Computer Security Fundamentals PDF

Summary

This document provides a basic overview of computer security fundamentals, including confidentiality, integrity, and availability, along with examples of how these concepts are applied in real-world scenarios. It covers topics like encryption, hashing, and authentication.

Full Transcript

Computer security

Security fundamentals
Certainly! Here’s a deeper dive into each computer security topic, along with
examples to help illustrate their importance and applications:

1. Confidentiality

- **Description**: Confidentiality ensures that sensitive information is
accessible only to those who have the authorization to access it. It prevents
unauthorized parties from reading or seeing sensitive data.

- **Example**: Encryption is a common method to achieve confidentiality.
When you send a private message over an app, encryption scrambles your
message so only the intended recipient (who has the decryption key) can read
it.
- **Real-world Example**: Online banking systems use SSL/TLS encryption to
protect your login credentials and financial data as it travels over the internet,
ensuring it can’t be intercepted and read by unauthorized individuals.

2. Integrity

- **Description**: Integrity means that data remains accurate and unaltered
unless changed by an authorized entity in an authorized way. It prevents
unauthorized users from tampering with or corrupting data.

- **Example**: Hash functions help check data integrity. A hash function
converts data into a fixed-size hash (a kind of “fingerprint”). If the data
changes, even by one bit, the hash will change, signaling potential tampering.

- **Real-world Example**: When downloading software, you often see a
checksum (a hash value). After downloading, you can run the hash on the file. If
the result matches the original checksum, the file wasn’t corrupted or altered
during download.

3. Availability

- **Description**: Availability ensures that information, resources, or services
are accessible to authorized users whenever needed. It’s essential for services
that require continuous operation, such as healthcare or finance systems.

- **Example**: To maintain availability, systems implement redundancy (e.g.,
multiple servers) and backups, protecting against potential service
interruptions.
 - **Real-world Example**: An online retailer, like Amazon, ensures high
availability by having multiple data centers across the globe. If one data
center experiences issues, the traffic can be redirected to others, so customers
can still shop.

4. Authentication

- **Description**: Authentication verifies that a user or system is who it claims
to be. It’s the process of proving identity, often through credentials like
passwords or biometric data.

- **Example**: Multi-factor authentication (MFA) adds layers to authentication.
You might log in with a password, then confirm your identity with a code sent
to your phone.

- **Real-world Example**: Logging into a secure website often requires both a
password (something you know) and a code sent to your mobile device
(something you have), which provides a higher level of security.

5. Authorization

- **Description**: Authorization defines what an authenticated user is allowed
to do within a system. It controls access levels and permissions for various
resources.

- **Example**: In a company’s file-sharing system, an employee may have
access to certain project files but not HR files, depending on their role.

- **Real-world Example**: When a customer logs into their bank account,
they’re authorized to view their own account details but not other customers’
accounts. Authorization policies enforce this restriction.

6. Accounting (Auditing)

- **Description**: Accounting, or auditing, tracks what actions users take
within a system. Logs record activities like logins, file access, or changes to
data, which is useful for monitoring and forensic analysis.

- **Example**: A web application keeps logs of who logs in, what they
accessed, and any changes they made, providing a trail if suspicious activity
needs investigation.

- **Real-world Example**: If a data breach occurs, the company can review
logs to see if there were any unauthorized logins or data changes, helping to
trace the breach.
7. Symmetric Encryption

- **Description**: Symmetric encryption uses a single key to both encrypt and
decrypt data. It’s fast and efficient but requires secure sharing of the key
between the sender and receiver.

- **Example**: AES (Advanced Encryption Standard) is a widely used
symmetric encryption algorithm.

- **Real-world Example**: A company might use symmetric encryption to
encrypt files shared internally, as all employees have a shared key to decrypt
them.

1. Symmetric Encryption
Scenario: Secure communication between two parties (e.g., encrypting files).

Process:

1. Key Sharing: Both parties agree on a secret key in advance (e.g.,
using a secure channel).

2. Encryption: The sender encrypts data using the shared key.

3. Transmission: The encrypted data is sent to the receiver.

4. Decryption: The receiver decrypts the data using the same shared
key.

Challenge: Securely sharing the key without it being intercepted.
Example:
Alice wants to send Bob a file. Both use a pre-shared key to encrypt and decrypt
the file.

8. **Asymmetric Encryption

- **Description**: Asymmetric encryption uses two keys: a public key for
encryption and a private key for decryption. It’s used for secure
communication and digital signatures.

- **Example**: When you send an email encrypted with the recipient’s public
key, only they can decrypt it with their private key.

- **Real-world Example**: Websites use asymmetric encryption with SSL/TLS
certificates. The server has a public key that anyone can use to encrypt data,
but only the server’s private key can decrypt it, securing communication.

2. Asymmetric Encryption
Scenario: Secure communication with no prior key exchange (e.g., sending
sensitive data over the internet).
 Process:

1. Key Generation: Each party generates a key pair (public and private).

2. Public Key Sharing: The sender uses the receiver’s public key to
encrypt the data.

3. Encryption: Only the receiver can decrypt the data with their private
key.

4. Decryption: The receiver uses their private key to retrieve the original
data.

Strength: No need to pre-share keys; public keys can be shared openly.
Example:
Alice wants to send Bob a secure message:

Alice encrypts the message with Bob’s public key.

Bob decrypts it using his private key.

PGP (Pretty Good Privacy)
PGP is an encryption protocol used for securing digital communications and data.
It combines features of both symmetric and asymmetric encryption to provide
confidentiality, authentication, and data integrity.

How PGP Works in Practice

1. Key Pair Generation

Each user generates a public and private key pair.

The public key is shared with others, while the private key is kept
secret.

2. Encrypting a Message

The sender encrypts the message using the recipient’s public key
(asymmetric encryption).

A symmetric key is generated for encrypting the actual message, and
this symmetric key is encrypted with the recipient’s public key.

3. Decrypting a Message

The recipient uses their private key to decrypt the symmetric key.

The symmetric key is then used to decrypt the message.

4. Digital Signatures

To ensure authenticity, the sender can sign the message using their
private key.

