What are Bugs and Backdoors?
Practically no computer software ever made is free of bugs. A bug may be some problem in the software that its author did not intend, or some limitation in the software that prevents it from doing the appropriate work. These are the loopholes or vulnerabilities in the program that make it less secure. Hackers who know about these loopholes can misuse them or use them for their own benefit, whereas some may disclose them to make everyone aware of them. One solution is to keep the software updated with the bug fixes that its developer normally provides, e.g. updated virus databases for an antivirus utility, service packs for operating systems, etc. One should apply them regularly in order to stay clear of new viruses or vulnerabilities. There are also people who post the known vulnerabilities in software to make everyone aware of them.
Another security vulnerability is due to backdoors (also called trapdoors). These are programs which, once stored on the target system, may allow easy access to hackers or give them enough information about the target to carry out attacks. Several backdoor programs are used by hackers; they act as automated tools that carry out the destructive jobs for them. Trojan horse programs may also fall into this category. To protect against backdoors, cleaner utilities are available (which work in a similar manner to antivirus utilities).
A backdoor is a feature of a program that can be used to make it act in some way that the person running it did not intend. A backdoor can be more or less "powerful", according to how much access to your client's features and/or account it gives to an intruder. In the worst case, a backdoor lets an intruder execute arbitrary commands on the machine your client or bot is running on, allowing full access to your account. This can in turn allow the intruder to compromise your whole system's security, by cracking passwords or otherwise. They can also make you send mail, post to Usenet, etc.
One of the ways the Internet Worm spread was by sending new code to the finger daemon. Naturally, the daemon was not expecting to receive such a thing, and there were no provisions in the protocol for receiving one. But the program did issue a gets call, which does not specify a maximum buffer length. The Worm filled the read buffer, and more, with its own code, and continued until it had overwritten the return address in gets's stack frame. When the subroutine finally returned, it branched into that buffer and executed the invader's code.
This buffer overrun is called stack smashing, and it is the most common way attackers subvert programs. It takes some care to craft the code, because the overwritten characters are machine code for the target host, but many people have done it. The history of computing and the literature are filled with designs to avoid or frustrate buffer overflows. It is not even possible in many computer languages. In addition, a number of C compilers and libraries use a variety of approaches to frustrate or detect stack-smashing attempts.
A bug is something in a program that does not meet its specification. Bugs are thus particularly hard to model because, by definition, one does not know which assumptions, if any, will fail.
The effect of a bug is not necessarily limited to ill
effects or abuses of the particular service involved. Rather, the entire system
can be penetrated because of one failed component. There is no perfect defense,
but there are steps one can take to shift the odds.
The administrator should check all input for correctness at every point. If the program has fixed-size buffers of any sort, it must be made sure that they cannot overflow. If dynamic memory allocation is used, prepare for memory or file-system exhaustion, and for recovery strategies, which may themselves need memory or disk space.
The next rule is least privilege. Network daemons should not be given any more power than they need. Very few need to run as the super-user, especially on firewall machines.
2.4 Authentication Failures
Authentication: Authentication is the method of
validating the identity of genuine or authorized users.
- Something that you know
  - The very first and foremost is your user-id and password.
  - The next can be your personal details, such as your date of birth, your mother's maiden name or your pet's name.
  - These are simple to use and require no special hardware; user-id and password continue to be the most popular method of authentication.
  - PINs (Personal Identification Numbers) at ATMs are very common. However, how would the machine verify it? We need to keep the data in the machine, and hackers too can locate that database!
- Something that you have
  - Image of a person's face, retina or iris
  - Fingerprints
  - Hand geometry
  - Digital signature
  - Footprint and walking style
- Something that you have
  - Pattern of blood vessels in the retina
  - Thumb impression
  - DNA pattern
  - Voice prints
  - Handwriting characteristics
  - Typing characteristics
There are various methods used for this purpose, but the most commonly used one is by way of login name and password. In order to keep your authentication method foolproof, some strict policies have to be adopted. But still, authentication failure is one of the ways in which intruders can penetrate systems.
Firstly, passwords have to be properly designed using all the available rules. If the password is stored in some user database in clear text, then an intruder can easily intercept it. Another example of authentication failure is a fake login program run on a terminal. Windows 2000 prevents this attack by requiring the combination of Ctrl-Alt-Del before the actual login, which terminates any fake login program being run there. One more form of authentication attack may come from remote login programs. Protocols like rlogin and telnet are vulnerable to this. If these are enabled on your host, intruders may keep retrying till they are lucky and get a chance to penetrate the system. Hence, it is normally advised to turn off remote login features for added security.
