Uploaded by rteng

Security+

advertisement
1.1 Phishing
-
-
-
Spoofing is a malicious practice in which someone imitates information in order to
deceive or gain unauthorized access.
- IP spoofing: Attacker disguises their true IP address
- Email spoofing: The creation of email messages with a fake sender address to
deceive the recipient
- Called ID spoofing: A practice in which the caller ID information displayed on the
recipient’s phone is altered to hide the true identity of the caller
Phishing is social engineering with a touch of spoofing
- This is often delivered by email, text, etc
- They sometimes make the website look as close to the original as possible and
will almost always ask you to enter your email address and password.
You can mitigate this by always checking the url and make sure you are on the right url
You can also mitigate this by checking spelling, fonts, and graphics of the screen being
presented
Tricks and misdirections
-
-
Typosquatting
- A practice of registering misspelled domain names closely resembling other well
established and popular domain names in hopes of getting Internet traffic from
users who would make errors while typing in the URL in their web browsers.
- A type of URL hijacking: https://professormessor.com
- Prepending is used in URL phishing: https://pprofessormesser.com
Pretexting
- Lie in order to get information
- Attacker is a character in a situation they create
- For example, “Hi, we are calling from Visa regarding an automated payment to
your utility service…”
Pharming
-
-
-
Attackers may use pharming to attack a group of people
This can be done by redirecting a legit website to a bogus website
- This redirection can be done by poisoning DNS server or client vulnerabilities
- Or when an attacker is able to take over the entire website
Combination of pharming and phishing
- Pharming: Harvests large groups of people
- Phishing: Collect access credentials
Pharming is more difficult for anti-malware and anti-virus software to stop
- Because everything appears legitimate to the user
-
Characteristics of pharming include:
- Traffic redirection
- Fraudulent website
- Credential harvesting
Phishing with different bait
-
-
-
Vishing (Voice phishing) is done over the phone or voicemail
- Caller ID spoofing is common
- Fake security checks or bank updates
Smishing (SMS phishing) is done by text message
- Spoofing is a problem here as well
- Messages usually contain links or asks for personal information
Other variations
- The fake check scam, phone verification code scam, Boss/CEO scam, advancefee scam
- You can find more information on https://reddit.com/r/Scams
Finding the best spot to phish
-
-
Reconnaissance
- Gather information on the victim
Background information
- Lead generation sites
- LinkedIn, Twitter, Facebook, Instagram
- Corporate websites
With those information, attackers can then build a believable pretext
- Where you work
- Where you bank
- Where you shop
- Recent financial transactions
- Family and friends
Spear Phishing
-
-
Spear phishing is the type of phishing that is targeted for specific individual(s) with
inside information
Spear phishing the CEO is called “whaling”
- Targeted phishing with the possibility of a large catch
- The CFO is also commonly speared
These C suites have access to corporate bank accounts that potentially hold a lot of
money or sensitive information
- And attackers would love to have those credentials
1.1 Impersonation
Impersonation
-
-
Impersonation is when attackers pretend to be someone they aren’t
- Like Halloween for the fraudsters
Attacker pick the person to impersonate based on the details they have got from recon
Attack the victim as someone higher in rank
- Office of the VP for Scamming, for example
Throw tons of technical details around to try to confuse the victim
- For example, catastrophic feedback due to the depolarization of the differential
magnetometer
Be a buddy and super friendly
Eliciting information
-
Eliciting = Extract information from the victim
Often seen with vishing
- Easier to get this information over the phone
They usually employ psychological techniques to make you feel comfortable or at ease
so you are more likely to reveal sensitive information
Identity Fraud
-
Your identity can be used by others
Credit card fraud
-
-
-
Open an account in your name, or use your credit card information to make
purchases
Bank fraud
- Attacker gains access to your account to transfer money out of your account
- Attackers open a new account using your name
Loan fraud
- Attackers use your information to open a loan or lease using your name
Government benefits fraud
- Attacker obtain benefits on your behalf by changing the address
Mitigation against impersonation
-
Never volunteer information
Don’t disclose personal details
Always verify before revealing info
- Can ask to call back and verify through 3rd parties
Verification should be encouraged, especially if your organization owns valuable
information
1.1 Dumpster Diving
-
-
Mobile garbage bin
- United states brand name dumpster
- Similar to a rubbish skip
Important information thrown out with the trash
Gather details that can be used for attacks
- Impersonate names, use phone numbers
Timing is important
- Just after the end of month, end of quarter
- Based on pick up schedule
Is it legal to dive in a dumpster?
