Countermeasures - Intrusion Detection

Intrusion detection's main goal is to catch hackers in the act by monitoring system activity. One method of intrusion detection would be employing the use of integrity verifiers. These mainly detect when critical components of the system have changed. One of the types of integrity verifiers is known as a tripwire. This digitally signs files on your system, then compares new signatures to old ones to detect change. Another method of intrusion detection is to create and make use of deception systems. These are systems that intentionally appear to be easy targets for hackers, but end up trapping and identifying them whenever an attack is attempted.

The following is an interesting look into using deception as a way of protecting information systems:

Deception for Defense of Information Systems: Analogies from Conventional Warfare

Countermeasures - VPNs

Virtual Private Networks (VPN) allow the secure transfer of data over public networks through private connections from the private host network to the remote sites. Information over VPNs is kept secure through data encryption. VPNs also require some level of authentication from the user before he or she can access the network, so this adds another level of security. Another advantage to using VPNs is the fact that they're relatively cheap to set up and they can be accessed wherever there is internet access. For more information over VPNs, please visit the section on howstuffworks.

Countermeasures - Firewalls

Firewalls are used to keep networks secure by analyzing data packets and determining whether they should be allowed or not. The following are types of firewalls:

• Packet filters - Looks at each packet and decides whether to allow it or not; Most routers already have packet filters implemented.
• Network Address Translation (NAT) - Hides entire local network behind one IP address; Makes an entire network look like a single machine.
• Proxies - Prevent you from actually connecting to the internet; Proxies never connect to the URL, but instead connect to the proxy server, and the proxy server gets the URL for you. 

image source: http://www.howstuffworks.com/firewall.htm

Countermeasures

For this next section I decided to look outside of the book for primary sources. Doing this, I came across the website, http://www.iss.net/security_center/advice/Countermeasures/default.htm, which gives basic descriptions over multiple types of countermeasures that can be applied to a system. My posts over this topic will be summaries and additional resources regarding the countermeasures mentioned on the site.

Shellcode

Below are a couple of resources listed regarding shellcode:

• http://linuxdevcenter.com/pub/a/linux/2006/05/18/how-shellcodes-work.html
• http://www.vividmachines.com/shellcode/shellcode.html

Denial of Service Attack

A Denial of Sevice (DoS) attack is used to prevent access to a service or resource. This can be done by either crashing the service or flooding the service. DoS attacks that aim to crash the service look for vulnerabilities in software, usually from specific vendors. If the service is on a server then not only will the service and operating system crash, but the server will crash as well. Because of this, many of the vulnerabilities are known and are already patched. Flooding DoS attacks aim to merely overload the service so it can't respond, rather than crashing it altogether. This is primarily done by using up the user's bandwidth so that other traffic can't get through. This can only be done if the attacker has more bandwidth than the victim.

One example of a crashing DoS attack is "The Ping of Death." The basis of this attack is to overload the data portion of an Internet Control Message Protocol (ICMP) packet. The data portion is designed to hold 2^16 bytes of data, so if someone sent an ICMP echo message that contained more than this amount of bytes, it would crash the operating system. Although this is now a known problem and systems are already patched for this vulnerability, new technologies are still sometimes affected by this.

An example of a flooding DoS attack is an Amplification attack. This form of attack is different from a typical flooding attack by not using massive amounts of bandwidth. This is done by targeting a network that has a large amount of active hosts and then send those hosts large ICMP echo request packets. These packets have a spoofed source address of the victim's system, so when these packets are sent to the hosts, they will send ICMP echo reply packets of their own back to the spoofed source address and thus flood the victim's network.

Another type of a flooding DoS attack is a distributed DoS (DDoS) attack. The first step of this attack is to find other hosts and install daemons on them. These hosts are known as bots. Then, when the attacker finds a victim, he or she will execute some kind of program that controls the bots and makes them simultaneously perform a flooding DoS attack. The multiple bots that are used greatly increases the flooding effect and also makes it more difficult to trace the source of the attack.

Below is a link that offers defenses against DDoS attacks:

http://www.securityweek.com/content/how-defend-against-ddos-attacks

Sockets

Sockets are a way to perform network communication through the OS. The two main types of sockets are stream sockets and datagram sockets. Stream sockets are used to provide two-way communication, while datagram sockets only provide one-way communication and can be unreliable. Stream sockets use Transmission Control Protocol (TCP), which ensures that the packets of data being sent along the network will arrive in sequence and without error to their destination. Datagram sockets use User Datagram Protocol (UDP), which is not actually a real connection, but only serves as a basic method to send data. Both of these protocols exist on the transport layer of the OSI model. If you would like to view how to work with sockets in C, please follow this link.

The OSI Model

The Open Systems Interconnection (OSI) model provides standards to hardware that allows it to only focus on the type of communication that is relevant to that specific type of hardware(Ex. routers). The OSI model is broken up into the following seven layers:

1. Physical Layer - This layer communicates between two points through a physical connection. It communicates using raw bit streams and is responsible for activating, maintaining, and deactivating these communications. 
2. Data-link Layer - This layer actually sends the data between the two points and provides high-level functions, like error correction and flow control. 
3. Network Layer - The network layer passes information between the lower and higher layers. It provides the addressing and routing that is necessary to pass the information.
4. Transport Layer - This layer is responsible for transferring the data between the different systems. 
5. Session Layer - The session layer establishes and maintains connections between the different network applications. 
6. Presentation Layer - This layer makes it possible for applications to understand the incoming data by presenting it in a language that the application can interpret. 
7. Application Layer - This layer keeps track of the requirements for a particular application. 

Data is transported by packets through the different layers. The data is wrapped by each layer, starting with the application layer and ending with the physical layer, which is called encapsulation. Each layer has a header, which contains the protocol information for that layer; and a body, which contains the data for that particular layer.

Original image from: http://compnetworking.about.com/library/graphics/basics_osimodel.jpg

Another Buffer Overflow Example

Format String Vulnerability

The format string vulnerability can happen when the data submitted by the user is read as a command by the program. It occurs when you use a format print statement (ex. printf()) in your code without using a parameter to check and convert the input by the user. For example, the wrong way to write a format print statement would be "printf(stringValue);" whereas the correct and more secure way would be to include a parameter in the format printf statement like so: "printf("%s", stringValue);." If an attacker was able to exploit this vulnerability, he or she would be able to execute code, read the stack, cause new behaviors that could affect the security and stability of the system, or completely crash the program and make it unavailable. For more information over the format string vulnerability, please visit the official OWASP page!

Reference: https://www.owasp.org/index.php/Format_string_attack

Buffer Overflows

Buffer overflows stem from C's inability to check whether or not a variable can fit into a specific memory space. Buffer overflow attacks are when a hacker inserts more data into a specified memory location than what that location is allocated. This can lead to the process of executing arbitrary code, which is when the hacker tricks the program into running a piece of malicious code that has been inserted into the memory. This gives power to the hacker to make the program do pretty much anything the hacker wants it to. To look at an example of a buffer overflow, please follow this link.