Memorize-y stuff! Flashcards
(128 cards)
1
Q
STRIDE
A
Spoofing (authenticity), Tampering (integrity), Repudiation (accountability), Info Disclosure (confidentiality), escalation of privilege (authorization)
2
Q
ACL
A
Access Capability List: answers the question: “what SUBJECTS have access to a specific object” (think: VIP list)
3
Q
Capability
A
A row in Access control matrix. Answers the question: “What OBJECTS does a singular subject have access to” (think: what is in my backpack)
4
Q
What are the 3 reference monitor requirements?
A
1) Always-invoked
2) Tamper-proof
3) verifiable (simple design + easy to analyze)
5
Q
RC4
A
Ron’s Cipher 4. Created in 1987- INSECURE
6
Q
ChaCha20
A
Standard cipher algorithm used. SECURE
7
Q
HMAC-SHA2
A
Standard SECURE MAC function used
8
Q
AES-CBC-MAC
A
Somewhat standard MAC funciton used, but bug prone.
9
Q
AES (what are its 3 main modes)
A
Advanced Encryption Standard (a block-cipher). It has 3 modes: GCM= authenticated encyrption (gold standard). ECB= broken mode, CTR&CBC= not broken, but no integrity
10
Q
MD5
A
Very broken Hash function
11
Q
SHA-1
A
Another very broken hash function (not as broken as MD5)
12
Q
SHA2, SHA3
A
standard hash functions! SECURE
13
Q
RSA
A
Way to generate PK and SK (uses a lot of special math!)
14
Q
MAC Address
A
48 bits, permenantly installed in hardware, used to network on L2 (datalink layer), made for local networks to be addressable
15
Q
IP Address
A
32-bits, operates on layer3 (network layer). Prefix = network, suffix = host
16
Q
Private vs Public IP Address
A
Private is used for local network communication (starts with 192 or 176), can be duplicated if they are in different local networks. Public is for outside of local network. They cannot be duplicated
17
Q
CIDR
A
Classless InterDomain Routing: standard for IP address to have a custom prefix length for their network. Depending on how many hosts are using that network, it might be good to have a larger or smaller mask. Denoted with IPadd xx.xx/26 <- /number = network mask
18
Q
WEP
A
Broken form of Wi-Fi encryption (due to reusing nonces). Not used anymore
19
Q
WPA
A
Vulnerable form of wi-fi encryption. Not the standard anymore
20
Q
WPA2 or WPA3
A
Both secure forms of wifi encryption
21
Q
Hierarchy of IP Address allocation
A
Starts with ICANN -> regional internet registeries (like ARIN) -> Large institutions (ISPs, like Qwest) -> smaller institutions (like UChicago) -> individuals
22
Q
DHCP
A
Dynamic Host Configuration Protocol: THe way to connect to network to get an IP address
23
Q
What important components are contained in the IP header?
A
length in bytes, TTL, protocol, source address, destination address
24
Q
What is contained in the IP datagram?
A
IP header - TCP/UDP header - TCP/UDP payload
25
AS
Autonomous System: A collection of IP prefixes that are under the control of a single entity (like Qwest, AT&T, etc)
26
Intra-AS routing
All under the same AS domain- uses Link State protocol to take care of all routing
27
Inter-AS routing
How we route across various AS's- privacy between each AS. Uses BGP (a type of path vector/distance vector protocol) to route
28
Link State Routing
Every single node knows the entire network topology of the network. Each node uses Dijkstra's algorithm to compute the best path towards each node
29
Distance Vector (Path vector/BDG)
Each node only knows its own neighbors' closest distances. Sends these tables to their neighbors and updates their own table with information given from their neighbors.
30
TCP
Transmission Control Protocol: The standard protocol for sending packets back and forth between networks
31
What are some of the important components in the TCP header?
Source port, desintation port, SEQ #, ACK #, flags
32
FIN, SYN, RST, ACK
Flags sent in the TCP header. Finish (done sending data), SYN (synchronize), ACK (acknowledge), RST (reset - terminates port connection)
33
What are the corresponding TCP default port #s for these: SSH, DNS, HTTP, HTTPS
22, 52, 80, 443
34
3-way handshake (and what happens afterwards)
1) Client sends SYN with c-seq = x
2) Server sends SYN-ACK with s-seq = y, ack = x + 1
3) Client sends ACK with ack = y + 1, seq = x + 1
After, data is sent between them with the seq# being the number of len of bytes sent over
35
DNS
Domain Name System:How we map from IP addr -> real name
36
nslookup
A command in the terminal to see the IP address of a domain
37
ICANN
Internet Corperation for Assigned Names and Numbers: A non-profit org that controls + gives the assignments of IP addresses and domain names
38
Resource Records (3 main types)
A = Address (IP address)
NS = Name Server (a DNS server)
MX = Mail exchanger (names of mail servers)
39
Ping of Death
An attack on availability. (in the past) you could send a huge ping larger than the max size to cause a buffer overflow to the server. (server is supposed to respond with a PONG) but instead crashes the server
40
traceroute
A terminal command to find scan the route that packets would take between your IP address and the target domain. Sends repeated ICMP requests with increasing TTL
41
Nmap
Not necessarily an attack? but it is a terminal command to discover the various devices/services running on a network.
