Soma-notes - User contributions [en]

SystemsSec 2016W Lecture 6

2016-02-04T13:42:06Z

Miranmirza:

'''Topics & Readings'''
*Ethical Hacking
*Security mechanisms in operating systems
*Danger of root

'''Ethical Hacking'''

''Red team'': when you hire a team to formally evaluate the security of a system (or company). For example, penetration testers.
''Blue team'': defence team.

The naming convention comes from US politics where the red team gets it's name from the 'evil' communists and blue represents the 'good' Americans.
Another form of ethical hacking is a person who finds code bounties (a person who actively goes off and finds exploits to make money for companies). They report on bounties to corporations so that they can close off the exploits and improve their systems.

A separate question:
How much does this actually improve security?
The three letter security people try to do attacks to figure out when physical attacks (such as terrorism) occur.
But do actual people doing ethical hacking on software actually improve software then?

'''Security mechanisms in operating systems'''

MULTICS has elaborate security mechanisms but they are largely unused. UNIX on the other hand has much simpler security measures but they end up being used. UNIX however has some downfalls against certain threat models including the rogue root threat models. Another attack model UNIX is vulnerable to is physical attacks.
The idea of a root account is too powerful, what we need in a secure operating systems is using separation of powers (where root is subdivided into various users that have different permissions)
Diagram detailing the separation of root into three roots.

[[File:DiagramOS.png]] 
''Diagram detailing the separation of root into three roots''

'''The Danger of Root'''

Why is root so powerful then? On a UNIX system, the root has the ability to modify files (permissions, metadata and contents, read/write/etc.), the root user can also perform user management, process management , file system management, network management, kernel module injection, boot manager, software management, hardware configuration.
We can subdivide root in terms of capabilities, which is the classic way we deal with the problem of a rogue root. From a practical point of view, this is important to prevent privilege escalation attacks. Modern Linux operating systems will not check for root privilege, rather they would check for specific privileges.

We need even finer grain control though, however most software developers don't want to deal with this which is why Linux has the LSM system (it has a mechanism for doing secure models to extend the operating system). There are hooks added throughout the Linux kernel that will override the default behaviour of the Linux kernel. However, we need to be mindful that any code injected into the kernel can be dangerous. The NSA developed a system called SELInux (Security Enhanced Linux). SELinux had finer grain security measures and they wanted mandatory access control (MAC for Linux). The reason why SELinux is so nasty to deal with is because it bypasses the Linux model of having files and replaces them with entities which allows for much finger grain control but no one seems to understand it.
To what extent do we need customisable security policies? Phones for example have very locked down security policies like iOS is mostly closed off. Android has more flexibility by installing programs. So do we need more customisable security policies?

'''Conclusions'''

Almost everyone gets security policies wrong, most people mess up the permissions, but really if you need that level of fine granularity then just mess with the code. We have security policy languages not because we don't know how to do it, but it's because we don't want to commit to the correct way of doing things which is why it's all ugly, it's like Xwindow which draws windows and elements but delegates the elements to the operating system.

File:DiagramOS.png

2016-02-04T13:41:05Z

Miranmirza:

SystemsSec 2016W Lecture 6

2016-02-04T13:40:50Z

Miranmirza:

'''Topics & Readings'''
*Ethical Hacking
*Security mechanisms in operating systems
*Danger of root

'''Ethical Hacking'''

''Red team'': when you hire a team to formally evaluate the security of a system (or company). For example, penetration testers.
''Blue team'': defence team.

The naming convention comes from US politics where the red team gets it's name from the 'evil' communists and blue represents the 'good' Americans.
Another form of ethical hacking is a person who finds code bounties (a person who actively goes off and finds exploits to make money for companies). They report on bounties to corporations so that they can close off the exploits and improve their systems.

A separate question:
How much does this actually improve security?
The three letter security people try to do attacks to figure out when physical attacks (such as terrorism) occur.
But do actual people doing ethical hacking on software actually improve software then?

'''Security mechanisms in operating systems'''

MULTICS has elaborate security mechanisms but they are largely unused. UNIX on the other hand has much simpler security measures but they end up being used. UNIX however has some downfalls against certain threat models including the rogue root threat models. Another attack model UNIX is vulnerable to is physical attacks.
The idea of a root account is too powerful, what we need in a secure operating systems is using separation of powers (where root is subdivided into various users that have different permissions)
Diagram detailing the separation of root into three roots.

