* = completed in class (as of the given date)   * = completed outside class (as of the given date)

topic # Topic Reading Homework Slides
1 breadth and spectrum of the field

operating systems' resource access controls as a foundation

steganography

textbook chapters 1-3 (scan)
chapter 4
 "Users, Passwords, and Authentication"
chapter 5
 "Users, Groups, and the Superuser" 

1 - review class website, esp. the links in the box with heading "First-day administrative information you will need to know"
2 -
get/order Practical UNIX and Internet Security textbook ("Syllabus" link, upper left)
3 - read textbook chapter 4 "Users, Passwords, and Authentication" and chapter 5 "Users, Groups, and the Superuser." Scan the introductory 3 chapters as well.
4 - listen to the narrated slide presentations at the links entitled "general considerations" and "users/processes/resources"*
5 - install VMware and some virtual machines

 a CentOS6.4 machine
 a Fedora 19 machine containing heartbleed vulnerability
 a Kali linux machine
 a CentOS4.3 machine
 a WindowsXP machine

as platforms for doing exercises in this class. In the future I will feel free to ask you to do work on these machines. 
6 - as a tourist, visit the informational links listed at left under the heading "DETER net testbed". Gain initial familiarity with DETER at casual level. We will arrange DETER accounts for you shortly.
7 - view setup security screenshots from Dell Latitude D620 laptop
8 - read Secrets & Lies by Bruce Schneier* (10/25)
9 - read about threat modeling

general considerations
 (narrated version)* (10/25)

users/processes/resources
 (narrated version)* (10/25)

Secrets & Lies* (10/25)
(Schneier)

threat models probably n.o.t. (not enough time) 

steganography* (10/25)

secure boot probably n.o.t. (not enough time)

 

 

2 steganography
user accounts

in-class demo
 - s-tools

in-class demo
 - covert_tcp
* (11/1)

in-class demo
 - covert_ping
* (11/1)

in-class exercise
 - Disabling users
* (11/8)

-
do
-steganography - use s-tools in Windows to create an image file containing an embedded text file. Get s-tools here. Be guided closely but not completely by the instructions at "steganography". Assuming your name is John Smith (substitute your own real name), please name your files
  smith.bmp and
  smith.txt
In the txt file, put the sentence, naming you, like "my name is John Smith". The image file itself should be sunset.bmp, produced from sunset.bmp. Embed the text file into the image file, using password "password" and encryption algorithm IDEA. Email me the resultant file attached to a message entitled "steganography" (I will use an email filter based on that title; if you name it something else I won't get it). Email it to my private email address, not my SMC address. You get credit if I can extract your text file and read your name. (In the assignment as written up at the "steganography" link, ignore the 2nd portion about covert channels. The assignment was written for use in a slightly different setting. Follow it in terms of its step-by-step for using s-tools but not in terms of the assignment administration. The administrative instructions just described here are the ones that apply for this class. In particular, ignore the questions at the end. The assignment can be done on your Windows machine, or on my delivered VMware Windows virtual one you installed in Assignment 1. Be aware that some anti-malware tools may dislike s-tools. If yours does, turn it off if you are not uncomfortable doing so. You have every right to be and it's wholly your call. Else, use the VM.)* (11/7)

read - portions of Craig Rowland's page about covert use of TCP and IP. Read the sections entitled "Application," "Implications...," and "Final Notes." Scan the other sections, which are more technical than we care about but show the utilization of something that by design is a non-channel (it's something else) as a channel.

 

covert channels* (11/1)

Users
 (narrated version)* (11/1)

3 processes

in-class exercise
ProcessUID control
 version 1 - local

 version 2 - via ssh

 BIOS and bootloader passwords

read from textbook
 a - chapter 6 "Filesystems and Security"
 b - pp. 600-610 in the section of Chapter 19 "Defending Accounts" entitled "Administrative Techniques for Conventional Passwords."
 c - pp 850-61 about processes and the ps command that reports on them; read this at a scan level, not to learn the detail in the tables and figures but the concepts in the narrative
read additional resources
 the link at left entitled "File permissions"
 the link at left entitled "Remote Unix access with ssh"

su, suid, sudo and process UID control
perform the exercise at the link entitled "version 1 - local" under the heading "ProcessUID control" at left. You can do it on your CentOS6.4 VMware virtual machine.
getting the needed files - the assignment asks you to acquire 2 files. They are available in the /home/public directory on sputnik.smc.edu.  Use the method described here.
submit  - When you are finished, answer the 3 questions at the end. Submit your answers following these preparation and submittal instructions (you will use scp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "uid.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.* (11/5)
processes (for background reference, will not present)

