Soma-notes - User contributions [en]

SystemsSec 2016W Lecture 5

2016-04-17T01:29:35Z

Sultani: /* Physical attacker, authenticated */

Class discussion: threat models and attacker goals

==Local attacker==

=== Group 1 ===
==== Members ====
* Abdulrahman Mufti
* Josiah Konrad
* William forest
* Andrew Belu
* Agheil Fazeli
* Brandon Hurley

==== Scenarios ====

* '''Scenario #1:'''
** Targeted System:
*** home computer - parent computer
*** > Windows 7
** Attackers:
*** sibling
*** someone who lives in the house
** Goals:
*** the little brother wants to access big brother's account
*** to access programs that the little brother doesn't have
*** play games for a loner time
** Means:
*** watching them typing the password
*** using safe mode to change the parents' password
*** change clock (to be able to play for a longer time)
*** take down security through the registry

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==
Members:

- Matthew Preston
- Jon Simpson
- Allan Luke
- Chang Xu
- Nilofar Mansourzadeh
- Noor sabri
- Haamed Sultani

- Targeted system
- Place of work’s system
- server(remote/local)
- Attacker
- anyone who has the “attacker goals"
- employee
- pretend to be employee
- Goals
- remotely look at data
- deny access
- destroy data
- corrupt
- social engineering
- Means
- If data is on a server, attacker needs some level of access to the data (some way to connect to the data)
- Put a physical key logger
- physically freeze system
- could look over your shoulder
- pull the plug
- physically disable verification points
- slow down system
- get admin access
- steal employee's hardware
- can get data by looking at camera feed
- steal mobile phone

- Attack strategies
- could put a physical key logger
- could take out the RAM(live)
- infect hardware and reconnect it to the system
- sell the stolen hardware
- stolen employee’s computer has auto-login
- most hardware is portable now so it’s easier to steal
- disable cameras
- record their behaviours
- accessible weaknesses
- isolated computers
- points of least physical security
- on/off devices
- somewhat easier to attack powered-on devices

==Physical attacker, unauthenticated==
* Abdul Bin Asif Niazi
* Dusan Rozman
* Sam Whiteley
* Jake Brown
* Nicholas Laws
* Miran Mirza

Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.

'''Attack strategies:'''
* Duplicated cards
* Card Readers
* RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems
* Radio-Frequency generator used to unlock different cards

'''Sort of attacks that can happen:'''
* Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline.
* Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges.
* Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data.
* For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable.
* Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.

'''Scenarios:'''
* A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack).
* An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change
* A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.

==Remote attacker, unauthenticated==
=== Group 6 ===
==== Members ====
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou
* Abdulkadir Addulkadir

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''

SystemsSec 2016W Lecture 8

2016-02-05T00:48:16Z

Sultani: Created page with "- Designing and Coding Secure Systems by Kenneth Ingham & Anil Somayaji - Chapter 6: Cryptography Fundamentals - Classic Crypto - Enigma Cipher/Alan Tu..."

- Designing and Coding Secure Systems by Kenneth Ingham & Anil Somayaji
- Chapter 6: Cryptography Fundamentals
- Classic Crypto
- Enigma Cipher/Alan Turing/Purple
- Tried to break codes with very complex mechanisms with math. Therefore, computing was created to break codes
- Codes can be arbitrarily secure if the code book is good enough
- The “perfect” cipher
- One Time Pad
- length of the key = length of the message (also known as the plaintext)
- we do an exclusive-or between the key and the plaintext to get our ciphertext
- The assumption is that the attacker cannot predict the bits of the key. This can be done with randomization.
- The important thing here is that the key can only be used once, hence, “one-time” pad
- Randomness
- The requirements: looks statistically random & unpredictable
- pseudorandom number generators(PRNG)
- produces numbers that are statistically random
- Using a seed generates a stream of “random” numbers
- but if we know the seed, we can produce the same sequence of numbers
- we can also reverse engineer the stream of numbers to get the seed
- Cryptographically-secure PRNG (stream cipher)
- is a one-time pad using a seed generated by the PRNG
- Block Ciphers
- doing multiple runs of a cipher to encrypt
- block sizes varies depending on the block cipher used
- DES: 64 bit block size
- AES: 256 bit block size
- Electronic Code Book (ECB)
- uses the same key for each iteration of the encryption
- we can find 2 ciphertexts that are equal and find the key
- Cryptography alone does not guarantee that your data will not be modified/corrupted
- Checksums can detect if things have been corrupted but there are still ways the attacker can get around
- Secure Hash Functions
- turns data into random data
- hash functions can be very efficient but being more efficient makes it easier to break
- Hash Function
- takes any data and turns it into 256 bits
- Rules:
- pre-image resistance
- given a hash value h, it is hard to find any message m such that h = hash(k, m), where k is the hash key.
- collision resistance
- computationally infeasible to find two inputs that hash to the same output; that is, two inputs a and b such that H(a) = H(b), and a≠b
- one way to try to attack this type of security: birthday attack
- Message Authentication Code (MAC)
- is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed in transit (its integrity)

