CSS 211 - Introduction to Network Security

Lesson 2 - Protecting Systems

Objectives:

This lesson introduces the student to basic system protection against common attack types. Objectives important to this lesson:

  1. Hardening operating systems
  2. Preventing browser based attacks
  3. SQL injection
  4. Communications-based attacks
  5. Software security applications
Concepts:

Chapter 3 begins with an overview of how web pages can be rigged as attack vectors, and some observations about why data holding devices (servers and workstations) need protection as well as the network they are on.

Hardening the Operating System

The text lists the number of lines of code that are estimated to be in several different operating systems, including some historical versions of Windows. The point seems to be that patches and fixes are expected in larger programs. Because there is more to go wrong? Maybe, or maybe it is more likely that the pieces do not all fit together well because it is cobbled together out of lots of parts. I tried to find a definitive count for the number or lines of code in Windows 7, and only found disclaimer statements from Microsoft folks who said they can't possibly track that. Okay, so they don't pay programmers by the number of lines of code they write. It's more important to know how much RAM, how much hard drive space, and how great a processor I need to run it.

You are probably aware that Microsoft tends to release patches and such on particular Tuesdays, unless there is a pressing reason to do it sooner. The text offers a chart of definitions on page 82, explaining the difference between seven kinds of downloads you might be asked to apply to a program or an operating system. These phrases are presented in the text as though they were universally understood by all software publishers as meaning the same thing. This is not true in all cases. See the note on page 83, and take an aspirin or two as you read it over again. "Most vendors call a general security update a patch, but Microsoft calls it a security update." How's that again? Who's right and who's wrong?

  • critical update - typically corrects a failure in the program; usually not a security failure
  • feature pack - a collection of additions that are typically not critical: they are new features, not fixes for existing ones; usually not a security fix
  • update - a collection of fixes that correct problems; typically not security related, but Adobe seems to use this word to include security updates as well

  • patch (security patch) - a release that typically addresses a security issue
  • hotfix - a package with one or more fixes, often related to security issues, that may only apply in a custom environment
  • update rollup - a set of fixes that may include all of the above types
  • service pack - a package that contains all the above changes to the program that apply since its release, or since the last service pack

The text points out that the first three types in the list typically do not address security issues, but the last four types do. On page 83, the text turns the discussion to managing patches and other updates. The four options offered by Windows are presented as representative examples of your choices:

  • install automatically
  • download automatically, but let me choose what to install
  • check for update, notify me, but let me choose to download and install
  • never check

The first three include automatically checking for updates, or their functions would not take place. In the environment of my day job, we typically do not have devices check Microsoft for updates because of the degree of customization of applications and the possibility of patches breaking some functionality. We follow the model in the next topic instead, automated patch update service.

In environments where the users do not own their computers (e.g. large companies, government offices, schools) it is better to have central control over configuration and patches. The advantages listed in the book all apply:

  • a distributed network of servers can be used for patch distribution to workstations, making better use of bandwidth and access (see the illustration on page 85; the LANs are in different geographic locations)
  • computers that are not allowed to go to the Internet can get updates (for example, computers in state prisons)
  • administrators can test updates before general deployment, and request hotfix updates for a customized environment instead
  • administrators can choose not to deploy updates that do not apply to their configurations
  • hotfixes provided by the vendor can be deployed, which would not be available from the general update site of the vendor
  • users cannot refuse updates to "their" computers
Buffer Overflow Protection

When programs run on a well managed operating system, they run in memory address ranges (buffers) that are allocated for their use. Well behaved programs do not attempt to use memory outside their allocated buffers. When they do reach for addresses outside allocated ranges, this is a buffer overflow. This can be enough to stop a computer from running, depending on what is in the memory that is overwritten.

As the text explains, an attacker may overflow a buffer to change the value of a pointer stored in it. (A pointer is a variable that remembers a memory address.) How does that hurt or help? Well, the pointer that the attacker is changing holds the address of the process that is legitimately using that memory. Change the pointer to the address of the attacker's malware, and you have given the malware control of the memory that was overflowed, and access to the data stored in it. More importantly, you have given the malware the ability to overwrite the data with more program code. You should see how this might allow malware to take over what a legitimate program was doing, or to gain space to load more of itself.

