Information Security: The Big Picture – Part IV

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:31

Thêm vào BST

Báo xấu

137
lượt xem 8
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

You hear a lot of talk about firewalls in relation to network security. The name “firewall” comes from the building industry and it denotes a wall constructed to stop (or at least slow) the spread of fire from one space to another. In network security, a firewall serves the same purpose. But instead of being built from bricks or steel it is built with computers and routers. But the concept is still the same. A network firewall is designed to protect what’s “inside” the firewall from what may be “outside.” Most often, you will hear firewalls used in reference to Internet protection, and most...

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Information Security: The Big Picture – Part IV

Information Security: The Big Picture – Part IV Stephen Fried Information Security: The Big Picture - SANS GIAC © 2000 1 1
Agenda • General Security Introduction • Telecommunications Fundamentals • Network Fundamentals • Network Security • World Wide Web Security • Information Secrecy & Privacy • Identification and Access Control • Programmatic Security • Conclusion Information Security: The Big Picture - SANS GIAC © 2000 2 Next up is Network Security. This section will take our discussion of network protocols and configuration one step further. In this section we will learn about network configuration, network attacks, and various other network security topics. 2
Firewalls • Firewalls protect “inside” from “outside” • Can be a single machine or a series of machines • Allow for filtering and inspection of packets • Basic Types – Application Gateways – Packet Filters – Stateful Inspectors Information Security: The Big Picture - SANS GIAC © 2000 3 You hear a lot of talk about firewalls in relation to network security. The name “firewall” comes from the building industry and it denotes a wall constructed to stop (or at least slow) the spread of fire from one space to another. In network security, a firewall serves the same purpose. But instead of being built from bricks or steel it is built with computers and routers. But the concept is still the same. A network firewall is designed to protect what’s “inside” the firewall from what may be “outside.” Most often, you will hear firewalls used in reference to Internet protection, and most companies that are on the Internet today use a firewall to protect their corporate networks from the evils of the Big Bad Internet. A firewall can be as simple as a single box. In some cases you can even use a network router to handle basic firewall protection. More often, a firewall is a dedicated computer running specialized software that can track and analyze the traffic passing into and out of the network and act quickly to prevent “dangerous” connections. However, in some instances the “firewall” is actually a system of several computers combined with specially programmed network equipment to offer more robust protection against a wide variety of attacks. The firewall will be preprogrammed with a series of rules specifying the types of traffic that it will allow and the types of traffic it will not allow. The firewall operates by looking at each packet that passes through it. It may examine the source and destination address, the application that sent the packet, or even the packet’s relationship to other similar packets. It then matches the packet against that list of rules. If the packet is “permitted” based on the rule set, the firewall allows it to pass through. If the packet is “denied” because of a rule violation, the firewall will block it before it passes through to the inside network. There are three basic types of firewalls: • Application gateways use a specialized program for each type of application or service that needs to pass through the firewall. Thus, there may be a program for web traffic, a program for file transfer programs, and a program for terminal sessions. The benefit of an application gateway is that it can do a detailed analysis of the packets and can be customized to the particular needs of the organization using the firewall. The disadvantage is that a customized program must be written for each application that uses the firewall. Application gateways are also slower than other types of firewalls and may not stand up to the performance needs of a large network. • Packet filters simply look at each packet’s source, destination, and application name and make a determination based on the programmed rule set. The advantage to packet filters is that they can work very quickly, a plus on large, fast networks. The disadvantage is that their ability to analyze the packet in greater detail is limited. • Stateful Inspection firewalls do a more detailed analysis than packet filters. They look at the packet’s relationship to other packets that have passed through and can also look at traffic over time. This allows for a more sophisticated analysis of the traffic and makes for a better firewall. 3