Note: We can check for integrity by comparing the hash of what you’re supposed to get with the hash that you got but this can be thwarted if the attacker controls the network

- Public Key Cryptography
- can be paired with crypto from above to fix many of the problems
- but has to be used with some type of crypto mentioned above
- 2 keys that form a matched pair
- one key inverts operations of the other
- encrypt with Key1(public) & decrypt with Key2(private)
- people encrypt messages with key1 and only you can decrypt with private key
- these keys are very very large
- Digital Signatures
- ensure who sent the data and that it’s integrity isn’t compromised
- Certificate Authority
- an entity that issues digital certificates

- GNU privacy guard
- only trusts your keys
- we can add other peoples’ keys and sign them
- creating a Web of Trust

SystemsSec 2016W Lecture 5

2016-01-26T15:16:05Z

Sultani: /* Physical attacker, authenticated */

Class discussion: threat models and attacker goals

==Local attacker==

=== Group 1 ===
==== Members ====
* Abdulrahman Mufti
* Josiah Konrad
* William forest
* Andrew Belu
* Agheil Fazeli
* Brandon Hurley

==== Scenarios ====

* '''Scenario #1:'''
** Targeted System:
*** home computer - parent computer
*** > Windows 7
** Attackers:
*** sibling
*** someone who lives in the house
** Goals:
*** the little brother wants to access big brother's account
*** to access programs that the little brother doesn't have
*** play games for a loner time
** Means:
*** watching them typing the password
*** using safe mode to change the parents' password
*** change clock (to be able to play for a longer time)
*** take down security through the registry

==Administrative attacker==

=== Group 2 ===
==== Members ====
* Kyle T.
* Tarek K.
* Jakub L.
* Stefan C.
* Matt G.
* Remi G.
* Ibrahim M.

==== Scenarios ====

* '''Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack'''
** Targeted System: Service & Database servers
** Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
** Goals:
*** Full client information specifically financial billing information.
*** Showcase that Sony does not take security seriously.
*** Denial of service for PSN users.
** Means: It is rumored that ex-employees with active logins managed to access the data.

* '''Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack'''
** Targeted System: Service & Database servers
** Attackers: Employees with active administrative access.
** Goals:
*** Force Ashley Madison to shut down.
*** Expose the true ratios of male/female user base and fake accounts.
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #3: Military and Government Secrets'''
** Targeted System: Service & Database servers
** Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
** Goals:
*** Publicize and expose questionable practices and information to the general public.
*** Sway public opinion
** Means: Ex-employees with full administrative access to databases.

* '''Scenario #4: This Wiki'''
** Targeted System: MediaWiki CMS
** Attackers: Students with editor privilege on the wiki.
** Goals:
*** Modify or delete other groups' entries.
** Means: Full access to edit the page using credentials given by the professor.

