INCS 745: Intrusion Detection and Hackers Exploits

INCS 745: Intrusion Detection and Hacker Exploits

Winter Term 2007

New York Institute of Technology-Amman's Campus

http://www.just.edu.jo/~tawalbeh/nyit/incs745.html

Announcements

  • Class room is: C103
  • Meeting time: Mon 3-6
  • The articles/presentations  are posted on the web.
  • THE BOOK Click Here

Reading Assignments

  • The reading assignments will be distributed in the class/by email

Exams

  • The final exam will be a take home exam.

Course Description

In this course we will study the most common methods used in computer and network hacking with the intention of learning how better to protect systems from such intrusions. These methods include reconnaissance techniques, system scanning, and gaining system access by network and application level attacks, and denial of service attacks. Traffic analysis methods and tools will be studied in this course. Also, we will present techniques for traffic filtering and monitoring, and intrusion detection.

Prerequisites/Corequisites

INCS 615 : Network Security and Perimeter Protection
CSCI 620 : Operating System Security

Course Topics/Handouts/Presentations:

  • An overview of Intrusion Detection. Intrusion Detection Framework

    • : Presentation1  Presentation2

    PART I: The most common methods used by Hackers:
    The most common methods used by intruders to gain control of home computers are discussed in the class, and includes:

    1. Trojan horse programs  Presentation Prepared By: Ibrahim Alqarout                                   Trojan horse programs are a common way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus.

       
    2. Back door and remote administration programs Presentation.  On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer. TOOL: BacK Office 2K

       
    3. Denial of service Presentation1 Prepared By: Murad Ali, Presentation2 Prepared By: Murad Ali  Another form of attack is called a denial-of-service (DoS) attack. This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it. It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.

       
    4. Being an intermediary for another attack Presentation1 Prepared By: Raghda Zahran,   Presentation2 Prepared By: Mohamad Almajali  Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else’s -- your computer is just a convenient tool in a larger attack.

       
    5. Unprotected Windows shares  Presentation Prepared By: Mohamad Almajali Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools.
      Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate.
      There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.

       
    6. Mobile code (Java/JavaScript/ActiveX) Presentation1 Prepared By: Yousef Aburabia,   Presentation2 Prepared By: Radwan Abu Jassar There have been reports of problems with "mobile code" (e.g. Java, JavaScript, and ActiveX). These are programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information (such as which web sites you visit) or to run malicious code on your computer. It is possible to disable Java, JavaScript, and ActiveX in your web browser.

       
    7. Cross-site scripting Presentation1 Prepared By: Lo'ai Hatter,                                  Presentation2 Prepared By: Mo'utasem Abu Hamor A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.
      You can potentially expose your web browser to malicious scripts by
      following links in web pages, email messages, or newsgroup postings without knowing what they link to
      using interactive forms on an untrustworthy site
      viewing online discussion groups, forums, or other dynamically generated pages where users can post text containing HTML tags

       
    8. Packet sniffing  Presentation1 Prepared By: Ayman Amaireh,     Presentation2 Prepared By: Amer Alherani packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the packet sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require administrator-level access.
      Relative to DSL and traditional dial-up users, cable modem users have a higher risk of exposure to packet sniffers since entire neighborhoods of cable modem users are effectively part of the same LAN. A packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood. Sniffers
     

     

  • PART II: Intrusion Detection/Prevention Tools and Techniques: There are many techniques used to prevent/detect intrusion, these includes:

     

    1. Spy wares Presentation Prepared By: Murad Ali    
       
    2. FireWalls Presentation Prepared By: Yousef Aburabia
    3. Anti-Viruses  Presentation Prepared By: Ammar Jalawi
 

 

Textbook

  • "Cryptography and Network Security”  by William Stallings. Prentice Hall, 4th edition.

           

References

  1. "Tao of Network Security Monitoring, The: Beyond Intrusion Detection". By Richard Bejtlich. ISBN: 0321246772; Published: Jul 12, 2004.
  2. "Intruder Alarms". Gerard Honey.

Grading Policy

  • Reading Articles Assignments: 20 %  
  • Papers and Presentations: 40 %
  • Final: 40 %

Dr. Lo'ai A. Tawalbeh

 
17 Jan 2007