-
In the United States, it is legal in general
- Unless there is a local restriction
If it is in the trash and it’s in an open area, then nobody owns it
Dumpster on private property or “No trespassing” sign may be restricted
Protect your rubbish
-
Secure your garbage
- Fence and a lock
Shred your documents
-
- Governments burn the sensitive information
Go look at your trash to ensure no personal information is in there
1.1. Shoulder Surfing
-
-
People can obtain information that you are seeing
- Curiosity, industrial espionage, competitive advantage
This can be done easily
- At an airport
- On a flight
- Hallway-facing monitors
- Coffee shops
Surf from afar
- With binoculars or telescopes
- Webcam monitoring
Preventing shoulder surfing
-
Control your input
- Be aware of your surroundings
Use privacy filters
- Blacks the screen unless you are right in front of the computer
Keep your monitor out of sight
- Away from windows and hallways
Don’t sit in front of someone on your flight
1.1 Hoaxes
-
-
A threat that doesn’t actually exist
- But they seem like they could be real
- From email, message, voice mails, etc
Still often consume lots of resources
- Forwarded email messages, printed memorandums, wasted time
Often an email, facebook post, a tweet, etc
Some hoaxes will take your money
- For example, having the victim purchase a gift card for the attacker
A hoax about a virus can waste as much time as a regular virus
Mitigating hoax
-
-
Believe no one, it is the internet
- By considering the source
Cross reference
- http://www.hoax-slayer.net
- http://www.snopes.com
Spam filters can help
- Email filters
-
If it is sounds too good to be true
- Then it probably is too good to be true
1.1 Watering Hole Attacks
-
-
If you network is really secure, like
- Employees don’t even plugin USB
- Not responding to phishing emails
- Not opening any email attachments
Then, attackers might look for vulnerabilities in your 3rd party vendors, this is called
the watering hole attack
- Hope you will get infected through your trusted 3rd party vendors
Executing the watering hole attack
-
-
-
Determine which website victim group uses or where they go
- They might infect a local coffee or sandwich shop
- They might infect sites that your organization visits a lot
Infect one of these 3rd party sites through:
- Site vulnerabilities
- Email attachments
Infect all visitors
- It will infect all visitors and attackers hope you or your group will be part of the
visitors
Case studies
-
In Jan 2017, Polish financial supervision authority, national banking and stock
commission of mexico, state-owned bank in Uruguay discovered a watering hole attack
Attack was done when IP addresses from these organizations visit a certain site that
would download malicious JavaScript files
Watching the watering hole
-
Defense in depth (Layered defense)
- Firewalls and IPS (Network security)
- Stop network traffic before things get bad
- Anti-virus and anti-malware signature updates (Endpoint security)
- The Polish Supervision Authority discovered and stopped this attack
because the signatures appeared in Symantec’s anti-virus software
- User education
- Web security through patching web servers and to use encryption
1.1 Spam
-
-
-
Unsolicited messages
- Email, forums, etc
- Spam over Instant Messaging from SMS, WeChat, WhatsApp (SPIM)
Various content from these spam
- Commercial advertising
- Non-commercial proselytizing (Worldview, political standpoint, etc)
- Phishing attempts
Spam has significant technology issue
- Security concerns, resource utilization (Network I/O to receive these spam),
storage costs, managing the spam
Mitigating spam
-
Use mail gateways
- Stop it at the gateway
- Could be either physical or cloud-based
-
Email filters or mail gateways identify spam by a couple characteristics:
- Allowed list
- Only receive email from trusted senders (Must be updated constantly)
- SMTP standards checking
-
-
-
- Block anything that doesn’t follow RFC standards
rDNS (Reverse DNS)
- Block email where the sender’s domain doesn’t match the known IP
address.