The recipient verifies the signature using the sender’s public key,
confirming the sender’s identity and ensuring the message hasn’t been
tampered with.
9. **Hash Functions

- **Description**: A hash function is a one-way function that converts data
into a fixed-length “hash.” Hashes are used to verify data integrity, as any
change in the data results in a different hash.

- **Example**: The SHA-256 algorithm is a popular hash function.

- **Real-world Example**: Passwords are often stored as hashes rather than
plaintext. When you log in, the system hashes the entered password and
compares it to the stored hash to verify your identity without ever storing the
actual password.

10. **Digital Certificates and Certificate Authorities (CAs)

- **Description**: Digital certificates are used to verify identities in secure
communications. A Certificate Authority (CA) is a trusted third party that issues
these certificates.

- **Example**: Websites with HTTPS use SSL certificates issued by CAs to
prove their identity to users, ensuring the site is legitimate.

- **Real-world Example**: When visiting a bank’s website, the browser checks
the site’s SSL certificate, issued by a CA like DigiCert, to confirm you’re visiting
the legitimate site, not a phishing site.

These examples provide a real-world perspective on each concept, helping to
show how these security principles are applied across digital platforms to
protect data and maintain secure interactions. Let me know if you need more
specifics on any of these topics!

Network Security

Information Gathering tools:

### **1. Network Sniffers**

- **Purpose**: These tools capture and analyze network traffic to monitor the
data transmitted over a network.

- **Common Use Cases**:
 - Debugging network issues.

- Monitoring traffic to detect unauthorized activities or data leaks.

- Understanding network protocols in action.

- **How They Work**:

- Sniffers capture "packets" of data transmitted over a network.

- They analyze the contents of packets, such as source/destination IP
addresses, protocols used, and the payload.

- **Popular Tools**:

- **Wireshark**: A widely-used protocol analyzer that provides a graphical
interface for analyzing captured traffic.

- **tcpdump**: A command-line tool for capturing and analyzing packets on
Unix-like systems.

- **Example Application**: Identifying unencrypted sensitive data transmitted
over the network.

---
### **2. Port Mappers**

- **Purpose**: Identify open ports on devices in a network to discover services
running and assess vulnerabilities.

- **Common Use Cases**:

- Scanning for exposed services (e.g., HTTP, FTP).

- Determining which devices are active in a network.

- Aiding penetration testers in mapping attack surfaces.

- **How They Work**:

- Send probes to a range of ports on a target device.

- Analyze the responses to identify open ports and associated services.

- **Popular Tools**:

- **Nmap**: A robust tool that performs port scanning, OS fingerprinting, and
service version detection.

- **Zenmap**: A GUI for Nmap, providing a user-friendly interface.

- **Example Application**: Discovering vulnerable services such as an outdated
FTP server running on a specific port.

---
### **3. Spoofers**

- **Purpose**: Manipulate network traffic by impersonating devices or
identities, often used in penetration testing or attacks.

- **Common Types**:

- **ARP Spoofers**: Fake ARP (Address Resolution Protocol) messages to reroute
traffic through an attacker’s device (e.g., for Man-in-the-Middle attacks).

- **IP Spoofers**: Send packets with forged IP addresses to hide the attacker's
identity or bypass network restrictions.

- **How They Work**:

- Exploit protocols that lack authentication, such as ARP.

- Intercept or redirect traffic by pretending to be a legitimate network
participant.

- **Popular Tools**:

- **Ettercap**: A suite for ARP spoofing and packet manipulation.

- **arpspoof**: A lightweight ARP spoofing tool.

- **Example Application**: Redirecting network traffic to capture sensitive data
during a penetration test.

If a network is uing a switch the Network Snifers are less useful. In order to
gather more information you can use two methods to sniff more efficiently:

MAC flooding

MAC flooding is a network attack that targets the CAM (Content Addressable
Memory) table of a network switch. The CAM table maps MAC addresses to
specific switch ports, enabling the switch to efficiently forward network traffic.
MAC flooding aims to overwhelm this table by sending a large number of fake
MAC addresses, causing the switch to enter "fail-open" mode and act like a
hub. This behavior allows attackers to eavesdrop on network traffic.

How MAC Flooding Works
 1. Switch Normal Operation:
○ A switch uses its CAM table to forward packets to the correct
destination based on their MAC addresses.
○ The CAM table has a finite size, storing entries for known MAC
addresses and their associated switch ports.
2. Flooding the CAM Table:
○ The attacker sends a high volume of packets with randomly
generated, spoofed MAC addresses.
○ The CAM table fills up quickly with these fake entries, reaching its
capacity.
3. Fail-Open Mode:
○ Once the CAM table is full, the switch can no longer map packets
to specific ports.
○ It defaults to broadcasting all incoming packets to every port,
mimicking a hub's behavior.
4. Traffic Sniffing:
○ The attacker connects a network sniffer (e.g., Wireshark) to their
switch port.
○ They can now capture all traffic broadcast across the network,
potentially including sensitive data.

ARP Spoofing

ARP (Address Resolution Protocol) Spoofing is a network attack where an
attacker sends fake ARP messages to trick devices on a local network into
associating the attacker’s MAC address with the IP address of a legitimate
device. This allows the attacker to intercept, modify, or disrupt network traffic.

How ARP Spoofing Works
1. Fake ARP Replies:
○ The attacker sends ARP responses to devices on the network,
claiming that their MAC address corresponds to the IP of a
legitimate device (e.g., the gateway or a server).
○ Since ARP has no authentication mechanism, devices accept
these false mappings and update their ARP cache.
2. Traffic Redirection:
○ Victim devices unknowingly send their traffic to the attacker
instead of the legitimate destination.
○ The attacker can now intercept, modify, or block the traffic.
3. Man-in-the-Middle (MitM) Attack:
○ By positioning themselves between two communicating devices,
the attacker can:
Eavesdrop on sensitive information.
Alter data in transit (e.g., injecting malicious content).
Disrupt communication (e.g., dropping packets).
### **4. SQL Explorers**

- **Purpose**: Interact with SQL databases to retrieve or manipulate data. In
security, often used to identify SQL injection vulnerabilities.

- **Common Use Cases**:

- Discovering database schema and structures.

