1 / 0

OS Security Part II

OS Security Part II. Memory and File System Security. The contents of a computer are encapsulated in its memory and file system. Thus, protection of a computer’s content has to start with the protection of its memory and its file system. 2. Password Security.

brick
Télécharger la présentation

OS Security Part II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OS Security Part II

  2. Memory and File System Security The contents of a computer are encapsulated in its memory and file system. Thus, protection of a computer’s content has to start with the protection of its memory and its file system. 2
  3. Password Security The basic approach to guessing passwords from the password file is to conduct a dictionary attack, where each word in a dictionary is hashed and the resulting value is compared with the hashed passwords stored in the password file. A dictionary of 500,000 “words” is often enough to discover most passwords.
  4. Password Vulnerabilities Organizational or end-user vulnerabilities Lack of passwordawareness on the part of end users Lack of password policiesthat are enforced within the organization Technical vulnerabilities Weak encryption methods Insecure storage of passwords on computer systems http://wp.me/P29YQz-k
  5. Organizational password vulnerabilities User’spassword usually: Weak and easy to guess. Jarang diganti Digunakan untuk beberapa macam sistem Menuliskannya di tempat yang tidak aman Password yang susah ditebak pun bisa dicuri http://wp.me/P29YQz-k
  6. Technical password vulnerabilities Weak password-encryption schemes Software that stores passwords in memory and easily accessed databases. End-user applications that display passwords on the screen while typing ICAT Metabase (an index of computer vulnerabilities) currently identifies more than 460 technical password vulnerabilities(icat.nist.gov/icat.cfm) http://wp.me/P29YQz-k
  7. Cracking Passwords the old-fashioned way http://wp.me/P29YQz-k
  8. Shoulder Surfing http://wp.me/P29YQz-k
  9. Inference Guessing passwords from information you know aboutusers - such as their date of birth, favorite television show, and phone numbers 9 http://wp.me/P29YQz-k
  10. http://wp.me/P29YQz-k
  11. Weak authentication Like in the old Windows 9x and Me http://wp.me/P29YQz-k
  12. Social Engineering Examples False support personnel claim that they need to install a patch or newversion of software on a user’s computer, talk the user into downloadingthe software and obtain remote control of the system. False vendors claim to need to make updates to the organization’s accounting package or phone system, ask for the administrator password, and obtain full access. http://wp.me/P29YQz-k
  13. False contest Web sites run by hackers gather user IDs and passwordsof unsuspecting contestants. The hackers then try those passwords onother Web sites, such as Yahoo! and Amazon.com, and steal personal orcorporate information http://wp.me/P29YQz-k
  14. False employees notify the security desk that they have lost their keysto the computer room, are given a set of keys, and obtain unauthorizedaccess to physical and electronic information http://wp.me/P29YQz-k
  15. http://wp.me/P29YQz-k
  16. Performing Social-Engineering Attacks Perform research Build trust Exploit relationship for information through words, actions, ortechnology Use the information gathered for malicious purposes. http://wp.me/P29YQz-k
  17. Fishing for information Social engineers typically start by gathering public information about theirvictim Using the Internet Dumpster diving http://wp.me/P29YQz-k
  18. Building trust Likability Believability http://wp.me/P29YQz-k
  19. Exploiting the relationship Deceit through words and actions Acting overly friendly or eager Mentioning names of prominent people within the organization Bragging about authority within the organization Threatening reprimands if requests aren’t honored Acting nervous when questioned (pursing the lips and fidgeting - especially the hands and feet, because more conscious effort is requiredto control body parts that are farther from the face) Overemphasizing details Physiological changes, such as dilated pupils or changes in voice pitch Appearing rushed Refusing to give information Volunteering information and answering unasked questions Knowing information that an outsider should not have A known outsider using insider speech or slang Asking strange questions Misspelling words in written communications http://wp.me/P29YQz-k
  20. http://wp.me/P29YQz-k
  21. Sending e-mail for criticalinformation Such e-mail usually provides a link that directs victims to a professional-and legitimate-looking Web site that “updates” such account informationas user IDs, passwords, and Social Security numbers Anytime you need to go to a website for your bank, credit card companies or other personal, financial or confidential information; do not follow a link in an email; just type their address in your browser directly Deceit through technology http://wp.me/P29YQz-k
