Courses/Computer Science/CPSC 526.F2015/Lecture Notes
- 1 September 8: Intro and Overview
- 2 September 10: Important Concepts, Basic Threats and Adversaries
- 3 September 15: Intro to the Deception Surface: Setting up a Network From Scratch
- 4 Sept 17
- 5 Sept 22
- 6 Sept 24: Network Recon: Understanding the State of Alice, Bob, and Everyone in Between (Scanning, Sniffing, etc.)
- 7 Sept 29: Network Recon: Scanning + Sniffing
- 8 Oct 1: Ethics of Network Traffic Sniffing
- 9 Oct 6: Firewalls
- 10 Oct 8: Firewalls (cont.)
- 11 Oct 13: A Motivating Threat: Internet Worms
- 12 Oct 15: No lecture
- 13 Oct 20: Introduction to Authentication
- 14 Oct 22: Password-based Authentication Lulz
- 15 Oct 27: Authentication Protocol Basics
- 16 Oct 29: Protocol Pitfalls
- 17 Nov 3: Advanced Password-based Authentication
- 18 Nov 3
- 19 Nov 5
- 20 Nov 10
- 21 Nov 12: No Class (Reading Week)
- 22 Nov 17
- 23 Nov 19: Guest Lecture by Prof. Aycock
- 24 Nov 24
- 25 Nov 26
- 26 Dec 1
- 27 Dec 3
- 28 Dec 8
September 8: Intro and Overview
- Course policies, grading, etc. (Course Outline, Description, Syllabus)
- Concepts / Organization
With some background in security concepts and principles, we set security challenges and problems into a networked environment. Basic crypto primitives become building blocks of systems whose major focus is authentication and protecting the confidentiality and integrity of communications channels. This major topic is complemented with a variety of security mechanisms that attempt to provide C-I-A in other ways (e.g., firewalls, IDS, authentication systems & standards).
- Topics (i.e., knowledge & skills I want you to know by the end of the semester)
- common networking tools
- bit-level agility (packet crafting)
- working knowledge of common applied crypto
- authentication and secure protocols (design and major examples)
- network security application domains: routing security, web security
- network security mechanisms: firewalls, IDS, etc.
- Semester Highlights
- PGP key signing party
- web application hacking (Google Gruyere)
- build a VPN
- build a CA
- network introspection
- Write your "Question of the Day": this is one question about network security that you want answered by the end of the semester
- include your real name
- include a pseudonym if you wish
September 10: Important Concepts, Basic Threats and Adversaries
Today, we will briefly discuss some security concepts and then dive into a reminder and refresher of some basic Unix networking tools. Our goal is to get two computers, Alice and Bob, to exchange traffic.
Questions of the Day:
Results of Poll: out of 25 votes as of 10:15am, 19 people have not taken CPSC 418 or are taking it concurrently. We will dedicate the opening weeks of tutorials to providing a high-level overview of basic crypto concepts and terminology as well as an introduction to some crypto libraries.
September 15: Intro to the Deception Surface: Setting up a Network From Scratch
We will start with a QoD that leads us back to a discussion of basic network security threats and concepts. It also leads us toward the topic of the "deception surface": the collection of protocols and network state that networked computers and applications rely on to accomplish their communication -- but these protocols are also, by their very nature, open to manipulation.
Sept 24: Network Recon: Understanding the State of Alice, Bob, and Everyone in Between (Scanning, Sniffing, etc.)
Today I want to discuss the concepts and tradeoffs involved in scanning the network for other hosts. We will also explore the relationship between scanning and sniffing. Sniffing can be seen as one form of passive scanning.
Neither scanning nor sniffing is inherently "bad"; both good guys and bad guys can undertake scanning and sniffing at various times and for various purposes.
- penetration testing
- network auditing (any rogue or forgotten hosts?)
- reconnaissance, host and service enumeration
- listening for unwanted traffic, data exfiltration
- listening for unencrypted traffic, authentication tokens
- listening for communication flows (traffic analysis)
Sniffing (i.e., listening) complements scanning (i.e., actively probing). Sniffing will only sample the network, and provide only a partial view of who is talking during the sampling period. Scanning allows you to attempt to contact and enumerate hosts and open ports, but hosts are under no obligation to respond to your probes. Thus, sniffing and scanning complement each other, but even together may not provide a complete picture of the network.
The "Big Picture" concept for today is that you'll often be asked some form of the question "how good is this tool?"; evaluating the power and limitations of tools, frameworks, techniques, mechanisms, algorithms, etc. entails understanding how they work, how they might fail, etc.
Today we will play a bit with traceroute and nmap.
We've already spent 1.5 weeks on the "who am I" question. Here are some other questions:
- Where am I? Where are you? What are you (running)?
We can seek to answer these questions with:
- netstat (what services am I offering to the world? local broadcast? local machine?)
- iptables (what communication flows or packets is my kernel actually blocking for me? How? What is 'stealth mode'?)
- traceroute (where are you in relation to me? How do I anticipate this affecting the flow of packets between us?)
- nmap (what services are you running (that I can see?))
- tcpdump (how does nmap actually work? what is scanning, after all? what does a scan produce, and what are the expected replies?)
For example, how far away from scanme.nmap.org are we? http://pages.cpsc.ucalgary.ca/~locasto/teaching/2015/CPSC526/Winter/files/traceroute-nmap.org
Pick a partner. One of you is Alice, the other is Bob.
Have Bob list his open ports:
Have Bob list his firewall rules:
iptables -L (Linux; for Windows, see netsh: http://windowsitpro.com/windows-server/top-10-windows-firewall-netsh-commands; for Mac, see ipfw or pfctl)
Have Bob start up tcpdump:
tcpdump -i eth1 -n
Have Alice nmap Bob with
nmap -sS -sV -O -n --reason --traceroute bob.ip.addr.ess
What packets does Bob see? What ports does Alice see? If Bob flushes his firewall rules, does this change the scan results?
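To see what a SYN scan actually puts on the wire, here is an added example (not course code) that builds the IPv4/TCP SYN probe nmap -sS sends, byte by byte, and then decodes it the way Bob's tcpdump would. Both checksums are computed and re-verified, so you can also see what a sniffer checks before trusting a header. The addresses 10.0.0.2 (Alice) and 10.0.0.3 (Bob), the ports and the sequence number are made-up values.

```python
"""What a SYN scan puts on the wire: build the IPv4+TCP SYN probe by hand, the
way nmap -sS does over a raw socket, then decode it as Bob's sniffer would.
Added example, not course code; addresses, ports and the sequence number are
made-up values."""
import struct

ALICE, BOB = "10.0.0.2", "10.0.0.3"   # assumed addresses for the two lab hosts


def rfc1071_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071).
    Recomputed over a header that already carries its checksum, it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int,
                  window: int = 1024) -> bytes:
    """20-byte TCP header, flags = SYN only, no options, no payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4,          # data offset: 5 words, reserved bits 0
                      0x02,            # flags: SYN
                      window, 0, 0)    # checksum placeholder, urgent pointer
    # The TCP checksum also covers a pseudo-header: src, dst, zero, proto, length
    pseudo = ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 6, len(hdr))
    csum = rfc1071_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64,
               ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options) carrying a TCP payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 6, 0, ip_bytes(src), ip_bytes(dst))
    csum = rfc1071_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def syn_probe(src=ALICE, dst=BOB, sport=54321, dport=22, seq=0x1000) -> bytes:
    return build_ipv4(src, dst, build_tcp_syn(src, dst, sport, dport, seq))


# tcpdump's flag letters, in the order it prints them ('.' is ACK)
FLAG_LETTERS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
                (".", 0x10), ("U", 0x20)]


def parse_packet(pkt: bytes) -> dict:
    """Decode an IPv4/TCP packet and check both checksums, as a sniffer would."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, _off, flag_bits, window = struct.unpack("!HHIIBBH", tcp[:16])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq,
        "flags": "".join(ch for ch, bit in FLAG_LETTERS if flag_bits & bit),
        "window": window,
        "ip_csum_ok": rfc1071_checksum(pkt[:ihl]) == 0,
        "tcp_csum_ok": rfc1071_checksum(pseudo + tcp) == 0,
    }


def tcpdump_line(info: dict) -> str:
    """Summarise like `tcpdump -n`: IP a.b.c.d.sport > w.x.y.z.dport: Flags [S], ..."""
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, win %d, length 0" % (
        info["src"], info["sport"], info["dst"], info["dport"],
        info["flags"], info["seq"], info["window"])


if __name__ == "__main__":
    probe = syn_probe()
    print(probe.hex())
    print(tcpdump_line(parse_packet(probe)))
```

Sending this probe for real needs a raw socket (root) and is exactly what `nmap -sS` does; the reply Bob's stack sends back, a SYN/ACK, a RST or nothing at all depending on the port and the firewall, is what the scan result is built from.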
For the past two weeks, we've looked at the (inherent!) weaknesses of the basic network fabric and low-level services/protocols --- the so-called deception surface. We made the point that these weaknesses are also strengths in terms of providing low-configuration connectivity and plug-and-talk type communication. The Internet probably wouldn't have taken off if participants had to sign complex multilateral treaties and do complex cryptographic dances simply to bind an IP address to a MAC address.
While countermeasures exist to detect many basic forms of layer2 and layer3 spoofing, poisoning, and flooding attacks and there are authentication protocols to provide basic network access control, our experience has shown us the need for a combination or composition of functionality that (a) provides connectivity and (b) protects the confidentiality, integrity, and availability of such channels. To this end, we will examine the role cryptography plays in network security over most of the rest of the semester.
However, it is worth noting that even with good crypto, and even with simple countermeasures for protecting against ARP flooding, ARP poisoning, DHCP hijacking, DNS poisoning, DoS, etc., many networks still have an ill-defined "edge" and many often have open doors; for example, management interfaces that may be accessible on a public-facing IP via telnet (perhaps on a "hidden/undocumented" port, or available via port-knocking). BYOD also makes the definition of "your" network quite fuzzy. Networks are also composed of more than just desktop computers and servers. See the links below for efforts that provide scanners, a census of the internet, network topology information, and search engines.
- scanning the Internet in under 5 minutes: https://github.com/robertdavidgraham/masscan and http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html#.VMvYOsYQ5sg
- http://internetcensus2012.bitbucket.org/paper.html "Port scanning /0 using insecure embedded devices"
- Shodan: http://www.shodanhq.com/
Sept 29: Network Recon: Scanning + Sniffing
In this session, we will continue observing what various probes to the network actually look like. We will also begin to take a look at the topic of firewalls.
- Announcements, dump eth1, consider the ethics of this
- Selected questions of the day
- Octavissi: What is a backdoor and how does it work?
- T3AA8: How can we tie network security into virus and malware [the course?]
- John: How does IP sniffing and IP spoofing affect a network? Can ethical hacking prevent that?
- [anon]: How can we detect intrusions and find the breach?
- Current events:
- Scanning and sniffing, plus firewalls
- tcpdump, Wireshark
Read Chapter 23 in your textbook. For class on Thursday, read this paper:
and write 1 paragraph summarizing it and 1 paragraph taking a position on the question of whether it is ethical to listen to network traffic, with, e.g., tcpdump. Be prepared to discuss your position on Thursday.
Oct 1: Ethics of Network Traffic Sniffing
Today we will discuss the ethics of listening to network traffic.
Oct 6: Firewalls
Today we will consider the topic of firewalls
- Linux netfilter architecture
- packet filtering firewalls
- stateful vs. stateless
- firewall policy interpretation models
- gateways, application level firewalls, DPI
- NAT, SNAT, MASQUERADE, DNAT
Class activity: nmap a box under different firewall rulesets and reply types (ACCEPT, REJECT, DROP, and REJECT --reject-with icmp-admin-prohibited) and watch the traffic in Wireshark / tcpdump.
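As an added example (not course code) of reading the activity's result off the target, the following correlates SYN probes with their replies in tcpdump output and labels each port the way `nmap --reason` does. The capture is constructed to look like `tcpdump -i eth1 -n` on Bob (10.0.0.3) while Alice (10.0.0.2) probes four ports: 22 and 23 are ACCEPTed by the firewall and answered by the stack (open and closed), 80 is REJECTed with icmp-admin-prohibited, and 443 is DROPped. The addresses, ports and timestamps are made up.

```python
"""Read the reply side of a SYN scan off the target's tcpdump and label ports
the way `nmap --reason` does. Added example, not course code; the capture below
is constructed, not recorded."""
import re
from collections import OrderedDict

ALICE, BOB = "10.0.0.2", "10.0.0.3"

SAMPLE_TCPDUMP = """\
12:00:00.000100 IP 10.0.0.2.54321 > 10.0.0.3.22: Flags [S], seq 4096, win 1024, length 0
12:00:00.000250 IP 10.0.0.3.22 > 10.0.0.2.54321: Flags [S.], seq 88, ack 4097, win 29200, length 0
12:00:00.000300 IP 10.0.0.2.54321 > 10.0.0.3.23: Flags [S], seq 4096, win 1024, length 0
12:00:00.000410 IP 10.0.0.3.23 > 10.0.0.2.54321: Flags [R.], seq 0, ack 4097, win 0, length 0
12:00:00.000500 IP 10.0.0.2.54321 > 10.0.0.3.80: Flags [S], seq 4096, win 1024, length 0
12:00:00.000620 IP 10.0.0.3 > 10.0.0.2: ICMP host 10.0.0.3 unreachable - admin prohibited filter, length 68
12:00:00.000700 IP 10.0.0.2.54321 > 10.0.0.3.443: Flags [S], seq 4096, win 1024, length 0
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TCP_RE = re.compile(r"IP %s\.(\d+) > %s\.(\d+): Flags \[([^\]]*)\]" % (IPV4, IPV4))
ICMP_RE = re.compile(r"IP %s > %s: ICMP .*?unreachable - ([^,]+)" % (IPV4, IPV4))


def classify_scan(capture: str, scanner: str, target: str) -> OrderedDict:
    """Map each port the scanner SYN-probed to (state, reason), in probe order."""
    results = OrderedDict()
    pending = []                              # probed ports with no reply yet
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = (m.group(1), int(m.group(2)),
                                             m.group(3), int(m.group(4)), m.group(5))
            if src == scanner and dst == target and flags == "S":
                results[dport] = ("filtered", "no-response")   # what DROP looks like
                pending.append(dport)
            elif src == target and dst == scanner and sport in pending:
                if "R" in flags:
                    results[sport] = ("closed", "reset")        # closed port, or REJECT tcp-reset
                elif "S" in flags and "." in flags:
                    results[sport] = ("open", "syn-ack")
                pending.remove(sport)
            continue
        m = ICMP_RE.search(line)
        if m and m.group(1) == target and m.group(2) == scanner and pending:
            # Without -v, tcpdump does not print the quoted inner header, so the
            # port cannot be read from the ICMP error; attribute it to the most
            # recent unanswered probe (a simplification of what nmap does).
            port = pending.pop()
            kind = m.group(3)
            reason = "admin-prohibited" if "admin prohibited" in kind else kind
            results[port] = ("filtered", reason)
    return results


def nmap_style_report(results: OrderedDict) -> list:
    """Lines in the shape of nmap's port table with --reason."""
    return ["%d/tcp %-8s %s" % (port, state, reason)
            for port, (state, reason) in results.items()]


if __name__ == "__main__":
    for line in nmap_style_report(classify_scan(SAMPLE_TCPDUMP, ALICE, BOB)):
        print(line)
```

Two things worth noticing when you run the real activity: a REJECT with the default tcp-reset is indistinguishable from a genuinely closed port, and a DROP gives the scanner nothing at all, so it reports the port filtered only after its retransmissions time out, which is why DROP rules slow a scan down.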
- netfilter architecture: http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html
- Wily Hacker, 1st edition online for free: http://www.wilyhacker.com/1e
- Wily Hacker, second edition: http://www.wilyhacker.com/
- "A Technique for Counting NAT'd Hosts" https://www.cs.columbia.edu/~smb/papers/fnat.pdf
Oct 8: Firewalls (cont.)
We'll talk about some terminology, firewall policy interpretation, various kinds of firewall architecture, and play with some iptables rule sets.
We began by reviewing the table of contents for the Wily Hacker, 1st edition book http://www.wilyhacker.com/1e and thinking about how it reflects the state of the growing Internet and nascent topic of network security in the early 1990's. We then tried to put together some basic iptables rules for:
Issues Involved in Firewalls
- semantics of rule interpretation (order: first, last, best match)
- how do you handle scaling to thousands of rules?
- how much does the firewall slow down traffic processing? What kind of hardware do you need for a network edge?
- How are rule conflicts handled / detected / resolved
- how is this done in a distributed environment?
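To make the first two issues concrete, here is an added example (not course material) that evaluates one rule list under three interpretation models, first match (iptables), last match (pf without `quick`) and best match (most specific rule wins), and flags rule pairs that overlap with different actions. A rule is simplified to (source CIDR, destination port or None for any, action); protocol is left out, and the specificity ordering used for "best match" (longest source prefix, explicit port as tie-breaker) is one illustrative choice among several. The rules and addresses are made up.

```python
"""One rule list read under three interpretation models: first match, last
match and best (most specific) match, plus a check for pairs of rules that
overlap with different actions. Added example, not course material; rules,
addresses and the specificity ordering are illustrative choices."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                 # source network in CIDR notation
    dport: Optional[int]     # destination port, None = any
    action: str              # "ACCEPT" or "DROP"

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and (self.dport is None or self.dport == dport)

    def specificity(self) -> Tuple[int, int]:
        """Longest source prefix wins; an explicit port breaks ties."""
        return (ipaddress.ip_network(self.src).prefixlen,
                0 if self.dport is None else 1)


def decide(rules: List[Rule], src_ip: str, dport: int, model: str,
           default: str = "DROP") -> str:
    """Verdict for one packet under the chosen model; `default` is what applies
    when nothing matches (the chain policy in iptables terms)."""
    hits = [r for r in rules if r.matches(src_ip, dport)]
    if not hits:
        return default
    if model == "first":          # iptables and most packet filters
        return hits[0].action
    if model == "last":           # e.g. OpenBSD pf rules without `quick`
        return hits[-1].action
    if model == "best":           # most specific rule, as in a routing table
        return max(hits, key=Rule.specificity).action
    raise ValueError("unknown model: %s" % model)


def conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Rule pairs that can both match some packet yet disagree on the action.
    Under first/last match one of them shadows the other for those packets;
    under best match the specificity ordering decides."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action:
                continue
            nets_overlap = ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
            ports_overlap = a.dport is None or b.dport is None or a.dport == b.dport
            if nets_overlap and ports_overlap:
                found.append((a, b))
    return found


RULES = [
    Rule("10.0.0.0/8", 22, "ACCEPT"),    # ssh from anywhere on the campus net
    Rule("10.0.5.0/24", None, "DROP"),   # ...but nothing from the guest VLAN
    Rule("0.0.0.0/0", 80, "ACCEPT"),     # web is public
]

if __name__ == "__main__":
    for model in ("first", "last", "best"):
        print(model, "ssh from guest:", decide(RULES, "10.0.5.7", 22, model),
              " web from guest:", decide(RULES, "10.0.5.7", 80, model))
    for a, b in conflicts(RULES):
        print("conflict:", a, "vs", b)
```

The same three rules give three different answers for ssh from the guest VLAN, which is the point of the "semantics of rule interpretation" issue above: a rule list has no meaning until you know which model the firewall applies, and `conflicts()` is the kind of check you would want before pushing thousands of rules to an edge device.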
Oct 13: A Motivating Threat: Internet Worms
The topic of Internet worms is a good way to transition from our consideration of the lack of security in basic network protocols along with the capabilities and limitations of firewalls to a more nuanced view of network security. To a certain extent, worms illustrate how firewalls can sometimes be effective (if a worm signature is precise enough), but they also illustrate the problem of network security being reliant on endpoint (i.e., node) security.
- What is the relation between all elements in network to provide security? The big picture, elements and relations between them and weak points and bottlenecks, what to improve and how? [pg 22, Stallings. But we must also recognize the cost to our other values of implementing 'complete' security -Ed.]
- How secure is peer-to-peer file sharing?
- Is there a way to secure a network such that the only possible attack left is social engineering (i.e., no software penetration can be successful)?
- Can you envisage any circumstances wherein a network is completely secure? (and that connects to an outside network)?
- "The Internet Worm Program: An Analysis" http://spaf.cerias.purdue.edu/tech-reps/823.pdf
- Some citations for the Morris Worm from the Bellovin and Cheswick "Firewalls" book: http://www.wilyhacker.com/1e/chap09.pdf
- Code Red, Code Red II: http://www.unixwiz.net/techtips/CodeRedII.html
- Linux Lion Worm: http://www.symantec.com/security_response/writeup.jsp?docid=2001-032311-2042-99
- "Warhol Worm" Concept from "How to 0wn the Internet in your spare time" paper http://www.icir.org/vern/papers/cdc-usenix-sec02/
- SQL Slammer, Sapphire
- Witty Worm
Oct 15: No lecture
Oct 20: Introduction to Authentication
This week, we begin our discussion of authentication by considering challenge-response protocols. We start by looking at HTTP Basic authentication and Unix login-based authentication.
Something you know, something you have, something you are
- Something you have: http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm#!details
- How can you be sure that the person you are talking to is who they say they are, if you've never met them before in person (Online verification / Chain of Trust)
- Textbook, Chapter 9
- Textbook, Chapter 10
- Wily Hacker, Chapter 5: http://wilyhacker.com/1e/chap05.pdf
Oct 22: Password-based Authentication Lulz
- Storing passwords
- Lamport's Hash
- Mark Burnett's release of password data: https://xato.net/passwords/ten-million-passwords/#.VQxRO2ZOlRE
- "A Research Agenda Acknowledging the Persistence of Passwords" http://research.microsoft.com/apps/pubs/?id=154077
- Intel asks: How Strong is Your Password? https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html
Top 25 passwords listed at http://us.cnn.com/2012/10/25/tech/web/worst-passwords-2012/index.html?hpt=hp_bn5
- Rootkit.com / HBGary 2011
- LinkedIn 2012
- IEEE 2012
- Yahoo 2012
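Lamport's hash is easy to state and easy to get wrong at the boundaries, so here is an added example (not course code) of the full scheme, the hash chain behind S/KEY. The server stores only the top of the chain, h^n(secret || seed), together with a counter; each login reveals the link one step below, which the server verifies with a single hash and then stores in place of the old value. A sniffer who captures a password can only move up the chain, never down, so the captured value is useless for the next login. The secret and seed values are made up.

```python
"""Lamport's one-time-password scheme (the hash chain behind S/KEY), as an
added example, not course code. The secret and seed values are made up."""
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(secret: bytes, seed: bytes, i: int) -> bytes:
    """h^i(secret || seed); the seed lets one secret serve several servers."""
    v = secret + seed
    for _ in range(i):
        v = h(v)
    return v


class Server:
    """Holds h^n and a counter; the secret never reaches the server."""

    def __init__(self, seed: bytes, n: int, top: bytes):
        self.seed, self.n, self.stored = seed, n, top

    def challenge(self):
        """Tell the client which link to send next: h^(n-1)."""
        return self.n - 1, self.seed

    def login(self, otp: bytes) -> bool:
        if self.n <= 1:
            return False                       # chain exhausted: re-enrol with a new seed
        if not hmac.compare_digest(h(otp), self.stored):
            return False                       # wrong link, or a replayed one
        self.stored, self.n = otp, self.n - 1  # walk one link down the chain
        return True


class Client:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, i: int, seed: bytes) -> bytes:
        return chain(self.secret, seed, i)


def enrol(secret: bytes, seed: bytes, n: int) -> Server:
    """The client computes h^n locally and hands only that to the server."""
    return Server(seed, n, chain(secret, seed, n))


def sniffer_next_guess(captured_otp: bytes) -> bytes:
    """All an eavesdropper can compute from a captured password: h(otp), which
    is the link the server already holds, not the one it will ask for next."""
    return h(captured_otp)


if __name__ == "__main__":
    server = enrol(b"correct horse", b"seed-1", 5)
    client = Client(b"correct horse")
    i, seed = server.challenge()
    otp = client.respond(i, seed)
    print("login:", server.login(otp), " replay:", server.login(otp))
```

Note what the server does and does not protect against: the stored value is not a password hash in the usual sense (there is nothing to crack offline beyond the secret itself), but the chain is finite, so the server has to refuse logins once the counter reaches one and force re-enrolment with a fresh seed rather than hand out the secret as the "last" password.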
Oct 27: Authentication Protocol Basics
- wide-mouthed frog
Oct 29: Protocol Pitfalls
Protocol Fails Exercise
Nov 3: Advanced Password-based Authentication
- Bellovin-Merritt / EKE: https://www.cs.columbia.edu/~smb/papers/neke.pdf
- nonce definition & types
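The challenge-response protocols introduced on Oct 20 and the nonce types listed above fit into one small piece of code, so here is an added example (not course material) of a shared-secret challenge-response in which the verifier can issue random, counter or timestamp nonces. The verifier-side rules are what make a nonce work: it must be one the verifier issued, it must not have been answered before, and a timestamp nonce must also fall inside a freshness window. The response binds the client's identity into the MAC so that a valid answer from one principal cannot be presented by another. The shared secret, client names and clock values are made up.

```python
"""Challenge-response authentication over a shared secret with three nonce
types (random, counter, timestamp) and the verifier checks that make each one
work: issued by us, fresh, used once. Added example, not course material;
secrets, client names and clock values are made up."""
import hashlib
import hmac
import os
import time


def prove(secret: bytes, client_id: str, nonce: bytes) -> bytes:
    """Client side: MAC the nonce together with the claimed identity, so the
    same response is not valid for a different principal."""
    return hmac.new(secret, client_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Verifier:
    def __init__(self, secrets: dict, nonce_type: str = "random",
                 clock=time.time, window: int = 30):
        self.secrets = secrets            # client_id -> shared secret
        self.nonce_type = nonce_type
        self.clock = clock                # injectable so freshness can be tested
        self.window = window              # seconds a timestamp nonce stays valid
        self.counter = 0
        self.outstanding = set()          # nonces issued and not yet answered
        self.used = set()                 # nonces already consumed: replay detection

    def challenge(self) -> bytes:
        if self.nonce_type == "random":
            nonce = os.urandom(16)                          # unpredictable, stateless
        elif self.nonce_type == "counter":
            self.counter += 1                               # unique but predictable
            nonce = self.counter.to_bytes(8, "big")
        elif self.nonce_type == "timestamp":
            # Unique only down to one second: two challenges in the same second
            # collide, and the verifier needs a window plus a used-set anyway.
            nonce = int(self.clock()).to_bytes(8, "big")
        else:
            raise ValueError("unknown nonce type: %s" % self.nonce_type)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, client_id: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding or nonce in self.used:
            return False                                    # not ours, or replayed
        if self.nonce_type == "timestamp":
            issued = int.from_bytes(nonce, "big")
            if abs(self.clock() - issued) > self.window:
                self.outstanding.discard(nonce)             # stale: make the client retry
                return False
        secret = self.secrets.get(client_id)
        if secret is None:
            return False
        ok = hmac.compare_digest(prove(secret, client_id, nonce), response)
        if ok:
            self.outstanding.discard(nonce)
            self.used.add(nonce)
        return ok


if __name__ == "__main__":
    v = Verifier({"alice": b"shared-secret"})
    n = v.challenge()
    r = prove(b"shared-secret", "alice", n)
    print("first:", v.verify("alice", n, r), " replay:", v.verify("alice", n, r))
```

A counter nonce is fine for replay detection but tells an attacker exactly what the next challenge will be, which matters whenever the attacker can get a client to answer challenges in advance; a random nonce removes that without keeping any state beyond the outstanding set; a timestamp nonce trades state for synchronised clocks and a window, and the window is itself a replay opportunity unless the used-set is kept as well.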
Nov 12: No Class (Reading Week)
Nov 19: Guest Lecture by Prof. Aycock