SPR100 Week 7 Lecture - Network Security I PDF

Summary

This document provides a lecture review of week 6 and week 7 topics in network security. The document covers numerous concepts, including the death of the perimeter, network threats, WiFi vulnerabilities, denial-of-service attacks, and botnets. The lecture format and its content, focused on network security, show a course structure oriented towards understanding cybersecurity and networking.

Full Transcript

SPR100: Week 7
Network Security I
 Lecture Review: Week 6
 Introduction to Cryptography
 Cipher Methods: stream, block and hash
 Cryptographic Algorithms
 Cryptographic Tools
 This Week
 Death of the Perimeter
 Network Threats
 WiFi Network Vulnerabilities
 Denial of Service (DoS)
 Distributed DoS (DDoS)
 Botnets
 Death of the Perimeter
 “Castle” model is now dead
 Death of the Perimeter
 “Castle” model is now dead
 Impractical/Impossible
 It is impractical/impossible to force all information in
an organization through a single point in the network
 New mechanisms for attacking networks are
constantly emerging (e.g., smart phones, tablets,
cars, IoT…)
 Line between “good guys” and “bad guys” has
become blurred
 Death of the Perimeter
 “City” model
 Indistinct perimeter
 Multiple ways of entering the network
 Access control will be at an object level e.g. you will
determine which buildings a person will be able to access
 You have to secure the internal network:
 Internal firewalls and internal intrusion detection systems
(IDS)
 Virtual LANs
 Central authentication servers
 Encrypted internal traffic
 Introduction
Cryptography provides message CIA

Modern Networks have additional
vulnerabilities
 Means of Delivery
 Route of Delivery
 Redirected
 Access
 Communication Media
Vulnerability

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Network Security Attacks
 Threats
Interception
Modification
Fabrication
Interruption

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 What Makes a Network Vulnerable to
Interception?
 Anonymity
 Many points of attack
 Sharing
 System complexity

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Unknown Perimeter

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Unknown Path

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Modification and Fabrication
 Sequencing
 Substitution
 Data Corruption
 Insertion

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Modification and Fabrication

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Interruption: Loss of Service
 Routing
 Excessive demand
 Component failure

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Port Scanning

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
WiFi Network
Vulnerabilities
 Vulnerabilities in Wireless
Networks

Confidentiality
Integrity
Availability

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Wireless Security
 No control as to where:
 The wireless is being
sent
 The access is being
granted from
Wireless Network Access
 Misconceptions
1. It’s difficult to listen to a wireless transmission
2. People do not walk around trying to find
open/weak networks (e.g. war driving)

3. Wire products come with excellent encryption
so must be secure
Unauthorized Wireless Access
Evil Twin Access Point
Wireless DoS − Disassociation & Jamming
 Wireless DoS − Disassociation & Jamming
There are WiFi monitoring systems that offer a
disassociation and jamming feature
Purpose is to only allow approved WiFi networks
Many business use such tools
A particularly interesting case:
Marriott jams wifi hotspots
 Failed Countermeasure: WEP
Wired equivalent privacy, or WEP, was designed
at the same time as the original 802.11 WiFi
standards as the mechanism for securing those
communications
Weaknesses in WEP were first identified in 2001,
four years after release
More weaknesses were discovered over the
course of years, until any WEP-encrypted
communication could be cracked in a matter of
minutes
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 WEP Weaknesses
 Weak encryption key
 Static key – rarely changed
 Weak encryption process – could be brute-forced
easily

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 WPA (WiFi Protected Access)
 WPA was designed in 2003 as a replacement for
WEP and was quickly followed in 2004 by WPA2
 Non-static encryption key
 Authentication

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 WPA2
 The 802.11i wireless security standard based
protocol was introduced in 2004.
 Improvement of WPA2 over WPA was the usage
of the Advanced Encryption Standard (AES).
 AES is approved by the U.S. government for
encrypting the information classified as top
secret, so it must be good enough to protect
home networks.
 WPA3
 In January 2018, the Wi-Fi Alliance announced
WPA3 as a replacement to WPA2
 March 11th, 2019:
Serious flaws leave WPA3 vulnerable to hacks that st
eal Wi-Fi passwords

