WUSTL CSE 571S - Operating Systems Security


4-1 Operating Systems Security

Raj Jain
Washington University in Saint Louis
Saint Louis, MO
[email protected]
Audio/video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
©2009 Raj Jain, CSE571S, Washington University in St. Louis

4-2 Overview

- Layers of Security
- 10 Immutable Laws of Security
- Malware
- Defenses
- Passwords
- Application Security: Email, Browsing

4-3 Layers of Security

- A lock is as strong as the weakest door.

Layers shown on the slide:
Physical Security
OS Security
Network Security
Application Security
User Security

4-4 Common Operating Systems

- Windows (9x, XP, Vista)
- Windows Server (NT, 2000, 2003)
- Linux
- Linux Server
- Unix
- Solaris
- HPUX

Multiple books on security issues of each one.
Most malware exploits Windows – due to popularity.
⇒ We will mostly concentrate on Windows
We cover only a very small subset of issues.

4-5 10 Immutable Laws of Security

1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
2. If a bad guy can alter the operating system on your computer, it's not your computer anymore
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
4. If you allow a bad guy to upload programs to your website, it's not your website any more
5. Weak passwords trump strong security

4-6 Laws of Security (Cont)

6. A computer is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure as the decryption key
8. An out of date virus scanner is only marginally better than no virus scanner at all
9. Absolute anonymity isn't practical, in real life or on the Web
10. Technology is not a panacea

Ref: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

4-7 Where Malware Hides?

- Autoexec.bat or autoexec.nt can start malware before windows start
- Config.sys, config.nt
- Autorun.inf on CD-ROMs or even hard drives
- Boot.ini, bootsect.dos, command.com, dosstart.bat
- msdos.sys, io.sys
- Desktop.ini - Can be used to hide files and auto-launch programs when a folder is viewed
- Host, lmhost
- Manipulating SMTP server settings or the Host file and intercepting sent e-mail.

4-8 Malware (Cont)

- Nested archives (zip, rar, tar, cab) - detected only by recursive scanning
- Auto-run files in archives
- Embedded applications in Documents (word, PowerPoint, excel)
- Embedded macros in documents - Can secretly send a named doc to a remote sender
- OLE2 formatted documents can be executed
- Rasphone.pbk - Can modify dialup network setting including DNS and make long distance calls

4-9 Malware (Cont)

- Startup folder
- Web cache - malware dropped in by websites
- Path variable - illegitimate program will run then load legitimate program
- Trusted publishers - can execute programs w/o user approval
- Registry entries
- Embedded URLs in HTML Emails (can execute programs)

4-10 Malware Trends

- Moving from hobby to criminals ⇒ more attempts to gain financial information
- Viruses are distributed through compromised websites
- Compromised clients are then directed to download more malware

4-11 Magnitude of the Problem

- Messagelabs.com:
  - 69% of all emails is spam. 1 in 43 contain virus
  - 70% of all spam is sent from addresses of innocent users
- Antiphishing.org:
  - Phishing email increasing 26% per month
  - 2% to 15% of the phishing is successful
- Dell.com:
  - Average PC has 50 to 70 spyware infections
- Secretservice.gov:
  - 29% of all successful intrusions by insiders

4-12 Defenses

- Don't give users Admin access ⇒ Windows Vista requires "run as administrator" for Privileged operations:
  - Install or uninstall programs
  - Configure windows system settings
  - View or change security permissions
  - Change networking configuration
  - Stop, start, load, or pause services
  - Modify drivers
  - Registry
  - etc.

4-13 Defenses (Cont)

- Update often
- Use Personal firewall
- Use antivirus software - keep updated
- Use anti-spam
- Use anti-spyware
- Boot-up password
- Boot only from primary hard drive - Can't load NTFS4DOS
- Password protect the bios

4-14 Defenses (Cont)

- Disable guest account
- Rename administrator account - unlimited retries
- Rename guest account to administrator - helps catch hackers
- Run services on non-default ports https://x.com:3809
- Install software on non-default folders
- Use encrypted file system (EFS)
- Disable LM and NTLM authentication
- Enable account lockout after a certain number of tries ⇒ Potential DoS Attack

4-15 Defenses (Cont)

- Use two factor authentication - biometric, smart card, USB token, etc.
- Disable Simple File Sharing. SFS removes most NTFS permissions to close to Share. All connecting users come in as administrator or guests

4-16 Passwords

- Most people use only alphabets with dictionary words ⇒ Easily broken
- Common passwords: password, admin, 12345, ...
- Often leave manufacturer defined password unchanged
- Most people use the same passwords for all accounts ⇒ Get their password in a less secure environment and use it in a more secure environment

4-17 Windows Login Passwords

- Windows 2000 allows 127 character passwords with 64k possible characters ⇒ 4.9×10^611 passwords
- System managers can set policies: Requiring minimum length and types of characters
  - Upper case alphabets
  - Lower case alphabets
  - Numerals
  - symbols
  - Unicode characters: Alt+nnnn 4 #s numeric keypad
- Most keyboards have 94 characters ⇒ Most
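Added example (not part of the original slides): a recursive scanner for the "Nested archives" and "Auto-run files in archives" items on slide 4-8, flagging the auto-start file names listed on slide 4-7 at any nesting depth. It handles zip only; the depth and size limits, the function names and the sample archive are assumptions constructed for this illustration.

```python
import io
import zipfile

# File names from the slides' "Where Malware Hides" list that can auto-launch code.
AUTOSTART_NAMES = {"autorun.inf", "autoexec.bat", "autoexec.nt",
                   "config.sys", "config.nt", "desktop.ini"}
MAX_DEPTH = 5                  # assumption: refuse to descend further than this
MAX_MEMBER_BYTES = 10 * 2**20  # assumption: skip members declared larger than 10 MiB


def scan_zip(data, path="", depth=0):
    """Scan zip bytes; return (findings, warnings), descending into nested zips."""
    findings, warnings = [], []
    if depth > MAX_DEPTH:
        return findings, [f"{path}: nested deeper than {MAX_DEPTH}, not scanned"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            if info.filename.rsplit("/", 1)[-1].lower() in AUTOSTART_NAMES:
                findings.append(member)
            if info.file_size > MAX_MEMBER_BYTES:
                warnings.append(f"{member}: too large to unpack, not scanned")
                continue
            inner = zf.read(info)
            # Recognise a nested archive by its content, not its extension.
            if zipfile.is_zipfile(io.BytesIO(inner)):
                sub_findings, sub_warnings = scan_zip(inner, member, depth + 1)
                findings += sub_findings
                warnings += sub_warnings
    return findings, warnings


def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed input: an autorun file two archive levels down."""
    inner = make_zip({"setup/AUTORUN.INF": b"[autorun]\n", "setup/readme.txt": b"hi"})
    middle = make_zip({"docs/notes.txt": b"notes", "payload.dat": inner})
    return make_zip({"report.txt": b"q3", "attachments/bundle.zip": middle})


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

A scanner that looked only at the top level of the sample would see report.txt and one archive; anything it declines to unpack is reported as a warning rather than silently passed.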

