Monday, March 13, 2017
Computer Security - Part 1
Computer Security - Part 1
Computer security covers protecting computer systems - cellphones, workstations, servers, networks or any other hardware, software and data from loss, disruption or other attacks. Cybersecurity is the more recent name for Computer Security as the name describes more fully the span of coverage of the term.
Controlling physical access to a system is the first level protection and includes network protection measures as well as protection from malicious persons with access.
Vulnerabilities include any flaw or weakness in a system be it at the operating system level or within the applications on that system and Exploits are those methods which can be used to take advantage of a vulnerability.
Short list of Exploits:
Backdoors, RootKit, Worm, Trojans, Viruses, DDoS, physical access, eavesdropping, phishing, social engineering, privilege escalation, tampering and spoofing, keylogging, Spyware, Botnet, & Cryptomalware.
Each of these affords the attacker specific or combined methods of attack each with various levels or directions of penetration into a system or network. Targeted compromise of a system or network are briefly described below, but further description and investigation of each will be left to the reader’s responsibility.
Trojan Horse (Trojan):
These are malicious programs which lead the user into believing it’s purpose is that of something else. The name Trojan Horse comes from the ancient Greek story where a Trojan Horse allowed the Greeks to invade Troy. Beware Greeks bearing gifts.
Today most trojans are spread through various methods of Social Engineering to dupe the user into installing the malware. Sometimes these are as simple as browsing a web page which contains an executable embedded in through a banner advertisement that requires absolutely no interaction.
Much like any of the exploits described here, once the trojan is in place on the user’s system, the attacker can perform reconnaissance, disable/remove any program (including anti-virus), remote control, data damage/destruction, malware distribution/installation locally, network or globally, data exfiltration or encryption via crypto-malware (aka ransomware).
Ransomware:
Cryptomalware is a form of ransomeware which leaves the user wondering if there is anything they can do to avoid becoming infected or losing their data; This is especially troublesome given the nature of these attacks and the global connectivity of the Internet.
This malware generally has targeted Microsoft Windows systems as they have been the easiest to infect, but has been infecting other systems such as Android, Linux & Mac OSX. One particularly widespread version is known as Cryptolocker which is spread through infected email attachments or existing botnets. Once the software is activated, it encrypts all mounted drives on a system including network mount points. The private key used for the encryption is maintained by the malware Command and Control Server(s) and demands for the user to pay in lower traceability currency bitcoin.
The best method to avoid this disastrous infection is to make frequent backups to offline or remote storage (such as SpiderOak, Carbonite, etc.). Other helpful ways to avoid this cryptoware is to use a secured Virtual Machine running a secure Linux distribution with very limited or no access to the host operating system, file system or network file system.
Continued in parts 2-9
Source: https://en.wikipedia.org/wiki/Computer_security
Continued in parts 2-9
Source: https://en.wikipedia.org/wiki/Computer_security
VPNs
VPNs
Virtual Private Networks provide encrypted communication over an insecure (or secure) network such as the Internet. This enables a user or users to send/receive data over the insecure network with access to the private network (such as home, work, etc). Security of the private network can be offered or provided to applications running on the client.
Corporate network access (Intranet) while out of the office is a primary use of VPNs, but home users take advantage of VPNs this way as well. Offices very remote from each other can be joined together using VPNs to form a single network and share data just as if the systems were in the same office. This allows the client system to send/receive data through often restricted network locations or foreign countries, but there are some services such as Netflix which restrict or block use of VPNs when connecting to their services. They have their reasons, but the other method discussed in this series of blog posts - ssh tunneling - overcomes detection of the VPN for such blocking.
There are security implications for VPN use as the client systems must be protected by the same or higher level of anti-virus or malware prevention software to decrease the chances of infections of the Intranet resources. This is a less common method of infection of a network’s resources (most come from phishing attacks), but still remains a concern.
