Focus on Security. 2 dr. Frank B. Brokken ([email protected]) Center of Information Technology...
Focus on Security
2
Focus on Security
dr. Frank B. Brokken
Center of Information Technology, University of Groningen
2013
3
ICT Security
Topics:
Day 1: General principles.
Day 2: System hardening and integrity.
Day 3: Keeping the bad guys out.
Day 4: Seeing the invisible; what's passing through the wires?
Day 5: Summary and conclusions
4
ICT Security
General principles:
Focusing on security
Well-known security risks
Defense mechanisms
How can encryption help? Public Key Infrastructures
PGP/GPG, SSL
5
Security Focus
CIA: Confidentiality, Integrity, Availability
9
Security Risks
What are the risks when CIA is reduced?
Confidentiality: unauthorized access to confidential information.
Integrity: abuse of data and/or computers.
Availability: can't use our computers/data.
11
Defense Mechanisms
We'll cover:
Organization of prevention and recovery
    How has `security' been organized at, e.g., my university?
Dangers of commonly used practices
    What's wrong with what we've learned to do in the past?
Improvements over these practices
    What can we do to prevent falling into traps?
Firewalls: philosophies and setup, DMZs
    What's the use of firewalls? How can they be deployed (and abused)?
Securing information using encryption
    How can encryption be used in real life?
Various tools will be covered during this week.
    How can tools help to improve security?
17
Prevention and Recovery
ICT Security:
embed activities in larger structures.
primarily a question of the right mentality.
rules and documents work to some extent; a foundation to fall back upon.
18
Embedding ICT Security
Considerations:
Role models: who's handling incidents? new developments
The Communication Network
Embedding ICT-Security
Any activities promoting ICT-Security?
19
Role models: who's handling incidents?
Embedding ICT Security
20
Role models: new developments
Embedding ICT Security
21
The Communications Network
University: an organization of faculties and services.
Systems managers: more or less `trusted'.
The `Outside world': how does information reach the University? What information reaches the University?
Embedding ICT Security
22
SEP: Communications Network
University: organization of faculties and services.
Systems managers: more or less `trusted'.
`Outside world': how information reaches the University.
October 2000: The University of Groningen introduced the function of ICT Security Manager.
Embedding ICT Security
23
Communications Network
Aim: create a communication structure that is independent of the persons involved.
Embedding ICT Security
24
The Communications Network
Primary link between Cert-NL and the University.
SEP is a person, a member of a team.
SEP - member of a team: the crash-team, technical specialists invoked to fight serious security-related incidents.
Diagram: cert-nl (Outside world) -- [email protected] (SEP) -- crashteam (Within the University)
Embedding ICT Security
27
Embedding ICT-Security
The security kernel group represents the U. of Groningen's accredited Terena cert team.
Organization chart: director; Security Manager; Security Kernel Group; units of the Services, the Computing Center and the Faculties of the U. of Groningen.
Embedding ICT Security
Terena: Trans European Research and Education Networking Association
29
Activities Promoting ICT-Security
WebSite: http://www.rug.nl/cit/security
In particular note (also in English): https://www.rug.nl/cit/security/aup (the Acceptable Use Policy of the U. of Groningen)
`Column' in bimonthly Pictogram publication
Security Courses (honeypots, GPG/PGP, forensics, security awareness, information security)
Advisories, not just those that are asked-for.
Formal documents and procedures (e.g., the AUP): shutting down accounts, access to data
In general: be visible
Embedding ICT Security
35
Acceptable Use Policy
...
Embedding ICT Security
36
Some Sections in an Acceptable Use Policy:
User responsibilities
Responsibilities of Systems Managers
Topics: passwords, facilities, privileges
Consequences of abuse
Legal framework
Framework for the AUP itself: BS 7799, ISO 27001.
Embedding ICT Security
37
Attack Profiles
38
Falkland war: HMS Sheffield
Who can be trusted?
39
Unhappy Employees
Who can be trusted?
40
Script kiddies: thrilling, and yet simple.
Who is the hacker?
    # Fragment of a Perl mail-header parsing script as shown (truncated) on the slide
    sub storeHdr{ return if !@{$_[0]};
        push (@headers, [ @{$_[0]}
        $subject = $headers[-1] if !$subject && ${ @{$_
        if (${ @{$_[0]} }[0] =~ /^re push (@received, ${ @{$_ } }
41
Professionals....
Dangers from unexpected corners
42
Information Security
If you spend more on coffee than on IT security,
then you will be hacked.
What's more, you deserve to be hacked.
Richard Clarke
Former Special Advisor to the US President on Cybersecurity
But also....
43
Serious Incidents: Medical faculty, Space Research
Center, Child Pornography, `February 2007' hack
Communicate the incident to law-enforcement agencies
What is the response?
44
Dangers of Common Practices
Clear-text protocols
    Main danger: password sniffing
Outdated software
    Main danger: well-known exploits allow hackers to intrude into your system
Sleepy system administrators
    Main danger: intrusions are not detected when they have occurred
Too liberally configured systems
    Main danger: intruders may use many approach routes; serious system management becomes too time-consuming
Weak passwords
    Main danger: intruders gain access through guessed or probed passwords.
49
Clear Text Protocols
Internet traffic uses routes:
    traceroute to 221.117.40.249 (221.117.40.249),
     1 129.125.3.252
     2 Gi11-0.AR5.Groningen1.surf.net
     3 PO6-0.CR2.Amsterdam1.surf.net
     4 PO1-0.CR1.Amsterdam1.surf.net
     5 P0-0.BR1.Amsterdam1.surf.net
     6 ge-2-1-0.ar1.AMS1.gblx.net
     7 so4-0-0-2488M.cr2.AMS2.gblx.net
     8 pos1-0-2488M.cr2.WDC2.gblx.net
     9 so5-1-0-2488M.ar1.DCA3.gblx.net
    10 208.51.6.34
    11 p16-0-1-2.r20.plalca01.us.bb.verio.net
    12 xe-0-2-0.r21.plalca01.us.bb.verio.net
    13 p64-0-0-0.r21.mlpsca01.us.bb.verio.net
    14 p16-6-0-0.r80.mlpsca01.us.bb.verio.net
    15 p16-0-2-0.r20.tokyjp01.jp.bb.verio.net
    16 xe-1-0-0.a21.tokyjp01.jp.ra.verio.net
    17 61.213.161.90
    18 61.122.114.93
    19 61.122.113.6
    20 usen-221x112x21x130.ap-US01.usen.ad.jp
    21 usen-221x117x40x249.ap-US01.usen.ad.jp
50
Clear Text Protocols
Information is often sent using clear text: e-mail, WWW, telnet, file sharing (smb), RPC.
Hackers may intercept this information anywhere along the route using sniffers.
51
Clear Text Protocols
Hackers may intercept this information anywhere along the route using sniffers.
Hackers use tools to read the information:
    ICCE Hexadecimal Byte Dump Utility. Version 1.20. Copyright ICCE (c), 1989 - 1996. All rights reserved.
    00000000: D4 C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 ................
    00000010: DC 05 00 00 01 00 00 00 2B A6 1F 40 A2 6E 0A 00 ........+..@.n..
    00000020: 3C 00 00 00 3C 00 00 00 FF FF FF FF FF FF 00 07 <...<...........
    00000030: E9 D9 4E DF 00 2C E0 E0 03 FF FF 00 28 00 01 00 ..N..,......(...
    00000040: 10 80 22 FF FF FF FF FF FF 04 53 00 10 80 22 00 ..".......S...".
    00000050: 07 E9 D9 4E DF 04 53 00 02 9A AA 78 25 00 02 00 ...N..S....x%...
52
Clear Text Protocols
53
Clear Text Protocols
The hacker now looks for something promising, like e-mail ...
54
Clear Text Protocols
55
Clear Text Protocols
Next, the hacker retrieves the whole e-mail text...
56
Clear Text Protocols
How clear-text is e-mail anyway?
Mail Transfer Agents (MTAs) often use TLS: Transport Layer Security.
When encryption is used, the information is unreadable: intercepting e-mail between MTAs using TLS results in illegible stream contents.
57
Abusing Clear Text Protocols
TLS in the Open System Interconnection (OSI) model:
58
An Aside: the OSI model
Examples of the OSI layers:
7 Application: SSH, DHCP, HTTP, DNS, LDAP, SMTP
6 Presentation: encryption, serialization
5 Session: authorization, authentication, restoration
4 Transport: end-to-end, TCP, UDP
3 Network: Internet address (IP), routing
2 Data Link: Ethernet, MAC, error correction
1 Physical: cables and signal transmission
59
Clear Text Protocols?
60
Countermeasures against clear-text communication:
TLS is nice, but verifiability is better.
Cleartext storage of sensitive information is suboptimal.
GPG/PGP solves both the verifiability and the sensitivity problems.
In general: clear text transport and storage of sensitive information should be avoided and/or prohibited.
Countermeasures
61
Unreadable for the man in the middle. Example of intercepted SSH communication:
Defenses: Don't Use Clear Text
62
Defenses: Don't Use Clear Text
63
Countermeasures Encryption:
Encryption is used for TLS, SSL, and thus SMTP, SSH, HTTPS, SFTP, ....
Generally: all those `S' protocols, and PGP/GPG
All are using a Public Key Infrastructure (PKI).
64
Countermeasures
Problem: the man-in-the-middle (MIM):
MIM: acts as the Recipient for the Sender, and as the Sender for the Recipient.
Diagram: Sender -- clear text -- MIM (MIM's private/public keys) -- Recipient
65
Countermeasures Solving the MIM-problem (1)
Sender/Recipient verify their identities
And exchange the identifications of their public keys (the key's fingerprint)
66
Countermeasures Solving the MIM-problem (2)
Use a trusted third party to verify the other party's identity
67
What is a fingerprint? A cryptographically strong hash-value of an electronic document (like a public key).
How to verify an ssh-host's certificate? A host's ssh-key usually is found here: /etc/ssh/ssh_host_rsa_key. To compute its fingerprint:
    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
Countermeasures
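What the fingerprint check on this slide does, as an added Python example (not code from the slides): it computes a public key's fingerprint both in the legacy MD5 colon form that older ssh-keygen -l prints and in the newer SHA256 form, and then compares the key a host actually presents with the fingerprint exchanged out of band, which is how the man-in-the-middle of the previous slides is detected. The RSA key blobs are constructed toy values, not real keys; parse_pubkey_line and key_matches_fingerprint are names chosen here.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 byte when the top bit is set."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """Binary ssh-rsa public key: string "ssh-rsa", mpint e, mpint n (these bytes get hashed)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_pubkey_line(line: str) -> bytes:
    """Decode an OpenSSH public-key line ("type base64 [comment]") and check the embedded type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    return blob

def fingerprint_md5(blob: bytes) -> str:
    """Legacy ssh-keygen -l output: MD5 of the blob as 16 colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Current ssh-keygen -l output: "SHA256:" plus unpadded base64 of SHA-256 of the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def key_matches_fingerprint(line: str, expected: str) -> bool:
    """Compare the key a host actually presents with the fingerprint obtained out of band."""
    blob = parse_pubkey_line(line)
    seen = fingerprint_sha256(blob) if expected.startswith("SHA256:") else fingerprint_md5(blob)
    return hmac.compare_digest(seen, expected)  # constant-time string comparison

def make_pubkey_line(n: int, comment: str) -> str:
    """Build a public-key line from a constructed modulus (toy value, not a real key)."""
    return "ssh-rsa " + base64.b64encode(build_rsa_blob(65537, n)).decode() + " " + comment

# Constructed toy keys: the genuine host key, and the one a man-in-the-middle would present instead.
GENUINE_LINE = make_pubkey_line(0xC0FFEE123456789ABCDEF0, "host")
SUBSTITUTED_LINE = make_pubkey_line(0xDEADBEEF0BADF00DCAFEBABE, "host")
```

A fingerprint only protects against the MIM if it reaches you over a channel the MIM does not control (in person, on paper, or signed by a key you already trust), which is what the two "solving the MIM-problem" slides describe.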
68
Countermeasures Encryption:
Use encryption when transporting sensitive data (e.g., https, secure http)
69
Encryption: inspect and verify the certificate:
Countermeasures
70
Encryption using Public Key Infrastructure (PKI)
Widely known public key
Privately kept private (or secret) key
Passphrase to use the private key
Software is free
No known practically feasible way to subvert
PGP/GPG
71
Facilities:
Encrypt your own sensitive data
Ensure the authenticity of a sender (maybe yourself to somebody else)
Ensure that nobody but the intended sender is able to read confidential information
PGP/GPG
72
GPG/PGP: Pretty Good Privacy / Gnu's Privacy Guard
73
Software often contains (serious) bugs:
Buggy Software
http://cve.mitre.org/cve/cve.html
74
Update Software
Most problems are caused by a bad security mentality: indifference, lack of knowledge.
But ... irrespective of those serious psychological defects, hackers try to exploit (not so) well-known weaknesses in software.
How do you know the update itself is not distributed by the hacker? Use signatures!
Update Software
Frank B. Brokken, Computing Center, University of Groningen, (+31) 50 363 9281
Public PGP key: http://pgp.surfnet.nl:11371
Key Fingerprint: DF32 13DE B156 7732 E65E 3B4D 7DB2 A8BE EAE4 D8AA
76
Password files may often be grabbed: by local users; using XSS and friends, e.g., web-forms.
Using brute force password-cracking, dictionary attacks, or rainbow tables the hacker searches until a match is found.
Various tools for password cracking exist (e.g. john).
Weak Passwords
77
IP addresses: cf. street and house-numbers (129.125.xxx.yyy)
Ports: cf. rooms inside a hotel
Services are often found at standard ports: 25: smtp (e-mail); 80: http (www); 137/138: Windows RPC
Liberally configured Systems
78
Services are often found at standard ports:
Hacker scans the (well-known) ports; hacker exploits well-known weaknesses:
    Starting nmap V. 5.00 ( http://nmap.org ) at 2010-10-14 13:46 CEST
    Interesting ports on pc-128.rc.rug.nl (129.125.3.143):
    (The 1552 ports scanned but not shown below are in state: closed)
    Port     State  Service
    135/tcp  open   loc-srv
    139/tcp  open   netbios-ssn
    Remote ope
    Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (95%)
    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
Liberally configured Systems
79
Virtual Machines: VMWare, VirtualBox
Widely known and a great way to nest operating systems in your computer.
But there is more than merely Virtual Machines: Disposable VMs.
Be sure to follow up on Joanna Rutkowska's invisible things lab, and the Qubes OS.
http://invisiblethingslab.com/itl/Welcome.html
Countermeasures
80
Day 2: Hardening the local system
Basic principles behind `System Hardening'
Deploying a File Integrity Scanner (Stealth)
ICT Security
81
Focus on Security: General Principles
dr. Frank B. Brokken
Center of Information Technology, University of Groningen
2013