ProcessUID control
 (narrated version)* (11/8)

4 authorization

in-class demo
 - SELinux
* (11/8)

read from additional (non-textbook) sources
 a - the link entitled "File permissions" at left
 b - Part 1 and part 2 of an article from IBM about passwords. Don't worry about the parts where specific code examples are analyzed (unless particularly interested). Note the article's suggestion to utilize dice for composing passwords in order to achieve "a completely random distribution of passwords of a given length." Randomness is a virtue, and dice achieve it better than any computer.
 c - a discussion of the importance of randomness for producing "perfect passwords" at Gibson Research Corporation.
visit - sites for a couple of password safes, products where you put a password on your collection of passwords.
  Password Safe
  LastPass
  podcast discussion about LastPass  

road-test your DETER account by doing the exercise at

http://homepage.smc.edu/morgan_david/cs78/smc-deter-account.htm

You need send me nothing for this, I can see as a DETER administrator. We'll use DETER more seriously later. This is just to get you familiar with it first.

 
authorization
 (narrated version)* (11/8)

SELinux demo* (11/8)

 

5 authentication

message digests (hashing)

least-need

in-class demo
 - yubikey 2FA
* (11/1)

in-class exercises
Pluggable authentication modules
 PAM

least-need principle (stripping unneeded services)
 SysVinit version
 systemd version
* (11/8)

read - article about LinkedIn password leak implications

read - from textbook, chapter 7 "Cryptography Basics"

message digests:
listen to this discussion about message digests (cryptographic hashes). It is a 34-minute conversation, of which you can skip the last 14 minutes for our purposes. Just listen to the first 20 minutes.* (11/8)
perform - the "message digests" exercise.* (11/12)
Do this assignment while logged in to your account on sputnik.smc.edu, in your home directory. Don't delete the files created while performing the assignment. I will look for them in your home directory later to evaluate you.
passwords:

Cracking passwords
with Crack

Cracking passwords
with John the Ripper

Cracking passwords
John the Ripper (2)

Cracking passwords* (11/14)
with hashcat

perform - the hashcat version of the above "Cracking passwords" exercise. Use the kali-linux virtual machine under VMware. When unzipped, kali-2015.zip yields a subdirectory named "kali-2015" in which are all the files VMware needs. Bring up kali linux in VMware. kali linux has hashcat pre-installed.

This exercise has several parts. Do them all. When finished, maximize your command window and dump the file hashcat.pot to the screen with the command:
  cat  hashcat.pot
submit - two results to me from this exercise. First, take a screenshot of your screen showing the hashcat.pot dump in the command window and send it to me as an email attachment. Be sure to 1) send it to my personal address, not my smc address, 2) title the message "hashcat" or it will get lost, and 3) put your name in the message or I'm unable to give credit to you. Second, consider the 2nd question at the bottom of the exercise and use the Mandylion spreadsheet as it asks. Then answer these questions, which recapitulate the exercise's 2nd question (refer to it in answering these):
  1. the length of the numbers-only password that requires at least 50 years to crack, in characters, according to the spreadsheet, is:
  a. 12  b. 15  c. 17  d. 19  e. 24
  2. with today's computing power (what is "today's"? refer back to the page for the exercise), the length of the password that requires at least the rest of your life to crack, in characters, is:
  a. 12  b. 15  c. 17  d. 19  e. 24
  3. accounting for the continued operation of Moore's law, the length of the password that requires at least 50 years to crack is:
  a. 12  b. 17  c. 19  d. 24  e. 28
  4. the shortest "mixed character" password that'll last 50 years, in characters, is:
  a. 12  b. 17  c. 19  d. 24  e. 28
Submit your answers to the preceding 4 questions following these preparation and submittal instructions (you will use file transfer to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "passwords.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

Pluggable Authentication Modules (PAM) * (11/1)