[[File:DiagramOS.png]]

'''The Danger of Root'''

Why is root so powerful then? On a UNIX system, the root has the ability to modify files (permissions, metadata and contents, read/write/etc.), the root user can also perform user management, process management , file system management, network management, kernel module injection, boot manager, software management, hardware configuration.
We can subdivide root in terms of capabilities, which is the classic way we deal with the problem of a rogue root. From a practical point of view, this is important to prevent privilege escalation attacks. Modern Linux operating systems will not check for root privilege, rather they would check for specific privileges.

We need even finer grain control though, however most software developers don't want to deal with this which is why Linux has the LSM system (it has a mechanism for doing secure models to extend the operating system). There are hooks added throughout the Linux kernel that will override the default behaviour of the Linux kernel. However, we need to be mindful that any code injected into the kernel can be dangerous. The NSA developed a system called SELInux (Security Enhanced Linux). SELinux had finer grain security measures and they wanted mandatory access control (MAC for Linux). The reason why SELinux is so nasty to deal with is because it bypasses the Linux model of having files and replaces them with entities which allows for much finger grain control but no one seems to understand it.
To what extent do we need customisable security policies? Phones for example have very locked down security policies like iOS is mostly closed off. Android has more flexibility by installing programs. So do we need more customisable security policies?

'''Conclusions'''

Almost everyone gets security policies wrong, most people mess up the permissions, but really if you need that level of fine granularity then just mess with the code. We have security policy languages not because we don't know how to do it, but it's because we don't want to commit to the correct way of doing things which is why it's all ugly, it's like Xwindow which draws windows and elements but delegates the elements to the operating system.

SystemsSec 2016W Lecture 6

2016-02-04T13:40:19Z

Miranmirza:

'''Topics & Readings'''
*Ethical Hacking
*Security mechanisms in operating systems
*Danger of root

'''Ethical Hacking'''

''Red team'': when you hire a team to formally evaluate the security of a system (or company). For example, penetration testers.
''Blue team'': defence team.

The naming convention comes from US politics where the red team gets it's name from the 'evil' communists and blue represents the 'good' Americans.
Another form of ethical hacking is a person who finds code bounties (a person who actively goes off and finds exploits to make money for companies). They report on bounties to corporations so that they can close off the exploits and improve their systems.

A separate question:
How much does this actually improve security?
The three letter security people try to do attacks to figure out when physical attacks (such as terrorism) occur.
But do actual people doing ethical hacking on software actually improve software then?

'''Security mechanisms in operating systems'''

MULTICS has elaborate security mechanisms but they are largely unused. UNIX on the other hand has much simpler security measures but they end up being used. UNIX however has some downfalls against certain threat models including the rogue root threat models. Another attack model UNIX is vulnerable to is physical attacks.
The idea of a root account is too powerful, what we need in a secure operating systems is using separation of powers (where root is subdivided into various users that have different permissions)
Diagram detailing the separation of root into three roots.

'''The Danger of Root'''

Why is root so powerful then? On a UNIX system, the root has the ability to modify files (permissions, metadata and contents, read/write/etc.), the root user can also perform user management, process management , file system management, network management, kernel module injection, boot manager, software management, hardware configuration.
We can subdivide root in terms of capabilities, which is the classic way we deal with the problem of a rogue root. From a practical point of view, this is important to prevent privilege escalation attacks. Modern Linux operating systems will not check for root privilege, rather they would check for specific privileges.

We need even finer grain control though, however most software developers don't want to deal with this which is why Linux has the LSM system (it has a mechanism for doing secure models to extend the operating system). There are hooks added throughout the Linux kernel that will override the default behaviour of the Linux kernel. However, we need to be mindful that any code injected into the kernel can be dangerous. The NSA developed a system called SELInux (Security Enhanced Linux). SELinux had finer grain security measures and they wanted mandatory access control (MAC for Linux). The reason why SELinux is so nasty to deal with is because it bypasses the Linux model of having files and replaces them with entities which allows for much finger grain control but no one seems to understand it.
To what extent do we need customisable security policies? Phones for example have very locked down security policies like iOS is mostly closed off. Android has more flexibility by installing programs. So do we need more customisable security policies?

