Cybersecurity Camp

CACR Security Matters

June 15-16, 2017

Ryan Kiser, rlkiser@iu.edu

Mark Krenz, mkrenz@iu.edu

Anurag Shankar, ashankar@iu.edu 

Susan Sons, sesons@iu.edu

Welcome

Many Thanks

  • Volunteer Helpers
  • Logistics, Space, and Food:
    • Leslee Bohland
    • Amy Starzynski Coddens
  • overthewire.org for Natas wargame
  • The Boss:
    • Von Welch

Things to Think About Today

Hint: It's really not that hard.

Infosec Expertise Has a Few Concrete Parts:

  • Understanding Specific Technologies
  • ...and the Principles Upon Which They Operate
  • Principles of Information Security
  • Working Down the Assumptions Stack
  • Adversarial Mindset
  • Risk Assessment
  • A Dash of Psychology & Sociology

We can't teach you everything in two days...

...but we can give you good tools and a

jumping-off point.

Today & tomorrow, we'll cover some specific security topics:

  • Ethics
  • Network Security
  • Current Events
  • Linux/UNIX Basics
  • Cybercrime
  • Password Security
  • Forensics
  • Lockpicking

...but it's just a taste.  If you want to get good, first you need to decide what kind of good, then you need to do some work on your own.  We'll point out next steps as we go.

  • Social Engineering
  • Defense
  • Mobile/IoT
  • Phishing
  • Careers
  • Malware
  • Web Pentesting
  • Datacenter Tour

Cybersecurity Ethics

Know what you are doing.  Good intentions are necessary, but not sufficient.

If you don't know what you are doing, at least make absolutely sure the experiment can't escape the lab.

Beware of side effects.  If you anger a botnet controller, chances are your whole house, if not your whole block, is getting DDoSed.

Never assume that someone more mature, better trained, and better paid than you did anything right.  If you assume this long enough, someone will die, or at least lose their life savings.

 

When you find out exactly how true this is, do a responsible disclosure.  If you are afraid of your own exposure, use a safe proxy person/group to help you do a responsible disclosure.

Safety Tips:

  1. Know how to give yourself an air of legitimacy: you may need it unexpectedly.
  2. Know the law, and don't break the ones that matter.  Nobody cares if you have a high-flow showerhead.  Everybody cares if you plant strobing GIFs on the web forum for the National Epilepsy Foundation.
  3. Don't pick fights.  Best case, you are kicking some sad person who can barely send email, and you're a pathetic lowlife.  Worst case, 25 refrigerators will show up at your house, you will be billed, and it will ruin your credit.  Also, good luck opening the door with 25 refrigerators blocking it.  Then it gets worse.

FINAL SAFETY TIP

Never trust skiddies.

 

Ever.

Network Security

Prerequisite:

  1. Open http://heart.climagic.com/ in your browser
     Username: cybercamp
     Password: CahDo8xu
  2. Click on the link to download the zip file. The zip file contains network dump files (pcap extension) that we created, which we will be viewing in a lab in this section.
  3. Also make sure you have Wireshark installed (www.wireshark.org)

Network Security

  • How the Internet works
  • IPs
  • DNS
  • Protocols
  • Encryption with SSL and TLS
  • Your home router/connection and ISPs
  • WiFi

Topics

(From a user's perspective)

How the Internet works

Guess what? It really is a "series of tubes".

 

Sources:

http://9gag.com/gag/amL8Voo/the-internet-is-a-series-of-tubes-confirmed

https://www.aflglobal.com/Products/Fiber-Optic-Cable/ADSS.aspx   

http://www.thefoa.org/tech/ref/OSP/install.html

How the Internet works

Network Security - A user's perspective

The Internet is made up of many millions of independent multi-level networks that are all linked together through common carriers (The "backbones") and facilitate communication using standardized protocols.

"The Internet is a network of networks"

Your home network is one of those networks

How the Internet works

Network Security - A user's perspective

How most connections to a website work

Your ISP -> Upstream provider A -> Upstream provider B -> Datacenter (webserver's ISP) -> Server hosting website you visit

Upstream provider C (not used for this connection)

How the Internet works

Network Security - A user's perspective

How most connections to a website work

Your ISP -> Upstream provider A -> Upstream provider B -> Datacenter (webserver's ISP) -> Server hosting website you visit

Every hop along this path is an opportunity for network traffic to be seen by others.

How the Internet works

Network Security - A user's perspective

Internet Protocol Addressing (IP addresses)

 

At a low level, we need to use numbers for addresses.

This is what an IP address looks like.

 

129.79.43.149

The general structure is

A.B.C.D

  • From left to right each number becomes more specific.
  • Each position in the dotted quad can be a number from 0 to 255.
  • Some numbers (like 0 and 255) have special meaning.

How the Internet works

Network Security - A user's perspective

Internet Protocol Addressing (IP addresses)

129.79.43.149

For the IP above, we have the following allocation hierarchy

  • 129.0.0.0 - 129.255.255.255 = Allocated to ARIN by IANA
  • 129.79.0.0 - 129.79.255.255 = Allocated to IU by ARIN
  • 129.79.43.0 - 129.79.43.255 = Allocated by IU for various servers
  • 129.79.43.149 = Allocated by IU for natas.cacr.iu.edu
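An added Python example (not from the slides) that walks this hierarchy by hand: it packs a dotted quad into the 32-bit number routers actually use, tests prefix membership with a mask, and lists every block containing an address, least specific first. The table holds the four allocations above plus the two neighbouring /16 blocks from the next slide.

```python
# Added example, not from the slides: IPv4 allocation hierarchy by hand.

# Allocation table as given on the slides (prefix, holder).
ALLOCATIONS = [
    ("129.0.0.0/8", "Allocated to ARIN by IANA"),
    ("129.79.0.0/16", "Allocated to IU by ARIN"),
    ("129.79.43.0/24", "Allocated by IU for various servers"),
    ("129.79.43.149/32", "Allocated by IU for natas.cacr.iu.edu"),
    ("129.78.0.0/16", "University of Sydney (Australia)"),
    ("129.80.0.0/16", "Oracle Corporation"),
]


def ip_to_int(dotted):
    """Pack a dotted quad into one 32-bit number. Each of the four
    positions must be 0..255, exactly as the slide states."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % dotted)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Unpack a 32-bit number back into dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _mask(length):
    """A /N prefix fixes the top N bits; this is the matching bitmask."""
    return (0xFFFFFFFF << (32 - int(length))) & 0xFFFFFFFF


def in_prefix(ip, cidr):
    """True if ip lies inside the CIDR block. Longer prefixes fix more of
    the leading bits, which is why the address gets more specific left to right."""
    network, length = cidr.split("/")
    mask = _mask(length)
    return ip_to_int(ip) & mask == ip_to_int(network) & mask


def prefix_range(cidr):
    """First and last address of a block, e.g. 129.79.0.0 - 129.79.255.255."""
    network, length = cidr.split("/")
    mask = _mask(length)
    first = ip_to_int(network) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return int_to_ip(first), int_to_ip(last)


def allocation_chain(ip, table=ALLOCATIONS):
    """Every block containing ip, shortest prefix (least specific) first."""
    matches = [(cidr, holder) for cidr, holder in table if in_prefix(ip, cidr)]
    return sorted(matches, key=lambda row: int(row[0].split("/")[1]))


if __name__ == "__main__":
    for cidr, holder in allocation_chain("129.79.43.149"):
        first, last = prefix_range(cidr)
        print("%s - %s = %s" % (first, last, holder))
```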

How the Internet works

Network Security - A user's perspective

Internet Protocol Addressing (IP addresses)

The allocations are mostly administrative and do not always map to a physical location or logical network hierarchy.

  • 129.80.0.0/16 = Oracle Corporation
  • 129.79.0.0/16 = Indiana University
  • 129.78.0.0/16 = University of Sydney (Australia)

*You can use a 'whois' program to determine this information.

How the Internet works

Network Security - A user's perspective

Domain Name System (DNS)

Because people think they don't like remembering numbers.

DNS translates a name you type in such as www.youtube.com into an IP address.

www.youtube.com

172.217.6.110

Your web browser then connects to the IP address and tells the server listening on that IP that it wants to visit www.youtube.com.

LAB: Try typing in the IP address above in your web browser's address bar to see what happens.

How the Internet works

Network Security - A user's perspective

Domain Name System (DNS)

Because people think they don't like remembering numbers.

  • DNS information comes from DNS servers.
  • Your ISP's DNS server determines the answer for you.
  • This information can be overridden by you, your ISP or an attacker.
  • This information can be spoofed.
  • Unfortunately solutions to security problems (such as DNSSEC) are not widely adopted yet.

How the Internet works

Network Security - A user's perspective

Possible Lab: Let's update /etc/hosts on your computer to go to the local natas challenge.

On Windows the file is located at

C:\windows\system32\drivers\etc\hosts

On Mac and Linux it is /etc/hosts

WARNING:

  • Changing this file can alter your internet connectivity.
  • It also requires admin privileges to alter.

How the Internet works

Network Security - A user's perspective

LAB: Let's make a DNS query ourselves

  • Open the command line
    • Mac or Linux: Open the Terminal program
    • Windows: Run cmd.exe
  • type 'nslookup www.owasp.org'
  • Now type the IP returned into your web browser's address bar.

How the Internet works

Network Security - A user's perspective

Examples of DNS exploits

  • Your ISP changing DNS responses
  • DNS cache poisoning
  • Malware changing /etc/hosts or DNS settings
  • Malware changing DHCP DNS servers
  • Typosquatting
  • Registration lapse and hijacking
  • Unicode look-alike characters
  • Common point of failure (8.8.8.8)
  • Cosmic Rays!

How the Internet works

Network Security - A user's perspective

Protocols

  • Most Internet protocols use TCP or UDP protocols
  • TCP allows for more reliable connections
  • UDP allows for lower overhead
  • Both can use port numbers from 0 to 65535
  • Standard protocols have a defined port (like HTTP = port 80)
  • A network client (such as a web browser) just establishes a connection and speaks the protocol.
  • We can even do it manually.

How the Internet works

Network Security - A user's perspective

Protocols: Demo

  • Open a terminal program
  • Run the command:
    telnet www.apple.com 80
  • Once connected, you can now communicate using the HTTP protocol.
  • Type the request below, then press Enter on an empty line to end the headers:
    GET / HTTP/1.1
    Host: www.apple.com

AHHH! WHAT ARE YOU DOING?

How the Internet works

Network Security - A user's perspective

Demo Wireshark (www.wireshark.org) using network dump files

Open http://heart.climagic.com/

Username: cybercamp

Password: CahDo8xu

Click on the link to download the zip file.

How the Internet works

Network Security - A user's perspective

  • Show how Browser view source works
  • Show how cookies work
  • Show robots.txt
  • Show URL manipulation

How the Internet works

Network Security - A user's perspective

Protocol exploits

  • Most standard protocols predate their common usage. Security was an afterthought (There's that assumption stack again)
  • Many protocols allow the client to fake information
  • Most protocols don't have encryption by default
  • Implementation mistakes
  • Clients often don't authenticate servers
  • MITM attacks

How the Internet works

Network Security - A user's perspective

All parts of the Internet are constantly under attack

How the Internet works

Network Security - A user's perspective

WiFi exploits

  • No authentication (Open Wifi)
  • WEP security is too weak
  • Hidden WiFi is actually worse
  • WPA and WPA2 are decent
  • Easy to guess passwords, often never changed
  • WiFi Pineapple
  • Your ESSID can be used to track you.

You are here

Can you guess what this is?

How the Internet works

Network Security - A user's perspective

Protecting data confidentiality with encryption

  • Scrambles information in a way that helps prevent unauthorized access.
  • It does not prevent unauthorized parties from intercepting the encrypted data
  • People have been encrypting data to maintain secrecy for thousands of years.

How the Internet works

Network Security - A user's perspective

Protecting data confidentiality with encryption

The Caesar Cipher

Used by Julius Caesar to protect military messages

Works by shifting each letter by a set number of positions

Source: https://en.wikipedia.org/wiki/Caesar_cipher#/media/File:Caesar_cipher_left_shift_of_3.svg

How the Internet works

Network Security - A user's perspective

Protecting data confidentiality with encryption

The Caesar Cipher

Caesar usually used a left shift of 3

PROTECT THE WEST WALL

MOLQBZQ QEB TBPQ TXII

Decryption is accomplished by knowing the encrypted message and the key, which is just the shift value and the direction of the shift.

How the Internet works

Network Security - A user's perspective

Protecting data confidentiality with encryption

The Vigenère cipher

Works by using a "pass word" as the key for shifting the letters in the plaintext message.

Plaintext:  ATTACKMONDAY
Key:        ABCABCABCABC
Ciphertext: ASRABIMNLDZW
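Both ciphers in one added Python example (not from the slides): a Caesar cipher is just a Vigenère cipher with a one-letter key, so one routine produces the left shift of 3 applied to PROTECT THE WEST WALL and the ABC key applied to ATTACKMONDAY above. It also lists every Caesar candidate, which is why a key space of 25 shifts protects nothing today.

```python
# Added example, not from the slides: Caesar and Vigenère as one shift cipher.
import string

ALPHABET = string.ascii_uppercase


def shift_cipher(text, key, direction="left"):
    """Shift each letter of text by the key letter at the same position
    (the key repeats). 'left' moves toward A, as in the slides' examples.
    Non-letters pass through unchanged and do not consume a key letter."""
    key = key.upper()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must be one or more letters A-Z")
    sign = -1 if direction == "left" else 1
    out = []
    i = 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * k) % 26])
        i += 1
    return "".join(out)


def caesar(text, shift=3, direction="left"):
    """Caesar's usual left shift of 3 is a Vigenère with the single key letter D."""
    return shift_cipher(text, ALPHABET[shift % 26], direction)


def undo(ciphertext, key, direction="left"):
    """Decrypt by shifting the opposite way with the same key."""
    opposite = "right" if direction == "left" else "left"
    return shift_cipher(ciphertext, key, opposite)


def brute_force_caesar(ciphertext):
    """Why Caesar fails: only 25 possible keys, so try them all.
    Returns {shift: candidate plaintext} assuming a left-shifted ciphertext."""
    return {s: shift_cipher(ciphertext, ALPHABET[s], "right") for s in range(1, 26)}


if __name__ == "__main__":
    print(caesar("PROTECT THE WEST WALL"))             # MOLQBZQ QEB TBPQ TXII
    print(shift_cipher("ATTACKMONDAY", "ABC"))         # ASRABIMNLDZW
    for shift, guess in brute_force_caesar("MOLQBZQ QEB TBPQ TXII").items():
        print(shift, guess)
```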

How the Internet works

Network Security - A user's perspective

Protecting data confidentiality with encryption

How encryption can fail

  • Usually a problem with implementation or operation.
  • Keys not kept secret
  • Did not follow required procedure
  • Copy of plaintext was discovered
  • Algorithm is flawed (We rolled our own)

How the Internet works

Network Security - A user's perspective

Internet of Things (IoT)

Source: http://edge.alluremedia.com.au/m/g/2016/03/shutterstock_329520023_1080.jpg

How the Internet works

Network Security - A user's perspective

Internet of Things (IoT)

(Basically, anything connected to the internet)

  • Traditional computer
  • Mobile devices
  • Printers
  • Webcams
  • Baby monitors
  • Refrigerators
  • Thermostats
  • Smoke Alarms
  • Doorlocks
  • Heart monitors
  • Coffee maker
  • and on and on and on........

How the Internet works

Network Security - A user's perspective

Talk about IoT and Dyn DNS DDoS attack on Friday, October 21, 2016 (Yesterday)

  • Distributed Denial of Service Attack (DDoS)
  • Data, sometimes random, sometimes not, is sent from thousands or even millions of computers to a target, overwhelming the target's resources.
  • Targeted a major DNS provider (Dyn) that is used by Netflix, Twitter, Reddit, Paypal and others
  • Malware called Mirai infected home and industrial IoT devices; its command-and-control software directs what those devices attack.
  • Distributed nature of DNS allowed victim websites to continue working for other parts of the Internet

Break

Current Events in Cybersecurity

Linux & UNIX Basics

Lunch

Stations

See you tomorrow for:

  • Defense
  • Mobile device & IoT Security
  • Phishing
  • Infosec Careers
  • Malware
  • Web Pentesting

Defense

Defend what from what?

  • Everything with an IP address gets some amount of attacks thrown at it; we refer to this as "internet noise".
  • The more you get interested in technology, the more likely you are to start accumulating things you especially want to protect: software repositories you work on, crypto keys, and so on.  These can be at risk from your own computer usage, from other things on your network, and from outside threats.
  • Experimenting with infosec can put your systems and data at risk if you don't carefully isolate and protect your lab.

What do we do about it?

Nothing can be perfectly secure, but we can reduce risk by:

 

  • Selecting technologies carefully, and using the least possible.
  • Configuring services properly.
  • Using strong authentication methods, multifactor whenever possible.
  • Separating things from one another.

Some methods and technologies:

Stay Updated

Hopefully, you are only running software that receives regular security updates.

 

Those updates don't do you any good if they aren't installed in a timely manner.  We see attacks in the wild within hours of a vulnerability being disclosed.  Don't sit unpatched for weeks...that's just being an easy target.

Think About Borders

If you have an ISP-provided router, it's probably already compromised.  A safer option is a mass-market router with a well-maintained firmware.

 

Consider that if you have a laptop, you are constantly putting it on untrusted WiFi; configure a firewall to limit your exposure.

OpenWRT / LEDE

A cheap way to get advanced features such as QoS and network segregation at home.

  • Have a separate guest network
  • Keep your infosec lab away from the rest of the network.
  • Fix latency issues from bufferbloat or poor balancing between gaming, streaming, browsing, and so on.

Linux

Even if you don't run Linux as your main OS, having a copy around for network diagnostics and other tools can be useful.

 

There are many professional-grade tools available for free, and taking advantage of them is one of the best ways to learn.

Virtual Machines

Using VirtualBox, KVM, Xen, or some other tool, you can create a plethora of virtual computers that you can use to run and experiment with different operating systems and configurations, test software, and test network connections between the virtuals.

 

While virtual machines can't 100% replace having a lab with a variety of hardware available (and can be resource intensive to run), they can be a good way to get variety and isolation on one machine.

Think About Authentication

  • Biometrics cannot be revoked
  • Password re-use is dangerous
  • Password managers can improve password usage, but passwords still get compromised.
  • Multi-factor authentication is an easy way to improve security.

Dig In To System Configuration

  • Where can I limit access from the outside?
  • How can I limit the access one process can have to another process or to data and resources?
  • How can I verify that the code and information I think I have is valid and authentic?
  • How can I ensure that my data storage and transfer are encrypted?

    See https://bettercrypto.org to learn more about secure configuration, especially with regard to cryptography.

Q & A

Mobile Devices & IoT

Break

Phishing Attacks

Or... why is my bank account balance now $0.00 ???

This is not a phishing attack

Source: Fish Blooper - Fisherman gets slapped in face by a carp [ https://www.youtube.com/watch?v=o8E-2jeQ8M0 ]

Phishing Attacks

  • Emails meant to deceive you into performing an action.
  • Could be any form of communication
  • One of the most effective and most used attacks in cybercrime
  • Relies on human trust

Phishing Exploit Trends

Email Phishing

From the victim's point of view, things look normal.

Looks Can Be Deceiving

The Real Website

Targeting Bank Accounts

  • Attacker sends you an email linking to their look-alike site
  • You log in to the look-alike site
  • Attacker now has your login credentials
  • Attacker logs into your real bank account

How the process works

...and it's gone.

How is this possible?

  • Email protocol (SMTP) lacks authenticity.
  • Attackers send anonymously from anywhere.
  • Websites only check username / password.
  • Relies on human naivety and impulsiveness.

Being vigilant isn't always easy and you must have the right tools.

How Internet URLs work

http://www.indiana.edu/about/index.html

  • http://           = protocol
  • www.indiana.edu   = domain or host name
  • /about/index.html = file or resource

How Internet URLs work

Part 2

https://examplebank.com/login.html?page=mobile

  • https://        = 'https' indicates encryption in use
  • examplebank.com = domain name is hostname
  • /login.html     = file
  • ?page=mobile    = query string

How Internet URLs work

Part 3

Make sure you check the URL in the correct place.

How Internet URLs work

Part 3

Make sure you check the URL in the correct place.

How Internet URLs work

Part 4

Make sure you check the URL in the correct place.

Rule of Thumb (or finger):

Usually the uppermost text box you can edit. But be observant.

How Internet URLs work

Part 5

Tips for "Smart" devices:

  • Become familiar with your favorite browser's address bar behavior.
  • Press and hold on link until context menu appears. It often shows the link URL.
  • Test behaviors in advance with a friend.

URL red flags

  • http://65.205.127.42/www.facebook.com/login.php
    • Avoid addresses that are all numbers and dots in the hostname part.
  • http://www.facebook.com@3627729028/
    • The @ symbol means login as the user before the @ to the hostname or IP address after. In this case, the IP address is obscured into dword format.
  • http://[A:CAFE:FEED:FACE:DEAD:BEEF:B:C]/
    • This is an IPv6 address, which is the new IP addressing standard. But it also uses letters A-F
  • http://0xFACEB001/K
    • IP address converted to hexadecimal. This really goes to IP 250.206.176.1
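An added Python example (not from the slides) that applies these red flags to a URL before you click: it decodes dword and hex hosts with plain arithmetic, and reports userinfo before an @, bare IPv4/IPv6 literals, plain http and, going one step past the slide, non-ASCII hostnames together with their punycode form.

```python
# Added example, not from the slides: spot the URL red flags from the slide.
import ipaddress
import re
from urllib.parse import urlsplit


def decode_numeric_host(host):
    """Turn a dword host (3627729028) or hex host (0xFACEB001) into dotted-quad
    form. Returns None when the host is not written that way."""
    if re.fullmatch(r"0x[0-9a-f]+", host):
        value = int(host, 16)
    elif re.fullmatch(r"[0-9]+", host):
        value = int(host)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def url_red_flags(url):
    """Return (normalised_host, list_of_flags) for one URL."""
    parts = urlsplit(url)
    # .hostname is lowercased with userinfo, port and IPv6 brackets stripped
    host = parts.hostname or ""
    flags = []
    if parts.username is not None:
        flags.append("text before @ (%r) is a username, not the host" % parts.username)
    decoded = decode_numeric_host(host)
    if decoded is not None:
        flags.append("host is an encoded IP address (%s -> %s)" % (host, decoded))
        host = decoded
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        flags.append("host is a bare IPv%d address, not a name" % addr.version)
    if any(ord(c) > 127 for c in host):
        try:
            punycode = host.encode("idna").decode("ascii")
        except UnicodeError:
            punycode = "?"
        flags.append("host uses non-ASCII characters (punycode %s)" % punycode)
    if parts.scheme != "https":
        flags.append("not https: no encryption and no server identity check")
    return host, flags


if __name__ == "__main__":
    for u in ("http://65.205.127.42/www.facebook.com/login.php",
              "http://www.facebook.com@3627729028/",
              "http://[A:CAFE:FEED:FACE:DEAD:BEEF:B:C]/",
              "http://0xFACEB001/K",
              "https://www.indiana.edu/about/index.html"):
        host, flags = url_red_flags(u)
        print(u, "->", host, flags or "no red flags")
```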

Learn how to read email headers

Every email you receive has hidden headers that give valuable information about the source and path of an e-mail.

Learn how to read email headers

Usually found by viewing message source.

No website login is insignificant

  • Password reuse is a big problem and should be avoided.
  • Use a password manager such as Lastpass, 1Password or Password Safe
  • Use a different password for each website.
  • Try to use randomly generated passwords that are 12 characters or more.

Source: https://xkcd.com/792/  2010-09-13

LAB: Let's make a fake

  • Open that l33t hacker app that does all the crazy hacking black magic you see in the movies. It's in the menu under the name "Terminal Emulator"
  • Type in the following
    • telnet heart.climagic.com 25
  • You should see

Trying 52.87.206.151...
Connected to heart.climagic.com.
Escape character is '^]'.
220 ec2-52-87-206-151.compute-1.amazonaws.com ESMTP Postfix

 

LAB: Let's make a fake

  • Type:
    • HELO cacrtest.iu.edu
  • (Yes that's only one L in HELO.)
  • You'll see back:
    • 250 ec2-52-87-206-151.compute-1.amazonaws.com
  • Type each of the lines in turn.
MAIL FROM: <yourname@example.com>
RCPT TO: <victim@example.com>
data
From: <someoneelse@example.com>
To: <jimbob@widgets.com>
Subject: Please click this link
Content-type: text/html;

Please visit <a href="http://www.twitter.com/">http://www.facebook.com/</a>.

Thank you
.
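The defender's side of this lab and of the "Learn how to read email headers" slides, as an added Python example (not from the slides): parse a delivered message, list its Received hops, and flag a From: header that differs from the envelope sender as well as link text that shows one site while the href goes to another. The message is constructed for the example; the relay names, IP addresses and queue id in it are made up.

```python
# Added example, not from the slides: read the headers of a received message.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: roughly what the lab's message could look like once
# delivered. Relay names, IPs (RFC 5737 ranges) and the queue id are made up.
SAMPLE = b"""\
Return-Path: <yourname@example.com>
Received: from mail.example.org (mail.example.org [203.0.113.7])
\tby mx.widgets.com with ESMTP id ABC123; Thu, 15 Jun 2017 10:02:11 -0400
Received: from cacrtest.iu.edu (unknown [198.51.100.23])
\tby mail.example.org with SMTP; Thu, 15 Jun 2017 10:02:05 -0400
From: <someoneelse@example.com>
To: <jimbob@widgets.com>
Subject: Please click this link
Content-Type: text/html

Please visit <a href="http://www.twitter.com/">http://www.facebook.com/</a>.

Thank you
"""


def received_chain(msg):
    """Each relay prepends its own Received header, so the topmost is the hop
    nearest you. Reversed, the list reads origin -> ... -> your mailbox."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(value), re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def sender_mismatch(msg):
    """The envelope sender (MAIL FROM, stored as Return-Path) and the From:
    header the user sees are set independently, as the lab demonstrates."""
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    shown = parseaddr(str(msg.get("From", "")))[1].lower()
    return envelope != shown


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def deceptive_links(html):
    """Links whose visible text is itself a URL for a different host than
    the one the href really points at."""
    collector = LinkCollector()
    collector.feed(html)
    bad = []
    for href, text in collector.links:
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != urlsplit(href).hostname:
            bad.append((text, href))
    return bad


def analyze(raw_message):
    """Run the three checks above over one raw message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {"hops": received_chain(msg),
            "sender_mismatch": sender_mismatch(msg),
            "deceptive_links": deceptive_links(msg.get_content())}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```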

View results of lab

Beware of Unicode look-alike characters

Which one is the correct domain for IU?

Beware of Unicode look-alike characters that look like ASCII.

Be very suspicious of file attachments

Rule of thumb: If you aren't expecting it, don't open it. Ask the sender offline or through another communications channel if possible.

Nearly every file type has been known to have vulnerabilities, and any executable code like .exe, .bat, etc. should definitely be avoided.

The sender's account may be compromised

Sometimes even if the e-mail is from someone you know, their account may be compromised.

Many Phishing emails purport to be from your local IT.

And they might even claim to be about fighting the growing Phishing problem.

Spear Phishing

  • Most phishing is general and broadcast.
  • Spear Phishing is targeted specifically at you
  • Attacker may have discovered personal information
  • Usually targeted at organization management
  • Very effective and hard to detect

Questions?

Careers

In other words, things we do to

...while hopefully having a pretty good life.

The Good

  • The pay
  • The flexibility
  • The room to be a little crazy, as long as you get the job done
  • Never stop learning
  • Work with brilliant people
  • Work in any industry
  • Change industries
  • Volcanoes & Pirates
  • Adventure
  • Power

The Bad

  • The hours
  • Crazy people
  • Clueless work environments
  • Working to stay good at your job
  • Only your colleagues understand your job
  • Security Politics
  • Identity Politics
  • Trust issues

Some Jobs

  • Analyst
  • CISO or ISO -- (Chief) Information Security Officer
  • Security Architect
  • Cryptographer
  • {Network | Systems | UNIX | DevOps | etc} Engineer
  • Programmer
  • Pentester (penetration tester)
  • Software Assurance Tester/Engineer
  • VP of Information Security
  • Security Engineer
  • Consultant
  • Auditor
  • Compliance <insert any word here>

Some Environments

  • Research
  • Applied Research
  • Startups
  • Finance
  • Big Tech (Google / Facebook / IBM / etc.)
  • Health Care
  • Industrial Control Systems (ICS/SCADA)
  • Big Data / Business Intelligence
  • Intelligence / Espionage (governmental)
  • Military
  • Infrastructure Software
  • Teaching

Some Paths

  • Traditional Higher Ed.
  • Non-traditional Higher Ed.
  • Ground-up in an established company
  • Open Source mentorship
  • Military to certifications to civilian

The Advice Part:

Pay attention to everything, be skeptical of everything and everyone, be ready to change your beliefs and your plans when new or better information comes along.

Lunch

Malware

Web penetration testing

What is pentesting?

Sometimes the easiest way to stop a black hat is to think like a black hat.

Wargaming is older than recorded history.  Sun Tzu, renowned military strategist and author of The Art of War, described using one's soldiers to test one another in training and to find holes in one's defenses over 2,500 years ago.

Pentesting can:

  • Reveal holes in systems and specific defenses.
  • Help break down assumptions made when architecting systems, programs, and networks.
  • Educate defenders about how attackers view systems.
  • Provide a powerful communication tool with non-technical stakeholders.

This section will be very little talking and a lot of experimenting.

Open your browser and go to:

http://natas0.natas.labs.overthewire.org

USER: natas0

PASSWORD: natas0

The Natas Challenge is a wargame that you can work on here, and continue at home.  Your goal in each level is to steal the password for the next level.  We're going to cover levels 0-6 here, because those are do-able with only browser extensions as tools.  For later levels, you may need a programming environment or an active proxy such as Burp Suite or mitmproxy.

Pentesting Tips:

  • Start by reading everything.
  • Every time you get a piece of information, ask yourself what you can infer from that information.
  • Think about where your input is going, and what can happen if you give inputs that the programmer didn't expect.
  • Keep good notes: you may need to reproduce anything/everything you've done, or use old methods again.
  • Feel free to partner or group up to work.
  • Raise your hand if you need help.

Data Center Tour

Thank You

We hope you had fun.

Ryan Kiser, rlkiser@iu.edu

Mark Krenz, mkrenz@iu.edu

Anurag Shankar, ashankar@iu.edu 

Susan Sons, sesons@iu.edu

Using and Sharing This Work:

"CACR Cybercamp" by Susan Sons and Mark Krenz is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

 

Please credit Susan Sons, Mark Krenz, and the IU Center for Applied Cybersecurity Research when using this presentation.

Permissions beyond the scope of this license may be available; send inquiries to sesons@iu.edu.

 

The most current version of this presentation is available from

http://slides.com/hedgemage/cacrcybercamp2017

CACR Cybercamp 2017

By Susan Sons
