summary Flashcards
Phishing
• Social engineering with a touch of spoofing
– Often delivered by email, text, etc.
– Very remarkable when well done
• Don’t be fooled
– Check the URL
• Usually there’s something not quite right
– Spelling, fonts, graphics
Tricks and misdirection
• How are they so successful?
– Digital sleight of hand - it fools the best of us
• Typosquatting
– A type of URL hijacking - https://professormessor.com
– Prepending: https://pprofessormesser.com
• Pretexting
– Lying to get information
– Attacker is a character in a situation they create
– Hi, we’re calling from Visa regarding an automated
payment to your utility service…
Pharming
• Redirect a legit website to a bogus site
– Poisoned DNS server or client vulnerabilities
• Combine pharming with phishing
– Pharming - Harvest large groups of people
– Phishing - Collect access credentials
• Difficult for anti-malware software to stop
– Everything appears legitimate to the user
Phishing with different bait
• Vishing (Voice phishing) is done over the phone or voicemail
– Caller ID spoofing is common
– Fake security checks or bank updates
• Smishing (SMS phishing) is done by text message
– Spoofing is a problem here as well
– Forwards links or asks for personal information
• Variations on a theme
– The fake check scam, phone verification code scam, Boss/CEO scam, advance-fee scam
– Some great summaries on https://reddit.com/r/Scams
Finding the best spot to phish
• Reconnaissance
– Gather information on the victim
• Background information
– Lead generation sites
– LinkedIn, Twitter, Facebook, Instagram
– Corporate web site
• Attacker builds a believable pretext
– Where you work
– Where you bank
– Recent financial transactions
– Family and friends
Spear phishing
• Targeted phishing with inside information
– Makes the attack more believable
• Spear phishing the CEO is “whaling”
– Targeted phishing with the possibility of a large catch
– The CFO (Chief Financial Officer) is commonly speared
• These executives have direct access to
the corporate bank account
– The attackers would love to have those credentials
1.1 - Impersonation The pretext
• Before the attack, the trap is set
– There’s an actor and a story
• “Hello sir, my name is Wendy and I’m from Microsoft
Windows. This is an urgent check up call for your
computer as we have found several problems with it.”
• Voice mail: “This is an enforcement action executed by
the US Treasury intending your serious attention.”
• “Congratulations on your excellent payment history! You
now qualify for 0% interest rates on all of your credit
card accounts.”
1.1 - Impersonation
• Attackers pretend to be someone they aren’t
– Halloween for the fraudsters
• Use some of those details from reconnaissance
– You can trust me, I’m with your help desk
• Attack the victim as someone higher in rank
– Office of the Vice President for Scamming
• Throw tons of technical details around
– Catastrophic feedback due to the
depolarization of the differential magnetometer
• Be a buddy
– How about those Cubs?
1.1 - Impersonation Eliciting information
• Extracting information from the victim
– The victim doesn’t even realize this is happening
– Hacking the human
• Often seen with vishing (Voice Phishing)
– Can be easier to get this information over the phone
• These are well-documented psychological techniques
– They can’t just ask, “So, what’s your password?”
1.1 - Impersonation Identity fraud
• Your identity can be used by others
– Keep your personal information safe!
• Credit card fraud
– Open an account in your name, or use your credit card information
• Bank fraud
– Attacker gains access to your account or opens a new account
• Loan fraud
– Your information is used for a loan or lease
• Government benefits fraud
– Attacker obtains benefits on your behalf
1.1 - Impersonation Protect against impersonation
• Never volunteer information
– My password is 12345
• Don’t disclose personal details
– The bad guys are tricky
• Always verify before revealing info
– Call back, verify through 3rd parties
• Verification should be encouraged
– Especially if your organization owns valuable information
1.1 - Shoulder Surfing
• You have access to important information
– Many people want to see
– Curiosity, industrial espionage, competitive advantage
• This is surprisingly easy
– Airports / Flights
– Hallway-facing monitors
– Coffee shops
• Surf from afar
– Binoculars / Telescopes
– Easy in the big city
– Webcam monitoring
1.1 - Shoulder Surfing Preventing shoulder surfing
• Control your input
– Be aware of your surroundings
• Use privacy filters
– It’s amazing how well they work
• Keep your monitor out of sight
– Away from windows and hallways
• Don’t sit in front of me on your flight
– I can’t help myself
1.1 - Hoaxes Computer hoaxes
• A threat that doesn’t actually exist
– But they seem like they COULD be real
• Still often consume lots of resources
– Forwarded email messages, printed memorandums, wasted time
• Often an email
– Or Facebook wall post, or tweet, or...
• Some hoaxes will take your money
– But not through electronic means
• A hoax about a virus can waste as much time as a regular virus
De-hoaxing
• It’s the Internet. Believe no one.
– Consider the source
• Cross reference
– http://www.hoax-slayer.net
– http://www.snopes.com
• Spam filters can help
– There are so many other ways...
• If it sounds too good to be true...
– So many sad stories
1.1 - Watering Hole Attacks
• What if your network was really secure?
– You didn’t even plug in that USB key from the parking lot
• The attackers can’t get in
– Not responding to phishing emails
– Not opening any email attachments
• Have the mountain come to you
– Go where the mountain hangs out
– The watering hole
– This requires a bit of research
1.1 - Watering Hole Attacks Executing the watering hole attack
• Determine which website the victim group uses
– Educated guess - Local coffee or sandwich shop
– Industry-related sites
• Infect one of these third-party sites
– Site vulnerability
– Email attachments
• Infect all visitors
– But you’re just looking for specific victims
– Now you’re in!
1.1 - Watering Hole Attacks Because that’s where the money is
• January 2017
• Polish Financial Supervision Authority, National Banking
and Stock Commission of Mexico, State-owned
bank in Uruguay
– The watering hole was sufficiently poisoned
• Visiting the site would download malicious JavaScript files
– But only to IP addresses matching banks and
other financial institutions
• Did the attack work?
