Apply Your Knowledge

Exercises

7.1. Examining a Buffer-Overflow Vulnerability

This exercise takes an in-depth look at the Microsoft Outlook buffer-overflow vulnerability described in the “Buffer-Overflow Attacks” section of this chapter.

Estimated Time: 15 minutes

NOTE

Microsoft Security Bulletin MS00-043 This exercise directs you to a specific page on the Microsoft Web site. As the Internet is constantly changing, it's possible that the URL might change in the future. If the link does not work, use the Search link on the Microsoft homepage to look for “Microsoft Security Bulletin MS00-043.”


1.
Open your Web browser and point it to http://www.microsoft.com/technet/security/bulletin/ms00-043.asp. This is the official security bulletin from Microsoft detailing the Outlook buffer-overflow vulnerability.

2.
Review the technical description of the vulnerability. What are the possible ramifications if this vulnerability were exploited by a hacker on an unpatched system?

3.
Review the frequently asked questions section of the bulletin. What steps would a malicious user need to take to exploit this vulnerability?

4.
What steps does Microsoft recommend taking to ensure that systems are safeguarded against this vulnerability?

7.2. Setting Up a Computer Incident Response Team

Every security-conscious organization should have a Computer Incident Response Team (CIRT) prepared to react to possible computer-security incidents. This exercise demonstrates the basic principles behind forming such a team.

Estimated Time: 1 hour

1.
Write a mission statement for your CIRT. It should simply explain the reason the team is being formed and its objectives.

2.
Develop an organizational structure for the team. What areas of your organization will be represented? Who will lead the team? To whom will the team report?

3.
Write incident-notification procedures for the team. Who will have the authority to declare an incident and activate the team? What activation procedures will be followed during normal business hours? What steps should be taken if an incident takes place overnight or on the weekend? How soon after an incident notification occurs should the team be assembled?

4.
Write incident-response procedures for the team. What steps will the team take when an incident occurs? Will the team immediately seek assistance from law enforcement or a higher-level CIRT? What standards of evidence collection will be followed?

7.3. Antispoofing Techniques

In the “Denial-of-Service Attacks” section of this chapter, you learned of the danger that spoofed packets pose to your network's security. This exercise demonstrates basic antispoofing principles.

Estimated Time: 15 minutes

1.
Describe several of the reasons a malicious individual might want to send spoofed packets into or out of your network.

2.
What are some of the network devices/systems on your network that you might be able to use to detect such packets?

3.
Describe how you would implement antispoofing rules on those devices. Write any necessary device-specific rules that implement those techniques.

Review Questions

1:What legal limitations are placed on investigators gathering evidence that may be used in the prosecution of a computer crime?
2:What are some of the physical threats that should be considered when designing a comprehensive computer security plan?
3:Name several of the techniques viruses use to avoid detection by virus-scanning software.
4:What is the most critical element necessary to preserve the chain of evidence when preparing to prosecute a computer crime?
5:What type of evidence should be gathered when preparing to present a case to prosecutors?

Exam Questions

1:Which of the following attacks utilize ICMP to cause a denial of service?
  1. Land

  2. SYN flood

  3. Smurf

  4. Rootkit

2:John is a system administrator with XYZ Corporation attempting to track down the source of a security penetration. He's isolated the activity to several systems in a single department and noticed that the users of those machines all recently started playing a game that one employee received from a friend via email. What type of malicious code should John suspect?
  1. Virus

  2. Trojan horse

  3. Worm

  4. Logic bomb

3:Exactly one year after the termination of a problem system administrator, all the data on a server utilized by that administrator mysteriously disappeared. What type of malicious code was likely behind this occurrence?
  1. Virus

  2. Trojan horse

  3. Worm

  4. Logic bomb

4:Which of the following attacks utilize a “brute-force” approach to cause a denial of service?
  1. Smurf

  2. Land

  3. Teardrop

  4. SYN flood

5:Which of the following hacker tools is used to automate a dictionary attack against a system?
  1. Satan

  2. Saint

  3. Crack

  4. Nmap

6:Several users in your organization recently reported that they received telephone calls from the IT Department requesting their passwords to assist with system maintenance. You're quite certain that nobody in the IT Department actually made these telephone calls. What type of attack may be taking place?
  1. Man-in-the-middle

  2. Back door

  3. Rootkit

  4. Social engineering

7:Mary is a Unix system administrator for a large organization. She notices that there is unusual activity from the accounts of several users outside of normal business hours. She suspects that hackers may have used a tool to find weak passwords on her system and wants to use the Crack utility to detect others. She should download Crack and use it on the _______ file.
  1. /usr/secret

  2. /etc/passwd

  3. /usr/login

  4. /etc/users

8:Which one of the following security tools helps detect unauthorized file modification?
  1. Saint

  2. Satan

  3. Tripwire

  4. Nmap

9:Ben is developing an incident declaration policy for his CIRT. Which of the following events would likely constitute a computer security incident?
  1. Single Firewall alert

  2. Physical break-in to the server room

  3. Defacement of the Web site

  4. IP sweep

10:Richard is a network administrator at a government agency. His intrusion detection system recently alerted him to the presence of an unauthorized user on his system. The user gained access and immediately initiated an FTP session to a host on the Internet that Richard was not familiar with. The intruder downloaded a software package and then began executing commands reserved for the system administrator. What type of package did the intruder likely download?
  1. Back door

  2. Rootkit

  3. Denial of service

  4. CGI

11:Acme Widgets' CIRT was activated last night in response to a computer security incident. They determined that a virus was loose on the network and successfully removed it. What step in the incident-handling process should they take next?
  1. Eradicate the problem.

  2. Review lessons learned.

  3. Recover the affected systems.

  4. Contain the incident.

12:Renee is the CIRT leader for ABC Chemical Corporation. She just activated her team in response to a suspected network intrusion. What is the first step the CIRT should take?
  1. Eradicate the problem.

  2. Review lessons learned.

  3. Recover the affected systems.

  4. Contain the incident.

13:John maintains a Web server for the Save the Fish charity group. His server contains a large amount of interactive CGI code that provides scientists with information on various fish species. He recently noticed that Web users are inputting extremely long strings into several form fields resulting in strange activity. What type of vulnerability is likely the cause of this?
  1. Denial of service

  2. Buffer overflow

  3. Access control failure

  4. Physical attack

14:Ben is the administrator of a Unix system and wants to protect his system from buffer-overflow vulnerabilities in operating-system components. He wants to check the most vulnerable service first. Where should he start?
  1. DNS

  2. FTP

  3. SMTP

  4. ICMP

15:What type of viruses often infect Microsoft Office documents?
  1. Stealth viruses

  2. File viruses

  3. Boot viruses

  4. Macro viruses

Answers to Exercises

Exercise 7.1
  2. Two outcomes are possible. If the overflowing field is filled with random data, the memory beyond the buffer is overwritten with garbage and the mail client (or the whole system) crashes, a denial of service. If it is filled with carefully crafted code and a new return address, the attacker's code runs with the privileges of the user reading the mail, giving the attacker illegitimate access to the system.

  3. The attacker would have to craft an email message whose header contains a malformed, overlong field, for example by altering the raw headers of a legitimate message with a hexadecimal editor, and deliver it to a user running an unpatched client. Because the flaw is in the client's header parsing, the victim does not need to open an attachment or run anything; the header is processed when the client handles the message.

  4. Microsoft recommends applying the Outlook security patch referenced in the bulletin to correct the vulnerability.
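To make the two outcomes in answer 2 concrete, here is an added example in C (not Microsoft's code and not from the bulletin): a mail-header field parser that stores the value in a fixed-size buffer, first in the form that overflows and then in a bounded form that rejects overlong values. The field name "Date:", the 32-byte buffer size and the sample header lines are assumptions made for illustration.

```c
/* Added example (not Microsoft's or Outlook's code): a mail-header field
 * parser with a fixed-size buffer, first in the form that overflows and then
 * in a bounded form that rejects overlong values. The field name "Date:" and
 * the 32-byte buffer are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32                /* assumed size of the fixed field buffer */

struct header {
    char date[FIELD_MAX];           /* stored value of the Date: field */
};

/* Return the value after "<name>" and any following blanks, NULL if no match. */
static const char *field_value(const char *line, const char *name)
{
    size_t n = strlen(name);
    if (strncmp(line, name, n) != 0)
        return NULL;
    line += n;
    while (*line == ' ' || *line == '\t')
        line++;
    return line;
}

/* VULNERABLE form: strcpy copies the whole value no matter how long it is, so
 * a value of FIELD_MAX bytes or more writes past h->date. Filler data corrupts
 * whatever follows the buffer and crashes the process; a crafted value can
 * overwrite a saved return address and divert execution to attacker code.
 * Kept for contrast only; it is never called here on an overlong value. */
int parse_date_unsafe(const char *line, struct header *h)
{
    const char *v = field_value(line, "Date:");
    if (v == NULL)
        return -1;
    strcpy(h->date, v);             /* no bound on strlen(v) */
    return 0;
}

/* HARDENED form: measure the value without scanning past what could be
 * stored, reject anything that would not fit with its terminator, and only
 * then copy. Returns -1 for a non-Date line, -2 for an overlong value, 0 on
 * success; h is left untouched on failure. */
int parse_date_safe(const char *line, struct header *h)
{
    const char *v = field_value(line, "Date:");
    size_t len = 0;
    if (v == NULL)
        return -1;
    while (len < FIELD_MAX && v[len] != '\0')
        len++;
    if (len >= FIELD_MAX)
        return -2;                  /* treat the message as malformed */
    memcpy(h->date, v, len);
    h->date[len] = '\0';
    return 0;
}

/* Build a constructed "Date:" line whose value is n bytes of filler, standing
 * in for the altered header of a malicious message. Returns the line length,
 * or 0 if the output buffer is too small. */
size_t make_overlong_date(char *out, size_t outlen, size_t n)
{
    const char *prefix = "Date: ";
    size_t p = strlen(prefix);
    if (outlen < p + n + 1)
        return 0;
    memcpy(out, prefix, p);
    memset(out + p, 'A', n);
    out[p + n] = '\0';
    return p + n;
}

/* Result of the hardened parser on a constructed line with an n-byte value;
 * -3 means the value did not even fit the 512-byte scratch line. */
int safe_result_for_length(size_t n)
{
    char line[512];
    struct header h = { "" };
    if (make_overlong_date(line, sizeof line, n) == 0)
        return -3;
    return parse_date_safe(line, &h);
}

int main(void)
{
    struct header h = { "" };
    const char *good = "Date: 20 Jul 2000 10:00:00";   /* constructed sample */
    int rc = parse_date_safe(good, &h);
    printf("safe on normal line: rc=%d date=\"%s\"\n", rc, h.date);
    printf("safe on 200-byte value: rc=%d (rejected, buffer untouched)\n",
           safe_result_for_length(200));
    printf("safe on %d-byte value: rc=%d (largest value that fits)\n",
           FIELD_MAX - 1, safe_result_for_length(FIELD_MAX - 1));
    return 0;
}
```

The difference between the two parsers is the whole fix: the hardened version decides whether the value fits before a single byte is copied, so an overlong header is reported as malformed instead of overwriting the stack. Compile with `cc -Wall example.c` and run to see the verdicts for the constructed lines.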

Exercise 7.2

Answers to this exercise will vary based upon the student's organization. The plan should address all the questions presented in the exercise.

Exercise 7.3
  1. A malicious individual might want to send spoofed packets into your network to gain unauthorized access to a system or to hide the packets' true origin. She may want to send spoofed packets out of your network to launch an attack on a remote system.

  2. Spoofed packets can often be detected at the firewall or router level.

  3. Answers to this question will vary based upon the technology used on the student's network. However, the general principle is the same everywhere. On the external interface, drop inbound packets whose source address is private (RFC 1918), loopback or otherwise unroutable, or that belongs to your own address space, since none of these can legitimately arrive from the Internet. Conversely, apply egress filtering so that only packets whose source address falls within the organization's own public address space are allowed out; this prevents your network from being used to launch spoofed attacks against others.
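The following is an added example (not from the original page) that expresses the ingress and egress rules from answer 3 as a small packet classifier in C, so the logic can be checked against sample packets before it is translated into device-specific rules. The organization's public block (203.0.113.0/24) and internal block (10.0.0.0/8) are assumptions taken from the documentation and private ranges, and the sample packets are constructed.

```c
/* Added example (not from the original page): the antispoofing rules from
 * answer 3 expressed as a packet classifier. The organization's public block
 * (203.0.113.0/24) and internal block (10.0.0.0/8) are assumptions chosen
 * from documentation/private ranges; the sample packets are constructed. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Addresses that must never appear as a source on packets arriving from the
 * Internet: "this network", private space, loopback, link-local, multicast
 * and reserved. */
static const char *const BOGONS[] = {
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
};

/* Address space that belongs to the organization (assumption). Anything
 * leaving the network must use it; anything arriving from outside must not. */
static const char *const OURS[] = { "203.0.113.0/24" };

/* Parse "a.b.c.d/n" into a host-order network number and mask. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char addr[INET_ADDRSTRLEN];
    struct in_addr in;
    const char *slash = strchr(cidr, '/');
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);
    int bits = slash ? atoi(slash + 1) : 32;

    if (n >= sizeof addr || bits < 0 || bits > 32)
        return -1;
    memcpy(addr, cidr, n);
    addr[n] = '\0';
    if (inet_pton(AF_INET, addr, &in) != 1)
        return -1;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    *net = ntohl(in.s_addr) & *mask;
    return 0;
}

/* Parse a dotted-quad address into host order; non-zero if it is not IPv4. */
static int parse_ip(const char *s, uint32_t *ip)
{
    struct in_addr in;
    if (inet_pton(AF_INET, s, &in) != 1)
        return -1;
    *ip = ntohl(in.s_addr);
    return 0;
}

static int in_list(uint32_t ip, const char *const *list, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        uint32_t net, mask;
        if (parse_cidr(list[i], &net, &mask) == 0 && (ip & mask) == net)
            return 1;
    }
    return 0;
}

/* Ingress rule (packet arrives on the outside interface): 1 = drop.
 * Drops private/bogon sources and packets that claim one of our own
 * addresses as source, which cannot legitimately arrive from the Internet.
 * Unparsable addresses are dropped rather than permitted. */
int ingress_drop(const char *src)
{
    uint32_t ip;
    if (parse_ip(src, &ip) != 0)
        return 1;
    return in_list(ip, BOGONS, COUNT(BOGONS)) || in_list(ip, OURS, COUNT(OURS));
}

/* Egress rule (packet leaves via the outside interface): 1 = drop.
 * Only sources inside our own public block may leave, so a compromised host
 * cannot send Smurf or SYN-flood traffic with a forged source. */
int egress_drop(const char *src)
{
    uint32_t ip;
    if (parse_ip(src, &ip) != 0)
        return 1;
    return !in_list(ip, OURS, COUNT(OURS));
}

/* Apply the rule that matches the interface the packet arrived on. */
const char *verdict(const char *iface, const char *src)
{
    int drop = strcmp(iface, "outside") == 0 ? ingress_drop(src) : egress_drop(src);
    return drop ? "DROP" : "PERMIT";
}

int main(void)
{
    /* Constructed sample packets: interface seen on, source, destination. */
    static const struct { const char *iface, *src, *dst; } pkts[] = {
        { "outside", "198.51.100.7", "203.0.113.10" }, /* normal inbound */
        { "outside", "10.1.2.3",     "203.0.113.10" }, /* private source: spoofed */
        { "outside", "203.0.113.5",  "203.0.113.10" }, /* our own address from outside */
        { "inside",  "203.0.113.5",  "198.51.100.7" }, /* normal outbound */
        { "inside",  "192.0.2.9",    "198.51.100.7" }, /* forged source leaving */
    };
    for (size_t i = 0; i < COUNT(pkts); i++)
        printf("%-7s %-14s -> %-14s %s\n", pkts[i].iface, pkts[i].src,
               pkts[i].dst, verdict(pkts[i].iface, pkts[i].src));
    return 0;
}
```

On a router the same two lists become an inbound access list on the external interface that denies each bogon block and the organization's own block as source, and an outbound list that permits only the organization's block as source and denies everything else; the classifier above is a way to check that the lists are complete before committing them.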

Answers to Review Questions

A1: Investigators must be extremely careful to ensure that the legal rights of the suspect are protected. This includes ensuring that evidence be collected in a legal manner and that questioning of suspects take place within the constraints of the law. See the section “Collecting Evidence.”
A2: Answers will vary. Some possibilities include fire, flood, earthquake, building collapse, break-ins, or severe weather. See the section “Physical/Human Attacks.”
A3: Polymorphic techniques, stealth techniques, encryption technology. See the section “Viruses.”
A4: Maintaining a detailed log of who had access to a piece of evidence from the moment it was collected to the time it is used at trial. See the section “Maintaining the Chain of Evidence.”
A5: Event log files from all affected systems, backup tapes showing evidence of tampering, firewall and intrusion-detection system logs, session transcripts, tools used by the hacker, and any other relevant evidence. See the section “Collecting Evidence.”

Answers to Exam Questions

A1: C. Smurf sends ICMP Echo Request packets to a network's broadcast address with the source address forged to be the victim's, so every host on that network answers the victim with an Echo Reply; the intermediate network amplifies the attacker's traffic many times over. See the section “Smurf.”
A2: B. Trojan horses are often introduced into a computing environment by users unaware of their hidden payload. See the section “Trojan Horses.”
A3: D. Logic bombs are often the work of disgruntled former employees who decide to leave behind a nasty surprise for their successors. See the section “Logic Bombs.”
A4: A, D. Both Smurf and SYN flood overwhelm the target with sheer volume (a flood of ICMP Echo Replies and a flood of half-open TCP connections, respectively), whereas Land and Teardrop rely on a single malformed packet that the target mishandles. See the section “Denial of Service.”
A5: C. Crack is a well-known utility that detects weak user passwords. See the section “Hacker Tools.”
A6: D. The fake system administrator ploy is a type of social-engineering attack. See the section “Fake System Administrators.”
A7: B. In a traditional Unix installation the password hashes (loosely called encrypted passwords) are stored in the world-readable /etc/passwd file, which is what Crack reads. On systems that use shadow passwords the hashes are kept in /etc/shadow, readable only by root, so Crack must be run as root against a merged copy of the two files. See the section “Dictionary Attacks.”
A8: C. Tripwire helps detect unauthorized file modifications. See the section “Unauthorized Modification of Files.”
A9: B, C. A physical break-in and a Web site defacement are both unambiguous malicious acts that require an immediate response. IP sweeps happen constantly and probably do not warrant declaring an incident. A single firewall or intrusion-detection alert is often a false positive and needs further investigation before an incident is declared. See the section “General Incident-Handling Principles.”
A10: B. The intruder downloaded a rootkit: a package of trojaned system binaries (ls, ps, netstat, login and the like), log cleaners and, often, local privilege-escalation exploits, which together turn an ordinary logon into a hidden, privileged foothold. See the section “Hacker Tools.”
A11: C. Removing the virus is the eradication step. The next step is recovery: restore the affected systems from clean media or backups, verify that they are clean and return them to service. The lessons-learned review comes after recovery, once the incident is closed. See the section “General Incident-Handling Principles.”
A12: D. In any type of computer-security incident, responders should first take measures to contain the incident to protect unaffected systems. See the section “General Incident-Handling Principles.”
A13: B. Buffer-overflow vulnerabilities frequently occur in CGI code. See the section “Buffer-Overflow Attacks.”
A14: A. On Unix systems the DNS server (BIND) has historically been the most common source of operating-system component buffer-overflow vulnerabilities, which is why it heads the SANS Top Ten list cited in the suggested readings. See the section “Buffer-Overflow Attacks.”
A15: D. Macro viruses are written in the application's macro language (Visual Basic for Applications in Microsoft Office) and infect Office documents, which execute the macro when opened. See the section “Viruses.”
Suggested Readings and Resources

1. Practical Unix and Internet Security, Simson Garfinkel and Gene Spafford.

2. Ten Most Critical Internet Security Threats, SANS Institute, http://www.sans.org/topten.htm.

3. Computer Forensics: Incident Response Essentials, Warren G. Kruse II and Jay G. Heiser.
