Security Overview, Threat Pragmatics & Cryptography

Overview
• Security Overview
• Goal of Security
• Threat Pragmatics
• Cryptography Basics

Where is the Security Layer?
(figure: the OSI layers alongside the TCP/IP layers, showing how each layer prepends its own header to the data handed down from the layer above)

  OSI                                TCP/IP                            Unit on the wire
  Application/Presentation/Session   Application (HTTP, DNS, FTP)      Data
  Transport                          Transport (TCP/UDP)               Transport Header | Data
  Network                            Internet (IPv4/IPv6)              IP Header | Transport Header | Data
  Data Link/Physical                 Network Access (Ethernet, PPP)    Frame Header | IP Header | Transport Header | Data → 0011010100000111

https://gettys.wordpress.com/2018/04/09/mythology-about-security/

Why Security?
• The Internet was designed for connectivity
– Trust was assumed
– Security protocols were added on top of TCP/IP
• The Internet has become fundamental to our daily activities (business, work, and personal)

Internet Evolution
• LAN connectivity → Content driven (email, web, music, video) → Data on the Cloud
• Security (threats and challenges) change as the Internet evolves!
Recent Incidents
• Cisco - Ripple20 impacting the TCP/IP stack
• F5 BIG-IP TMUI RCE vulnerability (7th Jul 2020)
• Microsoft out-of-band patch (CVE-2020-1425)
• ZombieVPN
https://isc.sans.edu/podcast.html

Recent Incidents
• Lucifer (June 2020) Cryptojacking and DDoS Campaign
– dropping XMRig for cryptojacking Monero
– command and control (C2) operation
– self-propagation
– credential brute-forcing
– runs EternalBlue, EternalRomance, and the DoublePulsar backdoor
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/

Recent Incidents
• Ransomware
– LG Electronics and Xerox allegedly hit by Maze
– OSX.ThiefQuest targeting Macs
– masquerading as COVID-19 contact-tracing apps
– Thanos ransomware campaign targeting mid-level employees in Europe
– WastedLocker in use since May 2020
– Cognizant confirms data breach after ransomware attack
https://team-cymru.com/community-services/dnb/

Recent Incidents
• CVE-2019-19494
– Released 2nd Dec 2019
– Buffer overflow attack
– Broadcom chipset modems
– Exploit code is available

Recent Incidents
• Targets vulnerable middleware running on the chip
• Allows a remote attacker to execute code at the kernel level via JavaScript run in a victim's browser
• Potential to intercept private messages, redirect traffic, or make modems participate in botnets

Recent Incidents
• WhatsApp spyware (May 2019)
– Exploited the voice call feature
• Caller could install spyware on the target device
• Even if the call wasn't answered!
• Spy on emails/messages, locations
– Versions prior to:
• v2.19.134 (Android)
• v2.19.51 (iOS)
• v2.18.348 (Windows)
– ~1.5 billion users
https://techcrunch.com/2019/05/13/whatsapp-exploit-let-attackers-install-government-grade-spyware-on-phones/

Recent Incidents
• Facebook (March 2019)
– announced that it was storing user passwords (~600 million) in plain text
• since 2012!
• Could be read by FB employees
– April
• Oops.. Wasn't just Facebook accounts, but also some Instagram accounts
https://about.fb.com/news/2019/03/keeping-passwords-secure/

Not-so Recent Incidents
• Slingshot (March 2018) - APT
– Active since 2012!
– Compromises MikroTik routers
• not much clarity on how they do it, but assumed to be based on the ChimayRed exploit - https://github.com/BigNerd95/Chimay-Red
– replaces one of the DLLs in the router's file system with a malicious one (ipv4.dll)
• loaded onto the user's computer when they run the Winbox tool
– Once infected
• captures screenshots, collects network info, browser passwords, keystrokes, etc.

Not-so Recent Incidents
• Meltdown/Spectre (Jan 2018)
– Exploit processor vulnerabilities!
• Intel, AMD, ARM
– Meltdown (CVE-2017-5754):
• Breaks the isolation between programs & OS
• An application could read kernel memory locations
– Spectre (CVE-2017-5753/CVE-2017-5715):
• Breaks isolation between applications
• An application could read another application's memory

Not-so Recent Incidents
• (Not)Petya Ransomware/Wiper (June 2017)
– Exploited a backdoor in the MeDoc accounting suite
• Update pushed on June 22 from an update server (stolen credentials)
• proxied to the attacker's machine (176.31.182.167)
– Spread laterally across the network (June 27)
• EternalBlue exploit (SMB exploit: MS17-010)
• through PsExec/WMIC using clear-text passwords from memory
• C:\Windows\perfc.dat hosted the post-exploit code (called by rundll32.exe)

Not-so Recent Incidents
• WannaCry Ransomware (May 2017)
– As of 12 May, 45K attacks across 74 countries
– Remote code execution in SMBv1 using the EternalBlue exploit
• TCP 445, or via NetBIOS (UDP/TCP 135-139)
– Patch released on 14 March 2017 (MS17-010)
• https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
– Exploit released on 14 April 2017

Not-so Recent Incidents
• SHA-1 is broken (Feb 23, 2017)
– Hash collision: obtain the same SHA-1 hash for two different PDF files (inputs)
• which can be abused as a valid signature on the second PDF file
• https://shattered.io

Find any device
• shodan.io

Find any device
• 1st July 2020

haveibeenpwned.com
• Have you been compromised?
– Tracks compromised accounts released into the wild
• 364 pwned websites
• >7 million pwned accounts
• ~100K pastes

Acknowledgment
• Most of the content from Steven M. Bellovin's "Thinking Security"
https://www.cs.columbia.edu/~smb/

Before we start…
• What are we protecting - the asset? and
• From whom?
• All security system designs should be based on these questions!

The Incident Response Hierarchy of Needs
(figure) https://github.com/swannman/ircapabilities

Attack Motivation (Who are your Enemies?)
• Nation states want SECRETS
• Organized criminals want MONEY
• Protesters or activists want ATTENTION
• Hackers and researchers want KNOWLEDGE
http://cartoonsmix.com/cartoons/national-security-agency-cartoon.html
Source: NANOG60 keynote presentation by Jeff Moss, Feb 2014

Who are your Enemies?
• Script kiddies:
– little real ability, but can cause damage if you're careless
• Money makers:
– Hack into machines, turn them into spam engines, etc.
• Government intelligence agencies, AKA Nation State Adversaries

The Threat Matrix
(figure: attacker skill increases upward, Degree of Focus increases to the right)

  Opportunistic hacks | Advanced Persistent Threats
  --------------------+----------------------------
  Joy hacks           | Targeted attacks
                  Degree of Focus →

Source: Thinking Security – Steve M. Bellovin

Joy Hacks
• For fun - with little skill, using known exploits
• Minimal damage - especially on unpatched machines
• Random targets - anyone they can hit
• Most hackers start this way - learning curve

Opportunistic Hacks
• Skilled (often very skilled) - also don't care whom they hit
– Know many different vulnerabilities and techniques
• Profiting is the goal - bank account thefts, botnets, ransomware…
– WannaCry? Petya?
• Most phishers, virus writers, etc.

Targeted Attacks
• Have a specific target!
• Research the target and tailor attacks
– physical reconnaissance
• At worst, an insider (behind all your defenses)
– Not-so-happy employee
• Watch for tools like "spear-phishing"
• May use 0-days

Advanced Persistent Threats
• Highly skilled (well funded) - specific targets
– Mostly 0-days
• Sometimes (not always) working for a nation-state
– Think Stuxnet (up to four 0-days were used)
• May use non-cyber means:
– burglary, bribery, and blackmail
• Note: many lesser attacks are blamed on APTs

ATT&CK Matrix for Enterprise
https://attack.mitre.org – accessed 12th Nov 2018

Are you a Target?
• Biggest risk?
– assuming you are not interesting enough!
• Vendors/System Integrators and their take on security:
– Either underwhelming or overwhelming

Defense Strategies
• Depends on what you're trying to protect - Assets
• Tactics that keep out teenagers won't keep out a well-funded agency
• But stronger defenses are often much more expensive and cause great inconvenience

What Are You Protecting?
• Identify your critical Assets
– Both tangible and intangible (patents, methodologies) assets
• Hardware, software, data, people, documents
– Who would be interested?
• Place a Value on the Asset
– Different assets require different levels of protection
– Security measures must be in proportion to asset value
• How much can you afford?
• Determine the Likelihood of breaches
– threats and vulnerabilities?

Exercise
• Imagine you had a bar of gold to protect
– What container would you put it in?
– What room would the container be in?
– What locks are on the doors?
– Where is the room located in the building?
– What cameras are watching the room and building?
– What humans are watching the cameras?
– Who will respond with force to a theft attempt?
– How much did all of these cost?
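The Facebook incident listed earlier (passwords kept in plain text, readable by employees) is the failure mode that salted, slow password hashing exists to prevent. The following is an added example, not code from the slides or from Facebook: it contrasts a plaintext record with a PBKDF2-HMAC-SHA256 record using Python's standard library only. The record format (`pbkdf2_sha256$<iterations>$<salt>$<hash>`), the function names and the sample password are this example's own choices; the 600,000 iteration default follows OWASP's published PBKDF2 guidance.

```python
import hashlib
import hmac
import os

# Work factor: OWASP's password storage guidance recommends 600,000 iterations
# for PBKDF2-HMAC-SHA256. Stored in the record so it can be raised later.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The anti-pattern: the stored record *is* the password, so anyone who can
    read the table (an employee, a backup, a breached database) has every account."""
    return password


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one precomputed table."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record and
    compare in constant time. A malformed record is rejected rather than raising,
    so a corrupt or tampered row can never be mistaken for a match."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def password_exposed_in_record(password: str, record: str) -> bool:
    """Does the stored record reveal the password directly to whoever can read it?"""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    weak = store_plaintext(pw)
    strong = hash_password(pw)
    print("plaintext record exposes password:", password_exposed_in_record(pw, weak))
    print("hashed record exposes password:   ", password_exposed_in_record(pw, strong))
    print("verify correct password:", verify_password(pw, strong))
    print("verify wrong password:  ", verify_password("Tr0ub4dor&3", strong))
```

The salt and iteration count travel with the record, so the work factor can be increased for new records without breaking verification of old ones; `hmac.compare_digest` avoids leaking how many leading bytes matched through timing.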
Threats, Vulnerability, and Risks
• Threat
– circumstance or event with potential to cause harm to an asset
• Vulnerability
– A weakness in an asset that can be exploited
• Software bugs
• Design flaws/protocol bugs
• Configuration mistakes
• Lack of encryption
• Lack of or no physical security
• Risk
– The likelihood that a particular vulnerability will be exploited
Risk = Threat x Vulnerability
Risk = Impact (Consequence) x Threat x Vulnerability

Risk Assessment Matrix
• Managing risks
– Probability-Impact matrix to define the level of risk
• Commonly used in real-world risk assessment

                    LIKELIHOOD
                    Low       Medium    High
  IMPACT  High      Medium    High      High
          Medium    Low       Medium    High
          Low       Low       Low       Medium

Exercise
• Discuss:
– Some recent vulnerabilities
• https://cve.mitre.org
• Cable Haunt CVE-2019-19494
– How does it fit into the risk matrix?
• Place a risk in the matrix by assigning ratings to its
– Severity/impact,
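To make the two formulas and the matrix above concrete, here is an added example (not code from the slides or from Bellovin's book) that rates a small risk register: Threat x Vulnerability is folded into a Low/Medium/High likelihood, the probability-impact matrix from the slide gives the qualitative rating, and Impact x Threat x Vulnerability gives a numeric score to order findings that land in the same cell. The `Finding` class, the thresholds inside `likelihood`, and the sample register are this example's own constructions; only the Cable Haunt and MS17-010 facts come from the slides, and their Low/Medium/High ratings are illustrative judgements.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scale shared by every rating; multiplying three of them is the slide's
# Risk = Impact x Threat x Vulnerability.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# The probability-impact matrix from the slide: rows are impact, columns are likelihood.
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}


@dataclass
class Finding:
    name: str
    threat: str         # how likely an adversary attempts it (Low/Medium/High)
    vulnerability: str  # how exploitable the weakness is (patch missing? exploit public?)
    impact: str         # consequence to the asset if the attempt succeeds


def likelihood(threat: str, vulnerability: str) -> str:
    """Fold Threat x Vulnerability (the slide's first formula) into one Low/Medium/High
    likelihood. The thresholds (product >= 6 High, >= 3 Medium) are this example's choice."""
    product = LEVELS[threat] * LEVELS[vulnerability]  # 1..9
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


def matrix_rating(likelihood_level: str, impact: str) -> str:
    """Read the cell of the probability-impact matrix."""
    return RISK_MATRIX[impact][likelihood_level]


def risk_score(f: Finding) -> int:
    """Numeric Risk = Impact x Threat x Vulnerability (1..27), used to order findings
    that share a matrix rating."""
    return LEVELS[f.impact] * LEVELS[f.threat] * LEVELS[f.vulnerability]


def assess(findings: List[Finding]) -> List[Tuple[str, str, str, int]]:
    """Return (name, likelihood, matrix rating, score) per finding, highest risk first."""
    rows = []
    for f in findings:
        lik = likelihood(f.threat, f.vulnerability)
        rows.append((f.name, lik, matrix_rating(lik, f.impact), risk_score(f)))
    return sorted(rows, key=lambda r: (LEVELS[r[2]], r[3]), reverse=True)


# Constructed sample register. The ratings are illustrative judgements, not published
# scores; the first two entries reuse facts from the slides.
SAMPLE_FINDINGS = [
    Finding("Cable Haunt (CVE-2019-19494) on customer modems: remote kernel-level "
            "code execution, exploit code public",
            threat="High", vulnerability="High", impact="High"),
    Finding("Internal file server still running SMBv1 without the MS17-010 patch",
            threat="Medium", vulnerability="High", impact="High"),
    Finding("Marketing CMS, fully patched, occasional defacement attempts",
            threat="Medium", vulnerability="Low", impact="Medium"),
    Finding("Office printer with default admin password on an isolated VLAN",
            threat="Low", vulnerability="High", impact="Low"),
]


if __name__ == "__main__":
    for name, lik, rating, score in assess(SAMPLE_FINDINGS):
        print(f"{rating:6} (score {score:2}, likelihood {lik:6}): {name}")
```

The printer entry shows why the matrix is not simply "is it exploitable": a High vulnerability with Low threat and Low impact still lands in the Low cell, which is the proportionality argument from the "What Are You Protecting?" slide.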