Passwords
 (narrated version)* (11/1)

User authentication alternatives * (11/1)

message digests
 (narrated version)* (11/8)

6 cryptography read - the write-up at "Simplified DES" 
listen - to the two audio clips (see the icon) "1. SDES - Simplified DES" and "3. SDES Mangler Function." Optionally, also hear "8. Cipher Block Chaining."* (11/15)
do - the assignment at link entitled "S-DES algorithm". The assignment asks you to perform the S-DES algorithm on paper and turn in the paper. Do not turn in any paper, but please do perform the assignment on paper nonetheless. I have created some multiple-choice questions about your solution, and posted them as >>>your assignment here<<<. Submit your answers to those questions following these preparation and submittal instructions (you will use sftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "sdes.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.* (11/21)

cryptography
 (narrated version)* (11/15)

s-des backgrounder* (11/8)

s-des operation example
 (narrated version)* (11/15)

7 firewalls

cryptography

read - this article about one-time pad (perfect, unbreakable) encryption


do
- the firewall construction experiment on DETER, found at the link entitled "firewall construction (on DETER)".* (12/3)
Please note:
  a) you should use the right network specification file, which is this one (firewall6.ns) not the one(s) shown within the assignment itself.
  b) the names of this project, and the one for which the instructions were written, differ. Our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former (e.g., where told to execute:
 cp /proj/USCCSci530/exp/server4.c  /root
execute instead:
 cp /proj/SMC-CS78/exp/server4.c  /root  )
c) the instructions invite you to contact a Netgear router on the internet. It died and is no longer available.
d) the instructions end by assigning you questions to answer. Don't answer the questions. Instead, I have recast them in a multiple-choice form and posted them as >>>your assignment here<<<. Submit your answers to those questions following these preparation and submittal instructions (you will use sftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "firewalls.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

one-time pad
do the one-time pad exercise
submit  - When you are finished, answer the questions at the end. Submit your answers following these preparation and submittal instructions (you will use scp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "otp.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.* (11/21)


packet filter  firewalls
 (narrated version)* (11/29)

stream and block ciphers (stream) * (11/8 - partial)

 

8 cryptography

arp spoofing (a man-in-the-middle attack)


read - from textbook chapters 11 and 12. Chapter 11 "TCP/IP Networks" should come in large measure as review to you. Chapter 12 "Securing TCP and UDP Services" is long, and covers a range of security considerations. Some of them are general but many are specific to particular services. The latter part of the chapter devotes a page or two to each of a dozen common services, describing it and its own unique security related characteristics. Read these chapters over the course of the next 3 or 4 weeks. They relate loosely to the network related class lectures and activities (e.g., firewalls and arp spoofing)

read - an explanation of arp spoofing

 

for reference:

rfc defining arp protocol

home page, ettercap project

man pages for arp, arping, ettercap, tshark


Arp spoofing
(DETER)

You need to make a couple of adjustments. Our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former (e.g., where told to execute:
 cp /proj/USCCSci530/exp/server4.c  /root
execute instead:
 cp /proj/SMC-CS78/exp/server4.c  /root  )

The questions for you to answer are the following, which are the same ones found at the end of the exercise in non-multiple-choice form, recast into multiple-choice form.

 1. ARP poisoning of node4 from node1
 a. can be done the same way as ARP poisoning of node0 from node1
 b. can be done the same way as ARP poisoning of node2 from node1
 c. can be done the same way as ARP poisoning of node3 from node1
 d. cannot be done from node1

 2. At the end of section 6 the question is posed, "How does traffic between node2 and node0 get from node2 to node0?" Under the circumstances of that section, how??
 a. via/through node1
 b. via/through node3
 c. via/through both node1 and node3, duplicate copies being sent
 d. via no other nodes than themselves

 3. Consider the question "How?" that appears at the end of section 7. Recall that node2 logged into ftp on node4 and somehow node1 figured out the user password given by node2. How??
 a. the password that node2 issued to node4 transited node1 on the way from node2 to node4, and node1 decrypted it
 b. node2 broadcast the password for node4, and node1 decrypted it
 c. the password that node2 issued to node4 transited node1 on the way from node2 to node4, and was unencrypted
 d. node2 broadcast the password for node4, and it was unencrypted

