1 / 53

Cybersecurity

Cybersecurity. Martyn Thomas CBE FREng Livery Company Professor of Information Technology. Cybercrimes and cyberattacks come in many varieties. Phishing emails Hijacked email accounts Hijacked website accounts Computer viruses Buffer overflow attacks SQL Insertion attacks (SQLi)

nestork
Télécharger la présentation

Cybersecurity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cybersecurity • Martyn Thomas CBE FREng • Livery Company Professor of Information Technology

  2. Cybercrimes and cyberattacks come in many varieties • Phishing emails • Hijacked email accounts • Hijacked website accounts • Computer viruses • Buffer overflow attacks • SQL Insertion attacks (SQLi) • Cross-site scripting (XSS) • … … and many more

  3. They steal money ... www.cyberliving.uk #cyberliving

  4. … they steal personal data, to sell or to use in later crimes ... www.cyberliving.uk #cyberliving

  5. sometimes the data is used to blackmail the victim www.cyberliving.uk #cyberliving

  6. … sometimes they extort money with threats through ransomwarethat encrypts all your data and demands payment for the key

  7. … sometimes the criminals just demand payment ...

  8. … sometimes they claim they are the police...

  9. … or the US Department of Justice / FBI

  10. Several US hospitals have been attacked with ransomware, disabling systems and putting patients at risk, others have had medical records stolen www.cyberliving.uk #cyberliving

  11. Some cybercriminals are caught and may be prosecuted- but many cybercrimes are committed from overseas

  12. Many attacks start withPhishing and spear-phishingemails to trick you into opening attachments visiting malicious websites or sending moneyIncreasingly, phishing emails are personalised and individually targeted, using details from Facebook, Twitter, LinkedIn and other social media sites

  13. a typical phishing email urgency! the l of Paypal is actually an I to help fool spam detection poor spelling or grammar hovering your mouse over the link should reveal the true URL

  14. The full email headers show the source as The House of Autostyling in Australia.Their system has possibly become part of a botnet I have notified them, using the contact details on their website

  15. BotnetsTens of thousands of infected computers controlled by a criminal

  16. What are botnets used for? • Sending spam • each computer may only send a few dozen a day to avoid detection • Distributed Denial of Service (DDoS) attacks • flooding the target with vast numbers of messages to disable it • Click fraud • collecting fees for clicking on advertisements • Proxy sites for child pornography and other crimes • Bitcoin mining and other computationally intensive tasks • downloading other malware etc • e.g. keyloggers to collect passwords and private data

  17. How are botnets created? • The botnet software is installed • through a virus, or opening an attachment, or installing some free software that contains trojan code, or by visiting a video website that says you have to install a viewer or some other software, or by visiting a website that downloads malicious Javascript, or by opening a Word document that contains a malicious macro, or installing an infected USB or DVD or… • The computer connects to the command-and-control (C&C) server over the internet. • The C&C server maintains regular contact, downloads other malware and issues commands • The C&C server will be one of many botnet computers that are acting as proxies for the real C&C master, to conceal its location. The indirection may be many links deep.

  18. Cyberattacks often involve:Account hijacking

  19. How do hackers access accounts?a: common passwords • number sequences: 1234, 12345678, 11111111 etc • keyboard wipes across: qwertyuiop, etc • keyboard wipes down: 1qaz2wsx and variants • a recent top 20 includes pass, password, passw0rd, letmein, master, football, pussy, starwars, dragon, monkey • names, (foods), (colours), (cars) • search online for “popular passwords” and avoid them! • all real words may be vulnerable to a dictionary attack

  20. How do hackers access accounts?b: stolen and re-used passwords • A popular site is broken into and the password file is stolen • or the victim logs into a site that is collecting credentials • The victim has used the same username and password on other sites

  21. How do hackers access accounts?c: intercepted passwords • The hacker creates a “free wifi access point” in a cafe, airport or other public space. • The victim uses the network, and the hacker copies all the network traffic (using Wireshark, for example)

  22. Trojan codea reason never to open email attachments or download any software without careful checking • Email attachments (exe files, java, macros in Word or Excel files, spoofed file types …) • Free or paid-for software with hidden criminal functionality (games, browser add-ins for video viewers etc). • websites that download malicious java or other software. • malicious websites • an insecure legitimate website that was compromised (eg XSS) • Malicious advertising links • Third-party links that are later changed …