- Extracting sensitive data via SQL injection.

- Testing databases for misconfigurations or weak permissions.

- **How They Work**:

- Execute SQL queries to interact with the database.

- Exploit improperly sanitized input fields to perform unauthorized actions.

- **Popular Tools**:

- **sqlmap**: An automated SQL injection tool for database exploitation.

- **SQL Ninja**: Targets Microsoft SQL Server for injection attacks.

- **Example Application**: Identifying and exploiting a vulnerable web form that
directly queries a database.

User Information Retrieval Password Recovery tools
John the Ripper is an open-source password-cracking tool widely used for
security testing and recovering lost passwords. It is designed to identify weak
passwords by attempting to crack hashed password files. Its versatility and
efficiency make it a popular tool among security professionals and ethical
hackers.

How John the Ripper Works
1. Input Files:
○ Accepts hashed password files as input (e.g., Unix/Linux password
files: /etc/shadow).
○ Requires access to both the password (passwd) and shadow files in
Unix/Linux systems for cracking.
/etc/passwd: Contains usernames and user IDs (publicly
readable).
 /etc/shadow: Stores hashed passwords (accessible only to
privileged users).
2. Cracking Methods:
○ Uses various algorithms to generate potential passwords and
compare them to the hashed passwords.
○ Can target a wide range of hashing algorithms (e.g., MD5,
SHA-256, bcrypt).
3. Modes of Operation:
○ Wordlist Mode: Tests potential passwords from a pre-defined
wordlist.
○ Single-Crack Mode: Uses information about the user (e.g.,
username) to create password guesses with mangling rules.
○ Incremental Mode: Performs a brute-force attack by testing every
possible combination of characters.
○ External Mode: Custom mode that allows users to write their
cracking rules in code.
4. Output:
○ Displays cracked passwords in plaintext alongside their
corresponding usernames or accounts.

System Security Vulnerabilities Vulnerability Scanners
Fuzzing Tools

System security vulnerabilities are weaknesses or flaws in software, hardware,
or network configurations that attackers can exploit to compromise a system.
These vulnerabilities may arise from insecure coding, outdated software,
misconfigurations, or inadequate security policies.

Automated tools designed to detect security vulnerabilities in systems,
applications, and networks.

How They Work:

Scanning: The tool probes systems for known vulnerabilities, such as
open ports, outdated software, or weak configurations.
Databases: They use extensive vulnerability databases like CVE
(Common Vulnerabilities and Exposures) to identify threats.
Reporting: Results are displayed as detailed reports categorizing
vulnerabilities by severity.

Fuzzing Tools
Definition:
Fuzzing tools test applications by feeding them malformed, unexpected, or
random inputs to uncover security vulnerabilities like crashes, memory leaks,
or unhandled exceptions.

Purpose:

Detects flaws in how software handles unexpected inputs.
Identify potential exploits such as buffer overflows or improper input
validation.

How They Work:

1. Input Generation: The tool creates random or malformed inputs to
simulate real-world attacks.
2. Execution: These inputs are sent to the application or system under test.
3. Observation: The tool monitors for abnormal behavior, such as crashes,
errors, or memory corruption.
4. Reporting: Issues are logged for further analysis.

Common Fuzzing Tools:

AFL (American Fuzzy Lop): Highly efficient fuzzing tool for applications.
Peach Fuzzer: Designed for testing complex software and protocols.
zzuf: Focuses on generating corrupted files for testing software
robustness.

Use Case Example:

A security team uses AFL to test a custom web application. The fuzzer
identifies a buffer overflow vulnerability caused by improper handling of
long input strings, which could allow an attacker to execute arbitrary
code.

Firewalls and attacks
Various network vulnerabilities and attacks that necessitate firewall protection:

Eavesdropping on network segments
Denial of Service (DoS) attacks using SYN flooding
Session hijacking (both client and server-side)
DNS cache poisoning and pharming attacks
IP fragmentation attacks

1. Eavesdropping on Network Segments
This is a passive attack where an attacker monitors network traffic
without modifying it
 Example from the slides: In a Telnet connection, an attacker can:
○ Position themselves between the client and server
○ Listen to all traffic passing through
○ Capture sensitive information like passwords since Telnet sends
data in plaintext
This is particularly dangerous on unsecured networks (like public WiFi)

2. Denial of Service (DoS) using SYN Flooding
Exploits the TCP three-way handshake process:
○ Client sends SYN packet
○ Server responds with SYN-ACK
○ Client should respond with ACK to complete connection
In a SYN flood attack:
○ Attacker sends many SYN packets but never completes the
handshake
○ Each incomplete connection stays in server's SYN buffer for ~4
minutes
○ Server's SYN buffer fills up
○ Legitimate users can't establish new connections
○ Server becomes unavailable for normal service
 3. Session Hijacking There are two types:

Client-side Hijacking:

Attacker targets an established session (e.g., admin using Telnet)
Attacker intercepts and takes over the legitimate client's session
Can then impersonate the original client to the server
Server-side Hijacking:

Attacker spoofs (fakes) IP addresses
Targets services that use unauthenticated messages
Example in slides shows NFS (Network File System) being targeted
Attacker can send counterfeit requests appearing to come from
legitimate clients

4. DNS Cache Poisoning and Pharming Attacks
This attack exploits vulnerabilities in DNS (Domain Name System):
Normal DNS Process:
○ Client asks DNS server to translate domain name to IP address
○ DNS server caches responses to improve performance
In Cache Poisoning:
○ Attacker intercepts legitimate DNS request
○ Races to send fake response before real server
○ If successful, client gets directed to wrong IP address
○ Cache gets "poisoned" with incorrect mapping
Pharming variation:
○ Attacker sends crafted DNS responses
○ Can include additional malicious records
○ Can redirect multiple domains to attacker's servers
○ More sophisticated than simple cache poisoning

Key vulnerability: DNS responses are matched to requests only by:

ID number (16 bits)
 UDP port number
No built-in authentication

5. IP Fragmentation Attack
Networks have a maximum transmission unit (MTU)
Large packets must be broken into smaller fragments
In a fragmentation attack:
○ Attacker sends intentionally fragmented packets
○ Creates overlapping fragments when reassembled
○ Can confuse:
Routers
Firewalls
Servers