  22. http://wp.me/P29YQz-k
  23. The Nigerian 419 e-mail fraud scheme attempts to access unsuspectingpeople’s bank accounts and money. These social engineers - scamsters - offer to transfer millions of dollars to the victim to repatriate a deceasedclient’s funds to the United States All the victim must provide is personalbank-account information and a little money up front to cover the transferexpenses Victims have ended up having their bank accounts emptied http://wp.me/P29YQz-k
  24. Social-Engineering Countermeasures Policies Classifying data Hiring employees and contractors and setting up user IDs Terminating employees and contractors, and removing user IDs Setting and resetting passwords Handling proprietary and confidential information Escorting guests http://wp.me/P29YQz-k
  25. User awareness Treat security awareness and training as a business investment. Train users on an ongoing basis to keep security fresh in their minds. Tailor your training content to your audience whenever possible. Create a social-engineering awareness program for your business functionsand user roles. Keep your messages as nontechnical as possible. Develop incentive programs for preventing and reporting incidents. Lead by example http://wp.me/P29YQz-k
  26. Never divulge any information unless you can validate that the personrequesting the information needs it and is who he says he is If a requestis made over the telephone, verify the caller’s identity, and call back. Never click an e-mail link that supposedly loads a page with informationthat needs updating. This is especially true for unsolicited e-mails. http://wp.me/P29YQz-k
  27. Escort all guests within a building. Never send or open files from strangers. Never give out passwords. http://wp.me/P29YQz-k
  28. Never let a stranger connect to one of your network jacks — even for afew seconds. A hacker can place a network analyzer, Trojan-horse program,or other malware directly onto your network. Classify your information assets, both hard-copy and electronic. Trainall employees to handle each asset type. http://wp.me/P29YQz-k
  29. Develop and enforce computer media and document destruction policiesthat help ensure data is handled carefully and stays where it should. Use cross-shredding paper shredders. Never allow anonymous File Transfer Protocol (FTP) access into yourFTP servers if you don’t have to. http://wp.me/P29YQz-k
  30. High-tech password cracking Password cracking software Dictionary attacks Brute-force attacks http://wp.me/P29YQz-k
  31. Password cracking software NetBIOS Auditing Tool (NAT) specializes in network-based passwordattacks. Go to www.securityfocus.com/tools/543 Chknull(www.phreak.org/archives/exploits/novell) for NovellNetWare password testing These tools require physical access on the tested computer: John the Ripper (www.openwall.com/john) pwdump2 (razor.bindview.com/tools/desc/pwdump2_readme.html) Crack (coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack) Brutus (www.hoobie.net/brutus) Pandora (www.nmrc.org/project/pandora) NTFSDOS Professional (www.winternals.com) Cain and Abel for capturing, cracking, and even calculating varioustypes of passwords on a plethora of systems (www.oxid.it/cain.html) http://wp.me/P29YQz-k
  32. Dictionary attacks Dictionary Attackdilakukan dengan cara membandingkan password dengan suatu dictionary Password Crackersakan mencoba setiap kata yang ada di dalam dictionarysebagai password Suatu dictionary (biasa disebut juga sebagai word list) yang baik lebih daripada sekedar kamus Contoh: di dalam kamus pasti tidak ada kata-kata "qwerty" tapi di dalam word list yang baik, “qwerty” pasti akan dimasukkan Beberapa contoh wordlist dapat diperoleh di: packetstormsecurity.nl/Crackers/wordlists www.outpost9.com/files/WordLists.html http://wp.me/P29YQz-k
  33. Brute-force attacks Brute-forceattacks try every combination of numbers, letters, and special charactersuntil the password is discovered http://wp.me/P29YQz-k
  34. General password-hacking countermeasures Instruct users to create different passwords for differentsystems, especially on the systems that protect more sensitive information Strong passwords are important, but balance security and convenience: You can’t expect users to memorize passwords that are insanely complexand changed every week. You can’t afford weak passwords or no passwords at all. http://wp.me/P29YQz-k
  35. Password Salt One way to make the dictionary attack more difficult to launch is to use salt. Associate a random number with each userid. Rather than comparing the hash of an entered password with a stored hash of a password, the system compares the hash of an entered password and the salt for the associated userid with a stored hash of the password and salt.