'''Conclusions'''

Almost everyone gets security policies wrong, most people mess up the permissions, but really if you need that level of fine granularity then just mess with the code. We have security policy languages not because we don't know how to do it, but it's because we don't want to commit to the correct way of doing things which is why it's all ugly, it's like Xwindow which draws windows and elements but delegates the elements to the operating system.

SystemsSec 2016W Lecture 6

2016-02-04T04:23:48Z

Miranmirza:

'''Topics'''
*Ethical Hacking
*Security mechanisms in operating systems
*Danger of root

'''Ethical Hacking'''

''Red team'': when you hire a team to formally evaluate the security of a system (or company). For example, penetration testers.
''Blue team'': defence team.

The naming convention comes from US politics where the red team gets it's name from the 'evil' communists and blue represents the 'good' Americans.
Another form of ethical hacking is a person who finds code bounties (a person who actively goes off and finds exploits to make money for companies). They report on bounties to corporations so that they can close off the exploits and improve their systems.

A separate question:
How much does this actually improve security?
The three letter security people try to do attacks to figure out when physical attacks (such as terrorism) occur.
But do actual people doing ethical hacking on software actually improve software then?

'''Security mechanisms in operating systems'''

MULTICS has elaborate security mechanisms but they are largely unused. UNIX on the other hand has much simpler security measures but they end up being used. UNIX however has some downfalls against certain threat models including the rogue root threat models. Another attack model UNIX is vulnerable to is physical attacks.
The idea of a root account is too powerful, what we need in a secure operating systems is using separation of powers (where root is subdivided into various users that have different permissions)
Diagram detailing the separation of root into three roots.

'''The Danger of Root'''

Why is root so powerful then? On a UNIX system, the root has the ability to modify files (permissions, metadata and contents, read/write/etc.), the root user can also perform user management, process management , file system management, network management, kernel module injection, boot manager, software management, hardware configuration.
We can subdivide root in terms of capabilities, which is the classic way we deal with the problem of a rogue root. From a practical point of view, this is important to prevent privilege escalation attacks. Modern Linux operating systems will not check for root privilege, rather they would check for specific privileges.

We need even finer grain control though, however most software developers don't want to deal with this which is why Linux has the LSM system (it has a mechanism for doing secure models to extend the operating system). There are hooks added throughout the Linux kernel that will override the default behaviour of the Linux kernel. However, we need to be mindful that any code injected into the kernel can be dangerous. The NSA developed a system called SELInux (Security Enhanced Linux). SELinux had finer grain security measures and they wanted mandatory access control (MAC for Linux). The reason why SELinux is so nasty to deal with is because it bypasses the Linux model of having files and replaces them with entities which allows for much finger grain control but no one seems to understand it.
To what extent do we need customisable security policies? Phones for example have very locked down security policies like iOS is mostly closed off. Android has more flexibility by installing programs. So do we need more customisable security policies?

Conclusions: almost everyone gets security policies wrong, most people mess up the permissions, but really if you need that level of fine granularity then just mess with the code. We have security policy languages not because we don't know how to do it, but it's because we don't want to commit to the correct way of doing things which is why it's all ugly, it's like Xwindow which draws windows and elements but delegates the elements to the operating system.

SystemsSec 2016W Lecture 6

2016-02-04T04:05:23Z

Miranmirza: Blanked the page

SystemsSec 2016W Lecture 6

2016-02-04T04:05:04Z

Miranmirza: Created page with "'''Topics & Readings''' *Ethical Hacking *Security mechanisms in operating systems *Danger of root '''Ethical Hacking''' ''Red team'': when you hire a team to formally eval..."

'''Topics & Readings'''
*Ethical Hacking
*Security mechanisms in operating systems
*Danger of root

'''Ethical Hacking'''

''Red team'': when you hire a team to formally evaluate the security of a system (or company). For example, penetration testers.
''Blue team'': defence team.

The naming convention comes from US politics where the red team gets it's name from the 'evil' communists and blue represents the 'good' Americans.
Another form of ethical hacking is a person who finds code bounties (a person who actively goes off and finds exploits to make money for companies). They report on bounties to corporations so that they can close off the exploits and improve their systems.

