Net Sec
Tcp: Random initial sequence numbers
If SNs weren't random initially, the attacker could easily create a tcp session for some source (victim) and then send commands on its behalf. If an attacker could guess the tcp SN, then they could send a command to end the connection, causing DoS if they do this with all traffic.
Crime: Characteristics of spam
Inappropriate or irrelevant large number of recipients.
Browser: Execution model
1. Load content. 2. Render content (process HTML, JavaScript). 3. Respond to events. Events: user actions (clicking), rendering (loading), timing.
Crime: Spammers
>90% of email sent is spam. Have lists of people; send messages for other people. Send malware or phish. Use botnets to send spam; need many IPs or will easily get blocked. Typically part of a scam campaign, with legit-looking websites or customer service.
Botnet: Bot
A bot is often called a zombie because it is a compromised computer controlled by malware without the consent and knowledge of the user.
Browser: Browsing Context
A frame with its DOM. A web worker (thread, JavaScript running in the background independent of the UI), which does not have a DOM. Every context has an origin (protocol, host, port). Isolated from others by the same-origin policy. May communicate with others using postMessage. Can make network requests using XHR (XML HTTP request) or tags (<image...>). OS process context: separation/isolation of different programs, similar to how the browser isolates different web sessions. Modern structuring mechanisms.
BC: Hash pointer
A pointer to where the data is stored, and its hash so you can tell the data hasn't changed.
Session: Session
A sequence of requests and responses from one browser to N sites. Session can be long or short. Without sessions, users would have to reauthenticate. Authorize user once; all subsequent requests are tied to the user.
Tcp: Routing protocol security
ARP: A malicious node can lie to the gateway, say "I'M THE GUY YOU'RE LOOKING FOR" and send its MAC address. If it gets there before the actual node, the malicious node gets the data. Traffic can be read or injected into the other node's session. BGP:
MbMal: Android Malware
Accutrack - hidden GPS tracker. Ackposts - steals contact info. Acknetdoor - opens a backdoor to the infected device and sends IP to a remote server. Steek/fatakr - steal private info/send SMS. Tapsnake/droisnake - posts the phone's location to a web service. Zertsecurity/zitmo/citmo - steals banking info. Risk of Android malware is low.
Tcp: Protocols
Address resolution protocol (ARP): Protocol designed to map IP network addresses to the hardware addresses used by a data link protocol. Gets the MAC address of the computer with the requested IP address. Reply says, "HERE I AM. Here's my MAC." Open shortest path first (OSPF): Protocol that uses a link state routing algorithm and falls into the group of interior routing protocols. Looks for the lowest cost path between nodes. Border gateway protocol (BGP): Protocol designed to exchange routing and reachability information among autonomous systems (AS). ASes exchange/learn the IP address prefixes of all computers in each connected network, so they know how to send information around, and they work together to do so. Basically these are lower and lower routing algorithms. BGP is the highest, OSPF is lower, and ARP is the lowest. Routing among domains is determined by BGP. Routing inside each domain is determined by OSPF (or similar things).
CC: Processing infrastructure
Adv: Ability to secure masters and push out secure images to shards. Challenges: Application multi-tenancy, reliance on hypervisors, process isolation/application sandboxes.
CC: Network/Perimeter Security
Adv: DDoS protection, VLAN capabilities, perimeter security (IDS, firewall, authentication). Challenges: Virtual zoning with application mobility, creating different areas where applications run is hard.
CC: Support services
Adv: On-demand security controls (auth, logging, firewalls). Challenges: Additional risk when integrated with customer applications (can customer apps cause security risks?), needs certification and accreditation as separate application, code updates.
CC: Provisioning services
Adv: Rapid reconstitution of services, enables availability, advanced honeynet capabilities. Challenges: Impact of compromising the provisioning service (if the cloud is compromised, you have a problem).
CCSec: Frequency analysis attack
An attack on equality-preserving encryption. Compare the histograms (distribution) of encrypted data to the distribution of publicly available data. If the histograms match, then we can know which ciphertext value is which raw text value. lp-optimized attack: find the minimum cost assignment from ciphertext distribution to plaintext distribution (using some cost metric).
CCSec: Cumulative attack
An attack on order-preserving encryption. Can find the mapping of plaintext to ciphertext.
DA: Data Analysis Detection types Quiz
Anomaly: Model normal network and system behavior and identify deviations from the norm. Hybrid: Combination of misuse and anomaly detection. Misuse: Can detect known attacks using signatures of those attacks. Misuse: Can detect known types of attacks without generating a lot of false positives. Anomaly: Has the ability to detect zero-day attacks.
MbMal: Information leakage detection
App may not be intentionally malicious but could be leaking private information. One compares an app's description against its permissions to determine if it's malware (are expectations aligned with permissions?). Uses NLP.
DA: Mining patterns
Association of features (e.g. service=http, flag=20). Basic algorithm: association rules. Sequential patterns in activity records. Designating "essential" features to compute "relevant" patterns. Relevant patterns must describe the essential features - axis attributes, reference attributes.
Tcp: Tcp Protocol stack
At each layer, information gets added to the data. The TCP layer adds a TCP header to the data that needs to be sent. The IP layer adds an IP header to the TCP packet. The link layer adds a link header to create a frame. IP information cannot be protected by the transport layer. Network layer controls can protect the data within the packet as well as the IP information for each packet. A higher layer cannot protect the information of a lower layer, but a lower layer can protect the information from a higher layer. Data link layer controls cannot protect connections comprised of multiple links.
ML: Polymorphic attacks components
Attack vector - used for exploiting a vulnerability. Some parts can be modified but there is always a set of invariant parts (starting point of execution). Invariant parts must be small and exist in legitimate traffic. Attack body - malicious code for the attacker's purpose; shell code. Typically transformed or encrypted. Polymorphic decryptor - decrypts the shell code; can be transformed. Byte frequencies tend to be anomalous.
Session: hijacking
Attacker can steal a user's session token if listening to network traffic (if HTTPS is used for login but HTTP for subsequent requests). Can calculate the counter and view sessions of other users if they log in, or if the crypto MAC is weak. We want to use some randomly created session tokens. Can embed machine-specific data into the session ID, but there isn't a good choice for machine information that isn't guessable. So just use random crypto session IDs.
Session: Fixation
Attacker could set the session token for a URL and trick the user into clicking the URL. Set token using an XSS exploit. Gets an anonymous browsing session token for site.com. Sends a URL to the user with the attacker's session token. User clicks the URL to log in. Attacker uses the now-elevated session token to hijack the user's session. Website should always use a new session token when elevating a user from anonymous to logged in.
BC: Sybil attack quiz
Attacker creates a lot of fake identities and uses them to change voting outcomes or control the network. Attack is designed to attack reputation systems in a peer-to-peer network. Users giving up anonymity doesn't help to stop the attack.
Dns: Poisoning Attack In-depth
Attacker has a machine which initiates a request for a domain. Another machine floods the resolver with forged responses, trying to guess the query ID. If they don't guess the right one, they wait for the TTL then try again. On success, the local resolver now has a cached incorrect/malicious IP address for the domain for the TTL. Kaminsky: Send a request for a random domain (83.google.com) and flood the resolver with responses. If this fails, just try another random prefix. Wash, rinse, repeat. What makes this work is listing other sibling records in the response for the actual domain that you want to poison, so along with 83.google.com ###.###.###.### you'd list www.google.com 192.168.1.1. This has been shown to work in seconds.
Https: Http downgrading
Attacker intercepts traffic to an HTTPS site and presents a forwarded page to the user which only uses HTTP. So when the user logs in or does banking, the attacker sees all the information, but from the attacker to the server the connection is HTTPS. Now the attacker has all your info. Fix this by using HSTS (Strict Transport Security). Header tells the browser to always connect over HTTPS. All following visits must be over HTTPS. Refuses HTTP. HSTS flag is deleted when the user clears private data or after some expiry.
Dns: Rebinding quiz
Attacker registers a domain and delegates it to a server under its control. Attacker's server responds with a short TTL record. Short TTL record ensures that it can be rebound to another IP very quickly. Attacker exploits the same origin policy.
ATS: Redundancy quiz
Availability: Probability the system operates correctly at any given moment. Reliability: Ability to run correctly for a long interval of time. Safety: Failure to operate correctly does not lead to catastrophic events. Maintainability: Ability to easily repair a failed system.
ATS: Node connectedness quiz
Average node degree: nodes with the largest number of nodes connected to them. Node persistence: during a snapshot of internet traffic, these nodes are the ones most likely to appear. Temporal closeness: nodes that interact with the largest number of nodes.
Browser: same origin policy for cookies
Based on scheme, domain and path. Scope: domain and path. HttpOnly -> Do not allow client scripts to read. SameSite -> restricts cross-site requests (CSRF). Also has a Secure flag, requiring the HTTPS protocol.
