Computer Science Innovations, LLC Ethical Hacking
Overview • Define Security • Discretionary Access Control • Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book • 1984 by MITRE Corporation • Basis for all we do in Security • Define Security, how we measure it.
Long-term goal • Given a System, X, tell me the security level. C2, B1, PL3, PL3+ • What does the security level imply? • It implies, what you can do with the system. • Says Who? • Commercial world – Underwriter? • What's an Underwriter? Quantify? • Insurance Companies.
The Present Situation • If I am Responsible for System, X, how do I bring it into Production? • Someone must Approve. • Somebody must assume risk. • Who is that? Insurance company • DOD Adjudicator. • Someone who assumes the risk.
Development up to present • If your system and you are well defined. • If your security model is simple and based on standards. • If you speak the same language as the decision maker. • It is easier to get someone to put their neck on the line. • Einstein said, If I saw further than others it is because I was standing on the shoulders of Giants.
Goals • Einstein said, As simple as possible, but no simpler. • If you cannot explain it simply, you do not understand it well enough. • Any fool can make things more complex it takes genius to find the simplicity. • Great science is simple.
Science Being Simple • Computer Science – simple seems to win. • P-V Semaphore --- seven lines of code. • Google ---- processing paradigms.... simplicity in processing. • Map/Reduce …. Solr... Open Source......
Definitions • Levels of Security • Lowest is D... we will not even discuss it. • Next level up is C... C1 and C2 • C1 and C2 rely on Discretionary Access Control. • Next level up is B1, B2, B3, which are largely related. • B level uses Mandatory Access Control
Use of Definitions • The same definitions are used for Commercial as Government • In other words, there is just one Security. • There is Computer Security Used in Different Areas. • What is Discretionary Access Control?
Discretionary Access Control • Concerns itself with Named Subjects accessing Named Objects. • So what is a Subject.... Someone or something wishing to access a computer object. • You accessing your email. The Subject --- You. The Object Email. • What does Concerns Itself with Mean?
Subjects and Objects • Access Control... Can the subject read or write the Object? That is one thing we are concerned with. • Auditing... What did the subject do on June 30th? Who are the subjects that accessed my mail? • Assurance – How can I be guaranteed that all access to the data has access control and Auditing? And … Does my model work?
Access Control • Access Control has some pieces.... • What are the pieces? The first two are • Identity Assertion • Role Gathering • Systems do this. • We knew this in 1984.. This is not new and pre-dates the Internet.
Identity Assertion • Eminem – I am who you say I am. • How do you find out your identity? • Google... Username and Password • Google.. Additional Security through a Token • Show Something About yourself • Biometric Devices. • Prove who you are.
How Do We Do Identity Assertion • Diagram: Browser <---> Web Server (Www.bankofamerica.com); on each side the question is "Do I have a session?"
How Do We Assert an Identity • Username and Password • Sitekey • Identity Asserter is username and password. • Google --- username and password. • Challenge ---> send a key to cell phone • Biometrics... cheap....
Identity Assertion • Identity Asserters must be pluggable. • What does that mean? • It means if I change the Identity Asserter, I do not need to change the software. • Best Practice … Run the software with two different Identity Asserters without changing, compiling or writing Software.
Role Gathering • Diagram: Browser ---> Web server; the web server asserts identity, then gathers roles.
Role Gathering • Having proven who I am.... What can I do? • The Roles Dictate what you can do. • So if my role is Administrator.. I can do a lot. • If my role is Guest... I can do a little. • Show me what you mean. Ok. Let's do a practical Example.
Where do We See Roles • Web applications..... web.xml • Directory ---- roles can live in the directory • Page --- useradmin ----> the roles that can see it are Administrator.... • Browser requests the page... the server looks up the roles in web.xml..... and you see it.
Practical Example - Roles • id uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers) • Groups are Synonymous with Roles... Spec says. • They say what I can do. Use Plug in Devices • Line Printer Administrator, Share Files...etc.
What Happened? • Logged into my machine. • Asserted my identity by username password. • Gathered my roles. • Determined what I can do. • Why? It's the standard.
Impromptu Lab • Go to your backtrack instance. • Username root • Password toor • Run the id command
Common Shortcomings? • Let's say you have a machine with a web server. • You have 5 people that are Web Server Administrators • What are your options? • You can have a Group Account • Or you can setup the machine to allow multiple people to update the Web Server.
What is Wrong with a Group Account? • It Violates Discretionary Access Control. • Why? Named Subject, Named Object. • NOT • Named Group containing many Subjects and Named Object. • Must be one to one – Person to Subject. • Now Three More Topics for C2.
Bringing Up A Web Server • Web Server ---- runs on port 80 • Web Server ---- runs on port 8080 • Ports < 1024 require Admin Privilege to start the process. • Ports >= 1024 do not require Admin. • Why do we care? Least Privilege....
Have “Normal” Users as Web Admin • So let's say --- Morris, Mo... he is a web admin. • Cheri is a web admin.... • They are going to run as normal users... but they need to share the web server.. and we do not want to violate DAC.. • So we need to separate them and keep Least Privilege...
Separate Users • Step 1: Create a group per user and create a shared group. • Mo • Al • Webguys – shared group.
How To
root@companion:/opt# groupadd mo
root@companion:/opt# groupadd al
root@companion:/opt# groupadd webguys
root@companion:/opt# useradd mo -g mo -G webguys
root@companion:/opt# useradd al -g al -G webguys
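An added check (not part of the deck) that the per-user-group plus shared-group layout from the "How To" slide really came out right. It reads /etc/passwd and /etc/group style lines (constructed here, with assumed uids/gids) and flags a web admin whose primary group is the shared group instead of a private group of their own name, which is what happens if someone types useradd -g webguys.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample lines, shaped like /etc/passwd and /etc/group after the
# groupadd/useradd commands on the slide (uids and gids are assumed values).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mo:x:1001:1001::/home/mo:/bin/sh
al:x:1002:1002::/home/al:/bin/sh
"""
GROUP = """\
root:x:0:
mo:x:1001:
al:x:1002:
webguys:x:1003:mo,al
"""

def parse_passwd(text: str) -> Dict[str, int]:
    """username -> primary gid (fourth field of a passwd line)."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = int(f[3])
    return out

def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """group name -> (gid, set of supplementary members listed in the group line)."""
    out: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return out

def check_shared_group_layout(passwd_text: str, group_text: str, shared: str) -> Dict[str, List[str]]:
    """For every member of the shared group, confirm the DAC layout the slide
    builds: a private primary group with the user's own name, and the shared
    group only as a supplementary group. Returns {user: [problems]}."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    _, members = groups[shared]
    report: Dict[str, List[str]] = {}
    for user in sorted(members):
        problems: List[str] = []
        if user not in users:
            problems.append("not in passwd")
        else:
            primary = gid_to_name.get(users[user])
            if primary != user:
                problems.append(f"primary group is {primary!r}, expected private group {user!r}")
        report[user] = problems
    return report
```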
Three More Topics • Confidentiality • No one can listen in and gain information. • Encryption • Least Privilege • Very Very Important. • Am I doing the action with the least amount of Authority. Don't work as Root or Admin • Non-Repudiation • How can I not deny that I sent it.
Confidentiality • https • Hyper Text Transport Protocol Secure • When you read your email are you • http or https? • Log into your mail. • Is it http or https? https
Least Privilege • I must work as a normal user • Or • I must work as an admin. • Which is better? Why? You don't mess up the system on purpose or by accident. • Ports... https, which port is that? 443 • Who do you have to be to work on 443? • For ports less than 1024 you must be admin
How Do We Do Least Privilege With https? • The browser (Source) wants to communicate on 443.... Default • The system wants to use a normal user. • So what happens? • So your Firewall or Router maps 443 to 8443 • So the Source requests 443 the System responds with 8443 the Router maps them. • Best Practice … Always map <1024 ports to > 1024 to preserve Least Privilege.
Outside World to Inside • Https in a browser says communicate on 443. • But we want least privilege … so how do we do that? • 8443 on the local system. • We need our firewall/router administrator to set this up for us.
Let's Look At This • Diagram: Browser (443) ---> Firewall ---> Web Server (8443), administered by Al; map incoming 443 to internal 8443 on a specific server.
Apache and Least Privilege • ubuntu@ip-10-204-147-104:~$ ps -ef | grep apache • root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • ubuntu 3828 865 0 14:55 pts/0 00:00:00 grep --color=auto apache • ubuntu@ip-10-204-147-104:~$ sudo su - • root@ip-10-204-147-104:~# cd /etc/ • root@ip-10-204-147-104:/etc# grep www-data passwd • www-data:x:33:33:www-data:/var/www:/bin/sh • Apache is not adhering to Least Privilege
Let's Do It • Go to Amazon Web Services. Where .. Google it. • Use Scott's Account scott@scottstreit.com lakers • Create an Ubuntu 12.04 instance.
Use Backtrack • Go to VMWare and Start Backtrack • Login root toor • Type dhclient • Type startx • Go to firefox • Login using your pem key • Then go to firefox on backtrack and do • http://<amazon.machine.name> • You will get …. nothing running
What Happened • Security Group had to have ports 80 and 22 open. • You had to set permission on the pem file as 400, meaning only the user can read it. • You ssh -i <pem.file> ubuntu@<amazon.host.name> • When you go to the browser http://<amazon.host.name> nothing • So what are we going to do.. Apache runs.
Next Step – Start Apache • Do an sudo apt-get install apache2 • Take the defaults • Go to the browser • http://<amazon host name> you should see an “It worked!” • What port is it running as? 80 • Do a ps -ef | grep apache • root@ip-10-204-147-104:/etc# ps -ef | grep apache • root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start • www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
Who is it Running As? • It was www-data. • Who is www-data? • Do a grep www-data /etc/passwd • What number is associated with www-data? • 33 which is less than 1000 which is a root type user. • Do we have least privilege? • No. Why? Running as root and using port 80
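Added detection logic (not from the deck) that does the "who is it running as?" step over ps -ef and /etc/passwd output instead of by eye. The sample lines are constructed to match the shape of the slide's output; uid 0 is root and any uid below 1000 is a system account on Ubuntu's default layout.

```python
from typing import Dict, List

# Constructed sample input, shaped like the ps -ef and grep www-data passwd output on the slides.
PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      3725     1  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3727  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3729  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
ubuntu    3828   865  0 14:55 pts/0    00:00:00 grep --color=auto apache
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""

def parse_passwd(text: str) -> Dict[str, int]:
    """username -> numeric uid (third field of a passwd line)."""
    return {f[0]: int(f[2]) for f in (l.split(":") for l in text.splitlines() if l)}

def parse_ps(text: str) -> List[dict]:
    """ps -ef rows: the first seven columns are single tokens, CMD is the rest."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the UID PID PPID ... header
        f = line.split(None, 7)
        rows.append({"user": f[0], "pid": int(f[1]), "ppid": int(f[2]), "cmd": f[7]})
    return rows

def classify_uid(uid: int, sys_uid_max: int = 1000) -> str:
    """root, a system account (uid below the first normal uid), or a normal user."""
    if uid == 0:
        return "root"
    return "system account" if uid < sys_uid_max else "normal user"

def audit_processes(ps_text: str, passwd_text: str, needle: str = "apache2") -> List[dict]:
    """For each process whose command matches, report user, uid and privilege class.
    The grep that matches itself is skipped, just as you skip it on the slide."""
    uids = parse_passwd(passwd_text)
    findings = []
    for p in parse_ps(ps_text):
        if needle not in p["cmd"] or p["cmd"].startswith("grep"):
            continue
        uid = uids[p["user"]]
        findings.append({**p, "uid": uid, "class": classify_uid(uid)})
    return findings

if __name__ == "__main__":
    for f in audit_processes(PS_EF, PASSWD):
        print(f["pid"], f["user"], f["uid"], f["class"])
```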
How For Lab • Classic wizard gives you different ones to choose from. • Amazon gives you their own AMI default. • Choose an instance of them. • Option to create a new key pair. • Custom TCP rule. Allow all of 80, 8080, 22. • Then let's launch it. • Need to take a list of it. • Need to set the key to get it to log in.
Unix Cheat Sheet • The command ls is the same thing as dir in windows • The command ps is process status and commonly used as ps -ef | more • Do a ps -ef | more • The command pwd is print working directory • The command chmod is change mode • The command chgrp is change user and group
DAC in UNIX • In Unix we get DAC out of the box. • How do we do it. • Name Subject …. logging in • You guys are root/toor – backtrack • How do we protect files? • This is access control.
Unix History • How did we get to Unix? • Who created it? Brian Kernighan, Dennis Ritchie, Thompson. • They worked for AT&T in New Jersey in the 70's. They had an idea. What if an operating system was created that worked on any hardware? • So they needed a hardware independent language – they called it C.
Unix History Continued • AT&T gave it away for free. • How many run Android? Unix kernel. • How many run iPhones? Unix. • There are two flavors. System V – MIT – Linux • BSD – Berkeley – Cal Berkeley – Mac/OS • AT&T – Created this.
Amazon Unix vs. Windows • Unix and Windows are both available in the Cloud. • The pricing difference is what? • Windows is more expensive differing by licensing costs. • Access is a little different.
Commands - Unix • Permissions • wwwxxxyyy for a file or directory. • Now let's define www: it has 3 digits, for RWE. • So RWE is what … 7. Now www is for the user's permission, • xxx is for the group's permission and • yyy is for the world's permission. • So if a file is 400 like a .pem file, what is that? • 400 = 100 000 000, which is r-------- : read at the owner level only.
More Permissions • So if I want a file to be Read and Write for the Owner (User) of the file, Read for the Group and Nothing for the world. • Let's do it together:
www xxx yyy
U   G   O
RWE RWE RWE   (three digits each)
110 100 000 = 6 4 0
Lab on Permissions • So..... A User may Read, Write and Execute. • The Group may Read and Write. • The Other may only Read. • What is the pattern? • Remember:
www xxx yyy
U   G   O
RWE RWE RWE
111 110 100
7   6   4
So Back to Commands • The command ls -al gives the full listing. You can see the pattern. • So we have a couple more commands and we are done. • The command chmod 3DIGITS files changes the mode. chmod 777 allows all access. • The command chgrp user:group lets you set the owner.
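An added worked example (not from the deck) of the www xxx yyy arithmetic from the last three slides: it converts between the nine-character ls -al pattern and the three chmod digits, and applies the rule from the earlier lab that a .pem key must be 400 (or 600), checking the real mode bits on a temp file with os.chmod and os.stat.

```python
import os
import stat
import tempfile

PERM_CHARS = "rwx"   # the deck calls the third bit E (execute); ls shows it as x

def symbolic_to_octal(sym: str) -> int:
    """'rw-r-----' -> 0o640. Nine characters: user (www), group (xxx), other (yyy)."""
    if len(sym) != 9:
        raise ValueError("expected nine characters, e.g. rw-r-----")
    mode = 0
    for i, ch in enumerate(sym):
        if ch == PERM_CHARS[i % 3]:
            mode |= 1 << (8 - i)          # leftmost character is the highest bit
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode

def octal_to_symbolic(mode: int) -> str:
    """0o764 -> 'rwxrw-r--' (only the low nine bits are looked at)."""
    return "".join(PERM_CHARS[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))

def digits(mode: int) -> str:
    """0o640 -> '640', the three digits you hand to chmod."""
    return f"{mode & 0o777:03o}"

def private_key_mode_ok(mode: int) -> bool:
    """A .pem / ssh private key must be readable by its owner only:
    no group or other bits at all, so 400 and 600 pass and 644 fails."""
    return (mode & 0o077) == 0 and bool(mode & stat.S_IRUSR)

def check_private_key(path: str) -> bool:
    """Read the mode bits from the filesystem (what ls -al shows) and apply the rule."""
    return private_key_mode_ok(stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    # Demo on a scratch file: 644 is too open, then 400 as the slide instructs.
    # Ownership would be set with chown user:group (chgrp changes only the group);
    # not shown here because changing the owner needs root.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    for mode in (0o644, 0o400):
        os.chmod(path, mode)
        print(digits(mode), octal_to_symbolic(mode), "key ok:", check_private_key(path))
    os.remove(path)
```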