  36. How Password Salt Works Without salt: Password file: 1. User types userid, X, and password, P. 2. System looks up H, the stored hash of X’s password. 3. System tests whether h(P) = H. … X: H … With salt: 1. User types userid, X, and password, P. 2. System looks up S and H, where S is the random salt for userid X and H is stored hash of S and X’s password. 3. System tests whether h(S||P) = H. Password file: … X: S, H …
  37. How Salt Increases Search Space Size Assuming that an attacker cannot find the salt associated with a userid he is trying to compromise, then the search space for a dictionary attack on a salted password is of size 2B*D, where B is the number of bits of the random salt and D is the size of the list of words for the dictionary attack. For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary, then the search space for attacking salted passwords would be 232 * 500,000 = 2,147,483,648,000,000, which is over 2 quadrillion. Also, even if an attacker can find a salt password for a userid, he only learns one password.
  38. John the Ripper password cracker http://www.openwall.com/john/f/john171w.zip http://wp.me/P29YQz-k
  39. Storing passwords If you have to choose between weak passwords that your users can memorizeand strong passwords that your users must write down, please choose having readers write down passwords and store the information securely. http://wp.me/P29YQz-k
  40. Train users to store their written passwords in a secure place - not on keyboardsor in easily cracked password-protected computer files (such asspreadsheets) http://wp.me/P29YQz-k
  41. Users should store a written password in either of theselocations: A locked file cabinet or office safe An encrypted file or database, using such tools as PGP Open-source Password Safe, originally developed by Counterpane(passwordsafe.sourceforge.net) http://wp.me/P29YQz-k
  42. You can store your password using Password Safe (http://passwordsafe.sourceforge.net/) It’s free!! http://wp.me/P29YQz-k
  43. Policy considerations Enforce (or encourage the use of) a strong password-creation policy: Use upper- and lowercase letters, special characters, and numbers.(Never use only numbers. These passwords can be cracked quickly.) Misspell words or create acronyms from a quote or a sentence. Use punctuation characters to separate words or acronyms. Change passwords every 6 to 12 months. Use different passwords for each system http://wp.me/P29YQz-k
  44. Use variable-length passwords Don’t use common slang words or words that are in a dictionary. Don’t use similar-looking characters, such as 3 instead of E, 5 insteadof S, or ! instead of 1. Password-cracking programs can check for this. http://wp.me/P29YQz-k
  45. Don’t reuse the same password within 12 months. Use password-protected screen savers. Don’t share passwords. Avoid storing user passwords in a central place, such as an unsecuredspreadsheet on a hard drive. This is an invitation for disaster. Use PGP,Password Safe, or a similar program to store user passwords. http://wp.me/P29YQz-k
  46. Other considerations Test your applications to make sure they aren’t storing passwords inmemory or writing them to disk. Some password-cracking Trojan-horse applications are transmittedthrough worms or simple e-mail attachments, such as VBS.Network.B andPWSteal.SoapSpy. These applications can be lethal to your passwordprotectionmechanisms if they’re installed on your systems. The bestdefense is malware protection software, such as antivirus protection http://wp.me/P29YQz-k
  47. Keep your systems patched. Passwords are reset or compromisedduring buffer overflows or other DoS conditions. Know your user IDs If an account has never been used, delete ordisable the account until it’s needed As the security administrator in your organization, you canenable accountlockout to prevent password-cracking attempts. http://wp.me/P29YQz-k
  48. Other ways to crack passwords Keystroke logging The use of software or hardware to record keystrokes as they’rebeing typed into the computer. Logging tools example: Actual Spy (http://www.actualkeylogger.com/download-free-key-logger.html) Hardware-based tools fit between the keyboard and the computer orreplace the keyboard altogether http://wp.me/P29YQz-k
