SUMMARY OF THE BLACK HAT BRIEFINGS (9-10 JULY 1997)

The Black Hat Briefings is a descendant of the DEF CON hacker conference held annually in Las Vegas, Nevada. The purpose of the Black Hat Briefings is to allow information systems security professionals and hackers to discuss technical and non-technical issues relating to computer security. This was the first year that the Black Hat Briefings were held. The conference conveniently occurred just before the DEF CON conference. There were 14 presentations over two days, not all of which are covered in this summary.
* Internet Attack Methodologies - Chris Goggans
* Auditing and Risk Analysis of Windows NT - Dominique Brezinski
* Firewalls: How the Firewall Fits into the Corporate Landscape - Myles Connley
* TCP/IP Internals: Everything You Wanted to Know About Hacking the TCP/IP Stack - Route
* Meet The Enemy - Ray Kaplan
* Denial-of-Service Attacks and Defensive Strategies - Sluggo
* Analysis of Microsoft Crypto and Software - Mudge
* Commercial Cryptography, Opportunities, Threats and Implementations - Bruce Schneier
* A Review of Free Software for Securing Systems and Networks - Peter Shipley
* Secure Source Code Review - Adam Shostack
* SNMP, SNMP2 Remote Management Security and Implementation Considerations - Jeremy Rauch
* CIFS and Other SMB Security Issues - Hobbit
* Legal Ramifications of Poorly Implemented Security - Yobie Benjamin
* Secure Implementations of ActiveX in a Corporate Environment - QMaster
* Business Impact Analysis: What is Worth Protecting, and When - The Priest

This report summarizes only those presentations attended by MITRE personnel. Slides of the presentations will soon be available on the World Wide Web (WWW) at http://www.blackhat.com. The following sections provide a summary of each presentation.

Internet Attack Methodologies - Chris Goggans

In this session, Chris Goggans provided an introduction to the techniques for breaking into a computer network. Mr. Goggans proposed four phases to an attack: network mapping, information gathering, bug exploitation, and masking the intrusion. In the network mapping phase, the attacker can make use of InterNIC queries (e.g., whois) to determine what network addresses are assigned to the target. Next, the attacker can attempt to use the Domain Name Service (DNS) to get a listing of the host names and Internet Protocol (IP) addresses of all registered computer systems.
Finally, the attacker can perform a ping (or Internet Control Message Protocol [ICMP] echo) scan of all addresses within the target's network address range. In the information gathering phase, the attacker can use the "finger" command to get the names of user accounts on the target's network. To get a list of network services that are available, the attacker can do a "port scan," where a tool is used to attempt a connection to each port number on a computer and record the successful attempts. Because there are tools to detect port scans, and because they are a clear indication to the target that they are being attacked, several "stealth" scan techniques have been developed. The most general-purpose technique is the "half-open" port scan. In this technique, the attacker runs a tool that initiates a connection just far enough to tell that the service is available, but does not complete it. Next, the attacker can check for Network File System (NFS)-exported filesystems on systems that are running the NFS service. The attacker can also take advantage of the Simple Network Management Protocol (SNMP) to gather additional information about the network. In the attack phase, the attacker can attempt to exploit known security holes in incorrectly configured tftp, old versions of ftp, old versions of sendmail, rexec, rlogin, rexd, NIS, NIS+, NFS, the X Window System, DNS, gopher, Kerberos, Server Message Block (SMB), Network News Transfer Protocol (NNTP), Post Office Protocol (POP)/Internet Message Access Protocol (IMAP), Hypertext Transfer Protocol (HTTP), rpc statd, and walld. The attacker can also use "IP address spoofing" to pretend to be a trusted host, and thereby gain access to NFS, rlogin, or rexec. A brief explanation was given for each security hole. Once the attacker has broken into a computer system on the corporate network, the attacker can use the victim host to watch for plaintext passwords sent across the network.
If the attacker wishes to do a denial-of-service attack, there is SYN flooding, User Datagram Protocol (UDP) flooding, ICMP redirect, ping flooding (for overloading low-bandwidth Internet connections), and the ping of death (for old operating systems that have not been patched). These attacks can render a host (or a network) inaccessible. Mr. Goggans suggested browsing the World Wide Web site of the Computer Underground Society at http://www.underground.com for more information on vulnerabilities. In the intrusion masking phase, the attacker edits log files, audit files, and process accounting files to remove all recorded information about the attack. An attacker may choose to install software onto the machine so it will be easier to break into the machine later. Through the use of a "root kit," the attacker can hide this software from the system administrator. A "root kit" could, for example, modify standard system commands so that the attacker's software will be ignored.

Auditing and Risk Analysis of Windows NT - Dominique Brezinski

Many people are wondering if Windows NT is really secure. Mr. Brezinski attempted to answer this question by giving an overview of the security mechanisms of Windows NT, existing (and future) vulnerabilities, and techniques and tools for assessing security posture. The security mechanisms of Windows NT that were discussed were console login, network login, and object access. Vulnerabilities discussed included anonymous connections (null credentials), network authorization, buffer overflows, Trojan horses, file permissions, and privilege escalation (e.g., getadmin). To secure a Windows NT machine, Mr. Brezinski suggested reducing the number of services, securing file permissions (he referenced Microsoft's Guidelines for Securing Windows NT-based Networks and Systems), securing registry permissions, and using automated tools to check for known vulnerabilities. The use of password-checking programs and port scanners was also recommended.
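The "half-open" scan described in the Internet Attack Methodologies summary above is designed to slip past port-scan detection tools. As an added example (not code from the briefings or from any tool named on this page), the Python below shows the detection side: it flags sources whose SYNs to many distinct ports are never followed by the client's handshake-completing ACK, run over a constructed packet capture.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def detect_half_open_scans(packets, threshold=5, window=10.0):
    """Return {source: sorted ports} for sources whose SYNs to at least
    `threshold` distinct ports within `window` seconds were never followed
    by the client's own ACK. A normal client completes the handshake; a
    half-open scanner answers the SYN-ACK with RST or silence."""
    flows = {}  # (src, sport, dst, dport) -> [syn_time, completed]
    for p in sorted(packets, key=lambda q: q.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            flows[key] = [p.ts, False]
        elif p.flags == "A" and key in flows:
            flows[key][1] = True          # client finished the handshake
    probes = defaultdict(list)            # src -> [(syn_time, dport)]
    for (src, _sp, _dst, dport), (ts, completed) in flows.items():
        if not completed:
            probes[src].append((ts, dport))
    alerts = {}
    for src, events in probes.items():
        events.sort()
        for start, _ in events:           # slide a window over SYN times
            ports = {dp for ts, dp in events if start <= ts <= start + window}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts


# Constructed capture: 10.0.0.9 half-open scans six ports on 192.0.2.10
# (RST back on open ports, never an ACK); 10.0.0.5 is a normal web client.
SERVER = "192.0.2.10"
SAMPLE = [
    Packet(1.00, "10.0.0.5", 51000, SERVER, 80, "S"),
    Packet(1.01, SERVER, 80, "10.0.0.5", 51000, "SA"),
    Packet(1.02, "10.0.0.5", 51000, SERVER, 80, "A"),
]
for i, port in enumerate([21, 22, 23, 25, 80, 110]):
    t = 2.0 + i
    SAMPLE.append(Packet(t, "10.0.0.9", 40000 + i, SERVER, port, "S"))
    if port in (22, 25, 80):              # open ports answer SYN-ACK ...
        SAMPLE.append(Packet(t + 0.01, SERVER, port, "10.0.0.9", 40000 + i, "SA"))
        SAMPLE.append(Packet(t + 0.02, "10.0.0.9", 40000 + i, SERVER, port, "R"))
    else:                                 # ... closed ports answer RST
        SAMPLE.append(Packet(t + 0.01, SERVER, port, "10.0.0.9", 40000 + i, "R"))

if __name__ == "__main__":
    print(detect_half_open_scans(SAMPLE))
```

The legitimate client never appears in the result because its flow completed; tightening `window` or raising `threshold` trades sensitivity against false alarms from clients that merely retry one failing port.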
Firewalls: How the Firewall Fits into the Corporate Landscape - Myles Connley

In this session, Myles Connley provided a high-level overview of what a firewall is, why it is important, what types of firewalls are available, and some attacks that firewalls cannot repulse. Mr. Connley listed five types of firewall technologies: packet filters, proxy gateways, network address translation, intrusion detection, and logging. A packet filter comes in two forms: standard and stateful. A standard packet filter looks at individual network packets to decide whether to permit or deny the packet based on source address, destination address, source port and destination port, and whether the packet is a new connection or part of an existing connection. A stateful packet filter tracks the last few minutes of network activity, and determines if the packets should be allowed through the firewall. The disadvantages of packet filters are their limited ability to detect attacks on permitted network services and poor logging facilities. A proxy is an application that runs on the firewall and receives requests that are forwarded from inside the private network to the outside. The disadvantages of proxies are lower throughput and the danger that the proxies may be vulnerable to penetration. Network address translation hides the network addresses of systems inside of a private network from systems on the Internet. The disadvantage of network address translation is that it often cannot handle complex protocols. Intrusion detection firewalls work by watching a network for well-known attacks and breaking connections that appear to be malicious. The disadvantages of intrusion detection firewalls are that they can generate a lot of false alarms and can be too late by the time they detect a real intrusion. Logging is a useful tool to have in case legal recourse is needed against a successful intruder.
The disadvantage of logging is that it is very administrator intensive to maintain and review the logs.

TCP/IP Internals: Everything You Wanted to Know About Hacking the TCP/IP Stack - Route

Route (or "Mike"), the editor of Phrack magazine, gave a tutorial on Transmission Control Protocol (TCP)/IP vulnerabilities. The topics covered included many well-known attacks such as SYN flooding and session hijacking. He demonstrated a tool called "Juggernaut" (in Phrack 50, available at http://www.fc.net/phrack.html) that exploited many of the vulnerabilities discussed in his presentation. He also demonstrated a new tool, "Loki2", to be published in Phrack 51. This tool is basically a secure shell that uses Diffie-Hellman key exchange and 160-bit Blowfish encryption. The unique aspect of the tool is that it can use ICMP or UDP packets for transport. These packets can sometimes slip by filtering routers and some firewall configurations. He suggested that the tool could be used to provide a "back door" for hackers once they have obtained access to a system. By compiling this code into the kernel of the attacked machine, the hacker could obtain root access to the machine at a later date. When the kernel sees the specially formatted ICMP or UDP packet, it will start a root shell. The session would be encrypted as before. He said that people have known about these vulnerabilities for years, but that no attention was given to these problems until people started exploiting them.

Meet the Enemy - Ray Kaplan

The purpose of this session was to allow security professionals to ask a panel of expert hackers about computer security issues. The hackers admitted that not any one of them knew everything about hacking. However, they did know from whom to get information if they needed it. One member of the audience asked what the panel thought would be the source of the next series of attacks. For example, buffer overflows seem to be so popular now.
Every panel member agreed that the next class of attacks would be at the link layer: attacking routers, switches, smart hubs, and firewalls. They also anticipated the discovery of many more Windows NT vulnerabilities in the future. When asked about Asynchronous Transfer Mode (ATM), the panel agreed that ATM is okay, but that many implementations of old protocols (e.g., TCP/IP) over ATM can be insecure. The panel was asked how hard it is to attack cryptography systems. The panel members agreed that in general, attacking the cryptography itself is really never done. Finding weaknesses in the implementation is much easier. One member of the audience asked about the issue of releasing complete source code for exploits. For the most part, the hackers agreed that they should try to contact the vendor first and allow time for a fix. If the exploit is exceptionally bad, they may "cripple" the script to prevent "script kiddies" from running amok with it. However, the panel agreed that most vendors do not see a need to fix a problem unless the exploit code is made public.

Denial-of-Service Attacks and Defensive Strategies - Sluggo

This session provided information about different types of denial-of-service attacks, tools that are available to launch these attacks, and techniques that are available to protect against them. These are attacks which cause a computer system or a whole network to become unresponsive or unavailable. Denial-of-service attacks include SYN flooding (using "Neptune" or "flood" tools), data/service bombs (such as UDP, ICMP, and finger), service loops (where a service is fooled into sending data to itself in an infinite loop), e-mail spamming (using "UpYours," "Avalanche," "Unibomb," and "DnD" tools), hostile Java applets (such as "Ungr8ful" and "Downtime"), and DNS attacks. In the case of cache corruption problems, it was recommended that a site have the latest version of DNS and bind software.
In the case of SYN flooding, it was recommended that the site use a router that provides SYN protection. In the case of e-mail spamming, it was recommended that the site set up e-mail filters to block sites that launch spamming attacks. In the case of ping flooding (or the "ping of death"), it was recommended that the site install the latest vendor patches to their operating systems and block ICMP packets at their router or firewall. To protect against hostile Java applets, it was recommended that Java be disabled either at the browser or at the firewall. If this is not done, it was recommended that when a user wishes to enter sensitive information on a site, the user should first quit the browser, then restart it, then clear the disk cache, and repeat this procedure when finished accessing the potentially hostile web site. Clearing the disk cache in this way will protect against the majority of known Java and JavaScript vulnerabilities. The presenter hinted that additional security vulnerabilities may be revealed in the browser cache mechanism in the next few months.

Analysis of Microsoft Crypto and Software - Mudge

Mudge, the author of L0phtCrack (a Windows NT password cracker), presented details on the development of L0phtCrack, how it works, and items that are included in L0phtCrack 1.5, the latest release. He also noted possible additions for version 2.0. Details of how L0phtCrack works are given in Hobbit's presentation on Common Internet File System (CIFS) security. Mudge went over some of the basics, however. The Windows NT password table contains two hashes. One is an MD4 hash of the 128-character Windows NT password. The other hash (used for network authentication) is based on only the first 14 characters of the capitalized NT password. This second hash, used with the LANMAN authentication protocol, contains certain weaknesses that make it easier for programs like L0phtCrack to crack the password.
One weakness is that rather than having to search all of the possible character combinations for the 14-character password, the program only needs to look at capital letters. However, this still leaves a search space on the order of 14 characters. But because of the way the LANMAN hash works, it is very easy to reduce this search space to the order of 7 characters. The LANMAN hash "splits" the password and a separate hash is computed for each half. So in terms of computation, the search space is really over just 7 characters, except that it is being done twice. This makes it feasible to perform a brute-force attack (i.e., try all possible combinations) on the password. Mudge mentioned additions to L0phtCrack 1.5 that will allow searches for 16-character passwords. This version also allows the user to crack NT challenge/response sessions that have been captured from the network (which contain both hash values). Microsoft has responded to this with a "hotfix" that can force NT clients to not transmit the LANMAN hash. However, in a mixed environment with NT and 95 machines, 95 machines will still be sending LANMAN hashes.

Commercial Cryptography, Opportunities, Threats and Implementations - Bruce Schneier

Mr. Schneier pointed out the many benefits of cryptography and the fact that most products on the market do not use cryptography. Of those that do, many are poorly implemented. Some inhibit the user, so that the user chooses to go without the security features. Others have hidden flaws that give the user a false sense of security. Above and beyond all these problems is the fact that none of the current products scale well.

A Review of Free Software for Securing Systems and Networks - Peter Shipley

In this session, Peter Shipley provided an overview of the free utilities that are designed to protect a corporate network.
The topics included Email security, firewall tools, network encryption tools, network monitoring tools, auditing tools, Unix login tools, Unix auditing tools, and Unix operating systems. Examples of each type of tool were provided, as well as a list of Uniform Resource Locators (URLs) to access the free utilities. The tools mentioned for each tool type included:

* Email Security
  * PGP, RIPEM, TIS-PEM, SENDMAIL, QMAIL
* Firewall Tools
  * Drawbridge, Karlbridge, SCREEND, TIS Toolkit, Socks, XP-Beta
* Network Encryption Tools
  * S/WAN, swIPe
* Auditing Tools
  * SATAN, ISS, Toneloc, Crack, Courtney, Gabriel, Scan-Detector
* UNIX Login Tools
  * SSH, S/Key, Kerberos, Shadow, Npasswd, Passwd+
* Access Control Utilities
  * TCP Wrapper, Securelib, Xinetd
* UNIX Monitoring Tools
  * Tripwire, SWATCH, COPS
* Network Daemons
  * IDENTD, Xinetd, RPCBIND

Secure Source Code Review - Adam Shostack

In this session, Adam Shostack provided some recommendations on how to perform an effective source code review. Mr. Shostack's recommendation is to limit a code review to two hours and a maximum of 5,000 lines of code. It should be the goal to make the review as comfortable an experience as possible. Mr. Shostack suggests providing comfortable chairs and snacks. After these initial recommendations, Mr. Shostack provided some of the security issues to watch for when reviewing the source code. The main recommendations are to set the environment to a safe state, watch for proper parsing of input to the program (the user interface, input files, and parameters), watch for "race conditions" (where a properly timed attack could thwart the security of the software), watch for unsafe operating system calls, and verify that the program performs good internal error checking.

SNMP, SNMP2 Remote Management Security and Implementation Considerations - Jeremy Rauch

This session discussed issues with the various versions of SNMP. SNMPv1 has several well-known security flaws.
It uses weak authentication, which makes it susceptible to replay attacks and IP spoofing. An attacker could use these weaknesses to gain information about the network, including routing tables, network topology, traffic patterns, and filter rules. SNMPv2 includes some security features to prevent replay attacks. A hash of the packet and a secret passphrase can be included with an authenticated message. It is also possible to encrypt the message. However, Mr. Rauch pointed out that one of the fields, privDst, is duplicated in the distParty field (which gets encrypted using the Data Encryption Standard (DES) algorithm). This could allow for a known plaintext attack against DES. The DES passphrase is a 16-character, user-defined passphrase. The passphrase could also be susceptible to dictionary attacks. Mr. Rauch briefly discussed SNMPv3, which is still in draft. The new version should address time drift and replay attacks.

CIFS and Other SMB Security Issues - Hobbit

The Common Internet Filesystem (CIFS) is the Windows NT equivalent of NFS. It is supposed to be more secure than NFS, but Hobbit pointed out many issues that need to be addressed regarding CIFS. The first step in attacking CIFS is to determine the names of the resources that are being shared. Establishing a session with some of these shared resources can be as simple as specifying a null username. If this does not work, an authentication session can be observed using a sniffer, and a password-cracking utility such as L0phtCrack can be used to determine the password. Hobbit described LANMAN and Windows NT password hashing in detail. SMB message signing and NT challenge/response authentication were also discussed.

Legal Ramifications of Poorly Implemented Security - Yobie Benjamin

In this session, Yobie Benjamin pointed out the necessity for a business to have a well-implemented security policy. The danger is that employers can be held liable for the illegal actions of their employees.
Numerous examples were provided. Mr. Benjamin said that a company can be held liable if the employee's action has some connection to the performance of a job-related activity. The company could be liable even if the employee acts on his or her own, contrary to the express instructions of the company. This is the case even for low-level employees, where it may be understood that the employee is not speaking or acting on behalf of the company. Next, Mr. Benjamin talked about the Federal Sentencing Guidelines for Organizational Defendants. According to Mr. Benjamin, this document permits fines up to $290 million to be applied to an organization that is found guilty. The actual fine is based on the culpability of the organization, which is measured by "reviewing the steps taken by the organization prior to the offense to prevent and detect criminal conduct and the level and extent of involvement in, or tolerance of, the offense by certain personnel and the organization's actions after the offense has been committed." Given this information, it was stressed that it is important to be able to demonstrate that the company had taken steps to prevent illegal activity.

Secure Implementations of ActiveX In a Corporate Environment - QMaster

This presentation covered ActiveX security. Authenticode was presented as a way to ensure that ActiveX controls come from a valid source. However, it was acknowledged that this really only lets users know who has attacked them. Blocking these controls at the firewall was also discussed.
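As a closing worked example added to this summary (not code from the briefings, from L0phtCrack, or from Microsoft), the Python below models the LANMAN hash structure described in the L0phtCrack and CIFS summaries above: uppercase, truncate to 14 characters, NUL-pad, split into two 7-byte halves hashed independently. It uses SHA-256 as a labelled stand-in for the DES step so it runs on the standard library, and the sample password and the "ABC" alphabet used for the demonstration are constructed.

```python
import hashlib
from itertools import product


def _half_hash(half: bytes) -> str:
    # Stand-in for the real DES step (each 7-byte half is used as a DES key to
    # encrypt a fixed constant). SHA-256 is substituted here, an assumption so
    # the model runs offline; the split structure under study is unchanged.
    return hashlib.sha256(half).hexdigest()[:16]


def lm_style_hash(password: str) -> tuple:
    """Model of LANMAN hashing: uppercase, keep at most 14 characters,
    NUL-pad to 14 bytes, split into two 7-byte halves, hash each half on
    its own. Returns (first_half_hash, second_half_hash)."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return _half_hash(raw[:7]), _half_hash(raw[7:])


# Hash of an all-NUL half: every password of 7 or fewer characters carries
# this as its second half, so an audit can spot short passwords without
# cracking anything.
EMPTY_HALF = _half_hash(b"\x00" * 7)


def password_is_short(lm_hash: tuple) -> bool:
    return lm_hash[1] == EMPTY_HALF


def search_space(charset_size: int, length: int = 14) -> tuple:
    """Guesses needed for passwords of up to `length` characters when the hash
    covers the whole password versus two independently hashed halves."""
    monolithic = sum(charset_size ** n for n in range(1, length + 1))
    half = (length + 1) // 2                      # 7 for the LANMAN case
    per_half = sum(charset_size ** n for n in range(0, half + 1))  # n=0: empty
    return monolithic, 2 * per_half


def crack_half(target: str, charset: str, max_len: int = 7):
    """Brute-force one half on its own; returns (plaintext or None, guesses)."""
    guesses = 0
    for n in range(0, max_len + 1):
        for combo in product(charset, repeat=n):
            guesses += 1
            cand = "".join(combo).encode().ljust(7, b"\x00")
            if _half_hash(cand) == target:
                return "".join(combo), guesses
    return None, guesses


def crack(lm_hash: tuple, charset: str, max_len: int = 7):
    """Recover the uppercased password by attacking the halves independently,
    which is why the cost is about 2 * N^7 guesses rather than N^14."""
    first, g1 = crack_half(lm_hash[0], charset, max_len)
    second, g2 = crack_half(lm_hash[1], charset, max_len)
    if first is None or second is None:
        return None, g1 + g2
    return first + second, g1 + g2


if __name__ == "__main__":
    full, split = search_space(26)            # uppercase letters only
    print(f"14-char space as one unit: {full:.3e}; as split halves: {split:.3e}")
    h = lm_style_hash("abcabcacb")            # constructed sample password
    print(password_is_short(h), crack(h, "ABC"))
```

The `search_space` figures show why the "hotfix" that stops NT clients from sending the LANMAN hash matters: with the hash on the wire, the effective search is over two 7-character halves, not one 14-character password.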