151682582.Pdf
Total Page:16
File Type:pdf, Size:1020Kb
CYBER SECURITY ESSENTIALS CYBER SECURITY ESSENTIALS Edited by James Graham Richard Howard Ryan Olson Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2011 by Taylor and Francis Group, LLC Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed in the United States of America on acid-free paper 10 9 8 7 6 5 4 3 2 1 International Standard Book Number-13: 978-1-4398-5126-5 (Ebook-PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information stor- age or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copy- right.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that pro- vides licenses and registration for a variety of users. For organizations that have been granted a pho- tocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com Contents A N ot e f ro m t h e e x e c u t i v e e d ito rs xi A b o u t t h e Au t h o rs xiii c o N t ri b u to rs xv c h A p t e r 1 C y b e r s e c u rit y fu N dA m e N tA l s 1 1.1 Network and Security Concepts 1 1.1.1 Information Assurance Fundamentals 1 1.1.1.1 Authentication 1 1.1.1.2 Authorization 2 1.1.1.3 Nonrepudiation 3 1.1.1.4 Confidentiality 3 1.1.1.5 Integrity 4 1.1.1.6 Availability 5 1.1.2 Basic Cryptography 6 1.1.3 Symmetric Encryption 11 1.1.3.1 Example of Simple Symmetric Encryption with Exclusive OR (XOR) 12 1.1.3.2 Improving upon Stream Ciphers with Block Ciphers 14 1.1.4 Public Key Encryption 16 1.1.5 The Domain Name System (DNS) 20 1.1.5.1 Security and the DNS 24 1.1.6 Firewalls 25 1.1.6.1 History Lesson 25 1.1.6.2 What’s in a Name? 25 1.1.6.3 Packet-Filtering Firewalls 27 © 2011 by Taylor & Francis Group, LLC v vi Contents 1.1.6.4 Stateful Firewalls 28 1.1.6.5 Application Gateway Firewalls 29 1.1.6.6 Conclusions 29 1.1.7 Virtualization 30 1.1.7.1 In the Beginning, There Was Blue … 31 1.1.7.2 The Virtualization Menu 31 1.1.7.3 Full Virtualization 33 1.1.7.4 Getting a Helping Hand from the Processor 34 1.1.7.5 If All Else Fails, Break It to Fix It 35 1.1.7.6 Use What You Have 35 1.1.7.7 Doing It the Hard Way 36 1.1.7.8 Biting the Hand That Feeds 37 1.1.7.9 Conclusion 38 1.1.8 Radio-Frequency Identification 38 1.1.8.1 Identify What? 39 1.1.8.2 Security and Privacy Concerns 41 1.2 Microsoft Windows Security Principles 43 1.2.1 Windows Tokens 43 1.2.1.1 Introduction 43 1.2.1.2 Concepts behind Windows Tokens 43 1.2.1.3 Access Control Lists 46 1.2.1.4 Conclusions 47 1.2.2 Window Messaging 48 1.2.2.1 Malicious Uses of Window Messages 49 1.2.2.2 Solving Problems with Window Messages 51 1.2.3 Windows Program Execution 51 1.2.3.1 Validation of Parameters 52 1.2.3.2 Load Image, Make Decisions 55 1.2.3.3 Creating the Process Object 56 1.2.3.4 Context Initialization 57 1.2.3.5 Windows Subsystem Post Initialization 58 1.2.3.6 Initial Thread … Go! 60 1.2.3.7 Down to the Final Steps 61 1.2.3.8 Exploiting Windows Execution for Fun and Profit 63 1.2.4 The Windows Firewall 64 References 70 c h A p t e r 2 At tAc k e r te c h N i q u e s an d m ot i vAt i o N s 75 2.1 How Hackers Cover Their Tracks (Antiforensics) 75 2.1.1 How and Why Attackers Use Proxies 75 © 2011 by Taylor & Francis Group, LLC Contents vii 2.1.1.1 Types of Proxies 76 2.1.1.2 Detecting the Use of Proxies 78 2.1.1.3 Conclusion 79 2.1.2 Tunneling Techniques 80 2.1.2.1 HTTP 81 2.1.2.2 DNS 83 2.1.2.3 ICMP 85 2.1.2.4 Intermediaries, Steganography, and Other Concepts 85 2.1.2.5 Detection and Prevention 86 2.2 Fraud Techniques 87 2.2.1 Phishing, Smishing, Vishing, and Mobile Malicious Code 87 2.2.1.1 Mobile Malicious Code 88 2.2.1.2 Phishing against Mobile Devices 89 2.2.1.3 Conclusions 91 2.2.2 Rogue Antivirus 92 2.2.2.1 Following the Money: Payments 95 2.2.2.2 Conclusion 95 2.2.3 Click Fraud 96 2.2.3.1 Pay-per-Click 97 2.2.3.2 Click Fraud Motivations 98 2.2.3.3 Click Fraud Tactics and Detection 99 2.2.3.4 Conclusions 101 2.3 Threat Infrastructure 102 2.3.1 Botnets 102 2.3.2 Fast-Flux 107 2.3.3 Advanced Fast-Flux 111 References 116 c h A p t e r 3 E x p lo itAt