Info
All content is transcribed. I am currently working on reformatting the notes so they read a little better. Content will move around but no content will be removed.
Ethics
Professionals have unique ethical duties
Cyber security is a field that requires a high standard of ethics
There are many laws governing cyber security including
- DMCA
- National Security Regulations
- Contracts (Such as EULAs and NDAs)
Risk management is a huge part of security
How to manage risk? - Rule-based: Follow guidelines to set policy
- Relativistic management: Be as good as the rest / don’t have the worst
- Requirements-based
-preform a form risk analysis - NIST’S “Risk Management Framework”
Best practices - OWASP (Open Web Application Security Project)
- Apply defense-in-depth: many layers of protection
- Default-deny
- Fail Securely
- Least Privilege
- Avoid “Security through obscurity”
- Keep Security Simple
- Detect Intrusions
- ”You can’t block what you can’t see”
- Don’t trust infrastructure
- Establish secure defaults
Risk Management Frameworks
Six step process
- Prepare
- Establish goals get ready for process
- Categorize
- Select
- Implement
- Access
- Monitor
Incident Response
Preserve the evidence
Immediately report the incident
Identify the source
Contain the damage - change passwords
Repair/recover
Prevent future incidents / close the loop
Network Attacks
Spoofing
- sending a falsified address to make it appear traffic comes from a different system that it really does
- Easy way to do this
- ”scapy” packet manipulation tool
- Other ways to do this
- use “iptables” firewall to rewrite address
- ”raw” packets (requires root access)
- Problem
- You won’t get the replies
- the replies are sent to the spoofed address which will respond with a RST packet tearing down the connection
DoS (Denial of Service)
-
A attack in which a system becomes unable to do useful work
-
An attack against a viability
-
Often used with spoofing to prevent system from replying with RST packet
-
Two types
- Crash or freeze the attacked system
- Exhaust the other system’s resources
-
Exhausting resources
- Memory
- Disk space
- Computation Time (CPU)
- Network bandwidth
- Network sockets
-
Key strategy
- Take advantage of an inefficiency in remote system to make it use more resources than we use to attack
-
Common trick: amplification
- use features of the system or network to turn a small amount of work (or network traffic) into a large amount of work (or network traffic)
-
Preventing DoS is hard
- mathematically indistinguishable from a flash crowd
- Example CNN crashed on 9/11 because everyone was going to check the news
-
Examples of DoS attacks
- WinNUKE
- Attacked Windows 95 and NT machines by sending a packet marked “UPG” to the NetBIOS (Port 139) A bug caused the system to crash
- Ping of Death
- Ping sends ICMP requests that are 64 bytes long
- The IP standard allows us to change the size up to 64kb long
- You could crash older systems this way
- LAND (Local Area Network Denial)
- By spoofing a TCP SYN packet with the same address and port # from source and destination its possible to make a computer reply to itself in an infinite feedback loop until it crashes
- WinNUKE
-
Examples of Amplification DoS Attacks
- Slow Loris
- Opens a bunch of HTTP connections to an Apache web server tying up the “thread pool” sends just enough traffic to keep them alive but never completes or closes the request
- SMURF Attack
- Send a huge number of bogus packets to a broadcast address. spoof the source address using the target systems IP address
- All systems receiving the broadcast will reply with error messages which will all hit the target
- SYN flood
- send many packets that have the SYN flag set but do not complete the 3-way handshake. The system will fill up its network buffers with incomplete connections and become unable to accept new connections
- Slow Loris
Distributed Denial of Service Attack (DDoS)
-
Instead of using amplification use many machines to overwhelm a single target
-
often uses a large botnet of compromised systems
-
Examples
- TrinOO
- TFN
- Low Orbit Ion Cannon / High Orbit Ion Cannon
Snooping / Sniffing
-
Anyone connected to the network can “capture” the traffic using Wireshark/tcpdump
-
Often this is for legitimate troubleshooting
-
Packet captures are often stored in .pcap files for later analysis
-
Switches make this more difficult but wireless networks make it easy
-
Packet Capture Tool
- tcpdump: Command line tool for capturing packets
- Wireshark: Graphical tool makes this easier to read
- Snort: Analysis tool often used for intrusion detection
- Aircrack-ng: Wireless packet capture tool that can also crack WEP and WPA keys to decrypt and sniff wireless
- cain and Abel: Windows only
Man in the Middle Attack (MitM)
-
If an attacker can insert their own system in between yours and a target, they can not only intercept your packets but modify them and send them on
-
This is an attack on integrity