Dns: Cache poisoning
Basic idea: give DNS servers false records and get them cached. DNS uses a 16-bit request identifier to pair queries with answers. Cache may be poisoned when a name server: disregards identifiers, has predictable IDs, accepts unsolicited DNS records.
Dos: Source Identification
Block attack at the source by filtering out requests which have spoofed their IP. Requires ISPs to implement this. If one ISP doesn't do it, though, then the internet can be DoSed through that ISP. So there is no incentive for deployment. As of 2014, 25% of autonomous systems are fully spoofable. 13% of announced IP space is spoofable.
Dos: Ingress Filtering
Blocking packets with incorrect source IP addresses. Best done at customer networks where traffic load is smallest, because it's computationally expensive and harder to verify the further from the source you get. Requires universal deployment to be effective.
Botnet: Detection challenges
Bot is not human. Bots are connected, activities are coordinated. Distinguish botnets from other attacks. For profit resources, frequent updates, net coordination. Enterprise networks, deploy detection at router.
Botnet: Bot miner
Botnet detection system that is independent of botnet structure and protocols.
Botnet: Detection on internet
Botnet must use internet protocols/services: Look up services (find C&C), hosting services (web servers, storage and distribution/exchange of attack related data), transport(BGP) (route/hide attack from bots to victims), identify the abnormal use of internet services that suggests botnet activities. DNS used by most bots for finding C&C.
Browser: Goals of web security
Browse web safely. No stolen info. Site A doesn't compromise a session in another site. Web apps should have the same security as stand-alone apps.
Https: Certificate Transparency
CAs must advertise a log of all certs they issued. Browser will only use a cert if it is published on a log server. Efficient implementation using Merkle hash trees. Companies can scan logs to look for invalid issuance.
Browser: CSP quiz
Can allow inline scripts to be run. Can whitelist a third-party widget. It's better to blacklist everything then whitelist as you know what's needed.
MbMal: Data flow analysis
Can be used to ensure there is no API misuse or data theft. Can be used to inform users of privacy issues. Very challenging given huge android codebase.
CC: Kernel level sec tool
Can detect and remove user-level malware, but cannot remove a kernel-level rootkit (untrusted driver) since it runs at the same privilege level.
Tcp: IP authentication.
Client is trusted to give the correct source IP. Can easily forge the wrong source IP, and there is no authentication built into IP. This enables anonymous DDoS/infection/malware attacks.
Dns: Example
Client looks up www.cc.gatech.edu. Local DNS resolver does this: 1. Asks root & edu DNS servers what the IP of www.cc.gatech is. Server says I don't know, but here is the DNS server for gatech.edu. 2. Asks gatech DNS server what the IP of cc.gatech.edu is. Server says I don't know, but here is the DNS server for cc.gatech.edu. 3. Asks cc.gatech.edu server where www.cc..... is. Server responds with IP.
CCSec: ORAM quiz
Client must have a private source of randomness. Data does have to be encrypted even though there is no access pattern. Each access to the remote storage must have a read and a write.
Tcp: Tcp handshake
Client sends SYN request. Server sends response with specifically generated numbers. ACK is sent from client to server (which now contains a sequence number). Connection is established. All further packets have their sequence number incremented by 1. Packets with an SN (sequence number) too far outside the expected window are dropped.
CC: Relevant cloud components
Cloud provisioning services, cloud data storage services, cloud processing infrastructure, cloud support services, cloud network/perimeter security, elastic elements: storage, processing, virtual networks.
Browser: Origin
Combination of URI (uniform resource identifier) scheme, hostname, and port number.
Tcp: IP routing
Connectionless: It's unreliable and "best effort". Not all packets get from A to B. Results: data corruption, lost packets, duplicate packets, out-of-order delivery. Ports are not part of the IP header. IP host knows the location of the router (gateway). IP gateway knows the route to other networks. If user data is too large, it gets fragmented into multiple packets and then reassembled at the destination. If the destination did not receive a particular packet, it sends an ICMP (Internet Control Message Protocol) packet to the source to indicate the packet was dropped. IP header can contain a TTL field. TTL decreases at every hop, and the packet is dropped if it reaches TTL==0. Prevents infinite loops.
Browser: Web attacker
Controls malicious site. Can obtain SSL/TLS certs for site. Waits for user to visit site. Sets up web app and waits for user to download app. Very passive, waits for users to interact. Network attacker: Passive and active attacker. Passive: eavesdropping. Active: evil router, DNS poisoning (change IP address of legit site to something the attacker controls), traffic injection. Malware attacker: Malware installed on user's computer. Escapes browser's isolation mechanism. Browsers may have exploitable bugs, and often enable remote execution of code. Other vulnerabilities such as cross-site scripting (XSS), SQLi (SQL injection), CSRF (cross-site request forgery),... mostly on
Browser: Cors quiz
CORS allows cross-domain communication from the browser. CORS requires coordination between server and client. CORS is widely supported. CORS header cannot be used (is no substitute for good security) to secure resources on a website.
BC: Double spending attack
Create a chain of transfers in which you give a coin to more than one person. Each person looks as if they own the coin. Main design challenge in digital currency.
BC: Transfer coins
Create a new statement that says pay this to person B. This message is signed by person A since he owns the coin. The message contains a reference to the coin which was transferred. Each transfer adds a new link to the list. So each coin contains all the transfers.
Crime: Botnet master
Create and operate a malicious network of compromised computers. Rent out botnets to other actors.
Crime: Crowdturfers
Create, verify, and manage fake accounts. Crowdsourcing to solve captchas for a fee.
Crime: Hosting providers
Criminals need bulletproof hosting providers which typically operate in lawless parts of the internet. Offers dedicated servers to other actors.
Browser: Crypto Checksums
Cryptographic hash functions that are one-way are less vulnerable to preimage attacks. Hash functions should not take a long time to calculate. Good cryptographic hash functions should employ an avalanche effect.
CC: Cloud sec Advantages
Data fragmentation/dispersal, dedicated security team, greater investment in security infrastructure, fault tolerance and reliability, greater resiliency, hypervisor protection against network attacks, possible reduction of Cert & auth activities (pre accredited clouds), simplification of compliance analysis, data held by unbiased party, low cost disaster recovery, on demand security controls, real time detection of system tampering, rapid reconstitution of services, advanced honeynet capabilities.
DA: Decision tree quiz
Decision trees can... Supplement honeypot analysis and penetration testing. Can highlight malicious activity. Can characterize known scanning activity. Can detect previously unknown network anomalies.
Crime: Deep web Dark web Surface web
Deep web is not indexed by search engines. Dark web is only on peer-to-peer networks, commonly using nonstandard protocols and ports. Surface web: the web as we know it, via search engines.
CCSec: Property preserving encryption (PPE)
Deployability: no change to application and database servers. Expressiveness: supports most common SQL queries. Efficiency: ~25% overhead. Secure. We can use different types of encryption to encrypt data where we want to preserve order or to preserve equality, so we can still analyze the data while it's encrypted.
ATS: Secret sharing
Distributes shares of secret among participants. Individual shares of no use on their own. Can only reconstruct secret when shares are combined together. Even if a single share has been compromised, the attacker cannot do anything with it.
ATS: Secret sharing math
Divide data into N pieces D_n. (k,n) threshold scheme: with k=n, all participants are required together to reconstruct the secret. Shamir's secret sharing: Choose at random k-1 coefficients a_1 ... a_{k-1}, and let the secret be a_0. q(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{k-1} x^{k-1}. We make the secret share a set of points q(y_i) where y_i is randomly chosen. Since k points uniquely determine a polynomial of degree k-1, once q(x) is determined, evaluate S = q(0) = a_0, which is the secret. So given any k shares we can reconstruct the secret. Any fewer than k and there is an infinite set of polynomials that would work for the set of k-1 points. There is also a modulo prime number p somewhere in there. Given (x_i, y_i) where y_i = q(x_i), use Lagrange interpolation to compute q(x). We could create many shares (n) but only have a degree k = n/2 polynomial. So this would require k shares before you could determine the secret. Shares can be added or deleted without affecting others. Easy to create new shares without changing the secret. Easy to create hierarchical schemes; some people might have more shares than others. Regardless of the computing power of the attacker, the best you can do with fewer than k shares is a random guess.
Dns: DNSSEC Signing
DNS resolving steps sign each step with the server's private key. So we can decrypt with the public key and know that the IP address indeed came from the authentic server.
Dos: Client Puzzles
During a DoS attack, every client solves a puzzle to slow down DoS traffic. This will slow down everyone, but the legitimate requests will be small in comparison to the DoS traffic, so real clients are less affected. Puzzle is hard to compute the answer for (2^n), easy to check (O(n)), i.e. in NP. Hardness of puzzle (n) can be decided based on attack volume. Hurts low-power computing devices a lot. Memory-bound functions scale better for machines with low CPU power, like cell phones.
