The document discusses the stages of a network attack from an attacker's perspective. It describes how attackers first perform reconnaissance to gather information about a target network such as open ports, services and vulnerabilities. It then discusses how attackers use this information to directly attack systems using exploits or malware. Finally, it mentions how attackers aim to maintain access and cover their tracks after gaining entry. The goal is to provide an overview of the attack process and challenges for network defense.
This document summarizes a talk given by Dr. Markku-Juhani O. Saarinen on custom penetration testing (pentest) tools he developed called HAGRAT to simulate advanced persistent threats (APTs). Some key points:
- HAGRAT includes a Windows remote access tool (RAT) and Linux command and control server to remotely control Windows systems and conduct intelligence gathering.
- It was developed over 3 months for $30,000 specifically to test organizations' defenses against APTs in a safe, controlled manner.
- HAGRAT remains undetected after 18 months due to limited and controlled usage. It penetrates firewalls using HTTP and looks like normal browser traffic to avoid detection.
This document provides an overview of hacking and computer security. It defines hacking as intruding on someone else's information space for malicious purposes. It then discusses the brief history of hacking from the 1980s to present day. Next, it profiles some famous hackers throughout history and outlines the typical hacker attitude. The document concludes by describing basic hacking skills, the process of hacking, and common hacking tools and techniques such as port scanning and denial of service attacks.
Point of Sale (POS) Malware: Easy to Spot, Hard to Stop (Symantec)
Most organizations worry that they will be the next company showing up on the evening news as the “worst data breach ever.”
The real concern isn’t if you will be breached, but when will you be breached—and if you’ll know it happened before you read it in the press along with your customers.
The cost of the breach is far more than lost revenue that has to be recovered; the real loss is in customer trust and loyalty.
Mistakes made by people and systems are the main causes of data breaches. Together, human errors and system problems account for 64 percent of data breaches.
The document provides an overview of web hacking, including:
1. An agenda that outlines reconnaissance, scanning, exploitation, maintaining access, and covering tracks in a web hacking process.
2. Descriptions of different types of hackers like white hat and black hat hackers, and classifications like script kiddies and hacktivists.
3. Explanations of the reconnaissance, scanning, and exploitation phases of web hacking, including common tools used in each phase like Whois, Nmap, and Nessus.
This document discusses various security issues that can arise in source control systems. It describes buffer overflow attacks, where a program writes data past the end of a memory buffer. It also discusses citizen/casual programmers who may not follow proper security practices. Covert channels that can transfer data in violation of security policies are described. The document outlines controls and best practices around these issues like parameter checking, memory protection, and auditing and logging.
This document discusses various threats to information security, including denial of service attacks, buffer overflows, malware, password cracking, spoofing, sniffing, shoulder surfing, data remnants, social engineering, and theft. It provides details on how each threat works and potential ways to carry out attacks using different threats. The document is part of a CISSP certification training on understanding security threats and their impacts on confidentiality, integrity, and availability.
This document provides an overview of cryptography concepts including:
- A brief history of cryptography from early ciphers like the Caesar cipher to modern computer-based cryptography.
- Key cryptography concepts like public/private key algorithms, hashing, and digital signatures.
- Modern applications of cryptography including encryption of data at rest, in transit, and end-to-end encryption.
- Emerging technologies like quantum cryptography are discussed along with notes of skepticism about current real-world applications.
- International regulations and the needs of law enforcement are also covered at a high level.
This tutorial is related to Hacking. Key terms: Introduction to Hacking,
History of Hacking,
The Hacker attitude,
Basic Hacking skills,
Hacking Premeasured,
IP Address,
Finding IP Address,
IP Address dangers & Concerns,
Hacking Tutorial,
Network Hacking,
General Hacking Methodology,
Port Scanning,
ICMP Scanning,
Security Threats,
Counter-attack strategies,
Host-detection techniques,
Host-detection ping,
Denial of Service attacks, DOS Attacks,
Threat from Sniffing and Key Logging,
Trojan Attacks,
IP Spoofing,
Buffer Overflows,
All other types of Attacks, SMURF attacks, Sniffers, Keylogger, trojans,
Hacking NETBIOS,
Internet application security,
Internet application hacking statistics, Web application hacking reasons,
General Hacking Methods,
Vulnerability,
Hacking techniques,
XPath Injection
For more details visit Tech-Blog: https://msatechnosoft.in/blog/tech-blogs/
Password Stealing & Enhancing User Authentication Using Opass Protocol (Prasad Pawar)
The document discusses various topics related to computer hacking including definitions of hacking, types of hackers (white hat, black hat, grey hat), reasons for hacking, ethical hacking, steps in hacking (reconnaissance, scanning, gaining access, maintaining access, clearing tracks), and methods for hacking login passwords in Windows 95/98/ME and Windows NT/XP/Vista/7 operating systems. Specific techniques mentioned include using tools like Ophcrack to crack passwords stored in the SAM file without booting into Windows.
Ch 4: Footprinting and Social Engineering (Sam Bowne)
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
Hacking refers to activities aimed at exploiting security flaws to obtain unauthorized access to secured networks and information. Some key points from the document:
- Hacking involves intruding on someone else's information space for malicious purposes. Common hacking techniques include port scanning to find vulnerabilities.
- A brief history of hacking is provided from the 1980s to the present day, including major denial of service attacks and data breaches over time.
- Famous hackers from history are listed, along with an overview of the hacker attitude which values problem solving, sharing information, and avoiding boredom.
- Basic hacking skills discussed include programming, using Unix/Linux, and using the web/HTML. Precautions like hiding
The document discusses various techniques for reconnaissance, including searching public information on the internet, using tools to scan for open systems and services, and ways to map out network configurations. It provides details on low-tech methods like searching websites, Whois databases and DNS, as well as technical scanning tools to discover active systems, network topology, and open ports. The document also offers defenses against some of these reconnaissance techniques.
Network traffic analysis with cyber security (KAMALI PRIYA P)
We are students from SRM University pursuing a B.TECH in the Computer Science Department. We took a small initiative to make a PPT about how network traffic can be analyzed through Cyber Security. We have also mentioned the known network analyzers and the future scope for network traffic analysis with cyber security.
Snort is an open-source network intrusion detection and prevention system that performs real-time traffic analysis and packet logging on IP networks. It can detect a variety of attacks through protocol analysis, content searching, and matching. Snort functions in sniffer, packet logger, and intrusion detection modes. As a network intrusion detection system, it monitors network traffic and compares it to a database of attack signatures. Snort rules are used to detect suspicious activity and are organized into categories covering web, SQL, shellcode attacks and more.
Using Machine Learning in Networks Intrusion Detection Systems (Omar Shaya)
The internet and different computing devices from desktop computers to smartphones have raised many security and privacy concerns, and the need to automate systems that detect attacks on these networks has emerged in order to be able to protect these networks with scale. And while traditional intrusion detection methods may be able to detect previously known attacks, the issue of dealing with new unknown attacks arises and that brings machine learning as a strong candidate to solve these challenges.
In this report, we investigate the use of machine learning in detecting network attacks, intrusion detection, by looking at work that has been done in this field. Particularly we look at the work that has been done by Pasocal et al.
1. Ethical hacking involves legally accessing a computer system or network to test security by finding vulnerabilities. It is done with permission and as part of an overall security program.
2. The process of ethical hacking involves preparation, footprinting, identification of vulnerabilities through techniques like port scanning, and then reporting findings to the organization without causing damage.
3. An ethical hacker has the same skills as a hacker but performs security testing in a legal, consensual, and non-destructive manner by obtaining permission and following predefined rules of engagement.
This document discusses intrusion detection techniques. It describes misuse detection, which detects known attacks based on predefined rules, and anomaly detection, which detects deviations from normal behavior. Common misuse detection methods include rule-based, state transition analysis, and expert systems. Anomaly detection methods include statistical methods, machine learning, and data mining. The document also proposes ideas to improve intrusion detection, such as using association rule mining to detect patterns in audit data and discovering new patterns by analyzing existing rulesets.
Intrusion Detection System using AI and Machine Learning Algorithm (IRJET Journal)
This document discusses using artificial intelligence and machine learning algorithms to develop an intrusion detection system (IDS). It begins with an abstract that outlines using AI to act as a virtual analyst to concurrently monitor network traffic and defend against threats. It then provides background on IDS and the need for more effective automated threat detection. The document discusses classifying attacks, different types of IDS (host-based and network-based), and detection methods like signature-based and anomaly-based. It aims to develop an IDS using machine learning algorithms that can learn patterns to provide automatic intrusion detection without extensive manual maintenance.
HackInBo2k16 - Threat Intelligence and Malware Analysis (Antonio Parata)
Threat intelligence and malware analysis are two sides of the same coin. Threat intelligence involves gathering information from various sources like open source intelligence (OSINT), internal network monitoring, and commercial threat feeds. This information can be used to understand emerging threats and inform an organization's response. Malware analysis involves reverse engineering malware samples to understand how they work and extract indicators like command and control servers and drop zones. Understanding common malware components like packers, loaders, and payloads can help focus analysis. Banking malware often uses dynamic configurations and web injections to target users and steal credentials. Both threat intelligence and malware analysis are important for increasing security awareness and protecting networks from emerging threats.
Kunal - Introduction to backtrack - ClubHack2008 (ClubHack)
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and hacking web servers through techniques like Google hacking.
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Attackers can use these tools along with techniques like ARP poisoning to conduct remote exploits or hack passwords on Windows systems.
The document discusses how to conduct a software exploitation attack using Metasploit Framework against a Windows XP system with Snort installed. It describes exploiting the Microsoft Graphics Rendering Engine vulnerability from 2006 using Metasploit to gain remote system access on the target. Snort's logs show it detected the attack as it occurred. The goal was to see how Snort would react to the attack.
The document provides an overview of ethical hacking techniques such as advanced scanning with NMAP to identify open ports and operating systems on remote systems. It discusses how tools like Nmap and Angry IP Scanner can be used to scan locally and remotely, and how information gathered can be used to potentially exploit systems. Example exploits discussed include using Netcat to create remote shells and payloads embedded in files like JPEG and MP3 files. The document emphasizes that while the information is presented, actually hacking systems without permission would be illegal.
Security is the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization.
As noted by the Institute for Security and Open Methodologies (ISECOM) in the OSSTMM 3, security provides "a form of protection where a separation is created between the assets and the threat." These separations are generically called "controls," and sometimes include changes to the asset or the threat.
The document presents two solutions for secure internet banking authentication - one based on short-time passwords using hardware security modules, and the other based on certificate-based authentication using smart cards. It discusses current authentication threats like offline credential stealing and online channel breaking attacks. Both proposed solutions offer strong security against these common attacks, with the certificate-based solution being highly attractive for the future due to changing legislation and potential widespread use of electronic IDs.
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
Network security involves protecting computer networks from unauthorized access. It aims to achieve access control, confidentiality, authentication, integrity, and non-repudiation. Throughout history, as hacking and crimes emerged in the 1980s and the Internet became public in the 1990s, security concerns increased tremendously. Network security employs multiple layers including physical security, perimeter protection, user training, encryption, and firewalls among other hardware and software components. As threats continue to evolve, the field of network security must also evolve rapidly to protect information and system resources.
The document provides tips for keeping a network secure, including always keeping virus software and Windows updates enabled, using firewalls, backing up data regularly, and using strong passwords. It warns about common password risks like using obvious words or writing passwords down. The document also covers securing laptops, email, wireless networks, and avoiding risks from open networks. Proper authentication, surge protection, and password protecting are emphasized as important security best practices.
1. Formulate a testing plan with the client to identify systems to evaluate and the scope of testing allowed.
2. Remotely or locally access the target systems to find vulnerabilities by simulating common attacks.
3. Report any found vulnerabilities to the client along with recommendations on how to remedy security issues.
Network security threats are increasing as more people and devices connect to networks. The document identifies ten major network security threats: viruses and worms, Trojan horses, spam, phishing, packet sniffers, maliciously coded websites, password attacks, hardware loss and data fragments, shared computers, and zombie computers/botnets. Each threat is described and potential solutions are provided, such as using security software to block viruses, encryption to prevent packet sniffing, and intrusion prevention systems to counter botnets. Network security managers face ongoing challenges due to the variety of threats and lack of solutions for some issues like password attacks.
As conversation starter for Climate Change and Disaster Risk Reduction as well as Environmental Health, komiks can be a very effective instructional material. Thunder Bubuli for example tackles leptospirosis and vector-borne diseases and can also start discussions on natural pest control. Cricketers can start discussions on persistent organic pollutants (POPs) and mutation as well as the importance of insects in the ecosystem. The Komiks Guild of The Philippines is open to collaborations with educational institutions and educational game developers.
This document provides advice on how to succeed in work social networks by focusing on three key themes: perceptions skills, social networks both online and offline, and generational differences. It emphasizes developing authentic relationships, focusing on your strengths, giving credit to others, and being aware of different generational experiences and communication styles.
PR professionals are split on their views toward and treatment of "brand journalists" - content creators employed by brands rather than traditional media outlets. The survey of 174 PRs found that about two-thirds have worked with brand journalists in the past, but opinions are polarized. Around 40% of PRs treat brand journalists the same as traditional journalists, while a similar proportion do not. High-touch activities like press trips are more common with traditional journalists. There is no consensus on when, if ever, brand journalists will be viewed equally to traditional journalists. Reasons for skepticism include concerns about conflicts of interest compared to the independence of traditional media. However, brands continue investing in content marketing by hiring content creators, and those that emphasize quality content
Transcarga es una plataforma en línea que conecta generadores de carga con transportistas para facilitar el transporte oportuno de bienes de manera segura y rentable. La plataforma permite que los usuarios publiquen detalles de envíos, encuentren transporte a través de un mapa interactivo, realicen negociaciones y califiquen los servicios recibidos. Transcarga ha recibido reconocimientos por su modelo de negocio innovador que mejora la eficiencia de la logística.
This document discusses the labor market participation of young people in Europe. It notes that youth unemployment has risen significantly since the economic crisis, with only 34% of young people employed in 2011, the lowest figure on record. While youth are an important asset, many European countries currently struggle to integrate young people into education and the job market. The crisis has hit young people especially hard, increasing the urgency for policies to improve their labor market participation and engagement.
Upgrading blackboard academic_suite_to_blackboard_learn_release_9Selva G Kumar
The document provides information to help administrators and instructors upgrade to Blackboard Learn Release 9, including reference materials, compatibility matrixes, performance improvements, and update instructions for Windows and UNIX. It outlines what the upgrade kit contains, supported server configurations and browsers, enhanced features in Release 9, and steps for running the updater. Administrators are warned to obtain a Release 9 license key before installing.
Presentación de la Fundación Telefónica, la Universidad de Navarra y la Organización Universitaria Interamericana acerca de su proyecto de investigación sobre niños, adolescentes y pantallas. En línea en http://www.generacionesinteractivas.org/?p=2052
The document discusses the concept of Domain Driven Security (DDSec), which applies principles from Domain-Driven Design (DDD) to address security concerns. DDSec helps improve security by modeling the problem domain more accurately and defining explicit security-related domain concepts. This approach helps prevent vulnerabilities like SQL injection and cross-site scripting by validating all data according to the domain model. The document provides examples of how DDSec can help secure an online book purchasing system and prevent accidental data leakage. It also discusses challenges in applying DDSec across microservices.
Convocatoria: Eventos de Formación eTwinning 2016eTwinning España
Se convocan plazas de asistencia a eventos de formación dentro del marco de la acción eTwinning en los países participantes en el programa, para profesorado de centros públicos y privados que impartan docencia de enseñanzas oficiales no universitarias, para el año 2016.
WSUS (Windows Server Update Services) es una herramienta gratuita de Microsoft que automatiza el proceso de gestión de actualizaciones de software. Los servidores WSUS descargan actualizaciones de Microsoft Update y las distribuyen a los clientes de Windows asignados a grupos de destino. Los administradores aprueban qué actualizaciones se instalarán y cuándo. WSUS mejora la gestión de parches y proporciona escalabilidad para la distribución de actualizaciones.
The document provides information on inspecting and servicing various components of the power steering system on a vehicle, including:
- Checking fluid level and for leaks in the power steering system.
- Inspecting the steering wheel for play, neutral position, and turning force.
- Removing and installing the steering wheel.
- Removing and installing the steering column and inspecting it.
- Inspecting the power steering gear and linkage, including checking for proper movement and sliding force.
- Removing and installing the power steering gear.
- Checking the operation of the power steering oil pump.
This will give you knowledge about basics of what ethical hacking is and few attacks. This document edited in Ubuntu. Types of hackers explained in detail. what kind of language is used by the hacker. How attacks happen with the help of scanning and access point for the system which is helpfull for the hacker after doing attacks gaining the access and maintaining the access. how to protect the system from the attackers and what to do after the attack happened.
This document discusses various methods for securing a single host or system from both external and internal security threats. It covers topics such as installing the operating system securely, hard disk encryption, access control, and configuring services with limited privileges. Sandboxing techniques like chroot, virtual machines, and Sandboxie are also introduced as methods for isolating compromised applications and limiting damage from successful attacks. Overall the document provides an overview of the key aspects to consider when securing a single system from a host security perspective.
Criminals carefully plan cyberattacks by first gathering information through passive reconnaissance like online searches. They then actively scan systems to confirm details and identify vulnerabilities. Next, criminals scrutinize the information to enumerate valid user accounts and network resources. Finally, they launch attacks by cracking passwords, exploiting systems, installing malware, and hiding their activities. Cybercafes present risks as criminals frequently use their computers that often have outdated security, allowing attacks without detection. Regulations and monitoring of cybercafes are needed to reduce their potential for cybercrimes.
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerJorge Orchilles
Deep Dive into Adversary Emulation - Ransomware Edition
This talk covers the Garmin July 2020 hack by a group called Evil Corp that leveraged a newer ransomware called WastedLocker. We cover Cyber Threat Intelligence, creating an adversary emulation plan for ransomware, demo the emulation, and discuss how to defend against these attacks.
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
Keynote de 8.8 Las Vegas 2020: https://www.8dot8.org/8-8-las-vegas/
La presentacion es una combinacion de mis presentaciones de Blackhat 2020 Arsenal - C2 Matrix y DEF CON Red Team Village de Adversary Emulation.
https://twitter.com/jorgeorchilles
Andrew Morris introduced GreyNoise, a system that collects and analyzes internet-wide scan and attack traffic to identify background noise. GreyNoise provides a free web interface and API to query its database using the GreyNoise Query Language (GNQL) to determine if activity is widespread or targeted. This helps identify actual threats by filtering out common background traffic. Future plans include an "Analyze" tool and alerts to notify users about their own networks' activity.
This document provides a summary of 47 different security tools, including their main purposes and capabilities. It covers tools for tasks like system monitoring (ProcessExplorer, Autoruns), network scanning (Nmap, Nessus, Retina), password cracking (L0phtcrack, John the Ripper), packet analysis (Wireshark, TCPDump), vulnerability assessment (Nessus, WebInspect), and more. Many of the tools are open source while others like Core Impact are commercial products. The document serves as a reference guide for penetration testers and security researchers.
The project entitled with “Network Security System” is related to hacking attacks in computer systems over internet. In today’s world many of the computer systems and servers are not secure because of increasing the hacking attacks or hackers with growing information, so information security specialist’s requirement has gone high.
This document discusses various network security issues and methods. It covers topics like unauthorized access, malware, denial of service attacks, security methods like access rights and firewalls, and ways to protect against threats such as encryption, backups, and anti-virus software. Network security is important because when computers are connected, there are increased risks from other devices gaining access without permission. Hackers, viruses, and other threats can read or damage data if networks are not properly secured.
This document discusses incident response and preparing for security incidents. It covers topics like preparing systems and networks, establishing response processes, creating an incident response team and toolkit. The document outlines the steps for initial response, including assessing the incident and gathering volatile evidence. It then discusses formulating a response strategy, performing detailed analysis, and using the results to fix vulnerabilities and improve security. The goal is to properly handle incidents while preserving evidence and learning from what happened.
This document discusses ethical hacking and provides information on various types of hackers, why people hack, and the hacking process. It defines ethical hacking as legal hacking done with permission to identify vulnerabilities. The hacking process involves preparation, footprinting, enumeration and fingerprinting, vulnerability identification, gaining access, escalating privileges, covering tracks, and creating backdoors. It also discusses how to protect systems and what to do if hacked, such as restoring from backups and patching security holes.
This document discusses various types of software vulnerabilities such as memory corruption attacks, command injection attacks, access privilege attacks, SQL injections, format string vulnerabilities, and insecure error reports. It provides examples of buffer overflows, unsigned to signed conversion errors, and SQL injections. It emphasizes the importance of considering security early in the software development process through secure architectural design, implementation, testing, and code reviews.
Types of Computer Forensics Technology, Types of Military Computer Forensic Technology, Types of Law Enforcement, Computer Forensic Technology, Types of Business Computer Forensic Technology, Specialized Forensics Techniques, Hidden Data and How to Find It, Spyware and Adware, Encryption Methods and Vulnerabilities, Protecting Data from Being Compromised Internet Tracing Methods, Security and Wireless Technologies, Avoiding Pitfalls with Firewalls Biometric Security Systems
This document discusses various application security topics such as downloading files securely, handling secrets and temporary tokens, implementing third-party sites securely, privacy risks of third-party monitoring and analytics on sensitive pages, push notifications versus SMS, securely using FFmpeg and ImageMagick, serving user content securely, implementing cryptography securely, and applying rate limits. It provides advice on how to address each topic securely, such as only allowing certain schemes, ports and domains for file downloads, short expiration times for temporary tokens, sandboxing or isolating third-party components, and not implementing one's own crypto.
Tools and Mechanisms for Network Security in an Organization.
Physical Security, Administrative Security and Technical Security measures have been described.
Security Testing Tools are Nessus, THC Hydra, Kismet, Nikto, WireShark and NMAP.
Network Vulnerabilities And Cyber Kill Chain EssayKaren Oliver
This document discusses several networking tools, beginning with Wireshark. Wireshark is described as an open-source packet sniffer that allows users to capture and analyze network traffic passing through their computer. It started development in 1998 under the name Ethereal, and was renamed in 2006. The document then moves on to briefly describe Nmap, TCPDump, and Netcat. Nmap is a port scanning tool used for network discovery and security auditing. TCPDump is a command line packet analyzer that prints out network traffic. Netcat is a networking utility that reads and writes data across network connections using TCP or UDP.
This document discusses ethical hacking. It begins by defining hacking and distinguishing between black hat, white hat, and grey hat hackers. White hat hackers, also known as ethical hackers, hack systems with permission to identify vulnerabilities. The document outlines the different phases of ethical hacking including footprinting, scanning, enumeration, gaining access, and maintaining access. It provides examples of tools used in each phase and types of attacks like social engineering and SQL injection. The document emphasizes that for hacking to be ethical, hackers must have permission and respect privacy. It concludes by discussing how organizations can prevent hacking by closing vulnerabilities identified through ethical hacking activities.
To secure a network, someone in the organization must know exactly where the network needs to be secured. Although this step may sound simple and obvious, many companies skip it. They install a perimeter firewall and then relax, lulled into a sense of security by this single layer of defense. To truly assess the risks within a computing environment, you must deploy technical controls using a strategy of defense in depth, which is likely to include IDPSs, active vulnerability scanners, passive vulnerability scanners, automated log analyzers, and protocol analyzers (commonly referred to as sniffers).
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
2. This is NOT what this course is about
Jarno Niemelä Jargon@iki.fi
3. Lecture Introduction
● In the next two lectures we concentrate on
– Network attacks
– How to build a network so that it is secure by default
– Securing the network
– Detecting attacks and misbehavior
– Network security tools and applications
5. What The Attacker Wants To Do
● Attacker is outside the local network
– To get inside the intranet
– 0wn those computers that are visible to the outside
– Knock your servers out with DOS or DDOS
– Spoof or inject some of your services to outside customers
– Listen to and manipulate your outside traffic
– Get your users to execute a backdoor or other trojan
– Fool your users with E-Mail or other social engineering
– Get your users to visit trojanized web sites
6. What The Attacker Wants To Do
● Attacker is inside the local network
– Own one or several computers in the local network
– Access confidential information (files, email, intraweb)
– Leak the stolen information back to the attacker
– Listen to traffic in the local net and capture information, sessions, cookies, etc
– Corrupt, delete or modify information or break systems
– Join the computers into a botnet
– Erase traces of the attack
7. What The Attacker Wants To Get
● Just to own the system
– To use for further attacks (stepping stone or botnet)
– Use for making money
● Deface the web site
● Attack your customers
● Credit card information or other customer records
● Revenge or otherwise express his opinion
● Confidential company documents, source code
● Anything that can be used to make money
8. What Attacker Needs To Succeed
● A server or client vulnerability to give a way in
● A way to access things in the compromised host
● A way to move to other hosts if the current one does not have the goods
● A communication channel for commands, additional attack components and downloading whatever he is stealing
9. Who Is Your Enemy
● Hobbyists, activists (criminals in training)
– "Script kiddies" trying to break in out of curiosity using ready-made tools or public information
– Small minority of total attacks, but usually most visible
● Professional criminals
– Attack anything that can be converted to income
– Either target you directly, or just want to use your systems
● Corporate spies
– Mostly state actors (China, USA), intent on commercial gain
● Malware (automated enemy)
– Viruses, worms, trojans, etc that do the criminals' dirty work
10. Typical Attacks That Have Made News
● RSA breach and security token keys being leaked
– Attack over a trojanized document file
– Infected document dropped a backdoor for further access
– Used as a stepping stone to do industrial espionage on RSA clients
● Sony Playstation network breach
– Massive leak of customer information
– Classical attack on an unpatched chat server and from there onwards
● Stratfor customer information leak
– Yet another leak of customer information and credit card details
– Done over SQL injection to the Stratfor server
– No onwards attack needed, the public server contained the goods
11. Stages Of Attack
● Recon the target
– Find out what targets are visible to the Internet
– Find alternate routes to the network
– Find out what OS/software versions are installed
– Find vulnerabilities or other weak links in defenses
● Attack the system
– Get into any system in the target network
– Continue to further targets
● Get the loot and erase traces
– Find any log files, and erase all traces of the attack
12. Finding Information About Target Network
● Get DNS information
– Misconfigured DNS can reveal all host names in the system
  ● Especially effective against internal DNS
  ● Anything that has 'test' in its name is an interesting target
  ● DNS names also usually reveal good targets for DOS
● Map the network
– Send ping packets to the local address range and see from which addresses you get an answer
● Search the network for misconfigured proxy servers
● Scan the local network for unpatched services
● Dig GOOGLE and other public sources
13. Snooping Over DNS
● With a zone transfer attackers get to read internal names
● But just by being able to query over DNS they can use timing to see which domains are in the cache
– http://304geeks.blogspot.co.uk/2013/01/dns-scraping-forcorporate-av-detection.html
● So what good does this do?
● Well, for one, attackers can figure out what AV you are using
● Also any other external service is obvious
● Any AV can be circumvented provided you know what the target is using
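The two DNS techniques on slides 12 and 13 both leave evidence in the resolver's own query log. The script below is an added example (not from the lecture): it reads BIND-style query-log lines and flags zone-transfer requests from hosts that are not the configured secondaries, plus non-recursive lookups of names outside our own zones, which is what a cache-snooping probe looks like. The log lines, the TRUSTED_SECONDARIES set and the OWN_ZONES list are all constructed placeholders.

```python
"""Flag zone-transfer attempts and cache-snooping probes in BIND-style query logs.

Added example for the DNS snooping slides; not part of the lecture.
The line layout follows BIND's classic query log
("client IP#port (qname): query: name IN TYPE flags (server)"), where the
flags field starts with '+' when the client set Recursion Desired and '-'
when it did not. Everything below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed query log: one legitimate AXFR from a secondary, one AXFR from a
# stranger, two non-recursive lookups of AV update hosts (cache snooping), and
# two ordinary recursive queries.
SAMPLE_LOG = """\
client 192.0.2.10#41234 (corp.example): query: corp.example IN AXFR -T (198.51.100.53)
client 203.0.113.7#53000 (corp.example): query: corp.example IN AXFR -T (198.51.100.53)
client 203.0.113.7#53001 (update.av-vendor.example): query: update.av-vendor.example IN A - (198.51.100.53)
client 203.0.113.7#53002 (liveupdate.other-av.example): query: liveupdate.other-av.example IN A - (198.51.100.53)
client 198.51.100.20#40001 (www.corp.example): query: www.corp.example IN A + (198.51.100.53)
client 198.51.100.21#40002 (mail.example.net): query: mail.example.net IN MX + (198.51.100.53)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Assumed policy inputs (placeholders): hosts allowed to pull our zones, and
# the zones this server is authoritative for.
TRUSTED_SECONDARIES = {"192.0.2.10"}
OWN_ZONES = ("corp.example",)


def in_own_zone(name):
    """True if name is one of our zones or lies beneath one of them."""
    return any(name == z or name.endswith("." + z) for z in OWN_ZONES)


def parse_line(line):
    """Return a dict with ip, name, qtype and recursion_desired, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")
    return rec


def analyse(log_text):
    """Map finding type -> {client ip: [names]} for the two snooping patterns."""
    findings = {"zone_transfer": defaultdict(list), "cache_snoop": defaultdict(list)}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, name, qtype = rec["ip"], rec["name"], rec["qtype"]
        if qtype in ("AXFR", "IXFR") and ip not in TRUSTED_SECONDARIES:
            # A full zone pull from an unexpected host: the slide 13 case.
            findings["zone_transfer"][ip].append(name)
        elif not rec["recursion_desired"] and not in_own_zone(name):
            # RD=0 for a foreign name only makes sense if the client is
            # testing whether the answer is already cached.
            findings["cache_snoop"][ip].append(name)
    return {k: dict(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, clients in analyse(SAMPLE_LOG).items():
        for ip, names in clients.items():
            print(f"{kind}: {ip} -> {', '.join(names)}")
```

The same two patterns are what `allow-transfer` and a non-recursive (or split-horizon) resolver configuration are meant to cut off; the log check tells you whether anyone is still trying.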
14. Port Scanning
● Goes through a range of addresses looking for services
– Sends connection requests to ports in the target
– Listens to the target's answer
– Usually services are very open about what they are :)
● Used for getting a map of the network
– What services are available and where
– Which server programs are used and in what versions
● A very noisy but still commonly used method
15. Port Scanning Example
● Probing a port with telnet (so you see the result)
● Telnet www.drivermuseum.com 80
Trying 212.226.165.105...
Connected to www.drivermuseum.com.
Escape character is '^]'.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
helo to /index.html not supported.<P>
Invalid method in request helo<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at drivermuseum.com Port 80
</ADDRESS></BODY></HTML>
Connection closed by foreign host.
17. Observe Your Target From Distance
● Port scanning is a dangerous technique because it leaves tracks in the routers and firewalls
● So what if attacker could find out things about your network from public source
  – Then he doesn't even touch your network -> no traces!
  – It would be nice if there is a search engine for such work
18. Shodan
● http://www.shodanhq.com/
● Shodan gives what Google doesn't want to
● Shodan indexes systems, services, versions
● With right searches you can find just about any misconfiguration or vulnerability that can be indexed
● https://www.defcon.org/images/defcon-18/dc-18presentations/Schearer/DEFCON-18-SchearerSHODAN.pdf
19. Surely This Kind Of Thing Is Harmless?
● Gemnet, a subsidiary of big Dutch operator KPN, was hacked
● Gemnet is a CA, their business is issuing SSL certs
● Attackers were able to access information in backend DB, but were not able to issue own certs
● The attack happened over an open phpMyAdmin portal, which allowed database access over web
● http://webwereld.nl/nieuws/108815/weercertificatenleverancier-overheid-gehackt.html
20. Vulnerability Scanners
● Advanced port map tool that knocks on ports at host and finds out who's answering
  – Most services tell their name and version at connect
● Scanners are used to detect vulnerable services and to get other host information
  – Scanner gets the service version numbers and compares them to database of vulnerable services
● Scanners are used both by hackers and system administrators
22. Rapid7 Metasploit
● Metasploit is a combined vulnerability discovery and penetration testing (=attack) toolkit
● With metasploit attacker can quickly find known vulnerabilities, and almost every vulnerability has metasploit module for easy exploit development
● Which means that even basic coding skills are enough for very effective attacks
● http://null-byte.wonderhowto.com/how-to/hack-like-pro-getting-started-with-metasploit-0134442/
● http://www.rapid7.com/products/metasploit/editions-and-features.jsp
23. Social Engineering
● Attacks the human element of the system
  – Obtain user name and password from user or admin by deception
  – For example call user and pretend to be sysadmin and request password for 'maintenance'
  – Or just get user to tell what software he is using
  – Also many other schemes are used
    ● Fake warning or patch Emails that contain virus or trojan
    ● Web pages with misleading addresses
      WWW.LlNKEDlN.COM (lowercase L in place of I)
    ● Fake customer service remote access links, for example using Teamviewer or other legit RA software
24. War walking
● War walking (or driving, flying, etc)
  – Use powerful WIFI (WLAN) antenna and scanning software to locate unsecured WLAN networks
  – For example even if company doesn't have WIFI network, some employee may still use it at home and has a bad config
25. After Recon: ATTACK
● Now the attacker has gathered enough info
  – It's time to attack the system
  – Usually at this stage the attacker knows exactly what attacks to use and where
  – The attacker's goal is to get in with minimum moves
  – And minimum fuss
  – If attacker is good enough, you never know that you were hit. Until it is too late, if you ever find out that is.
26. Attack Types
● Use open service/account or known password
● Listen/manipulate network traffic
  – Get interesting information just by listening and recording
  – Manipulate traffic (injection, playback, corruption)
    ● Hook application or update downloads and inject backdoor
● Exploit a vulnerable service or network device
  – Spoof service or host to get past authentication based on host identification
● Find way around the security measures
● Denial Of Service, knock em out
27. Using Holes In The System
● Many times no actual 'hacking' is necessary
  – Find open service that has no authentication
  – Find service that has default password
  – Find router or switch that has default password
● Exploiting weaknesses in service authentications
  – Try to access content directly bypassing authentication
  – Know addresses of 'deep' pages and access them directly
  – Many web pages store session information in the hidden fields of forms, that can be easily manipulated.
  – Find public FTP that allows anonymous upload
28. Exploiting Found Vulnerabilities
● Attacker has found service that has a vulnerability
  – For example unpatched version of MS IIS or Apache
  – Or unpatched web application, such as Wordpress
  – Attacker finds an exploit program for the vulnerability, or makes his own
  – Attacker executes the attack program
● After successful attack the attacker has control over the system
  – Depending on the service attacker either gets direct root access or some non-root account, and then he needs to find a way to get root account (further exploits)
29. Sometimes The Target Is Your Customers
● Council on Foreign Relations website was hacked
● Instead of trying to find something in server, attackers injected exploit payload to the site
● Thus anyone who visited the site was under attack
● CFR site is favored among US political heavyweights
● F.ex Hillary Clinton
● This type of attack is called watering hole attack
● http://freebeacon.com/chinese-hackers-suspected-in-cyberattack-on-council-on-foreign-relations/
30. Get User To Help In Breaking The System
● If computer system doesn't have vulnerability there's always the user
  – Get password from user with social engineering
  – Get user to disable security on the target
  – Get user to install spyware/backdoor sent over E-Mail or web
  – Get user to visit web site that uses vulnerability in the browser
  – Send user document that contains exploit and installs a backdoor
  – Fool user to send the information attacker wants
● Today most breaches happen by exploiting workstations over email or web based exploits
31. One Computer Taken Over, Now What?
● What attacker can do depends on the host
  – A host may contain interesting information by itself
  – Any host can be used as stepping stone for further attacks
    ● Listen to the local traffic to catch authentication information
    ● Many times security in the local network is quite lax. The only firewall may be the one protecting from internet
    ● Baked Alaska network: Hard on the outside, soft on the inside
  – Many computers contain interesting credentials
    ● Hash of domain admin may be found in the local cache
32. Spoofing
● Spoofing is a general name for forging address information to fool the receiver about sender
● IP spoofing
  – Sending packets with forged source IP address
  – Blind attack outside own subnet
  – Requires guessing the TCP sequence number
● ARP spoofing
  – Fools the receiver to believe that the spoofed IP address has the attacker's MAC address instead of correct one
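Added example, not from the original slides: an arpwatch-style check for the ARP spoofing described above. It keeps the IP-to-MAC bindings seen in ARP replies and alerts when a binding changes or one MAC starts claiming several IPs. The reply list is a constructed capture using placeholder addresses (RFC 5737 IPs, locally administered MACs).

```python
# Added example, not from the original slides: arpwatch-style detection of the
# ARP spoofing on slide 32. Addresses below are constructed placeholders.
from collections import defaultdict

# Constructed observed ARP replies: (time_s, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.0, "192.0.2.1", "02:00:00:00:00:01"),    # gateway announces itself
    (1.0, "192.0.2.10", "02:00:00:00:00:10"),
    (2.0, "192.0.2.11", "02:00:00:00:00:11"),
    (30.0, "192.0.2.1", "02:00:00:00:00:01"),
    (31.0, "192.0.2.1", "02:00:00:00:00:11"),   # host .11's MAC now claims the gateway IP
    (31.5, "192.0.2.1", "02:00:00:00:00:11"),
    (32.0, "192.0.2.10", "02:00:00:00:00:11"),  # ... and host .10's IP as well
]

# Static bindings the defender knows for sure (hypothetical gateway address).
TRUSTED_BINDINGS = {"192.0.2.1": "02:00:00:00:00:01"}


class ArpWatch:
    """Track IP->MAC bindings seen in ARP replies and report suspicious changes."""

    def __init__(self, trusted=None):
        self.trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.table = dict(self.trusted)          # current IP -> MAC view
        self.claims = defaultdict(set)           # MAC -> set of IPs it has claimed

    def observe(self, ts, ip, mac):
        """Feed one ARP reply; return a list of alert strings (empty if benign)."""
        alerts = []
        mac = mac.lower()
        new_claim = ip not in self.claims[mac]
        self.claims[mac].add(ip)
        previous = self.table.get(ip)
        if previous is None:
            self.table[ip] = mac                 # first sighting, learn it
        elif previous != mac:
            if ip in self.trusted:
                # Never let a reply override a static binding; just report it.
                alerts.append(f"{ts:.1f}s SPOOFED TRUSTED BINDING: {ip} is "
                              f"{previous}, reply claims {mac}")
            else:
                alerts.append(f"{ts:.1f}s FLIP-FLOP: {ip} was {previous}, now {mac}")
                self.table[ip] = mac
        # One MAC answering for several IPs is the signature of a MITM host.
        if new_claim and len(self.claims[mac]) > 1:
            alerts.append(f"{ts:.1f}s MAC {mac} claims several IPs: "
                          f"{sorted(self.claims[mac])}")
        return alerts


def run_watch(replies, trusted=None):
    """Replay a list of replies through ArpWatch and collect all alerts."""
    watch = ArpWatch(trusted)
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(watch.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for line in run_watch(ARP_REPLIES, TRUSTED_BINDINGS):
        print(line)
```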
33. Spoofing
● DHCP spoofing
  – Used when new host requests IP address
  – Attacker sends reply to host before the real DHCP server to give own answer to host
● DNS spoofing
  – Attacker compromises DNS tables in the target
  – Requires either hacking of the authoritative DNS or poisoning the local DNS cache with false reply to query to the authoritative server
  – Nowadays known as Pharming
34. What Spoofing Can Do
● Spoofing is very useful when you are inside target network
  – Get access into systems that rely on sender identity as authentication
    ● FTP accounts, Rlogin and other services that 'identify' by IP address
    ● Poorly protected intra servers
    ● Shared network drives
  – Hijack existing session to take control of it
  – Send fake email or other communication that cannot be traced
35. Spoofing and Problem Of Trust
● Spoofing is successful because most companies implicitly trust their internal "secure" network
  – On many protocols the IP address or DNS name is taken as host identification
  – But as seen on previous slides, this information can be forged
  – So the host information cannot be trusted
● The solution is to require extra authentication
  – User authentication with passwords or Kerberos
  – Host authentication with host certificates, or other reliable method
36. WLAN Evil Twin Attacks
● Evil twin attack is based on setting up access point that has identical SSID to company access point
● Evil twin waits for victim to search for access points and accept new connection because the name is familiar
● Usually used to fake pay-for-use access points to capture login information or credit card numbers
● But how about targeting company laptops that are connected by cable, but still look for WLAN connection
● If connection is made attacker has network connection to target, which with any luck has default routing or can be exploited
37. Man In The Middle
● MITM means manipulating traffic between victim and server
● Most classic case would be redirecting user to a fake site instead of real one
● But content injection is currently in fashion by NSA, etc TLAs
  – Modify downloaded binaries to contain a backdoor
  – Add exploit to otherwise clean web traffic
  – Show authentication dialog to fool password out of user
  – Or just about anything else imagination gives
38. Sniffers
● Passively listen to physical or wireless network
  – Use network adapter in mode that it receives all traffic
  – Then filter out the stuff that you find interesting
● Any plaintext connection is goldmine of information
  – In many protocols passwords are in cleartext or are easily crackable, so attacker can get user logins
  – While connections over internet are SSL protected, it is very typical that internal communication is totally insecure
  – Also as almost everything is web based, you don't need to crack the password, just steal the cookies
  – Also many clients are very 'chatty' and reveal a lot of information
40. Communicating Back To Home
● Attacker needs to be able to command the host
  – Compromised host is no good unless it can be commanded
  – Communication is also needed for uploading attack components and downloading stolen info
● Communication happens over normal protocols and ports
  – HTTP, IRC, SIP, ICMP, P2P
  – Bots use either fixed IP/DNS or fast flux where contact address changes all the time
  – Bots contact C&C node to get instructions and upload stolen info either to C&C or separate dump site
41. Denial Of Service
● DOS attack aims to prevent anyone from using the target service
  – The aim is not to penetrate the system, just to take it down
● There are two types of DOS
  – Malformatted attack
    ● Send corrupted packet/request that crashes the target
  – Flooding attack
    ● Send perfectly valid requests, but at such numbers that the target is overloaded by them
42. Malformatted DOS Attack
● Malformatted attack relies on a vulnerability on the target service
  – Typically the target cannot handle packet that is corrupted in a special way
  – Instead of trying to exploit the vulnerability the attacker sends corrupted packet that crashes the service
  – Example: Ping Of Death attack sends ICMP ECHO (ping) packet that is larger than maximum allowed.
    ● The result is target crash or reboot
    ● Effective only on really old systems, but good example
43. Flooding DOS attack
● The traffic sent by the attacker is perfectly valid
  – There's just too much of it
  – Bandwidth consumption
  – Resource saturation
  – System or application crash
● Flooding attack can be simply sending just session initiations at enormous rate
  – Leaves server with huge amount of unclosed sessions
  – Each open session consumes system resources
  – Or the attacker actually maintains session and just overloads the server by downloading
45. Defending The Network
● Let's try to figure out some ways to defend the network
● As with building security everything starts from the design and layout
  – Limit access so that hosts have access only to where they need to
  – Limit the user and group access, so that if attacker manages to get in with some user account, the exposure is limited
  – Control the network traffic, packets need to travel only from source to destination, no need to be visible elsewhere
  – Good security design has many layers, so that breaking one won't compromise everything
  – Assume that attacker always has control of at least one workstation and plan your security by that
46. What Is Needed From A Secure Network?
● Confidentiality
  – Only the sender and receiver can see the communication
● Integrity
  – No one can tamper with communication
  – No one can tamper with hosts or network devices
● Authentication
  – Users and hosts are reliably identified
47. What Is Needed From A Secure Network?
● Auditing/Monitoring
  – Normal state of network is known
  – There is monitoring that can detect anomalies
  – Log history of network activity is being maintained
● Access control
  – Workstations can access only those servers they need
  – Users have access to only those network resources they need
48. How To Ruin Attacker's Day
● Prevent attacker from getting in
  – No way in means no way to attack
● Prevent attacker from moving to other hosts
  – Even if attacker gets in, the damage is limited
● Prevent attacker from communicating with exploited hosts
  – If infected host cannot communicate outside, it is relatively harmless
  – No communication means no commands, no stolen data
  – Assuming that attacker is not using some exotic C&C
49. Building Network So That It Is Easy To Secure
● Cheapest way to make secure network is build it to be secure in the first place
● Most important security decisions are about network architecture, layout and what traffic is allowed
  – Divide network into isolated areas
  – Allow only necessary access between areas
  – Preferably control the traffic at host level
  – Allow only the traffic that is needed, block the rest
  – Users should have easy access to what they need
    ● But no access to what they don't
  – Remember, access is easy to grant but hard to revoke!
50. Tools To Build Secure Network
● Trained users and administrators
● Properly administrated user and group permissions
● Up to date operating systems and services
● Well configured services, including web applications
● Well planned network layout
● Properly maintained switches and routers
● Network filters (Firewalls and content scanners)
● Tunneled connections over VPN, SSH, SSL, etc
● Intrusion Detection Systems
● Anti-Virus
51. Network Implementations From Outside Point of View
[Diagram: three layouts side by side, each drawn as public IP space on the outside, a Router or NAT Router, and workstations (W) / servers (S) on the inside]
Open network (router, all hosts on public IP)
● Fully open
● Everything can be seen and attacked from outside
Masked network (NAT router, hosts on private IP)
● Hosts in the intra are invisible to outside
● Thus they cannot be targeted with direct attacks
● Ideally offers total protection from network based attacks from outside
● If it works properly...
Masked with DMZ (NAT router, public servers on public IP, workstations on private IP)
● Servers are protected by firewall
● But still outside the intra so they can't access/attack any computers on intra
52. Network Implementations Seen From Inside
[Diagram: three layouts side by side, drawn with a router and workstations (W) / servers (S); the segmented one shows Development, Servers and Finance segments]
Open
● All hosts are fully visible
● Any compromise can affect whole network
● AKA baked Alaska network: hard on the outside, soft and sweet on the inside
Segmented
● Only own and allowed segments visible
● Access control between sections
● Limits compromise to own segment and segments to which host has access
Isolated
● Each host has its own 'segment'
● Only allowed hosts visible (servers)
● Limits compromise to allowed connections
● Very popular with broadband operators
53. From Castle To Airport
● The previous layouts were based on so called 'castle' model
  – Single entrance
  – Easily seen routes of attack
● Unfortunately the modern network is more like an airport
  – Remote users over modem and xDSL lines
  – Employees using laptops outside firewall
  – PDAs syncing files and calendars with workstations
  – Unsecured WLAN terminals connected to network
54. 'Castle' View Of Network
[Diagram: a single router in front of the Development, Servers and Finance segments]
Simple example, easy to explain. Mostly seen in books and lecture slides
56. 'Airport' View Of Network
Real life example, no one knows all routes to network. Much harder to defend
[Diagram: the same router with Development, Servers and Finance segments, but with many extra entry points drawn around it: infected laptop, remote user, web site exploit, modem or xDSL, floppy, WLAN, Outlook sync, phone mail sync, WLAN terminal, USB autorun or other "Adidas" network]
57. Switches And Routers As Security Tools
● Proper switch makes sniffing difficult
● Ideal switch prevents hosts from seeing other traffic
● But switches can be fooled, for example by ARP spoofing
● Many switches also offer remote configuration, with default passwords.
● Like any servers also switches have vulnerabilities!
● In other words, make sure that a switch is up to date
● Routers allow to segment network
● Using routers the network can be split into segments
● Most routers also have firewall functionality
● Like switches, routers need to have their OS up to date!
58. Filtering The Network Traffic
● Proper network layout and segmenting limit access between segments, but don't care what the actual traffic is
● To limit network traffic into accepted form (ports, protocols and content) you need to use some form of network traffic filtering
● Network filters remove unwanted traffic from the network at the filter point (gateway, router, host)
● Network equipment are like PCs, they need updates and must be checked once in a while
● http://www.spiegel.de/international/world/catalog-revealsnsa-has-back-doors-for-numerous-devices-a-940994.html
● http://www.informationweek.com/security/vulnerabilities/barracuda-security-equipment-contains-ha/240146890
59. Placing Firewalls In The Network
● At the gateway router
[Diagram: firewall at the gateway; workstations (W) in the private network behind NAT; servers (S) in the DMZ]
● Internal network protected by NAT both from outside and from DMZ
● Servers are placed in DMZ and protected both from outside and from inside
● Servers in the DMZ have no direct access to intra; intra looks the same from DMZ as it looks from outside
● Thus if a server in DMZ is compromised the intra is still safe
● Remember: use only packet filter at gateway, fancy stuff will only make DOS easy
60. Placing Firewalls
● Between segments
[Diagram: router and firewall separating the Marketing, Development and Servers segments of the private network]
● Segments isolated from each other
● For example no access from development to marketing
● Only accepted hosts can access between segments
● Each segment can have servers that are in the server segment, but access allowed only to that segment
● Limits exposure to one segment
61. Firewalls At Each Host
● So called 'personal' firewalling
● Each host has firewall software installed
  – Third layer of defense if dedicated firewalls fail
  – Personal firewall protects laptop when out of office
● Most personal firewall products also provide application filtering
  – Allows to control which applications can use network
  – Prevents many spyware, backdoors and trojans from working
62. So What Do You Want To Do With Firewalls?
● Protect your systems from unauthorized outside traffic
  – Everyone knows this and everyone does this
    ● Unless you neglect your network security that is
  – So modern attacks do not come as inbound TCP/IP attacks
● Use firewalls for damage control and containment
  – If a single workstation gets infected, it must not be able to bring down the whole network
  – Treat every host and server in your network as untrusted
  – Switch your thinking from CIA to FBI
  – There will be bad guys in the network, how do I locate and isolate them?
63. So What Do You Want To Do With Firewalls?
● Make sure only right servers are allowed to send traffic
  – Only mail server should be allowed to send mail
  – Only HTTP proxy should be allowed to send HTTP/S
  – Only IT workstations should be allowed to use remote desktop
  – No remote login from one workstation to another
  – Do your users need IRC, SSH, etc at work? If not don't allow it
64. Firewalls And Logs
● Firewalls provide extensive logging capabilities
  – What traffic was sent to this host
  – What traffic was forwarded from a gateway
  – Source/destination, protocol, port, etc
  – Remember firewall logs are problematic in privacy issues!
    ● Record only the traffic headers, not content
● By monitoring firewall logs it's possible to notice problems and attacks
  – Someone running a port scan
  – Why does that marketing host try to access development source code server?
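Added example, not from the original slides: the two log checks the slide names, a port scan and a segment policy violation, run over a constructed header-only firewall log. The log format, the 10.1/10.2/10.3 segment addressing and the per-server access policy are all hypothetical.

```python
# Added example, not from the original slides: two checks a defender can run
# over firewall logs. Log format, addresses and access policy are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed sample log: header fields only, no payload (slide 64's privacy point).
SAMPLE_LOG = """\
2014-02-03T09:00:01 DENY 10.1.0.23:51000 -> 10.3.0.10:22 tcp
2014-02-03T09:00:02 DENY 10.1.0.23:51001 -> 10.3.0.10:23 tcp
2014-02-03T09:00:02 DENY 10.1.0.23:51002 -> 10.3.0.10:25 tcp
2014-02-03T09:00:03 DENY 10.1.0.23:51003 -> 10.3.0.10:80 tcp
2014-02-03T09:00:03 DENY 10.1.0.23:51004 -> 10.3.0.10:443 tcp
2014-02-03T09:00:04 DENY 10.1.0.23:51005 -> 10.3.0.10:445 tcp
2014-02-03T09:00:04 DENY 10.1.0.23:51006 -> 10.3.0.10:3389 tcp
2014-02-03T09:00:05 DENY 10.1.0.23:51007 -> 10.3.0.10:8080 tcp
2014-02-03T09:05:00 ALLOW 10.1.0.23:51100 -> 10.3.0.20:443 tcp
2014-02-03T09:06:00 ALLOW 10.2.0.7:40000 -> 10.3.0.30:22 tcp
2014-02-03T09:07:00 ALLOW 10.1.0.44:40001 -> 10.3.0.30:22 tcp
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)

# Hypothetical segment layout, in the spirit of the Marketing/Development/Servers figure.
SEGMENTS = {
    "marketing": ip_network("10.1.0.0/16"),
    "development": ip_network("10.2.0.0/16"),
    "servers": ip_network("10.3.0.0/16"),
}
# Intended policy: which segments may reach which server (hypothetical).
SERVER_ACCESS = {
    "10.3.0.20": {"marketing", "development"},  # intranet web server
    "10.3.0.30": {"development"},               # source code server, developers only
}


def parse_log(text):
    """Parse the constructed log text; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def segment_of(ip):
    """Name of the segment an address belongs to, or None if outside the layout."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def detect_port_scans(events, min_ports=6, window=timedelta(seconds=60)):
    """Return {src: distinct_ports} for sources that touched >= min_ports distinct
    destination ports on one host inside a sliding time window."""
    per_pair = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for ev in events:
        per_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    hits = {}
    for (src, _dst), probes in per_pair.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = {p for _, p in probes[start:end + 1]}
            if len(distinct) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def detect_policy_violations(events):
    """Return (src, dst, segment) for ALLOWED flows the intended policy forbids:
    the rule base is looser than the design, or a host is where it should not be."""
    violations = []
    for ev in events:
        if ev["action"] != "ALLOW" or ev["dst"] not in SERVER_ACCESS:
            continue
        seg = segment_of(ev["src"])
        if seg not in SERVER_ACCESS[ev["dst"]]:
            violations.append((ev["src"], ev["dst"], seg))
    return violations


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(evs))
    print("policy violations:", detect_policy_violations(evs))
```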
65. Application and Database Firewalls
● IDS and Network filtering give only limited protection
● The problem is that almost all new services are HTTP based
● And these services have DB connections to DB servers
● So use protocol specific Firewalls to filter actual traffic
● These firewalls can inspect traffic and match it against profile of allowed behavior and filter out the rest
● https://www.owasp.org/index.php/Web_Application_Firewall
● http://www.imperva.com/products/dsc_databasefirewall.html
66. So If I Do Network Security Right That's All I Need!
● Not quite, if your users can use the net so can attackers
● Even best filtering will not solve all your problems
● The compromised host has at least the access its user has
● Thus you have to make sure that also user access is limited
● Remember that even if you would be able to close all unauthorized access
● The attacker can always use Facebook or Twitter for communication. And it is already being done
● http://ddos.arbornetworks.com/2009/08/twitter-basedbotnet-command-channel/
67. What About The Cloud?
● Cloud is the buzzword of the day, everyone wants cloud
● When implemented improperly cloud is quite a risk
● Best way to treat cloud is like a server in remote office
  – Limit network access only to your company
  – Don't store critical material in external servers
● By itself cloud adds only one additional risk
  – Which is that someone who manages to break virtualization used by cloud provider can access other instances in same physical box
  – But this is not different from someone breaking into hosting facility and accessing physical server
68. Selecting A Cloud Provider
● Ask your Cloud service provider the following questions before signing any contract:
  – Other than people I authenticate, who else can access my information? What about governmental access?
  – Will the service provider in any way use my data and information?
  – What happens in case of data loss or corruption?
  – Would my competitor be able to see my data and information?
  – If I wish to move to a different service provider, how easy would that be? Are there any hidden legal bits that I am not aware of?
● http://www.afsheenjafry.com/cloud-computing
69. Prevent Attacker From Communicating
● Prevent inbound traffic to disable server type backdoors
● Client type backdoors need to find C&C node
  ● This means they need to use DNS query to find current C&C
  ● So block .info, .biz, .cc and other TLDs that your users don't need
● Simpler attacks use static C&C in China, Russia, etc
  ● Block outbound IP ranges to countries that your users don't need
● Make sure there is no direct way out
  ● Allow only HTTP over proxy, check user agent
  ● Do not allow direct email out, only through company mailserver
  ● Some self updating apps do not understand proxy, so make exception for iTunes, etc that are allowed for users
70. Using DNS Filtering For Security
● Why should your DNS resolve every domain in the world?
● Your users need only a very small fraction for business use
● So set your DNS server to resolve only the top 1M most common domains. For example by Alexa rank
● Thus your users get to just about any page that they need
● But malware, which by its very nature uses new and unknown domains, will be unable to communicate
● I did a test comparing Alexa top 1M domains and 300K malware domains, and overlap was only 0,4%
● Which gives 99,6% protection rate
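Added example, not from the original slides: a resolver policy that only answers for domains on a top list (plus the company's own zones), and the overlap measurement the slide describes. The top list, the malware list and the small public-suffix set are constructed stand-ins; the real lists are far larger.

```python
# Added example, not from the original slides: allowlist DNS resolution as on
# slide 70, plus the allowlist/malware overlap measurement. Lists are constructed.
from typing import Iterable

# Minimal set of multi-label public suffixes so that "example.co.uk" counts as one
# registrable domain (hypothetical stand-in for the full public suffix list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(name: str) -> str:
    """Reduce a queried name to the domain a top-list entry would carry."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


class AllowlistResolverPolicy:
    """Decide whether a recursive resolver should answer a query at all."""

    def __init__(self, top_domains: Iterable[str], local_zones: Iterable[str] = ()):
        self.allowed = {registrable_domain(d) for d in top_domains}
        # The company's own zones must always resolve, top list or not.
        self.local_zones = {z.lower().rstrip(".") for z in local_zones}

    def should_resolve(self, qname: str) -> bool:
        q = qname.lower().rstrip(".")
        if any(q == z or q.endswith("." + z) for z in self.local_zones):
            return True
        return registrable_domain(q) in self.allowed

    def filter_queries(self, qnames: Iterable[str]):
        """Split a batch of query names into (resolved, refused) lists."""
        resolved, refused = [], []
        for q in qnames:
            (resolved if self.should_resolve(q) else refused).append(q)
        return resolved, refused


def overlap_ratio(top_domains: Iterable[str], malware_domains: Iterable[str]) -> float:
    """Fraction of distinct malware registrable domains that an allowlist built
    from top_domains would still resolve (the slide reports 0.4% on real data)."""
    allowed = {registrable_domain(d) for d in top_domains}
    bad = {registrable_domain(d) for d in malware_domains}
    if not bad:
        return 0.0
    return len(bad & allowed) / len(bad)


# Constructed sample data (reserved example names, not real indicators).
TOP_DOMAINS = ["example.com", "example.org", "example.co.uk", "shared-cdn.example"]
MALWARE_DOMAINS = ["x7q1.bad.example", "update.c2.example",
                   "login.bad.example", "cache.shared-cdn.example"]

if __name__ == "__main__":
    policy = AllowlistResolverPolicy(TOP_DOMAINS, local_zones=["corp.example"])
    print(policy.filter_queries(["www.example.com", "intranet.corp.example",
                                 "x7q1.bad.example"]))
    print(f"overlap: {overlap_ratio(TOP_DOMAINS, MALWARE_DOMAINS):.1%}")
```

The last malware entry sits under an allowlisted content delivery domain, which is exactly the residual 0,4% the slide measured: the allowlist cuts off unknown domains, not abuse of popular ones.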
71. Content Scanners
● Unlike firewalls content scanners filter network traffic based on the content of the traffic
● Content scanner is an application that monitors network traffic for forbidden content
  – SPAM, unwanted email attachments, exploits, etc
  – Each type of content needs a scanner that supports that content type
● Content scanners are placed in gateway points
  – All traffic is directed through scanner
  – Content scanner inspects and tells gateway whether to block the traffic
72. Types Of Content Scanners
● SPAM filters
  – Analyzes E-MAIL text and tries to filter SPAM mail
● EMAIL filters
  – Filters E-Mail by its properties
    ● Sender, attachment types, size, encoding, scripts
● Anti-Virus
  – Filters malware out from E-Mail, HTTP, or other stream
● Content classification controls
  – Filter web pages based on unwanted content
    ● Racism, porn, politics, religion, recruitment and other touchy issues
73. Tunneling Protocols
● IP based protocols have several problems
  – Confidentiality
  – Integrity
  – Authentication
● Now the problem is protecting content, not filtering
● Tunneling protocols solve the problem by creating encrypted tunnel
  – All parties in the communication are authenticated
  – The communication is encrypted so that it cannot be eavesdropped or modified
74. Ideal tunneling
[Diagram: "Traffic without tunneling" shows Alice sending to Bob through a router, where a hacker sits on the path and can read the traffic; "Traffic with tunneling" shows Alice and Bob joined by an encrypted tunnel that passes through the network and its routers]
75. Tunneling For Security
● Tunneling protocols provide secure transmission over untrusted network
● Secure tunnel is provided by encryption and authentication
  – What attacker cannot decode he can't understand
    ● Listening to traffic is useless as security attack
  – Authentication provides reliable detection for modifications
    ● Even if attacker can decode the transmission he cannot alter it without it being detected and rejected
76. SSL/TLS
● TLS is the most commonly used tunneling nowadays
● Both web apps and Android/iOS use TLS for protection
● Setting up TLS feels simple
  – Install server
  – Get certificate
  – Give user HTTPS link or make your app use TLS for comms
● However doing TLS right is a good bit more difficult
● https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
77. TLS Problem 1: MITM
● If attacker is between you and user, he can fudge things
  – User tries to go to web bank http://bank.com
  – Bank redirects user to https://bank.com
  – Attacker makes the TLS connection to bank.com
  – But to user attacker gives http://bank.com, no crypto!
  – Thus user thinks he is banking safe, but in reality only traffic from attacker to bank is protected
● Solution: Always check that traffic is protected by TLS
● However it is difficult to get the users to verify this
78. TLS Problem 2: Certificate Spoofing
● Attacker can TLS the forwarded traffic to avoid being discovered
  – Also encrypt the traffic forwarded to user with TLS
  – Thus user will not notice anything out of the ordinary
  – But browser will alarm for invalid or self generated cert
  – So either attacker is government who can force CA to make a bogus cert that is still accepted by the web browser
  – Or attacker has installed his own CA key to user's OS
● Solution: Use certificate pinning to make sure that certificate cannot be changed even to another valid CA generated cert without alarm. Unfortunately again requires client mod
79. TLS Problem 3: Algorithm Choosing
● Attacker can affect session setup and choose crypto
  – Web servers typically allow large set of encryption algorithms and protocols
  – Sometimes the default list contains very weak options such as DES, which is easily crackable nowadays
  – So if attacker can affect session creation, he can force weak implementation to make job easier
● Solution: Configure your server right
  – Have best and strongest options first in the list
  – Remove weak and obsolete options from the list
    ● Drop SSL v2 and SSL v3, drop all obsolete crypto
80. TLS Problem 4: Record And Get Keys Later
● Governments are patient, and they have plenty of storage
● Thus they can easily record all encrypted traffic
● And when they find something interesting enough
● They simply send police to seize the servers
  – And recover the certificate from the server
● Thus all previously recorded traffic is now readable
● Solution: Use PFS (perfect forward secrecy) option in TLS which uses Diffie Hellman key exchange which guarantees that session key cannot be recovered even if attacker gets cert later
● http://ggramaize.wordpress.com/2013/08/02/tls-perfectforward-secrecy-support-with-apache/
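Added example, not from the original slides, covering the advice of problems 3 and 4 together: an audit of a server's protocol and cipher configuration (obsolete protocols, weak ciphers, non-PFS key exchange, strongest-first ordering) and a Python ssl context configured the same way. The two server configurations and the weak-marker rule set are constructed; cipher names use OpenSSL spelling.

```python
# Added example, not from the original slides: auditing a TLS server cipher
# configuration against slides 79 and 80 and building a matching ssl context.
import ssl

# Substrings that mark a cipher as obsolete (hypothetical but conventional rule
# set; not exhaustive). "3DES" is caught through "DES".
WEAK_MARKERS = ("NULL", "EXP", "DES", "RC4", "MD5", "ADH", "AECDH", "ANON")
# Key exchanges that give forward secrecy; TLS_ prefix = TLS 1.3 suites, always PFS.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def classify_cipher(name):
    """Return 'weak', 'no-pfs' or 'ok' for one OpenSSL cipher name."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return "weak"
    if not upper.startswith(PFS_PREFIXES):
        return "no-pfs"
    return "ok"


def audit_cipher_list(names, protocols):
    """Audit a server's cipher order and protocol set.
    Returns {'problems': [...], 'verdicts': [(name, verdict), ...]}; an empty
    'problems' list means the configuration follows the slides' advice."""
    problems = []
    bad_protocols = [p for p in protocols if p in OBSOLETE_PROTOCOLS]
    if bad_protocols:
        problems.append("obsolete protocols enabled: " + ", ".join(bad_protocols))
    verdicts = [(n, classify_cipher(n)) for n in names]
    weak = [n for n, v in verdicts if v == "weak"]
    if weak:
        problems.append("weak ciphers present: " + ", ".join(weak))
    no_pfs = [n for n, v in verdicts if v == "no-pfs"]
    if no_pfs:
        problems.append("ciphers without forward secrecy: " + ", ".join(no_pfs))
    # "Best and strongest first": nothing weak or non-PFS may precede the first PFS suite.
    first_ok = next((i for i, (_, v) in enumerate(verdicts) if v == "ok"), None)
    if first_ok is not None and any(v != "ok" for _, v in verdicts[:first_ok]):
        problems.append("strong ciphers are not first in the list")
    return {"problems": problems, "verdicts": verdicts}


def hardened_server_context():
    """ssl.SSLContext applying the advice: TLS 1.2+ only, ECDHE (PFS) suites only,
    server-side preference so the client cannot steer the choice downwards."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!DES:!3DES:!RC4")
    return ctx


def context_cipher_names(ctx):
    """Suite names this OpenSSL build will actually offer for the context."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed example configurations: a legacy default-style list and a cleaned one.
LEGACY_CONFIG = {
    "protocols": ["SSLv3", "TLSv1", "TLSv1.2"],
    "ciphers": ["AES128-SHA", "DES-CBC3-SHA", "RC4-MD5", "ECDHE-RSA-AES128-GCM-SHA256"],
}
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
                "ECDHE-RSA-CHACHA20-POLY1305"],
}

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_cipher_list(cfg["ciphers"], cfg["protocols"])["problems"])
    print(context_cipher_names(hardened_server_context()))
```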
81. Virtual Private Networks
● VPN forms general purpose tunnel
  – Applications sending traffic over VPN don't even know that it exists
  – Using VPN any traffic can be protected without any application modifications
  – With VPN you can be your own CA and thus be safe from certificate spoofing and thus from MITM attacks
● Using VPN, admin can create virtual networks
  – Joining two office networks over protected tunnel
  – Protecting traffic in the company intra, so that each connection goes over its own virtual 'cable'
82. Uses For VPN
● Automatically secure unprotected protocols
  – No snooping, just being able to connect to LAN doesn't help
● Reliable host identification
  – IP address can be forged, host certificate can't
● Better control over the computers on the intranet
  – If the host doesn't have certificate, it can't use the net
● Secure connections inside company intranet
  – As VPN is transparent, all traffic can be routed over it
● Secure connections to remote offices
  – Connect two networks transparently
83. Dangers Of VPN
● VPN provides safe tunnel for traffic but it does not provide any security over end points
● There are several cases where company network has been hacked or received a worm over VPN
  – User's laptop gets compromised and offers direct route to company intra over VPN right past all firewalls
● Thus any connections over VPN should be limited
  – VPN access to own special segment
  – Firewalls and IDS between VPN segment and intra
  – Limited access to company servers, only what VPN users need
● Remember to update your tunneling software and its config
● http://www.nta-monitor.com/files/whitepapers/VPN-Flaws-Whitepaper.pdf
84. Protecting WIFI
● Safest WIFI is to be without one at all
  – So don't use it unless you really need wireless net
● The key problem in WIFI is that since it is radio it can always be listened to and attacks can be done without physical presence
● Key points in implementing secure WIFI are
  – Updated and well configured WIFI access points
  – Well configured WIFI terminals (laptops etc)
  – Well placed WIFI access points
  – Protecting all traffic over WIFI (WPA2, preferably also VPN)
85. Placing WIFI terminal
● Place the access point physically so that it has minimum coverage outside the office walls
  – Place the access points at the center and measure outside
● Place the WIFI access point into its own segment in the company network architecture
  – Each segment that needs WIFI must be filtered
● Basically all connections over WIFI should be treated with the same distrust as VPN connections
86. Protecting WIFI Traffic
● Switch the access point security ON!
  – Most access points ship with no security settings on
  – Enable WPA2 crypto and authentication
  – Disable WEP crypto, don't allow connections over it
  – Set the access point so that it doesn't allow unknown WIFI cards to connect to it
● Use RADIUS or WPA2 authentication
● For anything requiring real security use VPN over WIFI connections
  – If WIFI gets hacked the attacker still needs to fight the VPN
87. WIFI And Laptops
● Almost every employee has a laptop nowadays
● And every laptop has a WIFI card, and almost all the time that WIFI is connected to some open network
● And all traffic in open WIFI is visible to everyone
  – This means that an attacker can do whatever they wish to any unencrypted connection
  – Free services tend to do authentication over SSL and the rest of the traffic in plaintext. Even Gmail used to do this
  – Also just connecting to WIFI gives a huge amount of information on what the laptop is and what software it has
  – As soon as you connect to WIFI, Skype, Outlook, messengers and whatnot try to find their servers.
88. Safe WIFI Access While On The Move
● Treat any open WIFI with high suspicion
● Especially in cafes or airports there can always be someone listening to all traffic
● So the only safe way to use public WIFI is to take a VPN connection to the company server, and route all traffic to the company network and from there to the rest of the world
● Or at least make sure that you are not using any web services that don't have encryption on all pages after authentication
● And if you are at a hacker conference, even that is probably not enough. So don't bring your laptop in the first place.
89. Make Reconnaissance Difficult
● Use separate DNS for inside and outside
● Make sure that the internal network is properly NAT isolated
● Don't place any servers that offer internal services on the DMZ
● Don't give descriptive names to your Web or VPN proxy
● Place only public stuff on public servers
  – Make sure that all php, perl, etc. cannot be downloaded
● Place robots.txt on all directories and tag all pages
  – <META name="robots" content="noindex, nofollow">
● Check what GOOGLE shows about your domain!
90. Detecting Intrusions
● Even the best protections can be defeated with time
  – Thus it is very important to monitor the network to catch any intrusions when they happen
  – Follow the type of traffic in the network and be alert for anything unusual
  – There are many high level automatic tools available, but it helps to understand how they work
● Remember the best IDS is a trained admin; IDS tools are just tools, they need a skilled admin and a well behaving network
  – NOTE! Finland has extensive personal privacy protection laws, be careful what you monitor...
91. What To Look For in Network Traffic?
● Look for anything unusual
  – Unusually large amounts of traffic
  – Connections to unusual or new ports
  – New type of traffic or new protocol
  – Large amount of failed logins, or logins from unusual sources
  – Traffic from unexpected hosts (why is a development test computer accessing the finance network?)
● For this you need to know what normal traffic is
  – And design your network so that the normal traffic is well behaving (network is segmented and filtered)
92. Tools For Network Monitoring
● Log files
  – Firewall, routers, servers, workstations
● Sniffers placed at strategic locations in the network
  – Look at packet headers for
    ● Source, Destination, Port, Protocol
● Network status displays
  – Show current load and traffic by type
  – Gives a nice overview of what's going on at the moment
● IDS systems and other automatic intrusion detection tools
93. Intrusion Detection Systems
● Scans network traffic for attacks or anomalies
  – Either all traffic, like sniffers, or only traffic directed to this host
● Signature based IDSes scan for known attacks
  – Signature IDS looks for known forms of misuse
● Anomaly IDSes monitor for suspicious activity
  – Doesn't look for any specific attack. Anomaly IDS searches for alarming exceptions in the traffic that it sees, such as MS SQL server access in a UNIX network
  – Needs very careful configuration, and still probably causes false alarms
94. Signature Based IDS
● Signature based IDS scans traffic for patterns that match some known attack
  – Traffic passing through the IDS is compared against a database of signature rules
  – f.ex. the signature for the root kit dropped by Code Red II looks for 'scripts/root.exe?' in the request
  – Each known attack needs its own signature
  – When a signature matches it will trigger an alarm in the IDS
  – When new attacks appear signatures must be updated
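A minimal signature matcher in the style described above, written here as an added example rather than code from the slides or from any IDS product: the first rule is the Code Red II 'scripts/root.exe?' indicator the slide mentions, the other two rules and the sample request lines are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern  # compiled regex applied to each request line


# Constructed signature database. The root.exe rule mirrors the Code Red II
# indicator from the slides; the other two are illustrative IIS-era rules.
# "Updating signatures" means appending a new Signature to this list.
SIGNATURES = [
    Signature("CodeRedII-rootkit", re.compile(r"scripts/root\.exe\?", re.I)),
    Signature("IIS-unicode-traversal", re.compile(r"%c0%af|%c1%1c", re.I)),
    Signature("cmd.exe-request", re.compile(r"/cmd\.exe", re.I)),
]

# Constructed sample of HTTP request lines as a sensor would see them.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /products/list?id=42 HTTP/1.1",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]


def match_signatures(requests, signatures=SIGNATURES):
    """Compare every request against the signature database.

    Returns a list of (signature name, request) alarms, one per match, so a
    request that hits several rules raises several alarms. Anything that
    matches no rule passes silently: that is the blind spot of a signature
    IDS, and why the slides pair it with anomaly detection."""
    alarms = []
    for req in requests:
        for sig in signatures:
            if sig.pattern.search(req):
                alarms.append((sig.name, req))
    return alarms


if __name__ == "__main__":
    for name, req in match_signatures(SAMPLE_REQUESTS):
        print(f"ALARM {name}: {req}")
```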
95. Anomaly based IDS
● Anomaly IDS looks for exceptions and new trends in the network traffic
  – When an anomaly IDS is installed it needs to be taught what the normal traffic in the net looks like
  – For the first two weeks the IDS analyzes and learns about the normal traffic
● When active the IDS will alarm when it encounters a new type of traffic
  – Sources/Destinations, destination ports, protocols
  – For example a port scan or SQL traffic to a new destination
● Thus an anomaly IDS will cause a lot of false alarms, especially at the beginning
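The learn-then-alarm cycle of the anomaly IDS above, also covering two items from the "What To Look For" checklist (new ports, unexpected hosts), as an added example that is not code from the slides or from any product; the flow records, addresses and the port-scan threshold are all constructed.

```python
from collections import defaultdict

# Constructed flow records, as a sensor would summarize them from packet
# headers: (source, destination, destination port, protocol).
TRAINING_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 445, "tcp"),   # workstations -> file server
    ("10.0.1.21", "10.0.2.5", 445, "tcp"),
    ("10.0.1.20", "10.0.2.9", 80, "tcp"),    # workstations -> intranet web
    ("10.0.1.21", "10.0.2.9", 80, "tcp"),
    ("10.0.1.20", "10.0.2.1", 53, "udp"),    # DNS
]

LIVE_FLOWS = [
    ("10.0.1.20", "10.0.2.9", 80, "tcp"),    # known service: no alarm
    ("10.0.1.22", "10.0.2.5", 445, "tcp"),   # new client, known service: no alarm
    ("10.0.1.40", "10.0.2.7", 1433, "tcp"),  # SQL traffic to a new destination
] + [("10.0.1.33", "10.0.2.5", p, "tcp") for p in (21, 22, 23, 25, 110)]  # port scan


class AnomalyIDS:
    def __init__(self, scan_threshold=5):
        self.baseline = set()           # (dst, dport, proto) seen during training
        self.scan_threshold = scan_threshold

    @staticmethod
    def _service(flow):
        _src, dst, dport, proto = flow
        return (dst, dport, proto)

    def learn(self, flows):
        """Training phase: record every service that normal traffic talks to."""
        for flow in flows:
            self.baseline.add(self._service(flow))

    def inspect(self, flows):
        """Active phase: alarm on traffic to services unseen in training, and on
        one source touching many ports of one destination (a port scan)."""
        alarms = []
        ports_per_pair = defaultdict(set)
        for flow in flows:
            src, dst, dport, proto = flow
            if self._service(flow) not in self.baseline:
                alarms.append(("new-service", f"{src} -> {dst}:{dport}/{proto}"))
            ports_per_pair[(src, dst)].add(dport)
        for (src, dst), ports in ports_per_pair.items():
            if len(ports) >= self.scan_threshold:
                alarms.append(("port-scan", f"{src} -> {dst} ({len(ports)} ports)"))
        return alarms
```

Every new legitimate service will alarm the same way the SQL connection does until it is added to the baseline, which is the false-alarm cost the slide warns about.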
96. IDS Terms
● Sensor
  – Single machine logging traffic and matching rules
● Database
  – Collection point where sensors send information about rule matches
● Controller
  – Analysis and output unit which collects the data, analyzes and reacts or warns
97. IDS Structure
● Sensors capture and analyze traffic
  – Information is saved into the DB
● Console reads the DB
  – Alarms on alert cases
  – Provides a report on other activity
  – Many IDS systems can be configured to react by blocking the attacker at the firewall
[Figure: IDS structure diagram, sensors on the public IP side and the private IP side of the NAT router, a console on the private side, and the public servers]
98. Where To Place IDS sensors
● At the gateway
  – 'Weather report' on what's coming to your gateway
● After the gateway
  – Check on the firewall effectiveness
  – Concentrate on ports and protocols that the firewall lets through
● On the mirroring port of a switch
  – Inspect the traffic going on in the network
● At critical hosts
  – Internal DHCP, file servers and other critical resources
[Figure: sensor placement diagram, sensors before and after the NAT router on the public and private IP sides, and at the public servers]
99. What To Do With IDS
● Collect information on the network activity
  – Basically an advanced version of logging
  – Tells the administrator when to investigate
● React automatically to an attack
  – Add a firewall rule that blocks traffic from the attacker
  – Log all traffic from the attacker to a special log
  – Disconnect the host from the network
  – Shut down the attacked service
  – Close partitions that have critical files
100. Snort
● Snort is a free open source signature based IDS
  – Available for both Unix and Windows
● Based on the sensor/database/controller design
  – Uses MySQL database
  – Several user interfaces and report tools available
● Supports plug-in extensions
  – SnortSAM adds an interface with firewalls for automatic blocking
102. Defending From DOS
● First analyze and understand the attack
  – Where is it coming from?
    ● Is there only one attacker, or is it DDOS?
  – What is the attack based on?
    ● If it's a malformed-packet attack, what type of packets are they sending?
    ● If it's a flooding attack, is it just session open commands, or do they actually download stuff?
  – Why are you being attacked?
    ● Some kind of protest? Or a random attack?
103. Fighting DOS
● Try to filter the traffic
  – If all DOS packets are identical it's easier to filter
  – Block the DOSing hosts
  – If there are several attackers make a firewall rule that blocks attackers that send too many requests
  – If possible try to move the blocking upstream, by asking your ISP to block the DOS traffic for you
  – It might be a good idea to verify the willingness and ability of your ISP for DOS blocking beforehand
  – http://resources.infosecinstitute.com/the-red-spike-ddosmitigation-strategies/
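The two filtering steps above (spot hosts that send too many requests, and check whether their traffic is identical enough for a pattern filter) as an added example that is not from the slides; the log format, the client addresses and the window/threshold values are constructed, and the iptables rules are only rendered as strings, never executed.

```python
from collections import Counter

# Constructed access log in a simplified "epoch-seconds client-ip request" form:
# two flooding clients and one normal client over the same six seconds.
SAMPLE_LOG = (
    [f"{1700000000 + i // 20} 203.0.113.9 GET /" for i in range(120)]        # 20 req/s
    + [f"{1700000000 + i // 10} 203.0.113.77 GET /" for i in range(60)]      # 10 req/s
    + [f"{1700000000 + i} 198.51.100.4 GET /index.html" for i in range(6)]  # 1 req/s
)


def parse(line):
    """Split one log line into (timestamp, client ip, request string)."""
    ts, ip, request = line.split(" ", 2)
    return int(ts), ip, request


def find_flooders(log_lines, window=10, threshold=50):
    """Count requests per client inside fixed time windows; a client that sends
    `threshold` or more requests within one window is treated as a flooder."""
    counts = Counter()
    for line in log_lines:
        ts, ip, _ = parse(line)
        counts[(ip, ts // window)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})


def identical_request(log_lines, ip):
    """If every request from `ip` is byte-identical, return it: a filter on that
    exact request is then cheaper and safer than blocking by address alone."""
    requests = {parse(line)[2] for line in log_lines if parse(line)[1] == ip}
    return requests.pop() if len(requests) == 1 else None


def block_rules(ips):
    """Render one iptables DROP rule per flooding host (strings only). For a
    large DDOS this is where an upstream block by the ISP takes over."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    flooders = find_flooders(SAMPLE_LOG)
    for rule in block_rules(flooders):
        print(rule)
    for ip in flooders:
        print(ip, "always sends:", identical_request(SAMPLE_LOG, ip))
```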
104. Move Out Of The Way
● Find out whether the attack is targeted at a fixed IP address or some other information you can change
  – If so, change the server IP address
  – If you have several domains make sure that those that are not targeted by the DOS are able to work
● If the attack cannot be dodged, minimize load
  – Replace the main page with text that directs to an alternate page
  – Give priority to hosts that are in countries where you have customers
105. Conclusion
● In this topic we covered
  – Network attacks
  – How network infrastructure helps in preventing attacks
  – Tools to make the network infrastructure safe
106. References
● General firewall whitepaper
  – http://secinf.net/firewalls_and_VPN/General_Firewall_White_Paper.html
● Firewalls And Internet Security, Second Edition
  – Addison-Wesley, Cheswick, Bellovin, Rubin
● Maximum Linux Security
  – SAMS, Anonymous Hacker
● Netfilter Packet filtering HOWTO
  – http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
● Understanding Virtual Private Networks (VPN)
  – http://www.giac.org/certified_professionals/practicals/gsec/0561.php
107. References
● A short overview of IP spoofing
  – http://staff.washington.edu/dittrich/papers/IP-spoof-1.txt
● Netfilter IPtables firewall
  – www.netfilter.org
● Snort IDS tool
  – www.snort.org
● Google hacking
  – http://johnny.ihackstuff.com/
● Taxonomy of botnets
  – http://www.cs.northwestern.edu/~ychen/classes/msit458-