...

Saturday, February 26, 2011

NETSEC 05

Attacks can be classified into 4 types:-Interruption (Availability)
-Modification (Integrity, Availability)
-Interception (Confidentiality)
-Fabrication (None, or Authentication/Authenticity)

Visually, the attacks look like this:
IMAGES OF THESE

These only categorizes Active Attacks, as at least one of the goals are harmed.

Attacks can be classified further. The most common class of attack is the MITM attack (Man-in-the-Middle). In MITM attacks, the attacker sits between the victim transparently. The attacker may then capture and/or modify the data before it reaches the victim. (As in a modification attack, or an interception attack).

Examples of MITM attacks are SSL Stripping and ARP Poison Routing (APR).

Another type of attack can be the Spoofing Attack. Spoofing attacks spoof a field in the protocol (such as source IP or MAC) to appear to be coming from a trusted vector. IP spoofing exists because certain services authenticate based on IP address. The existence itself is a vulnerability.

Defenses are to use 2FA, and to perform egress filtering to make sure that a router's originating LAN is not the source of spoofing. (e.g. Only allow source addresses that correspond to the company LAN to go out to the Internet).

Another type of spoofing can be web site spoofing, in case of a phishing attack. The attacker creates an authentic-looking page (such as a Bank Login Page) and lures the victim into the site by other means (e.g. Authentic-looking Email).

Finally we have the well-known ARP spoofing.

Another type of attack is the DoS attack (Denial of Service). DoS is primarily aimed at the Availability of the network/services. It is the simplest of attacks. Typically DoS attacks are done if the hacker fails to gain access to a computer (e.g. If he can't own it, no one else can).

DoS attacks are used to kill business competition. It is also used for revenge, for fun, or may be accidental (e.g. Janitor trips over a wire).

DoS attacks result in decreased productivity, lost revenue, and damaged reputation.

The types of DoS attacks are:
1) Consumption of network or computational resources
2) Disruption of configuration information
3) Physical damage

When it comes to consuming resources, typically a single attacker is not enough. It may sometimes take multiple attackers to bring a victim down. Therefore, we need to employ Distributed DoS or simply DDoS.

DoS relies on zombies or a botnet (infected hosts) which has either a server (listens for incoming commands) or a reverse client (connects to a server which it receives commands from) installed in it. It is difficult to trace who the real attacker is since the attack appears to be coming from multiple vectors, sometimes even from trusted hosts.

Session hijacking is the act of taking control of a session. Hackers get around sophisticated authentication schemes by taking over a victim's existing session AFTER it has been established and authenticated.

Password attacks are primarily brute force attacks. Brute-force attacks involve a systematic guessing of the password until a correct one is found. However, as most passwords contain common words, a dictionary brute-force attack (or simply, dictionary attack) can allow the attacker to resolve a password in a shorter time.

Passwords can be weak or strong. A strong password is one that is difficult to discover. Strong passwords are made up of:
1) Long strings
2) A large mix of character types in no apparent order (e.g. AbCd13!@ is bad, !A1C@b3e is good)
3) Words not found in dictionaries (Even H3ll0 may be bad, because of 1337 brute-force methods)

A weak password is the other way round:
1) Uses a word found in the dictionary, or a word
2) Uses very little mix of characters, such as all lowercase alphabets

The theory behind brute-force is that by definition, it is able to crack EVERY password encryption scheme EVENTUALLY. It is the feasibility of such an attack that makes it fail.

There are two types of brute-force targets. You can either brute-force the key (in case of encryption), or brute-force the plaintext (in case of hash).

Here's a practical example:
If a computer can try 72000 keys in a second, find the time it takes to brute-force...

The formula, by the way, is radix^characters/speed.

"test"

Since this is all in lower-case, then 26^4/72000 is the time-maximum (t-max) of the attack. On average, passwords are cracked in half the time-maximum (t-max).

"12345"

Since this only involves numbers, then it takes 10^5/72000.

"Passw0rd"

Since there is lower-case (26), upper-case (26) and numbers (10), the radix is 62. Therefore it takes 62^8/72000 to crack. Much longer.

"P@ssw0rd"

Now, there's the previous 62, AND all symbols. I don't know how many there are, but let's assume there's 16 symbols. You'll have 78^8/72000.

Sniffing is the easiest done in Token Ring networks, followed by Ethernet networks. Sniffing is the act of promiscuously inspecting every packet received by the NIC even if it is not intended for the computer. Sniffing can also be described as simply the act of intercepting packets traveling over a network. It is equivalent of eavesdropping.

A sniffer can be a program/device or the person using such a program. It can be used both for network management/troubleshooting (detect bottlenecks, programmers checking their program's packets, logging traffic) as well as malicious activities (stealing information off networks).

These three prerequisites must be met before sniffing can occur:
1) NIC must be in promiscuous mode
2) Hub is used to connect nodes (or ARP poisoning would be required)
3) Sniffer must be in the same LAN segment

By default, NICs are in non-promiscuous mode. That means that it will ignore packets not destined for its own MAC. However, NICs can capture and save packets not intended for itself when it is in promiscuous mode.

Information can be obtained through sniffing include: Email traffic, login usernames and passwords, and information useful for other attacks (including sequence numbers of TCP sessions). Any cleartext protocols such as HTTP, FTP, SMTP and POP3 can be sniffed.

Defenses for sniffing include:
-Replacing hubs with switches that can perform ARP snooping
-Physically check networks to ensure no unregistered hosts
-Use encryption to hide sensitive data

No matter how strong a password, once sniffed, is broken.

It is very difficult to detect sniffing because it is passive, but if the sniffing software makes use of the DNS for reverse-lookup, then it may be possible to identify suspicious hosts.

Phishing is a form of social engineering that makes use of fraudulent techniques to obtain sensitive information such as password and credit card details.

A web site phishing technique involves creating an authentic-looking site of a well-known company (such as a banking company). The phishers then create authentic-looking emails to trick recipients into accessing the phishing site. The victims would then divulge information as passwords, credit card numbers, usernames, and other things into a form on the website (e.g. When they try to log in).

Defenses for phishing include:
-Be skeptical of email with urgent requests
-Verify the emails with the company it "supposedly" came from
-Don't click on links in an email if it is suspicious
-Visit phishing guides like http://www.antiphishing.org

All the attacks described thus far are technical attacks. Technical attacks require the assailant to have good knowledge of computers, networking, programming and so on. His knowledge is used to identify vulnerabilities (he is the threat) and to carry out the attacks.

Non-technical attacks involve very little technical knowledge. These are the different non-technical attacks:

Dumpster diving - this involves digging into rubbish bins to look for sensitive data that has not been properly disposed off. Defenses include shredding of documents, credit cards and CDs.

Shoulder surfing - this involves looking over the victim's shoulders when he/she is inputting sensitive data into the computer (such as during logins).

Social Engineering is the most powerful attack in the world. It relies heavily on human interaction and is designed to exploit the natural helpfulness of humans. Social engineering works because people are not aware of the value of the information they hold, so they are careless in protecting it.

Social engineering can be performed through:
-appeal to Vanity (praises and such)
-appeal to Authority (appear to be an authoritative individual)
-eavesdropping (e.g. Shoulder Surfing, or eavesdropping for information to be used in the above two)

Social Engineering attacks can be classified under online and offline. (Or rather, technical or non-technical).

Emails containing tempting subject lines (e.g. "Nude XXX") but containing a trojan can be classified as an online social engineering attack. It can also cause damage by making people delete innocent operating-system critical files, such as the example given in the seminar where people are told to delete jdbgmgr.exe, claiming that it's a virus.

No comments :

Post a Comment

<