Saturday, August 8, 2009

Intro to Security,Security Design and Security Threats part 2

Introduction:

In the previous part we talked about introduction security concepts and now in this part we will be talking about security threats and hacking attempts beside security design and how to build a secure solution along.

A Secure Solution!

Let’s start by this hacking wise quote:

“Give a man a crack, and he'll be hungry again tomorrow, teach him how to crack, and he'll never be hungry again."

In some sense, a knowledgeable software hacker is one of the most powerful people in the world today. Most outsourced software (software developed off-site by contractors) is full of backdoors and is extremely difficult to audit independently. Companies that commission this kind of software have not traditionally paid any attention to security at all. Computer security vendors have overpromised and under delivered with classic network security approaches. Not enough attention has been paid to software security and thus we have all these unsecure systems.

Hacker:

A hacker is a person who breaks into computers, usually by gaining access to administrative controls and be able to modify computer hardware, or software.

Hacker Types:

-White hat

A white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. Exposes the weakness in a way that will allow the system's owners to fix the breach before it is can be taken advantage by others. Methods of telling the owners about it range from a simple phone call through sending an e-mail note to a Webmaster or administrator all the way to leaving an electronic "calling card" in the system that makes it obvious that security has been breached. This type of hacker enjoys learning and working with computer systems, and consequently gains a deeper understanding of the subject. Such people normally go on to use their hacking skills in legitimate ways, such as becoming security consultants. The word 'hacker' was originally used to describe people such as these.

While white hat hacking is a hobby for some, others provide their services for a fee. Thus, a white hat hacker may work as a consultant or be a permanent employee on a company's payroll. A good many white hat hackers are former black hat hackers

-Black hat

A black hat hacker is someone who subverts computer security without authorization, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some future purpose. The black hat hacker may also make the exploit known to other hackers and/or the public without notifying the victim. This gives others the opportunity to exploit the vulnerability before the organization is able to secure it.

-Grey hat

A grey hat hacker is a hacker of ambiguous ethics and/or borderline legality, often frankly admitted. He may use his skills for legal or illegal acts, but not for personal gains. Grey hackers use their skills in order to prove themselves that they can accomplish a determined feat, but never do it in order to make money out of it. The moment they cross that boundary, they become black hackers.

-Script kiddie

A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others. The typical script kiddy uses existing and frequently well-known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet - often randomly and with little regard or perhaps even understanding of the potentially harmful consequences. Hackers view script kiddies with alarm and contempt since they do nothing to advance the "art" of hacking but sometimes unleashing the wrath of authority on the entire hacker community.Also referred to as a Skiddiot.

-Hacktivist:

A hacktivist is a hacker who utilizes technology and uses the same tools and techniques as a hacker, but does so in order to disrupt services and bring attention to announce a social, religious, or political message. In general, most hactivism involves website defacement or denial-of-service attacks.

With great software solution comes great vulnerabilities:

As new businesses take shape, new threats need to be identified and mitigated to allow for the continued success of those businesses. Over time, new businesses can use additional security technology to mitigate such threats. So what makes these threats in the software that we develop?

Three factors work together to make software risks. We call these factors the trinity of trouble. They are:

Complexity:

Modern software has a lot of features and as a rule thumb the more feature you have the more code you will write and as another rule of thumb the more code you have the more complex and it will become more and more complicated in the near future. For example, in 1983 Microsoft Word had only 27,000 lines of code (LOC) by 1995 it was up to 2 million

Some estimates were made about the number of bugs per thousand lines of code (KLOC) and these estimates shows that there exist 5 to 50 bugs per KLOC. Even a system that has undergone rigorous testing will still contain bugs (around five bugs per KLOC).

Assuming there is only 5 bugs per KLOC and assuming also we have a program that is 10 KLOC so this mean we have about 50 bugs so that attacker have 50 way to exploit our software.

Extensibility:

Most modern operating systems support extensibility through dynamically loadable device drivers and modules. Today's applications, such as word processors, e-mail clients and Web browsers, support extensibility through scripting, controls, components, dynamically loadable libraries, and applets.

Unfortunately, the very nature of modern, extensible systems makes security harder. For one thing, it is hard to prevent malicious code from slipping in as an unwanted extension.

Analyzing the security of an extensible system is much harder than analyzing a complete system that can't be changed. How can you take a look at code that has yet to arrive? How can you even begin to anticipate every kind of mobile code that may arrive? That’s why it is harder to design security for extensible systems

Connectivity:

The growing connectivity of computers through the Internet has increased both the number of attack and the ease with which an attack can be made.

Because access through a network does not require human intervention, launching automated attacks is easy.

If vulnerability is uncovered, attackers will steal the information and post it on a Web site and a million people can download the exploit in a matter of hours, deeply impacting profits immediately for financial organizations for example.

