SystemsSec 2016W Lecture 5
Latest revision as of 01:29, 17 April 2016
Class discussion: threat models and attacker goals
Local attacker
Group 1
Members
- Abdulrahman Mufti
- Josiah Konrad
- William forest
- Andrew Belu
- Agheil Fazeli
- Brandon Hurley
Scenarios
- Scenario #1:
  - Targeted System:
    - home computer - parent computer
    - Windows 7
  - Attackers:
    - sibling
    - someone who lives in the house
  - Goals:
    - the little brother wants to access big brother's account
    - to access programs that the little brother doesn't have
    - play games for a longer time
  - Means:
    - watching them typing the password
    - using safe mode to change the parents' password
    - change clock (to be able to play for a longer time)
    - take down security through the registry
- Targeted System:
Administrative attacker
Group 2
Members
- Kyle T.
- Tarek K.
- Jakub L.
- Stefan C.
- Matt G.
- Remi G.
- Ibrahim M.
Scenarios
- Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack
  - Targeted System: Service & Database servers
  - Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
  - Goals:
    - Full client information, specifically financial billing information.
    - Showcase that Sony does not take security seriously.
    - Denial of service for PSN users.
  - Means: It is rumored that ex-employees with active logins managed to access the data.
- Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack
  - Targeted System: Service & Database servers
  - Attackers: Employees with active administrative access.
  - Goals:
    - Force Ashley Madison to shut down.
    - Expose the true ratios of male/female user base and fake accounts.
  - Means: Ex-employees with full administrative access to databases.
- Scenario #3: Military and Government Secrets
  - Targeted System: Service & Database servers
  - Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
  - Goals:
    - Publicize and expose questionable practices and information to the general public.
    - Sway public opinion
  - Means: Ex-employees with full administrative access to databases.
- Scenario #4: This Wiki
  - Targeted System: MediaWiki CMS
  - Attackers: Students with editor privilege on the wiki.
  - Goals:
    - Modify or delete other groups' entries.
  - Means: Full access to edit the page using credentials given by the professor.
Attack Strategies
- Weaknesses
  - Employee turnover
  - Disgruntled current and ex-employees
  - Economically vulnerable administrators (easy to bribe)
  - Blackmail
  - System Administrator neglect and/or incompetence
- How to Attack?
  - Social Engineering
  - If there are no safeguards in place, simply having admin access is enough to wreak havoc
  - Installing backdoors to keep access to the system
  - Installing malicious updates and programs on users' computers to siphon data and/or monitor.
  - Remote monitoring of all users (including those with higher privilege), using all available peripherals (webcams, microphones, keyboards, etc.)
  - Denial of Access
Remote attacker, authenticated
Group 3
Members
- Dania Ghazal
- Ankush Varshneya
- Olivier Hamel
- Michael Lutaaya
- Ryan Morfield
- Daniel Vanderveen
- Jess Johnson
Example Scenario
Targeted System
- CIA database - find out who killed Kennedy?
Attackers
- remote authenticators
- contractors (non CIA)
Goals
- “exfiltrating data”
- exfiltrate the CIA database to find out who killed Kennedy
Means
- someone at the CIA left a node.js server running in the background :)
- ssh credentials
- use outdated emacs (implementing a root privileged mail daemon) to inject a password into /etc/passwd to escalate attacker's privileges
- look around the system for more vulnerable/outdated services to exploit
- generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
- social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
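The race-condition item in the Means list above is the classic shared-directory race: the attacker plants a file (or a symlink) at a name the privileged process is known to create, and the process then writes its data into something the attacker controls. The Python below is an added example, not part of the class notes, showing the defender's side: the plain open the scenario relies on, beside a creation that refuses anything pre-planted, and the usual fix of an unpredictable name. The directory, file names and contents are constructed for the demonstration; the scratch directory stands in for /tmp.

```python
import os
import tempfile

# O_NOFOLLOW is POSIX-only; fall back to 0 elsewhere so the example still imports.
_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def write_report_unsafe(path, data):
    """The privileged writer as the scenario assumes it: a plain open for
    writing creates the file if missing, but silently reuses (and follows)
    whatever is already at that path."""
    with open(path, "w") as fh:
        fh.write(data)


def write_report_safe(path, data):
    """Hardened writer: O_EXCL makes creation fail if the name already exists
    (a symlink counts as existing), O_NOFOLLOW refuses to follow a symlink,
    and mode 0o600 keeps other users out of the file that does get created."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | _NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_report_randomized(workdir, data):
    """The usual fix for shared directories: mkstemp picks an unpredictable
    name and creates it with O_EXCL, so there is no name to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="report-", dir=workdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo(workdir=None):
    """Constructed simulation of the race. `workdir` stands in for the shared
    /tmp; the 'attacker' plants a symlink at the predictable name before the
    privileged writer runs. Returns what each writer ended up doing."""
    workdir = workdir or tempfile.mkdtemp(prefix="race-demo-")
    predictable = os.path.join(workdir, "report.txt")  # name the writer is known to use
    attacker_file = os.path.join(workdir, "attacker_owned.txt")
    open(attacker_file, "w").close()
    os.symlink(attacker_file, predictable)

    # Unsafe writer follows the planted symlink: data lands in the attacker's file.
    write_report_unsafe(predictable, "sensitive data")
    with open(attacker_file) as fh:
        unsafe_leaked = fh.read() == "sensitive data"

    # Safe writer refuses because the name already exists.
    try:
        write_report_safe(predictable, "sensitive data")
        safe_refused = False
    except FileExistsError:
        safe_refused = True

    # Randomized name: a regular file, and not the name the attacker guessed.
    random_path = write_report_randomized(workdir, "sensitive data")
    randomized_ok = (not os.path.islink(random_path)
                     and os.path.basename(random_path) != "report.txt")

    return {"unsafe_leaked": unsafe_leaked,
            "safe_refused": safe_refused,
            "randomized_ok": randomized_ok}


if __name__ == "__main__":
    print(demo())
```

The check that matters is `O_EXCL`: without it, "create if missing" degrades into "reuse whatever is there", which is exactly the window the scenario exploits. Services that must write to a world-writable directory should also set the sticky bit on it and prefer a private directory where possible.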
Attack Strategies
Where are the Accessible Weaknesses?
- outdated services
- any service that lets attacker execute a task as another user
How Do You Attack Them?
- user privilege escalation
- abusing service vulnerabilities
Physical attacker, authenticated
Members:
- Matthew Preston
- Jon Simpson
- Allan Luke
- Chang Xu
- Nilofar Mansourzadeh
- Noor sabri
- Haamed Sultani
- Targeted system
  - Place of work's system
  - server (remote/local)
- Attacker
  - anyone who has the "attacker goals"
  - employee
  - pretend to be employee
- Goals
  - remotely look at data
  - deny access
  - destroy data
  - corrupt
  - social engineering
- Means
  - If data is on a server, attacker needs some level of access to the data (some way to connect to the data)
  - Put a physical key logger
  - physically freeze system
  - could look over your shoulder
  - pull the plug
  - physically disable verification points
  - slow down system
  - get admin access
  - steal employee's hardware
  - can get data by looking at camera feed
  - steal mobile phone
- Attack strategies
  - could put a physical key logger
  - could take out the RAM (live)
  - infect hardware and reconnect it to the system
  - sell the stolen hardware
  - stolen employee's computer has auto-login
  - most hardware is portable now so it's easier to steal
  - disable cameras
  - record their behaviours
- accessible weaknesses
  - isolated computers
  - points of least physical security
  - on/off devices
  - somewhat easier to attack powered-on devices
Physical attacker, unauthenticated
- Abdul Bin Asif Niazi
- Dusan Rozman
- Sam Whiteley
- Jake Brown
- Nicholas Laws
- Miran Mirza
Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.
Attack strategies:
- Duplicated cards
- Card Readers
- RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems
- Radio-Frequency generator used to unlock different cards
Sort of attacks that can happen:
- Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline.
- Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into a computer and install software in order to escalate privileges.
- Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on the system to tamper with the DNS on the system and steal data.
- For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable.
- Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.
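The hosts-file item above is a good illustration of why physical access with an unlocked session is enough: the hosts file takes precedence over DNS, so one appended line silently redirects a name. As an added example, not from the class notes, the Python below parses a hosts file and flags the two patterns a defender would check for: a watched domain (a bank, a login portal) pinned in the file at all, and any name mapped to a non-local address. The hosts content, the domain names and the TEST-NET addresses are constructed for the demonstration; on a real host the same check would read /etc/hosts or the Windows equivalent.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real system). Lines 4 and 6
# are the kind of entry a tampered hosts file would carry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# --- below this line, entries an installer is not expected to add ---
203.0.113.10    www.mybank.example mybank.example
127.0.0.1       telemetry.vendor.example
203.0.113.99    updates.vendor.example
"""

# Address ranges a legitimate hosts file commonly maps names to.
LOCAL_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),  # used by ad-blocking hosts lists
]


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping, dropping
    comments and blank lines. Lines whose first field is not an IP address
    are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_suspicious_entries(text, watched_domains):
    """Flag (a) any entry pinning a watched domain or a subdomain of it,
    whatever the address, because the hosts file overrides DNS for that name,
    and (b) any entry mapping a name to a non-local address, which is how
    traffic gets rerouted to a collector."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        local = any(addr in net for net in LOCAL_NETS)  # v4/v6 mismatch is simply False
        if watched:
            findings.append((lineno, name, str(addr), "watched domain pinned in hosts file"))
        elif not local:
            findings.append((lineno, name, str(addr), "name mapped to non-local address"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_HOSTS, ["mybank.example"]):
        print(finding)
```

The loopback mapping of `telemetry.vendor.example` is deliberately not flagged: blocking a name by pointing it at 127.0.0.1 is a common legitimate use, and a check that cries wolf on it will be ignored. Hashing the whole file and alerting on change is the simpler complementary control.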
Scenarios:
- A user gets physical access to a device using some sort of card access and then physically destroys a computer (a literal denial of service attack).
- An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change.
- A user can exploit the reset feature on a router in order to gain access to its settings; they can then go on to flash the firmware and infect all connected devices on the network.
Remote attacker, unauthenticated
Group 6
Members
- Samuel Prashker
- Daniel Lehman
- Roman Chametka
- Derek Aubin
- Gilbert Lavergne-Shank
- Xiusan Zhou
- Abdulkadir Addulkadir
Scenarios
- #1 - DDOS
  - Scenario
    - Targeted System: Web servers, or any machine connected to a network
    - Attackers: Angry trolls, political warriors
    - Goals: Denial of service, anger your target, hurt their financials, prove a point
    - Means: LOIC, Chinese Botnet with Bitcoin
  - Attack strategies
    - Accessible weaknesses
      - Exploitable communication paths (example: ping, login spam)
      - In the case of a router, overpowering a signal by replacing it with your own higher powered signal
    - How do you access them?
      - Over the network
      - Over the air (wireless signals)
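"Login spam" is listed above as one of the communication paths an unauthenticated remote attacker can hammer. On the defender's side the first step is seeing it in the logs, so here is an added example (not part of the class notes) of a sliding-window detector over sshd-style "Failed password" lines: it counts failures per source address inside a time window and reports any address that crosses a threshold. The log lines and addresses are constructed for the demonstration; the line format follows the common sshd wording but the timestamps are ISO-8601 rather than syslog's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (not real logs): one source hammers the
# login path, another fails twice over several minutes, one login succeeds.
SAMPLE_LOG = """\
2016-04-17T01:20:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2016-04-17T01:20:03 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
2016-04-17T01:20:05 sshd[1203]: Failed password for root from 203.0.113.7 port 50124 ssh2
2016-04-17T01:20:09 sshd[1204]: Failed password for alice from 198.51.100.4 port 41000 ssh2
2016-04-17T01:20:10 sshd[1205]: Failed password for root from 203.0.113.7 port 50125 ssh2
2016-04-17T01:20:14 sshd[1206]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
2016-04-17T01:20:20 sshd[1207]: Accepted password for alice from 198.51.100.4 port 41001 ssh2
2016-04-17T01:20:22 sshd[1208]: Failed password for invalid user guest from 203.0.113.7 port 50127 ssh2
2016-04-17T01:23:30 sshd[1209]: Failed password for alice from 198.51.100.4 port 41002 ssh2
2016-04-17T01:25:00 sshd[1210]: Failed password for alice from 198.51.100.4 port 41003 ssh2
"""

# Only failure lines matter; "Accepted" lines and anything else fall through.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def flag_login_spam(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source address.

    Returns {ip: peak_failures_in_window} for every address that reached
    `threshold` failures inside some span of `window_seconds`. Lines are
    assumed to be in time order, as they are in a log file."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        ip = m.group("ip")
        window = recent[ip]
        window.append(ts)
        # Drop failures older than the window before counting.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    print(flag_login_spam(SAMPLE_LOG.splitlines()))
```

The window matters as much as the threshold: 198.51.100.4 fails three times in total but never more than once per minute, which is what a user mistyping a password looks like, so it is not reported. Tools such as fail2ban apply the same idea and add the response (a temporary firewall rule) on top.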
- #2 - Packet Sniffing
  - Scenario
    - Targeted System: Phones, servers, any networked device that can be sniffed
    - Attackers: Exfiltrators who want to get data, corrupt data
    - Goals: Exfiltration of data, snooping for data over the air
    - Means: Packet sniffing tools, Wireshark
  - Attack strategies
    - Accessible weaknesses
      - Wireless signals would be easy to monitor
      - Mission security (Msec)
    - How do you access them?
      - Wireless: Network cards, monitoring tools for over the air analysis
      - Wired: Anywhere along the line to be able to hook in a middleman
- #3 - Remote program already running on their service/server
  - Scenario
    - Targeted System: People (social engineering), known exploits (0days)
    - Attackers: Blackhat hackers, whitehat hackers
    - Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
    - Means: Exploitable software, social engineering
  - Attack strategies
    - Accessible weaknesses?
      - Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
    - How do you access them?
      - Social networks, email, phone calls, deployed payload
    - Accessible weaknesses?
      - Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system