-
Tools for MitM
- Ettercan
- Hak5
- Wifi Pineapple
- Packet Squirrel
- LAN Turtle
-
Replay Attacks
- A kind of MitM attack in which someone captures packets and then sends duplicates of a request
- works even if the packets are encrypted
- can cause a site to repeat a action
-
How to stop/prevent MitM attacks
-
Router/Gateway
- Routing rules can mitigate attacks by blocking certain external traffic
-
Firewalls
- Firewalls can implement access control lists that block specific ports, know “bad behaviors”
- Firewalls can be:
- Edge firewalls (placed between 2 networks)
- internal firewalls (placed inside a system)
- Two kinds of firewalls
- packet filters: fast and efficient but can only filter based on info from packet header
- proxy
- firewalls / application gateway: Application-layer firewalls that can look …
-
Vulnerability scanners
- Check for vulnerable servers or workstations
- report which ones need patching or have other known weakness
-
Exploit: Specially crafted string of data intended to take advantage of a vulnerability
Network Session Hijacking
- Uses sequence number prediction to inject packets into an already established connection, bypassing firewalls
Attacks on Computer Security
-
Physical Security Compromises
- Direct, in-person manipulation of the hardware or software of a computer system
-
Software Exploits
- Exploits errors in logic of a program to circumvent security protections
-
Buffer overflows
- Technique that writes past the end of an array
-
Malware
- Malicious software that can infect a system and compromise security
Physical Security
-
Laptop Theft
-
Vandalism
-
Component Theft
-
Keyloggers
-
Authentication Bypass
-
Physical access makes breaking in easier
-
More control over the system
- Can use external hard drives, USB, Serial ports to access
- Can open case and access drives/buses directly
- can change the BIOS/UEFI settings
- can bypass firewall and other network protections
-
Harder to track
- No network logs
- can give attacker more time to break into system
-
-
Can cause most damage
- loss of entire computers
-
Most of our other security controls don’t matter if someone can get direct physical access to the system
-
Physical Access can bypass security protections
- No network protections(firewall) or monitoring
- Can bypass authentication by booting into an OS using a disk
- Can bypass boot restrictions by changing BIOS/UEFI
- can reset BIOS/UEFI passwords by removing battery
-
Can remove hard drive from system and clone it or install it in another system
-
Insider Threats
-
A significant % of computer crime comes from insider threats
- Disgruntled employees
- poorly trained users (phishing scams, downloading trojans)
- industrial espionage
-
Tailgating/Piggy backing
- Attacker bypasses locks, card key access, or other building security protections by following another user into the area
-
-
Key loggers
- Devices plugged into a system between the computer and keyboard that records key strokes
- Can use wireless to broadcast info or store info to recover later
- can steal passwords, cc numbers, other sensitive data
-
Have a security policy
-
Who is allowed to access what and when
-
Secure the building/area
- Bollards, turn stiles, barricades
- keys, locks, combination locks, card key access, biometrics
- security checkpoints/guards
- security cameras
- HVAC systems (prevent computers from environmental threats)
- EMP Protection
-
Secure the system
- Case locks
- BIOS/UEFI passwords
- Regular backups
- Proper erasure of deleted data
- DBAN Nuke, Degaussing, hardware shredding, ball-peen hammer?
-
Secure your users
- Training
- Having a well documented security policy
- timely account expiration
-
Multi-layer Security
- Don’t rely on just ONE mechanism use many different mechanisms in combination to improve security
- Don’t make security too onerous - or users will circumvent it
-
Software Exploits
- Any piece of software of reasonable complexity has bugs
- These bugs can often be exploited to circumvent security protections
- Common mistakes that cause risk
- Type errors
- Forgetting that integers can be negative
- Directly comparing floating point value’s
- Not validating inputs
- Directory traversal
- Code Injection
- In bash shell scripts, quote marks and
$
can lead to code execution or access environment variables.
- In bash shell scripts, quote marks and
- Type errors
Buffer Overflow
In some ways an “assembly language code injection”
Suppose a program has a fixed size array
char name[20];
It reads into that array without checking if the input fits
gets(name);
Providing more input that expected can overwrite other variables or control state of the program.
If an array is on the stack you can overwrite the “return address” of a function.
When the function returns the program will jump to a new memory location not back to where it was called like we would expect.
Most modern languages have “array bounds checking” to help protect against this.