42
SYN scan
Attack adjacent: send a SYN and figure out some stuff based on a response:
SYN-ACK = port is open
RST = port is closed
--- (nothing) = filtered (ex: firewall)
43
Side Channels (2 main ones)
Under TLS you can still patch together information about packets sent over network. These are namely the size of packets (# bytes sent over) and research has been done to show that timing is also a somewhat feasible side channel
44
Blind Spoofing
Attack: Sending a SYN with a spoofed src IP address. Server will respond with a SYN-ACK to this separate IP address and in order to open up the forged connection, you have to guess the server's SEQ number in return to send an appropriate ACK number in response.
45
RST Hijacking
Attack: Spoofing a src IP address and sending a RST flag at a certain port to close the connection at the port. Used for censorship
46
BGP Prefix Hijacking (2 main goals from this)
Attack: Falsely advertising a BGP network route as "more desireable" to purposefully direct traffic through that route.
1- route the traffic through a specific route with networks that you control to snoop on the traffic
2- an attack on availability (DoS) by sending a ton of traffic to a specific person
47
S-BGP or BGPsec
Defense: A way to defend against BGP prefix hijacking by including digital signatures on the BGP prefixes. Not widly adopted because it's costly
48
DNS Cache Posioning
Attack: An attacker can give a local DNS server a falsely mapped IP address to map a user to a malicious site
49
QID
Query ID: A QID is sent in the DNS packet header. This QID must match when the DNS server returns an IP address. Randomizing the QIDs is a way to defend against DNS cache poisoning, but you can also brute force try to guess the QID (it is 16 bits)
50
Kaminsky Attack (2008)
You can spoof an entire xxx.domain.com zone by making a ton of DNS queries to the subdomains and trying to guess the QIDs. If any one of these QIDs is correctly guessed, you poison the DNS cache for the entire .bank.com domain.
51
DNSSEC
Defense: A defense for trying to get DNS responses signed. Hard to adpot (costly and slow)
52
DDoS
Distributed Denial of Service (attack): Many botnets or volunteers create a DoS attack by overloading one specific server.
53
SYN Flood
Attack: DDoS attack that sends a ton of SYN packets. Whenever a server recieves a SYN, it needs to open a corresponding TCB (tranmission control block) on the kernel memory. If you flood the victim with SYN packets, you will crash the OS by exhausting kernel memry.
54
Smurf Attack
DDos Attack: attacker sends many ping requests with spoofed victim IP address. PONG gets sent back to this victim many times over
55
Smurf Attack Amp Factor
Defined as the total response size/request size. The larger response size compared to the request size the attacker needs to send will increase attack's strength
56
DNS Reflection Attack
A type of DDos attack: Spoof DNS requests to a ton of DNS resolvers. Will overwhelm the victim IP address with responses of DNS.
57
CDNs
Content Delivery Networks: these are sort of intermediate servers that are connected to the root server. Is a nice defence against DDoS because now each large domain will have multiple servers without access to the master server.
58
BotNets
These are specific attack machines that are used/created specifically by attackers. They have unique IP addresses. They are even monotized.
59
DOM
Document Object Model: How a webpage is defined. Built up of various HTML components.
60
HTTP
Hypertext Transfer Protocol: Message sent by a client to a server asking for a specific resource or action.
61
HTTPS
HTTP request but sent over TLS (request and response are encrypted)
62
Same-Origin Policy (SOP)
Web defense: prevents malicious DOM access. Only the origin who loaded the script can access the DOM. (not where the script comes from , but where it LOADS from)
63
Iframes
Inline frames: allow you to embed a webpage inside another webpage.
64
CORS
Cross Origin Resource Sharing: relaxes SOP- basically a set of rules you can put in the header that will specify when other origins can violate SOP on your origin. Include crossorigin="" in the script header
65
CSRF
Attack- Cross-Site Request Forgery: When a user is validly logged on, trick them into doing something (like sending a request).
66
CRSF Token
Defense against CRSF: A random input value "token" is known to the main website (not to the attacker). It is inserted into a hidden field in any forms that get sent. In order for any HTTP request to be valid, the CRSF token must be sent over.