Tarpitting
- Intentionally slow down the mail server conversation (Makes sending and
receiving actions take excessive amount of time)
Recipient filtering
- Block all email not addressed to a valid recipient email address
- Downside: requires constant update of valid recipient email address
1.1 Influence Campaigns
-
-
Influence campaigns
- Sway public opinion on political and social issues
Nation-state actors
- Divide, distract, and persuade in order change the way how people think, vote,
make a decision
Advertising is an option
- Buy a voice for your opinion
Enabled through social media
- Creating, sharing, and liking on social media
- Amplification through the social media
The influencing process
Hybrid warfare
-
Sometimes, it could be used for military purposes
- Wage war non-traditionally
AKA cyberwarfare
- Attack an entity with technology
Influence foreign elections
- Use fake news
1.1 Other social engineering attacks
Tailgating
-
Use an authorized person to gain unauthorized access to a building
Use methods such as:
- Blend in with clothing
- 3rd party with a legitimate reason (Cleaning, maintenance, etc)
- Temporarily take up smoking and follow an authorized person
- By keeping their hands full with food or drinks so someone will keep the door
open for the attackers
Watching for tailgating
-
Policy for visitors
- Should be able to identify anyone
One scan, one person
- Through company policy or mechanically required to do only one scan at a time
Access control vestibule/airlock
- Only allows one person at a time
Don’t be afraid to ask if someone seems suspicious
- Who and why?
Invoice scams
-
Starts with a bit of spear phishing
- Attacker knows who pays the bills (Financial department)
Attacker sends a fake invoice
- From address that is a spoofed version of the CEO
Accounting pays the invoice because it was from the CEO
Might also include a fake link to pay
- Attackers not only get the payment but also your payment method
Credential Harvesting
-
-
Attackers collect login credentials that are stored on your computer
- Chrome, firefox, outlook, Windows credential manager, etc
What could happen is, user receives an email with a malicious MS Word doc
- Opening the document will run a macro
- The macro downloads credential harvesting malware
Everything could be happening in the background so users might not even realize that
their credentials are harvested
Bracketing
-
Provides a high and low estimate in order to entice a more specific number
Confidential Bait
-
Pretending to divulge confidential information in hopes of receiving confidential
information in return
Deliberate False statements
-
Saying something wrong in the hopes that the person will correct the statement with true
information
Feigned ignorance
-
Pretending to be ignorant of a topic in order to exploit the person’s tendency to educate
Denial of the obvious
-
Saying something wrong in the hopes that the person will correct the statement with true
information
Flattery
-
Using praise to coax a person into providing information
1.1 Principles of Social Engineering
-
Social engineering is constantly changing
This attack may involve multiple people and multiple organizations
- There are ties connecting many organizations
May be in person or electronic
-
For example, phone calls from aggressive customers
For example, funeral notifications emails of a friend or associate
Social Engineering principles
-
-
-
-
-
Authority
- Calling from the help desk or the CEO or the police
Intimidation
- Bad things happen if you don’t help
- The payroll checks won’t be processed if you don’t help me
Consensus or social proof
- Convince based on what is normally expected
- For example, your co-worker Jill did this for me last week, so why can’t
you?
Scarcity
- The situation will not be this way for long
- Must make the change before time expires
Urgency
- Works alongside scarcity
- Doesn’t allow victim time to think
Familiarity or liking
- Someone you know, we have common friends
Trust
- Someone who is safe
- I am from the IT department
- Police
1.2 An overview of Malware
-
-
Malware = Malicious software
Malware gather information
- Keystrokes
Malware causes your machine to be controlled over the internet and participate in a
group
- Turns your machine into a bot and join a group called botnet
- This botnet can be controlled to do a DDoS, mining, etc
Malware that shows you advertising
Malware that are viruses and worms
- Encrypt all of your data and won’t be decrypted until you pay
Malware types and methods
-
Viruses
Crypto-malware
Ransomware
Worms
Trojan Horse
Rootkit
