SystemsSec 2016W Lecture 5

From Soma-notes
Latest revision as of 01:29, 17 April 2016

Class discussion: threat models and attacker goals

Local attacker

Group 1

Members

  • Abdulrahman Mufti
  • Josiah Konrad
  • William forest
  • Andrew Belu
  • Agheil Fazeli
  • Brandon Hurley

Scenarios

  • Scenario #1:
    • Targeted System:
      • home computer (the parents' machine), running Windows 7
    • Attackers:
      • a sibling
      • anyone else who lives in the house
    • Goals:
      • the little brother wants to get into his big brother's account
      • to use programs the little brother is not allowed to have
      • to play games for a longer time
    • Means:
      • shoulder-surfing the password as it is typed
      • booting into Safe Mode to change the parents' password
      • changing the system clock (to defeat time limits and play longer)
      • disabling security settings through the registry

Administrative attacker

Group 2

Members

  • Kyle T.
  • Tarek K.
  • Jakub L.
  • Stefan C.
  • Matt G.
  • Remi G.
  • Ibrahim M.

Scenarios

  • Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack
    • Targeted System: Service and database servers
    • Attackers: Disgruntled ex-employees with still-active administrative access and knowledge of the internal system architecture.
    • Goals:
      • Full customer records, specifically financial and billing information.
      • Showcase that Sony does not take security seriously.
      • Denial of service for PSN users.
    • Means: It is rumored that ex-employees whose logins were never revoked used them to reach the data.
  • Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack
    • Targeted System: Service and database servers
    • Attackers: Current or former employees with administrative access.
    • Goals:
      • Force Ashley Madison to shut down.
      • Expose the true male/female ratio of the user base and the number of fake accounts.
    • Means: Full administrative access to the databases.
  • Scenario #3: Military and Government Secrets
    • Targeted System: Service and database servers
    • Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
    • Goals:
      • Publicize and expose questionable practices and information to the general public.
      • Sway public opinion
    • Means: Insiders (an intelligence analyst and a contractor system administrator) with broad authorized access to classified databases at the time of the leaks.
  • Scenario #4: This Wiki
    • Targeted System: MediaWiki CMS
    • Attackers: Students with editor privileges on the wiki.
    • Goals:
      • Modify or delete other groups' entries.
    • Means: Full edit access to the page using credentials given by the professor.

Attack Strategies

  • Weaknesses
    • Employee turnover
    • Disgruntled current and ex-employees
    • Economically vulnerable administrators (easy to bribe)
    • Blackmail
    • System administrator neglect and/or incompetence
  • How to Attack?
    • Social engineering
    • If there are no safeguards in place, simply having admin access is enough to wreak havoc
    • Installing backdoors to keep access to the system
    • Installing malicious updates and programs on users' computers to siphon data and/or monitor them
    • Remote monitoring of all users (including those with higher privilege), using all available peripherals (webcams, microphones, keyboards, etc.)
    • Denial of access
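The recurring weakness in all four scenarios is an administrative login that outlived its owner's employment. The following is an added example (not part of the class notes) of the offboarding check a practitioner would run: it cross-references a privileged-account inventory against an HR roster and an authentication log, and flags orphaned, shared and idle admin accounts. The roster, accounts and log lines are constructed sample data, and the field names (`owner`, `role`, `user=`, `src=`) are assumptions made for this example.

```python
"""Offboarding audit for privileged accounts (added example, constructed data)."""
from datetime import date, datetime, timedelta

# Constructed HR roster: employee id -> departure date (None = still employed)
HR_ROSTER = {
    "e100": None,
    "e101": date(2016, 4, 1),   # left on 1 April but keeps a DBA login below
    "e102": None,
    "e103": date(2016, 2, 15),
}

# Constructed privileged-account inventory pulled from the servers
ACCOUNTS = [
    {"user": "kyle",       "owner": "e100", "role": "dba",      "enabled": True},
    {"user": "tarek",      "owner": "e101", "role": "dba",      "enabled": True},
    {"user": "jakub",      "owner": "e102", "role": "sysadmin", "enabled": True},
    {"user": "stefan",     "owner": "e103", "role": "sysadmin", "enabled": False},
    {"user": "svc_backup", "owner": None,   "role": "dba",      "enabled": True},  # shared account
]

# Constructed authentication log in a syslog-like key=value form
AUTH_LOG = """\
2016-04-10T08:02:11 accepted user=kyle src=10.0.0.5
2016-04-12T23:41:09 accepted user=tarek src=198.51.100.7
2016-03-01T09:15:00 accepted user=jakub src=10.0.0.9
2016-04-13T02:00:00 accepted user=svc_backup src=10.0.0.20
2016-04-13T02:05:00 accepted user=svc_backup src=203.0.113.44
2016-04-13T02:06:00 failed user=svc_backup src=203.0.113.44
"""


def parse_auth_log(text):
    """Map user -> list of (timestamp, source ip) for accepted logins only."""
    logins = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "accepted":
            continue
        ts = datetime.fromisoformat(parts[0])
        kv = dict(p.split("=", 1) for p in parts[2:])
        logins.setdefault(kv["user"], []).append((ts, kv["src"]))
    return logins


def audit_privileged_accounts(roster, accounts, auth_log, now, idle_days=30):
    """Return {user: reason} for enabled privileged accounts that need action.

    orphaned - the owner has left; any login after the departure date is
               exactly the insider scenario described in this section
    shared   - no individual owner, so activity cannot be attributed
    idle     - owner is active but the account is unused: a standing
               privilege nobody would notice being misused
    """
    logins = parse_auth_log(auth_log)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # cannot log in; nothing to revoke
        user = acct["user"]
        history = logins.get(user, [])
        owner = acct["owner"]
        if owner is None:
            sources = {src for _, src in history}
            findings[user] = "shared account used from %d distinct sources" % len(sources)
            continue
        left = roster.get(owner, "unknown")
        if left == "unknown":
            findings[user] = "owner %s not in HR roster" % owner
        elif left is not None:
            after = [ts for ts, _ in history if ts.date() > left]
            findings[user] = "orphaned: owner %s left %s, %d login(s) after departure" % (
                owner, left, len(after))
        else:
            last = max((ts for ts, _ in history), default=None)
            if last is None or now - last > timedelta(days=idle_days):
                findings[user] = "idle: no login in the last %d days" % idle_days
    return findings


def default_audit():
    """Run the audit over the constructed data as of 15 April 2016."""
    return audit_privileged_accounts(HR_ROSTER, ACCOUNTS, AUTH_LOG, datetime(2016, 4, 15))


if __name__ == "__main__":
    for user, reason in default_audit().items():
        print("%-12s %s" % (user, reason))
```

The disabled account is skipped on purpose: the point of the audit is to find standing access that can still be used, which is why the orphaned account is reported together with the number of logins recorded after its owner's departure date.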

Remote attacker, authenticated

Group 3

Members

  • Dania Ghazal
  • Ankush Varshneya
  • Olivier Hamel
  • Michael Lutaaya
  • Ryan Morfield
  • Daniel Vanderveen
  • Jess Johnson

Example Scenario

Targeted System

  • CIA database - find out who killed Kennedy?

Attackers

  • remote users holding valid credentials
  • contractors (non-CIA staff with accounts)

Goals

  • “exfiltrating data”
  • exfiltrate the CIA database to find out who killed Kennedy

Means

  • someone at the CIA left a node.js server running in the background :)
  • ssh credentials
  • abuse an outdated Emacs installation whose setuid-root mail helper can write arbitrary files, and use it to inject an entry into /etc/passwd that escalates the attacker's privileges
  • look around the system for more vulnerable or outdated services to exploit
  • win a race condition: pre-create a file (or a symlink) at a predictable path that a root process is known to write, e.g. under /tmp, so that root writes its “sensitive data” into the attacker's file
  • social engineering - submit a help ticket to someone within the CIA asking for higher privileges for a seemingly innocent reason
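The race condition in the list above is worth seeing end to end. The following is an added example, not code from the class notes: an unprivileged "attacker" plants a symlink at the predictable path a root process is expected to write, a naive victim follows the link and leaks its data into the attacker's file, and a hardened victim that opens with `O_CREAT|O_EXCL|O_NOFOLLOW` refuses. File names are made up for the example, and everything runs inside a private temporary directory standing in for /tmp, so it is safe to execute on a Linux or macOS box.

```python
"""Predictable temp-file race: vulnerable vs hardened open (added example)."""
import os
import tempfile

SECRET = b"top secret report\n"   # constructed stand-in for root's sensitive data


def attacker_plants_symlink(shared_dir, predictable_name, attacker_file):
    """Unprivileged step: claim the victim's path first, as a symlink."""
    target = os.path.join(shared_dir, predictable_name)
    os.symlink(attacker_file, target)
    return target


def victim_write_naive(path, data):
    """Vulnerable: a truncating open follows whatever is already at `path`."""
    with open(path, "wb") as f:      # equivalent to O_WRONLY|O_CREAT|O_TRUNC
        f.write(data)


def victim_write_safe(path, data):
    """Hardened: create atomically, refuse existing paths, never follow links.

    O_EXCL closes the check-then-use window (creation fails with EEXIST if
    anything, including a symlink, is already there), O_NOFOLLOW rejects a
    symlink at the final component, and mode 0o600 keeps other users from
    reading the file even in a world-writable directory.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Run both victims against a planted symlink and report what happened."""
    with tempfile.TemporaryDirectory() as shared:   # plays the role of /tmp
        attacker_file = os.path.join(shared, "attacker_owned")
        open(attacker_file, "wb").close()

        # 1. Naive victim: its data ends up in the attacker's file.
        link = attacker_plants_symlink(shared, "report.txt", attacker_file)
        victim_write_naive(link, SECRET)
        with open(attacker_file, "rb") as f:
            leaked = f.read() == SECRET

        # 2. Hardened victim against a fresh planted link: open() refuses.
        link2 = attacker_plants_symlink(shared, "report2.txt", attacker_file)
        try:
            victim_write_safe(link2, SECRET)
            refused = False
        except OSError:                  # FileExistsError (EEXIST) on POSIX
            refused = True

        # 3. Hardened victim on an unclaimed path succeeds, owner-only mode.
        clean = os.path.join(shared, "report3.txt")
        victim_write_safe(clean, SECRET)
        mode = os.stat(clean).st_mode & 0o777

    return {"leaked": leaked, "refused": refused, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

In real code the hardened victim would normally not pick the name itself at all but call `tempfile.mkstemp()` (or `NamedTemporaryFile`), which uses the same `O_EXCL` creation with an unpredictable name; the explicit flags are shown here to make the fix visible.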

Attack Strategies

Where are the Accessible Weaknesses?

  • outdated services
  • any service that lets the attacker execute a task as another user (setuid programs, misconfigured sudo)

How Do You Attack Them?

  • user privilege escalation
  • abusing service vulnerabilities
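The /etc/passwd injection listed under "Means" leaves a recognisable trace: a second UID 0 account, usually with its password hash placed directly in passwd so that /etc/shadow is bypassed. The following added example (not from the class notes) is the integrity check a defender would run over the file: it parses passwd, flags extra UID 0 entries, inline hashes, empty passwords, duplicates and malformed lines, and compares the user list against a known baseline. The passwd text, the `backdoor` and `guest` lines and the hash string are constructed for the example.

```python
"""Audit /etc/passwd for injected or weakened entries (added example)."""

# Constructed passwd file: the "backdoor" and "guest" lines are the planted ones
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
analyst:x:1000:1000:Analyst:/home/analyst:/bin/bash
backdoor:$6$saltsalt$CONSTRUCTEDHASHVALUEnotARealDigest:0:0::/root:/bin/sh
guest::1002:1002::/tmp:/bin/sh
broken:x:abc:1003::/home/broken:/bin/sh
"""

# Constructed baseline of accounts expected on this host
BASELINE_USERS = {"root", "daemon", "sshd", "analyst"}


def parse_passwd(text):
    """Return (entries, malformed_line_numbers) for a passwd-format text."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        # passwd is exactly 7 fields; uid and gid must be numeric
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            malformed.append(lineno)
            continue
        entries.append({"line": lineno, "name": f[0], "pw": f[1],
                        "uid": int(f[2]), "gid": int(f[3]),
                        "home": f[5], "shell": f[6]})
    return entries, malformed


def audit_passwd(text, baseline=None):
    """Return {account or 'line N': [reasons]} for everything suspicious."""
    entries, malformed = parse_passwd(text)
    findings = {}

    def flag(key, reason):
        findings.setdefault(key, []).append(reason)

    for lineno in malformed:
        flag("line %d" % lineno, "malformed entry")

    seen = set()
    for e in entries:
        name = e["name"]
        if name in seen:
            flag(name, "duplicate user name")
        seen.add(name)
        if e["uid"] == 0 and name != "root":
            flag(name, "extra UID 0 account")
        if e["pw"] == "":
            flag(name, "empty password field")
        elif e["pw"] not in ("x", "*") and not e["pw"].startswith("!"):
            # 'x' defers to /etc/shadow; '*' and '!...' mean locked.
            # Anything else is a hash (or junk) readable by every local user.
            flag(name, "password hash stored in passwd, bypassing /etc/shadow")
        if baseline is not None and name not in baseline:
            flag(name, "not in baseline")
    return findings


if __name__ == "__main__":
    for key, reasons in audit_passwd(SAMPLE_PASSWD, BASELINE_USERS).items():
        print("%-10s %s" % (key, "; ".join(reasons)))
```

Run against the real file with `audit_passwd(open("/etc/passwd").read(), baseline)`; the baseline should come from a copy taken when the host was built, not from the file being checked.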

Physical attacker, authenticated

Members:

- Matthew Preston
- Jon Simpson
- Allan Luke
- Chang Xu
- Nilofar Mansourzadeh
- Noor sabri
- Haamed Sultani

- Targeted system

   - the place of work's systems
   - servers (remote or local)

- Attacker

   - anyone who shares the attacker goals below
       - an employee
       - someone posing as an employee

- Goals

   - remotely look at data
   - deny access
   - destroy data
   - corrupt data
   - social engineering

- Means

   - if the data is on a server, the attacker needs some level of access to it (some way to connect to the data)
   - plant a physical key logger
   - physically freeze the system
   - shoulder-surf (look over the user's shoulder)
   - pull the plug
   - physically disable verification points
   - slow the system down
   - obtain admin access
   - steal the employee's hardware
   - get data by watching camera feeds
   - steal a mobile phone

- Attack strategies

   - plant a physical key logger
   - pull the RAM from a live system to recover its contents
   - tamper with hardware and reconnect it to the system
   - sell the stolen hardware
   - a stolen employee computer may be configured for auto-login
   - most hardware is portable now, so it is easier to steal
   - disable cameras
   - record employees' behaviour

- Accessible weaknesses

   - isolated computers
   - points of least physical security
   - devices that are on or off
       - powered-on devices are somewhat easier to attack

Physical attacker, unauthenticated

  • Abdul Bin Asif Niazi
  • Dusan Rozman
  • Sam Whiteley
  • Jake Brown
  • Nicholas Laws
  • Miran Mirza

Typically targeted systems include portable systems such as laptops, smartphones, tablets and USB keys, as well as card-based access systems and banking machines.

Attack strategies:

  • Cloned access cards
  • Rogue card readers (skimmers)
  • RFID/NFC readers: used to copy RFID card data, or to skim NFC-enabled bank cards and access systems
  • Radio-frequency transmitters that emulate or replay card signals to unlock card-controlled doors

Sort of attacks that can happen:

  • Man-in-the-middle attacks on physical phone lines: conversations can be intercepted by inserting some form of hardware at the SIM card or on a landline.
  • Abusing USB AutoRun/AutoPlay to spread an attack: an attacker plugs a USB thumb drive into a computer, has software install automatically, and uses it to escalate privileges.
  • Phishing-style traffic redirection: an attacker with physical access installs software that reroutes traffic through their own system to collect data, or rewrites the hosts file to override DNS resolution on that machine and steal data.
  • For secured areas such as labs, the door itself is a weakness: it relies on card-based authentication, and a card can be stolen.
  • Bank machines: many ATMs have a USB port inside the cabinet, so software can be installed on them. A skimmer fitted over the card slot collects card numbers and other sensitive data.

Scenarios:

  • A user gains physical access to a device using some sort of card access and then physically destroys a computer (a literal denial-of-service attack).
  • An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data, exploiting the fact that users won't notice the change.
  • A user exploits the reset button on a router to gain access to its settings, then flashes malicious firmware and attacks every device connected to the network.

Remote attacker, unauthenticated

Group 6

Members

  • Samuel Prashker
  • Daniel Lehman
  • Roman Chametka
  • Derek Aubin
  • Gilbert Lavergne-Shank
  • Xiusan Zhou
  • Abdulkadir Addulkadir


Scenarios

  • #1 - DDoS
    • Scenario
      • Targeted System: Web servers, or any machine connected to a network
      • Attackers: Angry trolls, political warriors
      • Goals: Denial of service, anger your target, hurt their finances, prove a point
      • Means: LOIC, a rented botnet (paid for in Bitcoin)
    • Attack strategies
      • Accessible weaknesses
        • Exploitable communication paths (example: ping floods, login spam)
        • In the case of a wireless router, overpowering its signal with your own higher-powered transmitter
      • How do you access them?
        • Over the network
        • Over the air (wireless signals)
  • #2 - Packet Sniffing
    • Scenario
      • Targeted System: Phones, servers, any networked device whose traffic can be sniffed
      • Attackers: Anyone looking to exfiltrate or corrupt data
      • Goals: Exfiltration of data, snooping on data sent over the air
      • Means: Packet sniffing tools such as Wireshark
    • Attack strategies
      • Accessible weaknesses
        • Wireless signals are easy to monitor
        • Mission security (Msec)
      • How do you access them?
        • Wireless: network cards and monitoring tools for over-the-air analysis
        • Wired: anywhere along the line where a middleman can be hooked in
  • #3 - Remote program already running on their service/server
    • Scenario
      • Targeted System: People (social engineering), unpatched software (known exploits or 0-days)
      • Attackers: Blackhat hackers, whitehat hackers
      • Goals: Exfiltrate, corrupt, deny access, destroy, ransomware (whitehat only: protect!)
      • Means: Exploitable software, social engineering
    • Attack strategies
      • Accessible weaknesses?
        • Careless users, equipment known to be exposed to existing exploits or 0-days, leveraging bugs
      • How do you access them?
        • Social networks, email, phone calls, a deployed payload
    • The point is that you are trying to get someone to install software for you, or to exploit software to inject the payload onto the targeted system
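Scenario #1 names the two exploitable communication paths an unauthenticated remote attacker has: raw request volume (a LOIC-style flood) and "login spam" against an authentication endpoint. The following is an added example, not from the class notes, of the detection a defender would run over a web server's access log: it parses lines in the common "combined" log format, keeps a sliding 60-second window of requests per client address, and separately counts failed POSTs to a login path, reporting any source that exceeds either threshold. The log lines, addresses, `/login` path and thresholds are constructed for the example; real thresholds are tuned to the site's normal traffic.

```python
"""Flag flooding and login-spam sources in web access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access-log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')


def _line(ip, second, request, status):
    """Build one constructed log line inside the minute 10:00 on 13 Apr 2016."""
    return '%s - - [13/Apr/2016:10:00:%02d +0000] "%s HTTP/1.1" %d 512' % (
        ip, second, request, status)


# Constructed log: a normal visitor, a LOIC-style flooder (2 req/s for a full
# minute) and a password sprayer hitting /login every two seconds.
ACCESS_LOG = "\n".join(
    [_line("10.0.0.5", i * 15, "GET /index.html", 200) for i in range(4)]
    + [_line("203.0.113.9", i // 2, "GET /", 200) for i in range(120)]
    + [_line("198.51.100.7", i, "POST /login", 401) for i in range(0, 30, 2)]
)


def parse_access_log(text):
    """Return (timestamp, ip, method, path, status) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                     # not in the expected format; skip it
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("method"),
                       m.group("path"), int(m.group("status"))))
    events.sort(key=lambda e: e[0])      # logs from several workers may interleave
    return events


def flag_abusive_sources(events, window=timedelta(seconds=60), max_requests=60,
                         login_path="/login", max_failed_logins=10):
    """Return {ip: reason} for sources over either threshold within `window`."""
    recent = defaultdict(deque)          # ip -> timestamps of requests in window
    failed = defaultdict(deque)          # ip -> timestamps of failed logins in window
    peak_requests = defaultdict(int)
    peak_failed = defaultdict(int)
    for ts, ip, method, path, status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop requests that fell out of the window
            q.popleft()
        peak_requests[ip] = max(peak_requests[ip], len(q))
        if method == "POST" and path == login_path and status in (401, 403):
            fq = failed[ip]
            fq.append(ts)
            while ts - fq[0] > window:
                fq.popleft()
            peak_failed[ip] = max(peak_failed[ip], len(fq))
    flagged = {}
    for ip in recent:
        if peak_failed[ip] > max_failed_logins:
            flagged[ip] = "login spam: %d failed logins in %ds" % (
                peak_failed[ip], window.seconds)
        elif peak_requests[ip] > max_requests:
            flagged[ip] = "flood: %d requests in %ds" % (
                peak_requests[ip], window.seconds)
    return flagged


def default_report():
    """Run the detector over the constructed log."""
    return flag_abusive_sources(parse_access_log(ACCESS_LOG))


if __name__ == "__main__":
    for ip, reason in default_report().items():
        print("%-15s %s" % (ip, reason))
```

Per-source counting catches a single tool like LOIC but not a distributed botnet, where each bot stays under the threshold; for that case the same sliding-window logic is applied to the aggregate request rate or to the rate per target path rather than per client address.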