Social Engineering & Phishing
What social engineering is Techniques that exploit human weaknesses, and manipulate people into breaking security procedures.
Why it's done Easier to exploit people rather than a computer system. Organizations often overlook this by not providing adequate training to staff, and not testing the staff to ensure they aren't susceptible to being exploited.
Potential triggers Authority (attacker exploits the target through the assertion of authority), commitment and consistency (targets likely have a behavioral pattern that can be exploited), liking and similarity (attackers make the target like them and relate to them), reciprocation (the target is given something, so they feel obligated to give back), scarcity (the target is told that something they want is in short supply), social validation (targets may try to conform to societal standards).
Methods and approaches Over the phone (tech support), in person (service engineer, dropped drive), email (malware, phishing).
Methods to get details Dumpster diving, talking to people, social networks, spear-phishing (targeted phishing).
Authentication
Users should be identified To access user-specific controls, and so they can individually be held accountable for their activities.
Claimed identities must be authenticated It's the first line of system protection, and acts as a safeguard against abuse by unauthorized insiders, and external parties.
Authentication methods Something the user knows (passwords, PIN numbers), something the user has (a card or token), something the user is (biometric).
Passwords Pros: Easy to understand, familiar, work in most contexts. Cons: Hard to use, remember, and manage, inconvenient, time-consuming.
Password practices At least 8 characters, alphanumeric, includes special characters, dictionary word, personal information, reused. Most common: At least 8 characters (under 18s), alphanumeric (over 18s).
How passwords are often cracked Interception, brute force, searching, manual guessing, social engineering, stealing, shoulder surfing, key logging.
Shortcomings of cognitive challenges Opinion based security questions can change over time, some predetermined questions might not apply to some users, others might be able to guess or already know the answer. Picture passwords might be weak since the image might have clear points of interest.
Comparison factors Mental effort, convenience, applicability (works across systems), flexibility (in case the user needs to change it).
Token-based authentication Pros: Can't be shared easily, increased awareness of any potential compromises, attackers must steal the token before being able to use it. Cons: More expensive to implement, tokens can be lost or stolen, might be combined with secret knowledge.
Biometrics Pros: Nothing to lose or forget, more usable. Cons: May not be usable in all contexts, privacy concerns.
Desirable attributes for biometric-based authentication Uniqueness, universal, permanence, collectable, acceptable, secure.
Biometric approaches Physiological: Fingerprint, hand geometry, vascular pattern, iris scanning, retinal scanning, facial recognition, facial thermogram, ear print. Behavioral: Voice, signature, keystroke analysis, mouse dynamics, gait recognition, stylometry.
Perceived protection Most secure: Fingerprint, retinal scan, password, PIN, facial recognition, handprint, voice recognition, none, heartbeat.
Error rates and operational factors FAR (false acceptance rate), FRR (false rejection rate), failure to enroll, failure to acquire.
Mobile Device Security
Threats More prone to theft and loss, fewer and less capable security measures, users are less likely to secure them.
Most common ways organizations deal with the risks Mobile computing policy, mobile device security strategy, implemented mobile device management (MDM), encryption.
Protection against theft and loss Using "Lost Mode" to find the device, remotely wipe its data, or lock it to prevent further unauthorized access.
Mobile malware Less common than desktop, but Android devices are a popular target.
Types of mobile malware Banking trojan (overlays legitimate apps and websites with a fake one), SMS trojan, ransomware, backdoors, spyware.
Device ownership dilemma Having corporate data on a personal device would mean that the corporation can't control the device, which could compromise the security of the device. Having personal data on a corporate device would lead to usage issues, as some usage might be considered inappropriate, and the user's personal data might find its way into the organization.
Mobile Device Management (MDM) OTA distribution of data, applications, and settings. Controls data and settings to reduce risk.
Network Layer
Network layer Transports segment from a host that's sending it, to one that's receiving it. On the sender's side, the segments are encapsulated into datagrams. On the receiver's side, the segments are delivered to the transport layer. Every host and router has a network layer. The router examines the header fields of every IP datagram.
Important functions Forwarding (move packets from the router's input, to the appropriate output), routing (determine the route taken by the packets from their source, to their destination using routing algorithms).
Planes Data plane: Local and per-router function, determines how a datagram moves from the router's input port to its output port, forwarding function. Control plane: Network-wide logic, determines how a datagram is routed between routers along an end-to-end path between the source and the destination. There are two control plane approaches: traditional routing algorithms that are implemented by routers, and software-defined networking (SDN), which is implemented in remote servers.
The traditional approach Individual routing algorithm components in each router that interact with the control plane.
