Digital Security
Digital security is the protection of this online identity. Digital security is an all-encompassing term which includes the tools you can use to secure your identity, assets and technology in the online and mobile world.
Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Cyber security may also be referred to as information technology security.
There are ultimately three pillars when it comes to data security:
Integrity: we must be sure that the data we’re trying to secure has not been modified or corrupted. We must also be sure of the source: are we certain it originates from the right person, and is that person who they claim to be?
Confidentiality: We must keep things private or limit the data’s availability to certain, pre-specified people or organizations.
Availability: We need it to work so that interactions and transactions etc. can run conveniently all the time
Cryptography
cryptography focused on message confidentiality (i.e., encryption)—conversion of messages from a comprehensible form into an incomprehensible one and back again at the other end, rendering it unreadable by interceptors or eavesdroppers without secret knowledge (namely the key needed for decryption of that message).
Cryptography is the practice and study of secure communication in the presence of third parties.
Encryption is the process of converting plain text information to cipher text. Reverse is the decryption.
Encryption is a mechanism to make the information confidential to anyone except the wanted recipients.
Cipher is the pair of algorithms that creates encryption and decryption. Cipher operation is depending on algorithm and the key. Key is the secret that known by communicants.
In recent decades, the field has expanded beyond confidentiality concerns to include techniques for message integrity checking, sender/receiver identity authentication, digital signatures, interactive proofs and secure computation, among others.
In addition, there are two types of encryption by keys used:
· Symmetric-key cryptography / Secret key cryptography
· Asymmetric cryptography / Public-key cryptography
Symmetric-key cryptography / Secret key cryptography
Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key (or, less commonly, in which their keys are different, but related in an easily computable way).
Symmetric key ciphers are implemented as either block ciphers or stream ciphers. A block cipher enciphers input in blocks of plaintext as opposed to individual characters, the input form used by a stream cipher.
Popular Symmetric-key cryptography
Block Cipher: encrypt block of data of fixed size.
· AES (Advanced Encryption Standard)
· DES (Data Encryption Standard)
· triple-DES
· IDEA (International Data Encryption Algorithm)
· Blowfish (Drop-in replacement for DES or IDEA)
· AWS KMS
Stream Cipher: encrypt continuous streams of data.
· RC4 (Rivest Cipher 4)
Block cipher modes:
ECB (Electronic codebook mode) - In this mode, each block is encrypted individually, and the encrypted blocks are assembled in the same order as the plain text blocks. This is the regular usage, but it leaks some information (e.g., if blocks are repeated in the plain text, this is revealed by the cipher text), and it is vulnerable to block replays.
CBC (Cipher block chaining mode)
CFB (Cipher feedback mode) - makes a block cipher into a stream cipher, by maintaining a queue block (initialised to some initial value) - is similar. The following diagrams shows how Block cipher mode work.
OFB (Output feedback mode)
Asymmetric cryptography / Public-key cryptography
In public-key cryptograms, the public key may be freely distributed, while its paired private key must remain secret. In a public-key encryption system, the public key is used for encryption, while the private or secret key is used for decryption. public-key (also, more generally, called asymmetric key) cryptography in which two different but mathematically related keys are used—a public key and a private key
Symmetric encryption is generally more efficient than asymmetric encryption and therefore preferred when large amounts of data need to be exchanged.
Establishing the shared key is difficult using only symmetric encryption algorithms, so in many cases, an asymmetric encryption is used to establish the shared key between two parties.
Examples for symmetric key cryptography include AES, DES, and 3DES. Key exchange protocols used to establish a shared encryption key include Diffie-Hellman (DH), elliptic curve (EC) and RSA.
Popular Asymmetric-key cryptography
RSA (Rivest–Shamir–Adleman)
Diffie-Hellman (DH)
Elliptic curve (EC)
AWS EC2
Cryptographic Hash/ Digest functions
Cryptographic hash functions are a third type of cryptographic algorithm. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash) and designed to be a one-way function, that is infeasible to invert. Integrity checking is the mechanism to verify if the information has not changed. To validate the integrity, a thumbprint (also called hash or digest) of the information created. Thumbprint created by an algorithm that create a shorter bit string from an information.
