DNS Thread

White: complete trust in this IP address
Black: No trust in this IP address
Grey: This IP address is not directly involved in spamming but is associated with spam-like behaviors
Yellow: This IP address is known to produce spam and non-spam email
NoBL: This IP address does not send spam, and should not be blacklisted. But it is not fully trustworthy.

Spam IP addresses are blacklisted.
New IP addresses are trusted under the static blacklist model.
Static Blacklist Model: innocent until proven guilty

Need a dynamic, comprehensive reputation system that outputs reputation scores for domains
Extract temporal and statistical features from DNS traffic; compute/learn models from them

Kopis: passive monitoring in the upper levels of the DNS hierarchy; Internet-wide visibility

Toy hash: h(w) = (length of word w) mod 5
Given H(m), there is no easy way to find m
-> one-way function

Hash pointer contains:
-pointer to where some info is stored
-(cryptographic) hash of the info

Hash pointer = [ hash of the data | pointer to the data ]
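Added example (not part of the original notes): a linked list of hash pointers built with SHA-256, where verifying the chain walks the pointers and recomputes each hash; changing any earlier node's data breaks a stored hash, which is the tamper-evidence property the notes describe.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Node:
    data: bytes
    prev: Optional["Node"]        # pointer half of the hash pointer
    prev_hash: Optional[bytes]    # hash half: H(contents of the node pointed to)


def node_hash(n: Node) -> bytes:
    """Hash a node's contents, including its own hash pointer to the previous node."""
    h = hashlib.sha256()
    h.update(n.data)
    h.update(n.prev_hash or b"")
    return h.digest()


def build_chain(items: Iterable[bytes]) -> Node:
    """Append each item as a new head whose hash pointer covers the old head."""
    head = None
    for d in items:
        head = Node(d, head, node_hash(head) if head else None)
    return head


def verify(head: Node) -> bool:
    """Walk back from the head; every stored hash must equal the recomputed
    hash of the node it points to, otherwise some data was altered."""
    n = head
    while n.prev is not None:
        if node_hash(n.prev) != n.prev_hash:
            return False
        n = n.prev
    return True


def demo() -> tuple:
    # constructed sample data
    head = build_chain([b"genesis", b"tx: alice->bob 5", b"tx: bob->carol 2"])
    ok_before = verify(head)
    head.prev.prev.data = b"tx: alice->bob 500"   # tamper with the oldest entry
    return ok_before, verify(head)
```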

Botnet Detection

A Bot is often called a zombie because it is a compromised computer controlled by malware without the consent and knowledge of the user.

A Botnet is a network of bots controlled by a Bot Master

It is a key platform for fraud and other for-profit exploits.

Traditional tools: anti-virus, IDS/IPS, honeypots

Bots are stealthy on the infected machines
Bot infection is usually a multi-faceted and multi-phased process
Bots are dynamically evolving
Botnets can have very flexible designs of C&C channels

Recursive DNS Monitoring at ISP
Analyze DNS traffic from internal hosts to a recursive DNS server of the network

HTTPS

Client sends password -> encrypted on the wire (e.g. “Xu587Fyis)”) -> server receives password

-creates a secure channel over an insecure network
-is reasonable protection against man-in-the-middle attacks
-can still provide security even when only one side of the communication is secure

Crypto slows down the web server
Some ad networks do not support HTTPS
– reduced revenue for publishers

Protected by HTTPS: request URL, query parameters, headers, cookies

SSL/TLS
You need to buy an SSL certificate
Mixed content issue: loading insecure content on a secure site
Proxy caching problems: public caching cannot occur

Upgrade from HTTP to HTTPS
forged certs

mobile device
– smart phone held by person, self driving car, robot

Session Management

A sequence of requests and responses from one browser to one site
– a session can be long or short
– without session management, users would constantly have to re-authenticate

Storing session tokens
-browser cookie, embed in URL, hidden form field

Content Security Policy

Prevent and limit damage of XSS
->
XSS attacks bypass the same origin policy by tricking a site into delivering malicious code along with intended content

Approach: restrict resource loading to a white-list of sources, per directive:
script-src, connect-src, font-src, frame-src, img-src, media-src, object-src, style-src, default-src

CSP still allows third-party widgets (e.g. the Google +1 button) to be embedded on your site, if their origins are white-listed
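Added example (not from the original notes): a simplified evaluator for the white-list approach above. It parses a CSP header into directives and decides whether a load is allowed, showing that a fetch directive falls back to default-src when absent. The policy string and URLs are constructed; path matching, wildcard hosts and scheme-only sources are deliberately left out.

```python
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """'script-src 'self' https://apis.google.com; img-src *' -> {directive: [sources]}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def allows(policy: dict, directive: str, page_url: str, resource_url: str) -> bool:
    """Fetch directives (script-src, img-src, ...) fall back to default-src.
    No applicable directive at all means the load is unrestricted."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    res_origin = origin_of(resource_url)
    for src in sources:
        s = src.lower()
        if s == "'none'":           # simplified: treat as blocking regardless of position
            return False
        if s == "*":
            return True
        if s == "'self'":
            if res_origin == origin_of(page_url):
                return True
            continue
        if s.startswith("'"):       # other keywords ('unsafe-inline', nonces) never match a URL
            continue
        if "://" in s and res_origin == s.rstrip("/"):   # explicit origin in the white-list
            return True
    return False


# constructed policy: scripts only from self and apis.google.com, images from anywhere,
# everything else (frames, fonts, ...) falls back to 'self'
POLICY = parse_csp("default-src 'self'; script-src 'self' https://apis.google.com; img-src *")
PAGE = "https://example.com/index.html"
```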

Cross-Origin Resource Sharing (CORS)
-A technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume content from a different origin.
-The server can inspect the Origin request header and respond with an Access-Control-Allow-Origin header

Definition of an origin
A combination of URI (Uniform Resource Identifier) scheme, hostname, and port number.
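Added example covering both the origin definition and the CORS server check above (not code from the original notes): origins are compared as (scheme, host, port) tuples with default ports filled in, and a server-side helper echoes the request's Origin header only when it is on a constructed allow-list, so an unlisted or "null" origin gets no Access-Control-Allow-Origin header and the browser blocks the cross-origin read.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url: str):
    """An origin is (scheme, host, port). The default port is filled in so that
    https://a.example and https://a.example:443 compare equal."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or u.hostname is None:
        return None   # e.g. the opaque 'null' origin or an unsupported scheme
    return (u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme])


def same_origin(a: str, b: str) -> bool:
    oa = origin_tuple(a)
    return oa is not None and oa == origin_tuple(b)


# constructed allow-list of origins permitted to read this API cross-origin
ALLOWED_ORIGINS = ("https://app.example.com", "https://admin.example.com")


def cors_headers(request_headers: dict, allowed=ALLOWED_ORIGINS) -> dict:
    """Server side of CORS: return the response headers to add.
    Only an allow-listed Origin is echoed back; reflecting arbitrary origins
    would re-open the same-origin policy for every site on the web."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}                      # same-origin or non-browser request
    norm = origin_tuple(origin)
    if norm is None:
        return {}
    for allowed_origin in allowed:
        if norm == origin_tuple(allowed_origin):
            # Vary: Origin keeps caches from serving this response to other origins
            return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}                          # no header -> browser blocks the cross-origin read
```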

Same origin policy for DOM.

Cryptographic Checksums (cookie integrity)
generate tag: T = MAC_sign(k, SID || name || value)
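Added example (not from the original notes) for the session-token storage and cryptographic checksum passages: an HMAC-SHA256 tag over SID || name || value is appended to the cookie value, and reading the cookie recomputes the tag and compares it in constant time; a tag copied to another session or a modified value is rejected. The key is a constructed demo key; the fields are length-prefixed so that the concatenation cannot be re-split ambiguously.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # constructed demo key; a server would keep this secret


def mac_sign(key: bytes, sid: str, name: str, value: str) -> str:
    """T = MAC_sign(k, SID || name || value), with each field length-prefixed so that
    ('ab','c') and ('a','bc') do not produce the same byte string."""
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (sid.encode(), name.encode(), value.encode()))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_cookie(key: bytes, sid: str, name: str, value: str) -> str:
    """Cookie body stored in the browser: value|tag."""
    return f"{value}|{mac_sign(key, sid, name, value)}"


def read_cookie(key: bytes, sid: str, name: str, cookie: str):
    """Return the value if the tag verifies for this session and cookie name, else None."""
    value, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = mac_sign(key, sid, name, value)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return value
```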

Web Threat Model

Malware Attacker:
Attacker escapes browser isolation mechanisms and runs separately under control of the OS
Browsers may contain exploitable bugs
– these often enable remote code execution by a web site
Even if browsers were bug-free, there are still lots of vulnerabilities on the web:
XSS, SQLi, CSRF, …

Web Threat Models
Malware Attacker, Network Attacker, Web Attacker

Basic Execution Model (browser)
1. Loads content
2. Renders
Processes HTML and scripts to display the page. May involve images, subframes, etc.
3. Responds to events

Frame Security
Windows may contain frames from different sources
Frame: rigid division as part of a frameset
iframe: floating inline frame


readCookie, writeCookie

Browsing Context
-A frame with its DOM
-A web worker, which does not have a DOM

Modern structuring mechanisms
-HTML5 iframe sandbox
-Content Security Policy
-Cross-Origin Resource Sharing
-HTML5 web workers
-Subresource Integrity


DNS: Domain Name System

DNS: Hierarchical Name Space

root
  -> org, net, edu, com, uk, ca
       -> (under edu) wisc, ucb, gt, cmu, mit

Client -> local DNS resolver -> root and edu DNS servers -> gatech.edu DNS server -> cc.gatech.edu DNS server

DNS record types (partial list)
NS: name server
A: address record
MX: mail exchanger, the host in charge of handling email for the domain

DNS responses are cached
DNS negative queries are cached
Cached data periodically times out

Users/hosts trust the host-address mapping provided by DNS

DNS Packet
IP header, UDP header, DNS data
Query ID: 16-bit random value (a response is matched to its query by this ID)
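Added example (not from the original notes) of the resolver-side check the query ID exists for: a query is issued with an unpredictable 16-bit ID and source port, and an incoming response is accepted only if it arrived on that port and its ID and question section match the outstanding query. The packet builder and parser handle just the header plus the question section; no sockets are used and the messages are constructed.

```python
import secrets
import struct


def new_query(qname: str, qtype: int = 1) -> dict:
    """Record what the resolver sent: random 16-bit ID and random ephemeral source port."""
    return {"id": secrets.randbelow(1 << 16), "sport": 1024 + secrets.randbelow(64512),
            "qname": qname.lower(), "qtype": qtype}


def build_response(ident: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed minimal DNS response: 12-byte header + question, no answer records."""
    q = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x8180, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)


def parse_response(pkt: bytes):
    """Parse the header and the first question (uncompressed labels only)."""
    if len(pkt) < 12:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    pos, labels = 12, []
    while pos < len(pkt):
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    if pos + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "qname": ".".join(labels).lower(), "qtype": qtype}


def accept_response(pending: dict, dst_port: int, pkt: bytes) -> bool:
    """Accept only if port, ID and question all match the outstanding query;
    the ID alone is just 16 bits, so the port and question add to what a forger must guess."""
    r = parse_response(pkt)
    return (r is not None and r["is_response"] and dst_port == pending["sport"]
            and r["id"] == pending["id"] and r["qname"] == pending["qname"]
            and r["qtype"] == pending["qtype"])
```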

Security of Internet Protocols

Internet infrastructure
– local and inter-domain routing
– TCP/IP for routing and messaging
– BGP for routing announcements

Domain name system
finds the IP address for a symbolic name
(e.g. www.cc.gatech.edu)

Internet backbone providers: AT&T, CenturyLink, KPN International, NTT Communications, Sprint, Telecom Italia Sparkle, Telia Carrier, Zayo Group, Cogent Communications, Deutsche Telekom AG, Level 3 Communications, Orange, Tata Communications, Telefonica Global Solutions, Verizon Enterprise Solutions

IP provides only best-effort delivery; delivery is not guaranteed
Due to the connectionless nature of IP, data corruption, packet loss, duplication, and out-of-order delivery can occur.

IP Authentication (there is none: the source address is not verified)
– easy to forge using raw sockets
– Libnet: a library for formatting raw packets with arbitrary IP headers

Transmission Control Protocol
Connection-oriented, preserves order
Acknowledges receipt; lost packets are resent

Random Initial Sequence Numbers
TCP three-way handshake: SYN -> SYN/ACK -> ACK, then the command/data is sent

Address Resolution Protocol (ARP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP)

Penetration Testing

Methodology

Footprinting: whois, nslookup
Scanning: nmap, fping
Enumeration: DumpACL, showmount, legion, rpcinfo
Gaining access: tcpdump, L0phtCrack, NAT
Escalating privilege: John the Ripper, getadmin
Pilfering: .rhosts, user data, config files, registry
Covering tracks: zap, rootkits
Creating back doors: cron, at, startup folder, netcat, keystroke logger, remote desktop

Targets of cyber attacks
defense contractors, restaurants, software companies

Structure of the underground

Botnets are used for:
credit card and bank account theft, DDoS and ransomware extortion, click fraud and ad injection, spam, bitcoin mining
Supporting roles and vectors: carders and cashiers, phishing, counterfeit goods, malware attachments

Deep web (96% of WWW content): not indexed by standard search engines
Dark web: web content that exists on darknets
Surface web (4% of WWW content): readily available to the public and searchable with standard search engines

Test to evaluate
-strengths of all security controls