Dos: Scanning: Random Scanning, Permutation Scanning, Signpost Scanning, Hitlist Scanning
Random scanning: Each compromised computer probes random addresses. Permutation scanning: All compromised computers share a common pseudo-random permutation of the IP address space. Signpost scanning: Uses the communication patterns of the compromised computer to find new targets. Hitlist scanning: A portion of a list of targets is supplied to a compromised computer.
ATS: Naive Crypto secret sharing quiz
Each of a set of parties keeps a share of the secret. PROBLEM: The more shares you have of the secret, the less work you have to do to guess the secret. Individual shares SHOULD be of no use on their own.
Https: SSL/TLS
Each person has a private/public key. Get public key from Cert Authority (CA). Users can verify that the certificate was properly certified via a CA. Subject's CommonName can be cc.gatech.edu or *.gatech.edu (* does not match .).
ML: Payload based anomaly detection system (PAYL)
Each service has its own unique network traffic patterns. Features are relative frequency of characters or their std dev. Can score packets based on their anomalous score.
Malw: Analysis Difficulty
From easy to hard to do: automated analysis, static analysis, interactive behavior analysis (running in an isolated environment), manual code reversing (disassembler/decompiler to recreate code). Also, in the list above, harder techniques yield more information.
Tcp: Security
Eavesdropping and packet sniffing can occur if a packet passes by an untrusted host. TCP state is easily obtained by eavesdropping, enabling spoofing and session hijacking (the attacker now knows the SN). Subject to DoS attacks.
Threat: Entropy quiz
Entropy is randomness for use in cryptography or other applications that require random data. Two sources of entropy: hardware sources and randomness generators. A lack of entropy will have a negative impact on performance and security.
DA: Entropy/Information Gain
Entropy: The minimum number of bits needed to represent the examples according to their class labels, or roughly how pure the examples are. If the examples are evenly distributed into different classes, the entropy is the maximum, if the examples are all in a single class, the entropy is minimum. Compute information gain and pick decision tree branch based on feature with highest gain.
Dns: Rebinding Attack
Essentially the attacker binds a corporate web server to look like it's on the same network as the malicious website. Now the browser can look up arbitrary documents since it's on the same origin. DNS pinning mitigates this. It refuses switching to a new IP. Interacts poorly with proxies, VPN, dynamic DNS. Not consistently implemented in all browsers. Server-side defenses: Check Host header for unrecognized domains. Authenticate users with something other than IP. Firewall defenses: External names can't resolve to internal addresses. Protects browsers inside the organization.
Pen: Penetration testing
Evaluate strength of all security controls: procedural, operational, technological. Benefits: Determine security of network, discover vulnerabilities, demonstrate threats. Scope: Can include social engineering, physical access. Scale: entire security network.
Botnet: Growth of botnet
Exploit-based propagation: infection grows exponentially in initial phase. Email-based propagation: exponential or linear. Drive-by egg download: sub-linear.
ML: Attacks on ML
Exploratory attack: attacker uses examples to find the decision boundary of the ML model, then crafts an attack to avoid detection. Also called evasion attack. Causative attack (data poisoning): attacker injects malicious examples to affect the ML training process, which as a result is not able to produce an effective ML-based model.
MbMal: iOS malware
FairPlay man-in-the-middle: attacker makes the user think he's bought an app from the app store and gets a malicious app installed on the user's device.
Dos: Edge Sampling (for traceback)
For traceback, store the starting router (p), ending router (p-1), and distance since starting router. There is a formula for how many packets on average are needed to reconstruct the path.
Browser: Frame security
Frame: Rigid division as part of a frameset. iFrame: floating inline frame. Why use frames? Separation of web content. Delegate screen area to content from another source. Browser provides isolation based on frames. Parent may work even if frame is broken. Frames can't really interact unless they are from the same origin. Frame-frame relationships: Is frame A allowed to execute script that manipulates arbitrary/nontrivial DOM elements on frame B? Can frame A change the origin of frame B? Frame-principal relationships: Can frame A read/write cookies from site S?
ATS: WWW robustness quiz
Internet has a high degree of tolerance towards random failures and a low degree of tolerance against attacks. Most successful attacks target the nodes that are most connected.
Tcp: S-Bgp
IPsec: secure point-to-point router communication. Public key infrastructure authorization for all S-BGP entities. Attestation: digitally signed authorizations. Address attestations prove authorization to advertise specified address blocks. Route attestations: validation of updates based on a new path attribute using PKI certificates and attestations. This requires repositories and tools to manage all this.
MbMal: Detection
Kirin - system that checks for suspicious combinations of permissions. RiskRanker - static analysis tool with manually defined suspicious features. DroidRanger - looked for loading native code from suspicious websites. DREBIN - uses an SVM to determine if an app is malicious. Easiest way to develop malware is to repackage a popular app with malicious activity. There are some similarity tools to detect repackaged malware. Behavior analysis - some use sys call information.
CCSec: Standard encryption
Leaks nothing except the size of the data.
Https: Certificate Pinning
Let a site declare CAs that are authorized to sign its certificates (similar to HSTS). On subsequent HTTPS, browser rejects certs issued by other CAs. TOFU: Trust on First Use.
CCSec: Dont trust cloud
Let's keep the application on our side and store data on the cloud. But this leaks data access patterns. Can use oblivious RAM.
Pen: Social
Liking: Desire to fit in and be more easily influenced by someone you like. Scarcity: A desire to pursue a limited or exclusive item or service. Commitment: A desire to act in a consistent manner. Social proof: Looking to others for clues on how to behave.
BC: Block chain
Linked list of hash pointers, with the head at the end (last) element of the list. In order for a hacker to change the data in a blockchain, he must change all the hash values, because one change in the data causes a rippling change of the hashes all the way back to the root node. And so if we just keep the root node, we can verify the integrity of the whole blockchain.
ML: Adversarial ML
ML in the context of attackers.
Browser: Subresource integrity
Many pages pull scripts and styles from many content delivery networks. Page author specifies hash of resources they are loading, browser checks integrity of hash. Browser can report violation and not execute resource. Or can just report the violation and still render the resource.
Browser: Modern Websites
Many parties contribute to the code on a website. Ads, third-party libraries, the content owners, page devs, service providers, data providers, cdns, other users, extension developers. Questions:
CC: Hypervisor sec
Put security tool in a separate virtualization. The security tool in one VM can do introspection into other vm through hypervisor.
CC: Main concern in moving to cloud computing
Security is the main concern
Crime: Spammers
Send out spam (typically from botnets)
ML: Poisoning attack goals
Stays undetected. Continues for a period of time. Causes damage to data.
Threat: Tcp/IP quiz
Tcp is used to break up and reassemble data into packets. IP is used to move packets from router to router.
Dos: Target of attack: Server Application, Network Access, Infrastructure
Server application: The attack is targeted at a specific application on a server. Network access: The attack is used to overload or crash the communication mechanism of a network. Infrastructure: The motivation of this attack is a crucial service of global internet operation, for example a core router.
DA: Generalization
The most important property of machine learning.
Tcp: Network tiers
Tier one: Network can reach every other network through peering. Tier two: Network that peers some of its network access and purchases some of it. Tier three: Network that purchases all transit from other networks.
MbMal: Produce stage
Toolchain attacks - XcodeGhost - infected version of Xcode; any app built with it is now infected. Could steal app name, device name/type, network type, system language and country, device UUID. Attack app store: review process can't find code which executes evil behavior, but a backdoor allows a different control flow than initially seen.
Tcp: Tcp
Transmission Control Protocol. Connection oriented, preserves order of packets. Breaks data into multiple packets. Attaches sequence number. Receiver acknowledges receipt; lost packets are resent. Packets are reassembled in original order.
CC: Security issues
Trust, multi-tenancy, encryption, compliance. Challenging - massive complex systems, simple primitives, and common functional units replicated thousands of times. Tractable problem however - There are both advantages and challenges.
Crime: Profit - Carders, Cashers, mules
Turn stolen bank accounts and credit cards into cash and help launder money.
Dos: Syn flood defense
Use a proxy to manage all syn requests. In an attack, it has plenty of power to manage the flood of requests, and it only forwards the completed ones on to their destination.
CC: Active monitoring
Uses hooks (like in libVMI) to know when certain events happen.
MbMal: Stamp
Uses static/dynamic analysis to determine if an app is malicious. Intended to be used in an app store. Focuses on data flows.
Https: Disadvantages
You need to buy an SSL certificate. Difficulty loading insecure content on a secure site. Proxy caching problems; public caching cannot occur (since all traffic is encrypted). Browser caching works properly. HTTPS doesn't use a lot of resources. HTTPS doesn't usually, but CAN, introduce latencies.
Threat: Zmap vs existing network scanners.
ZMap: eliminates local per-connection state to keep resources low (others keep all this info). Shotgun scanning: some hosts will not respond, but it will only send n probes per host. Sends scans as fast as the network allows. Probe-optimized network stack: bypasses inefficiencies by generating Ethernet frames. ZMap is ~1300 times faster than Nmap and has better coverage. Nmap scans time out; since ZMap doesn't keep track of state but has a deterministic response it's looking for, it never times out waiting for a response, therefore it has higher coverage.
CC: Storage Services
Adv: Data fragmentation/dispersal, automated replication, provision of data zones (by country), encryption at rest and in transit, automated data retention. Challenges: Isolation management/data multi-tenancy, storage controller (single point of failure/compromise), exposure of data to foreign governments.
Https: SSL/TLS Overview
Client sends hello msg. Server responds with public key cert. Browser verifies certificate. Client exchanges key. Now they have a shared key that they can send information back and forth with. Once this connection is established, it means that the browser trusted a CA certificate, that the cert was valid and not expired, and that the domain matched the cert common name (or subject alternative name).
BC: Coin transactions - Scrooge
Create coins: transaction creates new coins (signed by Scrooge). Pay coins: consumes coins, destroys them, and creates new ones resulting in the same total value, typically with new owners.
BC: Hash function
Easy to compute: computes a fixed-length output for a message of any size. One-way function: no way to find m from H(m). Designed to be collision efficient. Weak collision resistance: given m1, it is intractable to find m2 != m1 such that H(m2) = H(m1). Strong collision resistance: intractable to find m1 != m2 such that H(m1) = H(m2).
Dns: Defenses
Increase query ID size. Randomize source port, an additional 11 bits. Now the attack takes several hours.
Browser: Cookies - Scope setting rules
login.site.com can set cookies for site.com but not for another site or TLD (other.site.com, nah.com, .com). Path can be anything.
Malw: Ether
Malware analyzer that fulfills the malware analysis requirements (see Emulation Analysis Problems). Ether unpack extracts hidden code from obfuscated malware. Ethertrace records sys calls executed by obfuscated malware.
Crime: Underground forums
Many operate in plain sight. They can be found in Google search. Large volume of illicit goods and services are available. Law enforcement watches, but another can just start up. Useful for security professionals. Give researchers a view into the underworld. Allow white-hats to observe trends and detect unfolding attacks. Has buyers, sellers, and rippers (stealing from naive buyers or selling fraudulent goods). Mostly ads for request, sale, or trade. Deal done over private message.
ML: Polymorphic blending attacks
Matches the normal profile of legitimate traffic (byte frequency is similar).
CC: Security quiz
Most data in transit is encrypted. Only 10% of providers encrypt data at rest. Not all data at rest needs to be encrypted.
CC: Cloud sec challenges
Multiple International privacy laws. Need isolation management, multi-tenancy, logging challenges with distributed programs, data ownership issues (does google or their client own the data produced and used in their app?), quality of service guarantees, dependence on secure hypervisor, attraction to hackers, security of virtual OSs in the cloud, possibility for massive outages. public vs internal cloud security, lack of public SaaS version control. Encryption needs for cc: encrypting access to cloud resource control interface, administrative access to OS instances, access to applications, application data at rest.
Dns: Record types
NS: name server - points to other server. A: address - contains IP address. MX: address in charge of handling email. TXT: generic text (used to distribute site public keys (DKIM)).
Malw: Evolution
Network-level protection: Firewall - evaded by C&C protocol congruency (looks like normal traffic). IPS/IDS - evaded by custom encodings (hard to analyze some made-up encoding of data). Host-level protection: "Do you want the following program to make changes?" (uninformed user may click yes). Antivirus SW - traditional signature matching doesn't work well when the code is obfuscated.
Pen: Soc Eng Defense
Never disclose passwords. Limit IT information disclosed. Limit information in auto-reply emails. Escort guests in sensitive areas. Question people we don't know. Educate everyone about security. Centralized reporting of suspicious behavior.
ATS: Asynchronous distributed systems.
No guarantee of system reliability. Nodes may behave arbitrarily. Independent node failure. Attackers cannot indefinitely block a node from providing service and can't break crypto.
Malw: Reverse Eng emulator
No knowledge of bytecode program, no knowledge of emulator's code. Abstract variable binding: identify pointer variables within raw memory of emulator using access patterns. Identify candidate VPCs (instruction fetching). Identify emulator phases, identify decode-dispatch loop.
CC: Virtual box security
Not safe to share clipboard or allow vm to read/write files on host machine with same privileges as host machine. Safe to disconnect VM from internet when opening questionable files.
ATS: Attack tolerance
Fault tolerance does not imply attack tolerance and requires different methods. Redundancy is not a solution. Diversification: All instances should use a different implementation, across all layers of the stack. Each using a different security protection mechanism or different part of the program. Not all operations are checked all the time (efficiency). Very costly to implement and hard to implement. Moving target: Dynamically change network and system configuration. Many instances of system and network services.
ATS: System properties
Fault tolerance: Has both safety and liveness. Safety: even if system fails nothing serious happens. Liveness: clients can eventually receive replies to their requests. Need n = 3f + 1 replicas, where f is the maximum number of faulty replicas. By communicating with n-f replicas we can proceed, since f might not be responding. The f replicas that didn't respond may be non-faulty, so f of the responses may be faulty. n-2f > f, therefore n > 3f.
Pen: Scanning
Find which machine is up, which ports are open, what services are running, and the versions and configs of services. Look up vulnerabilities on the web based on this version of software (this version of Apache web server). Do research on what would break this software. Focus on most promising avenues of entry. Reduce frequency and volume of scanning and analysis. Randomize IP ports and IP addresses to be scanned in the sequence. Tools: Ping sweep: fping, nmap. TCP/UDP port scan: nmap, fscan. OS detection: nmap, queso.
Dos: Traceback
1. Append all nodes to packet. 2. Sample a single node with some probability - takes a lot of samples because order is not obvious. Takes a lot of samples to get a packet which preserved its node mark from the first router that sent it (p^N where N is routers in the path). 3. Sample edges so that order of routers is known. Now we just need enough packets and the order can be easily inferred. Also keep track of number of hops since the edge was recorded.
Threat: Certificate Chains
A browser trusts some root certificate authorities. Then the roots have a list of people they trust and can sign to trust other authorities and so on. The top certificate is a self-signed certificate (the original browser trusted certificate, first list in chain).
Session: Active/passive sess hijack
Active session hijacking involves disconnecting the user from the server once that user is logged on. Social engineering is required to perform this type of hijacking. In Passive session hijacking the attacker silently captures the credentials of a user. Social engineering not required.
ML: Polymorph. attack requirements
Adversary has knowledge of the IDS. Adversary can observe some normal packets going from adversary's network to victim. Adversary has an estimation of the false positive rate of the IDS.
Dns: quiz
All domain names and IP addresses are stored at the central registry. It can take several days for information to propagate to all DNS servers.
ML: Worm signature generation
Gather normal traffic, traffic clustered and classified, generate signatures from clusters. Store in firewall (NIDS). Traffic based flow classifiers include: Simulated honeynet, double honeynet, port-scanning detection, anomaly IDS.
Session: Overview
Always assume cookie data retrieved from client is adversarial (evil). Session tokens are split across multiple client state mechanisms: cookies, hidden form fields, URL parameters. Cookies themselves are insecure (CSRF, cookie overwrite). Session tokens must be unpredictable and resist theft. Ensure logout invalidates session on server.
Https: Forged Certificates
An attacker has a forged/rogue certificate so the user connects to the attacker via https (because it thinks the cert is good). And the attacker connects over https to the actual server. Now the attacker has established an https only man in the middle attack.
Botnet: Network monitoring
Attacks used to be well defined and obvious - Payload contains exploit to a vulnerability, volume/rate suggests DoS/spam/etc. Firewalls and network intrusion detection systems - Designed to identify attack traffic. Traditional firewalls/nids - Bypassed by mobile devices compromised while outside network perimeter, when brought in, they have bypassed firewall. Attack traffic is now very subtle, C&C traffic looks like normal http web traffic. Need more advanced net mon systems.
Threat: Internet wide security scanning
Benefits: Expose new vulnerabilities, track adoption of defensive mechanisms. Probing the entire address space with existing tools is both difficult and slow.
Botnet: Botnet
Botnet is a network of bots controlled by a bot master (attacker). Coordinated group of malware instances that are controlled via C&C channels. C&C: centralized (IRC, HTTP), distributed (P2P). Botnets are responsible for: more than 95% of all spam, all DDoS attacks, click fraud, phishing & pharming attacks, keylogging & data identity theft, distributing malware/spyware, anonymized terrorist & criminal communication.
Botnet: detection challenges
Bots are stealthy on the infected machines, bot infection is usually a multi-faceted and multi-phased process (looking at a specific aspect is likely to fail), bots are dynamically evolving (static/signature-based approaches may not be effective), botnets can have very flexible design of C&C channels (a solution very specific to a botnet instance is not desirable).
