Soma-notes - User contributions [en]

SystemsSec 2016W Lecture 5

2016-01-21T19:45:06Z

Ibrahim: /* Administrative attacker */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-21T19:41:23Z

Ibrahim: /* Administrative attacker */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries to make them look bad.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-21T19:41:11Z

Ibrahim: /* Administrative attacker */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries to make them look bad.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-21T19:32:43Z

Ibrahim: /* Administrative attacker */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistle blowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-21T16:39:45Z

Ibrahim: /* Group 2 */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Aaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-21T16:39:19Z

Ibrahim: /* Group 2 */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Aaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-21T16:38:20Z

Ibrahim: /* Administrative attacker */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
Kyle T.
Tarek K.
Jakub L.
Stefan C.
Matt G.
Remi G.
Ibrahim M.

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Aaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''