– We still don’t know
Watching the watering hole
• Defense-in-depth
– Layered defense
– It’s never one thing
• Firewalls and IPS
– Stop the network traffic before things get bad
• Anti-virus / Anti-malware signature updates
– The Polish Financial Supervision Authority attack code
was recognized and stopped by generic signatures in
Symantec’s anti-virus software
1.1 - Spam
• Unsolicited messages
– Email, forums, etc.
– Spam over Instant Messaging (SPIM)
• Various content
– Commercial advertising
– Non-commercial proselytizing
– Phishing attempts
• Significant technology issue
– Security concerns
– Resource utilization
– Storage costs
– Managing the spam
1.1 - Spam Mail gateways
• Unsolicited email
– Stop it at the gateway before it reaches the user
– On-site or cloud-based
Identifying spam
• Allowed list
– Only receive email from trusted senders
• SMTP standards checking
– Block anything that doesn’t follow RFC standards
• rDNS - Reverse DNS
– Block email where the sender’s domain doesn’t match the IP
address
• Tarpitting
– Intentionally slow down the server conversation
• Recipient filtering
– Block all email not addressed to a valid recipient email address
1.1 - Influence Campaigns Hacking public opinion
• Influence campaigns
– Sway public opinion on political and social issues
• Nation-state actors
– Divide, distract, and persuade
• Advertising is an option
– Buy a voice for your opinion
• Enabled through social media
– Creating, sharing, liking
– Amplification
1.1 - Influence Campaigns Hybrid warfare
• Military strategy
– A broad description of the techniques
– Wage war non-traditionally
• Not a new concept
– The Internet adds new methods
• Cyberwarfare
– Attack an entity with technology
• Influence with a military spin
– Influencing foreign elections
– “Fake news”
1.1 - Other Social Engineering Attacks Tailgating
• Use an authorized person to gain unauthorized access to a building
– Not an accident
• Johnny Long / No Tech Hacking
– Blend in with clothing
– 3rd-party with a legitimate reason
– Temporarily take up smoking
– I still prefer bringing doughnuts
• Once inside, there’s little to stop you
– Most security stops at the border
1.1 - Other Social Engineering Attacks Watching for tailgating
• Policy for visitors
– You should be able to identify anyone
• One scan, one person
– A matter of policy or mechanically required
• Mantrap / Airlock
– You don’t have a choice
• Don’t be afraid to ask
– Who are you and why are you here?
1.1 - Other Social Engineering Attacks Invoice scams
• Starts with a bit of spear phishing
– Attacker knows who pays the bills
• Attacker sends a fake invoice
– Domain renewal, toner cartridges, etc.
– From: address is a spoofed version of the CEO
• Accounting pays the invoice
– It was from the CEO, after all
• Might also include a link to pay
– Now the attacker has payment details
1.1 - Other Social Engineering Attacks Credential harvesting
• Also called password harvesting
– Attackers collect login credentials
• There are a lot of stored credentials on your computer
– The attacker would like those
– Chrome, Firefox, Outlook, Windows Credential Manager, etc.
• User receives an email with a malicious Microsoft Word doc
– Opening the document runs a macro
– The macro downloads credential-harvesting malware
• User has no idea
– Everything happens in the background
1.1 - Principles of Social Engineering Effective social engineering
• Constantly changing
– You never know what they’ll use next
• May involve multiple people
– And multiple organizations
– There are ties connecting many organizations
• May be in person or electronic
– Phone calls from aggressive “customers”
– Emailed funeral notifications of a friend or associate
1.1 Social engineering principles
• Authority
– The social engineer is in charge
– I’m calling from the help desk/office of the CEO/police
• Intimidation
– There will be bad things if you don’t help
– If you don’t help me, the payroll checks
won’t be processed
• Consensus / Social proof
– Convince based on what’s normally expected
– Your co-worker Jill did this for me last week
• Scarcity
– The situation will not be this way for long
– Must make the change before time expires
• Urgency
– Works alongside scarcity
– Act quickly, don’t think
• Familiarity / Liking
– Someone you know, we have common friends
• Trust
– Someone who is safe
– I’m from IT, and I’m here to help
1.1 - Principles of Social Engineering Effective social engineering How I Lost My $50,000 Twitter Username
• Naoki Hiroshima - @N
– https://professormesser.link/twittername
• Attacker calls PayPal and uses social engineering to get
the last four digits of the credit card on file
• Attacker calls GoDaddy and tells them he lost the card,
so he can’t properly validate. But he has the last four,
does that help?
– GoDaddy let the bad guy guess the first
two digits of the card
– He was allowed to keep guessing until he got it right
– Social engineering done really, really well
1.1 - Principles of Social Engineering Effective social engineering How to steal a $50,000 Twitter name
• Attacker is now in control of every domain name
– And there were some good ones
• Attacker extorts a swap
– Domain control for @N
– Owner agrees
• Twitter reviewed the case for a month
– Eventually restored access to @N
• How I Lost My $50,000 Twitter Username
– https://professormesser.link/twittername
1.2 Malware
• Malicious software
– These can be very bad
• Gather information
– Keystrokes
• Participate in a group
– Controlled over the ‘net
• Show you advertising
– Big money
• Viruses and worms
– Encrypt your data
– Ruin your day
Malware Types and Methods
- Viruses
- Crypto-malware
- Ransomware
- Worms
- Trojan Horse
- Rootkit
- Keylogger
- Adware/Spyware
- Botnet
How you get malware
• These all work together
– A worm takes advantage of a vulnerability
– Installs malware that includes a remote access
backdoor
– Bot may be installed later
• Your computer must run a program
– Email link - Don’t click links
– Web page pop-up
– Drive-by download
– Worm
• Your computer is vulnerable
– Operating system - Keep your OS updated!
