ITS Offsite Workshop 2002

ITS Offsite Workshop 2002
•
Security Issues and PolyU Cases
•
PolyU Computer Systems Security Policy
(SSP)
•
ITS/CLO Partnership In IT Security
Implementation

Security Issues
Security Issues and
PolyU cases
By
Chan Ping Fong
Senior Computer Officer
Information Technology Services office

Security Issues
Why?

Security Issues
Typical University IT Environment ...
•
10,000+ networked devices
•
Very high-speed, high-capacity networks with fast connections to the
Internet
•
Hardware and software deployed are significantly diverse

Security Issues
Typical University IT Environment ...
•
Usually first to implement new technologies, sometimes even before they are matured
•
Residence Halls networked
•
Networked systems are being probed continually for vulnerabilities

Security Issues
Typical University IT Environment…
•
Computer locations vary widely, from under a someone's desk to professional data centers
•
Departments control own technology and mostly act independently
•
Non-existent or under-staffed technical/security staff

Security Issues
Typical University IT Environment
•
Hundreds of people authorized to access confidential information from central databases
•
User can extract data to any networked device, to use local manipulation tools
•
Once extracted, no one knows on which of the thousands of networked devices sensitive data is hosted

Security Issues
Typical Security Threats
•
Virus Attacks
•
Hacking and Cracking
•
User Abuses
•
Spam Mails
•
Denial of Service (DoS) Attacks
Cases reported and complaints received almost everyday

Security Issues
•
Melissa
•
I Love You
•
SirCam
•
Code Red and Code Red II
•
Nimda
•
Goner

Security Issues
•
Multiple attack mechanisms
 Spreads via email ( not an attachment )
 Spreads via visiting infected web page
 Targeting 16 vulnerabilities !! ( some IIS, but not all )
•
Nimda also threatened internal networks
 Unlike CodeRed, which was only attacking IIS servers
 Windows 9x and NT vulnerable via ‘open share attack’
 Attacks IIS via Web Folder Transversal ( malformed ‘get’ )
 And also via an incorrect MIME header

Security Issues
•
Any PC on the NET communicate by using
TCP/IP
•
Any one could knock on your doors
–
There are 65535 ports
–
Your machine may serve any of 65536 ports
• Port scanning by hackers
– Find out the weakest link
• Force you busy, can’t do any useful job
– Denial of Service (DoS attack)

Security Issues
• Member of HARNET
–
Another cyber community on the Internet
• More web applications on campus network
–
More expose & risk
• Restricted access from outside
–
By PolyU firewall, proxy server & VPN
• Limited restriction on access PCs within campus
–
Protected by switches and routers
–
Protected by departmental or personal firewall
– Rest, limited restriction

Security Issues
Hacking and Cracking (Before)
•
Only really good hackers could crack
• Difficult to write programs to affect
Operating Systems
• Cracking was “expensive” – learning curve and time
•
Most cracking had specific purposes – e.g., financial gain, espionage, sabotage

Security Issues and Problems at PolyU
Hacking and Cracking
(Now) …
• Veteran crackers are “publishing” code for neophyte crackers: e.g., log-wipe utilities
•
Operating system and application APIs are easy to use: e.g., Microsoft VBS
•
More complicated operating systems and software cause more bugs
•
Automated vulnerability scanning

Security Issues
Hacking and Cracking
•
Cracking for profit: e.g., credit card theft, industrial espionage
• Cracking for fun: e.g., “script kiddies”
•
Cracking for political reasons: e.g.,
PRC Government webpage defacements
•
Cracking as part of cyber-warfare

Security Issues
•
Veteran crackers writing and publishing tools
•
Cracker tools exist for cellular, voice, data communications
•
Cracker FAQs exist for almost all systems

Security Issues
•
Unauthorized access
•
Cracking password
•
Trojan horse
•
Tapping
• Remote capture of someone’s workstation

Security Issues
Typical User Abuses
•
Download huge files
•
Send out unsolicited massive emails
•
Steal and sell email addresses
•
Steal and leak out passwords to others

Security Issues
Typical User Abuses
•
Put unlicensed software/films/songs for others to download
•
Conduct commercial activities using
PolyU IT facilities and resources

Security Issues
•
Chain letters
•
Spreading large number of e-mails to many different users
•
Mail relay

Security Issues
•
Port Scanning
•
Ping Flooding
•
Mail bomb
•
Re-broadcasting of unwanted packets

Quote
From
Richard A. Clarke
“The Internet was built without a government or master plan.
It was also built without security as part of the central design. Our entire infrastructure is vulnerable because security was not designed in from the ground up.”
Richard A. Clarke,
National Coordinator for Security,
Infrastructure Protection, and Counter-Terrorism, speaking at the Washington D.C. Summit, 18 April 2000

Quote from
Computer Economics
“It is estimated that the worldwide impact of malicious code was 13.2 Billion Dollars in the year 2001 alone, with the largest contributors being SirCam at $1.15 Billion, Code
Red (all variants) at $2.62 Billion, and NIMDA at $635
Million.”
Computer Economics,
2001 Economic Impact of Malicious Code Attacks,
02 Jan 2002

It’s a wild world
• Every week we see new break-ins, new attack tools, new vulnerabilities
• 2002 CSI/FBI Computer Crime and Security Survey (503 respondents):
– 90% of respondents detected “unauthorized use of computer systems” in the last 12 months;
– The combined losses from just 223 respondents total $445 million
– $170 million from “theft of proprietary info” and $19 million from “system penetration”

