Memorize-y stuff! Flashcards
STRIDE
Spoofing (authenticity), Tampering (integrity), Repudiation (accountability), Info Disclosure (confidentiality), escalation of privilege (authorization)
ACL
Access Capability List: answers the question: “what SUBJECTS have access to a specific object” (think: VIP list)
Capability
A row in Access control matrix. Answers the question: “What OBJECTS does a singular subject have access to” (think: what is in my backpack)
What are the 3 reference monitor requirements?
1) Always-invoked
2) Tamper-proof
3) verifiable (simple design + easy to analyze)
RC4
Ron’s Cipher 4. Created in 1987- INSECURE
ChaCha20
Standard cipher algorithm used. SECURE
HMAC-SHA2
Standard SECURE MAC function used
AES-CBC-MAC
Somewhat standard MAC function used, but bug prone.
AES (what are its 3 main modes)
Advanced Encryption Standard (a block-cipher). It has 3 modes: GCM= authenticated encryption (gold standard). ECB= broken mode, CTR & CBC= not broken, but no integrity
MD5
Very broken Hash function
SHA-1
Another very broken hash function (not as broken as MD5)
SHA2, SHA3
standard hash functions! SECURE
RSA
Way to generate PK and SK (uses a lot of special math!)
MAC Address
48 bits, permanently installed in hardware, used to network on L2 (datalink layer), made for local networks to be addressable
IP Address
32-bits, operates on layer3 (network layer). Prefix = network, suffix = host
Private vs Public IP Address
Private is used for local network communication (starts with 192 or 176), can be duplicated if they are in different local networks. Public is for outside of local network. They cannot be duplicated
CIDR
Classless InterDomain Routing: standard for IP address to have a custom prefix length for their network. Depending on how many hosts are using that network, it might be good to have a larger or smaller mask. Denoted with IPadd xx.xx/26 <- /number = network mask
WEP
Broken form of Wi-Fi encryption (due to reusing nonces). Not used anymore
WPA
Vulnerable form of wi-fi encryption. Not the standard anymore
WPA2 or WPA3
Both secure forms of wifi encryption
Hierarchy of IP Address allocation
Starts with ICANN -> regional internet registries (like ARIN) -> Large institutions (ISPs, like Qwest) -> smaller institutions (like UChicago) -> individuals
DHCP
Dynamic Host Configuration Protocol: The way to connect to a network to get an IP address
What important components are contained in the IP header?
length in bytes, TTL, protocol, source address, destination address
What is contained in the IP datagram?
IP header - TCP/UDP header - TCP/UDP payload
AS
Autonomous System: A collection of IP prefixes that are under the control of a single entity (like Qwest, AT&T, etc)
Intra-AS routing
All under the same AS domain- uses Link State protocol to take care of all routing
Inter-AS routing
How we route across various AS’s- privacy between each AS. Uses BGP (a type of path vector/distance vector protocol) to route
Link State Routing
Every single node knows the entire network topology of the network. Each node uses Dijkstra’s algorithm to compute the best path towards each node
Distance Vector (Path vector/BGP)
Each node only knows its own neighbors’ closest distances. Sends these tables to their neighbors and updates their own table with information given from their neighbors.
TCP
Transmission Control Protocol: The standard protocol for sending packets back and forth between networks
What are some of the important components in the TCP header?
Source port, destination port, SEQ #, ACK #, flags
FIN, SYN, RST, ACK
Flags sent in the TCP header. Finish (done sending data), SYN (synchronize), ACK (acknowledge), RST (reset - terminates port connection)
What are the corresponding TCP default port #s for these: SSH, DNS, HTTP, HTTPS
22, 52, 80, 443
3-way handshake (and what happens afterwards)
1) Client sends SYN with c-seq = x
2) Server sends SYN-ACK with s-seq = y, ack = x + 1
3) Client sends ACK with ack = y + 1, seq = x + 1
After, data is sent between them with the seq# being the number of len of bytes sent over
DNS
Domain Name System: How we map from IP addr -> real name
nslookup
A command in the terminal to see the IP address of a domain
ICANN
Internet Corporation for Assigned Names and Numbers: A non-profit org that controls + gives the assignments of IP addresses and domain names
Resource Records (3 main types)
A = Address (IP address)
NS = Name Server (a DNS server)
MX = Mail exchanger (names of mail servers)
Ping of Death
An attack on availability. In the past, you could send a huge ping larger than the max size to cause a buffer overflow on the server. The server is supposed to respond with a PONG, but instead it crashes.
traceroute
A terminal command to find the route that packets would take between your IP address and the target domain. Sends repeated ICMP requests with increasing TTL
Nmap
Not necessarily an attack? but it is a terminal command to discover the various devices/services running on a network.