Historically VPN type of connections were through phone modems or DSL connections via frame-relay or ATM virtual circuits and other telecom providers, but these are not true VPNs because they use passive security. IP VPNs replaced these more primitive methods after larger bandwidth communication methods became available.
VPNs today can allow users of a device to also protect web browsing from malicious website domains using DNS black holes such as can be provided by the Pi-hole for a home user. Blocklists provided in a DNS black hole can include any website or URL corporate management or a home user requires to prevent a malware infection or advertiser from presenting adverts to the user. Such ad blocking methods can also provide excellent bandwidth savings to the cellphone user connected to the VPN with this service.
Other uses of VPNs are for remote access to VPN services providing access to the more “open” Internet. Uses could be to access sites blocked by the user’s own ISP or country, and provide anonymity, but do not provide any increase in privacy as the traffic can be intercepted on the remote target. In the event true privacy is required, the Tor browser can be used in conjunction with VPN service.
The VPN provides:
- Confidentiality - network traffic could be sniffed at the packet level, but only encrypted data would be recognized.
- Sender authentication to prevent unauthorized users from accessing the VPN
- Message integrity to detect any instances of tampering with transmitted messages
VPN protocols include IPsec, SSL/TLS, DTLS, MPPE, SSTP, MVPN and OpenSSH.
Authentication must occur for VPN tunnels to be built or established. Network to network VPNs use passwords and/or certificates as well as biometrics (such as iris or fingerprint), two-factor authentication (such as Google authenticator), passwords or other cryptographic methods. All traffic on the remote or client system can be routed out through the VPN gateway to the Internet or directed to only provide access to internal network resources.
Encryption Methods - Part 5
SSH:
Secure Shell or SSH is used for secure encrypted remote access to a computer system or systems over insecure networks is provided by ssh. It is built into Linux systems by default and allows the user to enable the ssh service on boot as well as provides a client for accessing other remote systems. Any network service can be secured through encryption afforded by ssh.
Historically Unix-like operating systems such as Linux have had ssh built in and MacOS X has included ssh support as it is BSD based. Microsoft’s Windows operating system is providing ssh support through a reimplementation of the Ubuntu program stack on top of Windows services, but also offers ssh support only in professional versions.
History:
Secure shell was created to replace the very insecure telnet, rsh & rlogin services which send passwords and data in plain text. Such unencrypted communication can easily be intercepted by an attacker. Protocol 2 is the standard recommended as it is more secure and is default on most Linux systems.
Common use of ssh is by password/username authentication to an account on the target system, but more secure methods are available. These include manually generated public key cryptography which is the preferred method to insure end-to-end encrypted communications without the potential for interception by Nation States or other major attackers.
PKI:
Using this method, the user generates a private and public key pair with the ssh-key-gen command and copies the public key to the target server ~/.ssh/authorized_keys file. Often this can be accomplished with the command ssh-copy-id username@hostname:, but can also be performed manually. The one requirement for either of these is that the user has a valid account on the server prior to attempting to copy the public key to the target server.
Ssh will only allow login if the authorized_keys file is owned by the user or root and none other.
The PKI pair method of authentication provides convenience to the user and software programs such as the message passing interface stack which may require passwordless login for automation. However, an additional measure of security can be provided by utilizing a private key passphrase and is important should the system be compromised or attacked by a larger authoritarian agency (NSA, CIA, State Actors, etc). In most cases or normal use this passphrase can be left out and the bash_alises file can have aliases added to simplify access to systems often accessed from the command line.
On Linux distributions, applications such as Dolphin or Nautilus file managers support the sftp or fish protocols for file transfer. Both of these use ssh for authentication and transmission to allow for encrypted transfers. Dolphin affords simple bookmarking of sftp connections to allow even easier methods of secure file access. SImple methods also include scp or Secure Copy to allow transfer from one system to another using ssh.
Tunneling
A common use of ssh is to tunnel traffic to or from a remote machine to execute commands through TCP forwarding and includes X11 forwarding. Such tunneling can often overcome blocks of VPN services by certain ISPs or Countries to allow communications when a method out or in is required. Access to a remote Linux server such as a Raspberry Pi located in an unrestricted country can provide a gateway to the Internet and provide access to region-locked or restricted services such as Netflix, Amazon or even Google. This VPN offers the home user a simple method of creating a VPN for use with cell phones or other computer systems while sitting on an unsecured network.
Simple client ssh tunneling can be accomplished using the sshuttle program on Linux as it handles all tunneling requests in a less complex command sequence and can be added to aliases for even easier use.
Linux systems as well as MacOS provide built-in ssh support through the Terminal while applications for other operating systems such as Microsoft’s Windows can be obtained to allow ssh access: PuTTY is one such example which can be carried around on a USB drive along with the private keys required for access, which doesn’t require any installation to use on the host operating system.
Encryption Methods - Part 3
S/MIME:
S/MIME functionality and inter-operate between them.
Cryptographic services provided by S/MIME:
To utilize S/MIME, an individual key/certificate is required to be generated by a local, internal or external CA (certificate authority) or from numerous public CAs. The best practices standard method to improve security of the private keys and certificates requires escrow of the encryption key to prevent possible disclosure of the signature key and thereby invalidate non-repudiation. Generating an email or document and encrypting requires the author to encrypt using the public certificate of the recipient. Normally a user sends out his/her public certificate attached to emails when using S/MIME to facilitate encryption. Thunderbird Claws is one example of email software which supports the standard.
There are 2 levels or classes of user certificates to obtain for certification of a user (Class 1 or 2) and are dependent upon the level of validation required of the user. Businesses require validation of a user with more thorough investigation of the user's identity (Class 2 CA validated user) whereas the Class 1 certificates can be self-generated and validated using a web-of-trust method often used during key-signing parties (often held at Linux conferences). Most home users requiring or wanting to use encryption for email will use PKI instead of using the more complicated CA methods and can use the web-of-trust to provide validation of the sender to the recipient.
This method of encryption is problematic with webmail clients (browsers primarily) as the private key must be kept accessible to the user but not the webmail server. This issue is resolved by GnuPGP or PGP Desktop applications whereby the clipboard is used for signing the message and passing the data back to the browser or webmail client. This method is utilized by Android apps such as Enigmail and K-9 to provide end-to-end encryption of email.
Speaking of end-to-end encryption, S/MIME encryption encapsulation of message bodies includes any attachments which could contain malware targeted at the end users' machine. Given that inspection software must evaluate all data arriving at a system, true end-to-end encryption must be technically broken; This is used throughout most business situations to open and inspect the content of the message(s) and attachment(s).
Common methods:
Proper key storage of the private key must be maintained for future decryption of messages encrypted for S/MIME. Attention to this issue should be provided for proper future access to emails.
Cryptographic services provided by S/MIME:
- Authentication
- Message integrity
- Non-repudiation (signatures)
- Privacy
- Data security (encryption)
To utilize S/MIME, an individual key/certificate is required to be generated by a local, internal or external CA (certificate authority) or from numerous public CAs. The best practices standard method to improve security of the private keys and certificates requires escrow of the encryption key to prevent possible disclosure of the signature key and thereby invalidate non-repudiation. Generating an email or document and encrypting requires the author to encrypt using the public certificate of the recipient. Normally a user sends out his/her public certificate attached to emails when using S/MIME to facilitate encryption. Thunderbird Claws is one example of email software which supports the standard.
There are 2 levels or classes of user certificates to obtain for certification of a user (Class 1 or 2) and are dependent upon the level of validation required of the user. Businesses require validation of a user with more thorough investigation of the user's identity (Class 2 CA validated user) whereas the Class 1 certificates can be self-generated and validated using a web-of-trust method often used during key-signing parties (often held at Linux conferences). Most home users requiring or wanting to use encryption for email will use PKI instead of using the more complicated CA methods and can use the web-of-trust to provide validation of the sender to the recipient.