Two defenses against overflow attacks in Windows systems are discussed: data execution prevention (DEP) and address space layout randomization (ASLR). The text notes that neither defense is a complete solution, and they should be run together, with other defense layers.

  • DEP - available in Vista and XP SP2, Linux, and Mac OS X; it sets an NX (No eXecute) bit for memory buffers to prevent execution of code in the buffer. If the malware tries to load code in the buffer, it would not be executable. This depends on the machine's processor supporting DEP (hardware based), or the operating system supporting it (software based), which is less effective. Also, an application would need to support DEP or it may crash. Note the illustration on page 87 showing a setting to turn DEP on for all programs and services except those in an exclusion list.

  • ASLR - The text lists this as a Vista feature, but follow the link to the left to see other operating systems that provide it. The idea is to place operating system code in randomly chosen memory buffers so the attacker has a low chance (1/256=0.39%) of finding a particular target. The result of the attack is more likely to be a crash. Several crashes will lead most users to ask for help, resulting in detection of the attack.
Configuring Operating System Protection

The text lists four approaches to protecting the operating system that are typically applied together in large organizations:

  • security policy - a formal statement of what users may and may not do, of what the security division will do to defend against attacks, and of what will be done in the event of an attack
  • configuration baseline - the basic configuration image for workstations (and another for servers); this includes the security settings and software for devices, the user accounts that will have access to programs and data, the methods and rules for IDs, passwords, and authentication to use resources
  • security template - this is essentially a list of settings and configurations that can be applied to machines automatically; this allows automation and standardization of the process of applying the same settings to all machines in a group, a location, or an organization; XP comes with default security template, but Windows Server 2008 and Vista do not
  • deployment - this is the method of applying the settings specified above to machines; as noted in the text, doing it one at a time is a poor practice that leads to errors and omissions unless it is only done for exceptions to the general rule; Group Policies in Active Directory services would be one method of doing this
Web Browser Attacks

The text describes cookies, which are not necessarily malicious themselves. The text defines a cookie as a file that a web site places on a user's computer, typically for the purpose of identifying the user on a return visit. A cookie could be called a first-party cookie if it is being used by the web site that wrote it on your machine. It is a third-party cookie if the same cookie is being accessed by any other web site (or entity).

The text points out that a separate entity might examine your cookies to tell where you have been on the Internet, what you have looked at or told other web sites, and make guesses about what advertising to show you. The text does not describe any kind of attack associated with cookies. It does mention that you could configure a browser to disable cookies, or to delete them when the browser is closed. The latter is a better option if your company uses processes that require cookies.

Computer languages are typically divided into script languages and compiled languages. The advantage to script languages is that they do not require special tools or software to use them, or to run them. Javascript is a script language designed to run in browsers. It was created by a developer working for Netscape, originally called Mocha, renamed Livescript, and eventually called Javascript. The scripts are saved as part of the HTML code of web pages, or as separate files. There is a security risk involved, in that the user is typically not asked whether the Javascript should run, and the user typically would not be aware that it is running. Some of the characteristics of Javascript are listed on page 90:

  • limitation: can't read, write, create, delete, or list the files on the computer running it
  • limitation: can't establish network connection to other computers
  • risk: can capture user information and send it to another location
  • risk: can send email that appears to be from the user

Javascript can be disabled in the browser settings.

Java is a compiled programming language. It can be used to make large programs (Java programs) or small ones (Java applets). Java applets are typically called and downloaded by web pages. The text describes a sandbox as a secure part of memory in which a Java applet could run, while being denied access to data it should not need.

Sandboxes are used for unsigned Java applets: applets whose origin has not been verified or are not from a trusted source. Signed applets carry "proof" that they are from trusted sources and are allowed to run without sandbox restrictions. The sandbox cannot keep the Java applet from doing things like the example on page 92. A Java applet is asking the user to provide a login ID and password. The only indication that this request is not coming from the operating system is the message at the bottom of the dialog box that says "Warning: Applet window". In the larger sense, this is not even a meaningful warning. What if the applet had a legitimate need to collect an ID and a password, for instance to allow access to a database? A user should be warned to beware any process that asks for things that should not be given out to everyone.