Keylogger
Adware/Spyware
Botnet
How you get malware
-
-
A worm takes advantage of a vulnerability and installs a malware
That installed malware might include a remote access backdoor
This backdoor can then download other software that might install additional malware
A bot may be installed later
Your computer must run a program so attackers might:
- Send email links
- Web page pop-up that contains links
- Web pages that automatically download software and then encourages you to
run that software, this is called drive-by download
- Worm that attacks a vulnerability
Assume your machine is vulnerable
- OS: Keep your OS updated
- Applications: Check with the publisher
- Email: Don’t click on links
1.2 Viruses and Worms
Virus
-
A virus is a malware that can reproduce itself
-
-
-
It needs you to execute a program ← What differentiates a virus and a worm
Reproduce through file systems or the network
May or may not cause problems
- Some viruses can delete files or encrypt files
- Some are benign, only shows advertisements
- Some collect information
Anit-virus is used against viruses
- Keep your signatures updated
There are different virus types
- Program viruses
- Needs to be executed by you
- Boot sector viruses
- Exists inside the boot sector of your storage device
- Virus launches when you start the computer
- Script viruses
- Script in OS or browser-based
- Macro viruses
- Running inside of an application such as MS office apps
Fileless virus
-
A virus that never saves itself or installs itself on to a system
It avoids detection of anti-virus program
It operates in memory (RAM)
Common way for a fileless virus to infect is through a link on a website or a link from an
email
- After clicking the link, it will download a flash or java file or it takes advantage of a
windows vulnerability
- Once downloaded or exploited, there might be scripts that will run Powershell
and downloads payload to RAM
- Once the script is run and executes in memory, it can exfiltrate data, encrypt your
data, or damage your data
- Since the attacker might want to run this again, they might add an auto-start to
registry
Worms
-
-
A worm is a malware that takes advantage of a vulnerability and can self-replicate
- Doesn’t need you to do anything unlike a virus
- Uses the network as a transmission medium
- Self-propagates and spreads quickly
Worms can take over many systems quickly because it uses network to travel
Mitigating Worms
-
-
Firewalls and IDS/IPS can mitigate many worm infestations
- Creates signatures for the worm
- Also important to put firewalls and IDS/IPS between systems to prevent
spreading
However, they won’t help if worms are already inside
Wannacry Worm
-
Took place back in 2017
1.2 Ransomware and Crypto-malware
-
-
-
Data is valuable
Personal data
- Family pictures and videos
- Important documents
Organization data
- Planning documents
- Employee PII
- Financial information
- Company private data
Data can be taken away or encrypted by ransomware
Ransomware
-
Malicious actors want your money and they do so by using ransomware
However, there may be fake ransom
- Computer locked by the “police”
The ransom might be avoided as a security professional may be able to remove these
kinds of malware
Crypto-malware
-
-
-
A newer generation of ransomware
- Uses public-key cryptography to encrypt all of your information
- Your data is unavailable until you provide cash
Malware encrypts your data files
- Pictures documents, music, movies, etc
- Your OS remain available
You must pay the bad guys to obtain the decryption key
- Untraceable payment system like bitcoin
Mitigating ransomware
-
Always have a backup
- An offline backup ideally
Keep your OS up to date to patch known vulnerabilities
Keep your applications up to date
Keep your anti-virus and anti-malware signatures up to date
Keep everything up to date
1.2 Trojans and RATs
Trojan horse
-
-
-
A software that pretends to be something else so it can gain access to your computer
A type of software that performs unwanted and harmful actions in disguise of a
legitimate and useful program is known as a Trojan horse. This type of malware may act
like a legitimate program and have all the expected functionalities, but apart from that it
will also contain a portion of malicious code that the user is unaware of
A trojan horse circumvents your existing security
- An anti-virus might catch it when it runs but some trojan horses are known to
disable your security measures
Once inside, it has free reign
- May open backdoors for other programs
Potentially Unwanted Program (PUP)
-
What is a PUP?
