Net Sec

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Tcp: Random initial sequence numbers

If SNs weren't random initially, the attacker could easily create a tcp session for some source (victim) and then send commands on its behalf. If an attacker could guess the tcp SN, then they could send a command to end the connection, causing DoS if they do this with all traffic.

Crime: Characteristics of spam

Inappropriate or irrelevant large number of recipients.

Browser: Execution model

1 Load content 2 Render content (process html, javascript) 3 Responds to events Events: user actions, clicking rendering: loading, timing

Crime: Spamers

>90% email sent is spam Have lists of people send messages for other people Send malware or phish Use botnets to send spam, need many IPs or will easily get blocked Typically part of a scam campaign. Legit looking websites or customer service

Botnet: Bot

A bot is often called a zombie because it is a compromised compromised computer controlled by malware without the consent and knowledge of the user.

Browser: Browsing Context

A frame with its dom A web worker (thread, javascript running in background independent of ui) which does not have a dom Every context has an origin (protocol host port) Isolated from other by same origin policy May communicate to others using postMessage, Can make network requests using XHR (XML HTTP request) or tags (<image...>) OS Process context Separation/isolation of different programs. Similar to how browser isolates different web sessions. Modern structuring mechanisms

BC: Hash pointer

A pointer to where the data is stored, and its hash so you can tell the data hasn't changed.

Session: Session

A sequence of requests and responses from one browser to N sites. Session can be long or short Without sessions, users would have to reauthenticate. Authorize user once; all subsequent requests are tied to the user.

Tcp: Routing protocol security

ARP: Malicious node can lie to gateway and say "I"M THE GUY YOU"RE LOOKING FOR" and send his MAC address. If it gets there before the actual node, the malicious node gets the data. Traffic can be read or injected into The other nodes session. BGP:

MbMal: Android Malware

Accutrack - hidden gps tracker Ackposts - steals contact info Acknetdoor - opens backdoor to infected device and sens ip to remote server. Steek/fatakr - steal privacy info/send sms Tapsnake/droisnake - posts phones location to web service. Zertsecurity/zitmo/citmo - steals banking info Risk of android malware is low

Tcp: Protocols

Address resolution protocol (ARP): Protocol designed to map ip network addressees to the hardware addresses used by a data link protocol. Gets mac address of computer with requested IP address. Reply says, "HERE I AM. Heres my Mac." Open shortest path first(OSPF): Protocol uses a link state routing algorithm and falls into the group of interior routing protocols. Looks for lowest cost path between nodes. Border gateway protocol(BGP) : Protocol designed to exchange routing and reachability information among autonomous systems (AS). AS's exchange/learn the IP address prefixes of all computers in each connected network, so they know how to send information around, and they work together to do so. Basically these are lower and lower routing algorithms. BGP is the highest, OSFP is lower, and ARP is the lowest. Routing among domains is determined by BGP. routing inside each domain is determined by OSPF (or similar things).

CC: Processing infrastructure

Adv: Ability to secure masters and push out secure images to shards Challenges: Application multi-tenancy, reliance on hypervisors, process isolation/application sanboxes.

CC: Network/Perimeter Security

Adv: DDoS protection, VLAN capabilities, perimeter security (IDS, firewall, authentication). Challenges: Virtual zoning with application mobility, creating different areas where applications run is hard.

CC: Support services

Adv: ON demand security controls (auth, logging, firewalls) Challenges: Additional risk when integrated with customer applications (can customer apps cause security risks?), needs certification and accreditation as separate application, code updates.

CC: Provisioning services

Adv: rapid reconstitution of services, enables availability, advanced honeynet capabilities Challenges: impact of compromising the provisioning service (if the cloud is compromised, you have a problem).

CCSec: Frequency analysis attack

An attack on equlity preserving encryption. Compare the histograms (distribution) of encrypted data to the distribution of public available data. If histograms match, then we can know what cyphertext value is the raw text value. lp-optimized attack: find minimum cost assignment from cyphertext distribution to plain text distribution. (use some cost metric).

CCSec: Cumulative attack

An attack on order preserving encryption. Can find mapping of plain text to cyphertext.

DA: Data Analysis Detection types Quiz

Anomoly: Model normal network and system behavior and identify deviations from the norm Hybrid: combination of misuse and anomaly detection Misuse: can detect known attacks using signatures of those attacks Misuse: Can detect known types of attacks without generating a lot of false positives Anomaly: Have the ability to detect zero-day attacks.

MbMal: Information leakage detection

App may not be intentionally malicious but could be leaking private information. One compares an apps description against its permissions to determine if its malware. (are expectations aligned with permissions), Uses NLP.

DA: Mining patterns

Association of features, (eg service=http, flag = 20) Basic algorithm association rules. Sequential patters in activity records. Designating "essential" features to compute "relevant" patterns. Relevant patterns must describe the essential features - axis attributes, reference attributes.

Tcp: Tcp Protocol stack

At each layer information gets added to the data. Tcp layer adds tcp header to data that needs to be sent. Ip layer adds ip header to tcp packet link layer adds link header to create a frame. Ip information cannot be protected by the transport layer Network layer controls can protect the data within the packet as well as the ip information for each packet. A higher layer cannot protect the information of a lower layer. But a lower layer can protect the information from a higher layer. Data link layer controls cannot protect connections comprised of multiple links.

ML: Polymorphic attacks components

Attack vector used for exploiting vulnerability. Some parts can be modified but there is always a set of invariant parts (starting point of execution). Invarant parts must be small and exist in legitimate traffic. Attack body - malicious code for the attackers purpose; shell code. Typically transformed or encrypted. Polymorphic decryptor - Decryptes the shell code, can be transformed. Byte frequencies tend to be anomalous

Session: hijacking

Attacker can steal users session token if listening to network traffic (if https for login but http for subsequent requests) Can calculate the counter and view sessions of other users if they login, or if the crypto MAC is weak. We want to use some randomly created session tokens. Can embed machine specific data into session id. But there isn't a good choice for machine information that isn't guessable. So just use random crypto session ids.

Session: Fixation

Attacker could set session token for url and trick user to clicking url. Set token using xss exploit. Get anonymous browsing session token for site.com Sends url to user with attackers session token. User clicks url to login Attacker uses now elevated session token to hijack users session. Website should always use new session token when elevating user from anonymous to logged in.

BC: Sybil attack quiz

Attacker creates a lot of fake identities and uses them to change voting outcomes or control the network. Attack is designed to attack reputation systems in a peer-to-peer network. Users giving up anonymity doesn't help to stop the attack.

Dns: Poisoning Attack In-depth

Attacker has a machine which initiates a request for a domain. Another machine floods the resolver with forged responses, trying to guess the query id. If they don't guess the right one, they wait for TTL then try again. If success, then the local resolver now has a cached incorrect/malicious IP address for the domain for the TTL. Kaminsky: Send request for a random domain (83.google.com). And flood the resolver with responses. If this fails just try another random prefix. Wash, rinse, repeat. What makes this work is listing other sibling records in the response to the actual domain that you want to poison, so along with 83.google.com ###.###.###.### you'd list www.google.com 192.168.1.1 This has shown to work in seconds.

Https: Http downgrading

Attacker intercepts traffic to an https site and presents a forwarded page to the user which only uses HTTP. So when the user logs in or does backing, the attacker sees all the information, but from the attacker to the server the connection is https. Now the attacker has all your info. Fix this by using HSTS (strict transport security). Header tells browser to always connect over https? All following visits must be over https. Refuses http. HSTS flag deleted when user clears private data or after some expiry.

Dns: Rebinding quiz

Attacker registers a domain and delegates it to a server under its control. Attackers server responds with a short ttl record. Short ttl record ensures that it can be rebound to another IP very quickly. Attacker exploits the same origin policy

ATS: Redundancy quiz

Availability: Probability the system operates correctly at any given moment Reliability: ability to run correctly for a long interval of time Safety: failure to operate correctly does not lead to catastrophic events. Maintainability: ability to easily repair a failed system.

ATS: Node connectedness quiz

Average node degree: nodes with the largest number of nodes connected to them. Node persistence: during a snapshot of internet traffic, these nodes are the ones most likely to appear Temporal closeness: nodes that interact with the largest number of nodes.

Browser: same origin policy for cookies

Based on scheme, domain and path. Scope: domain and path HttpOnly -> Do not allow client scripts to read SameSite -> restricts cross site requests (CSRF). also has a secure flag, requiring https protocol

Dns: Cache poisoning

Basic idea: give dns servers false records and get it chached. Dns uses a 16-bit request identifier to pair queries wtih answers. Cache may be poisoned when a name server: disregards identifiers has predictable ids accepts unsolicited dns records.

