Piattaforme Software per la Rete: System Security Introduction. Milano, XX month 20XX. A.Y. 2016/17
Outline
1) Introduction to System Security
2) Basic Exploits
3) Network Attacks
4) Web Exploits
5) Safe Passwords
Introduction to System Security
Why a lesson on internet security?
Nowadays the security of systems is fundamental at every level, from the small company to government servers.
There is no course on system security in the bachelor degree.
Any programmer and system administrator should be aware of the basic attack techniques.
The blame for a security breach can lie with:
Users: opening email attachments, bad passwords, ...
Programmers: bugs
System administrators: wrong configurations
Which is the perfectly secure system?
1) A well-configured, well-programmed computer
2) A computer not connected to the internet
3) A computer turned off
4) A computer disconnected from the power supply
The trusted parts
Do you trust the software you buy?
Do you trust the firewall you are using?
Do you trust the Linux kernel?
Do you trust your compiler?
Do you trust your BIOS?
Do you trust your hardware?
The Risk
Hardening the system may be very costly, in terms of programming hours, user experience, computational capacity, etc.
How much effort should I invest in securing my system? It depends on the risk:
RISK = ASSETS * VULNERABILITIES * THREATS
Basic Exploits
The classic: Buffer Overflow (1/2)
The buffer overflow is a typical exploit that allows an attacker to execute arbitrary code on a (remote) machine.
It is basically a bug in the software:
    #include <stdio.h>
    void chiedi_user() {
        char buffer[256];
        scanf("%s", buffer);   /* no length limit: input longer than 255 bytes overflows the buffer */
        printf("You have written %s!\n", buffer);
    }
The classic: Buffer Overflow (2/2)
Stack layout of chiedi_user(), from higher to lower addresses:
    return address
    other variables
    buffer[252-255]
    ...
    buffer[4-7]
    buffer[0-3]
Input is written upward starting from buffer[0], so an input longer than the buffer overwrites the other variables and finally the return address.
The classic 2: Format String
How to write a correct printf:
    printf("%s", mionome);
How to write a terrible printf:
    printf(mionome);
With the second form, an attacker who controls mionome can READ and WRITE the stack of your application!
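The two slides above show the bugs; what a programmer needs is the fixed form. The following is an added example, not code from the slides: the helper names read_name_safe and format_message are hypothetical, and chiedi_user_safe is a hardened rewrite of the slide's chiedi_user. The fix for the buffer overflow is a bounded read (fgets, or snprintf with "%s") that can never write past the end of the buffer, and the fix for the format string is to pass the user's text only as a %s argument, never as the format itself.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): copy untrusted input into a
 * fixed-size buffer without ever writing past its end. snprintf with "%s"
 * stops after outsz-1 bytes and always NUL-terminates.
 * Returns 1 if the whole input fitted, 0 if it had to be truncated. */
int read_name_safe(const char *input, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    int needed = snprintf(out, outsz, "%s", input);
    return needed >= 0 && (size_t)needed < outsz;
}

/* Build the greeting with the user's text passed as a %s argument, never as
 * the format string, so any '%' inside the name is printed literally.
 * Returns 1 on success, 0 if the message did not fit in out. */
int format_message(const char *name, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "You have written %s!", name);
    return n >= 0 && (size_t)n < outsz;
}

/* The slide's function, hardened: fgets reads at most sizeof buffer - 1
 * bytes (scanf("%s") had no limit at all), and printf gets a fixed format. */
void chiedi_user_safe(void)
{
    char buffer[256];
    if (fgets(buffer, sizeof buffer, stdin) == NULL) return;
    buffer[strcspn(buffer, "\n")] = '\0';   /* drop the trailing newline */
    printf("You have written %s!\n", buffer);
}

int main(void)
{
    chiedi_user_safe();
    return 0;
}
```

Compiling with -Wall -Wformat-security makes GCC and Clang warn on printf(mionome)-style calls, which is the cheapest way to catch the second bug across a whole code base.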
Network Attacks
The * spoofing
Network protocols trust hosts. But a host can fake:
its IP address
its MAC address
ARP messages
ICMP messages
DNS resolutions
Man in the Middle
DoS attacks
DoS = Denial of Service
An attempt to make a server or a network unavailable, typically via a flood of requests that overloads the target system or network: RAM exhaustion, TCP connection exhaustion, thread exhaustion, etc.
DDoS attacks
DDoS = Distributed Denial of Service
A DoS attack carried out using compromised machines (a botnet).
Web Exploits
SQL Injection
Classic vulnerability of HTTP applications.
Example of vulnerable PHP code:
    $sql = "SELECT * FROM users WHERE user='" . $_GET['user'] . "' AND password='" . $_GET['password'] . "'";
    mysql_query($sql);
What if $_GET['password'] = ' OR '1'='1 ?
    SELECT * FROM users WHERE user='...' AND password='' OR '1'='1'
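The slide shows why concatenation is wrong; the fix is to keep user values out of the SQL text by binding them as parameters. The following is an added example, not code from the slides: build_query_unsafe reproduces the slide's concatenation in C, and bind_query shows what a client library does when it emulates prepared statements, replacing each ? placeholder with the value quoted and escaped (MySQL-style backslash escaping is assumed). The helper names are hypothetical. With binding, the ' OR '1'='1 value from the slide ends up inside a single string literal and can never change the WHERE clause.

```c
#include <stdio.h>
#include <string.h>

/* Append one character, keeping room for the terminating NUL.
 * Returns 0 when the destination is full. */
static int put(char *dst, size_t dstsz, size_t *pos, char c)
{
    if (*pos + 1 >= dstsz) return 0;
    dst[(*pos)++] = c;
    return 1;
}

/* Write val as a quoted SQL string literal with ' and \ escaped, the way a
 * MySQL client does when it emulates prepared statements (hypothetical
 * helper, not from the slides). Returns bytes written or -1 if dst is full. */
static int quote_literal(const char *val, char *dst, size_t dstsz)
{
    size_t pos = 0;
    if (!put(dst, dstsz, &pos, '\'')) return -1;
    for (; *val; val++) {
        if ((*val == '\'' || *val == '\\') && !put(dst, dstsz, &pos, '\\'))
            return -1;
        if (!put(dst, dstsz, &pos, *val)) return -1;
    }
    if (!put(dst, dstsz, &pos, '\'')) return -1;
    dst[pos] = '\0';
    return (int)pos;
}

/* The slide's vulnerable pattern: raw concatenation of request parameters.
 * Returns the query length or -1 if it did not fit. */
int build_query_unsafe(const char *user, const char *password,
                       char *out, size_t outsz)
{
    int n = snprintf(out, outsz,
                     "SELECT * FROM users WHERE user='%s' AND password='%s'",
                     user, password);
    return (n >= 0 && (size_t)n < outsz) ? n : -1;
}

/* Parameter binding: every '?' in tmpl is replaced by the next value, quoted
 * and escaped, so a value can only ever be a string literal.
 * Returns the query length, or -1 on overflow or a '?'/value count mismatch. */
int bind_query(const char *tmpl, const char *const *params, size_t nparams,
               char *out, size_t outsz)
{
    size_t pos = 0, next = 0;
    for (; *tmpl; tmpl++) {
        if (*tmpl == '?') {
            if (next >= nparams) return -1;   /* more '?' than values */
            int n = quote_literal(params[next++], out + pos, outsz - pos);
            if (n < 0) return -1;
            pos += (size_t)n;
        } else if (!put(out, outsz, &pos, *tmpl)) {
            return -1;
        }
    }
    if (next != nparams || pos >= outsz) return -1;   /* unused values */
    out[pos] = '\0';
    return (int)pos;
}
```

In PHP the same effect comes from mysqli prepared statements or PDO with bound parameters; client-side escaping as done here is what emulated prepares do, and real server-side prepares are preferable because the values never touch the SQL parser at all.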
XSS: Cross-Site Scripting
Injection of client-side code into vulnerable web pages.
Currently the most common security vulnerability.
What if we put valid HTML, maybe some JavaScript code, into the comment form?
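The defence against the comment-form case on the slide is output encoding: whatever the user typed is escaped so the browser renders it as text, never as markup. The following is an added example, not code from the slides; html_escape and render_comment are hypothetical helper names, and the <p class="comment"> wrapper is an assumed page template.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from the slides: escape the five HTML
 * metacharacters so a user comment is rendered as text, never as markup.
 * Returns the output length, or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t pos = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (pos + len >= outsz) return -1;   /* keep room for the NUL */
        memcpy(out + pos, rep, len);
        pos += len;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Place the escaped comment into the page template. The escaping above is
 * right for an HTML text node; attribute values, URLs and script blocks
 * each need their own encoding. Returns the length or -1 on overflow. */
int render_comment(const char *comment, char *out, size_t outsz)
{
    char esc[1024];
    if (html_escape(comment, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outsz, "<p class=\"comment\">%s</p>", esc);
    return (n >= 0 && (size_t)n < outsz) ? n : -1;
}
```

The escaping must happen at output time, in the context where the value is inserted; stripping tags on input is not equivalent, because the same comment may later be placed in an attribute or a script, where different characters matter.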
Safe Passwords
Password
The easiest attack is to guess the user's password.
Most common passwords*:
1) 123456 (290k occurrences)
2) 12345 (79k occurrences)
3) 123456789 (76k occurrences)
4) password (59k occurrences)
5) Iloveyou (49k occurrences)
* http://reusablesec.blogspot.it/2009/12/rockyou-32-million-password-list-top.html
A great password
According to NASA guidelines*:
It should contain at least 8 characters
It should contain a mix of 4 types of characters
It should not be a name or a dictionary word
It should not be related to you (no name, no birth date, no dog name, etc.)
* https://www.nasa.gov/centers/dryden/pdf/89163main_train_timesheet.pdf
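The two password slides together describe a checker: reject the common passwords from the first slide and enforce the four rules from the second. The following is an added example, not code from the slides or from NASA; check_password and its helpers are hypothetical names, the four character types are assumed to be lowercase, uppercase, digits and everything else, and the common-password list is a constructed sample made of the slide's top five. The "not related to you" rule is approximated by a case-insensitive search for personal tokens (name, pet, year) supplied by the caller.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Rule violations, combinable as a bitmask (0 means the password passed). */
enum {
    PW_TOO_SHORT   = 1 << 0,  /* fewer than 8 characters */
    PW_FEW_CLASSES = 1 << 1,  /* missing one of: lower, upper, digit, other */
    PW_COMMON      = 1 << 2,  /* equals an entry of the common-password list */
    PW_PERSONAL    = 1 << 3   /* contains a token tied to the user */
};

/* Constructed sample list: the slide's top five (RockYou leak), lower-cased. */
static const char *const COMMON_PASSWORDS[] = {
    "123456", "12345", "123456789", "password", "iloveyou"
};
static const size_t N_COMMON = sizeof COMMON_PASSWORDS / sizeof COMMON_PASSWORDS[0];

/* Case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Case-insensitive substring search; an empty needle never matches. */
static int icontains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Hypothetical checker (not from the slides): returns the bitmask of rules
 * the password violates. common/personal may be NULL when their count is 0. */
int check_password(const char *pw, const char *const *common, size_t ncommon,
                   const char *const *personal, size_t npersonal)
{
    int fail = 0, lower = 0, upper = 0, digit = 0, other = 0;
    if (strlen(pw) < 8) fail |= PW_TOO_SHORT;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
    }
    if (!(lower && upper && digit && other)) fail |= PW_FEW_CLASSES;
    for (size_t i = 0; i < ncommon; i++)
        if (ieq(pw, common[i])) { fail |= PW_COMMON; break; }
    for (size_t i = 0; i < npersonal; i++)
        if (icontains(pw, personal[i])) { fail |= PW_PERSONAL; break; }
    return fail;
}

/* Convenience wrapper: built-in common list, no personal data. */
int check_password_default(const char *pw)
{
    return check_password(pw, COMMON_PASSWORDS, N_COMMON, NULL, 0);
}
```

In practice the common-password list should be the full leaked-password corpus rather than five entries, and later guidance (NIST SP 800-63B, 2017) puts more weight on length and on such blocklists than on composition rules; the blocklist part of this check is the one that keeps the slide's top five out regardless of which policy is adopted.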
XKCD: Password