67
XSS
Attack: Cross-Site Scripting: You can inject javascript into another page to make them run something without their knowing
68
Reflected XSS
A type of XSS where the javascript is only there temporarily- the user gets tricked into clicking the link or navigating to the script
69
Stored XSS
A type of XSS where the Javascript is there for everyone all the time (like the comments section of a page)
70
CSP
Content Security Policies: A defense against XSS attack. It specifies where certain content is allowed to be loaded from
71
Prepared Statements
A defense against SQL injection. It separates the data from the SQL query itself.
72
CMS
Content Management System: Softwares used to create/publish websites without too much technical knowledge (ex: wordpress, drupal, etc)
73
First-Party Tracking
Tracking via the site you currently on (on search engines or shopping sites). Can use cookies, javascript or URL parameters to do the tracking. Examples: website analytics, session data
74
Third-party tracking
As a result of your visiting a certain page, other sites (origins) are contacted as a result. (Ex: 3rd party ads that show up)
75
Browser Fingerprinting
A way to track users without using cookies. Identifies features of the browswer that are unique to the user's machine (fonts, user-agent string- NOT IP address)
76
FLoC
Federated Learning of Cohorts: A privacy focused proposal from Google. It tried to replace third-party cookies by instead using a sort of browser-fingerprinting (but via clusters of cohorts)
77
Topics API
An alternative by Google from their FLoC initiative to try and walk away from third-party cookies. Addresses criticisms of FLoC
78
"Enterprise"
A company/organization/instituation. (Ex: Google, Microsoft, American Red Cross, University of Chicago)
79
"Enterprise Security"
Large scale security systems to protect enterprises. Specifically- corporate machines/devices, money/trade secrets, specific datasets
80
Enterprise Network
Set of all devices + assets under an enterprise (devices, cloud services, datasets, etc)
81
# [](http://)
Border Firewalls
Any connections that are from external IP (not inside of enterprise network) must go through firewall- sort of like a filter.
82
Conti Ransomeware Attack on Ireland HSE
In 2021 there was a major 700 GB data breach ransomware attack (locked out the victim/encrypted their data and then demanded ransom for restored access) Steps:
1) Attacker was able to download malware on an employee's machine via a suspiscious email attachment
2) Attacker got SSH key added to verified key, created SSH connection outside of the enterprise network
83
Command and Control (C2)
Attacker needs to establish a C&C base inside of the enterprise network to allow the outside attacker from communicating inside. Attacker cannot communicate outisde in, the C2 base needs to innitiate communcation inside-out. Also, attacks take a long time- cannot just have a single network session open for a super long time.
84
Beaconing
A C2 protocol where the infected machine conitnuously contacts the outside attacker for new instructions (since the outside attacker cannot initiate instructions on its own)
85
Internal (local, active directory) Reconnaissance (reconn) + network scanning
In an enterprise attack, process of identifying other machines in the enterpriss.
Local: looking through the infected machine itself (browser/shell/app history etc)
Active Directory: queries to the central authentication + directory databases
Network scanning: probing IP addresses to ifnd machines + vulnerable services
86
Cyber "Killchain" (4 steps)
A typical enterprise attack structure
1. Initial Reconn to find vulnerabilities
2. Initial access + foothold (access to C2 base inside)
3. Internal expansion (gain extra privileges, more reconn)
4. Complete mission (data encryption/stealing, launch ransomware... etc)
87
Network Segmentation & Bastion hosts
A defense for enterprise security: Further internal firewalling to strengthen isolation. Certain similar machines are grouped together and protected with an aditional firewall
88
Zero Trust Model
Enterprise security defense: requires every piece of data to be authetnicated. Minimum permissions needed. (2FA, time of request checks, checking network properties + requesting device, checking if the device has been recently anti-virus scan etc)
89
Network Intrusion Detection (NIDS)
Enterprise security defese: A combination of software + hardware (**in between firewall and enterprise network**) to detect + terminate bad traffic
PROS
90
HIDS/EDR (Host-Based Intrustion Detection)
Individual software installed on each enterprise machine to detect + terminate malicious seeming activity (basically Anti Virus, rebranded to be Endpoint Detection & Response)
91
SIEM
Security Information and Event Management System: aggragate logs from NIDS and HIDS to analyze data to detect any trends etc (security purposes)
92
Signature-based Detection
A way of determining if an activity is an attack by writing *specfic* rules about what is and is not attack
93
Specification-Based Detection
Ways to determine if something is an attack via writing only rules on legitimate behavior. Anything else = attack
94
Supervised Detection
Form of ML based detection: learn the characteristics of attacks + train model based on prior attacks
95
Anomaly Detection
ML-Based Detection- training the model on BENIGN behavior. Everything else = attack
96
Explicit Authentication
Either single-factor or multi-factor authentication (explicitly Y or N)
97
Implicit Authentication
Continuously determining authentication based on behavior of the user.