Mitigating Software Exploits
- Least Privilege
- Don’t run services as the admin user if not required
- Don’t make binaries setuid
- Patching
- A patch is a modification to a program that fixes a bug often a security flaw
- Patching is an arms race between hackers and devs
- Window of Opportunity: time between patch and discovery
- Sandboxing
- Using VMs, containers, chroot, jails, or other techniques to isolate software systems
- Browsers hace a “javascript sandbox”
- System Hardening
- Execute Disable/ No Execute bit (XD/NX)
- Stock randomization (ASLR) and stack canaries
- Secure Programming
Open Source Software
Having access to the source code doesn’t really help the hacker that much
- They use fuzzers that generate lots of random strings
In practice, open source software has a much better record
Malware
Malware: Malicious Software → Malicious Software
Types of malware:
- Trojan horse: designed to look like real software
- Virus: piece of code copies itself into another program spreading from system to system
- Worm: program that spreads across a network
- Spyware: program that collects info from a system without their knowledge
- Ransomeware: encrypts files and holds them hostage for money
Rootkit
- Software used by an attacker to hide their tracks
- Deletes info from system logs to cover its tracks
- Often uses hidden files
- Sometimes replaces system utilities
- Often contains “backdoors”
Virus Payloads
- Spam servers
- Backdoors
- Hard drive bomb / Logic bomb
- Ransome ware
- Crypto Miners
- Keyloggers
How Viruses spread
- Boot sector infections
- Autorun files
- Phishing campaigns / infectious attachments
- Macros
Containing Malware
Antivirus software
- Signature based: check for particular patterns, strings, or hash values, that uniquely identify a virus
- Heuristic: Checks for particular execution and memory patterns that are common to different malware
- can quarantine, delete or repair infected files
- require constant updates
- significant performance impact on a system
Sandboxing
- Don’t allow normal users to have admin rights
- Use admin account only for admin tasks
- use permissions and other os tools to isolate processes
- disable autorun files
- disable macros
- ”secure boot” verification of boot system
Use a More Secure OS
- Why does linux have so few viruses
- Its harder to write viruses for
- open source means fewer bugs (2024 update: XZ exploit)
- Linux users tend to be more tech savvy
- Attackers tent to like linux and hate windows
There is malware that infects Linux system though
- Tents to consist of RATs
Linux Anti-malware tools
- clamAV free anti-virus
- rkhunter
- maldet
Windows Anti-malware tools
- MalwareBytes
- Windows Application Firewall
- Windows Defender
Application Whitelisting
- Only allows specifically identified programs to run
- Can prevent worms, trojans, and some viruses
- Can block warez/pirated software
Training
- Teach users NOT to click links/plug-in flash drive
- Avoid “fear tactics”
Social Engineering
Uses various psychological techniques such as
- Authority: Social engineers often impersonate authority figures
- Urgency: Convey a sense of urgency
- Intimidation make threats to scare users
Social Engineering takes many forms
- Vishing (phishing but over the phone) (real creative name :))
- Pharming: fake website that looks like real website
- Typo Squatting: Creation of websites with similar name but different (whitehouse.gov vs. whitehouse.com)
- Shoulder Surfing: Looking over someones shoulder
- Dumpster Diving: Gathering info by finding info in the trash
- Phishing: You know this one
- Spear Phishing: Target phishing attack
- Include company logo and letterhead
- uses the names of real people from an org.
- spoofed to come from email account like yours
- Whailing: targeting phishing attack directed at a large profit target
- Foot printing or OSINT(Open Source Intelligence): process of gather info about a site to attack it
- Robots.txt: tells you exactly where the sensitive data is
- Robots.txt is a file on a webserver that tells the web crawlers (like search engine indexers) to not index
- DirBuster: Program that takes a URL and a wordlist and uses the word list to brute force possible URLs
- Comes with a bunch of default “word lists” that contain common paths for many web apps
Enumeration tools
- Nmap
- Aircracking
- Nikto
- Fping
- Hping
A lot of information can be gathered directly from the web server’s headers - using netcat/telnet
Or by attaching a proxy
OWASP 2AP
Error codes are very informative
Cookies
can be used for tracking
A “web bug” is a small image (often 1px by 1px) embedded into an email, websites, or other document - When the web bug is viewed it is downloaded from a server
- This leaves a message in the server log to track you.
Google “Dorks” are short search strings that can often find info about compromised systems
Shodan searchable database of everything connected to the internet
Software for gather and organizing OSINT info
- Recon-Ng
- Maltgo
Archives
- Archive.org
- Caches (Google cache)
- Pastebin
- Web scrappers
Social engineering toolkit creates phishing emails to steal credentials
Authentication
Securing a resource has two parts
- Authentication: process of verifying the identity of a user
- Authorization: What a user has access to
You need both you can’t just have one
Three main factors of authentication
- Something you know
- Passwords, PINs, or “Security Questions”
- Something you have
- ID card, Token, Yubi Key kinda thing
- Something you are
- Fingerprints, Retina Scans, Skeleton Scanning
Basic Principle: Defense in Depth
- Don’t rely on just one factor for authentication (This is where multi-factor authentication comes from)
Biometrics
Most biometrics are “tunable”
- can adjust sensitivity to reduce false positives/negatives
Evaluated using
- FAR (False Authentication Rate) got in when they shouldn’t have
- FRRC (False Rejection Rate) didn’t get in when they should have
- Cross Over Error Rate - both together
Cryptographic Tokens
Public Key Crypto systems such as RSA use public/private key pairs
Cryptographic Authentication
- One Time Password
- Uses cryptographic hashing to generate a Sequence of numbers.
Two Kinds of Attacks
- Offline
- Attacker has a list of passwords but they are encrypted
- Online
- SSH in and brute force or something to get in
What is “Salt”?