Top 10 Attack Source by Country
35%
30%
25%
20%
15%
10%
5%
0%
2.0% 2.5%
2.5%
2.6%
3.9%
4.5%
5.9%
7.8%
8.8%
Ja pa n re
G at
B ri ta in
It al y ai
T w an
C an ad a ra
F e nc er
G m an y
29.6%
C hi na
So h ut
K or ea
U ni d te
St es at

Top 10 Attack Sources per Internet Capita “ in terms of number of attacks per 10,000 Internet Users”
30
25
26.16
20
14.50
15
10
7.07
5
0
D en m k ar
7.10
7.52
Ta iw an
Po la nd
7.74
M al ay si a
Tu rk ey
7.85
8.60
10.03
11.57
F ra e nc
So ut
K h or ea
Th ai la nd
H on g
K on g
Is ra el

Some Security News …
• Bugbear-Worm tries to steal credit cards and passwords.
10 Oct 02
• CERT Advisory Trojan Horse Sendmail Distribution. 08
Oct 02
• W32/Bugbear-A continues to cause problems. 07 Oct 02.
• Cyberattacks against energy firms rise, 09 Jul 02.
• Hacker swipes $35,000 from Singapore Bank, 05 Jul 02.

Security Issues and Problems at PolyU
Intrusion Purposes/Consequences …
•
Unauthorized access to data
•
Installation of malicious code to collect passwords, keystrokes, or other data in transit
•
Huge consumption of network resources, leading to slow to no response on campus network

Security Issues
Intrusion Purposes/Consequences
•
Loss of machine power for intended purposes
•
Defacement for political reasons
•
Installation of programs to support attacks on internal or external systems, e.g. DDoS zombies

Security Issues
• URL of incident
– http://www.attrition.org/mirror/attrition/2000/09/19/www.banking.hsbc.
co.uk/mirror.html
Note to the administrator: You should really enforce stronger passwords. I cracked 75% of your NT accounts in 16 seconds on my SMP Linux box.
Please note the only thing changed on this server is your index page, which has been backed up. Nothing else has been altered.

IT Security Stories
Should it take an incident to wake us up?
Indiana U Office of the Bursar (2001)
IU Faculty Research Information
Database (1997)
University of Michigan patient records
University of Washington patient records
Stolen passwords at Berkeley, UCLA,
Harvard
Many other cases not publicized

Recent Case at our Sister University
A student hacked into the PCs of 4 other students
Accessed the homework of other students
Obtained the password of another student
Impersonate and withdrew the classmate from university

The PolyU Real Cases

The PolyU Real Cases
E-Mails sent to staff in the same department framing senior members of sexual abuses
ITS investigated and located the source being another institution in HK
Case reported to police and a member in that institution identified
Police decided not to pursue due to ‘public interest’

The PolyU Real Cases
Departments (and some students) sent out surveys and promotional e-mails to large number of recipients
Recipients regarded that mail spamming and filed complaints to PolyU
Some recipients (ISP) blacklisted PolyU and barred PolyU e-mails

The PolyU Real Cases
Some Departments requested ITS to help but disregarded ITS’s advice and kept on sending
Case reported to the Human Subject
Ethics Subcommittee

The PolyU Real Cases
Millions of short enquiry packets (pings) sent out to Internet by a Department
Ate up over 80% of PolyU’s Internet bandwidth for 2 hours
ITS traced two machines in the department’s lab and 100s of hours wasted
Nobody was identified due to no log kept in lab
Many more similar cases detected in the same department

The PolyU Real Cases
PolyU Real Case 4 …
A graduate student sent out large volume of e-mails on the Internet to solicit money to help his sick wife
Over 200 complaints were received by
ITS from all over the world
Some recipients reported to their police and activated investigation by HK and
PRC police

The PolyU Real Cases
During the investigation, it was also found that the student had also used the
PolyU IP address to register and host a commercial website for business activities
Case reported to the Head

The PolyU Real Cases
PolyU Real Case 5
A graduate student sent out more than once obscene e-mails to over 200 selected recipients in the media and the HK higher education community to attack a senior staff in his department
Vast amount of time spent in the investigation. More than 200 man-hours just in ITS plus that of the senior management

The PolyU Real Cases
PolyU Real Case 6
The lab instructor of a training course mistakenly generated an infinite loop among the campus Netware servers
Paralyzed the whole campus network which finally had to be shut down and restarted
ITS spent over 100 man-hours to trace the problem and the instructor and fixed the network

The PolyU Real Cases
PolyU Real Case 7 …
Code Red, Code Red II and Nimda Viruses attacks
ITS sent out alerts and patches to all users
ITS called urgent meetings with departments
ITS identified and isolated infected ports to contain the impact
Over 300 PolyU PCs affected by Nimda

The PolyU Real Cases
Affected machines in turn degraded performance of the campus network and Internet
Damage considered small compared to two other HK institutions which had to shut down the entire campus network to ‘stop the bleeding’

The PolyU Real Cases
Some Linux machines in some departments were attacked
They became the ‘launch pad’ of port scanning to other machines on campus and the Internet
ITS received many complaints
The department refused to take action and ITS had to disable their ports from the network

The PolyU Real Cases
Other PolyU Real Abuses
Theft of passwords
Use PolyU IT resources to solicit money
Use PolyU IT resources to run business
Give computer accounts to other persons
Insult other users on Internet with foul languages
Mail bombs

The PolyU Real Cases
•
Reputation of the institution tarnished
•
Increases the risk of suits filed by students and others and associated liability
•
Wastes of resources

The PolyU IT Security
•
Prevention is better than cure
•
Users cooperate and follow ITS advices
•
Must be secure to sustain the future
•
The cooperation of CLO is essential