1. When To Sell Your Asset2. When Not to Farm but Buy Harvest3. Farm or Buy Harvest Depends on Fees and APYs4. When Farming With Highest Yield Strategy5. When to Farm and Any Strategies WorksHow To Farm?Do I Farm?Mirrors
0 Comments
NoteThis is the thirteenth assignment from my Masters Advanced Network Security Course which has never been published anywhere and I, as the author and copyright holder, license this assignment customized CC-BY-SA where anyone can share, copy, republish, and sell on condition to state my name as the author and notify that the original and open version available here. 1. IntroductionOn the 20th century we have seen news of leaked official governmental documents by Wikileaks for example [1]. One of the largest and latest leaked is on period 2013 – 2014 where thousands of classified documents belonging to Nation Security Agency (NSA) in United State of America (USA) leaked to all over The World. Initially it was breached by NSA's network administrator at that time Edward Snowden, and the documents were handed to journalist Glenn Greenwald and filmmaker Laura Poitras. The documents mainly exposed about the mass surveillance and its future plan to monitor everything by NSA. For example direct access to American's Google and Yahoo accounts, record of all phone conversations and everything done on the Internet records, harvesting millions of emails and contacts, spying users of second life and world of warcraft alike, and plan on spreading malware to connect to their fake facebook server in order to intercept connection. All of it can be described by on of the title of Greenwald's book entitled “No Place To Hide” which states the NSA's objective to collect it all, process it all, exploit it all, partner it all, sniff it all, and know it all. [2] The main question on this essay is how did Edward Snowden breach the NSA? The simple answer is he used key and certificate based attack. The world of cyber war had evolved from the motivation of disruption, cyber crime, cyber espionage, and now destruction of trust and creditability that could lead a company to bankrupt. The first threat the cyber world have faced are worms and virus in 1997, it then evolves to for-profit malwares in 2004, next is advance persistent threat (APT) in 2007, finally 2010 key and certificate based attacks were introduced. Edward Snowden simply following the trend (using key and certificate based attack) and made his breach in 2013. [3] 2. How Snowden BreachedThe video [4] explained that there are mainly 3 key steps of Edward Snowden breaching NSA using kill chain analysis: 2.1 Researching the TargetOther names for this step in the world of hacking and penetration testing is information gathering or reconnaissance. Snowden as a system administrator was granted common access card (CAC) that was preloaded cryptographic keys and digital certificates thus he had authorized basic access. When he was in the CIA before he already tried the limits of his administrator privileged to gain unauthorized access to classified information, meaning that he was able to search the locations of each informations. 2.2 Initial IntrusionEdward Snowden doesn't have a server or PCs connected to NSA network, only a shell like any other external hacker who only achieve initial intrusion. In other words he's in the phase after scanning and initial exploitation but without privileged to classified data. He used secure shell (SSH) in his daily job which means he can get the SSH key. He also hold SSH account of his colleagues, meaning he can also extract those keys. With many keys in his possession, he had the capabilities to fabricate his own keys and certificates. With these he was able to gain administrative privileged to classified data. Like those who are knowledgeable in APTs he was able to cover his track and not sounding the alarm. 2.3 ExfiltrationThis step can be quite new for beginner hacker or penetration tester where the 4 general steps (1) information gathering (reconnaissance) (2) scanning (3) exploitation (4) maintaining access (backdoor), this step can be put after (3) or (4). Some can say this is one of those stealth method. This step is after Snowden able to access the data but he cannot simply copy it into a thumb drive or some method alike which will alert the system. He needs to retrieve the data quietly. What he did was encrypted the data based on his own fabricated keys and certificates and send them over the network. 3. The ProblemThe site [5] claims that the main problem is on the awareness of key and certificate based attacks. If the use of keys and certificates were monitored, detection and prevention of abnormality on the use of those keys and certificates were implemented, Snowden attempts can be detected or prevented on the 3rd step. Since NSA was not aware of keys and certificates, Snowdens encrypted transmission of the classified data after the intrusion was treated as safe on the network. 4. ReferenceNoteThis is the twelth assignment from my Masters Advanced Network Security Course which has never been published anywhere and I, as the author and copyright holder, license this assignment customized CC-BY-SA where anyone can share, copy, republish, and sell on condition to state my name as the author and notify that the original and open version available here. 1. IntroductionThe C variables can be categorized into 2 which are the statically assigned variables or local variables resides in the stack area and dynamically assigned variables (using malloc function) resides in the heap area [1]. A stack is a data structure equivalent to last in first out. It mainly has push and pop instruction where push puts new element at the top of the stack and pop removes the top elements first. For instance, when a function calls another function, which in turn calls a third function, it's important that the third function return back to the second function rather than the first [2] [3]. A stack buffer overflow