A “salt” is a randomly generated string that is added to the password before encrypting it
Offline password cracking
- Brute force
- Dictionary Attack
- Wordlist Attack - many common passwords
File Security
File: A block of related data stored on permanent media
- organized into “directories”
Partitions
Disk drives are divided up into sections called partitions. Each partition can have its own filesystem
The layout of directories into a logical structure is called the filesystem hierarchy
- In Windows each drive or partition has its own separated directory hierarchy
- each disk or partition gets its own drive letter
- In Unix these are unified into a single virtual filesystem
Programs
Programs are also files
- Processes typically run with the permissions of the user who launched them (all though not always)
Authorization
Authorization is the process of verifying that an entity has access rights to a particular computing resource
- Files
- Access to a computer system
- Devices
- Memory
- VMs/containers
- Network ports
Without Authentication there is no safety - Anyone could access anything
Without Authorization there is no liveness
There are two main types of Authorization Systems
- Discretionary Access Control: permissions on a resource are allowed to change dynamically
- Mandatory Access Control:
Unix File Permissions
In Unix each file is owned by a user AND a group
- The owner is often the creator of the file
File Permissions
Info about permissions is stored in the directory listing
Anyone with raw access to the disk can circumvent these protections
- by booting to a live disk as “root” and changing them
For files
- r: read
- w: write
- x: execute
For directories - r: list
- w: create or delete files
- x: access contents
Special Permissions Bits
SetUid bit
- When program is run runs as the owner of the file rather than the current user
SetGid bit
- When program is run, runs a group owner rather than current group
- On directories, makes files owned by directory owner rather than current user
Sticky bit
- For files: used to “lock” a program into memory to force faster loading no longer used
Initial Permissions
When we create a new file or directory what permissions should it have?
- Executable programs and directories are executable
- Nothing else
What about read and write permissions?
- The “umask” determines the defaults. It lists the permissions to remove from a file
Access Control Lists (ACLs)
Allow more fine-grained control over permissions
- more flexible but much more expensive
- used in windows
- available in linux
- can add new “capabilities” too so not limited to “read”, “write” and “execute”
Linux “Attributes”
Change attributes with the chattr
command
- +a File can only be opened for appending
- +A File access time is not updated when it is edited/read
- +d Don’t backup this file
- +i File is immutable It cannot be deleted
- +s File is erased with 0s when its deleted (doesn’t work on ext systems)
- +u File is NOT overwritten when deleted and can be “un erased” (doesn’t work on ext filesystems)
Mandatory Access Control
MAC - permissions on a resource are governed by a policy
Used by SELinux
- Developed by the NSA
- Uses concept of “labels” and “domains”
- A Label is a bit like a permission (more like ACL)
- Different permissions are available on different systems depending on which “modules” have been loaded
Labels are mapped to files and network sockets using a policy file
SELinux Policies
- Domain: Identifies a group of related processes/programs
- User: Identifies a particular authentication entity
- Role: Identifies different “roles” the user can be preforming
- manager role
- user role
- admin role
- cleanup role
- Type: for processes which other processes can access it
- Label: What can be done to the resource
Example Rule:
- Allow webmin_t web_log_t file perms append_file perms
- Allow the webmaster to read and append to the web server log file but not to erase it
AppArmor
- Another MAC system
- Less rigorous and not as secure
- But MUCH easier to use
Grsecurity:
- Software suite that contains “hardened” programs such as compilers with special security flags enabled
- RBAC: Similar to MAC but easier to work with
- Automated: Can put in “learning mode” and let it build a policy for you
Administrative Rights
Most DAC systems have one or more “Admin users”
- or at least a “root” user
”Root” user can access pretty much any file, reset any permissions (except on network mounted drives), install and remove software create and delete users, and set passwords
Is the super-user a good thing?
- MAC advocates say “No”
On most systems network ports 0-1023 are reserved ports - Can only be used by the super-user
- Or users specifically granted permissions using Linux capabilities
The sudo command
- grants limited access to admin privileges
- visudo command safely edits the letc/sudoers policy file
The su command
- Allows one user to elevate privileges “into” another users
The newgrp command
- Allows a user to elevate group privileges “into” another group
Capabilities
Can be managed with the capget and setcap commands
Or by running a program using the setpriv command
Example:
- setcap cap_net_admin=tep /usr/bin/my_server
Sandboxes
Software that isolates a program or part of a program from the rest of the OS is called a Sandbox
- Used by web browsers to prevent JS code on a website from infecting the rest of the computer
- Used by OS’s to isolate dangerous processed like FTP servers
- A chroot jail restricts the files a program can access to those under one particular directory
Containers
A chroot jail only limits which files a program can access. Linux lets you limit software in other ways using “Linux Container Namespaces”
- Resource limits
- Access to other running processes
- Network isolation
- A program can have a different IP address than the rest of the system or only use a few ports
- Separate user and group accounts
- we can isolate the program to only see certain users
- Access to drivers and devices
We can isolate each process in any of these ways independently
However we can also use tools like Docker, LXC, or CoreOS to run programs in an environment that uses all of these to isolate software
This accomplishes many of the same goals as a VM
Enumeration
In order to break into a network we need to id potentially vulnerable systems and services
Port Scanning
http: 80
https: 443
ssh: 22
Nmap (by insecure.org)
- GUI: pen map