– Applications - Check with the publisher
Virus
• Malware that can reproduce itself
– It needs you to execute a program
• Reproduces through file systems or the network
– Just running a program can spread a virus
• May or may not cause problems
– Some viruses are invisible, some are annoying
• Anti-virus is very common
– Thousands of new viruses every–
Is your signature file updated?
Virus types
• Program viruses
– It’s part of the application
• Boot sector viruses
– Who needs an OS?
• Script viruses
– Operating system and browser-based
• Macro viruses
– Common in Microsoft Office
Fileless virus
• A stealth attack
– Does a good job of avoiding anti-virus detection
• Operates in memory
– But never installed in a file or application
Fileless virus infection process
• Malicious link to website
• Website exploits Flash/Java/Windows vulnerability
• Launches PowerShell and downloads payload in RAM
• Runs PowerShell scripts and executables in memory, exfiltrates data, damages files
• Adds autostart to registry
Worms
• Malware that self-replicates
– Doesn’t need you to do anything
– Uses the network as a transmission medium
– Self-propagates and spreads quickly
• Worms are pretty bad things
– Can take over many systems very quickly
• Firewalls and IDS/IPS can mitigate
many worm infestations
– Doesn’t help much once the worm gets inside
Worm Process
• Infected computer searches for vulnerable system
• Vulnerable system exploited
• Backdoor installed and downloads worm
1.2 - Ransomware and Crypto-malware
Your data is valuable
• Personal data
– Family pictures and videos
– Important documents
• Organization data
– Planning documents
– Employee personally identifiable information (PII)
– Financial information
– Company private data
• How much is it worth?
– There’s a number
Ransomware
• The attackers want your money
– They’ll take your computer in the meantime
• May be a fake ransom
– Locks your computer “by the police”
• The ransom may be avoided
– A security professional may be able to remove
these kinds of malware
Crypto-malware
• A newer generation of ransomware
– Your data is unavailable until you provide cash
• Malware encrypts your data files
– Pictures, documents, music, movies, etc.
– Your OS remains available
– They want you running, but not working
• You must pay the bad guys to obtain the decryption key
– Untraceable payment system
– An unfortunate use of public-key cryptography
Protecting against ransomware
• Always have a backup
– An offline backup, ideally
• Keep your operating system up to date
– Patch those vulnerabilities
• Keep your applications up to date
– Security patches
• Keep your anti-virus/anti-malware signatures up to date
– New attacks every hour
• Keep everything up to date
Trojan horse
• Used by the Greeks to capture Troy from the Trojans
– A digital wooden horse
• Software that pretends to be something else
– So it can conquer your computer
– Doesn’t really care much about replicating
• Circumvents your existing security
– Anti-virus may catch it when it runs
– The better Trojans are built to avoid and disable AV
• Once it’s inside it has free rein
– And it may open the gates for other programs
Potentially Unwanted Program (PUP)
• Identified by anti-virus/anti-malware
– Potentially undesirable software
– Often installed along with other software
• Overly aggressive browser toolbar
• A backup utility that displays ads
• Browser search engine hijacker
Backdoors
• Why go through normal authentication methods?
– Just walk in the back door
• Often placed on your computer through malware
– Some malware software can take advantage of
backdoors created by other malware
• Some software includes a backdoor (oops)
– Old Linux kernel included a backdoor
– Bad software can have a backdoor as part of the app
Remote Access Trojans (RATs)
• Remote Administration Tool
– The ultimate backdoor
– Administrative control of a device
• Malware installs the server/service/host
– Attacker connects with the client software
• Control a device
– Key logging
– Screen recording / screenshots
– Copy files
– Embed more malware
Protecting against Trojans and RATs
• Don’t run unknown software
– Consider the consequences
• Keep anti-virus/anti-malware signatures updated
– There are always new attacks
• Always have a backup
– You may need to quickly recover
Rootkits
• Originally a Unix technique
– The “root” in rootkit
• Modifies core system files
– Part of the kernel
• Can be invisible to the operating system
– Won’t see it in Task Manager
• Also invisible to traditional anti-virus utilities
– If you can’t see it, you can’t stop it
Kernel drivers
• Zeus/Zbot malware
– Famous for cleaning out bank accounts
• Now combined with Necurs rootkit
– Necurs is a kernel-level driver
• Necurs makes sure you can’t delete Zbot
– Access denied
• Trying to stop the Windows process?
– Error terminating process: Access denied
Finding and removing rootkits
• Look for the unusual
– Anti-malware scans
• Use a remover specific to the rootkit
– Usually built after the rootkit is discovered
• Secure boot with UEFI
– Security in the BIOS
Adware
• Your computer is one big advertisement
– Pop-ups with pop-ups
• May cause performance issues
– Especially over the network
• Installed accidentally
– May be included with other software
• Be careful of software that claims to remove adware
– Especially if you learned about it from a pop-up
Spyware
• Malware that spies on you
– Advertising, identity theft, affiliate fraud
• Can trick you into installing
– Peer to peer, fake security software
• Browser monitoring
– Capture surfing habits
• Keyloggers - Capture every keystroke
– Send it back to the mother ship
Why is there so much adware and spyware?
• Money
– Your eyeballs are incredibly valuable
• Money
– Your computer time and bandwidth is incredibly valuable
• Money
– Your bank account is incredibly valuable
– Yes, even your bank account
Protecting against adware/spyware
• Maintain your anti-virus / anti-malware
– Always have the latest signatures
• Always know what you’re installing
– And watch your options during the installation
• Where’s your backup?
– You might need it someday
– Cleaning adware isn’t easy
• Run some scans - Malwarebytes
Bots (Robots)
• Once your machine is infected, it becomes a bot
– You may not even know
• How does it get on your computer?