Data integrity check is a most common application of the hash functions and Hash functions provide protection to password storage.
Popular Hash Functions
1. Message Digest (MD)
2. Secure Hash Function (SHA)
3. RIPEMD
4. Whirlpool
Digital Signature
Digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. A valid digital signature enables information integrity (using hash algorithm) to ensure message is not altered, message created by the sender (authentication) and sender cannot deny having sent the message (non-repudiation). The digital signature has to be authentic, unfalsifiable, non-reusable, unalterable and irrevocable. When all this property are gathered, the authenticity and the integrity of an information can verified.
The signature operation is based on asymmetric cryptography. First a digest of the initial information is created and this last is encrypted with the private key. This operation is called the signature.
To validate the signature, the recipient extracts the encrypted digest from the message and use his public key to unencrypt it. Next the recipient creates a digest from the received information and compare it with the previously unencrypted digest. This is the signature checking process.
A good way to remember when the private key is used is to know what information is important in each operation. In signature process, the critical information is the digest so the private key is used to sign. In encryption process, the critical information is encrypted: so the private key is used to unencrypt.
· Authentication (proof of identity of the sender) and
· Message integrity (detection of changes to the message).
· Digital signatures for non-repudiation: proving that a particular individual really sent a particular message.
Digital Envelope
A digital envelope is a secure electronic data container that is used to protect a message through encryption and data authentication. A digital envelope allows users to encrypt data with the speed of secret key encryption and the convenience and security of public key encryption.
Rivest, Shamir and Adleman (RSA) Public-Key Cryptography Standard (PKCS) #7 governs the application of cryptography to data for digital envelopes and digital signatures.
A digital envelope is also known as a digital wrapper.
· A digital envelope uses two layers for encryption: Secret (symmetric) key and public key encryption. Secret key encryption is used for message encoding and decoding. Public key encryption is used to send a secret key to a receiving party over a network. This technique does not require plain text communication.
Either of the following methods may be used to create a digital envelope:
· Secret key encryption algorithms, such as Rijndael or Twofish, for message encryption.
· Public key encryption algorithm from RSA for secret key encryption with a receiver’s public key.
· A digital envelope may be decrypted by using a receiver's private key to decrypt a secret key, or by using a secret key to decrypt encrypted data.
Digital envelope modern algorithm uses a session key (temporarily key) to encrypt information with symmetric cryptography. Next, the session key encrypted with the public key of the recipient. To unencrypt information, first the recipient unencrypt the session key with his private key and unencrypt information with the session key
On the sender side, following actions performed:
1. A temporarily key called session key (Ks) generated;
2. Information encrypted with session key (Ks);
3. (Ks) Encrypted with the public key (Kpu) of the recipient. This key called Kse;
4. Kse added to the encrypted information file. This file sent to the recipient.
On the recipient side, the below action performed:
1. The encrypted information and Kse are separated;
2. The Kse key is unencrypt with the private key (Kpr) of the recipient and becomes the Ks;
3. The document is unencrypted with Ks.
Encryption and Digital Signature Operation
Now that we are aware about encryption, hash algorithm and signature, let have a look how these elements interact together to make an information confidential, authentic and honest.
When the signature and encryption used together, the signing process done first. Following steps performed:
1. A digest is created from the initial information;
2. This thumbprint is encrypted with the private key (Kprg);
3. The thumbprint is added to the initial information (in the same file);
4. A temporarily session key is generated (Ks) It will be used to encrypt initial information;
5. The session key is encrypted (Kse) with the public key of the recipient (Kpub);
6. Kse added to encrypted information file. So this file is contains the encrypted information, the Kse and the signature.
