1
Q
Explain the difference between symmetric key and asymmetric key cryptography, and state and example application where each would be used.
A
• Symmetric key cryptography is where you just have one key (password) and the same key is used for both encrypting and decrypting the data.
• Asymmetric key cryptography is where you have a public and private key.
• An example of symmetric key cryptography is file encryption with a password, or any valid application where a single password is used.
An example of asymmetric key cryptography is any application or protocol where public-private keys are used, e.g. PGP, SSH, SSL, Bitcoin Wallets.
2
Q
State four desirable properties of a cryptographic hash function.
A
• Deterministic - The same input always results in same hash
• One-way function: You should not be able to reverse the plain text from the hash.
• No collisions: you should not be able to find two different inputs with the same hash value
• Avalanche effect: changing 1 bit results in completely different output indistinguishable from any other hash. May also be called chaotic function or described accordingly.
Where if an input is changed slightly (for example, flipping a single bit), the output changes significantly
3
Q
In the context of databases, explain and give an example of:
i. An obscure query.
An inference attack
A
Obscure query:
• This is where you hide your real query in a more complex query making it harder to identify the real query.
• Example would be an SQL query where you select data within complex logical conditions that ends up simplifying to a clearly malicious query. When reviewing the database logs, it now becomes more difficult to understand any malicious behaviour.
Inference attack:
• These occur when users combine multiple views of a database in order to illegitimately gain knowledge of a subject or sensitive data e.g. Through statistical inference. An alternative explanation is when someone is allowed to execute queried that they are authorized for, but by executing those queries they are able to gain access to information for which they are not authorized through inference of query results.
• Given a list of students and their colleges, and a list of fines by college, if we know Sarah is the only member of a particular college, we will be able to infer her fines. Alternatively, if we know that Jim and James are members of her college with zero fines, we can infer that both Jim and James are members of a college with zero fines, we can infer that both Jim and James also have zero fines.
4
Q
Explain what “IP spoofing” is, and explain how you can protect against an IP spoofing attack.
A
• IP spoofing is the process of replacing the source IP address with a fake IP address from the IP packets to hide the real identity of the sender. The hacker can make it appear that the packet was sent by different computer system. This can be used for session hijacking, for example a user may think he is accessing a genuine page when he types in the URL but actually he is seeing a compromised page whereby the hacker can steal sensitive information.
• Protect with authentication based on key exchange and configuration of encrypted sessions.
• You can use an ACL to deny private IP addresses on the downstream interface.
• You can implement filtering of inbound/outbound traffic.
The router can be configures to reject packets from outside the LAN that claim to be originating from within.
5
Q
Define a substitution cipher.
A
A substitution cipher is a method of encrypting by which units of plaintext are replaced with ciphertext, according to a fixed system; the “units” may be single letters, pairs of letters, triplets of letter, mixtures of the above an so forth.
6
Q
Describe the differences between Monoalphabetic, Polyalphabetic and Polygraphic.
A
- Monoalphabetic - any cipher in which the letters of the plaintext are mapped to ciphertext letters based on a single alphabet key. For this reason, a monoalphabetic cipher is also called a simple substitution cipher. Remember mono - single, or one.
- Polyalphabetic ciphers uses multiple substitution alphabets.
In Polygraphic substitution a uniform substitution is performed on blocks of letters. When the length of the block is explicitly known, more precise terms are used: for instance, a cipher in which pairs of letters are substituted is bigraphic. Similar to polygraphic but groups are used.
- Polyalphabetic ciphers uses multiple substitution alphabets.
7
Q
Describe SSH and what it can be used for.
A
- SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
- SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log into another computer over a network, execute commands and move files from one computer to another.
- SSH uses client-server model
This is accomplished by generating a unique public key pair for each host in the communication;
8
Q
How do public and private keys work?
A
Public key cryptography allows someone to send their public key in an open, insecure channel. Having a friend’s public key allows you to encrypt messages to them. Your private key is used to decrypt messages to you.
9
Q
Describe block ciphers.
