
Thursday, April 29, 2021

SSL Certificates Overview and FAQs

What is SSL?


- Stands for Secure Sockets Layer
- It provides encrypted communication between two systems

What are SSL certificates?


- This serves as your website's ID
- You can get this from a CA (e.g. Verisign, GlobalSign, etc.)
- In order for the CA to give you an SSL certificate, they will conduct a series
  of checks to make sure that you are a legitimate website owner and not an
  attacker/hacker
- Once given by the CA, you need to install this on your web server
- The CA will not give that certificate to anybody except you
- SSL certificates usually come in the form of a .crt file (e.g. mycompany.crt)

What is public and private keys?


- You can generate your own public and private key (or key pair)
- Your public key can be sent to anyone who is going to relay information to you
- That person will encrypt his/her message using the public key you sent
- You can decrypt that message by using your private key
- The private key must be kept only by you
- See "public and private keys.jpg" as an example

What is a CSR?


- It stands for Certificate Signing Request
- It is what you are going to send to an SSL provider (or CA)
- It is a block of encrypted text that is generated on the server that an SSL
  certificate will be used on
- It contains information that will be included in your certificate such as your
  organization name, common name (domain name), locality, and country
- It also contains the public key that will be included in your certificate
- A private key is usually created at the same time that you create the CSR
- The CA will use the CSR you sent to create your SSL certificate
- The certificate created with a particular CSR will only work with the private
  key that was generated with it
- So if you lose the private key, the certificate will no longer work

All about CA trust


Certificate trust works by having a list of trusted CAs inside the client's
device. This device might be a smartphone, but usually it's a browser like Google
Chrome or Mozilla Firefox.

When you enter a secure website (URL starting with https://), your browser will
check if the website's certificate is signed by one of the trusted CAs on its
list. If yes, then your browser will open the site for you without any warnings.

If no, then it will check if the certificate of the  

source: https://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html

How to create a certificate chain?

Create a certificate.pem with the following content.

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Then make sure that when you run "openssl x509 -in certificate.pem -text"
it shows your domain in the first part instead of the root CA (openssl x509
only reads the first certificate in the file). If not, try reversing the order.
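As an added example (not from the original post), here is a small POSIX shell script that checks the whole order of a certificate.pem bundle built as above, not just the first block: each certificate's issuer must be the subject of the certificate that follows it. It assumes openssl is installed and takes the bundle path as its argument.

```sh
#!/bin/sh
# Added example, not from the original post: check that a certificate.pem
# bundle is ordered leaf -> intermediate -> root. Assumes openssl is on PATH.

# Number of PEM certificate blocks in the bundle given as $1.
pem_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the $2-th (1-based) certificate block of bundle $1 to stdout.
pem_nth() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Distinguished name taken from the openssl "subject=..." / "issuer=..." line.
dn_of() {  # $1 = bundle, $2 = block index, $3 = subject|issuer
    pem_nth "$1" "$2" | openssl x509 -noout "-$3" | sed "s/^$3=//"
}

# Walk the bundle: block i must be issued by block i+1. Prints each subject
# and returns 1 on the first break in the chain.
chain_check() {
    bundle="$1"
    total=$(pem_count "$bundle")
    [ "$total" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 1; }
    i=1
    while [ "$i" -le "$total" ]; do
        echo "[$i] subject: $(dn_of "$bundle" "$i" subject)"
        if [ "$i" -lt "$total" ]; then
            issuer=$(dn_of "$bundle" "$i" issuer)
            next=$(dn_of "$bundle" $((i + 1)) subject)
            if [ "$issuer" != "$next" ]; then
                echo "order problem: block $i is not issued by block $((i + 1))" >&2
                echo "    issuer of [$i]:    $issuer" >&2
                echo "    subject of [$((i + 1))]: $next" >&2
                return 1
            fi
        fi
        i=$((i + 1))
    done
    echo "chain order OK: $total certificates, leaf first, root last"
}

# Usage: sh chain_check.sh certificate.pem
if [ -n "$1" ]; then
    chain_check "$1"
fi
```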

Wednesday, April 28, 2021

History and General Overview of Cybersecurity

Timeline

<1970 - radios, early computers
1970  - mainframes of campuses became targets
1980  - PCs were invented
1990  - internet
2000  - bluetooth, tablets, smartphones ..
>2000 - international law for computer crimes was established

"Making things easier for hackers is the fact that early network
technologies such as the Internet were never designed with security
as a goal. The goal was the sharing of information."

  * source: p. 53, CEHv9 (3rd edition), Sybex

Famous hacks through the years

1988 - 1st internet worm was created by Robert T. Morris, Jr.
1994 - Kevin Lee Poulsen took over the telephone lines of KIIS-FM to win a Porsche
1999 - David L. Smith created the "Melissa" virus, which emails itself to entries
       in the user's address book
2001 - Jan de Wit created the "Anna Kournikova" virus, which reads all entries of
       a user's Outlook address book
2002 - Gary McKinnon connected to and deleted critical US military files
2004 - Adam Botbyl (together with 2 other friends) stole credit card information
       from the Lowe's hardware chain
2005 - Cameron Lacroix hacked into Paris Hilton's phone
2009 - Kristina Vladimirovna (Russian hacker) skimmed around
       3 billion US$ from US banks
mid 2000s - "Stuxnet" virus attacked uranium production
          - "Anonymous" group attacked local government networks

Generic examples of Cyber crimes

1.  stealing usernames and passwords
2.  network intrusions
3.  social engineering (involves human interaction)
4.  posting/transmitting of illegal material
5.  fraud
6.  software piracy
7.  dumpster diving (reconstruction of broken data)
8.  malicious code (viruses)
9.  unauthorized destruction of data
10. embezzlement (form of financial fraud)
11. data-diddling (modification of information to cover up activities)
12. Denial-of-service (overloads a system resource)
13. ransomware (encrypts files on target system to get money)

Devices and Systems that add security

Software:

- VPNs (Virtual Private Networks)
- IPS (Intrusion Prevention Systems)
- firewalls
- ACLs (Access Control Lists)
- biometrics
- smartcards

Physical security:

- cable locks
- device locks
- alarm systems

Malicious Attacks

- Denial-of-service (DoS)
- manipulation of stock prices
- identity theft
- vandalism
- credit card theft
- piracy
- theft of service

Known hacker groups

Anonymous
https://en.wikipedia.org/wiki/Anonymous_(group)

LulzSec
https://en.wikipedia.org/wiki/LulzSec



Sunday, April 25, 2021

How to be a well rounded Ethical Hacker

Hacking is an engaging field, but it is surely not easy. To become a hacker one has to have the attitude and curiosity to keep learning and adapting to new skills.

You must have a deep knowledge of computer systems, programming languages and operating systems, and the journey of learning goes on and on.

Some people think that a hacker is always a criminal who does illegal activities, but they are wrong. Actually, many big companies hire hackers to protect their systems and information, and they are highly paid. Here is the list of the most important steps necessary to become a hacker; have a deeper look.

LEARN UNIX/LINUX

UNIX/LINUX is an open source operating system which provides better security to computer systems. It was first developed by AT&T in Bell Labs and contributed a lot to the world of security. You should install the freely available open source versions of LINUX on your desktops, as without learning UNIX/LINUX it is not possible to become a hacker.

CODE IN C LANGUAGE

C programming is the base for learning UNIX/LINUX, as this operating system is coded in C, which makes it the most powerful language compared to other programming languages. The C language was developed by Dennis Ritchie in the late 1970's. To become a hacker you should master the C language.

CODE IN MORE THAN ONE PROGRAMMING LANGUAGE

It is important for a person in the hacking field to learn more than one programming language. There are many programming languages to learn such as Python, Java and C++. Free ebooks and tutorials are easily available online.

LEARN NETWORKING CONCEPTS

Another important and essential step to become a hacker is to be good at networking concepts and to understand how networks are created. You need to know the differences between different types of networks and must have a clear understanding of TCP/IP and UDP to exploit vulnerabilities (loop holes) in a system.

Understanding what a LAN, WAN, VPN and Firewall are is also important. You must have a clear understanding and use of network tools such as Wireshark and NMAP for packet analysis, network scanning etc.

LEARN MORE THAN ONE OPERATING SYSTEM

It is essential for a hacker to learn more than one operating system. There are many other operating systems apart from Windows, UNIX/LINUX etc. Every system has a loop hole, and a hacker needs to find it to exploit it.

LEARN CRYPTOGRAPHY

To become a successful hacker you need to master the art of cryptography. Encryption and decryption are important skills in hacking. Encryption is widely used in several aspects of information system security: authentication, confidentiality and integrity of data.

Information on a network, such as passwords, is in encrypted form. While hacking a system, these encrypted codes need to be broken, which is called decryption.

LEARN MORE AND MORE ABOUT HACKING

Go through various tutorials and ebooks written by experts in the field of hacking. In the field of hacking, learning is never ending because security changes every day with new updates in systems.

EXPERIMENT A LOT

After learning some concepts, sit and practice them. Set up your own lab for experimental purposes. You need a good computer system to start with, as some tools may require a powerful processor, RAM etc. Keep on testing and learning until you breach a system.

WRITE VULNERABILITY (LOOP HOLE PROGRAM)

A vulnerability is the weakness, loop hole or open door through which you enter the system. Look for vulnerabilities by scanning the system, network etc. Try to write your own and exploit the system.

CONTINUE NEVER ENDING LEARNING

Learning is the key to success in the world of hacking. Continuous learning and practicing will make you the best hacker. Keep yourself updated about security changes and learn about new ways to exploit systems.

Thursday, April 1, 2021

SSL (Secure Sockets Layer)

What is SSL?


SSL stands for Secure Sockets Layer, a protocol developed by Netscape in 1994.
It provides a secure way of communication between computer systems by scrambling
the data to make it difficult to read while traversing the network.

Symmetric vs Asymmetric Key Cryptography


Before we learn how the SSL process works, we must understand the 2 major types
of cryptography used.

Symmetric Key Cryptography

  This is also known as Secret Key Cryptography. Both communicating parties use
  the same key for decrypting and encrypting data. The cryptographic algorithm
  to use in encrypting and decrypting data must be agreed by both ends. Examples
  of these are Data Encryption Standard (DES), Triple-Strength DES (3DES),
  Rivest Cipher 2 (RC2), and Rivest Cipher 4 (RC4). Decryption/encryption of
  data is quick, but transferring the secret/symmetric key to both ends can be
  intercepted by an attacker.

Asymmetric Key Cryptography

  This is also known as Public Key Cryptography. This makes use of a private and
  a public key to encrypt/decrypt data. The private key must never be shared
  with others while the public key can be shared. If data is encrypted using
  the private key, it can be decrypted using its corresponding public key (and
  vice-versa). Some well known public key algorithms are Rivest Shamir Adleman
  (RSA) and the Diffie-Hellman (DH) algorithm. Using this kind of cryptography
  requires more processing power, which makes it slow. This is the reason why
  we only use this for encrypting small pieces of data like the symmetric key.

In the next sections, we will see how these 2 take place in the SSL handshake.

But first, here are a few items that are worth reading.

|  Terminology  |                           Definition                          |
|---------------|---------------------------------------------------------------|
| cipher suite  | A set of cryptographic algorithms and key sizes that a        |
|               | computer can use to encrypt data. A cipher suite typically    |
|               | consists of respective algorithms used for key exchange,      |
|               | authentication, bulk encryption, and Message Authentication   |
|               | Code (MAC). For an in-depth discussion on cipher suites, I    |
|               | will provide another post right after this.                   |
|---------------|---------------------------------------------------------------|
| cryptographic | These are math functions that aim to scramble data to hide    |
| algorithm     | its contents. The 2 major types are Symmetric (uses 1 key)    |
|               | and Asymmetric (uses public and private keys), and different  |
|               | kinds exist under those categories. E.g. Symmetric has RC and |
|               | DES while Asymmetric can be RSA or DH.                        |
|---------------|---------------------------------------------------------------|
| ciphertext    | This is another name for encrypted data. The opposite is      |
|               | the unencrypted data or cleartext.                            |
|---------------|---------------------------------------------------------------|


The fun part: SSL Protocol in depth


Here is a more detailed explanation of what is happening in the background.

|             CLIENT            |     |             SERVER             |
|-------------------------------|-----|--------------------------------|
| Client Hello                  | --> |                                |
|-------------------------------|-----|--------------------------------|
|                               | <-- | Server Hello                   |
|-------------------------------|-----|--------------------------------|
|                               | <-- | Certificate                    |
|-------------------------------|-----|--------------------------------|
|                               | <-- | Server Key Exchange (optional) |
|-------------------------------|-----|--------------------------------|
|                               | <-- | Server Hello Done              |
|-------------------------------|-----|--------------------------------|
| Client Certificate (optional) | --> |                                |
|-------------------------------|-----|--------------------------------|
| Client Key Exchange           | --> |                                |
|-------------------------------|-----|--------------------------------|
| Change Cipher Spec            | --> |                                |
|-------------------------------|-----|--------------------------------|
| Finished                      | --> |                                |
|-------------------------------|-----|--------------------------------|
|                               | <-- | Change Cipher Spec             |
|-------------------------------|-----|--------------------------------|
|                               | <-- | Finished                       |
|-------------------------------|-----|--------------------------------|
| encrypted data                | <-> | encrypted data                 |
|-------------------------------|-----|--------------------------------|


Let's focus on the required steps below, leaving off the optional ones with a
few details.

Client Hello

  The client (in this case a browser like Google Chrome) initiates the
  connection by going to a secure site (URL starting with https://). At this
  moment, SSL is triggered automatically. The client sends the server (the
  system where the site is hosted) 4 important pieces of information: the
  cipher suites it can use for both symmetric and asymmetric key encryption,
  the SSL version it wishes to use, a session ID, and a compression method.

  Protocol Version   - Version of SSL the client wants to use
  Session ID         - Session identifier the client wants to use. In the 1st
                       Client Hello this is always empty for every new session.
  Cipher Suite       - Contains the list of cryptographic algorithms supported
                       by the client (in order of preference). The server
                       selects from these choices. If nothing can be selected,
                       the server will return a handshake failure.
  Compression Method - List of compression algorithms supported by the client.
                       If the server doesn't support any method listed, the
                       connection will fail.

  Here is an actual packet capture of a Client Hello message from Wireshark.


Server Hello

  The server now responds to the client with the following information.

  Protocol Version   - Version of SSL that is supported by both the server and
                       the client. The server will choose the lower of the two
                       maximum versions, e.g. if the client supports 2.0 while
                       the server supports up to 3.0, the server will choose
                       2.0.
  Session ID         - This is the session identifier. If the session ID sent by
                       the client is not empty, the server will look for it in
                       its cache and then try to reuse it. That means that the
                       client wishes to reuse an existing session instead of
                       opening a new one. Otherwise, this will contain another
                       value which will identify this new session.
  Cipher Suite       - This is the cipher suite chosen from the list provided by
                       the client.
  Compression Method - Similar to the previous one, chosen from the list
                       provided by the client.


Certificate

  If the server has a certificate, which is the usual scenario, it will send the
  client the list of certificates it has (its chain). The certificate must be
  appropriate for the selected cipher suite.


Server Key Exchange (optional)

  This is only sent if the server has NO certificate, which is unusual for an
  HTTPS connection.


Server Hello Done

  This is pretty much a blank message indicating that the server is done sending
  the required information.


Client Certificate (optional)

  This is the 1st message sent by the client after it receives the Server Hello
  Done. However, this is only sent when the server requests a certificate from
  the client, which is uncommon in web communications. One case where this is
  used is when an organization establishes a secure communication channel with
  another one which requires authentication.

Client Key Exchange

  This depends on the public key algorithm agreed between both parties, which
  is found inside the cipher suite. If Diffie-Hellman is agreed, the packet
  will look like this:



  Otherwise, if RSA was chosen, the client will generate a PreMaster secret,
  encrypt it using the server's public key, and send it to the server. The
  server will decrypt it using its private key. Both parties now have the
  PreMaster and will generate a master key from it. For the purpose of this
  post, let's say RSA was chosen as the public key cryptography. The
  corresponding packet capture for RSA is:



Change Cipher Spec (client/server)

  This message signals the transition from Public (Asymmetric) Key to Secret
  (Symmetric) Key cryptography. But why are we doing this? We know from the
  discussion above that Asymmetric is resource intensive compared to Symmetric.
  So in order not to degrade performance, we will use Symmetric Key
  Cryptography throughout the data exchange. What happens here is that the
  client copies the new (pending) Cipher Spec to the current Cipher Spec (the
  one to be replaced). This message is encrypted by the current Cipher Spec.
  When both parties receive each other's Change Cipher Spec, they will copy the
  read pending state into the read current state.


Finished (client/server)

  This is sent right after the Change Cipher Spec and is the first message
  protected by the most recently negotiated Cipher Spec. No acknowledgement is
  needed by either party after receiving this message, and secure data exchange
  can now start.
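As an added example (not part of the original post), here is the RSA branch of the Client Key Exchange replayed with the openssl CLI: a freshly generated server key pair stands in for the certificate, a 48-byte PreMaster is encrypted to the server's public key and recovered with its private key, and the symmetric key both sides derive then protects data the way it would after Change Cipher Spec. It assumes openssl is installed; the SHA-256 derivation is a stand-in for the real TLS PRF, not the protocol's own key schedule.

```sh
#!/bin/sh
# Added example, not from the original post: the RSA Client Key Exchange
# from the walkthrough above, replayed with the openssl CLI. Assumes openssl
# is installed; all keys are generated fresh in a temporary directory.

# Perform the exchange and print the symmetric key both sides derive.
# Returns 0 when client and server agree on the key, 1 otherwise.
rsa_key_exchange() {
    work=$(mktemp -d)

    # Server: the private key never leaves the server; the public half is
    # what the Certificate message carries to the client.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/server.key" 2>/dev/null
    openssl pkey -in "$work/server.key" -pubout -out "$work/server.pub"

    # Client: a 48-byte random PreMaster secret, encrypted with the server's
    # public key (PKCS#1 v1.5 padding, openssl's default, as in SSL/TLS RSA
    # key exchange). The ciphertext is the Client Key Exchange payload.
    openssl rand -out "$work/premaster.client" 48
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -in "$work/premaster.client" -out "$work/client_key_exchange.bin"

    # Server: only the holder of the private key can recover the PreMaster.
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -in "$work/client_key_exchange.bin" -out "$work/premaster.server"

    # Both ends derive the bulk (symmetric) key from the shared PreMaster.
    # A plain SHA-256 stands in here for the TLS master-secret/key-block PRF.
    client_key=$(openssl dgst -sha256 -r "$work/premaster.client" | cut -d' ' -f1)
    server_key=$(openssl dgst -sha256 -r "$work/premaster.server" | cut -d' ' -f1)
    rm -rf "$work"

    echo "$client_key"
    [ "$client_key" = "$server_key" ]
}

# After Change Cipher Spec, application data is protected by the symmetric
# key alone. Encrypt and decrypt $2 with AES-256-CBC under hex key $1 and
# print the recovered plaintext (fixed IV: demo only).
symmetric_roundtrip() {
    iv=000102030405060708090a0b0c0d0e0f
    printf '%s' "$2" \
        | openssl enc -aes-256-cbc -K "$1" -iv "$iv" \
        | openssl enc -d -aes-256-cbc -K "$1" -iv "$iv"
}

main() {
    key=$(rsa_key_exchange) || { echo "PreMaster mismatch" >&2; exit 1; }
    echo "shared symmetric key (hex): $key"
    echo "decrypted on the server: $(symmetric_roundtrip "$key" 'GET / HTTP/1.1')"
}
main "$@"
```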


Friday, January 25, 2019

SYN Flooding


A symptom of this is an increase in the number of sockets in the SYN-RECV state
in netstat output. Here is an example for SSH connections.

[...]
tcp    SYN-RECV   0      0      10.147.0.6:22                 144.217.57.63:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 104.27.156.179:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 104.27.145.254:45914             
tcp    SYN-RECV   0      0      10.147.0.6:22                 104.27.156.179:45914             
tcp    SYN-RECV   0      0      10.147.0.6:22                 103.9.179.158:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 103.9.179.151:3082              
tcp    SYN-RECV   0      0      10.147.0.6:22                 103.9.179.158:45914
[...]

Normally, the 3-way handshake happens like this.

1. Client sends a SYN packet to the server
2. Server responds with a SYN-ACK packet to the client
3. Client sends an ACK packet to the server

In the SYN-RECV state, the client hasn't sent back the ACK packet. This may be
an example of SYN flooding, a type of malicious attack.

Several kernel parameters can be configured to defend your server.

net.ipv4.tcp_syncookies = 1                                --> prevents valid connections from being dropped (best param to configure)
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 45
net.ipv4.conf.all.rp_filter = 1
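As an added example (not part of the original post), a POSIX shell detector for the symptom above: it summarises SYN-RECV sockets per local listener from output in the six-column layout of the excerpt (what `ss -an` prints), flags listeners above a threshold, and shows how the sysctls listed above are currently set. The sample socket lines are constructed, not a real capture.

```sh
#!/bin/sh
# Added example, not part of the original post: spot the SYN-RECV build-up
# described above. Input is the six-column layout of the excerpt (Netid,
# State, Recv-Q, Send-Q, Local, Peer), which is what `ss -an` prints.

# Constructed sample, not a real capture: three half-open sockets on :22.
SAMPLE_SOCKETS='tcp    ESTAB      0      0      10.147.0.6:22                 10.147.0.9:50122
tcp    SYN-RECV   0      0      10.147.0.6:22                 198.51.100.17:3082
tcp    SYN-RECV   0      0      10.147.0.6:22                 198.51.100.23:3082
tcp    SYN-RECV   0      0      10.147.0.6:22                 203.0.113.5:45914
tcp    SYN-RECV   0      0      10.147.0.6:443                203.0.113.9:40001
tcp    ESTAB      0      0      10.147.0.6:443                10.147.0.11:51200'

# Read socket lines on stdin; print "listener half_open distinct_peers" for
# every local listener that has SYN-RECV sockets.
syn_recv_summary() {
    awk '$2 == "SYN-RECV" {
             split($6, peer, ":")
             count[$5]++
             if (!seen[$5, peer[1]]++) peers[$5]++
         }
         END { for (k in count) print k, count[k], peers[k] }' | sort
}

# Exit 0 and print offenders when any listener has more than $1 half-open
# connections, exit 1 otherwise. Live use: ss -an | syn_flood_check 100
syn_flood_check() {
    syn_recv_summary | awk -v limit="$1" '
        $2 > limit { print "ALERT", $1, "has", $2, "half-open sockets from", $3, "peers"; hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Show how the mitigations listed in the post are set on this kernel
# (Linux only; a key that does not exist is reported rather than failing).
show_syn_sysctls() {
    for key in net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog \
               net.ipv4.tcp_synack_retries \
               net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv \
               net.ipv4.conf.all.rp_filter; do
        if val=$(sysctl -n "$key" 2>/dev/null); then
            echo "$key = $val"
        else
            echo "$key: not present on this kernel"
        fi
    done
}

printf '%s\n' "$SAMPLE_SOCKETS" | syn_flood_check 2 || echo "no listener above threshold"
```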
 

Thursday, May 24, 2018

Introduction to Cybersecurity


History of Hacking
------------------

Timeline:

<1970 - radios, early computers
1970  - mainframes of campuses became targets
1980  - PCs were invented
1990  - internet
2000  - bluetooth, tablets, smartphones ..
>2000 - international law for computer crimes was established

"Making things easier for hackers is the fact that early network
technologies such as the Internet were never designed with security
as a goal. The goal was the sharing of information."

Famous hacks through the years:

1988 - 1st internet worm was created by Robert T. Morris, Jr.
1994 - Kevin Lee Poulsen took over the telephone lines of KIIS-FM to win a Porsche
1999 - David L. Smith created the "Melissa" virus, which emails itself to entries
       in the user's address book
2001 - Jan de Wit created the "Anna Kournikova" virus, which reads all entries of
       a user's Outlook address book
2002 - Gary McKinnon connected to and deleted critical US military files
2004 - Adam Botbyl (together with 2 other friends) stole credit card information
       from the Lowe's hardware chain
2005 - Cameron Lacroix hacked into Paris Hilton's phone
2009 - Kristina Vladimirovna (Russian hacker) skimmed around
       3 billion US$ from US banks
mid 2000s - "Stuxnet" virus attacked uranium production
          - "Anonymous" group attacked local government networks

Generic examples of Cyber crimes
--------------------------------

1.  stealing usernames and passwords
2.  network intrusions
3.  social engineering (involves human interaction)
4.  posting/transmitting of illegal material
5.  fraud
6.  software piracy
7.  dumpster diving (reconstruction of broken data)
8.  malicious code (viruses)
9.  unauthorized destruction of data
10. embezzlement (form of financial fraud)
11. data-diddling (modification of information to cover up activities)
12. Denial-of-service (overloads a system resource)
13. ransomware (encrypts files on target system to get money)

Devices and Systems that add security
-------------------------------------

Software:

- VPNs (Virtual Private Networks)
- IPS (Intrusion Prevention Systems)
- firewalls
- ACLs (Access Control Lists)
- biometrics
- smartcards

Physical security:

- cable locks
- device locks
- alarm systems

Malicious Attacks
-----------------

- Denial-of-service (DoS)
- manipulation of stock prices
- identity theft
- vandalism
- credit card theft
- piracy
- theft of service

Known hacker groups
-------------------

Anonymous

LulzSec