system security - gadjah mada...
TRANSCRIPT
WEB DEFACEMENT
http://polri.go.id
Wednesday, December 29, 2010
Security: why it’s very important Internet is now part our everyday life Important data transfer through internet Some people choose to be a bad people, take benefit from the others Therefore: system security, particularly internet security, is very important
aspect to be studied, even for non-IT student. How to learn:
understand how important security is know how security is threaten if itʼs possible, know how to do security threat (but youʼre not supposed
to use it for any illegal usage in real-life) know how to solve always do any important transaction with careful consideration
Protect ourselves, be aware to security threats
Wednesday, December 29, 2010
Today’s Discussion
The Security Problem Program Threats System and Network Threats Cryptography as a Security Tool SSL Implementation Firewalling to Protect Systems and Networks Some demos
Wednesday, December 29, 2010
The Security Problem
Security must consider external environment of the system, and protect the system resources
Intruders (crackers) attempt to breach security Threat is potential security violation Attack is attempt to break security Attack can be accidental or malicious (intentional) Easier to protect against accidental than malicious misuse
Wednesday, December 29, 2010
Security Violations Categories
Breach of confidentiality : unauthorized reading of data (CC fraud) Breach of integrity : unauthorized modification of data Breach of availability : unauthorized destruction of data (defacement) Theft of service : unauthorized use of resource Denial of service : preventing legitimate use of system
Methods Masquerading (breach authentication) Replay attack (malicious repeat of valid data transmission)
Message modification (privilege escalation, asking username or password using email, sent by ʻfakeʼ administrator)
Man-in-the-middle attack (ex. session hijacking)
Wednesday, December 29, 2010
Security Measure Levels Security must occur at four levels to be effective:
Physical: securing the computer or terminal access Human
social engineering phishing (kilkbca.com case, imitate klikbca.com) dumpster diving (digging the thrashed data, phonebook, etc.)
Operating System protect the system from accidental security breaches Network : data travels over shared lines like the internet, wireless
connections, or dial-up lines. Data interception is as harmful as breaking into the computer
Wednesday, December 29, 2010
Program Threats Writing program to change the behavior of ʻprocessʼ Trojan Horse
Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed
by other users Spyware : stealing information from the target
Trap Door Created by the developer Specific user identifier or password that circumvents normal security
procedures Could be included in a compiler
Logic Bomb Program that initiates a security incident under certain circumstances
Stack and Buffer Overflow The most common security attack Exploits a bug in a program (overflow either the stack or memory buffers)
Wednesday, December 29, 2010
Stack or Buffer Overflow Find a bug in a program by examining the source code (vulnerability
searching) The attacker writes program to do the following:
Overflow an input field, command-line argument, or input buffer - for example on a network daemon until it writes into the stack
Overwrite the current return address on the stack with the address of the exploit code
Write a simple set of code for the next space in the stack that includes the commands that the attacker wishes to execute -- for instances: release a shell.
Result: executing shell using root privileges.
Wednesday, December 29, 2010
C Program with Buffer-overflow Condition#include <stdio.h>
#define BUFFER SIZE 10
int main(int argc, char *argv[])
{
char buffer[BUFFER SIZE];
if (argc < 2)
return -1;
else {
strcpy(buffer,argv[1]);
return 0;
}
}
What’s happened if I execute this program in linux?
Let see...
Wednesday, December 29, 2010
Modified Shell Code
#include <stdio.h>
int main(int argc, char *argv[])
{
execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL);
return 0;
}
Goal of buffer overflow:Replace the return address in the stack frame, so that it now points to the code segment containingthe attacking program
What program will be attacked/overflowed?The one that uses system-wide privileges (example: network-daemon, always run on rootprivilege
ModifiedShell-code
Wednesday, December 29, 2010
Hypothetical Stack Frame
Before attack After attack
./mybuff <modified shell code+NO_OP+address of modified shell code>
Wednesday, December 29, 2010
Program Threats (Cont.)
Viruses Self-replicating and infect other programs Code fragment embedded in legitimate program Very specific to CPU architecture, operating system, applications Usually borne via email or as a macro
Visual Basic Macro to reformat hard driveSub AutoOpen()
Dim oFS
Set oFS = CreateObject(’’Scripting.FileSystemObject’’)
vs = Shell(’’c:command.com /k format c:’’,vbHide)
End Sub
Wednesday, December 29, 2010
Program Threats (Cont.) Virus dropper inserts virus onto the system
Many categories of viruses, literally many thousands of viruses File Boot Macro Source code Polymorphic Encrypted Stealth Tunneling Multipartite Armored
Wednesday, December 29, 2010
System and Network Threats Program threat: use a breakdown in the protection mechanisms of a
system to attack a program System and network threats: involves the misuse of service and network
connections, ex.: network attack is used to launch program, or vice versa Worms – use spawn mechanism to attack system
Internet worm Exploited UNIX networking features (remote access) and bugs in finger
and sendmail programs Grappling hook program uploaded main worm program (see next picture)
Port scanning Automated attempt to connect to a range of ports on one or a range of IP
addresses (ex.: nmap or nessus)
Denial of Service Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once
Wednesday, December 29, 2010
Cryptography as a Security Tool When a computer is connected in the network, it receives bits from wire
with no immediate way to know what machine or application sent those bits.
Security manner: From the sender side: the message can be sent to unintended
computer in the network. How to ʻprotectʼ the message sent across the network?
