Operating Systems Security
Raj Jain
Washington University in Saint Louis, Saint Louis, MO 63130
jain@cse.wustl.edu
Audio/video recordings of this lecture are available at http://www.cse.wustl.edu/~jain/cse571-07/
Washington University in St. Louis, CSE571S, 4-1, 2007 Raj Jain

Overview (4-2)
- Layers of Security
- 10 Immutable Laws of Security
- Malware
- Defenses
- Passwords
- Application Security: Email, Browsing

Layers of Security (4-3)
- Application Security
- Network Security
- OS Security
- User Security
- Physical Security
- A lock is only as strong as its weakest door.

Common Operating Systems (4-4)
- Windows: 9x, XP, Vista; Windows Server: NT, 2000, 2003
- Linux, Linux Server
- Unix: Solaris, HPUX
- Multiple books exist on the security issues of each one
- Most malware exploits Windows because of its popularity
- We will mostly concentrate on Windows, and cover only a very small subset

10 Immutable Laws of Security (4-5)
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4. If you allow a bad guy to upload programs to your website, it's not your website anymore.
5. Weak passwords trump strong security.

Laws of Security (Cont.) (4-6)
6. A computer is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the Web.
10. Technology is not a panacea.
Ref: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Where Malware Hides (4-7)
- Autoexec.bat or autoexec.nt: can start malware before Windows starts
- Config.sys, config.nt
- Autorun.inf on CD-ROMs or even on hard drives
- Boot.ini, bootsect.dos, command.com, dosstart.bat, msdos.sys, io.sys
- Desktop.ini: can be used to hide files and auto-launch programs when a folder is viewed
- Hosts, lmhosts: manipulating SMTP server settings or the Hosts file and intercepting sent e-mail

Malware (Cont.) (4-8)
- Nested archives (zip, rar, tar, cab): detected only by recursive scanning
- Auto-run files inside archives
- Embedded applications in documents (Word, PowerPoint, Excel)
- Embedded macros in documents: can secretly send a named document to a remote address
- OLE2-formatted documents can be executed
- Rasphone.pbk: can modify dial-up networking settings, including DNS, and make long-distance calls

Malware (Cont.) (4-9)
- Startup folder
- Web cache: malware dropped in by websites
- PATH variable: an illegitimate program earlier in the path runs first, then loads the legitimate program
- Trusted publishers can execute programs without user approval
- Registry entries
- Embedded URLs in HTML e-mails can execute programs

Malware Trends (4-10)
- Moving from hobby to criminals: more attempts to gain financial information
- Viruses are distributed through compromised websites
- Compromised clients are then directed to download more malware

Magnitude of the Problem (4-11)
- Messagelabs.com: 69% of all e-mail is spam; 1 in 43 messages contains a virus; 70% of all spam is sent from the addresses of innocent users
- Antiphishing.org: phishing e-mail is increasing 26% per month; 2% to 15% of phishing is successful
- Dell.com: the average PC has 50 to 70 spyware infections
- Secretservice.gov: 29% of all successful intrusions are by insiders

Defenses (4-12)
- Don't give users Admin access
- Windows Vista requires "Run as administrator" for privileged operations:
  - Install or uninstall programs
  - Configure Windows system settings
  - View or change security permissions
  - Change networking configuration
  - Stop, start, load, or pause services
  - Modify drivers, the Registry, etc.

Defenses (Cont.) (4-13)
- Update often
- Use a personal firewall
- Use antivirus software and keep it updated
- Use anti-spam
- Use anti-spyware
- Boot-up password
- Boot only from the primary hard drive (so NTFS4DOS can't be loaded)
- Password-protect the BIOS

Defenses (Cont.) (4-14)
- Disable the guest account
- Rename the administrator account (it allows unlimited login retries)
- Rename the guest account to "administrator": helps catch hackers
- Run services on non-default ports, e.g., https://x.com:3809
- Install software in non-default folders
- Use the Encrypting File System (EFS)
- Disable LM and NTLM authentication
- Enable account lockout after a certain number of tries (potential DoS attack)

Defenses (Cont.) (4-15)
- Use two-factor authentication: biometric, smart card, USB token, etc.
- Disable Simple File Sharing (SFS): it removes most NTFS permissions, coming close to "share all"; every connecting user comes in as administrator or guest

Passwords (4-16)
- Most people use only alphabetic characters and dictionary words: easily broken
- Common passwords: password, admin, 12345
- Often the manufacturer-defined password is left unchanged
- Most people use the same password for all accounts: an attacker gets the password in a less secure environment and uses it in a more secure one

Windows Login Passwords (4-17)
- Windows 2000 allows 127-character passwords over 64K possible characters: 4.9 × 10^611 passwords
- System managers can set policies requiring a minimum length and types of characters: upper-case letters, lower-case letters, numerals, symbols, Unicode characters (Alt+nnnn, four digits on the numeric keypad)
- Most keyboards have 94 characters, so most hackers will try only 94 possibilities per position
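The "Passwords" and "Windows Login Passwords" slides above can be turned into a concrete check. The following is an added example for this page, not course material: a small policy validator plus an estimate of the attacker's search space under the slide's assumption that an attacker enumerates only the character classes the password actually uses. The policy thresholds (minimum 8 characters, three of four classes) are assumptions chosen here; the common-password list is the slide's own three entries; the 94-character set is printable ASCII, matching "most keyboards have 94 characters".

```python
"""Password policy check and attacker search-space estimate.

Added example (not course material). The policy numbers are assumptions;
the common-password list is the slide's own three entries; the
94-character set is printable ASCII.
"""
import math
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars
COMMON_PASSWORDS = {"password", "admin", "12345"}  # from the slide; real lists are far longer

CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}
UNICODE_ALPHABET = 65536  # slide: "64K possible characters" (Alt+nnnn entry)


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(ch in chars for ch in password)}


def check_policy(password, min_len=8, min_classes=3):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(classes_used(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a well-known password")
    return problems


def attacker_keyspace_bits(password):
    """Work, in bits, for an attacker who enumerates every string of this
    length over the character classes the password actually uses. An
    all-lowercase password gives 26 choices per position, a mixed one 94,
    and any non-ASCII character forces the full 64K range (assumed model)."""
    if not password:
        return 0.0
    if any(ch not in PRINTABLE for ch in password):
        alphabet = UNICODE_ALPHABET
    else:
        alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def max_password_space_log10(length=127, alphabet=UNICODE_ALPHABET):
    """log10 of the number of distinct passwords the slide's limits allow
    (127 characters from 64K symbols): about 611.7, i.e. 4.9 x 10^611."""
    return length * math.log10(alphabet)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "passw\u00f6rd"):   # constructed samples
        print(f"{pw!r}: violations={check_policy(pw)} "
              f"attacker bits={attacker_keyspace_bits(pw):.1f}")
    print(f"max space: 10^{max_password_space_log10():.1f}")
```

The keyspace figure is the point of the slide: eight lowercase letters give an attacker under 38 bits of work, while eight characters drawn from all four classes give over 52, and a single Alt+nnnn character pushes the per-position alphabet from 94 to 65536.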
Password Hashing (4-18)
- Windows uses LAN Manager (LM) hashes or NT hashes
- The LM hash is case insensitive and truncates the password to 14 characters
- The LM hash is not salted: it produces the same output if two accounts use the same password
- Salted: a random value is mathematically combined with the password before hashing
- Challenge-response is used over the network

Password Attacks
- Password resetting is much easier than cracking
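The three LM weaknesses named on the "Password Hashing" slide (case folding, truncation to 14 characters, no salt) can be shown side by side with a salted scheme. The following is an added example, not course material. The real LM hash DES-encrypts a fixed constant under each 7-byte half of the upper-cased, 14-byte password; lm_like_hash() below keeps exactly those structural properties but substitutes SHA-256 for DES so the code runs on the Python standard library alone, so its outputs are not real LM hashes. The salted scheme uses PBKDF2-HMAC-SHA256 with a 16-byte random salt and 100000 iterations, both parameters chosen here rather than prescribed by the slide.

```python
"""Unsalted, case-folding, truncating hash versus a salted hash.

Added example (not course material). lm_like_hash() models the structure
of LM (uppercase, 14-byte truncation, two independent 7-byte halves, no
salt) with SHA-256 in place of DES, so it does NOT produce real LM hashes.
PBKDF2 parameters below are this example's choice.
"""
import hashlib
import hmac
import os


def lm_like_hash(password):
    """Structural model of LM: uppercase, pad/truncate to 14 bytes, hash each
    7-byte half on its own, no salt. Returns the two half-hashes as hex."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return tuple(hashlib.sha256(half).hexdigest()[:16] for half in (padded[:7], padded[7:]))


def salted_hash(password, salt=None, iterations=100_000):
    """Salted, iterated hash. Returns (salt_hex, digest_hex); the salt is
    stored beside the digest so the password can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, digest_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)


def find_shared_passwords(user_hashes):
    """Group users whose stored hashes are identical. With an unsalted scheme
    this directly reveals password reuse across accounts (the slide's "same
    output if two accounts use the same password"); with salted hashes the
    same query finds nothing even when passwords are shared."""
    by_hash = {}
    for user, stored in user_hashes.items():
        by_hash.setdefault(stored, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    print(find_shared_passwords({"alice": lm_like_hash("Secret1"), "bob": lm_like_hash("secret1")}))
    # A password of 7 characters or fewer leaves the second half constant.
    print(lm_like_hash("abcdefg")[1] == lm_like_hash("1234567")[1])
    salt, digest = salted_hash("Secret1")
    print(verify_salted("Secret1", salt, digest), verify_salted("secret1", salt, digest))
```

Two observations from running it: under the LM-like scheme "Secret1" and "secret1" collide, and every password of at most seven characters shares the same second half-hash, which is the reason the slide recommends disabling LM authentication; under the salted scheme the same password stored for two users yields two different digests, so a duplicate-hash query over the account database reveals nothing.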
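The "Where Malware Hides" slides above list the Hosts file as a place where malware redirects mail or blocks update sites. The following is an added example, not course material: an audit that parses a Windows-style hosts file and flags any entry overriding a name the defender cares about, distinguishing a loopback mapping (service silently blocked) from a redirect to another address. The sample hosts file and the list of sensitive names are constructed for the demonstration; 198.51.100.23 is from the TEST-NET-2 documentation range, not a real host.

```python
"""Audit a Windows-style hosts file for entries that override sensitive names.

Added example (not course material). SAMPLE_HOSTS and SENSITIVE_SUFFIXES
are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed sample hosts file. The first three lines are the normal
# defaults; the last two are the kind of entry malware adds to hijack an
# outgoing mail server or to block an antivirus update site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   smtp.example.com           # constructed: mail hijack
127.0.0.1       update.antivirus.example   # constructed: AV update blocked
"""

# Names whose resolution a defender wants left to DNS (assumed list).
SENSITIVE_SUFFIXES = ("smtp.example.com", "antivirus.example")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped and
    a line carrying several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (ip, name, reason) for every entry that overrides a sensitive
    name. Any such entry is a finding: a loopback mapping silently breaks
    the service (updates, AV), and any other address redirects its traffic."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not name.endswith(SENSITIVE_SUFFIXES):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed address"))
            continue
        reason = "blocked (loopback)" if addr.is_loopback else "redirected"
        findings.append((ip, name, reason))
    return findings


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:30} -> {ip:16} {reason}")
```

On a real system the text would come from %SystemRoot%\System32\drivers\etc\hosts, and the sensitive list would name the organisation's own mail, update and security-vendor domains; the parser deliberately ignores "localhost" lines so a clean default file produces no findings.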