1.1 Phishing - - - Spoofing is a malicious practice in which someone imitates information in order to deceive or gain unauthorized access. - IP spoofing: Attacker disguises their true IP address - Email spoofing: The creation of email messages with a fake sender address to deceive the recipient - Called ID spoofing: A practice in which the caller ID information displayed on the recipient’s phone is altered to hide the true identity of the caller Phishing is social engineering with a touch of spoofing - This is often delivered by email, text, etc - They sometimes make the website look as close to the original as possible and will almost always ask you to enter your email address and password. You can mitigate this by always checking the url and make sure you are on the right url You can also mitigate this by checking spelling, fonts, and graphics of the screen being presented Tricks and misdirections - - Typosquatting - A practice of registering misspelled domain names closely resembling other well established and popular domain names in hopes of getting Internet traffic from users who would make errors while typing in the URL in their web browsers. - A type of URL hijacking: https://professormessor.com - Prepending is used in URL phishing: https://pprofessormesser.com Pretexting - Lie in order to get information - Attacker is a character in a situation they create - For example, “Hi, we are calling from Visa regarding an automated payment to your utility service…” Pharming - - - Attackers may use pharming to attack a group of people This can be done by redirecting a legit website to a bogus website - This redirection can be done by poisoning DNS server or client vulnerabilities - Or when an attacker is able to take over the entire website Combination of pharming and phishing - Pharming: Harvests large groups of people - Phishing: Collect access credentials Pharming is more difficult for anti-malware and anti-virus software to stop - Because everything appears legitimate to the user - Characteristics of pharming include: - Traffic redirection - Fraudulent website - Credential harvesting Phishing with different bait - - - Vishing (Voice phishing) is done over the phone or voicemail - Caller ID spoofing is common - Fake security checks or bank updates Smishing (SMS phishing) is done by text message - Spoofing is a problem here as well - Messages usually contain links or asks for personal information Other variations - The fake check scam, phone verification code scam, Boss/CEO scam, advance-fee scam - You can find more information on https://reddit.com/r/Scams Finding the best spot to phish - - Reconnaissance - Gather information on the victim Background information - Lead generation sites - LinkedIn, Twitter, Facebook, Instagram - Corporate websites With those information, attackers can then build a believable pretext - Where you work - Where you bank - Where you shop - Recent financial transactions - Family and friends Spear Phishing - - Spear phishing is the type of phishing that is targeted for specific individual(s) with inside information Spear phishing the CEO is called “whaling” - Targeted phishing with the possibility of a large catch - The CFO is also commonly speared These C suites have access to corporate bank accounts that potentially hold a lot of money or sensitive information - And attackers would love to have those credentials 1.1 Impersonation Impersonation - - Impersonation is when attackers pretend to be someone they aren’t - Like Halloween for the fraudsters Attacker pick the person to impersonate based on the details they have got from recon Attack the victim as someone higher in rank - Office of the VP for Scamming, for example Throw tons of technical details around to try to confuse the victim - For example, catastrophic feedback due to the depolarization of the differential magnetometer Be a buddy and super friendly Eliciting information - Eliciting = Extract information from the victim Often seen with vishing - Easier to get this information over the phone They usually employ psychological techniques to make you feel comfortable or at ease so you are more likely to reveal sensitive information Identity Fraud - Your identity can be used by others Credit card fraud - - - Open an account in your name, or use your credit card information to make purchases Bank fraud - Attacker gains access to your account to transfer money out of your account - Attackers open a new account using your name Loan fraud - Attackers use your information to open a loan or lease using your name Government benefits fraud - Attacker obtain benefits on your behalf by changing the address Mitigation against impersonation - Never volunteer information Don’t disclose personal details Always verify before revealing info - Can ask to call back and verify through 3rd parties Verification should be encouraged, especially if your organization owns