When the recipient receives the file from the issuer, it begins by unencrypt file and next to verify the signature:
1. The recipient extracts the Kse from the received file. This key is unencrypting with the private key (Kprb) to obtain session key (Ks);
2. Ks is used to unencrypt information;
3. Next recipient extracts the encrypted thumbprint;
4. The public key (Kpug) is used to unencrypt the thumbprint;
5. In the same time, the recipient creates a digest from the previously unencrypted information;
6. To finish, the recipient compares the unencrypted thumbprint with the digest generated from unencrypted information. If they match, the signature verified.
Common Cybersecurity Attacks
Types of hacking techniques that are known to be highly effective, such as malware, phishing, or cross-site scripting (XSS)
Malware
Attackers love to use malware to gain a foothold in users' computers—and, consequently, the offices they work in—because it can be so effective.
Malware” refers to various forms of harmful software, such as viruses and ransomware. Once malware is in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker's home base.
Phishing
In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there will be an attachment to open or a link to click. Upon opening the malicious attachment, you’ll thereby install malware in your computer. If you click the link, it may send you to a legitimate-looking website that asks for you to log in to access an important file—except the website is actually a trap used to capture your credentials when you try to log in.
SQL Injection Attack
Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. A SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn’t. This is especially problematic if the server stores private customer information from the website, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker.
An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that allow the SQL server to run malicious code. For example, if a SQL server is vulnerable to an injection attack, it may be possible for an attacker to go to a website's search box and type in code that would force the site's SQL server to dump all of its stored usernames and passwords for the site.
Cross-Site Scripting (XSS)
In an SQL injection attack, an attacker goes after a vulnerable website to target its stored data, such as user credentials or sensitive financial data. But if the attacker would rather directly target a website's users, they may opt for a cross-site scripting attack. Similar to an SQL injection attack, this attack also involves injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code the attacker has injected only runs in the user's browser when they visit the attacked website, and it goes after the visitor directly, not the website.
One of the most common ways an attacker can deploy a cross-site scripting attack is by injecting malicious code into a comment or a script that could automatically run. For example, they could embed a link to a malicious JavaScript in a comment on a blog.
Denial-of-Service (DoS)
Imagine you're sitting in traffic on a one-lane country road, with cars backed up as far as the eye can see. Normally this road never sees more than a car or two, but a county fair and a major sporting event have ended around the same time, and this road is the only way for visitors to leave town. The road can't handle the massive amount of traffic, and as a result it gets so backed up that pretty much no one can leave.
That's essentially what happens to a website during a denial-of-service (DoS) attack. If you flood a website with more traffic than it was built to handle, you'll overload the website's server and it'll be nigh-impossible for the website to serve up its content to visitors who are trying to access it.
Brute-force attacks
To conduct a brute-force attack, an attacker may use a tool to attempt every combination of letters and numbers, expecting to eventually guess the password. If the attacker knows that an organization requires special characters in their password, the tool could be instructed to include letters, numbers, and symbols. Every password, no matter how strong, is vulnerable to this attack. However, this method is going to take a while.
Dictionary attacks
In a dictionary attack, the attacker utilizes a wordlist in the hopes that the user’s password is a commonly used word (or a password seen in previous sites). Dictionary attacks are optimal for passwords that are based on a simple word (e.g. 'cowboys' or 'longhorns'). Wordlists aren’t restricted to English words; they often also include common passwords (e.g. 'password,' 'letmein,' or 'iloveyou,' or '123456').But modern systems restrict their users from such simple passwords, requiring users to come up with strong passwords that would hopefully not be found in a wordlist.
Types of Man-in-the-Middle Attacks
Rogue Access Point
Devices equipped with wireless cards will often try to auto connect to the access point that is emitting the strongest signal. Attackers can set up their own wireless access point and trick nearby devices to join its domain. All of the victim’s network traffic can now be manipulated by the attacker. This is dangerous because the attacker does not even have to be on a trusted network to do this—the attacker simply needs a close enough physical proximity.