The text turns to ActiveX. This discussion should cause you to run screaming into the night. Microsoft introduced the concept as a way to execute reusable code, and to share information between applications. ActiveX controls (add-ons, applications) have access to the entire operating system, and can do anything the user is allowed to do, once they are installed on a computer. Like Java applets, they can be viewed as being from a trusted source, however, in the same way, the source may not be aware of what the control actually does. ActiveX can be disabled in the web browser, but its functionality is not limited to the web browser.

The next topic is Cross Site Scripting (XSS), which is a method of using Javascript or ActiveX to send information to an attacker. If a web site asks users to fill out a form, to enter text in a field, or to input information that will be displayed to other users when requested, the attacker can append a script to the text that is entered, which is intended to run on the dynamic web page that is displayed to the next user. A Facebook page, for example, would be an ideal place to put such a script so that it runs on the computer of each user who views the attacker's page.

The text explains that a better name for this technique would be Javascript injection, because the attacker is causing his script to be injected into the web page the victim sees. The text offers an example of another kind of vulnerable site: one that redisplays user input that generates an error, such as redisplaying a user's login ID and password that did not work.

The attack method described in the text seems to have little to do with the XSS concept, but it is interesting. The attacker sends an email to a user, collects login ID and password, and uses that information to crack the user's account on some system. The key to this attack seems to be the very unusual URL in the link sent to the user.

To defend against cross site scripting:

  • web masters should determine that their web pages validate input, do not echo bad input to the user, and do not allow input of code where it does not belong
  • web server administrators should make sure web services and database programs are up to date on patches
  • users should never click an embedded link in an email message?

The last point is laughable. Users should be taught to read the address that an embedded link goes to, and make proper decisions. They should also be taught to drink and drive responsibly. Since we can't manage either one, we must live with the fact that users will follow links to bad places.

Hardening Web Servers

The text turns to attacks on web servers, which are typically public facing devices, making them obvious targets for attacks. The first topic is SQL Injection. SQL is Structured Query Language, which is used to manipulate, manage, and report on database files. The CIS 331 class at Baker is about using this language as a database administrator. The link provided here goes to my class notes for that course. The text goes over a few examples of the syntax for some SQL commands. The general format for retrieving data is like this:

SELECT column list FROM data table WHERE conditional test ;

SELECT is followed by a list of columns, which may be any columns in the table being accessed, separated by commas. If you want all columns, you can use a wildcard character. In most versions of SQL, the wild card for "all" is the asterisk. FROM is followed by the name of the table to be read. WHERE is optional, and can be used to specify which rows to retrieve. If the WHERE clause is not used, all rows will be be retrieved.

A comprehensive discussion of SQL is beyond the scope of this class.

Some of the dangers of allowing an attacker to run SQL commands on the system are access to data, loss of data, and loss of data integrity. SQL can also make calls to the operating system of the host computer.

Four defenses against SQL injection are listed:

  • validate input, rejecting SQL commands and scripts
  • provide drop down lists of choices for users (prepared statements) instead of allowing free form entry
  • do not assign more privileges than the users need
  • do not ask users for SQL commands (yes, some systems have allowed users to do this)
Communications-based Attacks

The text starts by telling us that email systems use two protocols, then comes back with a third possibility.

  • SMTP protocol uses port 25 on a TCP/IP stack, and is used for mail being sent to servers. This includes traffic from the user to a server, and from server to server.
  • POP3 protocol uses port 110 to retrieve mail from a server. It pulls the mail to your local device.
  • IMAP4 protocol is like POP3 in that it is used for mail retrieval, but different in that it uses port 143, and it leaves the mail in your server mailbox for access from other devices.
  • Secure versions of these protocols use other ports.

