System Security - Gadjah Mada Universityte.ugm.ac.id/~wibirama/tif206/01/ch14/security-presentation.pdfSecurity Measure Levels Security must occur at four levels to be effective: Physical:

System SecuritySunu Wibirama

Wednesday, December 29, 2010

nowadays, we have a large amount of

security abuses


instead of klikbca.com, there is: kilkbca.com

PHISING


SOCIAL ENGINEERING / MASQUERADING


WEB DEFACEMENT

http://polri.go.id


http://polri.go.id

http://polri.go.id

Security: why it’s very important Internet is now part our everyday life Important data transfer through internet Some people choose to be a bad people, take benefit from the others Therefore: system security, particularly internet security, is very important

aspect to be studied, even for non-IT student. How to learn:

understand how important security is know how security is threaten if itʼs possible, know how to do security threat (but youʼre not supposed

to use it for any illegal usage in real-life) know how to solve always do any important transaction with careful consideration

Protect ourselves, be aware to security threats


Today’s Discussion

The Security Problem Program Threats System and Network Threats Cryptography as a Security Tool SSL Implementation Firewalling to Protect Systems and Networks Some demos


The Security Problem

Security must consider external environment of the system, and protect the system resources

Intruders (crackers) attempt to breach security Threat is potential security violation Attack is attempt to break security Attack can be accidental or malicious (intentional) Easier to protect against accidental than malicious misuse


Security Violations Categories

Breach of confidentiality : unauthorized reading of data (CC fraud) Breach of integrity : unauthorized modification of data Breach of availability : unauthorized destruction of data (defacement) Theft of service : unauthorized use of resource Denial of service : preventing legitimate use of system

Methods Masquerading (breach authentication) Replay attack (malicious repeat of valid data transmission)

Message modification (privilege escalation, asking username or password using email, sent by ʻfakeʼ administrator)

Man-in-the-middle attack (ex. session hijacking)


Standard Security Attacks


Security Measure Levels Security must occur at four levels to be effective:

Physical: securing the computer or terminal access Human

social engineering phishing (kilkbca.com case, imitate klikbca.com) dumpster diving (digging the thrashed data, phonebook, etc.)

Operating System protect the system from accidental security breaches Network : data travels over shared lines like the internet, wireless

connections, or dial-up lines. Data interception is as harmful as breaking into the computer


Program Threats Writing program to change the behavior of ʻprocessʼ Trojan Horse

Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed

by other users Spyware : stealing information from the target

Trap Door Created by the developer Specific user identifier or password that circumvents normal security

procedures Could be included in a compiler

Logic Bomb Program that initiates a security incident under certain circumstances

Stack and Buffer Overflow The most common security attack Exploits a bug in a program (overflow either the stack or memory buffers)


Stack or Buffer Overflow Find a bug in a program by examining the source code (vulnerability

searching) The attacker writes program to do the following:

Overflow an input field, command-line argument, or input buffer - for example on a network daemon until it writes into the stack

Overwrite the current return address on the stack with the address of the exploit code

Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute -- for instances: release a shell.

Result: executing shell using root privileges.


C Program with Buffer-overflow Condition#include <stdio.h>

#define BUFFER SIZE 10

int main(int argc, char *argv[])

{

char buffer[BUFFER SIZE];

if (argc < 2)

return -1;

else {

strcpy(buffer,argv[1]);

return 0;

}

}

What’s happened if I execute this program in linux?

Let see...


Program Aborted! (security protection)10 char

11 char


Layout of Typical Stack Frame


Modified Shell Code

#include <stdio.h>

int main(int argc, char *argv[])

{

execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL);

return 0;

}

Goal of buffer overflow:Replace the return address in the stack frame, so that it now points to the code segment containingthe attacking program

What program will be attacked/overflowed?The one that uses system-wide privileges (example: network-daemon, always run on rootprivilege

ModifiedShell-code


Hypothetical Stack Frame

Before attack After attack

./mybuff <modified shell code+NO_OP+address of modified shell code>


Program Threats (Cont.)

Viruses Self-replicating and infect other programs Code fragment embedded in legitimate program Very specific to CPU architecture, operating system, applications Usually borne via email or as a macro

Visual Basic Macro to reformat hard driveSub AutoOpen()

Dim oFS

Set oFS = CreateObject(’’Scripting.FileSystemObject’’)

vs = Shell(’’c:command.com /k format c:’’,vbHide)

End Sub


Program Threats (Cont.) Virus dropper inserts virus onto the system

Many categories of viruses, literally many thousands of viruses File Boot Macro Source code Polymorphic Encrypted Stealth Tunneling Multipartite Armored


System and Network Threats Program threat: use a breakdown in the protection mechanisms of a

system to attack a program System and network threats: involves the misuse of service and network

connections, ex.: network attack is used to launch program, or vice versa Worms – use spawn mechanism to attack system

Internet worm Exploited UNIX networking features (remote access) and bugs in finger

and sendmail programs Grappling hook program uploaded main worm program (see next picture)

Port scanning Automated attempt to connect to a range of ports on one or a range of IP

addresses (ex.: nmap or nessus)

Denial of Service Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once


The Morris Internet Worm


CryptographyWednesday, December 29, 2010

Cryptography as a Security Tool When a computer is connected in the network, it receives bits from wire

with no immediate way to know what machine or application sent those bits.

Security manner: From the sender side: the message can be sent to unintended

computer in the network. How to ʻprotectʼ the message sent across the network?