Botnet: Traditional security fails
Bots use packers, rootkits, and frequent updating to easily defeat antivirus tools. IDS/IPS - look at only a specific aspect (payload of exploit), do not have a big picture (bots are for long-term use). Honeypot: not scalable, passively waiting, bots can detect/discover honeypot/net, not a good botnet detection tool.
CC: Secure In-VM Monitoring (SIM)
Bring sec to traditional in-VM approaches. Addresses sec and performance requirements together (same sec as out-of-VM approaches, performance close to traditional in-VM approaches). Utilize hardware virtualization features (no hypervisor intervention during monitoring invocation, untrusted VM reads/writes are at native speed). Monitor's execution should not rely on untrusted code and data. Need isolation of security tool from untrusted VM.
Session: Storing session tokens
Browser cookies are insecure. URL links with embedded session IDs could be accidentally shared. Hidden form fields must result in form submission for every user action. Must choose a combination of these options.
Browser: How Cors Works
Browser sends Origin header with XMLHttpRequest request. Server can inspect Origin header and respond with Access-Control-Allow-Origin header for specific URLs (or all).
CCSec: Oblivious Ram
Can hide access patterns. For any fixed size request sequence, the associated storage accesses observed by the cloud are statistically independent of the request. (hide access pattern from cloud provider) Techniques: Operates on fixed size data blocks, encrypts blocks with ciphertext indistinguishability, dummy accesses/re-encryption/shuffling/etc.
Threat: Zmap probing
Can just probe IP addresses numerically. Must do in pseudo-random way. Zmap uses current_num * generator % prime; generator = 5 and prime = 7 will loop through numbers 1->6 in a random order. Generate a new generator (aka primitive root), and a new random starting address. Once the starting address is reached again, we know we're done.
Threat: Zmap
Can scan 98% of IPv4 address space on gigabit Ethernet within 45 minutes (for a single port).
Browser: Cookies client read/write
Can set or read cookie attributes or delete. HttpOnly cookies cannot be accessed by client-side scripts.
BC: bitcoin safeguards
Cannot steal bitcoins. But preventing double spending is only via probability. The more consensus you see that a bitcoin has been spent the more likely it is that it has indeed been spent.
DA: Feature construction from patterns
Compare and identify intrusion-only patterns. Parse each intrusion pattern. Identify the anatomy (reference and axis) and invariant information of an attack. Apply count, percent, and average operations to add temporal and statistical features.
Dos: Syn Flood alteration
Complete the tcp request. Then send request for a page over and over to take down website. With this the actual ip of the bots is revealed.
Dos: Captcha
Completely Automated Public Turing test to tell Computers and Humans Apart. Only process requests with a valid captcha solution.
Malw: Packing
Compressing/encrypting/obfuscating/transforming the executable in some way to hide its purpose. Code that reverses the pre-runtime transformation is included in the executable. A signature scanner that tries to identify malware by its unique strings would not be effective.
Dns: Dnssec
Guarantees: Authenticity of DNS answer origin, integrity of reply, authenticity of denial of existence. Accomplishes this guarantee by signing DNS replies at each step of the way. Uses public-key cryptography to sign responses. Typically uses trust anchors, entries in the operating system to bootstrap the process.
Dos: Spoofing - Subnet spoofing, random spoofing, fixed spoofing
Generate random addresses within a given address space. Generate 32 bit numbers and stamp packets with them. Spoofed address is the address of the target.
Pen: Escalating privilege
Get higher level access. Password cracking: john the ripper. Known exploits: Lc_messages, Getadmin, sechole.
Tcp: Bgp Attacks
Create a false route or kill a legitimate one: causes DoS. Sniffing: attacker controls a device along the victim's communication path. Hijack traffic from a legitimate host for routing to endpoints in a malicious network. Creating route instabilities has not been used by hackers yet because damage cannot be contained; it can blow back to the attacker. Unmasking the AS relationships by hacking the routing table reveals network topologies. Solutions: Autonomous system (AS) obtains certificate (ROA) from regional authority (RIR) and attaches ROA to path advertisement. Adverts without valid ROA are ignored. Defends against malicious AS but not a network attacker.
BC: Hash function quiz
Hash functions do not have a key. It's hard to find two messages with the same hash value. Hash functions are primarily used for message integrity.
Pen: Soc Eng Impersonation
Help desk: Attacker pretends to be an employee who needs help from helpdesk. Recover password, etc. Helpdesk doesn't usually require much info. Third-party authorization: Claim that third party has authorized access to sensitive information. More effective if the third party is not present/cannot be reached. Tech support: Attacker claims that company needs to reconfigure system and asks for user credentials. Roaming halls/tailgating: Passwords on sticky notes, important papers, etc., confidential conversations. Repairman: typically allowed access to facility. Plant listening devices. Users typically do not question people in uniform. Trusted authority figure: Pretends to be medical personnel, home inspector, school superintendent. Impersonate via phone or in person. Trust is perceived authority. Snail mail: Attacker sends mail asking for personal information, pretending to be authority. Users tend to trust printed material.
CC: Vm Monitoring challenges
High overhead. Invocation cost: requires switching to hypervisor when sec tool is invoked, especially for fine-grained monitoring (control flow goes from VM to hypervisor to VM running sec tool). Introspection cost: Accessing VM memory is slow.
Threat: Validating responses (zmap)
How can we validate packet responses without local per-target state? Encode secrets into mutable fields of probe packets that will have a recognizable effect on responses. Encode a hash of something deterministic into the sequence number, so we can calculate the returned ack number.
Malw: Emulation Analysis Problems
Emulation falls short. Attacks exploit the difference in execution between real machine and emulator and switch off their evil behavior when they know they are being watched. Identical notion of time. Network-based timing measurements. Impossible to identify all. Equivalent to the problem of detecting and removing covert channels - which is undecidable.
Https: Https
Encrypted using SSL/TLS. Allows secure channels over insecure network. Reasonable protection against man in the middle attacks. Can still provide security even when only one side of the communication is secure. HTTPS can slow down web servers if it's not implemented correctly. Designed to thwart network sniffers/observers.
Browser: html sandbox
Ensures iframe has unique origin and cannot execute JavaScript, no form submission, disable APIs, prevent content from using plugins, etc.
Dos: Traceback
Idea: Store the IP of a router along a path into the packet. If we do this probabilistically, then under a DoS attack, the majority of the packets are coming along some similar paths, so you can tell where the DoS attack is coming from because very quickly you get all the IPs along the path.
Browser: Cookies identified
Identified by name (userid), domain (login.site.com), path (/home/introduction).
Pen: Gaining Access
Identify a vulnerability of target from scanning and exploit it. Often done with preexisting tool/script. May need modification. May need to develop exploit yourself. Password eavesdropping: tcpdump, ssldump. File share brute forcing: NAT, legion. Password file grab: tftp, pwddump2. Buffer overflow: ttdb, bind.
Pen: Enumeration
Identify valid user accounts or poorly protected resource shares (file sharing). More intrusive probing than scanning step. Tools: List user accounts: Null sessions, dumpacl, sid2user, onsiteAdmin. List file shares: Showmount, NAT. Identify applications: Banner, telnet, netcat, rpcinfo.
ML: Misleading worm signature quiz
If we can completely control the training data gathering process and determine the authenticity and integrity of the data, then we don't have to worry about data poisoning. If the training data is obtained in an open environment, there is always the potential risk of poisoning attacks.
Pen: Social engineering techniques
Impersonation: helpdesk, third party authorization, tech support, roam halls/tailgate, trusted authority/repairman figure, snail mail. Computer based techniques: popup windows, instant messages and IRC, email attachments, email scams, chain letters and hoaxes, phishing websites.
Tcp: Address Attestation
Indicates that the final AS listed in the UPDATE is authorized by the owner of those address blocks. Contains information about: owner's certificate, AS to be advertising the address blocks, address blocks, expiration. These are digitally encrypted by the private key of the server. Protects BGP from erroneous updates.
Tcp: route Attestation
Indicates that the speaker or its AS authorizes the listener's AS to use the route in the UPDATE. Contains information about: AS's or BGP speaker's certificate issued by owner of the AS, the address blocks and the list of ASes in the UPDATE, the neighbor, expiration date. To verify a route: address attestation from each organization owning an address, address allocation certificate from each organization, route attestation from every AS along the path, certificate for each AS; all relevant CRLs must have been checked.
Crime: Botnets
Infected computers have spare CPU cycles, unique IP address and bandwidth. Botnets allow criminals aggregate control of infected machines. Command and Control (C&C): infrastructure for controlling bots. Often rented out.