A
- A method of encrypting text in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at one as a group rather than to one bit at a time. (The main alternative method, used much less frequently, is called the stream cipher)
- So that identical blocks of text are not get encrypted in the same way in a message (which might make it easier to decipher the cipher text)
10
Q
Describe side-channel attacks.
A
A side channel attack is any attack based on information gained from the implementation of a computer system, rather than weakness in the implemented algorithm itself.
11
Q
What is a rainbow table?
A
- A precomputed table for reversing cryptographic hash functions
- Strings hashed -> stored in rainbow table
Lookup hash -> find string
- Strings hashed -> stored in rainbow table
12
Q
What are salts?
A
- A random string stored in pain text alongside the hash, but we compute the hash by:
- Hash = H(salt + password)
Two different users with the same password will not have different hashes, as they will have differently randomly generated salts.
- Hash = H(salt + password)
13
Q
What is an access control matrix (ACM)?
A
- An abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system.
- Easy to define and verify
Poor scalability, poor handling of changes, could get corrupted
- Easy to define and verify
14
Q
Describe the 8 NIX access permission settings.
A
- — all types of access denied
- –x execute access only
- -w- write access only
- r– read only
- R-x read and execute only
- rw- read and write access only
rwx everything allowed
15
Q
What is setuid and sticky bit?
A
- Setuid is Unix access rights flags that allow users to run an executable with permissions of the executable’s owner or group respectively and to change behaviour in directories.
Sticky bit is a user ownership access right flag that can be assigned to files and directories on Unix-like systems.
16
Q
Describe link vulnerabilities.
A
E.g. When files give access to an unnamed file. An thus can be altered to access unauthorised files.
17
Q
What are access control lists?
A
- Lists of users that have some sought of permission to access/read/execute a file.
- Easy to view access control, easy to remove access rights of object removed.
Poor overview of access rights per subject, difficult to remove subject.
- Easy to view access control, easy to remove access rights of object removed.
18
Q
Describe capability based security.
A
- Each user holds a list of files which they have rights too, which also details their access right.
- Sorted by user rather than file. (subject focused)
- Easy to transfer ownership, easy inheritance of access rights.
Poor overview of access rights per object, difficulty of revocation of object.
19
Q
Describe the Bell-LaPadula Model
A
- Uses access control lists
- A confidentiality policy “read down, write up” -> subject can only read down and write up
○ Simple security property -> Subject (Greg) cannot read objects of higher sensitivity
○ Star property - Subject cannot write to object of lower sensitivity
○ Strong star property -> subject cannot read/write to object of higher/lower sensitivity - The first goal of the Bell-La Padula security model is to prevent users from gaining access to information above their clearance.
○ E.g. A user with a lower classification should not be able to read files above them.
- A confidentiality policy “read down, write up” -> subject can only read down and write up
20
Q
Describe the Biba Integrity Model.
A
- An integrity policy “read up, write down” -> subject can only read up and write down
○ Simple security policy - Subject (Greg) cannot read object of lower integrity
○ Star property - Subject cannot write of higher integrity
Invocation property - Subject/process cannot request higher integrity access
21
Q
Describe the Clark-Wilson Integrity Model.
A
- Bell-LaPadula is good for confidential systems
- Biba is good for integrity-preserving systems.
- The Clark Wilson model does both.
○ Limits direct interaction between subjects and objects
○ Prevent unauthorized subjects from modifying objects
○ Prevent authorized subjects from making invalid modifications to objects
○ Maintain internal/external consistency
22
Q
What are Protection rings?
A
- They are hierarchical protection domains
- Mechanisms to protect data and functionality from faults and malicious behaviour
- Hardware based access control
- Each subject and object are assigned a number based on importance
- Decisions are made by comparing numbers: If subject < object, disallows access
○ 0: Operating system kernel
○ Operating System
○ Utilities
User processes
23
Q
What are the advantages and disadvantages of using biometrics?
A
- (Advantage) Non-repudiation: a way to guarantee that an individual who accesses a certain facility cannot later deny using it.
