Cybersecurity • Martyn Thomas CBE FREng • Livery Company Professor of Information Technology
Cybercrimes and cyberattacks come in many varieties • Phishing emails • Hijacked email accounts • Hijacked website accounts • Computer viruses • Buffer overflow attacks • SQL Injection attacks (SQLi) • Cross-site scripting (XSS) • … and many more
They steal money ... www.cyberliving.uk #cyberliving
… they steal personal data, to sell or to use in later crimes ...
Sometimes the data is used to blackmail the victim
… sometimes they extort money with threats, through ransomware that encrypts all your data and demands payment for the key
Several US hospitals have been attacked with ransomware, disabling systems and putting patients at risk; others have had medical records stolen
Some cybercriminals are caught and may be prosecuted, but many cybercrimes are committed from overseas
Many attacks start with phishing and spear-phishing emails to trick you into opening attachments, visiting malicious websites or sending money. Increasingly, phishing emails are personalised and individually targeted, using details from Facebook, Twitter, LinkedIn and other social media sites
A typical phishing email • urgency! • the l of Paypal is actually an I, to help fool spam detection • poor spelling or grammar • hovering your mouse over the link should reveal the true URL
The full email headers show the source as The House of Autostyling in Australia. Their system has possibly become part of a botnet. I have notified them, using the contact details on their website
Botnets • Tens of thousands of infected computers controlled by a criminal
What are botnets used for? • Sending spam • each computer may only send a few dozen a day to avoid detection • Distributed Denial of Service (DDoS) attacks • flooding the target with vast numbers of messages to disable it • Click fraud • collecting fees for clicking on advertisements • Proxy sites for child pornography and other crimes • Bitcoin mining and other computationally intensive tasks • downloading other malware etc • e.g. keyloggers to collect passwords and private data
How are botnets created? • The botnet software is installed • through a virus, or opening an attachment, or installing some free software that contains trojan code, or by visiting a video website that says you have to install a viewer or some other software, or by visiting a website that downloads malicious Javascript, or by opening a Word document that contains a malicious macro, or installing an infected USB or DVD or… • The computer connects to the command-and-control (C&C) server over the internet. • The C&C server maintains regular contact, downloads other malware and issues commands • The C&C server will be one of many botnet computers that are acting as proxies for the real C&C master, to conceal its location. The indirection may be many links deep.
How do hackers access accounts? a: common passwords • number sequences: 1234, 12345678, 11111111 etc • keyboard wipes across: qwertyuiop, etc • keyboard wipes down: 1qaz2wsx and variants • a recent top 20 includes pass, password, passw0rd, letmein, master, football, pussy, starwars, dragon, monkey • names, (foods), (colours), (cars) • search online for “popular passwords” and avoid them! • all real words may be vulnerable to a dictionary attack
How do hackers access accounts? b: stolen and re-used passwords • A popular site is broken into and the password file is stolen • or the victim logs into a site that is collecting credentials • The victim has used the same username and password on other sites
How do hackers access accounts? c: intercepted passwords • The hacker creates a “free wifi access point” in a cafe, airport or other public space. • The victim uses the network, and the hacker copies all the network traffic (using Wireshark, for example)
Trojan code: a reason never to open email attachments or download any software without careful checking • Email attachments (exe files, java, macros in Word or Excel files, spoofed file types …) • Free or paid-for software with hidden criminal functionality (games, browser add-ins for video viewers etc). • websites that download malicious java or other software. • malicious websites • an insecure legitimate website that was compromised (eg XSS) • Malicious advertising links • Third-party links that are later changed …
An excellent source of information about common cyberattacks, how they work and how developers can protect web systems
2013-A1 – Injection • Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter • Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… • SQL injection is still quite common • Many applications still susceptible (really don’t know why) • Even though it’s usually very simple to avoid • Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access
SQL Injection basics • A web page asks for a user name and I type Thomas. • The web page then builds a database SQL request • SELECT userdetails FROM USERS WHERE uname IS 'Thomas' • but if I type my username as '; DROP TABLE USERS; -- • then if the programmer has taken no precautions, the query will become • SELECT userdetails FROM USERS WHERE uname IS ''; DROP TABLE USERS; --' • which will select a null username, then delete the entire USERS table from the database. (The double minus at the end causes everything that follows to be ignored.) • The same trick can be used with other SQL commands to select all the users and change their passwords, for example.
It’s so well known, it has become a joke http://xkcd.com/327/
A1 – Avoiding Injection Flaws • Recommendations • Avoid the interpreter entirely, or • Use an interface that supports bind variables (e.g., prepared statements, or stored procedures) • Bind variables allow the interpreter to distinguish between code and data • Encode all user input before passing it to the interpreter • Always perform ‘white list’ input validation on all user supplied input • Always minimize database privileges to reduce the impact of a flaw • References • For more details, read the https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
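The username lookup from the SQL injection slide, first built by string concatenation and then with a bind variable as the OWASP recommendation describes. This is an added example, not code from the lecture; the in-memory SQLite USERS table and its two rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample database (not from the lecture): a USERS table with two rows.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (uname TEXT, userdetails TEXT)")
    con.executemany("INSERT INTO USERS VALUES (?, ?)",
                    [("Thomas", "lecturer"), ("Alice", "student")])
    return con

def users_table_exists(con):
    q = "SELECT name FROM sqlite_master WHERE type='table' AND name='USERS'"
    return con.execute(q).fetchone() is not None

def lookup_vulnerable(con, uname):
    # The user's text is pasted into the command, so the database parses it as SQL:
    # "' OR '1'='1" returns every user, "'; DROP TABLE USERS; --" deletes the table.
    sql = "SELECT userdetails FROM USERS WHERE uname = '" + uname + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3.execute refuses a second statement; executescript, like many
        # real drivers, runs them all, so the smuggled DROP TABLE takes effect.
        con.executescript(sql)
        return []

def lookup_safe(con, uname):
    # Bind variable: the driver passes the name as data, never as SQL text,
    # so the same payloads are simply usernames that match nothing.
    sql = "SELECT userdetails FROM USERS WHERE uname = ?"
    return [row[0] for row in con.execute(sql, (uname,))]
```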
A typical overflow: Copying a string in C/C++ • strcpy: char * strcpy ( char *destination, const char *source ); • Copies the C string pointed to by source into the array pointed to by destination, including the terminating null character (and stopping at that point). • To avoid overflows, the array pointed to by destination shall be long enough to contain the same C string as source (including the terminating null character), and should not overlap in memory with source.
A Buffer Overflow can be used for a cyberattack • A “buffer” is a fixed length area of computer memory, typically defined as an array of characters. An example would be the memory for a username or password
Buffer Overflows • By overflowing the buffer the attacker can overwrite the return address and also insert some malicious code. Adding lots of no-operation instructions ahead of the code makes it much easier to overwrite the return address with an address that will jump to the code. http://www.cis.syr.edu/~wedu/Teaching/IntrCompSec/LectureNotes_New/Buffer_Overflow.pdf
Any system may be attacked through buffer overflows - not just websites. This was a buffer overflow attack on a car using a text message, but any digital data interface may be vulnerable to a buffer overflow attack.
It is easy to find devices that are connected to the internet and then probe for known vulnerabilities and default passwords
Another Top-10 attack: Cross-site scripting • The attacker enters malicious script that will be stored and displayed to other users, for example in a discussion forum or a social media site
Cross-Site Scripting Illustrated (diagram: application with stored XSS vulnerability, business functions and custom code) • 1: Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server • 2: Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies • 3: Script silently sends attacker the victim’s session cookie
2013-A3 – Cross-Site Scripting (XSS) • Occurs any time… • Raw data from attacker is sent to an innocent user’s browser • Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client • Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) • Typical Impact • Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
Examining the Document Cookie on the BBC website: function key F12 opens the browser console. Then executing javascript:alert(document.cookie) displays the cookie
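The stored-XSS profile page from the diagram above, rendered once with the raw stored text and once with output encoding, plus an attribute-context case showing that the encoding has to match where the data lands. This is an added example, not code from the lecture; the in-memory PROFILES store and the sample values are constructed.

```python
import html

# Constructed stand-in for the application's database (not from the lecture).
PROFILES = {}

def save_profile(user, about_me):
    # Stored XSS: the server keeps whatever was submitted, unchanged.
    PROFILES[user] = about_me

def render_profile_vulnerable(user):
    # Raw stored data goes straight into the HTML sent to every viewer's browser,
    # so a <script> element in the profile runs with access to the DOM and cookies.
    return "<div class='about'>" + PROFILES[user] + "</div>"

def render_profile_safe(user):
    # Output encoding: &, <, >, " and ' become entities, so the browser displays
    # the text instead of executing it.
    return "<div class='about'>" + html.escape(PROFILES[user], quote=True) + "</div>"

def render_search_box(term, quote=True):
    # Data inside a quoted attribute: escaping only < > & (quote=False) leaves the
    # quote character, so the value can still break out of the attribute.
    return "<input value='" + html.escape(term, quote=quote) + "'>"

def contains_live_script(page):
    # Crude check for a surviving <script ...> start tag in the rendered page.
    return "<script" in page.lower()

if __name__ == "__main__":
    save_profile("mallory", "<script>alert(document.cookie)</script>")
    print(render_profile_vulnerable("mallory"))
    print(render_profile_safe("mallory"))
    print(render_search_box("' autofocus onfocus='alert(1)", quote=False))
    print(render_search_box("' autofocus onfocus='alert(1)"))
```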
The most common way to reduce the vulnerability to cyberattack is through test-and-fix • Testing for cyber vulnerabilities is called Penetration Testing or pen testing • It has the same weakness as other forms of testing: it may show the presence of defects but it cannot show the absence of defects. • Pen testers may run large numbers of known attacks against systems, using special testing tools and databases of known exploits ... • … but so may attackers
Metasploit is a popular and powerful tool for penetration testing, with a library of known exploits
https://www.exploit-db.com/ An archive of tens of thousands of reported and verified vulnerabilities, vulnerable applications and exploits, available for download
How can you protect yourself? • Use strong passwords • Use software that helps to protect you: I use • Thunderbird for emails, • Firefox as a browser with the NoScript add-on (it’s inconvenient but powerful) • Startpage as a search engine with the Startpage proxy links to visit pages • ad-blockers and tracker blockers