ARP Spoofing
ARP is the Address Resolution Protocol. It is used to resolve IP addresses to physical MAC (media access control) addresses in a local area network. When a host needs to talk to a host with a given IP address, it references the ARP cache to resolve the IP address to a MAC address. If the address is not known, a request is made asking for the MAC address of the device with the IP address.
An attacker wishing to pose as another host could respond to requests it should not be responding to with its own MAC address. With some precisely placed packets, an attacker can sniff the private traffic between two hosts. Valuable information can be extracted from the traffic, such as exchange of session tokens, yielding full access to application accounts that the attacker should not be able to access.
mDNS Spoofing
Multicast DNS is similar to DNS, but it’s done on a local area network (LAN) using broadcast like ARP. This makes it a perfect target for spoofing attacks. The local name resolution system is supposed to make the configuration of network devices extremely simple. Users don’t have to know exactly which addresses their devices should be communicating with; they let the system resolve it for them. Devices such as TVs, printers, and entertainment systems make use of this protocol since they are typically on trusted networks. When an app needs to know the address of a certain device, such as tv.local, an attacker can easily respond to that request with fake data, instructing it to resolve to an address it has control over. Since devices keep a local cache of addresses, the victim will now see the attacker’s device as trusted for a duration of time.
DNS Spoofing
Similar to the way ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. When using a DNS spoofing attack, the attacker attempts to introduce corrupt DNS cache information to a host in an attempt to access another host using their domain name, such as www.onlinebanking.com. This leads to the victim sending sensitive information to a malicious host, with the belief they are sending information to a trusted source. An attacker who has already spoofed an IP address could have a much easier time spoofing DNS simply by resolving the address of a DNS server to the attacker’s address.
Man-in-the-Middle Attack Techniques
Sniffing
Attackers use packet capture tools to inspect packets at a low level. Using specific wireless devices that are allowed to be put into monitoring or promiscuous mode can allow an attacker to see packets that are not intended for it to see, such as packets addressed to other hosts.
Packet Injection
An attacker can also leverage their device’s monitoring mode to inject malicious packets into data communication streams. The packets can blend in with valid data communication streams, appearing to be part of the communication, but malicious in nature. Packet injection usually involves first sniffing to determine how and when to craft and send packets.
Session Hijacking
Most web applications use a login mechanism that generates a temporary session token to use for future requests to avoid requiring the user to type a password at every page. An attacker can sniff sensitive traffic to identify the session token for a user and use it to make requests as the user. The attacker does not need to spoof once he has a session token.
SSL Stripping
Since using HTTPS is a common safeguard against ARP or DNS spoofing, attackers use SSL stripping to intercept packets and alter their HTTPS-based address requests to go to their HTTP equivalent endpoint, forcing the host to make requests to the server unencrypted. Sensitive information can be leaked in plain text.
Preventing Man-in-the-Middle Attacks
Strong WEP/WAP Encryption on Access Points
Having a strong encryption mechanism on wireless access points prevents unwanted users from joining your network just by being nearby. A weak encryption mechanism can allow an attacker to brute-force his way into a network and begin man-in-the-middle attacking. The stronger the encryption implementation, the safer.
Virtual Private Network
VPNs can be used to create a secure environment for sensitive information within a local area network. They use key-based encryption to create a subnet for secure communication. This way, even if an attacker happens to get on a network that is shared, he will not be able to decipher the traffic in the VPN.
Force HTTPS
HTTPS can be used to securely communicate over HTTP using public-private key exchange. This prevents an attacker from having any use of the data he may be sniffing. Websites should only use HTTPS and not provide HTTP alternatives. Users can install browser plugins to enforce always using HTTPS on requests.
Public Key Pair Based Authentication
Man-in-the-middle attacks typically involve spoofing something or another. Public key pair based authentication like RSA can be used in various layers of the stack to help ensure whether the things you are communicating with are actually the things you want to be communicating with.
-Refresh yourself on Digital Security