valuable information 1.1 Dumpster Diving - - Mobile garbage bin - United states brand name dumpster - Similar to a rubbish skip Important information thrown out with the trash Gather details that can be used for attacks - Impersonate names, use phone numbers Timing is important - Just after the end of month, end of quarter - Based on pick up schedule Is it legal to dive in a dumpster? - In the United States, it is legal in general - Unless there is a local restriction If it is in the trash and it’s in an open area, then nobody owns it Dumpster on private property or “No trespassing” sign may be restricted Protect your rubbish - Secure your garbage - Fence and a lock Shred your documents - - Governments burn the sensitive information Go look at your trash to ensure no personal information is in there 1.1. Shoulder Surfing - - People can obtain information that you are seeing - Curiosity, industrial espionage, competitive advantage This can be done easily - At an airport - On a flight - Hallway-facing monitors - Coffee shops Surf from afar - With binoculars or telescopes - Webcam monitoring Preventing shoulder surfing - Control your input - Be aware of your surroundings Use privacy filters - Blacks the screen unless you are right in front of the computer Keep your monitor out of sight - Away from windows and hallways Don’t sit in front of someone on your flight 1.1 Hoaxes - - A threat that doesn’t actually exist - But they seem like they could be real - From email, message, voice mails, etc Still often consume lots of resources - Forwarded email messages, printed memorandums, wasted time Often an email, facebook post, a tweet, etc Some hoaxes will take your money - For example, having the victim purchase a gift card for the attacker A hoax about a virus can waste as much time as a regular virus Mitigating hoax - - Believe no one, it is the internet - By considering the source Cross reference - http://www.hoax-slayer.net - http://www.snopes.com Spam filters can help - - Email filters If it is sounds too good to be true - Then it probably is too good to be true 1.1 Watering Hole Attacks - - If you network is really secure, like - Employees don’t even plugin USB - Not responding to phishing emails - Not opening any email attachments Then, attackers might look for vulnerabilities in your 3rd party vendors, this is called the watering hole attack - Hope you will get infected through your trusted 3rd party vendors Executing the watering hole attack - - - Determine which website victim group uses or where they go - They might infect a local coffee or sandwich shop - They might infect sites that your organization visits a lot Infect one of these 3rd party sites through: - Site vulnerabilities - Email attachments Infect all visitors - It will infect all visitors and attackers hope you or your group will be part of the visitors Case studies - In Jan 2017, Polish financial supervision authority, national banking and stock commission of mexico, state-owned bank in Uruguay discovered a watering hole attack Attack was done when IP addresses from these organizations visit a certain site that would download malicious JavaScript files Watching the watering hole - Defense in depth (Layered defense) - Firewalls and IPS (Network security) - Stop network traffic before things get bad - Anti-virus and anti-malware signature updates (Endpoint security) - The Polish Supervision Authority discovered and stopped this attack because the signatures appeared in Symantec’s anti-virus software - User education - Web security through patching web servers and to use encryption 1.1 Spam - - - Unsolicited messages - Email, forums, etc - Spam over Instant Messaging from SMS, WeChat, WhatsApp (SPIM) Various content from these spam - Commercial advertising - Non-commercial proselytizing (Worldview, political standpoint, etc) - Phishing attempts Spam has significant technology issue - Security concerns, resource utilization (Network I/O to receive these spam), storage costs, managing the spam Mitigating spam - Use mail gateways - Stop it at the gateway - Could be either physical or cloud-based - Email filters or mail gateways identify spam by a couple characteristics: - Allowed list - Only receive email from trusted senders (Must be updated constantly) - - - SMTP standards checking - Block anything that doesn’t follow RFC standards rDNS (Reverse DNS) - Block email where the sender’s domain doesn’t match the known IP address. Tarpitting - Intentionally slow down the mail server conversation (Makes sending and receiving actions take excessive amount of time) Recipient filtering - Block all email not addressed to a valid recipient email address - Downside: requires constant update of valid recipient email address 1.1 Influence Campaigns - - Influence campaigns - Sway public opinion on political and social issues Nation-state actors - Divide, distract, and persuade in order change