Dos: Source Identification

Block attack at source by filtering out requestes which have spoofed their IP. Requires isp to implement this. If one isp doesn't do it though, then the internet can be DoSed from through that ISP. So there is no incentive for deployment. As of 2014, 25% of auto systems are fully spoofable. 13% of announced IP space is spoofable

Dos: Ingress Filtering

Blocking packets with incorrect source ip addresses. Best done at customer networks where traffic load is smallest because its computationally expensive, and harder to verify the further from the source you get. Requires universal deployment to be effective.

Botnet: Detection challenges

Bot is not human. BOts are connected, acitivies are coordinated Distinguish botnets from other attacks. FOr profit resources, frequent updates, net coordination. Enterprise networks, deploy detection at router

Botnet: Bot miner

Botnet detection system that is independent of botnet sturcture and protocols.

Botnet: Detection on internet

Botnet must use internet protocols/services: Look up services (find C&C), hosting services (web servers, storage and distribution/exchange of attack related data), transport(BGP) (route/hide attack from bots to victims), identify the abnormal use of internet services that suggests botnet activities. DNS used by most bots for finding C&C.

Browser: Goals of web security

Browse web safely No stolen info Site a doesn't compromise session in another site Web apps should have same security as stand alone apps

Https: Certificate Transparency

CAs must advertise a log of all certs they issued Browser will only use a cert if it is published on a log server. Efficient implementation using merkle hash trees Companies can scan logs to look for invalid issuance.

Browser: CSP quiz

Can allow inline scripts to be run Can whitelist a thirdparty widget Its better to blacklist everyting then whitelist as you know whats needed.

MbMal: Data flow analysis

Can be used to ensure there is no API misuse or data theft. Can be used to inform users of privacy issues. Very challenging given huge android codebase.

CC: Kernel level sec tool

Can detect and remove user level malware, but cannot remote kernel level rootkit (untrusted driver) since it runs at same privilege level.

Tcp: IP authentication.

Client is trusted to give correct source ip. Can easily forge the wrong source ip and there is no authentication built into IP. This enables anonymous DDos/infection/malware attacks.

Dns: Example

Client looks up www.cc.gatech.edu Local dns resolver does this: 1. Ask root & ude dns servers what ip of www.cc.gatech is. Server says I don't know. But here is the dns server for gatech.edu. 2. asks gatech dns server what ip of cc.gatech.edu is. Server says i don't know but here is the dns server for cc.gatech.edu. 3. Asks cc.gatech.edu server where www.cc..... is . Server responsd with IP.

CCSec: ORAM quiz

Client must have private source of randomness Data does have to be encrypted even though there is no access pattern Each access to the remote storage must have a read and a write.

Tcp: Tcp handshake

Client sends syn request Server sends response with specifically generated numbers. Ack is sent from client to server (which now contains a sequence number). Connection is established. All further packets have their sequence number incremented by 1. Packets with a SN (sequence number) too far outside the expected window are dropped.

CC: Relevant cloud components

Cloud provisioning services cloud data storage services cloud processing infrastructure cloud support services cloud network/perimeter security elastic elements: storage, processing, virtual networks.

Browser: Origin

Combination of URI (uniform resource identifier) scheme, hostname, and port number.

Tcp: IP routing

Connectionless: Its unreliable and a "best effort". Not all packets get from A to B. Results: data corruption, lost packets, duplicate packets, out of order delivery. Ports are not part of IP header. Ip host knows location of router (gateway) Ip gateway knows route to other networks. If user data is too large, it gets fragmented into multiple packets and then reassembled at destination. If destination did not receive a particular packet, it sends a icmp packet to source to indicate packet was dropped. (Internet control message protocol) IP header can contain ttl field. ttl decreases at every hop. And packet is dropped if packet reaches ttl==0. P{revents infinite loops.

Browser: Web attacker

Controls malicious site Can obtain ssl tls certs for site Wait for user to visit site Setup web app and wait for user to download app. Very passive, waits for users to interact. Network attacker: Passive and active attacker. Passive: eavesdropping Active: evil router, dns poisoning (change ip address of legit site to something the attacker controls), traffic injection Malware attacker: Malware installed on users computer. Escapes browsers isolation mechanism. Browsers may have exploitable bugs, and often enable remote execution of code. Other vulnerabilities such as Cross site scripting (XSS) SQLi (SQL injection), CSRF(cross site request forging),... mostly on

Browser: Cors quiz

Cors allows cross-domain communication from the browser Corrs requires coordination between server and client Cors is widely supported Cors header cannot be used (is no substitute for good security) to secure resources on a website.

BC: Double spending attack

Create a chain of transfers which you give a coin to more than one person. Each person looks as if they own the coin. Main design challenge in digital currency.

BC: Transfer coins

Create a new statement that says pay this to person B. This message is signed by person A since he owns the coin. The message contains a reference to the coin which was transferred. Each transfer adds a new link to the list. So each coin contains all the transfers.

Crime: Botnet master

Create operate malicious network of compromised computers. Rent out botnets to other actors

Crime: Crowdturfers

Create, verify, and manage fake accounts. Crowdsourcing to solve captchas for a fee.

Crime: Hosting providers

Criminals need bulletproof hosting providers which typically operate in lawless parts of the internet. Offers dedicated servers to other actors.

Browser: Crypto Checksums

Cryptographic has functions that are one-way are less vulnerable to preimage attacks Hash functions should not take a long time to calculate Good cryptographic hash functions should employ an avalanche effect

CC: Cloud sec Advantages

Data fragmentation/dispersal, dedicated security team, greater investment in security infrastructure, fault tolerance and reliability, greater resiliency, hypervisor protection against network attacks, possible reduction of Cert & auth activities (pre accredited clouds), simplification of compliance analysis, data held by unbiased party, low cost disaster recovery, on demand security controls, real time detection of system tampering, rapid reconstitution of services, advanced honeynet capabilities.

DA: Decision tree quiz

Decision trees can... Supplement honeypot analysis and penetration testing. Can highlight malicious activity Can characterize known scanning activity. Can detect previously unknown network anomalies.

Crime: Deep web Dark web Surface web

Deep web is not indexed by search engines. Dark web is only on peer to peer networks, commonly using nonstandard protocols and ports Surface web: the web as we know it, via search engines.

CCSec: Property preserving encryption (PPE)

Deployability: no change to application and database servers. Expressiveness: supports most common sql queries Efficiency: ~25% overhead. Secure We can use different types of encryption to encrypt data that we want to preserver order to preserver equality so we can still analyze the data while its encrypted.

ATS: Secret sharing

Distributes shares of secret among participants. Individual shares of no use on their own. Can only reconstruct secret when shares are combined together. Even if a single share has been compromised, the attacker cannot do anything with it.

ATS: Secret sharing math

Divide data into N pieces Dn (k,n) threshold scheme. with k=n all participants are required together to reconstruct the secret. Shamirs secret sharing: Choose at random k-1 coefficients, a1...ak-1. And let Secret be a0. q(x) = a0 + a1x + a2x^2.... ak-1x^k-1 We make the secret share a set of points q(yi) where yi is randomly chosen. Since k points uniquely determining a polynomial of degree k-1, once q(x) is determined then evaluate S=q(0) = a0 which is the secret. So given any k shares we can reconstruct the secret. Any fewer k and there are an infinite set of polynomials that would work for the set of k-1 points. There is also a modulo prime number p somewhere in there. Given (xi,yi) where yi=q(xi), use lagrange interpolation to compute q(x) We could create many shares (n) but only have a degree k = n/2 polynomial. So this would require k shares before you could determine the secret. Shares can be added or deleted without affecting others. Easy to create new shares without changing secret. Easy to create hierarchichal schemes, Some people might have more shares than others. Regardless of computing power of attacker, the best you can do with less than k shares is a random guess.

Dns: DNSSEC Signing

Dns resolving steps sign each step with the servers private key. So we can decrypt with the public key and know that the ip address indeed came from the authentic server.

Dos: Client Puzzles

During DoS attack, every client solves a puzzle to slow down DoS traffic. This will slowdown everyone. But the legitimate requests will be small in comparison to the DoS traffic so real clients less effected. Puzzle hard to compute answer (2^n) easy to check (O(n)). Ie in NP Hardness of puzzle (n) can be decided based on attack volume. Hurts low power computing devices a lot. Memory bound functions scale better for machines with low cpu power like cell phones.

Dos: Scanning Random Scanning Permutation Scanning Signpost Scanning Hitlist Scanning

Each compromised computer probes random addresses All Compromised computers share a common psuedo-random permutation of the ip address space. Uses the communication patterns of the compromised computer to find new target A portion of a list of targets is supplied to a compromised computer.

