COMPUTER AND NETWORK
SYSTEM ADMINISTRATION
Summer 1996 - Lesson 27
Intruders
A. Introduction
> viruses and intruders are the most publicized types
of threats to security
> attacks range from the benign to the serious
> some intruders are curious and are simply exploring
the extent of their skills
> others are performing industrial and military espionage
> in spite of a nationwide crackdown on network hackers
in 1990, with new laws and convictions, the problem is
worse than ever
1. Extent of threat
- Bell labs reports (circa 1993):
attempts to copy passwd file (> once every other day)
suspicious RPC calls (> once per week)
attempts to connect to nonexistent 'bait' machines
(> every two weeks)
2. More malevolent attacks
- increased threat of malevolent attacks from less
skilled users
- this is due to increased international competition
- hackers clubs are known to sell their services
- hackers communicate and exchange intrusion techniques,
list of passwords, etc.
- hackers have access to CERT advisories and make use
of them
B. Classes of intruders
1. masquerader - an unauthorized user who gains access to
legitimate user's account
2. misfeasor - a legitimate user who gains access to
unauthorized resources, or who misuses authorized
resources
3. clandestine user - an individual who seizes supervisory
control of a system and uses this control to evade
auditing and access controls
C. Prevention
1. password protection
- the problem is that the defender must attempt to thwart
all possible attacks
- the attacker need only find one weak link
- Typical UNIX password mechanism
+ each user selects a password of up to 8 usable
characters in length
+ this is converted into a 56-bit value (7-bit ASCII)
+ the encryption routine, crypt(3), is based on DES
+ the crypt() routine uses a 12-bit 'salt' value
+ salt (12 bits) ------> |       |
password (56 bits) ---> | crypt | ---> salt + encrypted passwd
(76 bits = 12-bit salt + 64-bit result)
+ to validate user the salt and password are
passed through crypt() and compared to the
last 64 bits of the encrypted passwd
+ the salt ensures that two identical passwords
will appear differently in /etc/passwd
+ the salt effectively extends the passwd by two
characters in length (extends search space by
a factor of 4096)
> how? without a salt an attacker could encrypt each
word in a dictionary (such as JoeBob) once and keep the
results in a list to match against stolen entries
> with a 12-bit salt the attacker must store 4096
entries per word (JoeBob under salt 00, 01, ...), and
4096 * 95^8 entries to cover the full search space
+ the salt also perturbs the DES expansion permutation, so
an off-the-shelf hardware implementation of DES cannot
be used to speed up crypt()
- how fast can one crack?
+ a 1024 node CM can perform 6.4 million encryptions
per second
+ what is the search space of a well chosen password?
> 95^8 if passwords use all 8 characters, drawn from the
95 printable ASCII characters
> this is ~7 * 10^15 encryptions; at 6.4 million per
second the full space takes ~10^9 seconds (about 33
years), so about 16 years of CM time on average to
crack a single password
+ or can build up a list and match against the list
> unfortunately, the complete list for 95^8 plus salt
is prohibitively large
- BUT! passwords are not well chosen
+ one study gathered 14,000 passwords from various
machines
+ built a search list of 6 million words
+ the 1K CM can test the list against 6M possibilities
in less than an hour
+ what do you think the success rate was?
> 25% - and you only need to get one!
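The salted scheme and the dictionary attack described above, written out as an added example (not code from the lecture). It assumes SHA-256 as a stand-in for the DES-based crypt(3), keeps the 12-bit two-character salt and the 8-character limit so the cost arithmetic matches, and uses constructed accounts, passwords and a constructed word list:

```python
"""Salted password hashing and a dictionary attack, modelled on the crypt(3)
scheme outlined above.  Added example; not from the lecture notes.

Assumptions: SHA-256 stands in for the DES-based crypt(3); the salt is still
two characters from crypt's 64-symbol alphabet (12 bits) and only the first
8 characters of the password count, so the cost arithmetic matches the
lecture.  Every account, password and dictionary word is constructed."""
import hashlib
import secrets

SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_BITS = 12            # 64 * 64 = 4096 possible two-character salts


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3): returns salt + 64-bit hash, salt kept in the clear."""
    digest = hashlib.sha256((salt + password[:8]).encode()).hexdigest()
    return salt + digest[:16]          # 16 hex digits = 64 bits, like crypt's output


def new_salt() -> str:
    """Random salt for a newly set password."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def check_password(candidate: str, stored: str) -> bool:
    """Validation as in the lecture: re-run crypt with the stored salt and compare."""
    return crypt_like(candidate, stored[:2]) == stored


def build_passwd() -> dict:
    """Constructed /etc/passwd-style entries with fixed salts so results repeat."""
    return {
        "alice": crypt_like("JoeBob", "aZ"),     # weak: a dictionary word
        "carol": crypt_like("JoeBob", "Qb"),     # same password, different salt
        "bob":   crypt_like("xK7#pq2L", "x9"),   # not in any word list
    }


def dictionary_attack(passwd: dict, wordlist: list) -> tuple:
    """Try every word under every salt that actually appears in the file.
    Returns (cracked {user: password}, number of hash computations)."""
    by_salt = {}
    for user, stored in passwd.items():
        by_salt.setdefault(stored[:2], []).append((user, stored))
    cracked, work = {}, 0
    for salt, entries in by_salt.items():
        for word in wordlist:
            h = crypt_like(word, salt)
            work += 1
            for user, stored in entries:
                if h == stored:
                    cracked[user] = word
    return cracked, work


def precomputed_table_size(n_words: int, salt_bits: int = SALT_BITS) -> int:
    """Entries a precomputed table must hold to cover n_words under every salt."""
    return n_words * (1 << salt_bits)


def full_search_years(charset: int = 95, length: int = 8, rate: float = 6.4e6) -> float:
    """Years to hash every password of the given alphabet and length at rate/s."""
    return charset ** length / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    passwd = build_passwd()
    words = ["password", "JoeBob", "letmein", "secret", "qwerty"]
    print("same password, different salts:", passwd["alice"], passwd["carol"])
    print("cracked:", dictionary_attack(passwd, words))
    print("table size for", len(words), "words:", precomputed_table_size(len(words)))
    print("full 95^8 search: %.1f years" % full_search_years())
```

Note that the attacker's work grows with the number of distinct salts in the file, not with the number of accounts: three users with three salts cost three passes over the word list, while an unsalted file would need one.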
- what about access control?
+ shadow passwords
+ it only takes a few seconds of root level access
to get the shadow passwd file
+ bad NFS implementation might get you the passwd file
+ users tend to use the same password in multiple
domains
> crack it in one place and use it on the shadow
passwd domain
- proactive passwd checker
+ allow the user to choose a password
+ validate the password immediately
+ check for simple things - length, upper, lower,
digit, punctuation
+ then, run against an 8Mbyte dictionary or a hash
table of the dictionary
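A proactive checker of the kind just described, as an added example (not the lecture's or any particular package's code). The dictionary is a small constructed stand-in for the 8 Mbyte word list, held in a set so each lookup is a hash table probe; the substitution table and the rule of judging only the first 8 characters (the part crypt(3) actually uses) are this example's choices:

```python
"""Proactive password checker along the lines described above.  Added
example; not from the lecture.  The word list is a small constructed
stand-in for the 8 Mbyte dictionary, held in a set (a hash table) so each
lookup is O(1).  Because crypt(3) only uses the first 8 characters, the
checker judges those 8, not the whole string the user typed."""
import string

# constructed stand-in for a real dictionary
DICTIONARY = {"password", "joebob", "secret", "letmein", "qwerty", "welcome"}

# common substitutions users make to dodge a naive dictionary check
LEET = str.maketrans("@0134$!", "aoleasi")
JUNK = string.digits + string.punctuation


def variants(password: str) -> set:
    """Forms of the password's first 8 characters that a cracker would try."""
    base = password[:8].lower()
    forms = {base, base.translate(LEET)}
    forms |= {f.strip(JUNK) for f in list(forms)}      # "secret1", "!secret"
    forms |= {f[::-1] for f in list(forms)}            # reversed words
    return {f for f in forms if f}


def check_password_policy(password: str, dictionary: set = DICTIONARY,
                          min_len: int = 8, min_classes: int = 3) -> list:
    """Return a list of reasons to reject; an empty list means acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    if sum(classes) < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    hit = next((v for v in variants(password) if v in dictionary), None)
    if hit is not None:
        problems.append("based on dictionary word '%s'" % hit)
    return problems


if __name__ == "__main__":
    for pw in ["JoeBob", "P@ssw0rd!2024", "drowssap1", "xK7#pq2L"]:
        print(pw, "->", check_password_policy(pw) or "ok")
```

The long password "P@ssw0rd!2024" is rejected even though it passes the length and class checks: its first 8 characters reduce to "password", and that is all crypt(3) would ever see.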
2. authentication schemes
- Kerberos (MIT)
- AFS built on Kerberos, provides encrypted authentication
services
- the initial reply from the authentication server is
encrypted under a key derived from the user's password,
so a hacker who can listen to the network can subject it
to the usual offline password cracking techniques
- Biggest problem is not all UNIXes, much less all other
types of non-UNIX Internet hosts, come pre-packaged to
run Kerberos, etc.
D. Detection
1. motivation
- if intrusion prevention fails (and it will) then
you want the ability to detect an intruder
- the more quickly an intruder can be detected the
less damage will have been done
- intrusion detection may act as a deterrent
- some intrusion detection techniques collect more audit
information - this can be useful for studying hacker's
techniques
2. statistical anomaly detection
- this method involves collecting data about the behavior
of legitimate users over a period of time
- statistical tests are applied to new behavior to determine
whether or not the new behavior is legitimate
- look for deviations from the historical profile
- native audit records: use the existing operating system
logs (wtmp, pacct)
- detection-specific audit records: collect special
audit information
- the statistical approach works best against masqueraders
- a user who masquerades as another has little information
about the historical profile of the user whose account they
are using
- the intruder's profile and the historical profile overlap
- this leads to false negatives and false positives
- false negatives (intrusions that go unnoticed) are devastating
- false positives are a burden to the sys admin, who must check
each one out
- examples of profile elements used in IDES developed at SRI:
+ login frequency by day of week and time of day
+ login frequency by location
+ time since last login
+ elapsed time per session
+ resource utilization (processor, memory, and I/O)
+ amount of output to remote locations
+ password failures
+ execution frequency of various commands
+ frequency of setuid root programs executed
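A small statistical profiler over login records, using some of the profile elements above (time of day, location, session length), as an added example; it is not from the lecture or from IDES. The audit records are constructed, and the scoring rule (Laplace-smoothed "surprise" in bits for the categorical features plus a z-score for session length, against a threshold of 8) is this example's choice, not the statistics IDES actually used:

```python
"""Statistical anomaly detection over login records, in the spirit of the
IDES profile elements listed above.  Added example; not from the lecture or
the IDES code.  The audit records are constructed, and the scoring rule
(Laplace-smoothed 'surprise' in bits for categorical features plus a z-score
for session length) is this example's choice, not IDES's actual statistics."""
import math
import statistics
from collections import Counter


def build_profile(records: list) -> dict:
    """Historical profile for one user from (weekday, hour, location, minutes) tuples."""
    return {
        "n": len(records),
        "hours": Counter(r[1] for r in records),
        "locations": Counter(r[2] for r in records),
        "mean": statistics.mean(r[3] for r in records),
        "sd": statistics.stdev(r[3] for r in records),
    }


def surprise(count: int, total: int, categories: int) -> float:
    """-log2 of the smoothed probability; rare events score high, unseen ones highest."""
    p = (count + 1) / (total + categories)
    return -math.log2(p)


def score_login(profile: dict, hour: int, location: str, minutes: float) -> float:
    """Deviation of one new session from the profile; larger means less like the user."""
    s = surprise(profile["hours"][hour], profile["n"], 24)
    s += surprise(profile["locations"][location], profile["n"],
                  len(profile["locations"]) + 1)      # +1 leaves room for a new place
    s += abs(minutes - profile["mean"]) / profile["sd"]
    return s


def is_anomalous(score: float, threshold: float = 8.0) -> bool:
    """Threshold chosen for this example; raising it trades false positives for false negatives."""
    return score >= threshold


def sample_history() -> list:
    """Constructed: 40 weekday logins, 08:00-17:00, from the office or lab, ~2 hours each."""
    return [(i % 5, 8 + i % 10, "lab" if i % 4 == 0 else "office", 90 + (i % 7) * 10)
            for i in range(40)]


if __name__ == "__main__":
    profile = build_profile(sample_history())
    for hour, loc, mins in [(10, "office", 110), (3, "dialup", 600)]:
        s = score_login(profile, hour, loc, mins)
        print("%02d:00 from %-6s %4d min -> %5.1f %s"
              % (hour, loc, mins, s, "ANOMALY" if is_anomalous(s) else "ok"))
```

A 03:00 dial-up login with a ten-hour session scores far above the threshold because every one of its features is unlike the recorded history, which is exactly the masquerader case the notes describe; a mid-morning office login scores low.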
3. rule-based intrusion detection
- this method attempts to define a set of rules that indicate
intruder behavior
- anomaly detection: create rules that detect deviation from
previous behavior
> analyze previous behavior and attempt to automatically
generate rules that describe behavior
> may require up to 10^6 rules !!
- penetration detection:
+ write rules that are specific to machine, OS, and recent
intrusion tactics
+ rules are written by experts rather than generated by algorithms
+ this method is more effective against misfeasors
+ for each rule that is fired a suspicion rating is increased
+ when the suspicion rating crosses a threshold then an anomaly
is reported
- example of penetration detection rules used by IDES package:
+ reads a file in another user's directory
+ write to another user's file
+ a user opens a disk device
+ a user is logged in more than once
+ a user makes a copy of a system program
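The five rules above with a suspicion rating and a threshold, as an added example (not from the lecture or from IDES). The audit trail, the rule weights and the threshold are constructed for the demonstration, and what each rule matches on (path prefixes, file ownership, an active-session count) is this example's simplification:

```python
"""Rule-based penetration detection with a suspicion rating, using the five
example rules listed above.  Added example; not from the lecture or IDES.
The audit records, rule weights and threshold are all constructed for the
demonstration; what each rule matches on (path prefixes, ownership) is this
example's simplification."""
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/etc/")


def home_owner(path: str):
    """Owner of a /home/<user>/... path, or None for anything else."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None


def rules(rec: dict, sessions: dict) -> list:
    """Return the (name, weight) of every rule the record fires."""
    fired = []
    user, op, path = rec["user"], rec["op"], rec.get("path", "")
    if op == "read" and home_owner(path) not in (None, user):
        fired.append(("read file in another user's directory", 2))
    if op == "write" and rec.get("owner") != user:
        fired.append(("write to another user's file", 4))
    if op == "open" and path.startswith("/dev/"):
        fired.append(("opened a disk device", 5))
    if op == "login" and sessions[user] > 1:
        fired.append(("logged in more than once", 2))
    if op == "copy" and rec.get("src", "").startswith(SYSTEM_DIRS):
        fired.append(("copied a system program", 3))
    return fired


def analyze(audit: list, threshold: int = 8) -> tuple:
    """Run the rules over an audit trail; returns ({user: rating}, [alerts]).
    An alert is raised once, when a user's rating first crosses the threshold."""
    rating, sessions, alerts, reported = {}, {}, [], set()
    for rec in audit:
        u = rec["user"]
        if rec["op"] == "login":
            sessions[u] = sessions.get(u, 0) + 1
        elif rec["op"] == "logout":
            sessions[u] = max(0, sessions.get(u, 0) - 1)
        fired = rules(rec, sessions)
        rating[u] = rating.get(u, 0) + sum(w for _, w in fired)
        if rating[u] >= threshold and u not in reported:
            reported.add(u)
            alerts.append((u, rating[u], [n for n, _ in fired]))
    return rating, alerts


SAMPLE_AUDIT = [   # constructed audit trail
    {"user": "alice", "op": "login"},
    {"user": "alice", "op": "read", "path": "/home/alice/notes"},
    {"user": "mallory", "op": "login"},
    {"user": "mallory", "op": "read", "path": "/home/alice/secret"},
    {"user": "mallory", "op": "write", "path": "/home/bob/.rhosts", "owner": "bob"},
    {"user": "mallory", "op": "login"},
    {"user": "mallory", "op": "copy", "src": "/bin/sh", "path": "/tmp/.sh"},
    {"user": "mallory", "op": "open", "path": "/dev/rdsk/c0t0d0s0"},
    {"user": "alice", "op": "logout"},
]

if __name__ == "__main__":
    ratings, alerts = analyze(SAMPLE_AUDIT)
    print("ratings:", ratings)
    for user, score, why in alerts:
        print("ALERT %s rating %d, last rule(s): %s" % (user, score, why))
```

No single record in the trail is damning on its own (reading a file in another user's directory may be legitimate), which is why the rating accumulates across records and only the crossing of the threshold is reported.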
4. distributed intrusion detection
- until recently intrusion detection algorithms worked
on a single host
- the Network Security Monitor (NSM) from UC Davis is
an example; DIDS is another (Distributed Intrusion Detection System)
- runs a daemon on each monitored system
- the daemons send interesting audit records to a central
host
- the central host does the intrusion processing
- can be expanded to WAN
- the local daemons can convert records to a system-wide
standard format, so NSM can be used for a heterogeneous group
of architectures
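The arrangement sketched above, as an added example (not from the lecture, NSM or DIDS): a per-host daemon turns its native log lines into one common record format, and the central host applies a rule that no single host could apply on its own. The two native log formats, the hostnames and the cross-host rule (the same account logging in on two hosts from two different sources within a minute) are all constructed for the demonstration:

```python
"""Distributed monitoring as sketched above: a per-host daemon normalizes
native records into one common format, and the central host applies a rule
that no single host could.  Added example; not from the lecture, NSM or DIDS.
The two 'native' formats, the hostnames and the cross-host rule (the same
account active on two hosts from two different source addresses inside the
same minute) are all constructed."""
import re
from collections import defaultdict

# Common record every daemon emits: (host, user, source, minute_of_day, event)
BSD_LINE = re.compile(r"^(\w+)\s+ttyp\d+\s+(\S+)\s+\w{3} \w{3} +\d+ (\d\d):(\d\d)")
SYSLOG_LINE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):\d\d \S+ login\[\d+\]: "
                         r"(LOGIN|LOGOUT) (\w+) from (\S+)")


def bsd_daemon(host: str, lines: list) -> list:
    """Daemon for a host whose native log is loosely modelled on last(1) output."""
    out = []
    for line in lines:
        m = BSD_LINE.match(line)
        if m:
            user, src, hh, mm = m.groups()
            out.append((host, user, src, int(hh) * 60 + int(mm), "login"))
    return out


def syslog_daemon(host: str, lines: list) -> list:
    """Daemon for a host that logs logins through syslog (constructed format)."""
    out = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if m:
            hh, mm, kind, user, src = m.groups()
            out.append((host, user, src, int(hh) * 60 + int(mm), kind.lower()))
    return out


def central_host(records: list) -> list:
    """Cross-host rule: same user logging in on two hosts from two sources within 1 min."""
    seen = defaultdict(list)           # user -> [(host, source, minute)]
    alerts = []
    for host, user, src, minute, event in sorted(records, key=lambda r: r[3]):
        if event != "login":
            continue
        for h2, s2, m2 in seen[user]:
            if h2 != host and s2 != src and abs(minute - m2) <= 1:
                alerts.append((user, (h2, s2), (host, src)))
        seen[user].append((host, src, minute))
    return alerts


# constructed native logs from two hosts
HOST_A_LOG = [
    "alice    ttyp1    lab-pc.example   Mon Jun 10 09:02",
    "bob      ttyp2    dialup7.example  Mon Jun 10 09:03",
]
HOST_B_LOG = [
    "Jun 10 09:02:40 hostb login[212]: LOGIN alice from 10.1.1.7",
    "Jun 10 09:40:01 hostb login[212]: LOGOUT alice from 10.1.1.7",
    "Jun 10 09:05:10 hostb login[219]: LOGIN bob from dialup7.example",
]

if __name__ == "__main__":
    records = bsd_daemon("hosta", HOST_A_LOG) + syslog_daemon("hostb", HOST_B_LOG)
    for r in records:
        print("common record:", r)
    print("alerts:", central_host(records))
```

Each host sees only an ordinary login; only the central host, holding both normalized streams, can notice that "alice" is on two machines from two different places at once while "bob" simply moved from one host to the next from the same dial-up line.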