Crime: Botnet
IRC channels (internet relay chat) are an easy way to send commands. Single command gets broadcast over Twitter account. Peer-to-peer botnets also. Most popular: Create command and control website and all bots connect to it. Domain name can be shut down by ISP. Can move domain to different IP every few seconds. Fast flux: moving to different IP very quickly (every few seconds). Random domain generation: botmaster and botnets generate random domains using the same algorithm (so they are the same) and try to connect. Bot master registers a few of these domains.
Botnet: Bothunter signature engine
Looks for specific signatures of malware
Botnet: Bothunter SLADE
Looks for unusual payload (egg download)
Dos: syn flood
Lots of TCP connection requests are sent to a server but the source is spoofed. Server tries to send back next part of handshake but gets no response. It must keep the state of the handshake in memory. Fills up server with backlogged handshakes. Defense: remove state from server (small performance overhead).
BC: Scrooge/append only
Make history append only and an authority is the only one allowed to sign for transfer of coins. This prevents double spending.
CC: libVMI
Open source introspection library, access to virtual addresses, kernel symbols, and more. Features: Read/write VM memory, virtual memory translation, find/map guest OS data structs, place monitoring event-hooks into guest (catch exceptions/page faults), pause guest and transfer control to callback function (hook), memory rwx events, rw events on registers, interrupt events, single step through instructions.
Browser: browser vs os
OS: Primitives: sys calls, processes, disk. Principles: users, discretionary access control. Vulnerab: buffer overflow, root exploit. Browser: Primitives: document object model, frames, cookie/local storage. Principles: origins, mandatory access control. Vulnerab: cross site scripting, cross site request forgery, cache history attacks.
Malware: Malware emulators
Obfuscate (pack) a binary emulator which runs some bytecode in an arbitrary language L. When running static analysis or automated tools, the emulator is what is analyzed (which has no malicious behavior), whereas the data in the program is what's malicious. Manual reverse engineering doesn't scale. In theory, automated reverse engineering of this is an undecidable problem. However, the emulator's fetch-decode-execute behavior can be identified at runtime.
ML: Evasion tactics
Obfuscating internal data: uses a number of tricks to run code that cannot be detected by the analysis system. Confusing automated tools: allows malware to avoid detection by technologies such as signature based antivirus software. Environmental awareness: allows malware samples to detect underlying runtime environment of the system it is trying to infect. Timing based evasion: used by malware to run at certain times or following certain actions taken by the user.
ML: Blending steps poly.
Observe traffic from A to B. Using IDS algo, generate estimated artificial normal profile. Create attack instance that matches normal art. profile (using shellcode encrypt, and padding). Launch attack, IDS should not detect these packets.
CC: Cloud comp characteristics
On demand self service, broad/wide network access, resource pooling or sharing, measured service, rapid elasticity.
Pen: cover tracks
Once total ownership of the target is secured, hiding this fact from sys admins becomes paramount, lest they quickly close off the avenue of attack. Clear logs: zap, event log gui Hide tools: rootkits, file streaming
ATS: Redundant services
One method, multiple services which vote for an output, given that non faulty systems can come to a consensus this will work.
CC: VM sec, monitor memory
Only reliable source to know current state of a running computer. Can find running/killed processes, encrypt keys, network socket data, OS level acct info, user input, screen captures, more...
Dos: Syn cookies
Only used during DoS attack. Does not modify TCP. Server must reject all TCP options because server discards the SYN queue entry.
CCSec: Order preserving encryption
Order is leaked as well as frequency of the data (equality of data<->encrypted data)
CC: Security - Privacy
PII: Personal identifiable information. Privacy impact assessment suggested requirements for cloud SLAs (security level agreements). Proof that SLAs have been satisfied. Contingency planning and disaster recovery for cloud, handling compliance. (HIPAA, PCI)
Malw: Packing in-depth
Packing tool is run on compiled binary; each packed binary looks different because a different encrypt key is used. Encrypted code looks like data, so any malware analysis will miss it. Server side polymorphism: Malware can constantly update itself, forcing malware defenders to start over their process to understand the malware's behavior.
CC: Monitoring types
Passive monitoring: viewing memory of application VMs from the security tool running on hypervisor without any timing synchronization between the two VMs. Active monitoring: viewing memory in an app VM from sec tool in hypervisor with event notification being sent from app VM to sec tool to permit monitoring at relevant times. Goal of monitoring: locate valuable data: find critical data structs within the raw memory view for the monitoring task.
Crime: Malware distribution model
Pay per install model
Threat: Certificate authorities
Places that vouch for a website's identity (he is who he says). Any CA can vouch for any website. No central repository of CAs, Don't know who to trust until you see a CA in the wild.
BC: Proof of work
PoW is costly/time consuming to produce, but easy/quick to verify. To earn a coin, miners of bitcoins do not have to complete some of the work in the block. Changing block requires regenerating all successors and redoing the work they contain.
ML: Polymorphism quiz
Polymorphic attack can change its appearance with every instance. Polymorphic attack has no predictable signature for the attack. Each instance of polymorphic code does not have a different or normal appearance.
Pen: Attacks
Popup window: Popup window that looks like Windows login credentials. IM & IRC: Imitate technical support desk. Redirect users to malicious sites. Trojan horse downloads install surveillance programs. Email attachments: Malicious software in attachment. Programs can be hidden. Executable pdfs, or confusing .docx.exe files. Email scams: More prevalent over time. Request basic information at beginning. Leads to financial scams. Chain emails: More of a nuisance than threat. Spread using social engineering techniques. Productivity and resource cost. Websites: Offer prizes but require a created login. Attacker harvests likely reused credentials/passwords. Reuse this information on other websites.
CCSec: Equality preserving encryption
Preserves equality (two equal values which are encrypted are still equal in their encrypted form). Leaks the frequency.
Browser: CSP Content sec policy
Prevent damage of XSS (cross site scripting). Restricts resource loading to a white-list (no dynamic loading). Prohibits inline scripts embedded in script tags, inline event handlers, and javascript: URLs. Disable JS eval(), new Function(). CSP HTTP header allows site to create whitelist, instructs the browser to only execute or render resources from those sources.
Session: Logout
Prevent others from abusing content. Steps: 1. Delete session token from client. 2. Mark server side session token as expired on server. Many sites do 1 but not 2. Risky for sites that fall back to HTTP after login. Network sniffers (man in middle) could see cleartext HTTP request and use the session after it's expired.
CC: (NIST) Deployment models
Private cloud inf. is operated solely for internal org. Cloud inf. is shared by several orgs and supports specific community that has shared concerns. Public cloud inf. is made available to public or large industry group. Hybrid is some combination of other three. Common characteristics among the four models: massive scale, homogeneity, virtualization, resilient computing, low cost software, geographic distribution, service orientation, advanced security technologies.
ML: Polymorphic blending attack quiz
Process should not result in abnormally large attack size. Blending needs to be economical in time and space. Attacks don't need to collect a lot of data to learn normal stats.
MbMal: Lifetime of iOS malware
Produce - Distribute - Do Evil - Make profit
CCSec: Encryption Quiz
Property preserving: Encrypted data is in the same order as the plain text. Searchable: Encrypted data that can be searched using encrypted keywords. Secure computation: Several parties can compute a function using inputs that are kept private. Homomorphic: Computations performed on encrypted data match the result of the computations on the plaintext. Functional: A secret key that allows someone to learn the function that is being encrypted.
BC: Distributed consensus
Protocol terminates when all correct nodes decide on the same value and value must have been proposed by some correct node. Peer to peer, broadcast transfer to all nodes. Implicit consensus: in each round a random node is picked. This node proposes the next block in the chain. Other nodes implicitly accept/reject this block, by either extending it or ignoring it and extending chain from an earlier block. Every block contains hash of the block it extends. So each node collects the new transactions into a block. In each round a random node gets to broadcast its block. Other nodes accept the block only if all transactions in it are valid. Nodes express their acceptance of the block by including its hash in the next block they create.
BC: Incentive
Provide monetary value to nodes that act honestly. OR transaction fees, creator of transaction can have cost.
Pen: Footprinting
Reconnaissance/information gathering: network IP addresses, phone #s, namespace acquisition, network topology. Tools: Open source search: google. Domain name/admin/IP addresses: whois, arin. DNS zone transfer: nslookup, dig, Sam Spade.
Dos: Capability based defense
Receiver can specify what packets they want. Sender requests capability in SYN packet (which should be rate limited). Receiver responds with capability. Reject packets without valid capability.
Dns: Caching
Records are cached on a local server to save time on DNS lookups. NS records for domains are also cached. Also caches negative results (does not exist). Each record has a TTL to state how long a record can be kept.
Botnet: Dns services
Recursive DNS monitoring at ISP. Analyze DNS traffic from internal hosts to a recursive DNS server of the network. Detect abnormal patterns/growth of popularity of a domain name, identify botnet C&C domain and bots. Common means of botnet propagation: (worm-like) exploit-based, email-based, and drive-by egg download.
