4MMSR - Networks Security
0 - Introduction
Fabien Duchene
Laboratoire d’Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Grenoble INP Ensimag
2011-2012
Fabien Duchene (LIG) 4MMSR-0-Introduction 1/35 2011-2012 1 / 35
Outline
1 Your lecturers: Fabien Duchene, Karim Hossen
2 Pedagogic contract: Objectives, Pedagogic organization, What is expected from you?, Some Resources
3 Security?: Why?, What?, Basic definitions, Ethics
Your lecturers Fabien Duchene
Fabien Duchene
Information Security
- 2011: PhD student, LIG, France
- 2010: Implementer, Pentester, Trainer, Sogeti-ESEC, France
- 2009: Security Engineering Intern, Microsoft, France
Teaching @ Grenoble:
- 2012: Audit, Forensics, Threats, UJF MSc SAFE, France
- 2011, 2012: 4MMSR - Network Security, Ensimag, France
- 2011: 4MMSR - Information Systems Security, Ensimag, France
- 2011: MS PKI ADCS 2008 R2, Sogeti-ESEC, France
- 2010: Forefront, Microsoft TechDays 2010, Paris, France
http://car-online.fr/en/spaces/fabien duchene/
PGP fingerprint: 8C16 9A97 BD01 19DC BA51 7361 60AC 98E9 E77D 3800
Your lecturers Karim Hossen
Karim Hossen
Career
- 2011: PhD student, LIG, France
- 2010: *** confidential ***
- 2009: Automatic differentiation, INRIA, TROPICS
Teaching
- 2012: Audit, Forensics, Threats, UJF MSc SAFE, France
- 2012: 4MMSR - Network Security, Ensimag, France
- 2011: 4MMSR - Information Systems Security, Ensimag, France
- 2010-2011: 4MMCAWEB - conceiving web applications, Ensimag
Pedagogic contract Objectives
Objectives: after that course...
Some cool stuff you will be able to do:
- explain how people recently defaced Rihanna’s website
- understand some parts of how an Iranian nuclear power plant was deactivated using several Windows XP 0-days and a SCADA virus... [Nicolas Falliere and (Symantec) 2011] W32.Stuxnet Dossier
- find and exploit basic vulnerabilities in an application (e.g. in memory, web, networks...)
- discuss and manipulate various security topics: wireless security, identity federation, three-factor authentication, role-based access control, encryption, IPSec, SOP, XSS, fuzzing...
- apprehend new IT security concepts in a large distributed corporate environment
- read and intelligibly present security research papers
Pedagogic contract Pedagogic organization
Planning
Lectures
1 - Cryptography and cryptanalysis (K. Hossen)
2 - Network security related attacks
3 - Web Security
4 - In-memory exploitation and shellcodes
5 - TBA (P. Malterre)
6 - Web Services Security Testing: some research advances
Or not..
Seminars
Practical exercises
→ Check the 4MMSR ensiwiki!
Pedagogic contract What is expected from you?
Review the courses...
4MMSR - Network Security: courses to review
- Algorithms: algorithms and data structures
- Language theories: 3MMTL1
- Operating systems: 4MMPS, 4MMSEPC
- Assembly languages and C: 3MMCEP, C project
- Databases: 4MMPSGBD
- Networks: 3MMRTEL, 4MMRES
Pedagogic contract What is expected from you?
Connect the notions with OTHER courses:
4MMSR - Network Security connects with:
- 5MMTLSFT: Software testing and safety
- 5MMMSSI: Models for Security
- 4MMCSE: Operative System Design
- YOUR daily use of computers!
- ...
Pedagogic contract What is expected from you?
What is expected from you?
BEFORE a lecture: (30 min / week)
- review the ASSUMED knowledge slides
- read and understand the slides (prepare questions)
- read some IT security news
DURING: actively and efficiently participate
- take notes (some content is missing in your slide version)
- ask questions ... but also provide answers!
- I don't mind people chatting about the lecture... BUT be on time!
- I accept that people take notes on their laptops BUT beware of the butterfly effect: do NOT spend your time reading your mails or doing your very next project..
- starting from 2 unjustified absences: mark adjustment = (−1) ∗ (N_absences − 1)
AFTER: (1H30 / week)
- memorize and perform oral feedback the same day we had the lecture!
- practical assessments: (1H / week). Not assessed as such, but the final CTF-like practical exam is worth 5/20 (see next slide)!
- update your synthesis notes... useful for active learning and the final exams!
Pedagogic contract What is expected from you?
How is your grade computed?
Check out the 4MMSR wiki page!
Documents: only 1 two-sided A4 page allowed
- Final CTF-like practical exam: 5/20, knowledge from the practical assessments required (individual)
- Written examination: 10/20 (individual)
- Security research paper talk: 5/20, up to ±1 point regarding the questions you asked as a member of the audience (groups of 2 persons)
Pedagogic contract Some Resources
Some Resources
At Ensimag
- Your lecturers
- Ensiwiki: 4MMSR, 5MMSSI
- SecurIMAG
- A career in information security
Several tools / information sources
- “MISC ED Diamond”, French infosec magazine
- RSS, Twitter: @SecurIMAGTwitte, @fabien duchene
- #IRC chans
Security? Why?
Cyberwarfare [1]
- suspected Chinese attack on Paris G20 files [2]
- 200+ non-legitimate certificates issued by DigiNotar CAs [3][4]
- Stuxnet targeted Iranian industrial nuclear plants [5][6]
[1] [Wikipedia 2011a] cyberwarfare
[2] [BBC 2011] Cyber attack on France targeted Paris G20 files
[3] [F-Secure 2011] DigiNotar Hacked by Black.Spook and Iranian Hackers
[4] [community 2011] Chromium Code Reviews
[5] [Wikipedia 2011b] Stuxnet
[6] [Nicolas Falliere and (Symantec) 2011] W32.Stuxnet Dossier
Security? Why?
Underground economy I [7]
Security? Why?
Underground economy II
“Cybercrime is costing more than the drugs trade” [8]
cybercrime in 2011
- worldwide: $114 billion; 431 million victims
- USA: $32 billion, China: $25 billion
- France: €1 billion (9 million victims)
porn:
botnet: 9.4 million USD for the Zeus botnet [9]. Such botnets usually combine spam and phishing.
underground shops: credit cards, millions of email addresses, root access to some websites, fake drugs [10]
[7] [Wired 2011] Crime, organized
[8] [Symantec 2011] Norton Cybercrime report 2011
[9] [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010
[10] [Learning from LulzSec: For hackers, automated attacks reign 2011] Learning from LulzSec: For hackers, automated attacks reign
Security? Why?
Business survivability I
Threats to business reputation
- Sony Pictures: LulzSec published usernames, passwords
- Yale University got 43,000 social security numbers stolen
Figure: Average number of identities exposed per data breach
Security? Why?
Business survivability II
Revenge
- Employees: fired ones, hating their boss
Legal
- PCI-DSS: electronic transactions [a]
- Sarbanes-Oxley act [b]: auditor independence
- California law [c]: notify individuals when Personally Identifiable Information is known or believed to have been stolen
[a] [LLC 2010] PCI-DSS v2
[b] [Sarbanes-Oxley Act] Sarbanes-Oxley Act
[c] [Senator 2002] California law - amending SB 1386
Security? Why?
Hacktivism I [11]
Some actions (2009..2011)
- Wikileaks:
- Anonymous: [a]
  - DDoS: PayPal, MasterCard, Twitter, Tunisian government
  - Riots
  - Information release “leakflood”
- LulzSec: CIA website DDoS, Sony passwords leakage (memory vuln + SQLi), Nintendo, X-Factor, pron.com
[a] [Anonymous (hacktivist group)] Anonymous (hacktivist group)
Security? Why?
Hacktivism II [12]
Is this bad?
- Militantism, protests
- Dangerous in some aspects:
  - some actions are considered cyber-criminality
  - governments fear civil disobedience
[11] [Hacktivism] Hacktivism
[12] [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010
Security? What?
Security? I
Some security definitions
- “situation in which somebody feels protected from dangerousness” ... relative!
- absolute security does not exist
- “security is a journey, not a destination”
- “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts” [a]
[a] [Spafford 1989] Quotable Spaf
Security? What?
Security? II
Security is not ONLY about technologies
[(Microsoft) 2004] Notions fondamentales de securite
Security? What?
Security? III
The attacker vs defender unevenness
1. The defender has to protect all assets; the attacker is free to choose the weakest one
2. The defender can only protect what he knows / is aware of; the attacker can search for any vulnerable asset
3. The defender has to be constantly vigilant; the attacker can attack at any time
4. The defender has to respect the rules (esp. law, money limits); the attacker can do anything
Security? What?
The 10 security laws
If a bad guy ... [13]
1. can persuade you to run his program on...
2. can alter the operating system on...
3. has unrestricted physical access to...
4. can upload programs to...
... your computer/website, it is not yours anymore!
5: Weak passwords trump strong security
6: A computer is only as secure as the administrator is trustworthy
7: Encrypted data is only as secure (if not less) as the decryption key
8: An out-of-date malware scanner is only marginally better than no scanner at all
9: Absolute anonymity isn’t practical, in real life or on the Web
10: Technology is not a panacea: ..people and procedures
[13] [The 10 immutable security laws] The 10 immutable security laws
Security? Basic definitions
security goals/objectives/properties I
- confidentiality (data): [14]
- availability (system):
- integrity (data):
- authenticity (data):
- freshness (data):
- traceability (action):
- non-repudiation (action):
- privacy (identity):
[14] [SPaCiOS 2011] Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors
Security? Basic definitions
threat related vocabulary
- threat: if it happens, invalidates at least one security goal
- vulnerability: property of a system that permits a threat to happen
- exploit(ation): of a vulnerability
- attack: 1+ exploit(s)
- countermeasure: protects from threats
- hardening: implementing countermeasures in a system
- security policy:
Security? Basic definitions
Vulnerabilities impact classification
From the STRIDE classification [15][16] .. in terms of impact!
- spoofing: usurpation of a legitimate user's credential
- tampering: alteration (modification or destruction) of data or system
- repudiation: inability to prove that an action has been performed
- information disclosure: leak of information (data, or system configuration)
- denial of service: inability of the system to serve legitimate users
- elevation of privilege: gain of additional rights allowing the attacker to perform additional actions
[15] STRIDE = “enjambee” in French
[16] [Microsoft 2005] STRIDE threat model
Security? Ethics
Ethics
If you find a vulnerability in an application/system/network that is NOT yours...:
- Do not exploit it (prosecution)
- Report it responsibly
- Be patient and understanding. Patching or correcting a configuration is a matter of risk management
Appendix 0 - introduction summary
0 - introduction summary
- pedagogic contract: students’ behavior, practical assessments, seminars
- infosec motivations: cybercrime, cyberwar, competitors, business reputation, hacktivism
- security properties: confidentiality, integrity, availability, freshness..
- basic security definitions: security policy, threat, vulnerability, exploit, attack ...
Appendix For Further Reading
Ari Takanen, Jared DeMott, Charlie Miller (2008). Fuzzing for Software Security Testing and Quality Assurance.
BBC (2011). Cyber attack on France targeted Paris G20 files. http://www.bbc.co.uk/news/business-12662596.
CLUSIF (2011). Panorama de la Cyber-criminalite - Annee 2010. http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Panorama-Cybercriminalite-annee-2010.pdf.
community, Open source (2011). Chromium Code Reviews. http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc.
Ensiwiki (2011). A career in information security. http://ensiwiki.ensimag.fr/index.php/A_career_in_Information_Security.
F-Secure (2011). DigiNotar Hacked by Black.Spook and Iranian Hackers. http://www.f-secure.com/weblog/archives/00002228.html.
Learning from LulzSec: For hackers, automated attacks reign (2011). http://venturebeat.com/2011/07/28/hacker-lulzsec-imperva/.
LLC, PCI Security Standards Council (2010). PCI-DSS v2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf.
Microsoft (2005). STRIDE threat model. http://msdn.microsoft.com/library/ms954176.aspx.
(Microsoft), Cyril Voisin (2004). Notions fondamentales de securite.
(Microsoft), Technet. The 10 immutable security laws. http://technet.microsoft.com/en-us/library/cc722487.aspx.
Nicolas Falliere, Liam O Murchu and Eric Chien (Symantec) (2011). W32.Stuxnet Dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
Nikam, Rajesh (2011). Introduction to Malware & Malware Analysis. http://chmag.in/article/sep2011/introduction-malware-malware-analysis.
Senator (2002). California law - amending SB 1386. http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.
SPaCiOS (2011). Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors. http://www.spacios.eu.
Spafford, Eugene H. (1989). Quotable Spaf. http://spaf.cerias.purdue.edu/quotes.html.
Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16.
Wikipedia. Anonymous (hacktivist group). https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous(group).
Wikipedia. Hacktivism. https://secure.wikimedia.org/wikipedia/en/wiki/Hacktivism.
Wikipedia. Sarbanes-Oxley Act. https://secure.wikimedia.org/wikipedia/en/wiki/Sarbanes–Oxley_Act.
Wikipedia (2011a). Cyberwarfare. https://secure.wikimedia.org/wikipedia/en/wiki/Cyberwarfare.
Wikipedia (2011b). Stuxnet. https://secure.wikimedia.org/wikipedia/en/wiki/Stuxnet.
Wired (2011). Crime, organized. http://www.wired.com/magazine/2011/01/ff_orgchart_crime/.
Bonus slides
Some Information Security jobs
- hacker [17]
- security researcher / vulnerability analyst
- penetration tester / auditor [18]
- software security tester
- IT security:
  - IT security mechanisms implementer
  - CISO (Chief Information Security Officer)
[17] [Ari Takanen 2008] Fuzzing for Software Security Testing and Quality Assurance
[18] [Ensiwiki 2011] A career in information security
Bonus slides
Common misconceptions - best dummies quotes
“Our corporation is secure because...”
- firewall, IDS/IPS
- checksums, thus integrity guaranteed
- no networks connected to the internet
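The “checksums, thus integrity guaranteed” misconception above, and the integrity, authenticity and freshness properties listed on the security goals slide, in a small added Python example. It is not part of the lecture material: the key, the message, the on-path modification and the nonce bookkeeping are all constructed for illustration. A CRC detects accidental corruption, but anyone who can rewrite the message can also recompute the CRC; a keyed MAC (HMAC-SHA256 here) cannot be recomputed without the secret, which is what turns integrity into authenticity; remembering nonces on the receiver side turns the same MAC into a freshness check that rejects a replayed, still-valid message.

```python
import hashlib
import hmac
import os
import zlib

# Constructed demo key: in practice it comes from a key exchange or a key
# store, never from source code.
KEY = b"constructed-demo-key"
MESSAGE = b"transfer 100 EUR to account 42"  # constructed sample message


def crc_tag(message: bytes) -> int:
    """Unkeyed checksum: protects against accidental corruption only."""
    return zlib.crc32(message)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed MAC: integrity plus authenticity, since computing it needs the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_crc(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest does not leak the position of the first mismatch via timing
    return hmac.compare_digest(mac_tag(key, message), tag)


def tamper(message: bytes) -> bytes:
    """Stand-in for an on-path modification of the amount (constructed)."""
    return message.replace(b"100", b"900")


def crc_accepts_tampered_message() -> bool:
    """The checksum gives no integrity against an active adversary:
    whoever rewrites the message simply recomputes the CRC."""
    forged = tamper(MESSAGE)
    return verify_crc(forged, crc_tag(forged))


def mac_rejects_tampered_message() -> bool:
    """Without the key, the best the adversary can do is reuse the old tag."""
    tag = mac_tag(KEY, MESSAGE)
    forged = tamper(MESSAGE)
    return not verify_mac(KEY, forged, tag)


class FreshReceiver:
    """Receiver checking authenticity (MAC) and freshness (nonce not seen before)."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: set[bytes] = set()

    def accept(self, nonce: bytes, message: bytes, tag: bytes) -> str:
        # MAC covers nonce || message, so the nonce itself cannot be swapped
        if not verify_mac(self.key, nonce + message, tag):
            return "rejected: bad MAC"
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted"


def send(key: bytes, message: bytes) -> tuple[bytes, bytes, bytes]:
    """Sender side: fresh random nonce, MAC over nonce || message."""
    nonce = os.urandom(16)
    return nonce, message, mac_tag(key, nonce + message)


def replay_demo() -> tuple[str, str]:
    """Deliver one authentic packet twice: the first copy is accepted, the
    replayed copy is rejected even though its MAC is still valid."""
    receiver = FreshReceiver(KEY)
    packet = send(KEY, MESSAGE)
    first = receiver.accept(*packet)
    second = receiver.accept(*packet)
    return first, second


if __name__ == "__main__":
    print("CRC accepts tampered message:", crc_accepts_tampered_message())
    print("MAC rejects tampered message:", mac_rejects_tampered_message())
    print("replay demo:", replay_demo())
```

The same structure is what transport protocols such as TLS or IPSec provide behind the scenes (a MAC or AEAD tag plus a sequence number); the point of the toy is only that each property on the slide needs its own mechanism, and a checksum supplies none of them against an adversary.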
Bonus slides
MALicious softWARES (malwares) categorization I [19]
- virus: self-replicating program injecting itself into a “host” (script, process...)
- worm: autonomous self-replicating program
- trojan horse: apparently useful software but with hidden malicious functionalities
- spyware: gathers personal or confidential information without the user's consent and sends it to a remote server
- backdoor: permits remote code execution on the victim’s computer and opens a communication channel to which the attacker connects
- hacktool: tools used by attackers to get access to the system; hacktools try to exploit vulnerabilities
Bonus slides
MALicious softWARES (malwares) categorization II
- rootkit: actively hides from the OS, usually has the ability to interact at a low level (I/O such as keyboard, mouse, display..)
- rogue application: “fake” application posing as a security solution (e.g. faking malware detections). Usually misleads the user into paying for a pretended removal of malware.
[19] [Nikam 2011] Introduction to Malware & Malware Analysis