SYN scan
Attack adjacent: send a SYN and figure out some stuff based on a response:
SYN-ACK = port is open
RST = port is closed
— (nothing) = filtered (ex: firewall)
Side Channels (2 main ones)
Under TLS you can still patch together information about packets sent over network. These are namely the size of packets (# bytes sent over) and research has been done to show that timing is also a somewhat feasible side channel
Blind Spoofing
Attack: Sending a SYN with a spoofed src IP address. Server will respond with a SYN-ACK to this separate IP address and in order to open up the forged connection, you have to guess the server’s SEQ number in return to send an appropriate ACK number in response.
RST Hijacking
Attack: Spoofing a src IP address and sending a RST flag at a certain port to close the connection at the port. Used for censorship
BGP Prefix Hijacking (2 main goals from this)
Attack: Falsely advertising a BGP network route as “more desirable” to purposefully direct traffic through that route.
1- route the traffic through a specific route with networks that you control to snoop on the traffic
2- an attack on availability (DoS) by sending a ton of traffic to a specific person
S-BGP or BGPsec
Defense: A way to defend against BGP prefix hijacking by including digital signatures on the BGP prefixes. Not widely adopted because it’s costly
DNS Cache Poisoning
Attack: An attacker can give a local DNS server a falsely mapped IP address to map a user to a malicious site
QID
Query ID: A QID is sent in the DNS packet header. This QID must match when the DNS server returns an IP address. Randomizing the QIDs is a way to defend against DNS cache poisoning, but you can also brute force try to guess the QID (it is 16 bits)
Kaminsky Attack (2008)
You can spoof an entire xxx.domain.com zone by making a ton of DNS queries to the subdomains and trying to guess the QIDs. If any one of these QIDs is correctly guessed, you poison the DNS cache for the entire .bank.com domain.
DNSSEC
Defense: A defense for trying to get DNS responses signed. Hard to adopt (costly and slow)
DDoS
Distributed Denial of Service (attack): Many botnets or volunteers create a DoS attack by overloading one specific server.
SYN Flood
Attack: DDoS attack that sends a ton of SYN packets. Whenever a server receives a SYN, it needs to open a corresponding TCB (transmission control block) in kernel memory. If you flood the victim with SYN packets, you will crash the OS by exhausting kernel memory.
Smurf Attack
DDoS Attack: attacker sends many ping requests with spoofed victim IP address. PONG gets sent back to this victim many times over
Smurf Attack Amp Factor
Defined as the total response size/request size. The larger response size compared to the request size the attacker needs to send will increase attack’s strength
DNS Reflection Attack
A type of DDoS attack: Spoof DNS requests to a ton of DNS resolvers. Will overwhelm the victim IP address with DNS responses.
CDNs
Content Delivery Networks: these are sort of intermediate servers that are connected to the root server. Is a nice defence against DDoS because now each large domain will have multiple servers without access to the master server.
BotNets
These are specific attack machines that are used/created specifically by attackers. They have unique IP addresses. They are even monetized.
DOM
Document Object Model: How a webpage is defined. Built up of various HTML components.
HTTP
Hypertext Transfer Protocol: Message sent by a client to a server asking for a specific resource or action.
HTTPS
HTTP request but sent over TLS (request and response are encrypted)
Same-Origin Policy (SOP)
Web defense: prevents malicious DOM access. Only the origin who loaded the script can access the DOM. (not where the script comes from, but where it LOADS from)
Iframes
Inline frames: allow you to embed a webpage inside another webpage.
CORS
Cross Origin Resource Sharing: relaxes SOP- basically a set of rules you can put in the header that will specify when other origins can violate SOP on your origin. Include crossorigin=”” in the script header
CSRF
Attack- Cross-Site Request Forgery: When a user is validly logged on, trick them into doing something (like sending a request).
CSRF Token
Defense against CSRF: A random input value “token” is known to the main website (not to the attacker). It is inserted into a hidden field in any forms that get sent. In order for any HTTP request to be valid, the CSRF token must be sent over.