Angry IP Scanner (angryip.org)
- written in Java
Port scanning has many legitimate uses
- testing wether a network service is up
Basic idea of port scanning
- Send a packet to each port and check for a reply
- Takes a long time to scan 65536 legal TCP ports
- Takes even longer when scanning 65536 UDP ports as well
- Attackers can focus on well known ports
- or at least 1-1023 the “privileged” ports
- Defenders have to scan ALL ports which may be used by malware, backdoors, or rootkits
Port scanner tools report
- Open: Allows access
- Closed: Doesn’t allow access
- Filtered: Access is restricted - it may be blocked by firewall
Types of port scans
Ping Scan
- Use ICMP echo request to “ping” a system
Connect Scan
- Send a complete three-way TCP handshake connecting to the service then disconnect
- Often this connection will be logged
SYN Scan
- Port scanner sends packets with a SYN flag use to initiate TCP connection
- If we get a SYN/ACK packet we send back a RST/ACK to avoid being logged
- considered a “stealth scan” or “stealth attack”
NULL Scan
- A null packet is one with no TCP flags turned on
- If we send one to a closed port we get a RST packet back
- If we don’t get one the port might be open
- Windows systems don’t always send RST packets back
XMAS Scan
- A “Christmas Tree” packet is one that has ALL the TCP flags set
- Used in Some DoS attacks
- However, for scanning we only use the FIN, PSH, and URG flag
- Like NULL scan we expect an RST packet if port = closed
ACK Scan / ACK Attack
- Most firewalls filter out only new connections not established ones
- A packet with only ACK flag set looks like an established connection so it may bypass firewalls
- Expect a RST if port is closed
Fin Scan
- Sends packet with only FIN flag set. Expect RST flag
UDP Scan
- Use UDP packets instead of TCP packets expect “port unreachable”
nmap {compSciServer}.longwood.edu (I didn’t want to put the actual URL online)
- Scans 1000 most common ports then reports if they are in open, closed, filtered, unfiltered, open|filtered, or closed|filtered
- Uses a SYN scan if you are root a connect scan if not
Many nmap options require privileged access
nmap flags
- -sS SYN scan
- -sT TCP scan
- -sU UDP scan
- -sN Null scan
- -sF FIN scan
- -sX XMAS Tree scan
- -sA ACK scan
- -sC script scan
The -T option adjusts nmaps timing parameters
- Shorter delays between packets are faster
- But more likely to be detected
- Also more likely to inadvertently crash the target system
In addition to scanning for open ports nmap can be used to
- Id which systems are online without running port deteching
nmap -sn
- Run port detection without pining the system first
nmap -Pn
Host Enumeration
Fping
- can ping multiple systems in parallel
- use -g flag to specify address
Ping sweeps don’t always Succeed
- Some admins configure their systems to block ICMP echo requests (ping)
- If a system is rebooting we miss it
Ping sweeps can be dangerous
- If you accidentally hit a broadcast you could take everything down accidentally
nmap comes with a bunch of scripts these are written in LUA
Port scanning is only one enumeration step
In addition to identifying available services we need to know
- Which of these services can actually be exploited to give us access
- The topology of the network
- Which OS, servers, and software are being used
- usernames and passwords
NetBIOS
- Microsoft file sharing protocol
- First introduced in ‘83 by Sytek then adopted by MS in ‘85
- Also called NetBOUI
- Originally designed for NBF, Token Ring, and IPX/SPX protocols
- Ported to TCP/IP in ‘87 as NBT (NetBIOS over TCP)
Provides three services
- Name service: advertises available resources on UDP port 137
- Datagram Distribution Service: to exchange messages
- Session Service: allows to connect to each other on port 139
The “NbtScan” tool can be used to find systems running NetBIOS and list which resources they provide
- The -r flag does this
The SMB (Server Message Block) how to share printers and such
Every Windows computer gets a “network name” not related to DNS or its IP address this is to Id it on the SMB network
Many NetBIOS Systems allowed “null session”
- You can login with no username and passwords
Windows Vista and following eliminate null sessions
Gain access even without null sessions using vulnerabilities in the protocol
- The enum4linux does this
Pass-the-hash (PTH)
When clients connect they give us their credentials
- We can crack passwords with “John the ripper” (This is a password cracking tool)
Software Vulnerabilities
Many exploits rely on poor design or bugs
Design issues
- Missing or poor authentication
- Bad default credentials
- Not clearing credentials from memory
- Predictable random number generation
- Use of weak cryptographic algorithms
Static Analysis tools
- Splint
- Jsling/eslint/cpplint
Dynamic Analysis tools:
- valgrind
Compiler Features
- Don’t ignore compiler warnings?
DLL Injection
Even if your software is free from bugs and injection attacks
- The libraries you use may be vulnerable
- In Unix, libraries are also files and are stored in protected directories
- This can sometimes be bypassed
- In Windows libraries are in .dll files and can in various places
- System Folder
- 16-bit System Folder
- Windows Folder
- The “current folder”
Preventing Injection Attacks
Sanitize your inputs
- Don’t allow control characters like quotes
- Three approaches
- Black listing - excluding “bad” characters
- but what if you miss one
- Whitelisting - allowing only “good” characters
- but what if ß or ü is a good character
- Escaping
- Encoding special characters with codes that render them harmless
- But if the document passes through several rendering steps you could miss one
- Example: Blog posted with embedded JS that is stored in a SQL db using PHP backend
- Black listing - excluding “bad” characters
HTML Injection Example
HTML Injection
- Add malicious links by embedding <a> tags in a document
- Can be prevented by encoding < and > using entity tags
Javascript injection is also something you need to watch out for.
Other Inputs to sanitize
- Command line arguments
- Environment Variables
- Including the PWD
- FileNames
- File Content
- Web forms / CGI script input
Sanitizing URLs
URLs / Links
- Especially “javascript” and “mailto” links
- usernames and passwords in links
- userscores in URLs
- ../ in a URL
- URL Escape sequences like %20 for a space
- Query strings that start with ?