the way how people think, vote, make a decision Advertising is an option - Buy a voice for your opinion Enabled through social media - Creating, sharing, and liking on social media - Amplification through the social media The influencing process Hybrid warfare - Sometimes, it could be used for military purposes - Wage war non-traditionally AKA cyberwarfare - Attack an entity with technology Influence foreign elections - Use fake news 1.1 Other social engineering attacks Tailgating - Use an authorized person to gain unauthorized access to a building Use methods such as: - Blend in with clothing - 3rd party with a legitimate reason (Cleaning, maintenance, etc) - Temporarily take up smoking and follow an authorized person - By keeping their hands full with food or drinks so someone will keep the door open for the attackers Watching for tailgating - Policy for visitors - Should be able to identify anyone One scan, one person - Through company policy or mechanically required to do only one scan at a time Access control vestibule/airlock - Only allows one person at a time Don’t be afraid to ask if someone seems suspicious - Who and why? Invoice scams - Starts with a bit of spear phishing - Attacker knows who pays the bills (Financial department) Attacker sends a fake invoice - From address that is a spoofed version of the CEO Accounting pays the invoice because it was from the CEO Might also include a fake link to pay - Attackers not only get the payment but also your payment method Credential Harvesting - - Attackers collect login credentials that are stored on your computer - Chrome, firefox, outlook, Windows credential manager, etc What could happen is, user receives an email with a malicious MS Word doc - Opening the document will run a macro - The macro downloads credential harvesting malware Everything could be happening in the background so users might not even realize that their credentials are harvested Bracketing - Provides a high and low estimate in order to entice a more specific number Confidential Bait - Pretending to divulge confidential information in hopes of receiving confidential information in return Deliberate False statements - Saying something wrong in the hopes that the person will correct the statement with true information Feigned ignorance - Pretending to be ignorant of a topic in order to exploit the person’s tendency to educate Denial of the obvious - Saying something wrong in the hopes that the person will correct the statement with true information Flattery - Using praise to coax a person into providing information 1.1 Principles of Social Engineering - Social engineering is constantly changing This attack may involve multiple people and multiple organizations - There are ties connecting many organizations May be in person or electronic - For example, phone calls from aggressive customers For example, funeral notifications emails of a friend or associate Social Engineering principles - - - - - Authority - Calling from the help desk or the CEO or the police Intimidation - Bad things happen if you don’t help - The payroll checks won’t be processed if you don’t help me Consensus or social proof - Convince based on what is normally expected - For example, your co-worker Jill did this for me last week, so why can’t you? Scarcity - The situation will not be this way for long - Must make the change before time expires Urgency - Works alongside scarcity - Doesn’t allow victim time to think Familiarity or liking - Someone you know, we have common friends Trust - Someone who is safe - I am from the IT department - Police 1.2 An overview of Malware - - Malware = Malicious software Malware gather information - Keystrokes Malware causes your machine to be controlled over the internet and participate in a group - Turns your machine into a bot and join a group called botnet - This botnet can be controlled to do a DDoS, mining, etc Malware that shows you advertising Malware that are viruses and worms - Encrypt all of your data and won’t be decrypted until you pay Malware types and methods - Viruses Crypto-malware Ransomware Worms Trojan Horse Rootkit Keylogger Adware/Spyware Botnet How you get malware - - A worm takes advantage of a vulnerability and installs a malware That installed malware might include a remote access backdoor This backdoor can then download other software that might install additional malware A bot may be installed later Your computer must run a program so attackers might: - Send email links - Web page pop-up that contains links - Web pages that automatically download software and then encourages you to run that software, this is called drive-by download - Worm that attacks a vulnerability Assume your machine is vulnerable - OS: Keep your OS updated - Applications: Check with the publisher - Email: Don’t click on links 1.2 Viruses and Worms Virus - - A virus is a malware that can reproduce itself - It