PF3,4,12 W 2 - Summary Security in Computing PDF

Title PF3,4,12 W 2 - Summary Security in Computing
Author Trenton Arthur
Course Computer Security I
Institution North-West University
Pages 6

Summary

Summary of Chapters 3, 4 and 12 along with work from 2nd Textbook - Principles of Information Security by Michael E. Whitman and Herbert J. Mattord....


Description

Pfleeger 3 + Whitman 2

1. Types of Malware

Pfleeger 4 



1. Browser attacks

Browser attacks are done for a purpose; this may be to access secret information such as bank details or data stored on the computer, etc. There are mainly three ways to attack a browser.
o Firstly, the attacker may attack the operating system of the computer and is thus able to change the browser’s functionality or code, providing them with the data they want when you make use of the browser in any way.
o Secondly, the attacker may go for the browser or its components, such as add-ons or plugins. This allows the attacker to control the browser, as it has been compromised.
o Lastly, the attacker may try to intercept or modify the communication between the browser and the other end. This may mean that if the user tries to make a purchase online, the attacker may intercept this information and send the money to himself rather than to the specified company or person.

Browsers are software that provides a gateway to the internet. A browser connects to several locations to obtain data. Browsers support add-ons, which provide extra functionality. A browser can access data on the user’s computer.

1.1. Types of Browser Attacks and Countermeasures:

1.1.1. Man-in-the-browser
In this attack, the attacker makes use of a trojan horse to intercept or modify any communication made within the browser. The purpose of this attack is to perform financial fraud by altering the amount given by the user, so that a different amount is sent to be confirmed by the bank, as well as changing the account details to the attacker’s.

1.1.2. Keystroke logger
This form of attack is used to gain secret information such as passwords, PINs or account numbers. Keyloggers track the keys pressed on the keyboard and store this data to send back to the attacker. Keyloggers can be installed by two means, either hardware or software. Concerning software, malicious code is inserted into software and, once the user downloads and installs the software, the keylogger is activated. Concerning hardware, a USB stick may be inserted into the computer, which activates the keylogger and stores the data on the flash drive.

1.1.3. Page-in-the-middle
This attack redirects the user to a different web page, which then allows the attacker to intercept or modify any data that has been captured by the browser. It is very similar to man-in-the-middle, although man-in-the-middle does not alter the sites visited by the user but rather alters the browser to receive the information.

1.1.4. Program download substitution
The attacker uses this method to get the user to download software which contains malicious code. The attacker may create a fancy site that makes its software look appealing, and you download and install the malicious code on your computer within the software. This is a common way for keyloggers/spyware to be installed.

1.1.5. User-in-the-middle
CAPTCHAs are being used around every website when a user needs to log in; this is to prevent automated bots from accessing the website and its data. A CAPTCHA is an image of jumbled-up letters and numbers which are not text; the user has to identify and type what is seen. Attackers may make use of users to complete CAPTCHAs so that they are able to gain access.

1.2. Countermeasures

Authentication failure is the cause of most attacks, and therefore users need to be consistently aware of their security measures and vulnerabilities.

1.2.1. Shared Secret
This is something that only the user may know, and it serves as an extra security measure for authentication. One may use the name of your first pet or a movie. Credit card companies use the number on the back of the card to verify that the card is indeed with the user.

1.2.2. One-Time Password
This is a password which may be sent to you via email or SMS; this password will expire after a few minutes, even seconds. This is a reliable security measure, as it is constantly changing, so the attacker would find it difficult to obtain.

1.2.3. Out-of-Band Communication
This means making sure that the PIN for a bank card isn’t obtained along with the card, by sending the two separately from each other.
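A sketch of the one-time password from 1.2.2, showing the two properties the notes rely on: the code expires and can be used only once. This is an added example, not part of the original notes; the class name, the 120-second lifetime, the 6-digit format and the rule that any attempt consumes the code are assumptions.

```python
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 120  # assumed lifetime ("a few minutes, even seconds")


class OneTimePasswords:
    """Issues short-lived, single-use numeric codes (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # user -> (code, expiry timestamp)

    def issue(self, user):
        """Create a fresh 6-digit code; delivery by email or SMS is out of scope."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self._pending[user] = (code, self._clock() + OTP_LIFETIME_SECONDS)
        return code

    def verify(self, user, submitted):
        """Accept the code once and only before expiry.

        The pending entry is removed on every attempt, so a wrong guess
        also invalidates the code and a new one has to be issued.
        """
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(code.encode(), submitted.encode())


if __name__ == "__main__":
    otp = OneTimePasswords()
    code = otp.issue("alice")
    print("first use :", otp.verify("alice", code))
    print("second use:", otp.verify("alice", code))
```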

2. Web attacks against users

2.1. Fake Web Site
A fake website is built using the exact same images that the original site uses, so that the victim will not be able to identify that it is fake. All the attacker needs to do is change the values associated with links so that they point to places where the attacker can obtain something from the victim.

2.2. Fake Code
This attack tricks the user into installing software which is advertised as one thing but turns out to be something completely different. The attacker’s code is then distributed through the software which the victim has installed.

2.3. Tracking Bug
Tiny action points called web bugs can report page traversal patterns to central collecting points, compromising privacy. A web bug can be placed on a website as a 1x1 pixel which cannot be seen by the user, and it is loaded each time along with the page.

2.4. Clickjacking
Tricking a user into clicking a link by disguising what the link points to. A clickjacking attack succeeds because of what the attacker can do:
• Choose and load a page with a confirmation box that commits the user to an action with one or a small number of mouse clicks (for example, “Do you want to install this program? [Yes] [Cancel]”).
• Change the image’s colouring to transparent.
• Move the image to any position on the screen.
• Superimpose a benign image underneath the malicious image with what looks like a button directly under the real (but invisible) button for the action the attacker wants.
• Induce the victim to click what seems to be a button on the benign image.

2.5. Drive-By Download
Code is downloaded, installed, and executed on a computer without the user’s knowledge. May be the result of clickjacking, fake code, program download substitution, etc.

3. Obtaining User or Website Data

3.1. Cross-Site Scripting (XSS)
Scripting attack: forcing the server to execute commands (a script) in a normal data fetch request.
• Tricking a client or server into executing scripted code by including the code in data inputs.
• Scripts and HTML tags are encoded as plaintext just like user inputs, so they can take over web pages similarly to the way buffer overflow attacks can take over programs.

Coolstory.KCTVBigFan

3.2. SQL Injection
Injecting SQL code into an exchange between an application and its database server.
Example:
• Loading an SQL query into a variable, taking the value of acctNum from an arbitrary user input field:
    QUERY = "SELECT * FROM trans WHERE acct = '" + acctNum + "';"
• The same query with malicious user input:
    QUERY = "SELECT * FROM trans WHERE acct = '2468' OR '1'='1';"

3.3. Dot-Dot-Slash
• Also known as “directory traversal,” this is when attackers use the term “../” to access files that are on the target web server but not meant to be accessed from outside.
• Most commonly entered into the URL bar, but may also be combined with other attacks, such as XSS.
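A server-side check for the “../” requests described in 3.3, written as an added example that is not part of the original notes. The document root /var/www/site, the function names and the sample request paths are assumptions constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # hypothetical document root (assumption)


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, so double-encoded '../' is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still changes after repeated decoding")


def resolve_request_path(requested, root=WEB_ROOT):
    """Map a requested path into root, or raise ValueError if it escapes."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Join under the root, then collapse '.' and '..' segments lexically.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath compares whole segments, so '/var/www/site-old' is not
    # mistaken for something inside '/var/www/site'.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the web root")
    return candidate


def is_allowed(requested):
    """True when the request stays inside WEB_ROOT."""
    try:
        resolve_request_path(requested)
        return True
    except ValueError:
        return False


# Constructed request paths: two ordinary ones, then '../' variants.
SAMPLES = ["images/logo.png", "docs/../index.html", "../../etc/passwd",
           "%2e%2e%2f%2e%2e%2fetc/passwd", "%252e%252e%252fetc/passwd",
           "..\\..\\etc\\passwd", "../site-old/config"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:40} allowed={is_allowed(path)}")
```

The check is purely lexical; a deployment that serves symbolic links would also need to resolve them before comparing against the root.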

3.4. Server-Side Include (SSI)
• SSI is an interpreted server-side scripting language that can be used for basic web server directives, such as including files and executing commands.
• As is the case with XSS, some websites are vulnerable to allowing users to execute SSI directives through text input.

3.5. Countermeasures to Injections
• Filter and sanitize all user input
• Need to account for every potentially valid encoding
• Make no assumptions about the range of possible user inputs—trust nothing, check everything
• Use access control mechanisms on backend servers, such as “stored procedures”
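The concatenated query from 3.2 next to a parameterized form and an input filter in the spirit of 3.5, as an added example that is not part of the original notes. The in-memory sqlite3 table, its rows, the function names and the digits-only account format are assumptions made for the demonstration.

```python
import re
import sqlite3

ACCT_FORMAT = re.compile(r"[0-9]{1,12}")  # assumed account-number format


def make_db():
    """Build a constructed in-memory 'trans' table holding two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trans (acct TEXT, amount INTEGER)")
    db.executemany("INSERT INTO trans VALUES (?, ?)",
                   [("2468", 100), ("2468", -40), ("1357", 900)])
    return db


def lookup_concatenated(db, acct_num):
    """The pattern from the notes: user input is pasted into the SQL text."""
    query = "SELECT * FROM trans WHERE acct = '" + acct_num + "';"
    return db.execute(query).fetchall()


def lookup_parameterized(db, acct_num):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    return db.execute("SELECT * FROM trans WHERE acct = ?",
                      (acct_num,)).fetchall()


def is_valid_acct(acct_num):
    """Input filter: accept only what an account number can look like."""
    return ACCT_FORMAT.fullmatch(acct_num) is not None


# Constructed input that reproduces the malicious query shown in 3.2.
MALICIOUS = "2468' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, honest   :", len(lookup_concatenated(db, "2468")))
    print("concatenated, malicious:", len(lookup_concatenated(db, MALICIOUS)))
    print("parameterized, malicious:", len(lookup_parameterized(db, MALICIOUS)))
    print("filter accepts malicious:", is_valid_acct(MALICIOUS))
```

With the concatenated query the condition becomes always true and every account’s rows come back; with the bound parameter the same input is compared as a literal account string and matches nothing.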

4. Email Attacks

4.1. Email Spam
Experts estimate that 60% to 90% of all email is spam. Types of spam:
• Advertising
• Pharmaceuticals
• Stocks
• Malicious code
• Links for malicious websites

Spam countermeasures:
• Laws against spam exist but are generally ineffective
• Email filters have become very effective for most spam
• Internet service providers use volume limitations to make spammers’ jobs more difficult

4.2. Phishing
• A message that tries to trick a victim into providing private information or taking some other unsafe action.
• Spear phishing: A targeted attack that is personalized to a particular recipient or set of recipients

4.3. Countermeasures
• User education
  o Limited effectiveness and very subject to co-evolution with attacks.
• PGP and S/MIME
  o Cryptographic solutions that have seen very limited adoption after years on the market.

Pfleeger 12

1. Methods of Cryptanalysis
• Break (decrypt) a single message
• Recognize patterns in encrypted messages
• Infer some meaning without even breaking the encryption, such as from the length or frequency of messages
• Easily deduce the key to break one message and perhaps subsequent ones
• Find weaknesses in the implementation or environment of use of encryption by the sender
• Find general weaknesses in an encryption algorithm

2. Cryptanalysis Inputs
• Ciphertext only
  a. Look for patterns, similarities, and discontinuities among many messages that are encrypted alike
• Plaintext and ciphertext, so the cryptanalyst can see what transformations occurred
  a. Known plaintext
  b. Probable plaintext
  c. Chosen plaintext

3. Cryptographic Primitives
a. Substitution
   i. One set of bits is exchanged for another
b. Transposition
   i. Rearranging the order of the ciphertext to break any repeating patterns in the underlying plaintext
c. Confusion
   i. An algorithm providing good confusion has a complex functional relationship between the plaintext/key pair and the ciphertext, so that changing one character in the plaintext causes unpredictable changes to the resulting ciphertext
d. Diffusion
   i. Distributes the information from single plaintext characters over the entire ciphertext output, so that even small changes to the plaintext result in broad changes to the ciphertext

4. Shannon’s Characteristics of Good Ciphers
• The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
• The set of keys and the enciphering algorithm should be free from complexity
• The implementation of the process should be as simple as possible
• Errors in ciphering should not propagate and cause corruption of further information in the message
• The size of the enciphered text should be no larger than the text of the original message

5. Properties of a Trustworthy Cryptosystem
a. It is based on sound mathematics
b. It has been analyzed by competent experts and found to be sound
c. It has stood the test of time

6. DES (Data Encryption Standard) Algorithm...

