COSC 4P14: What could possibligh go wrong? (Brock University) - PowerPoint PPT Presentation


SLIDE 1

COSC 4P14

What could possibligh go wrong?

Brock University

Brock University What could possibligh go wrong? 1 / 32

SLIDE 2

Common attacks and exploits

We’ve talked about how to use individual tools (encryption, authentication, etc.), but there’s something much larger, and more basic, to consider:
Any system is only as secure as its weakest point of ingress
That is, a dozen great tools and one stupid mistake lead to many sad faces
Let’s talk about some concerns.

SLIDE 3

Eavesdropping

Of course, the problems with eavesdropping are mostly self-evident.
The expectation is that communication should normally be readable only by the parties involved
We’ve already talked about how trivial it is to eavesdrop on broadcast media
In other words: stop using open WiFi. There are plenty of things that can go wrong!

SLIDE 4

Session hijacking

Remember how cookies work? And how you can authenticate yourself to a web server, and then keep including proof of having authenticated in a request header?
Yeah... if someone ’hears’ that header, he or she can become you
Fun fact: this was actually another possible way to do your previous lab exercise!
A well-designed web server shouldn’t easily fall for session hijacking, though

◮ Why not?

It’s also worth noting that this is closely related to various forms of replay attack (which is part of why nonces are a thing: a value the server accepts exactly once, so a captured request can’t simply be sent again).
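A worked example of the defences the “Why not?” question points at, added here and not part of the original deck: session ids from the OS CSPRNG, cookie attributes that keep the id off plaintext HTTP and away from script, rotation of the id on login, and a one-time nonce check that makes a replayed header fail even though the session itself is still valid. The in-memory stores, the nonce TTL and every function name are assumptions for the demo, not a real framework’s API.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a real session backend.
SESSIONS = {}          # session_id -> {"user": str, "issued": float}
SEEN_NONCES = {}       # nonce -> expiry time (for replay detection)
NONCE_TTL = 300        # seconds a nonce stays valid (assumed value)


def new_session(user):
    """Issue a fresh, unguessable session id (128 bits from the OS CSPRNG)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "issued": time.time()}
    return sid


def session_cookie(sid):
    """Build the Set-Cookie value. Secure keeps the cookie off plaintext HTTP
    (so it can't be 'heard' on open WiFi), HttpOnly keeps it away from
    injected script, SameSite limits cross-site use."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def login(user, password_ok, old_sid=None):
    """Rotate the session id on authentication so an id obtained before
    login (or planted via fixation) is worthless afterwards."""
    if not password_ok:
        return None
    if old_sid in SESSIONS:
        del SESSIONS[old_sid]
    return new_session(user)


def check_nonce(nonce, now=None):
    """Accept each client nonce once; a replayed request reuses a nonce
    and is rejected even if the captured header was otherwise valid."""
    now = time.time() if now is None else now
    # Drop expired nonces so the table does not grow without bound.
    for n in [n for n, exp in SEEN_NONCES.items() if exp <= now]:
        del SEEN_NONCES[n]
    if nonce in SEEN_NONCES:
        return False
    SEEN_NONCES[nonce] = now + NONCE_TTL
    return True


def authenticate_request(cookie_header, nonce, now=None):
    """Resolve a Cookie header to a user, rejecting unknown ids and replays."""
    sid = None
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == "sid":
            sid = v
    if sid is None:
        return None
    # Compare against stored ids in constant time to avoid timing leaks.
    match = next((s for s in SESSIONS
                  if hmac.compare_digest(s.encode(), sid.encode())), None)
    if match is None or not check_nonce(nonce, now):
        return None
    return SESSIONS[match]["user"]


if __name__ == "__main__":
    sid = login("alice", password_ok=True)
    print(session_cookie(sid))
    print(authenticate_request(f"sid={sid}", "n1"))   # alice
    print(authenticate_request(f"sid={sid}", "n1"))   # None: replayed nonce
```

The nonce table is what stops a captured-and-resent request; the Secure flag is what stops the capture in the first place on a network where someone is listening. Neither helps if the id itself is guessable, which is why it comes from `secrets` rather than a counter or timestamp.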

SLIDE 5

Man in the Middle

A Man in the Middle attack is not the same thing as eavesdropping or session hijacking!
Rather, it relies on the assumption that the attacker can insert themselves in between two communicating parties. That attacker then has several options:
Receiving from one party, changing it, and then passing the new version to the other party
Establishing a separate secure connection with each party, so each side sees a secure connection and might not notice that it’s with the wrong party
Consider, for example, what happens when you first connect to a network. What’s your DNS? How reliable is it?
Perhaps we have time for a demo?

SLIDE 6

HTTP Strict Transport Security

How can we prevent someone in the middle from downgrading us from HTTPS to HTTP?
If everyone cared about security, it would already be completely solved as a problem
Some versions of Chrome might clue you in; presumably other browsers will eventually follow
HSTS lets a site set a rule, via an HTTP response header, that HTTPS must be used for return visits (for a given max-age, optionally covering subdomains too)

◮ Check out chrome://net-internals/#hsts

Wait, “return visits”? What about the first visit on that device? Ah, for that, we have a whitelist: the HSTS preload list baked into the browser itself (Prepare to be annoyed)
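To make the header concrete, here is an added example (mine, not from the deck) of the client side of HSTS: parsing the Strict-Transport-Security header, caching it with its expiry, and rewriting later http:// URLs to https:// before they leave, with a tiny stand-in preload list for the first-visit case. The header syntax is the real one; PRELOAD, the hostnames and the HstsCache class are assumptions for the demo.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list (the real one
# ships inside Chrome and is far larger). host -> includeSubDomains
PRELOAD = {"example.com": True}   # assumed entry


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for a header without a usable max-age, which browsers ignore."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal per-client HSTS store: remembers hosts that asked for HTTPS
    and upgrades later plaintext requests to them."""

    def __init__(self):
        self.entries = {}   # host -> (expiry, include_subdomains)

    def observe(self, host, header, now=None):
        """Record the header from an HTTPS response. max-age=0 clears the entry."""
        now = time.time() if now is None else now
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, is preloaded or cached."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in PRELOAD and (exact or PRELOAD[candidate]):
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// for known hosts, so a downgrade by
        someone in the middle never sees a plaintext request to them."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("bank.test", "max-age=31536000; includeSubDomains")
    print(cache.rewrite("http://bank.test/login"))     # https://bank.test/login
    print(cache.rewrite("http://www.bank.test/"))      # https://www.bank.test/
    print(cache.rewrite("http://first-visit.test/"))   # unchanged: never seen, not preloaded
```

The last line is the “first visit” gap the slide mentions: until the browser has seen the header once over HTTPS (or the host is on the preload list), nothing stops the plaintext request.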

SLIDE 7

Wireless security

To what extent does wireless security really matter?
e.g. suppose you aren’t worried about people leeching your bandwidth, and you only use encrypted traffic. Does it still matter?
Do you like being arrested?

SLIDE 8

Wired Equivalent Privacy

Ahahahahahahaha. No.

SLIDE 9

WiFi Protected Access

Yes, KRACK didn’t do WPA2’s reputation any favours, but that’s not the only concern:
WPS (meant to make pairing easier) introduced vulnerabilities of its own (its PIN is short enough to brute-force)
If you have a crappy password, the encryption isn’t really helping much
But, besides all that, what about the login password itself? Is that safe?
WPA certainly isn’t susceptible to the same exploits as WEP, so we’re cool, right?

SLIDE 10

While we’re talking about deauthentication attacks...

There are several other uses for deauth’ing hosts
Suppose you create your own access point (for nefarious reasons) and leave it open

◮ Will people connect? Maybe, maybe not.

Suppose you start booting everyone connected to any access point that isn’t yours

◮ Chances are, you’ll get a few more biting

SLIDE 11

Additional wireless concerns

Even though we already covered this on the assignment, do we understand why SSID cloaking and MAC filtering are so ineffective? (The SSID still shows up in probe and association frames, and MAC addresses are sent in the clear and trivially changed.)
Also, what’s the password on your router/modem/access point?

SLIDE 12

Speaking of passwords...

Don’t reuse your passwords across sites

◮ No, seriously, don’t
◮ https://m.xkcd.com/792/
◮ https://m.xkcd.com/1286/

Presumably we know how to pick a good password?

◮ https://m.xkcd.com/936/

Okay, but should we still be choosing passwords? At all?
And yes, 2-factor authentication can be great, but don’t trust it too much
Also, just to stick with the xkcd trend: https://xkcd.com/538/

SLIDE 13

How do passwords get compromised?

Lots of ways! One common way is when poorly-secured systems are accessed by ne’er-do-wells
Or someone misplaces a drive with sensitive data on it (I so wish I was kidding)
Or, as referenced earlier, when people reuse passwords, and a compromise of one triggers a domino effect
Hopefully, passwords will be salted and hashed, but even that’s not a true guarantee. Also:
First, never verify usernames independently from passwords!
Do we understand the significance of salting? e.g. https://hashkiller.co.uk/ or https://crackstation.net/

SLIDE 14

Okay, but how else do they get compromised?

Outside of key loggers (which, yes, are still a thing), if you assume one can get the (even salted) hash, then there’s still dictionary attacks, and even good old-fashioned brute force.
This is part of the traditional argument for changing your password so often: so hopefully those salted hashes will be useless by the time they’re cracked. (Current guidance, e.g. NIST SP 800-63B, instead favours long passwords, a deliberately slow salted hash, and changing a password when there’s reason to think it’s been compromised.)
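An added example, not from the deck, that makes the last two slides’ points concrete: an unsalted SHA-256 store falls to a precomputed lookup table (what sites like crackstation hold) in one dictionary access; a salted, slow PBKDF2 store forces one full KDF run per guess, per user; and the login routine checks username and password together, running the KDF against a decoy record for unknown users so the form can’t be used to enumerate accounts. The wordlist, iteration count, DUMMY_RECORD and function names are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed "leaked" password list standing in for a real wordlist.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "correcthorsebatterystaple"]
KDF_ITERATIONS = 100_000   # assumed work factor; tune so one run takes ~100 ms on your hardware


def weak_hash(password):
    """Unsalted, fast hash: identical passwords give identical hashes, so one
    precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """hash -> plaintext, computed once and reused against any unsalted dump."""
    return {weak_hash(w): w for w in words}


def crack_unsalted(stored_hash, table):
    return table.get(stored_hash)


def make_record(password):
    """Store a per-user random salt plus a slow, salted hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(record, words):
    """With a salt there is no shared table: every guess costs a full KDF run,
    for this one user only. Returns (password or None, guesses made)."""
    for i, w in enumerate(words, 1):
        if verify(record, w):
            return w, i
    return None, len(words)


def login(users, username, password):
    """Check username and password together. Running the same KDF even for an
    unknown user keeps the response time and the error identical, so the login
    form cannot be used to find out which usernames exist."""
    record = users.get(username)
    dummy = DUMMY_RECORD if record is None else record
    ok = verify(dummy, password)
    return ok and record is not None


DUMMY_RECORD = make_record("not-a-real-password")   # assumed decoy for unknown users

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(crack_unsalted(weak_hash("hunter2"), table))   # hunter2, instantly
    rec = make_record("hunter2")
    print(crack_salted(rec, WORDLIST))                    # ('hunter2', 3): three KDF runs
    print(login({"bob": rec}, "bob", "hunter2"), login({"bob": rec}, "eve", "hunter2"))
```

Note that salting does not stop a dictionary attack on a weak password; it only removes the shared table and multiplies the work by the number of users, and the slow KDF multiplies it again per guess. A strong password is still the thing that makes the attack infeasible.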

SLIDE 15

So, what really matters?

Arguably, social engineering is one of the most (if not the most) significant threats to modern computer systems.
You can fix code, but you can’t fix stupid
Many attacks rely on tricking humans into bypassing the existing security.
Consider some of the more ludicrous spam/phishing attempts you’ve received

◮ Chances are, someone’s fallen for it!

Considering banks are screwing up all the time, when you get an email telling you to reset your password, how can you identify whether or not the link is correct?

SLIDE 16

So, what does this mean?

Consider just how much we still rely on human intelligence to keep our information/identities safe
How hard do you think it would be to get added as a second user to someone’s phone? To hijack someone’s service? What could one do once they had access to your service?

◮ Oh hey, what was that about two-factor authentication earlier...?

I don’t think we have time for storytime, but for a really good read, here is how the Twitter handle @N was stolen (by social-engineering the owner’s payment and domain providers, not by breaking any crypto):

https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd

SLIDE 17

I am whatever you say I am

If I wasn’t, then why would I say I am?

There are quite a few ways we can obfuscate identities.
dnsspoof and dnschef can forge or rewrite DNS answers (and a rogue DHCP server can hand clients a malicious resolver in the first place)
Even though filtering and authentication have improved (SPF, DKIM, DMARC), spoofing email is still common
We’ve already discussed both IP and MAC spoofing
We even tried ARP poisoning in the lab!
Basically, if there’s no mechanism to detect or prevent spoofing, you’re gonna have a bad time.
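Since the slide closes on detection, here is an added example (mine, not the deck’s) of the simplest ARP-poisoning detector: watch ARP replies, and alert when an IP address’s MAC changes from what was first seen (or from a pinned table), or when one MAC starts claiming several IPs. The replies are constructed tuples of the fields a sniffer such as tcpdump or scapy would give you, not a real capture; addresses and function names are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac). Not a real capture.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway, legitimate
    (1.0, "192.168.1.50", "aa:bb:cc:00:00:50"),
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (3.0, "192.168.1.1", "de:ad:be:ef:00:99"),    # poisoner claims to be the gateway
    (3.5, "192.168.1.1", "de:ad:be:ef:00:99"),
    (4.0, "192.168.1.60", "de:ad:be:ef:00:99"),   # same MAC also claims a second IP
]


def detect_arp_poisoning(replies, trusted=None):
    """Flag ARP replies where an IP's MAC differs from what was first seen (or
    from the pinned 'trusted' table) and where one MAC claims several IPs.
    Returns alerts as (timestamp, kind, ip, mac) tuples."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac           # first sighting: learn it (weak, hence pinning)
        elif known != mac:
            alerts.append((ts, "mac-changed", ip, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # assumed pinned entry
    for alert in detect_arp_poisoning(ARP_REPLIES, trusted=gateway):
        print(alert)
```

Learning the first answer seen is exactly what a victim host does, so the detector is only as good as the pinned table for the hosts that matter (the gateway above all); the last assertion in the test shows the difference.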

SLIDE 18

Denial of Service

Hey, know what would be really nice about now? Listening to a ni- No.
No, I just wanted to brow- No.
Denial of service is exactly what it sounds like: any mechanism that interrupts a host’s ability to access a network or service.
It comes in many forms, targeting individuals or the services themselves

SLIDE 19

Traditional Denial of Service

Generally speaking, most servers/switches/etc. can only handle so much traffic, or so many requests, at a time.
Ideally, services will be provisioned well above their average loads, close to the highest predictable peaks.
But what happens if the requests exceed that provisioning? The service becomes unable to continue servicing requests
A classic single-source DoS isn’t typically feasible, because a single end-user having more network capacity than a service is downright screwy.
To generate enough traffic to tie up computing resources, or exhaust allocated bandwidth, you need some friends to join in. This is a Distributed Denial of Service (DDoS), probably the best-known form of DoS

SLIDE 20

DoS Fun Facts!

(Fun not guaranteed)

Many DDoS attacks are either:

◮ From cheap computing resources on a farm, or
◮ Performed without the hosts’ owners’ knowledge, because their computers have become compromised by malware, creating an army of zombies (a botnet)

There are different attacks centred around pings:

◮ A classic ping flood simply organizes enough pings to swamp the target
◮ A ping of death uses an oversized IP packet (fragments that reassemble to more than the 65,535-byte maximum), which can also trigger overflows in the receiving stack
◮ A smurf attack is a sneaky bit of ventriloquism: send an ICMP echo request to the broadcast address of a large network, spoofing your target’s IP address as the source. Keep sending those broadcasts. When every host on that network replies, the target gets flooded (an amplification attack)

There are also attacks at different network layers, e.g. SYN floods at the transport layer, etc.
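The SYN flood is the one with a classic stateless defence, so here is an added example (mine, not the deck’s) of SYN cookies: instead of allocating a half-open connection for every SYN, the server encodes a time counter, an MSS table index and a truncated HMAC over the connection 4-tuple into its initial sequence number, stores nothing, and only creates a connection when an ACK returns with a valid cookie. Spoofed SYNs from hosts that never see the SYN-ACK then cost the server no memory. The bit layout follows the Linux scheme in spirit (5-bit counter, 3-bit MSS index, 24-bit MAC), but SECRET, MSS_TABLE and the function names are assumptions for the demo.

```python
import hmac
import hashlib
import struct

SECRET = b"assumed-server-secret-rotated-periodically"
MSS_TABLE = [536, 1220, 1440, 1460]      # a small table of negotiable MSS values (assumed)


def _mac(src_ip, src_port, dst_ip, dst_port, count):
    """Keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now_seconds):
    """Encode the server's ISN so that no per-connection state is stored:
    top 5 bits = 64-second counter, next 3 bits = MSS table index,
    low 24 bits = truncated MAC over (4-tuple, counter)."""
    count = (now_seconds // 64) & 0x1F
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss) if mss >= MSS_TABLE[0] else 0
    mac = _mac(src_ip, src_port, dst_ip, dst_port, count) & 0xFFFFFF
    return ((count << 27) | (idx << 24) | mac) & 0xFFFFFFFF


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now_seconds, max_age_slots=4):
    """Validate the final ACK of the handshake. Returns the negotiated MSS on
    success or None. Only a client that really received our SYN-ACK can echo
    a valid cookie back, so spoofed SYNs never turn into connections."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    count = cookie >> 27
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (now_seconds // 64) & 0x1F
    age = (current - count) & 0x1F
    if age >= max_age_slots:
        return None               # cookie too old: its counter slot has expired
    if idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, count) & 0xFFFFFF
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 7]), bytes([192, 0, 2, 10])
    isn = make_syn_cookie(client, 51000, server, 443, 1460, now_seconds=1_000_000)
    print(hex(isn))
    print(check_syn_cookie(client, 51000, server, 443, isn + 1, now_seconds=1_000_010))  # 1460
    print(check_syn_cookie(client, 51001, server, 443, isn + 1, now_seconds=1_000_010))  # None
```

The cost of the trick is visible in the code: only the MSS survives from the client’s SYN options (window scaling and SACK are lost unless encoded elsewhere), and the 24-bit MAC is short enough that real stacks only switch cookies on when the SYN backlog is actually full.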

SLIDE 21

DoS Less Fun Fact!

One problem with combating DDoSes is that it can be hard to confirm one is happening.
If you start getting battered by one IP address, just block it
Filtering based on the odd behaviour of multiple sources is possible, but trickier
How do you differentiate between a DDoS and a ’reddit hug of death’? Back in my day, Google was a thing to be feared!
If filtering isn’t enough, you may need to overprovision, or look into elastic load balancing.

SLIDE 22

DoS afterthought

It’s also worth noting that the deauth attack from earlier can be applied as effectively a local DoS.
Just ramp it up to 11, and nobody gets to talk to anyone
What you end up with is a de facto WiFi jammer
Do I need to say this is illegal?
Question: how complicated do you think it’d be to make a jammer? How expensive? How portable would it be?

SLIDE 23

Shocking news: bad people aren’t above taking shortcuts

Many malicious attacks target known vulnerabilities in software or protocols. For example:

Buffer overflows
Heartbleed was a slight variation: a buffer over-read rather than an overflow (OpenSSL handed back up to 64 KB of heap memory it should never have sent)

◮ https://xkcd.com/1354/

Malware almost exclusively looks either to trick the user into installing it, or to find hooks into libraries that shouldn’t have been allowed

SLIDE 24

Keeping yourself (and others) safe

What do I do?

The first step is professional vigilance. Install updates when available; be aware of notable recent vulnerabilities/exploits when not
Routinely seek out exploitable flaws in your own systems, like code injection

◮ Sanitization (better still, validation and parameterisation) of inputs is really important
◮ To some extent, good design can mitigate this
  ⋆ e.g. one server can make requests of another (even deeper) server, providing a measure of isolation

There are lots of challenges you could add

◮ And obviously, one way or another, replays shouldn’t be viable
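The injection bullet deserves a side-by-side, so here is an added example (mine, not the deck’s) against an in-memory SQLite user table: a login query built by string concatenation, the same query parameterised, and a third routine that stands in for the slide’s “deeper server” by exposing only a yes/no check so that even a successful injection cannot read other rows or columns. The table contents, payload and function names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for a real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, name, pw):
    """Query built by string concatenation: the input becomes part of the SQL."""
    query = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return db.execute(query).fetchone()


def login_safe(db, name, pw):
    """Parameterised query: the driver sends the values separately from the
    statement, so quotes in the input are data, never syntax."""
    query = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return db.execute(query, (name, pw)).fetchone()


def login_isolated(db, name, pw):
    """Design-level mitigation: the front end never reads the table itself but
    asks a narrow inner routine (assumed to live on the 'deeper' server) that
    only answers whether exactly one matching row exists."""
    row = db.execute("SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?", (name, pw)).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(login_vulnerable(db, "alice", "s3cret"))   # ('alice', 'admin')
    print(login_vulnerable(db, payload, payload))     # ('alice', 'admin') with no password at all
    print(login_safe(db, payload, payload))           # None
    print(login_isolated(db, "bob", "hunter2"))       # True
```

The payload works on the vulnerable version because `AND` binds tighter than `OR`, so the `WHERE` clause ends in `... OR '1'='1'` and is true for every row; the first row happens to be the admin. Parameterisation removes the problem entirely, and the narrow interface limits the blast radius if something else is ever missed.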

SLIDE 25

What else?

Remember the botnets mentioned earlier? Those generally rely on exploiting not just software, but people.
For example, if you set up a home server, and make that server available outside your home network, you will have many people trying to gain access to it
If your devices have default usernames/passwords, change them
Look into software that will monitor failed attempts, and cut them off at the source (fail2ban is the usual example)
For a great example of this, let’s google “three weeks of bots”
Also, if you ever use a guest network (especially a widely-shared one, like at a hotel), then be keenly aware of what services you currently have running.
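An added example (mine, not the deck’s) of what “monitor failed attempts and cut them off” looks like in practice: a fail2ban-style rule run over a few constructed sshd auth.log lines, banning a source once it has three failed passwords inside a ten-minute sliding window, and producing the firewall command a ban action would run. The log lines are constructed (not a real capture), and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in the classic auth.log format; not a real capture.
AUTH_LOG = """\
Mar  3 10:00:01 home sshd[4012]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 10:00:03 home sshd[4013]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Mar  3 10:00:05 home sshd[4014]: Failed password for root from 203.0.113.9 port 40141 ssh2
Mar  3 10:00:06 home sshd[4015]: Accepted publickey for alice from 192.0.2.20 port 50001 ssh2
Mar  3 10:00:08 home sshd[4016]: Failed password for root from 203.0.113.9 port 40150 ssh2
Mar  3 10:00:09 home sshd[4017]: Failed password for pi from 198.51.100.4 port 33000 ssh2
Mar  3 10:15:00 home sshd[4020]: Failed password for root from 198.51.100.4 port 33010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for each failed password attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_offenders(log_text, max_fails=3, window_seconds=600):
    """fail2ban-style rule: ban a source once it reaches max_fails failures
    within a sliding window. Returns {ip: timestamp_of_ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_fails:
            banned[ip] = ts
    return banned


def firewall_rules(banned):
    """The command a ban action would run for each offender (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    bans = find_offenders(AUTH_LOG)
    print(bans)                          # 203.0.113.9 banned at 10:00:05; 198.51.100.4 not banned
    print("\n".join(firewall_rules(bans)))
```

The second source in the sample is the interesting one: two failures fifteen minutes apart never meet the threshold, which is why a slow, patient scanner gets through a naive rule and why real deployments pair this with key-only authentication rather than relying on it alone.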

SLIDE 26

What if I want to get serious?

The only way you have a chance at knowing if you’re safe or not is to attack yourself.
Penetration testing software is used to find exploits in services, and attempt to take advantage of them

◮ Everything from SQL injection, to MitM
◮ Basically, all of the fun script-kiddie stuff

These are valuable tools, because they’re the first step others will use to try to gain access
Interesting tools include metasploit, ettercap/bettercap, wifite, etc.
You might want to look into something called Kali Linux.

SLIDE 27

But remember what’s important

Don’t forget that meatspace is a thing, too!
Wardriving
Exposed USB/ethernet ports
Keyloggers and USB rubber duckies
“Lost” flash drives
Of course, much of this relates back to social engineering.

SLIDE 28

What if I want to get super-paranoid?

Perhaps look into honeypots?

SLIDE 29

Additional thoughts

Have you given much consideration to the many ways you’re tracked online?
Even just on the web alone:
Of course, traditional cookies (google ads, etc)
Though this is slowly phasing out, web bugs
Flash cookies
Fingerprinting the OS, browser, etc.
Basically, someone doesn’t need to know who you are to still recognize that you’re you.

SLIDE 30

Final advice

Whenever you can avoid it, don’t roll your own solutions.
Whatever security task arises, whatever secrets need hiding, someone’s already made a tool for it
Their peer-reviewed, time-tested solution has a decent chance of being more reliable than whatever you cobble together

SLIDE 31

Do we have time for a thought experiment?

SLIDE 32

Questions?

Comments?

Songs stuck in your head?