needs you to execute a program ← What differentiates a virus and a worm Reproduce through file systems or the network May or may not cause problems - Some viruses can delete files or encrypt files - Some are benign, only shows advertisements - Some collect information Anit-virus is used against viruses - Keep your signatures updated There are different virus types - Program viruses - Needs to be executed by you - Boot sector viruses - Exists inside the boot sector of your storage device - Virus launches when you start the computer - Script viruses - Script in OS or browser-based - Macro viruses - Running inside of an application such as MS office apps Fileless virus - A virus that never saves itself or installs itself on to a system It avoids detection of anti-virus program It operates in memory (RAM) Common way for a fileless virus to infect is through a link on a website or a link from an email - After clicking the link, it will download a flash or java file or it takes advantage of a windows vulnerability - Once downloaded or exploited, there might be scripts that will run Powershell and downloads payload to RAM - Once the script is run and executes in memory, it can exfiltrate data, encrypt your data, or damage your data - Since the attacker might want to run this again, they might add an auto-start to registry Worms - - A worm is a malware that takes advantage of a vulnerability and can self-replicate - Doesn’t need you to do anything unlike a virus - Uses the network as a transmission medium - Self-propagates and spreads quickly Worms can take over many systems quickly because it uses network to travel Mitigating Worms - - Firewalls and IDS/IPS can mitigate many worm infestations - Creates signatures for the worm - Also important to put firewalls and IDS/IPS between systems to prevent spreading However, they won’t help if worms are already inside Wannacry Worm - Took place back in 2017 1.2 Ransomware and Crypto-malware - - - Data is valuable Personal data - Family pictures and videos - Important documents Organization data - Planning documents - Employee PII - Financial information - Company private data Data can be taken away or encrypted by ransomware Ransomware - Malicious actors want your money and they do so by using ransomware However, there may be fake ransom - Computer locked by the “police” The ransom might be avoided as a security professional may be able to remove these kinds of malware Crypto-malware - - - A newer generation of ransomware - Uses public-key cryptography to encrypt all of your information - Your data is unavailable until you provide cash Malware encrypts your data files - Pictures documents, music, movies, etc - Your OS remain available You must pay the bad guys to obtain the decryption key - Untraceable payment system like bitcoin Mitigating ransomware - Always have a backup - An offline backup ideally Keep your OS up to date to patch known vulnerabilities Keep your applications up to date Keep your anti-virus and anti-malware signatures up to date Keep everything up to date 1.2 Trojans and RATs Trojan horse - - - A software that pretends to be something else so it can gain access to your computer A type of software that performs unwanted and harmful actions in disguise of a legitimate and useful program is known as a Trojan horse. This type of malware may act like a legitimate program and have all the expected functionalities, but apart from that it will also contain a portion of malicious code that the user is unaware of A trojan horse circumvents your existing security - An anti-virus might catch it when it runs but some trojan horses are known to disable your security measures Once inside, it has free reign - May open backdoors for other programs Potentially Unwanted Program (PUP) - What is a PUP? - A type of computer program not explicitly classified as malware by antivirus/malware - A type of software that may have adversely affect the computer’s security and performance, compromise user’s privacy, or display unsolicited ads - An application downloaded and installed with the user’s consent (Legal app) - - These are identified by anti-virus and anti-malware as: - Potentially undesirable software - Often installed along with other software when you install them These software can include: - Overly aggressive browser toolbar - A backup utility that displays ads - Browser search engine hijacker that redirects you to other websites whenever you perform a search Backdoors - Backdoors create new way to enter your system Backdoors circumvents normal authentication methods Often placed on your computer through malware Some software includes a backdoor - Old Linux kernel included a backdoor - Bad software can have a backdoor as part of the app Remote Access Trojans (RATs) - - AKA remote administration tool - Gives 3rd party access to your system - Has administrative control of a device (Anything can be