SDN approach A logically centralized control plane, where a remote controller interacts with local Control Agents (CAs).
Layer functions Routing protocols: Path selection, RIP (routing information protocol), OSPF (open shortest path first), BGP (border gateway protocol). Forwarding table IP protocol: Addressing conventions, datagram format, packet handling conventions. ICMP protocol: Error reporting, router signaling.
IP datagram format (IPv4) Minimum header length: 20 bytes. Maximum header length: 24 bytes. Fields: IP protocol version, header length (in bytes), type of data, total datagram length (in bytes), fragment offset (for reassembly), flags, 16-bit ID, TTL (time to live, maximum number of remaining "hops", which is decremented each time it passes through a router), upper layer protocol to deliver the payload to, header checksum, 32-bit source IP, 32-bit destination IP, options (timestamp, recorded route, list of routers to visit), data (typically a UDP or TCP segment). Overhead: 20 bytes for TCP, 20 bytes for IP, so 40 bytes in addition to the app layer overhead.
IP fragmentation and reassembly Network links have a max transmission unit (MTU), which determines the largest possible link-level frame. Different link types have different MTUs. Large IP datagrams are fragmented and broken up into several datagrams. They are then sent to their destination, where they are finally reassembled. The header fields (particularly the 16-bit identifier) are used to determine the order of the datagrams and subsequently reassemble them. The offset of a datagram is determined by dividing its length (minus the header length) by 8 (to get the length in bits), and then multiplying it by its position relative to the other datagrams. So for example, a 4,000 byte datagram on a link with a 1,500 MTU would be broken up into 3. The first datagram would have a length of 1,500 or 1,480 without the header, and its offset would be 1,480 / 8 * 0, which is 0 since it's the first one and doesn't have an offset. The second one's offset would be 185, and the third one would be 370.
IP addressing IP address: 32-bit identifier for a host, router, or interface. Written in decimal notation. Interface: The connection between a host or router, and the physical link. Routers usually have multiple interfaces, and hosts usually have one or two (wireless 802.11, or wired ethernet).
Subnets Device interfaces that share the same subnet part of the IP address, and that can physically reach each other without an intervening router. The devices of a subnet all have the same subnet address, and are part of an isolated network, or a sub-network. IP address: Subnet part (high order bits), and host part (low order bits).
Classful addressing Addresses consist of a network part, and a host part. IP addresses are divided into five classes (A, B, C, D, and E). Classes A, B, and C have a fixed length for their network part (8, 16, and 24 bits respectively). The first decimal value of an IP address of class A is between 0 and 127. For class B it's between 128 and 191. For class C it's between 192 and 223. Class C can support 254 hosts, which might not be enough for an organization. Class B can support 65,634, which might be too many.
DHCP Allows hosts to dynamically acquire an IP address when joining the network. Leases can be renewed on an address, and addresses can be reused. Can return the address of the first hop router, the name and IP of a DNS server, and the network mask. ISPs get IP addresses through ICANN, which allocates addresses, manages DNS servers, assigns domain names, and resolves disputes.
NAT (Network Address Translation) All datagrams leaving a local network have the same NAT IP address, but may have different source port numbers. This way, the ISP doesn't need to assign a range of IP addresses to each user. A NAT router must replace the source IP and port of every outgoing datagram to the NAT IP and new port, remember (using a NAT translation table) every replacement and translation pair, and replace the NAT IP and port of every incoming datagram with the original source IP and port. NAT is problematic because routers should only process up to layer 3, and it violates the end-to-end agreement where ports are meant to be used to address processes rather than hosts.
Routing protocol Used to determine the best path or route from the sender to the receiver.
Routing algorithm classification Global information: All routers have complete topology and link cost information (link state algorithms). Decentralized information: Routers know physically connected neighbors, and the link cost to said neighbors, leading to an iterative process of computation, and exchange of information with neighbors (distance vector algorithms). Static routes: Routes change slowly over time. Dynamic routes: Routes change more quickly in response to link cost changes, periodical updates.
ICMP (Internet Control Message Protocol) Constructed at the IP layer, reports non-transient problems to the IP (when TTL reaches 0, or a destination host is unreachable), and to the transport layer (for example when a port is unreachable). ICMP is used by "traceroute" and "ping". ICMP messages are encapsulated inside IP datagrams, where they have header fields such as type (type of ICMP message), code (reason why the packet couldn't be delivered), checksum (to verify the integrity of the data).