(Disadvantage) Uncertainty: Compromise between false-positives and false negatives.
24
Q
In what situations does one prefer FMR (number of false positives /total matches) and FNMR (False Non-Match Rate -> number of false negatives/total matches)?
A
- Prefer low FMR - automatic border control -> refer to human on negative result -> we would prefer less matches to be made (even if it is true)
Prefer low FNMR -> suspect recognition on CCTV (more serious) -> Refer to human on negative result -> we would prefer a match to be made (even if it is false)
25
Describe ZKPP (zero-knowledge password proof) approach.
- ZKPP is an interactive method for one party (the prover) to prove to another party (the verifier) that it knows a value of a password, without revealing anything other than the fact that it knows that password to the verifier.
- Most common ZKPP approach: Challenge-response auth
○ Server generate unique challenge value: nonce
○ Server send nonce to the client
○ Client compute response back to server
Server compare the response with hash(nonce + stored password)
26
What is telnet and why is it bad?
- A network protocol that allows a user on one computer to log into another computer that is part of the same network.
- It is bad - all data is sent unencrypted in plain text
○ Easy to capture passwords using packet sniffer
○ Subject to MITM (man in the middle) attacks
- Telnet replaced by SSH
○ Strong encryption with public key authentication ensuring remote computer is who it claims to be
- FTP is also obsolete (except insensitive data)
○ Sends login and password in clear text vulnerable to sniffing attacks
○ Do FTP over SSH (SFTP)
Check FTP server path is pointing to sensible location
27
What is netcat?
A computer networking utility for reading from and writing to network connections using TCP or UDP.
28
Describe a man in the middle attack in a TCP connection.
- In an HTTP transaction, a TCP connection exists between client and server. The attacker splits the TCP connection into two connections - one between the victim and the attacker and the other between the attacker and the server.
On intercepting the TCP connection, the attacker acts as a proxy reading, altering and inserting data in intercepted communication. The session cookie reading the HTTP header can easily be captured by the intruder.
29
What is the Address Resolution Protocol (ARP)?
- A protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
- E.g. In IP v4 address is 32 bits long -> Ethernet, address for attached devices are 48 bits long
- ARP provides the protocol rules for making this correlation and providing address conversion in both directions.
○ Vulnerable to:
§ ARP Spoofing
□ Steal sensitive information
□ DoS, Man-in-the-middle (MITM), Session-hijacking
Still widely used, but replaced by NDP for IP v6
30
What is Neighbour Discovery Protocol?
- NDP operates in the link layer of Internet network architecture
- NDP covers different kinds of network communication such as router solicitation, router advertisement and neighbour solicitation or advertisement.
○ These kind of processes help to route data along network trajectories using individual nodes
○ Help make data transmission more efficient and consistent across multiple networks and processes
- Secure Neighbour Discovery (SEND) security extension
○ Cryptographically generated addresses ensure that the claim source of an NDP message is the owner of the claimed address.
Better router discovery
31
Describe IP spoofing.
- Changing the source of a packet with fake IP address to hide the identity of the sender.
- The victim thinks he's talking to his friend, but actually he's talking to the hacker.
- Protection
○ Authentication protocol
○ Encrypted sessions
○ Access control lists (ACLs)
○ Filtering of traffic
Proper
32
What is a smurf attack?
- The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
The smurf program sends a spoofed network packet that contains an ICMP ping. The resulting echo responses to the ping message are directed toward the victim's IP address. Large number of pings and the resulting echoes can make the network unusable for real traffic.
33
Describe a DDoS attack.
- A DDoS attack requires an attacker to gain control of a network of online machines in order to carry out an attack.
- Other computers and machines are infected with malware, turning each one into a bot (or zombie). The attacker then has remote control over the group of bots, which is called a botnet.
- Once a botnet has been established, the attacker is able to direct the machines by sending updated instructions to each bot via a method of remote control
- When the IP address of a victim is targeted by the botnet, each bot will respond by sending requests to the target, potentially causing the targeted server or network to overflow capacity
Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be difficult.