– Trojan Horse (I just saw a funny video of you! Click here.) or…
– You run a program or click an ad you THOUGHT was legit,
but…
– OS or application vulnerability
• A day in the life of a bot
– Sit around. Check in with the Command and Control (C&C)
server. Wait for instructions.
Botnets
• A group of bots working together
– Nothing good can come from this
• Distributed Denial of service (DDoS)
– The power of many
• Relay spam, proxy network traffic, distributed computing tasks
• Botnets are for sale
– Rent time from the botnet owner
– Not a long-term business proposition
Stopping the bot
• Prevent the initial infection
– OS and application patches
– Anti-virus/anti-malware and updated signatures
• Identify an existing infection
– On-demand scans, network monitoring
• Prevent command and control (C&C)
– Block at the firewall
– Identify at the workstation with a host-based firewall or host-based IPS
Logic Bomb
• Waits for a predefined event
– Often left by someone with a grudge
• Time bomb
– Time or date
• User event
– Logic bomb
• Difficult to identify
– Difficult to recover if it goes off
Real-world logic bombs
• March 19, 2013, South Korea
– Email with malicious attachment sent to South Korean organizations
– Posed as a bank email
– Trojan installs malware
• March 20, 2013, 2 p.m. local time
– Malware time-based logic-bomb activates
– Storage and master boot record deleted, system
reboots
– Boot device not found.
– Please install an operating system on your hard disk.
• December 17, 2016, 11:53 p.m.
– Kiev, Ukraine, high-voltage substation
– Logic bomb begins disabling electrical circuits
– Malware mapped out the control network
– Began disabling power at a predetermined time
– Customized for SCADA networks
(Supervisory Control and Data Acquisition)
Preventing a logic bomb
• Difficult to recognize
– Each is unique
– No predefined signatures
• Process and procedures
– Formal change control
• Electronic monitoring
– Alert on changes
– Host-based intrusion detection, Tripwire, etc.
• Constant auditing
– An administrator can circumvent existing systems
1.2 - Password Attacks - Plaintext / unencrypted passwords
• Some applications store passwords “in the clear”
– No encryption. You can read the stored password.
– This is rare, thankfully
• Do not store passwords as plaintext
– Anyone with access to the password file or database
has every credential
• What to do if your application saves
passwords as plaintext:
– Get a better application
1.2 - Password Attacks-Hashing a password
• Hashes represent data as a fixed-length string of text
– A message digest, or “fingerprint”
• Will not have a collision (hopefully)
– Different inputs will not have the same hash
• One-way trip
– Impossible to recover the original message
from the digest
– A common way to store passwords
The password file
• Different across operating systems and applications
– Different hash algorithms
1.2 password attacks- Spraying attack
Spraying attack
• Try to login with an incorrect password
– Eventually you’re locked out
• There are some common passwords
– https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
• Attack an account with the top three (or more) passwords
– If they don’t work, move to the next account
– No lockouts, no alarms, no alerts
1.2 password attacks-Brute force
• Try every possible password combination
until a hash is matched
• This might take some time
– A strong hashing algorithm slows things down
• Brute force attacks - Online
– Keep trying the login process
– Very slow
– Most accounts will lockout after a number
of failed attempts
• Brute force the hash - Offline
– Obtain the list of users and hashes
– Calculate a password hash, compare it to a stored hash
– Large computational resource requirement
1.2 password attacks-Dictionary attacks
• Use a dictionary to find common words
– Passwords are created by humans
• Many common wordlists available on the ‘net
– Some are customized by language or line of work
• The password crackers can substitute letters
– p&ssw0rd
• This takes time
– Distributed cracking and GPU cracking is common
• Discover passwords for common words
– This won’t discover random character passwords
1.2 password attacks-Rainbow tables
• An optimized, pre-built set of hashes
– Saves time and storage space
– Doesn’t need to contain every hash
– Contains pre-calculated hash chains
• Remarkable speed increase
– Especially with longer password lengths
• Need different tables for different hashing methods
– Windows is different than MySQL
1.2 password attacks-Adding some salt
• Salt
– Random data added to a password when hashing
• Every user gets their own random salt
– The salt is commonly stored with the password
• Rainbow tables won’t work with salted hashes
– Additional random value added to the
original password
• This slows down the brute force process
– It doesn’t completely stop the reverse engineering
• Each user gets a different random hash
– The same password creates a different hash
1.2 password attacks-When the hashes get out
• January 2019 - Collection #1
– A collection of email addresses and passwords
– 12,000+ files and 87 GB of data
• 1,160,253,228 unique emails and passwords
– A compilation of data breach results
• 772,904,991 unique usernames
– That’s about 773 million people
• 21,222,975 unique passwords
– You really need a password manager
• https://haveibeenpwned.com/
1.2 - Physical Attacks-Malicious USB cable
• It looks like a normal USB cable
– It has additional electronics inside
• Operating system identifies it as a HID
– Human Interface Device
– It looks like you’ve connected a keyboard or mouse
– A keyboard doesn’t need extra rights or permissions
• Once connected, the cable takes over
– Downloads and installs malicious software
• Don’t just plug in any USB cable
– Always use trusted hardware
1.2 - Physical Attacks-Malicious flash drive
• Free USB flash drive!
