Lecture 11: 16th October 2019 Flashcards Preview

CS4203 Computer Security > Lecture 11: 16th October 2019 > Flashcards

Flashcards in Lecture 11: 16th October 2019 Deck (36)
Loading flashcards...

What is x.509?

A standard for the format of public key certificates used in many Internet protocols


How can we implement private comms on the Internet?

We need to make protocols that ensure the source and destination IP addresses and ports and the message body of packets are unreadable


Where can secure comms be implemented in the 5-layer model?

any point


How does security impact network load?

Increases load by ~80-90% due to greater number of packets


What is a MAC?

MAC = message authentication code = A short piece of data attached to messages to authenticate them generated from a keyed hash function using the message data and a symmetric key known to the sender and receiver.


What are MACs aka?

MIC and tag


What are session keys?

Single-use randomly generated symmetric keys used for encrypting communications between two hosts over the course of one connection. They limit the legibility of the messages to only themselves during that session.


What is SSL?

SSL = Secure Sockets Layer = A protocol that enables encrypted communications over a network (the Internet). SSL is at the transport layer, sitting on top of TCP, and provides an application interface for secure and encrypted communications


Where is SSL on the layered model?

the transport layer


How does SSL work?

SSL has normal process of handshake/data exchange/close but also includes choosing the cipher suite and keys in the handshake so that from then all communications are encrypted and secure


What is SSL's flow of control?

TCP handshake:
- A to B : syn (synchronise)
- B to A : syn OK
- A to B : syn OK ack

then comms

- A to B: Fin
- B to A: Fin Ack
(or other way around)

Handshake and fin are unencrypted. Cipher suite choosing and key exchange in "comms" section above, but immediately after handshake


What is a nonce?

"number only once": random number used to identify a communications exchange and establish secure communications; ~ a session key


How are nonces involved with SSL handshakes?

Server sends a nonce back to client with certificate and cipher suite choice


How are ciphers agreed in SSL handshakes?

Client tells server which algorithms it supports; server chooses an algorithm from the list and sends choice


What are some vulnerabilities in HTTPS?

Heartbleed in the past; incorrect usage leads to vulnerabilities; anyone can get CAs; breaches in any CA affects them all and all of them can make a certificate for any site


What is the difference between HTTPS, SSL, TLS, and STARTTLS?

HTTPS = an extension of HTTP implementing secure communication over a computer network that is widely used on the Internet. In HTTPS, the communication protocol is encrypted using TLS or, formerly, its predecessor, SSL

SSL = Secure Sockets Layer = A protocol that enables encrypted communications over a network (the Internet). SSL is at the transport layer, sitting on top of TCP, and provides an application interface for secure and encrypted communications

TLS = A cryptographic protocol implementing secure, encrypted communications over a network. It is at the transport and session layer and is on top of TCP, again providing an application interface for secure and encrypted communications

STARTTLS = An extension to SMTP facilitates secure and encrypted communications between SMTP clients and servers. Tries to use TLS and falls back to SSL.


What is the weakest-link problem with CAs?

The fact that any CA can issue a certificate for any site, a breach in 1 affects all their certificates and all other CAs


Why do cookies present a security vulnerability?

Set-cookie allows inspection and alteration of a user's cookie data by a server


Why do forms on websites present security vulnerabilities?

You can pass scripts to servers in input elements to make them execute. GET requests include parameters in the URL in plaintext, POST requests need a max length, and PHP is susceptible to SQL injections and needs filter sanitising


What is filter sanitising?

Removing certain characters to stop inputs being executable script statements


What are SQL injection attacks?

Using web page inputs to insert SQL statements into a server to execute and perform some malicious actions


How can you use forms to execute JS code?

Put escaped JS code into form inputs to possibly get processed and executed


What is cross-site scripting?

Cross-site scripting (XSS) is when attackers inject client-side scripts into trusted web pages viewed by other users.


How can HTML source code allow footprinting?

Looking at artefacts such as comments, TODOs, etc. might give you clues as to the architecture of the site that may allow you to design a viable attack.


What is session hijacking?

The exploitation of a valid computer session - session key - to gain the ability to authenticate themselves as a different user connected to a server in a session.


What is HTTP response splitting?

When an attacker alters the HTTP responses given by a server to include false endings within their header so the actual response body is ignored, instead returning a payload determined by the attacker. This allows the attacker to include an abrtirary number of headers in a response or even send multiple.


What is cache poisoning?

When a malformed HTTP response, generated by an attacker, is served to multiple users from a web cache until the cache entry from that response is destroyed.


What are the 5 steps in assessing a web service?

1. Identify the web service running – look at HTTP head or use WebServerFP or hmap type tools

2. Identify subsystems and enabled components (extensions, verified and unverified components) such as ASP.NET, Frontpage, PHP,
OpenSSL, IIS ISAPI extensions.

3. Investigate known vulnerabilities in web services – MITRE, CVE, metasploit tools etc for lists or tools such as N-Stealth, nkito (Linux)

4. Identify poorly constructed or protected sensitive data – poor HTTP authentication, URL query strings

5. Assess CGI, ASP etc scripts – look for parm manipulation, filter evasion, patch regularly. Some assessment tools are available such as Achilles, Exodus, WebSleuth.


What are some issues with email services?

Emails have suffered from trojans, vurises, hoaxes and of course spam.

Encryption can be done through PGP (Pretty Good Privacy) or S/MIME (Secure/Mutipurpose Internet Mail Extensions) which was designed to support Internet email. Both are used for Outook, Eudora etc and allow end-to-end security.


How do the transit problems with Internet traffic apply to email?

1. interception - some organisations protect email up to the edge of the network, and some may copy all emails (legal or government companies) as email are evidence or legal documents

2. monitoring - some organisations monitor email for business patterns or for information disclosure. Some companies state they have the right to access email at any time.

3. anonymisation - some companies (Yahoo, Hotmail) offer free email addresses which can be treated as once use disposable emails.

4. remailers - these are 3rd party mailers who forward email onto a designated recipient. The third party keeps detailed records to allow forwarding in both directions to recipient and sender. Essentially this is not anonymity but pseudonimity. However, a TOR like setup can allow a series of co-operating servers to hide sender details under asymmetric encryption.

5. spoofing- the SMTP protocol does not check for legitimacy or accuracy. (See https://tools.ietf.org/html/rfc821 or rfc7435)