i o N 119 3.1 Techniques to Gain a Foothold 119 3.1.1 Shellcode 119 3.1.2 Integer Overflow Vulnerabilities 124 3.1.3 Stack-Based Buffer Overflows 128 3.1.3.1 Stacks upon Stacks 128 3.1.3.2 Crossing the Line 130 3.1.3.3 Protecting against Stack-Based Buffer Overflows 132 3.1.3.4 Addendum: Stack-Based Buffer Overflow Mitigation 132 3.1.4 Format String Vulnerabilities 133 3.1.5 SQL Injection 138 3.1.5.1 Protecting against SQL Injection 140 3.1.5.2 Conclusion 141 3.1.6 Malicious PDF Files 142 3.1.6.1 PDF File Format 143 © 2011 by Taylor & Francis Group, LLC viii Contents 3.1.6.2 Creating Malicious PDF Files 144 3.1.6.3 Reducing the Risks of Malicious PDF Files 145 3.1.6.4 Concluding Comments 147 3.1.7 Race Conditions 147 3.1.7.1 Examples of Race Conditions 148 3.1.7.2 Detecting and Preventing Race Conditions 151 3.1.7.3 Conclusion 152 3.1.8 Web Exploit Tools 152 3.1.8.1 Features for Hiding 153 3.1.8.2 Commercial Web Exploit Tools and Services 154 3.1.8.3 Updates, Statistics, and Administration 157 3.1.8.4 Proliferation of Web Exploit Tools Despite Protections 158 3.1.9 DoS Conditions 159 3.1.10 Brute Force and Dictionary Attacks 164 3.1.10.1 Attack 168 3.2 Misdirection, Reconnaissance, and Disruption Methods 171 3.2.1 Cross-Site Scripting (XSS) 171 3.2.2 Social Engineering 176 3.2.3 WarXing 182 3.2.4 DNS Amplification Attacks 186 3.2.4.1 Defeating Amplification 190 References 191 c h A p t e r 4 M A li c i o u s c o d e 195 4.1 Self-Replicating Malicious Code 195 4.1.1 Worms 195 4.1.2 Viruses 198 4.2 Evading Detection and Elevating Privileges 203 4.2.1 Obfuscation 203 4.2.2 Virtual Machine Obfuscation 208 4.2.3 Persistent Software Techniques 213 4.2.3.1 Basic Input–Output System (BIOS)/Complementary Metal- Oxide Semiconductor (CMOS) and Master Boot Record (MBR) Malicious Code 213 4.2.3.2 Hypervisors 214 4.2.3.3 Legacy Text Files 214 4.2.3.4 Autostart Registry Entries 215 4.2.3.5 Start Menu “Startup” Folder 217 4.2.3.6 Detecting Autostart Entries 217 © 2011 by Taylor & Francis Group, LLC Contents ix 4.2.4 Rootkits 219 4.2.4.1 User Mode Rootkits 219 4.2.4.2 Kernel Mode Rootkits 221 4.2.4.3 Conclusion 223 4.2.5 Spyware 223 4.2.6 Attacks against Privileged User Accounts and Escalation of Privileges 227 4.2.6.1 Many Users Already Have Administrator Permissions 228 4.2.6.2 Getting Administrator Permissions 229 4.2.6.3 Conclusion 230 4.2.7 Token Kidnapping 232 4.2.8 Virtual Machine Detection 236 4.2.8.1 Fingerprints Everywhere! 237 4.2.8.2 Understanding the Rules of the Neighborhood 238 4.2.8.3 Detecting Communication with the Outside World 240 4.2.8.4 Putting It All Together 241 4.2.8.5 The New Hope 243 4.2.8.6 Conclusion 243 4.3 Stealing Information and Exploitation 243 4.3.1 Form Grabbing 243 4.3.2 Man-in-the-Middle Attacks 248 4.3.2.1 Detecting and Preventing MITM Attacks 251 4.2.3.2 Conclusion 252 4.3.3 DLL Injection 253 4.3.3.1 Windows Registry DLL Injection 254 4.3.3.2 Injecting Applications 256 4.3.3.3 Reflective DLL Injections 258 4.3.3.4 Conclusion 259 4.3.4 Browser Helper Objects 260 4.3.4.1 Security Implications 261 References 264 c h A p t e r 5 D e f e N s e an d A na lys i s te c h N i q u e s 267 5.1 Memory Forensics 267 5.1.1 Why Memory Forensics Is Important 267 5.1.2 Capabilities of Memory Forensics 268 5.1.3 Memory Analysis Frameworks 268 5.1.4 Dumping Physical Memory 270 5.1.5 Installing and Using Volatility 270 5.1.6 Finding Hidden Processes 272 5.1.7 Volatility Analyst Pack 275 5.1.8 Conclusion 275 © 2011 by Taylor & Francis Group, LLC x Contents 5.2 Honeypots 275 5.3 Malicious Code Naming 281 5.3.1 Concluding Comments 285 5.4 Automated Malicious Code Analysis Systems 286 5.4.1 Passive Analysis 287 5.4.2 Active Analysis 290 5.4.3 Physical or Virtual Machines 291 5.5 Intrusion Detection Systems 294 References 301 c h A p t e r 6 i d e f e N s e s p e c i A l fi l e iN v e s t i g At i o N to o l s 305 © 2011 by Taylor & Francis Group, LLC A Note from the Executive Editors This is not your typical security book.