98
Risk-based Authentication
When you vary the authenticaiton requirments based on the estimated risk
99
Phishing attack
Password-based attack: tricking the user into giving up their credentials, thinks that you are a legitimate, trusted system. **Spear** phishing is a subset of this where a *specific* user or target is pinpointed- these attacks are much more personalized
100
Shoulder Surfing
An attack against passwords: simply physically observing someone entering their credentials
101
bycrypt and scrypt
the best password hashing algorithms! takes forever to unhash them
102
Salting
A defense against password attacks: passwords are hashed with a "salt" string to make it more difficult to unhash. These are stored alongside the password. Defends against rainbow tables. The more accounts in the database, the more difficult it becomes to crack the passwords with salting
103
Pepper
A form of password salting where the salt is stored secretly and is the same for every single password. Not commonly seen
104
Online Password Attack
An attacker will try to enter multiple passwords online. Rate-limited, not very effective
105
Offline Password Attacks
Attacker obtains the password database of hashed passwords (maybe via SQL injection) + username combos and tries to crack them
106
Shannon Entropy + a-guesswork
A statistical approach to measure passwords. Shannon entropy uses entropy of password- this does not consider real, human tendencies when creating passwords. Also requires a large sample in order for it to be accurate
107
Parametaized Guessability
A way of analyzing password strength: given a particular cracking algorithm, how many guesses would it take to crack it?
108
Wordlist
Password cracking technique to simply hash a set of predetermined words to try and find matches
109
Mangled Wordlist Attack
Password Cracking attack: Take a simple wordlist, then modify it using a rulelist (ex: replace a->4) for every combination
110
John the Ripper
A password cracking software. Iterates each rule over the entire wordlist until the rules are exhausted
111
Hashcat
A password cracking software: iterates each word over each rule until the words are exhausted
112
Mask attack
A brute force password cracking attack that finds every single combination of characters that satisfy the mask.
113
Markov Model
A password cracking model that predicts the next character of a password based on the probability it had from the entire password base
114
Probabilistic Context Free Grammar
PCFG: a type of slow password cracking that uses grammatical rules to crack passwords
115
Password Composition Rules
A method to get users to make better passwords: defines certain rules their passwords must comply to (ex: needs to have a number). In practice, this is pretty predictable though
116
Single Sign-On: Shibboleth
A way to allow access to many types of domains when you are already signed in
117
FIDO2
A passwordless authentication mechanism that uses public-key cyrpto.
118
Passkeys
A FIDO2 / web Authn method that syncs your private key across your devices
119
Out-of-order exectuion
The CPU will execute code instructions *out of order* compared to the code. This speeds up the process if you're waiting on a certain value to be computed but can still sort of "multitask" with other instructions
120
Speculative (predictive/eager) Execution
When at a conditional branch, instead of waiting to figure out which branch to take, just take it. Either: predictive (guess which one) or eager: taking both branches
121
Spectre Attack
An attack that takes advantage of the CPU speculative exectuion. If an instruction was mistakenly, speculatively executed, it will be cached in the CPU no matter what. The most common way: reading data that is not typically allowed to be accessed. With speculative execution, a conditional branch might end up reading data from an array offset that is not typcially permitted, but the CPU will cache this data no matter what. You can measure the time it takes to input data into the cache (cannot actually read it) and slowly read memory byte by byte. Time-based attack. Can leak browser cache, session key, sensitive information.
122
Meltdown Attack
You can attempt to access memory that is not allowed at a conditional branch. Due to speculative execution, the CPU will access this memory anyway and cache it. They can figure out what this memory is via a timing side channel- they will read each page of memory, and almost all of them will be slow. If one is slightly faster, it means it was cached!
123
KAISER/KTPI
Kernel Page Table Isolation: A way to mitigate against meltdown attacks. It separates the kernal page tables from other parts of memory. This does impact performance though
124
Heartbleed
A bug found in the OpenSSL code. Mainly a result of no code review/underfunded non profit projects
125
Zoom Crypto Bug
| From reading
It was found that zoom used AES-ECB which is a widly known AES method that has been deprecated because it is insecure. The cipher text reveals information about the plaintext in this mode
126
Terrapin Attack
| From reading
A MiTM attack on SSH channel that uses prefix truncation to intercept the very beginning of the SSH handshake
127
Let's Encrypt ACME Protocol
| From the reading (also mentioned in slides though)
ACME protocol automates the process of obtaining a valid certificate. When a domain requests a certificate, Let's Encrypt sends back a "challenge" request for the domain to prove themselves. Ie- this can be either in the form of a special DNS query or putting a certain piece of data on their server
128