 4. Imagine you run a web hosting company. The manager at one of your clients, a medium sized business, calls you in alarm and reports the apparent defacement of his website running on your host machine. Images on the site have all been replaced with various hacker images like the laughing skull. He heard about it from several of his employees, then saw it with his own eyes on their terminals. His website has fallen victim to the same mischief as the one on our node4. What is your course of action?
 a. temporarily block access to the web server machine that contains the customer's site, while you diagnose the site's corruption
 b. examine the site's constituent files within the web server machine, to pinpoint (and fix) the corrupted ones
 c. both a and b
 d. no action, because the site isn't corrupted

Submit your answers to the preceding 4 questions following these preparation and submittal instructions (you will use ftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "arpspoof.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

 

Japanese Naval Code JN-25

stream and block ciphers (block) * (11/15 - finished)

arp spoofing
 (narrated version)

9 cryptography

in-class demo
 - RSA algorithm
* (11/8)


GNU Privacy Guard:* (11/22)

 GPG (GNU Privacy Guard) official page

 GPG Mini HowTo

 GNU Privacy Handbook

 RFC2440 - OpenPGP message format

 Enigmail  

Encryption modes:

 block cipher modes of operation

 listen to Security Now podcast episode #183 "Modes of Encryption" from 50:45 to 1:18:07

do the assignment entitled "GNUPrivacyGuard". There are no questions to answer and nothing to turn in. But importantly this will familiarize you with how GPG works. You will need that familiarity to apply GPG in doing the upcoming follow-on assignment (GPG, community).

do the portion of the "GPG, community" assignment in the paragraph entitled "Preliminary task: sign and circulate/upload/publicize a copy of the gettysburg address".
 You can obtain gettysburg.txt by sftp/scp from sputnik.smc.edu's "public" account, password given in class.
  As a commonly accessible file-exchange mechanism among class members for this assignment, use the account "common", password given in class, and sftp/scp to up- and download files from common's home directory on the server. Upload both your gpg-created key for this assignment and your signed copy of gettysburg.txt. (If operating from the class server itself, as opposed to a private machine remote from it, you can still use scp using the server machine's own address 127.0.0.1 for that of the target machine.)
I will process the student uploads and deposit resultant files in the "common" home directory for you to do the next step in the assignment. When I have done so and all is ready, I will notify you. Then, you will be able to proceed and do the assignment's "Part 1" and "Part 2."

do - encryption modes; you may use this encryption calculator as an aid


GNUPrivacyGuard (gpg)
 (narrated version)* (11/22)

RSA algorithm
 (narrated version)* (11/22)

certificates - essentials

10 cryptography
in-class exercise:
RSA encryption
(mod arithmetic)

 RSA encryption 2

secure shell
in-class exercises:
 
ssh key setup
 ssh file access

key exchange

RSA public-key algorithm* (11/22)
read
the section entitled "RSA: The Most Used Asymmetric Algorithm" in "Asymmetric Cryptography" (http://www.informit.com/articles/article.aspx?p=102212&seqNum=4)

Secure Shell (ssh)
read the textbook's coverage of ssh, pp 341-346
visit
 "Getting started with SSH"
 "OpenSSH FAQ"

Diffie-Hellman key exchange
 - SANS Institute article

listen to this discussion about Diffie-Hellman key exchange. The conversation is 37 minutes. The first 14 minutes concern Diffie-Hellman. The rest is about public-key cryptography. Listen to the Diffie-Hellman segment. Optionally, to the rest.

do the portion of the "GPG, community" assignment in the paragraph entitled "Part 1 - signing".
In the server's /home/common ("common" account's password given in class) your signed copies of the gettysburg address have been or will shortly be renamed, per the assignment. You can now proceed to figure out who signed each one and submit "signers.txt". The students who signed these files have all published their public keys to us (by putting them in /home/common where they are at our disposal).

do the portion of the "GPG, community" assignment in the paragraph entitled "Part 2 - encrypting".
In sputnik's /home/common I have or will shortly put a file for each of you, bearing your name and encrypted with the public key you gave me (by uploading it into /home/common). You can now proceed to decrypt that file. Credit for this part of the assignment is given when you reveal to me what I encrypted for you, by telling me verbally or emailing it to me.