done) Malware installs the server/service/host - Attacker connects with the client software - RATs can take control of a device and do the following - Key logging - Screen recording/screenshots - Copy files from your system to another system or the other way around - Embed even more malware Mitigating trojans and RATs - Don’t run unknown software, links in emails or websites Keep antivirus and antimalware signatures updated Always have a backup 1.2 Rootkits - Originally a Linux/Unix technique - The root user Modifies core system files - Part of the kernel Can be invisible to the OS because it is part of the OS - Won’t see it in Task manager Also invisible to traditional anti-virus utilities - Can’t stop it if you can’t see it Kernel drivers - Zeus/Zbot malware - Famous for cleaning out bank accounts Now combined with Necurs rootkit - Necurs is a kernel-level driver Necurs makes sure you can’t delete Zbot as you won’t have access to it Necurs also prevents you from stopping the Windows processes associated with the malware because you have no access Finding and removing rootkits - Look for the unusual - Anti-malware scans Use a remover specific to the rootkit - But is only built after the rootkit is discovered Secure boot with UEFI - Prevents booting of the OS if anything has been changed in the kernel. Therefore, preventing the rootkit to be installed 1.2 Spyware Adware - If your machine is infected with adware, you will start to see pop-ups May cause performance issues, especially over the network May be installed accidentally - May be included with other software Be careful of software that claims to remove adware - Especially if you learned about it from a pop-up Spyware - - Spyware spies on you - Identifies and gathers your information - Where you visit - Personal information used to ID theft Spyware can be installed in a number of ways - Trojan horse like a fake security software Spyware can examine the type of web pages that you visit Spyware can also capture keystroke when you type in your password Why is there so much adware and spyware? - Your information is valuable Your computer time and bandwidth is valuable Your bank account information is valuable Mitigating adware and spyware - Maintain your antivirus and antimalware to latest signatures Always know what you are installing Make a backup that is offline Run some scans with antimalware software 1.2 Bots and Botnets - - Once your machine is infected, it becomes a bot How does a bot get on your computer? - Trojan horse - You run a program that seems to be legit - OS or application vulnerabilities A bot usually sits around until it receives instructions from the command and control server (C&C) Botnets - A group of bots working together A botnet can perform DDoS attack A botnet can also relay spam, proxy network traffic, distributed computing tasks Mitigating bot and botnets - - - Prevent the initial infection - OS and application patches - Antivirus and antimalware has updated signatures Identify an existing infection - On-demand scans from antivirus and antimalware - Network monitoring for unusual traffic pattern Prevent C&C - Block at firewall if you know the type of network flows - Identify at the workstation with a host based firewall or host-based IPS 1.2 Logic bombs - - A logic bombs is a type of attack that is triggered by a predefined event - Often left by someone with grudge or disgruntled employee Types of logic bomb - Time bomb - Occurs when a time or date is reached - User event - For example, someone turns on or off a machine Difficult to identify Also difficult to recover the bomb if it goes off because it removes itself after Mitigating a logic bomb - - - Difficult to recognize - Each is unique - No pre-defined signatures Can use process and procedures - Formal change control Electronic monitoring - Alert on changes - Use host-based intrusion detection, tripwire app, etc Constant auditing - An admin can circumvent existing systems so always audit someone who administrative accesses 1.2 Password Attack Plaintext/Unencrypted passwords - Some applications store passwords in plaintext - No encryption Do not store passwords as plaintext - Anyone with access to a password file or database has every credential Hashing a password - - Best way to store passwords is to use hashing Hashes represent data as a fixed-length string of text - A message digest or “fingerprint” Hashes won’t be duplicated as different inputs will not have the same hash - Specific to a password One-way trip - It is a cryptographic algorithm that cannot be reversed, which means that it is impossible to recover the original message from the digest - A common way to store passwords Hash examples - SHA-256 hash The password file - Different across OS and applications - /etc/passwd for Linux They also use different hash algorithms Spraying attack - Spraying attack tries all of the common passwords - For