
Author: Shawn Lawson

1 Quiz-2 Review, ECE-6612. Prof. John A. Copeland (fax), Office: Klaus 3362. Email or call for office visit, or call 404 894-5177. March 28, 2016

2 Quiz-2 Topic Areas
• Email Security - PGP, S/MIME
• IP Security - IPsec (AH, ESP modes, VPN)
• Web Security - Secure Socket Layers (SSL, TLS) - Certificates, CA’s, Hashes (MD5)
• Intruders (and other Malicious Users) - Protection
• DNS - cache poisoning (Birthday Attack used)
• IDS - (Base-Rate Fallacy, False-Positive Rate)
• Viruses - Worms, Trojan Horses, Logic Bombs, ...
• TCP-IP, Firewalls, Secure Electronic Transactions (SET), and Trusted Systems
We have discussed: BotNets, DDoS, SPAM, Phishing.
Slides 17 (1-11): Buffer Overflows, Stack Frames.

3 The test will also cover these slide sets:
• 06a DNS.ppt (5 hacks)
• 06-IP Networks.ppt (after Slide 9): Ethernet Addresses (how far do they go?), ARP, Routing Tables, IPsec: ESP, AH
* Know uses of: nslookup, whois, traceroute, google.

4 The combinations are called: HTTPS, SFTP, ESMTP, SSH.
• SSL and TLS sit above the TCP socket, so they are part of the Application Layer (a “shim”).
• TLS is Transport Layer Security (not “IPsec Transport Level Security”).
• TLS is used for the mail protocols (SMTP/TLS, POP/TLS or IMAP/TLS).
• SSL is used for secure Web access (HTTPS), which now uses TLS v1.2.
• Secure Shell, SSH, is Telnet + SSL + other features.
• Secure Copy, SCP, copies files using SSH (SFTP has FTP-like functions).
• Versions of SSL (v.1, v.2, v.3) and TLS (v1.0, v1.1) should be replaced by TLS v1.2.

5 Internet Architecture [Figure: protocol stacks of a Web Server, a Router and a Browser. Application Layer (HTTP; Port 80 on the server, Port 31337 on the browser). Transport Layer (TCP, UDP; Segment No.). Network Layer (IP; IP Address); the router buffers packets that need to be forwarded, based on IP address. Data-Link Layer (Ethernet, Token Ring) and Physical Layer.]

6 IPsec - Security Associations: Transport mode (Host-Host); Tunnel mode (Gateway-Gateway, i.e. between Routers).

7 DNS Hack #3 - Fast Flux DNS: the URL in a phish resolves to one of many bots. [Figure: recursive DNS lookup, from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross, Chapter 2: Application Layer. Steps 1-8: the requesting host joe.poly.edu, wanting an IP address, sends a “recursion-requested” query to the local DNS server dns.poly.edu (the host itself is doing a non-recursive search); the local DNS server does a “recursive” search, contacting the root DNS server, a TLD DNS server and the authoritative DNS server dns.urhcked.com before the final answer is given to the host.] Fast Flux - many IP’s of bot phishing sites. Note: in the nslookup query, the dot after “com” is necessary to avoid getting the same cached answer from dns.poly.edu.

8 DNS Hack #4 - DNS Cache Poisoning (Birthday Attack). [Figure: Local DNS, NS-CNN.COM and the Hacker; the Hacker DoS-attacks NS-CNN.COM.] The Hacker sends 260 requests for the same domain, cnn.com, and N replies carrying a fake authoritative name server IP address, with random IDs. The Local DNS sends 260 queries with different IDs. A correct guess of one ID is accepted, and the Local DNS caches the fake address for dns.cnn.com. Probable number of hits = 260*N/(256^2) = 1 if N = 252; Prob(hits > 0) = 0.63; total packets = 512.
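The slide's hit-count arithmetic, carried through as an added example (my code, not from the course slides). The identifier-space width is a parameter, so the same model covers the single-outstanding-query case, the slide's 260-query birthday case and, as a generalization beyond the slide, an assumed 32-bit effective ID space (e.g. the 16-bit transaction ID combined with 16 bits of source-port randomness), which is the figure a defender wants to compare against:

```python
def expected_hits(queries: int, replies: int, id_bits: int = 16) -> float:
    """Expected number of (query ID, forged-reply ID) matches.

    Model: `queries` outstanding queries for the same name carry distinct
    random IDs, and `replies` forged answers carry independent random IDs,
    all drawn from a space of 2**id_bits values.  Each forged reply matches
    some outstanding query with probability queries / 2**id_bits, so the
    expectation is the slide's 260*N/(256^2) when id_bits = 16.
    """
    return queries * replies / 2 ** id_bits


def prob_at_least_one_hit(queries: int, replies: int, id_bits: int = 16) -> float:
    """Exact P(hits > 0) under the same model.  The slide quotes 0.63 for
    260 queries and 252 replies, i.e. about 1 - e**-1 when expected hits = 1."""
    space = 2 ** id_bits
    if queries >= space:
        return 1.0  # every possible ID is outstanding, so any reply matches
    p_miss = 1 - queries / space
    return 1 - p_miss ** replies


def replies_for_about_one_hit(queries: int, id_bits: int = 16) -> int:
    """N at which the expected number of hits reaches ~1 (the slide's N = 252)."""
    return round(2 ** id_bits / queries)


def risk_summary(queries: int = 260, replies: int = 252) -> dict:
    """Constructed comparison for a defender: the slide's birthday scenario,
    the single-outstanding-query scenario, and the same reply budget against
    an assumed 32-bit effective ID space."""
    return {
        "birthday_16bit": prob_at_least_one_hit(queries, replies, 16),
        "single_query_16bit": prob_at_least_one_hit(1, replies, 16),
        "birthday_32bit": prob_at_least_one_hit(queries, replies, 32),
    }
```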

9 Five DNS Hacks
• DNS Hack #0 – modify /etc/resolv.conf or Windows’ Registry, to change the IP of the Local DNS Server.
• DNS Hack #1 – add a line to /etc/hosts or Windows’ Registry.
• DNS Hack #2 – In URL link, hide the actual domain: e.g.,
• DNS Hack #3 – Fast-Flux DNS: gives a different IP every time.
• DNS Hack #4 – Poison the Local DNS Server’s cache (using a “Birthday” Attack).

10 Definitions
• Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or CPU cycles.
• Payload - harmful things the malicious program does, after it has had time to spread.
• Worm - a program that replicates itself across the network, usually riding on messages or attached documents (e.g., macro viruses; such “viruses” are technically “worms”).
• Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (time, trigger).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
• “Vulnerability” - a program defect that permits “Intrusions”.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
• Bot, BotNet - Large P2P network (hundreds to millions) of compromised computers (Bots) that communicate to commit DDoS, SPAM, Phish.

11 The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are “open” (being listened to by Servers).
2. Run “Exploit” scripts against open ports. [ACCESS]
3. Elevate privileges to “root” privileges. [ELEVATE]
4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT]
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]
[Figure annotations, detection methods per stage: Flow-based* “CI”, signature-based?, Vulnerability Scan; Signature?, Flow-Based Port Profile*, Host-based; Signature?, “Port-Profile*”, Forbidden Zones*, Host-based. * StealthWatch]

12 Protection from a Network Intrusion
Protection
1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10).
2. On Microsoft PC’s, with XP and later, use the OS firewall that limits incoming and outgoing communications by Application (program), not just port number. For Mac, buy "Little Snitch" ($35).
Detection
1. Use an IDS (Intrusion Detection System) to detect a Cracker during the scanning stage (lock out the IP address, or remove malware from a local host).
2. Use a program like TripWire* on each host to detect when system files are altered, and send an alert to the Sys Admin.
Reaction
1. Have a plan and the means to implement it.
Rule 2: Multiple Layers of Protection are needed to reach a high level of security at an affordable cost.

13 Anomaly-Based Intrusion Detection [Figure 9.1: distributions of a measured behavior parameter for normal and bad events, with the Detection Threshold; events above the threshold are detected as Positive -> Alarm.]
• A Negative Event, True or False, is one that does not trigger an Alarm.
• High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
• False Alarms = False Positives (FP); Undetected Intrusions = False Negatives (FN).
• #False-Positives = #Normal Events x FP-rate
• #False-Negatives = #Bad Events x FN-rate
• #Normal Events = #TrueNegatives + #FalsePositives

14 "Base-Rate Fallacy" Calculations
If the “behavior” is a connection:
For legitimate connections (total number = LC):
• True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
• Correctly handled connections (no alarms) = TNR * LC
• Incorrectly handled connections (false alarms) = FPR * LC
For malicious connections (total number = MC):
• False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
• Correctly handled connections (real alarms) = TPR * MC
• Incorrectly handled connections (no alarms) = FNR * MC
If LC >> MC then (FPR * LC) >> (TPR * MC), hence “false alarms” are much greater than “real alarms” whenever FPR >> MC/LC (tiny). (TPR is 1 - FNR, or approx. 1.)
See Slide Set 09A, #17 for example calculations.
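The base-rate arithmetic above, worked through as an added example; this is my code, not the course's Slide Set 09A #17 calculation (whose numbers are not on this page), and the connection counts and rates are constructed. Beyond the slide, it also inverts the relation to give the FPR a detector must reach before a chosen share of its alarms is real:

```python
def base_rate_analysis(lc: int, mc: int, fpr: float, tpr: float) -> dict:
    """Apply the slide's rates to lc legitimate and mc malicious connections
    and report what the analyst actually sees: alarms, real and false."""
    if lc < 0 or mc < 0 or not (0.0 <= fpr <= 1.0) or not (0.0 <= tpr <= 1.0):
        raise ValueError("counts must be >= 0 and rates must lie in [0, 1]")
    tnr, fnr = 1.0 - fpr, 1.0 - tpr          # TNR + FPR = 1, FNR + TPR = 1
    false_alarms = fpr * lc                  # legitimate, but alarmed
    real_alarms = tpr * mc                   # malicious, and alarmed
    alarms = false_alarms + real_alarms
    return {
        "no_alarm_legit": tnr * lc,
        "false_alarms": false_alarms,
        "real_alarms": real_alarms,
        "missed_intrusions": fnr * mc,
        "base_rate": mc / lc if lc else float("inf"),   # the slide's MC/LC
        # Share of alarms that are real intrusions: what the analyst ends up chasing.
        "alarm_precision": real_alarms / alarms if alarms else 0.0,
    }


def fpr_for_precision(base_rate: float, tpr: float, precision: float) -> float:
    """Largest FPR that still leaves the given share of alarms real.

    From precision = TPR*MC / (TPR*MC + FPR*LC), solving for FPR gives
        FPR = TPR * (MC/LC) * (1 - precision) / precision,
    i.e. the slide's condition made quantitative: FPR must be no larger than
    a TPR-scaled fraction of the tiny base rate MC/LC.
    """
    if not 0.0 < precision <= 1.0:
        raise ValueError("precision must lie in (0, 1]")
    return tpr * base_rate * (1.0 - precision) / precision


def demo() -> dict:
    """Constructed scenario: a million legitimate connections a day, 100
    malicious ones, and a detector with FPR = 0.1% and TPR = 99%."""
    return base_rate_analysis(lc=1_000_000, mc=100, fpr=0.001, tpr=0.99)
```

In the constructed scenario a detector that is "99% accurate" produces about ten false alarms for every real one; the 0.1% FPR would have to fall below the base rate of 0.01% before half of its alarms were real.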

15 Chapter 10a - Firewalls
• Network Firewall - economical, one point to manage.
• Host-based FW - can filter based on application; depends on the user unless a central management system is used.
• Simple Firewall - drops packets based on IP, port.
• Stateful - keeps track of connections, set up inside or outside.
• NAT - Network Address Translation, Private Address ranges (10. , , …). Inbound connections must match the “forwarding table”.
• Proxy Server - checks application header and data. A mail proxy may filter spam, viruses, and worms; a Web proxy may filter URLs and domains.
• Attacks - how does a Firewall protect against scanning, bad fragments, bad TCP flags, the Smurf attack, ...?
• Host-based Firewalls - xinetd (/etc/hosts.allow), iptables, Zone Alarm, Black Ice (now ISS Desktop Proventia), “Little Snitch”.

16 Chapter 10b - Trusted Systems
• Subject, Object, Access Rights (permissions).
• Policy - Access matrix or ACL (access control list).
• 3 Basic Security Rules: No read up (simple security property); No write down (do not widen accessibility); Need to Know.
• Reference Monitor, audit file, security kernel database.
• 3 Requirements to be a “Trusted System”: Complete Mediation, Isolation, Verifiability.
• “Common Criteria” Security Specifications are multi-national trust ratings.
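A minimal reference monitor enforcing the three rules above (no read up, no write down, need to know) and writing an audit record for every decision, as an added example that is not part of the course material; the levels, compartments, subjects and objects are constructed:

```python
from dataclasses import dataclass, field

# Hypothetical classification levels, ordered low to high.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Higher-or-equal level AND every compartment of `other` is held:
        # one relation encodes both the level ordering and need to know.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class ReferenceMonitor:
    """Every access goes through check() (complete mediation) and is
    recorded in the audit file (here an in-memory list)."""
    subjects: dict                      # subject -> clearance Label
    objects: dict                       # object  -> classification Label
    audit: list = field(default_factory=list)

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":
            allowed = s.dominates(o)    # no read up (simple security property)
        elif mode == "write":
            allowed = o.dominates(s)    # no write down (do not widen accessibility)
        else:
            raise ValueError(f"unknown access mode: {mode}")
        self.audit.append((subject, obj, mode, "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed subjects and objects (not from the course material)."""
    return ReferenceMonitor(
        subjects={"analyst": Label("secret", frozenset({"crypto"})),
                  "clerk": Label("confidential")},
        objects={"report": Label("secret", frozenset({"crypto"})),
                 "ops_report": Label("secret", frozenset({"ops"})),
                 "memo": Label("confidential"),
                 "plan": Label("top-secret", frozenset({"crypto"}))},
    )
```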

17 Chapter 11 - TCP/IP
• Bad fragments can crash the Operating System (OS): "Teardrop".
• ICMP packets: Type No. (11 = Timeout, 8 = Ping, 0 = Pong, 3 = Unreachable [Codes: 0 = Network, 1 = Host, 3 = Port]).
  • "Ping of Death" - fragment extends beyond 2^16 bytes.
  • "Smurf" (Pong multiplication, Ping to broadcast address).
• “Spoofed” addresses for Flood DoS attacks (Source IP in Smurf).
• TCP Handshake: SYN, SYN-ACK, ACK / RESET / FIN, FIN. Flags - bad combinations to 1) map OS, 2) cause crashes.
• TCP - Hijacked connection. The IP address of one host can change if sequence numbers and acknowledgment numbers are consistent. The original host must be DoS'ed (silenced).
• DNS - UDP port 53 used for DNS lookups, reverse lookups. What is “Fast Flux DNS” and “DNS Cache Poisoning”?
• ARP - Used by the IP layer to find the MAC layer address to use. What is “ARP Poisoning”?


19 Chapter 13 - NetSec Utilities
What do they do? John the Ripper, Metasploit, dsniff, nmap, Tripwire, Wireshark, tcpdump, nslookup, traceroute, whois, netstat, dd.
Security Organizations: US-CERT (U.S. Computer Emergency Response Team), SANS, NIPC (FBI - Nat. Infrastructure Protection Center).
What to do if a host is compromised: Evidence – preserve chain of custody. Disconnect from the network, by power-off if possible. The UNIX 'dd' utility is good for making an image of a hard disk.

20 Slide Set 14 - Wireless Security
• WEP is weak security, but far better than nothing (GTother).
• WPA is better, but needs long passphrases (22 characters).
• WPA2 is best, but not completely compatible with older cards (GTwpa - available in 2010, GTwifi in 2012). Use the longest key length possible.
• WPS 7-digit install is broken.
• Enable use of an “allowed list” of MAC addresses.
• Use higher-layer security - IPsec or HTTPS (SSL), with TLS.
• Use a firewall and IDS to isolate wireless access points (WAP’s) just like you do for the Internet gateways.
• What is a Rogue WAP, an “Evil Twin” attack?
• Authentication: RADIUS, CHAP - Challenge Authentication.

21 What was learned from homework problems? Outside Reading
• "How Hackers Took Down a Power Grid" - hackers-took-down-a-power-grid
• "Auto Industry, U.S. Reach Agreement on Cybersecurity" - http://bloom.bg/1WezUFd
• "Anti-Virus Software can itself have a Vulnerability" - us-software-could-make-your-company-more- vulnerable.html

22 The test will cover the slide sets 06-IP Networks.ppt, 07-SSL-SET, 08a Safer Downloading.ppt, 09a-Intrusion.ppt, 09b-Viruses, 10a-Firewalls.ppt, 10b-Trusted Systems, 11-TCP-IP.ppt, 13-Netsec Utilities.ppt, 14-Wireless Security, and 18-Shellcode.ppt (slides 1-14). It will not cover Simple Network Management Protocol (08-SNMP.ppt). You will be able to bring your Quiz-1 reference sheet. You should review areas you missed on Quiz-1. We discussed SSL/TLS in connection with Public-Private keys, and secure . We did cover the SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years; it, or something like it, may be necessary in the future.