One way to defeat many functions that sanitize inputs is to split output over many lines
Preventing Injection Attacks
TESTING !!!
- Test your program for invalid input
- And for logic errors
- Fuzzing: Inserting millions of random inputs into a program to see if any of them cause
- Crashing
- Error Messages
- Differences in behavior
Formal Methods
- Model Checking
- Static Analysis
- Code Review
- Software Theorem Provers
Using Established Libraries
- Don’t reinvent the wheel
- Existing code has been well tested and is safer
System Solutions
NX/XD bit
- Can prevent some buffer overflow attacks
- Marks some parts of memory as “no execute” segments
- Allow us to Separate data from code
Stack Canaries
- Write a special value onto the stack between the inputs and the return address
- Compiler inserts code at the end of every function that checks that value is still there before returning
- Buffer overflow exploits will overload the canary and we will know
Stack Randomization
- Buffer overflow exploits depend on the return address being predictable
- Randomly adding empty arrays of varying sizes moves the return address around and makes this harder
- However, attackers can now use a NO-OP sled
Exploit tools
Metasploit
- Enormous database of known software vulnerabilities and code for exploiting them
Armitage
Nmap
Ghidra
IDA Pro
Fuzzers
Webfuzzers
- Web scarab
- Jbro Fuzz
- Ws Fuzzer
Database Security
Database Security: Use of vulnerabilities in a DB to circumvent security controls
Threats against DB Security
- misconfiguration
- No authentication / poor authentication
We can use ’ to test wether injection is possible
- If we get an error the ’ is probably not being escaped
We can use — to prevent the final ’ from causing an error
Some Injection Tricks:
- Adding “OR 1” since 1 means “true” this can be used to bypass certain checks
We could leak info using UNION
Blind SQL injection attack
- If we can’t leak data directly, we might be able to leak it indirectly by modifying the behaviour of the database.
- For example by makes a query take a long time by using “SLEEP” or “WAIT FOR” or “DELAY” commands
Protecting DB Security
Proper input validation
- whitelist or escape all user input
- Both on client AND on server
Don’t reinvent the wheel
- Use library functions for processing input
- Use stored procedures
Verify database config not just the SQL queries
Web Security
Attacks against web security
- Snooping
- Pharming / Typo squatting
- Enumeration Attacks
- XSS (Cross-site scripting)
- CSRF (Cross-site request forgery)
- vulnerable web applications
Snooping
Web traffic is transmitted using either the HTTP or HTTPS protocol
- HTTPS is encrypted using TLS/SSL
- A Crypto hash to ensure message integrity
- A public key cipher to exchange cipher keys and digitally sign a host certificate
- A symmetric cipher to encrypt info
- HTTP is not encrypted but is faster
- If info is sent using http, it is sent in clear text. Anyone that can intercept the web session can see passwords, credit card numbers, social security numbers, and other PII
When does a connection use HTTPS?
- When the server supports it
- When the browser supports it
- When the client requests it
A misconfigured server can sometimes fall back to plain-text HTTP if it is unable to agree on the correct HTTPS ciphers
Furthermore even if we use HTTPS:
- We might be using weak ciphers that are easily cracked such as RC4 or SSL
- There might be a bug in the browser or the server
- The “Heartbleed” attack took advantage of a bug in OpenSSL to leak info like ciphers and passwords
Pharming and Typo Squatting
A pharming website is a duplicate of another web page set up by an attacker
Different ways of getting users to visit the site
- Spam email banner ads, XSS, or CSRF attacks
- Typo squatting: Registering a domain name that is similar to the cloned site but off by just one or two letters
- Ex. amzon.com
To prevent typo squatting companies buy a bunch of similar domain names
Enumeration Attacks
Enumeration is part of the process of gathering intelligence on a site
Attackers often need to know
- Usernames
- Directories
- API Endpoints
- Potential Passwords
Misconfigured web servers can leak some of this info
- By allowing a user to view a list of home directories
- Or providing a site map
- By listing directories
Enumeration Tools
Dirbuster
- Brute force search for common directories
Cewl
- Scrapes a web page for likely passwords
Nikto
- Examines a web server for common misconfigurations
Robots.txt
- File on many websites containing info you don’t want bots to see
Salmap
- Automates many SQL injection attacks
Vulnerable Web Applications
Performing authentication or input validation on the client instead of the server
Storing sensitive info in cooking
Storing sensitive info in URL’s
Using poor encryption
Using insecure 3rd party libraries
Not using secure 3rd party libraries
Not logging/monitoring for attacks
Logging reporting to much
Cross site Scripting
Cross site scripting (XSS) is a form of injection attack
- If website includes user input as part of the content of a page
- The user can inject malicious HTML tags
Cross Site Request Forgery
CSRF
- Many sites record logging by storing a “session key” that records that you have logged in
Wireless Security
Wireless networks have unique security challenges
- All communication is being broadcast by nature
- Inherently less safe