Firewalls may fail to inspect all fragments properly, allowing malicious
payloads to bypass them.
 How to protect your inner network Part 1: Firewalls

Firewalls are tools used to protect networks by filtering incoming and outgoing
traffic based on predefined rules. They act as barriers between secure internal
networks and untrusted external environments, such as the internet.
Firewall Fundamentals

Types and Placement

Firewalls can be either host-based or network-based
Often implemented in a DMZ (Demilitarized Zone) architecture
Can work alongside IDS (Intrusion Detection Systems)

Core Functionality

1. Rule Sets
○ Firewalls operate based on defined rule sets
○ Rules specify criteria for:
Incoming/outgoing traffic
Network interfaces
IP addresses (source/destination)
TCP ports (source/destination)
2. Target Actions
○ Forward: Allow packet to proceed to recipient
○ Drop: Silently discard packet without notification
○ Reject: Discard packet with notification
○ Log: Record packet information
○ Alarm: Trigger alert system
Default Rules and Security

Every firewall must have a default rule (last rule in set)
Two approaches:
○ ALLOW ALL: Permits everything not explicitly denied
○ DENY ALL: Blocks everything not explicitly allowed
○ DENY ALL is generally considered more secure

Firewall Types

1. Stateless Firewalls
○ Evaluate each packet independently
○ Don't consider previous packet history
○ Make decisions based solely on current packet and rules
2. Stateful Firewalls
○ Can track connection states
○ Make decisions based on packet history
○ Can associate responses with requests
○ Generally more secure but resource-intensive

Implementation Examples

1. Linux netfilter/iptables
○ Kernel-level framework (netfilter)
○ User-space configuration tool (iptables)
○ Key components:
Tables (Filter, NAT, Mangle, Raw, Security)
Chains (Input, Forward, Output, Prerouting, Postrouting)
Commands for rule management
2. BSD pf (Packet Filter)
○ Features:
Stateful packet filtering
NAT capabilities
 Traffic normalization
OS fingerprinting
Failover support for redundancy
○

Policy and Management

Rule sets should be derived from security policies
Policies typically defined by IT security managers
Implementation handled by system administrators
Both policies and rule sets should be reviewed periodically

Best Practices

1. Regular review and updates of rule sets
2. Clear documentation of security policies
3. Implementation of least-privilege principle
4. Regular monitoring and logging
5. Proper configuration of default rules

How iptables Works with Netfilter Hooks

Netfilter hooks are points in the Linux kernel where packets are intercepted.
Each hook corresponds to a specific stage:

Prerouting: Before routing decisions are made.
Input: After routing, for packets destined for the machine.
Forward: For packets being routed through the machine.
Output: For locally generated packets.
Postrouting: Before the packets leave the machine.
When a packet hits a hook, iptables evaluates the chain of rules associated
with it to decide the packet's fate (accept, drop, modify, etc.)

Key Components of iptables
1. Tables:
○ Filter: The default table, used for standard packet filtering (allow
or block traffic).
○ NAT: For network address translation (e.g., redirecting traffic to
specific IPs).
○ Mangle: For altering packet headers (e.g., modifying Quality of
Service).
○ Raw: For rules applied before connection tracking.
 ○ Security: Used for Mandatory Access Control (MAC) rules.
2. Chains:
○ Input: For packets destined for the local machine.
○ Output: For packets originating from the local machine.
○ Forward: For packets routed through the machine (e.g., a gateway).
○ Prerouting: For modifying packets as they arrive.
○ Postrouting: For modifying packets before they leave.
3. Targets:
○ Accept: Allow the packet.
○ Drop: Silently discard the packet.
○ Reject: Discard the packet and notify the sender.
○ Log: Record packet details for analysis.
Why Use iptables?

Fine-grained control over network traffic.
Supports a wide range of use cases, from simple firewalls to advanced
NAT and routing configurations.
Integrated directly into the Linux kernel for high performance

Simplified Alternative: UFW

For simpler configurations, ufw (Uncomplicated Firewall) is often used. It's a
wrapper around iptables with a more user-friendly interface, ideal for
straightforward use cases.

pf Failover

pf failover refers to a redundancy setup where multiple firewalls work together
to ensure high availability. If one firewall fails, another seamlessly takes over,
maintaining network protection without interruption.

How pf Failover Works

1. Active and Backup Firewalls:
○ There are typically two firewalls: FW1 (active) and FW2 (backup).
○ FW1 handles all traffic under normal operation.
2. Synchronization:
○ FW1 regularly syncs its state table (e.g., open connections) with
FW2. This ensures that FW2 is aware of all active sessions.
3. Failover Process:
○ If FW1 becomes unavailable (e.g., hardware failure), FW2 detects the
failure and takes over the firewall's responsibilities seamlessly.
○ Existing connections are preserved because of the synchronized
state table.
 Intrusion Detection
1. Introduction to IDS
- Designed to detect attacks against network hosts or networks
- Act like a network's "anti-virus"
- Four main objectives: detect various intrusions, analyze in simple format,
detect in timely fashion, and be accurate

2. IDS Functionalities
- Log and report detected attacks
- Can send alerts, discard packets, reset connections
- Special features include:
* IP defragmentation
* TCP stream reassembly
* SSL terminators
* Automated failover
3. Types of Inspection
- Packet filter (looks at packets like a bunch of bytes)
- Application filter (knows that there is HTTP, FTP,...)
- Stateful filter (track connections and their states)
- Deep packet inspection (analyses packet payload)

4. NIDS Network Placement
- In-Band: NIDS in traffic flow
- Out-of-Band: NIDS receives mirrored traffic copy
5. Detection Models
- Heuristics (Pattern Matching)
* Signature-based systems
* Misuse and specification modeling
- Anomaly Detection
* Detect abnormal behavior
* Uses machine learning, statistics, information theory

6. Learning Approaches
- Learning by Example: Using labeled training data
- Self-learning: Models built independently

7. Challenges
- Modeling normality
- Minimizing false positives/negatives
- Handling encrypted traffic
- Performance under high network speeds

8. Case Study: Great Firewall of China
- Distributed Deep Packet Inspection system
- Filters multiple protocols
- Uses techniques like DNS poisoning, IP blocking, keyword detection

9. Base Rate Fallacy
- Highlighted the importance of understanding false positive/negative rates in
context of rare events

Web Security

1. Browser and Web Interaction
- Historical Evolution:
* Originally, browsers just fetched static content
* Now, browsers are complex platforms running JavaScript, plug-ins, and
sandboxed environments

When you trust a webbpage Eve can send malicious plug-ins SSH….
To prevent malicious SSH, NetBIOS and FTP the browser uses sandboxing

* Sandboxing is a security mechanism used by modern web browsers and
operating systems to isolate code execution environments, ensuring that
potentially harmful code cannot affect the host system or other applications.
It is a critical layer of defense in web security, especially given the increasing
complexity of web applications and the risks they present.