- A type of computer program not explicitly classified as malware by
antivirus/malware
- A type of software that may have adversely affect the computer’s security and
performance, compromise user’s privacy, or display unsolicited ads
- An application downloaded and installed with the user’s consent (Legal app)
-
-
These are identified by anti-virus and anti-malware as:
- Potentially undesirable software
- Often installed along with other software when you install them
These software can include:
- Overly aggressive browser toolbar
- A backup utility that displays ads
- Browser search engine hijacker that redirects you to other websites whenever
you perform a search
Backdoors
-
Backdoors create new way to enter your system
Backdoors circumvents normal authentication methods
Often placed on your computer through malware
Some software includes a backdoor
- Old Linux kernel included a backdoor
- Bad software can have a backdoor as part of the app
Remote Access Trojans (RATs)
-
-
AKA remote administration tool
- Gives 3rd party access to your system
- Has administrative control of a device (Anything can be done)
Malware installs the server/service/host
- Attacker connects with the client software
RATs can take control of a device and do the following
-
Key logging
Screen recording/screenshots
Copy files from your system to another system or the other way around
Embed even more malware
Mitigating trojans and RATs
-
Don’t run unknown software, links in emails or websites
Keep antivirus and antimalware signatures updated
Always have a backup
1.2 Rootkits
-
Originally a Linux/Unix technique
- The root user
Modifies core system files
- Part of the kernel
Can be invisible to the OS because it is part of the OS
- Won’t see it in Task manager
Also invisible to traditional anti-virus utilities
- Can’t stop it if you can’t see it
Kernel drivers
-
Zeus/Zbot malware
-
- Famous for cleaning out bank accounts
Now combined with Necurs rootkit
- Necurs is a kernel-level driver
Necurs makes sure you can’t delete Zbot as you won’t have access to it
Necurs also prevents you from stopping the Windows processes associated with the
malware because you have no access
Finding and removing rootkits
-
Look for the unusual
- Anti-malware scans
Use a remover specific to the rootkit
- But is only built after the rootkit is discovered
Secure boot with UEFI
- Prevents booting of the OS if anything has been changed in the kernel.
Therefore, preventing the rootkit to be installed
1.2 Spyware
Adware
-
If your machine is infected with adware, you will start to see pop-ups
May cause performance issues, especially over the network
May be installed accidentally
- May be included with other software
Be careful of software that claims to remove adware
- Especially if you learned about it from a pop-up
Spyware
-
-
Spyware spies on you
- Identifies and gathers your information
- Where you visit
- Personal information used to ID theft
Spyware can be installed in a number of ways
- Trojan horse like a fake security software
Spyware can examine the type of web pages that you visit
Spyware can also capture keystroke when you type in your password
Why is there so much adware and spyware?
-
Your information is valuable
Your computer time and bandwidth is valuable
-
Your bank account information is valuable
Mitigating adware and spyware
-
Maintain your antivirus and antimalware to latest signatures
Always know what you are installing
Make a backup that is offline
Run some scans with antimalware software
1.2 Bots and Botnets
-
-
Once your machine is infected, it becomes a bot
How does a bot get on your computer?
- Trojan horse
- You run a program that seems to be legit
- OS or application vulnerabilities
A bot usually sits around until it receives instructions from the command and control
server (C&C)
Botnets
-
A group of bots working together
A botnet can perform DDoS attack
A botnet can also relay spam, proxy network traffic, distributed computing tasks
Mitigating bot and botnets
-
-
-
Prevent the initial infection
- OS and application patches
- Antivirus and antimalware has updated signatures
Identify an existing infection
- On-demand scans from antivirus and antimalware
- Network monitoring for unusual traffic pattern
Prevent C&C
- Block at firewall if you know the type of network flows
- Identify at the workstation with a host based firewall or host-based IPS
1.2 Logic bombs
-
A logic bombs is a type of attack that is triggered by a predefined event
- Often left by someone with grudge or disgruntled employee
Types of logic bomb
- Time bomb
-
- Occurs when a time or date is reached
- User event
- For example, someone turns on or off a machine
Difficult to identify
Also difficult to recover the bomb if it goes off because it removes itself after
Mitigating a logic bomb
-
Difficult to recognize
- Each is unique
-
-
- No pre-defined signatures
Can use process and procedures
- Formal change control
Electronic monitoring
- Alert on changes
- Use host-based intrusion detection, tripwire app, etc
Constant auditing
- An admin can circumvent existing systems so always audit someone who
administrative accesses
1.2 Password Attack
Plaintext/Unencrypted passwords
-
Some applications store passwords in plaintext
- No encryption
Do not store passwords as plaintext
- Anyone with access to a password file or database has every credential
Hashing a password
-
-
Best way to store passwords is to use hashing
Hashes represent data as a fixed-length string of text
- A message digest or “fingerprint”
Hashes won’t be duplicated as different inputs will not have the same hash
- Specific to a password
One-way trip
- It is a cryptographic algorithm that cannot be reversed, which means that it is
impossible to recover the original message from the digest
- A common way to store passwords
Hash examples
- SHA-256 hash
The password file
-
Different across OS and applications
- /etc/passwd for Linux
They also use different hash algorithms
Spraying attack
-
Spraying attack tries all of the common passwords
- For example, from the list of most common passwords on wiki
-
Attack an account with the top 3 passwords
- If they don’t work, move to the next account so there are no lockouts, no alarms,
no alerts
Brute Force
-
Try every possible password combination until the a hash is matched against the hash in
the password file they have acquired
A strong hashing algorithm slows things down
Brute force attacks online is slow and most accounts will lockout after a number of failed
attempts
More often, a brute force attack is performed offline once they have downloaded the
password file
- Obtain the list of users and hashes
- Calculate a password has, compare it to the stored hash
- But it requires a large computational resource.
