Computer Security Summer Scholars 2018 Matt Vander Werf HPC System Administrator
Security in HPC • HPC is especially a target for hackers and malicious acts Why?
Security in HPC • Prestige • Computing resources – Financial Gain – Break encryption – To facilitate attacks elsewhere • Academic research • DOE/NSF/NIH/DOD funded projects
Common Security Goals • C.I.A. Triad: – Confidentially: keep others from having access to your data without permission – Integrity: keep others from altering your data without permission – Availability: information should be accessible and modifiable in a timely fashion by those with permission to do so
Types of Security • Physical Security • Computer Security • Network Security
Vulnerabilities vs. Threats/Attacks • Vulnerabilities come from inside the system • Threats come from outside the system • A threat is blocked by the removal of a vulnerability • Vulnerabilities allow attacks to take place • An attack is an action to harm the system by exploiting a vulnerability of the system
4 Basic Types of Threats/Attacks • Eavesdropping • Alteration • Denial-of-Service (DoS) • Masquerading
Eavesdropping • The interception of information/data intended for someone else during its transmission • Doesn’t include modification • Examples: – Packet sniffers: monitor nearby Internet traffic – Computer surveillance
Alteration • Unauthorized modification of information • Examples: – Computer viruses which modify critical system files – Man-in-the-middle (MitM) attack: information is modified and retransmitted along a network stream
MitM Attack Example https://www.veracode.com/security/man-middle-attack
Denial-of-Service (DoS) • The interruption or degradation of a data service or information access • Examples: - E-mail spam: to the degree that it is meant to slow down an e-mail server - Denial-of-Service (DoS) attacks • Make a machine or network resource unavailable to its intended users • Overwhelming a web server, bringing down a website • Consume memory or CPU resources of a server • https://www.digitalattackmap.com
Masquerading • The fabrication of information that is purported to be from someone who is not the actual author • Examples: – E-mail spam – Phishing for information that could be used for identify theft or other digital theft – Spoofing of IP addresses, websites, official communication
Phishing • Phishing is a very common occurrence • Over 1.2 million unique e-mail campaigns in 2016, a 65% increase over 2015 • Annual worldwide impact as high as $5 billion (2014) • Can be used by a ransomware attack • https://www.youtube.com/watch?v=AHJzSuW cpOc
Specific Examples of Threats/Attacks • Heartbleed – Vulnerability in the OpenSSL library used by majority of servers, especially web & mail servers, to secure communication & data channels – Discovered/disclosed in April 2014; vulnerability existed for around two years prior; close to 70% of web affected – Allowed hackers to be able to obtain usernames/passwords, encryption keys, and other sensitive information that was stored in the server’s memory – Affected a large majority of the CRC’s servers; All were patched shortly after disclosure – More info: https://heartbleed.com/
Social Engineering • Techniques involving the use of human insiders to circumvent computer security solutions • Social engineering attacks can be powerful! • Often the biggest vulnerability can be the human being who is in charge of administrating the system
Types of Social Engineering • Pretexting: creating a story that convinces an administrator or operator into revealing info • Baiting: offering a kind of “gift” to get a user or agent to perform an insecure action (i.e. free stuff if you download some virus) • Quid pro quo (“something for something”): offering an action or service and then expecting something in return
Pretexting Example
Social Engineering Example • “What is Your Password?”: – https://www.youtube.com/watch?v=opRMrEfAIiI • “What’s Your Password?” (v2): – https://www.youtube.com/watch?v=UzvPP6_LRH c
Ransomware • Type of malicious software that blocks access to the victim's data or threatens to publish or delete it until a ransom is paid (usually in Bitcoins). • Examples: CryptoLocker, WannaCry, Petya/NotPetya • https://www.youtube.com/watch?v=d_dyi9C Wieo
Well-Known Services/Ports • SSH (Secure Shell) – Port 22 over TCP – Used to administer a machine remotely – Also used by SCP (Secure Copy) and SFTP • HTTP/HTTPS (Web) – Port 80 over TCP (HTTP, Unencrypted) – Port 443 over TCP (HTTPS, Encrypted) • FTP/SFTP (File Transfer Protocol) – Port 21 over TCP (FTP, Unencrypted) – Port 115 over TCP (SFTP, Encrypted)
Defending Against Attacks • Firewalls – Can help protect a network by filtering incoming or outgoing network traffic based on a predefined set of rules, called firewall policies – Policies are based on properties of the packets being transmitted, such as: • The protocol being used, such as TCP or UDP • The source and destination IP addresses and ports • The payload of the packet being transmitted
Defending Against Attacks (cont.) • Use of secure, hard-to-guess passwords – Combination of upper-case, lower-case, numbers, and special characters (&, ^, !, ., *, @, etc.) – Do NOT use dictionary words or phrases! – Should be at least 10 characters in length (if not longer!) – Don’t re-use passwords for multiple services/sites – Use a password manager (LastPass, 1Password, etc.)
https://xkcd.com/936/
Defending Against Attacks (cont.) • Employ Access Control Lists (ACLs) – Restrict access to only those who need access • Keep systems/devices patched with the latest security updates ( Important! ) • Use secure communication channels – HTTPS à Use HTTPS Everywhere! • https://www.eff.org/HTTPS-everywhere • Use an Ad Blocker (uBlock Origin, Adblock Plus, etc.)
What Does the CRC Do? • Physical security: Union Station • Firewalls: OIT Border Firewall, iptables on individual machines • Vulnerability Scanning • Secure passwords; limited “root” access • Use of Access Control Lists (ACLs) • Apply security updates & fix vulnerabilities • DenyHosts: block known bad host IPs
Vulnerability Scanning • Nessus Professional Vulnerability Scanner • Scans for vulnerabilities on our systems • Find and patch vulnerabilities before they can get exploited • Weekly scans of our public network infrastructure
Real Life Example • “Stuxnet: Anatomy of a Computer Virus” : – https://vimeo.com/25118844 (2011) • Zero Days (documentary): – http://www.zerodaysfilm.com/ – http://www.imdb.com/title/tt5446858/
Real Life Example • “Hackers Remotely Kill a Jeep on the Highway— With Me in It”: – https://www.youtube.com/watch?v=MK0SrxBC1x s (2015) – https://blog.kaspersky.com/blackhat-jeep- cherokee-hack-explained/9493/
Real Life Example • “Hacking a "Smart" Sniper Rifle | Security”: – https://www.youtube.com/watch?v=BJPCYdjrNWs (2015)
Questions?
Recommend
More recommend