A sandbox creates a restricted environment where code is executed with
limited access to:

1. File Systems: The sandboxed code cannot read, write, or modify files
outside its environment.
2. Operating System Resources: Access to system-level resources such as
memory, processes, and device drivers is restricted.
3. Network Access: Code running in a sandbox can only communicate over
predefined channels.
4. Browser Data: It isolates browser tabs, preventing one tab's scripts or
data from interacting with another.

Isolation Between Tabs:

Each browser tab operates in its sandboxed process.
If one tab encounters malicious code or a crash, other tabs and the
browser itself remain unaffected.
To prevent code from different websites to interact same Origin policy is used

2. Same Origin Policy
- Prevents code from different websites from interacting
- Three conditions must be met for code to interact:
* Same domain
* Same application protocol
* Same TCP port
3. Cookies
- Used to store information in browsers
- Types:
* Session cookies (temporary)
* Persistent cookies (long-lasting)
* First-party cookies (same domain)
* Third-party cookies (Other domain)
- Security flags:
* HttpOnly (only available for HTTP/HTTPS)
* Secure (only available over HTTPS)

4. OWASP Top 10 Web Security Vulnerabilities (2021)
(Open Web Application Security Project)

Top 10 web security vulnerability classes

1. Broken Access Control:

Failures in restricting user permissions can lead to privilege escalation
and unauthorized access.
Example: Path traversal or Cross-Site Request Forgery (CSRF).
2. Cryptographic Failures:

Issues like transmitting data in clear text, weak encryption protocols (e.g.,
MD-5), and reusing cryptographic keys.
A salt is a random, unique value added to a password before hashing to enhance
security. For example:

Without salt: hash(password)

With salt: hash(password + salt)

3. Injection Attacks:

Includes SQL injection, system command injection, and remote file
inclusion.
Prevention: Parameterized queries, escaping input, and minimizing
database privileges.

Data Injection is a broader term that refers to injecting unexpected or
malicious data into an application. The goal is to exploit weaknesses in how
the application processes data, potentially leading to unauthorized actions,
system compromise, or data corruption. SQL Injection is a specific type of data
injection targeting SQL queries, but data injection can affect other systems,
such as file uploads, command-line inputs, or API calls.

SQL Injection: Manipulating SQL queries to gain unauthorized access or
retrieve data.

Command Injection: Executing system-level commands through web
application vulnerabilities.

Shellshock: Exploits a vulnerability in the Unix Bash shell, allowing multiply
command execution.
Cross-Site Scripting (XSS):

Exploits involve injecting malicious scripts into web pages. Types:
○ Stored XSS: Code stored on the server (e.g., in comments).
○ Reflected XSS: Code injected into a request and executed in the
response.
Stored XSS: Malicious scripts saved on a server and executed when users
access the data.

Reflected XSS: Scripts injected into requests and reflected in server responses.

4. Insecure Design

5. Security Misconfigurations:
Weak or improperly configured settings, e.g., exposing unnecessary services.

6. Vulnerable and Outdated Components:
Risks from outdated libraries or frameworks.

7. Identification and Authentication Failures:
Problems like weak passwords, session hijacking, and predictable tokens.
8. Software and Data Integrity Failures:
Untrusted code execution or data manipulation.
9. Security Logging and Monitoring Failures:
Lack of proper logging can prevent detection of malicious activity.

10. Server-Side Request Forgery (SSRF):
Exploits occur when servers fetch resources based on unvalidated user input.

Prevention Strategies
- Key principles:
* Never trust user input
* Use parameterized statements
* Escape special characters
* Minimize database user privileges
* Implement multi-factor authentication
* Use secure APIs
* Implement proper session management

Authentication and Session Management
- Challenges:
* Weak password storage
* Single-factor authentication
* Exposed session IDs
* Predictable tokens

Practical Recommendations:
- Use secure authentication APIs
- Implement multi-factor authentication
- Avoid default passwords
- Regularly update and patch systems
- Use prepared statements for database queries
- Implement proper input validation

Educational Resources Mentioned:
- OWASP (Open Web Application Security Project)
- Damn Vulnerable Web Application (DVWA) - A training tool for security
professionals

Key Takeaway:
"Don't ever trust user input!" - This is the main message emphasizing the
importance of rigorous input validation and security measures in web
applications.

The document serves as an educational resource for understanding web
security vulnerabilities, their mechanisms, and prevention strategies.

Would you like me to elaborate on any specific section or topic from the
document?
 Risk Analysis

Summary and Explanation of the PDF: “Introduction to Risk Analysis”
The document provides an introduction to risk analysis, focusing on its role in
security management and the methodologies used to identify, analyze, and
evaluate risks. Here’s a detailed explanation of the topics covered, with examples
for clarity:
1. Security Management
Purpose: Ensures that risks remain within acceptable bounds through proactive
measures.
Key Components:

1. Risk Mitigation:

Implementation of safeguards and controls to reduce risks.

Example: Applying security patches to fix software vulnerabilities.

2. Security Risk Assessment:

Identifying threats, vulnerabilities, and potential impacts to assets.

Example: Assessing the risk of unauthorized access to a database.

3. Testing and Review:

Regularly evaluating security measures for effectiveness.

Example: Conducting penetration tests to identify weaknesses.

4. Operational Security:

Handling incidents and providing ongoing training.