Dictionary Attacks
-
Use a dictionary to find common words
- Passwords are created by humans
Many common wordlists available on the internet
The password crackers can substitute letters
- p@ssw0rd
However, dictionary attacks also take time. Attackers use these methods to speed up
- Distributed cracking: Multiple systems are used
- GPU cracking: Using GPU from graphics card since they are faster
Rainbow tables
-
-
An optimized pre-built set of hashes
- Saves time and storage space
- Doesn’t need to contain every hash
- Contains pre-calculated hash chains
Remarkable speed increase, especially with longer password lengths
Downside is:
- Need different tables for different hashing methods
Best practices
-
Salt
-
Example
Salt is random data added to a password when before it is hashed
Every user gets their own random salt so the same password creates a different
hash
This protects against rainbow tables since a random value is added to the
original password
This also slows down a brute force attack
1.2 Physical Attacks
Malicious USB cable
-
-
-
It looks like a normal USB cable
- But in fact, it has additional electronics inside
OS identifies it as a HID
- A HID is a human interface device like a keyboard or a mouse
- A keyboard or a mouse doesn’t need extra rights or permissions
Once connected, the cable takes over
- Downloads and installs malicious software by typing and executing commands
on its own
Don’t plug in any USB cable
Malicious Flash drives
-
-
A malicious flash drive can contain malicious software when you plug it in
Older OS would automatically run files
- This has now been removed or disabled by default
Could still act as a HID
- Start a command prompt and type anything without your intervention
Attackers can load malware in documents
- PDFs, spreadsheets, etc
Can be configured as a boot device
- Infect the computer after a reboot if a user forgot to remove the USB from the
machine
Acts as an ethernet adapter
- Redirects or modifies internet traffic requests
- Acts as a wireless gateway for other devices
Skimming
-
-
Stealing credit card information during a normal transaction
- Copy data from the magnetic stripe such as card number, expiration date, card
holder’s name, etc
ATM skimming
- Includes a small camera to watch for your PIN
Fraud can be performed after skimming
Always check the card reader before using it to see if there is anything suspicious in
place
Card cloning
-
-
Get card details from a skimmer
Create a duplicate of a card
- Looks and feels like the original card
- Often includes the printed CVC
Can only be used with magnetic stripe cards
- The chip cannot be cloned
Cloned gift cards are common as well because it uses a magnetic stripe technology
1.2 Adversarial AI
Machine Learning
-
Machine learning allows our computers to become smarter
- They identify patterns in data and improve their predictions
This requires a lot of training data
- For example, face recognition requires analyzing a lot of faces
Many benefits from ML, we can use ML to:
- Stop spam
- Recommend products from an online retailer
- Understand movie tastes
- Prevent car accidents by training cars
Poisoning the training data
-
Confuse the AI
- Attackers send modified training data that causes the AI to behave incorrectly
An example is a MS AI
Evasion Attacks
-
The AI is only as good as the training
- Attackers find the holes and limitations
An AI that knows what spam looks like can be fooled by a different approach
- By changing the number of good and bad words in the message
An AI that uses real-world information can release confidential information
- Trained with data that includes social security numbers
- AI can be fooled into revealing those numbers
How to secure the learning algorithms?
-
Check the training data
Constantly retrain with new data
Train the AI with possible poisoning
- What would the attacker try to do?
