the message. The other problem is that the physical medium you're sending the packets across is insecure. If it were secure, there would be no reason to encrypt the message in the first place. Anyone who might be monitoring the network could steal the encrypted packets and the key necessary for decrypting them.
Public key encryption, on the other hand, uses a pair of keys: a public key that is sent along with the message and a private key which is always in the possession of the recipient. The private key is based on a derivative of the public key, and only the two keys working together can decrypt the packets. Because the private key is never sent across the network, it remains secure. The downside of public key encryption is that it tends to be very slow and resource intensive. This makes it difficult to send large amounts of data using public key encryption
ents McAlister.
You should hear coverage of many testers vs. one, incentivization, focus on rare bugs, etc.
The IISLockdown tool helps you to automate certain security steps. IISLockdown greatly reduces the vulnerability of a Windows 2000 Web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server. The templates either disable or secure various features. In addition, IISLockdown installs the URLScan ISAPI filter. URLScan allows Web site administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules that the administrator controls. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.
Note: By default, IIS 6.0 has security-related configuration settings similar to those made by the IIS Lockdown Tool. Therefore you do not need to run the IIS Lockdown Tool on Web servers running IIS 6.0. However, if you are upgrading from a previous version of IIS (5.0 or lower) to IIS 6.0, it is recommended that you run the IIS Lockdown Tool to enhance the security of your Web server.
During this step, you:
Install and run IISLockdown.
Install and configure URLScan.
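As an added illustration of the rule-driven filtering that URLScan performs (constructed example code, not URLScan or any Microsoft code): a small Python filter that applies the same categories of rule, allowed verbs, denied extensions, denied URL sequences and request-size limits, to raw HTTP request lines. The category names follow URLScan's configuration as I know it; the rule values, the function names and the sample requests are assumptions made for this example, and real URLScan normalizes and scans URLs in its own way.

```python
"""Rule-driven HTTP request filter in the style of URLScan (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote
import posixpath


@dataclass
class FilterRules:
    # Rule categories follow URLScan's configuration; the values are constructed for this example.
    allow_verbs: set = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    deny_extensions: set = field(default_factory=lambda: {".exe", ".bat", ".cmd", ".com", ".ida", ".idq"})
    deny_url_sequences: tuple = ("..", "./", "\\", ":", "%", "&")
    max_url: int = 260
    max_query_string: int = 2048
    allow_high_bit_chars: bool = False


def check_request(request_line: str, rules: Optional[FilterRules] = None):
    """Return (allowed, reason) for one HTTP request line such as 'GET /index.htm HTTP/1.1'."""
    rules = rules or FilterRules()
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    verb, target, _ = parts
    if verb not in rules.allow_verbs:
        return False, f"verb {verb} not in AllowVerbs"
    if len(target) > rules.max_url:
        return False, "URL exceeds MaxUrl"
    path, _, query = target.partition("?")
    if len(query) > rules.max_query_string:
        return False, "query string exceeds MaxQueryString"
    if not rules.allow_high_bit_chars and any(ord(ch) > 127 for ch in target):
        return False, "high-bit character in URL"
    # Decode one layer of %XX encoding, then scan: a single layer cannot hide a denied
    # sequence, and a second layer leaves a literal '%' behind, which is itself denied.
    decoded = unquote(path)
    for seq in rules.deny_url_sequences:
        if seq in decoded:
            return False, f"denied sequence {seq!r} in URL"
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in rules.deny_extensions:
        return False, f"extension {ext} in DenyExtensions"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines, one per rule category.
    for line in ("GET /index.htm HTTP/1.1",
                 "TRACE / HTTP/1.1",
                 "GET /scripts/../../private/notes.txt HTTP/1.1",
                 "GET /tools/run.exe HTTP/1.1",
                 "GET /a%252e%252e/b HTTP/1.1"):
        print(check_request(line))
```

The filter only ever returns an allow/deny decision with the rule that fired, which is what an administrator needs in the log to tune the rule set; the point of the "decode once" comment is that a filter that scans only the raw URL misses a single layer of encoding, while one that decodes repeatedly can be made to loop.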
Step 3. Services
Services that do not authenticate clients, services that use insecure protocols, or services that run with too much privilege are risks. If you do not need them, do not run them. By disabling unnecessary services you quickly and easily reduce the attack surface. You also reduce your overhead in terms of maintenance (patches, service accounts, and so on).
If you run a service, make sure that it is secure and maintained. To do so, run the service using a least privilege account, and keep the service current by applying patches.
During this step, you:
Disable unnecessary services.
Disable FTP, SMTP, and NNTP unless you require them.
Disable the ASP.NET State service unless you require it.
Disable Unnecessary Services
Windows services are vulnerable to attackers who can exploit the service's privileges and capabilities and gain access to local and remote system resources. As a defensive measure, disable Windows services that your systems and applications do not require. You can disable Windows services by using the Services MMC snap-in located in the Administrative Tools programs group.
DNS queries that request name resolution of known malicious domains or of names with characteristics common to domain generation algorithms (DGA) associated with criminal botnets, and queries to resolvers that you did not authorize for use, are in many cases dead giveaway indicators of infected hosts on your networks.
DNS responses also offer signs that suspicious or malicious data are being delivered to hosts on your networks. For example, length or composition characteristics of DNS responses can reveal malicious or criminal intent: the response messages are abnormally large (amplification attack), or the Answer or Additional Sections of the response message are suspicious (cache poisoning, covert channel).
DNS responses for your own portfolio of domains that are resolving to IP addresses that are different from what you published in your authoritative zones, responses from name servers that you did not authorize to host your zone, and positive responses to names in your zones that should resolve to name error (NXDOMAIN) may indicate a domain name or registration account hijacking or DNS response modification.
DNS responses from suspicious IP addresses (e.g., addresses from IP blocks allocated to broadband access networks), DNS traffic appearing on non-standard ports, an unusually high number of response messages that resolve domains with short Times to Live (TTL), or an unusually high number of responses containing "name error" (NXDOMAIN) are often indicators of botnet-controlled, infected hosts running malware.
You may not be able to keep pace with every new DNS exploitation, but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.
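The indicators above translate into straightforward detection logic. The following Python is an added example, not from the original text: it runs a set of checks over constructed DNS log records (the resolver set, the zone data, the blocklist entry, the thresholds and every address are made up for the illustration) and reports, per client host and per owned zone, which indicators fired. The DGA test is a crude entropy heuristic, included only to show where such a check sits in the pipeline.

```python
"""Score DNS log records against the indicators described above (constructed example)."""
import math
from collections import Counter, defaultdict

# Constructed policy for this example: the resolvers we run, our own zone and its
# published records, the name servers allowed to answer for it, and a placeholder blocklist.
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
AUTHORITATIVE_NS = {"203.0.113.53"}
OUR_ZONES = {"example-corp.test": {"www.example-corp.test": "203.0.113.10"}}
BLOCKLIST = {"known-bad.example"}      # placeholder entry, not a real indicator
SHORT_TTL = 60                         # seconds; answers below this count as short-lived
NXDOMAIN_RATIO = 0.5                   # share of a host's queries that may end in name error
DGA_ENTROPY = 3.5                      # bits per character; crude heuristic for random labels

FIELDS = ("client", "resolver", "port", "qname", "rcode", "ttl", "answer", "responder")
SAMPLE_LOG = [  # constructed records, one per query/response pair
    ("10.1.1.5", "10.0.0.53", 53, "www.example-corp.test", "NOERROR", 3600, "203.0.113.10", "203.0.113.53"),
    ("10.1.1.5", "10.0.0.53", 53, "intranet.example-corp.test", "NXDOMAIN", 0, None, "203.0.113.53"),
    ("10.1.1.9", "198.51.100.7", 5353, "xk3q9zv8lm2pw7.example", "NXDOMAIN", 0, None, "198.51.100.7"),
    ("10.1.1.9", "198.51.100.7", 5353, "qz81vpl3mxk0tw.example", "NXDOMAIN", 0, None, "198.51.100.7"),
    ("10.1.1.9", "198.51.100.7", 5353, "m7xv2qk9pl4wzn.example", "NXDOMAIN", 0, None, "198.51.100.7"),
    ("10.1.1.9", "198.51.100.7", 5353, "tb0rk5yw3jqx8v.example", "NXDOMAIN", 0, None, "198.51.100.7"),
    ("10.1.1.9", "10.0.0.53", 53, "known-bad.example", "NOERROR", 20, "192.0.2.44", "192.0.2.1"),
    ("10.1.1.9", "10.0.0.53", 53, "c.fast-flux.example", "NOERROR", 30, "192.0.2.45", "192.0.2.1"),
    ("10.1.1.9", "10.0.0.53", 53, "d.fast-flux.example", "NOERROR", 30, "192.0.2.46", "192.0.2.1"),
    ("10.1.1.9", "10.0.0.53", 53, "e.fast-flux.example", "NOERROR", 30, "192.0.2.47", "192.0.2.1"),
    ("10.1.1.12", "10.0.0.53", 53, "www.example-corp.test", "NOERROR", 3600, "192.0.2.99", "192.0.2.1"),
    ("10.1.1.12", "10.0.0.53", 53, "ghost.example-corp.test", "NOERROR", 3600, "192.0.2.99", "192.0.2.1"),
]


def sample_records():
    return [dict(zip(FIELDS, row)) for row in SAMPLE_LOG]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_dga(name: str) -> bool:
    # Long, high-entropy first labels are typical of algorithmically generated names.
    label = name.split(".")[0]
    return len(label) >= 12 and shannon_entropy(label) >= DGA_ENTROPY


def zone_of(name: str):
    for zone in OUR_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def analyze(records):
    """Return {client or 'zone:<name>': [indicator, ...]} for everything that looks suspicious."""
    findings = defaultdict(set)
    stats = defaultdict(Counter)
    for r in records:
        host = r["client"]
        name = r["qname"].lower().rstrip(".")
        stats[host]["total"] += 1
        # Query-side indicators (first paragraph above)
        if r["resolver"] not in AUTHORIZED_RESOLVERS:
            findings[host].add("query to unauthorized resolver")
        if r["port"] != 53:
            findings[host].add("dns on non-standard port")
        if name in BLOCKLIST:
            findings[host].add("known malicious domain")
        if looks_dga(name):
            findings[host].add("dga-like name")
        # Response-side indicators: NXDOMAIN volume and short TTLs are counted per host
        if r["rcode"] == "NXDOMAIN":
            stats[host]["nxdomain"] += 1
        elif r["rcode"] == "NOERROR" and r["ttl"] < SHORT_TTL:
            stats[host]["short_ttl"] += 1
        # Our own zones: who answered, and does the answer match what we published?
        zone = zone_of(name)
        if zone:
            key = f"zone:{zone}"
            if r["responder"] not in AUTHORITATIVE_NS:
                findings[key].add("response from unauthorized name server")
            published = OUR_ZONES[zone].get(name)
            if published is None and r["rcode"] == "NOERROR":
                findings[key].add("positive answer for name that should be NXDOMAIN")
            elif published is not None and r["rcode"] == "NOERROR" and r["answer"] != published:
                findings[key].add("answer differs from published zone data")
    for host, c in stats.items():
        if c["total"] >= 4 and c["nxdomain"] / c["total"] >= NXDOMAIN_RATIO:
            findings[host].add("high nxdomain ratio")
        if c["short_ttl"] >= 3:
            findings[host].add("many short-ttl answers")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for key, hits in analyze(sample_records()).items():
        print(key, hits)
```

In the sample data the clean host never appears in the output, the host talking to an outside resolver on port 5353 collects every query-side indicator plus the two volume indicators, and the owned zone is flagged three ways because a non-authoritative server answered for it with addresses we never published. Per-host thresholds are deliberately separate from per-record checks: a single NXDOMAIN or short TTL is normal, a run of them from one client is not.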
Windows / MS-DOS
c:\> tracert login.oscar.aol.com
Binky, running tracert on a Windows computer, creates 3 ICMP echo (ICMP type 8) messages with the time to live in the IP header set to 1 and the destination address of the packets set to the destination computer's IP address (we'll call the destination computer clown).
Binky starts a timer.
Binky sends the three messages destined for clown out to the network.
Binky waits for a response. This response will be:
An ICMP Time Exceeded message - this means the host responding is not the destination.
An ICMP Destination Unreachable message - this means the host responding doesn't know how to get to the destination IP address in the traceroute packets.
The computer on which the messages die because the time to live expired (somewhere between Binky and clown) sends back ICMP Time Exceeded (ICMP Type 11) responses. These messages indicate to Binky that the traceroute messages have not ye
traceroute
The *NIX process is a bit different because it uses the Van Jacobson modification of using a UDP port number and relying on port unreachable errors to signify the end of the traceroute.
Only the outbound packets are sent to UDP ports starting with 33434. The returning packets are ICMP, and the UDP port number on the outbound packet usually increments upwards from UDP 33434 to match the TTL set in the IP header. This is why some firewalls block UNIX/Linux/BSD traceroute but let Windows traceroute through.
Traceroute creates a UDP packet from the source to the destination with a TTL (Time-to-live) = 1.
The UDP packet reaches the first router, where the router decrements the value of TTL by 1, thus making our UDP packet's TTL = 0, and hence the packet gets dropped.
Noticing that the packet got dropped, the router sends an ICMP message (Time Exceeded) back to the source.
Traceroute makes a note of the router's address and the time taken for the round trip.
It sends two more packets in the same way to get an average value of the round-trip time. Usually, the first round trip takes longer than the other two due to the delay in ARP finding the physical address; the address stays in the ARP cache during the second and the third time and hence the process speeds up.
The steps that have occurred until now occur again and again until the destination has been reached. The only change is that the TTL is incremented by 1 when the UDP packet is to be sent to the next router/host.
Once the destination is reached, a Time Exceeded ICMP message is NOT sent back this time because the destination has already been reached.
But the UDP packet used by Traceroute specifies a destination port number that is not usually used for UDP. Hence, when the destination computer verifies the headers of the UDP packet, the packet gets dropped due to the improper port being used, and an ICMP message (this time Destination Unreachable) is sent back to the source.
When Traceroute encounters this message, it understands that the destination has been reached. The destination, too, is probed 3 times to get the average of the round-trip time.
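To make the two exchanges concrete, here is an added Python simulation (not code from the original, and not a real network probe): a three-router path between Binky and clown is constructed in memory and each probe is walked along it the way the steps above describe, so the reader can see why tracert receives Time Exceeded from the intermediate routers and an Echo Reply from clown, while *NIX traceroute ends on a Port Unreachable instead. The addresses are documentation ranges chosen for the example, and the port numbering follows the text (one port per TTL value).

```python
"""Simulated traceroute exchange: Windows ICMP-echo probes vs. *NIX UDP probes (constructed path)."""
from dataclasses import dataclass
from typing import Optional

PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]   # constructed routers between Binky and clown
DESTINATION = "203.0.113.77"                          # clown
BASE_PORT = 33434
PROBES_PER_HOP = 3


@dataclass
class Probe:
    ttl: int
    kind: str                       # "icmp_echo" (Windows tracert) or "udp" (*NIX traceroute)
    dst_port: Optional[int] = None  # only set for UDP probes


def forward(probe: Probe):
    """Return (responder, icmp_message): what the network sends back for this probe."""
    ttl = probe.ttl
    for router in PATH:
        ttl -= 1                    # every router decrements TTL before forwarding
        if ttl == 0:
            return router, "ICMP Time Exceeded (type 11)"
    # TTL survived all routers, so the probe reaches clown; the reply depends on the probe type.
    if probe.kind == "icmp_echo":
        return DESTINATION, "ICMP Echo Reply (type 0)"
    if probe.kind == "udp":
        # nothing listens on the high UDP port, so the host answers port unreachable
        return DESTINATION, "ICMP Destination Unreachable (type 3, port unreachable)"
    raise ValueError(f"unknown probe kind {probe.kind}")


def traceroute(style: str, max_hops: int = 30):
    """Return (hops, packets_sent); hops = [(ttl, dst_port, responder, message), ...]."""
    hops, sent = [], 0
    for ttl in range(1, max_hops + 1):
        if style == "windows":
            probe = Probe(ttl, "icmp_echo")
        elif style == "unix":
            probe = Probe(ttl, "udp", BASE_PORT + ttl - 1)   # port steps with the TTL
        else:
            raise ValueError(style)
        responses = [forward(probe) for _ in range(PROBES_PER_HOP)]
        sent += PROBES_PER_HOP
        responder, msg = responses[0]   # all three probes of a hop answer the same way here
        hops.append((ttl, probe.dst_port, responder, msg))
        if responder == DESTINATION:
            break
    return hops, sent


if __name__ == "__main__":
    for style in ("windows", "unix"):
        hops, sent = traceroute(style)
        print(f"{style}: {sent} probes sent")
        for ttl, port, who, msg in hops:
            print(f"  ttl={ttl} port={port} <- {who}: {msg}")
```

With three routers the path needs four TTL values, so both styles send 12 probes; the returned hop list also makes the firewall remark above visible, since the *NIX run is the only one whose outbound packets are UDP to 33434 and up while every reply in both runs is ICMP.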
What are Linux's strengths and weaknesses vs. Windows?
Windows weaknesses
Virii and Malware
Despite some valiant efforts, virii and malware plague the lives of Windows user
Diffie-Hellman
What's the difference between Diffie-Hellman and RSA?
Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. If they get that far, make sure they can elaborate on the actual difference, which is that one requires you to have key material beforehand (RSA), while the other does not (DH). Blank stares are undesirable.
DH is used to generate a shared secret in public for later symmetric ("private-key") encryption:
Diffie-Hellman:
Creates a shared secret between two (or more) parties, for subsequent symmetric encryption
Key identity: (gen^s1)^s2 = (gen^s2)^s1 = shared secret (mod prime)
Where:
gen is an integer whose powers generate all integers in [1, prime) (mod prime)
s1 and s2 are the individuals' "secrets", only used to generate the symmetric key
RSA is used to come up with a public/private key pair for asymmetric ("public-key") encryption:
RSA:
Used to perform "true" public-key cryptography
Key identity: (m^e)^d = m (mod n) (lets you recover the encrypted message)
Where:
n = prime1 * prime2 (n is publicly used for encryption)
φ = (prime1 - 1) * (prime2 - 1) (Euler's totient function)
e is such that 1 < e < φ, and (e, φ) are coprime (e is publicly used for encryption)
d * e = 1 (mod φ) (the modular inverse d is privately used for decryption)
It just so happens that, in practice, RSA's results are subsequently used to generate a symmetric key.
Furthermore, it also happens that you can modify DH to be used for public-key encryption.
But they are fundamentally different, even though both of them have "public" and "private" components.
Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).
How does one defend against CSRF?
Nonces required by the server for each page or each request is an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.
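One concrete form of the server-required nonce, as an added Python example (constructed here, not code from the original or from any web framework): the server issues a token that is random and bound to the session through an HMAC, refuses state-changing requests that do not carry a valid token, and refuses to perform the logout action on a plain GET at all, so the IMG-tag request from the earlier example arrives with the victim's cookie but without the token and is rejected. The function names, the request dictionary shape and the session id are assumptions made for this example.

```python
"""Per-session CSRF nonce: issue a token bound to the session, verify it on state-changing requests."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed for this example; a real key is loaded from secure storage
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str) -> str:
    """Token = nonce.HMAC(key, session_id:nonce), so it only verifies for the session it was issued to."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)     # constant-time comparison


def handle(request: dict):
    """Tiny dispatcher; request is {'method', 'path', 'cookies', 'form'} (constructed shape)."""
    method, path = request["method"], request["path"]
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "no session"
    if path == "/logout" and method == "GET":
        # The IMG-tag trick in the text works only because a GET performed the action.
        return 405, "state-changing action requires POST"
    if method in STATE_CHANGING:
        token = request.get("form", {}).get("csrf_token", "")
        if not token_is_valid(session_id, token):
            return 403, "missing or invalid CSRF token"
    return 200, f"{method} {path} ok"


if __name__ == "__main__":
    sid = "sess-abc"                   # constructed session id
    token = issue_token(sid)
    print(handle({"method": "GET", "path": "/logout", "cookies": {"session": sid}}))
    print(handle({"method": "POST", "path": "/logout", "cookies": {"session": sid}}))
    print(handle({"method": "POST", "path": "/logout", "cookies": {"session": sid},
                  "form": {"csrf_token": token}}))
```

The browser attaches the session cookie to any request, including one a foreign page triggers, but the token lives in the page body the legitimate site rendered, which a foreign origin cannot read; binding it to the session with the HMAC means a token captured for one session is useless for another.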
perspective that I think represents the highest level of security understanding: a realization that security is there for the company and not the other way around.
What's the difference between a threat, vulnerability, and a risk?
Asset: People, property, and information. People may include employees and customers along with other invited persons such as contractors or guests. Property assets consist of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information. Information may include databases, software code, critical company records, and many other intangible items.
An asset is what we're trying to protect.
Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what we're trying to protect against.
Vulnerability: Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
A vulnerability is a weakness or gap in our protection efforts.
Risk: The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.
Why is it important to understand the difference between these terms? If you don't understand the difference, you'll never understand the true risk to assets. You see, when conducting a risk assessment, the formula used to determine risk is:
A + T + V = R
That is, Asset + Threat + Vulnerability = Risk.
Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk. Similarly, you can have a vulnerability, but if you have no threat, then you have little/no risk.
Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to assets. Understanding the difference between threats, vulnerabilities, and risk is the first step.
ed? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.
If I'm on my laptop, here inside my company, and I have just plugged in my network cable, how many packets must leave my NIC in order to complete a traceroute to twitter.com?
The key here is that they need to factor in all layers: Ethernet, IP, DNS, ICMP/UDP, etc. And they need to consider round-trip times. What you're looking for is a realization that this is the way to approach it, and an attempt to knock it out. A bad answer is the look of WTF on the face of the interviewee.
This could be asked as a final phase of a multi-step protocol question that perhaps starts with the famous "What happens when I go to Google.com?"