Encapsulation
takes info from a higher layer and adds a header to it
de-encapsulation –> removes headers from PDUs and passes the data to the next higher OSI layer
data flow –> 7 - encapsulation - 1 –> tx over network –> 1 - de-encapsulation - 7
| layer | PDU |
|---|---|
| 4 - transport | segment |
| 3 - network | packet |
| 2 - data link | frame |
| 1 - physical | bit |
VPN screen scraper = app that allows an attacker to capture what is on the user’s display (abernathy?)
Screen scraping is the act of copying information that shows on a digital display so it can be used for another purpose.
SDN (Software Defined Network) –> physical separation of network control plane from fwd plane (decisions are taken remote, not on the hardware)
VSAN (Virtual Storage Area Network) –> sw-defined storage that allows pooling of storage capabilities & instant/automatic provisioning of VM storage.
Noise –> interference introduced to the cables, distorts the signal –> problems
Attenuation –> weakening of the signal as it travels down the cable
Crosstalk –> wires in parallel –> signals interfere w/ each other & distort the signal
Eavesdropping –> fiber optic is the safest !
Network attacks
non-blind spoofing –> attacker in the same subnet, sniffs the seq/ack numbers and hijacks the session
blind spoofing –> pkts sent to victim to obtain a sampling of seq numbers & generate a valid seq number for the attack (works on older systems)
MITM –> intercepts legitimate traffic between 2, attacker controls info flow & can alter comm
MAC flooding –> overflow the MAC table w/ many entries, transforming the device into a hub-like device
ARP poisoning –> within VLAN, fools routers into learning false MAC addr; then pose as that device and do MITM
ICMP attacks
Ping of Death –> send oversized packets, victim’s OS becomes unstable
Smurf –> ICMP echo request –> sent to the broadcast on victim’s behalf (faked) –> all devices in the network answer –> DDoS
Fraggle –> uses UDP, DDoS like smurf
ICMP redirect –> alter the routing table of the host that receives the message using ICMP redirect packets (type 5, used to specify better routing paths)
ping scanning –> pings every IP address to see if it’s alive
DNS attacks
DNS cache poisoning –> attacker attempts to refresh/update the record when it expires w/ a fake address (on the DNS server’s cache)
pharming –> redirect a website’s traffic to a fake site (by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software)
DoS –> attack the DNS server
DDoS –> DoS from several devices
DNSSEC –> stronger auth mechanism, digital signatures to validate the source of DNS messages
URL hiding –> embed URL in web pages/email (text ok, hyperlink fake)
domain grabbing –> individuals register a domain name of a well-known company before the company does it
cybersquatting –> domains registered to hold them hostage (sell them to the “right owner”)
Email attacks
email spoofing –> fake the headers to look like it comes from somebody else
phishing –> convince the user to click a link in an unsolicited email (social eng)
spear phishing –> phishing targeted to specific persons
whaling –> important person in the company
spam –> mass email
teardrop –> fragmentation attack, malformed fragments of the packet are sent, @reassembly the victim crashes
session hijacking –> attacker places himself in the middle of an active conversation
IP addr spoofing –> impersonate another IP addr
zero day –> previously unknown sec vuln
Bluetooth
operates in 2.4 GHz, uses FHSS and AFH (Adaptive Freq Hopping) - switches congested channels, low power
uses a weak encryption cipher, E0; has 128-bit key, is vulnerable
- buffer overflow
- bluejacking (unsolicited msg are sent)
- BlueBug attacks (can overtake phone, send SMS, download/modify data)
| term | meaning |
|---|---|
| bluejacking | send unsolicited msg over Bluetooth |
| Red Fang | tool to find non-discoverable Bluetooth devices |
| bluesnarfing | theft of data via Bluetooth |
| layer | proto |
|---|---|
| 7 - application | HTTP, FTP, TFTP, DHCP, DNS, SMTP, POP3, telnet, SSH |
| 6 - presentation | GIF, JPEG, MPEG |
| 5 - session | PAP, RPC |
| 4 - transport | UDP, TCP |
| 3 - network | IP, RIP, OSPF |
| 2 - data link | ethernet, frame relay, token ring, PPP, CDP |
| 1 - physical | |
Isolation
segments/devices need to be segregated from the environment, so as not to cause harm / be harmed

| type | meaning |
|---|---|
| LOGICAL | VLAN |
| AIR-GAPPED | isolated from any untrusted network |
| PHYSICAL | completely disconnected from ANY other network |
| CLEAN ROOM | physically isolated network located in a secure room/location |
Security device placement
directly affects effectiveness
| device | role |
|---|---|
| APPLIANCE | self-contained (hw/sw) network resource |
| SENSOR | device that collects info about netw/host; can report/produce events/control |
| COLLECTOR | performs targeted collection from distributed data & feeds it into an aggregation/correlation engine |
TRICKS
HTTPS encrypts @ layer 4 using SSL/TLS (the entire HTTPS message); S-HTTP (never widely used) encrypts only the data, @ layer 7