34
What is the OSI model and describe it.
- A conceptual framework used to describe network connectivity in 7 distinct layers.
○ Application Layer - High level APIs, including resource sharing, remote file access
○ Presentation - Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption. Ensures that data is in a usable format and is where data encryption occurs.
○ Session Layer - Maintains connections and is responsible for controlling ports and sessions.
○ Transport Layer - Transmits data using transmission control protocols including TCP and UDP
○ Network Layer - Decides which physical path the data will take
Datalink Layer - Defines the format of data on the network
35
What is cross site scripting?
A type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
36
What are cookies?
```
- Credential tokens:
○ Held in local browsing session
○ Identify you to a remote server
○ Remember states
§ Shopping cart
§ Browsing History
§ Data in form fields
Common target for hackers
```
37
What is Non-persistent XSS and Non-persistent XSRF?
- The victim is tricked into sending malicious code to the vulnerable web application, which is often reflected back to the victim's browser where the XSS payload executes.
Link is hidden within an email and made to look legitimate.
38
What is path traversal/Directory Traversal Attack?
- A directory traversal consists in exploiting security validation/sanitization of user-supplied input file names, such that characters representing "traverse to parent directory" are passed through the file
A type of injection attack that allows users to access files or directories which they don't have authorisation for.
39
Describe basic concepts in a database.
• Authentication - who are you?
• Authorization - what are you allowed to do?
• Encryption - protecting the data
• Auditing - what did you do?
• Redaction - disguise sensitive data on returned results
• Masking - creating similar but inauthentic version of the data for training/testing
• Firewall - threat patterns, approved whitelisted commands, blacklist (harmful) commands, monitor for data leakage, evaluate IP address/time/location
Integrity - data should be accurate and tolerant to physical problems (hardware failure, power failures)
40
What are the reasons that most databases are vulnerable?
1. Excessive and Unused Privileges
a. Privilege control mechanisms for job roles have often not been well defined or maintained
b. People join the company, leave the company, change roles, their privileges often grow and aren't scaled back to be inline with their job requirements
c. Probably the greatest chance of impact in organisations
2. Privilege abuse
a. People who have legitimate use of data, but choose to abuse it
b. Employees often feel entitled to take data with them
i. They feel they were part of creating this data, therefore they will take it with them
3. SQL Injection
a. Inserting or injecting unauthorised malicious database statements somewhere in the application or database that gets executed by the database itself
i. Making critical data available to be viewed copied or changed
b. Typing structure query language commands to the database
c. In many times the database opens up and splits out its contents
4. Malware
a. Spear phishing emails
b. Maleware
c. Credentials stolen
d. Data being stolen
5. Weak Audit trail
a. We get a much clearer picture of what's going on with more detail and resolution
b. Most organisations don't record all the details that you need to deal with the aftermath of these situations
c. Hard to trace back to individual users
6. Storage media exposure
a. After spear phishing and malware, it's often the database backups that are actually leaked in the end
7. Database Vulnerability Exploitation
a. Oracle, Microsoft and IBM have big market share periodically patches and fixes
i. Patches are rolled out and made available to their customers and wider community
b. However 10% take a year or longer to apply a patch
i. Requirements for a stable business etc
8. Unmanaged sensitive data
a. You can easily end up with some of your sensitive data being used in testing environments, or R&D environments and not being managed properly.
i. Training
ii. Use Data Masking
9. DoS & Limited Expertise
a. DoS attacks can happen to databases
b. With databases:
i. Attackers overload server resources (memory usage, CPU)
ii. Flooding database with queries that can cause server to crash
c. Limited expertise & security training:
i. Majority of organisations experienced staff related breaches when policies weren't well understood
1) The very people controlling the policies on devices either don't understand the business aspects or technical aspects of the vulnerability
Small business (over half of them) don't even have a position for educating their staff about security risks, e.g. A software engineer whose learnt about software security
41
What are Inference attacks?