SMTP servers are meant to transfer messages from one domain to another in a relay system. An open relay system is one that an attacker can use to send whatever they want, and look like whoever they want. The text proposes defenses against this that would make the system unusable:

  • turn off relay, so your email is limited to an internal system only
  • limit relays to local users, which would also severely limit the use of email

Both of these defenses would be unacceptable to most organizations.

The text continues with a discussion of Instant Messaging (IM). IM provides live chat lines between two or more users. Recent products support voice, video, and file transfer. The text explains that IM uses a server to provide connection information to users. A user starts an IM client, which tells the server the user's IP address. The server is used to provide an IP address for every person the user is allowed to contact, but when the user initiates contact with a message, it goes directly to the other user's IP address. (A newer term that means spam sent through instant messaging is spim. This term is not used in this chapter.)

Defenses against IM attacks are based on providing protections that the service does not include:

  • using an IM server to prevent the users' addresses from being sent on the Internet
  • restricting connection to known/trusted users
  • enabling an antivirus feature
  • blocking file transfers
  • adding encryption

Peer to Peer (P2P) Networks use direct IP connections between nodes. All hosts on a P2P network can request and provide services; there are no dedicated servers. This type of network is often set up for a temporary purpose, but environments that use the client-server model typically forbid their use due to the same problems inherent in IM. The text discusses BitTorrent networks, based on a protocol established in 2001. Files are shared across multiple peers on their way to a requester, which enables each receiver of a piece of a file to send a copy on to any other peer. A feature the text notes about BitTorrent networks is that files are advertised as being available: users do not have to search for them.

The text states that BitTorrent cannot be used to distribute malware, but this appears to be a misperception on the part of the author. See the discussion in the article on Wikipedia behind the link above. The author should know better than to make a statement that something cannot contain a virus.

Software Security Applications

Since some of the problems discussed in this chapter did not have satisfactory solutions, the idea of installing software to reach a solution should be welcome at this point. Several types of dedicated software solutions are discussed.

Antivirus

A number of applications are available that protect against viruses and more. The text discusses the scanning and monitoring features that are common. The text presents an aspect of these programs as a disadvantage: they must be continuously updated with new virus definition files (signature files) that enable the product to recognize and deal with viruses. I do not see this as a disadvantage as much as a feature. New viruses are created all the time. You should expect that you have to update your protection to make sure you are protected against all currently known threats.

"The price of liberty is eternal vigilence." (attributed to Thomas Jefferson, repeated and reworded by many)

Popup Blockers

Popups are defined as small web browser windows that are spawned from web pages or other processes. Popups are typically spawned to hold ads, but they can be made for additional information, input forms, or other purposes. A popup blocker can be a feature of a browser, of an antivirus product, or a free standing application.

Anti-Spam

Spam is associated with email. It should not be a surprise that an anti-spam product can be installed on your outgoing queue (your SMTP server), or your incoming queue (your POP3 or IMAP4 server). Why not both? I can't think of a reason, but the book does not discuss it.

The text also discusses contracting a third party to filter your spam, instead of applying the filter to your own system.

Some email clients can be configured to block spam, but they may have to have particular settings turned on to do so. My copy of Outlook, for example, will not let me set a rule for Junk Mail (spam) unless I change from live mode to cached mode. The Junk Mail option would allow me to block a sender, block a sender's domain, or classify a sender as safe. These are the same settings listed for the third party option above.

The last option described in the text is to install separate filtering software that works with your email client.

Personal Software Firewalls

The text spends two paragraphs on firewalls (also called packet filters). This software may be part of the operating system, part of an antivirus solution, or a standalone product. We will see more on this subject later in the text.

Host Intrusion Detection Systems

The last topic in the chapter concerns systems to detect intrusions, which may be part of a security software solution. The text talks about them falling into four groups, but these might be thought of as four security approaches that the software could take:

  • file system monitor - watches for changes to files
  • logfile analyzer - watches for trouble patterns in system logs
  • connection analyzer - watches attempts to connect to this system, and attempts to connect to other systems from this one
  • Kernal analyzer - the Kernal is the core of the operating system; this system watches for attempts to attack the Kernal

HID systems need a baseline of behavior in order to detect a change from the normal activity in a system. The text will revisit this concept later.