ATS: Naive Crypto secret sharing quiz

Each of a set of parties keeps a share of the seecret. PROBLEM: The more shares you have of the secret, the less work you have to do to guess the secret Individual shares SHOULD be of no use on their own.

Https: SSL/TLS

Each person has private/public key Get public key from Cert Authority(CA). Users can verify that the certificate was properly certified via a CA Subjects CommonName can be cc.gatech.edu or *.gatech.edu. (* does not match .)

ML: Payload based anomaly detection system (PAYL)

Each service has its own unique network traffic patterns. Features are relative frequency of characters or their std dev. Can score packets based on their anomalous score.

Malw: Analysis Difficulty

Easy to Hard to do Automated analysis Static analysis Interactive behavior anlysis (running in an isolated environment) Manual code reversing (disassembler/decompiler to recreate code) Also in the list above, harder techniques yield more information.

Tcp: Security

Eavesdropping, packet sniffing can occur if packet passes by untrusted host. TCP state easily obtained by eavesdropping. Enabling spoofing and session hijacking (he now knows the SN). Subject to DoS attacks.

Threat: Entropy quiz

Entropy is randomness for use in cryptography or other applications that require random data. two sources of entropy: hardware sources and randomness generators. A lack of entropy will have a negative impact on performance and security.

DA: Entropy/Information Gain

Entropy: The minimum number of bits needed to represent the examples according to their class labels, or roughly how pure the examples are. If the examples are evenly distributed into different classes, the entropy is the maximum, if the examples are all in a single class, the entropy is minimum. Compute information gain and pick decision tree branch based on feature with highest gain.

Dns: Rebinding Attack

Essentially the attacker binds a corporate webserver to look like its on the same network as the malicious website. Now the browser can lookup arbitrary documents since its on the same origin. Dns Pinning mitigates this. It refuses switching to a new IP. Interacts poorly with proxies, vpn, dynamic dns. Not consistently implemented in all browsers. Server-side defenses: Check host header for unrecognized domains Authenticate users with something other than ip. Firewall defenses: External names can't resolve to internal addresses. Protects browsers inside the organization

Pen: Penetration testing

Evalulate strength of all security controls Procedurals operational technological Benefits: Determine security of network, discover vulnerabilities, demonstrate threats. Scope: Can include social engineering, physical access Scale: entire security network.

Botnet: Growth of botnet

Exploit based propogation - infection grows exponentially in initial phase email-based propogation: exponential or linear dry-by egg download: sub linear

ML: Attacks on ML

Exploratory attack, attacker uses examples to find decision boundary of ML model, then crafts attack to avoid detection. Also called evasion attack. Causative attack (data poisoning): Attacker injects malicious examples to affect the ML training process that as a result is not able to produce an effect ML based model.

MbMal: iOS malware

Fairplay Man in the middle Attacker makes the user think he's bought an app from the app store and gets a malicious app installed on the users device.

Dos: Edge Sampling (for traceback)

For traceback, store the starting router (p), ending router(p-1), and distance since starting router There is a formula for how many packets on average are needed to reconstruct the path.

Browser: Frame security

Frame: Rigit division as part of frameset. iFrame floating inline frame. Why use frames? Separation of web content. Delegate screen area from content from another source. Browser provides isolation based on frames. Parent may work even if frame is broken. Frames cant really interact unless they are from the same origin. Frame frame relationships: Is frame allowed to execute script that manipulates abritrary/nontrivial dom elements on frame b? Can frame a change the origin of frame b? Frame principle relationships: Can frame A read/write cookies from site S?

ATS: WWW robustness quiz

Internet has High degree of tolerance towards random failures and low degree of tolerance against attacks. Most successful attacks target the nodes that are most connected.

Tcp: S-Bgp

IpSec: secure point to point router communication. Public key infrastructure authorization for all s-bgp entities. Attestation: digitally-signed authorizations. Address attestations proves authorization to advertise specified address blocks. route attestations: validation of updates based on a new path attribute using pki certicficates and attestations. This requires repositories and tools to manage all this.

MbMal: Detection

Kirin, system that checks for suspicious combinations of permissions. RiskRanker - Static analysis tool - manually defined suspicious features. Droidranger looked for loading native code from suspicious websites. DREBEN - uses an SVM to determine if an app is malicious. Easiest way to develop malware is to repackage popular app with malicious activity. There are some similarity tools to detect repacked malware. Behavior analysis - Some use sys call information.

CCSec: Standard encryption

Leaks nothing except the size of the data.

Https: Certificate Pinning

Let a site declare CAs that are authorized to sign its certificates (similar to hsts). On subsequent https, browser rejects certs issued by other CAs TOFU: Trust on First Use

CCSec: Dont trust cloud

Lets keep application on our side and store data on cloud. But this leaks data access patterns. Can use oblivious ram.

Pen: Social

Liking: Desire to fit in and be more easily influence by someone you like Scarcity: A desire to pursue a limited or exclusive item or service Commitment: A desire to act in a consistent manner Social proof: Looking to others for clues on how to behave.

BC: Block chain

Linked list of hash pointers, with the head at the end(last) element of the list. In order for a hacker to change the data in a blockchain, he must change all the hash values, because one change in the data, causes a rippling change of the hashes all the way back to the root node. And so if we just keep the root node, we can verify the integrity of the whole block chain..

ML: Adversarial ML

ML in the context of attackers.

Browser: Subresource integrity

Many pages pull scripts and styles from many content delivery networks. Page author specifies hash of resources they are loading, browser checks integrity of hash. Browser can report violation and not execute resource. Or can just report the violation and still render the resource.

Browser: Modern Websites

Many parties contribute to the code on a website. Ads, third-party libraries, the content owners, page devs, service providers, data providers, cdns, other users, extension developers. Questions:

CC: Hypervisor sec

Put security tool in a separate virtualization. The security tool in one VM can do introspection into other vm through hypervisor.

CC: Main concern in moving to cloud computing

Security is the main concern

Crime: Spammers

Send out spam (typically from botnets)

ML: Poisoning attack goals

Stays undetected. Continues for a period of time. Causes damage to data.

Threat: Tcp/IP quiz

Tcp is used to break up and reassemble data into packets. IP is used to move packets from router to router.

Dos: target of attack Server Application Network Access Infrastructure

The attack is targeted to a specific application on a server The attack is used to overload or crash the communication mechanism of a network. The motivation of this attack is a crucial service of global internet operation, for example core route.

DA: Generalization

The most important property of machine learning.

Tcp: Network teirs

Tier one: Network can reach every other network through peering Tier two: Network that peers some of its network access and purchases some of it. Tier Three: Network that purchases all transit from other networks

MbMal: Produce stage

Toolchain attacks - codeGhost - infected version of xcode, any app built with it is now infected. Could steal appname, device name/type, network type, system language and country, device uuid.d Attack appstore, review process can't find code which executes evil behavior. But a backdoor allows different control flow than initially seen.

Tcp: Tcp

Transmission control protocol Connection oriented, preserves order of packets. Breaks data into multiple packets. Attaches sequence number. Receiver acknowledges receipt, lost packets are resent. Packets are reassembled in original order.

CC: Security issues

Trust, multi-tenancy, encryption, compliance. Challenging - massive complex systems, simple primitives, and common functional units replicated thousands of times. Tractable problem however - There are both advantages and challenges.

Crime: Profit - Carders, Cashers, mules

Turn stolen bank accounts and credit cards into cash and help launder money.

Dos Syn flood defense

Use a proxy to manage all syn requests. In an attack, it has plenty of power to manage the flood of requests, and it only forwards the completed ones on to their destination.

CC: Active monitoring

Uses hooks (like in libVMI) to know when certain events happen.

MbMal: Stamp

Uses static/dynamic analysis to determine if app is malicious. Intended to be used in app store.' Focuses on data flows.

Https: Disadvantages

You need to buy an ssl certificate. Difficulty loading insecure content on a secure site. Proxy caching problems, public caching cannot occur (since all traffic is encrypted) Browser caching works properly Https doesn't use a lot of resources https doesn't usually, but CAN introduce latencies.

Threat: Zmap vs existing network scanners.

Zmap: eliminates local per conneciton state to keep resources low (others keep all this info). shotgun scanning: some hosts will not respond, but so will only send n probes per host. Send scans as fast as network allows. Probe optimized network stack, bypass inefficiencies by generating ehternet frames. zmap is ~1300 times faster than nmap and has better coverage. Nmap scans timeout, since zmap doesn't keep track of state but has a deterministic response its looking for, it never times out waiting for a response, therefore it has higher coverage.

CC: Storage Services

adv: Data fragmentation/dispersal. automated replication, provision of data zones (by country), encryption at rest and in transit, automated data retention. Challenges: Isolation management/data multi-tenancy, storage contoller (single point of failure/compromise), exposure of data to foreign governments.

