cosc 4p14
play

COSC 4P14 What could possibligh go wrong? Brock University Brock - PowerPoint PPT Presentation

Jan 07, 2024 •314 likes •640 views

COSC 4P14 What could possibligh go wrong? Brock University Brock University What could possibligh go wrong? 1 / 32 Common attacks and exploits Weve talked about how to use individual tools (encryption, authentication, etc.), but theres

  1. COSC 4P14 What could possibligh go wrong? Brock University Brock University What could possibligh go wrong? 1 / 32

  2. Common attacks and exploits We’ve talked about how to use individual tools (encryption, authentication, etc.), but there’s something much larger, and more basic, to consider: Any system is only secure as its weakest point of ingress That is, a dozen great tools and one stupid mistake lead to many sad-faces Let’s talk about some concerns. Brock University What could possibligh go wrong? 2 / 32

  3. Eavesdropping Of course, the problems with eavesdropping are mostly self-evident. The expectation is that communication should normally be readable to the parties involved We’ve already talked about how trivial it is to eavesdrop on broadcast media In other words: stop using open wifi. There are plenty of things that can go wrong! Brock University What could possibligh go wrong? 3 / 32

  4. Session hijacking Remember how cookies work? And how you can authenticate yourself to a web server, and then keep including proof of having identified in the header? Yeah... if someone ’hears’ that header, he or she can become you Fun fact: this was actually another possible way to do your previous lab exercise! A well-designed web server shouldn’t easily fall for session hijacking, though ◮ Why not? It’s also worth noting that this is closely related to various forms of replay attack . (which is part of why nonces are a thing) Brock University What could possibligh go wrong? 4 / 32

  5. Man in the Middle A Man in the Middle attack is not the same thing as eavesdropping or session hijacking! Rather, it relies on the assumption that the attacker can insert him or herself in between two communication parties. That attacker then has several options: Receiving from one party, changing it, and then passing the new version to the other party Establishing secure connections between both parties, so they might not notice that it’s secure, but the wrong party Consider, for example, what happens when you first connect to a network. What’s your DNS? How reliable is it? Perhaps we have time for a demo ? Brock University What could possibligh go wrong? 5 / 32

  6. HTTP Strict Transport Security How can we prevent a server from downgrading us from HTTPS to HTTP? If everyone cared about security, it would already be completely solved as a problem Some versions of Chrome might clue you in; presumably other browsers will eventually follow HSTS allows you to set rules within HTTP headers, indicating that HTTPS must be used for return visits, etc. ◮ Check out chrome://net-internals#hsts Wait, “return visits”? What about the first visit on that device? Ah, for that, we have a whitelist ! (Prepare to be annoyed) Brock University What could possibligh go wrong? 6 / 32

  7. Wireless security To what extent does wireless security really matter? e.g. suppose you aren’t worried about people leeching your bandwidth, and you only use encrypted traffic. Does it still matter? Do you like being arrested? Brock University What could possibligh go wrong? 7 / 32

  8. Wired Equivalent Privacy Ahahahahahahaha. No. Brock University What could possibligh go wrong? 8 / 32

  9. WiFi Protected Access Yes, KRACK didn’t help with WPA security, but that’s not the only concern: WPS (to make pairing easier) introduced vulnerabilities If you have a crappy password, the encryption isn’t really helping much But, besides all that, what about the login password itself? Is that safe? WPA certainly isn’t susceptible to the same exploits as WEP, so we’re cool, right? Brock University What could possibligh go wrong? 9 / 32

  10. While we’re talking about deauthentication attacks... There are several other uses for deauth’ing hosts Suppose you create your own access point (for nefarious reasons) and leave it open ◮ Will people connect? Maybe, maybe not. Suppose you start booting everyone connected to any access point that isn’t yours ◮ Chances are, you’ll get a few more biting Brock University What could possibligh go wrong? 10 / 32

  11. Additional wireless concerns Even though we already covered this on the assignment, do we understand why SSID cloaking and MAC filtering are so ineffective? Also, what’s the password on your router/modem/access point? Brock University What could possibligh go wrong? 11 / 32

  12. Speaking of passwords... Don’t reuse your passwords across sites ◮ No, seriously, don’t ◮ https://m.xkcd.com/792/ ◮ https://m.xkcd.com/1286/ Presumably we know how to pick a good password? ◮ https://m.xkcd.com/936/ Okay, but should we still be choosing passwords? At all? And yes, 2-factor authentication can be great, but don’t trust it too much Also, just to stick with the xkcd trend: https://xkcd.com/538/ Brock University What could possibligh go wrong? 12 / 32