==== Attack Strategies ====

* '''Weaknesses'''
** Employee turnover
** Disgruntled current and ex-employees
** Economically vulnerable administrators (easy to bribe)
** Blackmail
** System Administrator neglect and/or incompetence

* '''How to Attack?'''
** Social Engineering
** If there are no safeguards in place, simply having admin access is enough to wreak havoc
** Installing backdoors to keep access to system
** Installing malicious updates and programs on users computers to siphon data and/or monitor.
** Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
** Denial of Access

==Remote attacker, authenticated==

=== Group 3 ===
====Members====
* Dania Ghazal
* Ankush Varshneya
* Olivier Hamel
* Michael Lutaaya
* Ryan Morfield
* Daniel Vanderveen
* Jess Johnson

====Example Scenario====
'''Targeted System'''
* CIA database - find out who killed Kennedy?
'''Attackers'''
* remote authenticators
* contractors (non CIA)
'''Goals'''
* “exfiltrating data”
* exfiltrate the CIA database to find out who killed Kennedy
'''Means'''
* someone at the CIA left a node.js server running in the background :)
* ssh credentials
* use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
* look around the system for more vulnerable/outdated services to exploit
* generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
* social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
====Attack Strategies====
'''Where are the Accessible Weaknesses?'''
* outdated services
* any service that lets attacker execute a task as another user
'''How Do You Attack Them?'''
* user privilege escalation
* abusing service vulnerabilities

==Physical attacker, authenticated==
Members:

- Matthew Preston
- Jon Simpson
- Allan Luke
- Chang Xu
- Nilofar Mansourzadeh
- Noor sabri

- Targeted system
- Place of work’s system
- server(remote/local)
- Attacker
- anyone who has the “attacker goals"
- employee
- pretend to be employee
- Goals
- remotely look at data
- deny access
- destroy data
- corrupt
- social engineering
- Means
- If data is on a server, attacker needs some level of access to the data (some way to connect to the data)
- Put a physical key logger
- physically freeze system
- could look over your shoulder
- pull the plug
- physically disable verification points
- slow down system
- get admin access
- steal employee's hardware
- can get data by looking at camera feed
- steal mobile phone

- Attack strategies
- could put a physical key logger
- could take out the RAM(live)
- infect hardware and reconnect it to the system
- sell the stolen hardware
- stolen employee’s computer has auto-login
- most hardware is portable now so it’s easier to steal
- disable cameras
- record their behaviours
- accessible weaknesses
- isolated computers
- points of least physical security
- on/off devices
- somewhat easier to attack powered-on devices

==Physical attacker, unauthenticated==
* Abdul Bin Asif Niazi
* Dusan Rozman
* Sam Whiteley
* Jake Brown
* Nicholas Laws
* Miran Mirza

Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.

'''Attack strategies:'''
* Duplicated cards
* Card Readers
* RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems
* Radio-Frequency generator used to unlock different cards

'''Sort of attacks that can happen:'''
* Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline.
* Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges.
* Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data.
* For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable.
* Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.

'''Scenarios:'''
* A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack).
* An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change
* A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.

==Remote attacker, unauthenticated==
* Samuel Prashker
* Daniel Lehman
* Roman Chametka
* Derek Aubin
* Gilbert Lavergne-Shank
* Xiusan Zhou
* Abdulkadir Addulkadir

'''Scenarios'''
* '''#1 - DDOS'''
** Scenario
*** Targeted System: Web servers, or any machine connected to a network
*** Attackers: Angry trolls, political warriors
*** Goals: Denials of service, anger your target, hurt their financials, prove a point
*** Means: LOIC, Chinese Botnet with Bitcoin
** Attack strategies
*** Accessible weaknesses
**** Exploitable communication paths (example: ping, login spam)
**** In the case of a router, overpowering a signal by replacing it with your own higher powered signal
*** How do you access them?
**** Over the network
**** Over the air (wireless signals)
* '''#2 - Packet Sniffing'''
** Scenario
*** Targeted System: Phones, servers, any networked device that can be sniffed
*** Attackers: Exfiltrators who want getting data, corrupting data
*** Goals: Exfiltration of data, snooping for data over the air
*** Means: Packet sniffing tools, Wireshark,
** Attack strategies
*** Accessible weaknesses
**** Wireless signals would be easy to monitor
**** Mission security (Msec)
*** How do you access them?
**** Wireless: Network cards, monitoring tools for over the air analysis
**** Wired: Anywhere along the line to be able to hook in a middleman
* '''#3 - Remote program already running on their service/server'''
** Scenario
*** Targeted System: People (social engineering), known exploits (0days)
*** Attackers: Blackhat hackers, whitehat hackers
*** Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
*** Means: Exploitable software, social engineering
** Attack strategies
*** Accessible weaknesses?
**** Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
*** How do you access them?
**** Social networks, email, phone calls, deployed payload
** '''Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system'''