1.2 Compare and contrast types of attacks. Flashcards
Clickjacking
Normal web page underneath
• Invisible layer on the top
Clickjacking your phone
Invisible information drawn over the screen
• Monitor keystrokes and record user input
Cookies
Information stored on your computer by the browser
• Used for tracking, personalization, session management
• Not executable, not generally a security risk
• Unless someone gets access to them
• Could be considered a privacy risk
Session IDs
Maintains sessions across multiple browser sessions
Header manipulation
• Information gathering: Wireshark, Kismet
• Exploits: Cross-site scripting
• Modify headers: Tamper, Firesheep, Scapy
• Modify cookies: Cookies Manager+ (Firefox add-on)
Prevent session hijacking
Encrypt end-to-end
• They can’t capture your session ID if they can’t see it
• Additional load on the web server (HTTPS)
• Firefox extension: HTTPS Everywhere, Force-TLS
• Encrypt end-to-somewhere
At least avoid capture over a local wireless network
• Still in-the-clear for part of the journey
• Personal VPN (OpenVPN, VyprVPN, etc.)
• Use session ID monitors
Blacksheep
• Application-specific
Malware hide-and-go seek
There are still ways to infect and hide
• It’s a constant war
• Zero-day attacks, new attack types, etc.
Drivers
The interaction between the hardware and your operating system
Hardware interactions contain sensitive information
• Video, keyboard, mouse
Shimming
Filling in the space between two objects
• A middleman
• Windows includes its own shim
• Backwards compatibility with previous Windows versions
• Application Compatibility Shim Cache
• Malware authors write their own shims
• Get around security (like UAC)
Refactoring
Metamorphic malware
• A different program each time it’s downloaded
• Make it appear different each time
• Add NOP instructions
• Loops, pointless code strings
• Can intelligently redesign itself
• Reorder functions
• Modify the application flow
• Reorder code and insert unused data types
• Difficult to match with signature-based detection
• Use a layered approach
Spoofing
Pretend to be something you aren’t
• Fake web server, fake DNS server, etc.
Email address spoofing
• Caller ID spoofing
Man-in-the-middle attacks
The person in the middle of the conversation pretends to be both endpoints
MAC spoofing
• Very difficult to detect
Circumvent MAC-based ACLs
• Fake-out a wireless address filter
IP address spoofing
- Take someone else’s IP address
- Pretend to be somewhere you are not
- Easier to identify than MAC address spoofing
- Actual device: ARP poisoning
- DNS amplification / DDoS
IP address spoofing prevention
Apply rules to prevent invalid traffic, enable switch security
Wired vs. wireless replay
Similar to wired replay attacks
• Wireless doesn’t change those attacks
• Wireless adds some additional capabilities
• This is a big concern for the security professional
• Much easier to capture the data
• Hotspots are generally in the clear
• Just like tuning in to a radio station
Cracking WEP - Wired Equivalent Privacy
• A broken security protocol
• Could not stop the replay of 802.11 packets
• ARP request replay attack
• Cracking WEP requires thousands of Initialization Vector (IV) packets
• Wait all day to collect IV information
• Or replay a ton of ARPs and collect the IV packets
• Now you have many thousands of IV packets
• You can crack WEP in seconds
Rogue Access Points
- A significant potential backdoor
- Huge security concerns
- Very easy to plug in a wireless AP
- Or enable wireless sharing in your OS
Rogue Access Points prevention
• Schedule a periodic survey
• Walk around your building/campus
• Use third-party tools / WiFi Pineapple
• Consider using 802.1X (Network Access Control)
• You must authenticate, regardless of the connection type
Wireless Evil Twins
• Buy a wireless access point
• Less than $100 US
• Configure it exactly the same way as an existing network
Overpower the existing access points
• May not require the same physical location
Wireless Evil Twins prevention
- You encrypt your communication, right?