example, from the list of most common passwords on wiki Attack an account with the top 3 passwords - If they don’t work, move to the next account so there are no lockouts, no alarms, no alerts Brute Force - Try every possible password combination until the a hash is matched against the hash in the password file they have acquired A strong hashing algorithm slows things down Brute force attacks online is slow and most accounts will lockout after a number of failed attempts More often, a brute force attack is performed offline once they have downloaded the password file - Obtain the list of users and hashes - Calculate a password has, compare it to the stored hash - But it requires a large computational resource. Dictionary Attacks - Use a dictionary to find common words - - Passwords are created by humans Many common wordlists available on the internet The password crackers can substitute letters - p@ssw0rd However, dictionary attacks also take time. Attackers use these methods to speed up - Distributed cracking: Multiple systems are used - GPU cracking: Using GPU from graphics card since they are faster Rainbow tables - - An optimized pre-built set of hashes - Saves time and storage space - Doesn’t need to contain every hash - Contains pre-calculated hash chains Remarkable speed increase, especially with longer password lengths Downside is: - Need different tables for different hashing methods Best practices - Salt - Salt is random data added to a password when before it is hashed Every user gets their own random salt so the same password creates a different hash This protects against rainbow tables since a random value is added to the original password This also slows down a brute force attack Example 1.2 Physical Attacks Malicious USB cable - - - It looks like a normal USB cable - But in fact, it has additional electronics inside OS identifies it as a HID - A HID is a human interface device like a keyboard or a mouse - A keyboard or a mouse doesn’t need extra rights or permissions Once connected, the cable takes over - Downloads and installs malicious software by typing and executing commands on its own Don’t plug in any USB cable Malicious Flash drives - A malicious flash drive can contain malicious software when you plug it in Older OS would automatically run files - This has now been removed or disabled by default Could still act as a HID - Start a command prompt and type anything without your intervention Attackers can load malware in documents - - - PDFs, spreadsheets, etc Can be configured as a boot device - Infect the computer after a reboot if a user forgot to remove the USB from the machine Acts as an ethernet adapter - Redirects or modifies internet traffic requests - Acts as a wireless gateway for other devices Skimming - - Stealing credit card information during a normal transaction - Copy data from the magnetic stripe such as card number, expiration date, card holder’s name, etc ATM skimming - Includes a small camera to watch for your PIN Fraud can be performed after skimming Always check the card reader before using it to see if there is anything suspicious in place Card cloning - - Get card details from a skimmer Create a duplicate of a card - Looks and feels like the original card - Often includes the printed CVC Can only be used with magnetic stripe cards - The chip cannot be cloned Cloned gift cards are common as well because it uses a magnetic stripe technology 1.2 Adversarial AI Machine Learning - Machine learning allows our computers to become smarter - They identify patterns in data and improve their predictions This requires a lot of training data - For example, face recognition requires analyzing a lot of faces Many benefits from ML, we can use ML to: - Stop spam - Recommend products from an online retailer - Understand movie tastes - Prevent car accidents by training cars Poisoning the training data - Confuse the AI - Attackers send modified training data that causes the AI to behave incorrectly An example is a MS AI Evasion Attacks - The AI is only as good as the training - Attackers find the holes and limitations An AI that knows what spam looks like can be fooled by a different approach - By changing the number of good and bad words in the message An AI that uses real-world information can release confidential information - Trained with data that includes social security numbers - AI can be fooled into revealing those numbers How to secure the learning algorithms? - Check the training data Constantly retrain with new data Train the AI with possible poisoning - What would the attacker try to do? 1.2 Supply Chain attacks - - The supply chain contains many moving parts - Raw materials, suppliers, manufacturers, distributors, customers, consumers - They can all be attacked Attackers can infect any step along the way - Infect different parts of the chain without suspicion One exploit can infect the entire