
4MMSR - Networks Security 0 - Introduction · 2012. 2. 1.

Date post: 14-Aug-2021

4MMSR - Networks Security
0 - Introduction

Fabien Duchene (1)

(1) Laboratoire d’Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Grenoble INP Ensimag

[email protected]

2011-2012

Fabien Duchene (LIG) 4MMSR-0-Introduction 1/35 2011-2012 1 / 35


Outline

1 Your lecturers
  - Fabien Duchene
  - Karim Hossen

2 Pedagogic contract
  - Objectives
  - Pedagogic organization
  - What is expected from you?
  - Some Resources

3 Security?
  - Why?
  - What?
  - Basic definitions
  - Ethics


Your lecturers Fabien Duchene

Fabien Duchene

Information Security
- 2011: PhD student, LIG, France
- 2010: Implementer, Pentester, Trainer, Sogeti-ESEC, France
- 2009: Security Engineering Intern, Microsoft, France

Teaching@Grenoble:
- 2012: Audit, Forensics, Threats, UJF MSc SAFE, France
- 2011, 2012: 4MMSR-Network Security, Ensimag, France
- 2011: 4MMSR-Information Systems Security, Ensimag, France

- 2011: MS PKI ADCS 2008 R2, Sogeti-ESEC, France
- 2010: Forefront, Microsoft TechDays 2010, Paris, France

http://car-online.fr/en/spaces/fabien duchene/
PGP fingerprint: 8C16 9A97 BD01 19DC BA51 7361 60AC 98E9 E77D 3800


Your lecturers Karim Hossen

Karim Hossen

Career
- 2011: PhD student, LIG, France
- 2010: *** confidential ***
- 2009: Automatic differentiation, INRIA, TROPICS

Teaching
- 2012: Audit, Forensics, Threats, UJF MSc SAFE, France
- 2012: 4MMSR-Network Security, Ensimag, France
- 2011: 4MMSR-Information Systems Security, Ensimag, France
- 2010-2011: 4MMCAWEB - conceiving web application, Ensimag


Pedagogic contract Objectives

Objectives: after that course...

Some cool stuff you will be able to do:
- explain how people recently defaced Rihanna’s website
- understand some parts of how an Iranian nuclear power plant was deactivated using several Windows XP 0 days, a SCADA virus... [Nicolas Falliere and (Symantec) 2011] W32.Stuxnet Dossier
- find and exploit basic vulnerabilities in an application (eg: in memory, web, networks...)
- discuss and manipulate various security topics: Wireless security, Identity Federation, three factors authentication, role-based access control, encryption, IPSec, SOP, XSS, Fuzzing...
- apprehend new IT security concepts in a large distributed corporate environment
- read and intelligibly present security research papers


Pedagogic contract Pedagogic organization

Planning

Lectures
1 - Cryptography and cryptanalysis (K. Hossen)
2 - Network security related attacks
3 - Web Security
4 - In memory exploitation and shellcodes
5 - TBA (P. Malterre)
6 - Web Services Security Testing: some research advances

Or not..
Seminars
Practical exercises

→ Check the 4MMSR ensiwiki!


Pedagogic contract What is expected from you?

Review the courses...

4MMSR - Network Security

- Algorithms: algorithms and data structures
- Language Theories: 3MMTL1
- Operating Systems: 4MMPS, 4MMSEPC
- Assembly languages and C: 3MMCEP, C Project
- Databases: 4MMPSGBD
- Networks: 3MMRTEL, 4MMRES


Pedagogic contract What is expected from you?

What is expected from you?

BEFORE a lecture: (30 min / week)
- review the ASSUMED knowledge slides
- read and understand the slides (prepare questions)
- read some IT security news

DURING: actively and efficiently participate
- take notes (some content is missing in your slide version)
- ask questions ... but also provide answers!
- I don't mind people chatting about the lecture... BUT be on time!
- I accept that people take notes on their laptops BUT: beware some butterfly effect: Do NOT spend your time reading your mails, doing your very next project..
- starting from 2 unjustified absences: Mark adjust = (−1) ∗ (N_absences − 1)

AFTER: (1H30/week)
- Memorize and perform oral feedback the same day we had lecture!
- Practical assessments: (1H/week). Not assessed as such, but the Final CTF like practical exam is worth 5/20 (see next slide)!
- update your synthesis notes... useful for an active learning and the final exams!


Pedagogic contract What is expected from you?

How is your grade computed?

Check out the 4MMSR wiki page!

- Documents: only 1 two-sided A4 page allowed
- Final CTF like practical exam: 5/20, knowledge from the practical assessments required (individual)
- Written examination: 10/20 (individual)
- Security Research Paper talk: 5/20, up to ± 1 point regarding the questions you asked as a member of the audience (groups of 2 persons)


Pedagogic contract Some Resources

Some Resources

At Ensimag
- Your lecturers
- Ensiwiki:
  - 4MMSR, 5MMSSI
  - SecurIMAG
  - A career in information security

Several tools / information sources
- “MISC ED Diamond” French infosec magazine
- RSS, twitter: @SecurIMAGTwitte, @fabien duchene
- #IRC chans


Security? Why?

Cyberwarfare (1)

- suspected Chinese attack for Paris G20 files (2)
- 200+ non-legitimate certificates issued by Diginotar CAs (3)(4)
- Stuxnet targeted industrial Iranian nuclear plants (5)(6)

(1) [Wikipedia 2011a] cyberwarfare
(2) [BBC 2011] Cyber attack on France targeted Paris G20 files
(3) [F-Secure 2011] DigiNotar Hacked by Black.Spook and Iranian Hackers
(4) [community 2011] Chromium Code Reviews
(5) [Wikipedia 2011b] Stuxnet
(6) [Nicolas Falliere and (Symantec) 2011] W32.Stuxnet Dossier


Security? Why?

Underground economy I

[Figure not reproduced] (7)


Security? Why?

Underground economy II

“Cybercrime is costing more than the drugs trade” (8)

cybercrime in 2011
- worldwide: $114 billion; 431 million victims
- USA: $32 billion, China: $25 billion
- France: €1 billion (9 million victims)

- porn:
- botnet: 9,4 million USD for the Zeus botnet (9). Such botnets usually combine spam and phishing.
- underground shops: credit cards, millions of email addresses, root access to some websites, fake drugs

(10)

(7) [Wired 2011] Crime, organized
(8) [Symantec 2011] Norton Cybercrime report 2011
(9) [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010
(10) [Learning from LulzSec: For hackers, automated attacks reign 2011] Learning from LulzSec: For hackers, automated attacks reign


Security? Why?

Business survivability I

Threats to business reputation
- Sony Pictures: Lulzsec published usernames, passwords
- Yale University had 43.000 social security numbers stolen

Figure: Average number of identities exposed per data breach


Security? Why?

Business survivability II

Revenge
- Employees: fired ones, hating their boss

Legal
- PCI-DSS: electronic transactions (a)
- Sarbanes-Oxley Act (b): auditor independence
- California law (c): notify individuals when Personally Identifiable Information is known or believed to have been stolen

(a) [LLC 2010] PCI-DSS v2
(b) [Sarbanes-Oxley Act] Sarbanes-Oxley Act
(c) [Senator 2002] California law - amending SB 1386


Security? Why?

Hacktivism I (11)

Some actions (2009..2011)
- Wikileaks:
- Anonymous: (a)
  - DDoS: paypal, mastercard, twitter, Tunisian government
  - Riots
  - Information release “leakflood”
- Lulzsec: CIA website DDoS, Sony passwords leakage (Memory Vuln + SQLi), Nintendo, X-Factor, pron.com

(a) [Anonymous (hacktivist group)] Anonymous (hacktivist group)


Security? Why?

Hacktivism II (12)

Is this bad?
- Militancy, protests
- Dangerous in some respects:
  - some actions considered as cyber-criminality
  - governments fear civil disobedience

(11) [Hacktivism] Hacktivism
(12) [CLUSIF 2011] Panorama de la Cyber-criminalite - Annee 2010


Security? What?

Security? I

Some security definitions
- “situation in which somebody feels protected from dangerousness” ... relative!
- absolute security does not exist
- “security is a journey not a destination”
- “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts” (a)

(a) [Spafford 1989] Quotable Spaf


Security? What?

Security? II

Security is not about technologies ONLY

[(Microsoft) 2004] Notions fondamentales de securite


Security? What?

Security? III

The attacker vs defender unevenness
1. The defender has to protect all assets; the attacker is free to choose the weakest one
2. The defender can only protect what he knows / is aware of; the attacker can search for any vulnerable assets
3. The defender has to be constantly vigilant; the attacker can attack at any time
4. The defender has to respect the rules (esp. law, money limits); the attacker can do anything


Security? What?

The 10 security laws

If a bad guy ... (13)

1. can persuade you to run his program on...
2. can alter the operating system on...
3. has unrestricted physical access to ...
4. can upload programs to

... your computer/website, it is not yours anymore!

5. Weak passwords trump strong security
6. A computer is only as secure as the administrator is trustworthy
7. Encrypted data is only as (if not less) secure as the decryption key
8. An out-of-date malware scanner is only marginally better than no scanner at all
9. Absolute anonymity isn’t practical, in real life or on the Web
10. Technology is not a panacea: ..people and procedures

(13) [The 10 immutable security laws] The 10 immutable security laws


Security? Basic definitions

security goals/objectives/properties I

- confidentiality (data): (14)
- availability (system):
- integrity (data):
- authenticity (data):
- freshness (data):
- traceability (action):
- non-repudiation (action):
- privacy (identity):

(14) [SPaCiOS 2011] Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors


Security? Basic definitions

threat related vocabulary

- threat: if it happens, invalidates at least one security goal
- vulnerability: property of a system that permits a threat to happen
- exploit(ation): of a vulnerability
- attack: 1+ exploit(s)
- countermeasure: protects from threats
- hardening: implementing countermeasures in a system
- security policy:


Security? Basic definitions

Vulnerabilities impact classification

From the STRIDE classification (15)(16) .. in terms of impact!
- spoofing: usurpation of a legitimate user credential
- tampering: alteration (modification or destruction) of data or system
- repudiation: inability to prove that an action has been performed
- information disclosure: leak of information (data, or system configuration)
- denial of service: inability of the system to serve legitimate users
- elevation of privilege: gain of additional rights allowing the attacker to perform additional actions

(15) STRIDE = enjambée (the French word for “stride”)
(16) [Microsoft 2005] STRIDE threat model


Security? Ethics

Ethics

If you find a vulnerability in an application/system/network that is NOT yours...:

- Do not exploit it (prosecution)
- Report it responsibly
- Be patient and understanding. Patching or correcting a configuration is a matter of risk management


Appendix 0 - introduction summary

0 - introduction summary

- pedagogic contract: students’ behavior, practical assessments, seminars
- infosec motivations: cybercrime, cyberwar, competitors, business reputation, hacktivism
- security properties: confidentiality, integrity, availability, freshness..
- basic security definitions: security policy, threat, vulnerability, exploit, attack ...


Appendix For Further Reading

- Ari Takanen, Jared DeMott, Charlie Miller (2008). Fuzzing for Software Security Testing and Quality Assurance.
- BBC (2011). Cyber attack on France targeted Paris G20 files. http://www.bbc.co.uk/news/business-12662596.
- CLUSIF (2011). Panorama de la Cyber-criminalite - Annee 2010. http://www.clusif.asso.fr/fr/production/ouvrages/pdf/CLUSIF-2011-Panorama-Cybercriminalite-annee-2010.pdf.
- community, Open source (2011). Chromium Code Reviews. http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc.
- Ensiwiki (2011). A career in information security. http://ensiwiki.ensimag.fr/index.php/A_career_in_Information_Security.
- F-Secure (2011). DigiNotar Hacked by Black.Spook and Iranian Hackers. http://www.f-secure.com/weblog/archives/00002228.html.


Appendix For Further Reading

- Learning from LulzSec: For hackers, automated attacks reign (2011). http://venturebeat.com/2011/07/28/hacker-lulzsec-imperva/.
- LLC, PCI Security Standards Council (2010). PCI-DSS v2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf.
- Microsoft (2005). STRIDE threat model. http://msdn.microsoft.com/library/ms954176.aspx.
- (Microsoft), Cyril Voisin (2004). Notions fondamentales de securite.
- (Microsoft), Technet. The 10 immutable security laws. http://technet.microsoft.com/en-us/library/cc722487.aspx.
- Nicolas Falliere, Liam O Murchu and Eric Chien (Symantec) (2011). W32.Stuxnet Dossier. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
- Nikam, Rajesh (2011). Introduction to Malware & Malware Analysis. http://chmag.in/article/sep2011/introduction-malware-malware-analysis.


Appendix For Further Reading

- Senator (2002). California law - amending SB 1386. http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.
- SPaCiOS (2011). Analysis of the relevant concepts used in the case studies: applicable security concepts, security goals and attack behaviors. http://www.spacios.eu.
- Spafford, Eugene H. (1989). Quotable Spaf. http://spaf.cerias.purdue.edu/quotes.html.
- Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16.
- Wikipedia. Anonymous (hacktivist group). https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous(group).
- Wikipedia. Hacktivism. https://secure.wikimedia.org/wikipedia/en/wiki/Hacktivism.


Appendix For Further Reading

- Wikipedia. Sarbanes-Oxley Act. https://secure.wikimedia.org/wikipedia/en/wiki/Sarbanes–Oxley_Act.
- Wikipedia (2011a). cyberwarfare. https://secure.wikimedia.org/wikipedia/en/wiki/Cyberwarfare.
- Wikipedia (2011b). Stuxnet. https://secure.wikimedia.org/wikipedia/en/wiki/Stuxnet.
- Wired (2011). Crime, organized. Available at http://www.wired.com/magazine/2011/01/ff_orgchart_crime/.


Bonus slides

Some Information Security jobs

- hacker (17)
- security researcher / vulnerability analysts
- penetration tester / auditors (18)
- software security testers
- IT security:
  - IT security mechanisms implementer
  - CISO (Chief Information Security Officer)

(17) [Ari Takanen 2008] Fuzzing for Software Security Testing and Quality Assurance
(18) [Ensiwiki 2011] A career in information security


Bonus slides

Common misconceptions - best dummies quotes

“Our corporation is secure because...”
- firewall, IDS/IPS
- checksums thus integrity guaranteed
- no networks connected to the internet
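
The "checksums thus integrity guaranteed" misconception, as an added example that is not part of the original slides: an unkeyed checksum catches accidental corruption, but whoever can change the data can also recompute it, whereas a keyed MAC cannot be refreshed without the key. The record, the key handling and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def attach_checksum(data: bytes) -> str:
    """Unkeyed SHA-256 digest shipped next to the data."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest)


def attach_mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag; only holders of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(attach_mac(key, data), tag)


def corrupt(data: bytes) -> bytes:
    """Accidental damage: one flipped bit, attached value left untouched."""
    return bytes([data[0] ^ 0x01]) + data[1:]


def modify_and_refresh(data: bytes) -> tuple[bytes, str]:
    """Deliberate change by a party without the key: the data is altered and
    the attached value is recomputed with the public hash function."""
    altered = data.replace(b"amount=100", b"amount=900")
    return altered, hashlib.sha256(altered).hexdigest()


def run_demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)             # assumed to be shared out of band
    record = b"transfer to=alice amount=100"  # constructed sample record

    digest = attach_checksum(record)
    tag = attach_mac(key, record)
    altered, refreshed = modify_and_refresh(record)

    return {
        # The checksum notices random damage ...
        "checksum_catches_corruption": not verify_checksum(corrupt(record), digest),
        # ... but accepts altered data whose digest was simply recomputed.
        "checksum_catches_modification": not verify_checksum(altered, refreshed),
        # The MAC rejects both, since a valid tag requires the key.
        "mac_catches_corruption": not verify_mac(key, corrupt(record), tag),
        "mac_catches_modification": not verify_mac(key, altered, refreshed),
        "mac_accepts_original": verify_mac(key, record, tag),
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```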


Bonus slides

MALicious softWARES (malwares) categorization I (19)

- virus: self-replicating program injecting itself into a “host” (script, process...)
- worm: autonomous self-replicating program
- trojan horse: apparently useful software but with hidden malicious functionalities
- spyware: gathers personal or confidential information without the user's consent and sends it to a remote server
- backdoor: permits remote code execution on the victim’s computer and opens a communication channel to which the attacker connects
- hacktool: tools used by attackers to get access to the system. hacktools try to exploit vulnerabilities


Bonus slides

MALicious softWARES (malwares) categorization II

- rootkit: actively hides from the OS, usually has the ability to interact at a low level (I/O such as keyboard, mouse, display..)
- rogue application: “fake” application which poses as a security solution (eg: faking malware detections). Usually misleads the user into paying for a pretended removal of malware.

(19) [Nikam 2011] Introduction to Malware & Malware Analysis