- Use HTTPS and a VPN
Radio frequency (RF) jamming
Denial of Service
• Jamming is intentional
• Someone wants your network to not work
• Prevent wireless communication
• Transmit interfering wireless signals
• Decrease the signal-to-noise ratio at the receiving device
• The receiving device can’t hear the good signal
Wireless jamming
- Many different types
- Constant, random bits / Constant, legitimate frames
- Data sent at random times
- Random data and legitimate frames
- Needs to be somewhere close
- Difficult to be effective from a distance
- Time to go fox hunting
- You’ll need the right equipment to hunt down the jam
- Directional antenna, attenuator
Reactive jamming
• Only when someone else tries to communicate
Using WPS
- Wi-Fi Protected Setup
- Originally called Wi-Fi Simple Config
- Allows “easy” setup of a mobile device
- A passphrase can be complicated to a novice
Other WPS Attacks
- Walk up to the access point
- Default PIN may be written on the device
- Or just push the WPS button on the front
Bluejacking
Sending of unsolicited messages to another device via Bluetooth
• No mobile carrier required!
Bluesnarfing
• Access a Bluetooth-enabled device and transfer data
• Contact list, calendar, email, pictures, video, etc.
• Serious security issue
• If you know the file, you can download it without authentication
RFID Attacks
- Data capture
- View communication
- Replay attack
- Spoof the reader
- Write your own data to the tag
- Denial of service
- Signal jamming
Near field communication (NFC)
- Two-way wireless communication
- Builds on RFID, which was one-way
- Payment systems
NFC Security Concern
- Remote capture
- It’s a wireless network
- 10 meters for active devices
- Frequency jamming
- Denial of service
- Relay / Replay attack
- Man in the middle
- Loss of NFC device control
- Stolen/lost phone
It started as a normal day
Surfing along on your wireless network
• And then you’re not - intermittent
• You may not be able to stop it
• There’s (almost) nothing you can do
• Time to get a long patch cable
• Wireless disassociation
• A significant wireless denial of service (DoS) attack
802.11 management frames
• Frames that make everything work
• Important for the operation of 802.11 wireless
• How to find access points, manage QoS, associate/disassociate with an access point, etc.
• Original wireless standards did not add protection for management frames
• Sent in the clear, with no authentication or validation
Cryptographic attacks
The bad guy doesn’t have the combination (the key)
• So they break the safe (the cryptography)
• Finding ways to undo the security
• There are many potential cryptographic shortcomings
Birthday attack
A hash collision is the same hash value for two different plaintexts
• Find a collision through brute force
• The attacker will generate multiple versions of plaintext to match the hashes
• Protect yourself with a large hash output size
Known plaintext attack (KPA)
• Attacker has both the plaintext and the encrypted data
• If you know the original plaintext, you may be able to find a “wedge” that is revealed in the ciphertext
• The known plaintext is the crib
Rainbow tables
An optimized, pre-built set of hashes
• Doesn’t need to contain every hash
• The calculations have already been done
• Remarkable speed increase
• Especially with longer password lengths
• Need different tables for different hashing methods
• Windows is different from MySQL
• Rainbow tables won’t work with salted hashes
• Additional random value added to the original hash
Dictionary attacks
People use common words as passwords
• You can find them in the dictionary
• If you’re using brute force, you should start with the easy ones
Many common wordlists available on the ‘net
• Some are customized by language or line of work
Brute force
The password is the key
• Secret phrase
• Stored hash
Brute force attacks - Online
Keep trying the login process
• Very slow
• Most accounts will lock out after a number of failed attempts
Brute force the hash - Offline
- Obtain the list of users and hashes
- Calculate a password hash, compare it to a stored hash
- Large computational resource requirement
The password file
Different across operating systems
• Different hash methods
Collisions
Hash digests are supposed to be unique
• Different input data should never create the same hash
• MD5 hash
Message Digest Algorithm 5
• First published in April 1992
• Collisions identified in 1996
Replay attacks
• Some cryptographic algorithms are more susceptible than others to a replay attack
• A hash with no salt, no session ID tracking, no encryption
• Replay countermeasures may be part of the cryptography
• Kerberos and Kerberos derivatives include time stamps
• Anything after the time to live (TTL) is discarded
Weak implementations
Weak encryption
• One weak link breaks the entire chain
• 802.11 WEP
• The RC4 key can be recovered by gathering enough packets
• The algorithm didn’t sufficiently protect the key
• DES - Data Encryption Standard
• Relatively small 56-bit keys
• Modern systems can brute force this pretty quickly