A separate question:
How much does this actually improve security?
The three letter security people try to do attacks to figure out when physical attacks (such as terrorism) occur.
But do actual people doing ethical hacking on software actually improve software then?

'''Security mechanisms in operating systems'''

MULTICS has elaborate security mechanisms but they are largely unused. UNIX on the other hand has much simpler security measures but they end up being used. UNIX however has some downfalls against certain threat models including the rogue root threat models. Another attack model UNIX is vulnerable to is physical attacks.
The idea of a root account is too powerful, what we need in a secure operating systems is using separation of powers (where root is subdivided into various users that have different permissions)
Diagram detailing the separation of root into three roots.

'''The Danger of Root'''

Why is root so powerful then? On a UNIX system, the root has the ability to modify files (permissions, metadata and contents, read/write/etc.), the root user can also perform user management, process management , file system management, network management, kernel module injection, boot manager, software management, hardware configuration.
We can subdivide root in terms of capabilities, which is the classic way we deal with the problem of a rogue root. From a practical point of view, this is important to prevent privilege escalation attacks. Modern Linux operating systems will not check for root privilege, rather they would check for specific privileges.

We need even finer grain control though, however most software developers don't want to deal with this which is why Linux has the LSM system (it has a mechanism for doing secure models to extend the operating system). There are hooks added throughout the Linux kernel that will override the default behaviour of the Linux kernel. However, we need to be mindful that any code injected into the kernel can be dangerous. The NSA developed a system called SELInux (Security Enhanced Linux). SELinux had finer grain security measures and they wanted mandatory access control (MAC for Linux). The reason why SELinux is so nasty to deal with is because it bypasses the Linux model of having files and replaces them with entities which allows for much finger grain control but no one seems to understand it.
To what extent do we need customisable security policies? Phones for example have very locked down security policies like iOS is mostly closed off. Android has more flexibility by installing programs. So do we need more customisable security policies?

Conclusions: almost everyone gets security policies wrong, most people mess up the permissions, but really if you need that level of fine granularity then just mess with the code. We have security policy languages not because we don't know how to do it, but it's because we don't want to commit to the correct way of doing things which is why it's all ugly, it's like Xwindow which draws windows and elements but delegates the elements to the operating system.

SystemsSec 2016W Lecture 5

2016-01-22T03:32:32Z

Miranmirza: /* Physical attacker, unauthenticated */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==
* Abdul Bin Asif Niazi
* Dusan Rozman
* Sam Whiteley
* Jake Brown
* Nicholas Laws
* Miran Mirza

Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.

'''Attack strategies:'''
* Duplicated cards
* Card Readers
* RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems
* Radio-Frequency generator used to unlock different cards

'''Sort of attacks that can happen:'''
* Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline.
* Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges.
* Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data.
* For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable.
* Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.

'''Scenarios:'''
* A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack).
* An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change
* A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-22T03:30:42Z

Miranmirza: /* Physical attacker, unauthenticated */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==
Abdul Bin Asif Niazi 
Dusan Rozman 
Sam Whiteley 
Jake Brown 
Nicholas Laws 
Miran Mirza 

Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines. 

'''Attack strategies:''' 
• Duplicated cards 
• Card Readers 
• RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems 
• Radio-Frequency generator used to unlock different cards 

'''Sort of attacks that can happen:''' 
• Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline. 
• Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges. 
• Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data. 
• For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable. 
• Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data. 

'''Scenarios:''' 
• A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack). 
• An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change. 
• A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 5

2016-01-22T03:27:46Z

Miranmirza: /* Physical attacker, unauthenticated */

Class discussion: threat models and attacker goals

==Local attacker==

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==

==Physical attacker, unauthenticated==
Abdul Bin Asif Niazi
Dusan Rozman
Sam Whiteley
Jake Brown
Nicholas Laws
Miran Mirza

Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.

'''Attack strategies:'''
• Duplicated cards
• Card Readers
• RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems
• Radio-Frequency generator used to unlock different cards

'''Sort of attacks that can happen:'''
• Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline.
• Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges.
• Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data.
• For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable.
• Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.

'''Scenarios:'''
• A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack).
• An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change.
A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''