Focus on Security

Transcript of the slide deck "Focus on Security" (81 slides).

Page 1: Focus on Security. 2 dr. Frank B. Brokken (f.b.brokken@rug.nl) Center of Information Technology University of Groningen 2013.

Focus on Security

Page 2: Focus on Security

dr. Frank B. Brokken (f.b.brokken@rug.nl)
Center of Information Technology, University of Groningen
2013

Page 3: ICT Security

Topics:
- Day 1: General principles.
- Day 2: System hardening and integrity.
- Day 3: Keeping the bad guys out.
- Day 4: Seeing the invisible; what's passing through the wires?
- Day 5: Summary and conclusions.

Page 4: ICT Security

General principles:
- Focusing on security
- Well-known security risks
- Defense mechanisms
- How can encryption help? Public Key Infrastructures
- PGP/GPG, SSL

Pages 5-8: Security Focus

CIA:
- Confidentiality
- Integrity
- Availability

Pages 9-10: Security Risks

What are the risks when CIA is reduced?
- Confidentiality: unauthorized access to confidential information.
- Integrity: abuse of data and/or computers.
- Availability: we can't use our computers/data.

Pages 11-16: Defense Mechanisms

We'll cover:
- Organization of prevention and recovery: how has `security' been organized at, e.g., my university?
- Dangers of commonly used practices: what's wrong with what we've learned to do in the past?
- Improvements over these practices: what can we do to prevent falling into traps?
- Firewalls: philosophies and setup, DMZs: what's the use of firewalls? How can they be deployed (and abused)?
- Securing information using encryption: how can encryption be used in real life?
- Various tools will be covered during this week: how can tools help to improve security?

Page 17: Prevention and Recovery

ICT Security:
- embed activities in larger structures.
- primarily a question of the right mentality.
- rules and documents work to some extent; they are a foundation to fall back upon.

Page 18: Embedding ICT Security

Considerations:
- Role models: who's handling incidents? New developments.
- The Communication Network
- Embedding ICT-Security
- Any activities promoting ICT-Security?

Pages 19-20: Embedding ICT Security

Role models: who's handling incidents?
Role models: new developments

Pages 21-22: Embedding ICT Security: The Communications Network (SEP)

- University: an organization of faculties and services.
- Systems managers: more or less `trusted'.
- The `Outside world': how does information reach the University? What information reaches the University?

October 2000: The University of Groningen introduced the function of ICT Security Manager.

Page 23: Embedding ICT Security: Communications Network

Aim: create a communication structure that is independent of the persons involved.

Pages 24-26: Embedding ICT Security: The Communications Network

Primary link between Cert-NL and the University.

SEP is a person, a member of a team.

The crash-team: technical specialists invoked to fight serious security-related incidents.

Diagram:
- Outside world: cert-nl
- Within the University: SEP (mailbox address obfuscated in the transcript), crash team

Pages 27-28: Embedding ICT-Security

The security kernel group represents the U. of Groningen's accredited Terena cert team.

Organization chart: director; Security Manager; Security Kernel Group; Terena cert team; U of Groningen: Services, Faculty, Computing Center, Faculty, ...; Units.

Terena: Trans European Research and Education Networking Association

Pages 29-34: Embedding ICT Security: Activities Promoting ICT-Security

- WebSite: http://www.rug.nl/cit/security
  In particular note (also in English): https://www.rug.nl/cit/security/aup (the Acceptable Use Policy of the U. of Groningen)
- `Column' in the bimonthly Pictogram publication
- Security Courses (honeypots, GPG/PGP, forensics, security awareness, information security)
- Advisories, not just those that are asked for.
- Formal documents and procedures: AUP, shutting down accounts, access to data
- In general: be visible

Pages 35-36: Embedding ICT Security: Acceptable Use Policy

Some sections in an Acceptable Use Policy:
- User responsibilities
- Responsibilities of Systems Managers
- Topics: passwords, facilities, privileges
- Consequences of abuse
- Legal framework

Framework for the AUP itself: BS 7799, ISO 27001.

Page 37: Attack Profiles

Pages 38-39: Who can be trusted?

- Falkland war: HMS Sheffield
- Unhappy Employees

Page 40: Who is the hacker?

Thrilling and yet: simple. Script kiddies. Perl fragment shown on the slide (truncated):

    sub storeHdr{ return if !@{$_[0]};
    push (@headers, [ @{$_[0]}
    $subject = $headers[-1] if !$subject && ${ @{$_
    if (${ @{$_[0]} }[0] =~ /^re push (@received, ${ @{$_ } }

Page 41: Dangers from unexpected corners

Professionals....

Page 42: Information Security

"If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."
Richard Clarke, Former Special Advisor to the US President on Cybersecurity

But also....

Page 43: What is the response?

Serious Incidents: Medical faculty, Space Research Center, Child Pornography, `February 2007' hack

Communicate the incident to law-enforcement agencies.

Pages 44-48: Dangers of Common Practices

- Clear-text protocols. Main danger: password sniffing.
- Outdated Software. Main danger: well-known exploits allow hackers to intrude into your system.
- Sleepy System Administrators. Main danger: intrusions are not detected when they have occurred.
- Too liberally configured systems. Main danger: intruders may use many approach routes; serious system management becomes too time-consuming.
- Weak Passwords. Main danger: intruders gain access through guessed or probed passwords.

Page 49: Clear Text Protocols

Internet traffic uses routes:

    traceroute to 221.117.40.249 (221.117.40.249),
     1  129.125.3.252
     2  Gi11-0.AR5.Groningen1.surf.net
     3  PO6-0.CR2.Amsterdam1.surf.net
     4  PO1-0.CR1.Amsterdam1.surf.net
     5  P0-0.BR1.Amsterdam1.surf.net
     6  ge-2-1-0.ar1.AMS1.gblx.net
     7  so4-0-0-2488M.cr2.AMS2.gblx.net
     8  pos1-0-2488M.cr2.WDC2.gblx.net
     9  so5-1-0-2488M.ar1.DCA3.gblx.net
    10  208.51.6.34
    11  p16-0-1-2.r20.plalca01.us.bb.verio.net
    12  xe-0-2-0.r21.plalca01.us.bb.verio.net
    13  p64-0-0-0.r21.mlpsca01.us.bb.verio.net
    14  p16-6-0-0.r80.mlpsca01.us.bb.verio.net
    15  p16-0-2-0.r20.tokyjp01.jp.bb.verio.net
    16  xe-1-0-0.a21.tokyjp01.jp.ra.verio.net
    17  61.213.161.90
    18  61.122.114.93
    19  61.122.113.6
    20  usen-221x112x21x130.ap-US01.usen.ad.jp
    21  usen-221x117x40x249.ap-US01.usen.ad.jp

Page 50: Clear Text Protocols

Information is often sent using clear text:
- e-mail
- WWW
- telnet
- File sharing (smb)
- RPC

Hackers may intercept this information anywhere along the route using sniffers.

Page 51: Clear Text Protocols

Hackers may intercept this information anywhere along the route using sniffers. They use tools to read the information:

    ICCE Hexadecimal Byte Dump Utility. Version 1.20.
    Copyright ICCE (c), 1989 - 1996. All rights reserved.

    00000000: D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00  ................
    00000010: DC 05 00 00 01 00 00 00 2B A6 1F 40 A2 6E 0A 00  ........+..@.n..
    00000020: 3C 00 00 00 3C 00 00 00 FF FF FF FF FF FF 00 07  <...<...........
    00000030: E9 D9 4E DF 00 2C E0 E0 03 FF FF 00 28 00 01 00  ..N..,......(...
    00000040: 10 80 22 FF FF FF FF FF FF 04 53 00 10 80 22 00  ..".......S...".
    00000050: 07 E9 D9 4E DF 04 53 00 02 9A AA 78 25 00 02 00  ...N..S....x%...
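The dump above is the start of a libpcap capture file (D4 C3 B2 A1 is the pcap magic number), and the same parsing that a sniffer's user performs is what an administrator does when auditing a capture of their own network for clear-text traffic. The following is an added example, not code from the slides: it parses the global header, the first record header and the Ethernet frame from a byte string constructed from the six rows shown, and reports that the dump is cut off four bytes before the end of the first frame rather than misreading it. Only the libpcap file layout and Ethernet/802.3 framing are assumed.

```python
import struct

# Constructed from the six hex-dump rows on the slide: offsets 0x00-0x5F of a
# libpcap file (24-byte global header, 16-byte record header, start of frame).
PCAP_BYTES = bytes.fromhex(
    "D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 "
    "DC 05 00 00 01 00 00 00 2B A6 1F 40 A2 6E 0A 00 "
    "3C 00 00 00 3C 00 00 00 FF FF FF FF FF FF 00 07 "
    "E9 D9 4E DF 00 2C E0 E0 03 FF FF 00 28 00 01 00 "
    "10 80 22 FF FF FF FF FF FF 04 53 00 10 80 22 00 "
    "07 E9 D9 4E DF 04 53 00 02 9A AA 78 25 00 02 00 "
)

MAGIC_MICRO = 0xA1B2C3D4  # timestamps in microseconds (the slide's file)
MAGIC_NANO = 0xA1B23C4D   # timestamps in nanoseconds


def parse_global_header(data):
    """Decode the 24-byte libpcap global header into a dict.

    The magic number is tried in both byte orders; anything else is rejected
    so that arbitrary data is never silently parsed as a capture.
    """
    if len(data) < 24:
        raise ValueError("too short for a libpcap global header")
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (MAGIC_MICRO, MAGIC_NANO):
            break
    else:
        raise ValueError("not a libpcap capture: magic %s" % data[:4].hex())
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    return {"byte_order": order, "nanoseconds": magic == MAGIC_NANO,
            "version": (major, minor), "thiszone": thiszone,
            "snaplen": snaplen, "linktype": linktype}  # linktype 1 == Ethernet


def is_pcap(data):
    """True when the data starts with a valid libpcap global header."""
    try:
        parse_global_header(data)
        return True
    except ValueError:
        return False


def iter_records(data):
    """Yield one dict per packet record following the global header.

    A record whose payload is cut short (the slide's dump ends 56 bytes into
    a 60-byte frame) is flagged as truncated instead of being dropped.
    """
    order = parse_global_header(data)["byte_order"]
    pos = 24
    while pos < len(data):
        chunk = data[pos:pos + 16]
        if len(chunk) < 16:  # capture ends inside a record header
            yield {"ts_sec": None, "ts_frac": None, "incl_len": None,
                   "orig_len": None, "payload": chunk, "truncated": True}
            return
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", chunk)
        payload = data[pos + 16:pos + 16 + incl_len]
        yield {"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
               "orig_len": orig_len, "payload": payload,
               "truncated": len(payload) < incl_len}
        pos += 16 + incl_len


def describe_ethernet(payload):
    """Decode the 14-byte Ethernet header and classify the frame.

    A type/length field below 0x0600 marks an IEEE 802.3 length frame with an
    LLC header (E0 E0 03 is Novell IPX, which is what the slide's dump holds);
    larger values are Ethernet II EtherTypes such as 0x0800 for IPv4.
    """
    if len(payload) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": payload[0:6].hex(":"), "src": payload[6:12].hex(":"),
            "broadcast": payload[0:6] == b"\xff" * 6}
    type_or_len = struct.unpack(">H", payload[12:14])[0]
    if type_or_len < 0x0600:
        info.update(kind="802.3", length=type_or_len, llc=payload[14:17].hex())
    else:
        info.update(kind="ethernet-ii", ethertype=type_or_len)
    return info


if __name__ == "__main__":
    print(parse_global_header(PCAP_BYTES))
    for rec in iter_records(PCAP_BYTES):
        print("ts=%s incl_len=%s truncated=%s" % (rec["ts_sec"], rec["incl_len"], rec["truncated"]))
        print(describe_ethernet(rec["payload"]))
```

The record's own header promises 60 bytes, but only 56 remain in the dump; a parser that trusts `incl_len` blindly would read past the end of the file, which is why the truncation flag is computed from what is actually present.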

Pages 52-53: Clear Text Protocols

The hacker now looks for something promising, like e-mail ...

Pages 54-55: Clear Text Protocols

Next, the hacker retrieves the whole e-mail text...

Page 56: Clear Text Protocols

How clear-text is e-mail anyway? Mail Transfer Agents (MTAs) often use TLS (Transport Layer Security). When encryption is used, the information is unreadable: intercepting e-mail between MTAs using TLS results in illegible stream contents.

Page 57: Abusing Clear Text Protocols

TLS in the Open System Interconnection (OSI) model:

Page 58: An Aside: the OSI model

Examples of the OSI layers:
- 7 Application: SSH, DHCP, HTTP, DNS, LDAP, SMTP
- 6 Presentation: encryption, serialization
- 5 Session: authorization, authentication, restoration
- 4 Transport: end-to-end, TCP, UDP
- 3 Network: Internet address (IP), routing
- 2 Data Link: Ethernet, MAC, error correction
- 1 Physical: cables and signal transmission

Page 59: Clear Text Protocols?

Page 60: Countermeasures

Countermeasures against clear-text communication:
- TLS is nice, but verifiability is better.
- Cleartext storage of sensitive information is suboptimal.
- GPG/PGP solves both the verifiability and the sensitivity problems.
- In general: clear text transport and storage of sensitive information should be avoided and/or prohibited.

Pages 61-62: Defenses: Don't Use Clear Text

Unreadable for the man in the middle. Example of intercepted SSH communication:

Page 63: Countermeasures: Encryption

Encryption is used for TLS, SSL, and thus SMTP, SSH, HTTPS, SFTP, ....
Generally: all those `S' protocols, and PGP/GPG.
All are using a Public Key Infrastructure (PKI).

Page 64: Countermeasures: Problem: the man-in-the-middle (MIM)

MIM: acts as the Recipient for the Sender, and as the Sender for the Recipient.

Diagram labels: Clear text; MIM's private/public keys.

Pages 65-66: Countermeasures: Solving the MIM-problem

(1) Sender/Recipient verify their identities and exchange the identifications of their public keys (the keys' fingerprints).
(2) Use a trusted third party to verify the other party's identity.

Page 67: Countermeasures

What is a fingerprint? A cryptographically strong hash-value of an electronic document (like a public key).

How to verify an ssh-host's certificate? A host's ssh-key usually is found here: /etc/ssh/ssh_host_rsa_key. To compute its fingerprint:

    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
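What `ssh-keygen -l` prints is nothing more than a hash of the key's wire-format bytes, and comparing that hash with one obtained out of band (slide "Solving the MIM-problem (1)") is what defeats the man in the middle, who can substitute his own key but cannot make it hash to the expected value. The code below is an added example, not from the slides or from OpenSSH: it builds a constructed toy key (a placeholder modulus, far too small for real use) in OpenSSH's public-key line format, computes both the SHA256 and the legacy MD5 fingerprint exactly as OpenSSH formats them, and compares a fingerprint shown by a client against the expected one in constant time. The wire-format encoding of `ssh-rsa` keys and the two fingerprint formats are the only assumptions.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(raw):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(raw)) + raw


def _ssh_mpint(value):
    """SSH wire 'mpint' for a positive integer: big-endian, with a leading
    zero byte whenever the top bit is set so it is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def toy_public_key_line(comment="toy-key@example.invalid"):
    """Assemble a CONSTRUCTED 'ssh-rsa <base64> <comment>' line.

    The modulus is a placeholder; the only purpose is a syntactically valid
    key blob that can be fingerprinted offline.
    """
    exponent = 65537
    modulus = 0xC0FFEE1234567890ABCDEF9876543210FEDCBA  # placeholder, not a real key
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def key_blob(line):
    """Base64-decode the key field of an OpenSSH public-key line
    ('<type> <base64> [comment]', as in known_hosts or authorized_keys)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return base64.b64decode(fields[1], validate=True)


def fingerprint_sha256(line):
    """'SHA256:' + unpadded base64 of SHA-256 over the blob (ssh-keygen -l default)."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(line):
    """'MD5:' + colon-separated hex of MD5 over the blob (ssh-keygen -l -E md5)."""
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(seen, expected):
    """Compare the fingerprint a client displayed with the one obtained out of band.

    Tolerates an optional 'MD5:' prefix and hex case (base64 SHA256 values are
    case-sensitive and left alone), then compares in constant time so timing
    does not reveal how many leading characters agreed.
    """
    def normalise(fp):
        fp = fp.strip()
        if fp[:4].upper() == "MD5:":
            fp = fp[4:]
        if fp[:7].upper() == "SHA256:":
            return "SHA256:" + fp[7:]
        return fp.lower()
    return hmac.compare_digest(normalise(seen).encode(), normalise(expected).encode())


if __name__ == "__main__":
    line = toy_public_key_line()
    print(line)
    print(fingerprint_sha256(line))
    print(fingerprint_md5(line))
```

The comment field never enters the hash, so two lines that differ only in their comment fingerprint identically; conversely a single changed character anywhere in the blob produces an unrelated fingerprint, which is what makes an out-of-band comparison meaningful.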

Page 68: Countermeasures: Encryption

Use encryption when transporting sensitive data (e.g., https, secure http).

Page 69: Countermeasures: Encryption

Inspect and verify the certificate:

Page 70: PGP/GPG

Encryption using a Public Key Infrastructure (PKI):
- Widely known public key
- Privately kept private (or secret) key
- Passphrase to use the private key
- Software is free
- No known practically feasible way to subvert

Page 71: PGP/GPG

Facilities:
- Encrypt your own sensitive data
- Ensure the authenticity of a sender (maybe yourself to somebody else)
- Ensure that nobody but the intended sender is able to read confidential information

Page 72: GPG/PGP

Pretty Good Privacy / Gnu's Privacy Guard

Page 73: Buggy Software

Software often contains (serious) bugs: http://cve.mitre.org/cve/cve.html

Pages 74-75: Update Software

Most problems are caused by a bad security mentality: indifference, lack of knowledge.

Irrespective of those serious psychological defects, hackers try to exploit (not so) well-known weaknesses in software.

But ... how do you know the update itself is not distributed by the hacker? Use signatures!

    Frank B. Brokken
    Computing Center, University of Groningen
    (+31) 50 363 9281
    Public PGP key: http://pgp.surfnet.nl:11371
    Key Fingerprint: DF32 13DE B156 7732 E65E 3B4D 7DB2 A8BE EAE4 D8AA

Page 76: Weak Passwords

Password files may often be grabbed:
- by local users
- using XSS and friends, e.g., web-forms

Using brute-force password cracking, dictionary attacks, or rainbow tables the hacker searches until a match is found. Various tools for password cracking exist (e.g., john).
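A cracker does not start with brute force: it tries wordlist entries, then the same words with digits appended and with letter-for-symbol substitutions, and only then the full keyspace. A password policy that checks for the same things before a password is accepted removes most of what such a tool would find. The following is an added example, not code from the slides or from any cracking tool: it applies those mangling rules in reverse to a candidate password and lists the reasons it would fall quickly. The wordlist is a tiny constructed stand-in for the dictionaries a cracker loads, and the length and bit thresholds are assumed policy values.

```python
import math
import re
import string

# Constructed stand-in for a cracker's wordlist (real ones hold millions of entries).
WORDLIST = {
    "password", "welcome", "letmein", "groningen", "summer",
    "qwerty", "admin", "monkey", "dragon", "secret",
}

# Straight runs along a keyboard row are among the first guesses tried.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Reverse the substitutions users make to 'disguise' a word; crackers apply
# exactly these rules, so 'P@ssw0rd' is no safer than 'password'.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password):
    """Strip leading/trailing digits and symbols, undo l33t, lowercase."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return core.translate(LEET).lower()


def charset_size(password):
    """Size of the alphabet an attacker must assume, judged from what appears."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return max(size, 1)


def estimated_bits(password):
    """Upper bound on brute-force work: log2(charset ** length)."""
    return len(password) * math.log2(charset_size(password))


def password_weaknesses(password, min_length=12, min_bits=50):
    """Return the reasons a password would fall quickly (empty list: none found).

    Checks are ordered the way a cracker gets results: trivial strings first,
    then the wordlist with mangling rules undone, brute force as a last resort.
    """
    reasons = []
    low = password.lower()
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if password.isdigit():
        reasons.append("digits only")
    if password and len(set(low)) <= 2:
        reasons.append("repeated characters")
    if len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard row pattern")
    core = base_word(password)
    if core in WORDLIST:
        reasons.append("dictionary word '%s' once digits and substitutions are undone" % core)
    if estimated_bits(password) < min_bits:
        reasons.append("brute-force space under %d bits" % min_bits)
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd123", "Welcome2013!", "correct-horse-battery-staple!9"):
        print("%-32s %s" % (candidate, password_weaknesses(candidate) or "no weakness found"))
```

`Welcome2013!` is the instructive case: it satisfies a typical "12 characters, mixed case, digit and symbol" rule and has over 70 bits of nominal brute-force space, yet it is a wordlist entry plus a year, which a cracker's mangling rules cover in its first pass.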

Page 77: Liberally configured Systems

- IP addresses, cf. street and house numbers (129.125.xxx.yyy)
- Ports, cf. rooms inside a hotel
- Services are often found at standard ports: 25: smtp (e-mail); 80: http (www); 137/138: Windows RPC

Page 78: Liberally configured Systems

Services are often found at standard ports: the hacker scans the (well-known) ports, then exploits well-known weaknesses:

    Starting nmap V. 5.00 ( http://nmap.org ) at 2010-10-14 13:46 CEST
    Interesting ports on pc-128.rc.rug.nl (129.125.3.143):
    (The 1552 ports scanned but not shown below are in state: closed)
    Port     State  Service
    135/tcp  open   loc-srv
    139/tcp  open   netbios-ssn
    Remote ope
    Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (95%)

    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
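The defence against a liberally configured system is to know which ports a host is supposed to expose and to treat every other open port as unintended attack surface. The code below is an added example, not from the slides or from nmap: it parses port lines in the format of the scan shown above (the scan text is constructed from those lines) and compares them against a baseline of expected services, reporting what is open but unexpected and what is expected but missing. The baseline itself is an assumed example policy, not anything from the university.

```python
import re

# Constructed from the scan lines shown on the slide.
SCAN_OUTPUT = """\
Starting nmap V. 5.00 ( http://nmap.org ) at 2010-10-14 13:46 CEST
Interesting ports on pc-128.rc.rug.nl (129.125.3.143):
(The 1552 ports scanned but not shown below are in state: closed)
Port     State  Service
135/tcp  open   loc-srv
139/tcp  open   netbios-ssn
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
"""

# One scan line per port: '<port>/<proto>  <state>  <service>'. States such as
# 'open|filtered' contain a '|', hence \S+ rather than \w+ for the state field.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_open_ports(text):
    """Return {(port, proto): service} for every port reported as open."""
    found = {}
    for port, proto, state, service in PORT_LINE.findall(text):
        if state == "open":
            found[(int(port), proto)] = service
    return found


def audit(text, baseline):
    """Split a scan into expected, unexpected and missing services.

    baseline: {(port, proto): service} the host is meant to expose. Anything
    open outside it is unexpected attack surface to investigate; anything in
    the baseline that is not open is an outage of a service you rely on.
    """
    open_ports = parse_open_ports(text)
    return {
        "expected": {k: v for k, v in open_ports.items() if k in baseline},
        "unexpected": {k: v for k, v in open_ports.items() if k not in baseline},
        "missing": {k: v for k, v in baseline.items() if k not in open_ports},
    }


def report_lines(result):
    """Human-readable summary, one line per finding, unexpected ports first."""
    lines = []
    for (port, proto), service in sorted(result["unexpected"].items()):
        lines.append("UNEXPECTED %d/%s (%s): not in baseline" % (port, proto, service))
    for (port, proto), service in sorted(result["missing"].items()):
        lines.append("MISSING    %d/%s (%s): expected but not open" % (port, proto, service))
    for (port, proto), service in sorted(result["expected"].items()):
        lines.append("ok         %d/%s (%s)" % (port, proto, service))
    return lines


if __name__ == "__main__":
    # Assumed policy for the example host: it should only offer SSH.
    baseline = {(22, "tcp"): "ssh"}
    for line in report_lines(audit(SCAN_OUTPUT, baseline)):
        print(line)
```

Run against the slide's scan with a baseline that allows only SSH, the audit flags 135/tcp and 139/tcp as unexpected and 22/tcp as missing; a baseline that already lists those two Windows ports produces an empty unexpected set, which is the state a regularly scheduled self-scan should stay in.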

Page 79: Countermeasures

Virtual Machines: VMware, VirtualBox. Widely known and a great way to nest operating systems in your computer.

But there is more than merely Virtual Machines: disposable VMs. Be sure to follow up on Joanna Rutkowska's Invisible Things Lab, and the Qubes OS: http://invisiblethingslab.com/itl/Welcome.html

Page 80: ICT Security

Day 2: Hardening the local system
- Basic principles behind `System Hardening'
- Deploying a File Integrity Scanner (Stealth)

Page 81: Focus on Security: General Principles

dr. Frank B. Brokken
Center of Information Technology, University of Groningen
2013