Summary: Lecture 13 Flashcards
Exam Format
4 Questions - 2 Hours, 10 Minutes Reading Time
Each question comprises a number of parts that together cover all topics, 25 marks each.
Total 100 marks weighted to 30% of the whole module.
Tips:
1) If there are equations, do go through the problems again to familiarise yourself with the equation. E.g. Diffie Hellman
2) If you are looking at protocols such as Cryptographic Protocols, now some of the protocols we have talk about will involve things like saytransposision, now you have seen one example in the lecture which arranges the key in alphabetical order, you have also seen another example in the tutorial that you arrange the key to form a word not necessary alphabetical order, so have to realise there’s a difference, read the question to find out it’s an alphabetical or its a word (no longer alphabetical).
Cryptography and Steganography
1) Understand the main purpose(s) eg. CIA, Privacy
- Main purpose/goal is to achieve a balance mainly in the CIA Triad (Triangle), occasionally for Privacy (when stego & crypto applied)
- To achieve this technique we have to be able to provide a solution to a given problem.
2) Understand the differences (e.g strengths and limitations of each)
- Crypto can be seen after encrypted but harder to reverse/crack as needs key while stego is not seen in plain sight but once known easy to reverse/crack.
3) Apply each or combination to different security use cases
- Sometime we use combination of both for stronger security, secured by encryption and hiding the encrypted text, for example after encryption then hide it in somewhere else.
4) Weakness in digital signature system
- Digital signature system is a form of hashing that can be used to verify integrity, and there was weaknesses if we use hashing function that has low collision resistant like MD5. Results in two sightly different inputs generating same output/hash (low probability). To minimize the chances of this occurring in a digital signature system then it is better to use a stronger hashing function, SHA based ones. Although there might still be collision but chances are lower than MD5.
5) Tutorial problems
Access Control (common real-world techniques)
Focus on those we use in the real-world, fingerprinting, biometrics (Know how to learn to select and apply those criteria for selection that we went through, cost, accuracy, acceptability by people enrolling for it [look for 1-2 Qn in Glasglow paper and tutorial problems]), passwords, tokens. Forget about the graphical, walking gate, typing rates, voice.
1) Understand the strengths and limitations of knowledge, possession, biometrics
2) Select, apply and justify access control technique(s) for the given scenario
3) Understand how / when to apply the principle of least privilege
4) Tutorial problems
Ethical Hacking
To know what are the different stages and how to apply the different stages if you participate in a pentest or engaged to be a pentester. Produce a pentest report at the end. In order to produce a pentest report, you have to go through a systematic process as paid to do this.
Start with reconnaissance (how comprehensive it is, depends on doing Whitebox or Blackbox.
- Whitebox, don’t need to do much reconnaissance as the person that engaged us will tell us which part of the network to pentest, the range of IP addresses to use/test beyond the range don’t touch etc, hence we know.
- Blackbox, the company already has a existing security posture, hence they want us to conduct a Blackbox because they want us to stimulate a real attack where the external attacker do not know much and starts to do more extensive reconnaissance and this could include attacks on call centres staffs to get information from there, so employees will be subjected to Blackbox test.
Beyond reconnaissance, everything is quite standard whether its Black or White box, we have to do Scanning and Enumeration to find the vulnerabilities, then from the knowledge referenced from the vulnerabilities whether using public domain databases or not to Exploit, then may have to Keep/Maintain Access if the engagement period going to last a few days and can’t finish within a single working day. Next, for Covering Tracks, if ethical hacker and not blackhat, restore the state of the pentester’s system, meaning restore the logs and any tools/backdoors installed have to take out and return the system in the original state when we started to the person who engaged us, our employer.
Techniques and tools for each stage not so critical, as Exploits too many to remember so no point, Scanning and Enumeration can just use N-maps/zenmap or some of the links, but don’t need to worry too much on this. So focus more on the applications of the different stages in the process and the difference in the amount of depth of reconnaissance we conduct, Blackbox vs Whitebox.