ICMP message types Echo (8) (used by ping to test the connection between two devices), echo reply (0) (reply to a ping, a "pong"), destination unreachable (3) (unavailable port, network, etc.), source quench (4) (data source should reduce its transmission rate), redirect (5) (informs the source of a better route), time exceeded (11) (when TTL reaches 0), parameter problem on a datagram (12), timestamp request (13), timestamp reply (14), address mask request (17), address mask reply (18).
How traceroute uses ICMP The source sends a series of UDP segments to a destination. The first set has a TTL of 1, then 2, and so on. When the datagram of the nth set arrives at the nth router, the router discards the datagram, and sends the source an ICMP message containing the name of the router, and its IP address. When the message arrives, the source records the RTTs (Round Trip Time). If the UDP segment arrives at its destination, or if the destination returns an ICMP "port unreachable" message, the source stops.
Link Layer
Link layer Hosts and routers are called nodes. Links are communication channels (wired or wireless) that connect adjacent nodes along the communication path. Frames are layer-2 packets that encapsulate datagrams. The data-link layer transfers datagrams from one node to a physically adjacent node over a link. Each and every host has an implementation of the link layer in its adapter (network interface card, chip etc.), and it attaches into the host's system buses, resulting in a combination of hardware, software, and firmware.
Services Framing: Link access (encapsulates datagrams into frames, adds a header and trailer), channel access (if it's a shared medium). MAC address is used in frame headers to identify the source and destination. Reliable delivery between adjacent nodes. Error detection: Errors caused by signal attenuation or noise (the receiver detects errors, and signals the sender for retransmission, or it drops the frame). Error correction: The receiver identifies and corrects bit errors without resorting to retransmission.
Access links Point-to-point links: Link between Ethernet switch and host. Broadcast (shared wire or medium): Old-fashioned Ethernet or 802.11 wireless LAN.
Access protocols Single shared broadcast channel. Interference when there are two or more simultaneous transmissions by nodes (a collision occurs if a node receives two or more signals at the same time). Multiple access protocol: Distributed algorithm that determines how nodes share a channel (for example, determining when a node can transmit). Communication about channel sharing must use the channel itself (no out-of-band channel for coordination).
MAC protocols Taxonomy: Channel partitioning (divides channels into smaller pieces like time slots and frequency), allocates a channel piece to a node for exclusive use. Random access (channel isn't divided, and allows for collisions, which it can recover from). "Taking turns" (nodes take turns, but nodes with more to send can take longer turns). The channel is shared efficiently, and fairly at high load. It's inefficient at low load, and could lead to a delay in channel access, and bandwidth could be limited and wasted even if there's only 1 node. TDMA (time division multiple access): Access to a channel in rounds. Each station gets a slot of fixed length (where length is the transmission time of the packet) in each round. Unused slots go idle. FDMA (frequency division multiple access): The channel spectrum is divided into frequency bands. Each station is assigned a fixed frequency band. Unused transmission time in frequency bands goes idle.
Random access protocols When a node has a packet to send, it transmits at full channel rate, and no "a priori" coordination takes place among nodes. Two or more transmitting nodes lead to a collision. Random access MAC protocol (Carrier Sense Multiple Access or CSMA) specifies how to detect a collision, and how to recover from it (through delayed retransmission). CSMA (carrier sense multiple access): Listen before transmitting (if the channel is sensed idle, transmit the entire frame, otherwise, defer the transmission). Collisions (entire packet transmission time wasted) can still occur, and a propagation delay means that two nodes may not be aware of each other's transmission. Distance and propagation delay can be used to determine the probability of a collision. Random access MAC protocols are efficient at low load, as a single node can fully utilize the channel, but are inefficient at high load due to collisions. "Taking turns" protocols are the best of both worlds and work well with both low and high loads.
CSMA/CD (Carrier Sense Multiple Access / Collision Detection) Collisions are detected within a short time, and the transmission is aborted, reducing channel wastage. Detection is easy in wired LANs as the signal strength can be measured, and transmitted or received signals can be compared. It's more difficult in wireless LAN, as the received signal strength would be overwhelmed by the local transmission strength. Ethernet CSMA/CD algorithm: NIC (network interface card) receives datagram from the network layer and creates a frame. If the NIC senses an idle channel, it starts transmitting the frame. Otherwise, it waits until the channel is idle, and then sends it. If the NIC transmits the entire frame without detecting another transmission, then it'll be done with the frame. If it detects another transmission, then it aborts, and sends a jam signal. After aborting, the NIC enters binary (exponential) backoff (after nth collision, the NIC chooses K at random from 0, 1, 2... 2^m-1, waits K * 512 bit times, and returns to checking if the channel is idle and resending the frame). More collisions would result in a longer backoff interval.
