
www.telkomuniversity.ac.id

Attack Types

Instructor : Team

Course : TTH3K3 - Network Security

As Taught In : 2nd semester 2017-2018

Level : Undergraduate

CLO : 1

Week : 3

Sub-Topic : Types of Attack


Introduction to Social Engineering

• Older than computers

• Targets the human component of a network

• Goals

– Obtain confidential information (passwords)

– Obtain personal information


Tactics

– Persuasion

– Intimidation

– Coercion

– Extortion/blackmailing


Introduction to Social Engineering (continued)

• The biggest security threat to networks

• Most difficult to protect against

• Main idea:

– “Why crack a password when you can simply ask for it?”

– Users divulge their passwords to IT personnel


• The attacker studies human behavior

– Recognize personality traits

– Understand how to read body language


Types of Social Engineering

1. Phishing

2. Pretexting

3. Baiting

4. Quid Pro Quo

5. Tailgating

source: tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/

Types of Social Engineering: Phishing

1. Phishing

Phishing scams might be the most common type of social engineering attack used today. Most phishing scams demonstrate the following characteristics:

• Seek to obtain personal information, such as names, addresses and social security numbers.

• Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.

• Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly.

• Some phishing emails are more poorly crafted than others, to the extent that their messages often exhibit spelling and grammar errors, but these emails are no less focused on directing victims to a fake website or form where the attackers can steal login credentials and other personal information.
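A defender can turn the characteristics listed above into a simple triage rule for incoming mail. The following Python script is an added example, not part of the original slides or of the article they summarise: it scans a message body for shortened links, for links whose visible text names a different host than the real target, for urgency wording and for requests for personal data, and returns the findings. The indicator lists, the shortener domains and the two sample messages are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed indicator lists (assumption: a real filter would use a maintained feed)
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now")
PII_REQUESTS = ("social security", "password", "date of birth", "account number")

HTML_LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL = re.compile(r'https?://[^\s"<>]+', re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def score_message(body):
    """Return a list of human-readable findings for one message body."""
    findings = []
    lower = body.lower()

    # Visible link text that names one host while the href points at another
    for href, text in HTML_LINK.findall(body):
        shown = BARE_URL.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            findings.append(f"link text shows {host_of(shown.group(0))} but points to {host_of(href)}")

    # Any link going through a URL shortener
    for url in BARE_URL.findall(body):
        if host_of(url) in SHORTENER_DOMAINS:
            findings.append(f"shortened link via {host_of(url)}")

    # Pressure to act quickly, and requests for personal data
    findings += [f"urgency wording: {w!r}" for w in URGENCY_WORDS if w in lower]
    findings += [f"asks for {p!r}" for p in PII_REQUESTS if p in lower]
    return findings


def is_suspicious(body, threshold=2):
    """Flag a message once it shows at least `threshold` independent indicators."""
    return len(score_message(body)) >= threshold


# Constructed sample messages for the demonstration
SAMPLE_PHISH = """Dear customer,
Your account will be suspended within 24 hours unless you verify now.
Click <a href="http://bit.ly/x9z">http://www.mybank.example/login</a> and confirm your password."""

SAMPLE_OK = "Hi team, the Q3 report is at https://intranet.example/reports/q3 - thanks!"

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, is_suspicious(body), score_message(body))
```

Each indicator on its own is weak (legitimate mail also uses shorteners and the word "urgent"), which is why the verdict waits for at least two independent findings; the sample phishing message trips six.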

Types of Social Engineering: Pretexting

2. Pretexting

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity.

More advanced attacks will also try to manipulate their targets into performing an action that enables them to exploit the structural weaknesses of an organization or company. A good example of this would be an attacker who impersonates an external IT services auditor and manipulates a company’s physical security staff into letting them into the building.

Unlike phishing emails, which use fear and urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target.

Types of Social Engineering: Baiting

3. Baiting

Baiting is in many ways similar to phishing attacks. However, what distinguishes it from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.

Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media.

Types of Social Engineering: Quid pro Quo

4. Quid pro Quo

Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually takes the form of a service, whereas baiting frequently takes the form of a good.

One of the most common types of quid pro quo attack involves fraudsters who impersonate IT service staff and call as many direct numbers belonging to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters promise a quick fix in exchange for the employee disabling their AV program and installing malware, disguised as software updates, on their computers.

It is important to note, however, that attackers can use much less sophisticated quid pro quo offers than IT fixes. As real world examples have shown, office workers are more than willing to give away their passwords for a cheap pen or even a bar of chocolate.

Types of Social Engineering: Tailgating

5. Tailgating

Another social engineering attack type is known as tailgating or “piggybacking.” These attacks involve someone who lacks the proper authentication following an employee into a restricted area.

In a common type of tailgating attack, a person impersonates a delivery driver and waits outside a building. When an employee gains security’s approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access through someone who is authorized to enter the company.

Tailgating does not work in all corporate settings, such as in larger companies where all persons entering a building are required to swipe a card. However, in mid-size enterprises, attackers can strike up conversations with employees and use this show of familiarity to successfully get past the front desk.

Preventing Social Engineering

• Train users not to reveal any information to outsiders

• Verify caller identity

– Ask questions

– Call back to confirm

• Security drills


Social Engineering: Other Techniques

• Urgency

• Status quo

• Kindness

• Position

• Shoulder Surfing

• Dumpster Diving


The Art of Shoulder Surfing

• Shoulder surfer

– Reads what users enter on keyboards

• Logon names

• Passwords

• PINs


Tools for Shoulder Surfing

• Binoculars or telescopes or cameras in cell phones

• Knowledge of key positions and typing techniques

• Knowledge of popular letter substitutions

– s equals $, a equals @


The Art of Shoulder Surfing (continued)

• Prevention

– Avoid typing when someone is nearby

– Avoid typing when someone nearby is talking on cell phone

– Computer monitors should face away from door or cubicle entryway

– Immediately change password if you suspect someone is observing you


Dumpster Diving

• Attacker finds information in victim’s trash

– Discarded computer manuals

• Notes or passwords written in them

– Telephone directories

– Calendars with schedules

– Financial reports

– Interoffice memos

– Company policy

– Utility bills

– Resumes of employees

The Art of Dumpster Diving (continued)

• Prevention

– Educate your users about dumpster diving

– Proper trash disposal

– Use “disk shredder” software to erase disks before discarding them

• Software writes random bits

• Done at least seven times

– Discard computer manuals offsite

– Shred documents before disposal

The Art of Piggybacking

• Trailing closely behind an employee cleared to enter restricted areas

• How it works:

– Watch authorized personnel enter an area

– Quickly join them at the security entrance

– Exploit the desire of others to be polite and helpful

– Attacker wears a fake badge or security card

The Art of Piggybacking (continued)

• Prevention

– Use turnstiles

– Train personnel to report the presence of strangers

– Do not hold secured doors for anyone

• Even for people you know

– All employees must use secure cards

Types of Network Attack

1. Eavesdropping

2. Data Modification

3. Identity Spoofing (IP Address Spoofing)

4. Password-Based Attacks

5. Denial-of-Service Attack

6. Man-in-the-Middle Attack

7. Compromised-Key Attack

8. Sniffer Attack

9. Application-Layer Attack

source: technet.microsoft.com/en-us/library/cc959354.aspx

Types of Network Attack: Eavesdropping

1. Eavesdropping

In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" on or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.

Types of Network Attack: Data Modification

2. Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

Types of Network Attack: Identity Spoofing

3. Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed; this is identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

Types of Network Attack: Password-based Attacks

4. Password-Based Attacks

A common denominator of most operating system and network security plans is password-based access control. This means your access rights are determined by your user name and password.

When an attacker finds a valid user account, the attacker has the same rights as the real user, even administrator-level rights. After gaining access to your network with a valid account, an attacker can do any of the following:

• Obtain lists of valid user and computer names and network information.

• Modify server and network configurations, including access controls and routing tables.

• Modify, reroute, or delete your data.

Types of Network Attack: Denial-of-Service Attack

5. Denial-of-Service Attack

Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:

• Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.

• Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.

• Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.

• Block traffic, which results in a loss of access to network resources by authorized users.

Types of Network Attack: Man-in-the-Middle Attack

6. Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange.

Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.

Types of Network Attack: Compromised-key Attack

7. Compromised-Key Attack

A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

Types of Network Attack: Sniffer Attack

8. Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:

• Analyze your network and gain information to eventually cause your network to crash or to become corrupted.

• Read your communications.

Types of Network Attack: Application-layer Attack

9. Application-Layer Attack

An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:

• Read, add, delete, or modify your data or operating system.

• Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.

• Introduce a sniffer program to analyze your network and gain information that can be used to crash or to corrupt your systems and network.

• Abnormally terminate your data applications or operating systems.

• Disable other security controls to enable future attacks.

Denial-of-service

• Denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space

• Attacks (overload or invalid request services that consume significant resources) target:

– network bandwidth

– system resources

– application resources

• Have been an issue for some time (25% of respondents to an FBI survey)

Classic DoS attacks

• Flooding ping command

– Aim of this attack is to overwhelm the capacity of the network connection to the target organization

– Traffic can be handled by higher capacity links on the path, but packets are discarded as capacity decreases

• Source of the attack is clearly identified unless a spoofed address is used

• Network performance is noticeably affected

Internet Control Message Protocol (ICMP)

• The Internet Control Message Protocol (ICMP) is one of the main IP protocols; it is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached

• A host must respond to every echo request with an echo reply containing the exact data received in the request message


Source address spoofing

• Use forged source addresses

– Usually via the raw socket interface on operating systems

– Makes attacking systems harder to identify

• Attacker generates large volumes of packets that have the target system as the destination address

• Congestion results at the router connected to the final, lower-capacity link

• Backscatter traffic

– Advertise routes to unused IP addresses to monitor attack traffic

Backscatter traffic

• Security researchers (Honeypot Project) advertise blocks of unused IP addresses (no real/legitimate uses)

• If an ICMP or connection request arrives at these addresses, it most likely comes from attackers

• Monitoring provides valuable information on the type and scale of attacks


SYN spoofing

• Common DoS attack

• Attacks the ability of a server to respond to future connection requests by overflowing the tables used to manage them

• Thus legitimate users are denied access to the server

• Hence an attack on system resources, specifically the network handling code in the operating system

SYN spoofing attack

(diagram not reproduced) Assumption: most connections succeed, and thus the table is cleared quickly


SYN spoofing attack: attacker’s source

• Attacker often uses either

– random source addresses (addresses that may not exist)

– or that of an overloaded server (that may not send a RST)

– to block return of (most) reset packets

• Has much lower traffic volume

– attacker can be on a much lower capacity link

• Objective: use addresses that will not respond to the SYN-ACK with a RST

Types of flooding attacks

• Classified based on network protocol used

• Objective: to overload the network capacity on some link to a server

• Virtually any type of network packet can be used

• ICMP Flood

– Uses ICMP packets, e.g. ping (echo) request

– Typically allowed through, some required

• UDP Flood

– Alternative uses UDP packets to random ports (even if no service is available, the attacker achieves its goal)

• TCP SYN Flood (SYN spoof vs SYN flood)

– Sends TCP SYN (connection request) packets

– But for a volume attack

UDP packet

• User Datagram Protocol (UDP) is a component of the IP suite and allows computer applications to send messages

• A UDP packet can be directed at practically any service (port); if the service is unavailable, the packet is discarded but the attacker's objective is achieved

Distributed DoS attacks

• Have limited volume if a single source is used

• Multiple systems allow much higher traffic volumes to form a distributed DoS (DDoS) attack

• Often compromised PCs/workstations

– Zombies with backdoor programs installed

– Forming a botnet

• Example: Tribe Flood Network (TFN), TFN2K

– did ICMP, SYN and UDP floods

DDoS control hierarchy

(diagram not reproduced) The attacker sends one command to the handler zombies; each handler forwards it to other handlers and to the agents.


Application-based bandwidth attacks

• Force the victim system to execute resource-consuming operations (e.g., searches, complex DB queries)

• VoIP Session Initiation Protocol (SIP) flood: attacker sends many INVITE requests; major burden on the proxies

– server resources depleted while handling requests

– bandwidth capacity is consumed

HTTP-based attacks

• Attempts to monopolize the server by sending HTTP requests that never complete

• Eventually consumes the Web server’s connection capacity

• Utilizes legitimate HTTP traffic

• Spidering: bots starting from a given HTTP link and following all links on the provided Web site in a recursive way

• Existing intrusion detection and prevention solutions that rely on signatures to detect attacks will generally not recognize Slowloris


Reflection attacks

• Attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system

• When intermediary responds, the response is sent to the target

• “Reflects” the attack off the intermediary (reflector)

• Goal is to generate enough volume of packets to flood the link to the target system without alerting the intermediary

• The basic defense against these attacks is blocking spoofed-source packets

Reflection attacks

• A further variation creates a self-contained loop between the intermediary and the target (the attacker spoofs requests to the echo service on port 7, which replies with whatever it receives)

• Fairly easy to filter and block


DNS amplification attacks

• Use packets directed at a legitimate DNS server as the intermediary system

• Attacker creates a series of DNS requests containing the spoofed source address of the target system

• Exploit DNS behavior to convert a small request to a much larger response (amplification)

• Target is flooded with responses

• Basic defense against this attack is to prevent the use of spoofed source addresses

Amplification attacks

• Can take advantage of the broadcast address of a network


Four lines of defense against DDoS attacks

• Attack prevention and preemption (before attack)

• Attack detection and filtering (during the attack)

• Attack source traceback and identification (during and after the attack)

• Attack reaction (after the attack)

DoS attack prevention

• Block spoofed source addresses

– On routers as close to the source as possible

• Filters may be used to ensure the path back to the claimed source address is the one being used by the current packet

– Filters must be applied to traffic before it leaves the ISP’s network or at the point of entry to their network

• Use modified TCP connection handling code

– Cryptographically encode critical information in a cookie that is sent as the server’s initial sequence number

– Legitimate client responds with an ACK packet containing the incremented sequence number cookie

– Drop an entry for an incomplete connection from the TCP connections table when it overflows
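The "path back to the claimed source address" check in the second bullet is what routers implement as reverse-path filtering (strict uRPF, the mechanism behind BCP 38 ingress filtering). The Python below is an added example, not the slides' own material: it models an ISP edge router with a constructed routing table, does a longest-prefix lookup for each packet's source address, and accepts the packet only if the interface it arrived on is the one the router would use to reach that source. The interface names, the prefixes and the sample packets are all constructed.

```python
import ipaddress

# Constructed routing table of a hypothetical ISP edge router: prefix -> interface
ROUTES = {
    "203.0.113.0/24": "eth_customer1",
    "198.51.100.0/24": "eth_customer2",
    "0.0.0.0/0": "eth_upstream",      # default route toward the Internet
}


def best_route(table, ip):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_accept(table, src_ip, ingress_iface):
    """Strict reverse-path check: the route back to the source must leave through
    the interface the packet came in on. A customer port claiming a source address
    that belongs to another customer or to the Internet fails this test."""
    route = best_route(table, src_ip)
    return route is not None and route[1] == ingress_iface


def filter_packets(table, packets):
    """Split a packet list into (accepted, dropped) under strict uRPF."""
    accepted, dropped = [], []
    for pkt in packets:
        ok = strict_urpf_accept(table, pkt["src"], pkt["iface"])
        (accepted if ok else dropped).append(pkt)
    return accepted, dropped


# Constructed packets as seen at the edge router (iface = where the packet arrived)
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "iface": "eth_customer1"},    # legitimate customer traffic
    {"src": "192.0.2.10", "dst": "203.0.113.77", "iface": "eth_customer1"},   # customer spoofing an Internet host
    {"src": "198.51.100.7", "dst": "192.0.2.10", "iface": "eth_customer1"},   # customer spoofing a neighbour
    {"src": "192.0.2.10", "dst": "203.0.113.5", "iface": "eth_upstream"},     # legitimate reply from the Internet
]

if __name__ == "__main__":
    acc, drop = filter_packets(ROUTES, SAMPLE_PACKETS)
    print("accepted:", [p["src"] for p in acc])
    print("dropped :", [p["src"] for p in drop])
```

The filter is only effective where it is placed on the customer-facing side, as the slide says: once the spoofed packet has crossed into the core, every interface is a plausible reverse path. Strict mode also assumes symmetric routing; multihomed customers need a looser variant that only checks that some route to the source exists.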

Attack prevention

• Rate controls in upstream distribution nets

– On specific packet types, e.g. some ICMP, some UDP, TCP/SYN

– Impose limits

• Use modified TCP connection handling

– Server sends SYN cookies when the table is full (reconstruct table data from the cookie from legitimate clients)

– Selective or random drop when the table is full
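The modified TCP connection handling described on this slide and on the previous one (a cookie sent as the server's initial sequence number, reconstructed from the client's incremented ACK) is the SYN cookie mechanism. The Python below is an added example, not the slides' material and not any operating system's actual implementation: it packs a 5-bit time counter, an index into a small MSS table and a 24-bit HMAC of the connection 4-tuple and the client ISN into the 32-bit number, and validates the final ACK without any stored state. The secret key, the MSS table, the tick length and the sample connection values are constructed, and the bit layout is a simplification of the one real kernels use.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"     # assumption: a real server rotates this
MSS_TABLE = [536, 1220, 1440, 1460]           # MSS values encodable in the cookie (index 0..3)
TICK_SECONDS = 64                             # one counter tick; cookies expire after ~2 ticks
MASK32 = 0xFFFFFFFF


def _tick(now):
    return (int(now) // TICK_SECONDS) & 0x1F   # 5-bit counter


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick, mss_idx):
    """24-bit HMAC over everything the cookie must bind to."""
    msg = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}:{client_isn}:{tick}:{mss_idx}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Build the server ISN for a SYN/ACK. Layout: 5 bits tick | 3 bits MSS index | 24 bits MAC.
    Nothing is stored on the server; the half-open table entry is replaced by this number."""
    tick = _tick(now)
    # largest encodable MSS not above the one the client offered
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    mac = int.from_bytes(_mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick, mss_idx), "big")
    return ((tick << 27) | (mss_idx << 24) | mac) & MASK32


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Validate the handshake-completing ACK (seq = client_isn + 1, ack = cookie + 1).
    Returns the MSS to use for the reconstructed connection, or None if the ACK is bogus or stale."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    tick, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_tick(now) - tick) % 32 > 1:            # older than two ticks: reject
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick, mss_idx)
    if not hmac.compare_digest(expected, mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def simulate(now=1_700_000_000):
    """A legitimate client completes the handshake while the server keeps no table entry."""
    client, server = ("198.51.100.7", 40000), ("192.0.2.10", 80)
    client_isn = 12345
    cookie = make_syn_cookie(*client, *server, client_isn, 1452, now)            # SYN/ACK carries seq=cookie
    mss = check_syn_cookie(*client, *server, client_isn + 1, cookie + 1, now)    # the client's ACK
    return cookie, mss


if __name__ == "__main__":
    cookie, mss = simulate()
    print(f"cookie=0x{cookie:08x} reconstructed mss={mss}")
```

A flood of spoofed SYNs now costs the server one HMAC per packet and no memory, which is the point of the slide; the price is that TCP options other than a coarse MSS are lost and that a cookie is only accepted within the short time window, both of which are why real stacks enable cookies only once the table is full, as the first bullet says.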

Responding to attacks

• Good incident response plan

– Details on how to contact technical personnel at the ISP

– Needed to impose traffic filtering upstream

– Details of how to respond to the attack

• Implement anti-spoofing, directed broadcast, and rate limiting filters

• Ideally have network monitors and IDS to detect and notify of abnormal traffic patterns

TCP Connection Management: Closing

Step 1: client end system sends TCP FIN control segment to server

Step 2: server receives FIN, replies with ACK. Closes connection, sends FIN.

Step 3: client receives FIN, replies with ACK.

– Enters “timed wait” - will respond with ACK to received FINs

Step 4: server receives ACK. Connection closed.

[Figure: client/server timeline of the close: client closing, server closing, client in timed wait, then both closed]

Detection Methods (I)

• Utilize SYN-FIN pair behavior

• Or SYN/ACK – FIN

• Can be both on client or server side

• However, RST violates SYN-FIN behavior

– Passive RST: transmitted upon arrival of a packet at a closed port (usually by servers)

– Active RST: initiated by the client to abort a TCP connection (e.g., Ctrl-D during a telnet session)

• Often queued data are thrown away

– So a SYN – RST(active) pair is also normal

SYN – FIN Behavior

• Generally every SYN has a FIN

• We can’t tell if a RST is active or passive

• Consider 75% active


Detection Method (II)

• SYN – SYN/ACK pair behavior

• Hard to evade for the attacking source

• Problems

– Need to sniff both incoming and outgoing traffic

– Only becomes obvious when really swamped
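Both detection methods on the last three slides compare counts of packets that normally come in pairs. The Python below is an added example, constructed for this section and not taken from the slides: it counts inbound SYNs, outbound SYN/ACKs, inbound FINs and RSTs over a packet list (both directions, as method II requires), applies the "75% active" rule for RSTs from the SYN – FIN slide, and raises an alert when either normalised difference grows large. The server address, the two traces and the 0.5 threshold are constructed values.

```python
from collections import Counter

SERVER = "192.0.2.10"          # constructed: the server being watched
ACTIVE_RST_FRACTION = 0.75     # slide's assumption: 75% of RSTs are active closes standing in for a FIN
ALERT_THRESHOLD = 0.5          # constructed: fraction of SYNs left unpaired before alerting


def session(client):
    """One normal TCP session as (src, dst, flags) records: handshake, data, orderly close."""
    return [
        (client, SERVER, "SYN"), (SERVER, client, "SYN,ACK"), (client, SERVER, "ACK"),
        (client, SERVER, "PSH,ACK"), (SERVER, client, "ACK"),
        (client, SERVER, "FIN,ACK"), (SERVER, client, "FIN,ACK"), (client, SERVER, "ACK"),
    ]


def count_pairs(packets, server=SERVER):
    """Count the packet kinds the two detection methods pair up."""
    c = Counter()
    for src, dst, flags in packets:
        f = set(flags.split(","))
        if dst == server and "SYN" in f and "ACK" not in f:
            c["syn"] += 1                      # inbound connection request
        elif src == server and {"SYN", "ACK"} <= f:
            c["synack"] += 1                   # server's reply, absent once the backlog overflows
        elif dst == server and "FIN" in f:
            c["fin"] += 1                      # client-side orderly close; one per SYN in normal traffic
        elif "RST" in f:
            c["rst"] += 1                      # active or passive; we cannot tell which
    return c


def detect(packets, server=SERVER):
    """Normalised SYN-FIN and SYN-SYN/ACK differences for one window, plus an alert flag."""
    c = count_pairs(packets, server)
    syn = max(c["syn"], 1)
    closes = c["fin"] + ACTIVE_RST_FRACTION * c["rst"]
    syn_fin = (c["syn"] - closes) / syn
    syn_synack = (c["syn"] - c["synack"]) / syn
    return {
        "syn": c["syn"], "synack": c["synack"], "fin": c["fin"], "rst": c["rst"],
        "syn_fin_score": syn_fin, "syn_synack_score": syn_synack,
        "alert": syn_fin > ALERT_THRESHOLD or syn_synack > ALERT_THRESHOLD,
    }


# Constructed traces. Normal: four complete sessions.
NORMAL_TRACE = [p for i in range(4) for p in session(f"203.0.113.{i + 1}")]

# Attack: one real session plus 20 SYNs from spoofed sources; the server answers the first
# five, then its half-open table is full and it stops replying. No FINs ever arrive.
ATTACK_TRACE = session("203.0.113.1") + [(f"10.{i}.{i}.{i}", SERVER, "SYN") for i in range(20)]
ATTACK_TRACE += [(SERVER, f"10.{i}.{i}.{i}", "SYN,ACK") for i in range(5)]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("attack", ATTACK_TRACE)):
        print(name, detect(trace))
```

The two scores behave as the slides describe: the SYN-FIN score rises as soon as spoofed SYNs arrive (they never close), while the SYN-SYN/ACK score only rises once the server has stopped answering, which is the "only becomes obvious when really swamped" problem of method II.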

Password Management

• Front line of defense against intruders

• Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password

– Password serves to authenticate the ID of the individual logging on to the system

– The ID provides security by:

• Determining whether the user is authorized to gain access to a system

• Determining the privileges accorded to the user

• Used in discretionary access control

Managing Passwords

• need policies and good user education

• ensure every account has a default password

• ensure users change the default passwords to something they can remember

• protect password file from general access

• set technical policies to enforce good passwords

– minimum length (>6)

– require a mix of upper & lower case letters, numbers, punctuation

– block known dictionary words

Managing Passwords

• may reactively run password guessing tools

– note that good dictionaries exist for almost any language/interest group

• may enforce periodic changing of passwords

• have system monitor failed login attempts, & lockout account if see too many in a short period

• do need to educate users and get support

• balance requirements with user acceptance

• be aware of social engineering attacks

Attack Strategies and Countermeasures (1)

Workstation hijacking

• The attacker waits until a logged-in workstation is unattended

• The standard countermeasure is automatically logging the workstation out after a period of inactivity

Exploiting user mistakes

• Attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password; a user may intentionally share a password to enable a colleague to share files; users tend to write passwords down because it is difficult to remember them

• Countermeasures include user training, intrusion detection, and simpler passwords combined with another authentication mechanism

Attack Strategies and Countermeasures (2)

Offline dictionary attack

• Determined hackers can frequently bypass access controls and gain access to the system’s password file

• Countermeasures include controls to prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords should the password file be compromised

Specific account attack

• The attacker targets a specific account and submits password guesses until the correct password is discovered

• The standard countermeasure is an account lockout mechanism, which locks out access to the account after a number of failed login attempts
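The lockout countermeasure named under "Specific account attack" (and the failed-login monitoring on the earlier slides on managing passwords) can be shown as a small policy engine replayed over an authentication log. The Python below is an added example, not the slides' material: it keeps, per account, a sliding window of failure timestamps, locks the account for a fixed period once the window holds five failures, and refuses even a correct password while the lock is in force. The log format, the account names and the thresholds are constructed.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # constructed policy: failures allowed inside the window
WINDOW_SECONDS = 300    # constructed: sliding window for counting failures
LOCKOUT_SECONDS = 900   # constructed: how long the account stays locked


class LoginGuard:
    """Per-account lockout after repeated failures within a sliding window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> epoch second the lock expires

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed'. The credential is not even considered while locked,
        so a guesser gets no signal about the password during the lockout."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "ok"
        q = self.failures[user]
        q.append(now)
        while q and q[0] < now - self.window:   # drop failures that left the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            q.clear()
            return "locked"
        return "failed"


def parse_line(line):
    """Parse a constructed log line: '<epoch> user=<name> result=OK|FAIL src=<ip>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return int(ts), kv["user"], kv["result"] == "OK"


def replay(lines, guard=None):
    """Run the guard over log lines in order; return the verdict for each line."""
    guard = guard or LoginGuard()
    return [guard.attempt(user, ok, ts) for ts, user, ok in map(parse_line, lines)]


# Constructed authentication log (epoch seconds)
SAMPLE_LOG = [
    "1700000000 user=alice result=FAIL src=203.0.113.5",
    "1700000001 user=alice result=FAIL src=203.0.113.5",
    "1700000002 user=alice result=FAIL src=203.0.113.5",
    "1700000003 user=alice result=FAIL src=203.0.113.5",
    "1700000004 user=alice result=FAIL src=203.0.113.5",   # fifth failure: account locks
    "1700000010 user=alice result=OK src=203.0.113.5",     # right password, still locked
    "1700000020 user=bob result=OK src=198.51.100.7",      # other accounts are unaffected
    "1700000904 user=alice result=OK src=203.0.113.5",     # lock has expired
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(verdict.ljust(7), line)
```

The same mechanism is what makes lockouts double-edged: anyone who can submit five wrong guesses can lock a colleague out, so production deployments usually pair the per-account counter with per-source throttling or progressive delays rather than relying on the hard lock alone.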

Attack Strategies and Countermeasures (3)

Electronic monitoring

• Sniffing/eavesdropping

• Countermeasure: (advanced) encryption

Password guessing against a single user

• Countermeasures: user awareness, password policies

Exploiting multiple password use

• The same or a similar password for a given user on different networks

• Countermeasures: user awareness, password policies

Popular password attack

• Countermeasures: user awareness, password policies

Password Selection Strategies

• The goal is to eliminate guessable passwords while allowing the user to select a password that is memorable

• Four basic techniques are in use:

– User education

• Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords

– Computer-generated passwords

• Computer-generated password schemes have a history of poor acceptance by users

• Users have difficulty remembering them

– Reactive password checking

• A strategy in which the system periodically runs its own password cracker to find guessable passwords

– Proactive password checking

• A user is allowed to select his or her own password; however, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it
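Proactive password checking, the last of the four techniques, is also where the technical policy from the earlier slides on managing passwords (minimum length above 6, a mix of upper and lower case, digits and punctuation, blocked dictionary words) gets enforced. The Python below is an added example, not the slides' material: it applies those three rules, undoes the common letter substitutions mentioned on the shoulder-surfing slide (s as $, a as @) plus a few similar digit lookalikes before the dictionary check, and, as an assumption that goes beyond the slides, accepts long multi-word passphrases of the kind the next slide recommends without the class-mix requirement. The word list, the substitution table, the passphrase rule and the candidate passwords are constructed.

```python
import string

MIN_LENGTH = 7                         # slide: minimum length > 6
PASSPHRASE_MIN_WORDS = 4               # assumption: a passphrase is 4+ words and 20+ characters
PASSPHRASE_MIN_LENGTH = 20
# Constructed dictionary; a real checker loads a large word list
DICTIONARY = {"password", "welcome", "letmein", "telkom", "qwerty", "monkey"}
# Substitutions to undo before the dictionary check: $ for s and @ for a are from the slides,
# the digit lookalikes are an added assumption
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "4": "a"})


def undo_substitutions(pw):
    """Map 'P@$$w0rd' back to 'password' so obfuscated dictionary words are still caught."""
    return pw.lower().translate(SUBSTITUTIONS)


def is_passphrase(pw):
    words = pw.split()
    return len(words) >= PASSPHRASE_MIN_WORDS and len(pw) >= PASSPHRASE_MIN_LENGTH


def check_password(pw, dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password is allowable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_passphrase(pw):
        return problems     # assumption: long random-word passphrases need no class mix
    classes = {
        "upper-case letter": any(c.isupper() for c in pw),
        "lower-case letter": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    problems += [f"missing {name}" for name, present in classes.items() if not present]
    normalised = undo_substitutions(pw)
    problems += [f"contains dictionary word {word!r} after undoing substitutions"
                 for word in sorted(dictionary) if word in normalised]
    return problems


def is_allowable(pw, dictionary=DICTIONARY):
    return not check_password(pw, dictionary)


# Constructed candidates
CANDIDATES = ["abc123", "P@$$word1", "W3lcome!", "Tr0ub4dor&3", "correct horse battery staple"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw!r}: {check_password(pw) or 'allowable'}")
```

The substitution step matters because password crackers apply the same rules in reverse: a checker that accepts "P@$$word1" because it contains four character classes rejects nothing an attacker's wordlist would not already cover.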

Passwords: New Ways

• Use password manager applications

• Use passphrases instead of passwords

– Random common words instead of gibberish, hard-to-memorize random strings (xkcd #936)

Exercise

• Use Wireshark to monitor your network traffic

– Save your network traffic for 30 minutes

– From your saved traffic file:

• Determine how much of the traffic is ARP, DNS, and HTTP

• What is your IP address? What is your DNS server?

• Assume that passwords are selected from four-character combinations of 26 alphabetic characters. Assume that an adversary is able to attempt passwords at a rate of one per second.

– Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password?

– Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password?

Virtual Communication between Layers

[Figure: Host A, two routers, and Host B. Host A and Host B have Application, Transport, Network and Data Link layers; each router has Network and Data Link layers. Application data is carried as the Transport payload, which is carried as the Network payload, which is carried as the Data Link payload.]

TCP/IP Security Protocols

Application Layer : PGP, SSH

Transport Layer : SSL/TLS

Internetwork Layer : IPsec

Network Access Layer : IEEE 802.11 (WEP, WPA)


Security in what layer?

• Depends on the purpose…

– How are keys provisioned/shared?

– Should the (human) user be involved?

– Semantics: authenticate user-to-user, or host-to-host?

Security in what layer?

• Depends on what’s available

– E.g., consider a user connecting to a website from a café (over a wireless network)

– End-to-end encryption might be unavailable (e.g., if the website does not support encryption)

– Eavesdropping on the Internet backbone is less likely than eavesdropping on the wireless link in the café

– Encrypt the link from the user to the wireless router

– Link-layer encryption more appropriate

• Link-layer authentication also possible


Security in what layer?

• Depends on the threat model/what threats are being addressed

– What information needs to be protected? (Ports, IP addresses?)

– e.g. network-layer authentication will not prevent DoS attacks at the link level (e.g., ARP spoofing, replayed disconnect messages, overloading the access point)

– e.g. an application-layer protocol cannot protect IP header information

– End-to-end or hop-by-hop?


Security in what layer?

• Security interactions with various layers

– e.g. if TCP accepts a packet which is rejected by the application above it, then TCP will reject the “correct” packet (detecting a replay) when it arrives!

– e.g. if higher-layer header data is used by a firewall to make decisions, this is incompatible with network-layer encryption (if it encrypts headers)

Generally…

• When security is placed at lower levels, it can provide automatic, “blanket” coverage…

– …but it can take a long time before it is widely adopted

– Can be inefficient to encrypt everything

• When security is placed at higher levels, individual users can choose when to use it…

– …but users who are not security-conscious may not take advantage of it

– Can encrypt only what is necessary

www.telkomuniversity.ac.id

Example: PGP vs. SSL vs. IPsec

• PGP is an application-level protocol for “secure email”

– Can provide security over insecure networks

– Users choose when to use PGP; user must be involved

– Alice’s signature on an email proves that Alice actually generated the message, and that it was received unaltered; also non-repudiation

• In contrast, SSL secures “the connection” from Alice’s computer; additional mechanisms would be needed to authenticate the user

– Communication with an off-line party (i.e., email)

Example: PGP vs. SSL vs. IPsec

• SSL sits at the transport layer, “above” TCP

– Packet stream authenticated/encrypted

– End-to-end security, best for connection-oriented sessions (e.g., http traffic)

– User does not need to be involved

– The OS does not have to change, but applications do if they want to communicate securely

Example: PGP vs. SSL vs. IPsec

• IPsec sits at the network layer

– Individual packets authenticated/encrypted

– End-to-end or hop-by-hop security

– Need to modify OS

– All applications “protected” by default, without requiring any change to applications or actions on behalf of users

– Only authenticates hosts, not users

– User can be completely unaware that IPsec is running

Application Layer

• Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail (port 25), finger (port 79)

• Interface to the transport layer: operating-system-dependent socket interface

Application Layer Security

Advantages:

• Most flexible

• Executing in the context of the user: easy access to the user’s credentials

• Complete access to the data: easier to ensure non-repudiation and fine-grained security

• Application-based security

Disadvantages:

• Most intrusive

• Implemented in end hosts

• Needed for each application

• Expensive

• Greater probability of making mistakes

Providing Security

• Provide security system that can be used by different applications

– Develop authentication and key distribution models

• Enhance application protocol with security features

– Need to enhance each application

Web Security

• HTTP is not a secure protocol

– Simple and stateless client/server application running over TCP/IP

• Added security measures needed

– We will see SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

– HTTPS

• Secure HTTP protocol

• Actually SSL support is provided for several other TCP/IP applications as well

– POP, SMTP, FTP, …

HTTPS

• HTTPS (HTTP over SSL/TLS)

– combination of HTTP & SSL/TLS to secure communications between browser & web server

• documented in RFC2818

• no fundamental change using either SSL or TLS; both are referred to as HTTPS

• use https:// URL rather than http://

– use port 443 rather than 80

• encrypts

– URL, document contents, form data, cookies, HTTP headers

HTTPS Connection Initiation

• SSL/TLS handshake is first done

– HTTP client (browser) acts as SSL/TLS client

• After the handshake HTTP request(s) are sent

– Actually all HTTP data should be sent through SSL/TLS record protocol

HTTPS Connection Closure

• connection closure

– have “Connection: close” in the HTTP headers

• which normally causes the TCP connection to be closed

• but the SSL/TLS protocol sits between HTTP and TCP

• thus, SSL/TLS should control connection closure at the TCP level

– SSL/TLS level: exchange close_notify alerts

– can then close the TCP connection
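The initiation and closure sequence described on the last two slides, carried out end to end by an added Go example (written for these notes, not part of the course materials): the client completes the TLS handshake before any HTTP bytes are sent, the request carries “Connection: close”, the server answers and sends a close_notify alert, and the client confirms it saw that alert before the TCP socket went away. To run offline it assumes a throwaway self-signed certificate for 127.0.0.1 and a server in the same process; the host name, certificate subject and response body are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// ExchangeResult summarises one HTTPS request made over a local TLS connection.
type ExchangeResult struct {
	TLSVersion uint16 // negotiated version from the handshake
	Status     int    // HTTP status, readable only after the handshake
	Body       string
	CleanClose bool // peer sent close_notify before closing TCP
}

// selfSignedCert makes a throwaway certificate for 127.0.0.1 so the example runs
// offline (assumption; a real server presents a CA-issued certificate instead).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "https-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client will trust exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// HTTPSExchange runs server and client in one process: TLS handshake first, then
// HTTP with "Connection: close", then close_notify alerts, then the TCP close.
func HTTPSExchange() (ExchangeResult, error) {
	var res ExchangeResult
	cert, pool, err := selfSignedCert()
	if err != nil {
		return res, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return res, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection, answer one request
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close() // tls.Conn.Close sends close_notify, then closes TCP
		if _, err := http.ReadRequest(bufio.NewReader(c)); err != nil {
			return
		}
		body := "hello over TLS"
		fmt.Fprintf(c, "HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s", len(body), body)
	}()
	// Client side: Dial returns only after the SSL/TLS handshake has completed.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool})
	if err != nil {
		return res, err
	}
	defer conn.Close()
	res.TLSVersion = conn.ConnectionState().Version
	// Only now does HTTP data flow, inside the TLS record protocol.
	io.WriteString(conn, "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nConnection: close\r\n\r\n")
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, nil)
	if err != nil {
		return res, err
	}
	body, _ := io.ReadAll(resp.Body)
	res.Status, res.Body = resp.StatusCode, string(body)
	// "Connection: close": the next read yields io.EOF only because the peer sent
	// close_notify; a bare TCP close would surface as io.ErrUnexpectedEOF instead.
	_, err = br.ReadByte()
	res.CleanClose = err == io.EOF
	return res, nil
}

func main() {
	r, err := HTTPSExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 0x%04x, status %d, body %q, clean close: %v\n", r.TLSVersion, r.Status, r.Body, r.CleanClose)
}
```

The CleanClose check is the practical point of the closure slide: a peer that drops the TCP connection without close_notify is indistinguishable, from the application’s view, from an attacker cutting the connection short, which is why the TLS layer rather than TCP should signal the end of the session.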

Experiment 1

• Objective: sniffing passwords using Wireshark

• https://www.wireshark.org/download.html

What to do

1. Launch Wireshark

2. From the Wireshark menu bar, select Capture Interfaces (Ctrl+I)

3. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet driver interface that is connected to the system, and then click Start.

4. Switch to the virtual machine and log in to your email.

5. You may save the captured packets from File, Save As.

6. In Find by...

QUESTION

1. Evaluate the protocols involved in the activity captured by Wireshark

2. Evaluate the result of the activity
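The exercise above has you find a password in a capture by hand; the defender’s version of the same observation is a monitor that flags cleartext credentials so the service can be moved to the encrypted alternative named on the earlier slides (HTTPS, or SSL/TLS for POP, SMTP and FTP). The Go program below is an added example for these notes, not part of the lab handout or of Wireshark. It inspects reassembled TCP payloads on the well-known cleartext ports, reports what kind of credential exposure it saw and the fix, and never echoes the secret. All packets, host names, field names and the base64 value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Packet is one reassembled TCP payload from a capture with its destination port.
// Every packet used here is constructed for the example, not a real capture.
type Packet struct {
	DstPort int
	Payload string
}

// Finding describes a cleartext credential observed on the wire: the protocol,
// what evidence was seen, and the encrypted alternative. The secret is not kept.
type Finding struct {
	Protocol string
	Evidence string
	Fix      string
}

// passwordFields are form field names treated as login secrets (assumption).
var passwordFields = []string{"password", "passwd", "pass", "pwd"}

// hasLine reports whether any CRLF-separated line starts with prefix, ignoring case.
func hasLine(text, prefix string) bool {
	for _, line := range strings.Split(text, "\r\n") {
		if strings.HasPrefix(strings.ToUpper(line), strings.ToUpper(prefix)) {
			return true
		}
	}
	return false
}

// Inspect classifies one packet. Only the cleartext services from the slides
// (HTTP, FTP, SMTP, POP3) are checked; anything else, including 443, is left alone.
func Inspect(p Packet) (Finding, bool) {
	switch p.DstPort {
	case 80:
		parts := strings.SplitN(p.Payload, "\r\n\r\n", 2)
		head, body := parts[0], ""
		if len(parts) == 2 {
			body = parts[1]
		}
		if hasLine(head, "Authorization: Basic ") {
			return Finding{"HTTP", "Authorization: Basic header (base64 is encoding, not encryption)", "HTTPS on port 443"}, true
		}
		if form, err := url.ParseQuery(strings.TrimSpace(body)); err == nil {
			for _, f := range passwordFields {
				if _, ok := form[f]; ok {
					return Finding{"HTTP", "form field '" + f + "' in POST body", "HTTPS on port 443"}, true
				}
			}
		}
	case 21:
		if hasLine(p.Payload, "PASS ") {
			return Finding{"FTP", "PASS command", "FTP over TLS or SFTP"}, true
		}
	case 110:
		if hasLine(p.Payload, "PASS ") {
			return Finding{"POP3", "PASS command", "POP3 over TLS (port 995) or STARTTLS"}, true
		}
	case 25:
		if hasLine(p.Payload, "AUTH PLAIN") || hasLine(p.Payload, "AUTH LOGIN") {
			return Finding{"SMTP", "AUTH PLAIN/LOGIN without STARTTLS", "SMTP with STARTTLS or SMTP over TLS"}, true
		}
	}
	return Finding{}, false
}

// Scan runs Inspect over a whole capture and returns the findings in order.
func Scan(capture []Packet) []Finding {
	var out []Finding
	for _, p := range capture {
		if f, ok := Inspect(p); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleCapture is a constructed stand-in for what the Wireshark exercise records.
func SampleCapture() []Packet {
	return []Packet{
		{80, "POST /login HTTP/1.1\r\nHost: mail.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=placeholder-secret"},
		{80, "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\nAuthorization: Basic YWxpY2U6cGxhY2Vob2xkZXI=\r\n\r\n"}, // constructed value
		{80, "GET /index.html HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"},
		{21, "USER alice\r\nPASS placeholder-secret\r\n"},
		{110, "USER alice\r\nPASS placeholder-secret\r\n"},
		{25, "EHLO client.example.test\r\nAUTH LOGIN\r\n"},
		{443, "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"}, // start of a TLS ClientHello: opaque to the sniffer
	}
}

func main() {
	for _, f := range Scan(SampleCapture()) {
		fmt.Printf("%-5s %-60s -> %s\n", f.Protocol, f.Evidence, f.Fix)
	}
}
```

The port-443 packet is the answer to the exercise’s question: once the same login goes over HTTPS, the monitor (and the sniffer) sees only TLS records, so nothing is left to flag.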

Experiment 2

• Objective:

• Scan, detect, protect and attack computers on LANs

What you need:

• PC with Windows Server 2012 as host machine

• Windows Server 2008 running on a virtual machine as target machine

• Installed version of the WinPcap driver

• Double-click WinArpAttacker.exe

What to do

1. Launch the Windows Server 2008 virtual machine

2. Launch WinArpAttacker on the host machine

3. Click the Scan option on the toolbar menu and select Scan LAN. This scans for the active hosts on the LAN.

4. Select a victim host (the Windows Server 2008 machine) from the display list. Select Attack -> Flood. WinArpAttacker then acts as another gateway or IP forwarder, without other users on the LAN noticing, while spoofing their ARP tables.

5. All data sniffed by spoofing and forwarded by the WinArpAttacker IP-forward function is counted, as shown in the main interface. The BanGateway option tells the gateway wrong MAC addresses for the target computer, so the target can’t receive packets from the Internet.
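The attack in this experiment works by rewriting the IP-to-MAC bindings other hosts hold for the gateway and the victim, and the Flood option does so with a burst of replies. The defender’s counterpart is an ARP monitor that notices exactly those two symptoms. The Go program below is an added example for these notes, not part of the lab or of WinArpAttacker: it keeps the first binding it learns for each IP, alerts when a later reply disagrees (with a distinct “gateway-spoof” kind when the gateway address is affected), and alerts once per burst when one MAC sends more replies per second than a threshold. The gateway address, MACs, timings and the 10-replies-per-second limit are constructed for the example.

```go
package main

import "fmt"

// ArpReply is one observed ARP reply ("IP is-at MAC") taken from a capture.
type ArpReply struct {
	T   int    // milliseconds since the start of the capture
	IP  string // sender protocol address
	MAC string // sender hardware address
}

// Alert is raised when the ARP traffic looks like spoofing or flooding.
type Alert struct {
	Kind   string // "gateway-spoof", "ip-mac-change" or "arp-flood"
	Detail string
}

// Detector keeps the first IP-to-MAC binding it learns and treats any later
// disagreement as suspicious, the way a static ARP entry or an arpwatch-style
// monitor would. It also counts replies per MAC to catch floods.
type Detector struct {
	gateway  string
	limit    int               // replies per second tolerated from one MAC
	table    map[string]string // IP -> MAC first seen for it
	reported map[string]bool   // "ip|mac" pairs already alerted on, to avoid repeats
	window   map[string][]int  // MAC -> reply timestamps within the last second
	flooding map[string]bool   // MAC currently above the rate threshold
}

func NewDetector(gateway string, limit int) *Detector {
	return &Detector{
		gateway:  gateway,
		limit:    limit,
		table:    map[string]string{},
		reported: map[string]bool{},
		window:   map[string][]int{},
		flooding: map[string]bool{},
	}
}

// Observe feeds one reply into the detector and returns any alerts it raises.
func (d *Detector) Observe(r ArpReply) []Alert {
	var out []Alert
	// 1. Binding check: a known IP answering with a different MAC.
	if known, ok := d.table[r.IP]; !ok {
		d.table[r.IP] = r.MAC
	} else if known != r.MAC {
		key := r.IP + "|" + r.MAC
		if !d.reported[key] {
			d.reported[key] = true
			kind := "ip-mac-change"
			if r.IP == d.gateway {
				kind = "gateway-spoof" // traffic to the Internet would now pass the claimant
			}
			out = append(out, Alert{kind, fmt.Sprintf("%s was %s, now claimed by %s", r.IP, known, r.MAC)})
		}
	}
	// 2. Rate check: sliding one-second window of replies per sender MAC.
	w := append(d.window[r.MAC], r.T)
	drop := 0
	for drop < len(w) && w[drop] < r.T-1000 {
		drop++
	}
	w = w[drop:]
	d.window[r.MAC] = w
	if len(w) > d.limit {
		if !d.flooding[r.MAC] { // alert once per burst, not once per packet
			d.flooding[r.MAC] = true
			out = append(out, Alert{"arp-flood", fmt.Sprintf("%d replies from %s within 1 s", len(w), r.MAC)})
		}
	} else {
		d.flooding[r.MAC] = false
	}
	return out
}

// Analyse runs a whole capture through a fresh detector.
func Analyse(gateway string, limit int, replies []ArpReply) []Alert {
	d := NewDetector(gateway, limit)
	var out []Alert
	for _, r := range replies {
		out = append(out, d.Observe(r)...)
	}
	return out
}

// SampleArpCapture is constructed to mirror the exercise: a legitimate gateway
// and host, then a third MAC claiming both addresses and bursting replies.
func SampleArpCapture() []ArpReply {
	rs := []ArpReply{
		{0, "192.168.1.1", "aa:aa:aa:aa:aa:01"},
		{500, "192.168.1.10", "bb:bb:bb:bb:bb:10"},
		{1000, "192.168.1.1", "aa:aa:aa:aa:aa:01"},
		{2000, "192.168.1.1", "cc:cc:cc:cc:cc:99"},
		{2100, "192.168.1.10", "cc:cc:cc:cc:cc:99"},
	}
	for i := 0; i < 30; i++ { // 30 replies within 300 ms from the same MAC
		rs = append(rs, ArpReply{3000 + 10*i, "192.168.1.1", "cc:cc:cc:cc:cc:99"})
	}
	return rs
}

func main() {
	for _, a := range Analyse("192.168.1.1", 10, SampleArpCapture()) {
		fmt.Printf("%-14s %s\n", a.Kind, a.Detail)
	}
}
```

On a real network the same logic can be fed from a capture file or a live ARP feed, and the “first binding wins” rule can be replaced by a static list of gateway and server MACs, which is also what a static ARP entry on the victim enforces.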

Experiment 3

• Install Nessus

• Then use Nessus to scan your home network (or another appropriate network) and report the vulnerabilities discovered. You can use the standard policy defined in Nessus 4.2 or modify the policies as you like. Everyone should try this and may get different output from their own machines, so I expect this group exercise to produce reports from everyone (i.e., 4 to 5 reports depending on the size of the group).

Experiment 3

• There are two parts to the submission:

• Please include a cover page with the group name. Then, for each member, give the number of vulnerabilities found in three categories: high, medium and low. Here is an example:

John Smith
Number of vulnerabilities
Open ports: 21
High: 0
Medium: 4
Low: 44

Experiment 3

• For each member, you should have a summary page from the Nessus scan results which shows the list of vulnerabilities found. Please submit that page as a PDF or HTML file. You don't need to output the detailed report from Nessus.

• Please concatenate all the results into one file for submission if possible

Questions

• Describe the three main concerns with the use of passwords for authentication.

• Explain what is meant by a social engineering attack on a password.

• Explain how malicious software threats and attacks are broadly classified.

• Describe what a virus, worm, trojan horse, and spyware are.

Questions

• The Internet is, slowly, transitioning from the version of the TCP/IP protocol suite currently in use, IPv4, to a new version, IPv6. Unlike IPv4 IP addresses, which are 32 bits long (e.g., 192.168.10.1), IPv6 IP addresses are 128 bits long (e.g., 2001:1890:1112:0001:0000:0000:0000:0020).

• a. Consider random-scanning Internet worms. These worms spread by choosing a random IP address, connecting to any host answering to that address, and attempting to infect it. Is the random-scanning strategy feasible if the Internet switches from IPv4 to IPv6? Why or why not?

• b. On the IPv6 Internet, try to give three different ways that a worm, executing on a compromised computer, can discover IP addresses of other hosts to try to infect.