of the digital world
Stealth techniques
Root kits
Counterattack
Disable anti-virus software
Targeted attacks
Advanced persistent threats
51
52
Attacks on critical infrastructure
Scada (supervisory control and data acquisition)
Manage industrial processes
Power plants, Refineries, etc.
Night Dragon (2009)
attacks against several global oil, energy, and petrochemical companies
Steal highly sensitive information
e.g. oil and gas field bids and operations
impacts multibillion dollar deals
Standard strategies:
social engineering, spear-phishing, Windows exploits, Active Directory compromises, remote administration tools (RATs)
Stuxnet
53
SCADA Essentials
PLC: programmable logic controller
Connected to sensors and actuators:
switches, temperature and pressure sensors
operate electric motors, pneumatic or hydraulic cylinders
Figure: a PLC and an actual SCADA system
54
SCADA Security issues
Not many attacks (especially compared to Internet)
limited security implemented
not designed with security in mind
Non-standard, proprietary protocol (extensions)
security through obscurity
Communication authenticated by means of MAC and IP addresses
easy to fake MAC and IP
55
Stuxnet: SCADA-based cyberwarfare
Figure (labels: Regular, Elaborate, Stuxnet)
Slides by: Sandro Etalle
56
How it spreads
Figure: how it spreads, phase 1 to phase 3
Slides by: Sandro Etalle
57
The attack phases
PHASE 1: almost normal worm, very smart
It spreads, hides, updates itself
It looks around
To duplicate itself
TO SEE IF IT CAN ENTER PHASE 2
PHASE 2: attacking Siemens, PLC systems
Infects the SIEMENS System
It modifies the PLC programming
PHASE 3: sabotage
Check for a specific factory environment.
If it does not find it, it does nothing
Slides by: Sandro Etalle
58
Phase 1: the Windows system
Elaborate standard worm
Get to LAN: USB sticks
Within LAN: a.o. USB sticks, print spooler, shared folders
4 zero-day vulnerabilities
Rootkit to hide
Digitally signed with stolen certificates
Checks which antivirus is active and adapts accordingly
Updates
Slides by: Sandro Etalle
59
Phase 2: targeted attack
Attacks specific SCADA management systems
Hard-wired password (WinCC)
Siemens Project 7 folder vulnerabilities
It replaces the PLC code
massive changes
Hides using rootkit
First ever PLC rootkit
Slides by: Sandro Etalle
60
Phase 3: sabotage
It checks for a specific configuration:
types of devices
used frequencies
If not found: it does nothing
If found:
Slides by: Sandro Etalle
61
Stuxnet infections graph
Source: www.symantec.com
62
Stuxnet
Targeted attack on five different organizations
2,000 infections can be traced back to these five organizations
Three organizations were targeted once, one was targeted twice, and another was targeted three times
Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010
All targeted organizations have a presence in Iran
Three variants exist (Jun 2009, Apr 2010, Mar 2010) and a fourth variant likely exists but has never been recovered
Source: www.symantec.com
63
Other features
>1.5 MB IN SIZE
Written in different languages, C, C++
Cost? > 1M$
Many people with different expertise
+ a lab for testing
+ quality assurance
+ detailed info on the target system
+ insiders to steal the certificates
This thing has been tested for months on a duplicate of the target SCADA system!
64
Antivirus?
Antivirus Software
Signatures, behavioral, reputation based
However, Stuxnet was devised to
be invisible to signature-based systems
avoid detection by behavior-based antivirus
it stopped when it encountered an antivirus that could detect it
and was thoroughly tested in the lab
Reputation-based mechanisms should work
but need a sufficiently large number of peers
Internet connection for updates is needed
Local reputation-based will probably not work
SCADA systems are too heterogeneous (and not as many as regular clients)