Most of the attacks that take place are the result of some authentication failure. But the term authentication failure, or authentication race, also refers to the tactic of beating a one-time password scheme that works with many security systems.
Usually a one-time password is a good technique for ensuring that the password, even if intercepted and understood, has no significance, since it is not going to be used again. But eavesdroppers can easily pick up a plain password on an unencrypted session, and they may take a shot at one-time passwords too.
For this, assume a password that contains only digits and is of known length. The attacker initiates ten connections to the desired service. Each connection is waiting for the same unknown password. The valid user connects and starts typing the correct password.
The attack program watches this, and relays the correct characters to its ten connections as they are typed. When only one digit remains to be entered, the program sends a different digit to each of its connections, before the valid user can type the last digit. Because the computer is faster, it wins the race, and one of the connections is validated. These authentication schemes often allow only a single login with each password, so the valid user will be rejected and will have to try again. Of course, in this case the attacker needs to know the length of the password.
2.5 Protocol Failures
Sometimes the protocols used in networks also have certain limitations or problems built into them, which prevent applications from doing the appropriate things. Since they work behind the applications, this may increase the vulnerability. An example of such a failure is the TCP protocol failure. TCP provides the circuits or paths for the IP datagrams, which may be sent across the network. Attackers inspecting the packets can get information about the source IP. Similarly, IP is a stateless and unreliable protocol; no guarantee of delivery of packets can be given for it. It is possible for attackers to send packets using any known or valid source address. This is called source address spoofing. Although the operating system controls this, it still cannot be relied on.
The classes of attacks discussed so far cover situations in which everything was working properly, but trustworthy authentication was not possible. Here, in protocol failures, we consider the reverse: areas where the protocols themselves are buggy and inadequate, thus denying the application the opportunity to do the right thing.
In the cryptography world, finding holes in protocols is a popular game. Sometimes the creators simply make mistakes. More often, the holes arise because of differing assumptions. Proving the correctness of cryptographic exchanges is a difficult business and is the subject of much active research.
Secure protocols must rest on a secure foundation. Consider ssh, which is a fine protocol for secure remote access. Ssh has a feature where a user can specify a trusted public key by storing it in a file called authorized_keys (a local file). Then, if the client knows the private key, the user can log in without having to type a password. In UNIX, this file typically resides in the .ssh directory in the user's home directory. Now consider the case in which someone uses ssh to log into a host: an attacker who can spoof the replies can inject a bogus authorized_keys file.
The authorized_keys file introduces another vulnerability. If a user gets a new account in a new environment, he typically copies all of the important files there from an existing account, including the .ssh directory, so that all of the .ssh keys are available from the new account. However, the user may not realize that copying the authorized_keys file means that this new account can be accessed by any key trusted to access the previous account.
2.6 Information Leakage
Many times, attackers rely on information leakage, which happens for various reasons and helps them get inside information about the victim. In the case of internal attacks, the information is either directly available to the attacker or is passed on from inside. This information may include internal IP addresses, network topology and structure, login names, passwords, host names etc. Sometimes protocols also give away information. Finger is the protocol which gives information about the users connected to live hosts. Attackers may also use social engineering skills, on the basis of the information given by these protocols, to get further vitally important information. It is also possible to use information given on websites, such as phone numbers, user names etc. Obviously the defense against any such kind of information leakage is to use good firewalls and keep them properly configured.
2.7 Exponential Attacks – Viruses and Worms
These types of attacks are normally made by hackers when they become desperate after trying several techniques without success. For exponential attacks, hackers may even use viruses or worms as their tools. Obviously the purpose here is not to gain information, but to destroy it. Viruses are malicious code attached to legitimate programs. Desperate hackers may send such viruses into the system in various ways to create havoc. Similarly, worms are snippets of code in different forms which spread across the network and create destruction. An example of a worm used by hackers is the infamous 'I love you' worm, which spread and created havoc through the Internet. One may be surprised to know that this worm was taken out of a project made by a 23-year-old student!
Sometimes attackers may also use 'Trojan horse' programs for exponential attacks. These look like and behave as if they are legitimate programs, but internally they work in the destructive ways for which they have been designed. In order to safeguard against viruses, worms or Trojan horse programs, users are advised to use scanners developed especially for this purpose. Antivirus utilities, if used and updated frequently, allow users to stay away from these kinds of attacks.
