distributed authentication
need to access different servers throughout the day
need to have different passwords for each service
hard to remember
centralised authentication
server gives user key to access other services
- key is encrypted (user cannot decrypt)
- other servers can decrypt to validate
however, tickets can be captured and sent from attacker system (spoofing)
Kerberos
- user sends userID, password, and ticket grant sever ID
- authentication server returns User(sessionKey, TGSKey(Ticket granting ticket))
- user gets session key by decrypting with their own key
- user sends sessionKey(user) + TGSKey(TGT) to Ticket Granting Server
- server returns serviceServerKey(ticket) + sessionKey(serviceSessionKey)
- user get service session key by decrypting with session key
- user sends serviceSessionKey(user) + serviceServerKey(ticket) to service server
- service server replies with serviceSessionKey(response)
- user sends serviceSessionKey(email req)
- service server replies with serviceSessionKey(email)
protection against replay attacks
maintain a replay cache on ticket granting server
if duplicated authentication request detected, error
kerberos limitation
- machines needs to be time synched
- tickets and keys stored on server may get compromised
- key distribution center is a single point of failure
malware
malicious software
- designed to intrude, cause harm
- affects data, time, hardware, reputation
stuxnet
worm spreads using vulnerability
downloads payload and affect temperature controller
cross platform malware
worm must be cross platform as unable to guarantee specific platform. if worm on wrong platform, cause errors and reveals itself
malware types
- worms
- virus
- trojans
virus
- needs a host to run
- when host run, virus also gets executed
- can be inserted via
- overwriting
- appending
- prepending (best: virus runs and revert files to prevent error) - uses mutex to check if host has already been infected
- when spreading, may change signatures
mutated virus (metamorphic)
change instructions but still does the same thing
eg. a=1 to a=2-1 ….
encrypted virus (polymorphic)
decrypts itself to run
keys changes to prevent identification
encryption algorithm can change
virus anatomy
- concealment
- propagation
- payload
virus triggers
logic bomb
time bomb
worms
- no need host
- harmless by itself, carries a payload
- auto replicate
trojan
- hidden inside programs
- targeted virus
- do not replicate, need to remain hidden
malware infection mediums
- attachment emails
- downloaded from internet
- social engineering
vulnerabilities caused by:
- user apathy (it won’t happen to me)
- non awareness
- inadequate security policies
malware defence
- don’t install from untrusted sources
- check email carefully
- update anti virus
- backup data
- enforce policies
- awareness training
malware detection
- use anti virus
- identify and remove malware
- stops infection in the first place
- protect the resources rather than the entrance
- dictionary to store virus signatures - integrity checker approach
- identify changes to file due to malware
- maintain copy of hashed file
- if file is changed, signature will be different - activity monitor approach
- monitor program behaviour
- alert user if suspicious
- quarantine file in VM to analyse- some virus are environmental aware
- if ran in VM, just sleep
signs of malware infection
- program slow down
- sudden drop in available memory
- changes in program size
- very old file recently modified
malware analysis process
- basic static analysis
- advanced static analysis
- basic dynamic analysis
- advanced dynamic analysis