Example: Training employees on phishing email identification.
2. What is Risk Assessment?
Risk assessment involves determining the probability and potential impact of
asset losses based on:

1. Asset Valuation:

Identifying the value of assets, both tangible and intangible.

Example: A company determines the cost of losing customer data is
$500,000 due to fines and reputational damage.

2. Threat Analysis:

Analyzing potential threats that could exploit vulnerabilities.

Example: Identifying ransomware as a significant threat to IT systems.

3. Effectiveness of Security Controls:

Reviewing existing controls to evaluate their adequacy.

Example: Testing firewall configurations to ensure they block
unauthorized traffic.
3. What is Risk?
Risk is tied to future events and their potential consequences. It involves two main
factors:

1. Uncertainty:

Events may or may not occur, and their outcomes are unpredictable.

Example: A natural disaster might disrupt a company’s supply chain.

2. Impact:

The consequences of these events if they materialize.

Example: A data breach leads to loss of customer trust and financial
penalties.
4. What is Risk Analysis?
Risk analysis is the process of understanding risks through modeling. This
involves:

1. Understanding the World:

Events and their probabilities are modeled based on historical data,
expert opinions, and probability forecasts.

Example: Using historical data on cyberattacks to predict the
likelihood of future breaches.

2. Building a World Model:

Constructing a simplified version of reality to evaluate risks
effectively.

Example: A model that evaluates the risk of insider threats based on
employee behavior metrics.
5. What is Risk Evaluation?
Risk evaluation involves prioritizing risks based on their potential impact and
likelihood, often guiding decision-making on which risks to address first. It answers
questions such as:

Which risks are critical?

How much effort should be allocated to mitigate a specific risk?

Example: Evaluating whether the risk of a distributed denial-of-service (DDoS)
attack is higher than the risk of insider fraud and prioritizing defenses
accordingly.

6. Risk Analysis vs. Risk Evaluation
The document asks this as an assignment question. Here’s the distinction:

1. Risk Analysis:

Focuses on understanding and modeling risks by determining
probabilities and consequences.

Example: Using historical data to calculate the likelihood of server
downtime.

2. Risk Evaluation:

Focuses on assessing and prioritizing risks based on their analyzed
data.

Example: Deciding to invest in backup systems due to the high
likelihood and severe impact of server downtime.
7. Knowledge Base in Risk Analysis
The knowledge base in risk analysis includes:

1. Historical Data:

Past incidents provide insights into potential future risks.

Example: Data on previous malware infections informs the likelihood
of future attacks.

2. Probability Forecasts:

Statistical models predict the likelihood of events.

Example: Predicting a 20% chance of network failure in the next
quarter.

3. Expert Opinions:

Subject matter experts provide qualitative insights.

Example: Cybersecurity professionals estimate the risk of a new
zero-day exploit.
Key Takeaways
Risk is about uncertainty and consequences of future events.
 Risk Assessment includes identifying, analyzing, and evaluating risks to
manage them effectively.

Risk Analysis focuses on understanding risks, while Risk Evaluation
prioritizes them for action.

Security Management integrates risk mitigation, testing, and operational
strategies to minimize risks.

Would you like further details or examples on any specific topic?

Privacy, Security and Ethics
Summary and Explanation of the PDF: “Ethics and Privacy”
The document introduces Ethics and Privacy concepts, discussing their relevance
in cybersecurity and society. It highlights ethical dilemmas, privacy concerns, and
legal frameworks surrounding data protection. Below is a detailed explanation of
each topic, with examples.
1. Ethics in Cybersecurity
Definition: Ethics deals with concepts of right and wrong, guiding behavior and
decision-making in complex scenarios.
Key Areas in Ethics:

1. Meta-Ethics: Explores abstract questions like What is goodness?

2. Normative Ethics: Examines how to distinguish right from wrong in
general terms. What should i do?

Example: Deontological ethics (duty-based) vs. consequentialism
(outcome-based).
3. Applied Ethics: Focuses on practical ethical dilemmas in specific
fields like technology or bioethics. What do I do in this specific case?

Example: Ethical hacking or privacy concerns in surveillance systems.
Examples of Ethical Dilemmas

1. Project Raven (Darknet Diaries, Ep. 47):

Ethical Issue: Cybersecurity professionals were hired to fight
terrorism but were later tasked with spying on journalists and human
rights activists.

Dilemma: Is it ethical to prioritize government directives over human
rights?

Example Conflict: Targeting U.S. computers upon government
request.

2. Elliot (Ep. 49):

Ethical Issue: A security researcher finds vulnerabilities in a dating
app and publicly discloses them.
 Dilemma: Is it ethical to disclose vulnerabilities in systems you weren’t
authorized to test, even if it helps users?

3. Victor (Ep. 88):

Ethical Issue: Actively finding and reporting vulnerabilities in systems
without prior permission.

Dilemma: Is it ethical if the work is done voluntarily and without
malicious intent?
2. Privacy
Definition: Privacy refers to individuals’ control over their personal information
and how it is shared with others.
Key Aspects:

1. Subjectivity:

Privacy is culturally and socially subjective, with no universal
standard.

Example: Expectations of privacy differ between societies, such as
Europe’s strict GDPR rules vs. less stringent frameworks elsewhere.

2. Informational Self-Determination:

Defined by Westin (1967) as the ability to control when, how, and to
what extent personal information is communicated to others.

Example: Deciding whether to share your location with a mobile app.

3. Legal Frameworks:

Laws and regulations ensure privacy and data protection.

Example: GDPR mandates informed consent and transparency in
data collection.
Enhancing Privacy

1. Privacy-Enhancing Technologies (PETs):

Tools and techniques designed to protect user privacy.

Example: Encrypted messaging apps like Signal.

2. Data Minimization:

Collecting only the data that is strictly necessary.

Example: A website requesting your email but not your phone
number unless required.
3. Data Protection
Definition: Legal and technical measures for securely handling personal data.
Scope:

1. Data Collection and Processing:

Rules for obtaining user consent and ensuring transparency.
 Example: Consent forms for apps that explain how personal data will
be used.

2. Security:

Protecting data from unauthorized access or breaches.

