SystemsSec 2016W Lecture 5: Difference between revisions

Class discussion: threat models and attacker goals

Local attacker

Group 1

Members

• Abdulrahman Mufti
• Josiah Konrad
• William forest
• Andrew Belu
• Agheil Fazeli
• Brandon Hurley

Scenarios

• Scenario #1:
  • Targeted System:
    • home computer - parent computer
    • > Windows 7
  • Attackers:
    • sibling
    • someone who lives in the house
  • Goals:
    • the little brother wants to access big brother's account
    • to access programs that the little brother doesn't have
    • play games for a loner time
  • Means:
    • watching them typing the password
    • using safe mode to change the parents' password
    • change clock (to be able to play for a longer time)
    • take down security through the registry

Administrative attacker

Group 2

Members

• Kyle T.
• Tarek K.
• Jakub L.
• Stefan C.
• Matt G.
• Remi G.
• Ibrahim M.

Scenarios

• Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack
  • Targeted System: Service & Database servers
  • Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
  • Goals:
    • Full client information specifically financial billing information.
    • Showcase that Sony does not take security seriously.
    • Denial of service for PSN users.
  • Means: It is rumored that ex-employees with active logins managed to access the data.

• Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack
  • Targeted System: Service & Database servers
  • Attackers: Employees with active administrative access.
  • Goals:
    • Force Ashley Madison to shut down.
    • Expose the true ratios of male/female user base and fake accounts.
  • Means: Ex-employees with full administrative access to databases.

• Scenario #3: Military and Government Secrets
  • Targeted System: Service & Database servers
  • Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
  • Goals:
    • Publicize and expose questionable practices and information to the general public.
    • Sway public opinion
  • Means: Ex-employees with full administrative access to databases.

• Scenario #4: This Wiki
  • Targeted System: MediaWiki CMS
  • Attackers: Students with editor privilege on the wiki.
  • Goals:
    • Modify or delete other groups' entries.
  • Means: Full access to edit the page using credentials given by the professor.

Attack Strategies

• Weaknesses
  • Employee turnover
  • Disgruntled current and ex-employees
  • Economically vulnerable administrators (easy to bribe)
  • Blackmail
  • System Administrator neglect and/or incompetence

• How to Attack?
  • Social Engineering
  • If there are no safeguards in place, simply having admin access is enough to wreak havoc
  • Installing backdoors to keep access to system
  • Installing malicious updates and programs on users computers to siphon data and/or monitor.
  • Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
  • Denial of Access

Remote attacker, authenticated

Group 3

Members

• Dania Ghazal
• Ankush Varshneya
• Olivier Hamel
• Michael Lutaaya
• Ryan Morfield
• Daniel Vanderveen
• Jess Johnson

Example Scenario

Targeted System

• CIA database - find out who killed Kennedy?

Attackers

• remote authenticators
• contractors (non CIA)

Goals

• “exfiltrating data”
• exfiltrate the CIA database to find out who killed Kennedy

Means

• someone at the CIA left a node.js server running in the background :)
• ssh credentials
• use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
• look around the system for more vulnerable/outdated services to exploit
• generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
• social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason

Attack Strategies

Where are the Accessible Weaknesses?

• outdated services
• any service that lets attacker execute a task as another user

How Do You Attack Them?

• user privilege escalation
• abusing service vulnerabilities

Physical attacker, authenticated

Members:

- Matthew Preston - Jon Simpson - Allan Luke - Chang Xu - Nilofar Mansourzadeh - Noor sabri - Haamed Sultani

- Targeted system

   - Place of work’s system
   - server(remote/local)

- Attacker

   - anyone who has the “attacker goals"
       - employee
       - pretend to be employee

- Goals

   - remotely look at data
   - deny access
   - destroy data
   - corrupt
   - social engineering

- Means

   - If data is on a server, attacker needs some level of access to the data (some way to connect to the data)
   - Put a physical key logger
   - physically freeze system
       - could look over your shoulder
   - pull the plug
   - physically disable verification points
   - slow down system
   - get admin access
   - steal employee's hardware
   - can get data by looking at camera feed
   - steal mobile phone

- Attack strategies

   - could put a physical key logger
   - could take out the RAM(live)
   - infect hardware and reconnect it to the system
   - sell the stolen hardware
   - stolen employee’s computer has auto-login
   - most hardware is portable now so it’s easier to steal
   - disable cameras
   - record their behaviours

- accessible weaknesses

   - isolated computers
   - points of least physical security
   - on/off devices
       - somewhat easier to attack powered-on devices

Physical attacker, unauthenticated

• Abdul Bin Asif Niazi
• Dusan Rozman
• Sam Whiteley
• Jake Brown
• Nicholas Laws
• Miran Mirza

Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.

Attack strategies:

• Duplicated cards
• Card Readers
• RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems
• Radio-Frequency generator used to unlock different cards

Sort of attacks that can happen:

• Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline.
• Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges.
• Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data.
• For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable.
• Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.

Scenarios:

• A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack).
• An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change
• A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.

Remote attacker, unauthenticated

Group 6

Members

• Samuel Prashker
• Daniel Lehman
• Roman Chametka
• Derek Aubin
• Gilbert Lavergne-Shank
• Xiusan Zhou
• Abdulkadir Addulkadir

Scenarios

• #1 - DDOS
  • Scenario
    • Targeted System: Web servers, or any machine connected to a network
    • Attackers: Angry trolls, political warriors
    • Goals: Denials of service, anger your target, hurt their financials, prove a point
    • Means: LOIC, Chinese Botnet with Bitcoin
  • Attack strategies
    • Accessible weaknesses
      • Exploitable communication paths (example: ping, login spam)
      • In the case of a router, overpowering a signal by replacing it with your own higher powered signal
    • How do you access them?
      • Over the network
      • Over the air (wireless signals)
• #2 - Packet Sniffing
  • Scenario
    • Targeted System: Phones, servers, any networked device that can be sniffed
    • Attackers: Exfiltrators who want getting data, corrupting data
    • Goals: Exfiltration of data, snooping for data over the air
    • Means: Packet sniffing tools, Wireshark,
  • Attack strategies
    • Accessible weaknesses
      • Wireless signals would be easy to monitor
      • Mission security (Msec)
    • How do you access them?
      • Wireless: Network cards, monitoring tools for over the air analysis
      • Wired: Anywhere along the line to be able to hook in a middleman
• #3 - Remote program already running on their service/server
  • Scenario
    • Targeted System: People (social engineering), known exploits (0days)
    • Attackers: Blackhat hackers, whitehat hackers
    • Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
    • Means: Exploitable software, social engineering
  • Attack strategies
    • Accessible weaknesses?
      • Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
    • How do you access them?
      • Social networks, email, phone calls, deployed payload
  • Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system