do the assignment at the link entitled "RSA encryption 2". Perform it in the CentOS6.4 VM (it may also work on sputnik). When asked to choose 2 prime numbers, make sure you choose them large enough that their product is no less than 100. The assignment produces a file named "outfile". Please submit it to me by placing it in your "assignments" subdirectory on the server. Retain the values you generated for keys in this exercise (e.g., don't delete outfile) because I will ask you to use these keys again in a follow-on assignment. (I plan to encrypt something for you with the public key you give me in "outfile", then expect you to decrypt it. You'll need your matching private key to manage that, so retain it. Doing this assignment accomplishes the first 3 steps of the follow-on assignment, which is "Using RSA".)* (11/21)

do the assignment at the link entitled "Primitive roots"

 

ssh - secure shell
 (narrated version)

key exchange
 (narrated version)

11 cryptography

application flaws

in-class exercises:
 
exploit shellcode

Stack buffer overflow:

Hackin9 magazine article Overflowing the stack on Linux x86 by Piotr Sobolewski

GNU debugger (gdb) documentation


Sign extension code flaw in crypt_blowfish:

This is a bug in a code library called crypt_blowfish, which applies the Blowfish block cipher algorithm to the task of hashing passwords. It was used as the tool for doing that in some Linux distributions (not Fedora). The bug was present from about 1998 until it was patched in 2011. It substantially weakens the passwords it processes. It was found while trying to crack some passwords with John the Ripper.

 discovery (1996)
 rediscovery1 (2011)
 rediscovery2
 rediscovery3
 
Security Now podcast - “Anatomy of a Security Mistake”
 audio
 transcript

 

do the assignment at the link entitled "Primitive roots"

do the assignment at the link entitled "Using RSA", using your private key to decrypt a message from me. Of the 8-item list at the beginning of the assignment, you accomplished the first 3 steps last week when you performed "RSA encryption 2". You generated a key pair. Then you published your public key to me when you put your "outfile" containing it within my reach in your assignments directory. I have since or will shortly perform step 4, encrypting a random string with your public key. All my random strings are 3-character uppercase-alpha strings. 

The assignment calls upon you to get files:
  ciphermessage-<yourname>  [containing a string encrypted by me using your pubkey]
  decr  [script to process above file, yielding the string]
Both can be found in the home directory of user "public" on the server (password for account "public" given in class).
Get your "ciphermessage" file then decrypt it using the "decr" script and your private key, per the assignment. You could transfer files and do this on your own linux machine, or you could do it just as well in place on the server itself where the files already are. To get credit: tell me what your random string is at our next class meeting.

do - application security exercise, parts concerning stack buffer overflow and heartbleed.* (12/3)

stack buffer overflow under the debugger - the environment suitable for doing it is the "Snort on Centos 4.3 minimal-with-gdb" virtual machine. The instructions (above link) for causing/observing the stack overflow within that environment can be expected not to work in other environments. The sample files are in the /root directory, within your virtual machine. (The instructions end with some questions at the bottom. Ignore those, in favor of the submittal instructions below.)
submit
- one file and two screenshots to me as a result of this exercise. 

The file to submit - In a file submit answers to these questions  following these preparation and submittal instructions (you will use sftp to deposit your answer file in your "assignments" subdirectory on sputnik). Please name your file "softwaresecurity.txt". I will grade these using an automated script, so the format of the answer is critical to intelligibility.

The first screenshot to submit - while doing the assignment you will produce a screen like the one shown in the "Application security" slides (next column) entitled "Stack separation between argument & return address" (it's approximately the 28th slide). I want a screenshot of that slide, in which however you don't use D's (use a different letter) and don't use 10 of them (use a different number).  Send it to me as an email attachment. Be sure to 1) send it to my personal address (where a message filter awaits), not my smc address, and 2) title the message as instructed or it will get lost.

The second screenshot to submit - while doing the heartbleed assignment you will produce a screen like the one shown in the "Application security" slides (next column) entitled "Exploitation in the lab" (it's approximately the 44th slide). I want a screenshot of that slide, in which however you don't use EAZZZZZZZZZZZ2SEEEEE but rather use a variant of your name. Send it to me the same way as the first screenshot.