 Since March 2019 updates have been released
 802.11: False Security
 Turning Off Service set identifier (SSID)
Broadcasting
 SSID is an identifier for an AP
 Users must know the SSID to use the AP
 Drive-by hacker needs to know the SSID to break in
 Aps frequently broadcast their SSIDs
 Some writers favour turning off of this broadcasting
 Turning off SSID broadcasting can make access more
difficult for ordinary users
 Will not deter the attacker because he or she can read the
SSID.
 Transmitted in the clear in each transmitted frame
 802.11: False Security
 MAC Access Control Lists
 Access points can be configured with MAC access
control lists
 Only permit access by stations with NICs having
MAC addresses on the list
 However, MAC addresses are sent in the clear in
frames, so attackers can learn them
 Attacker can then spoof one of these addresses
Denial of Service (DoS)
 DoS Attacks
 What is a Denial of Service (DoS) attack?
 An attempt to make a server or network
unavailable to legitimate users by flooding it with
attack packets
 Malicious intent
 What is NOT a DoS attack?
 Faulty coding that causes a system to fail (human
error)
 Referrals from large websites that overwhelm
smaller websites
 DoS Attacks: Goals
 Ultimate goal is to cause harm, including:
 Sales
 Reputation
 Employee productivity

 Two main ways to causes harm:
 Slowly degrading services
 Stopping critical services

DoS attacks can sometimes expose a
vulnerability
DoS Flooding – Malicious Code
 Smurf
 Echo-Chargen
 SYN flood
 Ping Flood

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Smurf Attack

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 SYN Flood
 Floods victim with SYN messages
TCP Three-way Handshake
 TCP/IP Three-way Handshake
 Host sends a TCP SYNchronize
packet to Server

 Server receives A's SYN

 Server sends a SYNchronize-
ACKnowledgement

 Host receives Servers's SYN-ACK

 Host sends ACKnowledge

 Server receives ACK.
TCP socket connection is
ESTABLISHED
 DoS: Addressing Failures
 Prevents data from getting to victim
 Methods:
 DNS Spoofing
 Rerouting Routing
 Source Routing
 DNS Spoofing

Standard Query and Response

MitM Responds First
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 DoS: DNS Attacks
 A DNS translates an internet name to an address
 It uses a cache of recently used names to
improve performance
 DDoS Attacks
 Distributed Denial of Service
attacks
 DoS attacks from multiple
sources at once
 Attacks usually from botnets
 Botnet:
 Krebs Attack and Mirai (2016)
 Krebs Attack and Meris
(2021)

Image Source: Wikipedia
 Bots
 Updatable attack programs – sometimes called
Zombies
 Bot-master can update the software to change
the type of attack the bot can perform
 May sell or lease the botnet to other criminals
 Bot-master can update the bot to fix bugs
 Bot-master can control bots via a handler
 Handlers are an additional layer of compromised
hosts who are used to manage large groups of
bots
 DDoS

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Fixing and Updating Bots
DDoS Attack
 Botnets
 Layered networks of bots (zombies)
 Hierarchical in structure
 Command and Control centres instruct individual
bots:
 Pushed: C&C sends instructions to bot
 Pulled: Bot calls C&C regularly to see if there is
work
 Botnets

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN:
9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Detour: Mirai Botnet Attack on Krebs

www.krebsonsecuriy.com:
 Well-known and respected IT security website
 It is the website of Brian Krebs a well-known
security blogger
 He does in-depth research and analysis of
cybercrime throughout the world

Pre-attack:
 Site hosted on Akamai – a large internet
infrastructure company
 Hosting is free of charge
 Detour: Mirai Botnet Attack on Krebs

DDoS attack – there had been multiple attacks prior
 Attacked started 20 September 2016
 24,000 systems, mostly IoT (e.g. DVRs, security
cameras etc)
 600 gigabits per second of time-wasting network
traffic.
Note:
 600 Gb/s is equivalent to about 60,000 fast home
networks all turning their entire bandwidth onto
Krebs at the same time, or a 600,000 regular ADSL
connections at once (assuming a one megabit per
second upload speed).
 Detour: Mirai Botnet Attack on Krebs

Post Attack:
 Krebs asked to move his website

Why the attack on Krebs?
 Not confirmed but….
 The attack happened not long after Krebs outed a
DDoS-for-hire service called vDOS, leading to the
arrest of two young hackers in Israel.
 Mirai Botnet Malware
 Botnet malware
 Badly programmed
 Unfinished
 Mirai Malware Package
 The Mirai bot, called simply bot in the source
code, is written in C, and has three main
components:
 A call-home system
 A set of attack routines
 A network scanner
 Mirai Source Code
Package
 Source code includes a command-and-control
tool, called cnc, written in Go
 Go’s compiler directly supports 7 different
computer architectures
 Has over 60 built-in usernames and passwords
 Summary & Review
 Death of the Perimeter
 Network Threats
 WiFi Network Vulnerabilities
 Denial of Service (DoS)
 Distributed DoS (DDoS)
 Botnets