– Plug it in and see what’s on it
– That’s a bad idea
• Older operating systems would automatically run files
– This has now been disabled or removed by default
• Could still act as a HID (Human Interface Device) /
Keyboard
– Start a command prompt and type anything
without your intervention
• Attackers can load malware in documents
– PDF files, spreadsheets
• Can be configured as a boot device
– Infect the computer after a reboot
• Acts as an Ethernet adapter
– Redirects or modifies Internet traffic requests
– Acts as a wireless gateway for other devices
• Never connect an untrusted USB device
1.2 - Physical Attacks-Skimming
• Stealing credit card information,
usually during a normal transaction
– Copy data from the magnetic stripe:
– Card number, expiration date, card holder’s name
• ATM skimming
– Includes a small camera to also watch for your PIN
• Attackers use the card information for other financial
transactions
– Fraud is the responsibility of the seller
• Always check before using card readers
1.2 - Physical Attacks-Card cloning
• Get card details from a skimmer
– The clone needs an original
• Create a duplicate of a card
– Looks and feels like the original
– Often includes the printed CVC (Card Validation Code)
• Can only be used with magnetic stripe cards
– The chip can’t be cloned
• Cloned gift cards are common
– A magnetic stripe technology
Machine learning
• Our computers are getting smarter
– They identify patterns in data and improve
their predictions
• This requires a lot of training data
– Face recognition requires analyzing a lot of faces
– Driving a car requires a lot of road time
• In use every day
– Stop spam
– Recommend products from an online retailer
– What movie would you like to see? This one.
– Prevent car accidents
Poisoning the training data
• Confuse the artificial intelligence (AI)
– Attackers send modified training data that causes
the AI to behave incorrectly
• Microsoft AI chatter bot named Tay (Thinking About You)
– Joins Twitter on March 23, 2016
– Designed to learn by interacting with Twitter users
– Microsoft didn’t program in anti-offensive behavior
– Tay quickly became racist, sexist, and inappropriate
Evasion attacks
• The AI is only as good as the training
– Attackers find the holes and limitations
• An AI that knows what spam looks like can be
fooled by a different approach
– Change the number of good and bad words in the
message
• An AI that uses real-world information can release
confidential information
– Trained with data that includes social security
numbers
– AI can be fooled into revealing those numbers
Securing the learning algorithms
• Check the training data
– Cross check and verify
• Constantly retrain with new data
– More data
– Better data
• Train the AI with possible poisoning
– What would the attacker try to do?
1.2 - Supply Chain Attacks
• The chain contains many moving parts
– Raw materials, suppliers, manufacturers,
distributors, customers, consumers
• Attackers can infect any step along the way
– Infect different parts of the chain without suspicion
– People trust their suppliers
• One exploit can infect the entire chain
– There’s a lot at stake
Supply chain security
• Target Corp. breach - November 2013
– 40 million credit cards stolen
• Heating and AC firm in Pennsylvania was infected
– Malware delivered in an email
– VPN credentials for HVAC techs were stolen
• HVAC vendor was the supplier
– Attackers used a wide-open Target network to
infect every cash register at 1,800 stores
• Do these technicians look like an IT security issue?
• Can you trust your new
server/router/switch/firewall/software?
– Supply chain cybersecurity
• Use a small supplier base
– Tighter control of vendors
• Strict controls over policies and procedures
– Ensure proper security is in place
• Security should be part of the overall design
– There’s a limit to trust
1.2 - Cloud-based vs. On-Premises Attacks
Attacks can happen anywhere
• Two categories for IT security
– The on-premises data is more secure!
– The cloud-based data is more secure!
• Cloud-based security is centralized and costs less
– No dedicated hardware, no data center to secure
– A third-party handles everything
• On-premises puts the security burden on the client
– Data center security and infrastructure costs
• Attackers want your data
– They don’t care where it is
1.2 - Cloud-based vs. On-Premises Attacks - On-premises security
• Customize your security posture
– Full control when everything is in-house
• On-site IT team can manage security better
– The local team can ensure everything is secure
– A local team can be expensive and difficult to staff
1.2 - Cloud-based vs. On-Premises Attacks
• Local team maintains uptime and availability
– System checks can occur at any time
– No phone call for support
• Security changes can take time
– New equipment, configurations, and additional costs
1.2 - Cloud-based vs. On-Premises Attacks - Security in the cloud
• Data is in a secure environment
– No physical access to the data center
– Third-party may have access to the data
• Cloud providers are managing large-scale security
– Automated signature and security updates
– Users must follow security best-practices
• Limited downtime
– Extensive fault-tolerance and 24/7/365 monitoring
• Scalable security options
– One-click security deployments
– This may not be as customizable as necessary
1.2 - Cryptographic Attacks
• You’ve encrypted data and sent it to another person
– Is it really secure? How do you know?
• The attacker doesn’t have the combination (the key)
– So they break the safe (the cryptography)
• Finding ways to undo the security
– There are many potential cryptographic shortcomings
– The problem is often the implementation
1.2 - Cryptographic Attacks - Birthday attack
• In a classroom of 23 students, what is the chance of
two students sharing a birthday? About 50%.
– For a class of 30, the chance is about 70%
• In the digital world, this is a hash collision
– A hash collision is the same hash value for two
different plaintexts
– Find a collision through brute force
• The attacker will generate multiple versions of
plaintext to match the hashes
– Protect yourself with a large hash output size
1.2 - Cryptographic Attacks - Collisions
• Hash digests are supposed to be unique
– Different input data should never create the same hash
• MD5 hash
– Message Digest Algorithm 5
– Published in April 1992, Collisions identified in 1996
• December 2008: Researchers created CA certificate
that appeared legitimate when MD5 is checked
– Built other certificates that
1.2 - Cryptographic Attacks - Downgrade attack
• Instead of using perfectly good encryption, use
something that’s not so great
– Force the systems to downgrade their security
• 2014 - TLS vulnerability - POODLE (Padding Oracle
On Downgraded Legacy Encryption)
– On-path attack
– Forces clients to fall back to SSL 3.0
– SSL 3.0 has significant cryptographic vulnerabilities
– Because of POODLE, modern browsers won’t fall back
to SSL 3.0
1.3 - Privilege escalation
• Gain higher-level access to a system
– Exploit a vulnerability - Might be a bug or design flaw
• Higher-level access means more capabilities
– This commonly is the highest-level access
– This is obviously a concern
• These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Any user can be an administrator
• Horizontal privilege escalation
– User A can access user B resources
1.3 - Privilege escalation - Mitigating privilege escalation
• Patch quickly
– Fix the vulnerability
• Updated anti-virus/anti-malware software
– Block known vulnerabilities
• Data Execution Prevention
– Only data in executable areas can run
• Address space layout randomization
– Prevent a buffer overrun at a known memory address
1.3 - Cross-site Scripting
• XSS
– Cascading Style Sheets (CSS) are something else entirely
• Originally called cross-site because of browser security flaws
– Information from one site could be shared with another
• One of the most common web application
development errors
– Takes advantage of the trust a user has for a site
– Complex and varied
• Malware that uses JavaScript - Do you allow scripts? Me too.