chain Supply chain security - Use a small supplier base - Tighter control of vendors Strict controls over policies and procedures - Ensure proper security is in place Security should be part of the overall design 1.2 Cloud-based vs. On-prem attacks - - Attacks can happen anywhere Cloud-based security is centralized and costs less - No dedicated hardware, no data center to secure - A 3rd party handles everything On-prem puts the security burden on the client - Incurs data center security and infrastructure costs On-prem security - - Full control when everything is in house On-site IT team can manage security better - A local team can ensure everything is secure but can also be expensive and difficult to staff Local team maintains uptime and availability - - System checks can occur at any time However, security changes can take time - New equipment, configurations, and additional costs Cloud Security - - - Data is in a secure environment - No physical access to the data center - 3rd party may have access to the data Cloud providers are managing large-scale security - Automated signature and security updates - Users must follow security best-practices Can maintain higher uptime more easily - Extensive fault tolerance and 24/7/365 monitoring Scalable security options - One click away from security deployments - May not be as customizable as necessary 1.2 Cryptographic Attacks - Since attackers don’t have the keys, so they try to break the cryptography - Oftentimes, this is done during the implementation of the cryptography that allows the attackers to gain access to the data Birthday attack - A birthday attack can take place when there is a hash collision A hash collision is the same hash value for two different plaintexts A collision may be found through brute force attacks The attacker will generate multiple versions of plaintexts to match the hashes - You can protect yourself with a larger hash output size (Decreases the chance of having a collision) Collisions - Hash digests are supposed to be unique - Different input data should never create the same hash MD5 hash - Message digest algorithm version 5 that was originally published in 1992 - Collision identified in 1996 Downgrade attack - Instead of using perfectly good encryption, use something that is not so great - Force the systems to downgrade their security An example took place in 2014 called TLS vulnerability POODLE - This attack was able to sit between the conversations (AKA on-path attack) - Forces clients to fallback to SSL 3.0, which has significant crypto vulnerabilities - Since then, modern browsers won’t fallback to SSL 3.0 anymore 1.3 Privilege Escalation - - Gain higher-level access to a system - Exploit a vulnerability - Might be a bug or design flaw Higher level access means more capabilities - This is commonly the highest level access There are high priority vulnerability patches There is also the horizontal privilege escalation - User A can access user B resources Mitigating privilege escalation - Patch vulnerability quickly Update antivirus/malware software to block know vulnerabilities Data execution prevention - Only data in executable areas can run (Such as certain areas of memory) Address space layout randomization - OS can randomize where information is stored in memory - Prevent a buffer overrun at a known memory address - Which means if an attacker finds the memory address on one system, they won’t be able to duplicate that on another system Example 1.3 Cross-site Scripting - - AKA XSS - Not to be confused with Cascading style sheets (CSS) Originally called XSS because of browser security flaws - Allows information from one site to be shared with another One of the most common web application development errors - Takes advantage of the trust a user has for a site - Complex and varied We use javascript to automate and add functionalities but so do attackers too - Attackers can use vulnerabilities and javascript to gather information Non-persistent (reflected) XSS attack - - Found on website allows script to run in user input - Search box is a common source of the vulnerability Attacker emails a limit that takes advantage of this vulnerability - Runs a script that sends the victim’s credentials, session IDs, cookies to the attacker Victim runs the script that is then embedded in the URL and executes in the victim’s browser - The result or payload gathered from the script is sent to the attacker - This script - Attacker uses credentials, session IDs, cookies gathered to steal victim’s information without their knowledge - By authenticating to the website as if they were the victim Example of non-persistent XSS attack - A script might be embedded in the credit card section which alerts the attacker on the information that the script was acquiring. Persistent (Stored) XSS Attack - Attacker posts a message to a social network - This includes the malicious payload