  13. How do passwords get compromised? Lots of ways! One common way is when poorly-secured systems are accessed by ne’er-do-wells Or someone misplaces a drive with sensitive data on it (I so wish I was kidding) Or, as referenced earlier, when people reuse passwords, and a compromise of one triggers a domino effect Hopefully, passwords will be salted and hashed, but even that’s not a true guarantee. Also: First, never verify usernames independently from passwords! Do we understand the significance of salting ? e.g. https://hashkiller.co.uk/ or https://crackstation.net/ Brock University What could possibligh go wrong? 13 / 32

  14. Okay, but how else do they get compromised? Outside of key loggers (which, yes, are still a thing), if you assume one can get the (even salted) hash, then there’s still dictionary attacks, and even good old-fashioned brute force. This is part of why you need to change your password so often: so hopefully those salted hashes will be useless by the time they’re cracked. Brock University What could possibligh go wrong? 14 / 32

  15. So, what really matters? Arguably, social engineering is one of the most (if not the most ) significant threats to modern computer systems. You can fix code, but you can’t fix stupid Many attacks rely on tricking humans into bypassing the existing security. Consider some of the more ludicrous spam/phishing attempts you’ve received ◮ Chances are, someone’s fallen for it! Considering banks are screwing up all the time, when you get an email telling you to reset your password, how can you identify whether or not the link is correct? Brock University What could possibligh go wrong? 15 / 32

  16. So, what does this mean? Consider just how much we still rely on human intelligence to keep our information/identities safe How hard do you think it would be to get added as a second user to someone’s phone? To hijack someone’s service? What could one do once they had access to your service? ◮ Oh hey, what was that about two-factor authentication earlier...? I don’t think we have time for storytime, but for a really good read, N is stolen : https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd Brock University What could possibligh go wrong? 16 / 32

  17. I am whatever you say I am If I wasn’t, then why would I say I am? There are quite a few ways we can obfuscate identities. dnsspoof and dnschef can fiddle with DNS and/or DHCP Even though filtering and authentication have improved, spoofing email is still common We’ve already discussed both IP and MAC spoofing We even tried ARP poisoning in the lab! Basically, if there’s no mechanism to detect or prevent spoofing, you’re gonna have a bad time. Brock University What could possibligh go wrong? 17 / 32

  18. Denial of Service Hey, know what would be really nice about now? Listening to a ni- No. No, I just wanted to brow- No. — Denial of service is exactly what it sounds like, any mechanism that interrupts a host’s ability to access a network or service. It comes in many forms, targetting individuals or the services themselves Brock University What could possibligh go wrong? 18 / 32

  19. Traditional Denial of Service Generally speaking, most servers/switches/etc. can only handle so much traffic, or so many requests, at a time. Ideally, services will be provisioned well above their average loads, close to the highest predictable peaks. But what happens if the requests exceed that provisioning? The service becomes unable to continue servicing requests A classic DoS isn’t typically feasible, because a single end-user having higher networking resources than a service is downright screwy. To generate enough traffic to tie up computing resources, or exhaust allocated bandwidth, you need some friends to join in. This is a Distributed Denial of Service, probably the most well-known DoS Brock University What could possibligh go wrong? 19 / 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

COSC 4P14 What else could we discuss? Brock University Brock University What else could we

COSC 4P14 What else could we discuss? Brock University Brock University What else could we

COSC 4P14 What else could we discuss? Brock University Brock University What else could we discuss? 1 / 28 Theres so much more out there! No matter how much time we spent here, we could never hope to cover every notable networked

673 views • 28 slides
COSC 340: Software Engineering Using the Debugger Michael Jantz COSC 340: Software Engineering

COSC 340: Software Engineering Using the Debugger Michael Jantz COSC 340: Software Engineering

COSC 340: Software Engineering Using the Debugger Michael Jantz COSC 340: Software Engineering 1 Introduction What is it? A tool that supports examination of your program during execution How does it work? User attaches the

793 views • 28 slides
COSC 340: Software Engineering Course Project: Introduction Michael Jantz COSC 340: Software

COSC 340: Software Engineering Course Project: Introduction Michael Jantz COSC 340: Software

COSC 340: Software Engineering Course Project: Introduction Michael Jantz COSC 340: Software Engineering 1 Project Timeline Week(s) Dates Tasks 1 2 1/13 1/27 Form teams, pick a project topic 3 4 1/30 2/10 Write and present

94 views • 8 slides
COSC as Parent Stakeholder Recent decision to have the Council of School Councils (COSC)

COSC as Parent Stakeholder Recent decision to have the Council of School Councils (COSC)

COSC as Parent Stakeholder Recent decision to have the Council of School Councils (COSC) serve as an official CBE parent stakeholder - letters at tables. Board plans to make a decision about what this would look like in December.