Https: SSL/TLS Overview

client sends hello msg Server responds with Public key cert Browser verifies certificate Client exchanges key Now they have shared key that they can send information back and forth with Once this connection is established it means that, browser trusted a CA certificate, and that the cert was valid and not expired and that the domain matched the cert common name (or subject alternative name)

BC: Coin transactions - Scrooge

create coins transaction creates new coins (signed by scrooge) Pay coins, consumes coins, destroys them, and creates new ones resulting in the same total value. Typically with new owners.

BC: Hash function

easy to compute, compute message of data of any size fixed length output. One way function, no way to find m from H(m). Designed to be collision efficient., Weak collision resistance: given m1 it is intractible to find m2!=m1 such that H(m2) = H(m1) Strong collision resistance: intractible to find m1!=m2 such that H(m1) = H(m2)

Dns: Defenses

increase Query id size Randomize source port, additional 11 bits. - Now attack takes several hours.

Browser: COokies - Scope setting rules

login.site.com can set cookies for site.com but not for another site or TLD (other.site.com, nah.com, .com) Path can be anything

Malw: Ether

Malware analyzer that fulfills the malware analysis requirements (see Emulation Analysis Problems) Ether unpack extracts hidden code form obfuscated malware. Ethertrace records sys calls executed by obfuscated malware.

Crime: Underground forums

Many operate in plain site. They can be found in google search. Large volume of illicit goods and services are available. Law enforcement watches, but another can just start up. Useful for security professionals. Give researchers view into underworld. Allow white-hats to observe trends and detect unfolding attacks. Has buyser sellers and rippers (stealing from naive buyers or selling fraudulent goods). mostly ads for request or sale, or trade. Deal done over private message.

ML: Polymorphic blending attacks

Matches the normal profile of legitimate traffic (byte frequency is similar).

CC: Security quiz

Most data in transit is encrypted Only 10% of providers encrypt data at rest. Not all data at rest needs to be encrypted.

CC: Cloud sec challenges

Multiple International privacy laws. Need isolation management, multi-tenancy, logging challenges with distributed programs, data ownership issues (does google or their client own the data produced and used in their app?), quality of service guarantees, dependence on secure hypervisor, attraction to hackers, security of virtual OSs in the cloud, possibility for massive outages. public vs internal cloud security, lack of public SaaS version control. Encryption needs for cc: encrypting access to cloud resource control interface, administrative access to OS instances, access to applications, application data at rest.

Dns: Record types

NS: name server - points to other server A: address - contains ip address MX: address in charge of handling email. TXT: generic text (used to distribute site public keys (DKIM).

Malw: Evolution

Network level protection Firewall - Evaded by C&C protocol congruency (looks like normal traffic) IPS/IDS - Evaded by custom encodings (hard to analyze some made up encoding of data) Host-Level protection - Do you want the following program to make changes? (Uninformed user may click yes) Antivirus SW Traditional signature matching doesn't work well when the code is obfuscated.

Pen: Soc Eng Defense

Never disclose passwords Limit IT information disclosed Limit information in auto-reply emails. Escort guests in sensitive areas Question people we don't know Educate everyone about security Centralized reporting of suspicious behavior

ATS: Asynchronous distributed systems.

No guarantee of system reliability. Nodes may behave arbitrarily. Independent node failure. Attackers cannot indefinitely block a nodes from providing service and cant break crypto.

Malw: Reverse Eng emulator

No knowledge of bytecode program, no knowledge of emulators code. Abstract variable binding, identify pointer variables within raw memory of emulator using access patterns. Identify candidate VPCs (instruction fetching). Identify emulator phases, identify decode-dispatch loop.

CC: Virtual box security

Not safe to share clipboard or allow vm to read/write files on host machine with same privileges as host machine. Safe to disconnect VM from internet when opening questionable files.

ATS: Attack tolerance

Fault tolerance does not imply attack tolerance and requires different methods. Redundancy is not a solution. Diversification: All instances should use a different implementation, across all layers of the stack. Each using a different security protection mechanism or different part of the program. Not all operations are checked all the time (efficiency). Very costly to implement and hard to implement. Moving target: Dynamically change network and system configuration. Many instances of system and network services.

ATS: System properties

Fault tolerance: Has both safety and liveness. Safety: even if system fails nothing serious happens. Livenss: clients can eventually recieve replies to their requests. Need n = 3f + 1 replicas, f is maximum number of faulty replicas. By communicating with n-f replicas we can proceed, since f might be not responding. F replicas that didn't respond may be non-faulty. So f of responses may be faulty. n-2f > f therefore n > 3f.

Pen: Scanning

Find Which machine is up. which ports are open What services running Versions and configs of services Lookup vulnerabilities on web based on this version of software (this version of apache web server). Do research on what would break this software. Focus on most promising avenues of entry. Reduce frequency and volume of scanning and analysis. Randomize ip ports and ip addresses to be scanned in the sequence. Tools: Ping sweep: fping nmap TcpUdp Port scan: nmap fscan OS detection: nmap queso

Dos: Traceback

1 Append all nodes to packet 2 Sample single node with some probability - Takes a lot of samples because order is not obvious. Takes a lot of samples to get a packet which preserved its node mark from the first router that sent it. (p^N where N is routers in the path). 3. Sample edges so that order of routers is known. Now we just need enough packets and the order can be easily inferred. Also keep track of number of hops since the edge was recorded.

Threat: Certificate Chains

A browser trusts some root certificate authorities. Then the roots have a list of people they trust and can sign to trust other authorities and so on. the top certificate is a self signed certificate (the original browser trusted certificate, first list in chain).

Session: Active/passive sess hijack

Active session hijacking involves disconnecting the user from the server once that user is logged on. Social engineering is required to perform this type of hijacking. In Passive session hijacking the attacker silently captures the credentials of a user. Social engineering not required.

ML: Polymorph. attack requirements

Adversary has knowledge of the IDS Advers. can observe some normal packets going from advers. network to victim. Advers has estimation of false positive rate of IDS.

Dns: quiz

All domain names and ip addresses are stored at the central registry It can take several days for information to propogate to all dns servers.

ML: Worm signature generation

Gather normal traffic, traffic clustered and classified, generate signatures from clusters. Store in firewall (NIDS). Traffic based flow classifiers include: Simulated honeynet, double honeynet, port-scanning detection, anomaly IDS.

Session: Overview

Always assume cookie data retrieved from client is adversarial (evil). Session tokens are split across multiple client state mechanisms. Cookies, hidden form fields, URL parameters, Cookies themselves are insecure (csrf, cookie overwrite) Session tokens must be unpredictable and resist theft. Ensure logout invalidates session on server.

Https: Forged Certificates

An attacker has a forged/rogue certificate so the user connects to the attacker via https (because it thinks the cert is good). And the attacker connects over https to the actual server. Now the attacker has established an https only man in the middle attack.

Botnet: Network monitoring

Attacks used to be well defined and obvious - Payload contains exploit to a vulnerability, volume/rate suggests DoS/spam/etc. Firewalls and network intrusion detection systems - Designed to identify attack traffic. Traditional firewalls/nids - Bypassed by mobile devices compromised while outside network perimeter, when brought in, they have bypassed firewall. Attack traffic is now very subtle, C&C traffic looks like normal http web traffic. Need more advanced net mon systems.

Threat: Internet wide security scanning

Benefits: Expose new vulnerabilities, track adoption of defensive mechanisms, probing the ENTIRE ADDRESS SPACE WITH EXISTING TOOLS IS BOYTH DIFFICULT AND SLOW..

Botnet: Botnet

Botnet is a network of bots controlled by a bot master (attacker). Coordinated group of malware instances that are controlled via c&c channels. C&C centralized (IRC, HTTP), distributed (P2P) botnets responsible for: more than 95% of all spam, all ddos attacks, click fraud, phishing & pharming attacks, keylogging & data identity theft, distributing malware/spyware, anonymized terrorist & criminal communication

Botnet: detection challenges

Bots are stealthy on the infected machines, bot infection is usually a multi-faceted and multi-;phased process (looking at specific aspect is likely to fail), bots are dynamically evolving (static/signaturebased approaches may not be effective), botnets can have very flexible design of C&C channels (solution very specific to a botnet instance is not desireable).

Botnet: Traditional security fails

Bots user packer, rootkit, frequent updating to easily defeat anti virus tools. IDS/IPS - look at only specific aspect (payload of exploit), do not have a big picture (bots are for long term use). Honeypot: not scalable, passively waiting, bots can detect/discover honeypot/net, not good botnet detection tool.