1) Computer Misuse Act; Types of Hackers and Use of Leetspeak
2) Types of pentesting: Blackbox vs Whitebox
3) Process -> Reconnaissance, Scanning and Enumeration, Exploit, Keep Access and Covering Tracks
4) Techniques and tools for each stage
5) Pentest Report
Social Engineering
Go through tutorials, for example all those clips and different examples of these different aspects of social engineering using Authority, Charm, Pretext, Baiting, Reciprocation etc. If you are a business owner, and have a call centre that is staffed and you need your employees to interact with yours clients that is using your products. Having a call centre, you have to be definately aware of social engineering, as social engineers usually attack call centres. So know how to prepare the employees in the call centre to recognise these kind of attacks and how to apply best practises against this. (eg. send employees for training but also as the boss have to know what the training includes.)
1) Know how to recognize a phishing email
2) Know how to recognize the different types of attacks from assessing scenario
(eg. Authority, Charm, Pretext, Baiting, Reciprocation)
3) Know how to recommend appropriate mitigation (eg. appropriate security policy and enforcement; education)
Web Security
Important vulnerabilities: SQLI, XSS, XSRF, there is also a main difference between XSS and XSRF as XSS do not need victim to be locked in while XSRF does. XSS has 3 different types, Persistant, Non-persistant (reflective), DOM-based, go through the examples again to familiarize the differences among the three types and know how to recognize each, and select appropriate mitigations that applies.
1) What are the important vulnerabilities? (OWASP Top 10)
2) Examples of vulnerabilities: SQLI, XSS, XSRF
3) Understand how to recognize vulnerabilities
4) Able to select the appropriate mitigations that apply
Network Security
1) Attacks:
- Network architectures (difference between switched- and hub- networks)
- Vulnerabilities (Ports (apps); Router; Server; Communication channels)
- Port spoofing / scanning (basic and advance scanning)
- Passive and Active sniffing (ARP spoofing techniques and examples)
To find vulnerabilities, for ports we do scanning with zen map which is the GUI version of n map, when we scan we also enumerate to find the application running behind an open port (filtered and closed ports are useless to attackers as they can’t get through) and from the application and the public domain vulnerability databases, they can find the vulnerabilities and exploit it.
For communication channels, if its encrypted its difficult to attack, if not can just sniff it straight away. Communication channels is only part of a network topology / configurations, so network architectures can be hubbed in which case is broadcast or it can be switched in which case is point to point.
- Hubbed network if its promiscuous mode and not encrypted, can just put a sniffer (e.g. Wireshark) there and just sniff it, having access to all the communications cause its broadcast.
- For switched networks not as easy as its point to point, so have to do some poisoning using ARP spoofing (3 different types, look over ARP spoofing examples again and understand them)
2) Defence:
- Firewalls (Policies and rule sets; packet filtering - Windows)
- Stateless vs Stateful Firewalls
- Firewall Configuration Exercise
- IDS and IPS, Proxies
- VPNs (Authentication, Tunnelling and Encryption Vulnebilities of IPSec and TLS)
- Honeypots
Stateless, don’t remember the connection profile. Stateful, remember connection profile, takes longer and higher overhead (look at the table for comparisons between that).
Firewall Configuration won’t come out, as last year tested.
IDS and IPS, the difference is one has to be connected inline while the other one is connected just to detect, it does not stop.
- And if connect to a switched network is different to connect to a hub. For Hubbed network, if connect to IDS, hears everything. For switched network, need to do port mirroring.
VPNs, for vulnerabilities as its complicated so awareness will be sufficient, for VPNs mainly know that there is a system containing the parts for authentications, tunneling and encryption.
Honeypots, more for knowledge, honeypots nowadays in real world people use it with machine learning, so that they can reconfiguration themselves so that attackers won’t keep seeing a fixed honeypot. After some time of keep attacking the same honeypot and it does not change, easy to realised its a honeypot.
Malware Analysis
1) Understand differences among virus (mutex), worm and trojan
- Virus needs a host, worm and trojan don’t need a host. Because virus needs a host, the victim will have to interact with the host, execute the host first in order to execute the virus. This is the reason why virus needs the use of a mutex, to prevent reinfection of the same target as the host is already infected once if infected again without mutex it raises the chances of an exception happening, as the virus run twice; previously does not know there is an infection. Worm and trojan are not critical to have mutex as they don’t need a host.
2) Understand differences between polymorphic vs metamorphic malware
- Polymorphic malware uses encryption, each time it encrypts and decrypts it needs to contact the CNC server for a different key to make it harder to decrypt it the second time, if happen to find the key and decrypt the first infection, the second one won’t be so lucky as the key has been changed.