occurs when the input data is larger than the assigned size of local variables, which corrupts the stack area, worst case a malicious user can insert a malicious code on the return address after overflowing the previous stack area [4]. On the other hand the heap is a tree based data structure where the value of the parent is always greater or equal then the children's node. In C the heap area is an area that is not manage automatically but usually larger than stack. On the stack area the user only defines the size and variable, using last in first out it pushes and pops elements automatically, while on the heap area we have to manually free() the memory after it is used. To allocate memory on the heap area usually uses function calloc() or malloc(). Unlike stack it doesn't have size restriction, but it's slower because we have to use pointers to access [5]. A heap buffer overflow can occur on the heap area when the input size (using gets) of a dynamic allocated variable is larger then the allocate size which replace the next dynamic allocated variable [6], or cause by the statically assigned variable next to the heap area (using memset() e.g) which will overwrite starting from the beginning address of the heap area [7]. 2. Sample Script and ExecutionOn Figure 1 is the script and Figure 2 is the result of execution [7]. On the result we can see that DoFilter is on the lowest memory address followed by static char sbuf starting on 6294832 and global variable globalA on 6294848 in integer value. After the statically assigned variable and global variable is the heap area, it is where the dynamically buf and wbuf allocated starting on integer address 24207376 and 24207408, which we also calculate the distance between them diff is 32 integer value. 32 also means the size of variable buf with the data size is 16, in [6] said addition to pointers and register address (maybe others as well) which makes total of 32. To overflow wbuf we simply need to insert more than 32 chars on buf. On the script we first write 15 (BUFSIZE-1) of “Ws” on wbuf, then we write 32+8 (diff+8) of “Bs” on buf. Before writing buf we show the output of buf we is 15 “Ws”, then after writing buf with 40 “Bs” exceeds the size of buf (32) by 8 and overflows to wbuf, and so the first 8 characters of wbuf is overwritten with “Bs”. This is heap buffer overflow caused locally. Another thing abuf and awbuf are local variables residing on stack. 3. Suggestion
4. Reference
NoteThis is the eleventh assignment from my Masters Advanced Network Security Course which has never been published anywhere and I, as the author and copyright holder, license this assignment customized CC-BY-SA where anyone can share, copy, republish, and sell on condition to state my name as the author and notify that the original and open version available here. 1. IntroductionA buffer overflow contains the word buffer which is a temporary data storage area and overflow where too much data is inserted it overflows. Buffer overflow can be define as an event where the data size that was input exceeds the size of the buffer and the last part of the data overwrite the other section of the memory [1]. Think of it as a tea spills out of the cup if we put too much tea in it, and same when the data is too much that it will spill out. Different from a tea being spilled buffer overflow is a data that may overwrites other parts of the memory and maybe read and executed by the machine. The spilled code could change, damage, add, or delete the user's data, even worst may contain an program to execute a remote connection to a malicious person. In July 2000 a buffer overflow vulnerability was found in Microsoft Outlook. No need for a virus attachment, just receiving an email with an exceeded header size added with a payload already open a session for the attacker. These makes buffer overflow as a famous security attack. This attack began when C supplied the framework and poor programming was practice [1]. 2. Buffer Overflow in SecurityOn Figure 1 shows memory layout of Linux process. A process is a program in execution, and an executable program contains a set of binary instructions to be executed on the processor. They could be read only data like printf, global or static data that last through out the process, brk pointer that keeps track of malloced memory, or local function that cleans up after it is run [2]. A process image on Figure 1 shows that it started with the program's code and data on the first 2 blocks after the unused block. Following is the runtime heap created at runtime by malloc, then goes to memory mapped region of shared libraries. On the top is user's stack whenever a function call is made it is used. On Figure 2 shows an illustration of stack region, whenever a function call is made the stack pointer pushes the parameters from right to left, then the return address, and the frame pointer between local and return address [2]. Back to buffer overflow if the data inserted is larger than allocated buffer, it will overflow to other memory address. A simple C program on Figure 3 allocates A 8 of strings, and B is an unssigned short of 2015 value. If we put too much string in A it will overflow and here B changes value [3]. On Figure 4 is the assembly link of the code, we see that the value $2015 is allocated on 2 out of 16 of the address, and to overflow 2015 value we should at least input 14 characters. On Figure 5 is another demonstration. It's a simple login program, even though a wrong password is given, but root privilege was also given [4]. Figure 6 is one of the famous vulnerabilities ms08-67 even among beginners. It's char() buffer overflow vulnerability on unpatched Windows XP where the attacker can open a remote session, in other words hijacked the system. The real codes for starters is quite complicated but metasploit provides a ready to use application and all we need to do is specify the target and exploit [5]. 3. Counter MeasureFrom [2] we got some countermeasures:
4. SummaryBuffer overflow overwrites other part of the memory. The simplest case is variable B if put too much data can flood to the next variable A. A buffer overflow on login program may grant access to the attacker, worst case it can grant remote session as of the ms08-67 vulnerability. To cope with buffer overflow is by well written code for example avoid dangerous functions as gets(). 5. ReferenceNoteThis is the tenth assignment from my Masters Advanced Network Security Course which has never been published anywhere and I, as the author and copyright holder, license this assignment customized CC-BY-SA where anyone can share, copy, republish, and sell on condition to state my name as the author and notify that the original and open version available here. 1. IntroductionReverse Engineering is the process of disassembling and examination to study the parts of (something) to see how it was made and how it works so that you can make something that is like it [1]. As I read in [2] in came back to me that I've actually done a lot of half reverse engineering, where I disassembled camera's, laptops, PCs, hard drives, mouse, and monitors, that would be a full reverse engineering if I thoroughly study them and remade them. There are items that I successfully reversed engineering which are adapters and Cisco router's console cable. For the adapter I just need to buy the parts on electronic shops and assemble. The Cisco router's console cable was almost the same where I disassemble the cable and see how the order of each cables are connected. Then I proceed to a shop and bought 2 DB9 male and female pins, a few cables, and cover, with later I proceed in soldering the cables and made my own console cable as on Figure 1. A process that was originally applied only to hardware, reverse-engineering is now applied to software, databases and even human DNA. Reverse-engineering is especially important with computer hardware and software. Around 1980s San Jose-based Phoenix Technologies Ltd reversed engineered an IBM's bios in order to make their own original compatible PC to IBM. Cyrix Corp and Advanced Micro Devices Inc reversed engineered Intel Corp microprocessors to make their own cheaper microprocessors [2]. 2. Reverse Engineering In ComputersMost programs are written in high level programming language such as C and Java. The written program is then compiled using a compiler into machine language mainly consist of 0s and 1s which then can be executed. This machine language is very difficult for us to understand, but still there are ways to decompile them into high programming language using a decompiler. For example on the GIF picture on Figure 2 I wrote a “hello world” program in java and compiled into “hello.class”. Using an application called “jad” I can decompile the executable file back into the java language. As stated on the first section that reverse engineering can be used to study and reproduce a software, another important field is that it can be use on computer security, since reverse engineering involves analyzing, dissembling, and may decompile a software. An example of reverse engineering in field of computer security is malware analysis, Figure 3 shows a simple overview of malware analysis through reverse engineering. As an example I experimented in injecting a message box payload using “msfvenom” on “calc.exe” (a calculator software on Windows). On Figure 4 I used Reverse Engineering Compiler (REC) Studio which a software to perform disassembling and decompiling on an executable file to compare the original “calc.exe” and the injected “calc_bdoor.exe”, and shows that another task had been added. 3. Laws on Reverse EngineeringFrom [4] reverse engineering has purposes as follows:
But some regions have strict laws on reverse engineering, mainly copyright issues. The laws on reverse engineering varies each region but also similar. Some permits reverse engineering if the purpose is to fix issues of a software, some permits if it is research and non commercial use, and some permits only if it statet by the software owner on the software that reverse engineering is allowed. [5] 4. Reference
NoteThis is the ninth assignment from my Masters Advanced Network Security Course which has never been published anywhere and I, as the author and copyright holder, license this assignment customized CC-BY-SA where anyone can share, copy, republish, and sell on condition to state my name as the author and notify that the original and open version available here. 1. Email OverviewThe protocol that is defined to exchange email over the Internet is simple mail transfer protocol (SMTP). SMTP is used to send email to another email server which is then received through the procedure of post office protocol version 3 (POP3) or another procedure instant message access protocol (IMAP). It can be illustrated in Figure 1 that the email was send via SMTP, then authentication is handled by POP3 or IMAP. The authentication alone is unencrypted, to encrypt is to be send over secure socket layer (SSL) for more secure communication [1]. Another technology is the mailing list where the clients subscribes so they're included into the mailing list. Materials will be send to the subscriber within the mailing list. Security issues on email other than malware mostly dealt with spams. 2. SpamPeople defined the term email spam as bulk email or unsolicited email. It's very subjective how each person defines a spam. An example of a common spam is an advertisement sent to a mailing list or lot's of email address, in an indiscriminate way. A light spam usually contains advertisement only but a severe spam may contain threats that could harm the user like malware. The subtopic belows are example of how spam may occur and what measure that had been taken. Most of the below materials are based on [2] and most definitions are based on [3] (by each key words). 2.1 Open RelayOpen relay is a configuration on the mail server to accept all incoming emails either by known users or anonymous users. This was used to be the default configuration of all mail servers but it became unpopular since it was abused by spammers and malwares, refer to small illustration on Figure 2. Most open relay's are closed, or put on blacklist. 2.2 Impact of SpamThere many impacts of spams. It can be summarize in general as follows:
2.3 POP before SMTP / SMTP after POPTo cope with Figure 2, POP before SMTP is implemented with the concept of allowing email transmission if able to retrieve email. In short you be able to access and retrieve your email first, then you're able to send an email. But today people tends to use SMTP authentication instead. Figure 3 is a general illustration. Back then the POP before SMTP was implemented to cope with the open relay issue, still it's a method to allow email exchange from outside, spammers just need to find another way. (1) First they could gain control (spam bot) the user's PC that had authorization to the SMTP server through service attack worms (SAW) and mass mailing worms (MMS). (2) Second is a method called email error back scattering where on the envelop insert “reply-to: [email protected]” (if error will go to that email). This two are illustrated on Figure 4. How is it possible? It is because of direct SMTP. 3. Anti SpamTo avoid spams the following are recommended, (note: there are more ways the below recommendation):
ReferenceMirrors
Using the HIDS is very affective because (1) can protect important servers (2) can monitor encrypted communications (3) distributed resource used. Even though all servers are part of the network but amongst them they have different scale of importance. A server that offers services as online shopping, e-learning, community are most likely to be attacked because not only contains important informations, it's very popular. For this case (1) is the reason we should deploy HIDS. Sometimes even NIDS needs to be equipped with HIDS because attacks could directly aim for NIDS. For (2) case it's convenient because HIDS is not affected by encryptions because the encrypted packet is alway decrypted on the end of the server. NIDS on the other hand must cope with encrypted communications. For (3) each hosts uses IDS so the resource consumed is distributed, it only processes the packets received. On the other hand for NIDS must handle all network traffics. Sometimes we cannot use HIDS for certain reasons such as (1) using special operating system (OS) where no HIDS is available for that OS, and (2) restriction to changes on host (for certain reasons) or as much as possible want to avoid changes. Another reason is afraid if some sort of accident might occur for example forgot to boot HIDS when restarting a server. Then NIDS should be use here especially if one is curious in monitoring the whole network. Placing an NIDS on a layer 1 network will be no problem since all packets flows to all ports. If using layer 2 or higher where communications is private NIDS must be place on mirror port (copies other ports communication to this one). The best security choice is to use both HIDS and NIDS but resource became a problem. Install HIDS on all service greatly affects the network's performance, an NIDS tends to disfunction at very high traffic. This resource issue became very sensitive on the second type of public cloud where we buy a cloud service which is maintained by another party (cloud providers) such as Amazon, Google, Cloud9, etc. Information from most customers that they don't have control over the physical hardware, which some argues that using IDS is useless because we don't have access to inbound and outbound traffic. Today's research regarding to this issue introduces the virtual machine based IDS (VM-IDS). One example of the VM-IDS install an IDS on the public cloud and the web and database servers on the VM. The users on the Internet must go through the IDS regardless because the servers resides on the VM. That's the simple explanation regarding to the IDS but still lots left uncover. To start investigating the performance of an IDS we can first look at the structure of and IDS. For example open source IDS Snort consists of (1) network interface card, (2) packet capture, (3) preprocessor of packet filter, protocol analysis, and decoder, (4) detection engine, and (5) alert message or output. (1) determines how much packet it could receive, (2) and (3) are essential to capture and identify the packets, and (4) itself is the heart of the IDS which determines whether the packet is a threat or not, lastly (5) informs the administrators. When packets goes through (1), (2) (3) and (4) process the packets thus a performance can be measured seeing how much packet it could process, how are dropped, in special cases how much slips the inspection. With these IDS structure many have identified factors that determines the performance if IDS.
A good IDS should have wide coverage, high detection capability and processing power, and low false negative and positive. The factors above are still the surfaces, and there's still more deeper such as stability, sustainability, resistance to attacks on IDS itself, ability to correlate event, ability to handle high bandwidth traffic, capacity verification, etc. I can conclude that AV and firewall is not enough on a large network because they are not enough to cope when attack patterns are in the network packets. AV and firewall doesn't analyze network packets but IDS or IPS does. That is why I commented that I agree in using IDS or IPS. |
Archives
August 2022
Categories
All
source code
old source code Get any amount of 0FP0EXP tokens to stop automatic JavaScript Mining or get 10 0FP0EXP tokens to remove this completely. get 30 0FP0EXP Token to remove this paypal donation. Get 40 0FP0EXP Token to remove this donation notification! get 20 0FP0EXP Token to remove my personal ADS. Get 50 0FP0EXP Token to remove my NFTS advertisements! |