CC: Secure In-VM Monitoring (SIM)

Bring sec to traditional in-vm approaches. Addresses sec and performance requirements together (same sec as out of vm approaches, performance close to traditional in vm approaches). Utilize hardware virtualization features ( no hypervisor intervention during monitoring invocation, untrusted vm read/writes are at native speed). Monitors execution should not rely on untrusted code and data. Need isolation of security tool from untrusted VM.

Session: Storing session tokens

Browser cookies are insecure Url links with embedded session ids could be accidentally shared Hidden form fields must result in form submission for every user action. Must choose combination of these options.

Browser: How Cors Works

Browser sends origin header with xmlhttprequest request Server can inspect origin header and respond with Access-control-allow-origin header for specific urls (or all)

CCSec: Oblivious Ram

Can hide access patterns. For any fixed size request sequence, the associated storage accesses observed by the cloud are statistically independent of the request. (hide access pattern from cloud provider) Techniques: Operates on fixed size data blocks, encrypts blocks with ciphertext indistinguishability, dummy accesses/re-encryption/shuffling/etc.

Threat: Zmap probing

Can just probe ip addresses numericlaly. Must do in psuedo random way. Zmap uses current_num * generator % prime, generator = 5 and prime = 7 will loop through numbers 1->6 in a random order. Generate a new generator (aka primitive root), and a new random starting address. Once the starting address is reached again, we know we're done.

Threat: Zmap

Can scan 98% of ipv4 address space on gigabit ethernet within 45 minutes. ( for a single port).

Browser: Cookies client read/write

Can set or read cookie attributes or delete. Http only cannot be accessed by client side scripts

BC: bitcoin safegaurds

Cannot steal bitcoins. But preventing double spending is only via probability. The more consensus you see that a bitcoin has been spent the more likely it is that it has indeed been spent.

DA: Feature construction from patterns

Compare and identify intrusion-only patterns. Parse each intrusion pattern. Identify the anatomy (reference and axis) and invariant information of an attack. Apply count, percent, and average operations to add temporal and statistical features.

Dos: Syn Flood alteration

Complete the tcp request. Then send request for a page over and over to take down website. With this the actual ip of the bots is revealed.

Dos: Captcha

Completely Automated Public Turing test to tell Computers and Humans Apart Only process requests with valid captcha solution.

Malw: Packing

Compressing/encrypting/obfuscating/transforming the executable in some way to hide its purpose. Code that reverses the pre-runtime transformation is included in the executable A signature scanner that tries to identify malware by its unique strings would not be effective.

Dns: Dnssec

Gaurentees: Authenticity of Dns answer origin Integrity of reply Authenticity of denial of existence Accomplisheds this guarantee by signing Dns replies at each step of the way Uses public-key cryptography to sign responses Typically use trust anchors, entries in the operating system to bootstrap the process.

Dos: Spoofing Subnet spoofing random spoofing fixed spoofing

Generate random addresses within a given address space Generate 32 bit numbers and stamp packets with them Spoofed address is the address of the target

Pen: Escalating privelege

Get higher level access Password cracking: john the ripper Known exploits: Lc_messages, Getadmin, sechole

Tcp: Bgp Attacks

Create false route or kill legitimate one causes DoS Attacker controls device along the victims communication path is SNIFFING Hijack traffic from a legitimate host for routing to endpoints in a malicious network. Creating route instabilities has not been used by hackers yet because damage cannot be contained. It can blowback to the attacker. Unmasking the AS relationships by hacking the routing table is revelation of network topologies. Solutions Autonomous system(AS) obtains certificate (ROA) from regional authority (RIR) and attaches ROA to path advertisement. Adverts without valid ROA are ignored. Defends against malicious AS but not a network attacker.

BC: Hash function quiz

Hash functions do not have a key Its hard to find two messages with the same hash value Hash functions are pirmarily used for message integrity.

Pen: Soc Enge Impersonation

Help desk: Attacker pretends to be an employee who needs help from helpdesk. Recover password, etc. Helpdesk doesn't usually require much info. Third-party authorization: Claim that third party has authorized access to sensitive information. More effective if the third party is not present/cannot be reached. Tech support: Attacker claims that company needs to reconfigure system and asks for user credentials. Roaming halls/tailgating: Passwords on stickynotes, important papers, etc confidential conversations. Repairman: typically allowed access to facility. Plant listening devices. Users typically do not question people in uniform. Trusted authority figure: Pretends to be medical personnel, home inspector, school superintendent. Impersonate via phone or in person. Trust is perceived authority Snail mail: Attacker sends mail asking for personal information, pretending to be authority. users tend to trust printed material.

CC: Vm Monitoring challeneges

High overhead, Invocation cost: requires switching to hypervisor when sec tool is invoked, especially for fine-grained monitoring, (control flow goes from VM to hypervisor to VM (running sec tool). Introspection cost: Accessing memory VM is slow.

Threat: Validating responses (zmap)

How can we validate packet responses without local per-target state? Encode secrets into mutable fields of probe packets that will have recognizable effect on responses. Encode a hash of something deterministic into the sequence number. So we can calculated the returned ack number.

Malw: Emulation Analysis Problems

Emulation falls short. Attacks exploit the difference in execution between real machine and emulator and switch off their evil behavior when they know they are being watched. Identical notion of time Network based timing measurements Impossible to identify all Equivalent to the problem of detecting and removing covert channels - which is undecidable.

Https: Https

Encrypted using SSL/TLS Allows secure channels over insecure network Reasonable protection against man in the middle attacks. Can still provide security even when only one side of the communication is secure. Https can slow down web servers if its not implemented correctly. Designed to thwart network sniffers/observers.

Browser: html sandbox

Ensures iframe has unique origin and cannot execute javascript, no form submission, disable APIs, prevent content from using plugins,etc

Dos: Traceback

Idea: Store the ip of a router along a path into the packet. If we do this probalistically, then under a dos attack, the majority of the packets are coming along some similar paths, then you can tell where the DoS attack is coming from because very quickly you get all the IPs along the path.

Browser: Cookies identified

Identified by name (userid), domain(login.site.com), path(/home/introduction)

Pen: Gaining Access

Identify a vulnerability of target from scanning and exploit it. Often done with preexisting tool/script. may need modification. May need to develop exploit yourself. Password eaves dropping: tcpdump ssldump Fileshare brute forcing, NAT legion Password file grab: tftp pwddump2 Buffer overflow: ttdb, bind

Pen: Enumeration

Identify valid user accounts or poorly protected resource shares (filesharing). More intrusive probing than scanning step.. Tools: List user accounts: Null sessions, dumpacl, sid2usre, onsiteAdmin List file shares: Showmount, NAT Identify applications: Banner, telnet, netcat, rpcinfo

ML: Misleading worm signature quiz

If we can completely control the training data gathering process and determine the authenticity and integrity of the data. then we don't have to worry about data poisoning. If the training data is obtained in an open environment, there is always the potential risk of poisoning attacks.

Pen: Social engineering techniques

Impersonation: Helpdesk third party authorization tech support roam halls/tailgate Trusted authority/repairman figure snail mail Computer based techniques popup windows instant messages and IRC email attachments email scams chain letters and hoaxes phishing websites

Tcp: Address Attestation

Indicates that the final AS listed in the UPDATE is authorized by the owner of those address blocks. Contains information about: owner's certificate AS to be advertising the address blocks address blocks expiration These are digitally encrypted by the private key of the server. Protect BGPs from erroneous updates.

Tcp: route Attestation

Indicates that the speaker or its AS authorizes the listener's AS to use the route in the UPDATE. Contains information about: AS's or BGP speakers certificate issued by owner of the AS the address blocks and the list of ASes in the UPDATE the neighbor expiration date To verify a route, address attestation from each organization owning an address. address allocation certificate from each organization route attestation from every AS along the path certificate for each AS all relevant CRLs must have been checked.

Crime: Botnets

Infected computers Have spare cpu cycles, Unique ip address and bandwidth. Botnets allow criminals aggregate control of infected machines. Command and Control C&C infrastructure for controlling bots. Often rented out.

Crime Botnet:

Irc channels (internet relay chat) are easy way to send commands. Single command gets broadcast over twitter count. Peer 2 peer botnets also Most popular: Create command control website and all bots connect to it. Domain name Can be shut down by isp. Can move domain to different ip every few seconds. Fast flux: moving to different ip very quickly (every few seconds). Random domain generation, Botmaster and botnets generate random domains using the same algorithm (so they are the same) and try to connect.. Bot master registers a few of these domains.