  23. An excellent source of information about common cyberattacks, how they work and how developers can protect web systems

  24. SQL Injection (SQLi)

  25. Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter 2013-A1 – Injection • Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… • SQL injection is still quite common • Many applications still susceptible (really don’t know why) • Even though it’s usually very simple to avoid • Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access

  26. SQL Injection basics • A web page asks for a user name and I typeThomas. • The web page then builds a database SQL request • SELECT userdetails FROM USERS WHERE uname IS ‘Thomas’ • but if I type my username as‘;DROP TABLE USERS; -- • then if the programmer has taken no precautions, the query will become • SELECT userdetails FROM USERS WHERE uname IS ‘’;DROP TABLE USERS; --’ • Which will select a null username, then delete the entire USER table from the database. (The double minus at the end causes everything that follows to be ignored). • The same trick can be used with other SQL commands to select all the users and change their passwords, for example.

  27. SQL Injection exploits

  28. It’s so well known, it has become a joke http://xkcd.com/327/

  29. Recommendations • Avoid the interpreter entirely, or • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures), • Bind variables allow the interpreter to distinguish between code and data • Encode all user input before passing it to the interpreter • Always perform ‘white list’ input validation on all user supplied input • Always minimize database privileges to reduce the impact of a flaw A1 – Avoiding Injection Flaws • References • For more details, read thehttps://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

  30. Another very common attack:Buffer overflow

  31. A typical overflow: Copying a string in C/C++ • strcpychar * strcpy ( char *destination, const char *source ); • Copies the C string pointed by source into the array pointed by destination, including the terminating nullcharacter (and stopping at that point). • To avoid overflows, the size of the array pointed by destination shall be long enough to contain the same C string as source (including the terminating null character), and should not overlap in memory with source.

  32. A Buffer Overflow can be used for a cyberattack • A “buffer” is a fixed length area of computer memory, typically defined as an array of characters. An example would be the memory for a username or password

  33. Buffer Overflows • By overflowing the buffer the attacker can overwrite the return address and also insert some malicious code. Adding lots of no-operation instructions ahead of the code makes it much easier to overwrite • the return address with an address that will jump to the code. http://www.cis.syr.edu/~wedu/Teaching/IntrCompSec/LectureNotes_New/Buffer_Overflow.pdf

  34. Any system may be attacked through buffer overflows - not just websitesThis was a buffer overflow attack on a car using a text message, but any digital data interface may be vulnerable to a buffer overflow attack. www.cyberliving.uk #cyberliving

  35. It is easy to find devices that are connected to the internet and then probe for known vulnerabilities and default passwords

  36. Another Top-10 attack:Cross-site scriptingThe attacker enters malicious script that will be stored and displayed by other usersfor example, in a discussion forum or a social media site

  37. Cross-Site Scripting Illustrated 3 2 1 Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code Attacker sets the trap – update my profile Application with stored XSS vulnerability Attacker enters a malicious script into a web page that stores the data on the server Victim views page – sees attacker profile Script runs inside victim’s browser with full access to the DOM and cookies Script silently sends attacker Victim’s session cookie

  38. Occurs any time… • Raw data from attacker is sent to an innocent user’s browser 2013-A3 – Cross-Site Scripting (XSS) • Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client • Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) • Typical Impact • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites

  39. Examining the Document Cookie on the BBC website: Function key F12 opens the browser console. Then executing javascript: alert(document.cookie) displays the cookie www.cyberliving.uk #cyberliving

  40. The most common way to reduce the vulnerability to cyberattack is through test-and fix • Testing for cyber vulnerabilities is called Penetration Testing or pen testing • It has the same weakness as other forms of testing: it may show the presence ofdefects but it cannot show the absence of defects. • Pen testers may run large numbers of known attacks against systems, using special testing tools and databases of known exploits ... • … but so may attackers

  41. Metasploit is a popular and powerful tool for penetration testingwith a library of known exploits

  42. https://www.exploit-db.com/ An archive of tens of thousands of reported and verified vulnerabilities, vulnerable applications and exploits, available for download

  43. How can you protect yourself? • Use strong passwords • Use software that helps to protect you : I use • Thunderbird for emails, • Firefox as a browser with the NoScript add-on (it’s inconvenient but powerful) • Startpage as a search engine with the Startpage proxy links to visit pages • ad-blockers and tracker blockers

  44. Cybersecurity Advice

More Related