"Taking turns" MAC protocols Polling: The master node "invites" slave nodes to transmit in turn. Typically used with "dumb" slave devices. There are multiple concerns, such as polling overhead, latency, and the fact that there's a single point of failure since there's a master node. Token passing: A control token is passed from one node to the next sequentially with a token message. The concerns here are token overhead, latency, and there being a single point of failure (the token itself).
MAC (Media Access Control) addresses 32-bit IP addresses are used in the network layer for interfaces and forwarding. MAC (LAN, physical, or Ethernet) addresses are used locally to transmit frames from one interface to another physically connected interface. They are 48-bit (for most LANs) and are burned into the NIC ROM. They're written in hexadecimal notation. Their allocation is administered by IEEE, where the first 24 bits are the OUI (organizationally unique identifier), and the other 24 bits are unique to the NIC.
ARP (Address Resolution Protocol) ARP table: Each node on the LAN has a table where it has IP/MAC address mappings for LAN nodes, and TTL (time after which the address mappings will be forgotten, typically 20 minutes). If a node A wants to send a datagram to node B, and B's MAC address isn't in A's ARP table, then A broadcasts an ARP query packet containing B's IP address. All nodes on the LAN receive this packet. B would then reply to A with its MAC address (a frame is sent to A's MAC address using unicast). A would then pair B's IP to the MAC address it received, and would save it in its ARP table until the information becomes outdated. ARP provides a sort of "plug and play" support since nodes can create ARP tables without the network administrator having to do it manually. If a node A wants to send a datagram to node B via node R, A would create an IP datagram with the IP source A, and IP destination B. It would then create a link-layer frame with R's MAC address as the destination address, and a frame that contains the A to B IP datagram. The frame would be sent from A to R, where the datagram would be removed, and would be passed up to IP. R would then forward the datagram with IP source A and destination B by creating a link-layer frame with B's MAC address, and the A to B IP datagram.
Ethernet Dominant wired LAN technology. Single chip, multiple speeds. First widely used LAN technology. Simple, cheap, and fast. Physical topology: Bus (popular through mid 90s, all nodes in the same collision domain and can collide with each other), Star (prevalent today, with an active switch in the center, where each "spoke" runs a separate Ethernet protocol and prevents nodes from colliding with one another). Frame structure: The sending adapter encapsulates the IP datagram (or any other network layer protocol packet) in an Ethernet frame, which contains several fields such as a preamble (7 bytes with pattern 10101010 followed by 1 byte with the pattern 10101011, which are used to synchronize the receiver and sender's clock rates), an address (6 byte source and destination MAC addresses), a type (indicates higher layer protocol, mostly IP), a CRC (cyclic redundancy check at receiver, where if an error is detected, the frame is dropped). Physical layer media: Fiber, cable etc.
Ethernet switches A link-layer device that has an active role where it stores and forwards Ethernet frames, and examines incoming frames' MAC addresses, selectively forwards the frames to one or more outgoing links (when a frame is to be forwarded on segment). Transparent (hosts are unaware of the presence of switches). Plug-and-play (switches don't need to be configured). Multiple simultaneous transmissions: Hosts have dedicated and direct connections with the switch. Switches buffer packets. The ethernet protocol is used on each incoming link, but there are no collisions (full duplex, where each link is its own collision domain). Every switch has a switch table it can use to determine whether a host is reachable via a given interface. The table contains the MAC address of the host, the interface through which the host can be reached, and a timestamp. It looks like a routing table. Switches are self-learning, in that they learn which hosts can be reached through which interface. When a frame is received, the switch learns the location of the sender and saves the sender and location pair in its switch table. Both switches and routers are "store-and-forward" (routers are network-layer devices whereas switches are link-layer devices). They both have forwarding tables (routers compute tables using routing algorithms and IP addresses, whereas switches learn and fill out a forwarding table using flooding, learning, and MAC addresses).
An example of a full journey through the protocol stack Scenario: A student connects a laptop to the campus network with an ethernet cable, and visits Google. The laptop gets an IP address through the router's DHCP. The DHCP request is encapsulated in UDP, then in IP, and then in 802.3 ethernet. The ethernet frame is broadcasted on LAN, and received at the router that's running the DHCP server. The frame is then demuxed (demultiplexed) from ethernet to IP, then to UDP, then to DHCP. The DHCP server then formulates a DHCP ACK containing the client's IP address, the IP address of the first-hop router, and the name and IP address of the DNS server. It's then encapsulated at the DHCP server, and the frame is forwarded (using switch learning) through the LAN, and demuxed on the client's device, where the client then receives the DHCP ACK. At this point, the client has an IP address, knows the name and IP address of the DNS server, and the IP address of its first-hop router. The student then visits Google. Before sending the HTTP request, a DNS query is created, encapsulated in UDP, then IP, then ethernet, and sent to the router, but first, the client needs the MAC address of the router interface, so an ARP query is broadcasted, received by the router, and the client now knows the MAC address of the first-hop router, which they use to send the frame containing the DNS query. The IP datagram containing the DNS query is forwarded via the LAN switch from the client to the first-hop router, where the datagram is then forwarded from the campus network to the ISP, and then routed to the DNS server, where it is demuxed. The DNS server then replies to the client with the IP address of Google. The client then opens a TCP socket to the web server, and a TCP SYN segment (first step in a 3-way handshake) is routed to the web server. The server responds with a TCP SYN ACK, and a connection is established.
