securing a host Matsuzaki maz Yoshinobu

Transcription

1 securing a host Matsuzaki maz Yoshinobu <maz@iij.ad.jp>

2 Hardening a host Differs per operating system Windows: users can not be trusted to make security related decisions in almost all cases OS X : make things work magically for users. Try to handle security issues in the background Linux: varies by distribution: Ubuntu: try like OS X to make things just work. RedHat: include very useful tools but turned off by default BSD: users will figure it out Changes with time

3 General consideration Define a personal usage profile and policy. What hardware do you use? What software tasks do you do on your computer? Do the first two change when you travel? What habits from the above two do you need to change to be more secure? Decide if you really need VPN access to your network while travelling.

4 General practices Install only the services and software you actually need. Uninstall or disable all software and services you do not use or need. Periodically actively scan your machine for vulnerabilities. Have as few user accounts on your systems as possible Protect your administrative account. Have a strong password, do not permit remote password based logins and do not log in as an administrator unless you need to do an administrative task.

5 Securing MacOS X disable unused sharing services setting -> sharing update software AppStore -> update check services $ netstat -an grep LISTEN enable firewall setting -> security&privacy -> firewall

6 Securing Linux: minimalize pkg CentOS # yum list installed # yum remove <PackageName> Ubuntu > 16 # apt list --installed # apt remove <PackageName>

7 Securing Linux: update pkg CentOS # yum upgrade Ubuntu > 16 # apt update # apt upgrade

8 Securing Linux: checking services CentOS ss -nl Ubuntu > 16 netstat -nl

9 Securing Linux: firewall CentOS iptables firewalld (frontend for iptables) Ubuntu > 16 iptables ufw (frontend for iptables)

10 Securing Windows: minimalize services services.msc

11 Securing Windows: updating > start ms-settings:windowsupdate

12 Securing windows: checking services > netstat -na

13 Securing windows: fiwewall wf.msc

14 Securing windows: firewall The Windows firewall offers four types of rules: Program Block or allow a program. Port Block or a allow a port, port range, or protocol.

15 Windows Network Category execute powershell as administrator to confirm > Get-NetConnectionProfile to change it to Public > Set-NetConnectionProfile -Network <NetworkName> -NetworkCategory public to change it to Private > Set-NetConnectionProfile -Network <NetworkName> -NetworkCategory private

16 Hardware Rule 1: all bets are off with physical access to your devices. Consider removing hardware you never use say bluetooth. Disable in BIOS or EFI or your operating system the hardware or features you can not remove physically. wake on lan Bluetooth discoverability USB ports? BIOS passwords not that useful BIOS level encryp8on/locking of hard disks may not be portable

17 Compromised system Any file on the system is already suspicious You may be able to remove a malware there could be another one that you can not detect

18 Wipe Don t use files in the compromised system programs documents images Clean up the storages that was connected to the system HDD SSD flash memory

19 How can we rescue information from suspicious data files convert it into another format png -> jpg, jpg -> png doc -> txt excel -> csv pdf -> png/jpg infected code can not survive such a drastic modification

20 Wipe to give away data is still there even if it s formatted experts can read the data by using special tools an electric microscope can read more leakage of secret data you need to make sure the data is erased # dd if=/dev/urandom of=/dev/<disk> bs=16m

21 Recover clean install from a scratch format the disk, use a proper OS image apply latest OS patches to be up-to-date it could be vulnerable before patched do update in a secure network install needed applications check upgrades, of course

22 Recover (cont.) disable unnecessary services the same as hardening procedure check configurations if any weakness change all password on the system any password might be stolen

23 Replacing might be your choice securing the compromised system as is for further investigation malware that stays in the memory only just replace the compromised system spare hardware

24 Backups Encryption Automation Generations

25 Encryption Assume theft and lost Your backups must have at minimum the same encryption level as the source data

26 Automation We are lazy! easy to forget automated backup will help you most systems have scheduled backup

27 Generations you shoud have a good version of backup there if a system is compromised, malware might be also backup in the archive, you won t want to restore that though if something goes wrong by change, you may restore the previous version find a good version from your archives

28 Off-site archives 2011 Tohoku earthquake and tsunami flushed buildings, data centers 4 local governments lost whole data on the family registration system They have off-site backups J took about 1 month to recover though wanted to make sure nothing is missed

29 HTTP and Secure Channel HTTP HTTP TLS TCP TCP IP IP BhutanNOG4 29

30 SSL/TLS SSL and TLS SSL v3.0 specified in an I-D in 1996 (draft-freier-sslversion3-02.txt) and now in RFC6101 TLS v1.0 specified in RFC2246 TLS v1.0 = SSL v3.1 SSL v3.0 TLS v1.1 specified in RFC4346 TLS v1.2 specified in RFC5246 Goals of protocol Secure communication between applications Data encryption Server authentication Message integrity Client authentication (optional) BhutanNOG4 30

31 SSL is not secure any more SSL2.0 and SSL3.0 have known vulnerabilities in protocol specifications downgrade attack POODLE attack RFC Prohibiting Secure Sockets Layer (SSL) Version 2.0 RFC Deprecating Secure Sockets Layer Version 3.0 Use TLS instead BhutanNOG4 31

32 TLS Properties Connection is private Encryption is used after an initial handshake to define a secret key. Symmetric cryptography used for data encryption Peer s identity can be authenticated Asymmetric cryptography is used (RSA or ECDSA) Connection is reliable Message transport includes a message integrity check using a keyed MAC. Secure hash functions (such as SHA384, SHA256) are used for MAC computations. BhutanNOG4 32

33 The TLS Handshake Process TLS Client TLS Server Internet 1 Client initiates TLS connection / sends supported cipher suites Server returns digital certificate to client and selected cipher suite 2 3 Client sends shared secret encrypted with server s public key Message encryption and integrity algorithms are negotiated Session keys are generated Secure session tunnel is established BhutanNOG4 33

34 TLS Client Authentication - Client authentication (certificate based) is optional and not often used - Many application protocols incorporate their own client authentication mechanism such as username/password or S/Key - These authentication mechanisms are more secure when run over TLS BhutanNOG4 34

35 TLS IANA Assigned Port #s Protocol Defined Port Number HTTP NNTP POP FTP-Data FTP-Control Telnet TLS Port Number 35

36 Certificate Authority issues a digital certificate which is signed by the CA s private key You can verify the certificate using the corresponding public key if you trust the public key and CA can have hierarchical trust model BhutanNOG4 36

37 Trust chain root CA sign intermidiate CA sign sign end entity cert end entity cert BhutanNOG4 37

38 BhutanNOG4 38

39 trusted CA BhutanNOG4 39

40 CA and certificates CA can issue a certificate for any domainname if you trust the CA, the certificate looks legitimate if you have a malicious CA in your trusted keychain, an attacker can monitor/modify your TLS session data Yes, we have cases perfish BhutanNOG4 40

41 Check your trusted CA Windows certlm.msc Mac OS X Keychain Access.app Firefox Setting -> Advanced -> Certificates -> View Certificates BhutanNOG4 41