From the receiver side: the message / request can be sent with fake or falsified IP address of the sender. How to decide whether OS can grant request when it cannot trust the named source of request?

Broadest security tool available Source and destination of messages cannot be trusted without

cryptography Means to constrain potential senders (sources) and / or receivers

(destinations) of messages Based on secrets (keys):

Receiver can verify messages using keys Sender can encode messages, only certain computer with keys can

decode Wednesday, December 29, 2010

Encryption

From the sender perspective: constraining possible receiver Encryption algorithm consists of

Set of K keys Set of M Messages Set of C ciphertexts (encrypted messages) A function E : K → (M→C). That is, for each k ∈ K, E(k) is a function for

generating ciphertexts from messages Both E and E(k) for any k should be efficiently computable functions

A function D : K → (C → M). That is, for each k ∈ K, D(k) is a function for generating messages from ciphertexts Both D and D(k) for any k should be efficiently computable functions

Two kinds of encryption: symmetric and asymmetric Symmetric: same key is used to encrypt and decrypt, therefore

E(k) can be derived from D(k) and vice versa Asymmetric: different encryption and decryption key


Asymmetric Encryption

Public-key encryption based on each user having two keys: public key – published key used to encrypt data private key – key known only to individual user used to decrypt data

Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme Most common is RSA block cipher Efficient algorithm for testing whether or not a number is prime


Encryption and Decryption using RSA Asymmetric Cryptography

encryptionand decryptionkey is computedfrom defined algorithm

message: 69ciphered: 62 public key ke = k5, 91

private key kd = k29, 91

Modulus based algorithm7mod3 = 18mod3 = 29mod2 = ......?11mod4 = ..... ?


Cryptography (Cont.)

Note symmetric cryptography based on transformations, asymmetric based on mathematical functions Asymmetric much more compute intensive Typically not used for large data encryption Much faster to compute symmetric algorithm Only for small data, ex: authentication

Other examples: digital signature, SSL, etc. (*more, you can refer to page 644 in file: security-updated.pdf )

More about cryptography theory and its mathematical implementation, join “Teori Penyandian” course with Bu Sri Suning Kusumawardhani.


Encryption Example - SSL Insertion of cryptography at one layer of the ISO network model (the

transport layer)

SSL – Secure Socket Layer

Cryptographic protocol that limits two computers to only exchange messages with each other Very complicated, with many variations

Used between web servers and browsers for secure communication (credit card numbers transaction, email, etc)

The server is verified with a certificate assuring client is talking to correct server

Asymmetric cryptography used to establish a secure session key (symmetric encryption) for bulk of communication during session

Communication between each computer then uses symmetric key cryptography


Our email is secured using HTTPS (HTTP + SSL)


Firewalling to Protect Systems and Networks

A network firewall is placed between trusted and untrusted hosts The firewall limits network access between these two security

domains

Can be tunneled or spoofed Tunneling allows disallowed protocol to travel within allowed

protocol (i.e., telnet inside of HTTP) Firewall rules typically based on host name or IP address which

can be spoofed

Personal firewall is software layer on given host Can monitor / limit traffic to and from the host

Application proxy firewall understands application protocol and can control them (i.e., SMTP)

System-call firewall monitors all important system calls and apply rules to them (i.e., this program can execute that system call)


DEMO 1: TUNNELING

Some firewall block site that potentially harmful or take a large of bandwidth consumption

In this part, I will demonstrate you how to bypass firewall by tunneling. Note that this demonstration is for educational purpose only. I will not be responsible for any misuse of this demonstration.

In this tutorial, a blockage of firewall is represented by a blocking policy from our proxy server. Site blocked: http://wibirama.com (this is my blog, actually)


http://wibirama.com

http://wibirama.com

What is tunneling?

Tunneling (also called port forwarding) is a method to bypass a blocked/restricted TCP application connection through another allowed TCP application. Example: bypassing a blocked HTTP (port: 80) connection through SSH (port:22) connection (SSH = Secure Shell, similar as telnet but itʼs encrypted)

In this demonstration, a remote computer is used as a proxy to connect to http://wibirama.com. We use port 22 from our terminal to access remote computer, and use that computer to browse the internet


http://wibirama.com

http://wibirama.com

Scenario I will connect to remote machine : ilab.te.ugm.ac.id using SSH client

application. Normally, SSH application (port:22) is not blocked as itʼs usually only used by network administrator.

The remote machine acts like SSH server, with bind address: 127.0.0.1:1080

The browser in laptop accesses the targeted server (wibirama.com), but it firstly jumps to the remote machine.


DEMO 1: TUNNELING


DEMO 2: Sniffing using Wireshark Wireshark: network analyzer software for Windows, Linux, and Mac. You

can download it for free: http://wireshark.org/

It can ʻsniffʼ data and extract TCP stream, which is transferred between all connected clients and gateway server.

All data, including, username, password, your personal information, credit card number will be easily revealed if they are not encrypted

Wireless network is easy to be sniffed


http://wireshark.org

http://wireshark.org

DEMO 2: Sniffing FTP password


There are so many aspects in network security to be learned. If you want to find more, you

can do ‘googling’ by this keyword:

“Certified Ethical Hacker”


Thank You(*don’t forget to collect the

final assignment)


Documents

System Security - Gadjah Mada Universityte.ugm.ac.id/~wibirama/tif206/01/ch14/security-presentation.pdfSecurity Measure Levels Security must occur at four levels to be effective: Physical: