Spoofing
"I'm safe, I have a firewall and the best anti-virus software out there." "I run UNIX, so I'm safe; UNIX is the best operating system around." Don't let yourself be fooled by these statements. Spoofing is a real threat, and if you are not vigilant and do not protect yourself properly, you can become the next victim. In this paper I will discuss what spoofing is, some of the operating systems and services it can and has affected, the harm a spoofing attacker can cause, how an attack is carried out, some examples of what to look for, ways to limit the damage caused by an attack, and some of the best ways to protect yourself.
Spoofing is a person or a program that assumes the identity of another person or program. This false identity is used either to convince the victim to grant services or permissions that she should not have, or to implicate someone other than the attacker. Spoofs are not limited to computer systems. Any system or process that does not verify identity could become the victim of a spoof. (Pipkin)
Some of you may think that certain operating systems, such as UNIX, are impervious. The simple truth is that if you are using UNIX right now, your traffic may be passing through a spoofing server as we speak. Here is a list of some services with known weaknesses, because they authenticate by IP address: "SunRPC & NFS, BSD UNIX 'r' commands, anything wrapped by tcp daemon wrappers (site dependent; check your configuration), X windows and other applications that use IP addresses for authentication." (Cert) As you can see, if an attacker wants to spoof you they can, no matter what system you choose to use; but in most cases you have to have something they want, or your system has to be connected to a system they want access to.
One of the many spoofing attacks is IP spoofing. "IP spoofing: to gain access, intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system. It is possible to route packets through filtering-router firewalls if they are not configured to filter incoming packets whose source address is in the local domain. It is important to note that the described attack is possible even if no reply packets can reach the attacker." (Cert) The target decides whether to trust the request from the source address written in the packet header, and the attacker can write anything there; that is why no reply path is needed.
Once an attacker has gained root access on a system, they can make any changes they wish, and they may also attack other systems that trust the one they just broke into. One of the tools an attacker will use is a hijacking tool. "Once the intruders have root access on a system, they can use a tool to dynamically modify the UNIX kernel. This modification allows them to hijack existing terminal and login connections from any user on the system. In taking over the existing connections, intruders can bypass one-time passwords and other strong authentication schemes by tapping the connection after the authentication is complete. For example, a legitimate user connects to a remote site through a login or terminal session; the intruder hijacks the connection after the user has completed the authentication to the remote location; the remote site is now compromised." (Cert)
Once the attacker is in, everything he or she does originates inside the network. Most of the protection you install inspects incoming traffic; if the attacker controls a central, trusted host, he or she can compromise every system that trusts it, because those systems are configured to trust whatever comes from that source.
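The following is an added example, not code from this paper or from the CERT advisory. It simulates, in-process, the weakness the advisory describes: a server that accepts a request because of the source address in the packet header, which the sender controls, beside a check that additionally requires an authenticator computed with a key the spoofer does not hold. The trusted-host list, the key and the packets are constructed for the demonstration, and the HMAC-based check is one assumed alternative to address-based trust, not something the paper prescribes.

```python
"""Address-based trust versus a spoofed source address (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# The server's trust list, in the spirit of a .rhosts / hosts.equiv file (assumed).
TRUSTED_HOSTS = {"10.0.0.5"}

# Shared only between the real 10.0.0.5 and the server (assumed, constructed).
SHARED_KEY = b"constructed-demo-key"


@dataclass
class Packet:
    src: str            # source field of the IP header: the sender writes whatever it likes here
    dst: str
    payload: bytes
    tag: bytes = b""    # optional authenticator carried with the request


def accept_by_address(pkt: Packet) -> bool:
    """Weak check: the decision depends only on what the packet claims as its source.

    Nothing here needs a reply to reach the sender, which is why a blind
    spoofer (one that never sees the server's answers) can pass it."""
    return pkt.src in TRUSTED_HOSTS


def make_tag(key: bytes, pkt: Packet) -> bytes:
    """Authenticator over the claimed source and the request body."""
    return hmac.new(key, pkt.src.encode() + b"|" + pkt.payload, hashlib.sha256).digest()


def accept_by_key(pkt: Packet) -> bool:
    """Stronger check: the address still selects the expected peer, but the
    request must also carry a tag that only a holder of SHARED_KEY can compute."""
    if pkt.src not in TRUSTED_HOSTS:
        return False
    return hmac.compare_digest(make_tag(SHARED_KEY, pkt), pkt.tag)


def legitimate_request() -> Packet:
    """Request really sent by 10.0.0.5, tagged with the shared key."""
    pkt = Packet(src="10.0.0.5", dst="10.0.0.1", payload=b"run: id")
    pkt.tag = make_tag(SHARED_KEY, pkt)
    return pkt


def spoofed_request() -> Packet:
    """Request sent from an outside host whose header claims the trusted address.

    The attacker does not hold SHARED_KEY, so the best it can do is tag with a guess."""
    pkt = Packet(src="10.0.0.5", dst="10.0.0.1", payload=b"run: id")
    pkt.tag = make_tag(b"wrong-guess", pkt)
    return pkt


if __name__ == "__main__":
    for name, pkt in (("legitimate", legitimate_request()), ("spoofed", spoofed_request())):
        print(f"{name:10s} by address: {accept_by_address(pkt)}  by key: {accept_by_key(pkt)}")
```

Both requests pass the address check, because the check never learns where the packet really came from; only the keyed check separates them. This is the general point behind the advisory's list of affected services: anything that grants access on the strength of a source address alone can be fooled by a forged header.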
"Impact: Current intruder activity in spoofing source IP addresses can lead to unauthorized remote root access to systems behind a filtering-router firewall. After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts." (Cert)
Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to a Web server in the victim's name, or to the victim in the name of any Web server. In short, the attacker can observe and control everything the victim does on the shadow Web. You might think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web. (Web) Therefore, if you are not aware that you are being spoofed, you probably would not notice the difference.
So why should we care if someone wants to pretend to be someone or something else? What harm can they possibly do? Imagine that anything and everything you do on the Internet can be monitored, copied, altered and used in a way that could be very harmful to you. If you go on-line and only visit a site like CNN, where all you are doing is reading the news, that probably won't be very harmful to you. However, if you were to order a printer cartridge off the net, the attacker would have your credit card information, your name, your address and whatever else you had to enter to place the order. Now you can see how it becomes a big problem.
What if I never shop on the Internet? Remember that the attacker has total control over what you see on your side. "In a spoofing attack, the attacker creates a misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim; the victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world." (Web) If the attacker wants your credit-card number, he or she might send you a pop-up box dressed up with your service provider's information, saying something like "every six months we have to verify that users have not PCS'ed or moved; please enter your account name and password." Once you have entered your account name and password you assume that you are in a secure area, and another pop-up box might say "we would now like to verify your billing information; please enter your credit card details." What seem like harmless pop-up boxes could really be an attacker gaining access to your information.
Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automatic teller machines, typically in public areas like shopping malls. The machine accepts ATM cards and asks the person to enter their PIN code. Once the machine has the victim's PIN, it can either eat the card or "malfunction" and return it. In either case, the criminal has enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context of what they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays. (Web)
You can see from the two paragraphs above that people make choices based on what they see, whether the contextual clues are electronic or physical. You may think that you cannot be fooled by these attackers, but here are some examples you may find interesting. "Is MICR0S0FT.COM the address of a large software company? (For a while that address pointed to someone else entirely. By the way, the rounded symbols in MICR0S0FT here are the number 0, not the letter O.) Was Dole96.org Bob Dole's 1996 presidential campaign? (It was not; it pointed to a parody site.)" (Web) Timing is everything, or so the saying goes. "People often get context from the timing of events. If two things happen at the same time, you naturally think they are related. If you open your bank's page and a username/password dialog box appears, you naturally assume that you should type the name and password that you use for the bank. If you click on a link and a document immediately starts downloading, you assume that the document came from the site you clicked on. Either assumption could be wrong." (Web) How many times have you been surfing the net and a pop-up screen asks whether you trust this website? And how many times do you actually read what the box says? We get so used to seeing them that we click OK before we know what they are. A site you don't know pops up and you immediately close it, thinking that the site is closed and cannot do any harm; about two minutes later a box pops up asking whether you trust this web site, you think it belongs to the site you just clicked on, and of course you click OK. This is very common and might already have happened to you.
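The MICR0S0FT.COM example above is a character-substitution trick, and that kind of look-alike can be checked for mechanically. The following is an added example, not from the paper: it normalizes a host name through a small table of confusable characters and reports which expected name, if any, it imitates. The confusable table and the list of expected names are assumptions made for the demonstration.

```python
"""Spotting a look-alike host name such as MICR0S0FT.COM (added example)."""
from typing import Iterable, Optional

# Characters that pass for a letter in many fonts (assumed, deliberately partial).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e", "8": "b", "|": "l"})


def normalize_host(host: str) -> str:
    """Lower-case the name, drop a trailing dot, and replace confusable characters."""
    return host.lower().rstrip(".").translate(CONFUSABLE)


def lookalike_of(host: str, expected: Iterable[str]) -> Optional[str]:
    """Return the expected name this host imitates, or None.

    A host that exactly equals one of the expected names is not a look-alike;
    a host that only becomes one after confusable substitution is."""
    canon = host.lower().rstrip(".")
    expected_set = {e.lower().rstrip(".") for e in expected}
    if canon in expected_set:
        return None
    norm = normalize_host(canon)
    return norm if norm in expected_set else None


# Names the user expects to be dealing with (assumed list for the demonstration).
KNOWN = ["microsoft.com", "netscape.com"]

if __name__ == "__main__":
    for host in ("MICR0S0FT.COM", "microsoft.com", "Dole96.org"):
        print(f"{host:15s} -> {lookalike_of(host, KNOWN)}")
```

The check catches MICR0S0FT.COM but says nothing about Dole96.org: that name is a plausible guess at what the campaign site might be called, not a character substitution, and no normalization will reveal it. The two examples in the quotation are different classes of deception, and only the first one is mechanically detectable this way.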
How does this all work, though? Another way some of the problems above can happen is URL rewriting. "The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than the real server. Assuming the attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomes http://www.attacker.org//home.netscape.com. (The URL rewriting technique has been used for other reasons by two other Web sites, the Anonymizer and the Zippy filter.) Since all of the URLs in the rewritten page now point to www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it." (Web) Again, unless you are aware of what to look for, you could be spoofed and not know it.
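The following is an added example, not code from the paper or from the Anonymizer or Zippy sites, showing the rewriting from both sides of the wire: the attacker's server rewriting every absolute link in a page so it stays on www.attacker.org (the paper's own host name), the same server recovering the real URL so it can fetch the page from the real Web, and the victim-side check the later countermeasures section asks for: looking at the location line for a second host name sitting where a path should be. The sample HTML page is constructed; the rewriting follows the exact shape shown in the text, where the original "http:" is dropped and "//home.netscape.com" becomes the path on the attacker's server.

```python
"""URL rewriting as described in the text, attacker side and victim side (added example)."""
import re
from urllib.parse import urlsplit

ATTACKER = "http://www.attacker.org"   # the paper's example host


def rewrite_url(url: str, attacker: str = ATTACKER) -> str:
    """Attacker side: put the attacker's server in front of an absolute http URL.

    'http://home.netscape.com' -> 'http://www.attacker.org//home.netscape.com'"""
    if not url.startswith("http:"):
        return url
    return attacker + url[len("http:"):]


_ABS_URL_ATTR = re.compile(r"""(href|src)=(["'])(http://[^"']*)\2""", re.IGNORECASE)


def rewrite_page(html: str, attacker: str = ATTACKER) -> str:
    """Rewrite every absolute http URL found in an href or src attribute.

    Relative links need no rewriting: the browser resolves them against the
    page's own (already rewritten) URL, so they stay on the attacker's server."""
    return _ABS_URL_ATTR.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3), attacker)}{m.group(2)}",
        html,
    )


def unwrap_url(rewritten: str) -> str:
    """Attacker's server: recover the real URL so the page can be fetched from the real Web."""
    parts = urlsplit(rewritten)
    if not parts.path.startswith("//"):
        raise ValueError("not a rewritten URL: " + rewritten)
    real = "http:" + parts.path
    if parts.query:
        real += "?" + parts.query
    return real


# Victim side. A normal path begins with a single '/'; a rewritten one begins with '//'
# followed by something that looks like a host name.
_REWRITTEN_PATH = re.compile(r"^//[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/|$)")


def looks_rewritten(location_bar_url: str) -> bool:
    """The tell-tale in the browser's location line: a host name where a path should be."""
    return bool(_REWRITTEN_PATH.match(urlsplit(location_bar_url).path))


def served_by(location_bar_url: str) -> str:
    """The server the browser is really talking to, regardless of what the path says."""
    return urlsplit(location_bar_url).netloc


# Constructed sample page.
SAMPLE_HTML = (
    '<a href="http://home.netscape.com/">Home</a> '
    '<img src="http://home.netscape.com/logo.gif">'
)

if __name__ == "__main__":
    trapped = rewrite_page(SAMPLE_HTML)
    print(trapped)
    loc = "http://www.attacker.org//home.netscape.com/"
    print(served_by(loc), looks_rewritten(loc), unwrap_url(loc))
```

The victim-side functions are only as good as the habit of reading the location line: `served_by` answers "who am I really connected to?", and `looks_rewritten` flags the doubled host. Both are defeated if the attacker hides or repaints the location line, which is why the countermeasures below start with disabling JavaScript and keeping that line visible.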
Okay, what can you do to protect yourself against these attacks? The IP spoofing attack is one of the hardest to protect against, because if you filter by address you might be filtering out legitimate customers, and as of yet there is no solution to the hijacking problem. However, you can limit the damage of these attacks. The key is detection: "If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack. Netlog is available by anonymous FTP from ftp://net.tamu.edu/pub/security/tamu/netlog-1.2.tar.gz." (Technical) However, most attackers will not bother with home PCs, because there is little money or fame in it; unless you are a big company, where an attack would draw a lot of media attention, you are less likely to become a target.
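The detection rule quoted above, together with the matching router filter the CERT advisory mentions (dropping incoming packets whose source address is in the local domain), can be expressed in a few lines. The following is an added example, not from the paper and not netlog's own code or log format: the interface names, the local address range and the four sample records are constructed for the demonstration, and the "iface direction src dst" record format is an assumption, not netlog's.

```python
"""Spotting a spoofed local source on the external interface (added example)."""
import ipaddress
from typing import List, NamedTuple

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed local domain
EXTERNAL_IF = "eth0"                                   # assumed outside-facing interface


class Record(NamedTuple):
    iface: str
    direction: str                 # "in" = received on iface, "out" = sent on iface
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def is_local(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in LOCAL_NETS)


def parse_log(text: str) -> List[Record]:
    """Parse the constructed 'iface direction src dst' lines; '#' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        iface, direction, src, dst = line.split()
        records.append(Record(iface, direction, ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return records


def detect_spoofed(records: List[Record]) -> List[Record]:
    """The rule quoted in the text: a packet seen on the external interface with
    BOTH source and destination inside the local domain should never exist.
    The only way it gets there is a forged source address."""
    return [r for r in records if r.iface == EXTERNAL_IF and is_local(r.src) and is_local(r.dst)]


def ingress_filter_drops(r: Record) -> bool:
    """The matching prevention on a filtering router: drop packets ARRIVING on
    the external interface that claim a local source address."""
    return r.iface == EXTERNAL_IF and r.direction == "in" and is_local(r.src)


# Constructed sample records (documentation address ranges).
SAMPLE_LOG = """
# iface dir  src            dst
eth0    in   198.51.100.7   192.0.2.10      # normal inbound from outside
eth0    in   192.0.2.5      192.0.2.10      # claims a local source but arrived from outside: spoofed
eth1    in   192.0.2.5      192.0.2.10      # same address pair on the inside interface: ordinary LAN traffic
eth0    out  192.0.2.44     198.51.100.9    # normal outbound
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in detect_spoofed(recs):
        print("ALERT: spoofed local source on", r.iface, r.src, "->", r.dst)
    for r in recs:
        print("drop" if ingress_filter_drops(r) else "pass", r)
```

Only the second record fires: the third carries the same address pair but on the inside interface, where it is normal. The direction field matters for the filter rule but not for the detection rule, which is why the quoted advice can be applied to a passive monitor that never sees which way a packet was going.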
Physical spoofing, such as a false ATM, can be hard to detect because of the context in which the machine is placed. However, if you put your ATM card into a machine and do exactly what you have done a hundred times before, and this time the ATM does something odd, such as malfunctioning, keeping your card or anything else out of the ordinary, report it immediately. The quicker you respond, the less chance the attacker has to use your card information to steal from you, and if you act quickly and correctly you can help the next person avoid falling into the same trap.
URL rewriting can be blocked in the "short term: First, by disabling JavaScript in your browser, so the attacker will be unable to hide the evidence of the attack. Second, make sure your browser's location line is always visible. Third, pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you're connected to. Long term: there is no fully satisfactory long-term solution to this problem. However, changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs. For pages that are not fetched via a secure connection, there is not much more that can be done. For pages fetched via a secure connection, an improved secure-connection indicator could help. Rather than simply indicating a secure connection, browsers should clearly say who is at the other end of the connection. This information should be displayed in plain language, in a manner intelligible to novice users; it should say something like 'Microsoft Inc' rather than 'www.microsoft.com'." (Web)
The bottom line is that a lot can be prevented just by good computing practice and by being aware of your surroundings: if something looks even a little off, don't be afraid to question it. Update your anti-virus protection. If you run a large server, make sure you stay on top of the latest information and program fixes that protect against spoofing attacks.
For more information please visit the web sites and reference material provided.
Works Cited
Felten, Edward W., Dirk Balfanz, Drew Dean and Dan S. Wallach. Web Spoofing: An Internet Con Game. Accessed 04 April 2002. http://bau2.uibk.ac.at/matic/spoofing.htm
Technical details of the attack described by Markoff in NYT. Accessed 27 April 2002. http://www.robertgraham.com/Shimomura-spoofing.html
CERT Advisory CA-1995-01: IP Spoofing Attacks and Hijacking Terminal Connections. Accessed 04 April 2002. http://www.cert.org/advisories/CA-1995-01.html
Pipkin, Donald L. Information Security. Prentice Hall PTR, Prentice-Hall Inc., Upper Saddle River, New Jersey 07458. 2000.
Points Paper
Spoofing
Definition: Spoofing is a person or a program that assumes the identity of another person or program. This false identity is used either to convince the victim to grant services or permissions that she should not have, or to implicate someone other than the attacker. Spoofs are not limited to computer systems. Any system or process that does not verify identity could become the victim of a spoof. (Pipkin)
IP spoofing: To gain access, intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system.
Physical spoofing: Things like false ATM machines.
URL spoofing: The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than the real server. Assuming the attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomes http://www.attacker.org//home.netscape.com.
IP spoofing: The IP spoofing attack is one of the hardest to protect against, because if you filter by address you might be filtering out legitimate customers, and as of yet there is no solution to the hijacking problem. However, you can limit the damage of these attacks. The key is detection: "you can monitor packets using network-monitoring software such as netlog".
Physical spoofing: If you put your ATM card into a machine and do exactly what you have done a hundred times before, and this time the ATM does something odd, such as malfunctioning, keeping your card or anything else out of the ordinary, report it immediately.
URL spoofing: URL rewriting can be blocked by disabling JavaScript in the browser, keeping the browser's location line visible, and checking that the URLs it shows point to the server you think you are connected to.