System SecuritySunu Wibirama

nowadays, we have a large amount of

security abuses

instead of klikbca.com, there is: kilkbca.com

PHISING

SOCIAL ENGINEERING / MASQUERADING

WEB DEFACEMENT

http://polri.go.id

Email Hacking

Fake Email

Security: why it’s very important Internet is now part our everyday life Important data transfer through internet Some people choose to be a bad people, take benefit from the others Therefore: system security, particularly internet security, is very important

aspect to be studied, even for non-IT student. How to learn:

understand how important security is know how security is threaten if itʼs possible, know how to do security threat (but youʼre not supposed

to use it for any illegal usage in real-life) know how to solve always do any important transaction with careful consideration

Protect ourselves, be aware to security threats

Today’s Discussion

The Security Problem

Program Threats

System and Network Threats

Cryptography as a Security Tool

SSL Implementation

Firewalling to Protect Systems and Networks

Video demo

The Security Problem

Security must consider external environment of the system, and protect the system resources

Intruders (crackers) attempt to breach security

Threat is potential security violation

Attack is attempt to break security

Attack can be accidental or intentional (malicious)

Easier to protect against accidental than malicious misuse

Security Violations Categories

Breach of confidentiality : unauthorized reading of data (CC fraud) Breach of integrity : unauthorized modification of data Breach of availability : unauthorized destruction of data (defacement) Theft of service : unauthorized use of resource Denial of service : preventing legitimate use of system

Methods Masquerading (breach authentication) Replay attack (malicious repeat of valid data transmission)

Message modification (privilege escalation, asking username or password using email, sent by ʻfakeʼ administrator)

Man-in-the-middle attack (ex. session hijacking)

Standard Security Attacks

Security Measure Levels Security must occur at four levels to be effective:

Physical: securing the computer or terminal access Human

social engineering phishing (kilkbca.com case, imitate klikbca.com) dumpster diving (digging the thrashed data, phonebook, etc.)

Operating System: protect the system from accidental security breaches

Network : data travels over shared lines like the internet, wireless connections, or dial-up lines. Data interception is as harmful as breaking into the computer

Program Threats Writing program to change the behavior of ʻprocessʼ Trojan Horse

Code segment that misuses its environment Exploits mechanisms for allowing programs written by users to be executed

by other users Spyware : stealing information from the target

Trap Door Created by the developer Specific user identifier or password that circumvents normal security

procedures Could be included in a compiler

Logic Bomb Program that initiates a security incident under certain circumstances

Stack and Buffer Overflow The most common security attack Exploits a bug in a program (overflow either the stack or memory buffers)

Stack or Buffer Overflow Bug observation :

Choose a program that uses system-wide privilege (example: network daemon, web server daemon, database server daemon)

Vulnerability searching: studying program manual, examining the code, trial and error, getting information from security forum, etc.

Writing program to do the following: Overflow an input field / command-line argument / input buffer until it

writes into the stack. Overwrite the current return address on the stack with the address of

the exploit code Write a simple set of code for the next space in the stack that includes

the commands that the attacker wishes to execute -- for instances: release a shell.

Result: executing shell using root privileges.

C Program with Buffer-overflow Condition#include <stdio.h>

#define BUFFER SIZE 10

int main(int argc, char *argv[])

{

char buffer[BUFFER SIZE];

if (argc < 2)

return -1;

else {

strcpy(buffer,argv[1]);

return 0;

}

}

What’s happened if I execute this program in linux?

Let see...

Program Aborted! (security protection)10 char

11 char

Virtual Memory Layout

Previous code:Buffer Size[10]

Stack frame is very precious, so that it should

be correctly protected

Layout of Typical Stack Frame

LIFOLast In First Out

jump to func()back to main()

Modified Shell Code

#include <stdio.h>

int main(int argc, char *argv[])

{

execvp(‘‘\bin\sh’’,‘‘\bin \sh’’, NULL);

return 0;

}

Goal of buffer overflow:Replace the return address in the stack frame, so that it now points to the code segment containingthe attacking program

What program will be attacked/overflowed?The one that uses system-wide privileges (example: network-daemon, always run on rootprivilege

ModifiedShell-code

Imagine, if operating system does not protect

the stack frame....

Attacked Stack Frame

Before attack After attack

./mybuff <modified shell code+NO_OP+address of modified shell code>

Program Threats (Cont.)

Viruses Self-replicating and infect other programs Code fragment embedded in legitimate program Very specific to CPU architecture, operating system, applications Usually borne via email or as a macro

Visual Basic Macro to reformat hard driveSub AutoOpen()

Dim oFS

Set oFS = CreateObject(’’Scripting.FileSystemObject’’)

vs = Shell(’’c:command.com /k format c:’’,vbHide)

End Sub

Program Threats (Cont.) Virus dropper inserts virus onto the system

Many categories of viruses, literally many thousands of viruses File Boot Macro Source code Polymorphic Encrypted Stealth Tunneling Multipartite Armored

System and Network Threats Program threat - use a breakdown in the protection mechanisms of a

system to attack a program System and network threats: involves the misuse of service and network

connections, ex.: network attack is used to launch program, or vice versa Worms – use spawn mechanism to attack system

Internet worm Exploited UNIX networking features (remote access) and bugs in finger

and sendmail programs Grappling hook program uploaded main worm program (see next picture)

Port scanning Automated attempt to connect to a range of ports on one or a range of IP

addresses (ex.: nmap or nessus)

Denial of Service Overload the targeted computer preventing it from doing any useful work Distributed denial-of-service (DDOS) come from multiple sites at once

Port Scanning (Vulnerability Searching)

Testing site

Internal target

The Morris Internet Worm

Distributed Denial of Service

How to protect internet data transfer ?

