Write a discussion paper on 5 computer and network vulnerabilities in the US Government. How did they happen and what are the impacts? Study the computer and network vulnerabilities and exploits (see Kizza, Chapters 3 and 4). APA format, 5 pages, double-spaced; must be free of plagiarism.
chapter_3_4.pdf


Chapter 3: Security Threats to Computer Networks
3.1 Introduction
In February 2002, the Internet security watch group CERT Coordination Center first disclosed to a global audience that global networks, including the Internet, phone systems, and the electrical power grid, were vulnerable to attack because of a programming weakness in a small but key network component. The component, Abstract Syntax Notation One, or ASN.1, is a data-description and encoding notation used widely in the Simple Network Management Protocol (SNMP); the flaws lay in the code that decodes ASN.1-encoded SNMP messages. There was widespread fear among governments, networking manufacturers, security researchers, and IT executives because the component is vital in many communication grids, including national critical infrastructures such as parts of the Internet, phone systems, and the electrical power grid. These networks were vulnerable to disruptive buffer overflow and malformed packet attacks.
This example illustrates but one of many potential incidents that can cause
widespread fear and panic among government, networking manufacturers,
security researchers, and IT executives when they think of the consequences of
what might happen to the global networks.
The number of threats is rising daily, yet the time window to deal with them is rapidly shrinking. Hacker tools are becoming more sophisticated and powerful. The average time between the announcement of a vulnerability and the appearance of a working exploit for it in the wild keeps getting shorter.
Traditionally, security has been defined as a process to prevent unauthorized
access, use, alteration, theft, or physical damage to an object through
maintaining high confidentiality and integrity of information about the object and
making information about the object available whenever needed. However, there is a common fallacy, taken for granted by many, that a perfect state of security can be achieved. There is no such thing as a perfectly secure state of any object, tangible or not, because no object can be perfectly secure and still be useful. An object is secure if the process can maintain its
highest intrinsic value. Since the intrinsic value of an object depends on a
number of factors, both internal and external to the object during a given time
frame, an object is secure if the object assumes its maximum intrinsic value
under all possible conditions. The process of security, therefore, strives to
maintain the maximum intrinsic value of the object at all times.
Information is an object. Although it is an intangible object, its intrinsic value can
be maintained in a high state, thus ensuring that it is secure. Since our focus in
this book is on global computer network security, we will view the security of this
global network as composed of two types of objects: the tangible objects such as
the servers, clients, and communication channels and the intangible object such
as information that is stored on servers and clients and that moves through the
communication channels.
Ensuring the security of the global computer networks requires maintaining the
highest intrinsic value of both the tangible objects and information – the
intangible one. Because of both internal and external forces, it is not easy to
maintain the highest level of the intrinsic value of an object. These forces
constitute a security threat to the object. For the global computer network, the
security threat is directed to the tangible and the intangible objects that make up
the global infrastructure such as servers, clients, communication channels, files,
and information.
The threat itself comes in many forms, including viruses, worms, distributed denial of service, and electronic bombs, and derives from many motives, including revenge, personal gain, hate, and joy rides, to name but a few.
3.2 Sources of Security Threats
The security threat to computer systems springs from a number of factors:
- weaknesses in the network infrastructure and communication protocols, which create an appetite and a challenge for the hacker mind;
- the rapid growth of cyberspace into a vital global communication and business network on which international commerce and business transactions are increasingly performed and to which many national critical infrastructures are connected;
- the growth of the hacker community, whose members are usually experts at gaining unauthorized access to systems that run not only companies and governments but also critical national infrastructures;
- vulnerabilities in the operating system protocols and services that run the computers that run the communication network;
- the insider effect, resulting from workers who steal and sell company databases, mailing lists, or even confidential business documents;
- social engineering;
- physical theft from within organizations of items such as laptops and mobile devices, which carry powerful communication technology and ever more potentially sensitive information; and
- security as a moving target.
3.2.1 Design Philosophy
Although the design philosophy on which both the computer network infrastructure and communication protocols were built has tremendously boosted the development of cyberspace, the same design philosophy has been a constant source of the many ills plaguing cyberspace. The growth of the Internet and of cyberspace in general was based on an open-architecture, work-in-progress philosophy. This philosophy attracted the brightest minds to get their hands dirty and contribute to the infrastructure and protocols. With many contributing their best ideas for free, the Internet grew in leaps and bounds. This philosophy also fostered the spirit of individualism and adventurism, both of which have driven the growth of the computer industry and underscored the rapid and sometimes unplanned growth of cyberspace.
Because the philosophy was not based on clear blueprints, new developments and additions came about as reactions to the shortfalls and changing needs of a developing infrastructure. The lack of a comprehensive blueprint and the demand-driven design and development of protocols are the cause of the ever-present weak points and loopholes in the underlying computer network infrastructure and protocols.
In addition to the philosophy, the developers of the network infrastructure and protocols also followed a policy of creating an interface that is as user friendly, efficient, and transparent as possible, so that users of all education levels can use it without knowing how the networks work and therefore need not be concerned with the details.
The designers of the communication network infrastructure thought it was better
this way if the system is to serve as many people as possible. Making the
interface this easy and far removed from the details, though, has its own
downside in that the user never cares about and pays very little attention to the
security of the system.
Like a magnet, the policy has attracted all sorts of people who exploit the
network’s vulnerable and weak points in search of a challenge, adventurism, fun,
and all forms of personal gratification.
3.2.2 Weaknesses in Network Infrastructure and Communication Protocols
Compounding the problems created by the design philosophy and policy are weaknesses in the communication protocols themselves. The Internet is a packet network: the data to be transmitted is broken into small, individually addressed packets that are handed to the network's mesh of switching elements. Each packet finds its own way through the network with no predetermined route, and the receiving element reassembles the packets into the original message. To work successfully, packet networks need a strong trust relationship among the transmitting elements.
As packets are disassembled, transmitted, and reassembled, the security of each individual packet and of the intermediary transmitting elements must be guaranteed. This is not always the case in the current protocols of cyberspace: there are areas where determined users, starting from port scans, have managed to intrude, penetrate, spoof, and intercept packets.
The two main transport protocols on each server in the network, UDP and TCP, use port numbers to identify higher-layer services. Each higher-layer service on a client uses a port number to request a service from the server, and each server uses a port number to identify the service requested by a client. The cardinal rule of secure configuration on a server is never to leave a port open in the absence of a useful service. If no such service is offered, its port should never be open. Even if the service is offered by the server, its port should not be left open unless the service is legitimately in use.
In the initial communication between a client and a server, the client addresses the server via a port number in a process called a three-way handshake. The three-way handshake, when successful, establishes a TCP virtual connection between the server and the client. This virtual connection is required before any communication between the two can begin. The process begins with the client sending a TCP segment with the synchronize (SYN) flag set; the server responds with a segment that has both the acknowledgment (ACK) and SYN flags set, and the client completes the exchange with a segment that has only the ACK flag set. This exchange is shown in Fig. 3.1. The three-way handshake suffers from a half-open connection problem: after sending its SYN-ACK, the server trusts that the client will finish the handshake and keeps state for the pending connection (in its SYN backlog) while it waits for the final ACK.
Fig. 3.1: A three-way handshake
A half-open connection is held until the final ACK arrives or the entry times out. Because the server keeps accepting new SYNs from other clients while earlier ones are pending, an attacker who never sends the final ACK can fill the backlog, after which the SYNs of legitimate clients are dropped. Several half-open connections are therefore the basis of network security exploits against TCP/IP, including Internet Protocol spoofing (IP spoofing), in which the source IP addresses in the packets are replaced with bogus addresses so that the SYN-ACKs go to hosts that will never answer, and SYN flooding, where the server is overwhelmed by such spoofed SYN packets.
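The following simulation of the handshake and of the half-open problem is an added example and is not code from Kizza's text. It models only the server side's SYN backlog (no packets are sent): a SYN that is never followed by an ACK occupies a backlog slot until it times out, a flood of spoofed SYNs fills all slots, and a legitimate client is then refused. The same listener can instead be run with a simplified SYN cookie (the assumed 64-second slot, 60-second timeout and 24-bit keyed hash are choices made for this example; real cookies also encode the MSS), which keeps no per-SYN state and so cannot be exhausted.

```python
import hashlib
import hmac
import secrets

SYN_TIMEOUT = 60.0  # seconds a half-open entry survives in the backlog (assumed value)


class TcpListener:
    """Model of a listening socket's SYN backlog (no packets are sent).

    'src' is the client's (ip, port); sequence numbers are 32-bit integers.
    """

    def __init__(self, port, backlog=128, syn_cookies=False):
        self.port = port
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}       # src -> (server_isn, time the SYN arrived)
        self.established = set()
        self._secret = secrets.token_bytes(16)

    @staticmethod
    def _slot(now):
        return int(now // 64) & 0xFF      # 64-second time slot, 8 bits

    def _cookie(self, src, slot):
        # Simplified SYN cookie: keyed hash of (client, server port, slot), 24 bits.
        # Real cookies also encode the MSS; that detail is omitted here (assumption).
        msg = f"{src[0]}:{src[1]}:{self.port}:{slot}".encode()
        return int.from_bytes(hmac.new(self._secret, msg, hashlib.sha256).digest()[:3], "big")

    def expire(self, now):
        """Drop half-open entries whose final ACK never came within SYN_TIMEOUT."""
        for src, (_, arrived) in list(self.half_open.items()):
            if now - arrived > SYN_TIMEOUT:
                del self.half_open[src]

    def on_syn(self, src, client_isn, now):
        """Step 1 -> 2: handle a SYN; return the SYN-ACK's (seq, ack) or None if dropped."""
        if self.syn_cookies:
            slot = self._slot(now)
            isn = (slot << 24) | self._cookie(src, slot)   # state lives in the ISN itself
            return isn, (client_isn + 1) & 0xFFFFFFFF
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            return None                                     # backlog full: SYN silently dropped
        isn = secrets.randbits(32)
        self.half_open[src] = (isn, now)                    # half-open: waiting for the final ACK
        return isn, (client_isn + 1) & 0xFFFFFFFF

    def on_ack(self, src, ack, now):
        """Step 3: validate the final ACK; return True if the connection is established."""
        if self.syn_cookies:
            isn = (ack - 1) & 0xFFFFFFFF
            slot, cookie = isn >> 24, isn & 0xFFFFFF
            cur = self._slot(now)
            if slot not in (cur, (cur - 1) & 0xFF):         # cookie too old
                return False
            if cookie != self._cookie(src, slot):           # forged ACK or wrong client
                return False
            self.established.add(src)
            return True
        entry = self.half_open.pop(src, None)
        if entry is None or ack != (entry[0] + 1) & 0xFFFFFFFF:
            return False
        self.established.add(src)
        return True


def handshake(listener, src, now):
    """A well-behaved client performing all three steps; True if it gets connected."""
    client_isn = secrets.randbits(32)
    synack = listener.on_syn(src, client_isn, now)
    if synack is None:
        return False
    server_isn, _ = synack
    return listener.on_ack(src, (server_isn + 1) & 0xFFFFFFFF, now)


def syn_flood(listener, count, now):
    """Attacker sends `count` SYNs from spoofed (constructed) addresses and never ACKs.

    Returns how many SYN-ACKs the listener sent, i.e. how many backlog slots were taken.
    """
    answered = 0
    for i in range(count):
        spoofed = (f"10.0.{i // 256}.{i % 256}", 40000 + i)
        if listener.on_syn(spoofed, i, now) is not None:
            answered += 1
    return answered
```

Running `syn_flood` against a listener with a backlog of 64 and then calling `handshake` for a real client shows the refusal; calling `handshake` again after `SYN_TIMEOUT` has elapsed succeeds because `expire` has cleared the spoofed entries. With `syn_cookies=True` every SYN is answered and the legitimate client connects during the flood, while an ACK that does not carry a valid cookie is rejected.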
In addition to the three-way handshake, ports are used widely in network communication. There are well-known ports used by processes that offer services. For example, ports 0 through 1023 are used widely by system processes and other highly privileged programs; on Unix-like systems binding to them requires privilege, so a service listening there is often started with root privileges. This means that if a service on one of these ports is compromised, the intruder may gain privileged access to the whole system.
Intruders find open ports via port scans. The two examples below, from G-Lock Software, illustrate how a port scan can be made [1]:
- TCP connect() scanning is the most basic form of TCP scanning. The attacker's host issues a connect() system call to each of a list of selected ports on the target machine. If a port is listening, the connect() call succeeds; otherwise the connection is refused and the service is unavailable.
- UDP Internet Control Message Protocol (ICMP) port unreachable scanning is one of the few UDP scans. Recall from Chap. 1 that UDP is a connectionless protocol, so it is harder to scan than TCP because UDP ports are not required to respond to probes. Most implementations generate an ICMP port_unreachable error when a packet is sent to a closed UDP port. When this response does not come, the intruder concludes that the port is active (or that a filter dropped the probe).
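Both scan types above can be written with ordinary sockets and no raw-packet privileges; the scanner below is an added example, not code from Kizza or from G-Lock Software. The TCP scanner relies on the outcome of connect(): success means the handshake completed, a connection-refused error means a RST came back, and silence means something dropped the probe. The UDP scanner relies on the fact that, for a connected UDP socket, the operating system delivers an incoming ICMP port unreachable to that socket as a connection-refused error on the next receive; silence is ambiguous and is reported as "open|filtered", exactly the ambiguity the text describes. The 0.5 s timeout and the one-byte probe are choices made for this example.

```python
import socket


def tcp_connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan: a completed three-way handshake means the port is open.

    Returns {port: 'open' | 'closed' | 'filtered'}.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"           # SYN -> SYN-ACK -> ACK completed
            except ConnectionRefusedError:
                results[port] = "closed"         # RST came back: nothing is listening
            except (socket.timeout, OSError):
                results[port] = "filtered"       # no reply at all: probe was dropped
    return results


def udp_unreachable_scan(host, ports, timeout=0.5):
    """UDP scan driven by ICMP port unreachable.

    The socket is connect()ed so that the kernel attributes the ICMP error to it
    and surfaces it as ConnectionRefusedError on recv(). No ICMP and no answer
    within the timeout is reported as 'open|filtered' because the two cannot be
    told apart from the scanner's side.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            try:
                s.send(b"\x00")                  # one-byte probe; most services ignore it
                s.recv(1024)
                results[port] = "open"           # the service actually answered
            except ConnectionRefusedError:
                results[port] = "closed"         # ICMP port unreachable arrived
            except socket.timeout:
                results[port] = "open|filtered"  # silence: listening, or probe dropped
    return results


if __name__ == "__main__":
    # Example target chosen for this demonstration: the local host itself.
    print(tcp_connect_scan("127.0.0.1", [22, 80, 443, 8080]))
    print(udp_unreachable_scan("127.0.0.1", [53, 123, 161]))
```

Only scan hosts you are authorized to test; a connect() scan completes real handshakes and is visible in the target's logs, which is also why stealthier scans exist.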
In addition to the port weaknesses usually identifiable via port scans, both TCP and UDP suffer from other weaknesses.
Packet transmissions between network elements can be intercepted and their contents altered, as in the initial sequence number attack. TCP sequence numbers are 32-bit integers carried in every segment, indicating the position of the segment's data in the byte stream so that the receiving element can reassemble the segments in order. The receiving element acknowledges what it has received in a two-way communication session during which both elements talk to each other simultaneously in full duplex.
In the initial sequence number attack, the attacker first learns how the server chooses its initial sequence number, for instance by opening a connection of its own, and guesses the number the server will use for the next connection. The intruder then sends a SYN carrying the spoofed IP address of a trusted client. The server sends its SYN-ACK to the spoofed client, which the attacker never sees; but because the attacker has predicted the server's sequence number, it can send the final ACK anyway, and the server accepts a connection that appears to come from the trusted client. Infrastructure vulnerability attacks also include session attacks, packet sniffing, buffer overflow, and session hijacking. These attacks are discussed in later chapters.
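The attack depends entirely on the server's initial sequence number being guessable. The simulation below is an added example, not code from Kizza's text: it contrasts an old BSD-style chooser, where the ISN advances by a fixed step per connection, with an RFC 6528-style chooser, where a keyed hash of the connection's addresses is added so that ISNs seen on the attacker's own connections say nothing about the ISN a trusted client will receive. The step of 64000, the fixed clock advance standing in for the RFC's 4-microsecond clock, and the sample addresses are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class WeakIsnServer:
    """Old BSD-style chooser: the ISN advances by a fixed step for every new
    connection, so one observed ISN reveals the next one."""
    STEP = 64000

    def __init__(self, start=None):
        self._isn = secrets.randbits(32) if start is None else start

    def next_isn(self, client, server):
        self._isn = (self._isn + self.STEP) & MASK32
        return self._isn


class Rfc6528IsnServer:
    """RFC 6528 style: ISN = M(t) + F(client, server, secret). M is a shared clock,
    F a keyed hash of the connection's addresses, so ISNs observed on the attacker's
    own connections do not reveal the ISN another client will be given."""

    def __init__(self):
        self._secret = secrets.token_bytes(16)
        self._clock = secrets.randbits(32)

    def next_isn(self, client, server):
        # The real M(t) is a 4 microsecond clock; a fixed per-connection advance
        # stands in for it here (assumption made for the simulation).
        self._clock = (self._clock + 64000) & MASK32
        f = hmac.new(self._secret, f"{client}|{server}".encode(), hashlib.sha256).digest()
        return (self._clock + int.from_bytes(f[:4], "big")) & MASK32


def spoofed_connect(server, attacker, trusted_client, target):
    """The initial sequence number attack from the text, in three steps:
    1. the attacker opens a connection of its own and records the ISN it was given;
    2. it sends a SYN whose source address is the trusted client (spoofed), so the
       server's SYN-ACK goes to that client and the attacker never sees it;
    3. it sends the final ACK anyway, acknowledging the ISN it *predicts*.
    Returns True if the prediction matched, i.e. the forged handshake would complete."""
    observed = server.next_isn(attacker, target)                 # step 1
    predicted = (observed + WeakIsnServer.STEP) & MASK32         # attacker's guess
    actual = server.next_isn(trusted_client, target)             # step 2: ISN in the unseen SYN-ACK
    return predicted == actual                                   # step 3: would the ACK be accepted?
```

Against `WeakIsnServer` the prediction is exact, so the spoofed connection completes; against `Rfc6528IsnServer` the guess is off by the difference of two keyed-hash values, which the attacker cannot compute without the secret.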
The infrastructure attacks we have discussed so far are of the penetration type, where the intruder gains a foothold in the system infrastructure, either at a transmitting element or in the transmission channel, and alters the content of packets. The next set of infrastructure attacks exploits vulnerabilities in a different way: the distributed denial of service (DDoS). DDoS attacks are generally classified as nuisance attacks in the sense that they simply interrupt the services of the system. The interruption can be as serious as crashing a host or as simple as using up all of its available memory or bandwidth. DDoS attacks come in many forms, but the most common are the following: smurfing, ICMP floods, and ping of death attacks.
The “smurf” attack utilizes the broken-down trust relationship created by IP spoofing. An offending element sends a large number of spoofed ping packets containing the victim's IP address as the source address. Ping traffic is carried by the Internet Control Message Protocol (ICMP), which the Internet community uses to report out-of-band messages related to network operation or misoperation, such as a host or an entire portion of the network being unreachable owing to some type of failure. The pings are directed to the broadcast addresses of a large number of network subnets, a subnet being a small independent network such as a LAN. If every host on those subnets replies to the victim address, the victim element receives replies at a high rate, one per host for each spoofed ping, and begins buffering these packets. When the replies arrive at a rate exceeding the capacity of its queue, the element generates ICMP Source Quench messages meant to slow down the sending rate. These messages are then sent, supposedly, to the legitimate sender of the requests. If the sender were legitimate, it would heed the requests and slow down the rate of packet transmission. In the case of spoofed addresses, however, no action is taken because all sender addresses are bogus. (ICMP Source Quench has since been deprecated by RFC 6633 and is ignored by modern hosts, so even this feedback no longer exists in practice.) The situation in the network can easily deteriorate further if the routers forward the directed broadcasts, since every router on the path then takes part in the amplification.
We have outlined a small part of a list of several hundred known infrastructure vulnerabilities that are often used by hackers either to penetrate systems and destroy, alter, or introduce foreign data, or to disable systems through port scanning and DDoS. For these known vulnerabilities, equipment manufacturers and software producers have done a considerable job of issuing patches as soon as a loophole or a vulnerability is known; quite often, though, as the Code Red fiasco (seen later) demonstrated, not all network administrators act on the advisories issued to them. Furthermore, new vulnerabilities are discovered almost every day, either by hackers eager to show their skills by exposing them or by users of new hardware or software, as happened with Microsoft's IIS Web server on Windows in the case of the Code Red worm. The fact that most of these exploits use known vulnerabilities is a telling indictment of how poorly known vulnerabilities are patched even when the fixes have been provided.
3.2.3 Rapid Growth of Cyberspace
There is always a security problem in numbers. Since its beginning as ARPANET in the late 1960s, the Internet has experienced phenomenal growth, especially in the last 20 years. There was an explosion in the number of users, which in turn ignited an explosion in the number of connected computers.
By 1985, the Internet had fewer than 2,000 computers connected, and the corresponding number of users was in the mere tens of thousands. By 2001, however, the figure had jumped to about 109 million hosts, according to Tony Rutkowski of the Center for Next Generation Internet, citing the Internet Software Consortium host count. This number represents a significant new benchmark for the size of the Internet. Data from Internet World Stats shows about 2.2 billion users in 2012 [[2], http://www.internetworldstats.com/stats.htm].
The tremendous growth of mobile Internet-enabled devices is driving the growth cited above. As the Internet grew, it brought in more and more users with varying ethical
standards, added more services, and created more responsibilities. By the turn of
the century, many countries found their national critical infrastructures firmly
intertwined in the global network. An interdependence between humans and
computing devices and between nations on the global network has been created
that has led to a critical need to protect the massive amount of information stored
on these global networks. The ease of use of and access to the Internet and
large quantities of personal, business, and military data stored on the Internet
was slowly turning into a massive security threat not only to individuals and
business interests but also to national defenses.
As more and more people enjoyed the potential of the Internet, more and more
people with dubious motives were also drawn to the Internet because of its
enormous wealth of everything they were looking for. Such individuals have
posed a potential risk to the information content of the Internet, and such a
security threat has to be dealt with.
Statistics from the security company Symantec show that Internet attack activity
is currently growing by about 64% per year. The same statistics show that during
the first 6 months of 2002, companies connected to the Internet were attacked,
on average, 32 times per week compared to only 25 times per week in the last 6
months of 2001. Symantec reports between 400 and 500 new viruses every
month and about 250 vulnerabilities in computer programs [3].
In fact, the rate at which the Internet is growing, with the rapid global acquisition of Internet-enabled devices, is becoming the greatest security threat ever. Security experts are locked in a race with these malicious hackers, a race that at the moment the security community appears to be losing.
3.2.4 The Growth of the Hacker Community
Although other factors contributed significantly to the security threat, in the general public's view the number one contributor to the security threat to computer and telecommunication networks, more than anything else, is the growth of the hacker community. Hackers have managed to bring this threat into news headlines and people's living rooms through ever-increasing and sometimes devastating attacks on computer and telecommunication systems using viruses, worms, DDoS, and other security attacks.
Until recently most hacker communities worked underground, forming global groups like some of those in Table 3.1. Today, hackers are no longer considered as harmful to computer networks as they once were, and governments and organizations now employ hackers to do the opposite of what they were known for: defending national critical networks and hardening company networks. Increasingly, hacker groups and individuals are being used in clandestine campaigns of attacks on other nations. So hacker groups and individuals are no longer under as much suspicion of causing mayhem to computer networks, and many now operate in the open. In fact, hacker Web sites like www.hacker.org carry messages like “The hacker explores the intersection of art and science in an insatiable quest to understand and shape the world around him. We gui …