1.2 Supply Chain attacks
-
-
The supply chain contains many moving parts
- Raw materials, suppliers, manufacturers, distributors, customers, consumers
- They can all be attacked
Attackers can infect any step along the way
- Infect different parts of the chain without suspicion
One exploit can infect the entire chain
Supply chain security
-
Use a small supplier base
- Tighter control of vendors
Strict controls over policies and procedures
- Ensure proper security is in place
Security should be part of the overall design
1.2 Cloud-based vs. On-prem attacks
-
-
Attacks can happen anywhere
Cloud-based security is centralized and costs less
- No dedicated hardware, no data center to secure
- A 3rd party handles everything
On-prem puts the security burden on the client
- Incurs data center security and infrastructure costs
On-prem security
-
-
Full control when everything is in house
On-site IT team can manage security better
- A local team can ensure everything is secure but can also be expensive and
difficult to staff
Local team maintains uptime and availability
- System checks can occur at any time
However, security changes can take time
- New equipment, configurations, and additional costs
Cloud Security
-
-
-
Data is in a secure environment
- No physical access to the data center
- 3rd party may have access to the data
Cloud providers are managing large-scale security
- Automated signature and security updates
- Users must follow security best-practices
Can maintain higher uptime more easily
- Extensive fault tolerance and 24/7/365 monitoring
Scalable security options
- One click away from security deployments
- May not be as customizable as necessary
1.2 Cryptographic Attacks
-
Since attackers don’t have the keys, so they try to break the cryptography
- Oftentimes, this is done during the implementation of the cryptography that
allows the attackers to gain access to the data
Birthday attack
-
A birthday attack can take place when there is a hash collision
A hash collision is the same hash value for two different plaintexts
A collision may be found through brute force attacks
The attacker will generate multiple versions of plaintexts to match the hashes
- You can protect yourself with a larger hash output size (Decreases the chance of
having a collision)
Collisions
-
Hash digests are supposed to be unique
- Different input data should never create the same hash
MD5 hash
- Message digest algorithm version 5 that was originally published in 1992
- Collision identified in 1996
Downgrade attack
-
Instead of using perfectly good encryption, use something that is not so great
- Force the systems to downgrade their security
An example took place in 2014 called TLS vulnerability POODLE
- This attack was able to sit between the conversations (AKA on-path attack)
- Forces clients to fallback to SSL 3.0, which has significant crypto vulnerabilities
- Since then, modern browsers won’t fallback to SSL 3.0 anymore
1.3 Privilege Escalation
-
-
Gain higher-level access to a system
- Exploit a vulnerability
- Might be a bug or design flaw
Higher level access means more capabilities
- This is commonly the highest level access
There are high priority vulnerability patches
There is also the horizontal privilege escalation
- User A can access user B resources
Mitigating privilege escalation
-
Patch vulnerability quickly
Update antivirus/malware software to block know vulnerabilities
Data execution prevention
- Only data in executable areas can run (Such as certain areas of memory)
Address space layout randomization
- OS can randomize where information is stored in memory
- Prevent a buffer overrun at a known memory address
- Which means if an attacker finds the memory address on one system,
they won’t be able to duplicate that on another system
Example
1.3 Cross-site Scripting
-
-
AKA XSS
- Not to be confused with Cascading style sheets (CSS)
Originally called XSS because of browser security flaws
- Allows information from one site to be shared with another
One of the most common web application development errors
- Takes advantage of the trust a user has for a site
- Complex and varied
We use javascript to automate and add functionalities but so do attackers too
- Attackers can use vulnerabilities and javascript to gather information
Non-persistent (reflected) XSS attack
-
-
-
Found on website allows script to run in user input
- Search box is a common source of the vulnerability
Attacker emails a limit that takes advantage of this vulnerability
- Runs a script that sends the victim’s credentials, session IDs, cookies to the
attacker
Victim runs the script that is then embedded in the URL and executes in the victim’s
browser
- The result or payload gathered from the script is sent to the attacker
- This script
Attacker uses credentials, session IDs, cookies gathered to steal victim’s information
without their knowledge
- By authenticating to the website as if they were the victim
Example of non-persistent XSS attack
-
A script might be embedded in the credit card section which alerts the attacker on the
information that the script was acquiring.