Cryptography

Cryptography as a Security Tool When a computer is connected in the network, it receives bits from wire

with no immediate way to know what machine or application sent those bits.

Security manner: From the sender side: the message can be sent to unintended

computer in the network. How to ʻprotectʼ the message sent across the network?

From the receiver side: the message / request can be sent with fake or falsified IP address of the sender. How to decide whether OS can grant request when it cannot trust the named source of request?

Broadest security tool available Source and destination of messages cannot be trusted without

cryptography Means to constrain potential senders (sources) and / or receivers

(destinations) of messages Based on secrets (keys):

Receiver can verify messages using keys Sender can encode messages, only certain computer with keys can

decode

Encryption

From the sender perspective: constraining possible receiver Encryption algorithm consists of

Set of K keys Set of M Messages Set of C ciphertexts (encrypted messages) An encryption function E : K → (M→C). That is, for each k ∈ K, E(k) is a

function for generating ciphertexts from messages Both E and E(k) for any k should be efficiently computable functions

A decryption function D : K → (C → M). That is, for each k ∈ K, D(k) is a function for generating messages from ciphertexts Both D and D(k) for any k should be efficiently computable functions

Two kinds of encryption: symmetric and asymmetric Symmetric: same key is used to encrypt and decrypt, therefore

E(k) can be derived from D(k) and vice versa Asymmetric: different encryption and decryption key

Asymmetric Encryption

Public-key encryption based on each user having two keys: public key – published key used to encrypt data private key – key known only to individual user used to decrypt data

Must be an encryption scheme that can be made public without making it easy to figure out the decryption scheme Most common is RSA block cipher Efficient algorithm for testing whether or not a number is prime

RSA Asymmetric Cryptography

encryption and decryption key is computed from defined algorithm

message: 69ciphered: 62 public key ke = k5, 91

private key kd = k29, 91

Modulus based algorithm7mod3 = 18mod3 = 2

9mod2 = ......?11mod4 = ..... ?

Cryptography (Cont.)

Note symmetric cryptography based on transformations, asymmetric based on mathematical functions Asymmetric much more compute intensive Typically not used for large data encryption Much faster to compute symmetric algorithm Only for small data, ex: authentication

Other examples: digital signature, SSL, etc. (*more, you can refer to page 644 in file: security-updated.pdf )

More about cryptography theory and its mathematical implementation, join “Teori Penyandian” course with Bu Sri Suning Kusumawardhani.

Encryption Example - SSL Insertion of cryptography at one layer of the ISO network model (the

transport layer)

SSL – Secure Socket Layer

Cryptographic protocol that limits two computers to only exchange messages with each other Very complicated, with many variations

Used between web servers and browsers for secure communication (credit card numbers transaction, email, etc)

The server is verified with a certificate assuring client is talking to correct server

Asymmetric cryptography used to establish a secure session key (symmetric encryption) for bulk of communication during session

Communication between each computer then uses symmetric key cryptography

Our email is secured using HTTPS (HTTP + SSL)

How to protect a computer system

with large architecture?

Firewalling to Protect Systems and Networks

A network firewall is placed between trusted and untrusted hosts The firewall limits network access between these two security

domains

Can be tunneled or spoofed Tunneling allows disallowed protocol to travel within allowed

protocol (i.e., telnet inside of HTTP) Firewall rules typically based on host name or IP address which

can be spoofed

Personal firewall is software layer on given host Can monitor / limit traffic to and from the host

Application proxy firewall understands application protocol and can control them (i.e., SMTP)

System-call firewall monitors all important system calls and apply rules to them (i.e., this program can execute that system call)

DEMO 1: TUNNELING

Some firewall block site that potentially harmful or take a large of bandwidth consumption

In this part, I will demonstrate you how to bypass firewall by tunneling. Note that this demonstration is for educational purpose only. I will not be responsible for any misuse of this demonstration.

In this tutorial, a blockage of firewall is represented by a blocking policy from our proxy server. Site blocked: http://wibirama.com (this is my blog, actually)

What is tunneling?

Tunneling (also called port forwarding) is a method to bypass a blocked/restricted TCP application connection through another allowed TCP application. Example: bypassing a blocked HTTP (port: 80) connection through SSH (port:22) connection (SSH = Secure Shell, similar as telnet but itʼs encrypted)

In this demonstration, a remote computer is used as a proxy to connect to http://wibirama.com. We use port 22 from our terminal to access remote computer, and use that computer to browse the internet

Scenario I will connect to remote machine : ilab.te.ugm.ac.id using SSH client

application. Normally, SSH application (port:22) is not blocked as itʼs usually only used by network administrator.

The remote machine acts like SSH server, with bind address: 127.0.0.1:1080

The browser in laptop accesses the targeted server (wibirama.com), but it firstly jumps to the remote machine.

DEMO 1: TUNNELING

DEMO 2: Sniffing using Wireshark Wireshark: network analyzer software for Windows, Linux, and Mac. You

can download it for free: http://wireshark.org/

It can ʻsniffʼ data and extract TCP stream, which is transferred between all connected clients and gateway server.

All data, including, username, password, your personal information, credit card number will be easily revealed if they are not encrypted

Wireless network is easy to be sniffed

DEMO 2: Sniffing using Wireshark Sniffing username and password from FTP connection FTP server on local network: 192.168.0.105

FTP client on local network: 192.168.0.106 If you are on a wireless network, you should be able to “stand”

between the client and the server, then use wireshark to extract information (remember man-in-the-middle attack)

DEMO 2: Sniffing FTP password

There are so many aspects in network security to be learned. If you

want to find more, you can do ‘googling’ by this keyword:

Certified Ethical Hacker

Useful resource (1)

http://www.securityfocus.com/

Useful resource (2)

http://jasakom.com/

Thank You