ECE6612 Quiz 2 -> Exam Topics (see also Quiz 1 and Quiz 2 Topics) Spring 2016
Slide set 15 - Hidden Data (also covered in NetSecLab Wrapup – on Tsquare)
• Hidden files (on UNIX, the name starts with ".")
• Startup scripts (a great place to hide a Trojan Horse)
• Covert channels (hide in "ping" packets, port 80 HTML, headers)
• Steganography (hiding data in an image file)
• Watch for new processes (use 'ps aux'), new files (particularly "suid" files*), and open Internet TCP and UDP ports ('netstat -nal --programs' and 'lsof -t4tcp')
*An "suid" file (chmod 4755) owned by root always runs with root privileges.
Slide Set 16 - Safe Computing (also covered in NetSecLab Wrapup – on Tsquare)
• Eliminate unneeded daemons, "suid" programs, open ports, and user accounts (to "harden" the computer).
• Enforce long, mixed-character passwords.
• Explain "Once root, always root" (Copeland's 2nd rule*). (The 1st rule is "No security without physical security." The 3rd rule is "Layers of protection and detection are needed ... .")
• Use the host OS firewall to limit connections as much as possible (MacOS: use /etc/hosts.allow to limit incoming ssh IPs, and "Little Snitch" to limit outgoing connections by application and destination IP).
• Keep security patches up to date, from OS and application vendors.
• Do not be "root" except when necessary.
• Most compromises today come from email and Web accesses (no click needed).
Slide Set 17 – Shell Code
"Shellcode" is binary code that will execute without being processed by a "loader":
1. It must make kernel system calls directly (no standard libraries).
2. It must use absolute or relative jumps (no relocatable jumps).
3. It must be written in assembly language, with a limited set of instructions (e.g., no labels).
The original shellcode opened a backdoor with a command shell (bash, cmd.exe, …). Now shellcode has been written that will open an Internet connection, download and install malware (e.g., a rootkit or bot), transfer files, …
Buffer Overflow (what is it, what does it do) [gets(buf)]: 1) it can change data, 2) it can redirect the program counter to execute shellcode.
How to prevent a "buffer overflow" [use fgets(buf, n, stdin) instead of gets()].
What's a "sled"? Why should the OS randomize stack memory addresses? What is "polymorphic" code?
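Added example (not from the slides): the gets() pattern the slide names, kept as a comment, beside a bounded fgets() reader that also handles the case the slide's one-line fix leaves open, an input line longer than the buffer. The helper names read_line_bounded and demo_no_overflow are assumptions of this example, and the canary check feeds a constructed over-long line through fmemopen().

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* The slide's vulnerable pattern, kept as a comment only:
 *     char buf[16];
 *     gets(buf);   // no length limit: a long line overwrites whatever
 *                  // follows buf on the stack (data, saved return address)
 * gets() cannot be told the buffer size, so no input is safe for it. */

/* Hardened replacement (assumed helper name): fgets() stores at most n-1
 * bytes, the newline is stripped, and the rest of an over-long line is
 * drained so the next read does not start mid-line.
 * Returns bytes stored, or -1 on EOF/error with nothing read.
 * *truncated (if non-NULL) is set to 1 when input had to be discarded. */
int read_line_bounded(char *buf, size_t n, FILE *in, int *truncated)
{
    if (truncated) *truncated = 0;
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* complete line */
        return (int)len;
    }
    /* No newline: the line exceeded n-1 bytes (or hit EOF). Drain it. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        if (truncated) *truncated = 1;
    return (int)len;
}

/* Demonstration: a 40-byte line (constructed input) into a 16-byte buffer
 * guarded by a canary; returns 1 if the canary survives and the following
 * line is read cleanly, 0 otherwise. */
int demo_no_overflow(void)
{
    struct { char buf[16]; char canary[8]; } s;
    memcpy(s.canary, "CANARY!", 8);
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n";
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return 0;
    int trunc = 0;
    int len = read_line_bounded(s.buf, sizeof s.buf, in, &trunc);
    char second[16];
    int len2 = read_line_bounded(second, sizeof second, in, NULL);
    fclose(in);
    return len == 15 && trunc && memcmp(s.canary, "CANARY!", 8) == 0
           && len2 == 4 && strcmp(second, "next") == 0;
}
```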
Current Affairs
• Spear Phishing - used for government-level and GT attacks.
• BotNets - used by organized crime for spam email (fake drugs, stock pumping, phishing to steal identity info, links to Web sites with exploits). Distinguished by use of P2P networking.
• Dynamic DNS (fast-flux DNS) - used to direct a hacker URL to various IP addresses.
• Modified DNS Server IP - the site sometimes misdirects URLs.
• DNS Cache Poisoning - send phony responses to your own query.
• Adware and Spyware - nuisance software that pops up ads and reports Web usage, but could report more sensitive info.
• Insider Attacks - unauthorized access to steal government or corporate data, forge records, cover up embezzlement.
There will be questions on something from "Data Brokers", the NOVA "Cyber War" documentary, and the Mandiant APT (Advanced Persistent Threat) whitepaper (Slides 0.9d).
HW
What was learned from the homework problems?
Outside Reading
• Advanced Persistent Threat – who's doing it, and why.
• [MacAttack UDP-based Amplification Attack.]
• Target – what went wrong (discussed in class).
Three Rules for Organizations (not "Copeland's 3 Rules")
1. Have layers of Protection
2. Have layers of Detection
3. Have Response Plans
Terms to Know
• Malware - any malicious software.
• RAT - Remote Administration Tool (remote control of a host).
• Hack-Back - reverse hacking of the attacker; usually illegal (many attacking hosts are themselves compromised, so the damage hurts innocents).
• Exploit code - can be in Microsoft Office documents, HTML mail or Web pages, database files, image files, data input (SQL poisoning, buffer overflow), text files (shell code and .bat files).
• Root Kit - installs special versions of OS utilities which hide the presence of an intruder (files, processes, sockets, accounts).
• Crypto Locker – encrypts all files; a ransom is needed to get the unlock key.
• Bitcoin – a way to anonymously transfer and receive funds.
• Dark Web – Web servers where malware and the spoils of hacking (IDs, passwords, corporate and government info) are sold.
(Copeland's) Three Rules for People
• Without Physical Security, there is no security.
• Once "root", always "root" (or "Administrator").
• Multiple layers of prevention and monitoring are necessary (to achieve the optimum degree of protection for a given budget). Complete prevention is impossible.
----
Many layers in the following three categories:
• Protection (physical, firewall, updates, ...)
• Detection (IDS, Tripwire, ...)
• Reaction (have plans prepared)