ATS: Defense method, replication
Replicate the data and store at N different servers (shard). Confidentiality is now weaker. Attacker can get data from N servers now. Integrity and availability are better protected. Attacker needs to compromise majority of the N servers to damage integrity and availability.
Https: Whats Encrypted
Request URL, query params, headers, cookies. NOT: host address, port numbers, amount of data, length of session.
Dos: Route Hijacking
Rerouting traffic to prevent site from getting traffic
Dns: Query/response
Response contains IP addresses of next NS server (called "glue"). Response contains series of records. Final authoritative result contains the IP address of the requested domain (or verifies it doesn't exist).
Crime: Exploit devs
Reverse engineer software, find exploits, bugs that can be exploited. Sell for profit
Malw: Obfuscation Purposes
Rootkits help hide malware from users. Thoroughly mapping security sites and honey pots so as to avoid them - hides from antivirus security. Nuance based encryption methods hide malware from researchers.
Tcp: BGP Security
Routing information and updates are not authenticated. Someone can lie about a route change and redirect traffic to their own address. This happened in the Youtube-Pakistan mishap. Essentially anyone can hijack route. Each node in the network has information on how to get to any node. Anyone can inject advertisements for arbitrary routes. These false advertisements propagate everywhere. Used for DoS, spam, and eavesdropping. Paths might be changed such that inbound traffic is eavesdropped but outbound traffic is not. So the victim can't see that his inbound packets are being watched.
Browser: Web worker
Run in an isolated thread, loaded from a separate file. Has same origin as frame that creates it, but no DOM. Communicate using postMessage.
CC: Nist RISK
SaaS - Lost control, data sec, data locality risks, unauthorized access, over-privileged admin, no accounting & provider support, provider going broke, disaster. PaaS - Interop among cloud providers and legacy systems, service provider lock-in, SOA related issues, API related issues. IaaS - VM boundaries, trusting vendor's security equipment, identification of data sources, VM security, VM images repository, hypervisor security.
Browser: Sandbox
Safely execute JavaScript code provided by remote website. No direct file system access, limited access to OS, network, browser data, content that came from other websites. Same origin policy: Active code can only read properties from same origin. Users can grant privileges to signed scripts (Microsoft/Google/Apple scripts). Data not saved is lost when app closes. Lightweight, easy to set up. Changes not visible beyond boundaries. VM: Changes not visible beyond boundaries. Machine within machine. Disk space must be allocated.
Crime: Phishers
Scam sites to steal information. Work with spammers to spread attack
Botnet: Bothunter SCADE
Scan detection: inbound scan. Uses different weights for different types of scanning. Also scans for outbound scans.
Threat: Attacker intelligence
Scanning: Attacker uses the internet to obtain information on specific IP addresses. The kind of information gathered is: OS, services, and architecture of the target system. Footprinting: The attacker gathers information about a target. The kind of information gathered is DNS, email, servers, and the IP address range. Enumeration: The attacker gathers information on network user and group names, routing tables and simple network management protocol.
BC: Scrooge core problem
Scrooge has all the power, could require payment to publish transaction. We desire: single published blockchain with a history of all transactions. Agreement on which transactions are valid. Which transactions have occurred. Decentralized ID assignment. Decentralized mining of new coins.
CC: SIM Design
Security isolation by separating paged virtual address space. We run the sec tool on the same VM, but create virtual address spaces to provide security but keep the speed. SIM is much faster than the out-of-VM approach.
BC: Cryptocurrency quiz
Security of cryptocurrency ledgers depends on the honesty of its miners. Most cryptocurrencies are not designed to maintain production to keep inflation in check. Cryptocurrencies are pseudo-anonymous and less susceptible to law enforcement seizure.
Crime: Counterfeiters
Sell fake goods. Must be able to clear credit cards.
Dos: Amplification Bug Flood
Send a few packets and get a big result. For example sending a small request packet and requiring a big response. Spoof the destination IP and now you've got a ton of data heading to somewhere. Take advantage of bug in the system to take down the system. Command botnet to generate flood of requests.
Dos: Reflector
Send spoofed request to some service (such as DNS); the DNS sends a non-spoofed, authentic (it thinks) response to the victim (which ends up flooding the victim). A traceback shows the traffic coming from the DNS servers but stops there because that is where the traffic originated (the service probably won't store where it actually got the request from).
Threat: Zmap packet transmission
Sends all packets at Ethernet layer. No correlation between how fast we scan and the hit rate of a scan attempt. Slower scanning does not reveal additional hosts. Coverage: The more packets we send, since some fail, the more likely we are to receive a response from a host if indeed one exists. So we expect a plateau where at some point sending more packets returns practically the same number of hosts and provides no additional benefit.
Browser: Cookie sec problems
Server does not see all cookie attributes. Cannot see what server set cookie attribute. Malicious site could set session cookie to something else for another site. Network attacker can intercept and re-write https cookies. Path separation of cookies is only done for efficiency (scope), not security. Cookies have no integrity. User can change cookies. Can use cryptographic hashes made by server to ensure cookie has not changed.
Browser: Reading cookies on server
Server only sees cookies in its own scope, i.e. domain is right for that given site page, and secure if needed. A given site page gets all cookies that meet the minimum specs.
CC: Advantages/Challenges
Shifting public data to an external cloud reduces the exposure of the internal sensitive data. Cloud homogeneity makes security auditing/testing simpler. Clouds enable automated security management. Redundancy/disaster recovery. Challenges: Must trust vendor's security model. Customer inability to respond to audit findings. Obtaining support for investigations. Indirect administrator accountability. Proprietary implementations can't be examined. Loss of physical control.
CC: cloud service models
Software as a service: provides an application running on cloud. Platform as a service: Consumer created applications using programming langs/tools supported by provider. Infrastructure as a service: Capability provided to consumer to provision processing, storage, networks, and other fundamental computing resources. Examples: SaaS - Knowledge Tree. PaaS - Google apps, Salesforce. IaaS - AWS, Microsoft Azure.
MbMal: Data flows
Sources, sinks, flows. By analyzing the app description we can see that certain types of flows are expected. But by analyzing the actual data flow we can see that other flows occur that are not expected, and this is leakage.
Session: Http referrer header
States the last site you were on (before coming here). This could leak URL session tokens to third parties. Must suppress URL referral.
Malw: Analysis defenses
Static analysis was fought with polymorphism/metamorphism/packing/opaque predicates/anti-disassembly, which researchers fought back with dynamic malware analysis, which was fought with trigger-based behavior (logic bombs, time bombs, anti-debugging, anti-emulation, etc) which was fought with dynamic multipath exploration/forced execution.
Pen: Pilfering
Steal valuable information. Further gather info to allow access to trusted systems, so you can further exploit a system. Evaluate trusts: rhosts. Search for cleartext passwords: user data, configuration files, registry.
Pen: Pen testing methodology
Steps from first to last. Footprinting: General information about network. Scanning: Finding more detailed information about network (services available). Enumeration: Finds more targeting information such as user accounts. Gaining access: Finds vulnerabilities associated with network services, then exploits. Escalating privilege: Get root or sudo access. Pilfering: Steal information from network. Covering tracks: Hide evidence of break-in so it's hard to find out network was compromised. Create backdoors: Easy access for future malicious activities. (Loops back to gaining access).
Browser: Cookie types
Super: cookie with origin of top-level domain. Zombie: cookie that is regenerated after it's deleted. SameSite: can only be sent in requests originating from same origin as target domain. HttpOnly: Cannot be accessed by client-side APIs. Third-party: Belongs to domain that is different from one shown in address bar. Session: In-memory cookie. Does not have expiration date, deleted when browser is closed. Persistent: Has expiration date. AKA tracking cookies. Secure: Only transmitted over an encrypted connection.
Browser: Cross origin resource sharing (CORS)
Technique for relaxing the same-origin policy, allowing JS on a webpage to consume content from a different origin. A website whitelists domains.
Dos: Link testing
Test upstream links to see where attack is coming from. Attacker could change behavior or attack intermittently. Must determine common part of packet and use that to determine where traffic is coming from at each router. Requires cooperation of multiple ISPs when the attack crosses ISP boundaries. Try flooding a link and repeat until you find which upstream link attack is coming from, then repeat at the next upstream set of links. All link testing only works while the attack is in progress.
ML: Polygraph
The flow classification technique was not specified. Signature generation for polymorphic worms. Authors assumed that flow was not perfect and noise could be stored in the suspicious pool. Claimed that even with noise, it generates good signatures. Flows get classified into suspicious flows and innocuous flows. Conjunction and token-subsequences are not resilient to noise in the suspicious flow pool. Before creating ML signatures, it ran clustering, so it took out all the fake flows and created a model specifically for them. This can be fooled by creating pieces of data that are consistent between the worm and fake anomalous flow. This way clustering puts them together because they seem more similar. Also uses a Bayesian model to detect worms. Defeat this by injecting normal substrings into fake anomalous flows so that Polygraph cannot find a good threshold. No good way to filter noise and prevent data poisoning.