- Authentication is more difficult because we have little control over who is communicating
Solution
- Use encryption to limit access and provide authentication
Problem
- Not all encryption is strong encryption
Wireless Encryption Standard
WEP
- Notoriously weak standard
- Uses the deprecated RC4 cipher
- A passphrase is used to seed a random number generator
- Originally key was only 10 hex (40 bits) or 26 hex digits (104 bits)
- Because us. had laws forbidding strong encryption
- Eventually upgraded to 32-digit (128 bit)
Attacking WEP
- Fragmentation attack
- Takes advantage of poorly generated init vectors in the RC4 implementation
- No longer widely used
Wifi Protected Access
Replaced WEP as a standard in 2003
- Intended as a quick temp patch
- Only “secure” if you use the full 64-character (256 bit) key
Wifi Protected Access 2 (electric boogaloo)
WPA2 a.k.a. RSN
- Based on IEEE 802.11i amendment to 802.11
- Not compatible with WEP hardware
Cracking WPA/WPA2
Attacker causes a client to become deauthenticated
When client reconnects, it sends the encrypted password
Attacker captures packets in the four-way wireless handshake used to reconnect
Attacker uses a dictionary or brute force attack to decrypt the packets
PSK and Enterprise
WPA/WPA2 are modular
- They allow for other, more secure ciphers, to be used
- WPA PSK
- PSK: Pre-shared key
- Default mode
- Every client that connects uses the same key
WPA PSK
Traffic is encrypted using either TKIP(Temporal Key Integrity Protocol) or AES-CCMP (Counter Mode (BC-MAC) Encryption)
Using a long enough password or passphrase makes the key much harder to crack
In WPA, TKIP is the default, designed to replace WEP
- like WEP
WPA Enterprise
WPA Enterprise provides RADIUS-based authentication using the IEEE 802.11 protocol
RADIUS (Remote Authentication Dial-in User Service)
- Provides Authentication, Authorization and Accounting (AAA) for network
EAP(Extensible Authentication Protocol)
- Uses RADIUS for authentication
- Has some security flaws
LEAP (Lightweight Extensible Protocol)
- Based on 802.1x
- Uses WEP and a sophisticated key management system
- Not considered secure
- Used by some Cisco devices
PEAP (Protected EAP)
- Used by Longwood
- Developed by Cisco, Microsoft, and RSA security
- Allows for secure data exchange without a certificate server
Common Wireless attacks
DoS (Denial of Service)
- Attacker bombards access points
- Often abused weakness in EAP
- Used to cause wireless hosts to timeout/deauthenticate clients
Key Cracking
- Tools such as “Aircrack-ng” can crack a weak passphrase in less then 1 minute other software = Airsnort/Auditor Security Coll
Access Point Spoofing (Evil Twin)
- Attacker sets the SSID on their on their wireless device to look like a legit access point
- Victim associates with the attackers system instead of the AP
Man-In-The-Middle (MitM) attacks
- LANjack and AirJack automate MitM attacks
- Hotspots at hotels and restaurants are particularly vulnerable to attack since they often have little security
Network Injection
- Attacker inserts bogus network control packets onto the network causing network devices to reconfigure their connections
Caffe Latte Attack
- Attack against WEP
- targets the windows network stack
- Allows remote exploitation of a wireless client
- Attacker sends a flood of ARP Packets
Krack attack
- Tricks OS into setting the encryption key to all zero’s
Hole 196
- Uses WPA2 Group Temporal Key (GTK)
- This is a shared key among all users of the same ESSID
- Launches attacks on other users of the ESSID
ESSID Hiding
- ordinarily the SSID for a network is broadcast
- turning off this feature makes it slightly harder to id a network
RF shielding
- special paint or glass can block wireless signals
Reducing TX Power
- reduce the range of wifi
MAC ID Filtering
- Whitelist a MAC address
- Blacklist unwanted MAC addresses
- neither of these is really effective because attackers can spoof MAC addresses
Static IP Addressing
- Instead of using DHCP to assign IP addresses automatically to specific clients
- makes attacks slightly more difficult
- spoofing can run into IP conflicts resulting in connections being torn down
- But only if the other system is online at the same time
End-to-End Encryption
- WPA2 is a form of point-to-point encryption
- it only encrypts data between the client and the access point
- Any traffic forwarded to other systems
VPN
- Form of end-to-end encryption where all traffic is encrypted
- All data to the proxy is encrypted
- However this makes traffic analysis very difficult
- And encrypts ALL network sent to the proxy
Black holing
- Dropping all IP Packets from an attacker
- Somewhat effective at stopping DoS attacks
Validating the four way handshake
- create a ‘false open’
Rate limiting
- Capping the amount of traffic someone can use
Invented in the early days of the internet
Not designed for security
Conglomeration of many different protocols
- SMTP: Sending mail
- POP: downloading mail
- IMAP: Accessing server-side mailboxes
- MIME: Format for encoding different formats so they can be transmitted portably across different types of computers with different operating systems
MUA: Mail User Agent
- Email client can send/receive messages
MTA: Mail Transport Agent
- Server that sends messages
MRA: Mail Relay Agent
- Server that passes emails to the next “hop” in the chain
MDA: Mail Delivery Agent
- Server that stores email until its ready to download
Problems with email
Authentication
