Transcript Slide 1

Lecture 8
Network Security
Introduction
Cryptography basics
Web Security and Vulnerabilities
Network Security Tools
What is Network Security?
Network security comprises the measures a company takes to protect its computer
system, and it is a prime concern for every company that uses computers.
Compromised network security means a hacker or competitor may gain access to
critical or sensitive data, possibly resulting in data loss, or even complete destruction of
the system.
Appropriate network security is achieved when a user has to go through several layers
of security before being able to access the desired network.
The more layers the system has, the more secure it is.
http://www.wisegeek.com/what-is-network-security.htm
Cryptography
Encryption, decryption
Keys, lengths, and hardness
Asymmetric key cryptography
Hash functions
Authentication
PKI and key management
Privacy
The Public Key Method
We generate a special pair of values (e,d). The plaintext message M is encrypted into
the ciphertext message C using modular exponentiation mod n:
C = M^e mod n
We decrypt C back into M by:
M = C^d mod n
Before we look at how e and d are generated it is important to understand what is
happening in these two expressions. First of all, modular exponentiation does not
involve raising a value to a power.
The possible values for C (and M) are between 0 and n-1. Converting the plaintext
message (a string of characters) into an integer is fairly straightforward. Once it is in
numeric form, modular exponentiation produces a value equal to the remainder after
dividing M^e by n.
Computing the Key Pair (e,d)
Let's look at how to compute the values of e and d. We start with a pair of values p and
q that must be relatively prime (i.e. they have no common factors). These would
normally be very large but for the purposes of this example we will choose,
p = 47
q = 71
Now we need to find a value e such that the greatest common divisor between e and the
product of (p-1) times (q-1) is 1, or
gcd(e,(p-1)(q-1)) = 1.
Please don't ask why....thanks. The product of p*q will be the modulus n.
n = p*q = 3337
and so (p-1)(q-1) = 3220. We will choose e to be 79: since 79 is prime and does not
divide 3220, the greatest common divisor between 79 and 3220 is 1.
Now we need a d to go with our e
79*d = 1 mod 3220
First use the regular Euclidean Algorithm to find gcd(79,3220). The answer must be
one - otherwise we can't be sure that a solution exists, so we proceed as follows:
3220 = 40*79 + 60
79 = 1*60 + 19
60 = 3*19 + 3
19 = 6*3 + 1
3 = 3*1 + 0
The last nonzero remainder is the gcd. Thus gcd(79,3220) = 1 (as expected). Now
write this gcd (one) as a linear combination of 79 and 3220 by working back up the
chain of equations that we just created, substituting each remainder in turn:
1 = 19 - 6*3
  = 19 - 6*(60 - 3*19) = 19*19 - 6*60
  = 19*(79 - 1*60) - 6*60 = 19*79 - 25*60
  = 19*79 - 25*(3220 - 40*79) = 1019*79 - 25*3220
Thus 1019*79 - 25*3220 = 1. Now do "mod 3220" on both sides to obtain:
1019*79 = 1 mod 3220
Thus d = 1019.
So the inverse of 79 mod 3220 is 1019. Another way of saying this is that 79*1019 will
be one more than a multiple of 3220.
Modular Exponentiation
procedure mod_exp (b: integer, n = (a_{k-1} a_{k-2} ... a_1 a_0)_2, m: positive integer)
  x := 1
  power := b mod m
  for i in 0..k-1 loop
    if a_i = 1 then x := (x*power) mod m
    power := (power*power) mod m
  end loop
  return x
Example:
Find 2^644 mod 645
644 (decimal) = 1010000100 (binary) = 512 + 128 + 4
2^644 mod 645 = (2^512 · 2^128 · 2^4) mod 645
              = ((2^512 mod 645) · (2^128 mod 645) · (2^4 mod 645)) mod 645
              = 1
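As an added example (not part of the lecture slides), here are the two procedures the slides carry out by hand, written in Python: the extended Euclidean algorithm that produces d from e and (p-1)(q-1), and the square-and-multiply modular exponentiation that follows the mod_exp pseudocode bit by bit. The numbers used (e = 79, modulus 3220, 2^644 mod 645) are the slides' own; the function names are my own.

```python
# Added example, not code from the lecture slides.
#   - extended_gcd / mod_inverse: the "work back up the chain" step, used to
#     find d with e*d = 1 (mod (p-1)(q-1))
#   - mod_exp: the slide's square-and-multiply procedure, scanning the bits
#     of the exponent from a_0 upwards so the full b**n is never formed


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.

    Iterative form of the back-substitution on the slide: the coefficients
    are updated alongside each division of the ordinary Euclidean algorithm
    instead of being substituted back afterwards.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(e, m):
    """Return d in [1, m) with e*d = 1 (mod m); raise if gcd(e, m) != 1."""
    g, x, _ = extended_gcd(e, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {m}: gcd is {g}")
    return x % m   # extended_gcd may return a negative x; normalise it


def mod_exp(b, n, m):
    """Compute b**n mod m exactly as the slide's procedure does.

    x accumulates the product of the powers b^(2^i) mod m for every bit a_i
    of n that is set; 'power' is squared once per iteration.
    """
    x = 1
    power = b % m
    while n > 0:
        if n & 1:                  # a_i = 1
            x = (x * power) % m
        power = (power * power) % m
        n >>= 1                    # move on to a_{i+1}
    return x


if __name__ == "__main__":
    g, x, y = extended_gcd(79, 3220)
    print(f"gcd(79, 3220) = {g}, with {x}*79 + ({y})*3220 = {g}")
    d = mod_inverse(79, 3220)
    print(f"d = {d}, check 79*d mod 3220 = {79 * d % 3220}")
    print(f"2^644 mod 645 = {mod_exp(2, 644, 645)}")
```

Running it reproduces the slide's coefficients (1019 and -25) and confirms 2^644 mod 645 = 1. The intermediate values never exceed m^2, which is the whole point of reducing after every multiplication.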
The Euclidean Totient
If p and q are prime and n = pq, the number of values x in 0 < x < n for which
gcd(x,n)=1 is given by φ(n) = (p-1)(q-1):
φ(n) = φ(pq) = φ(p)φ(q) = (p − 1)(q − 1)
Let's try a really simple example...
p=3
q=5
n=15
so (p-1)(q-1)=(2)(4)=8.
gcd(1,15)= 1
gcd(2,15)= 1
gcd(3,15)= 3
gcd(4,15)= 1
gcd(5,15)= 5
gcd(6,15)= 3
gcd(7,15)= 1
gcd(8,15)= 1
gcd(9,15)= 3
gcd(10,15)= 5
gcd(11,15)= 1
gcd(12,15)= 3
gcd(13,15)= 1
gcd(14,15)= 1
Eight of the fourteen values (1, 2, 4, 7, 8, 11, 13, 14) have gcd 1, matching φ(15) = 8.
Public Key Cryptography
In 1976, Rivest, Shamir and Adleman introduced a public key cryptosystem, known as the
RSA system.
C = M^e mod n
Example: Encrypt the message STOP with p = 43 and q = 59, so that n = 43·59 = 2537 and
e = 13.
gcd(e,(p-1)(q-1)) = gcd(13, 42·58) = 1.
S  T  O  P
18 19 14 15
M1 = 1819, M2 = 1415
C = M^13 mod 2537
C1 = 1819^13 mod 2537 = 2081
C2 = 1415^13 mod 2537 = 2182
To decrypt we need d, which is an inverse of e mod (p-1)(q-1):
M = C^d mod 2537
M1 = 2081^d mod 2537 = 1819
M2 = 2182^d mod 2537 = 1415
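As an added example (not part of the lecture slides), the STOP walk-through above carried out end to end in Python, together with a brute-force check of the totient count from the earlier φ(15) slide. The letter encoding (S=18, T=19, O=14, P=15, two letters per block) is the one the slide uses, which implies A=00 ... Z=25; the padding letter for odd-length messages and the function names are my own assumptions. Modular inverses and powers use Python's built-in pow().

```python
# Added example, not code from the lecture slides.
from math import gcd


def totient_by_counting(n):
    """Count x in 0 < x < n with gcd(x, n) = 1 (the slide's table, automated)."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def rsa_keypair(p, q, e):
    """Return (n, e, d) for primes p, q and a chosen public exponent e."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return p * q, e, d


def text_to_blocks(text):
    """STOP -> [1819, 1415]: two letters per block, each letter as two digits."""
    text = text.upper()
    if len(text) % 2:
        text += "X"            # padding for odd length: an assumption, not on the slide
    return [int(f"{ord(a) - 65:02d}{ord(b) - 65:02d}")
            for a, b in zip(text[::2], text[1::2])]


def blocks_to_text(blocks):
    """Inverse of text_to_blocks: 1819 -> 'ST'."""
    return "".join(chr(65 + b // 100) + chr(65 + b % 100) for b in blocks)


def rsa_encrypt(blocks, n, e):
    """C = M^e mod n for every block; each block must be < n."""
    return [pow(m, e, n) for m in blocks]


def rsa_decrypt(blocks, n, d):
    """M = C^d mod n for every block."""
    return [pow(c, d, n) for c in blocks]


if __name__ == "__main__":
    print("phi(15) by counting:", totient_by_counting(15), "vs (3-1)(5-1) =", 2 * 4)
    n, e, d = rsa_keypair(43, 59, 13)
    m = text_to_blocks("STOP")
    c = rsa_encrypt(m, n, e)
    print(f"n={n} e={e} d={d}  M={m}  C={c}")
    print("decrypted:", blocks_to_text(rsa_decrypt(c, n, d)))
```

With the slide's parameters the script prints d = 937 (the slide leaves d unstated) and the ciphertext blocks 2081 and 2182; decrypting with d returns STOP.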
SAFER+ Algorithm Details
Pseudo-Hadamard Transform
Armenian Shuffle
9 12 13 16 3 2 7 6 11 10 15 14 1 8 5 4
Diffie-Hellman
Diffie-Hellman is an algorithmic method for key agreement that allows two hosts to
create and share a secret key. VPNs operating on the IPSec standard use the
Diffie-Hellman method for key management.
Key management in IPSec begins with the overall framework called the Internet
Security Association and Key Management Protocol (ISAKMP). Within that framework
is the Internet Key Exchange (IKE) protocol.
IKE relies on yet another protocol known as OAKLEY and it uses Diffie-Hellman.
Diffie-Hellman Key Exchange
http://philipfox.net/dh/dh.html
http://www.sans.org/reading_room/whitepapers/vpns/review-diffie-hellman-algorithm-secure-internet-protocols_751
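As an added example (not part of the lecture slides), the Diffie-Hellman exchange with both hosts' messages written out. The group parameters p = 23, g = 5 and the private exponents 6 and 15 are small textbook values I chose so the arithmetic can be followed by hand; real deployments use large safe primes and private exponents drawn from a CSPRNG. The function names are my own.

```python
# Added example, not code from the lecture slides.


def dh_public(g, p, private):
    """What a host sends on the wire: g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public, private, p):
    """What each host computes locally: peer_public^private mod p."""
    return pow(peer_public, private, p)


def dh_exchange(p, g, a, b):
    """Run one exchange. Returns what Alice derives, what Bob derives, and the
    transcript an eavesdropper sees (everything except the private a and b)."""
    A = dh_public(g, p, a)            # message 1: Alice -> Bob
    B = dh_public(g, p, b)            # message 2: Bob -> Alice
    k_alice = dh_shared(B, a, p)      # B^a = g^(ab)
    k_bob = dh_shared(A, b, p)        # A^b = g^(ab)
    transcript = {"p": p, "g": g, "A": A, "B": B}
    return k_alice, k_bob, transcript


def is_generator(g, p):
    """Check that g generates the whole multiplicative group mod the prime p
    (brute force, so only for small p). A generator keeps the shared secret
    out of a small subgroup."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


if __name__ == "__main__":
    # constructed private exponents; in practice use secrets.randbelow(p - 1)
    k_a, k_b, seen = dh_exchange(23, 5, a=6, b=15)
    print("on the wire:", seen)
    print("Alice's key:", k_a, " Bob's key:", k_b, " agree:", k_a == k_b)
    print("5 generates Z_23*:", is_generator(5, 23))
```

The transcript dictionary is exactly what a passive observer gets: recovering the shared key from it requires solving the discrete logarithm for a or b, which is what the security of the method rests on.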
Kerberos
Created by MIT as a solution to network security problems. The Kerberos protocol uses
strong cryptography so that a client can prove its identity to a server (and vice versa)
across an insecure network connection. After client and server have used Kerberos to
prove their identity, they can encrypt all of their communications to assure privacy.
When users log in to a Kerberos system, their password is encrypted and sent to the
authentication service in the Key Distribution Center (KDC). If successfully authenticated,
the KDC creates a master ticket that is sent back to the user's machine. Each time the user
wants access to a service, the master ticket is presented to the KDC in order to obtain a
service ticket for that service. The master-service ticket method keeps the password more
secure by sending it only once at logon. From then on, service tickets are used, which
function like session keys. After users are authenticated, they are granted a master ticket
that is used to obtain service tickets. Service tickets act like session keys in other security
systems.
http://www.answers.com/topic/kerberos-protocol-1
Network & IT
Security Threats
and
Countermeasures
BD_ADDR Attacks
Bluetooth Vulnerability
The BD_ADDR spoofing attack allows an attacker to masquerade as some
trusted/paired device and use its credentials to gain access to profiles requiring
authorization/authentication in another remote device.
The BD_ADDR spoofing attack can be
performed in two ways:
(1) Spoofing the BD_ADDR of a trusted
device to access profiles requiring
authorization.
(2) Spoofing the BD_ADDR and obtaining
the shared secret link key created during
the pairing procedure to access profiles
requiring authentication.
http://www.seguridadmobile.com/bluetooth/bluetooth-security/BD_ADDR-spoofing.html
Bluetooth Device Address (BD_ADDR)
Each Bluetooth device is allocated a unique 48-bit Bluetooth device address
(BD_ADDR). This number is obtained by contacting the IEEE to get an OUI that forms
24 bits of the 48-bit address. You can apply for a further OUI when more BD_ADDR
values are required.
4.2.1 Authentication
The authentication procedure is based on a challenge-response scheme […]. The
verifier sends […] a random number (the challenge) to the claimant. The claimant
calculates a response that is a function of this challenge, the claimant's BD_ADDR
and a secret key. The response is sent back to the verifier, which checks whether the
response was correct or not. […] A successful calculation of the authentication
response requires that the two devices share a secret key.
www.bluetooth.org
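As an added example (not part of the lecture slides or the Bluetooth specification), the challenge-response pattern from the 4.2.1 excerpt with both roles written out. The real Bluetooth function E1 (SAFER+ based) is replaced by HMAC-SHA256 over (challenge, BD_ADDR), which is an assumption for illustration, not the Bluetooth algorithm; the link key, the address and the class names are constructed. The verifier consumes each challenge after one use, so a response captured from a genuine round is useless against a fresh challenge.

```python
# Added example, not code from the lecture slides.
import hmac
import hashlib
import secrets


def compute_response(link_key: bytes, challenge: bytes, bd_addr: bytes) -> bytes:
    """Claimant side: SRES = f(challenge, BD_ADDR, secret key).
    HMAC-SHA256 stands in for Bluetooth's E1 (assumption). Binding the address
    into the MAC means a response for one device address is not valid for another."""
    return hmac.new(link_key, challenge + bd_addr, hashlib.sha256).digest()[:4]


class Verifier:
    """Issues fresh challenges and checks responses. Each challenge is
    single-use, so a recorded response cannot be replayed."""

    def __init__(self, link_key: bytes, claimant_addr: bytes, rng=secrets.token_bytes):
        self._key = link_key
        self._addr = claimant_addr
        self._rng = rng                 # injectable so tests can be deterministic
        self._outstanding = set()

    def challenge(self) -> bytes:
        au_rand = self._rng(16)
        self._outstanding.add(au_rand)
        return au_rand

    def verify(self, au_rand: bytes, sres: bytes) -> bool:
        if au_rand not in self._outstanding:
            return False                        # unknown or already-used challenge
        self._outstanding.discard(au_rand)      # consume it: no replay
        expected = compute_response(self._key, au_rand, self._addr)
        return hmac.compare_digest(expected, sres)   # constant-time comparison


def run_authentication(link_key, bd_addr, verifier):
    """One legitimate round: verifier -> AU_RAND, claimant -> SRES."""
    au_rand = verifier.challenge()
    sres = compute_response(link_key, au_rand, bd_addr)
    return verifier.verify(au_rand, sres)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed link key
    addr = bytes.fromhex("001122aabbcc")                         # constructed BD_ADDR
    v = Verifier(key, addr)
    print("genuine round:", run_authentication(key, addr, v))
    # Presenting the right address but without the link key fails:
    c = v.challenge()
    print("wrong key:", v.verify(c, compute_response(b"\x00" * 16, c, addr)))
```

The design point the slides make is visible in the checks: the response proves possession of the shared key, so an address alone (which is sent in the clear) is never sufficient, and the challenge must be fresh each time.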
The BD_ADDR Attack
Assume that the attacker eavesdropped on an entire pairing and
authentication process, and saved all the messages
The attacker can now use a brute force algorithm to find the PIN
used.
The attacker enumerates all possible values of the PIN. Knowing
IN_RAND and the BD_ADDR, the attacker runs E22 with those
inputs and the guessed PIN, and finds a hypothesis for K_init.
The attacker can now use this hypothesis of the initialization key to
decode messages 2 and 3. Messages 2 and 3 contain enough
information to perform the calculation of the link key K_ab, giving the
attacker a hypothesis of K_ab.
The attacker now uses the data in the last 4 messages to test the
hypothesis: using K_ab and the transmitted AU_RAND_A (message 4),
the attacker calculates SRES and compares it to the data of
message 5.
If necessary, the attacker can use the values of messages 6 and 7 to
re-verify the hypothesis K_ab until the correct PIN is found.
Sending AT commands to mobile phones
The execution of AT commands is one of the main goals in hypothetical attacks on
mobile phones. AT commands are a set of instructions that allow remote configuration
and operation of a GSM device such as a mobile phone, in effect a "remote shell". However,
not all AT commands are implemented by every manufacturer in every device:
• Basic operations: voice and data calls, set call divert, manufacturer
info, model info, IMEI, battery status, signal status.
• Address book operations: read, add and delete contacts from the
address book and also get the last dialed/missed/received calls list.
• SMS operations: list, read, write, send and delete SMS messages.
http://www.brics.dk/~jones/sms/packed/dg_at_r3a.pdf
Sending / Getting files from mobile phones
The capability of sending files, and even getting files, is another important goal when it
comes to attacking mobile phones. Bluetooth supports file exchange through the OBEX
protocol. Two profiles can be used for this, among all those defined by the Bluetooth SIG:
Object Push Profile: requires Authorization.
This profile allows you to send files.
You can use the ussp-push tool, available after installing the ussp-push package in Ubuntu.
Alternatively, you can use obexftp, available after installing the obexftp package in Ubuntu.
It's important to force it to use the channel associated with the Object Push Profile.
File Transfer Profile: requires Authentication and Authorization.
Allows you to send files, get files and list directories.
You can use obexftp to send files. If no channel is specified, it will use the one
associated with the File Transfer Profile by default.
Finally, you can get files from the phone to the PC.
Dictionary (Brute-Force) Password Attacks
A method of accessing an obstructed device through attempting multiple combinations of
numeric and/or alphanumeric passwords.
Cain and Abel - Password recovery tool for Windows. Recover passwords by sniffing the
network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis
attacks, recording VoIP conversations, decoding scrambled passwords, revealing
password boxes, uncovering cached passwords and analyzing routing protocols.
John the Ripper - A multi-platform password hash cracker currently available for many
flavors of Unix (11 are officially supported, not counting different architectures), DOS,
Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It
supports several crypt(3) password hash types which are most commonly found on
various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes.
Several other hash types are added with contributed patches.
THC Hydra - A network authentication cracker which supports different services. It can
perform rapid dictionary attacks against telnet, ftp, http, https, smb, and several
databases.
Aircrack - A suite of tools for cracking 802.11a/b/g WEP and WPA. It can recover a
40 through 512-bit WEP key once enough encrypted packets have been gathered, as well
as attack WPA 1 or 2 networks using cryptographic methods or by brute force.
http://sectools.org/crackers.html
L0phtcrack - A Windows password auditing and recovery application that attempts to crack
Windows passwords from hashes which it can obtain (given proper access) from standalone
Windows workstations, networked servers, primary domain controllers, or Active
Directory. In some cases it can sniff the hashes off the wire. It includes methods for
generating password guesses (dictionary, brute force, etc.).
Airsnort - 802.11 WEP Encryption Cracking Tool, a wireless LAN (WLAN) tool that
recovers encryption keys. It was developed by the Shmoo Group and operates by
passively monitoring transmissions, computing the encryption key when enough packets
have been gathered. Similar to Aircrack.
SolarWinds - A suite of network discovery/monitoring/attack tools targeted at systems
administrators. Security-related tools include network discovery scanners, an SNMP
brute-force cracker, router password decryption, a TCP connection reset program, and a
set of router config download/upload applications.
Pwdump - A Windows password recovery tool to extract NTLM and LanMan hashes from
a Windows target, whether or not Syskey is enabled. It can display password histories if
they are available, and output or write to a log file the data in L0phtcrack-compatible form.
RainbowCrack - A hash cracker that makes use of a time-memory trade-off to do all the
cracking-time computation in advance and store the results in "rainbow tables".
RainbowCrack can be hundreds of times faster than a brute force cracker once the
precomputation is finished.
Brutus - A Windows-only network brute-force authentication cracker. Attacks network
services of remote systems trying to guess passwords by using a dictionary with
permutations. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, etc.
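As an added example (not part of the lecture slides), the detection side of the dictionary and brute-force attacks catalogued above: a small detector run over a few constructed sshd-style log lines. It flags any source address that accumulates more than a threshold of failed logins inside a sliding time window, the pattern a network authentication cracker such as Hydra leaves behind. The log format, the thresholds and the function name are my assumptions.

```python
# Added example, not code from the lecture slides.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: one noisy source cycling through usernames, and one
# legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2024-01-05T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2024-01-05T10:00:02 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2024-01-05T10:00:02 sshd[102]: Failed password for root from 203.0.113.7 port 40003 ssh2
2024-01-05T10:00:03 sshd[103]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-01-05T10:00:04 sshd[104]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
2024-01-05T10:00:05 sshd[105]: Failed password for alice from 198.51.100.9 port 50001 ssh2
2024-01-05T10:00:09 sshd[106]: Accepted password for alice from 198.51.100.9 port 50002 ssh2
2024-01-05T10:00:20 sshd[107]: Failed password for invalid user oracle from 203.0.113.7 port 40006 ssh2
"""


def detect_bruteforce(log_text, max_failures=4, window_seconds=60):
    """Return {src: (failure_count, distinct_users)} for every source that
    exceeds max_failures failed logins within window_seconds. A deque per
    source holds recent timestamps so old failures age out instead of
    counting forever; the distinct-user count separates password spraying
    from a single forgotten password."""
    recent = defaultdict(deque)
    users = defaultdict(set)
    alerts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a failed login; ignore
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        q.append(ts)
        users[src].add(m["user"])
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                    # slide the window forward
        if len(q) > max_failures:
            alerts[src] = (len(q), len(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (n, k) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} failures across {k} usernames within window")
```

Only 203.0.113.7 trips the detector (six failures over four usernames inside the window); the single failure from 198.51.100.9 does not. Shrinking the window to one second shows the ageing-out behaviour: no source ever holds more than four failures at once, so nothing is reported.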
Buffer Overflow Attack
Also known as a stack overflow attack, it works by exploiting a known bug in one of the
applications running on a server. It causes the application to overlay system areas,
such as the system stack, thus gaining administrative rights.
#include <string.h>

/* Deliberately vulnerable, as on the slide: strcpy copies until the NUL
   terminator with no regard for the 16-byte destination, so a longer str
   overwrites whatever follows buffer on the stack. */
void function (char *str)
{
char buffer[16];
strcpy (buffer, str);
}

int main ()
{
/* a string far longer than 16 bytes; the slide elides its exact content */
char *str = "XXXXXXXXX..."
            "...XXXXX...."
            "...XXXXXXXX";
function (str);
return 0;
}
http://www.thehackerslibrary.com/?p=488
Cache Cramming
The technique of tricking a browser to run cached Java code from the local disk, instead
of the internet zone, so it runs with less restrictive permissions.
The Java Security Manager usually disallows port-scanning behavior, but crackers
use the trick of placing Java code (e.g. a port scanner) into the browser's cache
(only works with MS Explorer) and later executing it through a file: URL (using
frames in the usual way). This attack works because Microsoft's cache layout is
transparent.
http://www.securingjava.com/chapter-five/chapter-five-13.html
Cache Poisoning
Malicious or misleading data from a remote name server is saved [cached] by another
name server. Typically used with DNS cache poisoning attacks.
see also DNS Bug, DNS Spoofing
http://courses.csail.mit.edu/6.857/2010/
Denial of service attack
A user or program takes up all the system resources by launching a multitude of
requests, leaving no resources and thereby "denying" service to other users. Typically,
denial-of-service attacks are aimed at bandwidth control. (see Flooding Attack)
Detecting DDoS attacks
Simply blocking the attacker does not work because there are too many zombies, and to
recognize them you usually have to receive and decrypt the incoming packets.
Tupakula and Varadharajan suggest a Packet Marking Technique that reduces the number of
packets needed to tag, identify and block suspicious requests to as few as a single packet.
http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group2/index.html
Easter Egg
Hidden functionality within an application program, which becomes activated when an
undocumented, and often convoluted, set of commands and keystrokes are entered.
Easter eggs are typically used to display the credits for the development team and are
intended to be non-threatening.
Hidden inside Google Earth is a secret
flight simulator game that uses Google's
satellite imagery.
To get to the game, you need to open Google Earth and hit Cmd+Option+A (capital A),
or Ctrl+Alt+A if you're using a Windows machine.
http://www.pocket-lint.com/news/9889/google-earth-flight-sim-game
Emanations Analysis
Gaining direct knowledge of communicated data by monitoring and resolving a signal
that is emitted by a system and that contains the data but is not intended to
communicate the data.
https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr200810sf2.html
TEMPEST
Eavesdropping on PC displays.
Information on a PC screen can be remotely reconstructed exactly as it appeared on the
display by monitoring and appropriately demodulating the weak emanations generated by
the PC and its peripheral equipment.
Such an eavesdropping technique had been researched by some military organizations
since around 1960, but most of the results were classified and not disclosed to the public.
It came to public attention in 1985 when Wim van Eck pointed out that information on a
cathode ray tube display can easily be reconstructed.
Since his work, research on information leakage of this kind has been conducted by many
organizations.
The National Security Agency (NSA) in the USA refers to this type of threat by the
covername TEMPEST, and this term is now in general use.
Fragment Overlap Attack
A TCP/IP attack that is possible because IP allows packets to be broken down into
fragments for more efficient transport across various media. The TCP packet (and its
header) are carried in the IP packet. In this attack the second fragment contains an
incorrect offset. When the packet is reconstructed, the port number will be overwritten.
An attacker can construct a packet with
acceptable headers in the first fragment
but then overlap the next fragment so that
it also has headers in it.
Since packet filters don't expect TCP
headers in non-first fragments, they won't
filter on them, and the headers don't need
to be acceptable.
The figure on the right shows examples of
overlapped fragments.
http://baishui.info/orelly/networking_2ndEd/fire/ch04_02.htm
Honey pot
Programs that simulate one or more network services that you designate on your
computer's ports. An attacker assumes you're running vulnerable services that can be used
to break into the machine. A honey pot can be used to log access attempts to those ports
including the attacker's keystrokes. This could give you advanced warning of a more
concerted attack.
A Honeypot allows you to capture and analyze
suspect activities. For example, assume you
have an ADSL connection, with only one public
IP address. The ISP modem is configured to
perform a network address translation (NAT) on
all incoming packets (destination: public IP
address) to the private honeypot address.
The Honeywall is connected to the Vmnet0
interface which is bridged to the eth0 device. It is
also connected to the Vmnet1 interface like the
honeypot. This configuration allows us to have
an independent network between the two virtual
OSes. Vmnet2 is a host-only interface used for
the Honeywall administration.
Note that the Wifi connection is outside the
Honeywall.
http://stankiewicz.free.fr/Wikka/wikka.php?wakka=HowtoHoneypot
Protocol Attacks
When the characteristics of network services are exploited by the attacker. Examples include
the creation of infinite protocol loops which result in denial of service (e.g., echo packets
under IP), the use of information packets under the Network News Transfer Protocol to map
out a remote site, and use of the Source Quench protocol element to reduce traffic rates
through select network paths. (a type of DoS Attack)
IRPAS (Internet Routing Protocol Attack Suite)
itrace - traceroute(1) by ICMP echo request
tctrace - traceroute(1) by TCP SYN packets
netenum - enumeration/ping-sweep tool
netmask - ICMP netmask request
protos - IP protocol scanner
hsrp - HSRP takeover tool
cdp - for sending CDP (Cisco router Discovery Protocol) messages to the wire.
igrp - for sending Interior Gateway Routing Protocol messages.
irdp - for sending ICMP router discovery protocol messages.
irdpresponder - waits for IRDP requests and sends out response packets to fool clients.
ass - Autonomous System Scanner, a TCP port scanner that knows more than one protocol.
file2cable - sends out raw ethernet frames from files.
http://www.ferzip.com/?p=286
http://www.phenoelit-us.org/irpas/
Tiny Fragment Attack
With many IP implementations it is possible to impose an unusually small fragment size on
outgoing packets. If the fragment size is made small enough to force some of a TCP
packet's TCP header fields into the second fragment, filter rules that specify patterns for
those fields will not match. If the filtering implementation does not enforce a minimum
fragment size, a disallowed packet might be passed because it didn't hit a match in the
filter.
This attack can be used to circumvent user-defined filtering rules. The attacker hopes that
a filtering router will examine only the first fragment and allow all other fragments to pass.
This attack can be prevented at the router by enforcing rules that govern the minimum
size of the first fragment. This first fragment should be made large enough to ensure it
contains all the necessary header information.
http://www.ouah.org/fragma.html
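As an added example (not part of the lecture slides), a fragment filter that applies the countermeasures the slides describe for both the fragment overlap attack and the tiny fragment attack: the first fragment must be large enough to carry the whole transport header, and no later fragment may reach back into that header region or overlap a fragment already seen. Fragments are modelled only by their offset (in 8-byte units, as in the IP header), payload length and MF flag; the 20-byte minimum, the rejection of offset 1 (the RFC 1858 check) and all the class and function names are my assumptions. The sample datagrams are constructed.

```python
# Added example, not code from the lecture slides.
from dataclasses import dataclass

TCP_HEADER_MIN = 20      # bytes of TCP header a filter must see to read ports/flags


@dataclass(frozen=True)
class Fragment:
    offset: int          # IP fragment offset field, in 8-byte units
    length: int          # transport-layer bytes carried in this fragment
    more: bool           # MF flag

    @property
    def start(self):
        return self.offset * 8

    @property
    def end(self):
        return self.start + self.length


def filter_fragments(fragments):
    """Return (accepted, reasons). The whole datagram is rejected if any rule
    fails: passing the remaining fragments would still let the reassembled
    packet through the filter."""
    reasons = []
    first = [f for f in fragments if f.offset == 0]
    if not first:
        reasons.append("no first fragment seen")
    elif first[0].more and first[0].length < TCP_HEADER_MIN:
        # tiny fragment attack: header fields pushed into fragment 2
        reasons.append(f"tiny first fragment: {first[0].length} bytes < {TCP_HEADER_MIN}")
    seen = []
    for f in sorted(fragments, key=lambda x: x.start):
        if f.offset == 1:
            # RFC 1858 rule: offset 1 only makes sense to overwrite the header
            reasons.append("fragment offset 1 (can only exist to overwrite the header)")
        if f.offset > 0 and f.start < TCP_HEADER_MIN:
            # fragment overlap attack: a later fragment rewrites port/flag bytes
            reasons.append(f"fragment at offset {f.offset} overlaps the transport header")
        for g in seen:
            if f.start < g.end and g.start < f.end:
                reasons.append(f"fragment [{f.start},{f.end}) overlaps [{g.start},{g.end})")
        seen.append(f)
    return (not reasons), reasons


# Constructed datagrams: a normal split, a tiny-fragment attempt, and an overlap.
NORMAL = [Fragment(0, 1480, True), Fragment(185, 520, False)]
TINY = [Fragment(0, 8, True), Fragment(1, 12, True), Fragment(3, 500, False)]
OVERLAP = [Fragment(0, 24, True), Fragment(2, 600, False), Fragment(3, 8, False)]

if __name__ == "__main__":
    for name, d in (("normal", NORMAL), ("tiny", TINY), ("overlap", OVERLAP)):
        ok, why = filter_fragments(d)
        print(name, "->", "accept" if ok else "reject", why)
```

A normal 2000-byte datagram split at 1480 bytes passes; the tiny-fragment datagram is rejected because its 8-byte first fragment cannot contain the ports, and the overlap datagram is rejected because its second fragment starts at byte 16, inside the header the first fragment already delivered.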
Web Bug
Tiny images, invisible to a user, placed on web sites in such a way that they allow third
parties to track use of web servers and collect information about the user, including IP
address, Host name, browser type and version, operating system name and version, and
web browser cookie.
Example: two Web Bugs found on Quicken's home page www.quicken.com
<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">
What Information is returned by a Web Bug ?
The IP address of the computer that fetched the Web Bug
The URL of the page that the Web Bug is located on
The URL of the Web Bug image
The time the Web Bug was viewed
The type of browser that fetched the Web Bug image
A previously set cookie value
http://w2.eff.org/Privacy/Marketing/web_bug.html
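As an added example (not part of the lecture slides), a scanner that finds web bugs in an HTML page using the criteria the slides give: a tiny (1x1) image whose src points at a host other than the page's own. The two <img> tags in the sample are the ones quoted on the slide for www.quicken.com; the rest of the sample page, the same-origin spacer image that should not be flagged, and the function names are my own. Only the Python standard library is used.

```python
# Added example, not code from the lecture slides.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed page wrapped around the two tags quoted on the slide.
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.gif" width=120 height=40>
<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">
<img src="http://www.quicken.com/spacer.gif" width=1 height=1>
</body></html>"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img>. HTMLParser lower-cases tag and
    attribute names, so the upper-case IMG/SRC form on the slide is handled."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _is_tiny(value):
    """True for width/height attributes of 1 (or 0) pixels."""
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def find_web_bugs(html, page_host):
    """Return one dict per suspected web bug: the third-party host, the image
    URL, and the query parameters it carries back (e.g. a tracking id)."""
    p = ImgCollector()
    p.feed(html)
    bugs = []
    for img in p.images:
        src = img.get("src")
        if not src or not (_is_tiny(img.get("width")) and _is_tiny(img.get("height"))):
            continue                       # visible image: not a bug by the slide's definition
        host = urlsplit(src).hostname
        if host is None or host == page_host:
            continue                       # same-origin spacer image, not a third party
        query = parse_qs(urlsplit(src).query)
        bugs.append({"host": host, "src": src,
                     "params": {k: v[0] for k, v in query.items()}})
    return bugs


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_PAGE, "www.quicken.com"):
        print(bug["host"], "->", bug["params"] or "(no parameters)")
```

On the sample page the scanner reports the two third-party pixels and, for the second one, the parameters (db_afcr, event, group, time) that are sent to the tracking host along with the information listed in the slide; the same-origin 1x1 spacer is left alone.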
Terminology & Information Sources
http://www.ssimail.com/Glossary.htm
http://www.sans.org/security-resources/glossary.php
http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf
http://csrc.nist.gov/publications/
http://www.itl.nist.gov/fipspubs/
http://www.itl.nist.gov/fipspubs/by-num.htm
http://www.symantec.com/business/security_response/threatexplorer/
http://glossary.spamlaws.com/