Cybersecurity PDF
Uploaded by FinerDiction
Jagiellonian University Kraków
Summary
This document provides an introduction to cybersecurity concepts such as confidentiality, integrity, and availability, and explores cybersecurity attacks, such as MitM and MitB, and their consequences.
Full Transcript
1. Intro

Cybersecurity – the practice of protecting systems, networks and programs from digital attacks.

CIA – a concept that focuses on the balance between confidentiality, integrity and availability.
- Confidentiality – keeping data secure, keeping what needs to be private, private. It ensures that information is kept private and protected from unauthorized access or disclosure.
- Integrity – keeping data clean; only those who are allowed can modify it. It ensures that information is not improperly modified or destroyed.
- Availability – keeping data accessible; when an authorized user needs to access data, they can. It ensures that information and information systems are accessible and usable when needed.

Information has a value and a price:
- Valuable business information (strategic plans, financial data, customer lists, marketing strategies) – such information is valuable as it provides insight into the company's plans or operations.
- Credentials (usernames, passwords) – highly valuable for attackers; with access to these they can get access to systems, networks or accounts, causing harm.
- Technical designs / intellectual property (source code, blueprints) – assets for companies. They represent the result of investment in research and development.
- Confidentiality is indeed a critical component of many contracts and agreements.
- More sensitive data: PESEL / SSN, political / religious / sexual preferences.

Data heist – unauthorized and often illegal acquisition of sensitive and valuable information. It involves an intentional breach of security measures to access data over the internet.

Examples of attacks (loss of integrity) – potential modification of data during transmission or processing, loss of data reliability:
1. Man-in-the-middle (MitM) – the attacker intercepts and alters communication between two parties without their knowledge.
2. Man-in-the-browser (MitB) – a specific type of MitM where malware infects a web browser to intercept and manipulate communication between the user and web applications.
   Steps:
   - Infection – the user's browser is infected with malware
   - Activation – when the user visits a target site, the malware activates
   - Interception – the malware intercepts the communication between the user and the site, capturing sensitive information
   - Manipulation – the malware can alter transaction details or other data without the user noticing
   - Execution – the attacker uses the stolen data or altered transactions for fraudulent purposes
3. Injection of data into a system's bus – the attacker injects malicious data directly into the communication bus of a system.
4. Hardware and software malfunction – hardware failure, data corruption.

Means of protection:
1. Control checksums – error-detecting codes used to ensure data integrity.
2. Cryptographic methods:
   a. Digital signature – verifies authenticity and integrity. A private key is used to generate a signature for a data set.
3. MAC (Message Authentication Code) – a short piece of information used to authenticate a message and ensure its integrity. It involves a secret key and a MAC algorithm.
4. Hash functions – take an input and produce a string of bytes. A small change in the input will produce a different hash.

Ensuring data integrity is vital for the reliability of information systems.

Inability to access certain resources may result in serious consequences:
1. Financial impact – inaccessibility of financial resources can disrupt transactions.
2. Communication channels – lack of access to communication channels can make communication harder and delay decision-making processes.
3. Actions, plans, contracts – inability to access essential documents, such as action plans and contracts, can lead to misunderstandings and project delays.
4. Critical systems:
   a. Life-critical systems – these include medical equipment and emergency response systems.
   b. Mission-critical systems – systems crucial for the success of a particular mission or operation.
   c. Business-critical systems – these encompass core operational systems essential for the functioning of a business.

The Parkerian Hexad – a model for information security that expands the more traditional CIA by introducing additional elements that provide a more comprehensive framework. It consists of 6 elements:
1. Confidentiality – ensures that information is not disclosed to unauthorized individuals.
2. Integrity – information is accurate and complete and hasn't been altered in an unauthorized way.
3. Availability – information and resources are accessible to authorized users when needed.
4. Authenticity – ensures that data, communication and communication systems are genuine and from verified sources. It's about verifying where information comes from and ensuring it hasn't been manipulated.
5. Possession or control – having physical control of information. It's about who actually has the data, not who is allowed to access it.
6. Utility – making sure information is useful. Data must be usable for the people that need it.

Key factor – the system is only as strong as its weakest link, which is usually humans. Most popular passwords: 123456, password.

The foundation of security -> LACK OF TRUST
- Do not trust the users
- Do not trust the administrators
- Do not trust the deployment team
- Do not trust the programmers

DEFENCE-IN-DEPTH in cybersecurity involves developing multiple layers of security measures to protect the various components of an IT infrastructure, including networks, hosts, applications and data.
1. Network security
   a. Firewalls – to monitor and control incoming and outgoing traffic based on predefined security rules
   b. Intrusion Detection / Prevention Systems (IDPS / IPS) – to detect and block suspicious network activities such as unauthorized access attempts
   c. VPN (Virtual Private Network) – to secure communication between remote users/devices and corporate networks over public networks like the internet
   d. Network segmentation – dividing the network into multiple segments with different security levels
2. Host security
   a. Antivirus/antimalware software – installing and regularly updating it on hosts to detect and remove malicious software
   b. Host-based firewalls – configuring firewalls on individual hosts to control incoming and outgoing traffic and prevent unauthorized access
   c. Patch management – ensuring hosts are regularly updated
   d. Endpoint detection and response (EDR) – monitor and respond to suspicious activities on hosts in real time
3. Application security
   a. Secure development practices – follow secure coding guidelines to minimize vulnerabilities
   b. Web application firewalls – to protect web applications from security threats such as SQL injection and cross-site scripting (XSS)
   c. Code reviews
   d. Application whitelisting – accepting only specific apps (whitelist) and blocking malicious apps (blacklist)
4. Data security
   a. Encryption – encrypting sensitive data to prevent unauthorized access
   b. Access control – mechanisms to ensure only authorized users can access data
   c. Backup and recovery – regularly backing up data and establishing robust backup and recovery procedures

Definitions:
1. Vulnerability – a weakness or bug/error in a system. A weakness, flaw or error in a system that can be exploited by an attacker to get unauthorized access or compromise data confidentiality or integrity.
2. Exploit – an opportunity to use vulnerabilities in a system, or a tool to take advantage of a vulnerability in a system.
3. Threat – the entity poised to exploit the system. A factor that has the potential to exploit a vulnerability to carry out an attack.
4. Risk – a product of probability and impact on the system.
A vulnerability is a system weakness that attackers can exploit, while an exploit is the tool used by attackers to take advantage of weaknesses. A threat is a potential entity that may exploit a vulnerability, while risk refers to the likelihood of an attack and its consequences.
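The difference between the "control checksums" and the cryptographic methods listed under Means of protection above, as an added example (not from the lecture notes): an additive checksum accepts a deliberate byte reordering that changes a transfer amount tenfold, while an HMAC computed with a secret key rejects it. The message, the key and all function names are constructed for this illustration.

```python
"""Integrity checks compared: additive checksum vs. HMAC (added example)."""
import hashlib
import hmac

# Constructed sample record, the kind of data a man-in-the-browser alters.
MESSAGE = b"transfer;from=ACC-1001;to=ACC-2002;amount=00100"

# Constructed demo key. In production the key lives in a key store, not in code.
DEMO_KEY = b"demo-shared-secret-key"


def additive_checksum(data: bytes) -> int:
    """Error-detecting code: sum of bytes modulo 2**16.

    Catches accidental corruption (a flipped byte) but not deliberate edits
    that preserve the sum, such as reordering bytes.
    """
    return sum(data) & 0xFFFF


def compute_mac(data: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag; producing or verifying it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(data: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison so timing does not leak the tag byte by byte."""
    return hmac.compare_digest(compute_mac(data, key), tag)


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Reorder two bytes; the multiset of bytes, and so the byte sum, is unchanged."""
    b = bytearray(data)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def tampered_copy(msg: bytes) -> bytes:
    """Constructed tamper: move the leading digit of the amount one place left
    (00100 -> 01000), a tenfold change with the same byte sum."""
    start = msg.index(b"amount=") + len(b"amount=")
    one = msg.index(b"1", start)
    return swap_bytes(msg, one - 1, one)


def integrity_report(original: bytes, received: bytes, tag: bytes, key: bytes) -> dict:
    """What each mechanism concludes about a received copy of `original`."""
    return {
        "checksum_ok": additive_checksum(received) == additive_checksum(original),
        "mac_ok": verify_mac(received, tag, key),
        "hash_changed": hashlib.sha256(received).digest()
        != hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    tag = compute_mac(MESSAGE, DEMO_KEY)
    print("untouched:", integrity_report(MESSAGE, MESSAGE, tag, DEMO_KEY))
    print("tampered: ", integrity_report(MESSAGE, tampered_copy(MESSAGE), tag, DEMO_KEY))
```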
Organizations aim to identify vulnerabilities in their systems to minimize the risk of attacks.
- Authentication – confirmation of identity. Confirming the identity of a user, device or system. It ensures that the entity claiming to be someone is who they say they are; they are verified (e.g. by password).
- Authorization – granting access to a certain resource. Granting or denying access to certain resources based on the authenticated identity.
- Black Hat – a criminal profiting from breaking into systems. A cybercriminal who engages in malicious activities to cause harm. They exploit vulnerabilities for financial profit, data theft or disruption.
- White Hat – a security specialist who identifies and patches vulnerabilities, conducts security assessments and helps organizations improve their cybersecurity posture. They may perform penetration testing to identify and address weaknesses before exploitation.

Web apps

Attacks:
1. User oriented:
   a. Cross-Site Scripting (XSS) – an attacker injects malicious scripts into web pages viewed by other users. Those scripts can steal cookies, session tokens or sensitive information.
   b. Cross-Site Request Forgery (CSRF) – a user-oriented attack that tricks a user into performing actions they did not intend, such as transferring funds or changing account settings.
   c. Phishing – attackers pretend to be someone from a given application. They deceive users to get sensitive information such as login credentials or credit card numbers.
2. Host oriented:
   a. Denial of Service (DoS) – attackers overwhelm a web server with traffic, making it unavailable to authorized users.
   b. Code Injection – attackers inject malicious code into a web application, which is then executed by the server. This includes SQL injection, where injected SQL queries are executed, leading to data breaches.
   c. Buffer Overflow – the app writes more data to a buffer than it can hold, causing data to overflow into adjacent memory.

Open Web Application Security Project (OWASP) – a non-profit organization which aims to improve the security of software. It provides free tools and resources and helps developers create secure apps.

OWASP Top 10:
A1 – Broken Access Control (users can gain access by changing the URL)
A2 – Cryptographic Failures (not using HTTPS, weak encryption algorithms, sensitive data not encrypted)
A3 – Injection (SQL injection, OS command injection, LDAP injection)
A4 – Insecure Design (overall design and implementation, no security rules, no risk assessment)
A5 – Security Misconfiguration (incorrect (default) configuration, using default passwords, badly configured servers)
A6 – Vulnerable and Outdated Components (using old libraries or outdated, well-known algorithms)
A7 – Identification and Authentication Failures (session issues, weak passwords, no login limits)
A8 – Software and Data Integrity Failures (untrusted software sources)
A9 – Security Logging and Monitoring Failures (lack of data for analysis, lack of response)
A10 – Server-Side Request Forgery

HTTP protocol – Hypertext Transfer Protocol. The foundation of data communication on the WWW. An application-layer protocol that defines the structure for requesting and transmitting data on the internet. It works on a request-response model: clients send requests to servers, which respond with data.

Response codes:
20X – Success
30X – Redirection
40X – Client error
50X – Server error

HTTP cookies – small pieces of data sent from a website and stored on a user's device while browsing. They are used to remember user preferences, authentication details and other browsing information.

Set-Cookie header – when a server wants to set a cookie on a client's device, it sends a "Set-Cookie" header in the HTTP response.

Cookie parameters:
1. Path – the URL path must exist in the request URL (for the browser to send the cookie with the request).
2. Expires – expiration date and time for the cookie. After that time, the browser deletes the cookie.
3. Secure – the cookie should only be sent via HTTPS.
4. HttpOnly – specifies that the cookie should not be accessible via JavaScript. That helps mitigate XSS (an injected script cannot read the cookie).

HTTP is a stateless protocol, which means that the connection between the browser and the server is lost once the transaction ends. The server does not remember previous actions.

Stateless problem solution – Session ID
When you go to a web page for the first time, it creates a unique ID = Session ID. It is a random code. Then the server sends this ID to your browser as a cookie. The browser saves the cookie. After that, every time you send a request, the browser automatically attaches the cookie with the Session ID to the request. Thanks to that, the server knows that this is your session.

Key components:
1. Session ID – a unique identifier assigned by the server to each session. This ID is used to track the session across multiple requests and responses.
2. Cookies – small pieces of data sent from the server and stored in the user's web browser.
3. Server-side storage – maintains the session data associated with each session ID.

How an HTTP session works:
1. Initiating the session -> generating a unique session ID
2. The server sends the session ID to the user's browser in the response using Set-Cookie
3. The user's browser stores the session ID as a cookie
4. For every request to the server, the browser automatically includes the session ID in the Cookie header
5. The server receives the session ID with each request
6. The server retrieves and updates session data as needed

A session can end in several ways:
1. Session timeout – if there is no activity for a certain period
2. User logout – the user logs out and the server ends the session
3. Session expiry – the session cookie has an expiry date, after which it is automatically deleted from the browser

The Session ID is the only element identifying the user's request.

Methods of finding out a user's session ID:
1. Intercepting TCP/IP traffic – an attacker may capture and analyze network traffic to find and take over the session ID
2. Listening in on Wi-Fi – an attacker may eavesdrop on network communications to capture session IDs transmitted without security
3. Protocol targeting (BGP/DNS) – modification of and attacks on key network protocols to get the session ID
4. Getting the SID from the user's device

Session sniffing – a type of cyberattack where the attacker intercepts and captures data packets traveling over the network to steal session tokens or other sensitive information. This allows the attacker to impersonate a legitimate user and gain access to web applications or services. To prevent it – use the HTTPS protocol to encrypt communication between client and server.

Session fixation – the attacker generates a SID, forwards the SID to the victim and convinces the victim to log into the system with that SID. The attacker may then access the system with the victim's rights.

Session riding – forcing someone to perform unwanted actions (CSRF). The victim is logged in to the bank application in the browser and gets a malicious link to a web page, or opens a page where the attacker put malicious code. The victim opens the browser and the code is executed automatically. Because the victim is logged in to the bank account, the session ID is included in the request. The bank server gets a request to transfer money from the victim's account into the attacker's account.

In XSS, malicious code is injected via URL, cookie or other input data. When a user visits the page with the malicious code, the browser executes it. The attacker's goal is to gain access to sensitive data and steal the session.

Reflected Cross-Site Scripting – a type of security vulnerability where an attacker injects malicious code into a website, which is then reflected back to the user's browser, potentially executing harmful actions.

Tabnabbing – a type of phishing attack where a malicious website alters the content of a browser tab that is left open but inactive, typically by changing it to a fake login page for a trusted website. This aims to trick users into entering their credentials, unknowingly providing them to the attacker.

Clickjacking – often involves overlaying an invisible layer on top of a legitimate website or webpage element. This layer can be transparent, making it seem like you're clicking on the actual content, when in reality you're interacting with something malicious hidden underneath. It can lead to various consequences, from unknowingly liking social media posts to inadvertently authorizing transactions or sharing sensitive information. It's a deceptive tactic used by attackers to manipulate users into performing actions they didn't intend to.
Defences:
- Using JavaScript to prevent loading the page in a frame
- X-Frame-Options: DENY / SAMEORIGIN
  "deny" – the page cannot be displayed in a frame
  "sameorigin" – the page can be displayed in a frame only on the same domain as the website itself

DNS spoofing – DNS cache poisoning; an attack that exploits vulnerabilities in the Domain Name System to redirect network traffic from the legitimate servers to false servers.

DNS rebinding – an attack technique which allows taking control over the user's browser to get access to LAN resources which are normally not accessible from the internet.

Direct attack against a web application – an attack in which the attacker carries out an attack directly on the application, trying to gain access to its resources/sensitive data. Purposes:
- Access to databases
- Web pages – modification of pages to spread malicious software or phishing
- Keys, passwords
- LAN – further internal attacks

SQL Injection – an application attack which injects malicious SQL code into queries, search boxes or other inputs where data is stored in databases. The attacker can get access to sensitive data or modify databases.

XPath (XML Path Language) Injection – XPath is a query language used to select nodes from an XML document. XPath injection is an attack technique used to exploit vulnerabilities in applications that use XPath queries to interact with XML data. Similar to SQL injection, XPath injection manipulates the structure of an XPath query to execute unintended commands, often gaining unauthorized access to data. XPath injection occurs when user input is inserted into an XPath query without proper validation or escaping. If the input is not sanitized, an attacker can manipulate the query structure to retrieve unauthorized data or perform other malicious actions.

Blind injections – SQL and XPath injection techniques that use differences in the server's response. These attacks are called blind because the attacker cannot see the result of the request but can draw conclusions from the differences in the server's responses. Despite this lack of direct feedback, attackers can still infer information based on indirect indications such as response times, differences in application behavior or generic error messages.
Ex. Boolean-based blind SQL injection:
' OR 1=1--
' OR 1=2--
If the first query results in a different response than the second, the attacker knows that the injection is working.

Injection based on the server's response time – introducing intentional delays. If there is no noticeable difference in responses, the time the server needs to respond may give some valuable clues about the database. It is especially useful during blind SQL injection because the attacker may draw conclusions about the database based on response time. The attacker sends queries that cause the database to delay its response if a condition is true:
' OR IF(1=1, SLEEP(5), 0)--
' OR IF(1=2, SLEEP(5), 0)--
If the first query causes a delay, the attacker knows the condition is true.
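An added example (not from the lecture notes) that ties together the cookie parameters, the session-ID flow and the session-fixation defence described above: the server mints unpredictable IDs, sets Path/Expires/Secure/HttpOnly on the Set-Cookie header, and issues a fresh ID at login so an ID planted before login never becomes an authenticated session. SessionStore, demo() and the cookie name SID are names assumed for this illustration.

```python
"""Session-ID issuance, Set-Cookie hardening and regeneration on login (added example)."""
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

COOKIE_NAME = "SID"                    # assumed cookie name
SESSION_LIFETIME = timedelta(minutes=30)


def new_session_id() -> str:
    """32 random bytes from the OS CSPRNG, URL-safe. Counters or timestamps
    would let an attacker guess another user's ID."""
    return secrets.token_urlsafe(32)


def set_cookie_header(sid: str, now: datetime, lifetime: timedelta = SESSION_LIFETIME) -> str:
    """Set-Cookie value with the four parameters from the notes:
    Path=/ (sent only for matching request paths), Expires (browser deletes it
    afterwards), Secure (never over plain HTTP, so no session sniffing),
    HttpOnly (not readable from JavaScript, limiting XSS session theft)."""
    expires = format_datetime(now + lifetime, usegmt=True)
    return f"{COOKIE_NAME}={sid}; Path=/; Expires={expires}; Secure; HttpOnly"


def parse_cookie_header(cookie_header: str) -> dict:
    """Parse an incoming 'Cookie: a=b; c=d' header into a dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class SessionStore:
    """Server-side storage keyed by session ID (the notes' third component)."""

    def __init__(self):
        self._sessions = {}            # sid -> {"user": str or None, "expires": datetime}

    def start(self, now: datetime) -> str:
        """First visit: mint an anonymous session and remember it server-side."""
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "expires": now + SESSION_LIFETIME}
        return sid

    def lookup(self, sid: str, now: datetime):
        """Return the session if the ID is known and not timed out, else None."""
        s = self._sessions.get(sid)
        if s is None or s["expires"] <= now:
            self._sessions.pop(sid, None)   # session timeout
            return None
        return s

    def login(self, presented_sid: str, user: str, now: datetime) -> str:
        """Authenticate and issue a FRESH ID. Fixation works because the victim
        logs in with an ID the attacker already knows; dropping the pre-login
        ID means that known ID never becomes an authenticated session."""
        self._sessions.pop(presented_sid, None)
        fresh = new_session_id()
        self._sessions[fresh] = {"user": user, "expires": now + SESSION_LIFETIME}
        return fresh

    def logout(self, sid: str) -> None:
        """User logout: the server ends the session."""
        self._sessions.pop(sid, None)


def demo(now=None) -> dict:
    """Constructed walk-through: first visit, a fixation attempt, login, timeout."""
    now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = SessionStore()
    anon = store.start(now)
    attacker_sid = "attacker-chosen-id"          # constructed: ID planted by attacker
    fresh = store.login(attacker_sid, "alice", now)
    return {
        "anon_header": set_cookie_header(anon, now),
        "planted_id_valid_after_login": store.lookup(attacker_sid, now) is not None,
        "fresh_id_differs": fresh != attacker_sid,
        "fresh_user": store.lookup(fresh, now)["user"],
        "fresh_after_timeout": store.lookup(fresh, now + SESSION_LIFETIME + timedelta(seconds=1)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```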
Code injections allow attackers to inject and execute arbitrary code within a vulnerable application:
- PHP (ASP/JSP)
- LDAP – apps that manage information about users
- OS/Shell

Parameter tampering attack – a web-based attack where an attacker manipulates parameters exchanged between client and server to modify application data, such as user credentials, permissions or prices, leading to unauthorized actions or data breaches.

Forceful browsing – an attack where an attacker manually navigates to restricted or unlinked areas of a web application by guessing or constructing URLs. This can allow unauthorized access to parts of the application, such as admin interfaces or confidential resources, that should be protected.

Directory browsing – occurs when a web server's directory listing is enabled, allowing users to view the contents of directories on the server. This can expose sensitive files and information that should not be publicly accessible, such as configuration files, source code or user data.

Bypassing a step of a process – involves manipulating a web application's workflow to skip mandatory steps, such as authentication, payment or input validation. This can be achieved by directly accessing URLs associated with subsequent steps or modifying parameters to trick the application into proceeding without completing all necessary steps.

Access to the source code – refers to an attacker gaining unauthorized access to a web application's source code. This can happen due to misconfigured servers, directory browsing vulnerabilities or insufficiently secured code repositories.

DoS (Denial of Service) – making a machine, network or resource unavailable to its intended users by disrupting services.
Sample cases:
- User account lockdown – the attacker blocks the user's account
- Programmed shutdown – a program to disable the server or app
- Self-inflicted damage – refers to situations where a system inadvertently causes its own performance degradation or outage. This can happen due to misconfiguration, flawed software logic or insufficient resources
- Archetype "black fax" – the attacker sends a huge number of black pages to the fax, using up all the black ink

DDoS (Distributed Denial of Service):
- Attack carried out from several sources
- Bandwidth and computational power overwhelm the target server, making it impossible to handle legitimate requests
- Possible use of (protocol) amplification attacks
Group organization:
- Voluntary help – activists or hacktivists who participate in support
- Botnets – a network of malware-infected computers controlled by the attacker

Slowloris attack – a type of DoS attack that targets web servers by making many partial HTTP requests and keeping them open for as long as possible. This exhausts the server's resources, preventing it from handling legitimate requests. Slowloris achieves this by sending headers intermittently to keep the connections alive, effectively tying up the server's connection pool.

R.U.D.Y. (R-U-Dead-Yet) attack – another type of DoS attack that targets web applications by exploiting the POST method of HTTP. It works by opening a connection to the server and then sending the body of the POST request very slowly, one byte at a time, keeping the connection open. This consumes server resources and can eventually exhaust the server's ability to handle legitimate requests, leading to a DoS condition.

XML Bomb (Billion Laughs attack / XML entity expansion attack) – a type of DoS attack that targets XML parsers. It exploits the way XML parsers process entities to create a small XML document that expands exponentially to consume excessive amounts of memory and processing power, potentially leading to system crashes or server slowdowns. An XML bomb typically involves defining a series of nested entities that reference each other, creating an exponential expansion when the XML parser resolves these entities.

Malware

Origin of the name "virus" – comes from the similarity to biological viruses. Computer viruses infect files or system areas to spread and cause harm.
Spread – viruses spread by attaching themselves to executable files or by infecting critical system partitions.

Internet – the turning point:
- New methods of distribution: now malware could spread through attachments, downloads from websites or vulnerabilities in network services
- Remotely controllable: remote control by the attacker
- Communication with master: communicates back to the attacker's server
- No longer a virus but an army of zombies: viruses are now more complex, called botnets – a group of computers that can be controlled by attackers. Botnets can be used in DDoS attacks

Malware classification
1. Payload:
   a. Modifiable – refers to malicious software designed to be easily altered or adapted by the attacker. This type of malware typically includes features or structures that facilitate modification, enabling cybercriminals to adjust its behavior, functionality or appearance with relative ease. The ability to modify malware helps it evade detection by security systems.
   b. Controllable – refers to malicious software that can be remotely managed and directed by the attacker after it has been deployed on the victim's system. This type of malware often includes sophisticated features for real-time communication with the attacker, allowing them to execute commands, update the malware and manipulate the infected system as needed.
   c. Backdoor/attack vector – gaining unauthorized access to the application while bypassing all implemented security measures. Reaches the core of the targeted application.
   d. Autonomic malware – refers to self-managing malicious software that can operate independently, making decisions and adapting to its environment without requiring constant direct control from the attacker.

Infection methods:
1. Worms – self-replicating malware that rips through networks without the need for user interaction
2. Distributed with other software – malicious software which is packed together with legitimate software
3. Installed by a convinced user – installed by users who are 100% sure that the software is legitimate
4. Data storage – designed to target data stored on an infected system

Selected functionality:
- Eavesdropping – the hacker intercepts, deletes or modifies data that is transmitted
- Keylogger – registers keystrokes, capturing passwords and login data
- Screen logger – captures the screen
- Hijacking of communication – man-in-the-browser, local proxy, DNS. Captures browser communication, enabling modification of bank transactions
- Distribution of malicious activity – click stealers, spam senders, DDoS botnets
- Use of local resources – bitcoin mining, password cracking
- Ransomware – a type of malware that blocks access to the system and asks the victim for a ransom (okup) to restore access
- Rogue anti-malware – fake software which pretends to be a legitimate one
- Illegal content container

Trojan: Zeus / ZBOT
Performs actions you did not authorize, impersonates legitimate software, does not replicate itself. Its main goal is to steal financial information. What it does:
1. Export of locally stored certificates
2. Retrieval of locally stored passwords
3. Monitoring and extraction of passwords from common protocols
4. Keylogger, screen logger
5. Extraction of SIDs
6. Traffic routing – redirecting network traffic
7. HTML modification

Famous malware:
1. 2000 ILOVEYOU:
   a. Infected more than 10m Windows PCs, 10% of PCs
   b. After the attachment was opened, the virus sent a copy of itself to each person in the address book and made changes in the user's system. Used social engineering
2. 2008 ZEUS:
   a. Also known as Zbot, one of the most successful pieces of banking malware ever
   b. A type of Trojan horse designed to steal banking information by logging keystrokes
   c. Spreads through phishing emails or malicious downloads
   d. Installs itself on the victim's computer, often disguised as a legitimate file
   e. Steals sensitive information using keylogging and form grabbing
   f. Sends stolen data to attackers via C&C servers and receives updates
   g. Transmits captured data to the attacker
   h. The infected computer joins a botnet, used for further attacks or malicious activity
3. 2005-2009 STUXNET:
   a. A Windows computer worm
   b. For spying on and attacking industrial installations
   c. Spread via infected USB drives

Botnets – the next level of malware
Botnet – organized networks of compromised computers, known as zombies, which are controlled by malicious actors. These networks can be highly specialized and can be grouped to increase their capabilities.

IoT (Internet of Things) – a network of interconnected devices that communicate and exchange data with each other over the internet, enabling smart functionalities and automation. These devices range from household items like thermostats and refrigerators to industrial machines and healthcare monitors, enhancing efficiency and providing real-time insights across various domains.

WannaCrypt (WannaCry) – a ransomware attack that first appeared in 2017, rapidly spreading across the globe and infecting over 230k computers in >150 countries. The ransomware encrypted files on infected systems and displayed a ransom note demanding payment in BTC for the decryption key, with the ransom amount increasing if not paid within a specific timeframe. WannaCrypt exploited a critical flaw in the Windows operating system called EternalBlue. Despite a kill switch being discovered shortly after the outbreak, the attack caused disruption, particularly impacting sectors like healthcare, finance and communication. WannaCrypt had the capability to self-spread between devices in a LAN.

Malware for mobile
Most attacks are user-targeted; they aim to steal personal data or financial information. Usually distributed with applications outside official channels.
- First virus: SYMBIAN/ARM 2004 – the first known virus that attacked mobiles. Its targets were devices with the Symbian operating system
- First mobile botnet (Malent) – 2012
- Zeus – mobile version, spread by phishing. The aim of Zeus on mobile, also known as ZitMo (Zeus-in-the-Mobile), was to intercept two-factor authentication codes sent via SMS, enabling attackers to bypass enhanced security measures and gain unauthorized access to victims' online banking accounts
The amount of malware for Android is significant, but the risk is associated with using black-market apps.

Trends in mobile malware:
- Adware and clickjacking treated as PHA (Potentially Harmful Applications) – adware shows unwanted ads to generate income for the attacker. Clickjacking tricks users into clicking something different than what they see, leading them to malicious pages
- Malware uses active sandboxing detection – malicious software may detect whether it operates in a controlled environment used for security analysis and change its behavior to avoid detection. Infected mobiles may become "zombie adware", continuously displaying ads and generating income for attackers
- Rise in mobile miners – in 2018 there was a significant increase in the number of mobile crypto miners. It results in a decrease in the device's performance
- Increased use of "droppers" – malicious software used to install additional malicious payloads. They frequently download and install other malicious software
- Use of other channels to deliver apps: SMS – malicious links or attachments sent by SMS
- Social platforms – malicious software spread by social media

Malware and anti-viruses
Anti-virus programs are usually based on signatures – patterns identifying a particular piece of malware code. These signatures are used to find and delete threats. Signatures are produced after a new version of malware is identified. That process consists of analysis of the new code, creating new templates and updating the databases of anti-virus programs. As a result, there is no protection against new malware or zero-day exploits.
Methods for combating malware:
1. Technical:
   a. Traffic analysis – using firewalls and IDS/IPS (Intrusion Detection/Prevention Systems) to detect and block suspicious network activities
   b. Behavior analysis – if an app starts modifying system files or makes unauthorized network connections, it may indicate malicious activity
2. Disabling botnet command centers
3. Sociological:
   a. Introduction of uniform practices and communication, preferably for whole industry sectors
   b. Limiting changes – limiting changes in systems and networks can reduce the risk of introducing new security vulnerabilities
   c. Information and training – employee education, regular training

Networks

Benefits of exploiting vulnerabilities (for the attacker):
- Eavesdropping on communication – capturing and modifying data that is sent through the network. Credentials are the most valuable
- Modification of data in transit – changing data during transfer between devices
- DoS (Denial of Service) and hijacking – overwhelming a session or capturing active users' sessions to impersonate them and get unauthorized access

TCP (Transmission Control Protocol) – assumes that the data in incoming packets is correct. TCP is used to maintain communication between devices. A TCP session is identified via:
1. Source IP address
2. Destination IP address
3. ISN (Initial Sequence Number) – a unique number assigned to track a new TCP session

Access to the communication offers many possibilities:
1. Eavesdropping on the packets – capturing and monitoring data transmitted over the network
2. Hijacking the session (IP + ISN) – the attacker may take control over an active TCP session:
   a. Injection of data – the attacker inserts their own data
   b. Connection termination – sending a false TCP packet with the RST (reset) flag may end an existing connection by interrupting communication between the two devices

Blind attacks – a type of network-based attack method that does not require the attacker to receive traffic from the attacked entity.
IPsec (Internet Protocol Security) – a set of protocols that secure the network layer (IP). Common features:
- Encryption at the packet level – IPsec applies encryption to protect data transmitted over the network, ensuring confidentiality and integrity of communication
- Encryption and signing of packets – IPsec can encrypt data (ESP) and authenticate it (AH, or ESP with integrity protection), preventing manipulation or eavesdropping
- Two modes of operation:
o Transport mode – encrypts and/or authenticates the payload while leaving the original IP header in place
o Tunnel mode – encrypts and/or authenticates the entire packet, including the original IP header, and wraps it in a new IP packet
- Device support was originally mandatory for IPv6 (later relaxed to "should"), optional for IPv4. IPsec is an integral part of IPv6 and is commonly supported by most devices; for IPv4 it may demand additional configuration
IPsec is widely used for securing communication in networks, especially for remote access and VPNs where data confidentiality and integrity are crucial
SYN Flood – a form of DoS attack that abuses the TCP connection-setup process to overwhelm a server
1. A TCP connection starts with a 3-way handshake – setting up the connection between two devices:
a. The client sends a SYN packet
b. The server responds with SYN-ACK (and allocates a half-open connection entry)
c. The client confirms with ACK
2. The attacker sends a lot of SYN packets (usually with spoofed source addresses) but never finishes the handshake, leaving half-open connections that fill the server's backlog until legitimate SYNs are dropped
3. The attack can be conducted simultaneously from different machines
To protect against a SYN flood a server may use the SYN cookie mechanism. Instead of storing half-open state, the server encodes the connection data (a coarse timestamp, the client's MSS and a keyed hash of the addresses and ports) into the initial sequence number of its SYN-ACK and then forgets the SYN. Only when the client's ACK arrives does the server recompute the cookie from the acknowledged number; if it matches, the connection is created. Spoofed SYNs therefore cost the server nothing, which protects it from overload.
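The SYN cookie mechanism above, implemented as a simulation. This is an added example, not code from the lecture notes: the cookie layout (5 bits of time, 3 bits of MSS index, 24 bits of keyed hash) follows the idea used by the Linux implementation; the secret, the MSS table, the addresses and the validity window are assumed values chosen for the demonstration.

```python
import hashlib
import hmac

SECRET = b"per-server secret, rotated in practice"   # assumed
MSS_TABLE = (536, 1220, 1440, 1460)                   # 3-bit index -> MSS (assumed)
MAX_AGE = 2                                           # cookie valid for 2 time ticks


def _mac24(src, sport, dst, dport, t, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, tick and MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}@{t}/{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, client_mss, tick):
    """Encode the half-open state into the 32-bit ISN of our SYN-ACK."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    t = tick & 0x1F
    return (t << 27) | (mss_idx << 24) | _mac24(src, sport, dst, dport, t, mss_idx)


def check_syn_cookie(src, sport, dst, dport, ack, tick):
    """Validate the cookie carried in the client's ACK.  Returns the MSS to
    use for the connection, or None if the ACK is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client ACKs our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((tick & 0x1F) - t) % 32 > MAX_AGE:    # expired (or from the future)
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, t, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


class StatelessServer:
    """TCP listener under SYN-cookie protection: nothing is allocated on SYN."""

    def __init__(self, ip="10.0.0.1", port=443):
        self.ip, self.port = ip, port
        self.half_open = 0          # a stateful backlog would grow; this stays 0
        self.established = {}

    def on_syn(self, src, sport, mss, tick):
        """Answer SYN with a SYN-ACK whose ISN is the cookie; keep no state."""
        return make_syn_cookie(src, sport, self.ip, self.port, mss, tick)

    def on_ack(self, src, sport, ack, tick):
        """Create the connection only if the ACK proves a valid cookie."""
        mss = check_syn_cookie(src, sport, self.ip, self.port, ack, tick)
        if mss is None:
            return False
        self.established[(src, sport)] = mss
        return True


def syn_flood(server, count, tick):
    """Spoofed SYNs that never complete the handshake; returns how many
    half-open entries the server is left holding."""
    for i in range(count):
        server.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, 1460, tick)
    return server.half_open


if __name__ == "__main__":
    srv = StatelessServer()
    print("half-open after flood:", syn_flood(srv, 100000, tick=5))
    isn = srv.on_syn("203.0.113.7", 40000, 1460, tick=5)
    print("legitimate client completes:", srv.on_ack("203.0.113.7", 40000, isn + 1, tick=6))
```

The trade-off is visible in the code: TCP options the client sent in the SYN must either fit in the cookie (hence the tiny MSS table) or be lost, which is why real stacks only switch cookies on once the backlog is under pressure.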
SYN floods against servers (or firewalls) lead to inaccessibility of services = LOSS OF AVAILABILITY
ICMP FLOOD – a common (distributed) denial-of-service (DDoS) attack in which malicious actors try to overwhelm a server or network device with ICMP pings (echo-request packets). Its goal is to consume the target's resources (bandwidth, and CPU spent answering with echo replies), rendering it unable to respond to legitimate traffic
How it works: https://www.youtube.com/watch?v=r3bEjsv9JFw (AMOGUS video)
BGP poisoning
BGP (Border Gateway Protocol) – used to find the best routes for data packets travelling across the different networks, known as Autonomous Systems (AS), that make up the internet
BGP poisoning – someone sends false routing information via BGP to disrupt internet traffic. This may cause several problems:
1. Black hole – an AS announces a prefix it does not actually serve (a route to nowhere). Packets for that prefix are attracted and dropped, so they get lost
2. Routing loops – incorrect routing information creates loops; packets keep circling between routers without reaching their destination
3. Eavesdropping – a specific route (usually a more specific, i.e. longer, prefix, which routers prefer) is announced as the best route in order to intercept traffic. This allows the attacker to capture and read the data, which may include sensitive information
4. Link (route) flapping – frequent changes in route announcements make the network unstable
Wi-Fi
Possible attack vectors:
1. Access Points (APs) – devices that broadcast the Wi-Fi signal and manage connections between the network and the user's device. Risks:
a. Rogue access points – the attacker sets up an unauthorized AP imitating a legitimate one. When users connect to the fake access point the attacker can capture their login credentials and other sensitive information
b. Exploiting weak configurations – default settings or weak passwords on APs make them easy targets for attackers
c. DoS
2. Users – individual users connecting to the Wi-Fi network can also be targets. Attackers can exploit users' devices to gain access to the network or to sensitive information. Example attacks:
a.
Phishing – fake Wi-Fi networks (an "evil twin" with a captive portal) can be set up to steal login credentials
b. MitM – the attacker intercepts the communication between the user and the network, capturing the data being transferred
Sample attacks against Wi-Fi networks:
1. Eavesdropping on unencrypted connections – attackers intercept data transmitted over Wi-Fi networks that are not properly encrypted, which lets them read the transmitted data
2. Collection of data for cryptanalysis – attackers gather a large amount of encrypted traffic from the network and try to recover the key with cryptanalytic techniques (WEP key recovery from captured IVs is the classic case). This can break the Wi-Fi network's encryption, granting access to sensitive information
3. MAC spoofing – attackers fake MAC addresses to gain access to a corporate network that uses MAC address filtering. This bypasses access controls based on MAC addresses, leading to unauthorized network access
Wi-Fi protocols:
1. WEP (Wired Equivalent Privacy) – the earliest security protocol for Wi-Fi networks. Uses the RC4 stream cipher with a 24-bit IV prepended to the key; IV reuse and related-key weaknesses in RC4 make the WEP key recoverable from captured traffic. WEP should not be used for securing Wi-Fi networks
2. WPA (Wi-Fi Protected Access) – designed as a temporary "drop-in" upgrade to replace WEP on existing hardware. Uses TKIP (Temporal Key Integrity Protocol), still built on RC4. TKIP has known vulnerabilities and can be exploited under certain conditions. WPA is more secure than WEP, but not recommended
3. WPA2 (Wi-Fi Protected Access 2) – currently considered secure, especially when using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) with AES (Advanced Encryption Standard), which is the usual configuration. WPA2 is widely used and trusted for most Wi-Fi security needs, but newer standards are starting to take its place
4. WPA3 (Wi-Fi Protected Access 3) – the newest standard (published in 2018). Designed to address the shortcomings of WPA2, such as offline dictionary attacks on a captured handshake, and to provide stronger security features
Other vulnerabilities:
1. Hidden circuits:
a.
Large and distributed supply chain – the extensive and spread-out nature of supply chains makes it challenging to exercise control over all components involved in the manufacturing process
b. One of the suppliers may include undesired hardware or functionality
c. State-sponsored activities – many instances of hidden circuits or malicious components in Wi-Fi devices are associated with state-sponsored activities. State actors often possess the resources and capabilities to orchestrate such sophisticated attacks
2. Meltdown and Spectre – critical vulnerabilities found in the design of modern processors. These flaws allow one program to read memory of another process that should be isolated and protected, by exploiting speculative execution side channels
3. Buffer overflow – can occur in applications written in programming languages that do not provide built-in memory-safety checks (C, C++). The program writes past the end of a buffer, on the stack or on the heap, and corrupts adjacent memory: return addresses and saved registers on the stack, allocator metadata and function pointers on the heap. This can lead to arbitrary code execution. Results of a buffer overflow (unpredictable consequences):
a. Range of effects – from application crashes to more severe outcomes like arbitrary code execution
b. In the worst case attackers can execute arbitrary code with root or administrative privileges, leading to complete system compromise
Testing and mitigation methods:
a. Fuzzing – providing large amounts of random or mutated data as input to the program to see if it causes unexpected behaviour or crashes, which may indicate a buffer overflow
b. Long data inputs – providing longer-than-expected inputs to check whether the application mishandles the data and overflows a buffer
c. grsecurity/PaX – kernel patches for Linux that provide various security enhancements, including protection against buffer overflow exploitation. They implement techniques like address space layout randomization (ASLR) and non-executable memory pages (NX) to mitigate buffer overflow vulnerabilities; mainline Linux and other operating systems now ship equivalents
d. Canaries – special values placed on the stack between the buffer and the control data.
Before the function returns, the canary value is checked. If it has been altered, this indicates a buffer overflow and the program can take appropriate action, such as terminating the process, to prevent exploitation
4. Integer overflow
Integers can represent a finite range of values: a 32-bit unsigned int covers 0 to 2^32 – 1, a 32-bit signed int covers –2^31 to 2^31 – 1
Representation of negative values – in signed ints, negative values are indicated by the most significant bit (two's complement)
Issues:
- Type casting problems – directly casting between different int types can cause various problems, such as:
o Unsigned to signed – converting an unsigned int to a signed int can produce unexpected negative values
o Signed to smaller types – converting a signed int into a smaller type like char truncates the value (loss of data)
- Overflow in calculations – arithmetic operations whose result exceeds the maximum representable value wrap around (unsigned) or are undefined behaviour (signed, in C). A typical bug is a length check such as "if (len + header > bufsize)" that passes because "len + header" wrapped around to a small value
Potential risks:
- System malfunctions – integer overflow can lead to unpredictable behaviour and system malfunctions, causing the app to crash or behave incorrectly
- DoS (Denial of Service) – exploiting integer overflow vulnerabilities can trigger DoS by causing apps to enter an invalid state or crash
- Privilege elevation – attackers can exploit integer overflow vulnerabilities (typically by turning them into an undersized allocation followed by a buffer overflow) to elevate their privileges
5. Hazards (race conditions)
Race conditions occur when multiple threads or processes access the same region of memory or the same resource concurrently without synchronization. The outcome depends on timing, which can lead to unpredictable behaviour and data corruption; the security-relevant variant is TOCTOU (time-of-check to time-of-use), where a check and the use of its result are separated and the state changes in between
AJAX operations – in AJAX applications, various parts of the page code can operate on the same dataset concurrently. Without proper synchronization, simultaneous AJAX requests or updates may lead to race conditions, causing data integrity issues
Over-locking of resources can lead to deadlocks (especially with intensive AJAX usage)
Deadlocks occur when two or more threads are blocked indefinitely, each waiting for the other to release a resource
6. Faulty error handling:
a.
Ignoring errors – neglecting the errors returned by methods or functions, e.g. using a "catch-all" approach and ignoring the specific error cause
b. General exception handlers – using them instead of specific handlers tailored to distinct error scenarios
c. Propagation of exceptions (throwing exceptions "up") – allowing exceptions to propagate until they reach the user interface or are displayed as HTML comments, which leaks stack traces, file paths and version numbers to an attacker
d. Error logging – essential for diagnosing issues, but easily done incorrectly (logging secrets, or not logging security-relevant failures at all)
Social engineering
A system is only as strong as its weakest link, which most of the time is the human
Methods of obtaining access or credentials:
1. Passive methods:
a. Observation:
i. Workspace (notes) – observing notes or documents left in the workspace, such as sticky notes with passwords
ii. Gossip – listening to conversations that may reveal sensitive information
2. Active methods:
a. Preparing a trap:
i. Building trust – engaging with the target to build a relationship, making them more likely to share sensitive information
ii. Severity of the predicament – creating scenarios in which the target feels they must act urgently, potentially leading them to bypass standard security measures
iii. Cut-off from important resources – manipulating the situation so that the target feels isolated from critical resources, compelling them to take risky actions
3. Casting a net (phishing):
a. General phishing – sending mass emails with malicious links or attachments, hoping someone will fall for the scam
b. Targeting a specific website – creating a fake version of a legitimate website to capture login credentials
c. Spear phishing – targeting specific individuals or organizations with tailored messages to increase the likelihood of success
d.
"Dumb" phishing – simple, untargeted phishing attempts that rely on sheer volume to catch unsuspecting users
Too much hardening can cause trouble:
- Periodic password reset – requiring users to change their password regularly
o Issue – users might forget their passwords and rely on insecure methods to remember them:
▪ Writing them down (in notepads or other insecure places)
▪ Sticky notes
- Complex password policies – rules that require complex passwords
o Issue – users struggle to remember complex passwords and may use insecure workarounds (predictable patterns, reuse across services)
Balance is key – the complexity of passwords and security procedures should be balanced against what users can realistically follow
Trust as an attack vector – social engineering exploits human psychology to gain unauthorized access or information. A structured overview of how trust can be manipulated in security breaches:
- Foot-in-the-door technique – making a small request the target is likely to agree to, followed by gradually increasing the size or scope of the requests
- Use of internal information – using non-confidential but specific internal information, such as company structure or employee names, to pose as an insider
- Request for controllable actions – asking the target to perform actions they believe are harmless and within their control
- Help with solving a problem – creating or identifying a problem and then offering assistance to solve it, thereby gaining the target's trust and compliance
- Stochastic approach – randomly calling or contacting individuals with a plausible scenario, such as posing as technical support
Virtual trust via social media
Steps:
- Creating a virtual profile
- Building trust among followers
- Delivering valuable content
- Finally, reaping the benefits
Experiment by Bitdefender
Purpose – understanding how easily people can be manipulated into trusting a virtual profile and taking actions that compromise their security
Realization – researchers created fake social media profiles with photos,
detailed work histories and connections to other profiles. The fake profiles actively engaged with their followers, posting valuable or semi-valuable content such as industry news and tips. Once the profiles had established trust and a significant following, they shared links leading to dangerous websites, disguised as legitimate sources.
Results:
- The experiment found that 97% of followers who saw the shared link clicked on it
- The high success rate highlights how vulnerable individuals are to social engineering attacks conducted through social media
How to protect against "handing over" passwords
- Minimal user rights – assign users only the rights necessary for their job functions (least privilege). This reduces the risk of unauthorized access to sensitive data and resources, and limits what a phished account can do
- Limiting access to a list of selected machines – restricting user access to the specific machines or resources essential for their work. This limits the potential spread of a breach to other parts of the network
- Procedures for handling staff leaving the company – clear, defined procedures that include immediate termination of access to systems and resources for departing employees. This prevents former employees from accessing sensitive data after leaving
- Single sign-on (SSO) – allows a user to log in once to access multiple apps and systems. It simplifies password management and reduces the number of places a password is entered, decreasing the risk of it being disclosed (and gives one place to enforce multi-factor authentication)
- Fraud detection – monitor user behaviour to identify anomalies that may indicate unauthorized activity. It enables quick identification of and response to unusual or suspicious user activity
- Protecting against data copying – implement technologies and procedures to limit the ability to copy data to external devices or transmit it outside the organization.
This reduces the risk of data leakage through accidental or intentional actions by users
Phishing – a prevalent form of cyberattack that exploits human psychology to trick individuals into disclosing sensitive information such as usernames, passwords or financial data
Characteristics of a phishing attack:
- Fabricated login pages – phishing attacks often involve creating fake replicas of legitimate websites or services. These fake pages closely mimic the appearance and functionality of the genuine sites, making it difficult for victims to tell them apart (the address in the browser's address bar is the only reliable tell)
- Email-based approach – phishing attacks commonly use email as the primary means of reaching potential victims. Attackers send out large numbers of deceptive emails, hoping to get unsuspecting people to click a malicious link or attachment
- Emotional manipulation – phishing emails often employ psychological tactics to evoke emotions such as fear, urgency or curiosity
Attachment-based phishing – a variant in which attackers send emails containing malicious attachments rather than links to fake websites. These attachments carry malware such as viruses, ransomware or trojans designed to infect the recipient's system
Vishing (voice phishing) – a type of phishing in which the attacker uses telephone calls to trick victims into revealing sensitive information
IVR (Interactive Voice Response) phishing – attackers set up automated systems that imitate legitimate customer service lines. Victims are convinced to call a toll-free number, which leads them to an IVR system designed to steal their information.
Attack process:
- Contact the victim – the attacker contacts victims via email, SMS or phone call, posing as a legitimate organization
- Convince the victim to call – the victim is persuaded to call a toll-free number for "customer service"
- The toll-free number leads to an IVR that imitates the legitimate service
- Collect data
Requests for action:
- Authorization of a recent transaction – "to authorize a recent transaction on your account, please enter your account number and PIN"
- Confirmation of personal data – "for security reasons, please confirm your personal information"
- Extension of service – "to extend your service subscription, please provide your credit card details"
Spear phishing – a targeted form of phishing aimed at specific individuals or groups, often within particular organizations. Unlike generic phishing attacks sent to large numbers of potential victims, spear phishing is highly personalized, increasing the likelihood of success
Characteristics of spear phishing:
- Targeted at a certain group of individuals – attacks are carefully planned for specific groups or individuals rather than a broad audience
o Specific groups of firms or individuals – often targets particular types of organizations, such as law firms, financial institutions or healthcare providers
o Single individuals – can also focus on individual targets, especially those in positions of authority or with access to valuable information
▪ Executives – high-level executives are common targets due to their access to sensitive data and decision-making power ("whaling")
▪ Resource controllers – employees who manage financial resources or confidential information, such as accountants or HR personnel
Spear phishing is a highly personalized and targeted phishing attack, making it more effective due to its precision.
Education, advanced security technologies (phishing-resistant multi-factor authentication, mail filtering) and strict verification processes (confirming payment or credential requests over a second channel) are key to protecting against these attacks
Baiting attack
Baiting is a social engineering attack in which attackers leave physical devices such as USB flash drives in common places, intending that individuals pick them up and connect them to their computers. These devices often appear to contain interesting and valuable content, but their primary purpose is to deliver malware into the targeted organization's network
Mitigation methods:
- Organizations should implement strict policies regarding the use of external devices
- All entry points to the organization's network, including USB ports and CD/DVD drives, should be identified and controlled (e.g. device-control policies that allow only approved devices)
- Use endpoint security solutions to detect and block malicious activity from external devices
- Employee education and awareness training to recognize and avoid baiting attempts
Basics of cryptography
Code vs encryption
Coding refers to "codebooks": predefined mappings, often on a semantic level, that translate entire words or phrases into code equivalents. Coding is typically used for standardizing data representation, error detection/correction or data compression. The process is reversible without any secret key
Encryption – the process of converting plaintext into ciphertext to protect the data from unauthorized access. Its purpose is to make data unreadable to unauthorized users. The process is reversible only with the secret key. Encryption operates at the bit or byte level, transforming the data according to a specific algorithm.
Confidentiality determinants:
- Secret algorithm – some encryption methods rely on the secrecy of the algorithm itself; modern cryptography assumes the algorithm is public and relies only on the secrecy of the key (Kerckhoffs's principle)
- Secret key – the confidentiality of the encrypted data depends on the secrecy of the encryption key used
Encoding – converting data into a different format for standardization and efficient transmission, making it readable by various systems without securing it (Base64 or URL encoding, for example). It is reversible without a key. Encryption, on the other hand, requires the secret key to decrypt. The primary purpose of encoding is compatibility, while encryption focuses on data security
Weaknesses of simple ciphers:
1. Letter frequency in a particular language – simple substitution ciphers do not alter the frequency distribution of the plaintext. In English "e" and "t" are the most frequent letters, so their ciphertext images are the most frequent symbols as well, making the cipher vulnerable to frequency analysis
2. Statistical analysis allows reconstruction of the key – by analysing the frequency and patterns of letters or groups of letters in the ciphertext, an attacker can use statistical methods to deduce the substitution pattern or key. This is effective against simple ciphers that do not sufficiently randomize the output
3. It can be based on letters or letter compounds – simple ciphers often operate at the level of individual letters or common letter combinations (digrams, trigrams). This limited scope makes them susceptible to analysis, since the patterns of the language survive in the ciphertext
Simple ciphers are weak because they do not sufficiently disguise the statistical properties of the plaintext, making them easy to break with frequency analysis and statistical methods
Symmetric-key encryption – a type of encryption in which the same key is used for both encrypting and decrypting the data; that is why it is called symmetric.
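Before going on to symmetric-key algorithms, here is the frequency analysis described under "Weaknesses of simple ciphers" carried out in code, against a shift (Caesar) cipher, the simplest substitution cipher. This is an added example, not from the lecture notes: the sample plaintext is constructed for the demonstration, and the English letter frequencies are the usual approximate percentages. The attack scores each of the 26 candidate shifts by how closely the decrypted text's letter distribution matches English (chi-squared statistic); the correct shift scores lowest, and the ciphertext's most frequent letter is simply "e" shifted.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate letter frequencies in English text (percent).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

# Constructed sample plaintext (ordinary English prose is all the attack needs).
SAMPLE_PLAINTEXT = (
    "the analysts reviewed every alert that the intrusion detection system "
    "raised during the night and prepared the incident report before the "
    "morning meeting where the engineers decided to reset the credentials "
    "of the affected accounts and to rotate the keys used by the servers"
)


def caesar(text, shift):
    """Shift every letter by `shift` positions; other characters pass through.
    A negative shift decrypts."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def letter_frequencies(text):
    """Relative frequency (percent) of each letter of the alphabet in `text`."""
    counts = Counter(ch for ch in text.lower() if ch in ALPHABET)
    total = sum(counts.values()) or 1
    return {ch: 100.0 * counts[ch] / total for ch in ALPHABET}


def chi_squared(observed):
    """Distance between an observed letter distribution and English
    (lower means more English-like)."""
    return sum((observed[ch] - ENGLISH_FREQ[ch]) ** 2 / ENGLISH_FREQ[ch]
               for ch in ALPHABET)


def break_caesar(ciphertext):
    """Try all 26 shifts; the decryption that looks most like English wins.
    Returns (shift, recovered plaintext)."""
    best = min(range(26),
               key=lambda s: chi_squared(letter_frequencies(caesar(ciphertext, -s))))
    return best, caesar(ciphertext, -best)


def most_common_letters(text, n=3):
    """The n most frequent letters, to see where 'e' and 't' ended up."""
    freq = letter_frequencies(text)
    return [ch for ch, _ in sorted(freq.items(), key=lambda kv: -kv[1])[:n]]


if __name__ == "__main__":
    ct = caesar(SAMPLE_PLAINTEXT, 7)
    print("most frequent ciphertext letters:", most_common_letters(ct))
    print("recovered shift and text:", break_caesar(ct))
```

The same scoring works against a general monoalphabetic substitution once single-letter guesses are refined with digram and trigram statistics; what defeats it is a cipher whose output is statistically flat regardless of the input, which is the property the block and stream ciphers discussed next are designed to have.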
Secret-key, single-key, private (shared) key – symmetric-key algorithms are known by these terms because they rely on a single shared key
The length of the symmetric key directly impacts its security: longer keys are more resistant to brute-force attacks. The choice of encryption algorithm is crucial. Modern algorithms like AES (Advanced Encryption Standard) with key sizes of 128, 192 or 256 bits are widely considered secure against current computational capabilities
Symmetric-key encryption is a fundamental cryptographic technique that relies on a shared secret key to secure data. Its efficiency and effectiveness make it a cornerstone of modern data security, though managing and distributing the secret key remains a critical challenge
Quality of encryption:
1. Key generation:
a. Random number generator – the quality of the key is crucial for security. A key created with a high-quality (cryptographically secure) random number generator enhances the security of the encryption; a key derived from a predictable source can be guessed regardless of how strong the algorithm is
b. Key security – the security of the encryption relies heavily on the unpredictability and secrecy of the key. Strong keys resist brute-force attacks and other cryptanalytic methods
2. Algorithm strength:
a. Exhaustive key search – a robust encryption algorithm should require an attacker to try all possible keys to break the encryption, making the attack infeasible with current computational power
Types of ciphers:
1. Stream cipher – encrypts data bit by bit or byte by byte by XORing it with a continuous keystream. Often used where the amount of data to be encrypted is not known in advance or where data arrives in a steady stream. Efficient for real-time encryption, but fatally weak if the same keystream is used more than once: XORing two ciphertexts produced with the same key and nonce cancels the keystream and yields the XOR of the two plaintexts
2. Block cipher – the message is divided into fixed-size blocks (64, 128 or 256 bits) and each block is passed through the cipher, with a mode of operation defining how the blocks are chained.
Block ciphers provide strong security through modes of operation that build on the basic block transformation (ECB, which encrypts each block independently, leaks patterns and should be avoided; CBC, CTR or authenticated modes such as GCM are used instead), but they require proper padding for messages that do not fit neatly into blocks
- The quality of encryption depends on the randomness of the key as well as the robustness of the encryption algorithm
- Stream ciphers encrypt data continuously and are suitable for real-time data streams
- Block ciphers encrypt data in chunks, with various modes of operation to enhance security
Selected encryption algorithms:
- DES (Data Encryption Standard):
o Key: 56-bit
o Block: 64-bit
o DES was once a widely used encryption standard but is now considered insecure due to its short key length (exhaustive key search is practical)
- 3DES (Triple DES):
o Key: 112 – 168-bit
o Block: 64-bit
o 3DES applies the DES algorithm three times to each data block. It was designed to improve the security of DES by increasing the key length. While it offers better security, it is computationally inefficient compared to more modern algorithms, and its 64-bit block size limits how much data one key may safely encrypt
- AES (Advanced Encryption Standard):
o Key: 128, 192 or 256-bit
o Block: 128-bit
o AES is currently the industry standard for encryption. It was selected in an open competition run by NIST (the US National Institute of Standards and Technology) and provides a high level of security and efficiency. AES is widely used in various applications, from securing internet communication to encrypting sensitive data in storage
Twofish, Serpent – finalists of the same competition, similar to AES in terms of security and performance
Hash functions and message digests are crucial concepts in cryptography and data integrity
Purpose of hash functions:
- Constant-length output: a hash function takes an input (the "message") and returns a fixed-length bit string, usually displayed as hexadecimal characters.
This output is called the hash value or message digest
- Irreversibility – hash functions are designed to be one-way functions, meaning it is computationally infeasible to reverse the process and retrieve the original input from the hash value
In practice each hash value behaves as if it were unique to its input (collisions must exist, since inputs outnumber outputs, but for a secure hash they cannot be found), and the function is extremely sensitive to small changes in the input: even a minor alteration results in a completely different hash value (the avalanche effect)
Characteristics of hash functions:
1. The same input always produces the same hash value (deterministic)
2. Hash functions are designed to be fast to compute for any given input
3. Given a hash value, it should be computationally infeasible to find the original input (preimage resistance)
4. A small change in the input results in a large change in the output
5. It should be computationally infeasible to find two different inputs that produce the same hash value (collision resistance)
Applications of hash functions:
1. Password storage (with a per-user salt and a deliberately slow hash such as bcrypt, scrypt or Argon2 rather than a plain fast hash)
2. Ensuring the authenticity and integrity of a document by creating a digital signature over its hash
3. Detecting changes or corruption in transmitted data by comparing hash values
Common hash functions:
- CRC32 – fast, but not suitable for data protection: it is a checksum with no cryptographic security
- MD5 – produces a 128-bit hash value, still commonly seen, considered "cryptographically broken" (collisions can be produced in seconds)
- MD6 – proposed successor of MD5, designed to address its security issues
- SHA-1 – produces a 160-bit hash value, susceptible to collision attacks (a practical collision was published in 2017)
- SHA-2 – successor of SHA-1 (SHA-256, SHA-512), the current standard for secure hash functions
Rainbow tables are a cryptanalytic tool used to crack hashed passwords. They use a combination of hash and reduction functions to look up a hash and recover its original input efficiently, trading storage for computation time:
1. Hash and reduction functions:
a. Hash function – converts an input into a fixed-length value
b. Reduction function – converts a hash value back into some potential input from the password space. It is not the inverse of the hash; it merely transforms the hash into a new candidate input for the next round of hashing
2.
Hash chains are created by alternately applying hash and reduction functions. Each chain starts with an initial input, applies the hash function to get a hash value, applies the reduction function to that hash, and repeats the process a fixed number of times (a true rainbow table uses a different reduction function in each column, which limits chains merging into one another). The result of the last reduction is called the terminator. These chains are computed once and stored in the rainbow table as (terminator, starting input) pairs
3. To look up a hash, the attacker applies the reduction and hash functions to it, starting from each possible column position, until a value matches one of the terminators in the table. The chain corresponding to that terminator is identified, and the original input is reconstructed by starting from the chain's starting input and following it until the analysed hash is produced. A per-password salt defeats the table, because the stored chains were computed for unsalted inputs
Asymmetric encryption (public-key cryptography) – a type of encryption in which two different keys are used: a public key and a private key
- Key pair:
o Public key – shared openly; anyone can use it to encrypt messages for the owner or to verify the owner's digital signatures
o Private key – kept secret by the owner; used to decrypt messages that were encrypted with the corresponding public key (and to sign)
- Process:
o The public key can be shared through any public channel without compromising security
o When someone wants to send a secure message, they use the recipient's public key to encrypt it
o The recipient then uses their private key to decrypt the message
- Key properties:
o Public and private keys are used in complementary ways. What one key encrypts, the other can decrypt and vice versa (literally true for RSA; other schemes treat encryption and signing as separate operations)
o The key pair must be generated together as a single operation
o One key cannot be derived from the other
- Key generation process:
o Random number generation – a secure random number is used to create the initial values needed for generating the keys (for RSA, the two large primes). The randomness and unpredictability are crucial for the security of the keys
Key pairs consist of a public key and a private key. What one key encrypts, the other can decrypt.
The keys must be generated together to ensure the mathematical relationship between them. The private key cannot be derived from the public key, which is what maintains security
Asymmetric encryption algorithms:
- RSA (Rivest-Shamir-Adleman) – one of the earliest and most widely used public-key cryptosystems; its security is based on the difficulty of factoring large integers
- DSA (Digital Signature Algorithm) – designed specifically for digital signatures; its security is based on the difficulty of the discrete logarithm problem
- ElGamal / Diffie-Hellman – the ElGamal encryption scheme is based on the Diffie-Hellman key exchange. Both rely on the difficulty of the discrete logarithm problem and are commonly used for secure key agreement
- ECC (Elliptic Curve Cryptography) – provides security comparable to RSA with much shorter keys (a 256-bit curve roughly matches 3072-bit RSA), making it more efficient. It is the usual choice in modern protocols
Differences between symmetric and asymmetric encryption
Symmetric encryption:
– Uses the same key for encryption and decryption
– Is faster
– Is suited for encrypting large amounts of data
– Key management is more challenging, since the key must remain secret and be shared securely
Asymmetric encryption:
- Uses a pair of keys for encryption and decryption
- Is suited to key exchange and digital signatures
- Is slower and less efficient for encrypting large amounts of data
- Key distribution is easier, since the public key can be shared openly (what remains is verifying whose public key it is, which is the job of PKI)
Message signing – a crucial process for ensuring the integrity and authenticity of digital communications. It is widely used in email, software distribution and secure transactions. Process:
- A hash function is applied to the original message to produce a fixed-size digest, typically much shorter than the message itself
- The sender applies the private-key operation to the hash (in RSA terms, "encrypts" it with the private key). This value is the digital signature.
The private key is one half of the key pair used in asymmetric encryption, ensuring that only the sender can create the signature
- The digital signature is attached to the original message. The combined package (message + signature) is then sent to the receiver
Verification:
- The receiver obtains both the original message and the digital signature
- The receiver applies the sender's public key to the signature (in RSA terms, "decrypts" it), recovering the hash the sender signed. Since the public key pairs with the sender's private key, this works only for signatures that key produced
- The receiver independently computes the hash of the received message. If the two hash values match, the message is verified as authentic and unchanged; any modification of the message, or a signature made with a different key, makes the comparison fail
Hybrid encryption – a method that combines the strengths of symmetric and asymmetric encryption to provide a secure and efficient way of encrypting data
Encryption process:
- Generate a symmetric key – the sender generates a random symmetric key to encrypt the actual data. This key is typically a session key used for a single session or transaction
- Encrypt the data – the sender uses the symmetric key to encrypt the data. Symmetric encryption is chosen here because of its efficiency with large data sizes
- Encrypt the symmetric key – the sender then encrypts the symmetric key using the recipient's public key.
This step uses asymmetric encryption to ensure that only the intended recipient can recover the symmetric key, since only they hold the corresponding private key
- The sender sends the encrypted data and the encrypted symmetric key to the recipient

Decryption process:
- Receive encrypted items – the recipient receives the encrypted data and the encrypted symmetric key
- Decrypt the key – the recipient uses their private key to decrypt the symmetric key
- Decrypt the data – using the recovered symmetric key, the recipient decrypts the data

PKI (Public Key Infrastructure) – a framework of policies, services and protocols that enables secure communication, authentication and data integrity using public key cryptography

Components of PKI:
- Public key – used for encrypting (and for verifying signatures)
- Private key – used for decrypting (and for signing)
- Digital certificates – bind a public key to an entity. Certificates are issued by Certificate Authorities (CAs) and contain information about the key holder and the public key. They follow the X.509 standard, which includes the subject's name, the public key, the issuer's name and the validity period
- CA (Certificate Authority) – a trusted entity that issues, manages and revokes digital certificates. A CA validates the identity of the entity requesting a certificate before issuing it
- RA (Registration Authority) – the part of a PKI that verifies a user's request for a digital certificate and instructs the CA to issue it

A digital certificate, also known as an X.509 certificate, contains several fields that provide the information needed for secure communication and authentication:
- Serial number – a unique identifier assigned by the issuing CA to each certificate; together with the issuer name it identifies the certificate in revocation lists
- Subject – the entity that owns the certificate (for example the entity's name, organization, department, country)
- Signature algorithm – the algorithm used by the CA to sign the certificate. It names both the hash and the public key algorithm (for example sha256WithRSAEncryption).
This field tells a verifier how to check the integrity and authenticity of the certificate
- Issuer – the entity that issued the certificate, usually a trusted CA
- Validity – the time period during which the certificate is valid (not before / not after)
- Uses – the purposes the key may be used for (the key usage and extended key usage extensions, for example server authentication or code signing)
- Public key – the public key corresponding to the subject's private key
- Hash function – the algorithm used to hash the certificate data before the CA signs it (named by the signature algorithm field)
- Fingerprint – a unique identifier for the certificate, computed by hashing the whole encoded certificate (for example with SHA-256). It is not stored inside the certificate; it is used to quickly identify and compare certificates
- CA signature – the digital signature of the issuing CA. It is created by hashing the certificate's data and signing the hash with the CA's private key, exactly as in message signing

Certificate classes (according to Verisign)
Verisign, a leading internet security company at the time, categorized digital certificates into classes based on their intended use and level of verification:
- Class 1: personal – intended for personal use, primarily for securing email
- Class 2: organizations – issued to organizations and requiring more detailed identity verification, including checks of organizational information
- Class 3: basic server certificate – designed to secure web servers. Commonly used to secure websites with HTTPS (Hypertext Transfer Protocol Secure)
- Class 4: B2B e-commerce – used in business-to-business e-commerce. They require very thorough verification and are intended to secure business transactions and communications between enterprises
- Class 5: government – intended for government institutions. They provide the highest level of verification and security, requiring detailed identity checks of government entities
Although Verisign's certificate classes may seem varied, from a technical standpoint they are quite similar.
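The message-signing and verification steps, the four hybrid-encryption steps and the CA signature field above all come down to the same few operations. The block below is an added worked example, not code from the lecture notes: it uses a deliberately toy-sized textbook RSA built from Mersenne primes and a SHA-256/HMAC construction standing in for AES-GCM (both are assumptions made here so that it runs on the Python standard library alone), and the message, key sizes and names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# ---- toy RSA key pair ----------------------------------------------------------
# ASSUMPTION: the Mersenne primes used below are far too small for real use; they
# keep the numbers manageable.  Both keys come from the same (p, q), which is the
# "generated together" relationship in the notes: d is the inverse of e modulo
# phi(n), and recovering d from (n, e) requires factoring n.
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # needs gcd(e, phi) == 1; Python 3.8+
    return (n, e), (n, d)        # (public key, private key)

def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data as an integer below n (a real scheme pads, it does not reduce)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Signature = hash^d mod n, i.e. 'encrypt the hash with the private key'."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the hash with the public key and compare it with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)

# ---- toy authenticated symmetric cipher -----------------------------------------
# ASSUMPTION: SHA-256 in counter mode plus an HMAC tag stands in for AES-GCM.
def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return nonce + ct + tag

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("ciphertext was modified or the key is wrong")
    return _xor_stream(enc_key, nonce, ct)

# ---- hybrid encryption: the four steps from the notes ------------------------------
def hybrid_encrypt(plaintext: bytes, recipient_public):
    session_key = secrets.token_bytes(16)                    # 1. random session key
    blob = sym_encrypt(session_key, plaintext)               # 2. symmetric bulk encryption
    n, e = recipient_public
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # 3. wrap key with public key
    return wrapped, blob                                     # 4. send both to the recipient

def hybrid_decrypt(wrapped: int, blob: bytes, recipient_private) -> bytes:
    n, d = recipient_private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")     # unwrap with the private key
    return sym_decrypt(session_key, blob)                    # then decrypt the data

def demo() -> dict:
    """Constructed sample: Alice signs and encrypts for Bob; both key pairs are toy-sized."""
    alice_pub, alice_priv = make_keypair(2**61 - 1, 2**89 - 1)
    bob_pub, bob_priv = make_keypair(2**107 - 1, 2**127 - 1)
    message = b"Transfer 100 PLN to account 42"
    signature = sign(message, alice_priv)
    wrapped, blob = hybrid_encrypt(message, bob_pub)
    damaged = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]   # flip one ciphertext bit
    try:
        hybrid_decrypt(wrapped, damaged, bob_priv)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "verifies": verify(message, signature, alice_pub),
        "tampered_verifies": verify(b"Transfer 900 PLN to account 42", signature, alice_pub),
        "wrong_key_verifies": verify(message, signature, bob_pub),
        "decrypted": hybrid_decrypt(wrapped, blob, bob_priv),
        "tamper_detected": tamper_detected,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things the toy makes visible that the prose does not: a signature made with one key does not verify under any other public key (`wrong_key_verifies`), and the symmetric layer needs its own integrity tag, because the RSA-wrapped key says nothing about whether the ciphertext was altered. Real deployments replace the raw `pow` calls with padded schemes (RSA-PSS for signatures, RSA-OAEP or a KEM for key wrapping) and the hash-based stream with AES-GCM or ChaCha20-Poly1305.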
The primary differences between Verisign's classes lie in the level of verification performed and the information included in the certificate.

Types of certificates
- DV (Domain Validated) – provides a basic level of verification, confirming only that the certificate holder controls a particular domain. The process is quick, typically an automated check of domain ownership (a DNS record, an HTTP challenge or an email to the domain). The certificate says nothing about who operates the site
- EV (Extended Validation) – offers the highest level of verification. The process includes a detailed check of the organization's legal identity and its right to use the domain, and the organization's name is recorded in the certificate's subject. Older browsers displayed that name in the address bar to signal trust; current mainstream browsers no longer do, so DV and EV certificates look the same to the user
Both types provide the same TLS encryption; they differ only in what the CA verified before issuing

Software signing – the process of digitally signing software or code to ensure its authenticity and integrity. It uses cryptographic techniques to sign executable files, scripts or software updates, so that users and systems can verify where the software came from and check that it has not been tampered with since it was signed

Importance of software signing:
1. Authenticity – ensures that the software comes from a legitimate and verified source
2. Integrity – confirms that the software has not been altered or corrupted since it was signed. If any change is made after signing, the signature no longer verifies
3. Trust – builds user trust in the software by providing assurance that it has been vetted and is safe to install. A valid signature proves who signed and that nothing changed afterwards; it does not by itself prove the code is free of bugs or malice, which is why a stolen signing key is so damaging

How software signing works:
1. Generating a hash – a hash of the software is computed; the hash value is a condensed representation of the software's contents
2. Signing the hash – the hash is signed (in RSA terms, encrypted) with the developer's private key
3. Attaching the signature – the digital signature is attached, along with a certificate that contains the developer's public key and identity information. The certificate is issued by a trusted CA after verifying the developer's credentials
4.
Verification by the user – when the software is downloaded and executed, the operating system or security software uses the public key from the certificate to verify the digital signature and recover the signed hash value. The software is then hashed again with the same hash function. If the newly computed hash matches the signed hash, the software is verified as authentic and unaltered. The verifier must also check that the certificate chains to a trusted CA and is valid for code signing; otherwise anyone could sign with a key of their own

SSL (Secure Sockets Layer) – the standard security technology used to establish an encrypted link between a server and a client. SSL ensures that all data transmitted between the web server and the browser remains encrypted

How SSL works
1. Handshake process:
a. Client hello – the client sends a "hello" message to the server, which includes the protocol versions and cipher suites the client supports and a random value
b. Server hello – the server responds with a "hello" message, selecting a cipher suite from the list provided by the client. The server also sends its certificate, which includes the server's public key
c. Certificate authentication – the client validates the server's certificate against its list of trusted CAs and checks that the certificate matches the host name it intended to connect to. If the certificate is valid, the client proceeds
d. Key exchange – in the RSA key exchange described here, the client generates a pre-master secret, encrypts it with the server's public key and sends it to the server. Only the server can decrypt it with its private key, and both sides derive the session keys from it. Modern TLS instead uses an ephemeral Diffie-Hellman exchange (DHE/ECDHE), which gives forward secrecy: a later compromise of the server's private key does not expose past sessions
e. Secure session – both the client and the server use the session keys to encrypt all subsequent data transmitted during the session
2. Data encryption – once the handshake is complete, the protocol uses symmetric encryption for the data
3. Data integrity – SSL ensures data integrity by using MACs (message authentication codes), in current TLS an AEAD cipher such as AES-GCM or ChaCha20-Poly1305, to verify that the data has not been altered in transmission

Key features:
1. Encryption: SSL uses both symmetric and asymmetric encryption to secure data. Asymmetric encryption is used during the handshake to establish the session key; symmetric encryption is used for the actual data transfer afterwards
2.
Authentication: SSL certificates authenticate the identity of the server, ensuring that users are connecting to the legitimate server (client certificates can optionally authenticate the client as well)
3. Data integrity – ensures that data sent and received has not been tampered with during transmission

Encryption and PKI play a critical role in securing digital communications

The SSL/TLS protocol by itself does not force the client to check who it is talking to: a client may accept any certificate, or none at all, and still obtain an encrypted link. It is HTTPS, as implemented by browsers, that requires the server's certificate to chain to a trusted CA and to match the host name in the URL, so that the communication is both encrypted and the server's identity is verified. The practical consequence is that an encrypted connection to an unverified peer protects only against passive eavesdropping; an active man-in-the-middle can present a certificate of its own, and only certificate validation stops that

SSL v2 and SSL v3 are no longer considered secure
- SSL v2 has numerous flaws, including weak message integrity and no support for modern cryptographic algorithms (the DROWN attack of 2016 showed that merely leaving SSL v2 enabled on a server endangers TLS connections that share its RSA key)
- SSL v3 is vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which lets an attacker decrypt parts of the plaintext by exploiting its CBC padding
- The recommended protocol is TLS (Transport Layer Security), the successor to SSL. It addresses the issues found in SSL v2 and v3 and provides improved encryption algorithms, better key exchange mechanisms and stronger message authentication. TLS 1.0 and 1.1 are deprecated as well; TLS 1.2 and 1.3 are what should be enabled today

Quantum computing – quantum computers have the potential to break many cryptographic algorithms currently in use. Specifically, Shor's algorithm could efficiently solve problems that are computationally infeasible for classical computers, such as factoring large integers (the basis of RSA) and computing discrete logarithms (used in DSA, Diffie-Hellman and ECC). This poses a significant threat to current encryption methods, as a sufficiently large quantum computer could decrypt data secured by widely used public-key algorithms, including traffic recorded today and decrypted later. Symmetric ciphers and hash functions are affected much less: Grover's algorithm halves the effective key length, so AES-256 remains adequate.
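The difference between "encrypted link" and "verified identity" described above is visible in a client TLS configuration. The block below is an added example, not from the notes or from any library's documentation: the weak settings beside the hardened ones, an audit function that flags the weaknesses (no certificate required, no host name check, legacy protocol versions allowed), and the checks a verifier applies to the certificate fields discussed earlier (validity period, subjectAltName host name match, self-signed issuer) on the dictionary shape Python's getpeercert() returns. The certificate, host names and the fixed "now" timestamp are constructed; building the chain to a trusted root is done by the TLS library itself and is not repeated here.

```python
import ssl

def unverified_context() -> ssl.SSLContext:
    """The 'bare SSL' setting: an encrypted link, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE             # accept any certificate, or none at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # let the server pick old versions
    return ctx

def hardened_context() -> ssl.SSLContext:
    """What a browser does for HTTPS: trusted CA chain, host name match, modern TLS only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a reviewer would flag in a client TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: any MITM can terminate the connection")
    if not ctx.check_hostname:
        findings.append("host name not checked: a valid certificate for any site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy versions allowed: downgrade to SSLv3/TLS 1.0/1.1 possible")
    return findings

def _dns_match(pattern: str, hostname: str) -> bool:
    """subjectAltName comparison; a wildcard covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def certificate_problems(cert: dict, hostname: str, now: float) -> list:
    """Checks on the certificate fields, using the dict shape of SSLSocket.getpeercert()."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(pattern, hostname) for pattern in names):
        problems.append(f"host name {hostname!r} not in subjectAltName {names}")
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed: issuer equals subject, no CA vouches for it")
    return problems

# Constructed certificate in getpeercert() form (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "PL"),), (("organizationName", "Example Uczelnia"),),
                (("commonName", "www.example.edu.pl"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA Server 1"),)),
    "version": 3,
    "serialNumber": "04A1B2C3D4E5F60718293A4B5C6D7E8F",
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.edu.pl"), ("DNS", "*.example.edu.pl")),
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")   # fixed 'now' for the sample

if __name__ == "__main__":
    print("unverified:", audit_context(unverified_context()))
    print("hardened:  ", audit_context(hardened_context()))
    for host in ("www.example.edu.pl", "mail.example.edu.pl", "example.edu.pl"):
        print(host, "->", certificate_problems(SAMPLE_CERT, host, NOW) or "ok")
```

The `unverified_context()` shape is what `verify=False` in an HTTP client or `check_hostname = False` in a hand-written socket wrapper produces; the data is still encrypted, but the audit shows why that buys nothing against an attacker on the path. Note that `getpeercert()` only returns the dictionary when `verify_mode` is `CERT_REQUIRED`, so the field checks above are only meaningful on top of the hardened context.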
The cryptographic community is actively researching PQC (Post-Quantum Cryptography) to develop new algorithms that resist quantum attacks; NIST published the first standards (ML-KEM for key encapsulation, ML-DSA for signatures) in 2024

Heartbleed attack: Heartbleed (CVE-2014-0160, disclosed in April 2014) is a critical vulnerability in the OpenSSL cryptographic library, affecting versions 1.0.1 through 1.0.1f. The TLS heartbeat extension (RFC 6520) lets one side send a small payload that the peer echoes back; vulnerable OpenSSL trusted the payload length claimed in the request instead of the number of bytes actually received, so an attacker could ask for up to 64 KB and get that much of the peer's process memory in the response. Repeated requests could expose sensitive information such as users' credentials, private keys and session cookies. The request typically leaves no trace in application logs, so exploitation was effectively undetectable after the fact

Key points:
- Impact: affected a significant number of websites initially; by May 2015 about 1.5% remained vulnerable
- Response: mitigated by updating OpenSSL (1.0.1g) and then reissuing SSL certificates and private keys, since the old keys may already have been leaked; user passwords and session cookies also had to be reset
- Legacy: highlights the need for rigorous security testing and monitoring of cryptographic implementations. Heartbleed underscored the importance of promptly patching vulnerabilities and of protecting sensitive data in cryptographic systems

Rules of secure communication:
1. Confidentiality:
a. The data is encrypted, ensuring that only the person with the appropriate key can read it. Encryption can be symmetric or asymmetric, depending on the needs and available options
i. Symmetric – uses the same key for encryption and decryption. Fast and suitable for large amounts of data, but requires secure key distribution
ii. Asymmetric – uses a pair of keys; the public key encrypts data, the private key decrypts it. Solves the key distribution problem, but is slower and used for small amounts of data (typically the symmetric key itself)
2. Authenticity:
a. A digital signature identifies the author of the message
b. The author publishes their public key and uses the private key to sign a message
3. Integrity:
a. Digital signatures also confirm the integrity of the message
b. A hash of the message is created and signed (in RSA terms, encrypted) with the sender's private key
c. The recipient verifies the signature with the sender's public key, recovering the hash, and compares it with a freshly calculated hash of the received message
4. Non-repudiation (undeniability): a.
A digital signature cannot be forged without the private key, so it confirms that the message was indeed signed by the owner of that key
b. This prevents the sender from denying that they sent the message, since the signature ties the message to the sender's key. This holds only as long as the private key stays under the sender's exclusive control, which is why key protection (hardware tokens, HSMs) and certificate revocation matter
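The Heartbleed flaw described in the section above comes down to one missing length comparison. The block below is an added simulation in Python, not OpenSSL's code: it builds RFC 6520 heartbeat messages and handles them once the way vulnerable OpenSSL did and once with the check the fix added. The flat "process memory" buffer and the credential and key fragments in it are constructed to stand in for the heap neighbours a real server would have.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING = 16            # RFC 6520: at least 16 bytes of padding after the payload
MAX_PAYLOAD = 16384     # RFC 6520: payload_length must not exceed 2^14

def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """type(1) | payload_length(2) | payload | padding.
    A malicious client sets claimed_length far above len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING

def heartbeat_vulnerable(record: bytes, memory: bytes):
    """Echo the way OpenSSL 1.0.1 through 1.0.1f did: copy `claimed` bytes from
    where the payload starts, trusting the length field inside the message.
    ASSUMPTION: `memory` is a constructed flat buffer in which the received record
    sits at offset 0 and whatever the allocator placed next follows it."""
    hbtype, claimed = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    payload = memory[3:3 + claimed]            # BUG: never compared with len(record)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * PADDING

def heartbeat_patched(record: bytes, memory: bytes):
    """The 1.0.1g fix: discard any heartbeat whose claimed length does not fit
    in the record that actually arrived, and honour the RFC maximum."""
    if len(record) < 1 + 2 + PADDING:          # no room even for header and padding
        return None
    hbtype, claimed = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + PADDING > len(record):   # silently discard, as the fix does
        return None
    if claimed > MAX_PAYLOAD:
        return None
    payload = memory[3:3 + claimed]            # now bounded by the bytes we received
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * PADDING

def response_payload(response: bytes) -> bytes:
    """What the attacker reads out of the echo."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]

# Constructed neighbouring heap contents: what other connections left behind.
NEIGHBOURING_MEMORY = (
    b"POST /login HTTP/1.1\r\nCookie: session=9f3c2a7e\r\n\r\n"
    b"user=alice&password=hunter2"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA..."
)

def simulate() -> dict:
    honest = build_heartbeat(4, b"ping")           # length matches the payload
    malicious = build_heartbeat(0xFFFF, b"ping")   # claims 65535 bytes, sends 4
    results = {}
    for name, handler in (("vulnerable", heartbeat_vulnerable), ("patched", heartbeat_patched)):
        results[f"{name}_honest"] = response_payload(handler(honest, honest + NEIGHBOURING_MEMORY))
        reply = handler(malicious, malicious + NEIGHBOURING_MEMORY)
        results[f"{name}_malicious"] = None if reply is None else response_payload(reply)
    return results

if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, "->", None if value is None else value[:60])
```

The honest heartbeat is answered identically by both handlers, which is why the bug survived for two years: nothing in normal traffic exercises the mismatch. Network signatures written after disclosure applied the same comparison on the wire, flagging any heartbeat whose claimed length exceeded the record length, and the patched handler's silent discard is the reason a probe against a fixed server simply times out instead of returning data.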