2.8 Denial-of-Service Attacks
The Denial of Service (DoS) attack has gained a lot of attention in the last few years. The basic purpose of a DoS attack is simply to flood or overwhelm a network so as to deny authentic users the services of the network. A DoS attack can be launched in many ways. The end result is the flooding of a network, or a change in the configuration of routers on the network.
The reason it is not easy to detect a DoS attack is that there is nothing apparent to suggest that a user launching a DoS attack is not actually a legitimate user of the system. This is because in a DoS attack the attacker simply goes on sending a flood of packets to the server/network being attacked. It is up to the server to detect that certain packets are from an attacker and not from a legitimate user, and to take appropriate action. This is not an easy task. Failing this, the server would fall short of resources (memory, network connections, etc.) and come to a grinding halt after a while.
A typical mechanism to launch a DoS attack is with the help of SYN requests. On the Internet, a client and a server communicate using the TCP/IP protocol. This involves the creation of a TCP connection between the client and the server before they can exchange any data. The sequence of these interactions is as follows:
1. The client sends a SYN request to the server. A SYN (abbreviation of synchronization) request indicates to the server that the client is requesting a TCP connection with it.
2. The server responds to the client with an acknowledgement, which is technically called a SYN ACK.
3. The client is then expected to acknowledge the server's SYN ACK. This is shown in the figure below:
[Figure: TCP three-way handshake between client and server: 1. SYN, 2. SYN ACK, 3. Acknowledge SYN ACK]
Only after all three steps above are completed is a TCP connection between a client and a server considered established. At this juncture, they can start exchanging the actual application data.
An attacker interested in launching a DoS attack on a server performs step 1. The server performs step 2. However, the attacker does not perform step 3. This means that the TCP connection is not complete. As a result, the server needs to keep the entry for the connection request from the client as incomplete, and must wait for a response (i.e. step 3) from the client.
The client (i.e. the attacker) is not at all interested in executing step 3. Instead, she simply keeps quiet. Now imagine that the client sends many such SYN requests to the same server, and does not perform step 3 in any of them. Clearly, a lot of incomplete SYN requests would be pending in the server's memory, and if there are too many, the server could come to a halt!
Distributed Denial-of-Service
Why use your own machine for such things when you can use hundreds of other people's machines?
1. The attacker takes control of a less secure network, say X.
2. Let us assume that there are 100 systems in X's network.
3. The attacker uses all these 100 systems to attack the actual target T.
4. Hence, instead of one attacker, there are 100 attackers.
5. The attacker uses ordinary users to install a zombie program on as many machines on the Internet as possible.
6. The attacker waits; when the time comes, it controls all the machines and makes all of them flood the target.
2.9 Botnets
The zombies used for DDoS attacks are just the tip of the iceberg. Many hackers have constructed botnets: groups of bots (robots, zombies, and so on) that they can use for a variety of nefarious purposes. The most obvious use, of course, is the DDoS attacks described earlier, but they also use them for distributed vulnerability scanning.
A botnet is usually an executable file made by someone to infect a computer and gain control over it. Packeting: your connection is used to send PING packets to an IP address at certain intervals, causing the receiving IP to stop responding. The attacker can use your machine to launch viruses on other networks without you realising it. (Note: PING stands for Packet Internet Groper.)
These days, home PCs are a desirable target for attackers. Most of these systems run Microsoft Windows and often are not properly patched or secured behind a firewall, leaving them vulnerable to attack. Especially machines with broadband connections that are always on are a valuable target for attackers. As broadband connections increase, so too do the number of potential victims of attacks.
Once these attackers have compromised a machine, they install a so-called IRC bot, also called a zombie. Internet Relay Chat (IRC) is a form of real-time communication over the Internet. It is mainly designed for group (one-to-many) communication in discussion forums called channels, but also allows one-to-one communication.
Crackers benefit from this situation
and use it for their own advantage. With automated techniques they scan
specific network ranges of the Internet searching for vulnerable systems with
known weaknesses.
A botnet is a network of compromised
machines that can be remotely controlled by an attacker. Due to their immense
size (tens of thousands of systems can be linked together), they pose a severe
threat to the community.
A botnet refers to a type of bot running
on an IRC network that has been created with a Trojan. When an infected
computer is on the Internet, the bot can then start up an IRC client and
connect to an IRC server. The bot joins a specific IRC channel on an IRC server
and waits there for further commands.