Botnet: BOthunter signature engine

Looks for specific signatures of malware

Botnet: Bothunter SLADE

Looks for unusual payload (egg download)

Dos: syn flood

Lots of tcp connection requests are sent to a server but the source is spoofed. Server tries to send back next part of handshake but they get no response. They must keep the state of the handshake in memory. Fulls up server with backlogged handshakes. Defense: remove state from server small performance overhead

BC: Scrooge/append only

Make history append only and an authority is the only one allowed to sign for transfer of coins. This prevents double spending.

CC: libVMI

OPen source introspection library, access to virt addresses, kernal sybmols, and more. Features: Read/write vm memory, virtual memory translation, find/map guest OS data structs, place monitoring event-hooks into guest (catch exceptions/page faults), pause guest and transfer control to callback function (hook), memory rwx events, rw events on registers, interrupt events, single step through instructions.

Browser: browser vs os

OS: Primitives: sys calls, processes, disk Principles: Users discretionary access controll Vulnerab: Buffer overflow root exploit Browser: primitives: document, object model, frames, cookie/local storage Principles: origins, mandatory access, control Vulnerab: Cross site scripting, cross site request forgery, cache history attacks.

Malware: Malware emulators

Obfuscate (pack) a binary emulator which runs some bytecode in an arbitrary language L. When running static analysis or automated tools, the emulator is what is analyzed (which has no malicious behavior), where as the data in the program is whats malicious. manual reverse engineering doesn't scale. In theory automated reverse engineering this is undecidable problem. However, emulators fetch-decode-execute behavior can be identified at runtime.

ML: Evasion tactics

Obfuscating internal data: uses a number of tricks to run code that cannot be detected by the analysis system. Confusing automated tools: allows malware to avoid detection by technologies such as signature based antivirus software. Environmental awareness: allows malware samples to detect underlying runtime environment of the system it is trying to infect. Timing based evasion: used by malware to run at certaintimes or following certain actions taken by the user.

ML: Blending steps poly.

Observe traffic from A to B. Using IDS algo, generate estimated artificial normal profile. Create attack instance that matches normal art. profile (using shellcode encrypt, and padding). Launch attack, IDS should not detect these packets.

CC: Cloud comp characteristics

On demand self service Broad/wide network access resource pooling or sharing measured service rapid elasticity.

Pen: cover tracks

Once total ownership of the target is secured, hiding this fact from sys admins becomes paramount, lest they quickly close off the avenue of attack. Clear logs: zap, event log gui Hide tools: rootkits, file streaming

ATS: Redundant services

One method, multiple services which vote for an output, given that non faulty systems can come to a consensus this will work.

CC: VM sec, monitor memory

Only reliable source to know current state of a running computer. Can find, running/killed processes, encrypt keys, network socket data, os level acct info, user input, screen captures, more...

Dos: Syn cookies

Only used during dos attack Does not modify TCP Server must reject all tcp options because server discards the syn queue entry

CCSec: Order preserving encryption

Order is leaked as well as frequency of the data (equality of data<->encrypted data)

CC: Security - Privacy

PII: Personal identifiable information. Privacy impact assessment suggested requirements for cloud SLAs (security level agreements). Proof that SLAs have been satisfied. Contingency planning and disaster recovery for cloud, handling compliance. (HIPAA, PCI)

Malw: Packing in-depth

Packing tool is run on compiled binary, each packed binary looks different because different encrypt key is used. Encrypted code looks like data, so any malware analysis will miss it. Server side polymorphism: Malware can constantly update itself, forcing malware defenders to start over their process to understand the malwares behavior.

CC: Monitoring types

Passive monitoring: viewing memory of application vMs from the security tool running on hypervisor without any timing synchronization between the two vms. Active monitoring: viewing memory in an app VM from sec tool in hypervisor with event notification being sent from app VM to sec tool to permit monitoring at relevant times. goal of monitoring: locate valuable data : find critical data structs within the raw memory view for the monitoring task.

Crime: Malware distribution model

Pay per install model

Threat: Certificate authorities

Places that vouch for a website's identity (he is who he says). Any CA can vouch for any website. No central repository of CAs, Don't know who to trust until you see a CA in the wild.

BC: Proof of work

PoW is costly/time consuming to produce, but easy/quick to verify. To earn a coin, miners of bitcoins do not have to complete some of the work in the block. Changing block requires regenerating all successors and redoing the work they contain.

ML: Polymorphism quiz

Polymorphic attack can change its appearance with every instance. Polymorphic attack has no predictable signature for the attack. Each instance of polymorphic code does not havae a different or normal appearance.

Pen: Attacks

Popup window: Popup window that looks like windows login credentials. IM & IRC: Imitate technical support desk. Redirect users to malicious sites. Trojan horse downloads installs surveillance programs. Email attachments: Malicious software in attachment. Programs can be hidden. Executable pdfs, or confusing .docx.exe files. Email scams: More prevalent over time Request basic information at beginning Leads to financial scams. Chain emails: More of a nuisance than threat Spread using social engineering techniques Productivity and resource cost. Websites: Offer prizes but require a created login. Attacker harvests likely reused credentials/passwords Reuse this information on other websites.

CCSec: Equality preserving encryption

Preserves equality (two equal values which are encrypted are still equal in their encrypted form). Leaks the frequency.

Browser: CSP Content sec policy

Prevent damage of XSS (cross site scripting) Restricts resource loading to a white-list (no dynamic loading). Prohibits inline scripts embedded in script tags, inline event handlers, and javascript, URLs Disable js eval(), new Function() CSP HTTP header allows site to create whitelist, instructs the browser to only execute or render resources from those sources.

Session: Logout

Prevent others form abusing content. Steps 1 Delete session token from client 2 mark server side session token as expired on server. many sites do 1 but not 2.. Risky for sites who fall back to http after login. Network sniffers (man in middle) could see cleartext http request and use the session after its expired.

CC: (NIST) Deployment models

Private, cloud Inf. is operated soley for internal org. Cloud inf is shared by several orgs and supports specific community that has shared concerns. Public cloud inf is made available ot public or large industry group. Hybrid is some combination of other three. Common characteristics among the four models. Massive scale, homogeneity, virtualization, resilient computing, low cost software, geographic distribution, service orientation, advanced security technologies.

ML: Polymorphic blending attack quiz

Process should not result in abnormally large attack size. Blending needs to be economical in time and space Attacks don't need to collect a lot of data to learn normal stats.

MbMal: Lifetime of iOS malware

Produce - Distribute - Do Evil - Make profit

CCSec: Encryption Quiz

Property preserving: Encrypted data is in the same order as the plain text Searchable: Encrypted data that can be searched using encrypted keywords, Secure computation: Several parties can compute a function using inputs that are kept private Homomorphic: Computations performed on encrypted data matches the result of the computations on the plaintext. Functional: A secret key that allows someone to learn the function that is being encrypted.

BC: Distributed consensus

Protocol terminates when all correct nodes decide on the same value and value must have been proposed by some correct node. Peer to peer, broadcast transfer to all nodes. Implicit consensus, in each round random node is picked. This node proposes the next block in the chain. Other nodes implicitly accept/reject this block, by either extending it or ignoring it and extending chain from an earlier block. Every block contains hash of the block it extends. So... each node colelcts the new transactions into a block. In each round a random node gets to broadcast its block. Other nodes accept the block only if all transactions in it are valid. Nodes express their acceptance of the block by including its hash in the next block they create.

BC: Incentive

Provide monetary value to nodes that act honestly. OR transaction fees, creator of transaction can have cost.

Pen: Footprinting

Rconnaissance/information gathering: network ip addresses phone#s, namespace acquisition, network tropology. Tools: Open source search: google domain name/admin/ipaddresses: whois, arin Dns zone transfer: nslookup, dig, Sam Spade

Dos: Capability based defense

Receiver can specify what packets they want. Sender requests capability in Syn Packet (which should be rate limited). Receiver responds with capability. Reject packets without valid capability

Dns: Caching

Recods are cached on a local server to save time on DNS lookups. NS records for domains are also cached. Also caches negative results (does not exist). Each record has a TTL to state how long a record can be kept

Botnet: Dns services

Recursive dns monitoring at isp. Analyze dns traffic from internal hosts to a recursive dns server of the network. Detect abnormal patters/growth of populatrity of a domain name, identify botnet c&C domain and bots, Common means of botnet propogation: (worm-like) exploit-based, email-based, and dry-by egg download.

ATS: Defense method, replication

Replicate the data and store at N different servers (shard). Confidentiality is now weaker. Attacker can get data from N servers now. Integrity and availability are better protected. Attacker needs to compromise majority of the N servers to damage integrity and availability.

Https: Whats Encrypted

Request URL Query params Headers Cookies NOT: host address, port numbers, amount of data, length of session.

