Introduction to ICT security - polito.it (security.polito.it/~lioy/02krq/intro_en_3x.pdf)


Introduction to ICT security (intro - oct'17)

© Antonio Lioy - Politecnico di Torino (2005-2017)

Introduction to the security of ICT systems

Antonio Lioy

< lioy @ polito.it >

Politecnico di Torino

Dip. Automatica e Informatica

Agenda

introduction to information security:

evolution of ICT systems and the security problem

problems and vocabulary of ICT security

technological attacks (sniffing, spoofing, …)

non-technological attacks (social engineering)

Why security is “hot” today?


Traditional paradigms

centralised information and processing

access to data from “dumb” terminals

“unicast” communication over dedicated lines

[figure: terminals → concentrator → EDP center]

New paradigms

distributed information and processing

access from distributed intelligent terminals

“broadcast” communication and/or shared lines

new application paradigms (web, SMS, …)

[figure: LAN / WAN]

Technology as innovation engine

[figure: INNOVATION driven by the communication network, personal devices (PC, tablet, …) and security]


A definition of ICT security

It is the set of products, services, organization rules and individual behaviours that protect the ICT system of a company.

It has the duty to protect the resources from undesired access, guarantee the privacy of information, and ensure service operation and availability in case of unpredictable events (C.I.A. = Confidentiality, Integrity, Availability).

The objective is to guard the information with the same professionalism and attention as for the jewels and deposit certificates stored in a bank vault.

The ICT system is the safe of our most valuable information; ICT security is the equivalent of the locks, combinations and keys required to protect it.

Risk estimation

[figure: an ASSET (service, ICT resources, human resources, location, data) is exposed to EVENTS; the asset's vulnerabilities and the threats against it determine, for each event, its probability and its impact, from which the risk is estimated]

Terms

ASSET = the set of goods, data and people needed for an IT service

VULNERABILITY = weakness of an asset

e.g. password equal to the login name; susceptible to flooding

THREAT = deliberate action / accidental event that can produce the loss of a security property exploiting a vulnerability

ATTACK = threat occurrence (deliberate action)

(NEGATIVE) EVENT = threat occurrence (accidental event)


Analysis and management of security

[figure: an analysis loop (asset → vulnerabilities, threats → risks) feeding a management loop (select countermeasures → implement countermeasures → audit)]

Security in the lifecycle of a system

[figure: the lifecycle phases of a system (requirements analysis, design, develop / implement, test, live system) with the security activities placed alongside them: risk assessment, technical options, identify security products, design security services, integrate security, set-up security, test security, manage security, all governed by the security policy & procedures]

Relations in the security field

[figure: the relations among threats, vulnerabilities, assets, asset values and potential impacts, security risks, security requirements and security controls; edge labels: exploit, reduce, devalue, underwrite]


Window of exposure

[figure: risk as a function of time t; the window of exposure spans the discovery, publication and protection phases, and the exploit (!) appears inside it]

new vulnerability discovered

vulnerability is made public

vendor informed of vulnerability

vendor notifies its customers (sometimes)

security tools updated (e.g. IDS signatures)

a patch is published

patch is widely known

patch installed

State of the art: new attacks (malware)

WOE: average value for browser 2008-10

http://www.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=browser_window_of_exposure


WOE: web servers (2010)

What is security?

Security is a process, not a product

(Bruce Schneier, Crypto-Gram, May 2005)

Computer Security: Will We Ever Learn?

If we've learned anything from the past couple of years, it’s that computer security flaws are inevitable. Systems break, vulnerabilities are reported in the press, and still many people put their faith in the next product, or the next upgrade, or the next patch. “This time it’s secure,” they say. So far, it hasn’t been.

Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.

European Central Bank

ECB Recommendations for the security of Internet payments (31/1/2013)

application to:

payment schemes governance authorities

payment service providers (PSP)

merchants (optional)

main recommendations:

protect the initiation of Internet payments, as well as access to sensitive payment data, by strong customer authentication


limit the number of log-in or authentication attempts, define rules for Internet payment services session “time out” and set time limits for the validity of authentication

establish transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions

implement multiple layers of security defences in order to mitigate identified risks

provide assistance and guidance to customers about best online security practices, set up alerts and provide tools to help customers monitor transactions
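The attempt limit, session time-out and authentication validity limit recommended above, as one small policy class. This is an added example, not code from the slides or from the ECB document; the class names, thresholds and the salted PBKDF2 password storage are my own assumptions, and the clock is injected so the policy can be exercised without waiting.

```python
"""Authentication policy implementing three of the ECB recommendations:
a cap on failed log-in attempts, a session "time out" on inactivity and a
hard limit on the validity of an authentication.  Hypothetical names and
default values; the clock is injected so the policy can be tested offline."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Policy:
    max_attempts: int = 5        # consecutive failures before lock-out
    lockout_seconds: int = 900   # how long the account stays locked
    idle_timeout: int = 300      # session "time out" after inactivity
    max_session_age: int = 3600  # validity limit of one authentication


@dataclass
class Account:
    salt: bytes
    pwd_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class AuthService:
    def __init__(self, policy: Policy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(pwd: str, salt: bytes) -> bytes:
        # salted PBKDF2: the account store never holds passwords in clear
        return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)

    def register(self, user: str, pwd: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(pwd, salt))

    def login(self, user: str, pwd: str) -> Optional[str]:
        """Return a session id on success, None on failure or lock-out."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None or now < acct.locked_until:
            return None  # unknown user, or account currently locked
        if not hmac.compare_digest(acct.pwd_hash, self._hash(pwd, acct.salt)):
            acct.failures += 1
            if acct.failures >= self.policy.max_attempts:
                acct.locked_until = now + self.policy.lockout_seconds
                acct.failures = 0
            return None
        acct.failures = 0
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now)
        return sid

    def check_session(self, sid: str) -> Optional[str]:
        """Return the user bound to a live session, None if unknown or expired.
        Both the idle time-out and the absolute validity limit are enforced."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if (now - s.last_seen > self.policy.idle_timeout
                or now - s.created > self.policy.max_session_age):
            del self.sessions[sid]  # expired: the user must authenticate again
            return None
        s.last_seen = now
        return s.user
```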

(abstract) security properties

authentication (simple / mutual)

peer authentication

data / origin authentication

authorization, access control

integrity

confidentiality, privacy, secrecy

non repudiation

availability

accountability

Peer authentication (single)

[cartoon] Barbara: “Hi, I'm Alice” / peer: “Prove it!”


Peer authentication (mutual)

[cartoon] Barbara and “Steal & Rob Ltd.”: Barbara: “Is that my e-bank?” / Steal & Rob Ltd.: “Sure! How can you doubt?” / Barbara: “Hi, I'm Barbara” / Steal & Rob Ltd.: “Hi Barbara, nice to meet you!”

Data authentication

Increase by 30% the salary of Prof. Lioy

The Dean

Non repudiation

formal proof – acceptable by a court of justice – that gives undeniable evidence of the data creator

several facets:

(sender/author) authentication

integrity

(sender/author) identification

. . .


Non repudiation - example

let’s consider non-repudiation of an electronic signature:

syntax (is that your signature?)

semantics (did you understand what you were signing?)

will (have you signed voluntarily?)

identification (was really YOU the signer?)

time (when did you sign?)

place (where did you sign?)

Authorization (access control)

[cartoon] Barbara: “Gimme Alice's car!” / peer: “Did she authorize you to borrow it?”

Pyramid of security

[figure: a pyramid whose layers are authentication, authorization, privacy, integrity and log, with $$$ at the top; the slide shows it twice]


Privacy (communication)

Do you know that Laura is NOT a natural blonde?

What a shame!

Laura

Bloody *?%$#”!

Privacy (data, actions, position)

black_money.xls

www.playboy.com

Torino, cell 2455

Integrity (data modification)

[figure: “Pay 1,000 Euro to Antonio Lioy” is sent across the computer network and arrives as “Pay 10,000 Euro to Antonio Lioy”]


Integrity (data filtering)

[figure: two messages cross the computer network, “Transfer 2500 Euro from Antonio Lioy's account to the Rolex's one” and “Pay 1,000 EURO to Antonio Lioy.”; data filtering lets an attacker selectively drop one of them]

Replay attack

[figure: “Pay 1,000 EURO to Antonio Lioy.” is sent once across the computer network but is delivered twice: “Pay 1,000 EURO to Antonio Lioy. Pay 1,000 EURO to Antonio Lioy.”]

Where is the enemy?

outside our organization → boundary / perimeter defence (firewall)

outside our organization, with the exception of our partners → Extranet protection (VPN)

inside our organization → LAN / Intranet protection (?!)

everywhere! → application-level protection, data protection


Attack origin (2016)

percentage of external / internal attacks:

internal 20%

external 80%

note: biased statistics due to the type of survey; the CSI/FBI one (last published in 2011) had more internal attacks

(from Verizon Data Breach Investigation Report 2016)

Temporal evolution of the main attacks listed in the annual CSI/FBI survey

[chart]

Scoop of a Global Post reporter in the town between Pakistan and Afghanistan

US PCs sold at the Peshàwar market. Computers of the US army with restricted data sold for 650$ along the road where NATO troops are attacked by the Taliban. … Still full of classified information, such as names, sites and weak points. (corriere.it, 9/2/09)

Stolen laptop / smartphone

not only an economic loss to replace the stolen device …

but also the loss of data that become unavailable (backup?) …

or the spreading of restricted information


Insecurity: the deep roots (I)

“Attack technology is developing in an open-source environment and is evolving rapidly”

“Defensive strategies are reactionary”

“Thousands - perhaps millions - of systems with weak security are connected to the Internet”

“The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrators … has decreased dramatically in the last 5 years”

Insecurity: the deep roots (II)

“Increasingly complex sw is being written by programmers who have no training in writing secure code”

“Attacks and attack tools transcend geography and national boundaries”

“The difficulty of criminal investigation of cybercrime coupled with the complexity of international law means that … prosecution of computer crime is unlikely”

from “Roadmap for defeating DDOS attacks” (Feb. 2000, after the Clinton meeting at the White House); updates on www.sans.org/dosstep/roadmap.php

Basic problems (technological)

the networks are insecure:

(most) communications are made in clear

LANs operate in broadcast

geographical connections are NOT made through end-to-end dedicated lines but:

through shared lines

through third-party routers

weak user authentication (normally password-based)

there is no server authentication

the software contains many bugs!


Some classes of attacks

IP spoofing / shadow server: someone takes the place of a (legitimate) host

packet sniffing: passwords and/or sensitive data are read by (unauthorized) third parties

connection hijacking / data spoofing: data inserted / modified during their transmission

denial-of-service (distributed DoS): the functionality of a service is limited or disrupted (e.g. ping bombing)

IP spoofing (masquerading)

forging the source network address

typically the level 3 (IP) address is forged, but it is equally easy to forge the level 2 address (e.g. ETH, TR, ...)

a better name would be source address spoofing

attacks:

data forging

(unauthorized) access to systems

countermeasures:

NEVER use address-based authentication

Packet sniffing (eavesdropping)

reading the packets addressed to another network node

easy to do in broadcast networks (e.g. LAN) or at the switching nodes (e.g. router, switch)

attacks:

allows the interception of anything (passwords, data, ...)

countermeasure:

non-broadcast networks (!?)

encryption of packet payload


Denial-of-service (DoS)

keeping a host busy so that it can’t provide its services

examples:

mail / log saturation

ping flooding (“ping bombing”)

SYN attack

attacks:

block the use of a system / service

countermeasures:

none!

monitoring and oversizing can mitigate the effects
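Monitoring is the one countermeasure the slide offers, so here is what it looks like in code: a small monitor that scans flow records for the two DoS patterns named above, a SYN attack (many half-open connections towards one service from sources that never complete the handshake) and ping flooding (a burst of ICMP echo requests at one host). This is an added example, not code from the slides; the record format, the thresholds and the constructed trace are my own assumptions.

```python
"""Flow-record monitor for SYN floods and ping floods.  Hypothetical record
format 'time proto src dst dport flags'; thresholds are for the constructed
trace below, real baselines come from the monitored network."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    t: float     # seconds since start of capture
    proto: str   # "tcp" or "icmp"
    src: str
    dst: str
    dport: int   # 0 for icmp
    flags: str   # tcp: "S" (SYN), "A" (ACK); icmp: "echo"


def parse_line(line: str) -> Flow:
    """One record per line: 'time proto src dst dport flags'."""
    t, proto, src, dst, dport, flags = line.split()
    return Flow(float(t), proto, src, dst, int(dport), flags)


def half_open_syns(flows: List[Flow], window: float = 1.0,
                   threshold: int = 100) -> Dict[Tuple[str, int, int], int]:
    """Count, per (dst, dport, time bucket), the SYNs whose source never sends
    an ACK to that service anywhere in the trace, and return the buckets where
    the count exceeds the threshold.  Spoofed sources never ACK, which is what
    separates a SYN flood from a burst of legitimate clients."""
    completed: Set[Tuple[str, str, int]] = {
        (f.src, f.dst, f.dport) for f in flows
        if f.proto == "tcp" and f.flags == "A"}
    counts: Dict[Tuple[str, int, int], int] = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S" \
                and (f.src, f.dst, f.dport) not in completed:
            counts[(f.dst, f.dport, int(f.t // window))] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def ping_flood(flows: List[Flow], window: float = 1.0,
               threshold: int = 200) -> Dict[Tuple[str, int], int]:
    """Return the (dst, time bucket) pairs that receive more echo requests
    per window than the threshold."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        if f.proto == "icmp" and f.flags == "echo":
            counts[(f.dst, int(f.t // window))] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def constructed_trace() -> List[Flow]:
    """Constructed sample: ten legitimate handshakes to 192.0.2.10:80, then a
    SYN flood from spoofed sources against the same service during second 2,
    then a ping flood against 192.0.2.20 during second 3."""
    lines = []
    for i in range(10):
        lines.append(f"{i * 0.1:.2f} tcp 10.0.0.{i + 1} 192.0.2.10 80 S")
        lines.append(f"{i * 0.1 + 0.05:.2f} tcp 10.0.0.{i + 1} 192.0.2.10 80 A")
    for i in range(150):
        lines.append(f"{2.0 + i * 0.005:.3f} tcp 203.0.113.{i + 1} 192.0.2.10 80 S")
    for i in range(300):
        lines.append(f"{3.0 + i * 0.003:.3f} icmp 203.0.113.{i % 250 + 1} 192.0.2.20 0 echo")
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    trace = constructed_trace()
    print("SYN flood buckets:", half_open_syns(trace))
    print("ping flood buckets:", ping_flood(trace))
```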

Distributed denial-of-service (DDOS)

software for DoS installed on many nodes (named daemon, zombie or malbot) to create a Botnet

daemons remotely controlled by a master

C&C (command & control) infrastructure

C/S or P2P communications

encrypted or "covert" channels (e.g. UDP over ICMP)

auto-update capability

effect of the base DoS attack multiplied by the number of daemons

DDoS attack

[figure: the attacker controls several masters, each master controls many daemons, and the daemons attack the VICTIM]

DDoS: improving the attack

use a "reflector"

to hide the attacker's tracks

to multiply the attackers (e.g. smurfing, fraggle)

use an amplification factor N:1

depends on the attack protocol used; the attacker looks for a reflector server with |response| >> |request|

easy with datagram (e.g. ICMP, UDP) but possible also with stream under certain conditions (e.g. self-attack HTTP)

e.g. typical DNS amplification 70:1 but NTP amplification 20-200:1

Feb 8th 2000, 10.30am (PST) @ Yahoo Server Farm

“the initial flood of packets, which we later realized was in excess of 1G bits/sec, took down one of our routers …”

“… after the router recovered we lost all routing to our upstream ISP …”

“… it was somewhat difficult to tell what was going on, but at the very least we noticed lots of ICMP traffic …”

“… at 1.30pm we got basic routing back up and then realized that we were under a DDoS attack”

http://packetstorm.decepticons.org/distributed/yahoo.txt

The lawyer said ...

“There is a distinct probability that if your site has been hijacked for a denial of service attack, then you could be liable for damages. I would definitely advise clients they have grounds to sue.”

Nick Lockett, e-commerce lawyer at Sidley & Austin

“Be Secure or Be Sued”, Silicon.com, 16 Nov 2000

http://www.silicon.com/a40900

DDoS towards "Krebs on security" blog

27 September 2016

665 Gbps

botnet of IoT devices (or claiming to be such)

no use of reflectors or amplification factors, just millions of devices performing perfectly valid requests

blog protected by Akamai, but on 27/9 it gave up (the attack was twice the traffic it could sustain) and decided to make the blog unreachable

unknown reason for the attack (perhaps connected to Krebs' analysis of similar attacks against on-line game servers)

Shadow server

host that manages to show itself (to victims) as a service provider without having the right to do so

requires address spoofing and packet sniffing

shadow server must be faster than the real one, or the real one must be unable to respond (due to a failure or because it is under attack, e.g. DoS)

attacks:

issue wrong answers, thus providing a “wrong” service to victims instead of the real one

capture victim’s data provided to the wrong service

countermeasures:

server authentication

Connection hijacking / MITM

also named data spoofing

attacker takes control of a communication channel to insert, delete, or manipulate the traffic

logical or physical MITM (Man In The Middle)

attacks:

reading, insertion of false data, deletion or modification of data exchanged between two parties

countermeasure:

authentication, integrity and serialization of each single network packet


Trojan / MITB

Trojan (horse)

MITB = man-in-the-browser

network channels more protected …

… but user terminals less protected

Smartphone, smart-TV, …

IoT (Internet-of-Things)

"ignorant" users

classic attack tools (e.g. keylogger as part of a game) and modern ones (e.g. browser extension)

Zeus

also known as Zbot

currently a major malware + botnet

discovered (born?) in 2007, sold (?) in 2010

can be used:

directly (e.g. MITB for keylogging or form grabbing)

indirectly, to load other malware (e.g. the CryptoLocker ransomware)

very difficult to discover and remove

hides itself with stealth techniques

about 3.6 M active copies just in the USA

Software bug

even the best software (either off-the-shelf or custom) contains bugs that can be used for various aims

easiest exploit: DoS

example: WinNT server (3.51, 4.0)

telnet to TCP port 135

send 10 random characters, then CR

server unavailable! (CPU load at 100% even though no useful work is done)

solution: install SP3

Some typical application-level problems

buffer overflow

allows the execution of arbitrary code injected through a specially crafted input

store sensitive information in the cookies

readable by third parties (in transit or locally on the client)

store passwords in clear in a DB

readable by third parties (e.g. backup operator)

“invent” a protection system

risk of inadequate protection

Virus & Co. (malware)

virus

damages the target and replicates itself

propagated by humans (involuntarily)

worm

damages the target because it replicates itself (resource saturation)

automatic propagation

Trojan (horse) = malware vector

backdoor = unauthorized access point

rootkit = privileged access tools, hidden (modified program, library, driver, kernel module, hypervisor) and stealth

Virus and worm (malware)

requires complicity (may be involuntary) from:

the user (gratis, free, urgent, important, …)

the sys manager (wrong configuration)

the producer (automatic execution, trusted, …)

countermeasures:

user awareness

correct configuration / secure sw

install antivirus (and keep updated!)


Malware food chain

[figure: a business opportunity (a vulnerability) feeds the vulnerability marketplace and the malicious code / malware toolkit market, then the malware distributors (spam, web, …), and finally reaches the VICTIM; a “hall of fame” of malware stands alongside]

Zeus

source: http://en.wikipedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg


Ransomware

ransomware = malware oriented to get a ransom

on desktop and laptop (disk content made unreadable) …

… but also for tablet and smartphone (made unusable)

unblocked (not always) after paying a certain amount of money

Ransomware-as-a-service

TOX malware (server in the TOR anonymous network)

asks for the ransom and handles the payment (with a 20% service fee)

the "customer" has only the task of distributing it to the victims

fast growth (1000 customers/week, 100 infections/hour)

Ransomware: not only technology but also procedures and organization

encrypted data? no problem, I have a backup!

how old is the backup?

the case of the TV archive …

off-line or network backup?

the case of the digital dentist …

verified or "trusted" backup?

the silent ransomware …

Technology and human beings

http://jklossner.com/computerworld/images/security26.gif

Basic problems (non technological)

low problem understanding (awareness)

mistakes of human beings (especially when overloaded, stressed, …)

human beings have a natural tendency to trust

complex interfaces / architectures can mislead the user and originate erroneous behaviours

performance decrease due to the application of security measures


Social engineering

relies on the (involuntary) participation of the user in the attack

usually naive users are targeted (e.g. “change your password immediately to the following one, because your PC is under attack”) ...

… but experienced users are targeted too (e.g. by copying an authentic mail but changing its attachment or URL)

via mail, phone or even paper

Social engineering: examples

phishing (~ fishing):

“dear Internet banking user, please fill in the attached module and return it to us ASAP according to the privacy law 675 …”

psychological pressure:

“help me, otherwise I'll be in trouble …”

“do it, or I'll report it to your boss …”

showing acquaintance with the company's procedures, habits and personnel helps in gaining trust and makes the target lower their defences

Fake mail / IM

it's easy to create false mail messages

… but it's difficult to use the correct tone

… it's better to use the original mail with a different attachment

… but also to create false SMS or IM

false cash withdrawal warning

false kidnapping alarm!


(Repubblica, 30/9/2017)

Mr. Confindustria in Brussels defrauded by a hacker: 500 thousand euro lost. Fired.

"Move half a million to this foreign account right away". But the mail came from a hacker. And the money is gone. The fake order signed by director Panucci: "Do it and don't call me, I'm out with the president".

A mail from CIA …

From: [email protected]
Date: Tue, 22 Nov 2005 17:51:14 UTC
X-Original-Message-ID: <[email protected]>
Subject: You_visit_illegal_websites

Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

the attachment is the SOBER worm!

Phishing

using mail or IM to attract a network service user to a fake server (shadow server) for:

acquiring her authentication credentials or other personal information

persuading her to install a plugin or extension which actually is a virus or a Trojan

specialized variants:

spear phishing (include several personal data to disguise the fake message as a good one, e.g. mail address, name of Dept/Office, phone no.)

whaling (targeted to VIP such as CEO or CIO, e.g. the 20,000 hit on April 08 that then installed a Trojan related to the servers of Piradius)

Pharming

term of controversial use

set of several techniques to re-direct a user towards a shadow server

changing the "hosts" file at the client

changing the nameserver pointers at the client

changing the nameservers at a DHCP server (e.g. an ADSL / wireless router)

poisoning the cache of a nameserver

via:

direct attack (vulnerability or misconfiguration)

indirect attack (virus or worm)

Social engineering techniques

(74%) solicitation / bribery

(44%) pretexting

(16%) counterfeiting / forgery

(11%) *ing

(4%) hoax / scam

(4%) influence tactics

(3%) extortion / blackmail

Note: percentage of use in social engineering attacks according to the Verizon/USSS 2011 survey.


Social engineering channels

(78%) in-person

(14%) documents

(10%) e-mail

(6%) web / Internet

(5%) phone

(4%) SMS / texting

Note: percentage of use in social engineering attacks according to the Verizon/USSS 2011 survey

new techniques are under development for the future …

Report Verizon DBIR 2014

nine main categories:

POS (point-of-sale) intrusions

web app attacks

insider and privilege misuse

physical theft and loss

miscellaneous errors

crimeware

payment card skimmers

DoS attacks

cyber-espionage

http://www.verizonenterprise.com/DBIR/2014/

Report Verizon DBIR 2014

incident

a security event that compromises the integrity, confidentiality, or availability of an information asset

(data) breach

an incident that results in the disclosure or potential exposure of data

(data) disclosure

a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party


Report Verizon DBIR 2014 (fig.16)

Report Verizon DBIR 2016: DDoS attacks

year   bandwidth (average)   packets (average)
2011   4.7 Gbps              0.4 Mpps
2012   7.0 Gbps              2.6 Mpps
2013   10.0 Gbps             7.8 Mpps
2014   15-59 Gbps            3-15 Mpps
2015   5.5 Gbps              1.9 Mpps

T.J.Maxx attack (2007)

45 M credit/debit card numbers stolen

in a period of 18 months (up to January 2007)

a 10 M USD legal class action started by 300 banks (e.g. Massachusetts Bankers Association, Maine and Connecticut Associated Banks)

attack succeeded due to the use of WEP rather than WPA

attack performed by 10 people (3 USA, 3 UKR, 2 CHN, 1 BEL, 1 EST + "Delpiero")

one ex-cracker hired by the US secret service

blog.wired.com/27bstroke6/2008/08/11-charged-in-m.html

www.wired.com/politics/law/news/2007/06/secret_service

Phishing via Transformers3 (apr 2010)

Andersen Air Force Base (Guam island)

ORE (Operational Readiness Exercise)

phishing message

“the movie Transformers-3 will be filmed on Guam”

“looking for 20 airmen to be part of the movie”

application required disclosing sensitive information

event leaked on the web because one airman disclosed it on a Transformers fans' blog

journalists called to confirm movie location

www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html

Stuxnet (2010)

prototype of a new kind of attack

worm + virus for Windows

attempt to propagate to other systems

attempt to damage the SCADA systems (of a specific manufacturer) attached to the infected nodes

malware for cyberphysical systems

attack and propagation vectors:

1 known vulnerability (patch available)

1 known vulnerability (no patch)

2 “zero-day” vulnerabilities

Stuxnet: timing and location

17/6/10 first encounter

24/6/10 use of a digital signature certificate noted

revoked on 17/7/10

… then a second certificate appears!

14-15-16/7/10 security advisories by CERT and MS

gradual release of various patches until October '10

stopped propagating itself on 24/6/2012

geographic location:

52% Iran

17% Indonesia

11% India


Stuxnet: mechanisms

distribution and propagation:

USB key

shared disks (network share)

MS-RPC and MS-spool bugs

likely first infection vector: a USB key of a maintenance technician

disguised as a driver

with a digital signature validated by Microsoft!!!

uses two different certificates

access from the infected node to the back-end DB thanks to a default password shared by every node

Stuxnet: lessons learnt

systems protected with physical separation (air gap) ... but without other standard protections:

no anti-virus

no patch

no firewall

unnecessary services active:

MS-RPC

shared network print queues

shared network disks

validation list for software to be installed
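The two Stuxnet slides above (a driver accepted because its publisher certificate was valid, then revoked; the missing validation list for software to be installed) can be turned into a concrete install-time check. The following is an added example, not code from the lecture or from any real product: it models a validation list of approved SHA-256 hashes next to a weaker publisher-trust rule, and shows why the hash list holds up when a publisher's signing key is abused. Assumptions: the `signer` field is taken as already verified by the platform loader (no real signature or certificate-chain verification is performed here), and all file contents, publisher names and the revocation set are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Added example: software validation list with a publisher-trust fallback.
# Artifacts, publisher names and revocation data below are constructed.


@dataclass(frozen=True)
class Artifact:
    name: str
    content: bytes          # bytes of the installer/driver as read from disk
    signer: Optional[str]   # subject of the code-signing certificate, None if unsigned
                            # (assumed already verified by the platform loader)


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an approved file."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample files standing in for real drivers/installers.
PLC_DRIVER_OK = Artifact("plcdrv.sys", b"constructed: genuine PLC driver v1.0",
                         "Constructed Hardware Co.")
PLC_DRIVER_TROJAN = Artifact("plcdrv.sys", b"constructed: modified PLC driver",
                             "Constructed Hardware Co.")   # signed with a stolen key
UNSIGNED_TOOL = Artifact("tool.exe", b"constructed: unsigned utility", None)
OTHER_VENDOR = Artifact("hmi.msi", b"constructed: HMI package", "Other Vendor Ltd.")

# Validation list: exact hashes that were reviewed and approved for the plant network.
APPROVED_HASHES = {sha256_hex(PLC_DRIVER_OK.content)}
# Weaker convenience rule: accept anything carrying a valid signature from these publishers.
TRUSTED_PUBLISHERS = {"Constructed Hardware Co.", "Other Vendor Ltd."}


def check_install(artifact: Artifact, approved_hashes: set, trusted_publishers: set,
                  revoked_publishers: set) -> tuple:
    """Decide whether 'artifact' may be installed.

    Returns (allowed, reason). An exact-hash approval always wins, because it
    pins the file content; a publisher signature is accepted only while that
    publisher's certificate has not been revoked, and a stolen key lets content
    the publisher never released pass this weaker rule.
    """
    digest = sha256_hex(artifact.content)
    if digest in approved_hashes:
        return True, f"{artifact.name}: hash {digest[:12]}... on validation list"
    if artifact.signer is None:
        return False, f"{artifact.name}: unsigned and not on validation list"
    if artifact.signer in revoked_publishers:
        return False, f"{artifact.name}: signer '{artifact.signer}' is revoked"
    if artifact.signer in trusted_publishers:
        return True, f"{artifact.name}: accepted on publisher trust only ('{artifact.signer}')"
    return False, f"{artifact.name}: unknown signer '{artifact.signer}'"


def stolen_key_scenario() -> tuple:
    """Replays the lesson: a trojaned driver signed with a stolen publisher key
    passes the publisher rule before revocation, fails after it, and is rejected
    by the hash-only validation list in both cases."""
    before_revocation = check_install(PLC_DRIVER_TROJAN, APPROVED_HASHES,
                                      TRUSTED_PUBLISHERS, set())[0]
    after_revocation = check_install(PLC_DRIVER_TROJAN, APPROVED_HASHES,
                                     TRUSTED_PUBLISHERS, {"Constructed Hardware Co."})[0]
    hash_list_only = check_install(PLC_DRIVER_TROJAN, APPROVED_HASHES, set(), set())[0]
    return before_revocation, after_revocation, hash_list_only


if __name__ == "__main__":
    for art in (PLC_DRIVER_OK, PLC_DRIVER_TROJAN, UNSIGNED_TOOL, OTHER_VENDOR):
        print(check_install(art, APPROVED_HASHES, TRUSTED_PUBLISHERS, set()))
    print("trojan before/after revocation, hash-list only:", stolen_key_scenario())
```

The design point is the order of the checks: content hash first, publisher trust last. Revocation closes the window only once the CA acts (in the slide, a month after the first sighting), while a hash-based validation list never accepted the modified driver at all, and genuine files already on the list keep installing even after their publisher's certificate is revoked.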

Stuxnet's brothers

same development platform (Tilded)

Duqu (sep'11)

not a worm or virus

gathers and sends system info for attack preparation (reconnaissance & intelligence)

Flame (may'12)

system spyware (may record network traffic, audio, video, keyboard)

spreads via USB or network, no physical damage

backdoor (remote configuration and update)

active for two years before being identified


Sauron – one malware to rule them all

disclosed in August 2016 but active since 2011

Strider group

Remsec malware = stealthy backdoor + logger

selective targets (e.g. individuals in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium); only 36 infections since 2011

loader + Lua modules (net loader, host loader, keylogger, net listener, basic/advanced pipe and HTTP back-door)

can also collect data from air-gapped computers and export them to Internet-connected nodes via a hidden file system on approved USB keys

The three pillars of security

0. Planning (security policy, …)

1. Avoidance (FW, VPN, PKI, …)

2. Detection (IDS, monitor, …)

3. Investigation (forensic analysis, internal audit, …)

Hacker & Co.

wannabe lamer

script kiddie

cracker

hacker


Hacker (I)

hacker: /n./ [originally, someone who makes furniture with an axe]

1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.

2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.

3. A person capable of appreciating {hack value}.

4. A person who is good at programming quickly.

Hacker (II)

5. An expert at a particular program, or one who frequently does work using it or on it; as in “a Unix hacker”. (Definitions 1 through 5 are correlated, and people who fit them congregate.)

6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.

7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.

8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence “password hacker”, “network hacker”. The correct term for this sense is {cracker}.

Cracker

cracker: /n./ One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of {hacker} (q.v., sense 8). An earlier attempt to establish “worm” in this sense around 1981-82 on Usenet was largely a failure.


Kevin Siers, NC, USA (cartoon from the Charlotte Observer)