This method of encryption is problematic with webmail clients (browsers primarily) as the private key must be kept accessible to the user but not the webmail server. This issue is resolved by GnuPGP or PGP Desktop applications whereby the clipboard is used for signing the message and passing the data back to the browser or webmail client. This method is utilized by Android apps such as Enigmail and K-9 to provide end-to-end encryption of email.
Speaking of end-to-end encryption, S/MIME encryption encapsulation of message bodies includes any attachments which could contain malware targeted at the end users' machine. Given that inspection software must evaluate all data arriving at a system, true end-to-end encryption must be technically broken; This is used throughout most business situations to open and inspect the content of the message(s) and attachment(s).
Common methods:
- Store private keys on the gateway server to allow decryption prior to a the gateway malware scan.
- Store private keys in malware scanners to inspect messages and relay the message or a message with infected/blocked status to the user.
Proper key storage of the private key must be maintained for future decryption of messages encrypted for S/MIME. Attention to this issue should be provided for proper future access to emails.
This is an especially important issue home users should consider when using any encryption of their data should they or their families require access in the future. Often this can be resolved by storing the private key on a CD or USB media locked in a vault, safety deposit box or other secured location.
More to come in part 4:
IPSEC, & SSH
(1) - https://en.wikipedia.org/wiki/S/MIME
More to come in part 4:
IPSEC, & SSH
(1) - https://en.wikipedia.org/wiki/S/MIME
Encryption Methods - Part 4
IPSEC:
IPsec can protect data traversing several different communication methods: host-to-host (i.e. one system to another), network-to-network (i.e. one LAN to another LAN) or network-to-host (i.e. LAN to host system). IPsec is commonly used for protection of traffic over the Internet's IP networks.
Protections of Data afforded by IPsec:
- Network-level peer authentication
- Data-Origin Authentication
- Data Integrity'
- Data Confidentiality (encryption)
- Replay protection
The architecture of IPsec includes:
- Authentication Headers (AH) - Protect against replay attacks and provide both connectionless Data Integrity & Data-Origin Authentication
- Encapsulating Security Payloads (ESP) - Confidentiality, Data-Origin Authentication, & connectionless data Integrity when used with Tunnel mode; This protects the complete IP packet. The whole inner IP packet is protected including the
inner header while the outer header including any outer IPv4 options
or IPv6 extension headers remains unprotected. ESP operates directly on
top of IP.
- Security Associations (SA) - algorithms and data parameters for AH / ESP operations.
These are used to encrypt and authenticate a particular data flow in one direction which results in a pair of security associations for normal bi-directional traffic. These use Internet Security Association and Key Management Protocol (ISAKMP), which is implemented by manual configuration with pre-shared secrets IKE and IKEv2, KINK, and the use of IPSECKEY DNS records. RFC 5386 defines Better-Than-Nothing Security as an unauthenticated mode of IPsec using an extended IKE protocol (3).
Transport Mode = host-to-host
Transport mode presents the payload of the IP packet as either encrypted or authenticated with the routing not modified as the header remains unchanged and encrypted. If the authentication header is used, NAT cannot be used as the IP addresses of the system are part of the hashing algorithm. For home users, this presents a problem as most systems in the home are connected via a home router which is performing IPv4 Network Address Translation routing.
Tunnel Mode = network tunneling mode
When using this mode, the complete IP packet is encrypted and authenticated and this is in turn encapsulated into a new IP packet (with a new IP header). VPNs utilize Tunnel mode to create network-to-network communications (e.g. between routers or host to network communications. This method is useful for individuals wishing to maintain privacy while using unsecured networks such as open wireless network hotspots (wifi hotspots) as the tunnel remotes into a more secure network. This allows the user to work using a known and trusted network.
1 - https://en.wikipedia.org/wiki/IPsec
2 - http://tools.ietf.org/html/rfc4301#page-4
3 - https://tools.ietf.org/html/rfc5386
Subscribe to:
Comments (Atom)