This allows an attacker to remotely
control this bot and use it for fun and also for profit.
Attackers even go a step further and bring different bots together. Such a structure, consisting of many compromised machines which can be managed from an IRC channel, is called a botnet. Botnets can consist of several tens of thousands of compromised machines, and due to their immense size they pose serious threats. Distributed denial-of-service (DDoS) attacks are one such threat.
Even a relatively small botnet with
only 1000 bots can cause a great deal of damage. These 1000 bots have a
combined bandwidth (1000 home PCs with an average upstream of 128 Kb/s can
offer more than 100 Mb/s) that is probably higher than the Internet connection
of most corporate systems.
Uses of Botnets:
The most common uses were criminally motivated (i.e. monetary) or for destructive purposes.
1. Distributed Denial-of-Service Attacks
2. Spamming (bulk email)
3. Sniffing Traffic
4. Spreading new malware
A botnet is nothing more than a tool; there are as many different motives for using them as there are people.
- Artificially incrementing a click counter (number of hits)
- Attacking IRC chat networks (clone attack): the victim is flooded
- Manipulating online polls/games
- Mass identity theft: bogus emails that pretend to be legitimate ask their intended victims to go online and submit their private information.
Multiple bots can join one channel, and the person who made them can now spam IRC chat rooms or launch huge numbers of denial-of-service attacks against the IRC servers, causing them to go down.
Good Botnets and Bad Botnets
A bot is common parlance on the
Internet for a software program that is a software agent. A bot interacts with
other network services intended for people as if it were a person.
One typical use of bots is to gather information.
The most common bots are those that
covertly install themselves on people's computers for malicious purposes, and
that have been described as remote attack tools. More generally they are web
software agents that interface with web pages. Web crawlers or spiders are web
robots that recursively gather web-page information, as does the bot used by
Google ("GoogleBot").
They may also be used to interact dynamically with a site in a particular way, as by exploiting or locating arbitrage opportunities for financial gain. An additional role of IRC bots may be to lurk in the background of a conversation channel, commenting on certain phrases uttered by the participants (based on pattern matching). This is sometimes used as a help service for new users, or even for mild censorship (e.g., profanity). These bots can often handle many tasks, including reporting weather, zip-code (pin code) information, sports scores, converting currency or other units, etc.
Others are used for entertainment, such as SmarterChild on AOL Instant Messenger and Jabberwacky on Yahoo! Messenger.
2.10 Active Attacks
In the cryptographic literature, there are two types of attacker: passive and active.
The first is a passive adversary, who can eavesdrop on all network communication, with the goal of learning as much confidential information as possible.
The other is an active intruder, who can
- modify messages at will,
- introduce packets into the message stream, or
- delete messages.
Many theoretical papers model a system
as a star network, with an attacker in the middle. Every message (packet) goes
to the attacker, who can log it, modify it, duplicate it, drop it, and so on.
The attacker can also manufacture messages and send them as though they are
coming from anyone else.
Passive attacks.
- Eavesdropping: the unauthorized capture of transmitted data, either by some form of line tapping or from the compromising emanations broadcast by the electrical signals in the line. Radio, optical and microwave signals can be similarly intercepted covertly.
- Traffic analysis: even if the message has been protected by enciphering, an analysis of the traffic down the line can, in many circumstances, reveal much to an outsider. The number, size, frequency and times of messages sent, their sources and their destinations can indicate, for example, an impending take-over bid, or the launch of a new product.
Active Attacks.
As the name suggests, the attacker takes active steps to interfere with the data being transmitted down a communication channel:
- Modification: the message contents can be deliberately changed.
- Re-routing: the message is diverted elsewhere than its intended destination. One ploy is to divert to a PC, gather the password, and then break the link with a 'line out of order – try again' instruction. After a while all the passwords can be collected from an entirely unsuspecting organization.
- Injection of false messages: a bogus message is sent.
- Re-play: the attacker causes the message to be repeated over again, perhaps many times. Since the original message was found by the recipient to be entirely acceptable, so too will be any replays of it.
- Deletion: the message is deleted, and thus never reaches its destination.
- Delay: the message is deliberately delayed.
- Masquerade: an attacker masquerades as an authorized user of the communication channel, and by this impersonation obtains use of the system as normally befits only an authorized user.
- Piggy-in-the-middle: the attacker cuts into the link between two communicating parties and conducts two conversations, one with each party, while convincing each that they are talking to the other.
