Copyright Michael B. Scher This document may be freely distributed by electronic media solely for non-commercial purposes. Reproduction in any form must be of the entire work including this copyright notice. Print copies (except a personal use copy) with permission of the author only. All other rights reserved.

strange(at)cultural.com

OUTLINE for "Computer Security and Intrusion: The Technical (a sketch of things to come)"
Lecture on computer security concepts, complex system intrusion trends and predictions; given as part of the "Doing Business in a Networked World" conference at the John Marshall Law School.

January 16, 1998

Full text of talk available here.


Computer Security and Intrusion:
The Technical (a sketch of things to come)


I. Two loosely-defined areas of weakness
      A. Protocols: how we transmit data
            1. Example:  telnet
                 a) usernames, passwords and the whole session are sent in
                       clear text; anyone on the path can read them
                 b) designed for reliability under poor network conditions
                 c) not designed for use over hostile networks
                 d) FTP and POP have the same problem
                 e) Compensation: one-time passwords (a sniffed password is
                       useless the second time), or tunneling the session
                       through an encrypting protocol
            2. Even "secure" protocols may have subtle design or
            implementation flaws
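The compensation in I.A.1.e, shown as an added example rather than code from the talk: a Lamport/S-KEY-style one-time-password chain in which the server stores only the hash of the next acceptable password, so a password captured by a sniffer is rejected on replay. The hash is a stand-in (FNV-1a over the previous value) chosen so the block runs with no library; the seed, chain length and function names are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in one-way function (FNV-1a over the 8 bytes of the previous value).
 * Assumption for this demo only; a deployment would use a cryptographic hash. */
static uint64_t chain_hash(uint64_t v) {
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < 8; i++) {
        h ^= (uint8_t)(v >> (8 * i));
        h *= 1099511628211ULL;
    }
    return h;
}

/* The server never holds the secret: only h^n(seed) and how many passwords remain. */
struct otp_server {
    uint64_t expected;   /* hash of the next password it will accept */
    int      remaining;
};

/* The client derives password number i from its secret seed as h^i(seed). */
static uint64_t client_password(uint64_t seed, int i) {
    uint64_t v = seed;
    for (int k = 0; k < i; k++) v = chain_hash(v);
    return v;
}

static void server_enroll(struct otp_server *s, uint64_t seed, int n) {
    s->expected = client_password(seed, n);   /* h^n(seed), computed once at enrolment */
    s->remaining = n;
}

/* Accept p only if hash(p) equals the stored value, then step the stored value
 * down the chain so the same p can never be accepted again. */
static int server_verify(struct otp_server *s, uint64_t p) {
    if (s->remaining <= 0 || chain_hash(p) != s->expected) return 0;
    s->expected = p;
    s->remaining--;
    return 1;
}

/* Scenario: a sniffer on a telnet-style link captures one login and replays it. */
static int replay_is_rejected(void) {
    struct otp_server srv;
    const uint64_t seed = 0x0123456789abcdefULL;   /* constructed client secret */
    server_enroll(&srv, seed, 100);
    uint64_t sniffed = client_password(seed, 99);  /* first login sends h^99(seed) */
    int first  = server_verify(&srv, sniffed);     /* genuine login: accepted */
    int replay = server_verify(&srv, sniffed);     /* attacker replays it: rejected */
    int next   = server_verify(&srv, client_password(seed, 98)); /* client's next login */
    return first && !replay && next;
}

int main(void) {
    printf("sniffed one-time password replayed: %s\n",
           replay_is_rejected() ? "rejected" : "ACCEPTED");
    return 0;
}
```

The chain can cross a hostile network in the clear because knowing h^99(seed) does not yield h^98(seed) without inverting the hash; the stand-in hash here has no such guarantee, so the block shows the mechanics only.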
      B. Programs:
            1. Unanticipated input, kind or quantity
            2. Poor handling of unexpected situations
            3. Common libraries of functions mean a problem in a library
      function could implicate dozens of programs.
            4. Example:  Sun Solaris 2.x getopt() "buffer overflow"
                 a) ordinarily the function just reports an error when a
                       program is handed an option it does not recognize
                 b) the function copied the offending text into a fixed-size
                       buffer without checking its length
                 c) an oversized argument therefore wrote past the buffer and
                       overwrote part of the running program's own memory
                 d) allows "hijacking" of the running program, and all its
                       privileges (serious when the program runs setuid root)
            5. Vulnerabilities can be "local" (the attacker already has an
                  account on the machine) or "remote" (exploitable over the
                  network)
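The mechanism behind I.B.4, as an added illustration and not the Solaris code itself: an error-message routine that copies the offending argument into a fixed 64-byte stack buffer with no bound, beside a version that uses snprintf and reports truncation instead. The function names, the buffer size and the 5000-byte argument are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX 64                          /* constructed fixed buffer size */
#define PREFIX  ": illegal option -- "

/* Vulnerable pattern: the error message is assembled in a fixed stack buffer
 * with strcpy/strcat, so the length of the argument is never checked. An
 * argument longer than the space left writes past msg into whatever the
 * compiler placed after it (saved registers, return address): that is the
 * "hijack". Undefined behaviour, so main() only calls it with a short option. */
static void report_unknown_option_vulnerable(const char *prog, const char *opt) {
    char msg[MSG_MAX];
    strcpy(msg, prog);
    strcat(msg, PREFIX);
    strcat(msg, opt);                       /* attacker controls this length */
    fprintf(stderr, "%s\n", msg);
}

/* Hardened pattern: snprintf writes at most outlen bytes (always NUL-terminated)
 * and returns the length the full message would have had, so truncation is
 * detected instead of silently corrupting memory. Returns 1 if truncated. */
static int report_unknown_option_safe(const char *prog, const char *opt,
                                      char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s%s%s", prog, PREFIX, opt);
    if (n < 0) { out[0] = '\0'; return 1; }
    return (size_t)n >= outlen;
}

/* Would an option of this length overflow the vulnerable version's buffer? */
static int would_overflow(const char *prog, size_t optlen) {
    return strlen(prog) + strlen(PREFIX) + optlen + 1 > MSG_MAX;
}

/* Run the safe version on a constructed option of optlen 'A's; report whether
 * it was truncated and how many bytes actually landed in the buffer. */
static int safe_with_option_length(size_t optlen, size_t *stored) {
    char out[MSG_MAX];
    char *opt = malloc(optlen + 1);
    if (!opt) { *stored = 0; return 1; }
    memset(opt, 'A', optlen);
    opt[optlen] = '\0';
    int truncated = report_unknown_option_safe("prog", opt, out, sizeof out);
    *stored = strlen(out);
    free(opt);
    return truncated;
}

int main(void) {
    size_t stored;
    report_unknown_option_vulnerable("prog", "x");          /* short: harmless */
    printf("5000-byte option overflows the %d-byte buffer in the unsafe version: %s\n",
           MSG_MAX, would_overflow("prog", 5000) ? "yes" : "no");
    int truncated = safe_with_option_length(5000, &stored);
    printf("safe version: truncated=%d, %zu bytes stored, buffer intact\n",
           truncated, stored);
    return 0;
}
```

The fix is not the truncation itself but the fact that the bounded call makes the oversized input a reportable condition rather than a memory write; the same pattern applies to any fixed buffer fed from argv, the environment, or the network.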
II.  The Firewall as a security measure
      A. Benefits
            1. Restricts outside access
            2. Delimits services available in both directions
            3. Prevents direct contact between outside systems and
                 internal systems
      B. Drawbacks
            1. Sense of safety makes IS staff or management overconfident
                 and leads to weak internal security.
            2. Internet is often not the only ingress to the network
                 a) dialup modem pool
                 b) user's desktop fax/modem
                 c) emergency modems on servers, and routers
                 d) human frailty
III. Two growing areas of vulnerability
      A. "Passive attacks"
            1. Generally untargeted; the attack lies in wait for the victim
                  to take the initiative (connect, browse, fetch)
            2. Network "sniffing" is an example of one that's been around
                 for many years.
            3. Next generation exploits a weakness in the victim's client
                 program when it connects to a trojan-horse site on
                 the net:
                 a) FTP
                 b) WWW
                 c) USENET News
                 d)  . . .
            4. MS IE 4.x example
                 a) buffer overflow
                 b) somewhat selectively targetable: the web server can tell
                       browser types apart (each request announces its
                       browser), so the payload goes only to vulnerable ones
                 c) in theory, allows one to do almost anything to victim
                 user's system
                 d) ideal for attacker to slip into busy site
                 e) attacker may be long gone before anyone's system is
                       compromised
                 f) difficult attack to actually put together - until someone
                       comes out with a kit
                 g) defeats adage that you can't get a virus by just browsing
                       the WWW
            5. Yahoo example
                 a) major webserver exploited
                 b) hoax threatening "logic bomb"
      B. "Complex attacks"
            1. Targeted, with two or more machines exploited to gain access
                 to one of them - not mere machine-to-machine hopping
            2. Example:  Mitnick hacks Shimomura
                 a) TCP "hijacking" attack: forged packets claiming to come
                       from a host the server trusted
                 b) server trusted that client host (rlogin-style host trust,
                       no password asked); the attacker impersonated it
                 c) client rendered non-responsive with a SYN flood, so it
                       could not reset the forged connection
                 d) server's TCP sequence numbers guessed: they increased by
                       a fixed amount per connection, so a few probes
                       revealed the next one
                 e) account backdoored (.rhosts with + + in it, which trusts
                       every user on every host)
                 f) also example of reliance for security on a protocol not
                       designed for security
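A simulation of the sequence-number half of III.B.2, added here and not taken from Shimomura's account: a server whose initial sequence numbers either grow by a fixed step per connection or come from a PRNG, an rlogin-style trust check on the source address, and an attacker who samples two ISNs from its own address and then forges a connection from the trusted host. The step value, addresses and PRNG seed are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

#define ISN_STEP 128000u          /* constructed fixed per-connection increment */

struct server {
    uint32_t last_isn;
    int      predictable;         /* 1: ISN = last + ISN_STEP; 0: ISN from a PRNG */
    uint32_t rng;
    uint32_t trusted_ip;          /* rlogin-style host trust: no password asked */
};

/* Half-open connection: SYN seen, SYN-ACK (carrying isn) sent to src_ip. */
struct pending { uint32_t src_ip; uint32_t isn; int open; };

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

static uint32_t server_isn(struct server *sv) {
    if (sv->predictable) sv->last_isn += ISN_STEP;
    else                 sv->last_isn = xorshift32(&sv->rng);
    return sv->last_isn;
}

/* Handshake step 1: a SYN arrives. Its source may be forged; the SYN-ACK is
 * sent to that source, whoever really owns the address. */
static struct pending server_recv_syn(struct server *sv, uint32_t src_ip) {
    struct pending p = { src_ip, server_isn(sv), 0 };
    return p;
}

/* Step 3: the ACK arrives. The server's only proof that the peer saw the
 * SYN-ACK is ack == isn + 1; the trust decision is then just the address. */
static int server_recv_ack(const struct server *sv, struct pending *p, uint32_t ack) {
    if (ack != p->isn + 1 || p->src_ip != sv->trusted_ip) return 0;
    p->open = 1;
    return 1;
}

/* Attacker: two real connections from its own address reveal consecutive ISNs
 * (it receives those SYN-ACKs), giving the step. It then sends a SYN with the
 * trusted host's address; that SYN-ACK goes to the trusted host, not to the
 * attacker, so the ACK has to carry a guessed ISN. */
static int forge_connection(int predictable, int trusted_silenced) {
    struct server sv = { 1000u, predictable, 1u, 0x0a000001u /* 10.0.0.1 */ };
    const uint32_t attacker_ip = 0xc0a80105u;                  /* 192.168.1.5 */

    uint32_t s1 = server_recv_syn(&sv, attacker_ip).isn;       /* probe 1 */
    uint32_t s2 = server_recv_syn(&sv, attacker_ip).isn;       /* probe 2 */
    uint32_t guess = s2 + (s2 - s1);                           /* predicted next ISN */

    struct pending p = server_recv_syn(&sv, sv.trusted_ip);    /* forged SYN */
    /* If the trusted host is alive it receives a SYN-ACK for a connection it
     * never opened and answers with RST, killing the attempt. The SYN flood
     * keeps it too busy to do that. */
    if (!trusted_silenced) return 0;
    return server_recv_ack(&sv, &p, guess + 1);                /* forged ACK */
}

int main(void) {
    printf("predictable ISN, trusted host flooded:    forged login %s\n",
           forge_connection(1, 1) ? "ACCEPTED" : "rejected");
    printf("predictable ISN, trusted host responsive: forged login %s\n",
           forge_connection(1, 0) ? "ACCEPTED" : "rejected");
    printf("random ISN, trusted host flooded:         forged login %s\n",
           forge_connection(0, 1) ? "ACCEPTED" : "rejected");
    return 0;
}
```

Both conditions had to hold for the real attack: the sequence number had to be guessable, and the host being impersonated had to be unable to object. Unpredictable ISNs remove the first; nothing in TCP itself removes the second, which is why address-based trust is the underlying weakness.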
            3. Example: DNS cache corruption and Eugene Kashpureff
                 a) Name servers cache past lookups for efficiency
                 b) DNS runs over UDP with no authentication; a reply is
                       accepted if its 16-bit transaction ID matches an
                       outstanding query, so replies are trivial to forge,
                       especially if the real server has been rendered
                       unresponsive and cannot answer first
                 c) Tricked server gives out bogus information until the
                       record's time to live expires, the entry is pushed
                       out of the cache, or the server restarts
                 d) Kashpureff tricked hundreds of name servers into
                       caching the wrong information about
                       www.internic.net, having them point to the IP address
                       for www.alternic.net instead, virtually taking
                       www.internic.net off the Internet.
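The cache mechanics of III.B.3, as an added example (it is not Kashpureff's method or any real resolver's code): a toy caching resolver that accepts any reply whose transaction ID and name match its one outstanding query, an attacker who learns the sequential ID from a lookup in a zone it controls and forges the next answer, and the same run with unpredictable IDs. Names, addresses, TTLs and the ID generator are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CACHE_SIZE 8
#define NAME_MAX   64
#define BOGUS_IP   0x0a0a0a0au   /* constructed address the attacker wants served */
#define REAL_IP    0xc6200c00u   /* constructed address of the genuine server */

struct entry { char name[NAME_MAX]; uint32_t ip; long expires; int used; };

struct resolver {
    struct entry cache[CACHE_SIZE];
    long     now;            /* simulated clock, seconds */
    int      random_txid;    /* 0: sequential IDs; 1: IDs from a PRNG */
    uint16_t next_txid;
    uint32_t rng;
    int      pending;        /* one outstanding query: its txid and name */
    uint16_t pending_txid;
    char     pending_name[NAME_MAX];
};

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

static struct entry *cache_find(struct resolver *r, const char *name) {
    for (int i = 0; i < CACHE_SIZE; i++)
        if (r->cache[i].used && r->cache[i].expires > r->now &&
            strcmp(r->cache[i].name, name) == 0)
            return &r->cache[i];
    return NULL;
}

static void cache_put(struct resolver *r, const char *name, uint32_t ip, long ttl) {
    struct entry *e = cache_find(r, name);
    for (int i = 0; !e && i < CACHE_SIZE; i++)
        if (!r->cache[i].used || r->cache[i].expires <= r->now) e = &r->cache[i];
    if (!e) return;                          /* full; a real server would evict */
    snprintf(e->name, NAME_MAX, "%s", name);
    e->ip = ip; e->expires = r->now + ttl; e->used = 1;
}

/* Resolver sends a query upstream; the reply must echo this txid. */
static uint16_t send_query(struct resolver *r, const char *name) {
    r->pending = 1;
    r->pending_txid = r->random_txid ? (uint16_t)xorshift32(&r->rng) : r->next_txid++;
    snprintf(r->pending_name, NAME_MAX, "%s", name);
    return r->pending_txid;
}

/* The only check a reply gets: txid and name of the outstanding query. */
static int recv_reply(struct resolver *r, uint16_t txid, const char *name,
                      uint32_t ip, long ttl) {
    if (!r->pending || txid != r->pending_txid || strcmp(name, r->pending_name) != 0)
        return 0;
    cache_put(r, name, ip, ttl);
    r->pending = 0;
    return 1;
}

static uint32_t lookup(struct resolver *r, const char *name) {
    struct entry *e = cache_find(r, name);
    return e ? e->ip : 0;                    /* 0: cache miss, would query upstream */
}

struct outcome { int forged_accepted, real_accepted; uint32_t during_ttl, after_ttl; };

static struct outcome run_poisoning(int random_txid) {
    struct resolver r; memset(&r, 0, sizeof r);
    r.random_txid = random_txid; r.next_txid = 4000; r.rng = 1;
    const char *victim = "www.internic.net";
    struct outcome o;

    /* 1. Attacker has the resolver look up a name in the attacker's own zone, so
     *    the query (and its txid) lands on the attacker's server. With sequential
     *    IDs that leaks the next one. */
    uint16_t seen = send_query(&r, "probe.attacker.example");
    recv_reply(&r, seen, "probe.attacker.example", 0x01010101u, 60);

    /* 2. A client asks for the victim name; the resolver queries upstream. */
    r.now = 10;
    uint16_t real_txid = send_query(&r, victim);

    /* 3. The forged reply arrives first (the genuine server is slow or flooded). */
    o.forged_accepted = recv_reply(&r, (uint16_t)(seen + 1), victim, BOGUS_IP, 3600);
    /* 4. The genuine reply arrives; if the forgery won, nothing is pending and it is dropped. */
    o.real_accepted = recv_reply(&r, real_txid, victim, REAL_IP, 3600);

    o.during_ttl = lookup(&r, victim);       /* what every client gets for the next hour */
    r.now = 10 + 3600;                        /* TTL expires: entry gone, next client re-queries */
    o.after_ttl = lookup(&r, victim);
    return o;
}

int main(void) {
    struct outcome a = run_poisoning(0), b = run_poisoning(1);
    printf("sequential txid: forged=%d real=%d served=0x%08x after TTL=0x%08x\n",
           a.forged_accepted, a.real_accepted, a.during_ttl, a.after_ttl);
    printf("random txid:     forged=%d real=%d served=0x%08x\n",
           b.forged_accepted, b.real_accepted, b.during_ttl);
    return 0;
}
```

With unpredictable IDs the single guess fails and the genuine answer wins; an attacker is then reduced to flooding guesses against a 16-bit space while the real reply is delayed, which is why the outline pairs "trivial to spoof" with "rendered unresponsive". Note also that the poisoned entry is served from cache without any further query, so no later traffic to the real server reveals the substitution.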
IV.  Ultimate combination-of-all-the-above house of horrors attack.
      A. Direct takeover of a poorly-secured, well-connected machine
      B. Installation of overflow-sending web pages on it
      C. Cache corruption of hundreds of name servers from a 3rd site,
            redirecting traffic meant for a very busy site to the dangerous
            web site
      D. Later, the attacker reads logs that the compromised machine
            automatically encrypted and sent off site, to see which visiting
            systems were compromised; or perhaps the newly compromised
            systems themselves post the data, encrypted, to USENET?
V.  Conclusion
      A. Technical security problems largely stem from
            1. Use of programs and protocols under conditions or
            expectations for which they were not designed
            2. Programmers or designers not anticipating all kinds of data
            the program or protocol might encounter
            3. Errors in coding or implementation that weaken otherwise
                 strong programs and protocols
      B. Passive and complex attacks
            1. Firewalls do not necessarily protect against many of these
            2. Likely to see many new ones over the next few years
            3. Protection:
                 a) policy, policy, policy
                 b) restricted set of networking tools
                 c) regular audits
                 d) regular security upgrades