It is now persistent as everyone who visits will get the payload No specific target - All viewers to the page For social network, this can spread quickly - Everyone who views the message can have it posted to their page Example of persistent XSS attack Mitigating against XSS attacks - - - Be careful when clicking untrusted links in messages and emails - Should manually type in the website or bookmark a website and use that to login to your account Consider disabling javascript - Or control with an extension - This only offers limited protection Keep your browser and application updated Validate your input - Don’t allow users to add their own scripts to an input field 1.3 Injection attacks Code injection - Code injection attack by adding information into a data stream Enabled because of bad programming - The application should properly handle input and output Many different data types - HTML, SQL, XML, LDAP, etc SQL Injection - SQL injection modifies SQL requests Always validate your queries to prevent this from happening Example of SQL injection - If no validation is done, one can add in their own SQL queries such as OR ‘1’=’1’, which means everything else that is true. XML and LDAP injection - XML = Extensible Markup Language - A set of rules for data transfer and storage XML injection modifies XML requests - Can prevent this by using validation LDAP = Lightweight directory access protocol - Used for authentication of users LDAP injection modifies LDAP requests to manipulate application results DLL injection - - DLL = Dynamic Link Library - It is a windows library containing code and data - Many applications can use this library Inject a DLL and have an application run a program - The program runs as part of the target process Example of DLL injection - Process B is the attacker, process A is the victim 1.3 Buffer overflows - - A buffer overflow attack overwrites a buffer (Another section) of memory - Spills over into other memory areas If the attack is successful, then the attacker will be able to gain access to the system or make applications run in ways that the attacker would like Developers need to perform bounds checking, which is to make sure that no one is able to overwrite different sections of the memory Not a simple exploit - Takes time to avoid crashing things - Takes time to make it do what you want A really useful buffer overflow is repeatable and controllable Example of buffer overflow - With variable A empty and if there is a vulnerability, one can use buffer overflow attack by injecting variable A with the word excessiv but spill the last e over to B to change the value of B - This might allow the attacker to get elevated rights or sections of OS that were not accessible 1.3 Replay Attacks - - Useful information is transmitted over the network - Session ID - Login credentials Attackers need access to the raw network data by performing: - Network tap, ARP poisoning, malware on the victim’s machine The data captured or gathered can then be replayed Although the initial stage might require the attacker to be on-path between two devices, the actually replay attack doesn’t require the original workstation Pass the hash Mitigating pass the hash - Can be avoided with a encryption (SSL or TLS) when authenticating - Use a salt or a session ID with the password has to create a unique authentication hash each time Browser cookies and session IDs - Cookies might contain info that can be used for replay attacks - Used for tracking, personalization, session management Could be considered be a privacy risk - Lots of personal data in there Session IDs are often stored in the cookie as well - When a session is controlled by the attacker, they can pose as you when communicating Session Hijacking (Sidejacking) - Occurs when the attacker acquires the session ID - Can prevent session hijacking by using SSL or TLS when communicating so the attacker won’t be able to obtain the session ID Header Manipulation - - For the session hijacking to work, information needs to be gathered first from the network using - Wireshark, Kismet Exploits - XSS in order to send session ID to the attacker Modify headers - Once the attacker has the session ID, they will need to modify the headers that are sent to the server - Tamper, Firesheep, Scapy - An attacker can also modify cookies so they appear to have come from the original sender by using: - Cookies Manager+ (A Firefox add-on) Mitigating session hijacking - - Encrypt your end to end communication - They can’t capture your session ID if they can’t see it - Additional load on the web server (HTTPS) - There are extensions that will force you to use HTTPS (Force-TLS, HTTPS Everywhere) - Many sites are now HTTPS-only Encrypt end to somewhere - Use an encrypted tunnel to at least avoid capture over a local wireless network - Use personal VPN (OpenVPN, VyprVPN, etc) 1.3 Request Forgeries Cross-site requests