XSS
Attack: Cross-Site Scripting: You can inject javascript into another page to make them run something without their knowing
Reflected XSS
A type of XSS where the javascript is only there temporarily- the user gets tricked into clicking the link or navigating to the script
Stored XSS
A type of XSS where the Javascript is there for everyone all the time (like the comments section of a page)
CSP
Content Security Policies: A defense against XSS attack. It specifies where certain content is allowed to be loaded from
Prepared Statements
A defense against SQL injection. It separates the data from the SQL query itself.
CMS
Content Management System: Software used to create/publish websites without too much technical knowledge (ex: wordpress, drupal, etc)
First-Party Tracking
Tracking via the site you are currently on (on search engines or shopping sites). Can use cookies, javascript or URL parameters to do the tracking. Examples: website analytics, session data
Third-party tracking
As a result of your visiting a certain page, other sites (origins) are contacted. (Ex: 3rd party ads that show up)
Browser Fingerprinting
A way to track users without using cookies. Identifies features of the browser that are unique to the user’s machine (fonts, user-agent string- NOT IP address)
FLoC
Federated Learning of Cohorts: A privacy focused proposal from Google. It tried to replace third-party cookies by instead using a sort of browser-fingerprinting (but via clusters of cohorts)
Topics API
An alternative by Google from their FLoC initiative to try and walk away from third-party cookies. Addresses criticisms of FLoC
“Enterprise”
A company/organization/institution. (Ex: Google, Microsoft, American Red Cross, University of Chicago)
“Enterprise Security”
Large scale security systems to protect enterprises. Specifically- corporate machines/devices, money/trade secrets, specific datasets
Enterprise Network
Set of all devices + assets under an enterprise (devices, cloud services, datasets, etc)
Any connections that are from external IP (not inside of enterprise network) must go through firewall- sort of like a filter.
Conti Ransomware Attack on Ireland HSE
In 2021 there was a major 700 GB data breach ransomware attack (locked out the victim/encrypted their data and then demanded ransom for restored access) Steps:
1) Attacker was able to download malware on an employee’s machine via a suspicious email attachment
2) Attacker got SSH key added to verified key, created SSH connection outside of the enterprise network
Command and Control (C2)
Attacker needs to establish a C&C base inside of the enterprise network to allow the outside attacker to communicate inside. Attacker cannot communicate outside-in; the C2 base needs to initiate communication inside-out. Also, attacks take a long time- cannot just have a single network session open for a super long time.
Beaconing
A C2 protocol where the infected machine continuously contacts the outside attacker for new instructions (since the outside attacker cannot initiate instructions on its own)
Internal (local, active directory) Reconnaissance (reconn) + network scanning
In an enterprise attack, the process of identifying other machines in the enterprise.
Local: looking through the infected machine itself (browser/shell/app history etc)
Active Directory: queries to the central authentication + directory databases
Network scanning: probing IP addresses to find machines + vulnerable services
Cyber “Killchain” (4 steps)
A typical enterprise attack structure
1. Initial Reconn to find vulnerabilities
2. Initial access + foothold (access to C2 base inside)
3. Internal expansion (gain extra privileges, more reconn)
4. Complete mission (data encryption/stealing, launch ransomware… etc)
Network Segmentation & Bastion hosts
A defense for enterprise security: Further internal firewalling to strengthen isolation. Certain similar machines are grouped together and protected with an additional firewall
Zero Trust Model
Enterprise security defense: requires every piece of data to be authenticated. Minimum permissions needed. (2FA, time of request checks, checking network properties + requesting device, checking if the device has been recently anti-virus scanned etc)
Network Intrusion Detection (NIDS)
Enterprise security defense: A combination of software + hardware (in between firewall and enterprise network) to detect + terminate bad traffic
PROS
HIDS/EDR (Host-Based Intrusion Detection)
Individual software installed on each enterprise machine to detect + terminate malicious-seeming activity (basically Anti Virus, rebranded to be Endpoint Detection & Response)
SIEM
Security Information and Event Management System: aggregates logs from NIDS and HIDS to analyze data to detect any trends etc (security purposes)
Signature-based Detection
A way of determining if an activity is an attack by writing specific rules about what is and is not an attack
Specification-Based Detection
Ways to determine if something is an attack via writing only rules on legitimate behavior. Anything else = attack
Supervised Detection
Form of ML based detection: learn the characteristics of attacks + train model based on prior attacks
Anomaly Detection
ML-Based Detection- training the model on BENIGN behavior. Everything else = attack
Explicit Authentication
Either single-factor or multi-factor authentication (explicitly Y or N)
Implicit Authentication
Continuously determining authentication based on behavior of the user.