Example: Implementing encryption to safeguard stored user data.
Assignment Questions

1. Q1: Ethical Dilemma in Project Raven

The protagonist faces the dilemma of working for a government that
transitions from combating terrorism to targeting journalists and human
rights activists. The ethical question arises: Should the protagonist
continue supporting such operations?

2. Q2: Scope of Data Protection

Data protection encompasses:

1. Legal compliance (e.g., GDPR).

2. Privacy rights, including consent and transparency.

3. Security measures to prevent breaches.

4. Risk analysis to identify potential vulnerabilities in data handling.
Key Takeaways
Ethics in cybersecurity often involve navigating gray areas where laws and
personal values may conflict.

Privacy is a fundamental but subjective concept, with legal and technical
frameworks offering guidance.

Data protection combines privacy rights with security measures to ensure
individuals’ data is handled responsibly.

Would you like deeper insights or examples for specific topics?

Design Principles
Summary and Explanation of the PDF: "Design Principles for
Security Mechanisms"

The document explains eight design principles proposed by Saltzer and
Schroeder in 1975 for building secure systems. It describes how these
principles are applied, their importance, and examples of where they are (or
aren't) implemented in real-world scenarios.
1. The Eight Design Principles

1. Least Privilege

Definition: Each subject (user or process) gets the minimum privileges
needed to perform a task.
Key Aspects:
○ Rights should be tied to tasks, not identities.
○ Extra privileges should be removed immediately after use.
○ Large systems should be divided into smaller components with
well-defined rights.
Example:
○ A service runs with non-root privileges unless root access is
explicitly required.
Vulnerability: TOCTTOU (Time of Check to Time of Use) exploits violate
this principle by altering a resource between its validation and use.
○ Example: A program checks if a file is writable, but an attacker
swaps the file with another (e.g., /etc/shadow) before it is written
to.

2. Fail-Safe Defaults

Definition: Deny access by default unless explicitly granted.
Key Aspects:
○ If a security mechanism fails, it should revert to a secure state.
○ Changes to the system should be undone if tasks fail.
Example:
○ File permissions default to "no access" until explicitly set.
Common Issue:
 ○ Exceptions in security functions can create vulnerabilities.

Example:
is_admin = true;
try {
is_admin = isUserInRole("admin");
} catch (Exception ex) {
log.write(ex.toString());
}

○
If isUserInRole() throws an exception, the fallback
is_admin = true creates a privilege escalation risk.

3. Economy of Mechanism

Definition: Security mechanisms should be as simple as possible.
Key Aspects:
○ Simplicity reduces errors, misunderstandings, and attack vectors.
○ Complex designs lead to overlooked vulnerabilities.
Example:
○ OpenSSL’s Heartbleed bug occurred due to a subtle vulnerability
in a complex protocol implementation.
○ Unexpected Input(Always verify the input, never assume them
correct )
Practice: Simplify module interfaces and verify all external inputs.

4. Complete Mediation

Definition: Every access to a resource must be checked for
authorization, without relying on cached decisions.
Key Aspects:
○ Prevents changes to permissions after an initial access check.
Example:
○ Unix grants access to a file by returning a file descriptor. If
permissions change after the descriptor is issued, it could still
allow unauthorized access.
Extra Info

Verification of Every Access:
Each time a subject (e.g., a user or process) tries to access an
object (e.g., a file, database, or network resource), the system must check
if the access is allowed based on current permissions.
 ○ Avoiding Caching Decisions:
Cached decisions can lead to vulnerabilities if the state of
permissions or the resource changes after the initial check. Every
request must be freshly evaluated.
○ Dynamic Changes:
The principle protects against situations where permissions or
access control settings are modified during the lifecycle of a
session or resource.

Why It Matters

Prevents exploitation of outdated permissions.
Ensures security policies are always enforced, even if system conditions
change after initial access.
Protects against privilege escalation and unauthorized use.

5. Open Design

Definition: The security of a system should not depend on secrecy of its
design but on secrecy of keys or passwords (Kerckhoffs's Principle).
Key Aspects:
○ Transparency allows public scrutiny and trust in algorithms and
methods.
Example of Failure:
○ The DVD Content Scrambling System (CSS) relied on secrecy but
was reverse-engineered, compromising its security.

6. Separation of Privilege

Definition: Require multiple conditions to grant access, improving
granularity and security.
Key Aspects:
○ Access should depend on two or more independent factors.
Example:
○ Unix su command requires both root password and membership
in the wheel group.
7. Least Common Mechanism

Definition: Minimize sharing of mechanisms among users or resources
to reduce risks of information leakage or backchannels.
Key Aspects:
○ Shared resources can become vectors for attacks.
Example:
○ Virtual machines and sandboxes isolate processes and prevent
shared access.

8. Psychological Acceptability

Definition: Security mechanisms should be user-friendly and integrate
seamlessly into workflows.
Key Aspects:
○ Overly complex systems lead to misconfiguration, misuse, or
abandonment.
Example:
○ Password rules requiring excessive complexity can lead users to
write them down or reuse passwords across systems.

Software Security (x2)
Summary and Explanation of the PDF: "Software Security"

This document provides an overview of software security, highlighting
vulnerabilities, common programming errors, attack vectors, and mitigation
techniques. The content is particularly focused on issues like buffer overflows,
memory errors, and defensive programming practices.

1. What is Software Security?

Definition:
Software security ensures that programs function as intended, resisting
attacks and handling both expected and unexpected inputs without
introducing vulnerabilities.

Key Concepts:

1. Normal Functionality:

○ The program behaves as expected when given valid inputs.
 2. Unintended Functionality:

○
Security vulnerabilities arise when programs unintentionally
execute malicious or unintended behavior (the "weird machine").
3. Sources of Vulnerabilities:

○ Implementation Mistakes: Bugs in code (e.g., unsafe memory
handling in C/C++).
○ Insecure Composition: Flaws in how systems or APIs interact.
Example: The Mat Honan Hacking Case, where insecure
recovery workflows at Amazon and Apple enabled account
hijacking.

Over-Read in OpenSSL: The Heartbleed Vulnerability

The Heartbleed bug (CVE-2014-0160) is a prime example of an over-read
vulnerability in OpenSSL. This vulnerability allowed attackers to read more
memory than intended, exposing sensitive data such as private keys,
passwords, and session cookies.