From the receiver side: the message / request can be sent with fake or falsified IP address of the sender. How to decide whether OS can grant request when it cannot trust the named source of request?
Broadest security tool available Source and destination of messages cannot be trusted without
cryptography Means to constrain potential senders (sources) and / or receivers
(destinations) of messages Based on secrets (keys):
Receiver can verify messages using keys Sender can encode messages, only certain computer with keys can
decode Wednesday, December 29, 2010
Encryption
From the sender perspective: constraining possible receiver Encryption algorithm consists of
Set of K keys Set of M Messages Set of C ciphertexts (encrypted messages) A function E : K → (M→C). That is, for each k ∈ K, E(k) is a function for
generating ciphertexts from messages Both E and E(k) for any k should be efficiently computable functions
A function D : K → (C → M). That is, for each k ∈ K, D(k) is a function for generating messages from ciphertexts Both D and D(k) for any k should be efficiently computable functions
Two kinds of encryption: symmetric and asymmetric Symmetric: same key is used to encrypt and decrypt, therefore
E(k) can be derived from D(k) and vice versa Asymmetric: different encryption and decryption key
Wednesday, December 29, 2010
Asymmetric Encryption
Public-key encryption based on each user having two keys: public key – published key used to encrypt data private key – key known only to individual user used to decrypt data
Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme Most common is RSA block cipher Efficient algorithm for testing whether or not a number is prime
Wednesday, December 29, 2010
Encryption and Decryption using RSA Asymmetric Cryptography
encryptionand decryptionkey is computedfrom defined algorithm
message: 69ciphered: 62 public key ke = k5, 91
private key kd = k29, 91
Modulus based algorithm7mod3 = 18mod3 = 29mod2 = ......?11mod4 = ..... ?
Wednesday, December 29, 2010
Cryptography (Cont.)
Note symmetric cryptography based on transformations, asymmetric based on mathematical functions Asymmetric much more compute intensive Typically not used for large data encryption Much faster to compute symmetric algorithm Only for small data, ex: authentication
Other examples: digital signature, SSL, etc. (*more, you can refer to page 644 in file: security-updated.pdf )
More about cryptography theory and its mathematical implementation, join “Teori Penyandian” course with Bu Sri Suning Kusumawardhani.
Wednesday, December 29, 2010
Encryption Example - SSL Insertion of cryptography at one layer of the ISO network model (the
transport layer)
SSL – Secure Socket Layer
Cryptographic protocol that limits two computers to only exchange messages with each other Very complicated, with many variations
Used between web servers and browsers for secure communication (credit card numbers transaction, email, etc)
The server is verified with a certificate assuring client is talking to correct server
Asymmetric cryptography used to establish a secure session key (symmetric encryption) for bulk of communication during session
Communication between each computer then uses symmetric key cryptography
Wednesday, December 29, 2010
Firewalling to Protect Systems and Networks
A network firewall is placed between trusted and untrusted hosts The firewall limits network access between these two security
domains
Can be tunneled or spoofed Tunneling allows disallowed protocol to travel within allowed
protocol (i.e., telnet inside of HTTP) Firewall rules typically based on host name or IP address which
can be spoofed
Personal firewall is software layer on given host Can monitor / limit traffic to and from the host
Application proxy firewall understands application protocol and can control them (i.e., SMTP)
System-call firewall monitors all important system calls and apply rules to them (i.e., this program can execute that system call)
Wednesday, December 29, 2010
DEMO 1: TUNNELING
Some firewall block site that potentially harmful or take a large of bandwidth consumption
In this part, I will demonstrate you how to bypass firewall by tunneling. Note that this demonstration is for educational purpose only. I will not be responsible for any misuse of this demonstration.
In this tutorial, a blockage of firewall is represented by a blocking policy from our proxy server. Site blocked: http://wibirama.com (this is my blog, actually)
Wednesday, December 29, 2010
What is tunneling?
Tunneling (also called port forwarding) is a method to bypass a blocked/restricted TCP application connection through another allowed TCP application. Example: bypassing a blocked HTTP (port: 80) connection through SSH (port:22) connection (SSH = Secure Shell, similar as telnet but itʼs encrypted)
In this demonstration, a remote computer is used as a proxy to connect to http://wibirama.com. We use port 22 from our terminal to access remote computer, and use that computer to browse the internet
Wednesday, December 29, 2010
Scenario I will connect to remote machine : ilab.te.ugm.ac.id using SSH client
application. Normally, SSH application (port:22) is not blocked as itʼs usually only used by network administrator.
The remote machine acts like SSH server, with bind address: 127.0.0.1:1080
The browser in laptop accesses the targeted server (wibirama.com), but it firstly jumps to the remote machine.
Wednesday, December 29, 2010
DEMO 2: Sniffing using Wireshark Wireshark: network analyzer software for Windows, Linux, and Mac. You
can download it for free: http://wireshark.org/
It can ʻsniffʼ data and extract TCP stream, which is transferred between all connected clients and gateway server.
All data, including, username, password, your personal information, credit card number will be easily revealed if they are not encrypted
Wireless network is easy to be sniffed
Wednesday, December 29, 2010
There are so many aspects in network security to be learned. If you want to find more, you
can do ‘googling’ by this keyword:
“Certified Ethical Hacker”
Wednesday, December 29, 2010