Demilitarized Zones (DMZs) • Used in many e-business situations • Create a “semi-trusted” zone on the network • Protect DMZ systems from the Internet • Protect internal systems from the DMZ Internet DMZ Internal Network Information Security: The Big Picture - SANS GIAC © 2000 4 We have seen that firewalls can be used to protect internal organizational resources form the perils of the Big Bad Internet. But firewalls can also be used in many different configurations for different applications. For example, many organizations are rushing to put e-commerce systems on the Internet. However, this presents a double problem for the organization. First, there is the problem of protecting your systems from the Internet – a problem we have already covered (and will cover more later on). The second problem is the one of protecting the systems on your internal network from the Internet commerce systems. This may sound kind of strange. After all, if the commerce systems are yours, why do you need protection against them? Well, look back at your Defense in Depth strategy. You need to present multiple layers to attackers in order to better protect your internal systems. So, in the event your Internet systems get successfully attacked, you need something standing between them and your internal network. One answer is the use of a concept called the Demilitarized Zone, or DMZ. The concept of a Demilitarized Zone comes from the military. It refers to an area of land between two warring armies that belongs to neither side and in which neither army can launch an attack. In the network security field, a DMZ refers to a small network that sits between the Internet and your real internal network. In this zone sits your e-commerce systems. On one side of the DMZ is a firewall that protects the DMZ from the Internet. On the other side of the DMZ is a firewall that protects the internal network from the DMZ. (Editor’s note: in some cases, the term DMZ is used to referred to servers placed outside your firewall which have no protection from the Internet. In these cases, the term screened subnet is used to refer to a protected area that sits between an external firewall (protecting the screened subnet from the Internet) and an internal firewall (protecting your internal network from the screened subnet). – JEK) Why the two firewalls? Well, the outside firewall serves several purposes. First, it limits what systems and protocols can actually get inside the DMZ and touch the systems inside. It also protects against many types of Internet attacks. Remember our mantra – if you are connected to the Internet you need a firewall. OK, so what’s the internal firewall for? This is to protect against the eventuality (no, not the possibility but the eventuality) that the outside firewall will be compromised and attackers will break into your DMZ systems. The inside firewall limits the systems that the DMZ machines can access. So, if the DMZ systems are successfully attacked, the attackers will have only a handful of systems on the inside they can even see on the internal network. DMZs come in many different configurations, and new designs are as common as the number of companies that use them. If you are planning to put e-commerce systems on the Internet, you might want to look at setting up your own DMZ. 4
Proxies • Centralized traffic control • More efficient use of network bandwidth • Hides real IP addresses of machines behind the proxy Information Security: The Big Picture - SANS GIAC © 2000 5 Do you own any stock in a company? I do, and several times a year I get a mailing from one company or another telling me about their annual meeting and asking me to vote on whatever important issues will be discussed at the meeting. The voting form is called a proxy statement, because by filling it out and mailing it in I am allowing somebody else, my proxy, to cast my vote for me (hopefully following my instructions). Well, networks can use proxies too, and the effect is quite the same. A proxy server sits somewhere on the network, usually close to the firewall. When a computer inside the network wishes to communicate with a computer outside the network it asks the proxy to make the connection on its behalf. The proxy makes the connection and acts as an intermediary between the inside computer and the outside computer. Proxies make a lot of sense from a network security standpoint. They concentrate network access to a single machine, making firewall rule sets easier to program. They also hide the actual IP address of the internal machine from the outside machine. All the outside machine ever sees is the IP address of the proxy server. This is an important consideration for security-conscious networks that do not want outside people knowing what IP addresses their inside machines use. Proxies can also store, or cache, information that is repeatedly requested by inside machines. In this way, when a subsequent request is made for that information, the proxy server returns the information from memory rather than having to retrieve it from across the network. This leads to faster response times for the inside computers. 5
Proxy Configuration 98.143.54.212 207.46.131.137 Proxy Server Internet 98.143.54.78 98.143.54.79 98.143.54.80 Information Security: The Big Picture - SANS GIAC © 2000 6 The diagram on this slide illustrates how proxies work in practice. On this network we have four machines. There are three computers with IP addresses 98.143.54.78, 98.143.54.79, and 98.143.54.80. We also have a proxy server with an address of 98.143.54.212. The proxy server is connected to the Internet. When a computer program needs to connect to a machine on the Internet, the request goes first to the proxy server. The request will say something like “computer 98.143.54.78 needs to talk with computer 207.46.131.137 on the Internet.” The proxy server notes the request and then replaces the original IP address with its own. The request will then be “computer 98.143.54.212 needs to talk with computer 207.46.131.137 on the Internet.” The connection is then made to the Internet machine. Once the connection is established, all communications between the original machine, 98.143.54.78 and the Internet machine will be relayed through the proxy server. From the viewpoint of the Internet machine, however, it believes it is communicating with the proxy server, not the original inside machine. So, even if all three computers on this network are communicating simultaneously with the Internet machine, the Internet machine just thinks it has three connections to the same proxy server, not three connections to three separate computers. It is the responsibility of the proxy server to keep track of what connections belong to which machines. 6
Network Attack Methods • Denial of Service • SYN Flooding • Distributed DoS • Smurf • Session Hijacking • Teardrop • IP Spoofing • Land • Spamming • TCP Sequence Prediction • Junk Mail/Chain Letters • IP Fragmentation • Main in the Middle • Ping of Death • Session Replay Information Security: The Big Picture - SANS GIAC © 2000 7 In the following few slides we are going to talk about various types of attacks that have occurred over the Internet in the past. But before we begin, I should point out a couple of important facts. First, we will not be going into very technical depth about each of these attacks. Some of them can get quite complicated, but we will stick to the high-level description as much as possible. Second, many of these attacks have many variations that have been used over time. You may hear of them referred to in several different ways in your continuing security education. In the interests of time we will restrict our discussion to the original attack, and mention any variations only as necessary for clarification. Finally, while each of these attacks can be used by itself, you will very often see them used in combination, or see one attack used as the basis for another. For example, many of the attacks are based on some form of Denial of Service. 7
Denial of Service • Keeping the computer or network from doing anything useful • Can be a system crash, more often just flooding it • Very hard to prevent • Distributed DoS – the latest wrinkle Information Security: The Big Picture - SANS GIAC © 2000 8 Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it sounds: it is used to deny service to a system or network. Denial of Service attacks are aimed at preventing a computer or network from performing its normal duties. This can take the form of crashing a computer, but more often it takes the form of flooding the network or computer with hundreds, or even millions, of information or service requests. The computer quickly gets overwhelmed and can’t handle the load. Once this happens, service is denied to legitimate users of the service because they can’t seem to get the server’s attention. Denial of service attacks are appealing to attackers for a number of reasons. First, they are deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for performing a DoS attack are not that difficult to learn or perform. Second, depending on how the DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do not necessarily have to crash the machine or ruin any of the server’s resources. The attacker mentality will say that this is no more harmful than driving slowly on the highway or taking your time at the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any one of the dozen other large Internet sites that got hit with DoS attacks in the spring of 2000. To them, the damage and the losses were very real. Classic DoS attacks occur when a single system or network floods your network with packets. The attack can be stopped by instructing your routers or firewalls not to accept packets from that system. However, a new breed of DoS attacks has recently surfaced, the Distributed Denial of Service, or DDoS. We’ll look at Distributed Denial of Service on the next slide. 8
Distributed Denial of Service Handler Agent Agent Agent Internet Agent Attacker Victim Information Security: The Big Picture - SANS GIAC © 2000 9 In DDoS attacks, the attacker is not a single system or network, it comes from a wide distribution of computers from all over the Internet, sometimes seemingly at random. Distributed denial of service attacks are more complicated to set up from an attacker’s point of view, but their effects can be much more devastating. In a classic DDoS attack, there are a number of roles and components. On the roles side, there is the Attacker, the Victim, and a number of “innocent” third parties (called Agents) that play an unwilling role in the attack. The attacker will break into each of the Agent’s computers and plant a program that can perform a DoS attack against the victim. There can be hundreds or even thousands of Agents involved in an attack. One of the Agents is tagged as the Handler. It is the Handler’s responsibility to coordinate the attack on behalf of the Attacker. When the Attacker is ready to launch the attack, he contacts the Handler and tells it who the real Victim is, how long the attack should last, and any other information the Agents will need. The Handler then relays that information to the Agents and off they go. What the Victim sees is a DoS attack from many different sites all coming at once. What makes DDoS attacks so unique and powerful is that it uses the diversity of the Internet to strengthen the attack. The attack seems to be coming from everywhere at once, and since there is no authentication on TCP/IP connections, there is no way to tell the real origin of the attack. 9
Session Hijacking • Taking over a connection that has already been established • Bypasses any identification or authentication required to establish • Attacker pretends to be legitimate user Information Security: The Big Picture - SANS GIAC © 2000 10 With many computer services a user is required to identify himself to the service and provide proof of his identity. This process is called authentication. Without proper authentication, a computer can not be assured of the identity of the user and will not grant that user access to its services. Many attackers wish to use services that they would normally not have authorization to use. And while they can try to connect to the computer to gain access to the service, they will not be able to pass through the authentication process. The answer to this problem is to take over a session that somebody has already established. This process is called session hijacking. In a Session Hijacking attack, the attacker monitors the network waiting for a user to establish an authorized connection to a computer or service. Then, the attacker sets up his computer to look just like the victim’s computer, with the same IP address, name, etc. He then uses a Denial of Service attack, or some other method, to block access to the victim’s computer and effectively take it off the network. Once this is done, the attacker then appears to be the original user and computer that originally authenticated. The attacker’s computer looks to the service like a legitimate computer and the attacker never has to authenticate himself. 10
IP Fragmentation • If packets are larger than a network can handle, they are fragmented in multiple parts • Fragmented parts are reassembled at destination • Attacks – Tiny fragment – Overlapping fragments – Teardrop Information Security: The Big Picture - SANS GIAC © 2000 11 In the IP protocol, there are allowances for the fact that there may be many different types of equipment, computers, and networks connected together. For instance, a computer may want to transmit packets of 1 kilobyte (1024 bytes) in size, but the routers between the computer and the destination may only be able to handle packets of 512 bytes in size. If this is the case, IP will automatically split the original packet into smaller pieces that will be able to make it all the way across the network. This process is called fragmentation. Once the fragments reach their destination they are reassembled to recreate the original packet. Fragmentation is good because it ensures the accurate transmission of information in a way that is transparent to the user or application. However, like all good things, packet fragmentation has also been used for evil purposes as a way of attacking computers and slipping past firewalls. There have been three basic types of IP fragmentation attacks. The first is the “Tiny Fragment” attack. In the Tiny Fragment attack, the attacker creates a packet and then fragments the packet into very small pieces. The fragment is so small, in fact, that some of the header information gets forced into more than one packet. The tiny fragments take advantage of the fact that many filtering firewalls can not handle incomplete header information and allow such fragments through, even if the re-assembled packet would not be allowed through the same firewall. The overlapping fragment attack works by the attacker again splitting the packet into fragments. However, instead of the fragments being reassembled sequentially, the fragments are reassembled so that subsequent packets actually overwrite sections of the first fragment. Finally, an attack called the teardrop attack was launched by creating fragments so that a second fragment was placed entirely inside the first fragment. Many fragment reassemblers couldn’t handle the offsets involved and crashed the machine. Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic example of the technical lengths and the in-depth knowledge attackers will seek in order to work their evil. 11
Ping of Death • Maximum PING packet size 64K • Microsoft allows larger packets • Send a PING packet greater than 64K … POOF! Information Security: The Big Picture - SANS GIAC © 2000 12 A popular attack for a while was the so-called Ping of Death. The Ping of Death worked by exploiting a problem known as a Buffer Overflow. We will cover buffer overflows later in the course. For now all you need to know is that normal TCP/IP packets have a maximum allowable size of 64K, or roughly 65,000 bytes. Almost all TCP/IP-based computers come with a utility package called PING – the Packet InterNet Groper. Ping is an application level implementation of the ICMP protocol. It is generally used to see if a host computer is running and available on a network. It works by sending a number of characters to the remote host and waiting for the host to send them back to the originating computer. In most implementations, the amount of data ping will send is less that 100 bytes. However, a programming error in the Microsoft TCP/IP stack allowed ping to use packets of any size, including larger than the 64K TCP/IP packet limit. All an attacker has to do is to use the ping utility with one of these huge packets against a machine susceptible to this attack. Once the packet hits the victim machine it will instantly crash. 12