Next we need to move on to see some of these threats.

Hacker Attacks:

-Defacement:

Defacement in which attackers replace legitimate pages of an organization’s web site with illegitimate ones. In such defacement attacks, attacker attacks a website and changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their.

Defacement is a very different type of threat than what other web sites, such as financial
Site or e-commerce vendors, might face. The attackers of these web sites may be most interested in compromising bank accounts or conducting credit card fraud. Therefore, how we design systems to be secure against attacks is dependent on the type of threats that we expect them to face.

-Social engineering:

Social engineering is the act of manipulating people into performing actions or leaking confidential information. While similar to a confidence trick or simple fraud, the term typically deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

-Pretexting:

Is the act of creating and using an invented scenario to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

-Phishing:

Phishing is an attack in which an attacker (in this case, a phisher) sets up a spoofed web site that looks similar to a legitimate web site. The attacker then attempts to lure victims to the spoofed web site and enter their login credentials, such as their usernames and passwords .In a phishing attack, attackers typically lure users to the spoofed web site by sending theme-mails suggesting that there is some problem with their account, and that the user should click a link within the e-mail to “verify” their account information.

The link included in the e-mail, of course, is to the attacker’s web site, not the legitimate site. When unsuspecting users click the link, they arrive at the spoofed site and enter their login credentials. The site simply logs the credentials (attempts to acquire sensitive information such as usernames, passwords and credit card details) and either reports an error to the user or redirects the user to the legitimate site (or both). The attacker later uses the logged credentials to log into the user’s account and transfer money from the user’s account to their own.
Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.

-IVR or phone phishing:

This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.

-Pharming (AKA DNS CACHE POISONING):

Pharming is another attack in which a user can be fooled into entering sensitive data into a spoofed web site. It is different than phishing in that the attacker does not have to rely on the user clicking a link in an e-mail. With pharming, even if the user correctly enters a URL or web address, the attacker can still redirect the user to a malicious web site.
When a user enters a URL for example www.google.com the browser needs to first figure out the IP address of the machine to which to connect. It extracts the domain name, www.google.com, from the URL, and sends the domain name to a domain name server (DNS).
The DNS servers are computers responsible for resolving Internet names into their real addresses (translates the domain name to an IP address). The browser then connects to the IP address returned by the DNS and issues an HTTP request for index.html.

The attacker will send incorrect DNS information which can cause traffic to be diverted. The DNS information can be falsified since name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct webserver such as a bank and capture information from customers when they attempt to logon

-Denial-of-Service (DoS)

Another significant threat that e-commerce and financial institutions face are DoS attacks. In one type of DoS attack, the attacker sends so many packets to a web site that it cannot service the legitimate users that are trying access it. An e-commerce site can end up losing money and revenue as the result of such a DoS attack because its customers will not be able to conduct transactions or make online purchases.

-Ping broadcast:

A ping request packet is sent to a broadcast network address where there are many hosts. The source address is shown in the packet to be the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses which will cause it to be unable to operate on the network for some time, and may even cause it to lock up. The attacked computer may be on someone else's network. One countermeasure to this attack is to block incoming traffic that is sent to a broadcast address.

-Ping of death:

An oversized ICMP datagram can crash IP devices that were made before 1996.

-Teardrop:

A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host which can cause a buffer overflow and possible system crash on many operating systems

Security Designing:

Designing security in a software application should be taken into consideration in the very beginning of designing the software itself and not build the software application and then we remember that we need some data to be secured so we then implement a security module, this scenario turned out to be very bad (adding security at the very end of software application development).

Let’s take Windows 98 as an example for this bad practice, after developing the core system, windows team felt that they need to add security to their system to build a secure system (as it was a new thing at this time :D hey this is Microsoft so we need to add the latest things into our system said one of the windows team member)

So security wasn’t taken into consideration from the beginning which caused a lot of problems, for instance in windows diagnostic mode no username and password were required even if they are required when you access the windows in a normal mode so this would give any user the ability to access the hard disk and any sensitive data on it without entering a username or password but if the security was taken into consideration from the beginning this would have been working fine now.

Other people might say: ok we built an unsecure system so what? We will have another system to secure access to our system

For example a firewall which is used by all the organization to secure their system on the internet so they just monitor and filter the requests to their application and if they found any suspicious request they might block it , but that’s not enough as some hackers can bypass the firewall and now your application wont survive their attack.

Conclusion:

as we have seen what motivates the hacker to do hacking and what types of attacks they can do we also talked about security design and we should take into our consideration security in the very first steps of developing the solution and not just add the security as a feature (after we build our solution) at the end, in next part we will continue talking about security design principles as we did in this part so stay tuned ;)



Read more!