Berkeley COMPSCI 161 - Network Security War Stories


Network Security War Stories
CS 161/194-1
Anthony D. Joseph
September 7, 2005

September 7, 2005 CS161 Fall 2005 Joseph/Tygar/Vazirani/Wagner

About Me
• Joined faculty in 1998
  – MIT SB, MS, PhD
• Contact info
  – adj @ cs.berkeley.edu
  – http://www.cs.berkeley.edu/~adj/
• Research Areas:
  – Mobile/wireless computing, network security, and security testbeds
• Office hours: 675 Soda Hall, M/Tu 1-2pm

Outline
• War stories from the Telecom industry
• War stories from the Internet: Worms and Viruses
• Crackers: from prestige to profit
• Lessons to be learned

Phone System Hackers: Phreaks
• Earliest phone hackers?
• 1870’s teenagers
• 1920’s (first automated switchboards)
• Mid-1950’s saw deployment of automated direct-dial long distance switches

US Telephone System (mid 1950’s)
• A dials B’s number
• Exchange collects digits, assigns inter-office trunk, and transfers digits using Single or Multi Frequency signaling
• Inter-office switch routes call to local exchange
• Local exchange rings B’s phone

Early 1970’s Phreaks
• John Draper (AKA “Captain Crunch”)
  – Makes free long-distance calls by blowing a “precise” tone (2600Hz) into a telephone using a whistle from a cereal box…
  – Tone indicates caller has hung up → stops billing!
  – Then, whistle digits one-by-one
• “2600” magazine helps phreaks make free long-distance calls
• But, not all systems use SF for dialing…

Blue Boxes: Free Long Distance Calls
• Once trunk thinks call is over, use a “blue box” to dial desired number
  – Emits MF signaling tones
• Builders included members of California's Homebrew Computer Club:
  – Steve Jobs (AKA Berkeley Blue)
  – Steve Wozniak (AKA Oak Toebark)
• Red boxes, white boxes, pink boxes, …
  – Variants for pay phones, incoming calls, …

The Game is On
• Cat and mouse game between telcos and phreaks
  – Telcos can’t add filters to every phone switch
  – Telcos monitor maintenance logs for “idle” trunks
  – Phreaks switch to emulating coin drop in pay phones
  – Telcos add auto-mute function
  – Phreaks place operator assisted calls (disables mute)
  – Telcos add tone filters to handset mics
  – …
• The Phone System’s Fatal Flaw?
  – In-band signaling!
  – Information channel used for both voice and signaling
  – Knowing “secret” protocol = you control the system

Signaling System #7
• “Ma Bell” deployed Signaling System #6 in late 1970’s and SS#7 in 1980’s
  – Uses Common Channel Signaling (CCS) to transmit out-of-band signaling information
  – Completely separate packet data network used to setup, route, and supervise calls
  – Not completely deployed until 1990’s for some rural areas
• False sense of security…
  – Single company that owned entire network
  – SS7 has no internal authentication or security

US Telephone System (1978-)
• A dials B’s number
• Exchange collects digits and uses SS7 to query B’s exchange and assign all inter-office trunks
• Local exchange rings B’s phone
• SS7 monitors call and tears down trunks when either end hangs up

Cellular Telephony Phreaks
• Analog cellular systems deployed in the 1970’s used in-band signaling
• Suffered same fraud problems as with fixed phones
  – Very easy over-the-air collection of “secret” identifiers
  – “Cloned” phones could make unlimited calls
• Not (mostly) solved until the deployment of digital 2nd generation systems in the 1990’s

Today's Phone System Threats
• Deregulation in 1980’s
  – Anyone can become a Competitive Local ExChange (CLEC) provider and get SS7 access
  – No authentication → can spoof any messages (think CallerID)…
• PC modem redirections (1999-)
  – Surf “free” gaming/porn site and download “playing/viewing” sw
  – Software mutes speaker, hangs up modem, dials Albania
  – Charged $7/min until you turn off PC (repeats when turned on)
  – Telco “forced” to charge you because of international tariffs
• PBX hacking for free long-distance
  – Default voicemail configurations often allow outbound dialing for convenience
  – 1-800 social engineering (“Please connect me to x9011…”)

Phreaking Summary
• In-band signaling enabled phreaks to compromise telephone system integrity
• Moving signaling out-of-band provides added security
• New economic models mean new threats
  – Not one big happy family, but bitter rivals
• End nodes are vulnerable
  – Beware of default configurations!
• Social engineering of network/end nodes

Outline
• War stories from the Telecom industry
• War stories from the Internet: Worms and Viruses
• Crackers: from prestige to profit
• Lessons to be learned

Internet Worms
• Self-replicating, self-propagating code and data
• Use network to find potential victims
• Typically exploit vulnerabilities in an application running on a machine or the machine’s operating system to gain a foothold
• Then search the network for new victims

Morris Worm
• Written by Robert Morris while a Cornell graduate student (Nov 2-4, 1988)
  – Exploited debug mode bug in sendmail
  – Exploited bugs in finger, rsh, and rexec
  – Exploited weak passwords
• Infected DEC VAX (BSD) and Sun machines
  – 99 lines of C and >3200 lines of C library code

Morris Worm Behavior
• Bug in finger server
  – Allows code download and execution in place of a finger request
• sendmail server had debugging enabled by default
  – Allowed execution of a command interpreter and downloading of code
• Password guessing (dictionary attack)
  – Used rexec and rsh remote command interpreter services to attack hosts that share that
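
Added example (not part of the lecture slides): going back to the "The Game is On" and "Phreaking Summary" slides, this sketch shows what detecting in-band signaling on the voice path looks like, by flagging stretches of audio where the 2600 Hz supervisory tone carries most of the energy. The sample rate, frame size, thresholds and the synthetic audio are assumptions constructed for illustration.

```python
import math

SAMPLE_RATE = 8000   # Hz; assumed narrowband telephony sampling rate
FRAME = 160          # 20 ms frames, so 2600 Hz lands exactly on DFT bin 52
SF_TONE_HZ = 2600.0  # supervisory tone named on the slides
DOMINANCE = 0.8      # assumed threshold: share of frame energy at 2600 Hz
MIN_FRAMES = 10      # assumed guard time: 200 ms of continuous tone

def tone_share(frame, freq_hz=SF_TONE_HZ, rate=SAMPLE_RATE):
    """Fraction (0..1) of the frame's energy at freq_hz, via Goertzel."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:                     # silence: nothing to classify
        return 0.0
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(k)|^2 at the tone bin
    return min(1.0, 2.0 * power / (len(frame) * energy))

def find_sf_tone(samples):
    """Return [(start_s, end_s)] where 2600 Hz dominates for >= MIN_FRAMES."""
    hits, run_start = [], None
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):         # extra pass flushes a trailing run
        dominant = i < n_frames and tone_share(
            samples[i * FRAME:(i + 1) * FRAME]) >= DOMINANCE
        if dominant and run_start is None:
            run_start = i
        elif not dominant and run_start is not None:
            if i - run_start >= MIN_FRAMES:
                hits.append((run_start * FRAME / SAMPLE_RATE,
                             i * FRAME / SAMPLE_RATE))
            run_start = None
    return hits

def mix(seconds, *partials):
    """Constructed test audio: sum of (amplitude, freq_hz) sine partials."""
    n = round(seconds * SAMPLE_RATE)
    return [sum(a * math.sin(2 * math.pi * f * t / SAMPLE_RATE)
                for a, f in partials) for t in range(n)]

# Constructed call: voice-like audio (with a weak 2600 Hz partial), then a
# sustained pure 2600 Hz tone on the voice path, then voice-like audio again.
voice = [(0.5, 350), (0.4, 900), (0.2, 2600)]
call = mix(0.5, *voice) + mix(0.4, (0.8, 2600)) + mix(0.3, *voice)

print(find_sf_tone(call))  # intervals a monitor would flag for review
```

The dominance test and guard time keep ordinary audio that merely contains some 2600 Hz energy from being flagged; the structural fix on the slides remains moving signaling out of band.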