Dos: Route Hijacking

Rerouting traffic to prevent site from getting traffic

Dns: Query/response

Response contains IP addresses of next NS server (called "glue"). Response contains series of records. Final authoritative result contians the ip address of the requested domain (or verifies it doesn't exist).

Crime: Exploit devs

Reverse engineer software, find exploits, bugs that can be exploited. Sell for profit

Malw: Obfuscation Purposes

Rootkits help hide malware from u sers Thoroughly mapping security sites and honey pots so as to avoid them - Hides from antivirus security Nuance based encryption methods hides malware from reasearchers.

Tcp: BGP Security

Routing information and updates are not authenticated. Someone can lie about a route change and redirect traffic to their own address. This happened in the Youtube-Pakistan mishap. Essentially anyone can hijack route. Each node in the network has information on how to get to any node. Anyone can inject advertisements for arbitrary routes. These false advertisements propagate everywhere. Used for DoS, spam, and eavesdropping. Paths might be changed such that inbound traffic is eavesdropped but outbound traffic is not. So the victim can't see that his inbound packets are being watched.

Browser: Web worker

Run in an isolated thread, loaded from a separate file Has same origin as frame that creates it, but no dom. Communicate using postMessage

CC: Nist RISK

SaaS - Lost control, data sec, data locality risks, unauthorized access, over privileged admin, no accounting & provider support, provider go broke, disaster PaaS - Interop among cloud providers and legacy systems, service provider lock-in, soa related issues, api related issues. IaaS - VM boundaries, trusting vendors security equipment, identification of data sources, vm security, vm images repository, hypervisor security.

Browser: Sandbox

Safely execute javascript code provided by remote website. No direct file system access, limited access to os network, browser data, content that came from other websites. Same origin policy: Active code can only read properties from same origin. Users can grant privileges to signed scripts (microsoft/google/apple scripts). Data not saved is lost when app closes. Lightweight easy to set up. Changes not visible beyond boundaires VM: Changes not visible beyond boundaires Machine within machine Disk space must be allocated.

Crime: Phishers

Scam sites to steal information. Work with spammers to spread attack

Botnet: Bothunter SCADE

Scan detection: inbound scan Uses different weights for different types of scanning. Also cans outbound scans

Threat: Attacker intelligence

Scanning: Attacker uses the internet to obtain information on specific ip addresses. The kind of information gathered is: OS, services, and architecture of the target system Footprinting: The attacker gathers information about a target. The kind of information gathered is DNS, email, servers, and the ip address range. Enumeration: The attacker gathers information on network user and group names, routing tables and simple network management protocol.

BC: Scrooge core problem

Scrooge has all the power, could require payment to publish transaction. We desire: single published blockchain with a history of all transactions. Agreement on which transactions are valid. Which transactions have occurred. Decentralized id assignment Decentralized mining of new coins.

CC: SIM Design

Security isolation by separating paged virtual address space. We run the sec tool on the same VM, but create virtual address spaces to provide security but keep the speed. SIM much faster than out of vm approach

BC: Cryptocurrency quiz

Security of crypto currency ledgers depends on the honesty of its miners. Most cryptocurrencies are not designed to maintain production to keep inflation in check. Cryptocurrencies are psuedo anonymous and less susceptible to law enforcement seizure.

Crime: Counterfeiters

Sell fake goods Must be able to clear credit cards.

Dos: Amplification Bug Flood

Send a few packets and get a big result. For example sending a small request packet and requiring a big response. Spoof the destination IP and now you've got a ton of data heading to somewhere. Take advantage of bug in the system to take down the system Command botnet to generate flood of requests.

Dos: Reflector

Send spoofed request to some service (such as DNS), the DNS sends not spoofed authentic (it thinks) response to the victim (which ends up flooding the victim). A traceback shows the traffic coming from the DNS servers but stops there because that is where the traffic originated (the service probably wont store where it actually got the request from).

Threat: Zmap packet transmission

Sends all packets at ethernet layer. No correlation between how fast we scan and the hit rate of a scan attempt. Slower scanning does not reveal additional hosts. Coverage: The more packets we send, since some fail, the more likely we are to receive a response from a host if indeed one exists. So we expect a platue where at some point sending more packets returns practically the same number of hosts and provides no additional benefit.

Browser: Cookie sec problems

Server does not see all cookie attributes. Cannot see what server set cookie attribute. Malicious site could set session cookie to something else for another site. Network attacker can intercept and re-write https cookies. Path separation of cookies is only done for efficiency (scope), not security. Cookies have no integrity. User can change cookies. Can use cryptographic hashes made by server to ensure cookie has not changed.

Browser: Reading cookies on server

Server only sees cookies in its own scope, ie domain is right for that given site page, and secure if needed. A given site page gets all cookies that meet the minimum specs.

CC: Advantages/Challenges

Shifting public data to an external cloud reduces the exposure of the internal sensitive data. Cloud homogeneity makes security auditing/testing simpler. Clouds enable automated security management. Redundancy /disaster recover. Challenges: Must trust vendors security model. Customer inability to respond to audit findings. Obtaining support for investigations indirect administrator accountability. Propriety implementations can't be examined. Loss of physical control.

CC: cloud service models

Software as a service: provides an application running on cloud. Platform as a service: Consumer created applications using programming langs/tools supported by provider. Infrastructure as a service: Capability provided to consumer to provision processing, storage, networks , and other fundamental computing resources. Examples: SaaS - Knowledge Tree PaaS - Google apps, salesforce IaaS - AWS, Microsoft Azure.

MbMal: Data flows

Sources, Sinks, flows By analyzing the app description we can see that certain types of flows are expected. But by analyzing the actual data flow we can see that other flows occur that are not expected, and this is leakage.

Session: Http referrer header

States where the last site you were was (before coming here) This could leak url session tokens to third parties. Must supress url referral.

Malw: Analysis defenses

Static analysis was fought with polymorphism/metamorphism/packing/opaque predicates/anti-disassembly, which researchers fought back with dynamic malware analysis, which was fought with trigger-based behavior (logic bombs, time bombs, anti-debugging, anti-emulation, etc) which was fought with dynamic multipath exploration/forced execution.

Pen: Pilfering

Steal valuable information. Further Gather info to allow access to trusted systems. So you can further exploit a system. Evaluate trusts: rhosts Search for cleartext passwords: user data, configuration files, registry

Pen: Pen testing methodology

Steps from first to last Footprinting: General information about network Scanning: Finding more detailed information about network (services available) Enumeration: Finds more targeting information such as user accounts Gaining access: Finds vulnerabilities associated with network services, then exploits Escalating privilege: Get root or sudo access Pilfering: Steal information from network Covering tracks: Hide evidence of breakin so its hard to find out network was compromised Create backdoors: Easy access for future malicious activities. (Loops back to gaining access).

Browser: Cookie types

Super: cookie with origin of top-level domain Zombie: cookie that is regenerated after its deleted SameSite: can only be sent in requests originating from same origin as target domain HttpOnly: Cannot be accessed by client-side APIs Third-party: Belongs to domain that is different from one shown in address bar Session: In-memory cookie. Does not have expiration date, deleted when browser is closed Persistent: Has expiration date. AKA tracking cookies Secure: Only transmitted over an encrypted connection.

Browser: Cross origin resource sharing (CORS)

Technique for relaxing the same-origin policy, allowing js on a webpage to consume content from a different origin. A website whitelists domains

Dos: Link testing

Test upstream links to see where attack is coming from. Attacker could change behavior or attack intermittently. Must determine common part of packet and use that to determine where traffic is coming from at each router. Requires cooperation of multiple ISPs when the attack crosses isp boundaries. Try flooding a link and repeat until you find which upstream link attack is coming from, then repeat at the next upstream set of links. All link testing only work while the attack is in progress.

ML: Polygraph

The flow classification technique was not specified. Signature generation for polymorphic worms. Authors assumed that flow was not perfect and noise could be stored in the suspicious pool. CLaimed that Even with noise, it generates good signatures. Flows get classified into suspicious flows and innocuous flows. Conjunction and token-subsequences are not resilient to noise in the suspicious flow pool. Before creating ML signatures, it ran clustering, so it took out all the fake flows and created a model specifically for them. This can be fooled by creating pieces of data that are consistent between the worm and fake anomalous flow. this way clustering puts them together because they seem more similar. Also uses a bayesian model to detect worms. Defeat this by Injecting normal substrings into fake anomalous flows so that polygraph cannot find a good threshold. No good way to filter noise and prevent data poisoning.

DA: Axis attribute

The most important attribute, eg service. Patters must contain axis attribute values. So we can eliminate associations to non-essential attributes. Compute sequential patterns in two phases, associations using the axis attributes, sequential patterns from the associations.

