Lecture 11: 16th October 2019 Flashcards Preview

CS4203 Computer Security > Lecture 11: 16th October 2019 > Flashcards

Flashcards in Lecture 11: 16th October 2019 Deck (36)
Loading flashcards...
1
Q

What is x.509?

A

A standard for the format of public key certificates used in many Internet protocols

2
Q

How can we implement private comms on the Internet?

A

We need to make protocols that ensure the source and destination IP addresses and ports and the message body of packets are unreadable

3
Q

Where can secure comms be implemented in the 5-layer model?

A

any point

4
Q

How does security impact network load?

A

Increases load by ~80-90% due to greater number of packets

5
Q

What is a MAC?

A

MAC = message authentication code = A short piece of data attached to messages to authenticate them generated from a keyed hash function using the message data and a symmetric key known to the sender and receiver.

6
Q

What are MACs aka?

A

MIC and tag

7
Q

What are session keys?

A

Single-use randomly generated symmetric keys used for encrypting communications between two hosts over the course of one connection. They limit the legibility of the messages to only themselves during that session.

8
Q

What is SSL?

A

SSL = Secure Sockets Layer = A protocol that enables encrypted communications over a network (the Internet). SSL is at the transport layer, sitting on top of TCP, and provides an application interface for secure and encrypted communications

9
Q

Where is SSL on the layered model?

A

the transport layer

10
Q

How does SSL work?

A

SSL has normal process of handshake/data exchange/close but also includes choosing the cipher suite and keys in the handshake so that from then all communications are encrypted and secure

11
Q

What is SSL’s flow of control?

A

TCP handshake:

  • A to B : syn (synchronise)
  • B to A : syn OK
  • A to B : syn OK ack

then comms

TCP FIN:
- A to B: Fin
- B to A: Fin Ack
(or other way around)

Handshake and fin are unencrypted. Cipher suite choosing and key exchange in “comms” section above, but immediately after handshake

12
Q

What is a nonce?

A

“number only once”: random number used to identify a communications exchange and establish secure communications; ~ a session key

13
Q

How are nonces involved with SSL handshakes?

A

Server sends a nonce back to client with certificate and cipher suite choice

14
Q

How are ciphers agreed in SSL handshakes?

A

Client tells server which algorithms it supports; server chooses an algorithm from the list and sends choice

15
Q

What are some vulnerabilities in HTTPS?

A

Heartbleed in the past; incorrect usage leads to vulnerabilities; anyone can get CAs; breaches in any CA affects them all and all of them can make a certificate for any site

16
Q

What is the difference between HTTPS, SSL, TLS, and STARTTLS?

A

HTTPS = an extension of HTTP implementing secure communication over a computer network that is widely used on the Internet. In HTTPS, the communication protocol is encrypted using TLS or, formerly, its predecessor, SSL

SSL = Secure Sockets Layer = A protocol that enables encrypted communications over a network (the Internet). SSL is at the transport layer, sitting on top of TCP, and provides an application interface for secure and encrypted communications

TLS = A cryptographic protocol implementing secure, encrypted communications over a network. It is at the transport and session layer and is on top of TCP, again providing an application interface for secure and encrypted communications

STARTTLS = An extension to SMTP facilitates secure and encrypted communications between SMTP clients and servers. Tries to use TLS and falls back to SSL.

17
Q

What is the weakest-link problem with CAs?

A

The fact that any CA can issue a certificate for any site, a breach in 1 affects all their certificates and all other CAs

18
Q

Why do cookies present a security vulnerability?

A

Set-cookie allows inspection and alteration of a user’s cookie data by a server

19
Q

Why do forms on websites present security vulnerabilities?

A

You can pass scripts to servers in input elements to make them execute. GET requests include parameters in the URL in plaintext, POST requests need a max length, and PHP is susceptible to SQL injections and needs filter sanitising

20
Q

What is filter sanitising?

A

Removing certain characters to stop inputs being executable script statements

21
Q

What are SQL injection attacks?

A

Using web page inputs to insert SQL statements into a server to execute and perform some malicious actions

22
Q

How can you use forms to execute JS code?

A

Put escaped JS code into form inputs to possibly get processed and executed

23
Q

What is cross-site scripting?

A

Cross-site scripting (XSS) is when attackers inject client-side scripts into trusted web pages viewed by other users.

24
Q

How can HTML source code allow footprinting?

A

Looking at artefacts such as comments, TODOs, etc. might give you clues as to the architecture of the site that may allow you to design a viable attack.

