security presentation - solar decathlon
Solar Decathlon Cysec
Presentation I
Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Project Goals
● Construct a zero-energy-balance, self-sustaining house
● Give the house "smart" features
● Compete successfully in the DOE Solar Decathlon
● Make the house a viable, marketable product
  ○ Competition model
  ○ Home model

Security Goals
● Promote security within all aspects of the project (beyond the CS scope)
● Increase marketability
● Provide security mitigation for CIA/P (confidentiality, integrity, availability, privacy) concerns
● Promote security through flexibility throughout the house's lifecycle
● Provide fallback and disaster recovery plans for both competition and home models

Learning
The house will receive data from environmental sensors and use that information to make decisions on:
● Energy conservation
  ○ Turn appliances on/off
  ○ Window shade control
● Maximizing resident comfort
  ○ Climate control

Learning/Smart Features
Learning:
● Weather patterns (built-in weather station)
● Time of day / outside light (sensors)
● Room capacity (sensors)
● Power usage (appliances)
Smart:
● Centralized appliance control (mobile app)
● Built-in wireless network

High Level Security Concerns
● Confidentiality
  ○ Aggregation of user data
  ○ Mobile app usage (user profiles)
● Integrity
  ○ Sensor/appliance data flow into the sensor module
    ■ Wired
    ■ Wireless
  ○ Wireless network dependability
  ○ Weather data authentication
  ○ Appliance communication

High Level Security Concerns (cont.)
● Availability
  ○ Weather station data
  ○ Sensor data
  ○ Sensor module
  ○ Appliance data
  ○ Mobile application
  ○ Wireless network
  ○ Communication with service providers (power, internet, etc.)

High Level Security Concerns (cont.)
● Privacy
  ○ Power consumption aggregation (smart meter)
  ○ Resident movements and habits
  ○ Personal information on the network

CS Team Goals
Create software and infrastructure for the learning features and control:
● Web server (Windows Server 2008)
● Database (MongoDB)
● Learning algorithm
● Alternate website (the main site is done by VisTech)
● Mobile application (Android)

CS Team Level Security Concerns
● Confidentiality
  ○ Aggregation of usage data (power, appliances, etc.)
  ○ Centralized billing information
  ○ Centralized payment information
● Integrity
  ○ Flow of data from the sensor module to the web server
  ○ Flow of data into and within the DB
  ○ Communication with the mobile application and website
  ○ Historical data (weather)

CS Team Level Security Concerns (cont.)
● Availability
  ○ Server data
  ○ DB data
  ○ WiFi communications
  ○ User profiles
  ○ Physical machine (server/DB)
● Privacy
  ○ Personal information (user profiles)
  ○ Stored learned information (learning algorithm output)
  ○ Historical information

Usage and Threat Scenarios
● Decathlon model
  ○ No outside attackers
  ○ No privacy concerns
  ○ Focus on integrity and availability
  ○ Disaster recovery as a high value
  ○ Marketability creates a shift in focus towards future use (home model)

Usage and Threat Scenarios (cont.)
● Home model
  ○ Outside attackers
  ○ Privacy as a high-value target
  ○ Flexibility of interchangeable parts
    ■ Hardware
    ■ Software
    ■ Appliances
    ■ Sensors

Attacker Models
● Honest but curious
  ○ Users with low access levels
  ○ Users of a potential outside mobile application
    ■ Judges (competition model)
● Malicious
  ○ Identity thieves
  ○ Disgruntled employees (utility companies)
  ○ Recreational hackers
  ○ DoS networks
  ○ Burglars (gather information from smart features)

Solar Decathlon Cysec
Presentation II
Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Asset Identification (Back End)
● Operating system
  ○ Windows Server 2008 R2
● Web server
  ○ Windows Server 2008 R2
● Database
  ○ MongoDB
● Wireless router
  ○ NetGear N750
● Programming languages
  ○ Java and PHP

Identified Vulnerabilities
● NoSQL injection (DB)
● Script injection attacks (DB)
● No encryption of data files (DB)
● No encryption in transit or at rest (DB)
● No auditing ability (DB)
● Passwords and usernames stored as MD5 hashes by default (DB)
● Privilege escalation (OS)
● Directory traversal attack (OS)
● XSS (server)

Mitigation
● Explicitly encrypt sensitive info in the DB
● Must "hide" traffic behind an HTTP proxy for in-transit encryption (server)
● Define permissions on the HTTP proxy
● All user input must be sanitized
● Change the MD5 hash to SHA256
● Create a detached audit table
● Access control lists
● Disallow users from uploading any documents
● Disallow any user input on the app or site
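Worked example, added here and not part of the slides or the project's Java/PHP code, of two of the mitigations above in Python: rejecting MongoDB operator injection in a login filter built from the mobile app's decoded JSON, and the MD5-to-SHA256 password change done as salted, iterated PBKDF2-HMAC-SHA256 rather than a single unsalted SHA256 pass (my choice, standard library only). All inputs and function names are constructed.

```python
import hashlib
import hmac
import os

# Constructed example inputs (not from the slides): what a login handler might
# receive after JSON-decoding a request body sent by the mobile app.
SAFE_LOGIN = {"user": "resident", "pw": "correct horse"}
INJECTED_LOGIN = {"user": {"$ne": ""}, "pw": {"$ne": ""}}  # operator objects, not strings


def unsafe_filter(body):
    """Vulnerable pattern: forwards decoded JSON straight into the MongoDB filter.
    An operator object such as {"$ne": ""} then matches every user document."""
    return {"username": body["user"], "password": body["pw"]}


def safe_filter(body):
    """Hardened: only a bounded plain string may become the query value, so a
    JSON object can never reach the filter; the password is verified separately."""
    user = body.get("user")
    if not isinstance(user, str) or not 1 <= len(user) <= 64:
        raise ValueError("username must be a plain string of 1..64 characters")
    return {"username": user}


def contains_operator(doc):
    """Detection helper for audit logging: True if any key in a filter starts with '$'."""
    if isinstance(doc, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in doc.items())
    if isinstance(doc, list):
        return any(contains_operator(v) for v in doc)
    return False


# Password storage: the slide replaces MD5 with SHA256. Plain SHA256 is fast and
# unsalted, so here SHA256 is used inside salted, iterated PBKDF2 instead.
def hash_password(password, salt=None, iterations=200_000):
    """Return 'salt$iterations$digest' (all hex) for storage in the DB."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```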

Asset Identification (Front End)
● Additional server (disconnected from the Internet) (in discussion)
  ○ Jurors
● Programming languages
  ○ HTML5
  ○ JSON (mobile app)
  ○ Java (Android)

Identified Vulnerabilities
● NoSQL injections
● JavaScript injections
● Session hijacking
● Fuzzing attacks
● Certificate spoofing

Mitigations
● Input sanitation
● Access control lists
● Encrypt server communications
  ○ Incoming
  ○ Outgoing
● Preemptive fuzzing

Identification of chokepoints
● Central module (EE control)
  ○ All house communications
● Sensor module (EE control)
  ○ All sensor communications
● CS module (server)
● Mobile application

Mitigation
● Discuss replacement modules with the EEs
  ○ Fallback to a wired connection to the server module (XBee)
● Secondary server
  ○ Competition model: outside the house
  ○ Home model: seamless replacement
● Secondary mobile app
  ○ Competition model: replacement tablet/web app
  ○ Home model: web app fallback

User Groups
● Competition model
  ○ Superuser
    ■ All rights
  ○ Juror
    ■ View limited data (high-level power usage)
    ■ Limited usability (turn lights on/off)
● Home model
  ○ Superuser
    ■ All rights
  ○ Visitor
    ■ Malleable access rights
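Added example, not from the slides or the project, of the user groups above as a default-deny permission matrix in Python: the juror's limited data view is enforced by returning only a power total rather than per-appliance readings, and the home visitor's "malleable" rights can be widened only by the superuser. The action names and wattage readings are constructed.

```python
# Permission matrix taken from the User Groups slide; action names are my own.
# "*" means all rights; an empty set means default deny.
PERMISSIONS = {
    ("competition", "superuser"): {"*"},
    ("competition", "juror"): {"view_power_summary", "toggle_lights"},
    ("home", "superuser"): {"*"},
    ("home", "visitor"): set(),  # malleable: rights are granted explicitly later
}


def authorize(model, role, action):
    """Default-deny check to run before any control command or data request."""
    allowed = PERMISSIONS.get((model, role), set())
    return "*" in allowed or action in allowed


def grant(model, role, action, by_role):
    """Widen a non-superuser role's rights; only a superuser may do this."""
    if by_role != "superuser" or role == "superuser":
        raise PermissionError("only a superuser may change another role's rights")
    PERMISSIONS.setdefault((model, role), set()).add(action)


# Constructed per-appliance readings in watts (not from the slides).
READINGS = {"fridge": 120, "hvac": 900, "lights": 60}


def power_view(model, role, readings=READINGS):
    """Data minimisation: full detail for roles with that right, a bare total for
    roles limited to high-level usage, nothing for everyone else."""
    if authorize(model, role, "view_power_detail"):
        return dict(readings)
    if authorize(model, role, "view_power_summary"):
        return {"total_watts": sum(readings.values())}
    raise PermissionError(f"{role} may not view power data")
```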

Solar Decathlon Cysec
Presentation III
Laura Cerrito, Maunil Sanghavi, Alexis Moore, Daniel Delaney, Assaf Kipnis, Justin Frech

Threat Profile
● Spoofing
  ○ Man-in-the-middle attacks
  ○ Cross-site request forgery
● Tampering
  ○ Session hijacking
  ○ Virtual defacement
  ○ Cross-site scripting (XSS)
● Repudiation
  ○ Modification attacks
  ○ Certificate spoofing/expiration

Threat Profile (cont.)
● Information disclosure
  ○ Resident/user data exposure
● DoS
  ○ SYN spoofing
  ○ Floods (ICMP, UDP, SYN)
  ○ Reflection/amplification attacks
● 0-day attacks
  ○ Previously unknown attack vectors

Security Strategy: 4-Layer Defense in Depth
1. Perimeter defense
  ○ Firewall (traffic filtering)
  ○ Proxy servers
  ○ DoS attacks
2. OS and application security
  ○ Physical access
  ○ Patching
  ○ Service packs

Security Strategy: 4-Layer Defense in Depth (cont.)
3. Host protection
  ○ Attacks from within the network
  ○ HIDS (host-based IDS)
  ○ Internal firewalls
  ○ Anti-virus software
  ○ Access policy
4. Data/information protection
  ○ Data encryption
    ■ In transit
    ■ At rest

Security Architecture Model
● Detection
  ○ Identify intrusion
  ○ Follow the intrusion path
  ○ IDS (intrusion detection system)
● Prevention
  ○ Prevent unauthorized access
  ○ Prevent and control changes
  ○ IPS (intrusion prevention system)
● Monitoring
  ○ Security policy and assessments
● Management
  ○ Allow flexibility of the above for future changes

Test Plan
Viewpoints:
● Black box (external)
  ○ External testing
  ○ Reconnaissance (social engineering)
  ○ Enumeration (nmap)
  ○ Abuse of web protocols
● White box (internal)
  ○ Internal testing (attack from within the network)
  ○ Privilege escalation
  ○ Configuration changes

Test Plan (cont.)
Techniques:
● Review (documents, procedures, logs)
● Target identification (network discovery, port scan, vulnerability scan, wireless scan)
● Target vulnerability validation (password cracking, penetration testing)
● Fuzzing
● Buffer overflow

Questions?