- A data mining technique
○ Analyse data in order to illegitimately gain knowledge of subject or database
○ Sensitive information can be leaked if hacker can infer real value with high confidence
Occur when someone is allowed to execute queries that they're authorized for, but by executing those queries they are able to gain access to information for which they are not authorized.
42
What are the approaches to improve database security?
1. Discovery and assessment
a. You can't protect against problems if you don't know they exist
b. Quickly identify sensitive data and assessing vulnerabilities/misconfigurations
2. User rights management
a. Make sure you have thorough process to review and eliminate excessive user rights
3. Monitoring and blocking
a. Have procedures in place to monitor activity and block attempted policy violations
4. Auditing (creating a trail)
5. Protecting the data
a. Storage encryption, tamper-proof audit trail
6. Non-technical security
Raise awareness and cultivate experiences security professionals
43
Describe a full system audit.
• Reset ALL passwords for every account for everyone in the company
• Enable 2FA for all accounts
• Reset all SSH keys, HTTPS certs
• Enforce 2FA for SSH access to servers from outside the office
• Upgraded all of our software dependencies to the latest versions
• Audited open ports on our servers
Run automated pen-testing tools
44
Describe buffer overflows and it's associated risk.
• A buffer is part of the physical memory storage that is temporarily used to store data.
• Buffer overflows occur when a program or process tries to write or read more data from a buffer than the buffer can hold
• In a security context, a buffer can give an attacker access to different parts of the internal memory and eventually control the program execution, introducing risks in confidentiality, integrity and availability.
• Only native code programs ae vulnerable to buffer overflows, meaning programs which use the process instruction set directly rather than intermediates like java virtual machine.
○ Common in programs written in C/C++ -> because they are designed to allow access to memory
• So if bigger amounts of data are pushed to the destination buffer then it will result in a memory overwrite.
• Use heap memory (and fgets) instead of stacks
Do bounds checking e.g. No more than 8 characters
45
What is stack smashing and it's counter measures?
- Essentially the same as overflow but going to a very far extent to reach a certain functionality/goal
- If we can use this on a program that has higher privilege than our self, we can jump to deployed shellcode for that level of privilege
○ Shellcode is executable code inserted as a payload for insertion attacks
- Countermeasures:
○ Check buffer lengths
○ Use heap memory
○ Use ASLR, on the fly randomization of memory to make buffer flow attacks more difficult to implement
§ Similar concept of making the operating system less predictable and much harder to do these kinds of attacks
Use a canary
46
What is a canary value?
- A strategy to detect buffer overflow attacks at run time, without requiring the programmer to modify any source code.
- The compiler generates additional instructions, so that the function prologue will add a so-called canary value to the stack frame between the return address and the local variables.
- The canary value is a random number chosen when the program begins
○ Then, additional instructions are inserted into the function epilogue which check the canary value, as it appears in the stack frame
○ If incorrect, the instructions cause the program to go into a fail-safe mode behaviour while under attack. (usually immediate termination), as to control the program's worst-case behaviour while under attack.
Canary values can work, because most stacking smashing attacks which successfully the return address will also overwrite the canary value, and it is unlikely that the attacker will be able to guess the canary value.
47
What is heap spraying?
- A technique used to aid the exploitation of vulnerabilities in computer systems
- Called spraying because it involves writing a series of bytes at various places in the heap (the large pool of memory that is allocated for use by programs)
- Heap is vulnerable to this kid of attack because it usually starts at a predetermined location in memory
○ And consecutive writes are often located in consecutive locations in memory
- Goal of attack is to ensure that the bytes can be accessed later as the vector of a seperate attack.
○ Later, the malicious software can use a pointer reference to execute arbitrary code
○ If the heap has been sprayed all over with the code to be executed, the chances that the pointer will reference the code is very high
Attempts to put s certain sequence of bytes at a predetermined location in the memory by allowing large blocks on the progress's heap and filling the bytes in blocks with specific values
48
What are timing attacks?
A side channel attack in which the attacker attempts to compromise a cryptosystem by analysing the time taken to execute cryptographic algorithms.
Networks
flashcards
Decks in class (4)
# Cards