- Metamorphic malware can change its code to change its signature but still do the same thing. We have seen the addition of code that does nothing like a NOP, no operation, but its changes the hexadecimal signature of the software. We can change the jump instruction inside the malware to jump to a different location but still keep the same sequential execution order and therefore the same functionality in the malware. So metamorphic malware does not use encryption but it involves changing its code to change its signature, but when it changes its code it still does the same thing, the malicious function is keep just that it makes you think its a different malware because of the change in instructions causing its signature to be different. So signature-based solutions antivirus will fail to detect such malware types.
3) Why are some modern malware multi-staged eg. Shifu
- Why are some modern malware multi-staged? eg. Shifu (banking trojan, means theft in Japanese). We did a demo with VirusTotal, we have different stages, the loader we get the highest hit then after that the secondary injector and then the last one the main payload we get no hits. So it’s multi-staged because the very first stage is probably the simplest, like putting one finger or one toe into your defence, to test your defence, if catch it so be it just replace the loader. So it does not want to sacrifice its most important part which is the main payload so that’s why the main payload is the most heavily camouflaged and unlikely to discover it. But its need to test our defence stage by stage. If it is ok it gets away it goes into the next stage. If it is not ok you catch it, it lets your keep the loader and replaces it with a different loader. Hence, it is multi-staged as it will not sacrifice the entire payload by injecting the whole thing at one go, as what if you catch it then everything will get caught, so it does in stages or parts.
4) Safe analysis environment (determine IoCs used to characterize malware)
- Is to have a VM with suitable tools, we didn’t do that much so don’t have to worry about what type of tools, but just the general concept of having a sandbox that can be automated to analyse the malware either statically using certain tools or by running it and profiling it using some other tools, and the reason for this is so that the malware that is being analysed in these safe environments can be characterized by determining or finding indicators of compromise or clues that the malware in executing leaves behind (like signatures but not, so even if it changes, for example, metamorphic, it can change the signature but as long as the function don’t change and executed in the same malicious way, the same kind of clues or IoCs will be dropped) that can help you characterize the malware so that if you find IoCs for these subsequent infections and you compare to what you have determined earlier and if they match then that gives us a strong hint that these subsequent infections involve the same malware.
5) Preliminary (is malware compressed; decompress and submit for analysis)
- Malware analysis stage, it starts off with basic static analysis, advanced, then dynamic. Basic static analysis using some tools to extract out some strings or IoCs. Advanced means have to reverse it using suitable tools to look at the source code. Then followed by dynamic analysis where you can run it with a debugger step by step. Before even carrying out all these, 4 different stages, some malware are compressed, compressed malware is not encrypted malware they are different, compressed is just using an archiver or package to pack it so that some spaces/delimiters between instructions are removed so that you are not able to see or distinguish individual instructions. If malware is compressed, even if you submit it to VirusTotal its not going to be very helpful because chances are the AV solutions in VirusTotal will not be able to detect anything useful as everything is packed together. So before submitting any payload to be analysed first check whether it’s compressed then decompress it first, don’t have to know how to compress it but know that if it’s compressed you can’t get accurate information in the analysis.
IoT Security
All these different parts are linked together. Vulnerabilities and exploits is probably the most important, but to understand this part we need to also understand the first 2 parts. By the time of reaching part 3, the first 2 parts should be a default already. Things like what mode is it operating on, storing or non-storing mode, what kind of protocol is it using at the time, does it involve the timer or not, all these things should be known by the time of reaching vulnerabilities and exploits. There are examples for each type of vulnerability and exploits pair, there are examples given to illustrate these particular scenarios, so do look at this part and try to understand it well.
1) Configuration and characteristics of RPL network
2) Operating modes and protocols
3) Vulnerabilities and exploits —> examples
Digital Forensics
1) What is an appropriate investigative environment?
2) How important is acquired digital evidence? (integrity, admissibility)
- It’s not just about using the tools to craft out the information, it’s not just about providing an electrostatically neutral environment, it’s more of keeping the evidence intact that means there must be integrity and this must be demonstratable because the evidence is eventually used to prove a hypothesis and this needs to be admissible in a court of law. (integrity and admissibility of evidence is important) What takes care of these is the Chain-of-Custody
3) Chain-of-Custody (purpose and importance)
- Each time evidence changes hands, different people take it at different times, different location, do different things on it, these have to be tracked, hash has to be computed to show the hash remains unchanged throughout, proving that nobody tried to change the evidence. Will be challenged by the other side when admitting the evidence in court to prove that evidence is not forged or tampered with.