SYN Flooding • Exploits the three-way TCP handshake • Each SYN request allocates resources in a host • Completion of the final ACK releases those resources • Attacker sends many SYNs but no ACKs Information Security: The Big Picture - SANS GIAC © 2000 13 Another common denial of service attack exploits the way most computers handle the three-way handshake that begins all TCP sessions. Recall that a TCP session begins with a host sending a SYN packet to another. The second host sends a SYN-ACK packet back to the first. Finally the first sends an ACK back to the second, thus completing the connection. Each time that a host receives a SYN packet, it must allocate some resources to tracking the new connection. Usually this is a bit of memory set aside by the machine. The machine holds those resources and tracks the state of the three-way handshake and subsequent connection until the session is completed. When the session is closed the resources are released. As more connections are established, the more resources are required to track the state of those connections. Normally this is not a problem. There are enough connections releasing resources for the machine to always have sufficient resources on hand when needed. SYN flooding uses this behavior to its advantage. In a SYN flood attack, the attacking computer sends hundreds or thousands of SYN requests to the target machine. The target dutifully sends back ACK packets and waits for the third completing ACK packet. The attacker, however, never sends the third packet. Instead, it just keeps flooding the target with SYN requests. Each of those requests will allocate more resources in the target until it finally runs out of resources and crashes. SYN floods are an effective, inexpensive and simple method of crashing or seriously crippling a machine. 13
TCP Sequence Prediction • Exploit trust between trusted hosts • Initial TCP sequence numbers are supposed to be “random” - they often are not • Attacker floods “Bystander’s” queue • Attacker determines sequence numbers on “Victim” • Attacker opens TCP connection from “Bystander” to “Victim.” Bystander never receives ACK • Attacker generates Bystander’s ACK • Attacker gains access to Victim as Bystander Information Security: The Big Picture - SANS GIAC © 2000 14 A TCP Sequence Prediction attack tries to exploit weaknesses in the way sequence numbers are generated in many TCP/IP stacks. Recall that TCP/IP sessions are started by a three-step handshake between two hosts. Again, the first host sends a SYN to the second host along with a sequence number. The second host acknowledges that connection with an ACK and it’s own sequence number. Finally, the first host ACKs the second and away they go. But what if we were able to spoof both the second host as well as the sequence numbers that host uses? If the method of generating initial sequence numbers is easy to guess it wouldn’t be that hard to do. That is exactly how TCP Sequence Prediction attacks work. The sad fact is that despite the fact that initial sequence numbers should be random, many TCP/IP stacks generate sequence numbers in patterns that are notoriously easy to guess. With that in mind, here’s how a TCP Sequence Prediction attack works. In this attack there are three computers. We’ll call them Attacker, Victim, and Bystander. Victim and Bystander are machines on the same network that have a trust relationship between them. This means that Victim trusts transmissions from Bystander and vice versa. The first step in the attack is to flood Bystander’s connection queue. This is accomplished by using a standard SYN flood attack like the one we examined in the last slide. With Bystander busily fending off SYN packets, the next step is to determine the TCP sequence number algorithm on Victim. The most common method for doing this is to create a series of connections to Victim and see what Victim sends back as initial sequence numbers. If you get enough of these it becomes easy to guess what the next initial number will be. Next, the Attacker opens a TCP connection to Victim. However, Attacker spoofs the source address of the connection as having come from Bystander. When Victim tries to send an ACK back to Bystander it never gets received because Bystander is still trying to fight off all those SYN flood packets. However, Victim needs an ACK before it can continue communicating with Bystander. No problem, Attacker is ready and waiting to send the ACK to Victim, again masquerading as Bystander. So what do we have now? We have an open TCP connection from Attacker to Victim. And, to make matters worse, Victim believes that the connection is actually coming from Bystander. Since Victim has a trust relationship with Bystander, Attacker can now log into Victim as a trusted user, typically as the administrative user. This allows the Attacker free access to Victim’s machine. All this may take a minute to understand, and you may have to go through it several times before it finally sinks in. That’s OK, TCP Sequence Prediction is a tricky maneuver to pull of, but it can be quite an effective method of attack. In fact, it was the combination of TCP sequence prediction and trust relationships that allowed Kevin Mitnick to break into the computer of security expert Tsutomu Shimomura. 14
