Security Planning

What needs to be secured?
Who is responsible for it?
What technical/non-technical control should be deployed?
How are people supported to do what they need to do?
What if something goes wrong?
Response and recovery
Accountability and consequences

What needs to be secured?
Hardware, software and services
– servers, routers, switches, laptops and mobile devices
– OS, databases, services and applications
– Data stored in databases or files
From whom?
– Remote hackers?
– Insiders?

Identity and access management (IAM)
– Credentialing, account creation and deletion
– password policies
Network and host defenses
– firewall, IDS, IPS
– Anti-virus
VPN and BYOD
Vulnerability patching
User awareness and education
– Phishing attack awareness (Phishme)

High level articulation of security objectives and goals
– legal, business or regulatory rationale
– Do’s and don’ts for users
password length
Web and email policies
Response to security events
– Address prevention, detection, response and remediation as it concerns/impact users

Cyber Security Management

Management Security
– Technical controls (authentication, access control, etc.) are used to reduce the risk of attacks on valuable assets.
What assets need to be secured and from whom.

Organization Context
legal and compliance drivers for cyber security
financial and health data
what technical control should be deployed?
must understand risks posed by threats
costs and benefits of security measures

Key Challenges
What assets are at risk?
What are the threats and how serious is the risk posed by them?
likelihood of successful attack and its impact

What technological solutions/controls exist to counter threats?
How can we address risk in a cost-effective manner?
cost is less than reduction in risk
How do we understand people and process aspects of cyber security management?

Sample PHP

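// User-controlled value taken straight from the query string
$selecteduser = $_GET['user'];
// Vulnerable: the value is interpolated into the SQL text
$sql = "SELECT Username, Key FROM Key " . "WHERE Username='$selecteduser'";
$rs = $db->executeQuery($sql);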

What if ‘user’ is a malicious string that changes the meaning of the query?

Web browser -> Enter Username & password -> Web server -> SELECT password FROM USERS WHERE uname IS 'smith' -> Database

Example SQL Injection Attack
DROP TABLE USERS; --
– Eliminates all user accounts
– Everything after -- is ignored by DB
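
The PHP sample above rebuilt in Python with sqlite3, as an added example that is not part of the original notes: the same lookup written once with string concatenation and once with a bound parameter. The sample rows and the hostile input are constructed, and the identifier Key is double-quoted because it is an SQL keyword.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "Key" (Username TEXT, "Key" TEXT)')
    db.executemany('INSERT INTO "Key" VALUES (?, ?)',
                   [("smith", "key-of-smith"), ("lee", "key-of-lee")])
    return db

def lookup_concatenated(db, selecteduser):
    # Same pattern as the PHP sample: the input becomes part of the SQL text,
    # so quote characters in it are parsed as SQL syntax.
    sql = ('SELECT Username, "Key" FROM "Key" '
           "WHERE Username='" + selecteduser + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, selecteduser):
    # The statement text is fixed; the input is bound as a value and is
    # only ever compared with the Username column.
    sql = 'SELECT Username, "Key" FROM "Key" WHERE Username=?'
    return db.execute(sql, (selecteduser,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "nobody' OR '1'='1"   # constructed input that rewrites the WHERE clause
    for fn in (lookup_concatenated, lookup_parameterized):
        print(fn.__name__, "smith ->", fn(db, "smith"))
        print(fn.__name__, "hostile ->", fn(db, hostile))
```

With the concatenated query the constructed input matches every row; with the bound parameter it matches none, because no Username equals that literal string.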

XSRF

<form name=BillPayForm
action=http://bank.com/BillPay.php>
<input name=recipient value=badguy>
...
<script>
document.BillPayForm.submit();
</script>

cross-site scripting
– user trusts a badly implemented website
– attacker injects a script into the trusted website
– User’s browser executes attacker’s script

cross-site request forgery
– a badly implemented website trusts the user
– Attacker tricks user’s browser into issuing request
– website executes attacker’s requests

Structured Query Language(SQL)
widely used database query language
retrieve a set of records, e.g.,
SELECT * FROM Person WHERE Username='Lee'

Web Security

Web and security vulnerabilities
cross site scripting
cross site request forgery
SQL injection

How the web works
Browser client -> url request -> server machine -> files, resources:php, servlets, jsp, script…

Cookies
Used to store state on user’s machine
if expires= NULL; this session only
GET.. cookie: name = value e.g., sessionToken = abc123

Web page contains both static and dynamic contents, e.g., JavaScript
– sent from a web site(s)
– Run on the user’s browser/machine

Web sites run applications(e.g., PHP) to generate response/page
– according to requests from a user/browser
– often communicate with back-end servers

Cross-Site Scripting(XSS)
if a website allows users to input content without controls, the attackers can insert malicious code as well
– social networking site, blogs, forums, wikis
– suppose a website echoes user-supplied data
e.g., his name, back to user on the html page

Suppose the browser sends to the site <script type="text/javascript">alert("Helloworld")</script> as his “name”

A browser runs a script from a “good” site and a malicious script from a “bad” site
Malicious script can make forged requests to “good” site with user’s cookie

Basic Idea
establish session, send forged request, visit server, receive malicious page

Data Execution Prevention

Stack and Heap are not executable
W^X policy enforced on code pages
Prevents code-injection attacks

Passcodes and Touch ID
– touch ID provides convenience
– passcode enables data protection
– Maximum failed attempts
– Progressive passcode timeout

Android Security Overview
Applications, Application Framework, Libraries, Android Runtime, Linux Kernel

Each application runs with its UID in its own Dalvik virtual machine
– provides CPU protection, memory protection
Applications announce permission requirements
– creates a whitelist model: user grants access
ask user at install time
– Inter-component communication reference monitor checks permissions

Android
App announces permission requirement
Installation-time approval
App may have more powerful permissions

Code Signing
All apps self-signed by developers
Code signing is used for
facilitating application upgrades
code/data sharing between applications
lets apps run in the same process

Restricted App Distribution Model

Third party app -> Guidelines -> App Store -> End users
Third-party apps have to be reviewed by Apple. The apps that passed the review are signed by Apple
iOS devices are only allowed to download apps through the App store

Sandboxing
App -> MyApp.app, Documents, Library, tmp
Each app has a unique home directory for its files
Apps are restricted from accessing files stored by other apps or from making changes to the device

Address Space Layout Randomization
stack, heap, main executable, and dynamic libraries
Lib A, Lib B, Lib C: Memory Layout

Data Execution Prevention
Stack <- execute, Code <- write

Wireless and Mobile Security

WIFI security
iOS security
Android security

Introduction to WiFi
– no inherent physical protection
– Broadcast communications

Early solution was based on WEP
seriously flawed
not recommended to use
New security standard for WiFi is 802.11i, implemented as WiFi Protected Access II(WPA2)

Overview of 802.11i
Main advantages over WEP
access control model is based on 802.1X
flexible authentication framework(based on EAP – Extensible Authentication Protocol)
– Carrier protocol designed to transport the messages of real authentication protocols (e.g., TLS – Transport Layer Security)

authentication process results in a shared session key
different functions(encryption, integrity) use different keys derived from the session key using a one-way function
integrity protection is improved
encryption function is improved

Overview of iOS security
Software
Hardware and Firmware (crypto engine, device key, group key, Apple root certificate)

Data protection class, app sandbox, user partition, os partition, encrypted file system, kernel, Hardware and firmware

Each iOS device has a dedicated AES-256 crypto engine
Manufacture keys
Apple provides the Device ID (UID) and the device group ID (GID) as AES 256-bit keys
while the UID is unique to each device, the GID represents a processor class (e.g., Apple A5 processor)
The UID and GID keys are directly burned into the silicon and can only be accessed by the Crypto Engine

iOS Trusted Bootchain
Bootrom -> LLB -> iBoot -> Kernel

File Data Encryption
Hardware key -> file system key
passcode key -> class key -> file metadata -> file content

Every file is encrypted with a unique file key, that is generated when the file is created
The file key is wrapped with a class key and stored in the file’s metadata
The metadata is encrypted with the File System Key
The Class key is protected by the Device UID and (if configured for some files) the User passcode

Mandatory Code Signing
All executable code has to be signed by a trusted party
– Apps from App Store are signed by Apple
– No dynamic code generation or self-modifying

code signing check
– enforced by kernel, handled by a user-space daemon
– mandatory code signing

Create IKE SA

Negotiate protection suite, crypto algorithms
Establish shared secret
e.g., use Diffie-Hellman
Authenticate the shared secret, IKE SA
e.g., using pre-shared secret key, public-key encryption or digital signatures

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
– one of the most widely used security services
– general-purpose service implemented as a set of protocols that rely on TCP
– subsequently became internet standard: Transport Layer Security

IPSec and TLS

IPSec and the Internet key exchange protocol
Transport layer security protocol

IP spoofing is a common technique in cyber attacks
– bots spoof the IP address of a victim web site
– then send DNS queries to DNS servers
– the DNS servers respond, sending large amounts of data to the victim
– Result: a denial-of-service attack

Goals of IPSec
– Verify sources of IP packets
Provide authentication that is lacking in IPv4
protect integrity and/or confidentiality of packets
prevent replaying of old packets
provide security automatically for upper layer protocols and applications

IPSec Modes
transport mode
gateway <-> gateway

New IP Header -> AH or ESP Header -> Orig IP Header -> TCP -> Data

ESP(Encapsulating security payload) <-> AH(Authentication Header)

Encapsulated Security Payload(ESP)
– encrypt and authenticate each packet
– encryption is applied to packet payload
– authentication is applied to data in the IPSec header as well as the data contained as payload, after encryption is applied

ESP in Transport Mode
orig IP Hdr -> TCP Hdr -> Data

Authentication is applied to the entire packet, with the mutable fields in the IP header “zeroed out”

If both ESP and AH are applied to a packet, AH follows ESP

Internet Key Exchange
Exchange and negotiate security policies

Establish parameters
security associations
Key exchange

One-way relationship between a sender and a receiver, defined by IPSec parameters
one SA for inbound traffic, another SA for outbound
Security Association Database(SADB)
Security Parameter Index(SPI)
Security Policy Database(SPD)

Anti-Replay
sequence number checking
anti-replay is used only if authentication is selected
window should not be advanced until the packet has been authenticated
Duplicates are rejected!
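
An added example of the anti-replay rules above (not code from the original notes or from any IPSec implementation): a sliding-window receiver that checks the sequence number, authenticates the packet, and only then advances the window. The 64-packet window, the HMAC-SHA256 integrity check and the names ReplayWindow, icv and receive are assumptions chosen for illustration.

```python
import hashlib
import hmac

class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (illustrative)."""

    def __init__(self, auth_key, size=64):
        self.auth_key = auth_key
        self.size = size
        self.top = 0      # highest sequence number authenticated so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was accepted

    def icv(self, seq, payload):
        # Integrity check value over sequence number and payload
        msg = seq.to_bytes(4, "big") + payload
        return hmac.new(self.auth_key, msg, hashlib.sha256).digest()

    def receive(self, seq, payload, icv):
        # 1. Sequence number check against the current window (no state change)
        if seq == 0:
            return "reject: invalid sequence number"
        if seq <= self.top:
            offset = self.top - seq
            if offset >= self.size:
                return "reject: older than window"
            if (self.bitmap >> offset) & 1:
                return "reject: duplicate"
        # 2. Authenticate before touching the window
        if not hmac.compare_digest(icv, self.icv(seq, payload)):
            return "reject: authentication failed"
        # 3. Only now mark the packet as seen and, if newer, advance the window
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"

if __name__ == "__main__":
    rx = ReplayWindow(b"constructed-demo-key")
    good = rx.icv(1, b"hello")
    print(rx.receive(1, b"hello", good))            # first delivery
    print(rx.receive(1, b"hello", good))            # replayed copy
    print(rx.receive(900, b"junk", b"\x00" * 32))   # forged packet with a high sequence number
    print(rx.top)                                   # window position after the forged packet
```

If the window were advanced before authentication, a single forged packet with a large sequence number would push every legitimate in-flight packet out of the window.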