DA: Axis attribute
The most important attribute, e.g. service. Patterns must contain axis attribute values, so we can eliminate associations to non-essential attributes. Compute sequential patterns in two phases: associations using the axis attributes, sequential patterns from the associations.
DA: Reference attributes
The reference subject of a sequence of related actions, e.g., connections to the same destination host.
Botnet: Apt quiz
The worst quiz ever. https://youtu.be/DBukHMJzO8g Which info should be considered in order to identify source of an APT attack: source IP of TCP-based attack packets, coding style of malware, inclusion of special libraries with known authors, motives of the attack, language encoding.
DA: Considerations for selecting a dataset for training (quiz)
There is no perfect way of labeling data, therefore there is no perfect IDS dataset. Selecting a correct baseline dataset for your network. Selecting a dataset that has a range of intrusion attacks.
Malw: Analysis
Understand malware behavior - Network/host level detection/blocking - Threat analysis. Malware can change its behavior if it detects it's being observed. Need transparency to the malware. Malware analyzer should be at a higher privilege level than the malware. No non-privileged side effects. Same instruction execution semantics, exception handling, notion of time as if analyzer not present. In-guest tools: no higher privilege, non-privileged side effects, and exception handling issues. Reduced privilege guests (VMware): non-privileged side effects. Emulation (QEMU, Simics): no identical instruction execution semantics.
Botnet: Use of Dynamic DNS
Use dynamic DNS so that they can change the C&C server at any time. Can detect anomalies such as the site not showing up on Google search but the botnets can get it. Can have ISPs disable the site.
ML: Countermeasures to poly blend attacks
Use more complex models which use syntax/meanings of web contents instead of just statistics. Use multiple simple IDS. Use randomness in IDS model.
DA: Feature Construction Problem
Use temporal/statistical patterns, (lots of S0 connections to same service/host within short time window).
Dns: Vulnerability
User/host must trust the host-address mapping given by DNS. Used for many security policies such as same origin policy. Interception of requests or compromise of DNS servers can result in malicious responses. Can use cryptography to prevent this. DNSSEC is an example solution.
Pen: Social engineering
Users are weakest link in security. How vulnerable is the user population? Which are more vulnerable than others? Find policy gaps / fix / create new policies. Users can be manipulated into undermining their own security system. Abuses the trusted relationships between employees. Very cheap for the attacker. Attacker does not need any specialized tools/skills/equipment.
Dns: Packets
Usual IP and UDP header. Payload is DNS data: contains query ID. Response to packet has the same query ID. RD - recursion desired - do recursive lookups on my behalf. OP=0 - standard query. QR=0 - this is a query. QR=1 - this is a response. AA=0 - not authoritative - I don't know the IP address, but here is someone who should. AA=1 - authoritative - here is the thing you asked for. RA=0 - recursion unavailable - I'm not going to continue looking for you, here are your results.
Botnet: Domain used for C&C
Usually domains are bought in chunks so that the attacker can reduce leaving financial information about who he is. DNS lookup behavior of botnets: Bots look up C&C as soon as they boot/get internet. Huge spike in DNS requests because of time zones (9am to 5pm). Normal DNS lookup behavior is a lot smoother; humans don't immediately go to the same site. Source IP dispersion in DNS lookups (local or global popularity of the domain), distributed in many networks, and IP changes a number of times.
CC: Virtualization quiz
Virtualization requires at least one instance of application or resource that's shared by different organizations. Sharing between organizations is accomplished by assigning a logical name to the resource and then giving each request a pointer to the resource. Virtualization involves creating a virtual machine using existing hardware and operating systems. The virtual machine is logically isolated from the host hardware. Type 1 hypervisor does not have a host operating system because it is installed on a bare system. Type 2 hypervisor emulates the devices with which a system normally interacts.
CC: Foundational elements
Virtualization, grid technology, service oriented architectures, distributed computing, broadband networks, browser as a platform, free and open source software.
Pen: create backdoors
Want subsequent access to be easy. Lay out backdoors in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides to return. Make these doors to make the activity look normal and inconspicuous. Create rogue user accounts: schedule batch jobs: infect startup files: plant remote control services: install monitoring mechanism: replace apps with trojan:
BC: Digital signatures
We want signatures from owner only, but anyone can verify. Signature is tied to a particular document and can't be cut-pasted to another document. Signature has private signing key, and public verification key. Can use the public key as an identity. Identities are called addresses in bitcoin.
Browser: Threat model
Web sec threat model: Attacker sets up malicious website. Waits for users to visit site. Attacker does not control the network. Network security threat model: Attacker intercepts and controls the network. Could intercept data, man in middle. Inject malicious traffic.
Crime: Pay per install Doorway page Crypters Blackhat search engine optimizer Trojan download manager
Webpage lists many keywords hoping search engine lists this as result, but scripts redirect to compromised pages. Hides malicious code from anti-virus software. Increases traffic to attacker's site by manipulating search engines. Allows attacker to upload or install malware on victim computer.
Botnet: detection quiz
What behaviors would indicate a botnet? Linking to established C&C server, generating internet relay chat (IRC) traffic using a specific port range (generating DNS requests is not a good indicator), generating SMTP emails/traffic, reducing workstation performance/internet access to the level that it is noticeable to users.
Botnet: Botminer
What can botnets do to evade C-plane clustering? - Manipulate communication patterns, introduce noise in the form of random packets to reduce similarity between C&C flows. What can botnets do to evade A-plane monitoring? - Perform slow spamming, use undetectable activities (spam sent with Gmail, download exe from HTTPS server).
Pen: When should I penetration test
When infrastructure is changed, applications are changed, end-user policies are changed, security patches installed.
Threat: Public key sharing
When a public key is comprised of n = p * q, if p is shared between machines (but q is different), it becomes very easy to compute the GCD of the two machines' n values to come up with p, and then you can calculate the private key very easily; computing the GCD is trivial. Many embedded systems don't have access to a realtime clock or other sources of randomness, so the randomness is a deterministic type of randomness. Urandom may be predictable for a short time after boot.
ML: Noise Injection attack
Worm regularly sends out worm traffic to spread, but it also sends out fake anomalous flows (can be benign, but looks like a worm). The fake data makes it difficult for the ML algo to find the real signatures or to generate good signatures. This affects all traffic based flow classifiers.
Browser: Browsing context
A frame with its DOM. A web worker (thread), which does not have a DOM. Browsing contexts are separated by same-origin policy. Can call postMessage to intercommunicate.
Botnet: DNS names
Botnet domains typically have random domain strings. Sensible/real domain names have been registered for legitimate use. Look for growth of these suspicious domains.
CC: cloud computing
Convenient, on-demand shared configurable resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
BC: Cryptocurrency Create coin
Create a coin string based on a unique coin ID. Compute signature of the coin using private key. String together with signature is a coin. Anyone can verify that the coin is valid by decrypting the signature with the public key (which is the identity of the person who owns the key).
BC: Wallet quiz
Hot wallet is connected to internet. Cold wallet is offline. Desktop wallet is used on laptops or PCs. Mobile wallets are QR code capable with instant payments. Online wallets provided on the cloud. Hardware wallet: developers make use of top grade cryptography.
Pen: Persistence
Install backdoor or malware to create permanent foothold in network. Malware placed in specific place. Insertion of proxies or man in middle systems to record/listen. Can capture user credentials and valuable information. Can move all this around to different users to hide tracks.
CC: Platform virtualization
Key is the hypervisor or VM monitor. Enables guest OS to run in isolation of other OSs. Run multiple types of OSs. Increases utilization of physical servers, enables portability of virtual servers between physical servers. Increases security of physical host server.
Browser: Same origin policy (SOP)
protocol://domain:port/path?params. SOP for DOM: A can access origin B's DOM if A and B have the same protocol, domain and port. SOP for cookies: Generally based on protocol, domain and path; protocol is optional.
Crime: Exploits as service
Some people develop exploits, others buy and use them. Can buy an exploit kit and deploy themselves or can rent access to exploit servers that host exploit kits. Spam/phishing to attract traffic to exploit server to get malware installed. Pay per install is a variant where you bundle a traffic acquisition system and exploit server, and you pay per install.
Session: Session token
Token must be stored somewhere. Tokens expire, but there should be a way to revoke them if needed. Token size is a concern.
Botnet: bot hunter
Vertical dialog correlation. Correlates multiple events that belong to lifecycle of a bot. Scan network, send exploit, egg download (malware download), IRC (connect to C&C) -> more scanning to compromise more systems. Egress point (internal - external), search for duplex comm sequences that map to infection lifecycle model; stimulus does not require strict ordering, but does require temporal locality. Dialog based correlation - Probability that a host is a bot increases as more suspicious events occur during a given time period (some events are more heavily weighted).