1.3 - Cross-site Scripting - Non-persistent (reflected) XSS attack
• Web site allows scripts to run in user input
– Search box is a common source
• Attacker emails a link that takes advantage of this
vulnerability
– Runs a script that sends credentials/session IDs/cookies
to the attacker
• Script embedded in URL executes in the victim’s browser
– As if it came from the server
• Attacker uses credentials/session IDs/cookies to steal
victim’s information
1.3 - Cross-site Scripting - Persistent (stored) XSS attack
• Attacker posts a message to a social network
– Includes the malicious payload
• It’s now “persistent” - Everyone gets the payload
• No specific target - All viewers to the page
• For social networking, this can spread quickly
– Everyone who views the message can have it
posted to their page
– Where someone else can view it and propagate it further…
1.3 - Cross-site Scripting - Hacking a Subaru
• June 2017, Aaron Guzman
– Security researcher
• When authenticating with Subaru, users get a token
– This token never expires (bad!)
• A valid token allowed any service request
– Even adding your email address to someone
else’s account
– Now you have full access to someone else’s car
• Web front-end included an XSS vulnerability
– A user clicks a malicious link, and you have
their token
1.3 - Cross-site Scripting - Protecting against XSS
• Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
– Or control with an extension
– This offers limited protection
• Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities
• Validate input
– Don’t allow users to add their own scripts to an
input field
1.3 - Injection Attacks - Code injection
• Code injection
– Adding your own information into a data stream
• Enabled because of bad programming
– The application should properly handle input and output
• So many different data types
– HTML, SQL, XML, LDAP, etc.
1.3 - Injection Attacks - SQL injection
• SQL - Structured Query Language
– The most common relational database management system language
• SQL Injection
– Modifying SQL requests
– Your application shouldn’t really allow this
1.3 - Injection Attacks - XML injection and LDAP injection
• XML - Extensible Markup Language
– A set of rules for data transfer and storage
• XML injection
– Modifying XML requests - a good application will validate
• LDAP - Lightweight Directory Access Protocol
– Created by the telephone companies
– Now used by almost everyone
• LDAP injection
– Modify LDAP requests to manipulate application results
1.3 - Injection Attacks - DLL injection
• Dynamic-Link Library
– A Windows library containing code and data
– Many applications can use this library
• Inject a DLL and have an application run a program
– Runs as part of the target process
1.3 - Buffer Overflows
• Overwriting a buffer of memory
– Spills over into other memory areas
• Developers need to perform bounds checking
– The attackers spend a lot of time looking for openings
• Not a simple exploit
– Takes time to avoid crashing things
– Takes time to make it do what you want
• A really useful buffer overflow is repeatable
– Which means that a system can be compromised
1.3 - Replay Attacks
• Useful information is transmitted over the network
– A crafty hacker will take advantage of this
• Need access to the raw network data
– Network tap, ARP poisoning, malware on the victim computer
• The gathered information may help the attacker
– Replay the data to appear as someone else
• This is not an on-path attack
– The actual replay doesn’t require
the original workstation
• Avoid this type of replay attack with a salt
– Use a session ID with the password hash to
create a unique authentication hash each time
1.3 - Replay Attacks - Pass the Hash
• Client authenticates to the server with a username and hashed password
• During authentication, the attacker captures the username and password hash
• Attacker sends his own authentication request using the captured credentials
1.3 - Replay Attacks - Header manipulation
• Information gathering
– Wireshark, Kismet
• Exploits
– Cross-site scripting
• Modify headers
– Tamper, Firesheep, Scapy
• Modify cookies
– Cookies Manager+ (Firefox add-on)
1.3 - Replay Attacks - Prevent session hijacking
• Encrypt end-to-end
– They can’t capture your session ID if they can’t see it
– Additional load on the web server (HTTPS)
– Firefox extension: HTTPS Everywhere, Force-TLS
– Many sites are now HTTPS-only
• Encrypt end-to-somewhere
– At least avoid capture over a local wireless network
– Still in-the-clear for part of the journey
– Personal VPN (OpenVPN, VyprVPN, etc.)