594 views • 5 slides
The Essence of the Course COSC 404 Database System Implementation If you walk out of this course

The Essence of the Course COSC 404 Database System Implementation If you walk out of this course

COSC 404 - Dr. Ramon Lawrence The Essence of the Course COSC 404 Database System Implementation If you walk out of this course with nothing else you should: Course Introduction Understand database algorithms and techniques in order to: 1) Be

2.14k views • 147 slides
Trees CoSc 450: Programming Paradigms 08 The definition of a tree CoSc 450: Programming

Trees CoSc 450: Programming Paradigms 08 The definition of a tree CoSc 450: Programming

CoSc 450: Programming Paradigms 08 Trees CoSc 450: Programming Paradigms 08 The definition of a tree CoSc 450: Programming Paradigms 08 The definition of a tree The empty tree is a tree. A nonempty tree tree has three parts. root

348 views • 23 slides
CoSc 450: Programming Paradigms Paradigm A pattern of thinking that is frequently difficult to

CoSc 450: Programming Paradigms Paradigm A pattern of thinking that is frequently difficult to

CoSc 450: Programming Paradigms Paradigm A pattern of thinking that is frequently difficult to change. A world view. CoSc 450: Programming Paradigms Objective To learn three major programming models that complement the procedural and OO

245 views • 9 slides
Lists CoSc 450: Programming Paradigms 07 The definition of a list CoSc 450: Programming

Lists CoSc 450: Programming Paradigms 07 The definition of a list CoSc 450: Programming

CoSc 450: Programming Paradigms 07 Lists CoSc 450: Programming Paradigms 07 The definition of a list CoSc 450: Programming Paradigms 07 The definition of a list The empty list is a list. A nonempty list lst has two parts. (car

1.33k views • 85 slides
Decision Trees I Dr. Alex Williams August 24, 2020 COSC 425: Introduction to Machine Learning

Decision Trees I Dr. Alex Williams August 24, 2020 COSC 425: Introduction to Machine Learning

Decision Trees I Dr. Alex Williams August 24, 2020 COSC 425: Introduction to Machine Learning Fall 2020 (CRN: 44874) COSC 425: Intro. to Machine Learning 1 COSC 425: Intro. to Machine Learning 2 Todays Agenda We will address: 1. What

472 views • 34 slides
Monitors CoSc 450: Programming Paradigms 07 Monitor Purpose: To consolidate the wait and signal

Monitors CoSc 450: Programming Paradigms 07 Monitor Purpose: To consolidate the wait and signal

CoSc 450: Programming Paradigms Chapter 7 Monitors CoSc 450: Programming Paradigms 07 Monitor Purpose: To consolidate the wait and signal operations in a single class. Instead of having semaphores and critical sections spread throughout the

889 views • 87 slides
COSC 340: Software Engineering Design and Architecture Michael Jantz (adapted from slides by

COSC 340: Software Engineering Design and Architecture Michael Jantz (adapted from slides by

COSC 340: Software Engineering Design and Architecture Michael Jantz (adapted from slides by Ravi Sethi, University of Arizona) COSC 340: Software Engineering 1 Concepts from Building Architecture Draw on centuries old traditions of

1.43k views • 95 slides
Higher-Order Procedures CoSc 450: Programming Paradigms 05 In the functional paradigm,

Higher-Order Procedures CoSc 450: Programming Paradigms 05 In the functional paradigm,

CoSc 450: Programming Paradigms 05 Higher-Order Procedures CoSc 450: Programming Paradigms 05 In the functional paradigm, functions themselves can be processed as data. CoSc 450: Programming Paradigms 05 In the functional paradigm,

1.21k views • 73 slides
COSC 340: Software Engineering Validation & Verification Prepared by Michael Jantz (adapted

COSC 340: Software Engineering Validation & Verification Prepared by Michael Jantz (adapted

COSC 340: Software Engineering Validation & Verification Prepared by Michael Jantz (adapted from slides by Ravi Sethi, University of Arizona) COSC 340: Software Engineering 1 Software Quality Questions to consider What is software

1.06k views • 105 slides
Compound Data and Data Abstraction CoSc 450: Programming Paradigms 06 The Game of Nim Rules:

Compound Data and Data Abstraction CoSc 450: Programming Paradigms 06 The Game of Nim Rules:

CoSc 450: Programming Paradigms 06 Compound Data and Data Abstraction CoSc 450: Programming Paradigms 06 The Game of Nim Rules: There are two piles of items. Players take turns. You take as many as you want from a single pile.

