SystemsSec 2016W Lecture 11

From Soma-notes
Revision as of 18:52, 12 February 2016

Sample Midterm Questions

  • What properties should a secure OS have? Why?
  • Why are production operating systems not constructed like ones designed for security first? Be specific
  • To what extent are security tools (for attack and defense) hard to use? Are these difficulties inherent to the technology or are other factors in play? Give examples from your personal experience.
  • Describe three threat models and explain what entities these threat models apply to.


Midterm Layout

  • Expect each question to be a small essay that draws upon the information acquired through class and through the readings to form a conclusion.
  • Expect 3-5 questions on the midterm.
  • This exam will be closed book. Email Anil if writing this midterm via computer is important to you.

Under construction

Model of a standard attack

   Let us look at a standard attack. An attacker will do the following:
  • Identify a target: An attacker will select a system or individual to attack.
  • Surveillance: An attacker will study the target.
  • Get access ("The Attack"): An attacker at some point will access or breach the system.
  • Accomplish his goal: An attacker will gather what he came for (credit cards, passwords, bank transfers, etc.).
  • Cover his tracks: An attacker will not want to be identified. They will try to destroy system logs and any evidence that could point to the attack ever having happened. In this sense, the news only reports failed attacks: an intrusion that makes the news is one that was detected.
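The "cover his tracks" step is why log integrity matters: if an intruder can silently delete or rewrite the lines that recorded the break-in, the attack never becomes a "failed" (detected) one. The following is an added example, not from the lecture notes, of a hash-chained log in which each record commits to everything before it, so deleting or editing a line in the middle is detectable. The log entries are constructed samples in the style of /var/log/auth.log; the function names and the genesis value are this example's own choices.

```python
import hashlib
from typing import List, Tuple

GENESIS = "0" * 64  # link value used before the first record exists (example's own choice)

def chain_hash(prev_hash: str, entry: str) -> str:
    """Hash of the previous link plus this entry, so each record commits to all records before it."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode("utf-8")).hexdigest()

def append_record(records: List[Tuple[str, str]], entry: str) -> List[Tuple[str, str]]:
    """Append an entry together with the hash that links it to the record before it."""
    prev = records[-1][1] if records else GENESIS
    records.append((entry, chain_hash(prev, entry)))
    return records

def verify_chain(records: List[Tuple[str, str]]) -> int:
    """Return -1 if every link checks out, otherwise the index of the first record that does not."""
    prev = GENESIS
    for i, (entry, stored) in enumerate(records):
        if chain_hash(prev, entry) != stored:
            return i
        prev = stored
    return -1

def head_matches(records: List[Tuple[str, str]], expected_head: str) -> bool:
    """Compare the last link against a copy kept on another machine; this catches truncation of the tail,
    which the chain alone cannot detect."""
    head = records[-1][1] if records else GENESIS
    return verify_chain(records) == -1 and head == expected_head

# Constructed sample entries in the style of /var/log/auth.log (not real log data)
SAMPLE_ENTRIES = [
    "Feb 12 18:40:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Feb 12 18:41:13 host sshd[1230]: Failed password for invalid user admin from 198.51.100.7 port 43110 ssh2",
    "Feb 12 18:42:05 host sudo:    alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart apache2",
]

def build_sample_log() -> List[Tuple[str, str]]:
    records: List[Tuple[str, str]] = []
    for entry in SAMPLE_ENTRIES:
        append_record(records, entry)
    return records

def delete_record(records: List[Tuple[str, str]], idx: int) -> List[Tuple[str, str]]:
    """Simulate an intruder removing one line from the middle of the log."""
    return records[:idx] + records[idx + 1:]

def edit_record(records: List[Tuple[str, str]], idx: int, new_entry: str) -> List[Tuple[str, str]]:
    """Simulate an intruder rewriting one line in place without recomputing its link."""
    return records[:idx] + [(new_entry, records[idx][1])] + records[idx + 1:]

if __name__ == "__main__":
    log = build_sample_log()
    print("intact log, first bad record:", verify_chain(log))
    print("failed-login line deleted, first bad record:", verify_chain(delete_record(log, 1)))
    print("failed-login line edited, first bad record:",
          verify_chain(edit_record(log, 1, "Feb 12 18:41:13 host sshd[1230]: Connection closed")))
    print("tail truncated, chain alone:", verify_chain(log[:-1]),
          "| with off-host head:", head_matches(log[:-1], log[-1][1]))
```

The chain catches deletion and modification anywhere except at the very end: an intruder who simply truncates the newest records leaves a chain that still verifies. That is why the latest link (or the whole log) has to be shipped to a machine the intruder does not control, which is what `head_matches` checks.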

Example attack: Surveillance

Let's say we are attacking an Ubuntu machine.

What can we gather, intelligence-wise?

  • IP addresses, port checking, etc.: These are very noisy approaches and will alert the target system; an attacker will not do this more than absolutely necessary.
  • Web server status:
    • What code is running on the server?
    • What version?
    • The web server will usually hand this out.
  • Monitoring the network: Is it possible to monitor this network from another machine? An attacker may need to compromise another machine first!
  • Physical surveillance:
    • Personnel, administrators: Do they have social media that can be accessed, so that a password can be guessed from the information there?
    • Set up an account on another site: Can they convince an employee to make an account? The employee may reuse the same password.
    • Forums: Have they posted about bugs or network problems?
    • Wireless network: Can they eavesdrop on a signal?
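Because the web server "will usually hand this out", checking what your own server reveals is a basic hardening step. Below is an added example, not from the lecture, of a small parser that reads an HTTP response and flags headers whose values disclose a product version. The two responses are constructed samples: one in the style of a default Ubuntu Apache/PHP install and one after the version strings have been suppressed; the header list and the function names are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the kind of reply a default Apache/PHP install on Ubuntu gives to "HEAD / HTTP/1.1"
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 12 Feb 2016 18:52:00 GMT\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample: same server after setting "ServerTokens Prod" in Apache and "expose_php = Off" in php.ini
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 12 Feb 2016 18:52:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Headers that commonly carry product/version information (example's own list, not exhaustive)
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number such as 2.4.7 is treated as a version string

def parse_headers(raw: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a lower-cased name -> value mapping."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def version_leaks(raw: str) -> List[Tuple[str, str]]:
    """Return (header, value) pairs that reveal a product version; empty list means nothing to report."""
    headers = parse_headers(raw)
    return [(name, value) for name, value in headers.items()
            if name in DISCLOSING_HEADERS and VERSION_RE.search(value)]

if __name__ == "__main__":
    for label, response in (("default install", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        leaks = version_leaks(response)
        print(f"{label}: {'no version disclosure' if not leaks else leaks}")
```

On a live system the same check is run against the real response (for instance the output of `curl -sI http://host/`). Suppressing the banner does not make the software any less vulnerable, it only removes the free hint; the fix that matters is still patching, and the check above is most useful as a regression test after a config change.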

Example attack

Let's say we know someone is running WordPress (wahoo, many exploits), and we know the exact version. We can get an exploit to use online.

The next step? Set up the same WordPress version and test the exploit on our own systems. We don't want to be caught on a failed attempt.

Tools

  • NMAP: A tool designed to identify systems and their versions by analyzing their responses. Each system implements the network stack slightly differently, and this tool has a small database of these differences to compare against.
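To make the "small database to compare to" idea concrete, here is an added example, not from the lecture and not nmap's own database or algorithm, that scores an observed reply against a handful of constructed stack signatures and ranks the candidates. The signature values, field names and weights are illustrative choices made for this example; the point it adds to the text is that matching is a weighted best-fit, so a host that has changed some defaults still gets a (lower-confidence) guess rather than no guess, which is worth knowing before relying on banner or stack tweaks as a defence.

```python
from typing import Dict, List, Tuple

# Constructed signature database (illustrative only, not nmap-os-db). Each entry describes what a
# stack put in its reply to a probe: initial TTL, TCP window size, Don't-Fragment bit, option order.
SIGNATURES: Dict[str, dict] = {
    "linux-generic":   {"ttl": 64,  "window": 29200, "df": True, "opts": "MSS,SACK,TS,NOP,WS"},
    "windows-generic": {"ttl": 128, "window": 8192,  "df": True, "opts": "MSS,NOP,WS,NOP,NOP,SACK"},
    "bsd-generic":     {"ttl": 64,  "window": 65535, "df": True, "opts": "MSS,NOP,WS,SACK,TS"},
}

# How much each field counts towards a match (example's own weights); option order is the most telling
WEIGHTS = {"ttl": 3, "window": 2, "df": 1, "opts": 4}

def normalize_ttl(observed: int) -> int:
    """The TTL seen on the wire has been decremented once per hop; round up to the next common initial value."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial
    return observed

def score(observed: dict, signature: dict) -> int:
    """Weighted count of fields on which the observation agrees with one signature."""
    total = 0
    if normalize_ttl(observed["ttl"]) == signature["ttl"]:
        total += WEIGHTS["ttl"]
    if observed["window"] == signature["window"]:
        total += WEIGHTS["window"]
    if observed["df"] == signature["df"]:
        total += WEIGHTS["df"]
    if observed["opts"] == signature["opts"]:
        total += WEIGHTS["opts"]
    return total

def best_matches(observed: dict) -> List[Tuple[str, float]]:
    """Rank every signature by its fraction of the maximum possible score, best first."""
    max_score = sum(WEIGHTS.values())
    ranked = [(name, score(observed, sig) / max_score) for name, sig in SIGNATURES.items()]
    return sorted(ranked, key=lambda pair: -pair[1])

# Constructed observations: a reply seen 7 hops away from a stock stack, and one from a host whose
# window size has been tuned away from the default
OBSERVED_STOCK = {"ttl": 57, "window": 29200, "df": True, "opts": "MSS,SACK,TS,NOP,WS"}
OBSERVED_TUNED = {"ttl": 60, "window": 65535, "df": True, "opts": "MSS,SACK,TS,NOP,WS"}

if __name__ == "__main__":
    for label, obs in (("stock", OBSERVED_STOCK), ("tuned", OBSERVED_TUNED)):
        name, confidence = best_matches(obs)[0]
        print(f"{label}: best guess {name} with confidence {confidence:.0%}")
```

The tuned host still matches the same signature at 80% because the option order, the most heavily weighted field, was left alone. A real fingerprint database is far larger and the probes more varied, but the comparison is the same shape: many small differences, each contributing some evidence.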