Persistent (Stored) XSS Attack
-
Attacker posts a message to a social network
- This includes the malicious payload
It is now persistent as everyone who visits will get the payload
No specific target
- All viewers to the page
-
For social network, this can spread quickly
- Everyone who views the message can have it posted to their page
Example of persistent XSS attack
Mitigating against XSS attacks
-
-
-
Be careful when clicking untrusted links in messages and emails
- Should manually type in the website or bookmark a website and use that to login
to your account
Consider disabling javascript
- Or control with an extension
- This only offers limited protection
Keep your browser and application updated
Validate your input
- Don’t allow users to add their own scripts to an input field
1.3 Injection attacks
Code injection
-
Code injection attack by adding information into a data stream
Enabled because of bad programming
- The application should properly handle input and output
Many different data types
-
HTML, SQL, XML, LDAP, etc
SQL Injection
-
SQL injection modifies SQL requests
Always validate your queries to prevent this from happening
Example of SQL injection
-
If no validation is done, one can add in their own SQL queries such as OR ‘1’=’1’, which
means everything else that is true.
XML and LDAP injection
-
XML = Extensible Markup Language
- A set of rules for data transfer and storage
XML injection modifies XML requests
- Can prevent this by using validation
LDAP = Lightweight directory access protocol
- Used for authentication of users
LDAP injection modifies LDAP requests to manipulate application results
DLL injection
-
DLL = Dynamic Link Library
- It is a windows library containing code and data
-
- Many applications can use this library
Inject a DLL and have an application run a program
- The program runs as part of the target process
Example of DLL injection
-
Process B is the attacker, process A is the victim
1.3 Buffer overflows
-
-
A buffer overflow attack overwrites a buffer (Another section) of memory
- Spills over into other memory areas
If the attack is successful, then the attacker will be able to gain access to the system or
make applications run in ways that the attacker would like
Developers need to perform bounds checking, which is to make sure that no one is able
to overwrite different sections of the memory
Not a simple exploit
- Takes time to avoid crashing things
- Takes time to make it do what you want
A really useful buffer overflow is repeatable and controllable
Example of buffer overflow
-
With variable A empty and if there is a vulnerability, one can use buffer overflow attack
by injecting variable A with the word excessiv but spill the last e over to B to change the
value of B
- This might allow the attacker to get elevated rights or sections of OS that were
not accessible
1.3 Replay Attacks
-
-
Useful information is transmitted over the network
- Session ID
- Login credentials
Attackers need access to the raw network data by performing:
- Network tap, ARP poisoning, malware on the victim’s machine
The data captured or gathered can then be replayed
Although the initial stage might require the attacker to be on-path between two devices,
the actually replay attack doesn’t require the original workstation
Pass the hash
Mitigating pass the hash
-
Can be avoided with a encryption (SSL or TLS) when authenticating
-
Use a salt or a session ID with the password has to create a unique authentication hash
each time
Browser cookies and session IDs
-
Cookies might contain info that can be used for replay attacks
- Used for tracking, personalization, session management
Could be considered be a privacy risk
- Lots of personal data in there
Session IDs are often stored in the cookie as well
- When a session is controlled by the attacker, they can pose as you when
communicating
Session Hijacking (Sidejacking)
-
Occurs when the attacker acquires the session ID
-
Can prevent session hijacking by using SSL or TLS when communicating so the attacker
won’t be able to obtain the session ID
Header Manipulation
-
-
For the session hijacking to work, information needs to be gathered first from the
network using
- Wireshark, Kismet
Exploits
- XSS in order to send session ID to the attacker
Modify headers
- Once the attacker has the session ID, they will need to modify the headers that
are sent to the server
- Tamper, Firesheep, Scapy
-
An attacker can also modify cookies so they appear to have come from the original
sender by using:
- Cookies Manager+ (A Firefox add-on)
Mitigating session hijacking
-
-
Encrypt your end to end communication
- They can’t capture your session ID if they can’t see it
- Additional load on the web server (HTTPS)
- There are extensions that will force you to use HTTPS (Force-TLS, HTTPS
Everywhere)
- Many sites are now HTTPS-only
Encrypt end to somewhere
- Use an encrypted tunnel to at least avoid capture over a local wireless network
- Use personal VPN (OpenVPN, VyprVPN, etc)
1.3 Request Forgeries
Cross-site requests
Download
Study collections