1.3 - Replay Attacks - Browser cookies and session IDs
• Cookies
– Information stored on your computer by the browser
• Used for tracking, personalization, session management
– Not executable, not generally a security risk
– Unless someone gets access to them
• Could be considered a privacy risk
– Lots of personal data in there
• Session IDs are often stored in the cookie
– Maintains sessions across multiple browser sessions
1.3 - Replay Attacks - Session hijacking (Sidejacking)
• Victim authenticates to the server
• Server provides a session ID to the client
• Attacker intercepts the session ID and uses it to access the server with the victim’s credentials
1.3 - Request Forgeries - Cross-site requests
• Cross-site requests are common and legitimate
– You visit ProfessorMesser.com
– Your browser loads text from the
ProfessorMesser.com server
– Your browser loads a video from YouTube
– Your browser loads pictures from Instagram
• HTML on ProfessorMesser.com directs
requests from your browser
– This is normal and expected
– Most of these are unauthenticated requests
1.3 - Request Forgeries - The client and the server
• Website pages consist of client-side code and server-side code
– Many moving parts
• Client side
– Renders the page on the screen
– HTML, JavaScript
• Server side
– Performs requests from the client - HTML, PHP
– Transfer money from one account to another
– Post a video on YouTube
1.3 - Request Forgeries - Cross-site request forgery
• One-click attack, session riding - XSRF, CSRF (sea surf)
• Takes advantage of the trust that a web application
has for the user
– The web site trusts your browser
– Requests are made without your consent or your knowledge
– Attacker posts a Facebook status on your account
• Significant web application development oversight
– The application should have anti-forgery techniques added
– Usually a cryptographic token to prevent a forgery
1.3 - Cross-site request forgery process
• Attacker creates a fund transfer request
• Request is sent as a hyperlink to a user who may already be logged into the bank website
• Visitor clicks the link and unknowingly sends the transfer request to the bank website
• Bank validates the transfer and sends the visitor’s funds to the attacker
1.3 - Request Forgeries - Server-side request forgery (SSRF)
• Attacker finds a vulnerable web application
– Sends requests to a web server
– Web server performs the request on behalf of the attacker
• Caused by bad programming
– Never trust the user input
– Server should validate the input and the responses
– These are rare, but can be critical vulnerabilities
1.3 - Request Forgeries - Capital One SSRF breach - March 201
• Attacker is able to execute commands
on the Capital One website
– This is normally stopped by a WAF
(Web Application Firewall)
– The WAF was misconfigured
• Attacker obtained security credentials for the WAF role
• WAF-Role account listed the buckets on Amazon S3
• Attacker retrieved the data from the Amazon buckets
• Credit card application data from 2005 through 2019
– 106 million names, address, phone, email, DoB
– 140,000 Social Security numbers,
80,000 bank accounts
1.3 - Server-side request forgery (SSRF) process
• Attacker sends a request that controls a web application
• Web server sends the request to another service, such as cloud storage
• Cloud storage sends the response to the web server
• Web server forwards the response to the attacker
1.3 - Driver Manipulation - Malware hide-and-go-seek
• Traditional anti-virus is very good at identifying
known attacks
– Checks the signature
– Block anything that matches
• There are still ways to infect and hide
– It’s a constant war
– Zero-day attacks, new attack types, etc.
Your drivers are powerful
• The interaction between the hardware and your
operating system
– They are often trusted
– Great opportunity for security issues
• May 2016 - HP Audio Drivers
– Conexant audio chips
– Driver installation includes audio control software
– Debugging feature enables a keylogger
• Hardware interactions contain sensitive information
– Video, keyboard, mouse
1.3 - Driver Manipulation - Shimming
• Filling in the space between two objects
– A middleman
• Windows includes its own shim
– Backwards compatibility with previous Windows versions
– Application Compatibility Shim Cache
• Malware authors write their own shims
– Get around security (like UAC)
• January 2015 Microsoft vulnerability
– Elevates privilege
1.3 - Driver Manipulation - Refactoring
• Metamorphic malware
– A different program each time it’s downloaded
• Make it appear different each time
– Add NOP instructions
– Loops, pointless code strings
• Can intelligently redesign itself
– Reorder functions
– Modify the application flow
– Reorder code and insert unused data types
• Difficult to match with signature-based detection
– Use a layered approach
1.3 - SSL Stripping - SSL stripping / HTTP downgrade
• Combines an on-path attack with a downgrade attack
– Difficult to implement, but big returns for the attacker
• Attacker must sit in the middle of the conversation
– Must modify data between the victim and web server
– Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.
• Victim does not see any significant problem
– Except the browser page isn’t encrypted
– Strips the S away from HTTPS
• This is a client and server problem
– Works on SSL and TLS
1.3 - SSL Stripping - SSL and TLS
• SSL (Secure Sockets Layer) 2.0 - Deprecated in 2011
• SSL 3.0
– Vulnerable to the POODLE attack
– Deprecated in June 2015
• Transport Layer Security (TLS) 1.0
– Upgrade to SSL 3.0, and a name change from SSL to TLS
– Can downgrade to SSL 3.0
• TLS 1.1
– Deprecated in January 2020 by modern browsers
• TLS 1.2 and TLS 1.3 - The latest standards
1.3 - Race Conditions
• A programming conundrum
– Sometimes, things happen at the same time
– This can be bad if you’ve not planned for it
• Time-of-check to time-of-use attack (TOCTOU)
– Check the system
– When do you use the results of your last check?
– Something might happen between the check
and the use
Race conditions can cause big problems
• January 2004 - Mars rover “Spirit”
– Reboot when a problem is identified
– Problem is with the file system, so reboot because
of the file system problem
– Reboot loop was the result
• GE Energy - Energy Management System
– Three power lines failed at the same time
– Race condition delayed alerts
– Caused the Northeast Blackout of 2003
• Therac-25 radiation therapy machine in the 1980s
– Used software interlocks instead of hardware
– Race condition caused 100 times the normal dose of radiation
– Six patients injured, three deaths
1.3 - Other Application Attacks - Memory vulnerabilities
• Manipulating memory can be advantageous
– Relatively difficult to accomplish
• Memory leak
– Unused memory is not properly released
– Begins to slowly grow in size
– Eventually uses all available memory
– System crashes
• NULL Pointer dereference
– Programming technique that references a
portion of memory
– What happens if that reference points to nothing?
– Application crash, debug information displayed, DoS
• Integer overflow
– Large number into a smaller sized space
– Where does the extra number go?
