Document: Backups and Hidden Data (ppt)

Slide 1: Backups and Hidden Data
Secure System Administration - SANS GIAC © 2000, 2001

Hello, I am Stephen Northcutt again and welcome back for the second section of our course. Next, we will learn about fundamental threats that affect organizations and cause them loss. For all that you read about hackers, they are only one source of harm, and in well defended organizations hackers are not able to cause much, if any, damage.

Slide 2: Forget Hackers! (Major Loss Vectors)
• Backups, or the lack of
• Viruses and other malicious code
• Hiding data

Contrast this with the average home (and dare I say workplace as well) system. The anti-virus signatures are out of date. In fact, the only reason there is anti-virus code at all is that it came factory installed. The system hasn’t been backed up – ever. Perhaps three or four important files were copied off to a floppy, but that is it. Hard disks are generally rated with a Mean Time Between Failure (MTBF). The question isn’t if the disk will fail, but when. The newest viruses are fairly destructive and delete files, so the combination of out of date virus signatures and no backups is really getting scary. We will also discuss how systems might be very open to attack from networks, and ways that people may be hiding data from you right on your own computer systems.

Slide 3: Failure to Backup
I want to be clear: MSBACKUP for Windows 95/98 is not the way I back up these operating systems. I prefer tools that use the archive bit to manage backups, and MSBACKUP doesn’t. I used it once helping out in a Perl class (Perl is a most wonderful programming language) where the students were told to bring their laptops. Now you would think that if you were coming to take a class in Perl and they told you to bring your laptop, you would load Perl ahead of time.
So we are faced with this class of students that don’t have Perl, and it is bigger than a floppy disk’s capacity even when zipped, and some of them don’t have CD-ROM drives. What to do? Well, I remembered that NT had a backup facility that could write the backup across multiple disks, even floppies, so I did a CTRL-F on my C:\ drive and typed in backup, and sure enough, my Windows 95 box had a backup utility and it worked. We were able to make a “backup” of Perl, write it to a couple of floppies, and restore it to the other systems. Very quickly we ran into a gotcha that I am sure is “fixed in the next release”. The Windows 98 and NT backup programs were not compatible, so we had to make 2 backups.

Slide 4: The Archive Bit (Windows)
• Used by backup programs to decide which files require safekeeping
• Files with “A” bit need to be saved!

    C:\>attrib
         SCANDISK.LOG    C:\SCANDISK.LOG
    A    AUTOEXEC.BAT    C:\AUTOEXEC.BAT
    A    CONFIG.SYS      C:\CONFIG.SYS
    A    COMMAND.COM     C:\COMMAND.COM
         MYFILE.TXT      C:\MYFILE.TXT
    SHR  IO.SYS          C:\IO.SYS
    SHR  MSDOS.SYS       C:\MSDOS.SYS
    C:\>

Windows systems use a special tag called an archive bit to signal backup programs that the file has changed since the previous backup operation. The archive attribute exists in both FAT and NTFS file systems. We use the ATTRIB program to see the attributes files have. In this slide, seven files are shown; three have their archive bit set “on” and the others do not. A backup program will use these "bits" to capture files the next time we back up this computer, and may reset (turn off) this bit depending on the type of backup performed. In Windows NT and WIN2K, you or the backup software you utilize must have at least the Backup Operator privilege to perform backups. If you do not have Backup Operator or Administrator privileges, you may not be able to back up system files or the system registry. We are going to discuss three backup techniques: full, incremental, and differential.
We will lightly touch on best practice, but I am far more concerned that you know how to do a backup, or why files might NOT get backed up, than the theory and practice of backups.

Slide 5: Full Backups
• Capture the entire system configuration
• Clear files’ archive bits
• Are expected to safely copy the system registry
• Require full permission to the system

Full backups are typically performed on a weekly basis, disregard the archive "bit", and capture all files. A full backup is needed to restore a system from a catastrophic failure but will not restore files that changed since the backup was performed. Differential and incremental backups address this issue but do so in different ways. Differential backups leave the archive bit set after saving the changed file. When I perform a full backup on Sunday and then a differential backup on Monday, Monday’s tape will contain only the information that changed between Sunday and Monday. A differential backup on Tuesday will store files that changed on Monday and Tuesday. If one assumes that at least one file changes each day of the week, then the size of the differential backup will grow each day of the week. Incremental backups turn off the archive bit after they back up, so they only back up files changed since the previous incremental. Assuming a full backup on Sunday, on Monday incremental and differential backups will require the same quantity of space and time to complete. On Friday, incremental backups will only be backing up the files that have changed since the last incremental backup and will be faster and require less space than differential backups.
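To make the archive-bit rules from the Full Backups and Partial Backup Methods slides concrete, here is an added Python simulation. It is not code from the course; the file names and the one-document-per-weekday change pattern are constructed. It keeps one archive bit per file, runs a full backup on Sunday followed by a week of incrementals or differentials, shows which tapes each kind of restore needs, and reproduces the WARNING case in which an incremental slipped between the full and a differential causes the differential to miss a file.

```python
"""Added simulation of Windows archive-bit backup semantics (full, incremental,
differential) and of the restore chain each strategy needs. Toy model; file
names and the daily change pattern are constructed for illustration."""
from dataclasses import dataclass, field

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]
# Constructed change pattern: one new document modified each weekday.
CHANGES = {day: [f"{day.lower()}.doc"] for day in WEEKDAYS}


@dataclass
class ArchiveBitFS:
    """Toy file system: name -> archive bit (True = changed since last capture)."""
    archive: dict = field(default_factory=dict)

    def write(self, *names):
        # Creating or modifying a file sets its archive bit, as FAT/NTFS do.
        for name in names:
            self.archive[name] = True

    def full(self):
        # Full backup: ignores the bit, captures everything, clears every bit.
        tape = sorted(self.archive)
        for name in self.archive:
            self.archive[name] = False
        return tape

    def incremental(self):
        # Incremental: captures files whose bit is set, then clears those bits.
        tape = sorted(n for n, bit in self.archive.items() if bit)
        for name in tape:
            self.archive[name] = False
        return tape

    def differential(self):
        # Differential: captures files whose bit is set and leaves the bits alone,
        # so each tape holds everything changed since the last full.
        return sorted(n for n, bit in self.archive.items() if bit)


def run_week(strategy):
    """Full on Sunday, then `strategy` ("incremental" or "differential") Mon-Fri.
    Returns {day: list of files on that day's tape}."""
    fs = ArchiveBitFS()
    fs.write("base1.sys", "base2.sys", "base3.sys")
    tapes = {"Sun": fs.full()}
    for day in WEEKDAYS:
        fs.write(*CHANGES[day])
        tapes[day] = getattr(fs, strategy)()
    return tapes


def restore_order(strategy, upto="Fri"):
    """Tapes a full restore needs, in order: last full + last differential,
    or last full + every incremental since it (the best-practice slide)."""
    if strategy == "differential":
        return ["Sun", upto]
    return ["Sun"] + WEEKDAYS[: WEEKDAYS.index(upto) + 1]


def restore(tapes, order):
    """Replay tapes in the given order; returns the set of files recovered."""
    recovered = set()
    for day in order:
        recovered.update(tapes[day])
    return recovered


def mixed_week():
    """The WARNING case: an incremental between the full and a differential
    clears the bits the differential relied on, so Monday's file is missed."""
    fs = ArchiveBitFS()
    fs.write("base1.sys")
    fs.full()
    fs.write("mon.doc")
    fs.incremental()          # captures mon.doc and clears its bit
    fs.write("tue.doc")
    return fs.differential()  # only tue.doc: mon.doc is absent from this chain


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        tapes = run_week(strategy)
        sizes = {day: len(files) for day, files in tapes.items()}
        print(strategy, "files per tape:", sizes, "restore needs:", restore_order(strategy))
    print("mixed full/incremental/differential, differential tape holds:", mixed_week())
```

Running it shows the Friday tape holding one file under the incremental strategy and five under the differential one, and that replaying only Sunday plus Friday recovers everything for differentials but loses four days of work for incrementals.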
Slide 6: Partial Backup Methods
• Incremental
  – Checks for the archive bits
  – Stores copies of files with bit set
  – Clears the archive bit
• Differential
  – Does not clear the archive bit

An incremental backup is a backup that scans the server for data changes that have occurred since the last full or incremental backup. This is done by scanning the file system and looking for files that have their archive bit turned on. When an incremental backup is completed, all the files examined will have their archive bits turned off. Combining full and incremental backup techniques allows administrators to save the system configuration using a full backup, then quickly capture the information that has changed since the last full backup. One big problem exists with incremental backups. If I perform a full backup on Sunday, then incremental backups Monday through Friday, restoring data is a major challenge. To properly restore a system from full loss, the system administrator must first restore from the full backup tape, then restore from every incremental backup that was made, in the order in which they were made. This means that if you don’t have good log notes and good labeling, you should stick with full backups.

WARNING: Do not mix differential and incremental backups between full backups. An incremental backup resets the archive "bit", thereby preventing a differential backup from identifying files to capture.

Slide 7: NTBackup
Windows NT has a backup tool as well, called NTBackup. Click Start, select Programs, select “Administrative Tools (Common)”, then “Backup” to run NTBackup. If you are not streaming your audio, please take a minute and run whichever backup program you have, Windows 9x or NT 4.0/Windows 2000. Get familiar with it now, before you are under fire. You don’t have to do the whole disk. You can select a folder or even a file. Run the attrib command before and after.
You can even experiment with the attrib command to foil the backup process. Below are best practices for backups:
• Full backups (all files) when possible. Why perform incremental or differential backups if we can obtain a full backup every day?
• When full backups cannot be performed on a daily basis, use differential backups, not incrementals, since differentials are easier if you need to recover. A full restore requires either the last full backup followed by the last differential backup, or the last full backup followed by each incremental backup in the correct order.
• Place legible, unique labels on all tapes.
• Create a log in which you record which tapes are used and on which servers. Note any errors or pertinent events every day.

Slide 8: TAR (Tape Archive – Unix)
• Create tar file: tar cvf archive file
• Extract tar file: tar xvf archive file
• List contents of tar archive: tar tvf archive file
• Copy current directory to another: tar cpf - . | ( cd newdir; tar xvpf - )
  – Where “archive” is a file or tape device and “file” is the file or directory to archive

Unix has three primary backup tools: tar, dump/restore and dd. Tar is ideal for backing up a particular directory tree. Tar’s primary functions:
- Create an archive: tar c. The slide shows tar cvf. The v means verbose mode; when this is set, tar tells what it is doing, and that is helpful. f is always followed by the filename of the tarfile you are creating, extracting from, or creating a table of contents from. If you are having trouble with tar, odds are you didn’t follow the f with the filename of the tarfile.
- Extract files using tar, the TApe aRchive: tar -x
- Table of contents: tar -t
The fourth bullet is a bit advanced, but please notice the vertical bar “|” or pipe symbol. This says take the tarfile being created on the left, change directory (“cd”) to a new directory, and extract the tarfile there. Unix allows you to pipe (|) information.
Try ls /dev | wc to see how many files are in /dev (wc is useful for counting things; it gives lines, words, and bytes).

Slide 9: dump and dd (Unix)
• Full dump of /usr: dump 0uf /dev/nrst0 /usr
• Image copy of a file system: dd if=/dev/hd0a of=/dev/nrst0

dump and dd, if misused, can be dangerous. dump is the primary tool for whole system backup and works with restore. If your Unix system is in production, make sure a senior system admin guides you through these your first time. The simplest form of the dump command is: dump, dump level, u (update dumpdates file), f (device name), and the file system to dump. The last parameter may be specified as a mount point like /usr or a disk device name such as /dev/hd0a. dd is a utility that reads input files block by block. If you specify a disk device, you can capture file system metadata and blocks of “data” marked deleted that could be useful for evidence gathering following a break-in. This data would be missed when using tar or dump, which rely on the Unix file system. dd, then, is preferred for forensics. Unix files do not have an archive bit, so the date of the file is used to determine whether it needs to be backed up. Unix backup scripts will often have some way of checking the date, or last backup time.

Slide 10: Backup Summary
• Files and file systems are accidentally deleted every day
• Disks crash, or have sectors go bad
• Fires, floods, and smoke damage happen
• Make backups, label them well, keep a set offsite
• Test backups: randomly select files and restore

You know the philosophy of this course by now. We are hoping you will experiment with a Windows backup tool and at least tar on Unix. Remember, these are tools that you know will always be available. If you have used them before you are under fire, you will be one step ahead of the game. I would like to close this section with an exhortation to take backups seriously.
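Because Unix has no archive bit, the dump and dd slide says backup scripts fall back on file dates and a record of the last backup time. Here is an added Python sketch of that approach, written for this page rather than taken from the course: the .last_backup stamp file name, the sample directory tree and the timestamps are all constructed. It selects files whose modification time is newer than the stamp, writes them with the standard tarfile module (the equivalent of tar cvf), and lists the archive the way tar tvf would. Advancing the stamp after each run gives incremental behaviour; leaving it at the last full backup gives differential behaviour.

```python
"""Added date-based partial backup for Unix, which has no archive bit: a stamp
file recording the last backup time plays the role the bit plays on Windows.
The stamp name, the sample tree and the timestamps are constructed."""
import os
import tarfile
import tempfile
from pathlib import Path

STAMP = ".last_backup"  # hypothetical stamp file; real scripts choose their own


def changed_since(root, since):
    """Relative paths of files under root whose mtime is newer than `since`."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.name == STAMP:
                continue  # never back up the bookkeeping file itself
            if path.stat().st_mtime > since:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def partial_backup(root, archive, now, advance_stamp=True):
    """Write changed files to `archive` (like tar cvf). advance_stamp=True is
    incremental behaviour (the next run sees only newer files); False leaves
    the stamp at the last full, giving differential behaviour."""
    root = Path(root)
    stamp = root / STAMP
    since = float(stamp.read_text()) if stamp.exists() else 0.0
    files = changed_since(root, since)
    with tarfile.open(str(archive), "w") as tar:
        for rel in files:
            tar.add(str(root / rel), arcname=rel)
    if advance_stamp:
        stamp.write_text(repr(float(now)))
    return files


def full_backup(root, archive, now):
    """Full backup: reset the stamp so every file counts as changed."""
    (Path(root) / STAMP).write_text("0")
    return partial_backup(root, archive, now, advance_stamp=True)


def list_archive(archive):
    """Equivalent of tar tvf: member names in the archive."""
    with tarfile.open(str(archive)) as tar:
        return sorted(tar.getnames())


def demo():
    """Constructed week: full on Sunday, incrementals Monday and Tuesday.
    Returns the contents of each tape; `now` is a fake clock for determinism."""
    work = Path(tempfile.mkdtemp())
    root = work / "data"
    root.mkdir()
    t0 = 1_000_000_000  # constructed epoch base, not a real backup time

    def touch(name, when):
        path = root / name
        path.write_text("constructed content")
        os.utime(path, (when, when))

    for i in range(3):
        touch(f"old{i}.txt", t0)
    tapes = {"sun_full": full_backup(root, work / "sun.tar", now=t0 + 100)}
    touch("mon.doc", t0 + 200)
    tapes["mon_inc"] = partial_backup(root, work / "mon.tar", now=t0 + 300)
    touch("tue.doc", t0 + 400)
    tapes["tue_inc"] = partial_backup(root, work / "tue.tar", now=t0 + 500)
    tapes["tue_listing"] = list_archive(work / "tue.tar")
    return tapes


if __name__ == "__main__":
    for tape, contents in demo().items():
        print(f"{tape:12s} {contents}")
```

The strict "newer than the stamp" comparison is deliberate: a file touched in the same second the stamp was written is the classic way a date-based scheme silently drops a file, so the stamp should be taken before the tree is scanned, as above, never after.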
When I was writing the book Network Intrusion Detection, I was really paranoid. I backed up every day, and once a week I would carry a Zip disk to my neighbor’s house in case I suffered a disk crash. When I teach for SANS, I carry a CD-ROM with a backup of all my course files as well as a Zip disk. That way, if my laptop goes belly up, I can still teach using the CD and someone else’s computers. Your data is valuable; in some sense it is the embodiment of your time. Take care of it! One reason to be religious about your backups is the threat from the nasty new viruses and malicious code that destroy files. They are the subject of the next section in this course.

[...] command prompt. You can do the same thing with your GUI: from Windows Explorer, right mouse click on a file or directory and hit Properties. If you check the hidden button, that file will become a hidden file. On this slide, we are setting the stage. We turn on the command prompt by opening an MS-DOS window and type DIR for a directory listing. On the next slide we will see how to use the attrib command [...]

[...] threats and have a chance at finding them. Let’s learn a bit more about how data can be hidden on a computer system. It makes sense for attackers or criminals to hide files and data for a number of reasons that don’t have your organization’s best interest at heart. The best place to store illegal files is on someone else’s computer. If you have files you don’t want to be found, you can make these files hidden [...]

[...] default behavior of tools that list files. A classic trick on Unix systems is to mark the cluster as bad (unreliable disk space) and store the data there. It is possible to hide files within files using steganographic techniques.

Slide 30: Hidden Files
• Common trick on Windows and Unix
• Hidden file attribute
• Misnaming a file

Hiding files certainly cannot [...]
[...] through. In Unix, for instance, many configuration files that control the user’s interface with the system are hidden files. Security professionals should be alert for these sorts of tricks, know when and where hidden files are appropriate, and when those files require further investigation.

Slide 31: Hidden Directory - FTP
[FTP session log shown on the slide; only the timestamps 12:31:09 through 12:32:07 survived extraction.]

[...] there is an incoming directory, they change their working directory to incoming and then make a new directory, “ ”. Any file that begins with a “.” is a hidden file in Unix and is hard to see. The new directory will probably be used to store illegal files. The way to do this on Windows systems is to hold down the shift and alt keys and type in 255 on the numeric keypad. This will create a directory that is [...]

[...] is infected with malware and an anti-virus signature is not available yet, then what we may need to do is use tools to investigate the system and compare this against a known good system or our records from earlier work. This is why using tools like Dr Watson or ScanDisk and creating a log for reference later is a wise idea. As you have already seen from the examples of com and exe viruses, these will [...]

[...] attrib to set any of the FAT file attributes: read-only, hidden, archive, and system. Any option given with a plus “+” sets the attribute and any option given with a minus “-” removes the attribute. If you will notice carefully, our friend smime2.p7s is no longer visible to the DIR command. Not to worry though, DIR /AH will find it. Another way files are hidden is by giving them names people don’t think about [...]
[...] getting caught. We will hide a file about 10% of the original and a second that is about 100% of the size. Subseven3 is our graphics file and the two files with red arrows are the files we are hiding. To make it work, we simply use Windows Explorer and drag Subseven3 and drop it into the steganographic tool. Then we drag the file we wish to hide and drop it onto the graphics file.

[...] infection will propagate. The ILOVEYOU virus is written in VBScript, and will therefore run on systems supporting Windows Script Host (WSH), or systems that interpret Visual Basic and have a Wscript library. The code consists of five routines and some supplementary support functions. The routines are: main(), regruns(), spreadtoemail(), html(), and listadriv(). Two of these subroutines will be examined in [...]

[...] There is a command line option to ls, ls -a, for list all files. This will show all files, including hidden files. When I am working as a Unix system administrator, I like to alias “ls” to “ls -lart” to list all the files in reverse time order, so the most recently modified file is the most obvious one. This has protected me from any number of mistakes, including missing a hidden file.

Slide 33: Hidden File - Windows [...]
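The hidden-file slides above describe what to watch for: dot-prefixed names on Unix, a directory named with ALT+255 on Windows, the hidden attribute set with attrib +h, and plain misnaming. Here is an added defender-side sweep in Python, written for this page and not part of the course; the anonymous-FTP style directory tree it scans is constructed. It walks a tree and reports names that are dot-prefixed, made only of spaces and dots, or contain non-printing characters (on the usual Western OEM code page ALT+255 produces a non-breaking space, U+00A0; that mapping is my assumption), and it reads the Windows hidden attribute where the operating system exposes it. Ordinary dotfiles are reported rather than skipped because, as the notes say, the reviewer still has to decide where hidden files are appropriate.

```python
"""Added sweep for the hiding tricks discussed on the hidden-file slides:
dot-prefixed names, names made only of spaces/dots, names containing
non-printing or non-ASCII space characters (ALT+255 on Windows yields a
non-breaking space, U+00A0, under the usual Western OEM code page; that
mapping is an assumption), and the Windows hidden attribute.
The sample tree below is constructed."""
import os
import stat
import tempfile
import unicodedata
from pathlib import Path


def name_findings(name):
    """Reasons a single file or directory name deserves a second look."""
    reasons = []
    if name.startswith("."):
        reasons.append("dot-prefixed: invisible to plain ls")
    if name.strip(" .") == "":
        reasons.append("name consists only of spaces and dots")
    for ch in name:
        cat = unicodedata.category(ch)
        # Zs = space separators other than the ASCII space (includes U+00A0);
        # C* = control, format, private-use or unassigned code points.
        if (cat == "Zs" and ch != " ") or cat.startswith("C"):
            reasons.append(f"non-printing character U+{ord(ch):04X}")
            break
    return reasons


def hidden_attribute(path):
    """True if the Windows hidden attribute (attrib +h) is set.
    On Unix os.stat has no st_file_attributes, so this is always False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def sweep(root):
    """Walk root; return {relative posix path: [reasons]} for every suspicious entry."""
    root = Path(root)
    findings = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = Path(dirpath) / name
            reasons = name_findings(name)
            if hidden_attribute(path):
                reasons.append("Windows hidden attribute set")
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Constructed anonymous-FTP style tree: a dot-space directory under
    incoming/, a directory named with a non-breaking space, one ordinary
    dotfile, and ordinary files that should not be reported."""
    root = Path(tempfile.mkdtemp())
    (root / "incoming").mkdir()
    (root / "incoming" / ". ").mkdir()
    (root / "incoming" / ". " / "stash.dat").write_text("constructed")
    (root / "pub").mkdir()
    (root / "pub" / "\u00a0").mkdir()
    (root / "pub" / "readme.txt").write_text("constructed")
    (root / ".profile").write_text("constructed")
    return sweep(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(repr(path), "->", "; ".join(reasons))
```

Printing the paths with repr() matters: a directory named with a non-breaking space looks identical to an ordinary space in a plain listing, which is the whole point of the trick, and repr() is what makes the U+00A0 visible to the person reading the report.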

Posted: 21/12/2013, 05:16