- Often done in plaintext
- password snooping is possible
- subject to replay attacks
Message Transmission
- Almost always done in plaintext
- message snooping is possible
Message Storage
Traffic Analysis
- even if it is encrypted the sender/receiver and other info can’t be encrypted
Spam
- unsolicited email, phishing, spear phishing
SPAM
CAN-SPAM Act of 2003
Classifies SPAM into two categories
- Unsolicited Commercial Email
- Unsolicited Bulk Email
Requires all commercial email come with an unsubscribe link
Prohibits misleading “FROM” headers
Bans emailing address harvesting
Mechanisms for Preventing SPAM
Enforcing basic system/network security best practices
- Secure the server
- Secure the client
- Use VPNs
- Use end-to-end encryption
Filtering
- Naive Bayesian classifiers
- Label messages as either SPAM or HAM
Bayesian Filter are Fairly easy to circumvent
- Misspell words or addition characters
- Add lots of legitimate text to reduce the overall spamicity
Graylisting
- Don’t accept messages until the server has verified the sender
- Requires making a network connection for each incoming message
- Slow and subject to DoS attacks
- But pretty effective
Tarpitting / Delays
- A spammer needs to send millions of messages
- Normal users only send a few
- Introducing random delays into sending messages can really mess up spammers
- However it could cause problems for legit users
Sender Verification
- SPF
- Matches domain name in from with DNS records
- DKIM
- Uses digital signature keys distributed over DNS
- DMARC: Domain-based Message Authentication, Reporting, and Conformance.
States of a stateful firewall
A Connection can be in the following states
- NEW: The two hosts have exchanged SYN Packets but the three-way handshake has not been completed
- ESTABLISHED: The two hosts completed the three-way handshake
- RELATED: The connection hasn’t been established yet but is related to an established connection
- INVALID: Something is wrong with the connection
About iptables firewalls
- There are 3 main tables
- Filter table: Decides which packets to accept/deny
- Nat table: Modifies addresses and port numbers
- Mangle table: Modifies other portions of the packet header
- In the filter table there are 3 chains
- INPUT: packets sent to the pc
- OUTPUT: packets sent from the pc
- FORWARD: packets sent through the firewall
- To add a rule, we use
iptables -A
- To remove a rule, we use
iptables -D
- To set the default policy we use
iptables -P
Two kinds of firewalls
- Hast firewall: Run on endpoint such as work station
- Edge firewall: Runs on a network boundary
Other Network Security Controls
Network Intrusion Detection System (NIDS) Program that monitors traffic on a network for malicious activity
- Signature: Identifies known patterns of network traffic
- Heuristic: Identifies suspicious behavior. looks for anomalies on a network
- Generates alerts when it detects something
Network Intrusion Prevention System (NIPS): Software that detects malicious traffic and blocks it
SIM/SEIM/SIEM System information and events manager
- Collects log files from devices on the network and analyzes them for security events
- Bro/Rita are log analysis tools
Cryptography
Cryptography is the art of “secret writing”
Two kinds of Cryptography
- codes
- ciphers
Codes
A Code is a simple system where characters are replaced one-to-one with other characters
Codes are often used for non security purposes
- Base 64 codes allow binary data to be encoded
Base 64
In the early internet not all systems supported 8-bit chars
- most text was transferred using 7-bit ASCII codes
- 8th bit was a control character
- This means if you used all 8 bits the thing would get corrupted
- Solution: Encode the data in a format that used fewer than 8 bits
Split the binary message into blocks of three bytes each block is 24 bits long
Now divide the block into 4 6-bit digits
- 0-25 = A-Z
- 26-51 = a-z
- 52-61 = 0-9
- 62 = +
- 63 = /
Problem what if the length of the message isn’t a multiple of 3 bytes?
- Solution pad the message with 0’s but keep track of how many bytes to remove
- Represent each byte of padding with an = at the end of the message
Ciphers
A Cipher is a function which maps a plaintext message to an encoded message in such a way that it is difficult to retrieve the original message without knowledge of the secret key
Types of Ciphers
- NULL Ciphers
- Add additional symbols to try to conceal the message
- The “key” is the position of the added symbols
- Example: Railfence cipher
- Taking the first letter of each word is a null cipher
- Substitution Ciphers
- Each symbol in the message is replaced by another symbol
- Example ROT-13 cipher
- Other shift cipher ROT-3
- Caesars Cipher
- Instead of shifting right by 3 shift left by 3
- Transposition Ciphers
- Change the order of the symbols
Modern Ciphers
Public Key Ciphers
- Two Keys
- Anything encrypted by the public key can only be decrypted by the private key and vice versa
- Certificates
- Special documents digitally signed using a private key
Rivest-Shamir-Adleman
- public key cipher
- uses the fact multiplying is easy but factoring is hard
- used by TLS/SSL
Elliptic Curve Cryptography
- Rivest Cipher Four
- Stream cipher invented by Ron Rivest
- Digital Encryption Standard
- used in the 70’s with a 56-bit key
- the small key size was easily brute forced
- Advanced Encryption Standard
- replaced DES
- used keys of 128, 192, or 256 bits