– You shouldn’t be able
1.3 - Other Application Attacks - Directory traversal
• Directory traversal / path traversal
– Read files from a web server that are outside of the website’s file directory
– Users shouldn’t be able to browse the Windows folder
• Web server software vulnerability
– Won’t stop users from browsing past the web server root
• Web application code vulnerability
– Take advantage of badly written code
1.3 - Other Application Attacks - Improper error handling
• Errors happen
– And you should probably know about it
• Messages should be just informational enough
– Avoid too much detail
– Network information, memory dump, stack traces, database dumps
• This is an easy one to find and fix
1.3 - Other Application Attacks - Improper input handling
• Many applications accept user input
– We put data in, we get data back
• All input should be considered malicious
– Check everything. Trust nobody.
• Allowing invalid input can be devastating
– SQL injections, buffer overflows,
denial of service, etc.
• It takes a lot of work to find input that
can be used maliciously
– But they will find it
1.3 - Other Application Attacks - API attacks
• API - Application Programming Interface
• Attackers look for vulnerabilities in this new
communication path
– Exposing sensitive data, DoS, intercepted
1.3 - Other Application Attacks - Resource exhaustion
• A specialized DoS (Denial of Service) attack
– May only require one device and low bandwidths
• ZIP bomb
– A 42 kilobyte .zip compressed file
– Uncompresses to 4.5 petabytes (4,500 terabytes)
– Anti-virus will identify these
• DHCP starvation
– Attacker floods a network with IP address requests
– MAC address changes each time
– DHCP server eventually runs out of addresses
– Switch configurations can rate limit DHCP requests
1.4 - Rogue Access Points and Evil Twins - Rogue access points
• An unauthorized wireless access point
– May be added by an employee or an attacker
– Not necessarily malicious
– A significant potential backdoor
• Very easy to plug in a wireless AP
– Or enable wireless sharing in your OS
• Schedule a periodic survey
– Walk around your building/campus
– Use third-party tools / WiFi Pineapple
• Consider using 802.1X (Network Access Control)
– You must authenticate, regardless of the connection type
1.4 - Rogue Access Points and Evil Twins - Wireless evil twins
• Looks legitimate, but actually malicious
– The wireless version of phishing
• Configure an access point to look like an existing network
– Same (or similar) SSID and security settings/captive portal
• Overpower the existing access points
– May not require the same physical location
• WiFi hotspots (and users) are easy to fool
– And they’re wide open
• You encrypt your communication, right?
– Use HTTPS and a VPN
1.4 - Bluejacking and Bluesnarfing - Bluejacking
• Sending of unsolicited messages to another
device via Bluetooth
– No mobile carrier required!
• Typical functional distance is about 10 meters
– More or less, depending on antenna and interference
• Bluejack with an address book object
– Instead of contact name, write a message
– “You are Bluejacked!”
– “You are Bluejacked! Add to contacts?”
• Third-party software
1.4 - Bluejacking and Bluesnarfing - Bluesnarfing
• Access a Bluetooth-enabled device and transfer data
– Contact list, calendar, email, pictures, video, etc.
• First major security weakness in Bluetooth
– Marcel Holtmann in September 2003 and
– Adam Laurie in November 2003
– This weakness was patched
• Serious security issue
– If you know the file, you can download it without
authentication
1.4 - Wireless Disassociation Attacks
• Surfing along on your wireless network
– And then you’re not
• And then it happens again
– And again
• You may not be able to stop it
– There’s (almost) nothing you can do
– Time to get a long patch cable
• Wireless disassociation
– A significant wireless denial of service (DoS) attack
1.4 - Wireless Disassociation Attacks - 802.11 management frames
• 802.11 wireless includes a number of
management features
– Frames that make everything work
– You never see them
• Important for the operation of 802.11 wireless
– How to find access points, manage QoS, associate/
disassociate with an access point, etc.
• Original wireless standards did not add
protection for management frames
– Sent in the clear
– No authentication or validation
1.4 - Wireless Disassociation Attacks - Protecting against disassociation
• IEEE has already addressed the problem
– 802.11w - July 2014
• Some of the important management frames
are encrypted
– Disassociate, deauthenticate,
channel switch announcements, etc.
• Not everything is encrypted
– Beacons, probes, authentication, association
• 802.11w is required for 802.11ac compliance
– This will roll out going forward
1.4 - Wireless Jamming - Radio frequency (RF) jamming
• Denial of Service
– Prevent wireless communication
• Transmit interfering wireless signals
– Decrease the signal-to-noise ratio at the receiving device
– The receiving device can’t hear the good signal
• Sometimes it’s not intentional
– Interference, not jamming
– Microwave oven, fluorescent lights
• Jamming is intentional
– Someone wants your network to not work
1.4 - Wireless Jamming -
• Many different types
– Constant, random bits / Constant, legitimate frames
• Data sent at random times
– Random data and legitimate frames
• Reactive jamming
– Only when someone else tries to communicate
• Needs to be somewhere close
– Difficult to be effective from a distance
• Time to go fox hunting
– You’ll need the right equipment to hunt down the jam
– Directional antenna, attenuator
1.4 - RFID and NFC Attacks - RFID (Radio-frequency identification)
• It’s everywhere
– Access badges
– Inventory/Assembly line tracking
– Pet/Animal identification
– Anything that needs to be tracked
• Radar technology
– Radio energy transmitted to the tag
– RF powers the tag, ID is transmitted back
– Bidirectional communication
– Some tag formats can be active/powered
1.4 - RFID and NFC Attacks - RFID Attacks
• Data capture
– View communication
– Replay attack
• Spoof the reader - Write your own data to the tag
• Denial of service - Signal jamming
• Decrypt communication
– Many default keys are on Google
1.4 - RFID and NFC Attacks - Near field communication (NFC)
• Two-way wireless communication
– Builds on RFID, which is mostly one-way
• Payment systems
– Many options available
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, identity “card”
– Short range with encryption support