Smurf Attack • Use ICMP Echo Request (“Ping”) packets sent to network “broadcast” address • Source address is spoofed to victim’s address • Ping replies (thousands of them) are sent to victim’s computer Information Security: The Big Picture - SANS GIAC © 2000 15 The “Smurf” attack is another denial of service attack. In Smurf attacks, the victim is denied service by having his computer’s network line flooded while trying to reply to misdirected Ping packets. Specifically, it involves the use (or misuse) of the network broadcast address. The broadcast address of a network is a special IP address on each network segment that can re-direct packets to all the hosts on that network. There are three parties in a Smurf Attack: The attacker, the agent(s), and the victim. Note that the agent can also be a victim. To launch the attack, the attacker sends an ICMP echo request (or Ping) packet send to the broadcast address of a local network. In addition to doing this, the attacker also spoofs the source address of the request to be that of the victim. The broadcast address then re-directs the ping to all the other hosts on that network, which then act as the agents for the attack. Being good little agents, they want to reply to the request. However the only information they have is the spoofed IP address of the victim. All the computers on the network then send replies back to the poor victim. The victim then becomes overwhelmed with replies. The result can be severe network congestion or outages. Attackers have developed automated tools that enable them to send these attacks to multiple agent networks at the same time, causing all of the agents on each of those networks to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can be subsequently used as intermediaries in attacks. 15
Smurf Attack A ts u es R eq Source: D B Dest: All Re p lie C s Attacker Re que sts D Target Information Security: The Big Picture - SANS GIAC © 2000 16 This diagram shows how a Smurf attack works in practice. The attacker makes a simple echo request. Normally, echo requests will send data from a source machine, in this case the attacker, to the destination machine in this case Machine D. The destination machine will then echo the data back to the source machine. Plain and simple. In the Smurf attack, however, the attacker spoofs the information in the echo request. Instead of using the attacker’s machine as the source machine, the attacker uses the address of the target machine as the source address. It also uses a broadcast address as the destination instead of a single IP address. Thus, the request will be sent to all the computers on the network, A, B, C and D in the diagram. When A, B, C and D get the request they will try to send the response to the source address, in this case it is the spoofed address D. The poor D computer will then receive all the echo replies from across the network. In this diagram this only looks like a few reply packets, but in large networks using a prolonged attack this can amount to hundreds of thousands of reply packets. Computer D doesn’t stand a chance. We won’t go into this in much detail, but this illustration shows the basics of how an attack works and how network elements and the IP protocol can be manipulated to launch an extremely effective attack. 16
Land Attack • Attacker sends a SYN packet • Source IP and Destination IP equal • Can crash or hang systems Information Security: The Big Picture - SANS GIAC © 2000 17 Denial of Service exploits come in many flavors and varieties. As you have seen, many of them involve exploiting weaknesses or bugs in the implementation of the network protocols within the system. Many of these weaknesses arise from the fact that system designers do not think that users (human or automated) will give or use bad input or bad information as part of their processing. The designers may put in some error checking as part of their processes, but by and large they trust that the information given to a program will generally be of good quality. The Land Attack proves this to be totally wrong. The Land Attack uses the fact that under normal circumstances the following packet would not appear destined for a computer: • A SYN packet; • with the source and destination IP addresses equal; • with the source and destination ports equal. This just doesn’t happen in real life. Well, it turns out that when you send such a packet to some systems it crashes or hangs the target, making it impossible to continue processing information. This is a perfect example of how you don’t need too much in-depth technical knowledge to pull off an attack. All you need to do is to think of doing something no one has ever tried before. 17
Spamming • Originated by the “Greencard Lawyers” • Flooding UseNet news groups with commercial postings or “flames” • Cross-posting to many different news groups • Starting a “flame war” • Will generate flood of angry replies Information Security: The Big Picture - SANS GIAC © 2000 18 You don’t need to know the technical details of TCP/IP or ICMP to launch a denial of service attack. Many times you don’t even need to know that much about computers or networks. All you need is a keyboard, a connection to the Internet, and an idea. Let’s take the case of the “Greencard Lawyers.” They decided they wanted to advertise their services on the Internet, but weren’t quite sure the best way to do it. Keep in mind that this was in the early 90’s. The use of the Web as a global commercial medium was just starting to take form, and the Internet was still very much an academic and research community with very strong anti-commercial sentiments. UseNet is the global bulletin board service of the Internet. People subscribing to UseNet read one or more news groups dedicated to such diverse topics as current events, computer science, travel, sex, politics, etc. The Greencard lawyers decided that the best way to advertise was to post their message on hundreds of UseNet news groups. When they did this, it incurred the wrath of millions of people who