Application security (stack overflow, representing the category)* (11/22)


12 tunnels/vpns

 

IP-over-IP rfc's
 "IP in IP tunneling"   "IP encapsulation within IP"

SSH
 "Getting Started with ssh"

free clients for Windows
 puTTY
 OpenSSH

stunnel

 stunnel homepage

 "SSL Encrypting Syslog with Stunnel" article

stunnel exercise

apache via stunnel exercise

 

OpenVPN

 "OpenVPN project"

 wikipedia article

 client for Windows

DETER "Tunnels and vpns" assignment

The instructions were written for a different class. They largely apply with a couple of exceptions.

First exception: do not use the network specification files offered within the instructions. Rather, use one adapted for this class. There are two of them. The first sets up Fedora machines within DETER, the second Ubuntu. 

DETER has relatively more available machines able to run Ubuntu. That means when DETER is under heavy use you'll have a better chance of swapping in your experiment if you use the Ubuntu version. On the other hand, the Fedora version is tried-and-true and the Ubuntu one is brand new Nov 2012. I suggest you use the Ubuntu one, contact me if you observe fundamental problems, and use the Fedora version as fallback. DETER is particularly busy right now (mid-November 2012).

Here are the 2 ns files:

 network specification (ns) file for Fedora nodes

 network specification (ns) file for Ubuntu nodes

Second exception: our project is known to DETER by the name SMC-CS78. The instructions don't know that, they think it's USCCsci530. Wherever you see the latter in any instruction, substitute the former.

With those two caveats, here are the instructions to follow:

Tunnels and vpns (DETER)

You need not answer the questions found at the end of the assignment. I will grade you by 1) observing the presence of evidence on DETER that you did the assignment, and 2) screenshots you turn in. However, as a self-measurement, read the questions and see whether you think you understood their points or not.

What to turn in:

When you reach the point early in the assignment where you have opened 5 terminal windows connected to your 5 experiment nodes, print out a screenshot of it that looks like the one in the instructions.

When you reach the point in the assignment section about OpenVPN "Scenario 1: routed tunnel, unencrypted," print out a pair of screenshots showing the tunnel endpoint connection dialogs, just like what you see in the instructions.

Send me the two screenshots as email attachments.

stunnel

Tunnels and vpns
 (narrated version)

 

 

vpn architectures

vpn tunnels


packet injection - hping

13
forensics
peruse article on digital forensics for an overview Computer forensics (DETER) computer forensics
14
storage encryption

in-class exercise:

 cryptoloop

 encrypted filesystems

write-up entitled "filesystem encryption." It has 4 links at the bottom. Read them too (except for the last one, concerning FreeOTFE).

article on the Truecrypt vacuum

listen to this discussion about Truecrypt. You can skip over the initial 14-minute conversational chit-chat and start listening at the beginning of the description of the Truecrypt product.

visit some websites
Truecrypt's website
The truecrypt audit  Truecrypt audit completed
successors TCnext VeraCrypt CipherShed

view - the slides entitled "sshfs - remote filesystem." What relation does the ssh file system bear to encrypted filesystems? to encryption?

do the assignment at the link entitled "truecrypt". Where asked to get files, obtain them from the home directory of user "public" on sputnik. You are supposed to submit to me a file you create, and to send me information about a file of mine. Do so by sending me a single email message. Make your file an attachment, and include the required information within the message. Make sure the message title is "Assignment 13 Truecrypt". I will use an email message filter that finds such messages and that's what I will grade. If you title your message differently your assignment may get lost. Send your message to dmorgan@world.oberlin.edu (not to my smc.edu address please).

do the assignment at the link entitled "encrypted filesystems," at left. It is presented there as an in-class exercise. It can be done either as an in-class or homework exercise. Do it as homework.
submit - see the bottom of the "encrypted filesystems" page, and submit the indicated "myencryptedpartition" file to your assignments directory on the server.

backup onto an encrypted filesystem
additional exercises we may potentially use
ssh lab

port forwarding

secure remote gui

remote backup

remote  logging

nmap scanner

yum and rpm

tcpdump/wireshark  

capture browse session

firewall construction
 - native iptables
 
- via webmin tool
 - firewall

chroot

MAC spoofing