587 views • 45 slides
COSC 340: Software Engineering Design Patterns Michael Jantz Recommended text: Design Patterns:

COSC 340: Software Engineering Design Patterns Michael Jantz Recommended text: Design Patterns:

COSC 340: Software Engineering Design Patterns Michael Jantz Recommended text: Design Patterns: Elements of Reusable Object-Oriented Software by Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides COSC 340: Software Engineering 1 Why

1.88k views • 156 slides
Defining Machine Learning Dr. Alex Williams August 21, 2020 COSC 425: Introduction to Machine

Defining Machine Learning Dr. Alex Williams August 21, 2020 COSC 425: Introduction to Machine

Defining Machine Learning Dr. Alex Williams August 21, 2020 COSC 425: Introduction to Machine Learning Fall 2020 (CRN: 44874) COSC 425: Intro. to Machine Learning 1 Syllabus Clarifications #1: No textbook requirement. (See Daume in Canvas.)

708 views • 53 slides
CSE543 Computer and Network Security Module: Internet Malware Professor Trent Jaeger Fall 2010

CSE543 Computer and Network Security Module: Internet Malware Professor Trent Jaeger Fall 2010

560 views • 51 slides
Our Climate Crisis What we can do about climate change and global warming PDA Albuquerque Aug

Our Climate Crisis What we can do about climate change and global warming PDA Albuquerque Aug

Our Climate Crisis What we can do about climate change and global warming PDA Albuquerque Aug 8, 2018 PDA Action Team STOP GLOBAL WARMING Join our community crew of climate crisis responders! Email: KarenBentrup@yahoo.com did you

535 views • 37 slides
Logistics for Upcoming Debate on Divestment Each of you delivers an opening statement,

Logistics for Upcoming Debate on Divestment Each of you delivers an opening statement,

Logistics for Upcoming Debate on Divestment Each of you delivers an opening statement, wed ask that they not exceed 10 minutes apiece As far as the framing of the debate goes, Id ideally like you two to focus on

1.17k views • 87 slides
What Am I Looking At? Low Power Radio-Optical Beacons For In-View Recognition Ashwin Ashok

What Am I Looking At? Low Power Radio-Optical Beacons For In-View Recognition Ashwin Ashok

What Am I Looking At? Low Power Radio-Optical Beacons For In-View Recognition Ashwin Ashok aashok@winlab.rutgers.edu with Chenren Xu, Tam Vu, Wenjia Yuan, Richard Howard, Marco Gruteser, Kristin Dana, Narayan Mandayam WINLAB IAB, 15 th May

361 views • 18 slides
Single-phase TPS Warm Interface Some thoughts E. Hazen, M. Johnson, R. Van Berg 2016-02-08 E.

Single-phase TPS Warm Interface Some thoughts E. Hazen, M. Johnson, R. Van Berg 2016-02-08 E.

Single-phase TPS Warm Interface Some thoughts E. Hazen, M. Johnson, R. Van Berg 2016-02-08 E. Hazen - DUNE Warm Interface 1/18 Focus on... 1. Slow Controls 2. Clock and synchronous controls 3. DAQ 2016-02-08 E. Hazen - DUNE Warm

356 views • 18 slides
Trigger for Phase 1 Marco Bellato, Fabio Montecassiano, Andrea Triossi, Sandro Ventura CMS Week,

Trigger for Phase 1 Marco Bellato, Fabio Montecassiano, Andrea Triossi, Sandro Ventura CMS Week,

Trigger for Phase 1 Marco Bellato, Fabio Montecassiano, Andrea Triossi, Sandro Ventura CMS Week, CERN, 11 Nov 2012 1 DT Layout after Relocation UXC USC Cu OF Sector Server Board DTTF OF Cu Collector TwinMux DTTF No schedule

226 views • 9 slides
Chapter 4: Files and Directories CMPS 105: Systems Programming Prof. Scott Brandt T Th 2-3:45

Chapter 4: Files and Directories CMPS 105: Systems Programming Prof. Scott Brandt T Th 2-3:45

Chapter 4: Files and Directories CMPS 105: Systems Programming Prof. Scott Brandt T Th 2-3:45 Soc Sci 2, Rm. 167 Files and Directories Chapter 3 covered basic file I/O Chapter 4 covers more details stat File attributes

441 views • 41 slides
The Case for Dumb Requirements Engineering Tools Daniel M. Berry 1 , Ricardo Gacitua 2 , Pete

The Case for Dumb Requirements Engineering Tools Daniel M. Berry 1 , Ricardo Gacitua 2 , Pete

The Case for Dumb Requirements Engineering Tools Daniel M. Berry 1 , Ricardo Gacitua 2 , Pete Sawyer 2,3 , Sri Fatimah Tjong 4 , 1 Univ. of Waterloo, CA; 2 Lancaster Univ., UK; 3 INRIA Paris Rocquencourt, FR; 4 Univ. of Nottingham Malaysia, MY

844 views • 60 slides

More recommend