Current Network Security Threats

16 09 2007

 

 

 

 

Jaypee Institute of Information Technology University, Noida


 

2007

 

These documents are for educational purposes.

Presented here by

Gautam Sarswat

Contact: gautam.sarswat.jbs@gmail.com

 

 

 

Outline

• Network Telescope

• Denial-of-Service Attacks

• Viruses and Worms

• Botnets

Network Telescope

• Chunk of (globally) routed IP address space – 16 million IP addresses

• Little or no legitimate traffic (or easily filtered)

• Unexpected traffic arriving at the network telescope can imply remote network/security events

• Generally good for seeing explosions, not small events

• Depends on random component in spread

Network Telescope: Denial-of-Service Attacks

• Attacker floods the victim with requests using random spoofed source IP addresses

• Victim believes requests are legitimate and responds to each spoofed address

• Because the telescope covers 1/256th of the address space, it observes roughly 1/256th of all victim responses to spoofed addresses (backscatter)

Denial-of-Service Attacks

Analysis of DoS attacks over time

Network Telescope Observation Station

• http://www.caida.org/data/realtime/telescope/

• Prevalence and trends in spoofed-source denial-of-service attacks

– http://www.caida.org/data/realtime/telescope/?monitor=telescope_backscatter

• (live demo)

What is a Network Worm?

• Self-propagating self-replicating network program

– Exploits some vulnerability to infect remote machines

• No human intervention necessary

– Infected machines continue propagating infection

Network Telescope: Worm Attacks

• Infected host scans for other vulnerable hosts by randomly generating IP addresses

• The telescope monitors 1/256th of all IPv4 addresses

• It therefore sees 1/256th of all worm traffic from worms whose scanning has no bias and no bugs
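The two passages above (DoS backscatter and worm scanning) rest on the same arithmetic: a /8 telescope sees 1/256th of uniformly random traffic, so whatever it counts can be multiplied by 256. The following is an added example, not code from the original slides, that simulates both cases with a seeded RNG and applies that scaling; the telescope prefix 10.0.0.0/8 is a placeholder, and the traffic is synthetic.

```python
"""
Added example (not from the original slides): how the 1/256 view of a /8
network telescope is turned into Internet-wide estimates, both for
backscatter from a spoofed-source DoS attack and for random-scanning worm
traffic. All traffic is synthetic, generated with a seeded RNG; the
telescope prefix is a placeholder.
"""
import random
import ipaddress

TELESCOPE = ipaddress.ip_network("10.0.0.0/8")   # placeholder /8 (16 million addresses)


def telescope_fraction(prefix_len):
    """Share of IPv4 space a telescope of this prefix length covers: a /8 is 1/256."""
    return 2 ** (32 - prefix_len) / 2 ** 32


def scale_to_internet(observed, prefix_len):
    """Internet-wide estimate from a telescope count (uniform random targets assumed)."""
    return observed / telescope_fraction(prefix_len)


def _hits_telescope(addr_int, net):
    """True when the 32-bit address falls inside the telescope prefix."""
    shift = 32 - net.prefixlen
    return (addr_int >> shift) == (int(net.network_address) >> shift)


def simulate_backscatter(n_responses, net=TELESCOPE, seed=1):
    """A victim answers every request; sources were spoofed uniformly at random,
    so each response lands in the telescope with probability 1/256."""
    rng = random.Random(seed)
    return sum(1 for _ in range(n_responses)
               if _hits_telescope(rng.getrandbits(32), net))


def simulate_worm_scans(n_infected, scans_per_host, net=TELESCOPE, seed=2):
    """Each infected host probes random addresses. Returns (probes seen,
    distinct infected sources seen). With enough probes per host every
    infected host eventually shows up in the telescope, which is why the
    number of distinct sources is a usable count of the infected population."""
    rng = random.Random(seed)
    seen_probes, seen_sources = 0, set()
    for _ in range(n_infected):
        src = rng.getrandbits(32)          # the infected host's own (synthetic) address
        for _ in range(scans_per_host):
            if _hits_telescope(rng.getrandbits(32), net):
                seen_probes += 1
                seen_sources.add(src)
    return seen_probes, len(seen_sources)


if __name__ == "__main__":
    seen = simulate_backscatter(256_000)
    print("backscatter seen:", seen, "-> estimated victim responses:",
          scale_to_internet(seen, TELESCOPE.prefixlen))
    probes, sources = simulate_worm_scans(40, 10_000)
    print("worm probes seen:", probes, "-> estimated total probes:",
          scale_to_internet(probes, TELESCOPE.prefixlen), "from", sources, "hosts")
```

The scaling only holds for the "no bias and no bugs" case named on the slide: a worm whose random number generator never produces addresses in the telescope's prefix, or a DoS tool that spoofs from a narrow range, is undercounted or invisible.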

Witty Worm Background

March 19, 2004

• ISS Vulnerability

– A buffer overflow in a PAM (Protocol Analysis Module) in Internet Security Systems (ISS) firewall products

• Version 3.6.16 of iss-pam1.dll

– Analyzes ICQ traffic (inbound port 4000)

– Discovered by eEye on March 8, 2004

– Jointly announced March 18, 2004 when “patch” available

• Upgrade to the next version at customer cost…

• By far the closest to a zero-day exploit

– Instead of 2-4 weeks after bug release, Witty appeared after 36 hours

Witty Worm Structure

March 19, 2004

• Infects a host running an ISS firewall product

• Sends 20,000 UDP packets as quickly as possible:

– to random source IP addresses

– to random destination port

– with random size between 796 and 1307 bytes

• Damages the victim:

– select random physical device

– seek to random point on that device

– attempt to write over 65k of data with a copy of the beginning of the vulnerable dll

• Repeat until machine is rebooted or machine crashes irreparably
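The propagation behaviour listed above (many UDP packets, random destination addresses, random destination ports, sizes between 796 and 1307 bytes) is also a detection opportunity. What follows is an added example, not code from the original slides: a defender-side flow analysis that flags a host only when its UDP traffic in that size band fans out to many destinations and many ports, so a media stream or a DNS client with large or frequent UDP packets does not trigger it. The flow records and host addresses are constructed.

```python
"""
Added example (not from the original slides): a defender-side detector for
the traffic pattern the slides attribute to Witty, that is, one host emitting
many UDP packets of 796..1307 bytes to random destination addresses on random
destination ports. Flow records below are constructed with a seeded RNG.
"""
import random
from collections import defaultdict

WITTY_MIN_SIZE, WITTY_MAX_SIZE = 796, 1307   # packet sizes given on the slides


def detect_random_udp_scanners(records, min_packets=100,
                               min_distinct_dsts=50, min_distinct_ports=50):
    """records: iterable of (src, dst, proto, dport, size).
    Returns the sorted source addresses whose UDP traffic in the Witty size
    band fans out to many destinations AND many ports. A single
    destination/port pair (a stream, a DNS resolver) never trips it."""
    stats = defaultdict(lambda: {"n": 0, "dsts": set(), "ports": set()})
    for src, dst, proto, dport, size in records:
        if proto != "udp" or not (WITTY_MIN_SIZE <= size <= WITTY_MAX_SIZE):
            continue
        s = stats[src]
        s["n"] += 1
        s["dsts"].add(dst)
        s["ports"].add(dport)
    return sorted(src for src, s in stats.items()
                  if s["n"] >= min_packets
                  and len(s["dsts"]) >= min_distinct_dsts
                  and len(s["ports"]) >= min_distinct_ports)


def _rand_ip(rng):
    return ".".join(str(rng.randrange(256)) for _ in range(4))


def build_sample_records(seed=7):
    """Constructed traffic: one host with the random-spray pattern, a DNS
    client, a media stream with large UDP packets to one peer, and a TCP
    scanner that must be ignored because the pattern is UDP-only."""
    rng = random.Random(seed)
    rec = []
    for _ in range(500):   # infected host (constructed address)
        rec.append(("10.1.1.7", _rand_ip(rng), "udp",
                    rng.randrange(1, 65536), rng.randrange(796, 1308)))
    for _ in range(300):   # DNS client: one resolver, port 53, small packets
        rec.append(("10.1.1.20", "10.1.0.53", "udp", 53, rng.randrange(60, 90)))
    for _ in range(400):   # media stream: large packets but one peer, one port
        rec.append(("10.1.1.21", "10.1.2.9", "udp", 5004, 1200))
    for _ in range(200):   # TCP traffic of the right size: not UDP, so skipped
        rec.append(("10.1.1.22", _rand_ip(rng), "tcp", rng.randrange(1, 65536), 1000))
    rng.shuffle(rec)
    return rec


if __name__ == "__main__":
    print("flagged:", detect_random_udp_scanners(build_sample_records()))
```

In production the counts would be kept per time window rather than over a whole capture, since the slides' point is the rate (20,000 packets "as quickly as possible"); the fan-out thresholds are the part that separates a scanner from a busy but legitimate UDP talker.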

Typical (Code-Red) Host Infection Rate

Early Growth of Witty (5 minutes)

Witty Worm Spread

March 19, 2004

• Sharp rise via initial coordinated activity

• Peaked after approximately 45 minutes

– Approximately 30 minutes later than the fastest worm we’ve seen so far (SQL Slammer)

– Still far faster than any human response

– At peak, Witty generated:

• 90 GB/sec of network traffic

• 11 million packets per second

Early Growth of Witty (2 hours)

Early Growth of Witty (3 days)

Witty Worm Victims

• Consistent with past worms:

– Globally distributed

– Majority high-bandwidth home/small business users

• Unique victim characteristics

– 100% taking proactive security measures

– Infected via software they ran purposefully

Geographic Spread of Witty

Witty Summary

• ~12,000 hosts infected in 30 minutes

• Averaged more than 11 million probes per second world-wide

• Unstoppable

• Irreparably destroyed a significant number of infected computers

Conclusions

• Witty incorporates a number of novel and disturbing features:

– Next-day exploit for a publicized bug

– Wide-scale deployment

– Successful exploit of small population (no more security through obscurity)

– Future worms will continue to emulate botnets

– increasing levels of stealth and flexibility

– Infected a security product

• Witty demonstrates conclusively that the patch model of networked device security has failed

– You can’t encourage people to sign on to the ‘net with one click and then also expect them to be security experts

– Running commercial firewall software at their own expense is the gold standard for end user behavior

• Recognition that security is important

• Recognition that they can’t do it themselves

• End-user behavior cannot solve current software security problems

• End-user behavior cannot effectively mitigate current software security problems

• We must:

– Actively address prevention of software vulnerabilities

– Turn our attention to developing large-scale, robust, reliable infrastructure that can mitigate current security problems without end-user intervention

About Blackworm

• Began to spread January 15, 2006

• 95k Visual Basic executable email attachment run by users

• Also spread to attached network shares

• Malicious: on the 3rd day of every month:

– searches for files with 12 common file extensions (.doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp)

– replaces those files with the text string “DATA Error [47 0F 94 93 F4 K5]”

So who cares?

• Blackworm is not particularly different from many, many other email viruses, except…

• Every infected computer automatically generates an http request for a web page that displayed a hit count graph (self-documenting code?)

• Logs for the website were available before the first date of payload destruction

Some victims could be notified before they lost data

Log Analysis

• Simple! Just take the logs and look at who connected and you’ll have the infected IP addresses!

• Except that the url was publicized…

• Many folks looked at the page to observe the spread of the virus

• Denial-of-service attacks added a large volume of spurious traffic

Log Filtering

• Why not just count IP addresses that were logged once?

• Web traffic aggregators (NAT, proxy servers) obscure victim IP addresses; multiple probes can represent multiple infections

• DHCP use allows two different computers to have the same IP at the time that they become infected

Log Filtering Process

• Remove referer/browser strings set by common DDoS tools (91.1% of all hits)

• Remove requests for pages different from the one accessed by the virus (0.2%)

• Remove any request with a referer string (virus did not use one in its probes) (0.8%)

• Remove requests from invulnerable Operating Systems: MacOS, Unix, cell phone, and PDA devices (0.03%)

Sources of Error and Uncertainty

• Infected computers that failed to send the probe

• Network firewalls or outages that prevented victims from reaching the web page

• Denial-of-Service attacks preventing infected computers from reaching the web page

• People who viewed the counter only once using a vulnerable browser, but were not infected

Estimating a Victim Count

• Lower bound: for each IP address, the number of unique, vulnerable browser types received from that IP address

• Upper bound: for each IP address, the total number of probes received from that IP address

• Blackworm victim estimate: between 469,507 and 946,835 (3.2%-6.4% of original log entries)
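The four filtering steps and the two bounds above form one procedure. The block below is an added example, not code from the original slides or from the CAIDA analysis: it runs those steps over constructed Apache combined-format log lines and computes the lower bound (distinct vulnerable browser strings per IP) and upper bound (all probes per IP). The counter path, the DDoS-tool markers and the addresses are constructed placeholders, not the real 2006 data.

```python
"""
Added example (not from the original slides): the Blackworm log-filtering
steps and the lower/upper victim-count bounds, run over constructed Apache
combined-format log lines. The counter path, the DDoS-tool markers and the
IP addresses are constructed placeholders, not the real 2006 data.
"""
import re
from collections import defaultdict

COUNTER_PATH = "/cgi-bin/counter"                 # placeholder for the page the virus fetched
DDOS_TOOL_MARKERS = ("FloodBot", "StressTest")    # constructed placeholder tool signatures
# User-agent fragments of platforms the (Windows-only) virus could not infect.
INVULNERABLE_OS = re.compile(
    r"Macintosh|Mac OS|X11|Linux|SunOS|FreeBSD|Windows CE|BlackBerry|Symbian|PalmOS")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Apache combined log line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def filter_hits(lines):
    """Apply the four filtering steps in order; return (kept hits, removed counts)."""
    kept, removed = [], defaultdict(int)
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            removed["unparseable"] += 1
            continue
        ua_and_ref = hit["ua"] + " " + hit["referer"]
        if any(marker in ua_and_ref for marker in DDOS_TOOL_MARKERS):
            removed["ddos_tool"] += 1          # step 1: referer/browser strings of DDoS tools
        elif hit["path"] != COUNTER_PATH:
            removed["other_page"] += 1         # step 2: pages the virus never requested
        elif hit["referer"] != "-":
            removed["has_referer"] += 1        # step 3: the virus sent no referer
        elif INVULNERABLE_OS.search(hit["ua"]):
            removed["invulnerable_os"] += 1    # step 4: MacOS, Unix, phones, PDAs
        else:
            kept.append(hit)
    return kept, dict(removed)


def victim_bounds(hits):
    """Lower bound: distinct vulnerable browser strings per IP (NAT/proxies hide
    several hosts behind one address). Upper bound: every probe per IP (DHCP
    churn means one IP may be several hosts, but repeats may also be one host)."""
    per_ip_uas = defaultdict(set)
    per_ip_probes = defaultdict(int)
    for hit in hits:
        per_ip_uas[hit["ip"]].add(hit["ua"])
        per_ip_probes[hit["ip"]] += 1
    lower = sum(len(uas) for uas in per_ip_uas.values())
    upper = sum(per_ip_probes.values())
    return lower, upper


# Constructed sample log (Apache combined format); not real data.
SAMPLE_LOG = [
    '198.51.100.10 - - [15/Jan/2006:10:01:02 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.10 - - [15/Jan/2006:10:01:09 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.10 - - [15/Jan/2006:10:02:30 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    '198.51.100.11 - - [15/Jan/2006:10:03:00 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X)"',
    '198.51.100.12 - - [15/Jan/2006:10:04:00 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "http://news.example/blackworm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '198.51.100.13 - - [15/Jan/2006:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.14 - - [15/Jan/2006:10:06:00 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "FloodBot/2.0"',
    '198.51.100.15 - - [15/Jan/2006:10:07:00 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686)"',
    '198.51.100.16 - - [15/Jan/2006:10:08:00 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    '198.51.100.17 - - [15/Jan/2006:10:09:00 +0000] "GET /cgi-bin/counter HTTP/1.1" 200 512 "-" "BlackBerry7290/4.1.0"',
]


def analyze(lines):
    kept, removed = filter_hits(lines)
    lower, upper = victim_bounds(kept)
    return {"kept": len(kept), "removed": removed, "lower": lower, "upper": upper}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The order of the steps matters for the removed-count breakdown only, not for the final set: each step is a pure filter. The remaining error sources named on the slides (hosts that never sent the probe, hosts blocked by firewalls or by the DoS, and curious humans with a vulnerable browser who viewed the counter once) are exactly what the bounds cannot capture.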

Blackworm Overall

Blackworm by Continent

Blackworm by Country (>2%)

Concurrent Infections

• 45,401 Blackworm victims (10%) had concurrent spyware and/or botnet infections advertised in their browser string

– Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Sgrunt|V109|29|S493689067|dial; FunWebProducts; XBE|29|S04069679521143#398|isdn; snprtz|S04138822910124)

Conclusions

• Log analysis allows insight into email virus spread given sufficient data mining

• Email viruses spread in a slower and steadier pattern than Internet worms, which infect the vast majority of their victims in the first day

• Diurnal patterns are strongly apparent in spread data (people read their email when they are awake)

• Country distribution of victims does not correlate with web infrastructure development

• Spread strongly influenced by geographic location (based on social and linguistic similarity)

• TLD distribution reflects geographic distribution rather than # of vulnerable hosts/TLD

• 10% of victims had concurrent botnet or spyware infection

Botnets

• Significant transition in motivation for widespread, non-specific malicious activity

– From notoriety -> want to be noticed

– To money -> want stealth to protect revenue stream

• So how do you make money?

– Sending spam

– DoS extortion

– Active (phishing) and passive identity theft

Current Events

• Malicious software development is a business aimed at scalable, manageable distributed systems

• Coordinated activity makes current antivirus activities increasingly irrelevant

• Demise of signature-based security?

• High system complexity + naïve/uneducated users = bad combination

Cooperative Association for Internet Data Analysis: Current Security Research

• Longitudinal study of Blackworm

• Spamscatter

• Botnet Economics

• Worm Risk Analysis

• Anomaly Detection

Reference

http://www.caida.org





Ad-Hoc Network’s Problems

16 09 2007

802.11 Introduction

 

802.11 and 802.11x refer to a family of specifications developed by the IEEE for wireless LAN technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. The IEEE accepted the specification in 1997.

 

There are several specifications in the 802.11 family:

 

802.11 — applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).

 

802.11a — an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS.

 

802.11b (also referred to as 802.11 High Rate or Wi-Fi) — an extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet.

 

802.11g — applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.

 

 

Ad Hoc Networks

 

Wireless networks without access to a LAN.

 

In conjunction with mobile, unwired devices they form Mobile Ad-Hoc Networks (MANETs).

 

The network is built up spontaneously without any existing infrastructure.

 

Each device is also a router, transferring data between devices that are not within direct transmission distance of each other.

 

To manage the transmission between devices, routing protocols are needed (ad-hoc protocols).

 

Some nodes may have special functions or roles.

 

 

Problems in Ad-Hoc Networks

 

While building up ad-hoc networks, several problems have to be addressed, some as a consequence of other problems:

When a node [A] inside an ad-hoc network wants to send data to a second node [B] that it is not able to see, because [B] is out of its transmission range, how can the data be transferred from [A] to [B] anyway?

 

How can the destination [B] be identified?

 

How can the way from [A] to [B] be determined?

 

Can a technique to determine the way be found that is scalable for small networks (1-100 nodes), medium-large networks (100-10,000 nodes) and large networks (10,000 to several million nodes)?

 

How can a way from [A] to [B] be determined without flooding the network with inquiries? How can the number of inquiries be kept small?

 

How can a way from [A] to [B] be determined without knowing each node of the network? How can the information a node has to know about the network be kept small? How much does a node really have to know about the network?

 

Can a technique to determine the way be found that is scalable (under conditions) for networks with a high change rate and with a low change rate?

 

How can a node [A] establish cooperation relationships with the nodes that it needs to transfer data to [B]?

 

Is it necessary to identify malicious or unfair nodes, or is there a way to accept these conditions?

 

Can the network be kept resistant against malicious nodes?

 

How can redundancy be introduced to make it resistant?

 

 





Malware Defense Using Network Security Authentication

11 09 2007

 

 

 

 

 

Author

Gautam Sarswat

JIITU, NOIDA

 

 

 

Case

Malware attack in a mobile network where threats originate from inside and administrators have limited control over client machines.

 

Causes & Favorable Factors

Malware defenses have primarily relied upon intrusion fingerprints to detect suspicious network behavior. While effective for discovering computers that are already compromised, these systems are not designed to stop the spread or damage of malware. Standard gateway firewalls can prevent outside-based attacks.

Current malware defenses are largely based on fingerprint or signature technology, which looks for a type of network behavior or even specific code. A malware signature or fingerprint is the sequence of network transmissions required to exploit a vulnerability. Signature-based solutions are limited in their effectiveness, as new variants of worms can bypass the malware defense by changing their signature or fingerprint.

 

 

 

Consequences

The damage from malware has been recently estimated at $12.5 billion worldwide in 2003 alone and is expected to increase [5].

 

 

Facts

Malware is any unwanted software that exploits flaws in other software to gain illicit access. A computer worm is one of the most common forms of malware, and is typically defined as a computer program that replicates independently by sending itself to other systems [2, 3, 7]. This definition is important since a worm, unlike other forms of malware, does not require human interaction such as checking e-mail or transmitting files. In these scenarios, the user is initiating the action, and the machine cannot be compromised independently of this interaction. Therefore, computer worms are among the most dangerous forms of malware and are difficult to defend against.

Despite the large quantity and variety of known worms, only one worm, the Morris Worm, exploited a zero-day vulnerability, that is, a vulnerability that was unknown to the general public; fortunately these occurrences have been rare. All other worms have been created some time after the vulnerabilities have been discovered, publicized, and often fixed. Although the threat of a zero-day worm exists, the greater threat continues to be from published vulnerabilities, thus it is important to focus efforts on curtailing the spread of worms that exploit them.

Although signature-based malware defense systems are effective for detecting the spread of known malware, they rely on continuous filtering at higher OSI layers, and thus are very resource intensive. These defense systems are not suited for protecting high speed connections without significantly reducing bandwidth. The resource intensive nature of these defenses prevents them from being implemented at every level in a network; they are most often implemented at the slowest connection of the network, the connection to the Internet.

Despite the fact that vulnerabilities are often more publicized than the exploits, past and current research focuses on the attack stage of malware.

 

Even if the local network is monitored by a fingerprint-based system, a mobile client can connect to the network for a duration of time that is long enough to propagate malware, but not long enough for current adaptive signature-based systems to react and disconnect the system from the network. Unfortunately, personal (host) firewalls do not offer a realistic solution.

 

 

Solution

 

Key assumption: every system in the network is under the control of the system administrator, which is hardly the case with publicly accessible mobile networks.

A new strategy for malware defense using security authentication, which focuses on vulnerabilities rather than exploits. The proposed system uses a remote security scanner to check for vulnerabilities and quarantines machines using logical network segmentation.

A publicized vulnerability often has a fix (software patch) available, but the inconvenience of human interaction with these fixes can lead to unpatched systems. Since applying patches is the optimal solution for worm defense

 

Systems are given limited access to the network based on their perceived threat. Commercial systems, such as Perfigo, have a similar ability to isolate/quarantine vulnerable devices and provide controlled access to patch servers and remediation systems.

The strategy of the proposed architecture is to isolate systems based on the system vulnerabilities before they can become infected or attack others. This results in a defense against internal and external malware threats. As seen in figure 1(a), the proposed architecture is composed of three fundamental parts: a system to detect vulnerabilities, a system to enforce the quarantine, and a system to integrate and manage the overall security policy. These three parts must seamlessly work together to provide protection from attacks and are described in detail in the following sections.

[Figure 1 (fig1.jpg): the proposed architecture]

1.1 Security Authentication and Vulnerability Detection

The primary objective of authentication is to bind an identity to a subject. In a mobile environment, even individuals that should have access to certain network resources could use machines that have been infected from another source and are inherently insecure. Therefore, the proposed security authentication is fundamentally different from user authentication because it authenticates the security of the machine by detecting and characterizing the system vulnerabilities.

The system must be able to detect vulnerabilities remotely because not every client is under the control of the network administrator. Much like an unseaworthy boat, a vulnerable system is not fit for full network access. It is a weak point in the network which puts the host and the entire network at risk.

Security authentication is a needed addition to user authentication to assess and quantify the risk of a particular system. As previously described, not all insecure systems pose the same level of risk and thus should be managed differently. The results of the vulnerability detection, or the security authentication credentials, are passed to the policy manager, discussed in section 1.3, which determines the appropriate action.

In terms of the authentication process, when a machine connects to the network, the security scanner initially probes all client ports for running services. Based on the results of the initial probe, it attempts to determine what services are running. Then the scanner tries to exploit known vulnerabilities of each service in an attempt to test the overall system security. Ideally the vulnerability detector would be akin to a master worm without a payload. This tool would attempt to exploit known vulnerabilities but not actually harm the system, and finally would report its analysis regarding the system security to the policy manager. The security authentication process occurs periodically to maintain the correctness of the vulnerability assessment.

 

1.2 Quarantine System

The quarantine system component has the responsibility of isolating a machine so it cannot become infected, infect, or attack any network hosts. However, as previously described, the system should provide network connectivity commensurate with the security authentication level. The ability to provide multiple levels of containment is different from other defense systems, which can only connect or disconnect machines.

Based on the perceived threat, which is determined via the security authentication process, the machine is given a certain amount and level of access. As previously described, access is restricted such that the machine cannot become infected, infect, or attack other hosts. However, enough network access is given to allow other programs to function properly. Machines can operate in a controlled fashion until a fix is developed and properly tested, which may require several weeks. Quarantine can also be used to safeguard the defense system components and to assure the security of control information. Another desired feature is immediate protection: for example, a host should be protected by default when it first comes onto the network and is later put into a less restricted position if it is secure. Finally, the system can protect against multi-headed malware by applying a more restrictive quarantine to the client.

To provide the desired quarantine functionality, the proposed system must integrate with standard networking technologies, topologies, and techniques. Isolating a system at the network layer (OSI layer 3), for example, prevents propagation across interconnected LANs. This is critical since the majority of worms employ a network address scan to find potential hosts. For example, very restrictive IP netmasks can provide a network layer security cell, as seen in figures 2 and 4. This cell ensures the quarantined system will not contact nor be contacted by any other clients without going through the default router or gateway. The router, acting as a packet filter, can then enforce traffic rules to control certain traffic and bandwidth usage.

Although network layer security cells provide significant protection, it is important to realize that clients are still connected to the same physical network. Consider the logical segmentation depicted in figure 2. Despite the segmentation at the network layer, spurious ARP requests and other traffic can be seen by all clients on the same switch. Thus an additional component of the security cell is needed to segment the network at the MAC layer (OSI layer 2). Separation at the MAC layer prevents direct contact between systems connected to the same physical network. Isolating systems at the network and MAC layers creates a proper security cell, where quarantined systems are truly limited in their network access.

[Figure 2 (fig2.jpg): logical segmentation of the network into security cells]

 


1.3 Policy Manager

Although methods for detecting vulnerabilities, obtaining security authentication credentials, and quarantining systems have been discussed, an entity is needed to associate this information with the appropriate type and amount of network access. As seen in figure 1, the policy manager communicates with the other two components (security authentication and quarantine systems) and continually performs three critical tasks (scan, assess, and quarantine). Once a machine enters the network it is initially placed in a restrictive security cell, where it undergoes security authentication (scan task). The policy manager reviews the results (assess task) and then places the machine in an appropriate security group (quarantine task). The tasks occur periodically, giving machines the opportunity to move between groups, for example after a software patch has been properly applied. A re-assessment can also occur if suspicious activity is detected (via intrusion detection systems, honeypots, honeynets, etc.). Regardless of why or when the tasks are performed, the objective is to place the machine in the correct security group.

Consider the following scenario: a system enters the network with an out-of-date version of the Apache httpd service running that has a vulnerability that allows remote arbitrary code execution. This information is discovered by the security scanner and passed on to the policy manager. Using this information, the policy manager can deduce that the client is in one of two possible states: vulnerable and infected, or vulnerable and clean. If the client is in an infected state, it is a hazard to the entire network. If the client is in a clean state, however, it is not dangerous, but merely at risk. It is difficult to distinguish between a vulnerable client and an infected client that is still vulnerable, since a worm does not usually fix the vulnerability that it exploits. With the current tools, the systems are indistinguishable from a simple scan; however, these two classes of systems could be distinguishable with more sophisticated tools. The policy manager must determine an appropriate quarantine based on the specificity of the scan results and the security policy that is in place.

A simple policy would only offer two types of access: full or very restricted access. This type of policy protects any vulnerable system from further infection by restricting its access solely to update servers from which the system can be patched. Although this simple policy only offers two basic types of connectivity, it is still better than current systems since it allows infected machines to access select network resources. This policy was utilized by the proof-of-concept system described in section 2, which can compensate for the low specificity of information returned from a simplistic security scanner.

The second type of policy offers more controlled access by segmenting the network based on security groups, as seen in figure 3. In this type of policy there exists a population of secure clients, a population of infected clients, and a population of known vulnerable but not infected clients. Utilizing security groups, systems are segmented from each other based on vulnerabilities. For example, in figure 3 all clients are being protected from Apache worms while simultaneously clients vulnerable to Windows File Sharing worms are being protected from attack. In this mode the policy manager would notify the quarantine system to deny certain types of traffic that could spread the worms or compromise the vulnerable systems. Therefore, unlike the previous policy model (disconnecting vulnerable machines), this model allows some programs to operate normally and securely even if vulnerabilities are present. This is beneficial considering the amount of time required to create and test software fixes.

A third type of policy would combine security authentication with user authentication to produce a hybrid system of security levels. This system would segment the network based on the type of services that exist in the organization, such as financial services, SQL services, WWW services, etc. Each client would employ user authentication to gain access to a level and security authentication to show that the machine that is in use is safe to enter this level.

This section has described three different policy options; however, new policies as well as combinations of policies are also possible. The system is only limited by the accuracy of the security scanner and the complexity of the policy manager. Furthermore, this example only considered one vulnerability. However, a security group can provide isolation for multiple vulnerabilities, thus defending against multi-headed malware.

 

1.4 Scalability

Although the proposed malware defense is described in terms of having one machine per system component, multiple security scanners and quarantine system agents can be utilized in a distributed fashion. The policy manager still coordinates access for the entire system and could perform load balancing to ensure that certain components are not overworked. Regardless of the additional resources necessary for a large implementation, the network is able to run at full speed, which is in sharp contrast to fingerprint-based defenses. Therefore, with the addition of a more advanced policy manager, the proposed system is scalable to different sizes of networks.

 

2 System Implementation

The previous section described a new security system that utilizes security authentication to defend against malware. Using this architecture, machines are authenticated based on system vulnerabilities and then isolated if necessary to prevent the spread of malware. The system consists of three components: security authentication, policy management, and system quarantine. While these system components have been described in general terms, this section discusses how they are implemented in a TCP/IP network.

 

2.1 Vulnerability Detector

Security authentication provides an evaluation of the vulnerabilities associated with a machine. It is important to obtain the most accurate and detailed information possible in order for the policy manager to determine the most effective quarantine.

Of the currently available tools, Nessus offers the most advanced scanning functionality [8]. Nessus has the capability of remotely scanning a client to determine running services, their versions, and whether the client is susceptible to specific security threats. The assessment library associated with Nessus is very comprehensive, covering a large variety of architectures, operating systems, and services. In contrast, Nmap provides a faster assessment of running services and versions [9], such as OpenSSH [10] and Apache [1]. These scanners can be used together to create a fast and comprehensive authentication system. For example, the results of an initial Nmap scan can be used by Nessus to conduct a more directed and thorough assessment. After the assessment, a machine with a known vulnerable version of any service is flagged as insecure. This information, the security authentication credentials, is forwarded to the policy manager, which can determine the appropriate action based on threat level and policy scheme.

 

2.2 Quarantine System

Standard networking

tools should be utilized, since it would not require

clients to have any custom or specific software. As

previously described, quarantining must be done at

the network layer (OSI layer 3) and the MAC layer

(OSI layer 2) to effectively defend against malware.

The Internet Protocol provides logical address

segmentations (subnets), that form the basis for the

network layer quarantine. For example the security

cells shown in figure 2 can be easily created using

subnets. Figure 4 depicts one IP security cell, where

the netmask 255.255.255.252 represents a extremely

limited subnet. There are two usable addresses

in the cell, 10.0.0.1 and 10.0.0.2. The security

scanner and gateway occupies 10.0.0.1 and

the client has the 10.0.0.2 address. A machine infected

with a worm can only successfully scan one

address (which is the security scanner itself) without

passing through the default router or gateway.

The security scanner is assumed to be secured by

the network administrator and thus is not at risk of

attack. All other traffic from the infected machine

is directed by another important component of the

quarantine system, the packet-filter/router.

The quarantine packet-filter/router denies unwanted traffic between security cells and groups, and facilitates communication between security cells that require interconnectivity. The specific behavior of the system is determined by the policy manager but enforced by the quarantine system. This functionality can be provided using iptables [19]. It can also be accomplished through advanced routing as long as the security policy scheme does not require port filtering, etc. Table 1 shows a sample configuration for a firewall which reflects the simplest security policy. In this example, the general network occupies the 192.168.0.0/16 address space and the security cells occupy the 10.0.0.0/8 address space. These simple rules prevent communication between the security cells and the general network, and between the security cells themselves. This prevents any machines in quarantine from being infected or from mounting an attack on other machines.
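The policy described for Table 1 can be checked mechanically. The following is an added example, not the paper's table or code: it models the /30 security cells and the general network as the text defines them, decides for any (source, destination) pair whether the quarantine router lets the packet through, and renders the same policy as iptables FORWARD rules. The update-server address 172.16.0.10 and the rule text are my own assumptions; the paper only says a cell has access to a local update server or the Internet.

```python
"""Model of the quarantine packet-filter policy (added example, not the paper's Table 1).

Written from the description above: the general network is 192.168.0.0/16,
security cells live in 10.0.0.0/8 as /30 subnets (netmask 255.255.255.252),
and the router must deny cell<->general and cell<->cell traffic. The update
server address and the iptables command text are my own additions.
"""
import ipaddress

GENERAL_NET = ipaddress.ip_network("192.168.0.0/16")
CELL_SPACE = ipaddress.ip_network("10.0.0.0/8")
CELL_PREFIX = 30                                      # gateway/scanner + one client
UPDATE_SERVER = ipaddress.ip_address("172.16.0.10")   # assumed local patch server


def cell_of(addr):
    """Return the /30 security cell containing addr, or None outside cell space."""
    ip = ipaddress.ip_address(addr)
    if ip not in CELL_SPACE:
        return None
    return ipaddress.ip_network(f"{ip}/{CELL_PREFIX}", strict=False)


def reachable(src, dst):
    """Can a packet from src reach dst under the quarantine policy?

    Inside one cell the client and its scanner/gateway share a link, so no
    forwarding decision is involved; everything else passes the router.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_cell, dst_cell = cell_of(src), cell_of(dst)
    if src_cell is not None and d == UPDATE_SERVER:
        return True                                   # the one allowed exit from a cell
    if src_cell is not None and dst_cell is not None:
        return src_cell == dst_cell                   # same cell: yes; another cell: denied
    if src_cell is not None or dst_cell is not None:
        return False                                  # cell <-> general network denied
    return s in GENERAL_NET and d in GENERAL_NET      # general network is unaffected


def iptables_rules():
    """The same policy as iptables FORWARD-chain rules (order matters: accepts first).

    The ESTABLISHED,RELATED rule lets replies from the update server back into
    a cell without opening the cell space to unsolicited traffic.
    """
    return [
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {CELL_SPACE} -d {UPDATE_SERVER} -j ACCEPT",
        f"iptables -A FORWARD -s {CELL_SPACE} -d {GENERAL_NET} -j DROP",
        f"iptables -A FORWARD -s {GENERAL_NET} -d {CELL_SPACE} -j DROP",
        f"iptables -A FORWARD -s {CELL_SPACE} -d {CELL_SPACE} -j DROP",
        f"iptables -A FORWARD -s {GENERAL_NET} -d {GENERAL_NET} -j ACCEPT",
    ]


if __name__ == "__main__":
    for src, dst in [("10.0.0.2", "10.0.0.1"), ("10.0.0.2", "10.0.0.6"),
                     ("10.0.0.2", "192.168.1.5"), ("192.168.1.5", "192.168.2.7")]:
        print(f"{src:>12} -> {dst:<12} {'allow' if reachable(src, dst) else 'deny'}")
    print("\n".join(iptables_rules()))
```

The cell-to-cell DROP is what stops a quarantined worm from scanning its neighbours: 10.0.0.2 and 10.0.0.6 sit in different /30 cells, so the only address 10.0.0.2 can reach directly is its own scanner at 10.0.0.1.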

For MAC layer quarantining, a Virtual LAN (VLAN) can be used to separate machines connected to the same physical network, thus providing the appearance and functionality of multiple physical LANs [15]. Using this approach, the VLAN boundaries would be aligned with the boundaries of the security cells and network, providing layer 2 protection to supplement the aforementioned layer 3 protection. Layer 2 protection through VLANs is a key addition to the quarantine system and is increasingly supported by most wired LANs. Wireless LANs can provide this functionality if the Access Point (AP) is equipped with Point Coordination Function (PCF) [15]. In this case, the AP could apply the MAC security rules to the arriving MAC frames, isolating the MAC traffic from different groups. Malware containment for wireless networks that do not rely on an AP for communication (e.g. ad-hoc networks) is a difficult problem and is the subject of continued research [17].

[Table 1: sample firewall configuration (image)]

2.3 Distributing the Quarantine Information to Machines

The quarantine policy, which consists of MAC and network quarantine directives, must be distributed to the clients. The Dynamic Host Configuration Protocol (DHCP) is the basic tool for the system because clients can be configured with network parameters remotely [15]. DHCP allows remote specification of an IP address, netmask, and lease renegotiation parameters. The use of DHCP allows a host to be isolated in a security cell when it first enters the network. This accomplishes the goal of immediate protection.

For example, consider a DHCP server configured to model the network as shown in figure 2, where some cells have been eliminated for simplicity. When a new client performs a DHCP request, the client is issued an address from pre-configured security cells with a restrictive 255.255.255.252 netmask and a very short DHCP lease time. If the client has vulnerabilities, the DHCP server renews its address in a security cell until it becomes secure. If the client is secure, it is given an address from the standard network pool of addresses.

A sample DHCP configuration can be seen in figure 5. This sample configuration shows a shared physical network in which there are two separate subnets, 10.0.0.0/8 and 192.168.0.0/16. The lease times for the 10.0.0.0/8 subnet are 60 seconds to facilitate a quick renewal after a security scan. The lease times on the 192.168.0.0/16 subnet are longer, 10 to 20 minutes, but still short to mitigate the threat of quickly developed malware. The first pool described is the secure pool and only known clients, clients that have passed a security scan, may receive addresses from this pool. The second pool described is a security cell with a very restrictive netmask which models a security cell as shown in figure 4. A standard configuration would have one additional pool to define each additional security cell, but these have been omitted from the configuration file sample for simplicity.

Unfortunately there are limitations with current DHCP implementations [16]. Once a client has received its address lease, there is no way to force the client to accept a different address. The address change can only occur if the client requests a lease renewal. Hence, if a client is found to be insecure in the middle of its standard pool DHCP lease, the system is unable to logically relocate the client into a security cell until the client requests a lease renewal. During this period of time, a significant number of hosts could be found to have a new vulnerability and become infected. This is not a limitation specific to this security mechanism, however. RFC 3203 [16] calls for a DHCP reconfigure extension in which a DHCP server can send a FORCERENEW message to a client to force an immediate lease renegotiation. This would provide a solution to this issue, but this problem is currently mitigated by choosing a short DHCP lease time that ensures that most clients would renew in the time between when a vulnerability is discovered and a worm is crafted to exploit the vulnerability. Furthermore, another workaround is available at layer 2 in that the machine could be removed from its current VLAN until it requests a new address. This is an extreme measure, however, and considering past worms, a lease time of up to two weeks would be acceptable, but a time of one day would avert all but the fastest attacks.

[Figure 5: sample DHCP configuration (image)]

2.4 Policy Manager

The policy, determined in advance by the system administrator, can be a simple scheme separating vulnerable machines from others, or a complex system of security cells. Again, this is dependent on the level of detail offered by the security authentication system and the needs of the network.

Once a machine has connected to the network and undergone the security authentication, the policy manager receives security authentication credentials. The policy manager, implemented for example as a daemon process, maps the credential to the appropriate security cell. After determining how the security policy applies to a client, the policy manager sends the specific quarantine and route information to the quarantine system. However, the policy manager can also be independent of the network technology. In this case, the policy manager only needs to inform the quarantine system of the machine identity and the appropriate security cell. The quarantine system can then invoke the appropriate network and MAC layer functions.
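The policy manager of this section and the DHCP distribution of section 2.3 meet in one small piece of logic: classify each scanned host, then express the result as DHCP pools. The block below is an added example and not the paper's daemon or its figure 5. The scan results and MAC addresses are constructed, the vulnerability rule (a minimum acceptable version for the ssh service) is a placeholder rather than a real advisory, and the dhcpd.conf text is my rendering of the description in section 2.3 (60 second cell leases, 10 to 20 minute secure leases, /30 cells, a secure pool restricted to known clients) in ISC dhcpd syntax.

```python
"""Policy manager mapping scan results to DHCP pools (added example).

Not the paper's daemon or its figure 5: the scan results are constructed, the
vulnerability rule is a placeholder (a minimum acceptable ssh version), and the
dhcpd.conf text is written from the paper's description of figure 5 in ISC
dhcpd syntax. Hosts that pass become "known clients" and may use the secure
pool; everyone else can only obtain a short-lease address in a security cell.
"""
import ipaddress
from itertools import islice

SECURE_NET = ipaddress.ip_network("192.168.0.0/16")
CELL_SPACE = ipaddress.ip_network("10.0.0.0/8")
CELL_LEASE = 60                 # seconds: quick renewal after a scan
SECURE_LEASE = (600, 1200)      # default / max lease for the secure pool

# PLACEHOLDER policy: minimum acceptable version per service name.
# The threshold is invented for illustration and is not a real advisory.
MIN_VERSION = {"ssh": (9, 9)}

# Constructed scan results keyed by MAC: service name -> reported version.
SCAN = {
    "00:11:22:33:44:0b": {"ssh": "9.9"},   # like machine B: current service
    "00:11:22:33:44:0c": {"ssh": "1.0"},   # like machine C: below the placeholder minimum
    "00:11:22:33:44:0d": {},               # like machine D: nothing listening
}


def parse_version(text):
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def is_secure(services):
    """A host passes when every scanned service meets the placeholder minimum."""
    return all(parse_version(v) >= MIN_VERSION[name]
               for name, v in services.items() if name in MIN_VERSION)


def classify(scan):
    """Map each MAC to 'secure' or 'quarantine' (the credential of section 2.4)."""
    return {mac: ("secure" if is_secure(svc) else "quarantine")
            for mac, svc in scan.items()}


def render_dhcpd(status, cells=3):
    """Render the policy as dhcpd.conf: secure pool for known clients, `cells`
    short-lease /30 cells open only to unknown clients, and one host entry per
    secure MAC. Quarantined MACs get no host entry, so they stay unknown."""
    net = SECURE_NET.network_address
    lines = [
        "shared-network mobile {",
        f"  subnet {net} netmask {SECURE_NET.netmask} {{",
        f"    option routers {net + 1};",
        f"    default-lease-time {SECURE_LEASE[0]};",
        f"    max-lease-time {SECURE_LEASE[1]};",
        "    pool {",
        "      allow known-clients;   # only MACs with a host entry below",
        f"      range {net + 10} {net + 254};",
        "    }",
        "  }",
    ]
    for cell in islice(CELL_SPACE.subnets(new_prefix=30), cells):
        gw, client = cell.network_address + 1, cell.network_address + 2
        lines += [
            f"  subnet {cell.network_address} netmask {cell.netmask} {{",
            f"    option routers {gw};",
            f"    default-lease-time {CELL_LEASE};",
            f"    max-lease-time {CELL_LEASE};",
            f"    pool {{ deny known-clients; range {client}; }}",
            "  }",
        ]
    lines.append("}")
    lines += [f"host h{mac.replace(':', '')} {{ hardware ethernet {mac}; }}"
              for mac, st in status.items() if st == "secure"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_dhcpd(classify(SCAN)))
```

Because dhcpd cannot push a new address to a client (the FORCERENEW limitation above), the 60 second cell lease is what bounds how long a freshly patched host waits before it is moved to the secure pool, and the 10 to 20 minute secure lease bounds how long a newly vulnerable host keeps its secure address.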

 

3 Experiment Results

A proof-of-concept system was developed to test the merits of the proposed malware defense in a mobile network environment, as well as the suitability of current networking technology. As seen in figure 6, the system consisted of a mobile network where four computers were interconnected via a 1 Gbps switch. Each computer, installed with Gentoo Linux 2004.1 [4] (2.6.7 kernel), served as either a mobile client or the malware defense system.

Machine A implemented the proposed malware defense system consisting of the security scanner, policy manager, and the quarantine system. Nmap was utilized for the security scanner, while IP forwarding and iptables were utilized for quarantining [19]. As previously described, Nmap has the ability to scan for open services and, in certain circumstances, identify service versions. IP forwarding and iptables provide the routing and filtering support required for isolating machines in certain security cells. A daemon process was created for the policy manager, which mapped the vulnerability status of a mobile client to the appropriate security cell.

The mapping process utilized a simple file that described the defense policy. As described in section 1.4, the policy implemented separated machines into two basic groups, vulnerable and secure. Note that when a machine enters the network, it is automatically placed into a security cell and is assumed to be vulnerable until the security authentication determines whether to continue quarantine or allow the machine onto the network. The secure portion of the mobile network consisted of the 192.168.0.0/16 subnet, while the security cells were constructed on the 10.0.0.0/8 subnet as shown in figure 2. Although the security cells are logically close and share the same address space, the security cells are strictly separate at the network level and have no interconnectivity. Three security cells were constructed as quarantine areas.

Figure 7 shows the basic operation of the complete system at a high level. A new mobile client enters the network and is placed into state 1, an initial security cell. After a short period of time, the security scanner scans the client to discover any known vulnerabilities. This is represented as state 2 in figure 7. After the scan is complete, the security scanner relays the security authentication credentials to the policy manager. The policy manager then decides what kind of access to grant the client. If the client has no known vulnerabilities, the client is given an address from the standard network address pool and thus rests in state 3. If this is not the case, the machine returns to state 1, the initial security cell, and the process can repeat if necessary. The security cell has access to either a local update server or the Internet so the system administrator of that particular system can update the system when possible to gain additional network connectivity. The short lease time ensures that clients are admitted to the normal network shortly after their security authentication is complete.

To represent different vulnerabilities, the mobile clients (machines B, C, and D) executed different versions of OpenSSH [10]. Again, machine A acted as the security scanner, policy manager, and the quarantine system. Client C had an older version that was known to be insecure, while client B had a current version of OpenSSH, and client D had no services running. Once a client entered the network, it was assigned a security cell address via DHCP. Afterwards, it was scanned by machine A for known vulnerabilities. Machine B, with a current version of SSH, passed the security scan and was marked as such in the DHCP configuration file. Upon DHCP renewal, which occurred within one minute, it was assigned an address from the 192.168.0.0/16 pool and it immediately moved to the new network where it could access other network services. Client C, with an insecure version of OpenSSH, was also assigned a security cell address via DHCP. During its scan by machine A, however, it was noted to be running this insecure version and it was not placed into the trusted clients section for DHCP. Upon DHCP renewal, client C again received an address for a security cell and was denied access to the standard network. It is important to note that this client was not simply disconnected from the network, but maintained limited access to select resources, which would allow the user to patch this machine.

For stress testing, machines were scripted to turn vulnerable services on and off for several minutes at a time. When the client was in a secure state, it was given an address in the 192.168.0.0/16 subnet, but upon DHCP renewal, if the client had reached an insecure state, it was relegated to the security cells until it again became secure. Machine A seamlessly moved the clients from security cell to the standard pool and vice versa. The system was tested for several days and successfully defended the network without any problems. Therefore, this example demonstrates that the proposed malware defense is able to successfully manage and quarantine machines based on vulnerabilities using current networking tools.

 

 

 

Why implement this solution?

This maximizes the usefulness of the machine in question while preventing attacks. With its unique ability to quarantine machines without any specialized host software, the proposed system can defend against internal malware threats in a mobile network.

The possibility of this worm vaccination framework is promising for several reasons. Firstly, it does not rely on global network traffic monitoring. Secondly, the system is easily applied at any location and is not tied to particular software packages. It would also be effective against unknown worms.

The proposed quarantine approach is based on standard IP routing, which eliminates the need for the resource intensive network monitoring required by fingerprint-based systems. This allows the network to run at full speed without the overhead of an intrusion detection system (IDS) or a fingerprint-based firewall, although these components can be integrated into the security authentication paradigm. The proposed system is also generic in that systems are quarantined for specific vulnerabilities, not specific worms, so new worm variants that exploit the same vulnerability are automatically thwarted. Since there is often a space of weeks between the patch for a vulnerability and the time a worm is released to exploit the same vulnerability, the proposed system provides protection before the malware is likely to exist. Furthermore, the proposed model does not require any client side tools, therefore it is effective for any client in the network. For example, the system does not require personal (host) firewalls or IDS software, which are not feasible to centrally manage in a publicly available mobile network. As a result, the system is able to successfully defend against internal malware threats.

 

Unlike current systems that disconnect a suspect machine, the quarantine system affords the machine a certain level of network connectivity. This allows the machine to still function until the malware or vulnerability is addressed.

 

 

 

 

 

References

 

[1] Apache HTTP Server Project. httpd.apache.org.

[2] M. Bishop. Computer Security: Art and Science. Addison Wesley, 2003.

[3] D. Ellis. Worm anatomy and model. In Proceedings of the First ACM Workshop on Rapid Malware, 2003.

[4] Gentoo Linux. www.gentoo.org.

[5] G. V. Hulme. Under attack. InformationWeek, July 2004.

[6] J. C. Hung, K.-C. Lin, N. H. Lin, and L. H. Lin. A behavior-based anti-worm system. In Proceedings of the Seventh International Conference on Advanced Information Networking and Applications, 2003.

[7] D. M. Kienzle and M. C. Elder. Recent worms: A survey and trends. In Proceedings of the First ACM Workshop on Rapid Malware, 2003.

[8] Nessus Security Scanner. www.nessus.org.

[9] Nmap Security Scanner. www.insecure.org.

[10] OpenSSH, the Open Source Version of the SSH Protocol. www.openssh.org.

[11] Perfigo. Neutralizing Internet-borne Threats at the Network Edge. www.perfigo.com.

[12] L. L. Peterson and B. S. Davie. Computer Networks: A Systems Approach. Morgan Kaufmann, second edition, 2000.

[13] S. Sidiroglou and A. D. Keromytis. A network worm vaccine architecture. In Proceedings of the Twelfth IEEE International Workshop on Enabling Technologies, 2003.

[14] Snort, Open Source Network Intrusion Detection System. www.insecure.org.

[15] A. S. Tanenbaum. Computer Networks. Prentice Hall, fourth edition, 2003.

[16] Y. T'Joens, C. Hublet, and P. D. Schijver. DHCP reconfigure extension. IETF RFC 3203, December 2001.

[17] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang. Security in mobile ad hoc networks: Challenges and solutions. IEEE Wireless Communications, pages 38–47, February 2004.

[18] C. C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and early warning for internet worms. In Proceedings of the First ACM Workshop on Rapid Malware, 2003.

[19] E. D. Zwicky, S. Cooper, and D. B. Chapman. Building Internet Firewalls. O'Reilly, 2000.






Bluetooth Hacking1

11 09 2007

Author

Gautam Sarswat

JIITU NOIDA

 

Bluetooth Introduction

• Wire replacement technology

• Low power

• Short range 10m – 100m

• 2.4 GHz

• 1 Mb/s data rate

• Bluetooth SIG

– Trade Association

– Founded 1998

– Owns & Licenses IP

– Individual membership free

– Promoter members: Agere, Ericsson, IBM, Intel, Microsoft, Motorola, Nokia and Toshiba

– Consumer http://www.bluetooth.com

– Technical http://www.bluetooth.org

 

Bluetooth Technology

• Data and voice transmission

– ACL data connections

– SCO and eSCO voice channels

– Symmetric and asymmetric connections

• Frequency hopping

– ISM band at 2.4 GHz

– 79 channels

– 1600 hops per second

• Multi-Slot packets

 

 

Bluetooth Piconet

• Bluetooth devices create a piconet

– One master per piconet

– Up to seven active slaves

– Over 200 passive members are possible

– Master sets the hopping sequence

– Transfer rates of 721 Kbit/sec

• Bluetooth 1.2 and EDR (aka 2.0)

– Adaptive Frequency Hopping

– Transfer rates up to 2.1 Mbit/sec

 

 

Bluetooth Scatternet

• Connected piconets create a scatternet

– Master in one and slave in another piconet

– Slave in two different piconets

– Only master in one piconet

• Scatternet support is optional

[Figure: Bluetooth scatternet (image bt2.jpg)]

 

 

Bluetooth Architecture

• Hardware layer

– Radio, Baseband and Link Manager

• Access through Host Controller Interface

– Hardware abstraction

– Standards for USB and UART

• Host protocol stack

– L2CAP, RFCOMM, BNEP, AVDTP etc.

• Profile implementations

– Serial Port, Dialup, PAN, HID etc.

Bluetooth Stack

[Figure: Bluetooth stack (image bt1.jpg)]

     

 

Bluetooth Security

• Link manager security

– All security routines are inside the Bluetooth chip

– Nothing is transmitted in "plain text"

• Host stack security

– Interface for link manager security routines

– Part of the HCI specification

– Easy interface

– No further encryption of pin codes or keys

Security Modes

• Security mode 1

– No active security enforcement

• Security mode 2

– Service level security

– On device level no difference to mode 1

• Security mode 3

– Device level security

– Enforce security for every low-level connection

 

Linux and Bluetooth

# hciconfig -a
hci0: Type: USB
BD Address: 00:02:5B:A1:88:52 ACL MTU: 384:8 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN
RX bytes:9765 acl:321 sco:0 events:425 errors:0
TX bytes:8518 acl:222 sco:0 commands:75 errors:0
Features: 0xff 0xff 0x8b 0xfe 0x9b 0xf9 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy: RSWITCH HOLD SNIFF PARK
Link mode: SLAVE ACCEPT
Name: 'Casira BC3-MM'
Class: 0x1e0100
Service Classes: Networking, Rendering, Capturing, Object Transfer
Device Class: Computer, Uncategorized
HCI Ver: 1.2 (0x2) HCI Rev: 0x529 LMP Ver: 1.2 (0x2) LMP Subver: 0x529
Manufacturer: Cambridge Silicon Radio (10)

# hcitool scan
Scanning ...
00:04:0E:21:06:FD AVM BlueFRITZ! AP-DSL
00:01:EC:3A:45:86 HBH-10
00:04:76:63:72:4D Aficio AP600N
00:A0:57:AD:22:0F ELSA Vianect Blue ISDN
00:E0:03:04:6D:36 Nokia 6210
00:80:37:06:78:92 Ericsson T39m
00:06:C6:C4:08:27 Anycom LAN Access Point

Sniffing with hcidump

• Recording of HCI packets

– Commands, events, ACL and SCO data packets

• Only for local connections

• Decoding of higher layer protocols

– HCI and L2CAP

– SDP, RFCOMM, BNEP, CMTP, HIDP, HCRP and AVDTP

– OBEX and CAPI

• No sniffing of baseband or radio traffic

 

Security Commands

• HCI_Create_New_Unit_Key

• HCI_{Read|Write}_Pin_Type

• HCI_{Read|Write|Delete}_Stored_Link_Key

• HCI_{Read|Write}_Authentication_Enable

• HCI_{Read|Write}_Encryption_Mode

• HCI_Authentication_Requested

• HCI_Set_Connection_Encryption

• HCI_Change_Local_Link_Key

• HCI_Master_Link_Key

 

Pairing Functions

• Events

– HCI_Link_Key_Notification

– HCI_Link_Key_Request

– HCI_Pin_Code_Request

• Commands

– HCI_Link_Key_Request_Reply

– HCI_Link_Key_Request_Negative_Reply

– HCI_Pin_Code_Request_Reply

– HCI_Pin_Code_Request_Negative_Reply

 

How Pairing Works

• First connection

(1) HCI_Pin_Code_Request

(2) HCI_Pin_Code_Request_Reply

(3) HCI_Link_Key_Notification

• Further connections

(1) HCI_Link_Key_Request

(2) HCI_Link_Key_Request_Reply

(3) HCI_Link_Key_Notification (optional)

 

BlueSnarf

• Trivial OBEX PUSH channel attack

– obexapp (FreeBSD)

– PULL known objects instead of PUSH

– No authentication

• Infrared Data Association

– IrMC (Specifications for Ir Mobile Communications)

– e.g. telecom/pb.vcf

• Ericsson R520m, T39m, T68

• Sony Ericsson T68i, T610, Z1010

• Nokia 6310, 6310i, 8910, 8910i

 

HeloMoto

• Requires entry in 'Device History'

• OBEX PUSH to create entry

• Connect RFCOMM to Handsfree or Headset

– No Authentication required

– Full AT command set access

• Motorola V80, V5xx, V6xx and E398

 

Blooover – What is it?

• Blooover – Bluetooth Wireless Technology Hoover

• Proof-of-Concept Application

• Educational Purposes only

• Phone Auditing Tool

• Running on Java

– J2ME MIDP 2.0

– Implemented JSR-82 (Bluetooth API)

– Nokia 6600, Nokia 7610, Nokia 6670, … Series 60

– Siemens S65

– SonyEricsson P900 …

Blooover – What does it do?

• Blooover is performing the BlueBug attack

– Reading phonebooks

– Writing phonebook entries

– Reading/decoding SMS stored on the device (buggy..)

– Setting Call forward (predef. Number) +49 1337 7001

– Initiating phone call (predef. Number) 0800 2848283

• Not working well on Nokia phones :( but on some T610

• Please use this application responsibly!

– For research purposes only!

– With permission of owner

 

Blueprinting – What is it?

• Blueprinting is fingerprinting Bluetooth Wireless Technology interfaces of devices

Blueprinting – How

• Hashing Information from Profile Entries

– RecordHandle

– RFCOMM channel number

– Adding it all up (RecHandle1*Channel1) + (RecHandle2*Channel2) + … + (RecHandlen*Channeln)

• Bluetooth Device Address

– First three bytes refer to manufacturer (IEEE OUI)

• Example of Blueprint

– 00:60:57@2621543
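The blueprint formula on the slide is easy to reproduce from an SDP browse of a device, which is how an inventory tool would identify the Bluetooth stacks present on a site. The block below is an added example, not code from the slides or from the Blueprinting tool: the browse transcript is constructed in the style of BlueZ's `sdptool browse` output and the device address 00:11:22:33:44:55 is fictitious. It extracts (RecordHandle, RFCOMM channel) pairs and builds the OUI@hash string exactly as the slide defines it.

```python
"""Blueprinting hash computed from SDP records (added example, constructed data).

The transcript below is made up in the style of BlueZ's `sdptool browse`
output, and the device address is fictitious. The hash is the slide's formula:
the sum of RecordHandle * RFCOMM channel over all records, prefixed with the
first three bytes (IEEE OUI) of the Bluetooth device address.
"""
import re

SAMPLE_BROWSE = """Browsing 00:11:22:33:44:55 ...
Service Name: Serial Port
Service RecHandle: 0x10000
Service Class ID List:
  "Serial Port" (0x1101)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: OBEX Object Push
Service RecHandle: 0x10002
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)

Service Name: PAN Network Access Point
Service RecHandle: 0x10003
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 15
  "BNEP" (0x000f)
"""

HANDLE_RE = re.compile(r"^Service RecHandle:\s*0x([0-9a-fA-F]+)")
CHANNEL_RE = re.compile(r"^\s*Channel:\s*(\d+)")


def parse_records(text):
    """Extract (record handle, RFCOMM channel) pairs from an sdptool browse transcript.

    A record without an RFCOMM channel (the PAN service above runs directly over
    L2CAP/BNEP) has nothing to multiply by, so it contributes nothing to the hash;
    that is how this example handles the case, since the slide only defines the
    formula over RFCOMM channel numbers.
    """
    records, handle = [], None
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            handle = int(m.group(1), 16)
            continue
        m = CHANNEL_RE.match(line)
        if m and handle is not None:
            records.append((handle, int(m.group(1))))
            handle = None                 # one channel per record
    return records


def blueprint(bd_addr, records):
    """Build the OUI@hash string the slides call a blueprint."""
    oui = ":".join(bd_addr.upper().split(":")[:3])
    return f"{oui}@{sum(h * c for h, c in records)}"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_BROWSE)
    print(recs)
    print(blueprint("00:11:22:33:44:55", recs))
```

Two devices with the same firmware expose the same record handles and channel assignments, which is why the sum is a usable fingerprint; the OUI prefix keeps chipsets from different vendors apart even when their sums happen to collide.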

 

BlueSmack

• Using L2CAP echo feature

– Signal channel request/response

– L2CAP signal MTU is unknown

– No open L2CAP channel needed

• Buffer overflow

• Denial of service attack

BlueSmack

< HCI Command: Create Connection (0x01|0x0005) plen 13
0000: b6 1e 33 6d 0e 00 18 cc 02 00 00 00 01 ..2m.........
> HCI Event: Command Status (0x0f) plen 4
0000: 00 01 05 04 ....
> HCI Event: Connect Complete (0x03) plen 11
0000: 00 29 00 b6 1d 32 6d 0e 00 01 00 .)...2m....
< ACL data: handle 0x0029 flags 0x02 dlen 28
L2CAP(s): Echo req: dlen 20
0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 EFGHIJKLMNOPQRST
0010: 55 56 57 58 UVWX
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 29 00 01 00 .)...
> ACL data: handle 0x0029 flags 0x02 dlen 28
L2CAP(s): Echo rsp: dlen 20
0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 EFGHIJKLMNOPQRST
0010: 55 56 57 58 UVWX
< HCI Command: Disconnect (0x01|0x0006) plen 3
0000: 29 00 13 )..
> HCI Event: Command Status (0x0f) plen 4
0000: 00 01 06 04 ....
> HCI Event: Disconn Complete (0x05) plen 4
0000: 00 29 00 16 .)..
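A trace like the one above is the evidence a host-side monitor has when it is on the receiving end of an L2CAP echo flood, and hcidump's text format is regular enough to parse. The block below is an added example, not from the slides or from hcidump: it pairs each ACL data line with the L2CAP signalling decode that follows it, checks that the ACL length equals the L2CAP basic header plus the signalling command header plus the echo payload, and flags incoming echo requests whose payload exceeds a configured limit. The trace in the block is constructed in hcidump's format (the oversized request at the end is made up) and SIG_MTU is an assumed threshold; 48 bytes is the minimum signalling MTU the core specification requires, so anything above it is worth noticing, even though the slide correctly notes that a given stack's real limit is unknown.

```python
"""Parser and size check for hcidump text output (added example, not from the slides).

The trace below is constructed in the format hcidump prints (direction marker,
HCI/ACL header line, L2CAP decode line, hex dump); the last, oversized echo
request is made up. SIG_MTU is an assumed threshold to tune per stack.
"""
import re

SAMPLE_TRACE = """< HCI Command: Create Connection (0x01|0x0005) plen 13
    0000: b6 1e 33 6d 0e 00 18 cc 02 00 00 00 01  ..3m.........
> HCI Event: Connect Complete (0x03) plen 11
    0000: 00 29 00 b6 1e 33 6d 0e 00 01 00        .)...3m....
< ACL data: handle 0x0029 flags 0x02 dlen 28
    L2CAP(s): Echo req: dlen 20
    0000: 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54  EFGHIJKLMNOPQRST
    0010: 55 56 57 58                                      UVWX
> ACL data: handle 0x0029 flags 0x02 dlen 28
    L2CAP(s): Echo rsp: dlen 20
> ACL data: handle 0x0029 flags 0x02 dlen 628
    L2CAP(s): Echo req: dlen 620
"""

L2CAP_HDR = 4      # basic header: 2-byte length + 2-byte CID (0x0001 for signalling)
SIG_CMD_HDR = 4    # signalling command: code, identifier, 2-byte length
SIG_MTU = 48       # assumed limit for echo payloads (the spec's minimum MTUsig)

ACL_RE = re.compile(r"^([<>]) ACL data: handle 0x([0-9a-fA-F]+) flags 0x[0-9a-fA-F]+ dlen (\d+)")
SIG_RE = re.compile(r"^\s*L2CAP\(s\): (Echo req|Echo rsp): dlen (\d+)")


def parse_hcidump(text):
    """Pair each ACL data line with the L2CAP signalling decode that follows it.

    HCI command/event lines and hex dump lines match neither pattern and are
    skipped; an ACL line with no signalling decode after it is dropped.
    """
    events, pending = [], None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            pending = {"dir": m.group(1), "handle": int(m.group(2), 16),
                       "acl_dlen": int(m.group(3))}
            continue
        m = SIG_RE.match(line)
        if m and pending is not None:
            pending.update(cmd=m.group(1), sig_dlen=int(m.group(2)))
            events.append(pending)
            pending = None
    return events


def header_consistent(ev):
    """ACL payload must be exactly L2CAP header + command header + echo data."""
    return ev["acl_dlen"] == L2CAP_HDR + SIG_CMD_HDR + ev["sig_dlen"]


def oversized_echo_requests(events, limit=SIG_MTU):
    """Incoming ('>') echo requests whose payload exceeds the limit."""
    return [ev for ev in events
            if ev["dir"] == ">" and ev["cmd"] == "Echo req" and ev["sig_dlen"] > limit]


if __name__ == "__main__":
    evs = parse_hcidump(SAMPLE_TRACE)
    for ev in evs:
        print(ev, "ok" if header_consistent(ev) else "length mismatch")
    print("oversized:", oversized_echo_requests(evs))
```

The direction marker matters for detection: the slide's own 20-byte request is outgoing (`<`) and within any plausible MTU, while an incoming request that is larger than the stack can buffer is the condition the slide describes as leading to a crash.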





Wireless LAN Security 802.11b and Corporate Networks

2 09 2007

Wireless LAN Security 802.11b and Corporate Networks

Analysis/Summary By: Gautam Sarswat

 

Introduction

 

Current 802.11b products operate at 2.4GHz, and deliver up to 11Mbps of bandwidth – comparable to a standard Ethernet wired LAN in performance. An upcoming version called 802.11a moves to a higher frequency range, and promises significantly faster speeds. It is expected to have security concerns similar to 802.11b.

This paper addresses the security concerns raised by both current and upcoming 802.11 network technologies.

 

 

Wireless LAN Business Drivers

 

Market maturity and technology advances will lower the cost and accelerate widespread adoption of wireless LANs. End-user spending, the primary cost metric, will drop from about $250 in 2001 to around $180 in 2004 (Gartner Group). By 2005, 50 percent of Fortune 1000 companies will have extensively deployed wireless LAN technology based on evolved 802.11 standards (0.7 probability). By 2010, the majority of Fortune 2000 companies will have deployed wireless LANs to support standard, wired network technology LANs (0.6 probability).

 

 

Reality Check

 

The 802.11b standard shares unlicensed frequencies with other devices, including Bluetooth wireless personal area networks (PANs), cordless phones, and baby monitors. These technologies can, and do, interfere with each other. 802.11b also fails to delineate roaming (moving from one cell to another), leaving each vendor to implement a different solution. Future proposals in 802.11 promise to address these shortcomings, but no shipping products are on the immediate horizon.

 

 

Wireless Security In The Enterprise

 

 

The following diagram depicts an intranet or internal network that is properly configured to handle wireless traffic, with two firewalls in place, plus intrusion detection and response sensors to monitor traffic on the wireless segment. One firewall controls access to and from the Internet. The other controls access to and from the wireless access point. The access point itself is the bridge that connects mobile clients to the internal network.

[Figure: wireless segment with two firewalls and IDS sensors (image netw.jpg)]

The access point has a dedicated IP address for remote management via SNMP (Simple Network Management Protocol). The wireless clients themselves – usually laptops or desktops and handhelds – may also use SNMP agents to allow remote management. As a result, each of these devices contains a sensor to ensure that each unit is properly configured, and that these configurations have not been improperly altered. The network itself is regularly monitored to identify access points in operation, and verify that they are authorized and properly configured.

 

While this paper focuses on the risk issues from a corporate network perspective, these same issues apply to home networks, telecommuters using wireless, and "public use" networks such as those being set up by Microsoft to allow wireless Internet access at select Starbucks locations. Remote users are now able to access internal corporate resources from multiple types of foreign networks. Even organizations without internal wireless networks must take wireless into account as part of their overall security practices.

 

 

Known Risks

 

Most current 802.11b risks fall into seven basic categories:

• Insertion attacks

• Interception and unauthorized monitoring of wireless traffic

• Jamming

• Client-to-Client attacks

• Brute force attacks against access point passwords

• Encryption attacks

• Misconfigurations

These classifications can apply to any wireless technology, not just 802.11b.

 

Insertion Attacks

 

Insertion attacks are based on deploying unauthorized devices or creating new wireless networks without going through a security process and review.

 

Unauthorized Clients

An attacker tries to connect a wireless client, typically a laptop or PDA, to an access point without authorization. Access points can be configured to require a password for client access. If there is no password, an intruder can connect to the internal network simply by enabling a wireless client to communicate with the access point. Note, however, that some access points use the same password for all client access, requiring all users to adopt a new password every time the password needs to be changed.

 

Unauthorized or Renegade Access Points

An organization may not be aware that internal employees have deployed wireless capabilities on their network. This lack of awareness could lead to the previously described attack, with unauthorized clients gaining access to corporate resources through a rogue access point. Organizations need to implement policy to ensure secure configuration of access points, plus an ongoing process in which the network is scanned for the presence of unauthorized devices.
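The ongoing scan this paragraph calls for reduces to comparing a wireless survey against an inventory of authorized access points. The block below is an added example and not from the paper: the survey records and the inventory are constructed, the default SSID list is the one quoted later in this post under Misconfiguration, and the checks cover the risks the post describes: an access point that is not in the inventory, an authorized unit still carrying a vendor default SSID or running with WEP off, and an unknown access point advertising one of our own SSIDs, which is the access point clone described under Interception.

```python
"""Access-point audit over a constructed survey (added example, not from the paper).

Assumptions: the survey records and the authorized inventory are made up; the
vendor default SSIDs are the ones quoted in this post. Each finding is a
(bssid, reason) pair so it can be fed to whatever alerting the site uses.
"""

# Vendor default SSIDs listed in the post (Cisco, 3Com, Lucent/Cabletron, ...).
DEFAULT_SSIDS = {
    "tsunami", "101", "RoamAbout Default Network Name", "Compaq",
    "WLAN", "intel", "linksys", "Default SSID", "Wireless",
}

# Constructed inventory: BSSID -> SSID the access point is supposed to use.
INVENTORY = {
    "00:40:96:aa:bb:01": "corp-floor2",
    "00:40:96:aa:bb:02": "corp-floor3",
}

# Constructed survey, as a wireless site-survey tool might report it.
SURVEY = [
    {"bssid": "00:40:96:aa:bb:01", "ssid": "corp-floor2", "wep": True},
    {"bssid": "00:40:96:aa:bb:02", "ssid": "tsunami",     "wep": False},
    {"bssid": "00:02:2d:cc:dd:03", "ssid": "corp-floor2", "wep": True},
]


def audit(survey, inventory, default_ssids=DEFAULT_SSIDS):
    """Return a list of (bssid, finding) pairs; an empty list means a clean survey."""
    findings = []
    our_ssids = set(inventory.values())
    for ap in survey:
        bssid, ssid = ap["bssid"].lower(), ap["ssid"]
        expected = inventory.get(bssid)
        if expected is None:
            findings.append((bssid, "unauthorized-ap"))
            if ssid in our_ssids:
                findings.append((bssid, "ssid-clone"))   # access point clone candidate
            continue
        if ssid != expected:
            findings.append((bssid, "ssid-mismatch"))    # reconfigured or reset unit
        if ssid in default_ssids:
            findings.append((bssid, "default-ssid"))
        if not ap["wep"]:
            findings.append((bssid, "wep-disabled"))     # SSID and traffic in clear text
    return findings


if __name__ == "__main__":
    for bssid, reason in audit(SURVEY, INVENTORY):
        print(f"{bssid}  {reason}")
```

The inventory is keyed by BSSID rather than SSID on purpose: the SSID is the value an attacker copies when cloning an access point, while the BSSID of an authorized unit is known in advance and changes only when hardware is replaced.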

 

 

Interception and Monitoring of Wireless Traffic

 

As in wired networks, it is possible to intercept and monitor network traffic across a wireless LAN. The attacker needs to be within range of an access point (approximately 300 feet for 802.11b) for this attack to work, whereas a wired attacker can be anywhere where there is a functioning network connection. The advantage for a wireless interception is that a wired attack requires the placement of a monitoring agent on a compromised system. All a wireless intruder needs is access to the network data stream.

There are two important considerations to keep in mind with the range of 802.11b access points. First, directional antennae can dramatically extend either the transmission or reception ranges of 802.11b devices. Therefore, the 300 foot maximum range attributed to 802.11b only applies to normal, as-designed installations. Enhanced equipment also enhances the risk. Second, access points transmit their signals in a circular pattern, which means that the 802.11b signal almost always extends beyond the physical boundaries of the work area it is intended to cover. This signal can be intercepted outside buildings, or even through floors in multistory buildings. Careful antenna placement can significantly affect the ability of the 802.11b signal to reach beyond physical corporate boundaries.

 

Wireless Packet Analysis

A skilled attacker captures wireless traffic using techniques similar to those employed on wired networks. Many of these tools capture the first part of the connection session, where the data would typically include the username and password. An intruder can then masquerade as a legitimate user by using this captured information to hijack the user session and issue unauthorized commands.

 

Broadcast Monitoring

If an access point is connected to a hub rather than a switch, any network traffic across that hub can potentially be broadcast out over the wireless network. Because the Ethernet hub broadcasts all data packets to all connected devices including the wireless access point, an attacker can monitor sensitive data going over wireless that was not even intended for any wireless clients.

 

Access Point Clone (Evil Twin) Traffic Interception

An attacker fools legitimate wireless clients into connecting to the attacker's own network by placing an unauthorized access point with a stronger signal in close proximity to wireless clients. Users attempt to log into the substitute servers and unknowingly give away passwords and similar sensitive data.

 

 

Jamming

 

Denial of service attacks are also easily applied to wireless networks, where legitimate traffic can not reach clients or the access point because illegitimate traffic overwhelms the frequencies. An attacker with the proper equipment and tools can easily flood the 2.4 GHz frequency, corrupting the signal until the wireless network ceases to function. In addition, cordless phones, baby monitors and other devices that operate on the 2.4 GHz band can disrupt a wireless network using this frequency. These denials of service can originate from outside the work area serviced by the access point, or can inadvertently arrive from other 802.11b devices installed in other work areas that degrade the overall signal.

 

Client-to-Client Attacks

 

Two wireless clients can talk directly to each other, bypassing the access point. Users therefore need to defend clients not just against an external threat but also against each other.

 

File Sharing and Other TCP/IP Service Attacks

Wireless clients running TCP/IP services such as a Web server or file sharing are open to the same exploits and misconfigurations as any user on a wired network.

 

DOS (Denial of Service)

A wireless device floods other wireless clients with bogus packets, creating a denial of service attack. In addition, duplicate IP or MAC addresses, both intentional and accidental, can cause disruption on the network.

 

 

Brute Force Attacks Against Access Point Passwords

 

Most access points use a single key or password that is shared with all connecting wireless clients. Brute force dictionary attacks attempt to compromise this key by methodically testing every possible password. The intruder gains access to the access point once the password is guessed.

In addition, passwords can be compromised through less aggressive means. A compromised client can expose the access point. Not changing the keys on a frequent basis or when employees leave the organization also opens the access point to attack. Managing a large number of access points and clients only complicates this issue, encouraging lax security practices.

 

Attacks against Encryption

The 802.11b standard uses an encryption system called WEP (Wired Equivalent Privacy). WEP has known weaknesses (see http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html for more information), and these issues are not slated to be addressed before 2002. Not many tools are readily available for exploiting this issue, but sophisticated attackers can certainly build their own.

 

Misconfiguration

Many access points ship in an unsecured configuration in order to emphasize ease of use and rapid deployment. Unless administrators understand wireless security risks and properly configure each unit prior to deployment, these access points will remain at a high risk for attack or misuse. The following section examines three leading access points, one each from Cisco, Lucent and 3Com. Although each vendor has its own implementation of 802.11b, the underlying issues should be broadly applicable to products from other vendors.

 

Server Set ID (SSID) –

SSID is a configurable identification that allows clients to communicate with an appropriate access point. With proper configuration, only clients with the correct SSID can communicate with access points. In effect, SSID acts as a single shared password between access points and clients. Access points come with default SSIDs. If not changed, these units are easily compromised. Here are common default passwords:

“tsunami” – Cisco
“101” – 3Com
“RoamAbout Default Network Name” – Lucent/Cabletron
“Compaq” – Compaq
“WLAN” – Addtron
“intel” – Intel
“linksys” – Linksys
“Default SSID”, “Wireless” – Other manufacturers

SSIDs go over the air as clear text if WEP is disabled, allowing the SSID to be captured by monitoring the network’s traffic. In addition, the Lucent access points can operate in Secure Access mode. This option requires the SSID of both client and access point to match. By default this security option is turned off. In non-secure access mode, clients can connect to the access point using the configured SSID, a blank SSID, or an SSID configured as “any.”

 

Wired Equivalent Privacy (WEP) –

WEP can typically be configured as follows:

No encryption
40 bit encryption
128 bit encryption

Most access points ship with WEP turned off. Although 128 bit encryption is more effective than 40 bit encryption, both key strengths are subject to WEP’s known flaws.

 

SNMP Community Passwords –

Many wireless access points run SNMP agents. If the community word is not properly configured, an intruder can read and potentially write sensitive data on the access point. If SNMP agents are enabled on the wireless clients, the same risk applies to them as well.

By default, many access points are read accessible by using the community word “public”. 3Com access points allow write access by using the community word “comcomcom”. Cisco and Lucent/Cabletron require the write community word to be configured by the user or administrator before the agent is enabled.

 

Configuration Interfaces –

Each access point model has its own interface for viewing and modifying its configuration. Here are the current interface options for these three access points:

Cisco – SNMP, serial, Web, telnet
3Com – SNMP, serial, Web, telnet
Lucent / Cabletron – SNMP, serial (no web/telnet)

3Com access points lack access control to the Web interface for controlling configuration. An attacker who locates a 3Com access point Web interface can easily get the SSID from the “system properties” menu display. 3Com access points do require a password on the Web interface for write privileges. This password is the same as the community word for write privileges, therefore 3Com access points are at risk if deployed using the default “comcomcom” as the password.

 

Client Side Security Risk –

Clients connected to an access point store sensitive information for authenticating and communicating to the access point. This information can be compromised if the client is not properly configured. Cisco client software stores the SSID in the Windows registry, and the WEP key in the firmware, where it is more difficult to access. Lucent/Cabletron client software stores the SSID in the Windows registry. The WEP key is stored in the Windows registry, but it is encrypted using an undocumented algorithm. 3Com client software stores the SSID in the Windows registry. The WEP key is stored in the Windows registry with no encryption.

 

Installation –

By default, all three access points are optimized to help build a useful network as quickly and as easily as possible. As a result, the default configurations minimize security.


Wireless Information Security Management

The following cost-effective guidelines help enable organizations to establish proper security protections as part of an overall wireless strategy:

 

Wireless Security Policy and Architecture Design

Security policy, procedures and best practices should include wireless networking as part of an overall security management architecture to determine what is and is not allowed with wireless technology.

 

Treat Access Points As Untrusted

Access points need to be identified and evaluated on a regular basis to determine if they need to be quarantined as untrusted devices before wireless clients can gain access to internal networks. This determination means appropriate placement of firewalls, virtual private networks (VPN), intrusion detection systems (IDS), and authentication between access points and intranets or the Internet.

 

Access Point Configuration Policy

Administrators need to define standard security settings for any 802.11b access point before it can be deployed. These guidelines should cover SSID, WEP keys and encryption, and SNMP community words.

 

Access Point Discovery

Administrators should regularly search outwards from a wired network to identify unknown access points. Several methods of identifying 802.11b devices exist, including detection via banner strings on access points with either Web or telnet interfaces. Wireless network searches can identify unauthorized access points by setting up a 2.4 GHz monitoring agent that searches for 802.11b packets in the air. These packets may contain IP addresses that identify which network they are on, indicating that rogue access points are operating in the area. One important note: this process may pick up access points from other organizations in densely populated areas.

 

Access Point Security Assessments

Regular security audits and penetration assessments quickly identify poorly configured access points, default or easily guessed passwords and community words, and the presence or absence of encryption. Router ACLs and firewall rules also help minimize access to the SNMP agents and other interfaces on the access point.
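The configuration audit described here and in the Misconfiguration section above, as an added example that is not vendor code or part of the original post: it checks an access point record against the default SSIDs, default SNMP community words, WEP settings and password reuse discussed in the text. The `AccessPoint` record, the 90-day key rotation limit and the two sample units are assumptions constructed for the illustration.

```python
"""Audit access point settings against the defaults and weak options discussed
above (Misconfiguration, Access Point Security Assessments). Added illustration,
not vendor code; the sample fleet below is constructed, not real device output."""
from dataclasses import dataclass
from typing import Dict, List

# Default SSIDs and SNMP community words quoted in the text above.
DEFAULT_SSIDS = {"tsunami", "101", "RoamAbout Default Network Name", "Compaq",
                 "WLAN", "intel", "linksys", "Default SSID", "Wireless"}
DEFAULT_COMMUNITIES = {"public", "comcomcom"}
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; the text only says "frequent"

@dataclass
class AccessPoint:
    name: str
    ssid: str
    wep_bits: int              # 0 = no encryption, 40 or 128
    snmp_enabled: bool = False
    read_community: str = ""
    write_community: str = ""
    web_password: str = ""     # 3Com reuses the SNMP write community word here
    key_age_days: int = 0      # days since the WEP key was last changed

def audit(ap: AccessPoint) -> List[str]:
    """Return findings for one access point; an empty list means clean."""
    findings: List[str] = []
    if not ap.ssid.strip() or ap.ssid in DEFAULT_SSIDS:
        findings.append(f"SSID is blank or a vendor default: {ap.ssid!r}")
    if ap.wep_bits == 0:
        findings.append("WEP off: SSID and traffic go over the air in clear text")
    elif ap.wep_bits == 40:
        findings.append("40-bit WEP: weaker than 128-bit (both have known flaws)")
    if ap.snmp_enabled:
        if ap.read_community in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP read community is default {ap.read_community!r}")
        if ap.write_community in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP write community is default {ap.write_community!r}")
        if ap.web_password and ap.web_password == ap.write_community:
            findings.append("web interface password equals the SNMP write community word")
    if ap.key_age_days > MAX_KEY_AGE_DAYS:
        findings.append(f"WEP key unchanged for {ap.key_age_days} days")
    return findings

def audit_fleet(aps: List[AccessPoint]) -> Dict[str, List[str]]:
    """Map each AP name to its findings so misconfigured units stand out."""
    return {ap.name: audit(ap) for ap in aps}

# Constructed sample fleet: one unit left at factory settings, one hardened.
SAMPLE_FLEET = [
    AccessPoint("ap-lobby", "101", wep_bits=0, snmp_enabled=True,
                read_community="public", write_community="comcomcom",
                web_password="comcomcom", key_age_days=400),
    AccessPoint("ap-lab-2", "bldg7-eng", wep_bits=128, snmp_enabled=True,
                read_community="r3ad-0nly-x", write_community="wr1te-y",
                web_password="adm-z", key_age_days=30),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, "->", findings or ["clean"])
```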

 

Wireless Client Protection –

Wireless clients need to be regularly examined for good security practices. These procedures should include the presence of some or all of the following:

· Distributed personal firewalls to lock down access to the client
· VPNs to supplement encryption and authentication beyond what 802.11b can provide
· Intrusion detection and response to identify and minimize attacks from intruders, viruses, Trojans and backdoors
· Desktop assessments to identify and repair security issues on the client device


Security Management in Intranet Systems

2 09 2007

 

Research By :

Kuo Lane Chen

Vance Etnyre

Huei Lee

 

Analysis/Summary By:

Gautam Sarswat

 

ABSTRACT

The purpose of this research paper is to examine possible information security problems and recommend possible ways to evaluate and reduce information system risks.

 

INTRODUCTION

Despite the growing popularity of VPN-based Intranet systems, security remains one of the major concerns regarding the use of the Internet. Organizations now have to contend with Internet “worms”, network intrusions, and compromised computers.

 

LITERATURE REVIEW

In 2002, Microsoft provided a system of advanced Internet development tools – the .Net Framework and XML Web services. The .NET platform is similar to Sun Microsystems’s Java 2 Platform Enterprise Edition (J2EE). These systems aid application developers by providing useful tools to create web-based applications. They also provide security control structures for Intranet applications development (Stiefel & Oberg, 2002).

There are two security weaknesses inherent in the current infrastructure of Intranet-based systems. First, high-speed telecommunication lines (Internet backbone) are subject to line breakage, causing disruption of service. Second, messages and other information are susceptible to being intercepted, recorded or modified as they pass from the host to the recipient.

virtually no law that prevents any Internet Service Provider (ISP) from observing, recording, selling, or giving away any information that passes through host computers. Major problems in Internet and Intranet security include virus attacks, denial-of-service, industrial espionage, and spam mail.

 

SECURITY MANAGEMENT TECHNIQUES

Security management techniques can be divided into three major approaches: 1) general technological approaches, 2) behavioral approaches, and 3) systems programming approaches.

 

General Technological Approaches

1. Authentication

Authentication means that a person using the system is required to prove his or her identity (Panko, 2003). The forms of authentication include passwords, personal identification number, membership ID, or cryptographic key (Raisinghani & Savoie, 1999).

 

2. Authorization

Authorization means that only certain individuals or groups or users filling certain roles may have access to specific resources.

 

3. Encryption

Encryption converts the sender’s message into ciphertext, which an interceptor will not be able to read. At the receiving end, the receiver decrypts the ciphertext back to the sender’s original message.

Secure Sockets Layer (SSL), developed by Netscape Communications, is a popular encryption protocol that makes data passing through the Internet indecipherable to an interceptor. It has become a de facto standard for Internet e-commerce security (Panko, 2003).

 

4. Digital Certification

Digital certification is another way to assure security. Using digital certification, a sender adds to each message a digital certificate, which is created by a certificate authority.

 

5. Firewall Systems

Webopedia.com defines a firewall as “A system designed to (selectively) prevent unauthorized access to or from a private network.” There are two kinds of firewall systems: Packet Filter Firewalls and Application Firewalls. In Packet Filter Firewalls, the IP and TCP headers of each packet are examined, and any packet whose IP or TCP header contains a local resource address is terminated. A technique known as network address translation is also used in firewall systems. Application firewalls, also known as proxy firewalls, examine the application layer messages to check for possible problems (Panko, 2003).

 

Behavioral Approaches

Behavioral approaches mean that careful internal management can prevent security problems.

 

Systems Software Approaches

Since most PC-based systems in small and medium companies are Microsoft systems, it is important to discuss special approaches in Microsoft’s new .NET platform.

The .NET environment gives programmers and service providers a single platform that can be used to compile programs written in several different programming languages. The Common Language Runtime feature of .NET gives providers a mechanism that can combine components written in different languages into a coherent integrated package.

One of the most important features of the .NET platform is the ability to create Web Service applications. However, without Microsoft’s Internet Information Service (IIS) package installed and activated, the user loses the ability to create Web Service applications. Also, in order to use the IIS package, the user must be granted administrative security clearance. As one can see, this creates major problems for network security. Once a user is granted permission to use the IIS package, that access to critical network components through IIS makes the entire network vulnerable to severe accidents and malicious attacks, because it gives users unnecessary access to various other resources of the server. In general, IIS provides only three types of security control techniques: authentication, authorization, and impersonation. Authentication includes forms, Passport authentication, and Windows authentication. In Passport authentication, the user is redirected to a login page on Microsoft’s site. These security control techniques are sufficient for e-commerce, but more rigorous security control methods should be available to protect other, more restricted configurations such as company Intranet systems (Augustyniak, 2002).

One of the issues discussed in the .NET Framework is role-based security. Instead of examining each individual user name, an administrator can assign a user a specific role-based security clearance. For instance, a general employee has the right to log in to the systems, but does not have the right to revise the payroll file. Role-based security methods can be coded in various programming languages for .NET applications (Stiefel & Oberg, 2002).

The .NET platform allows students to learn how to create and use Web Service applications – the hottest new topic in computing. This, however, opens a new security problem. Unlike most business settings, where each person has responsibility (and accountability) for a single computer, many universities use a “semi-open lab” environment. Although there are limitations to general use of all university computers, in a semi-open lab any student can log in to any available computer. Although there is some temporary accountability in this scheme, additional security problems are inherent in this environment.

In any computing environment, a primary goal of system administrators is to allow convenient access to authorized users while denying access to unauthorized users and unauthorized uses of system resources. This requires a balance between the security concerns of system administrators and the access needs of system users.

 

RESEARCH METHOD

An experiment has been conducted to establish a method for balancing the needs of system administrators and system users. Graduate students within an MIS program at University of Houston – Clear Lake were divided into two groups. The participants were asked to identify themselves as primarily ‘programmers’ or primarily ‘administrators’. Each group was asked to evaluate alternative modes of configuration in a university semi-open lab environment. The three alternatives for computer lab configuration are:

1. Alternative 1 – (Full Access to All)

One way to configure software in open labs is to have all authorized software available to all workstations. This would provide maximum access to software resources. The cost of doing this can be huge, however, and the exposure to risk of unauthorized uses and unauthorized users could be unacceptably large.

2. Alternative 2 (Segregating) – Restricting Access to a limited set of public resources

In this alternative, a small number of computers in the ‘open lab’ environment are configured to contain a full implementation of the .NET platform (including IIS), while the rest of the computers are configured with a limited configuration (excluding IIS). Only students from a special list are allowed access to the restricted computers.

3. Alternative 3 (Isolating) – Removing a limited set of resources from general availability.

Removing a limited set of resources from general availability and using them to create a local private network changes the strategy in a significant way. Computers on the private network are subjected to risk as the server software executes, but that risk is isolated to the private network. Computers in the “open labs” can be easily protected from these higher-risk machines.

In the experiment, seven students identified themselves as “primarily programmers”. Five students called themselves “primarily administrators”. Student participants were asked to evaluate each of the three configurations using four evaluation categories in a “10*10” weighted scoring scheme. The evaluation categories were: Accessibility, Cost Control, Performance Efficiency, and Risk Control. Each category was evaluated with a score from 0 (totally unacceptable) to 10 (ideal). Weights were assigned to each category with the total of all weights equal to 10.0. In such an evaluation system, the range of weighted scores is from 0.0 to 100.0.
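The “10*10” weighted scoring scheme above, as an added example that is not part of the original paper or this summary: four categories scored 0 to 10, weights totalling 10.0, weighted totals in the 0.0 to 100.0 range, computed for the three lab configurations under each group's weights. The group weights, the category scores and the averaging rule used to balance the two groups are assumptions constructed for the illustration; the paper does not publish its numbers or state how the balance is struck.

```python
"""Weighted scoring scheme from the Research Method section: four categories
scored 0..10, weights totalling 10.0, weighted score in 0.0..100.0. Added
illustration; all numbers below are constructed, not the study's data."""
from typing import Dict, List, Tuple

CATEGORIES = ("Accessibility", "Cost Control", "Performance Efficiency", "Risk Control")

# Assumed group weights (each totals 10.0): programmers stress accessibility,
# administrators stress risk control.
GROUP_WEIGHTS: Dict[str, Dict[str, float]] = {
    "programmers": {"Accessibility": 4.0, "Cost Control": 1.0,
                    "Performance Efficiency": 3.0, "Risk Control": 2.0},
    "administrators": {"Accessibility": 1.0, "Cost Control": 2.0,
                       "Performance Efficiency": 2.0, "Risk Control": 5.0},
}
# Assumed category scores, 0 (unacceptable) .. 10 (ideal), per alternative.
ALTERNATIVE_SCORES: Dict[str, Dict[str, float]] = {
    "Alternative 1 (Full Access)": {"Accessibility": 10, "Cost Control": 3,
                                    "Performance Efficiency": 8, "Risk Control": 2},
    "Alternative 2 (Segregating)": {"Accessibility": 6, "Cost Control": 7,
                                    "Performance Efficiency": 7, "Risk Control": 6},
    "Alternative 3 (Isolating)": {"Accessibility": 5, "Cost Control": 8,
                                  "Performance Efficiency": 7, "Risk Control": 9},
}

def weighted_score(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted total in 0.0..100.0; rejects inputs that break the scheme."""
    if set(scores) != set(CATEGORIES) or set(weights) != set(CATEGORIES):
        raise ValueError("scores and weights must cover exactly the four categories")
    if abs(sum(weights.values()) - 10.0) > 1e-9:
        raise ValueError("category weights must total 10.0")
    if any(not 0 <= scores[c] <= 10 for c in CATEGORIES):
        raise ValueError("each category score must lie in 0..10")
    return float(sum(scores[c] * weights[c] for c in CATEGORIES))

def rank_for_group(group: str) -> List[Tuple[str, float]]:
    """Alternatives ordered best-first under one group's weights."""
    w = GROUP_WEIGHTS[group]
    ranked = [(alt, weighted_score(s, w)) for alt, s in ALTERNATIVE_SCORES.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

def balanced_choice() -> Tuple[str, float]:
    """Assumed balancing rule (the paper does not state one): average each
    alternative's score over the groups so neither weighting decides alone."""
    totals: Dict[str, float] = {}
    for group in GROUP_WEIGHTS:
        for alt, score in rank_for_group(group):
            totals[alt] = totals.get(alt, 0.0) + score / len(GROUP_WEIGHTS)
    return max(totals.items(), key=lambda t: t[1])

if __name__ == "__main__":
    for group in GROUP_WEIGHTS:
        print(group, rank_for_group(group))
    print("balanced:", balanced_choice())
```

With these constructed inputs the programmers' top choice is Alternative 1 and the administrators' is Alternative 3, mirroring the preference split the paper reports, and the averaged score favours the isolated subset.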

 

ANALYSIS

The problem of resolving preferences is relatively easy in this situation. A balance should be found between the preferences of the programmers, who gave the highest rating to alternative 1 (“Full Access”), and the preferences of the administrators, who gave the highest rating to alternative 3 (“Isolated Subset”).

 

CONCLUSIONS AND FUTURE RESEARCH ISSUES

In any computing environment, the primary goal of system administrators is to allow convenient access to authorized users while denying access to unauthorized users and unauthorized uses of system resources. This requires a balance between the security concerns of system administrators and the access needs of system users. One purpose of this paper is to review security management techniques for an intranet system. Another purpose is to propose a method for evaluating system configurations. The method proposed allowed for a balancing of the concerns of system administrators and system users. The Research Methods section of this paper discussed a method and an experiment for evaluating various system configurations. The results of the experiment, which showed a preference for an “Isolated Subset” of system resources to implement high-risk applications, were limited to the type of configuration found at many universities. Further studies can and should be conducted to see if the same evaluation method can be used in other computing environments.

 