were outraged at their bold misuse of Internet resources. In reply, UseNet subscribers on the Internet sent the lawyers thousands of e-mail replies, flooding their network and the network of their Internet Service Provider, which promptly cancelled their service. In addition to all that, the ensuing flood of postings about the topic in the various UseNet news groups created a second firestorm of activity that took weeks to die down. Nowadays, mass cross postings to news groups are more commonplace, though still considered socially unacceptable. And they still occasionally create a ruckus when they occur. Another way to create a firestorm of protest and hate mail is to begin a “flame war.” A flame war is the intentional or unintentional posting of an idea or opinion that others find offensive, in poor taste, or that they just don’t like. Often, people just seem to want to pick a fight and will intentionally say things to “stir up the pot” so to speak. One notorious trick is to impersonate someone else and post blatantly offensive or controversial notes. The angry replies will then be directed to the unwitting victim. 18
Junk Mail/Chain Letters • Commercial or social postings • Send to a mass audience • Often forwarded as “chain mail” • Can quickly clog e-mail network • Can cause “denial of service” • Should block at your mail gateways Information Security: The Big Picture - SANS GIAC © 2000 19 Your organization’s e-mail system can be used quite effectively to launch denial of service attacks, even if unintentionally. Many of us receive e-mail every day that we did not request and do not want. Very often these are advertisements for some service or other, a great deal or a one-time offer. Like their physical world counterparts, unsolicited junk e-mail has found its way into our daily on-line life. (Editor’s note: unsolicited junk e-mail is also sometimes referred to as unsolicited commercial email (UCE) or “spam”. – JEK) Another major annoyance is the electronic chain letter. We’ve all probably seen the note about the little boy collecting e-mails from around the world, or the one that promises your wildest riches if you just pass it on to 5 of your friends. These chain letters are also finding their way into our e-mail boxes and into our networks. It is understandable how this phenomenon has grown. When compared to physical snail mail, e-mail costs pennies per mailing or less, making it extremely affordable to produce. And the process of distribution can be almost completely automated. There are no envelopes, folding, licking, or hauling down to the post office. It’s all handled on-line and automatically. The problem with junk mail and chain letters is twofold. First, it creates a network capacity problem on your network. Depending on the size and configuration of your e-mail network, a large mass mailing coming into each of your employees can quickly fill up your network bandwidth and mail server message queues. Then, once your employees start forwarding the mail to their co-workers, you’ve got an additional bandwidth and capacity issue. Get a couple of good chain letter and junk mail postings going and you will see your network clog pretty rapidly. A good answer to the problem is the use of e-mail blocking. With this process, you examine the name and/or e-mail address of the sender of each mail. If the piece comes from a known junk mail distributor, or if you’ve had complaints about mail coming from that address, you can block the mail before it even gets into your network. This is a fairly easy and effective way of reducing network traffic and reducing the load on your e-mail network. Another good way to prevent network overload problems is to educate your users about junk mail and chain letters. If you let them know how destructive to your internal service they can be, and warn them about sending and forwarding such mail, it will also go a long way toward reducing any potential capacity problems. 19
Man in the Middle Alice Bob Melvin Information Security: The Big Picture - SANS GIAC © 2000 20 Man in the Middle attacks are another way attackers gain information or disrupt communications. The diagram in the slide shows a classic Man in the Middle attack. Alice and Bob establish some sort of communication between them. Melvin then intercepts the communications between Alice and Bob. How does he do this? Well, one way is to spoof his machine to both Alice and Bob. He make Alice think he is Bob and makes Bob think he is Alice. Another way this can happen is to physically tap into the network somewhere between Alice and Bob. In this way, Melvin can see all the traffic typically without being detected. In this position, Melvin can do one of two things. First, he can simply listen in on everything Alice and Bob have to say to each other. Second, if he is feeling particularly mischievous, he can stop direct communications between Alice and Bob and alter all the messages going back and forth. For example, if Alice says “I’ll buy 10 widgets at $10 each,” the attacker can change that to “I’ll buy 100 widgets at $100 each.” Then, when Bob replies, “that will be a total of $10,000,” the attacker can change that to “No problem, you can have them for free!” Man in the middle attacks are very difficult to detect unless Alice and Bob are using some sort of authentication for each message sent between them. The only way to prevent Man in the Middle attacks is to encrypt the communications between Alice and Bob so that Melvin will not be able to see or use any of the information in the transmission. 20