  49. Hardware Keylogger http://wp.me/P29YQz-k
  50. Homemade hardware keylogger: http://www.keelog.com/diy.html http://wp.me/P29YQz-k
  51. Countermeasures The best defense against the installation of keystroke-logging software onyour systems is a spyware-detection program or popular antivirus products. Consider lockingdown your desktops by setting the appropriate user rights through local orgroup security policy in Windows Alternatively, you could use a commerciallock-down program, such as Fortres 101 (www.fortres.com) for Windows orDeep Freeze (www.deepfreezeusa.com) for Windows and Mac OS X. http://wp.me/P29YQz-k
  52. Credit Card Skimmer 52 Skimming is the theft of credit card information used in an otherwise legitimate transaction http://wp.me/P29YQz-k http://telecommunication.itb.ac.id/~tutun/ET4085
  53. First trick 53 A credit card “skimmer” is mounted to the front of the normal ATM card slot which reads the ATM card number and either stores or transmits the number to the scammers. Once in place it’s very difficult to tell that a skimmer is attached to the ATM machine. Any cards used in this machine will have their magnetic strip recorded and the scammers will be able to use this information to create a “clone” of this card using a magnetic strip writer http://www.expandmywealth.com/category/credit-cards/ http://wp.me/P29YQz-k http://telecommunication.itb.ac.id/~tutun/ET4085
  54. 54 The scammers can take things even further and install a pamplet box containing a concealed camera to record the user’s PIN number http://www.expandmywealth.com/category/credit-cards/ http://wp.me/P29YQz-k http://telecommunication.itb.ac.id/~tutun/ET4085
  55. The Lebanese Loop Trick The Lebanese Loop consist of a strip or sleeve of metal or plastic (such as x-ray film or VCR tape) that is inserted into the ATM’s card slot The ends of the strip are folded upwards. The foldered ends are glued to the outer surface of the ATM card slot, making the Lebanese Loop virtually impossible to detect Slits are cut on both sides of the Lebanese Loop to prevent the card from being returned at the end of the transaction. This causes the card to remain in the machine. Once the ATM user leaves the scammer can now return to the machine and pull down the ends of the loop to retrieve the ATM card and remove it from the slot. The scammer now has the ATM card and is free to use it provided he was able to record or view the user entering in their PIN number the cut http://www.expandmywealth.com/category/credit-cards/ http://wp.me/P29YQz-k
  56. Password Salt One way to make the dictionary attack more difficult to launch is to use salt. Associate a random number with each userid. Rather than comparing the hash of an entered password with a stored hash of a password, the system compares the hash of an entered password and the salt for the associated userid with a stored hash of the password and salt.
  57. How Password Salt Works Without salt: Password file: 1. User types userid, X, and password, P. 2. System looks up H, the stored hash of X’s password. 3. System tests whether h(P) = H. … X: H … With salt: 1. User types userid, X, and password, P. 2. System looks up S and H, where S is the random salt for userid X and H is stored hash of S and X’s password. 3. System tests whether h(S||P) = H. Password file: … X: S, H …
  58. How Salt Increases Search Space Size Assuming that an attacker cannot find the salt associated with a userid he is trying to compromise, then the search space for a dictionary attack on a salted password is of size 2B*D, where B is the number of bits of the random salt and D is the size of the list of words for the dictionary attack. For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary, then the search space for attacking salted passwords would be 232 * 500,000 = 2,147,483,648,000,000, which is over 2 quadrillion. Also, even if an attacker can find a salt password for a userid, he only learns one password.
More Related