12-secure-networks-2


MORE NETWORK DEFENSE
EN.600.424
Lecture Notes
Spring 2016

NETWORKS CHANGE EVERYTHING
• Without near instantaneous connectivity, there would still be attacks
• But global, instantaneous connectivity changes everything
  • First, there is a direct connection between the bad guys and you… always.
  • Second, there is no concept of “spaces”
  • Third, much of what connects us must, by necessity, be automated
  • Fourth, all of our services are connected on the same networks
  • Fifth, the high speed makes “chaining” attacks viable

VULNERABILITIES IN NETWORK PROTOCOLS
• Our Internet is largely TCP+IP (using DNS)
  • All three of these have little or no authentication whatsoever
• Common problems
  • Hard to track the bad guy: MAC addresses don’t map to IP addresses (plus, they are forgeable)
  • DNS can be fed faulty information
  • Change the default password on your home router (it can be used to do this)
• Playground equivalents?

VULNERABILITIES IN LANS
• If a bad guy gets onto the LAN, most defenses are in trouble
  • Can trivially eavesdrop
  • Can hijack TCP sessions
  • Can generate false information (e.g., ARP or DHCP messages)
• Remember that (at least implicitly) the LAN is more-or-less trusted.

VULNERABILITIES IN DATA!
• “Pathological case”
  • For example, a spam filter that has O(n) cost in the average case
  • What if it has O(n³) cost in a pathological case?
  • You could do a denial of service by sending crafted messages
• Another example is in the book with crafted compressed messages

HOW MALWARE PROPAGATES
• First, a physical communication channel
  • In the old days, modems and disks
  • Now, we have the Internet
• Second, a delivery mechanism
  • Email attachments (promising porn or other “incentives”)
  • Unpatched vulnerabilities in software
  • Poorly configured hardware/software

PARALLELIZATION OF MALWARE
• Botnets are a serious problem
• Some botnets control as many machines as Google… think about that

NETWORK TOPOLOGY
• As previously stated, malware needs a channel over which to propagate
• The propagation of malware is largely determined by network topology
• Network topology has become much more complicated in the last 10 years because of overlays
  • Obviously there are the routers of the Internet, etc.
  • But then we overlay new networks on top
  • The oldest example is email… email is a kind of separate network on top
  • But now we have Facebook and other social media

THROW-AWAY SYSTEMS
• Use a virtual machine as a throw-away system
  • Load up a minimal virtual machine
  • Install a browser and an email client
  • Surf the web from the VM
  • Check all downloads carefully before moving them to your main system
  • Check email from the VM
  • Check all attachments carefully
• If you get infected, revert to the snapshot

PROPER MANAGEMENT
• You can avoid a lot of problems by simply keeping your software up-to-date
• Worms, in particular, exploit existing faults. Keeping up-to-date reduces this threat
• Also, make sure that your configuration is safe
  • Defaults should not be trusted
  • Change passwords
  • Check online to see if there are dangerous network configuration issues

PROPER TRAINING
• Teach others (professionally and personally) not to click on attachments
• Teach others to verify emails with links
  • A friend of mine did this to me just the other day… “clever girl”
• Teach others not to go looking for “Free Mp3’s”
  • The unfortunate truth is, if you go looking for free stuff, you’ll always get in trouble

CENTRAL ENFORCEMENT ADVANTAGES
• The firewall can do signature analysis
• The firewall can also do some IDS
• The firewall can block “dangerous” protocols
• The firewall can be updated regularly with new signatures

DISADVANTAGES
• The biggest problem is the processing time
  • Industrial-strength firewalls (costing upwards of $20,000) have dedicated hardware
• Another problem is proper configuration
  • Systems this complex have a lot of beeps, bells, and whistles
  • Easy to make mistakes in configuration; difficult to diagnose

ANOTHER DISADVANTAGE: SPLIT PATHS
• Many large institutions have multiple connections to the Internet
• For reasons beyond the scope of this class, they may split up incoming/outgoing packets
• Firewalls cannot decode sessions if they only see one half of the stream
• Advanced firewalls have a mechanism whereby two firewalls can share state

PART 2: PASSWORDS AGAIN
• From a 2013 Wired article: http://www.wired.co.uk/news/archive/2013-05/28/passwordcracking
• See also this 2010 article: http://lifehacker.com/5505400/how-id-hack-your-weakpasswords
  • I don’t like it so much; he’s wrong about some things
  • But it has a lot of good points.

CRACKING 90% OF PASSWORDS
• Stage 0
  • Nate Anderson of Ars Technica downloaded 16,000 passwords
  • Password cracking “newbie”
  • Cracked nearly 50% in a few hours
• Wired asked 3 password cracking experts to have a try
  • Best: Jeremi Gosney of Stricture Consulting Group (90% in 20 hours)
  • Jens Steube of oclHashcat Plus (82% in one hour+)
  • Radix (62% in one hour)

STAGE 1: THE EASY STUFF
• The “common” passwords:
  • 123456
  • 1234567
  • Password
  • Letmein
  • Destiny21
  • pizzapizza
• Brute force
  • 2 minutes 32 seconds for every possible 6-letter password
  • 1300 passwords cracked

HOW TO NOT GET HACKED IN STAGE 1
• Your password really needs to be at least 8 characters long
• Your password cannot be one of the common passwords
• If you’re the website, hash the passwords using SHA256 or better
  • This significantly slows down how many guesses per second an attacker can make (for now)

STAGE 1.5: INTELLIGENT BRUTE FORCE
• 7 and 8 character all-uppercase passwords (708)
• 7 and 8 character all-lowercase passwords (1618)
• Up to twelve-digit all-number passwords (312)
• Personally maintained wordlist + “Best64” rules (6,228)
• All cracked passwords + another ruleset known as “D3adOne” (51)

BEST64 RULE
• As of 4/21/2012
  • https://www.question-defense.com/2012/04/21/hashcat-best64-rule-details-updatedafter-the-best64-challenge
  • Obvious: add numbers, “s”, etc.
  • Rotates: “increment the sixth char by one ascii value, delete the last char, move the last char to the first position four times, and cut the word off at the fifth char”
  • Other rules remove characters, apply suffixes, and “leetify”
• There may be a newer set. This was what came up on my first Google search
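To make the rule language concrete, here is an added example (my own code, not the lecture's and not hashcat's) that interprets a handful of hashcat-style rule functions and uses them the way a defender would: to reject a proposed password that is merely a dictionary word with a Best64-style mangling applied. Rule functions must be space-separated in this toy (a simplification of the real syntax), and WORDS and RULES are constructed for illustration.

```python
# Added example: a minimal interpreter for a few hashcat-style rule functions,
# applied as a password-policy check rather than as a cracking tool.
# Only the functions listed below are implemented; rule functions must be
# separated by spaces (simplification). WORDS and RULES are constructed.

def apply_rule(word: str, rule: str) -> str:
    """Apply one space-separated rule string to a word, left to right."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ':':                       # no-op: the word itself
            pass
        elif op == 'l':                     # lowercase
            w = w.lower()
        elif op == 'u':                     # uppercase
            w = w.upper()
        elif op == 'c':                     # capitalise, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
        elif op == '$':                     # append a character
            w = w + arg
        elif op == '^':                     # prepend a character
            w = arg + w
        elif op == ']':                     # delete the last character
            w = w[:-1]
        elif op == '}':                     # rotate right: last char to front
            w = w[-1:] + w[:-1]
        elif op == "'":                     # truncate to N characters
            w = w[:int(arg)]
        elif op == '+':                     # increment char at position N by one
            n = int(arg)
            if n < len(w):
                w = w[:n] + chr(ord(w[n]) + 1) + w[n + 1:]
        elif op == 's':                     # substitute all X with Y ("leetify")
            w = w.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return w

WORDS = ["password", "pizza", "letmein", "destiny"]                # constructed
# The last rule is the Best64 "rotate" rule quoted on the slide above.
RULES = [":", "c $1", "se3", "$1 $2 $3", "u", "+5 ] } } } } '5"]    # constructed

def rule_derivable(candidate: str, words=WORDS, rules=RULES) -> bool:
    """True if candidate equals some word with some rule applied: reject it."""
    return any(apply_rule(w, r) == candidate for w in words for r in rules)

if __name__ == "__main__":
    print(apply_rule("password", "+5 ] } } } } '5"))                # swprp
    print(rule_derivable("Pizza1"), rule_derivable("Xq7#vL2pR9"))   # True False
```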

CRACKING WEAK PASSWORDS FIRST
• Apparently, a lot of sites use a fixed salt list
• By cracking the weak passwords (brute force), the salts are exposed
• Now you can simply take each checked word multiplied by the known salts
• For this reason, crack weak passwords first
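The following added example (my own code, not from the lecture) shows why a fixed salt list is weak and what per-user random salts buy you. The same constructed users are stored twice, once with salts from a tiny fixed pool and once with a random 16-byte salt each; dictionary_cost() then counts how many hash evaluations a word list needs to be checked against every user. Plain SHA-256 is used only to keep the example fast.

```python
import hashlib
import os

# Added example: one hash per (salt, word) covers every user sharing that
# salt, so a small fixed salt pool makes the attacker's cost independent of
# the number of users; per-user random salts make it grow with the user count.
# A real store should use a slow KDF (PBKDF2, bcrypt, scrypt, Argon2).

def h(salt: bytes, pw: str) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()

FIXED_SALTS = [b"\x01", b"\x02"]                            # constructed pool
USERS = {"alice": "pizzapizza", "bob": "letmein",           # constructed
         "carol": "destiny21", "dave": "Xq7#vL2pR9"}
WORDS = ["123456", "password", "letmein", "pizzapizza"]     # constructed list

def build_store(fixed_salts: bool) -> dict:
    """Map user -> (salt, digest), using the fixed pool or a fresh random salt."""
    store = {}
    for i, (user, pw) in enumerate(USERS.items()):
        salt = FIXED_SALTS[i % len(FIXED_SALTS)] if fixed_salts else os.urandom(16)
        store[user] = (salt, h(salt, pw))
    return store

def dictionary_cost(store: dict, words=WORDS):
    """Return (hash evaluations, set of users whose password was in words)."""
    by_salt = {}                              # salt -> {digest: user}
    for user, (salt, digest) in store.items():
        by_salt.setdefault(salt, {})[digest] = user
    evaluations, found = 0, set()
    for salt, digests in by_salt.items():     # one pass per distinct salt
        for w in words:
            evaluations += 1
            user = digests.get(h(salt, w))
            if user is not None:
                found.add(user)
    return evaluations, found

if __name__ == "__main__":
    print(dictionary_cost(build_store(True)))    # (8, {'alice', 'bob'})
    print(dictionary_cost(build_store(False)))   # (16, {'alice', 'bob'})
```

With N users and a pool of s fixed salts the cost is s × |words| instead of N × |words|, which is exactly the multiplication by known salts the slide describes.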

HOW NOT TO GET HACKED IN STAGE 1.5
• You really need a password that is 10 characters or longer
• Or you need a password that is a mix of upper/lower/special characters
  • AND not crackable by wordlist/rules

STAGE 2
• 5 hours to get 2700 passwords
• Stage 2.1: Dictionary + brute force
  • All words + all 2-char digit/symbols – 600 passwords in 11 minutes
  • All words + all 3-char digit/symbols – 500 passwords in 1 hour
  • All words + all 4-digit numbers – 400 passwords in 25 minutes
  • All words + all 3-char lowercase/digit – 450 passwords in ? minutes
  • Could have been more thorough with more hardware
• Other details not provided, but said to be similar. 13,000 passwords in 5.5 hours

HOW NOT TO GET HACKED AT STAGE 2
• Don’t append extra characters to words.
• It just doesn’t add enough entropy
• And really, passwords need to be at least 10 characters long.

STAGE 3: “GOD” LEVEL
• Crackers notice that passwords at the same site are self-similar
• Analyze the cracked passwords and develop models for prediction
• Hashcat
  • Looks at the list of passwords that have already been cracked
  • Performs probabilistically ordered, per-position brute-force attacks
  • Uses Markov chains
  • Example: a length of 7, threshold of 65 tries all possible 7-char passwords with the 65 most likely characters for each position
• 1700 passwords in 12 hours
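As an added example (my own code, not the lecture's and not hashcat's), here is a simplified version of the Stage 3 idea from the defender's side: a per-position character ranking is built from a constructed list of already-cracked passwords, and for a length L and threshold T the function audit() reports how many observed passwords of length L fall inside the T**L search space and how many bits that space is versus full brute force. It is zeroth-order (no transition probabilities), so it is weaker than hashcat's actual Markov mode.

```python
from collections import Counter
from math import log2
import string

# Added example: per-position "most likely characters" model over a constructed
# cracked list. Real hashcat Markov mode also uses transitions between adjacent
# characters; this toy ranks each position independently.

CRACKED = ["password", "letmein1", "destiny21", "pizzapizza", "Password1",
           "sunshine", "iloveyou", "baseball", "trustno1", "princess"]  # constructed
ALPHABET = string.ascii_letters + string.digits + string.punctuation     # 94 chars

def position_rankings(cracked: list, length: int) -> list:
    """Per position, characters ordered most- to least-frequent among cracked
    passwords of exactly `length`; characters never seen are appended last."""
    ranked = []
    for pos in range(length):
        counts = Counter(p[pos] for p in cracked if len(p) == length)
        seen = [c for c, _ in counts.most_common()]   # ties keep first-seen order
        ranked.append(seen + [c for c in ALPHABET if c not in counts])
    return ranked

def covered(password: str, ranked: list, threshold: int) -> bool:
    """True if every character sits in the top-`threshold` set for its position."""
    return len(password) == len(ranked) and all(
        ch in ranked[i][:threshold] for i, ch in enumerate(password))

def audit(cracked: list, length: int, threshold: int):
    """Return (passwords covered, passwords of that length, bits searched, bits full)."""
    ranked = position_rankings(cracked, length)
    same_len = [p for p in cracked if len(p) == length]
    hits = sum(covered(p, ranked, threshold) for p in same_len)
    return hits, len(same_len), length * log2(threshold), length * log2(len(ALPHABET))

if __name__ == "__main__":
    ranked = position_rankings(CRACKED, 8)
    print(covered("password", ranked, 3), covered("password", ranked, 2))  # True False
    print(audit(CRACKED, 8, 65))   # threshold 65 searches 8*log2(65) ~ 48.2 bits
```

A high covered count at a small threshold means users' passwords are concentrated in a tiny corner of the keyspace, which is the self-similarity the slide warns about.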

HOW NOT TO GET HACKED AT STAGE 3
• Don’t pick words with meaning. Think randomly
• Don’t be influenced by what’s going on around you.
  • For example, don’t use words/quotes about money at banks
  • Don’t use inspirational thoughts about education for JHU

WHAT ABOUT THE FOUR RANDOM WORDS?
• “Combinator” attacks can defeat this scheme
• Mentioned in this article
• What the article didn’t say is that the combinator attack fails
  • With enough words: four is a good start, five or six for a more secure site
  • The words MUST BE INDEPENDENT FROM EACH OTHER.

LOOKING FOR A RESEARCH TOPIC?
• I’m interested in trying to study just how independent selected words are.
• If you pick four random words, were you subconsciously influenced by the first?
• Capstone project?