SystemsSec 2016W Lecture 9

From Soma-notes

Topics

Many security solutions are unusable because they are too complicated. Focusing on a good threat model is important. There is a trade-off between good security and cost: better security means more restrictions and lower usability. The people who use security software often don't understand the types of threats they are defending against. Email is a large security hole, as it is the "key" to many different accounts belonging to that person (password resets, account recovery).

Defensive Security Technologies

  • OpenSSL
  • Anti-virus (commercial) + suites (can you set off/engage your AV? - potentially dangerous)
  • Password managers (key chains)
  • Web validation libraries
  • Whole disk encryption (basic usage, recovery, forensics/security analysis - is it actually encrypting your drive, what key is it using?)
  • Host firewall
  • Network firewall
  • Application firewall (web proxy, maybe get Tor running as a client/node)
  • 2-factor authentication
  • Captcha
  • SSO, kerberos, OpenID, OAuth
  • Network file systems
  • Biometrics
  • Intrusion detection systems - snort, log analysis

Notes

  • People build a threat model and security mechanisms and provide those mechanisms to others, but the people who use them don't understand the attacks/defenses, as they are not security experts, and so they undermine the security technology for ease of use.
  • Not enough defensive technologies are being applied in hacking journals.
  • Phones have 2 OSs: one is the one you interact with, the other is the phone's baseband processor OS, created by the telecom companies, which has legacy code and is hard to change or to run a security audit on.
  • Facebook/Google don't just provide SSO to be nice; they track where you sign on.
  • Facebook creates a shadow profile of you even if you are not on Facebook, as long as others refer to you.
  • System security is about the mindset.
  • People who are good at breaking into systems are not necessarily good at securing systems.


Hacking Opportunities

  • Can you engage/set off your anti-virus?
  • Try using whole disk encryption, recovering from forgetting your password, forensics/security analysis - is it actually encrypting your drive, what key is it using?
  • Use Tor as a client or node - although don't use Tor with a regular web browser, as the web browser will track you.
  • Play with 2-factor auth on Gmail: text authentication, app authenticator, recovering from your cellphone being lost, where are the recovery passwords stored? If you don't like it, how would you protect against what it's trying to protect against?
  • Captcha - set up and use one, crack a captcha.
  • Set up an SSO system on some VMs.
  • Set up a network file system with authentication, e.g. SMB/CIFS.
  • Biometrics - use the fingerprint scanner on a phone, break it.
  • Perform log analysis of system logs/application logs (e.g. snort logs), set up tools to filter and monitor logs.
  • PGP/GPG - sign + encrypt documents, verify software.
  • S/MIME - use it in an email service for encrypting email; you need to get an email certificate - how do you get one and install it in your email application?
  • SSL/TLS certs - Let's Encrypt is a new service for getting well-supported SSL certs for everyone (valid for only 30 days but can be auto-renewed); also use a self-signed cert - how does it work/how is it different?
  • Just setting up defensive security technologies can take a few weeks of your hacking journal.
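As an added example (not from the lecture) for the log analysis item above: a small Python parser for Snort's "alert_fast" line format that counts alerts by signature and lists source addresses that triggered high-priority alerts. The line format is assumed from Snort's fast-alert output, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Snort "alert_fast" line layout (assumed):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = "\n".join([
    "01/10-12:34:56.789012  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.5:80 -> 10.0.0.2:51234",
    "01/10-12:35:01.000001  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:41000 -> 10.0.0.2:22",
    "01/10-12:35:02.000002  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:41001 -> 10.0.0.2:22",
    "01/10-12:36:10.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.2",
    "this line is not an alert and should be reported as unparsed",
])

def parse_alerts(text):
    """Return (alerts, unparsed): parsed alert dicts and lines that did not match."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_ALERT.match(line)
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])  # Snort: 1 is the highest priority
            alerts.append(rec)
        else:
            unparsed.append(line)  # surface parser gaps instead of silently dropping lines
    return alerts, unparsed

def summarize(alerts, max_priority=2):
    """Count alerts per signature, and per source address for alerts at or above max_priority."""
    by_sig = Counter(a["msg"] for a in alerts)
    by_src = Counter(a["src"] for a in alerts if a["prio"] <= max_priority)
    return by_sig, by_src

if __name__ == "__main__":
    alerts, unparsed = parse_alerts(SAMPLE_LOG)
    by_sig, by_src = summarize(alerts)
    print("signatures:", dict(by_sig))
    print("high-priority sources:", dict(by_src))
    print("unparsed lines:", len(unparsed))
```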