COSC 4P14: What could possibligh go wrong?
Brock University
Common attacks and exploits

We’ve talked about how to use individual tools (encryption, authentication, etc.), but there’s something much larger, and more basic, to consider:
Any system is only as secure as its weakest point of ingress
That is, a dozen great tools and one stupid mistake lead to many sad-faces
Let’s talk about some concerns.
Eavesdropping

Of course, the problems with eavesdropping are mostly self-evident. The expectation is that communication should normally be readable only by the parties involved
We’ve already talked about how trivial it is to eavesdrop on broadcast media
In other words: stop using open wifi. There are plenty of things that can go wrong!
Session hijacking

Remember how cookies work? And how you can authenticate yourself to a web server, and then keep including proof of having identified yourself in the header?
Yeah... if someone ’hears’ that header, he or she can become you
Fun fact: this was actually another possible way to do your previous lab exercise!
A well-designed web server shouldn’t easily fall for session hijacking, though
◮ Why not?
It’s also worth noting that this is closely related to various forms of replay attack (which is part of why nonces are a thing)
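One concrete answer to “why nonces are a thing”: a server can bind each request to a fresh nonce and a timestamp, both covered by an HMAC under the session key, and refuse any nonce it has already accepted. The following is an added example written for these notes, not code from the course or its lab; the session key, the 300-second window and the header names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key: a real server would derive one per session at login.
SESSION_KEY = b"constructed-demo-session-key"
WINDOW_SECONDS = 300  # how far a request timestamp may drift from server time


def _canonical(method, path, timestamp, nonce, body):
    """Bytes covered by the signature: every field an attacker might replay or alter."""
    return b"\n".join([method.encode(), path.encode(), timestamp.encode(), nonce.encode(), body])


def sign_request(key, method, path, body, now=None, nonce=None):
    """Client side: stamp a request with a fresh nonce and an HMAC over its contents."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, _canonical(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": timestamp, "X-Nonce": nonce, "X-Signature": mac}


class ReplayGuard:
    """Server side: accept each signed request at most once within the time window."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp it was accepted with

    def _purge(self, now):
        # Nonces older than the window can never validate again, so forget them.
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        self._purge(now)
        try:
            timestamp = headers["X-Timestamp"]
            nonce = headers["X-Nonce"]
            signature = headers["X-Signature"]
            ts = int(timestamp)
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        expected = hmac.new(self.key, _canonical(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """One legitimate request, then the captured headers replayed verbatim, then a tampered body."""
    guard = ReplayGuard(SESSION_KEY)
    body = b'{"action": "transfer", "amount": 100}'
    headers = sign_request(SESSION_KEY, "POST", "/api/transfer", body, now=1000)
    first = guard.verify("POST", "/api/transfer", body, headers, now=1001)
    replay = guard.verify("POST", "/api/transfer", body, headers, now=1002)
    tampered = guard.verify("POST", "/api/transfer",
                            b'{"action": "transfer", "amount": 9999}', headers, now=1002)
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

The signature check runs before the nonce is recorded, so an attacker cannot burn nonces with forged requests, and the timestamp window bounds how long the `seen` set has to grow. Note that this only stops replay of a captured request; it does not help if the session key itself leaks, which is why the header still has to travel over TLS.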
Man in the Middle

A Man in the Middle attack is not the same thing as eavesdropping or session hijacking!
Rather, it relies on the assumption that the attacker can insert him or herself in between two communicating parties.
That attacker then has several options:
Receiving from one party, changing it, and then passing the new version to the other party
Establishing a separate secure connection with each party, so each side sees a secure connection and might not notice it terminates at the wrong party
Consider, for example, what happens when you first connect to a network. What’s your DNS? How reliable is it?
Perhaps we have time for a demo?
HTTP Strict Transport Security

How can we prevent a server from downgrading us from HTTPS to HTTP?
If everyone cared about security, it would already be completely solved as a problem
Some versions of Chrome might clue you in; presumably other browsers will eventually follow
HSTS allows you to set rules within HTTP headers, indicating that HTTPS must be used for return visits, etc.
◮ Check out chrome://net-internals#hsts
Wait, “return visits”? What about the first visit on that device?
Ah, for that, we have a whitelist! (Prepare to be annoyed)
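To make the “return visits” point concrete, here is a small model of what the browser does with the `Strict-Transport-Security` header: it parses the directives from RFC 6797, remembers the host (only when the header arrived over HTTPS), upgrades later `http://` URLs for that host while the policy is unexpired, and falls back to a built-in preload list for hosts it has never visited. This is an added example written for these notes, not browser code or code from the course; the preload entry `preloaded.example` and the hostnames are constructed, and header lookup is done by exact name (real code would match header names case-insensitively).

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list ("whitelist");
# entries there cover their subdomains, as the real list requires.
PRELOAD_LIST = {"preloaded.example"}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a policy dict, or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:  # max-age is mandatory
        return None
    return policy


class HstsStore:
    """Mimics the browser-side store that remembers which hosts demanded HTTPS."""

    def __init__(self, preload=PRELOAD_LIST):
        self.preload = set(preload)
        self.known = {}  # host -> (expiry time, include_subdomains)

    def learn(self, url, response_headers, now=None):
        """Record a policy, but only from an HTTPS response: over plain HTTP the header is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = response_headers.get("Strict-Transport-Security")
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        now = time.time() if now is None else now
        if policy["max_age"] == 0:
            self.known.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.known[parts.hostname] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def must_use_https(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        if not host:
            return False
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for depth in range(len(labels)):
            candidate = ".".join(labels[depth:])
            if candidate in self.preload:
                return True
            entry = self.known.get(candidate)
            if entry and entry[0] > now and (depth == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL to https:// when the store says it must be."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_use_https(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Running the model shows the gap the slide is pointing at: the very first `http://shop.test/` request goes out in the clear because nothing has been learned yet, and only after an HTTPS response carrying the header does the store start rewriting. Hosts on the preload list are upgraded even on the first visit, which is exactly why the list exists and why getting onto it is a one-way, annoying process.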
Wireless security

To what extent does wireless security really matter?
e.g. suppose you aren’t worried about people leeching your bandwidth, and you only use encrypted traffic. Does it still matter?
Do you like being arrested?
Wired Equivalent Privacy

Ahahahahahahaha. No.
WiFi Protected Access

Yes, KRACK didn’t help with WPA security, but that’s not the only concern:
WPS (to make pairing easier) introduced vulnerabilities
If you have a crappy password, the encryption isn’t really helping much
But, besides all that, what about the login password itself? Is that safe?
WPA certainly isn’t susceptible to the same exploits as WEP, so we’re cool, right?
While we’re talking about deauthentication attacks...

There are several other uses for deauth’ing hosts
Suppose you create your own access point (for nefarious reasons) and leave it open
◮ Will people connect? Maybe, maybe not.
Suppose you start booting everyone connected to any access point that isn’t yours
◮ Chances are, you’ll get a few more biting
Additional wireless concerns

Even though we already covered this on the assignment, do we understand why SSID cloaking and MAC filtering are so ineffective?
Also, what’s the password on your router/modem/access point?
Speaking of passwords...

Don’t reuse your passwords across sites
◮ No, seriously, don’t
◮ https://m.xkcd.com/792/
◮ https://m.xkcd.com/1286/
Presumably we know how to pick a good password?
◮ https://m.xkcd.com/936/
Okay, but should we still be choosing passwords? At all?
And yes, 2-factor authentication can be great, but don’t trust it too much
Also, just to stick with the xkcd trend: https://xkcd.com/538/
How do passwords get compromised?

Lots of ways!
One common way is when poorly-secured systems are accessed by ne’er-do-wells
Or someone misplaces a drive with sensitive data on it (I so wish I were kidding)
Or, as referenced earlier, when people reuse passwords, and a compromise of one triggers a domino effect
Hopefully, passwords will be salted and hashed, but even that’s not a true guarantee.
Also: never verify usernames independently from passwords!
Do we understand the significance of salting?
e.g. https://hashkiller.co.uk/ or https://crackstation.net/
Okay, but how else do they get compromised?

Outside of key loggers (which, yes, are still a thing), if you assume one can get the (even salted) hash, then there are still dictionary attacks, and even good old-fashioned brute force.
This is part of why you need to change your password so often: so hopefully those salted hashes will be useless by the time they’re cracked.
So, what really matters?

Arguably, social engineering is one of the most (if not the most) significant threats to modern computer systems.
You can fix code, but you can’t fix stupid
Many attacks rely on tricking humans into bypassing the existing security.
Consider some of the more ludicrous spam/phishing attempts you’ve received
◮ Chances are, someone’s fallen for it!
Considering banks are screwing up all the time, when you get an email telling you to reset your password, how can you identify whether or not the link is correct?
So, what does this mean?

Consider just how much we still rely on human intelligence to keep our information/identities safe
How hard do you think it would be to get added as a second user to someone’s phone? To hijack someone’s service?
What could one do once they had access to your service?
◮ Oh hey, what was that about two-factor authentication earlier...?
I don’t think we have time for storytime, but for a really good read, @N is stolen: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd
I am whatever you say I am

If I wasn’t, then why would I say I am?
There are quite a few ways we can obfuscate identities.
dnsspoof and dnschef can fiddle with DNS and/or DHCP
Even though filtering and authentication have improved, spoofing email is still common
We’ve already discussed both IP and MAC spoofing
We even tried ARP poisoning in the lab!
Basically, if there’s no mechanism to detect or prevent spoofing, you’re gonna have a bad time.
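On the “mechanism to detect” side, the ARP poisoning from the lab leaves a visible trace: the same IP is suddenly answered by a different MAC, a single MAC starts claiming several IPs, and a statically known binding (typically the gateway) is contradicted. The following watcher flags those three patterns over a constructed sequence of ARP replies; it is an added example written for these notes, not course code or a real tool such as arpwatch, and it assumes replies are handed to it as `(seconds, sender IP, sender MAC)` tuples rather than parsed from a capture.

```python
# Constructed sample of ARP replies seen on a LAN: (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    (5, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (9, "192.168.1.1", "DE:AD:BE:EF:00:99"),    # gateway IP suddenly answered by another card
    (10, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same card now also claims the workstation
    (12, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway answers again
]


class ArpWatch:
    """Tracks IP-to-MAC bindings and raises alerts on the patterns ARP poisoning produces."""

    def __init__(self, trusted=None):
        # Static bindings you know to be correct, e.g. the gateway, normalised to lower case.
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.table = {}   # ip -> last MAC seen claiming it
        self.alerts = []  # (time, kind, details...)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if ip in self.trusted and self.trusted[ip] != mac:
            self.alerts.append((ts, "trusted-binding-violation", ip, self.trusted[ip], mac))
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            # Flapping between two MACs is the classic symptom of an ongoing poisoning attempt.
            self.alerts.append((ts, "ip-mac-flip", ip, previous, mac))
        self.table[ip] = mac
        # One interface answering for several addresses is the other half of the signature.
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(claimed)))


def analyse(replies, trusted=None):
    """Feed a reply sequence through the watcher and return every alert it raised."""
    watch = ArpWatch(trusted)
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in analyse(ARP_REPLIES, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

The legitimate gateway re-announcing itself at second 12 also produces an `ip-mac-flip`; that is not a false positive, since a binding oscillating between two MACs is precisely what an attacker racing the real host looks like. The detector only sees what is on its own segment, and on a switched network that means it has to run on a mirror port or on each host; prevention (static ARP entries, dynamic ARP inspection on the switch) is a separate mechanism the slide also asks for.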
Denial of Service

Hey, know what would be really nice about now? Listening to a ni-
No.
No, I just wanted to brow-
No.
—
Denial of service is exactly what it sounds like: any mechanism that interrupts a host’s ability to access a network or service.
It comes in many forms, targeting individuals or the services themselves
Traditional Denial of Service

Generally speaking, most servers/switches/etc. can only handle so much traffic, or so many requests, at a time.
Ideally, services will be provisioned well above their average loads, close to the highest predictable peaks.
But what happens if the requests exceed that provisioning? The service becomes unable to continue servicing requests
A classic DoS isn’t typically feasible, because a single end-user having higher networking resources than a service is downright screwy.
To generate enough traffic to tie up computing resources, or exhaust allocated bandwidth, you need some friends to join in.
This is a Distributed Denial of Service, probably the most well-known DoS
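Provisioning is one knob; the other is refusing to let any single source consume the whole budget, which is what a per-client token bucket does. The model below serves a constructed request trace in which one address fires fifty requests at once while two others browse normally, and counts who got served and who got dropped. It is an added example written for these notes, not course code; the rate and burst values and the addresses are chosen for the demonstration, and a distributed flood from many addresses would, as the slide says, need a different answer.

```python
from collections import Counter, defaultdict

# Constructed trace: (seconds, client address). 10.0.0.9 sends a burst of 50 at once.
REQUESTS = (
    [(0.0, "10.0.0.5"), (0.1, "10.0.0.7")]
    + [(0.2, "10.0.0.9")] * 50
    + [(1.0, "10.0.0.5"), (1.5, "10.0.0.7"), (3.0, "10.0.0.9")]
)


class TokenBucket:
    """Per-client budget: `rate` requests/second sustained, up to `burst` at once."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)  # a new client starts with a full bucket
        self.last = None

    def allow(self, now):
        if self.last is not None:
            # Refill proportionally to elapsed time, never beyond the burst ceiling.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_requests(requests, rate=5.0, burst=10):
    """Run a trace through per-client buckets; return (served, dropped) counts per client."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    served, dropped = Counter(), Counter()
    for now, client in requests:
        if buckets[client].allow(now):
            served[client] += 1
        else:
            dropped[client] += 1
    return served, dropped


if __name__ == "__main__":
    served, dropped = filter_requests(REQUESTS)
    for client in sorted(set(served) | set(dropped)):
        print(client, "served", served[client], "dropped", dropped[client])
```

The flooding client gets exactly its burst allowance and then nothing until time passes, while the other two clients never notice; by second 3 its bucket has refilled and its next request goes through, so the limiter punishes the burst, not the address. This protects the service from one noisy source, which is why a real DoS has to be distributed across enough sources that each one stays under the limit.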