Attacks - School of Computing and Engineering


Security Attacks
cs490ns - cotter
1
Objectives
• Identify attacker profiles
• Describe basic attacks
• Describe identity attacks
• Identify denial of service attacks
• Define malicious code (malware)
Attacker Profiles
Attacker         Skill Level   Motivation
Hacker           High          Improve Security
Cracker          High          Harm Systems
Script Kiddie    Low           Gain Recognition
Spy              High          Earn Money
Employee         Varies        Varies
Cyberterrorist   High          Support Ideology
Understanding Basic Attacks
• Today, the global computing infrastructure is the most likely target of attacks
• Basic Attacks
– Physical Attacks
– Social Engineering
– Password Attacks
– Weak Cryptographic Keys
– Mathematical Attacks
– Birthday Attacks
Environmental Attacks
• Electricity. Computing equipment requires electricity to
function; hence, it is vital that such equipment has a
steady uninterrupted power supply.
• Temperature. Computer chips have a natural operating
temperature and exceeding that temperature significantly
can severely damage them.
• Limited conductance. Because computing equipment
is electronic, it relies on there being limited conductance
in its environment. If random parts of a computer are
connected electronically, then that equipment could be
damaged by a short circuit (e.g., in a flood).
Eavesdropping
• Eavesdropping is the process of secretly listening in on another
person’s conversation.
• Protection of sensitive information must go beyond computer security
and extend to the environment in which this information is entered
and read.
• Simple eavesdropping techniques include
– Using social engineering to allow the attacker to read information over the
victim’s shoulder
– Installing small cameras to capture the information as it is being read
– Using binoculars to view a victim’s monitor through an open window.
• These direct observation techniques are commonly referred to as
shoulder surfing.
Wiretapping
• Many communication networks employ the use of inexpensive coaxial
copper cables, where information is transmitted via electrical impulses that
travel through the cables.
• Relatively inexpensive means exist that measure these impulses and can
reconstruct the data being transferred through a tapped cable, allowing an
attacker to eavesdrop on network traffic.
• These wiretapping attacks are passive, in that there is no alteration of
the signal being transferred, making them extremely difficult to detect.
Signal Emanations
• Computer screens emit radio frequencies that
can be used to detect what is being displayed.
• Visible light reflections can also be used to
reconstruct a display from its reflection on a wall,
coffee mug, or eyeglasses.
• Both of these require the attacker to have a
receiver close enough to detect the signal.
Acoustic Emissions
• Dmitri Asonov and Rakesh Agrawal published a paper in
2004 detailing how an attacker could use an audio
recording of a user typing on a keyboard to reconstruct
what was typed.
– Each keystroke has minute differences in the sound it produces, and certain keys are known to be pressed more often than others.
– After training an advanced neural network to recognize individual keys, their software recognized an average 79% of all keystrokes.
[Figure: a sound recording device with a microphone positioned to capture keystroke sounds]
Hardware Keyloggers
• A keylogger is any means of recording a victim’s keystrokes, typically
used to eavesdrop passwords or other sensitive information.
• Hardware keyloggers are typically small connectors that are installed
between a keyboard and a computer.
• For example, a USB keylogger is a device containing male and female
USB connectors, which allow it to be placed between a USB port on a
computer and a USB cable coming from a keyboard.
TEMPEST
• TEMPEST is a U.S. government code word for a set of standards for
limiting information-carrying electromagnetic emanations from
computing equipment.
• TEMPEST establishes three zones or levels of protection:
1. An attacker has almost direct contact with the equipment, such as in an adjacent room or within a meter of the device in the same room.
2. An attacker can get no closer than 20 meters to the equipment or is blocked by a building to have an equivalent amount of attenuation.
3. An attacker can get no closer than 100 meters to the equipment or is blocked by a building to have an equivalent amount of attenuation.
Emanation Blockage
• To block visible light emanations, we can enclose
sensitive equipment in a windowless room.
• To block acoustic emanations, we can enclose sensitive
equipment in a room lined with sound-dampening
materials.
• To block electromagnetic emanations in the electrical
cords and cables, we can make sure every such cord
and cable is well grounded and insulated.
Faraday Cages
• To block electromagnetic emanations in the air, we can surround sensitive equipment with metallic conductive shielding or a mesh of such material, where the holes in the mesh are smaller than the wavelengths of the electromagnetic radiation we wish to block.
• Such an enclosure is known as a Faraday cage.
Social Engineering
• Not limited to telephone calls or dated credentials
• Dumpster diving: digging through trash receptacles to
find computer manuals, printouts, or password lists that
have been thrown away
• Phishing: sending people electronic requests for
information that appear to come from a valid source.
Now includes social networking sites (Facebook, Twitter,
etc.)
– Often generated by organized attackers. In 2009, one quarter of all phishing was believed to be done by “Avalanche”.
Social Engineering
• Unauthorized access to offices
– Proper preparation
– Fake credentials
– “Tailgating”
– Build relationships (cookies & chocolate)
– USB drops
– Reflections off of nearby objects
Social Engineering (soln.)
• Develop strong instructions or company
policies regarding:
– When passwords are given out
– Who can enter the premises
– What to do when asked questions by another
employee that may reveal protected information
• Educate all employees about the policies and
ensure that these policies are followed
How is a password stored?
[Figure: the user enters a password (e.g., Dog124); it is run through a hash function, and only the resulting hash is written to the password file, e.g. Butch:ASDSA21QW3R50EERWWER323 …]
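The storage scheme in the figure, as an added Python example that is not part of the lecture slides: the password file keeps a hash, never the password itself. The unsalted function mirrors the figure; the salted PBKDF2 function is the form a practitioner would deploy, since it keeps two users who chose the same password from producing the same stored value and makes offline guessing slow. The user name and password are the figure's; the record format and helper names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor; slows offline guessing against a stolen file


def unsalted_record(username: str, password: str) -> str:
    """The scheme in the figure: 'user:hash(password)' with a plain hash.
    Two users who both choose Dog124 get identical entries, which leaks that fact."""
    return f"{username}:{hashlib.sha256(password.encode()).hexdigest()}"


def salted_record(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Store 'user:pbkdf2_sha256$iterations$salt$hash' with a random per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare it in constant time."""
    _user, rest = record.split(":", 1)
    algo, iters, salt_hex, digest_hex = rest.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = salted_record("Butch", "Dog124")  # constructed entry using the figure's values
    print(rec)
    print("correct password:", verify(rec, "Dog124"))
    print("wrong case:      ", verify(rec, "dog124"))
```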
Strong Passwords
• What is a strong password?
– UPPER/lower case characters
– Special characters
– Numbers
• When is a password strong?
– Seattle1
– M1ke03
– P@$$w0rd
– TD2k5secV
Password Complexity
• A fixed 6-symbol password:
– Numbers: 10^6 = 1,000,000
– UPPER or lower case characters: 26^6 = 308,915,776
– UPPER and lower case characters: 52^6 = 19,770,609,664
– 32 special characters (&, %, $, @, “, |, ^, }, etc.): 32^6 = 1,073,741,824
• 94 practical symbols available
– 94^6 = 689,869,781,056
• ASCII standard 7 bit: 2^7 = 128 symbols
– 128^6 = 4,398,046,511,104
Odd characters make passwords safer
Password Length
• 26 UPPER/lower case characters = 52 characters
• 10 numbers
• 32 special characters
• => 94 characters available
• 5 characters: 94^5 = 7,339,040,224
• 6 characters: 94^6 = 689,869,781,056
• 7 characters: 94^7 = 64,847,759,419,264
• 8 characters: 94^8 = 6,095,689,385,410,816
• 9 characters: 94^9 = 572,994,802,228,616,704
Longer passwords are better
Password Validity: Brute Force Test
• Assume the password does not change for 60 days
• How many passwords per second would an attacker have to try to exhaust every 94-symbol password of a given length within those 60 days?
– 5 characters: 1,415 PW /sec
– 6 characters: 133,076 PW /sec
– 7 characters: 12,509,214 PW /sec
– 8 characters: 1,175,866,008 PW /sec
– 9 characters: 110,531,404,750 PW /sec
Secure Passwords
• A strong password includes characters from at
least three of the following groups:
• Use pass phrases, e.g. "I re@lly want to buy 11 Dogs!"
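The Password Complexity, Password Length, Brute Force Test and Secure Passwords slides are one calculation: alphabet^length, divided by the seconds the password stays valid. This added Python example (not from the slides) reproduces those figures and applies the "at least three classes" rule to the four sample passwords from the Strong Passwords slide. The class sizes (26/26/10/32) and the 60-day window are the slides'; the length floor in meets_class_rule and the helper names are this example's assumptions.

```python
import string

# Character classes and their sizes as used on the slides.
CLASSES = {
    "upper": (set(string.ascii_uppercase), 26),
    "lower": (set(string.ascii_lowercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), 32),  # string.punctuation holds exactly 32 symbols
}
VALIDITY_SECONDS = 60 * 24 * 60 * 60  # the slides' 60-day password lifetime: 5,184,000 s


def classes_used(password: str) -> list:
    return [name for name, (chars, _) in CLASSES.items() if any(c in chars for c in password)]


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search if they know which classes the password uses."""
    return sum(CLASSES[name][1] for name in classes_used(password))


def keyspace(length: int, alphabet: int = 94) -> int:
    """Number of passwords of exactly `length` symbols over `alphabet` symbols (the slides' 94^n)."""
    return alphabet ** length


def guesses_per_second_to_exhaust(length: int, alphabet: int = 94, seconds: int = VALIDITY_SECONDS) -> int:
    """Rate needed to try every password of this length before the password is rotated."""
    return keyspace(length, alphabet) // seconds


def meets_class_rule(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """The slides' rule (three classes) plus an assumed length floor of 8.
    P@$$w0rd passes, yet it is a dictionary word with substitutions: a class rule says
    nothing about guessability, while length is what the brute-force table rewards."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    for n in range(5, 10):
        print(f"{n} chars: 94^{n} = {keyspace(n):,} -> {guesses_per_second_to_exhaust(n):,} guesses/s over 60 days")
    for pw in ("Seattle1", "M1ke03", "P@$$w0rd", "TD2k5secV"):  # Strong Passwords slide samples
        print(f"{pw:10} classes={classes_used(pw)} alphabet={alphabet_size(pw)} "
              f"keyspace={keyspace(len(pw), alphabet_size(pw)):,} rule={meets_class_rule(pw)}")
```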
Bypass Password
• Software exploitation: takes advantage of any
weakness in software to bypass security
requiring a password
– Buffer overflow: occurs when a computer program
attempts to stuff more data into a temporary storage
area than it can hold
Cryptography
• Science of transforming information so it is
secure while being transmitted or stored
• Does not attempt to hide existence of data;
“scrambles” data so it cannot be viewed by
unauthorized users
• Encryption: changing the original text to a
secret message using cryptography
• Success of cryptography depends on the
process used to encrypt and decrypt messages
• Process is based on algorithms
Weak Keys
• Algorithm is given a key that it uses to encrypt
the message
• Any mathematical key that creates a detectable
pattern or structure (weak keys) provides an
attacker with valuable information to break the
encryption
Mathematical Attacks
• Cryptanalysis: process of attempting to break an
encrypted message
• Mathematical attack: analyzes characters in an
encrypted text to discover the keys and decrypt
the data
Birthday Attacks
• Birthday paradox:
– When you meet someone for the first time, you
have a 1 in 365 chance (0.027%) that he has
the same birthday as you
– If you meet 60 people, the probability leaps to
over 99% that you will share the same birthday
with one of these people
• Birthday attack: attack on a cryptographic system that exploits the mathematics underlying the birthday paradox
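The paradox and the attack it motivates, as an added Python example not taken from the slides: the exact probability that a group of n people shares a birthday, and the general birthday bound sqrt(2 ln 2 · N) for the number of random samples that gives a 50% collision chance in a space of N values, which is why a b-bit hash resists collisions only to about 2^(b/2) work. Function names are this example's own.

```python
from math import log, sqrt


def collision_probability(n: int, space: int = 365) -> float:
    """Exact probability that at least two of n values drawn uniformly from `space` coincide."""
    if n > space:
        return 1.0  # pigeonhole: more samples than values forces a collision
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def people_for_probability(target: float, space: int = 365) -> int:
    """Smallest n for which collision_probability(n, space) reaches `target`."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def samples_for_half_chance(space: int) -> float:
    """Birthday bound: about sqrt(2 ln 2 * N) random samples give a 50% collision chance.
    For a hash with N = 2^b outputs this is roughly 2^(b/2), so a 64-bit digest offers
    only about 32 bits of collision resistance."""
    return sqrt(2 * log(2) * space)


if __name__ == "__main__":
    print(f"60 people: {collision_probability(60):.2%} chance of a shared birthday")
    print(f"50% needs {people_for_probability(0.5)} people, 99% needs {people_for_probability(0.99)}")
    print(f"64-bit digest: ~{samples_for_half_chance(2 ** 64):.3g} hashes for a 50% collision")
```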
Examining Identity Attacks
• Category of attacks in which the attacker
attempts to assume the identity of a valid user
– Man-in-the-middle
– Replay
Man-in-the-Middle Attacks
• Make it seem that two computers are
communicating with each other, when
actually they are sending and receiving data
with a computer between them
• Can be active or passive:
– Passive attack: attacker captures sensitive data
being transmitted and sends it to the original
recipient without his presence being detected
– Active attack: contents of the message are
intercepted and altered before being sent on
Replay
• Similar to an active man-in-the-middle attack
• Whereas an active man-in-the-middle attack
changes the contents of a message before
sending it on, a replay attack only captures the
message and then sends it again later
• Takes advantage of communications between a
network device and a file server
TCP/IP Hijacking
• With wired networks, TCP/IP hijacking uses
spoofing, which is the act of pretending to be the
legitimate owner
• One particular type of spoofing is Address
Resolution Protocol (ARP) spoofing
• Computers on a network keep a table that links
an IP address with the corresponding MAC
address
• In ARP spoofing, a hacker changes the table so
packets are redirected to his computer
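A defender-side check for the ARP spoofing described above, as an added Python example that is not from the slides: it parses two snapshots of a Linux `arp -a` style table (constructed sample output below, not a real capture) and flags the symptoms of a poisoned cache: an IP whose MAC changed between snapshots, a pinned gateway whose MAC no longer matches the known-good value, and one MAC answering for several IP addresses. The addresses, the pinned mapping and the function names are this example's assumptions.

```python
import re
from collections import defaultdict

# Matches the Linux `arp -a` line format: "? (10.0.0.1) at aa:bb:cc:00:00:01 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d+(?:\.\d+){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)

# Constructed snapshots. In AFTER, the host that owns 10.0.0.2 is also answering for the
# gateway address 10.0.0.1, which is what a poisoned cache looks like from the victim.
BEFORE = """\
? (10.0.0.1) at aa:bb:cc:00:00:01 [ether] on eth0
? (10.0.0.2) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.0.0.3) at aa:bb:cc:00:00:03 [ether] on eth0
"""
AFTER = """\
? (10.0.0.1) at AA:BB:CC:00:00:02 [ether] on eth0
? (10.0.0.2) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.0.0.3) at aa:bb:cc:00:00:03 [ether] on eth0
"""
PINNED = {"10.0.0.1": "aa:bb:cc:00:00:01"}  # known-good gateway mapping (assumed)


def parse_arp(text: str) -> dict:
    """Return {ip: mac} from arp -a output, with MACs normalised to lower case."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def arp_alerts(before: dict, after: dict, pinned: dict = None) -> list:
    """List cache changes that look like ARP poisoning."""
    pinned = pinned or {}
    alerts = []
    for ip, mac in after.items():
        if ip in pinned and pinned[ip] != mac:
            alerts.append(f"pinned {ip} now maps to {mac}, expected {pinned[ip]}")
        elif ip in before and before[ip] != mac:
            alerts.append(f"{ip} changed from {before[ip]} to {mac}")
    by_mac = defaultdict(set)
    for ip, mac in after.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} addresses: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(parse_arp(BEFORE), parse_arp(AFTER), PINNED):
        print("ALERT:", alert)
```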
Identifying Denial of Service Attacks
• Denial of service (DoS) attack attempts to make
a server or other network device unavailable by
flooding it with requests
• After a short time, the server runs out of
resources and can no longer function
• SYN attack
– Exploits the SYN/ACK “handshake”
Identifying Denial of Service Attacks (cont)
• Another DoS attack tricks computers into
responding to a false request
• An attacker can send a request to all computers
on the network making it appear a server is
asking for a response
• Each computer then responds to the server,
overwhelming it, and causing the server to crash
or be unavailable to legitimate users
Identifying Denial of Service Attacks (cont)
• Distributed denial-of-service (DDoS) attack:
– Instead of using one computer, a DDoS may use hundreds or thousands of computers
– DDoS works in stages
Understanding Malicious Code (Malware)
• Consists of computer programs designed to
break into computers or to create havoc on
computers
• Most common types:
– Viruses
– Worms
– Logic bombs
– Trojan horses
– Back doors
Summary
• Attackers
– Hacker
– Cracker
– Script Kiddie
– Spy
– Employee
– Cyberterrorist
• Attacks
– Physical Attacks
– Password Guessing
– Cryptography
– Identity Attacks
– DoS Attacks
– Malware