SystemsSec 2016W Lecture 5
Class discussion: threat models and attacker goals
Local attacker
Administrative attacker
Group 2
Members
- Kyle T.
- Tarek K.
- Jakub L.
- Stefan C.
- Matt G.
- Remi G.
- Ibrahim M.
Scenarios
- Scenario #1: Disgruntled Ex-Employee(s?) - Sony Hack
- Targeted System: Service & Database servers
- Attackers: Disgruntled ex-employees with active administrative access and knowledge of internal system architecture.
- Goals:
- Full client information specifically financial billing information.
- Showcase that Sony does not take security seriously.
- Denial of service for PSN users.
- Means: It is rumored that ex-employees with active logins managed to access the data.
- Scenario #2: Current & Ex-Employee(s?) - Ashley Madison Hack
- Targeted System: Service & Database servers
- Attackers: Employees with active administrative access.
- Goals:
- Force Ashley Madison to shut down.
- Expose the true ratios of male/female user base and fake accounts.
- Means: Ex-employees with full administrative access to databases.
- Scenario #3: Military and Government Secrets
- Targeted System: Service & Database servers
- Attackers: Whistleblowers (Chelsea Manning, Edward Snowden)
- Goals:
- Publicize and expose questionable practices and information to the general public.
- Sway public opinion
- Means: Ex-employees with full administrative access to databases.
- Scenario #4: This Wiki
- Targeted System: MediaWiki CMS
- Attackers: Students with editor privilege on the wiki.
- Goals:
- Modify or delete other groups' entries.
- Means: Full access to edit the page using credentials given by the professor.
Attack Strategies
- Weaknesses
- Employee turnover
- Disgruntled current and ex-employees
- Economically vulnerable administrators (easy to bribe)
- Blackmail
- System Administrator neglect and/or incompetence
- How to Attack?
- Social Engineering
- If there are no safeguards in place, simply having admin access is enough to wreak havoc
- Installing backdoors to keep access to system
- Installing malicious updates and programs on users computers to siphon data and/or monitor.
- Remote monitoring of all users (including those with higher priviledge), using all available peripherals (webcams, microphones, keyboards, etc...)
- Denial of Access
Remote attacker, authenticated
Group 3
Members
- Dania Ghazal
- Ankush Varshneya
- Olivier Hamel
- Michael Lutaaya
- Ryan Morfield
- Daniel Vanderveen
- Jess Johnson
Example Scenario
Targeted System
- CIA database - find out who killed Kennedy?
Attackers
- remote authenticators
- contractors (non CIA)
Goals
- “exfiltrating data”
- exfiltrate the CIA database to find out who killed Kennedy
Means
- someone at the CIA left a node.js server running in the background :)
- ssh credentials
- use outdated emacs (implementing a root privileged mail daemon) to inject a password into etc/passwd to escalate attacker’s privileges
- look around the system for more vulnerable/outdated services to exploit
- generate a race condition to create a file that you know a root user would create, then let the root user put their “sensitive data” into attacker’s file (such as files in /temp)
- social engineering - submit a help ticket to someone within the CIA to gain higher privileges for a seemingly innocent reason
Attack Strategies
Where are the Accessible Weaknesses?
- outdated services
- any service that lets attacker execute a task as another user
How Do You Attack Them?
- user privilege escalation
- abusing service vulnerabilities
Physical attacker, authenticated
Physical attacker, unauthenticated
Abdul Bin Asif Niazi Dusan Rozman Sam Whiteley Jake Brown Nicholas Laws Miran Mirza
Typically targeted systems include: portable systems such as laptops, smartphones, tablets, USB keys, card systems, banking machines.
Attack strategies: • Duplicated cards • Card Readers • RFID readers: can be used to duplicate RFID data and steal NFC enabled bank access systems • Radio-Frequency generator used to unlock different cards
Sort of attacks that can happen: • Man in the middle attack on physical phone lines, people can access phone conversations by inserting some sort of hardware in a SIM card or a landline. • Using the USB auto install feature to spread attacks, exploit this vulnerability to install software. An attacker can plug a USB thumb drive into computer and install software in order to escalate privileges. • Phishing attack, a user can install some sort of software to reroute traffic through their system in order to collect data. A user can physically rewrite the hosts file on system to tamper with the DNS on the system and steal data. • For secured areas such as labs a vulnerability would be the door which requires some sort of card based authentication, since this can be stolen it is vulnerable. • Bank Machines: a lot of bank machines have a USB port in the bank and thus can get software installed on them. People can also install a card reader on top of the card slot to collect card numbers and other sensitive data.
Scenarios: • A user gets physical access to a device using sort of card access and then physically destroys a computer (a literal denial of service attack). • An attacker swaps a keyboard for a keylogging keyboard and uses it to steal sensitive data. They are exploiting the fact that users won't notice the change. A user can exploit the reset feature on a router in order to gain access to it's settings, they can then go on to flash the firmware and infect all connected devices on the network.
Remote attacker, unauthenticated
- Samuel Prashker
- Daniel Lehman
- Roman Chametka
- Derek Aubin
- Gilbert Lavergne-Shank
- Xiusan Zhou
Scenarios
- #1 - DDOS
- Scenario
- Targeted System: Web servers, or any machine connected to a network
- Attackers: Angry trolls, political warriors
- Goals: Denials of service, anger your target, hurt their financials, prove a point
- Means: LOIC, Chinese Botnet with Bitcoin
- Attack strategies
- Accessible weaknesses
- Exploitable communication paths (example: ping, login spam)
- In the case of a router, overpowering a signal by replacing it with your own higher powered signal
- How do you access them?
- Over the network
- Over the air (wireless signals)
- Accessible weaknesses
- Scenario
- #2 - Packet Sniffing
- Scenario
- Targeted System: Phones, servers, any networked device that can be sniffed
- Attackers: Exfiltrators who want getting data, corrupting data
- Goals: Exfiltration of data, snooping for data over the air
- Means: Packet sniffing tools, Wireshark,
- Attack strategies
- Accessible weaknesses
- Wireless signals would be easy to monitor
- Mission security (Msec)
- How do you access them?
- Wireless: Network cards, monitoring tools for over the air analysis
- Wired: Anywhere along the line to be able to hook in a middleman
- Accessible weaknesses
- Scenario
- #3 - Remote program already running on their service/server
- Scenario
- Targeted System: People (social engineering), known exploits (0days)
- Attackers: Blackhat hackers, whitehat hackers
- Goals: Exfiltrate, corrupt, deny access, destroy, ransomware, (whitehat only: protect!)
- Means: Exploitable software, social engineering
- Attack strategies
- Accessible weaknesses?
- Stupid people, exploitable equipment known to be accessible to 0days, leveraging bugs
- How do you access them?
- Social networks, email, phone calls, deployed payload
- Accessible weaknesses?
- Point is you're trying to get someone to install software for you, or exploit software to inject the payload on the targeted system
- Scenario