DA: Reference attributes

The reference subject of a sequence of related actions, eg, connections to the same destination host.

Botnet: Apt quiz

The wost quiz ever. https://youtu.be/DBukHMJzO8g Which info should be considered in order to identify source of an apt attack: source ip of tcp-based attacks packets. coding style of malware, inclusion of special libraries with known authors, motives of the attack, language encoding.

DA: Considerations for selecting a dataset for training (quiz)

There is no perfect way of labeleing data, therefore there is no perfect IDS dataset. Selecting a correct baseline dataset for your network. Selecting a dataset that has a range of intrusion attacks.

Malw: Analysis

Understand malware behavior - Network/host level detection/blocking - Threat analysis Malware can change its behavior if it detects its being observed. Need transparency to the malware. Malware analyzer should be at a higher priviledge level than the malware. No non-priveleged side effects. Same instruction execution semantics, exception handling, notion of time as if analyzer not present. In-Guest Tools have no higher privilege, non-privileged side effects, and exception handling issues. Reduced privilege guests (VMWARE) non privileged side effects. Emulation (QEMU, SIMICS) No identical instruction execution semantics.

Botnet: Use of Dynamic DNS

Use dyn dns so that they can change the C&C server at any time. Can detect anomolies such as the site not showing up on google search but the botnets can get it. Can have isps disable the site.

ML: Countermeasures to poly blend attacks

Use more complex models which use syntax/meanings of web contents instead of just statistics. Use multiple simple IDS. Use randomness in IDS model.

DA: Feature Construction Problem

Use temporal/statistical patterns, (lots of S0 connections to same service/host within short time window).

Dns: Vulnerability

User/host must trust the host-address mapping given by dns. Used for many security policies such as same origin policy. Interception of requests or compromise of dns servers can result in malicious responses. Can use cryptography to prevent this. DNSsec is an example solution.

Pen: Social engineering

Users are weakest link in security. How vulnerable is the user population? which are more vulnerable than others? Find policy gaps/ fix / create new policies Users can be manipulated to undermining their own security system. Abuses the trusted relationships between employees. Very cheap for the attacker. Attacker does not need any specialized tools/skills/equipment.

Dns: Packets

Usual IP and UDP header. Payload is dns data: contains query id Response to packet has the same query id. RD - recursion desired - do recursive lookups on my behalf OP=0 - standard query QR=0 - this is a query QR=1 - this is a response AA=0 - not authoritative - I don't know the ip adress, but here is someone who should. AA=1 - authoritative - here is the thing you asked for. RA=0 - recursion unavailable - i'm not going to continue looking for your, here are your results.

Botnet: Domain used for C&C

Usually domains are bought in chunks so that the attacker can reduce leaving financial information about who he is. DNS lookup behavior of botnets: Bots lookup C&C as soon as they boot/get internet. huge spike in dns requests because of time zones (9am to 5pm). NOrmal dns lookup behavior is a lot smoother, humans dont immediately go tto the same site. Source ip dispersion in DNS lookups (local or global popularity of the domain), distributed in many networks, and ip changes a number of times.

CC: Virtualization quiz

Virtualization requires at least one instance of application or resource thats shared by different organizations. Sharing between organizations is accomplished by assigning a logical name to the resource and then giving each request a pointer to the resource. Virtualization involves creating a virtual machine using existing hardware and operating systems. The virtual machine is logically isolated from the host hardware. Type 1 hypervisor, does not have host operating system because they are installed on a bare system. Type 2 hypervisor, emulates the devices with which a system normally interacts.

CC: Foundational elements

Virtualization, grid technology, service oriented architectures, distributed computing, broadband networks, browser as a platform, free and open source software.

Pen: create backdoors

Want subsequent access to be easy. Layout backdoors in various parts of the system to ensure that privilege access is easily regained whenever the intruder decides to return. Make these doors to make the activity look normal and inconspicuous Create rogue user accounts: schedule batch jobs: infect startup files: plant remote control services: install monitoring mechanism: replace apps with trojan:

BC: Digital signatures

We want signatures from owner only, but anyone can verify. Signature is tied to a particular document and can't be cut-pasted to another document. Signature has private signing key, and public verification key. Can use the public key as an identity. Identities are called addresses in bitcoin.

Browser: Threat model

Web sec threat model Attacker sets up malicious website. Waits for users to visit site. Attacker does not control the network. Network security threat model: Attacker intercepts and controls the network. Could intercept data, man in middle. Inject malicious traffic.

Crime: Pay per install Doorway page Crypters Blackhat search engine optimizer Trojan download manager

Webpage lists many keywords hoping search engine lists this as result, but scripts redirect to compromised pages. Hides malicious code from anti-virus software increases traffic to attackers site by manipulating search engines. Allows attacker to upload or install malware on victim computer

Botnet: detection quiz

What behaviors would indicate a botnet. LInking to established c&C server, generating internet relay chat (IRC) traffic using a specific port range, (generating dns requests is not a good indicator), generating smtp emails/traffic, reducing workstation performance/internet access to the level that it is noticeable to users.

Botnet: Botminer

What can botnets do to evade c-plane clustering - Manipulate communication patterns, introduce noise in the form of random packets to reduce similarity between c&c flows. What can botnets do to evade a-plane monitoring? - Perform slow spamming, use undetectable activies (spam sent with gmail, download exe from https server).

Pen: When should I penetration test

When infrastructure is changed applications are changed end-user policies are changed security patches installed.

Threat: Public key sharing

When a public key is comprised of n = p * q, if p is shared between machines, (but q is different), it becomes very easy to compute the GCD of two different machines to come up with p, and then you can calculate the private key very easily, computing the GCD is trivial. Many embedded systems don't have access to a realtime clock or other sources of randomness. So the randomness is a deterministic type of randomness. Urandom may be predictable for a short time after boot.

ML: Noise Injection attack

Worm regularly sends out worm traffic to spread, but it also sends out fake anomalous flows (can be benign, but looks like a worm). The fake data makes it difficult for the ML algo to find the real signatures or has difficulty generating good signatures. This affects all traffic based flow classifiers.

Browser: Browsing context

a frame with its dom a web worker (thread), which does not have a dom browsing context separated by same-origin policy. can call postmessage to intercommunicate.

Botnet: DNS names

botnet domains typically have random domain strings. Sensible/real domain names have been registered for legitimate use. Look for growth of these suspicious domains.

CC: cloud computing

convenient, on-demand shared configurable resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

BC: Cryptocurrency Create coin

create a coin string based on a unique coin id. Computes signature of the coin using private key. String together with signature is a coin. Anyone can verify that the coin is valid by decrypting the signature with the public key (which is the identity of the person who owns the key).

BC: Wallet quiz

hot wallet is connected to internet cold wallet is offline desktop wallet is used on laptops or pcs mobile wallets are qr code capable with instant payments online wallets provided on the cloud hardware wallet: developers make use of top grade cryptography.

Pen: Persistence

install backdoor or malware to create Permanent foothold in network malware placed in specific place. Insertion of proxies or man in middle systems to record/listen Can capture user creditials and valuable information Can move all this around to different users to hide tracks.

CC: Platform virtualization

key is the hypervisor or vm monitor. Enables guest oS to run in isolation of other OSs. Run multiple types of OSs. Increases utilization of physical servers, enables portability of virtual servers between physical servers. Increases security of physical host server.

Browser: Same origin policy (SOP)

protocol://domain:port/path?params SOP for DOM: A can access origin B's DOM if A and B ave the same protocol domain and port SOP for cookies: Generally based on protocol domain and path, protocol is optional.

Crime: Exploits as service

some people develop exploits, others buy and use them. Can buy an eploit kit and deploy themselves or can rent access to exploit servers that hosts exploit kits. Spam/phishing to attract traffic to exploit server to get malware installed. Pay per install is a variant where you bundle a traffic acquisition system and exploit server, and you pay per install.

Session: Session token

token must be stored somewhere Tokens expire, but there should be a way to revoke them if needed. token size is a concern.

Botnet: bot hunter

vertical dialog correlation Correlates multiple events that belong to lifecycle of a bot. Scan network, send exploit, egg download (malware download), IRC (connect to c&c) -> more scanning to compromise more systems. Egress point (internal - external), search for duplex comm sequences that map to infection lifecycle model, stimulus does not require strict ordering, but does require temporal locality. Dialog based correlation - Probability that a host is a bot increases as more suspicious events occur during a given time period, (some events are more heavily weighted)


Ensembles d'études connexes

Jáma a kyvadlo a jiné povídky

View Set

Interpersonal Communication-Final

View Set

Renal & Urinary - Adult Health - NCLEX

View Set

HESI Prep Pregnancy, Labor, Childbirth, Postpartum-uncomplicated

View Set