Risk-based Authentication
When you vary the authentication requirements based on the estimated risk
Phishing attack
Password-based attack: tricking the user into giving up their credentials by making them think that you are a legitimate, trusted system. Spear phishing is a subset of this where a specific user or target is pinpointed- these attacks are much more personalized
Shoulder Surfing
An attack against passwords: simply physically observing someone entering their credentials
bcrypt and scrypt
the best password hashing algorithms! takes forever to unhash them
Salting
A defense against password attacks: passwords are hashed with a “salt” string to make it more difficult to unhash. These are stored alongside the password. Defends against rainbow tables. The more accounts in the database, the more difficult it becomes to crack the passwords with salting
Pepper
A form of password salting where the salt is stored secretly and is the same for every single password. Not commonly seen
Online Password Attack
An attacker will try to enter multiple passwords online. Rate-limited, not very effective
Offline Password Attacks
Attacker obtains the password database of hashed passwords (maybe via SQL injection) + username combos and tries to crack them
Shannon Entropy + a-guesswork
A statistical approach to measure passwords. Shannon entropy uses entropy of password- this does not consider real, human tendencies when creating passwords. Also requires a large sample in order for it to be accurate
Parameterized Guessability
A way of analyzing password strength: given a particular cracking algorithm, how many guesses would it take to crack it?
Wordlist
Password cracking technique to simply hash a set of predetermined words to try and find matches
Mangled Wordlist Attack
Password Cracking attack: Take a simple wordlist, then modify it using a rulelist (ex: replace a->4) for every combination
John the Ripper
A password cracking software. Iterates each rule over the entire wordlist until the rules are exhausted
Hashcat
A password cracking software: iterates each word over each rule until the words are exhausted
Mask attack
A brute force password cracking attack that finds every single combination of characters that satisfy the mask.
Markov Model
A password cracking model that predicts the next character of a password based on the probability it had from the entire password base
Probabilistic Context Free Grammar
PCFG: a type of slow password cracking that uses grammatical rules to crack passwords
Password Composition Rules
A method to get users to make better passwords: defines certain rules their passwords must comply to (ex: needs to have a number). In practice, this is pretty predictable though
Single Sign-On: Shibboleth
A way to allow access to many types of domains when you are already signed in
FIDO2
A passwordless authentication mechanism that uses public-key crypto.
Passkeys
A FIDO2 / WebAuthn method that syncs your private key across your devices
Out-of-order execution
The CPU will execute code instructions out of order compared to the code. This speeds up the process if you’re waiting on a certain value to be computed but can still sort of “multitask” with other instructions
Speculative (predictive/eager) Execution
When at a conditional branch, instead of waiting to figure out which branch to take, just take it. Either: predictive (guess which one) or eager: taking both branches
Spectre Attack
An attack that takes advantage of the CPU speculative execution. If an instruction was mistakenly, speculatively executed, it will be cached in the CPU no matter what. The most common way: reading data that is not typically allowed to be accessed. With speculative execution, a conditional branch might end up reading data from an array offset that is not typically permitted, but the CPU will cache this data no matter what. You can measure the time it takes to input data into the cache (cannot actually read it) and slowly read memory byte by byte. Time-based attack. Can leak browser cache, session key, sensitive information.
Meltdown Attack
You can attempt to access memory that is not allowed at a conditional branch. Due to speculative execution, the CPU will access this memory anyway and cache it. They can figure out what this memory is via a timing side channel- they will read each page of memory, and almost all of them will be slow. If one is slightly faster, it means it was cached!
KAISER/KPTI
Kernel Page Table Isolation: A way to mitigate against meltdown attacks. It separates the kernel page tables from other parts of memory. This does impact performance though
Heartbleed
A bug found in the OpenSSL code. Mainly a result of no code review/underfunded non profit projects
Zoom Crypto Bug
From reading
It was found that Zoom used AES-ECB, which is a widely known AES method that has been deprecated because it is insecure. The cipher text reveals information about the plaintext in this mode
Terrapin Attack
From reading
A MiTM attack on SSH channel that uses prefix truncation to intercept the very beginning of the SSH handshake
Let’s Encrypt ACME Protocol
From the reading (also mentioned in slides though)
ACME protocol automates the process of obtaining a valid certificate. When a domain requests a certificate, Let’s Encrypt sends back a “challenge” request for the domain to prove themselves. Ie- this can be either in the form of a special DNS query or putting a certain piece of data on their server