Blockchain
1) How are they different from centralized systems? (immutability and anonymity)
- A blockchain is a decentralized system, here we are not talking about networks and the configurations, by centralized and decentralized we are talking about whether for centralized we have one single company and entity in charge or responsible for the whole business, so it’s a business model. So the decentralized model is that every participant or business participant be it a client or supplier have some stake in the system, so they can contribute by participating directing in the system in the form of for example checking and computing the Proof of Work (PoW) they can contribute computing power.
- Main strengths or advantages of blockchain would be immutability, no one person can just go in and change the transaction because they are all chained up, if change one got to change all the rest and each time you do it you are slowed down because of the PoW (takes about 10mins). Another advantage is anonymity, because now you have different stakeholder participating to find a particular transaction in a particular block and who it belongs to it is going to be difficult because everything inside is encrypted.
- Anonymity can be a disadvantage in certain applications, for example, if Harry sells a house to Tom and Tom buys the house from Harry, both Harry and Tom cannot be anonymous otherwise Harry will not know who to sell the house to and Tom will not know who to pay, so this needs to be known. Which are limitations of blockchain. Second disadvantage is the data overheads and computation overheads in the blockchain are tremendous, a lot of hashing, rehashing, checking where hashes are linked to from one block to another.
2) What is the purpose of PoW (examples)?
3) Main purpose(s) of Merkle Tree
- As the data overheads and computation overheads in the blockchain are tremendous, a lot of hashing, rehashing, checking where hashes are linked to from one block to another. So the Merkle Tree (basically a Binary Search Tree) organises the information in a more efficient way so it reduces the amount of search time to a log2N (base 2/binary). It makes the verification of change much more efficient if the data that are inside the blocks are organised in the form of a Merkle Tree.
4) Vulnerabilities of blockchain system and mitigation techniques
- The 51% attack, double spending is vulnerabilities to DOS
- And there are several mitigation techniques, so will do well to look through this again and familiarize ourselves with this.
Side Channel Attacks
1) New vs Existing Threat Models
- First, it is important to realise that there are two different threat models. The differences are:
- Before side channels, we dealt with an existing threat model looking at channels, protocols, what are the weaknesses: channels no encryption, looking for vulnerabilities in protocols, look for ways to bypass authentications and so forth to get into a system. (Typical existing threat models).
- While the new threat models is different and does not worry about the things in existing threat models, because it depends on signal leakages from the hardware technologies that are used.
2) Passive vs Invasive Attacks
- Passive attacks are merely monitoring, eg. motoring thermal lights, electromagnetic radiation, voltages. Just passive monitoring.
- While Invasive attacks mean doing some soldering, desoldering, breakage of connections etc. This is damaging as once an invasive attack is done the device cannot be restored to its original form.
3) Power Consumption Analysis —> Simple Power Analysis and Differential Power Analysis; Applications
- There are many types of side channel attacks but we only concentrated on two types the Power Consumption Analysis and Timing Analysis.
- For Power Consumption Analysis, we only did 2, Simple Power Analysis and Differential Power Analysis and their applications.
- The difference is that Differential each time you are taking two readings it could be at two different points, the input and output of a block and compare. So in both, you need to make many samples to reduce the effect of noise, especially in Differential as the differences are in the micro or even nano range, so at this kind of difference if there is background noise it will be subsumed by the noise and will be obscured. Hence, needs many many samples so that the effect of noise will be averaged out. And in the case of Differential need to do statistics, and to do statistics you need some software statistical tools to help.
4) Timing Analysis
- For Timing Analysis, just take time and is more effective as an attack because it does not care where you keep the target, can be in VMs, can have tampered proof shielding. As it is just measuring input and output response time.
- There are ways to counteract this, some anti-timing analysis countermeasures are more effective than the others. Familiarise yourself with that.
Questions & Others
- All topics coming out, even though some topics have already been tested in the quiz.
- Equations need to memorise, eg. Diffie Hellman. Protocol is more of awareness and not really memorisation. Transposition, for example, there are different examples of transposition, one in which the keyword needs to be in the alphabetical order, the other example in tutorial does not need to but it need to form an English word.