- Between-lines penetration: made on a legitimate user's communication channel when the valid user is not using it, such as when he or she has remained logged on during the lunch break.
- Jamming: radio, optical and microwave links can be interfered with by signal jamming, the creation of a stronger signal to drown the intended transmission.
Practical side of attacks:
Application Level Attacks:
These attacks happen at the application level, in the sense that the attacker attempts to access, modify or prevent access to the information of a particular application, or to the application itself. Examples of this are trying to obtain someone's credit card information on the Internet, or changing the contents of a message to change the amount in a transaction, etc.
Network level attacks:
These attacks generally aim at reducing the capabilities of a network by a number of possible means. They generally make an attempt to either slow down, or completely bring to a halt, a computer network. Note that this can automatically lead to application level attacks, because once someone is able to gain access to a network, usually she is able to access or modify at least some sensitive information, causing havoc.
Cookies:
Cookies are born as a result of a specific characteristic of the Internet. The Internet uses the HTTP protocol, which is stateless.
Suppose that the client sends an HTTP request for a Web page to the server. The web server locates that page on its disk, sends it back to the client, and completely forgets about this interaction. If the client wants to continue this interaction, it must identify itself to the server in the next HTTP request. Otherwise, the server would not know that this same client had sent an HTTP request earlier. Since a typical application is likely to involve a number of interactions between the client and the server, there must be some mechanism for the client to identify itself to the server each time it sends an HTTP request. For this, cookies are used. They are a popular mechanism for maintaining state information, i.e. identifying a client to a server.
A cookie is just one or more pieces of information stored as text strings in a text file on the disk of the client computer, i.e. by the Web browser.
Specific Attacks:
On the Internet, computers exchange messages with each other in the form of small groups of data called packets. A packet, like a postal envelope, contains the actual data to be sent and the addressing information. Attackers target these packets as they travel from the source computer to the destination computer over the Internet.
These attacks take two main forms:
(a) Packet Sniffing (also called snooping)
(b) Packet Spoofing.
Since the protocol used in this communication is called the Internet Protocol (IP), other names for these two attacks are (a) IP sniffing and (b) IP spoofing. The meaning remains the same.
(a) Packet Sniffing:
Packet sniffing is a passive attack on an ongoing conversation. An attacker need not hijack a conversation, but can instead simply observe, i.e. sniff, packets as they pass by. Clearly, to prevent an attacker from sniffing packets, the information that is passing needs to be protected in some way. This can be done at two levels:
i. The data that is traveling can be encrypted.
ii. The transmission link itself can be encrypted.
(b) Packet Spoofing:
In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver, i.e. the party who receives the packets containing a false source address, would inadvertently send replies back to the forged address (called the spoofed address) and not to the attacker. This can lead to three possible cases:
i. The attacker can intercept the reply: if the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.
ii. The attacker need not see the reply: if the attacker's intention was a Denial of Service (DoS) attack, the attacker need not bother about the reply.
iii. The attacker does not want the reply: the attacker could simply be angry with the host, so it may put that host's address as the forged source address and send the packet to the destination. The attacker does not want a reply from the destination, as it wants the host with the forged address to receive it and get confused.
DNS Spoofing:
With DNS (Domain Name System), people can identify Websites with human readable names such as www.yahoo.com, and computers can continue to treat them as IP addresses such as 120.9.32.23. For this, a special server computer called a DNS server maintains the mappings between domain names and the corresponding IP addresses. The DNS server could be located anywhere. Usually, it is with the Internet Service Provider (ISP) of the users. With this background, the DNS spoofing attack works as follows:
1. Suppose that there is a user A whose site's domain name is www.A.com and whose IP address is 100.10.10.10. So, in all the DNS servers the entry is maintained as: www.A.com 100.10.10.10
2. The attacker B manages to hack and replace the IP address of A with his own, i.e. 100.20.20.20, in the DNS server maintained by the ISP of user C. Therefore, the DNS server maintained by the ISP of A has the following entry: www.A.com 100.20.20.20
3. When C wants to communicate with A's site, the Web browser queries the DNS server maintained by the ISP for A's IP address, providing it the domain name. C gets the replaced address (i.e. B's IP address), which is 100.20.20.20.
4. Now C starts communicating with B, believing that he is communicating with A.
A protocol called DNSSEC (Secure DNS) is being used to overcome such attacks.