25
Q

What is session hijacking?

A

The exploitation of a valid computer session - session key - to gain the ability to authenticate themselves as a different user connected to a server in a session.

26
Q

What is HTTP response splitting?

A

When an attacker alters the HTTP responses given by a server to include false endings within their header so the actual response body is ignored, instead returning a payload determined by the attacker. This allows the attacker to include an abrtirary number of headers in a response or even send multiple.

27
Q

What is cache poisoning?

A

When a malformed HTTP response, generated by an attacker, is served to multiple users from a web cache until the cache entry from that response is destroyed.

28
Q

What are the 5 steps in assessing a web service?

A
  1. Identify the web service running – look at HTTP head or use WebServerFP or hmap type tools
  2. Identify subsystems and enabled components (extensions, verified and unverified components) such as ASP.NET, Frontpage, PHP,
    OpenSSL, IIS ISAPI extensions.
  3. Investigate known vulnerabilities in web services – MITRE, CVE, metasploit tools etc for lists or tools such as N-Stealth, nkito (Linux)
  4. Identify poorly constructed or protected sensitive data – poor HTTP authentication, URL query strings
  5. Assess CGI, ASP etc scripts – look for parm manipulation, filter evasion, patch regularly. Some assessment tools are available such as Achilles, Exodus, WebSleuth.
29
Q

What are some issues with email services?

A

Emails have suffered from trojans, vurises, hoaxes and of course spam.

Encryption can be done through PGP (Pretty Good Privacy) or S/MIME (Secure/Mutipurpose Internet Mail Extensions) which was designed to support Internet email. Both are used for Outook, Eudora etc and allow end-to-end security.

30
Q

How do the transit problems with Internet traffic apply to email?

A
  1. interception - some organisations protect email up to the edge of the network, and some may copy all emails (legal or government companies) as email are evidence or legal documents
  2. monitoring - some organisations monitor email for business patterns or for information disclosure. Some companies state they have the right to access email at any time.
  3. anonymisation - some companies (Yahoo, Hotmail) offer free email addresses which can be treated as once use disposable emails.
  4. remailers - these are 3rd party mailers who forward email onto a designated recipient. The third party keeps detailed records to allow forwarding in both directions to recipient and sender. Essentially this is not anonymity but pseudonimity. However, a TOR like setup can allow a series of co-operating servers to hide sender details under asymmetric encryption.
  5. spoofing- the SMTP protocol does not check for legitimacy or accuracy. (See https://tools.ietf.org/html/rfc821 or rfc7435)
31
Q

What is STARTTLS?

A

An extension to SMTP facilitates secure and encrypted communications between SMTP clients and servers. Tries to use TLS and falls back to SSL.

32
Q

How does STARTTLS work?

A

STARTTLS encrypts a session after it is established. After an SMTP session is initiated an email server lists the services or features it supports. If encryption is not available then the unencrypted transfer of data will occur. it tries to with TLS at first then falls back to SSL.

33
Q

What is STARTTLS stripping?

A

This attack takes advantage of the fail-open design of STARTTLS, that is, the SMTP servers using cleartext if the STARTTLS handshake fails. Like many security mechanisms, STARTTLS is designed to “fail open” rather than “fail closed,” meaning that when certain errors happen, servers will simply send e-mail in unencrypted form rather than failing to send the message at all. Network actors can exploit this design by sending certain types of packets that trigger a fail-open error.

34
Q

What are some remaining issues with security on the web despite the use of encryption and certificates?

A

Privacy from looking at headers even if encrypted; easy to get SSL certificate; exploits and vulnerabilities in site backends; exploits (injections) from web browsers; exploits from URL parameters, etc

35
Q

What are X.509 certificates composed of?

A

unique ID; subject; signature algorithm used; signature; issuer; valid from; valid until; key-usage (how to use public key); public key; thumbprint algorithm; thumbprint.

36
Q

What are some security issues associated with databases?

A
  1. Access Control: restriction levels of read, write (update). Delete must be at admin level.
  2. Authentication: Pre phase of authentication needed for access.
  3. Physical DB integrity: power failures, disc failure etc should not affect the data.
  4. Logical DB integrity: The structure of the DB is preserved after data modification (no loss of fields, keys etc).
  5. Auditability: for forensic or legal reasons as well as reconstruction.
  6. Two phase update: designed to prevent problems during update (long intent phase and then commit phase when commit flag is set)