The HTTP request is then sent into the TCP socket, and the IP datagram containing the HTTP request is routed to Google, where the web server responds with the HTTP reply which contains the webpage. The IP datagram containing this reply is then routed back to the client, and the webpage is displayed.
Wireless Networks
Elements of a wireless network Hosts: Laptops, smartphones, applications etc. Base station: Typically connected to a wired network, relay (responsible for sending packets between wired network and wireless hosts in its area) such as cell towers, 802.11 access points etc. Wireless link: Typically used to connect mobiles to the base station. Also used as a backbone link. Multiple access protocol coordinates link access. Various data rates and transmission distances. Infrastructure mode: Base station connects mobiles to the wired network. Handoff (mobile changes base station, providing connection into the wired network). Ad hoc mode: No base stations, nodes can only transmit to other nodes within link coverage, nodes organize themselves into a network (route among themselves).
Wireless links Unlicensed frequency bands: Commonly used Industrial, Scientific, Medical (ISM) bands. 433.05 - 434.79 MHz. 868.00 - 870.00 MHz (not the entire spectrum can be used). 2.4 - 2.5 GHz. 5.15 - 5.35 and 5.725 - 5.875 GHz. ISM, no license required, no exclusive use, possible interference, best effort.
Radio frequency transmission Higher data rates have a shorter transmission range. Higher transmit power results in greater distance. Higher frequency allows for higher data rates (but shorter transmission range). Distortion types include path loss (the further away a device is from the signal source, the weaker the signal it receives), absorption (caused by objects being in the way, higher amplitude results in higher power and better coverage), multipath (portions of the signal are reflected and arrive at a later time, which could cause the receiver to get multiple copies of the same signal).
Difference between wireless and wired links Decreased signal strength, interference from other sources, multipath propagation.
SNR (Signal to Noise Ratio) and BER (Bit Error Ratio) Larger SNR: Easier to extract signal from noise. SNR vs BER: Given physical layer (increase in power leads to increase in SNR, which decreases BER).
IEEE 802.11 wireless LAN (WLAN) 802.11b: 2.4 - 2.5 GHz unlicensed spectrum, up to 11 Mbps. 802.11a: 5.0 - 6.0 GHz, up to 54 Mbps. 802.11g: 2.4 - 2.5 GHz, up to 54 Mbps. 802.11n: 2.4 - 2.5 GHz, up to 200 Mbps. They all use CSMA/CA for multiple access, and all have base stations and ad hoc network versions. Architecture: Wireless host communicates with the base station (access point). Basic service set (BSS or cell) in infrastructure mode contains wireless hosts, the base station, and ad hoc mode (hosts only).
802.11 channels 802.11b (2.4 - 2.485 GHz) spectrum divided into 11 channels at different frequencies. The access point (AP) admin can choose the frequency. Interference is possible if another neighboring AP uses the same channel. Each channel is 22 MHz wide. Channels 1, 6, and 11 are non-overlapping. Using any other channel would cause interference, meaning that three access points can occupy the same area.
802.11 association Each host must associate with an AP. Scans channels, listening for beacon frames containing the AP's name (Service Set Identifier or SSID) and MAC address. Selects the AP to associate with. May perform authentication. Will typically run DHCP to get an IP address in the AP's subnet.
802.11 scanning Passive: Beacon frames sent from AP. Association request frame sent from host to AP. Association response frame sent from AP to host. Active: Probe request frame broadcasted from host. Probe response frame sent from AP. Association request sent from host to AP. Association response sent from AP to host.
802.11 multiple access Avoid collisions (two or more nodes transmitting at the same time). 802.11 CSMA (sense before transmitting). 802.11 (no collision detection): Difficult to receive (sense collisions) when transmitting due to weak or fading signals. Can't sense all collisions in any case (hidden terminal, fading). CSMA/CA (Carrier Sense Multiple Access / Collision Avoidance).