What is an Over-Read?

An over-read occurs when a program reads more data than it is supposed to
from a buffer or memory location. This can happen due to improper bounds
checking, allowing access to adjacent memory that may contain sensitive
information.

2. Buffer Overflows

Definition:
Buffer overflows occur when a program writes data beyond the boundaries of
allocated memory, potentially overwriting critical values like return addresses.

Types of Buffer Overflows:

1. Stack-Based Buffer Overflow:

○
Overwriting the return address on the stack to redirect execution.
Example: Manipulating gets() to input more data than a buffer
○
can hold.
2. Heap-Based Buffer Overflow:

○ Corrupting heap memory by overwriting metadata or pointers.
Example:
char *buf = malloc(8);
gets(buf);

○

3. Exploitation Techniques

1. Stack Smashing:

○Overwriting the return address to execute malicious code or
redirect execution.
○ Techniques:
Shellcode Injection: Writing executable code into a buffer.
NOP Sled: Filling memory with no-operation instructions
(NOP) to improve the likelihood of jumping to malicious code.
2. Return-to-libc Attacks:

○ Redirecting execution to an existing function (e.g., system()).
○ Example:
Overwrite the return address to point to system("rm -rf
/home/user").

Extra info

Smash the Stack Principles

"Smash the Stack" refers to techniques used by attackers to exploit
stack-based buffer overflows. A stack-based buffer overflow occurs when a
program writes more data into a buffer on the stack than it was designed to
hold, leading to overwriting adjacent memory, including critical control data
such as return addresses. This can allow attackers to manipulate the
program's execution flow.

How Buffer Overflows Work

Buffers are regions of memory used to temporarily store data. On the stack,
they are used to hold local variables, function parameters, and return
addresses.

The Problem:

When a program fails to enforce boundary checks on input, attackers
can overflow a buffer and overwrite adjacent stack memory.
 Critical data like the return address can be overwritten, redirecting the
program to execute malicious code.

Smash the Stack Principles

1. Gain Control of the Return Address

Objective: Overwrite the return address stored on the stack with an
attacker-controlled value.
Execution:
○ Input data (crafted by the attacker) overflows the buffer and
overwrites the return address.
○ The attacker directs the program to execute malicious code,
either injected into the buffer or in a different memory region.

2. Point to Malicious Code

Shellcode: Attackers often inject "shellcode" (binary instructions) into the
buffer to execute commands, such as spawning a shell or downloading
malware.
NOP Sled:
○ A sequence of "no-operation" instructions (NOP) is used to make
the jump to malicious code easier.
○ If the exact address of the injected code isn’t known, a NOP sled
ensures the program lands on the attacker’s code regardless of
slight address miscalculations.

3. Modify Program Flow

By overwriting stack data like the frame pointer, attackers can change
the logical flow of the program to bypass security checks or execute
harmful functions.
Example: Instead of returning to a legitimate function, the program
might jump to an already-loaded library function, like system().

How a Stack Frame Works

Each function call creates a stack frame, which includes:

1. Return Address: Points to the instruction following the function call.
2. Local Variables: Stored in the buffer allocated for the function.
3. Saved Registers: Values that the function may need to restore after
execution.
Attack Example

Here’s a vulnerable function:

void vulnerable() {

char buf;

gets(buf); // No bounds checking!

}

How It’s Exploited:

1. Attacker Input:
○ The attacker supplies more than 8 bytes, overwriting the buffer
and the return address.
○ Input: "AAAAAAAAAAAA\x90\x90\x90...".
2. Overwrite Return Address:
○ The attacker modifies the return address to point to the buffer
containing the shellcode.
3. Execute Malicious Code:
○ When the function returns, it jumps to the attacker’s shellcode.

Common Attack Variants

1. Jumping to Shellcode

Injecting shellcode into the buffer and setting the return address to
point to it.
Uses a NOP sled to increase the chances of hitting the shellcode.

2. Return-to-libc

Instead of injecting shellcode, the attacker redirects execution to an
existing library function, like system(), with controlled arguments.
Example: Calling system("rm -rf /") by overwriting the stack.

3. Overwriting Function Pointers

Instead of the return address, the attacker overwrites a stored function
pointer, which gets executed later.
4. Mitigation Techniques

1. Stack Canaries:

A random value placed before the return address on the stack.
If a buffer overflow overwrites the canary, the program detects the
corruption and aborts execution.

2. Address Space Layout Randomization (ASLR):

Randomizes memory addresses of program components, making it
difficult for attackers to predict locations of buffers or libraries.

3. Non-Executable Memory:

Prevents execution of code in specific memory regions (e.g., the stack or
heap).

4. Secure Coding Practices:

Validate all inputs.
Use safer functions (fgets instead of gets, strncpy instead of strcpy).
Manually check for boundary violations.

5. Static and Dynamic Analysis:

Static Analysis: Analyzes source code without running it to identify
potential vulnerabilities.
○ Example Tools: Splint, Perforce.
Dynamic Analysis: Tests code at runtime to identify memory errors or
unexpected behavior.
○ Example Tools: Valgrind, AFL (American Fuzzy Lop).

5. Fuzzing

Definition:
Fuzzing involves feeding a program unexpected, random, or malformed inputs
to discover vulnerabilities.

How It Works:

1. Randomly generates or mutates inputs.
2. Executes the program with these inputs.
3. Monitors for crashes or unusual behavior.
 4. Collects data for debugging and patching.

Example:

A fuzzer found the Heartbleed bug in OpenSSL.

7. Programming Language Choices

When to Use C/C++:

Low-level hardware access.
Performance-critical systems (e.g., operating systems, embedded
systems).
Legacy projects.

When to Avoid C/C++:

Security-critical applications where memory safety is paramount.
Prefer languages with built-in safety (e.g., Rust, Python).

Key Takeaways

Software security requires attention to implementation, composition,
and runtime behavior.
Buffer overflows and integer vulnerabilities remain significant threats.
Mitigation techniques like canaries, ASLR, and memory-safe languages
reduce risks.

Would you like more detailed explanations for any of the assignment
questions?